How do you analyze the source behind an e-mail's sender address?
Funny stuff is happening in my Hotmail account. I figured out how to look at the paragraphs and paragraphs of gobbledy gook behind the sender address, but I've forgotten how to look for the significant info.
Can someone help?
tia
las
CloudWatcher
(1,933 posts)... this is trivially forgeable. Don't trust it. Doesn't matter if it is "Joe Biden " or not, it's not to be believed.
Depending on the software you're using to read your mail, there's usually some sort of "show all headers" command (or show raw message).
With some practice, you can follow the "Received: from" lines and see which computers are talking with each other to deliver the email. The domain-names in there can give a hint about where the message was sent from.
Then it's a matter of matching the domain names to the address in the from field, and if you're lucky they'll line up ok. If not .. it's usually (not always) a forgery.
Sorry I can't be more specific, figuring this stuff out is a bit of an art.
LAS14
(14,789 posts)usonian
(14,619 posts)Looks like you got the message with
View All Headers
Search for Received
Received-Spf: pass (wrong)
Received: from ci74p00im-qukt09080301.me.com by p128-mailgateway-smtp-7f54dd7dd6-vrsb2 (mailgateway 2302B229) with SMTP id 0dcfb01d-69a2-4172-b8ca-2c66d2418baa for (me); Mon, 7 Nov 2022 20:55:05 GMT
Received: from o2926.abmail.marketing.gofundme.com (o2926.abmail.marketing.gofundme.com [149.72.227.147]) by ci74p00im-qukt09080301.me.com (Postfix) with ESMTPS id 7722B5280110 for (me) 20:55:03 +0000 (UTC)
Received: by filterdrecv-5df9bb45b8-x9gdw with SMTP id filterdrecv-5df9bb45b8-x9gdw-1-636970A7-5A 2022-11-07 20:55:03.650078702 +0000 UTC m=+614413.386547220
Received: from MTAyMDU3MDY (unknown) by geopod-ismtpd-5-1 (SG) with HTTP id WL6i3wZCQUyPD-yNtJMdBw Mon, 07 Nov 2022 20:55:02.852 +0000 (UTC)
The last one is first. So this came from a web interface (HTTP) to some unknown sender. And this says basically nothing useful.
More often, the "last is first" Received indicates that a home system (i.e. res-something.comcast.net) originated it, meaning that someone's home computer was malware'd into sending spam or more malware. And messages like this usually have the home-ip address that can be traced (traceroute) and reported. Those rarely change (except possibly when someone reboots a home router), so they aren't definitive (except to certain swat teams that don't care to do their homework), but they can help get a home system off the internet until they are cleaned up.
Footnote: if you can save the full-headers (or message source) message as a text file, it's one command in vim to filter it
vim: v/^Received/d
Good luck.
HTH