How IT Works
E-mail Headers
R'ykandar Korra'ti
As a network administrator, you've just seen fifty copies of the same e-mail virus sent to your users. How do you know which machine is infected? Is it someone inside your own company or someone external you can block?
Often, you can isolate it to a single machine by analyzing the one portion of the header your own e-mail server provides. Figure 1 shows a real-life example (all real names have been changed).
Figure 1 Analyzing E-mail
Received: from microsoft.net ([69.66.109.194])
by lodestone.microsoft.net with ESMTP
id HAA19424
for <sample@microsoft.net>; Fri, 5 Mar
2004 07:30:22 -0800
From: firstname.lastname@sample.state.ia.us
Message-Id:
<200403051530.HAA19424@lodestone.microsoft.net>
To: sample@microsoft.net
Subject: Re: Your bill
Date: Fri, 5 Mar 2004 09:36:35 -0600
X-Priority: 3
X-MSMail-Priority: Normal
The important data is in the Received: line. Each time a server receives an SMTP message, it is supposed to add a new Received: line at the beginning of the header block. The topmost line will have been added by your server.
My e-mail server added the topmost line in this example; since there are no other Received: lines further below it, it is probably safe to assume that it was delivered directly to my system by an embedded mini-SMTP engine running on an infected machine. Had there been more than one Received: line, the first one might have been a relaying mail server. As servers are not as likely to be infected as clients, you may want to skip down to the second entry.
The Received: line provides information in this format:
Received: from <info supplied by sender—untrustworthy>
(<info provided by our server—trustworthy>)
by <our server> with <protocol>
<message ID> {for <email address>}; <date>
Your concern should lie with the information provided by your server; that's the data in parentheses following the "from" information supplied by the sender. The sender-provided information will almost always be invalid in virus and spam mail, so you can just ignore it.
In this example, the information added by my server consisted only of the IP address of the machine handing me the message—69.66.109.194. That's the least amount of information you'll get. There may also be a machine name before the IP address, but still within the parentheses. If present, it is also trustworthy information and saves you the next step.
Two tools are needed to discover and verify the name of this machine and the owner of its domain: nslookup (host, on some operating systems) and whois. Both nslookup and host provide DNS lookups against hostnames or IP addresses:
C:\>nslookup 69.66.109.194
194.109.66.69.in-addr.arpa domain name pointer
dwtt-00-0194.dsl.cascadiatelecom.net.
I now know the sender is in the domain cascadiatelecom.net. I've already learned that Cascadia Telecom supports reverse-DNS lookups, although not all network providers do. For those that don't, you must apply the whois tool.
To oversimplify a bit, whois provides information about domains rather than individual hosts. This tool is generally used to identify the owner of a particular domain, as shown in Figure 2. Whois can also be used to identify the owner of an IP address, or range of IP addresses, when you don't know the name of the domain. A network of top-level whois servers exists for this purpose. These are whois.apnic.net (Asia-Pacific), whois.arin.net (Americas), and whois.ripe.net (Europe), covering different geographical regions. As a rule of thumb, query the server for your own geographical region first; if that fails, keep going until you find one that works. I already know my example is in North America, but if I didn't, that's where I'd start (see Figure 3).
Figure 2 The Domain Owner
Domain Name: MICROSOFT.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS3.MSFT.NET
Name Server: NS1.MSFT.NET
Name Server: NS2.MSFT.NET
Name Server: NS5.MSFT.NET
Name Server: NS4.MSFT.NET
Updated Date: 23-jun-2004
Creation Date: 02-may-1991
Expiration Date: 03-may-2014
Figure 3 The IP Address Owner
OrgName: Cascadia Telecom
NetRange: 69.66.0.0 - 69.66.255.255
CIDR: 69.66.0.0/16
NetName: CASCADIA-TELECOM
NameServer: AR.CASCADIATELECOM.NET
NameServer: HE.CASCADIATELECOM.NET
OrgTechName: Cascadia Telecom NOC
OrgTechPhone: +1-877-555-1212
OrgTechEmail: noc@cascadiatelecom.net
With any batch of virus mail received, you'll see a cacophony of sender-provided misinformation. But with a little analysis, you'll often find most of it actually came from one or two infected (and easily blocked and disinfected) machines.
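The Received: line analysis described above (keep only the parenthesized data your own server added, ignore the sender's claimed name, read the topmost hop first) and the batch tally from the last paragraph, as an added Python example that is not part of the original article. The sample header is the Figure 1 text re-typed as a constructed fixture; the regex, the function names and the 198.51.100.7 and 203.0.113.9 addresses used in the checks are my own assumptions, and no DNS or whois query is made.

```python
import re
from collections import Counter

# Constructed fixture: the Figure 1 header, with its Received: line folded as on the page.
SAMPLE_HEADER = (
    "Received: from microsoft.net ([69.66.109.194])\n"
    "\tby lodestone.microsoft.net with ESMTP\n"
    "\tid HAA19424\n"
    "\tfor <sample@microsoft.net>; Fri, 5 Mar\n"
    "\t2004 07:30:22 -0800\n"
    "Subject: Re: Your bill\n"
)
# Received: from <claimed by sender> (<observed by our server>) by <server> with <proto> id <id> for <addr>; <date>
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<claimed>[^\s(]+)\s*"  # sender-supplied: untrustworthy
    r"(?:\((?P<observed>[^)]*)\))?\s*"               # added by our server: trustworthy
    r"by\s+(?P<by>\S+)(?:\s+with\s+(?P<with>\S+))?(?:\s+id\s+(?P<id>\S+))?"
    r"(?:\s+for\s+<?(?P<for>[^>;\s]+)>?)?\s*;\s*(?P<date>.+)$", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def parse_received(raw):
    """All Received: hops, topmost (added by our own server) first, each with a trusted 'observed_ip'."""
    hops = [m.groupdict() for m in map(RECEIVED_RE.match, unfold(raw)) if m]
    for hop in hops:
        ip = IPV4_RE.search(hop["observed"] or "")  # ignore the claimed name, keep only what we saw
        hop["observed_ip"] = ip.group(1) if ip else None
    return hops

def originating_ip(raw, hop=0):
    """Trusted IP of the host that handed us the message (hop=1 skips a relaying server)."""
    hops = parse_received(raw)
    return hops[hop]["observed_ip"] if len(hops) > hop else None

def ptr_name(ip):
    """Reverse-DNS query name, e.g. 194.109.66.69.in-addr.arpa for 69.66.109.194."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def tally_origins(messages):
    """Count trusted origin IPs over a batch: claimed names vary, the infected host's IP does not."""
    return Counter(originating_ip(m) for m in messages)
```

Feed tally_origins a folder of the virus mail and the one or two addresses that dominate the count are the machines to block and disinfect; ptr_name gives the name to look up when you want to do the reverse lookup by hand.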
R'ykandar Korra'ti, a glass sculptor, lives in Seattle with her partner Anna, and is postmaster for a small co-op ISP. Having shipped many e-mail products, she retired from Microsoft in 1999 to focus on her art career.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.