Distinguishing fraudulent e-mails

Checked out my spam folder today and an email from PayPal diverted my attention. OK, I’ve been receiving spam mails calming to be from PayPal, asking me to ‘reset my password’ even before I owned a PayPal account :D But this one was better than the simple textual ones I used to get. This was an exact look alike of the original PayPal emails.. Complete with CSS formatted right infobar !

Sender : <service@paypal.com>

Fake paypal email
Fake PayPal email

PayPal original mail
An authentic PayPal email

What I mean from this is that scammers and phishers are trying their level best to deceive you. Mail service providers do help a lot with phishing mail warnings. Browsers too display phishing site warnings the moment you enter one. But it’s always better to know your stuff.

original_mesage.jpg

Gmail had already found it to be a ’spoofing’ mail and hence marked it as Spam. All the hyperlinks in such emails will be unlinked. I was curious to find out the phishing site and desperately wanted the link :D ..

Anyways, here is a way to find out if a mail is fake or not. View the original message header.
For gmail, just click on “show original”.

Find out the “Received” field. Check if the domain from which the mail was sent is actually the domain in the ‘from’ address of the mail..

Received: from server7.techplanetindia.com ([66.90.103.81])
        by mx.google.com with ESMTP id f6si31844636pyh.2007.07.12.19.07.06;
        Thu, 12 Jul 2007 19:07:06 -0700 (PDT)
Received-SPF: neutral (google.com: 66.90.103.81 is neither permitted nor
denied by domain of nobody@server7.techplanetindia.com)
Received: from nobody by server7.techplanetindia.com with local (Exim 4.63)
 (envelope-from <nobody@server7.techplanetindia.com>)
 id 1I9AYk-0000f9-6z

The mail was actually mailed from <nobody@server7.techplanetindia.com>
For Yahoo! mail, you’d need to enable email headers as it is disabled by default. Sign into Yahoo mail, Options > General Preferences > Scroll down to Messages and choose ‘Show all headers on incoming messages’

yahoo_mailoptions.jpg

Now, you can see the original email header on all your mails. E.g:

Authentication-Results: mta485.mail.mud.yahoo.com from=hotmail.com; domainkeys=neutral (no sig)
Received: from 65.54.246.162 (EHLO bay0-omc2-s26.bay0.hotmail.com) (65.54.246.162) by mta485.mail.mud.yahoo.com with SMTP; Fri, 13 Jul 2007 10:05:41 -0700

The next time you get a mail and feel the least bit suspicious about it, don’t forget to check out the headers.

cheers !



Search the Web with Google

5 Responses to “Distinguishing fraudulent e-mails”


  1. 1 imperfectblogger

    nice post.. i always wondered how to get full headers in yahoo..

    1
  2. 2 Umang

    EXCELLENT post .helped. thankyou :)

    2
  3. 3 JEAHBOYEEE

    RAD POST. thanks for the gmail tip. very very helpful.

    3
  4. 4 J Gutierrez

    A-one post ..

    4
  5. 5 aaa

    Received: (qmail 22481 invoked from network); 12 Oct 2008 23:46:05 -0000
    Received: from nic.ira.sch.gr ([194.63.237.132])
    by mail-cluster.att.sch.gr (qmail-ldap-1.03) with QMQP; 12 Oct 2008 23:46:05 -0000
    Delivered-To: CLUSTERHOST nic.ira.sch.gr alexand@sch.gr
    Received: (qmail 12447 invoked by uid 207); 12 Oct 2008 23:46:06 -0000
    Received: from 72.14.204.168 by nic (envelope-from , uid 201) with qmail-scanner-2.01
    (sophie: //.
    Clear:RC:0(72.14.204.168):SA:0(-0.0/5.0):.
    Processed in 1.658166 secs); 12 Oct 2008 23:46:06 -0000
    X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on nic
    X-Spam-Status: No, score=-0.0 required=5.0 tests=HTML_MESSAGE,SPF_HELO_PASS,
    SPF_PASS autolearn=failed version=3.2.4
    X-Spam-Level:
    X-Envelope-From: mtheodoros6@gmail.com
    Received: from qb-out-1314.google.com ([72.14.204.168])
    (envelope-sender )
    by nic.ira.sch.gr (qmail-ldap-1.03) with SMTP
    for ; 12 Oct 2008 23:46:03 -0000
    Received: by qb-out-1314.google.com with SMTP id e16so1300254qba.18
    for ; Sun, 12 Oct 2008 16:46:01 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=gamma;
    h=domainkey-signature:received:received:message-id:date:from:to
    :subject:mime-version:content-type;
    bh=2A148Fek7eHj8UznsRJNAXJaR+CMHip56LVxguUzVns=;
    b=V/e9kAQBRoi66XqdKCroxG5sr8Xvq7ky58zisngoxXeS8+LMt7f0WZ8oSI+uLA5jcY
    F0ECE4teIdLwy1iElfnALYqi4ss3BvLlovxJ0LUgVXzXfdVj4ik6CgDIGMst5ZR4YA4Z
    qLwrS/TlQCe8Dps7orQnAPgFW83F9/7/uDiNE=
    DomainKey-Signature: a=rsa-sha1; c=nofws;
    d=gmail.com; s=gamma;
    h=message-id:date:from:to:subject:mime-version:content-type;
    b=SHJ8RLEOpxxtRHNrPmJHtMZnoELRXRZYH50P6NoXw8deoDQPGXh3cKanLvgq43aufn
    MKTkF34EyxWg7gteZ5iABNlAWuYTmzM0m5Hw0qAB2ts42DN4jxVzbtDX/yWheJtd9CeT
    RpW7nOns8BpilgIn+s8++A7szEuiyojXHXir8=
    Received: by 10.210.24.7 with SMTP id 7mr4543666ebx.98.1223855160932;
    Sun, 12 Oct 2008 16:46:00 -0700 (PDT)
    Received: by 10.210.120.8 with HTTP; Sun, 12 Oct 2008 16:46:00 -0700 (PDT)
    Message-ID:
    Date: Mon, 13 Oct 2008 02:46:00 +0300
    From: “martakis theodoros”
    To: alexand@sch.gr
    Subject: =?ISO-8859-7?B?0NHP09nQycrP?=
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary=”—-=_Part_34947_11727234.1223855160939″

    5

Leave a Reply





Clicky