
LAS14

(14,789 posts)
Fri Nov 18, 2022, 02:36 PM Nov 2022

How do you analyze the source behind an e-mail's sender address?

Funny stuff is happening in my Hotmail account. I figured out how to look at the paragraphs and paragraphs of gobbledygook behind the sender address, but I've forgotten how to look for the significant info.

Can someone help?

tia
las


CloudWatcher

(1,933 posts)
1. email sender's address ('from' field)
Fri Nov 18, 2022, 02:51 PM
Nov 2022

... this is trivially forgeable. Don't trust it. Doesn't matter if it is "Joe Biden" or not, it's not to be believed.

Depending on the software you're using to read your mail, there's usually some sort of "show all headers" command (or show raw message).

With some practice, you can follow the "Received: from" lines and see which computers are talking with each other to deliver the email. The domain-names in there can give a hint about where the message was sent from.

Then it's a matter of matching the domain names to the address in the from field, and if you're lucky they'll line up ok. If not .. it's usually (not always) a forgery.

Sorry I can't be more specific, figuring this stuff out is a bit of an art.

usonian

(14,619 posts)
3. Help deciphering senders.
Fri Nov 18, 2022, 03:18 PM
Nov 2022

Looks like you got the message with
• View All Headers

Search for Received

Received-Spf: pass (wrong)

Received: from ci74p00im-qukt09080301.me.com by p128-mailgateway-smtp-7f54dd7dd6-vrsb2 (mailgateway 2302B229) with SMTP id 0dcfb01d-69a2-4172-b8ca-2c66d2418baa for (me); Mon, 7 Nov 2022 20:55:05 GMT

Received: from o2926.abmail.marketing.gofundme.com (o2926.abmail.marketing.gofundme.com [149.72.227.147]) by ci74p00im-qukt09080301.me.com (Postfix) with ESMTPS id 7722B5280110 for (me) 20:55:03 +0000 (UTC)

Received: by filterdrecv-5df9bb45b8-x9gdw with SMTP id filterdrecv-5df9bb45b8-x9gdw-1-636970A7-5A 2022-11-07 20:55:03.650078702 +0000 UTC m=+614413.386547220

Received: from MTAyMDU3MDY (unknown) by geopod-ismtpd-5-1 (SG) with HTTP id WL6i3wZCQUyPD-yNtJMdBw Mon, 07 Nov 2022 20:55:02.852 +0000 (UTC)

The last one is first. So this came from a web interface (HTTP) to some unknown sender. And this says basically nothing useful.

More often, the "last is first" Received indicates that a home system (e.g. res-something.comcast.net) originated it, meaning that someone's home computer was malware'd into sending spam or more malware. And messages like this usually have the home IP address that can be traced (traceroute) and reported. Those rarely change (except possibly when someone reboots a home router), so they aren't definitive (except to certain SWAT teams that don't care to do their homework), but they can help get a home system off the internet until they are cleaned up.

Footnote: if you can save the full-headers (or message source) message as a text file, it's one command in vim to filter it
vim: v/^Received/d

Good luck.
HTH
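Putting the two replies above into code, as an added example that is not part of the thread: the script below parses the Received: chain of a raw message the way CloudWatcher describes (walking it origin-first and matching the hand-off host against the From: domain), using two constructed sample messages laid out like the headers usonian quoted. Every hostname, IP and address in the samples is illustrative, the `example.net` suffix standing in for "my own provider" is an assumption, and `org_domain` is a deliberately crude last-two-labels heuristic rather than a public-suffix lookup.

```python
"""
Walk the Received: chain of a raw e-mail, find the hop at which the mail
entered your own provider, and compare that hand-off host with the From:
domain.  Added example, not from the thread; the two messages below are
constructed samples (hostnames, IPs and addresses are illustrative), laid
out like the headers quoted in the thread.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample 1: legitimate marketing mail that came in through an
# e-mail service provider and then the recipient's own gateway.
SAMPLE_OK = b"""\
Received: from mx-inbound.example.net by mailbox-store.example.net with SMTP id 0dcfb01d for <me@example.net>; Mon, 7 Nov 2022 20:55:05 GMT
Received: from o2926.abmail.marketing.gofundme.com (o2926.abmail.marketing.gofundme.com [149.72.227.147]) by mx-inbound.example.net (Postfix) with ESMTPS id 7722B5280110 for <me@example.net>; Mon, 7 Nov 2022 20:55:03 +0000 (UTC)
Received: by filterdrecv-5df9bb45b8-x9gdw with SMTP id filterdrecv-1-636970A7-5A; Mon, 7 Nov 2022 20:55:03 +0000
Received: from MTAyMDU3MDY (unknown) by geopod-ismtpd-5-1 (SG) with HTTP id WL6i3wZCQUyPD; Mon, 07 Nov 2022 20:55:02 +0000 (UTC)
From: "GoFundMe" <noreply@gofundme.com>
To: me@example.net
Subject: constructed sample 1

body
"""

# Constructed sample 2: same From: address, but the host that handed the
# mail to our gateway is a residential line that merely *claims* (HELO) to
# be gofundme.com; the Received: line below it was written by that host.
SAMPLE_FORGED = b"""\
Received: from mx-inbound.example.net by mailbox-store.example.net with SMTP id 7a1c22 for <me@example.net>; Tue, 8 Nov 2022 01:12:44 GMT
Received: from gofundme.com (res-203-0-113-45.isp.example [203.0.113.45]) by mx-inbound.example.net (Postfix) with ESMTP id 5A2B1 for <me@example.net>; Tue, 8 Nov 2022 01:12:43 +0000 (UTC)
Received: from mail.gofundme.com by mail.gofundme.com with ESMTP; Tue, 8 Nov 2022 01:12:40 +0000
From: "GoFundMe" <noreply@gofundme.com>
To: me@example.net
Subject: constructed sample 2

body
"""

# "from <helo> (<reverse-dns> [<ip>]) by <host> ... with <proto>"; everything
# after "from" is optional because relays (and forgers) omit pieces freely.
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*(?:\[(?P<ip>[^\]]+)\])?\s*\))?)?"
    r"\s*by\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z0-9]+))?",
    re.IGNORECASE,
)


def received_chain(raw: bytes) -> list:
    """Parse every Received: header and return the hops origin-first.
    Each relay prepends its line, so the bottom header was written first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())            # unfold continuation lines
        m = RECEIVED_RE.match(text)
        hop = {"raw": text, "helo": None, "rdns": None, "ip": None,
               "by": None, "proto": None}
        if m:
            hop.update(m.groupdict())
            if hop["rdns"] and hop["rdns"].lower() == "unknown":
                hop["rdns"] = None              # "(unknown)" = no reverse DNS
        hops.append(hop)
    return hops


def org_domain(host: str) -> str:
    """Crude organisational domain: the last two labels.  Adequate for
    .com/.net; a real tool would consult the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(raw: bytes, my_suffix: str) -> dict:
    """Locate the hop where the mail entered our own infrastructure (the
    first hop, origin-first, whose 'by' host ends with my_suffix) and check
    its hand-off host against the From: domain.  Only lines written by our
    own servers are trustworthy; every Received: line below that point was
    supplied by the connecting peer and may be fabricated."""
    msg = email.message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_dom = org_domain(from_addr.rpartition("@")[2]) if "@" in from_addr else ""
    hops = received_chain(raw)
    entry = next((h for h in hops
                  if h["by"] and h["by"].lower().endswith(my_suffix)), None)
    if entry is None:
        return {"from_domain": from_dom, "consistent": None, "hops": hops}
    # Prefer the reverse-DNS name our server resolved over the HELO string
    # the peer announced about itself, which is as forgeable as From:.
    handoff_host = entry["rdns"] or entry["helo"] or ""
    return {
        "from_domain": from_dom,
        "handoff_host": handoff_host,
        "handoff_ip": entry["ip"],
        "handoff_verified": entry["rdns"] is not None,
        "untrusted_hops_below": hops.index(entry),
        "consistent": bool(from_dom) and org_domain(handoff_host) == from_dom,
        "hops": hops,
    }


if __name__ == "__main__":
    for label, raw in (("sample 1", SAMPLE_OK), ("sample 2", SAMPLE_FORGED)):
        r = analyse(raw, "example.net")
        print(f"{label}: From {r['from_domain']!r}, handed off by "
              f"{r['handoff_host']!r} [{r['handoff_ip']}], "
              f"consistent={r['consistent']}")
```

The caveat the script encodes is the one a practitioner cares about: only the Received: lines written by your own provider's servers (those whose `by` host is yours) can be believed. The hop where the mail entered that infrastructure records the peer's IP and reverse DNS as your server observed them; everything below it, including the `from gofundme.com` HELO in the second sample, was supplied by that peer and is as easy to fake as the From: line. `received_chain` does in Python what the `v/^Received/d` filter does in vim, and then also pulls the pieces apart.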
