
For some strange reason I woke up this morning and realized that I had a newfound curiosity in fraudulent online behavior.
Wouldn’t it be cool to be able to check if the sender of an email really is the person he/she claims to be?
I am familiar with email headers, but not until now have I had an urge to understand more about how they actually work. An email header is a little message travelling with every email, containing information about the sender, the receiver, the subject and a few more things.
Your email client (Outlook, Gmail, Yahoo, Hotmail, etc.) will display parts of the email header, typically From:, To: and Subject:. It is very easy to fake the From: information in an email, so you need to retrieve the full email header, with the complete information about the email message, to try to find the true origin of the email. With the full email header you can see where the email started its journey and how it travelled across the internet to reach your inbox.
You retrieve the full email header in different ways depending on your email client. For Outlook 2007 just right-click on the email in your Inbox (don’t open the email), and in the Internet Headers section you see the full header information. For instructions on how to retrieve the email header in other email clients just search for: view email header [your email client]. There’s also a guide to some of the most common email clients here: http://www.ip-adress.com/faq/view_email_header/
Ok, you’ve got the full email header now! The interesting part of it is the Received: lines. Scroll through the email header and look for Received: and the text immediately following.
Here is an example from an email I received the other day from cqmw40mmg@urscorp.com.
URS Corp is one of the largest engineering design firms in the world and a major US government contractor. I was curious to see what they wanted to inform me of, but reading the mail, the Subject: and the Body: of the mail seemed very strange…

Received: from jura.zsem.hr (193.198.217.4 [193.198.217.4]) by sj1-dm03.mta.everyone.net (EON-INBOUND) with SMTP id sj1-dm03.4ace186c.408bb2 for <fredrik@lyhagen.com>; Thu, 8 Oct 2009 23:03:11 -0700
You see the name of the sender’s mail server (jura.zsem.hr) and the IP-address (193.198.217.4) associated with it. Thereafter you see which server the email was handed to (sj1-dm03.mta.everyone.net), and finally the recipient (the for <…> part) and a time stamp.
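To make the reading of Received: lines concrete, here is an added example (not part of the original post) that parses the Received: chain of a raw message, orders the hops from origin to inbox, and reports two things: the IP of the earliest hop, and the IP that was handed to the first server you actually trust. The sample message is constructed: its first Received: line is the one quoted above, the second (earlier) hop and the domain mail.example.net / IP 203.0.113.10 are made up to show a chain, and the trusted-server suffix "everyone.net" is an assumption standing in for your own provider.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: line 1 is the post's own Received: line, line 2 is a
# made-up earlier hop so that there is a chain to walk.
SAMPLE_MESSAGE = """\
Received: from jura.zsem.hr (193.198.217.4 [193.198.217.4]) by sj1-dm03.mta.everyone.net (EON-INBOUND) with SMTP id sj1-dm03.4ace186c.408bb2 for <fredrik@lyhagen.com>; Thu, 8 Oct 2009 23:03:11 -0700
Received: from mail.example.net (mail.example.net [203.0.113.10]) by jura.zsem.hr with ESMTP; Thu, 8 Oct 2009 23:01:50 -0700
From: cqmw40mmg@urscorp.com
To: fredrik@lyhagen.com
Subject: constructed sample

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"          # host name the sending server announced
    r"(?:\s+\((?P<from_info>[^)]*)\))?"   # optional "(reverse-dns [ip])" clause
    r".*?\bby\s+(?P<by_host>\S+)"         # the server that wrote this line
    r".*?;\s*(?P<date>.+)$",              # time stamp after the final semicolon
    re.DOTALL,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header value into from/ip/by/date parts."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("from_info") or "")
    try:
        when = parsedate_to_datetime(m.group("date").strip())
    except (TypeError, ValueError):
        when = None
    return {
        "from_host": m.group("from_host"),
        "ip": ip.group(1) if ip else None,
        "by_host": m.group("by_host"),
        "date": when,
    }


def trace_hops(raw_message):
    """Return hops in transit order: index 0 is the earliest (origin) hop.

    Each server prepends its own Received: line, so the bottom-most line in
    the header is the oldest and the top-most is the one your provider added.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h]
    hops.reverse()
    return hops


def origin_ip(hops):
    """IP claimed by the very first hop (may be forged by the sender)."""
    return hops[0]["ip"] if hops else None


def last_external_ip(hops, trusted_by_suffix):
    """IP handed to the first server you trust (your own provider).

    Received: lines below that point were written by machines outside your
    control, so this is the most reliable sender IP you can get from the header.
    """
    for hop in hops:
        if hop["by_host"].lower().endswith(trusted_by_suffix.lower()):
            return hop["ip"]
    return None


def chain_breaks(hops):
    """Pairs where the 'by' server of one hop is not the 'from' of the next.

    A gap here means somebody inserted or dropped a line, which is a hint the
    lower part of the chain was fabricated.
    """
    return [
        (prev["by_host"], nxt["from_host"])
        for prev, nxt in zip(hops, hops[1:])
        if prev["by_host"].lower() != nxt["from_host"].lower()
    ]


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_MESSAGE)
    for i, h in enumerate(hops):
        print(f"hop {i}: {h['from_host']} [{h['ip']}] -> {h['by_host']} at {h['date']}")
    print("origin IP:", origin_ip(hops))
    print("last external IP seen by everyone.net:", last_external_ip(hops, "everyone.net"))
    print("chain breaks:", chain_breaks(hops))
```

Feed the raw header text from your email client into trace_hops and the IP returned by last_external_ip is the one worth looking up with the whois and reverse-DNS tools described below; on the sample message that is 193.198.217.4, the same address the post traces to Croatia. Earlier hops are only as trustworthy as the servers that wrote them.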
The first step in checking the sender’s IP-address could be to just copy-paste the entire header into a web page that will analyse the header for you and return the IP-address and as much info as it can retrieve. This is likely to work if the sender is not trying to conceal their real location and identity.
Copy the full header from one of your emails into this page and see what it returns: http://www.ipaddresslocation.org/email-tracking/email-header.php
Copying the full email header from the example above into http://www.ipaddresslocation.org/email-tracking/email-header.php, I see that the email was sent from Croatia. This email is probably not from URS Corp; they have just been used as a facade to hide the identity of the true sender.
The email header tracing will not always give you as much information as in this example. Sometimes you only get the IP-address, and you will need to check the owner of the IP-address and the domain name associated with it. Just search for "DNS lookup" and you’ll find plenty of sites offering this.
As an example go to http://www.ip-adress.com/ip_tracer/ and enter the IP-address: 74.125.53.100
Now, imagine that you get a call from somebody offering you a fantastic investment opportunity. Since you are a bit careful with your money you ask the person to send you an email with the offer so you can think it over properly.
You may want to run a check on the origin of the email to see whether the sender’s location matches the country he/she claims to be calling from, or whether the company the person claims to be calling from has an office in the same location as the IP-address in the sender’s email header.

