(Updated 2020) How to Read Email Headers and identify SPAM
Why is SPAM still in existence?
The tumorous flow of SPAM requires a SMART solution. Read below to keep your inbox free of junk.
It is not only plain intrusive, but it also puts our online identity at risk. Phishing attacks have only been on the rise ever since they came into existence. Email Validation still remains an important topic to understand.
Detection of phishing emails
To defend customers inboxes from SPAM emails, companies spend time and money to block malicious emails before they even reach the customers with the DMARC (Domain-based Message Authentication Reporting and Conformance) standard.
Unfortunately, no matter what one does, some unsolicited emails will always make it to the inbox. While some of the emails we receive are obvious spam, most of them are not very easy to recognize just by seeing the content or the sender. And these are extremely deceptive!
97% of people around the globe cannot identify a sophisticated phishing email.
-BusinessWire (May 12, 2015). Read the full report here.
Analysis of Email Headers
Here comes the advance debugging of email which is commonly known as analyzing the email headers. Let's understand what email headers are and how they can help in detecting fraudulent emails.
Generally, only the basic information is displayed on the normal email header. Some examples of normal email header in different mail clients:
Google Mail Header (GMAIL)
As you notice, most email readers only show the "From" and "To" headers, which can be easily forged. The complete message headers will look something like this:
Delivered-To: email@example.com Received: by 10.200.41.121 with SMTP id z54csp461727qtz; Sun, 8 Jan 2017 04:33:03 -0800 (PST) X-Received: by 10.55.157.17 with SMTP id g17mr82034336qke.122.1483878783846; Sun, 08 Jan 2017 04:33:03 -0800 (PST) Return-Path: <firstname.lastname@example.org> Received: from trans.pepitrans01.com (trans.pepitrans01.com. [184.108.40.206]) by mx.google.com with ESMTPS id 94si44473076qtb.140.2017.01.08.04.33.03 for <email@example.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 08 Jan 2017 04:33:03 -0800 (PST) Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 220.127.116.11 as permitted sender) client-ip=18.104.22.168; Authentication-Results: mx.google.com; dkim=pass email@example.com; firstname.lastname@example.org; spf=pass (google.com: domain of email@example.com designates 22.214.171.124 as permitted sender) firstname.lastname@example.org DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com;h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date; bh=IReTMq2p4Y99Y1lFEln+pSvcofA=;b=dEWvsIdSK0j5Gmp9ATUlhfDRHQqUR7BolSaqyBh+CzC5WU4iGnn6aBZFtLSi0b4ze+V5nwG3fCAyn4mkAGhdgA7DvJTikspVnn+Jqpu68ru6UnH10WVD8oCJ6aa4Pa6A/sA4Zm52K9h2R7cGQjMOcEZ+N5NNQ6BG9Dtvi+ezKgk= Received: by trans226.mailxy.com id he8oo0229vgh; Sun, 8 Jan 2017 18:03:04 +0530 (envelope-from <email@example.com>) Delivered-To: firstname.lastname@example.org DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com;h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date;bh=ChnX1bsU13QtrayAVkclQsY4c0s=;b=Ziuit9vOzeeAanLi0/ idQ3hTE/Jb3cWs2pMLW71gzQ1/AHgpWYBhXDZoxU8wAmluG/8q2BmnQNKYr9W+ZU1DD4aZHUS1ViqMWYcAdudle3pBb40kLPyk6uCuixu3hXcV/J2d13xEOJ5QkVyiYWYYL1WLxRSOypYBU/7eHWxntiE= Message-ID: <email@example.com> To: firstname.lastname@example.org From: "Confirmation - Thrifty-Deals" <email@example.com> Subject: Confirm your newsletter subscription Content-Type: text/plain List-Unsubscribe: <mailto:firstname.lastname@example.org> X-InjTime: 1483878784 X-Abuse-Reports-To: email@example.com X-FNCID: 22228-14838138016706353-0 X-TransMail: 1 Date: Sun, 8 Jan 2017 18:03:04 +0530 We have received your request to receive the Thrifty-Deals newsletter. Please click below now to complete the process: http://seasonsms.com/lt.pl?jfklowerwksdfha Thank you! Publisher: Season Publishing House Newport News, VA 23606
The complete email header would provide much more information on the origin of a message and is a useful tool for tracking and stopping SPAM and virus-laden email.
Whenever you open an email to read, you’ll also find options like View Source, View Message Header or Show Original. Here is the guide for you to view the complete email headers on different email clients or webmail provider.
Understanding the different elements of email headers
The header lines begin with Received: and provide a trace of the email from its origin to your mail server. It will show the origin along with the list of servers that processed this email before reaching your mailbox. The ‘Received:’ parameter of your email gives you many valuable clues to identify the legitimacy of the source.
How to analyze the Received parameter in the mail headers
Each mail server that handles an email message adds a Received: header set to the front of the message; the first set is therefore added by your mail server.
The first Received header shows that the email was actually originated from a server with IP address 10.200.41.121
Received: by 10.200.41.121 with SMTP id z54csp461727qtz; Sun, 8 Jan 2017 04:33:03 -0800 (PST)
In the above example, the header shows the email is actually received From: "Confirmation - Thrifty-Deals" <firstname.lastname@example.org> but the Received: parameter is showing from trans.pepitrans01.com. [126.96.36.199].
Received: from trans.pepitrans01.com (trans.pepitrans01.com. [188.8.131.52]) by mx.google.com with ESMTPS id 94si44473076qtb.140.2017.01.08.04.33.03 for <email@example.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Now, this seems suspicious. Unless trans.pepitrans01.com belongs to the same owner who owns seasonsms.com or the owner of seasonsms.com has given rights to trans.pepitrans01.com to send emails on their behalf.
Let’s check the SPF record of seasonsms.com. This you can easily do on Mxtoolbox or simply type ~ dig TXT seasonsms.com on your terminal.
As per the SPF record, seasonsms.com has granted rights to pepipost.net for sending emails on their behalf.
So, now let’s try to validate the actual sending IP address trans.pepitrans01.com. [184.108.40.206] belongs to pepipost.net or not. If that validates, then we are safe to say that email is not spam.
So, let’s check the SPF record of pepipost.net
Also, the SPF of trans.pepitrans01.com
Cool, in both of the above we got the same reference of IP address, which is 103.52.181.x here. So, this shows that pepipost.net has allowed 102.52.181.x to send emails on their behalf.
So, here's the insight to all of the above :
- the user firstname.lastname@example.org has received an email from email@example.com via 103.52.181.x IP address which is owned by pepipost.net
- seasonsms’s SPF shows that they have allowed pepipost.net to send emails on their behalf.
Hence, this is a legitimate email and not a forged one.
Received-SPF and DKIM-Signature
In the above example, there are two more important parameters, Received-SPF and DKIM-Signature. Not every sender adds these, but most of the good/ big senders have now made it a practice to add SPF and DKIM. These parameters help in identifying the authenticity of the email.
The header parameter in Received-SPF is showing as pass. This means the domain seasonsms.com has allowed the IP address 220.127.116.11 to send emails on their behalf.
This conforms to the analysis which we did earlier.
Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 18.104.22.168 as permitted sender) client-ip=22.214.171.124;
The next header parameter Authentication-Results: is showing dkim=pass. This means the long public key mentioned in the parameter DKIM-Signature: matches with its associated private key stored on the actual sending server 126.96.36.199/pepipost.net server.
Authentication-Results: mx.google.com; dkim=pass email@example.com; spf=pass (google.com: domain of firstname.lastname@example.org designates 188.8.131.52 as permitted sender) email@example.com DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com; h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date; bh=IReTMq2p4Y99Y1lFEln+pSvcofA=;b=dEWvsIdSK0j5Gmp9ATUlhfDRHQqUR7BolSaqyBh+CzC5WU4iGnn6aBZFtLSi0b4ze+V5nwG3fCAyn4mkAGhdgA7DvJTikspVnn+Jqpu68ru6UnH10WVD8oCJ6aa4Pa6A/sA4Zm52K9h2R7cGQjMOcEZ+N5NNQ6BG9Dtvi+ezKgk= Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 184.108.40.206 as permitted sender) client-ip=220.127.116.11;
In the above case, the email was sent using a third party SMTP service Pepipost. But, in case the email was sent using their own in-house infrastructure, then the owner of the sender domain and sending IP address should be ideally the same (unless on a shared infrastructure).
A number of tools are available for verifying the ownership of a domain/IP address. The authoritative reference for IP addresses is the American Registry of Internet Numbers. Using ARIN's "Search WHOIS" tool, you can find the identification of the IP address owner.
Pro Tip: If nothing works out and you still doubt on the legitimacy of an email then simply send a message to "abuse@organization" with a copy of the complete email header (Here is the above example: it will be email@example.com).
Most of the webmasters validate and reply to queries received on abuse.
This is another important parameter in the email header.
In case the user wants to unsubscribe from an email then simply send an email to this long email address, and the user will get unsubscribed.
The List-Unsubscribe header is an optional piece of text. It works in conjunction with options that the email client provides for unsubscribing and spam complaints.
Example: In the case of Gmail you will see an option to unsubscribe from this sender. When a user clicks on this link, the email client sends an email to the email address defined in the List-Unsubscribe header parameter.
All email headers prefixed with “X-” are actually not the standard headers. It is added by the sending server for some of their internal trackings and reporting purposes. Hence, these can be simply ignored for any analysis. Examples of these headers in the above example are X-Abuse-Reports-To, X-InjTime, X-FNCID, X-TransMail, X-SG-EID.
Historically, designers and implementers of application protocols have often distinguished between standardized and unstandardized parameters by prefixing the names of unstandardized parameters with the string "X-" or similar constructs. In practice, that convention causes more problems than it solves. Hence it is later depreciated by the IETF community.
Did you know about DMARC policy for email senders which protects users from SPAM emails involving pornography?
Some handpicked tips to identify and avoid Spam emails
Tip 1: Test it before you check it
If you are unsure of any embedded text in the email, hover your mouse over the link to review the full email address. If it looks fishy, don’t click it. Test the link by opening the link in a different window.
Tip 2: Check for spelling mistakes
Brands are pretty serious about the emails they send out. Legitimate messages usually do not have major spelling mistakes or poor grammar. Email addresses of Spam or phishing emails have random spellings that can be easily noticed.
Tip 3: Don’t share your personal information
Legitimate banks and most other companies will never ask for personal credentials via email so don’t share it.
Tip 4: Invoking a sense of urgency or fear is a common phishing tactic.
Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt” such emails are most probably SPAM.
Tip 5: Don’t click on attachments
Including viruses and malware as an attachment is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.
Also, read this important article on SPAM Traps.
We at Pepipost take spam seriously. We are working hard to rebuild and reconstruct the email ecosystem. Let’s together make it spam free. Start analyzing your emails and mark unwanted suspicious emails as Spam and stay safe from Phishing.
There's also a special layer of protection known as TLS, which you must know about.