Detect Spoofed Emails

Detecting spoofed emails is one of several methods you can use to identify a phishing attempt before you become a victim.

The most obvious check for a “SPOOFED” email is the FROM field. If the address displayed differs from the address you know for the person or company that supposedly sent it, the message is very likely a spoof. Such messages arrive frequently and appear to come from legitimate companies like eBay, PayPal or a major bank; when they try to lure you into handing over passwords or other personal information this is called “PHISHING”, and a forged sender is usually its first step. It is very easy for con artists to send spoofed email, because the FROM field is simply text that the sender fills in, but there are ways it can be detected.

Before we look at these methods, tip #1: your bank, eBay or PayPal will never ask you for your personal information through an email. If you get an email from one of them asking you to send information they already have, it’s a safe bet the email is not genuine.


Let’s take a look at Email 101:

The basic flow of email goes like this:

  1. Your email is handed by the email program you use (e.g. Microsoft Outlook, Hotmail, SmarterMail, etc.) to a Simple Mail Transfer Protocol (SMTP) server.
  2. That server passes the message on from SMTP server to SMTP server, from one end of the Internet to the other, until it reaches the recipient’s mail server.
  3. There it sits in the recipient’s inbox until they use their email program to retrieve and read your message.

Another way to detect a “SPOOFED” email is to look at the message’s “header”. The header records the route the message took as it was handed from server to server across the Internet on its way into your inbox. This is where you should be able to track down where the dubious message actually came from, as opposed to where it claims to come from.

Here is how to display the full headers in some well-known email programs. If yours is not listed, check its help file for how to review the headers.

Outlook: select View/Options

Outlook Express: select Properties/Details

Eudora: click on the “Blah Blah Blah” button

Pine: type H

Hotmail: go to Options/Mail Display Settings/Message Headers and select “Full.”

Yahoo! Mail: select “Full Headers.”

Netscape: select View/Headers/All

Look for any mismatch between the friendly name, which may look like the name of a person or company you know, and the actual e-mail address in the FROM field. If the friendly name is “BIG BANK of US” but the e-mail address does not belong to that bank, or if the name in the FROM field is missing or misspelled, the e-mail is probably spoofed. An experienced email spoofer won’t make this mistake, though, so a FROM field that looks right proves nothing on its own.

Next, review the Received fields. Every time the message is handed from one SMTP server to the next, the receiving server adds a new Received field above the existing ones, so they are read from the bottom (the sender’s end) up to the top (your own mail server). Only the line added by your own server can be trusted outright; every line below it was written by someone else’s machine and may have been forged. The bottom Received field might look like this:

Received: from HarryPotter ([1234.1234.1234.1234]) by HarryPotterMail
    (MyMailProgram v3.7) with SMTP id 9-2-7-1-6HarryPotterMail@Theaters for <Bobby Jones>; Sun, 24 Apr 2004 08:23:47 +3251

This line describes the original hand-off: the sender’s email program (HarryPotter) delivering the message to the SMTP server of their ISP or company (HarryPotterMail). Keep in mind that this line, too, can be forged, since it was written by a machine you do not control. If the mail purports to come from one organization but the host names in these lines belong somewhere entirely different, you have reason to be skeptical. Additionally, it’s a good idea to review the IP address of the machine that sent the email. This is the four numbers separated by dots (each between 0 and 255; the numbers in the example above are placeholders, not a real address) in the “Received:” line.
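The two checks above, the FROM field and the Received chain, can be automated. The following Python script is an added example written for this article, not code from the original page: it parses a constructed sample message (the host names use reserved documentation-style domains and the IP addresses come from the RFC 5737 documentation ranges, so nothing points at a real system), separates the friendly name from the actual From: address, reads the Received lines top-down starting from the one your own server wrote, and flags the message when none of the servers that actually handled it belong to the domain the From: address claims.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not a real capture). Headers appear top-down:
# the top Received line was added last, by the recipient's own mail server,
# and is the only one the recipient can trust outright; each line below it
# was written earlier by a machine further away and may be forged.
SAMPLE_MESSAGE = """\
Received: from relay.example-isp.net (relay.example-isp.net [203.0.113.25])
\tby mail.recipient.example (Postfix) with ESMTP id 4D7F2C1A
\tfor <bobby@recipient.example>; Sat, 24 Apr 2004 08:25:01 -0700
Received: from HarryPotter (dsl-pool-77.example-isp.net [198.51.100.77])
\tby relay.example-isp.net (MyMailProgram v3.7) with SMTP id 9-2-7-1-6
\tfor <bobby@recipient.example>; Sat, 24 Apr 2004 08:23:47 -0700
From: "BIG BANK of US" <security@bigbank.example>
To: Bobby Jones <bobby@recipient.example>
Subject: Please confirm your account details

Dear customer, please reply with your password.
"""

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)


def parse_hops(msg):
    """Return the Received hops top-down (most trusted first).

    Each hop records the name the sending host announced (from), the reverse
    DNS name and IP the receiving server actually saw (in parentheses), and
    the server that wrote the line (by)."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold and squeeze whitespace
        m = HOP_RE.search(text)
        if not m:
            continue
        claimed, seen, by_host = m.group(1), m.group(2) or "", m.group(3)
        ip = None
        ip_match = IPV4_RE.search(seen)
        if ip_match:
            try:
                ip = str(ipaddress.ip_address(ip_match.group(1)))
            except ValueError:
                ip = None  # rejects impossible octets such as 999.1.1.1
        hops.append({"claimed": claimed, "seen": seen, "ip": ip, "by": by_host})
    return hops


def from_domain(msg):
    """Friendly name and domain of the real address in From:."""
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    """True if host is domain itself or a host underneath it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Compare the domain claimed in From: with the servers in the Received chain.

    The From: header is just text chosen by the sender. The names recorded by
    receiving servers are harder to fake, so the message is flagged when none
    of them belong to the claimed domain."""
    msg = message_from_string(raw, policy=policy.default)
    name, domain = from_domain(msg)
    hops = parse_hops(msg)
    # Servers that actually handled the message: the host each receiving
    # server saw, plus every "by" server except our own (the top line).
    relays = [h["seen"].split()[0] for h in hops if h["seen"]]
    relays += [h["by"] for h in hops[1:]]
    return {
        "display_name": name,
        "from_domain": domain,
        "hops": hops,
        "origin_ip": hops[-1]["ip"] if hops else None,  # earliest, least trusted hop
        "suspicious": bool(domain) and not any(in_domain(r, domain) for r in relays),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGE)
    for hop in report["hops"]:
        print(f'by {hop["by"]}: from {hop["claimed"]} ({hop["seen"]})')
    print("From: domain", report["from_domain"], "origin IP", report["origin_ip"])
    print("suspicious:", report["suspicious"])
```

The sample is flagged because the bank’s mail should have left the bank’s own servers, yet every server in the chain belongs to an unrelated ISP. The `origin_ip` is the address in the bottom-most line, the one to feed to nslookup or tracert, and also the value most easily forged.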

If the sending machine has an IP address of 1234.1234.1234.1234, then at the Windows command prompt (Start, Programs, Accessories, Command Prompt) type:

Nslookup 1234.1234.1234.1234

This performs a reverse lookup and should reveal the host name registered for that address, often the name of their SMTP server. Whoever controls the address also controls that name, so treat it as a hint rather than proof. You can also use:

Tracert 1234.1234.1234.1234

The Tracert command displays the route across the network from your computer to the IP address specified. Things to look for are host names that don’t fit the supposed sender, or abbreviations that indicate a geographical location (e.g., SEA for Seattle) far from where the sender should be. Tracert shows where an address sits on the network, not who sent the mail, so treat it as supporting evidence only. And if the IP address turns out to be useless, don’t be surprised: spoofers relay mail through other people’s servers and compromised machines to hide their electronic tracks.

Using your detective skills along with a bit of luck, it’s possible to track down the ISP actually used by the sender of the message. Keep reviewing each “Received” field until you reach the end of the chain. If you can identify the original ISP, send them a copy of the email, with its full headers, and ask them to act against the sender. How do you know the ISP’s address for this? Use the abuse mailbox at the ISP’s own domain (abuse@ followed by the ISP’s domain name, the standard convention for reporting misuse).

Unfortunately there’s really not much an individual can do to prevent email spoofing. Mail server security can be tightened, and many companies have done just that. One product we recommend is PGP (Pretty Good Privacy). It is appropriate when the legitimacy of the sender must be ascertained and the sender is someone you have already exchanged keys with. There are other good encryption programs available for email as well. If you’re unfamiliar with the term “encryption”, it scrambles a message so that only the intended recipient can read it, protecting it from being read or tampered with in transit. What identifies the sender is the digital signature these programs add: a signature that verifies against a key you already hold for that person shows the message really came from them, which no FROM field can.

Good luck with your detective work and be very careful of “Spoofed” email.
