Checked out my spam folder today and an email from PayPal diverted my attention. OK, I’ve been receiving spam mails calming to be from PayPal, asking me to ‘reset my password’ even before I owned a PayPal account 
But this one was better than the simple textual ones I used to get. This was an exact look alike of the original PayPal emails.. Complete with CSS formatted right infobar !
Sender : <service@paypal.com>
Fake PayPal email
An authentic PayPal email
What I mean from this is that scammers and phishers are trying their level best to deceive you. Mail service providers do help a lot with phishing mail warnings. Browsers too display phishing site warnings the moment you enter one. But it’s always better to know your stuff.
Gmail had already found it to be a ’spoofing’ mail and hence marked it as Spam. All the hyperlinks in such emails will be unlinked. I was curious to find out the phishing site and desperately wanted the link ..
Anyways, here is a way to find out if a mail is fake or not. View the original message header.
For gmail, just click on “show original”.
Find out the “Received” field. Check if the domain from which the mail was sent is actually the domain in the ‘from’ address of the mail..
Received: from server7.techplanetindia.com ([66.90.103.81])
by mx.google.com with ESMTP id f6si31844636pyh.2007.07.12.19.07.06;
Thu, 12 Jul 2007 19:07:06 -0700 (PDT)
Received-SPF: neutral (google.com: 66.90.103.81 is neither permitted nor
denied by domain of nobody@server7.techplanetindia.com)
Received: from nobody by server7.techplanetindia.com with local (Exim 4.63)
(envelope-from <nobody@server7.techplanetindia.com>)
id 1I9AYk-0000f9-6z
The mail was actually mailed from <nobody@server7.techplanetindia.com>
For Yahoo! mail, you’d need to enable email headers as it is disabled by default. Sign into Yahoo mail, Options > General Preferences > Scroll down to Messages and choose ‘Show all headers on incoming messages’
Now, you can see the original email header on all your mails. E.g:
The next time you get a mail and feel the least bit suspicious about it, don’t forget to check out the headers.
cheers !
nice post.. i always wondered how to get full headers in yahoo..
1EXCELLENT post .helped. thankyou
2RAD POST. thanks for the gmail tip. very very helpful.
3A-one post ..
4Received: (qmail 22481 invoked from network); 12 Oct 2008 23:46:05 -0000
5Received: from nic.ira.sch.gr ([194.63.237.132])
by mail-cluster.att.sch.gr (qmail-ldap-1.03) with QMQP; 12 Oct 2008 23:46:05 -0000
Delivered-To: CLUSTERHOST nic.ira.sch.gr alexand@sch.gr
Received: (qmail 12447 invoked by uid 207); 12 Oct 2008 23:46:06 -0000
Received: from 72.14.204.168 by nic (envelope-from , uid 201) with qmail-scanner-2.01
(sophie: //.
Clear:RC:0(72.14.204.168):SA:0(-0.0/5.0):.
Processed in 1.658166 secs); 12 Oct 2008 23:46:06 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on nic
X-Spam-Status: No, score=-0.0 required=5.0 tests=HTML_MESSAGE,SPF_HELO_PASS,
SPF_PASS autolearn=failed version=3.2.4
X-Spam-Level:
X-Envelope-From: mtheodoros6@gmail.com
Received: from qb-out-1314.google.com ([72.14.204.168])
(envelope-sender )
by nic.ira.sch.gr (qmail-ldap-1.03) with SMTP
for ; 12 Oct 2008 23:46:03 -0000
Received: by qb-out-1314.google.com with SMTP id e16so1300254qba.18
for ; Sun, 12 Oct 2008 16:46:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:received:received:message-id:date:from:to
:subject:mime-version:content-type;
bh=2A148Fek7eHj8UznsRJNAXJaR+CMHip56LVxguUzVns=;
b=V/e9kAQBRoi66XqdKCroxG5sr8Xvq7ky58zisngoxXeS8+LMt7f0WZ8oSI+uLA5jcY
F0ECE4teIdLwy1iElfnALYqi4ss3BvLlovxJ0LUgVXzXfdVj4ik6CgDIGMst5ZR4YA4Z
qLwrS/TlQCe8Dps7orQnAPgFW83F9/7/uDiNE=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=message-id:date:from:to:subject:mime-version:content-type;
b=SHJ8RLEOpxxtRHNrPmJHtMZnoELRXRZYH50P6NoXw8deoDQPGXh3cKanLvgq43aufn
MKTkF34EyxWg7gteZ5iABNlAWuYTmzM0m5Hw0qAB2ts42DN4jxVzbtDX/yWheJtd9CeT
RpW7nOns8BpilgIn+s8++A7szEuiyojXHXir8=
Received: by 10.210.24.7 with SMTP id 7mr4543666ebx.98.1223855160932;
Sun, 12 Oct 2008 16:46:00 -0700 (PDT)
Received: by 10.210.120.8 with HTTP; Sun, 12 Oct 2008 16:46:00 -0700 (PDT)
Message-ID:
Date: Mon, 13 Oct 2008 02:46:00 +0300
From: “martakis theodoros”
To: alexand@sch.gr
Subject: =?ISO-8859-7?B?0NHP09nQycrP?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”—-=_Part_34947_11727234.1223855160939″