  1. #1  5 Star Lounger, Seattle, WA (joined Jan 2011)

    Find out where that e-mail really came from

    INSIDER TRICKS

    By Susan Bradley

    Potentially dangerous scam e-mails might be landing in your inbox, masquerading as legitimate mail. Fortunately, there are tools that can help you determine the source of suspect messages and possibly identify who's sending them.

    The full text of this column is posted at WindowsSecrets.com/insider-tricks/Find-out-where-that-e-mail-really-came-from/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2  New Lounger, San Francisco, California, USA (joined Jun 2010)

    View email content in Thunderbird w/o opening file

    I find that some emails that look like spam are not and have caught some important responses using the method below.

    Using Thunderbird you have the option, under File, Print Preview, of viewing most of the email WITHOUT actually opening it. Some HTML images don't show there, and you probably don't need them either.

    Also, use F8 to turn off the preview screen. TB tends to reactivate it.
    Mary
    MJN

  3. #3  Administrator, Portugal (joined Jun 2010)
    Outlook 2010 can easily be configured to give you access to the message header info; there is no need to use an external app. I just customized the ribbon and added the Message Options command to the View tab.

    [attachment: MessageOptions.JPG]

    It shows you the message header quite clearly:

    [attachment: InternetHeaders.JPG]

  4. #4  2 Star Lounger, Coon Rapids, MN (joined Feb 2010)
    I don't do this as much as I did years ago. I use Yahoo Mail Plus exclusively, and have been a paid subscriber for 13 years. What I've always read is that the last line in the header is the real sender. Perhaps not true anymore. I don't get much spam, a few pieces a week, and Yahoo scans everything before it lets you open it, but some of those are just too amusing. The garbled English is the first clue; hovering over a link and seeing that it isn't really the FBI is another - I loved the one that said I MUST open their attachment because they were the FBI! The funniest one I've gotten lately has come multiple times purporting to be from the NYC Motor Vehicles division and telling me my speeding fine is overdue, so open the attachment, fill it out and pay up, giggle. Might work on some, but I've never been in NYC other than once at La Guardia coming back from a military tour overseas, 40 years ago. Those guys don't get smarter with time. Enjoyed your article. :^)

  5. #5  3 Star Lounger, Fresno, California, USA (joined Dec 2009)
    I've seen that but find the peek tool makes it easier to grab the header files for cut and paste purposes.
    Last edited by SusanBradley; 2011-11-10 at 16:01.

  6. #6  New Lounger, United Socialist States of America (joined Nov 2011)
    That was a very interesting article. I remember the old days of forwarding everything to SpamCop. The address I used to use doesn't seem to produce results any more.

    Regarding this article, I compared the results of using the MailHops Thunderbird add-on versus using the ipTrackerOnline.com email header analysis. I was surprised and a skosh dismayed to find that they yielded *very* different results.

    To wit, I have been conversing with a person who says he is from Russia, about 400 miles outside of Moscow. He has a US-based yahoo.com email address. MailHops says that the email originated in Sunnyvale, CA - just like another yahoo.com email address I had tried. ipTrackerOnline.com claimed that the originating IP address seemed to be in Wednesbury, England and got to Yahoo from there.

    More interestingly, running the headers from a second email from my Russian friend through ipTrackerOnline showed that the originating location was, indeed, the Russian Federation, but MailHop still listed Sunnyvale, CA.

    I guess one has to be skeptical of MailHop's results and consider the possibility that the current version of their product (0.5) may need quite a bit of work.

    Analyzing an email sent from my sister's AOL address yielded very similar results between the two analysis tools - both indicating the actual town that she lives in as the originating address.

  7. #7  New Lounger, United Socialist States of America (joined Nov 2011)
    Huh, it would appear that ipTrackerOnline.com's parsing algorithm has a big bug in it. One of the results I got from it indicated that emails sent by me to others were being routed through DoD's network (the Department of Defense). Since I'm politically active it set off all kinds of paranoia alarms that my email was being monitored by the government. However, when I searched for the IP address in the header that was supposedly part of DoD, I came up with a line like this one:

    Received: from imr-da06.mx.aol.com (imr-da06.mx.aol.com. [205.188.169.203])
    by mx.google.com with ESMTP id i17si1051058vcw.112.2011.11.10.16.32.03;
    Thu, 10 Nov 2011 16:32:03 -0800 (PST)
    11.11.10.16 was the alarming address since the entire 11.0.0.0 class A IP address does belong to DoD. But if you pay close attention to 2011.11.10.16.32.03, which ipTrackerOnline was trying to parse as an IP address, you'll see that it's actually a timestamp that translates into Nov 10, 2011 at 04:32:03 PM.

    I only hope that they'll fix their algorithms before they give some other poor libertarian political activist like me a stroke!
    Last edited by vorlonken; 2011-11-10 at 19:46. Reason: typo

  8. #8  New Lounger, WA (joined Dec 2009)
    Years ago I used a program called Sam Spade. I would copy the headers and paste them into Sam Spade, which would parse the data and give you easy-to-read results. I don't think SS has been updated for years, so I'm not sure if it's still valid. I've started using ipnetinfo. It would be nice to have someone who knows what they are doing evaluate those and give your opinion.
    Thanks for the great newsletter.

  9. #9  2 Star Lounger, Christchurch, Canterbury (joined Nov 2003)
    Problem with PocketKnifePeek (at least for Outlook 2002) is that it marks the headers as being edited. Which means if you open the Outbox (for instance to check what is there or resend after an error) the selected email won't be sent! This took me some time to track down - and it would be on a day when a large email had to get to a client in a hurry.

  10. #10  5 Star Lounger, London (joined Dec 2009)
    Does anyone know of an equivalent to Peek for IE or Windows Mail?

  11. #11  New Lounger, Denver, CO (joined Dec 2009)

  12. #12  Bronze Lounger, Naples, Florida, USA (joined Sep 2002)

    Is my "safety check" appropriate?

    I use Windows Live Mail and have always just ensured that the reading pane is "Off" before checking email, so only the header shows. If it's clearly spam, I delete it. If I'm not sure, I right-click the header, check Properties and sometimes Message Source to decide.

    Is this a safe way to check or do I need one of the programs Susan or other Loungers have suggested?

    Thanks,

    Linda
