How to read email headers and identify Spam
Nobody likes or wants SPAM, and yet our inboxes are full of it.
It is not only intrusive; it also puts our online identity at risk. Phishing attacks have been on the rise ever since they came into existence.
It’s not easy to detect phishing emails
To defend customers' inboxes from SPAM, companies spend time and money on blocking malicious emails before they even reach the customer, using the DMARC (Domain-based Message Authentication, Reporting and Conformance) standard.
Unfortunately, no matter what one does, some unsolicited emails will always make it to the inbox. While some of the emails we receive are obvious spam, most are not easy to recognise just by looking at the content or the sender. And these are extremely effective: 97% of people around the globe cannot identify a sophisticated phishing email.
But there's a way.
Here comes the advanced debugging of email, commonly known as analysing the email headers. Let's understand what email headers are and how they can help in detecting fraudulent emails.
Generally only the basic information is displayed in the normal email header view. Some examples of the normal email header in different mail clients:
As you notice, most email readers only show the From: and To: headers, which can be easily forged. The complete message headers look something like this:
Delivered-To: firstname.lastname@example.org
Received: by 10.200.41.121 with SMTP id z54csp461727qtz; Sun, 8 Jan 2017 04:33:03 -0800 (PST)
X-Received: by 10.55.157.17 with SMTP id g17mr82034336qke.122.1483878783846; Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Return-Path: <email@example.com>
Received: from trans.pepitrans01.com (trans.pepitrans01.com. [22.214.171.124]) by mx.google.com with ESMTPS id 94si44473076qtb.140.2017.01.08.04.33.03 for <firstname.lastname@example.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Received-SPF: pass (google.com: domain of email@example.com designates 126.96.36.199 as permitted sender) client-ip=188.8.131.52;
Authentication-Results: mx.google.com; dkim=pass firstname.lastname@example.org; email@example.com; spf=pass (google.com: domain of firstname.lastname@example.org designates 184.108.40.206 as permitted sender) email@example.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com; h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date; bh=IReTMq2p4Y99Y1lFEln+pSvcofA=; b=dEWvsIdSK0j5Gmp9ATUlhfDRHQqUR7BolSaqyBh+CzC5WU4iGnn6aBZFtLSi0b4ze+V5nwG3fCAyn4mkAGhdgA7DvJTikspVnn+Jqpu68ru6UnH10WVD8oCJ6aa4Pa6A/sA4Zm52K9h2R7cGQjMOcEZ+N5NNQ6BG9Dtvi+ezKgk=
Received: by trans226.mailxy.com id he8oo0229vgh; Sun, 8 Jan 2017 18:03:04 +0530 (envelope-from <firstname.lastname@example.org>)
Delivered-To: email@example.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com; h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date; bh=ChnX1bsU13QtrayAVkclQsY4c0s=; b=Ziuit9vOzeeAanLi0/idQ3hTE/Jb3cWs2pMLW71gzQ1/AHgpWYBhXDZoxU8wAmluG/8q2BmnQNKYr9W+ZU1DD4aZHUS1ViqMWYcAdudle3pBb40kLPyk6uCuixu3hXcV/J2d13xEOJ5QkVyiYWYYL1WLxRSOypYBU/7eHWxntiE=
Message-ID: <firstname.lastname@example.org>
To: email@example.com
From: "Confirmation - Thrifty-Deals" <firstname.lastname@example.org>
Subject: Confirm your newsletter subscription
Content-Type: text/plain
List-Unsubscribe: <mailto:email@example.com>
X-InjTime: 1483878784
X-Abuse-Reports-To: firstname.lastname@example.org
X-FNCID: 22228-14838138016706353-0
X-TransMail: 1
Date: Sun, 8 Jan 2017 18:03:04 +0530

We have received your request to receive the Thrifty-Deals newsletter.
Please click below now to complete the process:
http://seasonsms.com/lt.pl?jfklowerwksdfha
Thank you!
Publisher: Season Publishing House Newport News, VA 23606
The complete email header provides much more information about the origin of a message and is a useful tool for tracking and stopping SPAM and virus-laden email.
Whenever you open an email, you'll also find options like View Source, View Message Header or Show Original. Here is the guide to viewing the complete email headers in different email clients or webmail providers.
Understanding the different elements of email headers
The header lines beginning with Received: provide a trace of the email from its origin to your mail server. They show the origin along with the list of servers which processed the email before it reached your mailbox. The Received: lines give you many valuable clues for judging the legitimacy of the source.
How to analyse the Received parameter in the mail headers
Each mail server which handles an email message adds a Received: header set to the front (top) of the message; the first set is therefore the one added by your own mail server.
The first Received: header shows the email originating from a server with IP address 10.200.41.121:
Received: by 10.200.41.121 with SMTP id z54csp461727qtz; Sun, 8 Jan 2017 04:33:03 -0800 (PST)
In the above example, the From: header says the email is from “Confirmation – Thrifty-Deals” <email@example.com>, but the Received: line shows it coming from trans.pepitrans01.com. [220.127.116.11]:
Received: from trans.pepitrans01.com (trans.pepitrans01.com. [18.104.22.168]) by mx.google.com with ESMTPS id 94si44473076qtb.140.2017.01.08.04.33.03 for <firstname.lastname@example.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Now, this seems suspicious, unless trans.pepitrans01.com belongs to the same owner as seasonsms.com, or the owner of seasonsms.com has authorised trans.pepitrans01.com to send emails on their behalf.
As per the SPF record, seasonsms.com has granted rights to pepipost.net for sending emails on their behalf.
So now let's validate whether the actual sending host trans.pepitrans01.com. [22.214.171.124] belongs to pepipost.net or not. If it does, then we are safe to say that the email is not spam.
So, let's check the SPF record of pepipost.net:
And also the SPF record of trans.pepitrans01.com:
In both of the above we get the same IP address range, 103.52.181.x. This shows that pepipost.net has allowed 103.52.181.x to send emails on its behalf.
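Walking the Received: chain by hand is error-prone, so here is a small Python parser, added as an example (it is not code from the original post or from Pepipost). It pulls the Received: lines out of a header block, lists the hops in the order the message actually travelled (the bottom-most Received: line is the oldest; the top-most was added last, by your own provider, and only the lines your own provider added can be trusted, since a sender can put anything below them), extracts the handing-off host and bracketed IPv4 address of each hop, and measures the time between hops. The header sample is constructed, modelled on the post's example, with placeholder host names under the reserved .example TLD and documentation-range IPs.

```python
# Added example, not code from the original post: list the Received: hops of a
# message in transit order and measure the time between them.
import email
import email.utils
import re

# Constructed sample header block modelled on the post's example. Host names
# use the reserved .example TLD and IPs come from documentation ranges.
RAW_HEADERS = """\
Delivered-To: recipient@example.org
Received: by 10.200.41.121 with SMTP id z54csp461727qtz;
        Sun, 8 Jan 2017 04:33:03 -0800 (PST)
Return-Path: <bounce@seasonsms.example>
Received: from trans.pepitrans01.example (trans.pepitrans01.example. [203.0.113.25])
        by mx.example.org with ESMTPS id 94si44473076qtb.140
        for <recipient@example.org>;
        Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Received: by trans226.mailxy.example id he8oo0229vgh;
        Sun, 8 Jan 2017 18:03:04 +0530 (envelope-from <bounce@seasonsms.example>)
From: "Confirmation - Thrifty-Deals" <newsletter@seasonsms.example>
To: recipient@example.org
Subject: Confirm your newsletter subscription

(body omitted)
"""

# "from <host> ... by <host>"; the "from" part is absent on internal hops.
HOP_RE = re.compile(r"^(?:from\s+(?P<from>\S+).*?\s)?by\s+(?P<by>\S+)", re.I)
# Bracketed IPv4 literal as written by the receiving server; IPv6 is not handled.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return hops oldest-first as dicts with from/ip/by/date keys."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its Received: line, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        clause, _, date = text.partition(";")   # the timestamp follows ';'
        m = HOP_RE.match(clause)
        ipm = IP_RE.search(clause)
        hops.append({
            "from": m.group("from") if m else None,
            "ip": ipm.group(1) if ipm else None,
            "by": m.group("by") if m else None,
            "date": date.split("(")[0].strip(),  # drop the trailing comment
        })
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops. A second or two backwards is clock
    skew; hours backwards suggests a forged or replayed Received: line."""
    times = [email.utils.parsedate_to_datetime(h["date"]) for h in hops]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def summarize(raw):
    """Compare the From: domain with the host that handed the message to the
    recipient's infrastructure (the first hop carrying a bracketed IP)."""
    msg = email.message_from_string(raw)
    hops = parse_hops(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    handoff = next((h for h in hops if h["ip"]), None)
    return {
        "from_domain": addr.rpartition("@")[2].lower() or None,
        "handoff_host": handoff["from"] if handoff else None,
        "handoff_ip": handoff["ip"] if handoff else None,
        "hop_delays": hop_delays(hops),
    }


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(RAW_HEADERS), 1):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']} at {hop['date']}")
    print(summarize(RAW_HEADERS))
```

On the constructed sample the From: domain (seasonsms.example) differs from the handing-off host (trans.pepitrans01.example), which is exactly the situation the post goes on to resolve with SPF; the one-second negative delay between the first two hops is ordinary clock skew between two providers, not a sign of forgery.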
So, the conclusion of this analysis is that:
- the user email@example.com has received an email from firstname.lastname@example.org via a 103.52.181.x IP address, which is owned by pepipost.net;
- seasonsms.com's SPF record shows that they have allowed pepipost.net to send emails on their behalf.
Hence, this is a legitimate email and not a forged one.
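The SPF check just carried out by hand (does the sending IP appear in the SPF record of the sender's domain, following include: references to the provider's record?) can be run mechanically. The Python below is an added example, not code from the post or from Pepipost: the TXT records are constructed placeholders standing in for DNS, and the evaluator handles only the ip4, ip6, include and all mechanisms (a, mx, ptr, exists and redirect are left out), but it does propagate include: results the way RFC 7208 describes and enforces the lookup limit so that two records including each other yield permerror instead of recursing forever.

```python
# Added example, not code from the original post: a minimal SPF evaluator
# over a constructed set of TXT records, following include: chains.
import ipaddress

# Constructed records standing in for DNS TXT lookups; none of these are real.
DNS_TXT = {
    "seasonsms.example": "v=spf1 include:pepipost.example -all",
    "pepipost.example": "v=spf1 ip4:103.52.181.0/24 ip6:2001:db8:1::/48 ~all",
    "trans.pepitrans01.example": "v=spf1 ip4:103.52.181.0/24 -all",
    # Two records that include each other, to exercise the lookup limit.
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 (counted here as include depth)


def check_spf(domain, ip, lookup=DNS_TXT.get, _lookups=0):
    """Evaluate the SPF policy of `domain` for a message sent from `ip`.

    Handles ip4, ip6, include and all with their qualifiers. Returns pass,
    fail, softfail, neutral, none (no record) or permerror (too many
    includes). Mechanisms needing further DNS (a, mx, ptr, exists, redirect)
    are not modelled here.
    """
    if _lookups > MAX_LOOKUPS:
        return "permerror"
    record = lookup(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # Mismatched address families never match (IPv6 sender vs ip4).
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, ip, lookup, _lookups + 1)
            if inner == "permerror":
                return inner
            if inner == "pass":  # only a pass inside the include matches
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no `all` term


if __name__ == "__main__":
    for dom, ip in [("seasonsms.example", "103.52.181.10"),
                    ("seasonsms.example", "198.51.100.7"),
                    ("loop-a.example", "103.52.181.10")]:
        print(f"{dom} from {ip}: {check_spf(dom, ip)}")
```

Note the difference between the two "all" qualifiers: pepipost.example ends in ~all, so an unknown IP is only a softfail there, while seasonsms.example ends in -all and turns the same IP into a hard fail. Receivers treat the two quite differently, so a sender's choice of qualifier matters as much as the address list.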
Received-SPF and DKIM-Signature
In the above example there are two more important parameters, Received-SPF and DKIM-Signature. Not every sender adds these, but most good/big senders have now made it a practice to set up SPF and DKIM. These parameters help in verifying the authenticity of the email.
The Received-SPF header shows pass. This means the domain seasonsms.com has allowed the IP address 126.96.36.199 to send emails on its behalf.
This confirms the analysis we did earlier.
Received-SPF: pass (google.com: domain of email@example.com designates 188.8.131.52 as permitted sender) client-ip=184.108.40.206;
The next header parameter, Authentication-Results:, shows dkim=pass. This means the signature in the DKIM-Signature: header verified against the public key published in DNS by the signing domain, i.e. it was produced with the matching private key held on the actual sending server (220.127.116.11/pepipost.net).
Authentication-Results: mx.google.com; dkim=pass firstname.lastname@example.org; spf=pass (google.com: domain of email@example.com designates 18.104.22.168 as permitted sender) firstname.lastname@example.org
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com; h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date; bh=IReTMq2p4Y99Y1lFEln+pSvcofA=; b=dEWvsIdSK0j5Gmp9ATUlhfDRHQqUR7BolSaqyBh+CzC5WU4iGnn6aBZFtLSi0b4ze+V5nwG3fCAyn4mkAGhdgA7DvJTikspVnn+Jqpu68ru6UnH10WVD8oCJ6aa4Pa6A/sA4Zm52K9h2R7cGQjMOcEZ+N5NNQ6BG9Dtvi+ezKgk=
Received-SPF: pass (google.com: domain of email@example.com designates 22.214.171.124 as permitted sender) client-ip=126.96.36.199;
In the above case the email was sent using a third-party SMTP service, Pepipost. But if the email had been sent using the sender's own in-house infrastructure, then the owner of the sender domain and the owner of the sending IP address should ideally be the same (unless on shared infrastructure).
A number of tools are available for verifying the ownership of a domain or IP address. The authoritative reference for IP addresses is the American Registry for Internet Numbers (ARIN) and its counterparts for other regions (RIPE NCC, APNIC, LACNIC and AFRINIC). Using ARIN's “Search WHOIS” tool, you can find the identity of the IP address owner.
If nothing works out and you still doubt the legitimacy of an email, simply send a message to “abuse@organization” with a copy of the complete email header (in the above example it would be firstname.lastname@example.org). Most webmasters validate and reply to queries received on the abuse address.
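One caveat worth making explicit: anyone can publish SPF and DKIM for a domain they control, so spf=pass and dkim=pass only prove that the message came from the domain that signed it or authorised the sending IP, not that this domain is the one the reader sees in From:. DMARC, mentioned at the start of the post, closes that gap by requiring the authenticated domain to align with the From: domain. The Python below is an added example, not the post's or Pepipost's code: it parses an RFC 8601-style Authentication-Results header from two constructed messages (placeholder domains) and reports relaxed and strict alignment. The organizational-domain helper is a deliberate simplification (last two labels); a real implementation consults the Public Suffix List.

```python
# Added example, not code from the original post: read Authentication-Results
# and check DMARC-style identifier alignment against the From: domain.
import email
import email.utils
import re

# Constructed messages (placeholder domains). In the first, the signing and
# SPF domains are subdomains of the From: domain; in the second, a third
# party authenticates its own domain while the From: claims to be a bank.
ALIGNED = """\
Authentication-Results: mx.example.org;
       dkim=pass header.d=delivery.seasonsms.example header.s=pepipost;
       spf=pass (sender authorised by SPF) smtp.mailfrom=bounce.seasonsms.example
From: "Thrifty-Deals" <newsletter@seasonsms.example>
To: recipient@example.org

(body omitted)
"""

SPOOFED = """\
Authentication-Results: mx.example.org;
       dkim=pass header.d=bulk-sender.example header.s=k1;
       spf=pass smtp.mailfrom=bounce@bulk-sender.example
From: "Your Bank" <alerts@bank.example>
To: recipient@example.org

(body omitted)
"""


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Production
    code should use the Public Suffix List so that e.g. co.uk is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """Parse an RFC 8601 Authentication-Results value into
    {method: {'result': ..., property: value, ...}}."""
    text = " ".join(value.split())              # unfold continuation lines
    text = re.sub(r"\([^)]*\)", "", text)       # drop (comments)
    results = {}
    for part in text.split(";")[1:]:            # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        props["result"] = result.lower()
        results[method.lower()] = props
    return results


def dmarc_alignment(raw, relaxed=True):
    """Report whether the DKIM d= and SPF MAIL FROM domains align with the
    RFC5322.From domain (relaxed: same organizational domain; strict: exact)."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))

    def aligned(domain):
        if not domain or not from_domain:
            return False
        domain = domain.lower()
        return (org_domain(domain) == org_domain(from_domain)
                if relaxed else domain == from_domain)

    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    # smtp.mailfrom may be a bare domain or a full address; keep the domain.
    mailfrom_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"))
    spf_ok = spf.get("result") == "pass" and aligned(mailfrom_domain)
    return {"from_domain": from_domain, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}


if __name__ == "__main__":
    print("aligned:", dmarc_alignment(ALIGNED))
    print("spoofed:", dmarc_alignment(SPOOFED))
```

The second message passes both SPF and DKIM and would still be rejected or quarantined by a DMARC policy, because neither authenticated identifier has anything to do with bank.example. That is the check to reach for when the visible From: and the authenticated domains in the headers do not match.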
List-Unsubscribe is another important parameter in the email header.
If a user wants to unsubscribe from a mailing, they simply send an email to this (long) address and they will be unsubscribed.
The List-Unsubscribe header is an optional piece of text. It works in conjunction with the options that the email client provides for unsubscribing and spam complaints.
Example: in Gmail you will see an option to unsubscribe from this sender. When a user clicks that link, the email client sends an email to the address defined in the List-Unsubscribe header.
All email headers prefixed with “X-” are not standard headers. They are added by the sending server for its own internal tracking and reporting purposes, so they can simply be ignored in this analysis. Examples of such headers are X-Abuse-Reports-To, X-InjTime, X-FNCID, X-TransMail and X-SG-EID.
Historically, designers and implementers of application protocols have often distinguished standardized from unstandardized parameters by prefixing the names of unstandardized parameters with the string “X-” or similar constructs. In practice, that convention causes more problems than it solves, and it was later deprecated by the IETF community (RFC 6648).
Some handy tips for identifying and avoiding Spam emails:
Tip 1: Test it before you check it
If you are unsure of any link embedded in the email, hover your mouse over it to review the full address it points to. If it looks fishy, don't click it. Test the link by opening it in a different window.
Tip 2: Check for spelling mistakes
Brands are pretty serious about the emails they send out. Legitimate messages usually do not have major spelling mistakes or poor grammar. Email addresses in spam or phishing emails often have random spellings which are easy to notice.
Tip 3: Don’t share your personal information
Legitimate banks and most other companies will never ask for personal credentials via email, so don't share them.
Tip 4: Invoking a sense of urgency or fear is a common phishing tactic.
Beware of subject lines claiming that your “account has been suspended” or that there was an “unauthorized login attempt”; such emails are most probably SPAM.
Tip 5: Don’t click on attachments
Including viruses and malware as an attachment is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.
We at Pepipost take spam seriously. We are working hard to rebuild and reconstruct the email ecosystem. Let’s together make it spam free. Start analyzing your emails and mark unwanted suspicious emails as Spam and stay safe from Phishing.