Email transmission contents: What's in an email header, and why should you care?

news/2024/7/3 1:56:03

Ever gotten a spam or phishing message from an email address you didn't recognize? Maybe someone offered you a free trip, asked you to send them bitcoin in exchange for personal photos, or just sent you an unwanted marketing email?

Have you wondered where those emails came from? Seen a spammer spoof your email address and wondered how they did it?

Email spoofing, making an email appear to come from a different address than it actually did (for example, an email that appears to come from whitehouse.gov but is actually from a scammer), is remarkably easy.

Core email protocols don't have any method for authentication, meaning that the 'from' address is basically just a fill-in-the-blank.

Usually when you get an email, it looks something like this:

From: Name <name@gmail.com>
Date: Tuesday, July 16, 2019 at 10:02 AM
To: Me <Me@freecodecamp.com>

Below that is the subject and message.

But how do you know where that email really came from? Isn't there any additional data that can be analyzed?

What we're looking for is the full email headers — what you see above is just a partial header. This data will give us some additional information about where the email came from and how it reached your inbox.

If you want to look at your own email headers, here's how to access them on Outlook and Gmail. Most mail programs operate in a similar manner, and a simple Google search will tell you how to view headers on alternative mail services.

In this article we'll look at a set of real headers (though they're heavily redacted — I've changed hostnames, timestamps, and IP addresses).

We'll read the headers from top to bottom, but be aware that each new server adds its header to the top of the email body. This means we'll start with the header from the final Message Transfer Agent (MTA) and work down to the first MTA to accept the message.

Internal Transfers

Received: from REDACTED.outlook.com (IPv6 Address) by REDACTED.outlook.com with HTTPS via REDACTED.OUTLOOK.COM; Fri, 25 Oct 2019 20:16:39 +0000

This first hop shows an HTTPS line, which means that the server didn't receive the message via standard SMTP and instead created the message from input it received on a web application.

Received: from REDACTED.outlook.com (IPv6Address) by REDACTED.outlook.com (IPv6Address) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1358.20; Fri, 25 Oct 2019 20:16:38 +0000
Received: from REDACTED.outlook.com (IPv6Address) by REDACTED.outlook.office365.com (IPv6Address) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2385.20 via Frontend Transport; Fri, 25 Oct 2019 20:16:37 +0000
Authentication-Results: spf=softfail (sender IP is REDACTEDIP) smtp.mailfrom=gmail.com; privatedomain.com; dkim=pass (signature was verified) header.d=gmail.com;privatedomain.com; dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100
Received-SPF: SoftFail (REDACTED.outlook.com: domain of transitioning gmail.com discourages use of IPAddress as permitted sender)

The first two header blocks are internal mail transfers. You can tell that these were received by Office365 servers (outlook.com), and routed internally to the correct recipient.

You can also tell that the message is being sent via encrypted SMTP. You know this because the header lists "with Microsoft SMTP Server" and then specifies the TLS version it is using, as well as the specific cipher.

The third header block marks the transition from a local mail server to a mail filtering service. You know this because it went "via Frontend Transport", which is a Microsoft Exchange-specific protocol (and therefore it wasn't strictly SMTP).

This block also includes some email checks. Outlook.com's header is detailing their SPF/DKIM/DMARC results here. An SPF softfail means that this IP address isn't authorized to send emails on gmail.com's behalf.

"dkim=pass" means that the email is from its purported sender and was (most likely) not altered in transit.  

DMARC is a set of rules telling the mail server how to interpret SPF and DKIM results. Pass likely means that the email continues on to its destination.

For more on SPF, DKIM, and DMARC, check out this article.
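
An added example (not part of the original article): a Python sketch of the reading procedure described above. It lists the Received hops oldest-first, measures the delay between hops, and pulls the SPF/DKIM/DMARC verdicts from the topmost Authentication-Results header. The sample message, its hostnames and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hosts and IPs are documentation placeholders, not the article's.
RAW = """\
Received: from mx.recipient.example (2001:db8::2) by mbx.recipient.example
 with HTTPS; Fri, 25 Oct 2019 20:16:39 +0000
Authentication-Results: spf=softfail (sender IP is 192.0.2.10)
 smtp.mailfrom=sender.example; dkim=pass (signature was verified)
 header.d=sender.example; dmarc=pass action=none header.from=sender.example
Received: from out.sender.example (192.0.2.10) by mx.recipient.example
 with ESMTPS; Fri, 25 Oct 2019 16:16:36 -0400
Received: from laptop.home (198.51.100.7) by smtp.sender.example
 with ESMTPSA; Fri, 25 Oct 2019 13:16:34 -0700
From: Name <name@sender.example>
To: Me <me@recipient.example>
Subject: hello

body
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)

def hops(raw):
    """Received hops, oldest first: (from_host, by_host, protocol, timestamp)."""
    out = []
    received = message_from_string(raw).get_all("Received", [])
    for value in reversed(received):             # each server prepends, so reverse
        route, _, stamp = value.rpartition(";")  # the date follows the last ';'
        m = HOP.search(route)
        names = m.groups() if m else ("?", "?", "?")
        out.append((*names, parsedate_to_datetime(" ".join(stamp.split()))))
    return out

def hop_delays(chain):
    """Seconds between consecutive hops; negative means clock skew or a forged line."""
    return [(b[3] - a[3]).total_seconds() for a, b in zip(chain, chain[1:])]

def auth_results(raw):
    """spf/dkim/dmarc verdicts from the topmost Authentication-Results header."""
    value = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value.lower()))

if __name__ == "__main__":
    chain = hops(RAW)
    for (src, dst, proto, when) in chain:
        print(f"{when.isoformat()}  {src} -> {dst}  ({proto})")
    print("delays:", hop_delays(chain), "auth:", auth_results(RAW))
```

Timestamps are compared as timezone-aware values, so hops stamped in -0700, -0400 and +0000 line up correctly.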

Internal/External Transition

Received: from Redacted.localdomain.com (IP address) by redacted.outlook.com (IP address) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2305.15 via Frontend Transport; Fri, 25 Oct 2019 20:16:37 +0000
Received-SPF: None (Redacted.localdomain.com: no sender authenticity information available from domain of sender@gmail.com) identity=xxx; client-ip=IPaddress; receiver=Redacted.localdomain.com; envelope-from="sender@gmail.com"; x-sender="sender@gmail.com"; x-conformance=sidf_compatible
Received-SPF: Pass (Redacted.localdomain.com: domain of sender@gmail.com designates sending IP as permitted sender) identity=mailfrom; client-ip=IPaddress2; receiver=Redacted.localdomain.com; envelope-from="sender@gmail.com"; x-sender="sender@gmail.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

This is Google's SPF record - telling the receiving server that the email which says it is coming from gmail.com, is coming from a Google approved server.

Received-SPF: None (redacted.localdomain.com: no sender authenticity information available from domain of postmaster@redatedgoogle.com) identity=helo; client-ip=IPaddress; receiver=Redacted.localdomain.com; envelope-from="sender@gmail.com"; x-sender="postmaster@.google.com"; x-conformance=sidf_compatible
Authentication-Results-Original: Redacted@localdomain.com; spf=None smtp.pra=sender@gmail.com; spf=Pass smtp.mailfrom=sender@gmail.com; spf=None smtp.helo=postmaster@redacted.google.com; dkim=pass (signature verified) header.i=@gmail.com; dmarc=pass (p=none dis=none) d=gmail.com
IronPort-SDR:
IronPort-PHdr: =
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =
X-IronPort-AV: ;d="scan"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False

This shows some additional SPF/DKIM/DMARC checks, as well as the results from an IronPort scan.

IronPort is a popular email filter used by many corporations to look for spam, viruses, and other malicious emails. It scans the links and attachments in the email and determines whether the email is malicious (and should be dropped), likely legitimate (and should be delivered), or suspicious, in which case it can attach a header to the body that tells users to be wary of the email.

Received: from redacted.google.com ([IPAddress]) by Redacted.localdomain.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; Fri, 25 Oct 2019 16:16:36 -0400
Received: by redacted.google.com with SMTP id for recipient@localdomain.com; Fri, 25 Oct 2019 13:16:35 -0700 (PDT)
X-Received: by IPv6:: with SMTP id; Fri, 25 Oct 2019 13:16:35 -0700 (PDT)
Return-Path: sender@gmail.com
Received: from senderssmacbook.fios-router.home (pool-.nycmny.fios.verizon.net. [IP address redacted]) by smtp.gmail.com with ESMTPSA id redacted IP (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 25 Oct 2019 13:16:34 -0700 (PDT)
Received: from senderssmacbook.fios-router.home (pool-.nycmny.fios.verizon.net. [IP address redacted]) by smtp.gmail.com with ESMTPSA id redacted IP (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 25 Oct 2019 13:16:34 -0700 (PDT)

This section shows the internal hops the email took from the sender's initial device through Gmail's routing system and to the Outlook environment of the recipient. From this we can see that the initial sender was on a MacBook, using a home router, with Verizon Fios in NYC.

This is the end of the hops showing the route the email has taken from sender to recipient. Past this, you'll see the body of the email (and the headers you typically see, like "from:", "to:", etc.), perhaps with some formatting based on the media type and email client (for example the MIME version, content type, boundary, etc.). It may also contain some user-agent information, which gives details on what type of device sent the message.

In this case we already know that the sending device was a MacBook due to Apple's naming convention, but it may also contain details on the CPU type and version, and even the browser and version that were installed on the device.

In some cases, but not all, it might also contain the IP address of the sending device (though many providers will hide that information without a subpoena).

What can email headers tell you?

Email headers can help identify when emails are not being sent from their purported senders. They can provide some information on the sender - though it usually isn't enough to identify the true sender.

Law enforcement can often use this data to subpoena the information from the right ISP, but the rest of us can mostly just use it to help inform investigations, generally into phishing.

This process is made harder by the fact that headers can be faked by malicious servers or hackers. Without contacting each server's owner and individually verifying that the headers in your email match their SMTP logs, which is painstaking and time-consuming, you won't be certain the headers are accurate (other than the headers attached by your own mail servers).

DKIM, DMARC and SPF can all help with this process, but aren't perfect, and without them, there's no verification at all.

Don't want to analyze your own headers? This site will do it for you.

Translated from: https://www.freecodecamp.org/news/reading-email-headers/
