How to tell from email header if sender address is legitimate

How can I tell from an email's headers if the sender address is legitimate?

Many of these email headers can be (and usually are) forged by spammers when they send their spam.

  • "From:" address
  • Some "Received:" headers can also be forged.

SMTP message spoofing shows just how easily this can be done using an open (unsecured) relay mail server.


How can I analyze the email headers?

There are many tools to analyze email headers, some of which can show if any of the IP addresses in the chain are on spam blacklists.

These tools can also tell if any of the "Received:" headers in the chain are forged.


MxToolbox Email Header Analyzer

One such tool is MxToolbox Email Header Analyzer.

Feeding your email headers into this tool produces the following output:

[Screenshot: MxToolbox Email Header Analyzer output for the headers above]

Clicking the blacklist button shows that the IP address 182.50.144.34 (which is where Google received the email from) is on 3 email blacklists.

[Screenshot: MxToolbox blacklist check for 182.50.144.34]


Further reading

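The procedure the answer describes (walk the Received: chain from the top down, trust only the hop your own mail provider wrote, read the provider's Authentication-Results, and compare the addresses that claim to be the sender), as an added Python example that is not part of the original answer and not MxToolbox's code. The header sample is constructed from the question's chain: hosts, IPs and the SPF result are the ones posted above, while the redacted mailbox addresses are replaced with example.com / example.net stand-ins; `our_domain` and all function names are this example's own.

```python
"""Walk an email's Received: chain and run the checks a header analyzer performs."""
import re

# Constructed sample: the Received chain, hostnames, IPs and SPF result are the ones
# from the question above; the redacted addresses are replaced with example.* stand-ins.
SAMPLE_HEADERS = """\
Received: by 10.107.155.193 with SMTP id d184csp3229700ioe;
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Return-Path: <webmail-user@example.net>
Received: from sg2plwbeout19-1.prod.sin2.secureserver.net (sg2plwbeout19-1.prod.sin2.secureserver.net. [182.50.144.34])
        by mx.google.com with ESMTPS id da5si39769286pbc.20.2015.06.24.05.55.55
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of webmail-user@example.net) smtp.mailfrom=webmail-user@example.net
Received: from localhost ([182.50.144.112])
    by sg2plwbeout19-1.prod.sin2.secureserver.net with bizsmtp
    id kCvv1q0092Rj2se01Cvv9l; Wed, 24 Jun 2015 05:55:55 -0700
Received: (qmail 41764 invoked by uid 99); 24 Jun 2015 12:55:55 -0000
From: "Larsen & Toubro Ltd (India)" <careers@example.com>
X-Sender: webmail-user@example.net
"""

ADDR = re.compile(r"[\w.+-]+@[\w.-]+\w")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Unfold RFC 5322 continuation lines; return (lowercase name, value) pairs, top-down."""
    pairs = []
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def received_hops(headers):
    """Received: hops, newest first: who claims to have sent, and which server wrote the line."""
    hops = []
    for name, value in headers:
        if name == "received":
            m_from = re.search(r"\bfrom\s+(\S+)", value)
            m_by = re.search(r"\bby\s+(\S+)", value)
            m_ip = IPV4.search(value)
            hops.append({"from_host": m_from and m_from.group(1),
                         "from_ip": m_ip and m_ip.group(1),
                         "by_host": m_by and m_by.group(1)})
    return hops


def entry_hop(hops, our_domain):
    """First hop (top-down) written by our own MX that names a connecting IP.
    That IP is the only one we can vouch for: our server saw the TCP connection. Every
    Received: line below it arrived inside the message, so a forged one is never reached."""
    for hop in hops:
        by = hop["by_host"] or ""
        if hop["from_ip"] and (by == our_domain or by.endswith("." + our_domain)):
            return hop
    return None


def auth_results(headers):
    """method=result pairs from Authentication-Results, which our own MX wrote."""
    out = {}
    for name, value in headers:
        if name == "authentication-results":
            out.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    return out


def sender_identities(headers):
    """Addresses claiming to be the sender. From: is what the user sees and what spammers
    forge; Return-Path and X-Sender come from the envelope and the sending system."""
    ids = {}
    for name, value in headers:
        if name in ("from", "reply-to", "return-path", "x-sender"):
            m = ADDR.search(value)
            if m:
                ids[name] = m.group(0).lower()
    return ids


def assess(raw, our_domain="google.com"):
    """Summarise the evidence and collect red flags for the message."""
    headers = parse_headers(raw)
    entry = entry_hop(received_hops(headers), our_domain)
    auth, ids = auth_results(headers), sender_identities(headers)
    flags = []
    if entry is None:
        flags.append("no Received: line written by our own MX")
    if auth.get("spf") != "pass":
        flags.append("spf=" + auth.get("spf", "missing"))
    if "dkim" not in auth:
        flags.append("no DKIM result")
    if "from" in ids and "return-path" in ids:
        from_dom, env_dom = (ids[k].rpartition("@")[2] for k in ("from", "return-path"))
        if from_dom != env_dom:
            flags.append(f"From domain {from_dom} differs from envelope domain {env_dom}")
    return {"entry_ip": entry and entry["from_ip"], "entry_host": entry and entry["from_host"],
            "auth": auth, "identities": ids, "flags": flags}
```

Calling `assess(SAMPLE_HEADERS)` reports 182.50.144.34 (sg2plwbeout19-1.prod.sin2.secureserver.net) as the entry point, spf=neutral, no DKIM result, and a From domain that differs from the envelope domain. The rule the code encodes is the one in the comments above: the first Received: line written by your own provider is the only hop whose IP you can check against blacklists with confidence; everything below it, and the From: and Reply-To: headers, cost the sender nothing to forge.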


Author: Rahul Sinha

Updated on September 18, 2022

Comments

  • Rahul Sinha
    Rahul Sinha over 1 year

    I received an email from [email protected] claiming that I have got an interview for Assistant Manager (exact words were: "Result of your application for the position of assistant manager. I would like to invite you to attend an interview."), and it came with a PDF file attached.

    I know that it was fake because it asked me to submit money before the interview.

    The email header is shown below. How can I tell from this header where the email really came from and whether it is spam?

    Delivered-To: [email protected]
    Received: by 10.107.155.193 with SMTP id d184csp3229700ioe;
            Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
    X-Received: by 10.70.90.133 with SMTP id bw5mr80267365pdb.85.1435150556549;
            Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
    Return-Path: <[email protected]>
    Received: from sg2plwbeout19-1.prod.sin2.secureserver.net (sg2plwbeout19-1.prod.sin2.secureserver.net. [182.50.144.34])
            by mx.google.com with ESMTPS id da5si39769286pbc.20.2015.06.24.05.55.55
            for <[email protected]>
            (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
            Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
    Received-SPF: neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=182.50.144.34;
    Authentication-Results: mx.google.com;
           spf=neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
    Received: from localhost ([182.50.144.112])
        by sg2plwbeout19-1.prod.sin2.secureserver.net with bizsmtp
        id kCvv1q0092Rj2se01Cvv9l; Wed, 24 Jun 2015 05:55:55 -0700
    X-SID: kCvv1q0092Rj2se01
    Received: (qmail 41764 invoked by uid 99); 24 Jun 2015 12:55:55 -0000
    Content-Type: multipart/mixed;
        boundary="=_b169b0435b8622296c62a715d3e6f635"
    X-Originating-IP: 106.219.63.197
    User-Agent: Workspace Webmail 5.14.3
    Message-Id: <20150624055553.5ceda2619095e240c253dad68c059c9c.541a6e07e4.wbe@email19.asia.secureserver.net>
    From: "Larsen & Toubro Ltd \(India\)" <[email protected]>
    X-Sender: [email protected]
    Reply-To: "Larsen & Toubro Ltd \(India\)" <[email protected]>
    To:
    Subject: Result
    Date: Wed, 24 Jun 2015 05:55:53 -0700
    Mime-Version: 1.0
    --=_b169b0435b8622296c62a715d3e6f635
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/html; charset="utf-8"
    

    I know it is spam, but I want to understand what part of the header signifies that it is spam.

    • John
      John almost 9 years
      See X-Sender: [email protected] & From: "Larsen & Toubro Ltd (India)" <[email protected]>
    • John
      John almost 9 years
      Also avoid opening attachments from such mails
    • kazoni
      kazoni almost 9 years
      @GaneshR. - Put this as an answer so you get reputation for it and the poster can mark it as an answer.
    • user
      user almost 9 years
      Hi Rahul Sinha. I removed the link to the PDF attachment because we do not know whether it is malicious, and having the link potentially puts unsuspecting users of our site at risk. While it's good that you included what you felt was all relevant information, I see no need for the attachment to be included to answer your question.
  • Rahul Sinha
    Rahul Sinha almost 9 years
    Great, I understand that the real sender's IP address is the address that is received by Gmail (mx.google.com), not the one that shows as the From address's IP.
  • DavidPostill
    DavidPostill almost 9 years
    Not without a lot of experience. That's why people have written the automated tools to do the analysis.
  • DavidPostill
    DavidPostill almost 9 years
    The "From" header is the one most often forged by spammers. Here is a nice little introductory tutorial: Tutorial - Mail Header Analysis for Spoof Protection