How to Trace a Spammy Email
Thud... another unwanted email with a potentially fake “From” address just landed in your inbox. And you wish you could find out where it actually came from. Or maybe you got an email several days after it was sent? Read on to learn about some free tools that can help with both situations... |
Who Really Sent That Email?
There are times when it’s useful to trace the path that an email traveled to land in your inbox. The most common situation is suspected spam, when you want to discover the true source of an email. Delays in receiving emails can also be diagnosed by tracing the path that emails take to you. But tracing emails on your own can be pretty frustrating. Here's why.
Every email contains hidden information about the path it took to reach you, called “header information.” To most people, it looks like 100 or so lines of gibberish, which is why it's hidden by your email program. Here is just a small part of a typical example:
X-Received: by 10.67.3.3 with SMTP id bs3pad.121.144187; 18 May 2024 05:10:17 -0700 (PDT)
Return-Path: EDDCOQNWXFNNFKD.BNLk9QJHMF3MHBFK.BNL@example.com
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.com>
Message-ID: 60762392-7dbc-50e41ecd8bee@xt2mta1217.xt.local
With the possible exception of the "From" and "To" lines, ordinary mortals struggle to make sense out of email headers like this snippet. Geeks who run email servers or those who hunt down spammers for fun may get eyestrain looking at raw headers, too. But there are many online tools that parse email headers to make them more legible by humans.
The MxToolBox Email Header Analyzer is a free online tool provided by MX Tools, Inc., a Texas-based firm that primarily serves network administrators and ISPs. Anyone can use the Analyzer, however; just paste a block of header information into the tool’s form and click the “Analyze Header” button.
The results include a bar graph, indicating any delays in the hops that the message took to reach you. It will also show you if any of the mail servers that relayed the message are on a spam blacklist. If the sender's server is on a blacklist, that's a big red flag that the message may be suspicious, malicious, fictitious, or pernicious.
Wrapping Your Head Around Headers
I mentioned above that the email headers are hidden from view by email programs. So where do you find those hidden headers? Google provides brief, clear instructions on how to find message headers in Webmail messages, including Gmail, AOL, Yahoo! Mail, Excite Webmail, and Hotmail (now Outlook.com). Instructions for finding headers in desktop clients such as Microsoft Outlook, Apple Mail, Mozilla Thunderbird, and Opera are also given.
The Google Apps Toolbox also includes a message header analyzer. Its main purpose is to highlight delays in message relays and pinpoint their possible sources. (Typically, email messages are received within seconds, even if they must travel half-way around the globe.)
IPTracker is an email header tool that's more suited for non-techie users. In addition to showing the IP address of the sender, it also shows the name of the sender's Internet service provider, and the city and country of origin on a map.
Interpreting Email Headers is another Google tutorial, for those who want to read raw email header info. It walks you through each line of a sample header, explaining in plain English what it means.
Here are some bits of information that can be gleaned by analyzing the headers of an incoming email message:
- Sender information: From and Reply-To addresses (either may be forged)
- Recipient information: In addition to the "To" address, you can see if there were Cc: (Carbon copy) or Bcc: (Blind copy) recipients. A long list of Cc or Bcc adddresses is a red flag for spam.
- Spam/Virus Flags: You may find X-Spam-Status, X-Spam-Flag, and X-Virus-Scanned flags, indicating whether the email was flagged as spam or scanned for viruses.
- Validation: SPF, DKIM and DMARC headers will show PASS/FAIL values, to indicate if the From: address may have been forged
- Client Headers: X-Mailer and User-Agent headers may reveal the software used to send the email.
Identifying a Spammer
If a sender forges the "From" line, you may not be able to find the email address of the actual sender. But analyzing the email headers will show you at least that it WAS forged, and give you an indication where it originated. According to Statista, Russia is the top spam-producing country, where 31.5% of all spam originates.
It's also important to keep in mind that a lot of spammy emails are sent from ordinary home computers that are compromised by malware. The spamming masterminds can use networks of infected personal computers that number in the millions, to send their detestable dispatches anonymously. So don't assume that the person in the From: line of an email has any knowledge of having sent it.
For extra credit, you can paste the IP address found on the first "Received" line into the MaxMind GeoIP tool, to learn the approximate geographic location of the sender. (Note that first "Received" line is the one closest to the bottom of the headers. As messages travel over the Internet, the header lines stack up, so you need to read them in reverse order.)
For example, I got a classic 419 Scam email from a spammer recently, showing this: "Received: from User (UnknownHost [105.112.26.217]) by vdt.com …" Sure enough, the MaxMind tool confirmed my suspicion that the sender was in Lagos, Nigeria.
If you think a message is from a spammer or a scammer, don't reply to it. You'll only be confirming to the bad guys that your address is valid, and possibly embroiling yourself in a heap of trouble.
Keep in mind that anonymizing tools like VPNs (virtual private networks), proxy servers, forwarding services, and TOR can be used to hide or mask the IP address of an email sender. So your attempt to trace an email back to the actual sender may lead down a rabbit hole.
But ii you can determine that the outgoing mail server is an internet service provider, you can forward the suspect message, with full headers exposed, to abuse@[isp-name].com and often they will disable the sender's account. Don’t bother forwarding unwanted emails to the FTC at spam@uce.gov – that address was phased out in 2004. You can, however report a spam message to the FTC, just don't expect a reply. They will share your report with local, state, federal and foreign law enforcement partners. The FTC does not resolve individual complaints, but your report might be used to investigate cases.
Personally, I find it more satisfying to just hit the DELETE button and move on with my life. Your thoughts on this topic are welcome. Post your comment or question below…
This article was posted by Bob Rankin on 23 May 2024
| For Fun: Buy Bob a Snickers. |
 |
Prev Article: Geekly Update - 23 May 2024 |
The Top Twenty |
Next Article: The High Price of Anonymity |
 |
Post your Comments, Questions or Suggestions
|
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- How to Trace a Spammy Email (Posted: 23 May 2024)
Source: https://askbobrankin.com/how_to_trace_a_spammy_email.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "How to Trace a Spammy Email"
Posted by:
Cold City
29 May 2024
Hi ! Bob you ask that we read proof our comments, you should do the same for the main story : But ii you can determine that the outgoing"
There is even no need for AI to do this.
This story here seems just a replay?
Posted by:
Ernest N. Wilcox jr.
29 May 2024
In my younger years, I tried to be proactive about the spam messages I received in an effort to help get them prosecuted, but to no avail. Today, (like Bob) I simply move spam messages to my spam folder in my email client and move on with my life.
I define spam as any message I receive that I did not expect or that comes from a source I do not trust/do business with, or any message with a forged header, or that contains questionable hyperlinks. I use a web based who-is site to learn from where in the world a questionable message originates (forged header), and I always check the address any link will purportedly take me to, before clicking it (questionable hyperlinks). A questionable hyperlink is one that will take me to an address that doesn't correspond with the information on its label, or one that looks more like some complicated, arcane code that I do not understand than a web address.
In every case, if I'm suspicious about any email I receive, even if it seems to pass my investigation, I either send it to my spam/junk folder (messages that fail my investigation), or simply delete it (any other suspicious message).
When a message arrives (including any I'm expecting), I check the sender's email address. For example, my Ask Bob newsletter comes from bob@askbobrankin.com. If the email address reported by my email client differs, I send it to the spam/junk folder immediately. Next (if it passes my first examination), after opening the message, I verify the link to the item in today's message. If the web address does not start with https://askbobrankin.com, I send the message to my spam/junk folder. If the link passes my second test, I click, and read the item (as I've done today).
I've said this before, and I'll say it again, "Never blindly trust anything that comes from the internet (including email messages), ever!".
I hope this helps others,
Ernie (Oldster)
Posted by:
cho
29 May 2024
In Windows "Mail" app, a right-click > Send-to-Trash purportedly blocks the address from your acct. Not sure if it actually does so.
Posted by:
Ernest N. Wilcox jr.
29 May 2024
@cho,
Sadly, even if it does block the sender's email address, spammers use bot-nets to send their missives from many, perhaps hundreds of addresses, so blocking doesn't usually work.
Ernie (Oldster)
Posted by:
Brian B
29 May 2024
It would be immensely useful if we could use a geographic filter in our email apps, rather than address filters. It's too easy for scammers and spammers to just change an origin address, but a bit harder to change their country of origin from Russia or Nigeria, say. Any ideas on this? Thunderbird gives the option of filtering and address straight to trash, but what's the use of that. The spammer will never use that address again anyway.
Posted by:
Brian B
29 May 2024
Sorry Bob, the info received when using MxToolBox Email Header Analyzer, is just as much gobbledegook to me as the actual header.
Posted by:
Gillian
30 May 2024
". . . suspicious, malicious, fictitious, or pernicious" - lovely!!
Posted by:
Wolf
30 May 2024
This is another great and informative article. This is great information, just in case I may need to investigate anything specific; otherwise, I just delete that crap! If some stupid text message appears on my phone, I just select "delete and report junk." End of matter! No need to waste time and energy on the fools, bullshitters, hucksters, and other cyber-miscreants out there! Thank you, Bob!
Posted by:
Dave
31 May 2024
Some emails do not have a deletes/manage option, so I installed mail washer, after blocking the domain and the sender I bounce them, I thought that would fix those ones, but even that doesn't work, I still get the same emails from 3 or 4 senders.
Posted by:
Hugh Gautier
31 May 2024
Bob, in checking with that email checking program you had a link listed it is a BETA program, and I for one will not have a BETA program on my system. The problem stems from being stung by a BETA program and I lost everything on my system because the company had not even said the program was in the BETA test mode. Had I known that I would not have put the program onto my system. Well-known companies will say that they recommend that the user use a system that they are not afraid of having to format the entire hard drive because of faulty coding.
It might behoove you to let your users know that some of the software you mentioned is in the BETA test mode.
Posted by:
Frances
03 Jun 2024
Quite a few years ago for about 2 months I checked the headers for my incoming Hotmail every day and kept a record in a spreadsheet. Mostly it was just curiosity but, in a handful of cases, I followed up with the ISP and got replies.
One was from a road paving company in Arizona (I looked up the company online) which said that they knew they had a compromised computer but not which one and could I send them the IP address. Which i did.
Another was from an ISP in the UK which replied that they would follow up with the subscriber.
Unfortunately, I used a spreadsheet program that I no longer have and thus can't read the results. Still, it was interesting.
Posted by:
RandiO
13 Jun 2024
Thank you for all that you do for us, BobRankin,
I was under the impression that most eMail (gMail/Outlook/etc.) programs/apps already do spam-filtering aggressively.
"Aliasing" personal eMail addresses are provided by most programs/apps (gMail/Outlook/etc.) and such features can be used for further filtering and spam-blocking.