Tip o’ the Week #241 – Where did that email come from?


Most people don’t really pay much attention to where emails originate from or how they got to be in your inbox. This is clearly exploited by scammers and spammers of all sorts, as many consumers will happily click on a link in a genuine-looking email and not think twice about the fact that it might not be all it seems.

Anti-spam technology has improved a lot in the last decade, so a lot of the obvious junk mail is filtered out before it arrives, or if it makes it as far as your mailbox, it’ll be dropped into your Junk Mail folder. But even though the crooks have gotten more sophisticated, fishy-looking email that is still delivered is often clearly marked as probably not safe, as there are tell-tale signs of it not being genuine.

Here’s an example of a typical “phishing” email that’s trying to lure the recipient into clicking a link to a website they think is their bank, eBay, PayPal etc. etc.

In this case, the URL is shown at the bottom of the window by hovering over it (the mouse pointer doesn’t show up in the screen capture, but it was over the “Update” button). This doesn’t look like a genuine URL. The same goes for anything that is displayed in the text as (for example) https://login.youraccount.com but turns out, when you hover over it, to point at some other URL. Some scammers are increasingly using TinyURL, Bit.ly or other URL-shortening services to try to hide their obvious dodginess.

Many email programs (like the standard Windows 8 Mail client) try to hide complexity from end users, but if you hover over a link, it will show the URL in a pop-up.

There are other scenarios, though, where the sender isn’t purporting to be a large institution or other supposedly trustworthy source. Maybe you’re selling something and a potential buyer contacts you to offer a quick cash purchase, sometimes in tandem with an overly complicated arrangement of an agent coming to collect your goods, in exchange for some online means of payment. If your Spidey-sense doesn’t pick up a slightly iffy premise to these kinds of offers, then there might be other ways of tracking down the sender.

Every email comes with an “envelope” – it’s actually like a routing slip attached to the block of data that makes up the main body of the message, and every time a computer (like an internet mail server) handles the message, it adds some kind of marker on the routing slip. The most recent markers in the message “headers” are at the top, so to find out where it really came from, read down and look for the earliest point in the header that shows where the message originated.

To see the detail on a message, you’ll need to use a mail client such as Outlook or Windows Live Mail (if you’re using Outlook.com/Hotmail etc., or Gmail), and look at the properties of the message.

In Outlook, open the message in its own window, then go into File / Properties and you’ll see Internet Headers - if the message came from outside the company, this is the key to your sleuthing. Select all the text and right-click to copy it into the clipboard, and paste it into Notepad for easier viewing.

The header information might be incomprehensible (there are plenty of guides online that can help you make sense, if you’re all that interested), and in fact, much of the text could be faked – but it often gives some interesting breadcrumbs.

Above is the header of a message that’s a tad suspect – viewed in Windows Live Mail (open the message, look in File / Properties and look in the Details tab). Looking down the headers, we can see the message originally was sent to Yahoo, and it was handed over to the Yahoo mail service by the IP address listed:

Received: from [41.220.68.62] by web172005.mail.ir2.yahoo.com via HTTP; Wed, 09 Jul 2014 13:19:54 BST

The sender, who’s offering to buy a car in this case, purports to be in Aberdeen. Now let’s just see where this address is by pasting the source IP address (41.220 etc) into the box on the top right of www.whatismyipaddress.com – or put the IP address into the URL, like here.

Doesn’t look a lot like Aberdeen, does it?

Comments (1)

  1. Ed (DareDevil57) says:

    good post, thanks
