
How-To Geek

HTG Explains: How Scammers Forge Email Addresses and How You Can Tell


Consider this a public service announcement: Scammers can forge email addresses. Your email program may say a message is from a certain email address, but it may be from another address entirely.

SMTP, the protocol that carries email between servers, does not verify that the sender address on a message is legitimate; scammers, phishers, and other malicious individuals exploit this weakness. Later add-ons such as SPF, DKIM and DMARC let a receiving server check whether a message really came from the domain it claims, but they only help when the sending domain publishes those records and the receiving server enforces them, which is why forged mail still gets through. You can examine a suspicious email's headers to see whether its address was forged.

How Email Works

Your email software displays who an email is from in the "From" field. However, no verification is performed; your email software has no way of knowing whether a message actually came from the address it names. The "From" line is just a header inside the message, written by whoever (or whatever program) sent it, and it can say anything. For example, a scammer could send you an email whose From header reads bill@microsoft.com. Your email client would present it as a message from Bill Gates, but it has no way of checking. The sender address that the sending program states in the SMTP conversation itself (the "envelope sender", which your provider records in the Return-Path header) is a separate piece of data, and it is just as easy to make up.


Emails with forged addresses may appear to be from your bank or another legitimate business. They’ll often ask you for sensitive information such as your credit card information or social security number, perhaps after clicking a link that leads to a phishing site designed to look like a legitimate website.

Think of an email’s “From” field as the digital equivalent of the return address printed on envelopes you receive in the mail. Generally, people put an accurate return address on mail. However, anyone can write anything they like in the return address field – the postal service doesn’t verify that a letter is actually from the return address printed on it.

When SMTP (Simple Mail Transfer Protocol) was designed in the early 1980s (RFC 821, 1982) for use by academia and government agencies, verifying who a message came from was not a concern; the protocol simply accepts whatever sender the connecting program states.
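The following Python script is an added example, not code from the original article. It starts a throwaway SMTP receiver on the loopback interface and hands it one message in which the envelope sender, the From: header and the HELO name are all chosen by the sending program, exactly as the section above describes; the receiver verifies nothing and records what it can actually observe (the IP address it accepted the connection from) the way a real mail server writes it into a Received: header. Nothing here talks to a real mail server. The host names and addresses (sink.example, client.example, spammer.example, victim@example.net) are made up for the demonstration, and the SmtpSink class is a deliberately minimal receiver written for it, not a production MTA.

```python
import email
import smtplib
import socketserver
import threading
from email import policy
from email.message import EmailMessage


class SmtpSink(socketserver.StreamRequestHandler):
    """Bare-bones SMTP receiver (constructed for this demo): accepts whatever sender
    and recipient it is given and verifies nothing, which is what plain SMTP does."""

    def handle(self):
        self.wfile.write(b"220 sink.example ESMTP\r\n")
        helo, mail_from, rcpt_to, body = "", "", [], []
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("utf-8", "replace").rstrip("\r\n")
            verb, _, arg = cmd.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                helo = arg.strip()                      # name the client claims for itself
                self.wfile.write(b"250 sink.example\r\n")
            elif verb == "MAIL":                         # MAIL FROM:<envelope sender>
                mail_from = arg.partition(":")[2].split()[0].strip("<>")
                self.wfile.write(b"250 OK\r\n")
            elif verb == "RCPT":                         # RCPT TO:<recipient>
                rcpt_to.append(arg.partition(":")[2].split()[0].strip("<>"))
                self.wfile.write(b"250 OK\r\n")
            elif verb == "DATA":
                self.wfile.write(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                while True:
                    dl = self.rfile.readline()
                    if dl in (b".\r\n", b".\n", b""):
                        break
                    body.append(dl[1:] if dl.startswith(b"..") else dl)  # undo dot-stuffing
                # A real MTA prepends a Received: line here. The peer IP is something the
                # receiver observed; the HELO name, envelope sender and From: are claims.
                peer_ip = self.client_address[0]
                received = f"Received: from {helo} ([{peer_ip}]) by sink.example with SMTP\r\n"
                self.server.mailbox.append({
                    "helo": helo, "peer_ip": peer_ip, "mail_from": mail_from,
                    "rcpt_to": list(rcpt_to), "raw": received.encode() + b"".join(body),
                })
                self.wfile.write(b"250 Queued\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class SinkServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self):
        super().__init__(("127.0.0.1", 0), SmtpSink)   # port 0: the OS picks a free port
        self.mailbox = []


def send_forged(header_from="Bill Gates <bill@microsoft.com>",
                envelope_from="bounces@spammer.example",
                recipient="victim@example.net"):
    """Send one message whose From: header has nothing to do with the envelope sender,
    and return what the receiving side recorded about it."""
    server = SinkServer()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        msg = EmailMessage()
        msg["From"] = header_from            # what the recipient's mail client will display
        msg["To"] = recipient
        msg["Subject"] = "Your account"
        msg.set_content("Please confirm your password at the link below.")
        with smtplib.SMTP("127.0.0.1", server.server_address[1],
                          local_hostname="client.example") as smtp:
            # from_addr is the SMTP envelope sender; SMTP never compares it to From:
            smtp.send_message(msg, from_addr=envelope_from, to_addrs=[recipient])
    finally:
        server.shutdown()
        server.server_close()
    rec = server.mailbox[0]
    parsed = email.message_from_bytes(rec["raw"], policy=policy.default)
    return {
        "header_from": str(parsed["From"]),  # claimed by the sender
        "envelope_from": rec["mail_from"],   # claimed by the sender; becomes Return-Path
        "helo_name": rec["helo"],            # claimed by the sender
        "peer_ip": rec["peer_ip"],           # observed by the receiver
        "rcpt_to": rec["rcpt_to"],
        "received": str(parsed["Received"]),
    }


if __name__ == "__main__":
    for key, value in send_forged().items():
        print(f"{key:14} {value}")
```

Run it and compare the three "claimed" values with the one "observed" value: the receiver can only vouch for the IP address it talked to, which is why the analysis later in this article starts from the Received: line your own provider wrote rather than from the From: header.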

How to Investigate an Email’s Headers

You can see more details about an email by digging into the email’s headers. This information is located in different areas in different email clients – it may be known as the email’s “source” or “headers.”

(Of course, it’s generally a good idea to disregard suspicious emails entirely – if you’re at all unsure about an email, it’s probably a scam.)

In Gmail, you can examine this information by clicking the arrow at the top right corner of an email and selecting Show original. This displays the email’s raw contents.


Below you’ll find the contents of an actual spam email with a forged email address. We’ll explain how to decode this information.

Delivered-To: [MY EMAIL ADDRESS]
Received: by 10.182.3.66 with SMTP id a2csp104490oba;
        Sat, 11 Aug 2012 15:32:15 -0700 (PDT)
Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Return-Path: <e.vwidxus@yahoo.com>
Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30])
        by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) client-ip=72.255.12.30;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) smtp.mail=e.vwidxus@yahoo.com
Received: by vwidxus.net id hnt67m0ce87b for <[MY EMAIL ADDRESS]>; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from <e.vwidxus@yahoo.com>)
Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69)
        id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/
        for root@vwidxus.net; Sun, 12 Aug 2012 10:01:06 -0500

From: "Canadian Pharmacy" <e.vwidxus@yahoo.com>

There are more headers, but these are the important ones – they appear at the top of the email’s raw text. To understand these headers, start from the bottom – these headers trace the email’s route from its sender to you. Each server that receives the email adds more headers to the top — the oldest headers from the servers where the email started out are located at the bottom.

The "From" header at the bottom claims the email is from an @yahoo.com address. That header is just a line of text inside the message and could say anything, so look at the Received: lines instead, reading upward from the bottom. The two lowest say the message went from web.vwidxus.net to vwidxus.net; the next one up, written by Google, says mx.google.com accepted the message from a host at 72.255.12.30 (72-255-12-30.client.stsn.net). No Yahoo! server appears anywhere in the chain. This is the red flag: if the message had really been sent through Yahoo!, the hop just below mx.google.com would be one of Yahoo!'s mail servers. Google's own Received-SPF: neutral line says the same thing: it could not confirm 72.255.12.30 as a sender for yahoo.com ("best guess record" means Google found no published SPF policy for the domain and fell back to a heuristic). The timestamps give it away too: the two vwidxus.net lines are dated Sunday 12 Aug, the better part of a day after Google recorded delivery on Saturday 11 Aug. That is not a time-zone accident. Every Received: line below the one your own provider wrote was supplied by the sender and can be fabricated, mis-clocked or left out entirely; the first line you can trust is your provider's, and the host and IP address it names are where the message really came from.

The IP address in that line may also clue you in. Look up 72.255.12.30 with a whois or IP-location service: if an email that claims to come from an American bank was handed to your provider by a home broadband connection, or by an address in Nigeria or Russia, the sender address was almost certainly forged. Treat location as a hint rather than proof, though: legitimate companies routinely send through third-party mail services, and spammers routinely send through compromised machines in any country, including yours.

In this case, the spammers control the address e.vwidxus@yahoo.com (it is also the Return-Path and envelope sender, so bounces and replies go there), yet they put it in the From: field of mail they send from their own server instead of sending it through Yahoo!. Why? Most likely because they can't push massive amounts of spam through Yahoo!'s servers without being noticed and shut down. Instead, they send from their own machines and dress the mail up with a Yahoo! address.
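The following Python script is an added example, not part of the original article. It applies the procedure above to the article's own header dump: it finds the first Received: line written by the recipient's own provider (here mx.google.com), treats every line below it as sender-supplied, pulls out the host and IP address that provider actually accepted the message from, and then compares the From: domain, the SPF result and the timestamps. The header text is the article's, with the recipient placeholder replaced by victim@example.net; the own_domain parameter, the ten-minute clock tolerance and the wording of the flags are my choices.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the header dump from the article, with the recipient replaced by a
# placeholder address and the folded continuation lines indented as in a real message.
SAMPLE = """\
Delivered-To: victim@example.net
Received: by 10.182.3.66 with SMTP id a2csp104490oba;
        Sat, 11 Aug 2012 15:32:15 -0700 (PDT)
Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Return-Path: <e.vwidxus@yahoo.com>
Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30])
        by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) client-ip=72.255.12.30;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) smtp.mail=e.vwidxus@yahoo.com
Received: by vwidxus.net id hnt67m0ce87b for <victim@example.net>; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from <e.vwidxus@yahoo.com>)
Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69)
        id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/
        for root@vwidxus.net; Sun, 12 Aug 2012 10:01:06 -0500
From: "Canadian Pharmacy" <e.vwidxus@yahoo.com>
Subject: constructed sample

(body omitted)
"""

# "from <helo-name> (<rdns> [<ip>]) by <our-host>", as a receiving MTA writes it
HOP_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")


def hop_time(hop):
    """Timestamp a Received: line carries after its final ';', or None if absent."""
    if ";" not in hop:
        return None
    try:
        return parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())
    except (TypeError, ValueError):
        return None


def analyze(raw, own_domain="google.com", tolerance_s=600):
    """Find the first Received: line written by our own provider and judge the rest."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]  # unfolded, newest first
    boundary = None
    for i, hop in enumerate(hops):
        m = HOP_RE.search(hop)
        if m and (m.group(3) == own_domain or m.group(3).endswith("." + own_domain)):
            boundary = (i, m.group(1), m.group(2))
            break
    if boundary is None:
        raise ValueError(f"no Received: line written by {own_domain} found")
    idx, helo, ip = boundary
    delivered_at = hop_time(hops[idx])
    # Everything below the boundary was supplied by the sender and can say anything,
    # including a date later than the moment our provider accepted the message.
    skews = [(t - delivered_at).total_seconds()
             for t in map(hop_time, hops[idx + 1:]) if t is not None and delivered_at]
    max_skew = int(max(skews, default=0))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    spf = (msg.get("Received-SPF", "none").split() or ["none"])[0].lower()
    flags = []
    # Heuristic only: legitimate mail is often relayed by third parties, so a host-name
    # mismatch is a hint; the SPF result is the check that carries weight.
    if not (helo == from_domain or helo.endswith("." + from_domain)):
        flags.append(f"From: claims {from_domain} but {own_domain} accepted the message "
                     f"from {helo} [{ip}]")
    if spf != "pass":
        flags.append(f"SPF result is '{spf}': {ip} is not a verified sender for {from_domain}")
    if max_skew > tolerance_s:
        flags.append(f"sender-supplied Received: lines are dated {max_skew}s after delivery")
    return {
        "boundary_index": idx,
        "connecting_host": helo,
        "connecting_ip": ip,
        "from_domain": from_domain,
        "return_path": return_path,
        "spf": spf,
        "sender_supplied_hops": len(hops) - idx - 1,
        "max_clock_skew_s": max_skew,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:22} {value}")
```

To use it on your own mail, paste the "Show original" text into SAMPLE and set own_domain to your provider's domain; the connecting_ip it reports is the address worth looking up, and the boundary is the place to stop trusting what the headers say.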

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 08/12/12

Comments (71)

  1. Phillip Ross

    Why can’t (or don’t) email programs provide a consistency check to make sure that the email is actually from the address in the “From” field?

  2. TheFu

    People have been complaining about email (SMTP) since the beginning. OTOH, it has been around and working “since the beginning” so the designers did something correct. To an end-user, SMTP seems really simple. They don’t understand all the complex routing, holding, disconnected servers, MIME attachments, and dead letters that are all built-in. SMTP is fantastically great and slightly complex.

    Email is much less like a letter and more like a postcard. The postcard analogy is very accurate in almost every way. Anything can be written on the card. If the TO address isn’t correct, it will still be sent, but it is unlikely to get to the intended person. The FROM address is meaningless. REPLY-TO is also meaningless. If the FROM and REPLY-TO are from different domains, it is probably spam. Every “post office” that an email goes through adds a stamp to the message – this helps trace any issues. The very first in that list of email servers can also be spoofed. It is much less likely for intermediate email systems to spoof anything.

    If you want a letter, you need to use encryption with your email. Look up GPG and enigmail for more about that. Companies are more likely to use X.509 certificates, but individuals overwhelmingly use GPG with public key encryption methods.

    @Phillip: The answer is that the standard does not address verification, and how could that be done within SMTP? Why not?
    * Should every email server in the world have a list of every email account on every email server always?
    * When we send an email, it is not required that the recipients email server be turned on.
    * There is no way to validate the TO fields until the message actually arrives.
    * Similarly, once a message is sent, that email server can disconnect itself just like you can close your front door after you place the postcard in any mailbox.
    * There is no way for the mailman 5 states over to verify that you are at home before he delivers the email to your friend’s home.

    The only way that I know to ensure an email is actually from the person you expect is to use either GPG or x.509 certificates and have the messages signed or signed AND encrypted.

    SMTP has been around a really long time and it was designed to work in a not-always-connected world. It still can work this way. In fact, anyone on the internet can connect directly to any email server and type in all the needed fields to deliver a message to an address on that system using telnet. How cool is that? You don’t need an email service or an email client, just telnet and a little knowledge – about 4 lines is all, I think.

    SMTP was designed to allow anyone – anyone – to run an email server. You – yes, you – can run an email server on the internet. It was not designed to be a single system, rather it was designed to be extremely resilient to failures at any level. When you look at SMTP this way, it actually does work really well.

    If you’d like to understand how email really works, this document https://www.ietf.org/rfc/rfc2821.txt tells all. It is a relatively simple to understand document. Just scanning the first 4 pgs is useful if you don’t have much time.

  3. Albert Kolkin

    I do not understand the explanation.

  4. Chris Benner

    Where is the IP address and how can you tell whether it is from Nigeria or Russia?

  5. Roland Rodriguez

    This is just like caller id. People (Companies) can send different information as to who is calling and what number they're calling from. Of course, the telephone company does know (they want to get paid for the call from another country); they just have to invest time and money to make sure this information is accurate.

  6. Kip

    I believe this is the ip although I am as lost as the rest of you :

    “spf=neutral (google.com: 72.255.12.30 is “

  7. Dean

    If the email programs had to verify every email’s sender that came to them, that would be an exponential cost to create that software. You would lose the free email services because Yahoo! and others would need to re-do their programming. Then you would have a war between scammers and verifiers, which may open up the doors to more virus attacks.

    The simplest solution is, if it is not a *solid* email, such as a legitimate Subject in the subject line, then delete it. When I get an email from SweetSuzie and the subject is, “I like you!”, the first thing I do is think, “I like me too!”, the second is to delete it. If it is just a “FW” or “RE:”, with no subject or a subject I never inquired of (remember, they’re supposedly responding to your inquiry), I delete it.

    Evil people are everywhere (especially those 14-year-olds in India that just raided your bank account). Play it **smart** and you’ll avoid 99.9% of all traps.

  8. Lyn Valentine

    Can someone tell me the best way to locate a person's email that I do not have and need???
    Thx
    Lyn

  9. iagoman

    A bit confusing, but somewhat helpful.
    Determining where an IP address is from seems to be difficult.
    How does one do that?

  10. Allan McLeod

    Why not provide a line by line explanation?

  11. Marc

    Google for “ip locator”; many websites provide this service.

  12. Carwin57

    Go to ‘whatismyipaddress.com. You can type in any IP address and it will tell you who it belongs to.

  13. Barbara Fuller

    This explanation leaves a lot to be desired. I agree with Albert. I still don’t know more than I did before the ‘explanation.’ How can a person forge the route the e-mail takes from Sender to Recipient, when it is out of their hands once they click the Send button? I just got an e-mail that is supposedly from one of my daughter’s Yahoo e-mail accounts, with a link in it that Norton blocked. I still can’t determine who it is actually from. As my dear old (deceased) mother would say, “This explanation is as clear as mud.” It doesn’t identify at all how scammers do this dirty deed.

  14. Barry Etheridge

    “Why can’t (or don’t) email programs provide a consistency check to make sure that the email is actually from the address in the “From” field?”

    Exactly what GMail does as part of its spam and scam detection!

  15. Bob

    You can also use this free tool. Just follow the directions. It is never 100% accurate as it depends on what is in the header. For example some services such as gmail really do not give enough info to track it back easily. Try it with some of the obvious scam/spam emails you receive – it can be very interesting. Remember however, even if it does not track back to Nigeria, India etc if it looks too good to be true it is very, very likely a scam.

    http://www.iptrackeronline.com/email-header-analysis.php

  16. Neville Newton

    Thanks for the information, I think it is very good, I will look out for such mails in the future.

    Neville.

  17. Jim

    What it doesn’t tell you – what if you do not have Gmail?
    Windows Live Mail allows you to see the details under save/print/properties.
    Open properties and you can read all the details...

  18. brian

    Use Whatismyipaddress.com

  19. brian

    You don’t really think Bill Gates is after your money, DO YOU?

  20. cindyv

    When I don't trust that a sender’s email address is real I copy it and paste it in notepad where the real from name appears.

  21. Paolo

    One of my ways to verify the source of an email is to check the IP address. True, it can be confusing to find the correct IP, but if you can get to the email header, as described in the (confusing) text of the article above, select and copy the whole header then bring up the following site:
    http://whatismyipaddress.com/trace-email?gclid=CNaJ5JT5rakCFUZn5QodZH0QKw
    Paste the header in the appropriate window and click on the tab “Get Source”.
    The program will return to you (99% of the times) the geographical location of the original IP. Try it, you will be surprised how easy it is (if you know how to get the email header) and how far the junk email is coming from.
    Good luck, and do not open suspicious email!

  22. Mike S

    “In Gmail, you can examine this information by clicking the arrow at the top right corner of an email and selecting Show original. This displays the email’s raw contents.”

    I can’t find this arrow on any of my Gmails. Does it sometimes go by another name or symbol?

  23. mike

    I fell at the first hurdle.

    Can’t see an arrow at the top right of my e-mail to click on, and your first screen scrape doesn’t appear to show it either.

    What am I missing please?

    Mike

  24. Squarepants

    It seems that spam happens and it is not 100% defeat-able.
    My solution, 3 accounts:

    1) Gmail account for strictly banking, business, medical concerns, and for people I trust. The address contains my full name so the recipient knows who the message is from. Seems to stay spam free for the moment.

    2) Hotmail account for online retailer sale notices (like woot and newegg), receipts, blog/forum subscriptions, Facebook and the like. It has spam safeguards but plenty slip through.

    3) Yahoo account for web sites that want an email address just to sign up or view a picture, or a web site that I have no intent on visiting again. If I do go back to that site, I will re-sign in and change the account preferences to the Hotmail address. Every once in a while I go to the Yahoo site to do some maintenance (delete messages).

    Perhaps this note isn’t for this particular concern at the top, but I felt it might help someone.

  25. Michael Shaw

    I was attracted to this article because it is good information. But it needs more explanation. I realize that if you tell all on this subject, the newbie scammers could learn how to scam from that.

    I wish there could be a way to explain this topic better and not provide instruction for the bad guys.

    But a better explanation with more detail would be much appreciated from my perspective. Usually writers here explain in a more ‘How-To-Geek’ fashion. And even if you exposed their methods, at least the readers of this article could be more aware and thereby protect against these bad guys.

  26. Anono

    @ iagoman

    You’re right! Finding host info for a particular IP is a bit difficult (for scumbag spammers/scammers, anyway). But for quick info you can just Google an IP address. On the other hand, you may want to try a service like this: http://www.ip-lookup.net/ . I find this site (and others like it) quite useful for discovering details about various (legitimate) hosts.

    So, for example, 208.43.115.82 should show that it is the IP domain of the “www.howtogeek.com” web site. It’s really not much more than what a simple public DNS lookup that your system (and browser) might do. But according to ARIN’s records, you should also see that HTG is “hosted” in Dallas, TX by a company called SoftLayer Technologies Inc. (I’m sure HTG has nothing to hide here.) That’s probably NOT a subsidiary of HTG since it’s just where HTG hosts their web site. Then again, maybe it is! You’ll have to ask or research the hosting company to get any more info.

    But I’m sure you could instead plug in an IP address of an email hop (aka “server”) and find out info like where it might be located, who owns it, etc. But don’t forget that just tells you info of the public hops (servers). It doesn’t necessarily tell you where the email (or traffic) really originated since there is the matter of tunneling and proxies (via zombie systems most likely) to consider too.

    For way more than you may ever want to know – including some great software to download – here is another excellent web site I discovered a long time ago (sorry if this isn’t kosher): http://www.analogx.com/ . You may also notice that this is the same entity (person-?) which hosts another great web site: http://www.internettrafficreport.com/ for those times when you’re wondering why things are so slow.

    And if you want to know who ARIN is (and you should!), here’s a wiki: https://en.wikipedia.org/wiki/ARIN

  27. Paul in San Francisco

    Dear Lyn Valentine, The best way to find out a person’s email address is to telephone and ask. Then take a pencil and write the answer down.

  28. Avi

    Nice article. But whenever I see your site logo, a little addition of a cape will turn this website into howtosupergeek :D.

  29. Paul Rutherford

    You will find a good explanation of how to take effective countermeasures/resolve doubts at …

    http://www.ipaddresslocation.org/email-tracking/email-header.php

    My email provider is Yahoo … and I use “EMail Trace” (whose URL that is) about once a week … because Yahoo lets me access the “full header” … which EMail trace is easily able to use.

    It’s amazing how many “replica” watches are being sold out of Nigeria/Israel/South America!

    the give away is none of them accept PayPal – because of the risk of “chargeback”

    **************

    What does hack me off, however, is when a government organisation (e.g. UK HMRC) simply wants to have the spoof e-mail forwarded to them.

    IMHO, this destroys the full header making the forwarded eMail untraceable = an exercise in fatuousity.

    If you are reading this, UK HMRC, please reply ….. and tell us I’m wrong!

  30. princeinflorida

    I’ve just recently noticed that I am getting these emails regarding my listings on Craigslist. Data miners are prevalent on Craigslist, especially looking to receive valid email addresses to sell.

    Here’s what I do to check it out.

    First, if I suspect such an email, after I click Reply, I then check the TO Address generated against the FROM Address. If they are different, I assume it is a forged address for data mining.

    Also, my Yahoo email spam filter puts these emails into my Spam folder. I am guessing that the spam filter is comparing the From address to the Reply address and sending the email to the Spam folder when different.

    So at least this email client, i.e. Yahoo, is monitoring forged emails. Nice to know!

  31. Matt V.

    For a more comprehensive look at this topic:
    http://www.grc.com/securitynow.htm

    and do a find on “Episode #79″ or “Backtracking Spoofed Spam eMail”

  32. bd1235

    To those asking where the down arrow is on Gmail, it is adjacent to the Reply button and when you hover over it you see a balloon showing More. Click it and then click on Original.

    I have Hotmail and Outlook.com emails and I forward them (or get Gmail to collect them) all to Gmail. Its spam and scam detection is so good. I then pull them back to the PC email client which also spam checks them.

  33. David Freestone

    The website i use is IP To Exact Location Finder.
    The address is:- http://www.iptef.com/
    This gives name, address and sometimes even phone number.
    Certainly worth a look.

  34. sVen

    @ Lyn Valentine

    If you’re looking for the email of a past acquaintance, etc, it’s just a guessing game, and you’re not likely to get it without contacting that person in some other way.
    If you’re looking to contact a person, or entity with a public email address, I’d suggest Google. …. how to contact disneyland transportation department…. how to contact maine port authority switchboard… how to contact valerie bertinelli….

    Companies, schools, government departments have contact lists, usually publicly accessible.

    If you’re looking for an old friend, whom you haven’t seen in twenty years, there are pay sites which can help you locate people. Google ‘find people’, and you should get several results.

    @ Paul in San Francisco

    Sarcastic much?

  35. UltimatePSV

    Is there a similar command for Show Original in Thunderbird?

  36. Marcus

    Bill gates doesn’t want my money. In fact he has so much, I have won nearly a billion dollars on the Microsoft random email lottery. I just need to pay his attorney about $5000 to get it released

  37. Scott

    Sorry, your tutorials are usually pretty good, but this one has a lot of LAZY in it. You reference noticing whether or not the IP address resolves to Nigeria, but no instruction on how to properly resolve it, or to even identify what the IP address is in the header. I think this one was thrown together a little too quickly, without any thought to the people that might be reading it. Email header info can be a bit complicated and require more effort than what was shown in this article.

  38. Matt H

    Barbara Fuller:

    They aren’t forging the route, just the place they claim it came from. Like sending something from one place but claiming it came from some place entirely different. The paper trail still leads back to the actual originating point.

  39. Chuck

    The arrow that is mentioned is next to the email date and is for ‘reply’.

    Next to the arrow is an upside down triangle. If you place your mouse over it you will see ‘More’.
    Clicking on it will show a dialog box with several options.

    The option you want is ‘Show Original’.

    Chuck

  40. Jack

    It’s sort of like putting your name and address on a snail mail letter but sending it from 3 towns over, or would it be more like sending it from your house with a friends name and address on it that is 3 towns over? Hmm.

  41. thompr

    For those that wanted to know what the IP number was and how to resolve it, I copied the information below from Whatismyipaddress.com. (http://whatismyipaddress.com/ip-lookup is where you can actually put in an IP address and they will resolve it.) The IP address used in the article is 72.255.12.30 and resolves to just northeast of Wichita, Kansas (Nigeria was just used for illustration).

    Every device connected to the public Internet is assigned a unique number known as an Internet Protocol (IP) address. IP addresses consist of four numbers separated by periods (also called a ‘dotted-quad’) and look something like 127.0.0.1.

    Since these numbers are usually assigned to internet service providers within region-based blocks, an IP address can often be used to identify the region or country from which a computer is connecting to the Internet. An IP address can sometimes be used to show the user’s general location.

    Because the numbers may be tedious to deal with, an IP address may also be assigned to a Host name, which is sometimes easier to remember. Hostnames may be looked up to find IP addresses, and vice-versa. At one time ISPs issued one IP address to each user. These are called static IP addresses. Because there is a limited number of IP addresses and with increased usage of the internet ISPs now issue IP addresses in a dynamic fashion out of a pool of IP addresses (Using DHCP). These are referred to as dynamic IP addresses. This also limits the ability of the user to host websites, mail servers, ftp servers, etc. In addition to users connecting to the internet, with virtual hosting, a single machine can act like multiple machines (with multiple domain names and IP addresses).

  42. Terry

    If I suspect an email is suspicious, I just click on the email header, do a CTL-A copying the contents of the whole header and launch http://www.ip-adress.com/trace_email/ and paste the contents of that header (CTL-V) and it tells me (for the most part) as to where that email came from.

  43. rick s

    Most of the time you can tell if it’s a scam just by the wording even if it says it came from a friend.
    I got one once that had fancy words in it so I knew it was bogus because my friend's writing skills are slightly above cave man.
    If unsure it’s better to delete it and call your friend just in case. He/she can always send another one.

  44. Torwin

    Hey people, lighten up. There are limits to how “simplified” an explanation can be, of a complicated subject. The main clue to look for is whether the lowest level From: field in the header text is consistent with the From field as displayed in your mail software. There will be other clues but you would need a degree in computer science (or equivalent years of study) to work them out.
    But this only matters to 1% or so of e-mails that you are doubtful about. The other 99% can be deleted without question if they are unexpected, implausible, ask for personal information, or you need to click on a link or enclosure to figure out what they are about. (Don’t do it!)

  45. Lex Li

    As I worked for Microsoft in the past, I can only comment that bill@microsoft.com is not the one for Bill Gates :)

  46. RickS

    The arrow in GMAIL being referred to I believe is in the upper left corner with a notation ‘to me’ next to it. It is a small breakdown of the information accessed by the “details” in the bottom right corner of a yahoo email. It’s like a lot of things here with the geeks, they instruct like they are talking to other geeks.

    Lyn Valentine wrong forum and if ya got their phone number.

    here here Allan McLeod

    Jim good input

    Mike S I don’t see a response like you mentioned from this arrow.

    Squarepants same here but I’ve got 4 yahoos and 3 gmails all for various uses.

    The one I use for this is the one I use for every thang until they qualify for my personal E-Mail accounts and then I got a business one and then a family one only the family gets….

    A note here::::: YOU DO NOT GET A VIRUS OR BAD SH.T FROM OPENING AN EMAIL IT IS WHAT YOU OPEN IN THAT EMAIL……

  47. Mikik

    You can also use IPNETINFO to find the server

  48. Mikik

    You can also use IPNETINFO to find the server of the ip address

  49. Viggenboy

    People (customers of my hosting service especially) seem incredulous that email works like this, saying it is yet another evil the internet has introduced; but I always point out that email is no different whatsoever from real old fashioned mail in this respect; when you post a letter does the mailbox check that you are who you say you are? And when old fashioned mail frauds were perpetrated, did people blame the USPS/Royal Mail? NO! Did they say the mail service was evil and should be stopped? NO! Did they say it was the responsibility of the mail service providers to police such scams? NO!

    This big difference is that: a) Mass scamming – on a huge scale is now cheap; b) People seem to be INCREDIBLY, implausibly gullible when it comes to email scams…. I’d love to understand the psychology here.

  50. BvG

    @MARCUS lol

  51. Joebee

    To make it simple, copy the FULL eMail header and go to

    http://www.iptrackeronline.com/email-header-analysis.php

    and paste into iptrackeronline window and let the Email Header Analysis
    do the work for you.

  52. Seabat

    I am an Outlook.com user. Just like Live Mail, Outlook lets users decide what mail gets through. I have never had spam or phishers send anything that can get through to me. It’s very simple, if your name is not on my mail list, your mail does not get to me. Send me garbage and it goes to my Junk folder. If I don’t want you in my Junk folder, I have the option to automatically delete so I don’t have to deal with it or you. I use a dummy account with another email client. That’s where junk comes in because there is no screening for me to set up. Look before you leap, folks.

  53. Drew P. Balls

    Beware of receiving e-mails from 127.0.0.1 I heard that guy is dangerous, and you don’t want anything to do with him.

  54. Jonn

    i wish it told us how to forge email addresses

  55. spike

    +1 @Viggenboy

    @Drew P. Balls: That address is localhost – which means, the email was sent using a server on the host it was sent from.

    @John: This article is aimed at letting people know that they can be forged, not to give step-by-step instructions so that every N00b can add to the volume of them.

    @others saying ‘not enough detail’: Wow, if the article was long enough to give all the details for every email client, it would be so long that none of you would read it, and we would be seeing comments like “probably good article, but so long that I didn’t even start. we want shorter articles!”

  56. Cecebee

    The title of the article is totally misleading. You did nothing to explain how a spammer forges the name of a sender; you merely re-stated that it can be done. I can appreciate you trying to help people in this murky area but the fact is that it is not something you or any one else can explain to the satisfaction of the general public. The explanation is just too technical for most people. If people want to escape this kind of annoying email they need to start using a form of registered email as they do with snail mail when they want to only receive something verified to come from a specific sender. That means using nothing but encrypted email and public key encryption and trying to sell that to the public is ridiculous.

  57. spike

    @Cecebee: “You did nothing to explain how a spammer forges the name of a sender; you merely re-stated that it can be done.” This is a good thing. Yes, the title is a bit misleading, but they did explain the circumstances (how email works) that shows why it can be done. That is enough explanation for the general public.

  58. spike

    I don’t want every HTG reader to start sending me emails that appear to have come from my bank, so I’m glad for this omission from the explanations.

  59. spike

    @Phillip Ross: (first comment)
    …Because that wouldn’t really address the problem, and would cost software companies more programming time. People that spam generally aren’t using Outlook or similar to send mail from.

  60. chris

    Mike,
    It’s in “Other Actions”. Click then you’ll see “Source”

  61. chris

    Oh, yes. You can forward the email to gmail and be able to use the “View Source” to see the whole journey. Having said that, I also would like more explanation of the result and how to understand it.
    Thanks to HTG anyway for a good try.

  62. BillB3857

    So what do you do when some of these scammers are using YOUR e-mail address?

  63. spike

    @chris: Woah- forwarding to Gmail, and looking at the headers, will trace back to the computer you forwarded from. There are ways of viewing headers in all the major email clients out there; you should learn to use that instead. In Outlook 2007, right-click the message, go to Message Options, and at the bottom, you will see Internet Headers. In Outlook 2010, open the message, go to File > Info > Properties, and again, the Internet Headers will be at the bottom. You can copy and paste this info into whatismyipaddress.com/trace-email for an easy-to-read breakdown
    Also, there is another HTG article explaining more on interpreting the header data.
    http://www.howtogeek.com/108205/htg-explains-what-can-you-find-in-an-email-header/

  64. trickrun

    I have to agree with the note above asking why gmail only? Are you paid by Google, i don’t google anymore…too much going on behind those scenes and i think gmail is the worst email of all the ones i’ve tried.

  65. Veer

    Hello Team,

    I remember that an article regarding how to identify the original source has already been published on How-To Geek. Could anybody confirm this for me?

    Thanks & Regards

  66. spike

    @trickrun: Google is dependable and fast, that’s why it’s popular. They use that for the example because that’s what the most people are likely to be familiar with.

    @Veer:
    If I know what you’re referring to, it’s 2 posts above yours, but here it is again.
    http://www.howtogeek.com/108205/htg-explains-what-can-you-find-in-an-email-header/

  67. Pete

    After reading all the comments, it seems the point of this article is completely missed.

    The point is
    Everything except the TO address can be spoofed in an email. EVERYTHING.

    It doesn’t take much effort to learn this. Knowledge and telnet is all it takes.

  68. Steve

    False Advertising at HTG! The article doesn’t explain “How scammers forge email addresses,” so much as “Scammers can forge email addresses and maybe this technique can help you avoid being fooled.” I didn’t learn the how-to that I was promised and that I wanted to learn. Two thumbs down.

  69. David

    I get bounced spammer mail which has my return address forged into the header. The header is complete and looks normal, except that a Russian or Ukrainian spammer (I can tell by the TO: addy) has inserted my email address as a return. I have no idea how they do this, nor does your article explain that.

  70. M.J.

    The CONSISTENCY CHECK is a good idea, and would seem fairly simple to implement. Is the first “received by” consistent with the email address stated??

    The long, rambling “explanation” following this excellent idea sounds like excuses for not doing something that would be too difficult to implement anyway.

    What would be the best way of encouraging the ISPs to implement a simple consistency check on the last two lines of the source data shown?

  71. Gopal Das

    I think everybody should check out the Scam Detector app. I believe they’re online as well.
