
Where does this e-mail really come from?

Checking whether a message is real or spoofed

It is usually possible to find out the address of the originating computer by examining the full header of an e-mail. E-mail client applications normally do not display this information, and how to show it depends on the program you are using. For example, in Pine you press the H key to switch between reduced and full header display.

Here is an example of a full header:

Return-Path: <projectdale@asdfkj.com>
Received: from ictp.trieste.it (smtp.ictp.trieste.it [140.105.16.52])
        by sv2.ictp.trieste.it (8.12.10+Sun/8.12.9) with ESMTP id
    i6R7n8pD013512
        for <john@ictp.trieste.it>; Tue, 27 Jul 2004 09:49:08 +0200 (MEST)
Received: from 140.105.16.52 ([211.176.22.199])
        by ictp.trieste.it (8.12.9-20030917/8.12.9) with SMTP id
    i6R7lK1w020432
        for <john@ictp.trieste.it>; Tue, 27 Jul 2004 09:47:25 +0200
Received: from [211.164.221.63] by 211.176.22.199 with bursitis SMTP;
        Mon, 26 Jul 2004 22:45:33 -0600
X-Authentication-Warning: alphameric contractor alcott easternmost
Date: Mon, 26 Jul 2004 22:45:33 -0600
From: "Noemi Martinez" <delphidivalent@asdfkj.com>
Reply-To: "Noemi Martinez" <thrillwhiff@asdfkj.com>
Message-ID: <8797742143.808872903709168412@regretful>
To: john@ictp.trieste.it
Subject:
References: <081806488540513393818@exact>
In-Reply-To: <428536800758268438224@savoy>
X-Mailer: antiquary nabla
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ASICTP-MailScanner-Information: Please see
    http://www.ictp.trieste.it/antispam.html
X-ASICTP-MailScanner: Found to be clean
X-ASICTP-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.8,
        required 5, BAYES_99 3.01, DATE_IN_PAST_03_06 0.27, IN_REP_TO -0.37,
        MIME_HTML_ONLY 0.10, RCVD_IN_ORBS 0.11, RCVD_IN_RFCI 1.09,
        REFERENCES -0.00, X_AUTH_WARNING -0.40)
X-ASICTP-MailScanner-SpamScore: sss
Status: O
X-UID: 48185
Content-Length: 5795
X-Keywords:

while the normal header display would be:

Date: Mon, 26 Jul 2004 22:45:33 -0600
From: Noemi Martinez <delphidivalent@asdfkj.com>
Reply-To: Noemi Martinez <thrillwhiff@asdfkj.com>
To: john@ictp.trieste.it

So it is understandable that you are usually not presented with the full header. However, it can be useful for finding out where a message really came from. The last Received: from line tells you which computer the message can be traced back to. In this case it is 211.164.221.63. If a message is sent from within the ICTP, you would see something like

Received: from sv17 (sv17.ictp.trieste.it [140.105.16.137])

as the last Received: line. In any case, the domain of the From: address and the host in the last Received: line should match; otherwise it is unlikely that the sender is really who they claim to be.
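
The check described above can be scripted. The following is an added example, not part of the original FAQ: it reads the Received: lines of a raw message, takes the last one as the traceable origin, and compares its host names with the From: domain. The function names received_hops and origin_check are hypothetical, and SAMPLE is a shortened copy of the header shown above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: shortened copy of the spoofed header shown above.
SAMPLE = """\
Received: from ictp.trieste.it (smtp.ictp.trieste.it [140.105.16.52])
        by sv2.ictp.trieste.it (8.12.10+Sun/8.12.9) with ESMTP id i6R7n8pD013512
        for <john@ictp.trieste.it>; Tue, 27 Jul 2004 09:49:08 +0200 (MEST)
Received: from 140.105.16.52 ([211.176.22.199])
        by ictp.trieste.it (8.12.9-20030917/8.12.9) with SMTP id i6R7lK1w020432
        for <john@ictp.trieste.it>; Tue, 27 Jul 2004 09:47:25 +0200
Received: from [211.164.221.63] by 211.176.22.199 with bursitis SMTP;
        Mon, 26 Jul 2004 22:45:33 -0600
From: "Noemi Martinez" <delphidivalent@asdfkj.com>
To: john@ictp.trieste.it

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def received_hops(raw):
    """One dict per Received: line, in header order (newest first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        sender = text.split(" by ", 1)[0]         # the "from ..." clause only
        ip = IP_RE.search(sender)
        hops.append({"ip": ip.group(1) if ip else None,
                     "hosts": [h.lower() for h in HOST_RE.findall(sender)]})
    return hops

def origin_check(raw):
    """Apply the page's rule: From: domain versus the last Received: host."""
    hops = received_hops(raw)
    last = hops[-1] if hops else {"ip": None, "hosts": []}
    address = parseaddr(message_from_string(raw).get("From", ""))[1]
    domain = address.rpartition("@")[2].lower()
    matches = bool(domain) and any(
        h == domain or h.endswith("." + domain) for h in last["hosts"])
    return {"origin_ip": last["ip"], "from_domain": domain,
            "domain_matches": matches}

if __name__ == "__main__":
    print(origin_check(SAMPLE))
```

Only the Received: lines added by your own mail servers are recorded by hosts you trust; the lines below them are written by the sending side, so treat the traced address as a lead rather than proof.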

