How do you analyze the source behind an e-mail's sender address?
Funny stuff is happening in my Hotmail account. I figured out how to look at the paragraphs and paragraphs of gobbledy gook behind the sender address, but I've forgotten how to look for the significant info.
Can someone help?
tia
las
CloudWatcher
(1,923 posts)
... this is trivially forgeable. Don't trust it. Doesn't matter if it is "Joe Biden " or not, it's not to be believed.
Depending on the software you're using to read your mail, there's usually some sort of "show all headers" command (or show raw message).
With some practice, you can follow the "Received: from" lines and see which computers are talking with each other to deliver the email. The domain-names in there can give a hint about where the message was sent from.
Then it's a matter of matching the domain names to the address in the from field, and if you're lucky they'll line up ok. If not .. it's usually (not always) a forgery.
Sorry I can't be more specific, figuring this stuff out is a bit of an art.
LAS14
(14,676 posts)
usonian
(13,757 posts)
Looks like you got the message with
View All Headers
Search for Received
Received-Spf: pass (wrong)
Received: from ci74p00im-qukt09080301.me.com by p128-mailgateway-smtp-7f54dd7dd6-vrsb2 (mailgateway 2302B229) with SMTP id 0dcfb01d-69a2-4172-b8ca-2c66d2418baa for (me); Mon, 7 Nov 2022 20:55:05 GMT
Received: from o2926.abmail.marketing.gofundme.com (o2926.abmail.marketing.gofundme.com [149.72.227.147]) by ci74p00im-qukt09080301.me.com (Postfix) with ESMTPS id 7722B5280110 for (me) 20:55:03 +0000 (UTC)
Received: by filterdrecv-5df9bb45b8-x9gdw with SMTP id filterdrecv-5df9bb45b8-x9gdw-1-636970A7-5A 2022-11-07 20:55:03.650078702 +0000 UTC m=+614413.386547220
Received: from MTAyMDU3MDY (unknown) by geopod-ismtpd-5-1 (SG) with HTTP id WL6i3wZCQUyPD-yNtJMdBw Mon, 07 Nov 2022 20:55:02.852 +0000 (UTC)
The last one is first. So this came from a web interface (HTTP) to some unknown sender. And this says basically nothing useful.
More often, the "last is first" Received indicates that a home system (i.e. res-something.comcast.net) originated it, meaning that someone's home computer was malware'd into sending spam or more malware. And messages like this usually have the home-ip address that can be traced (traceroute) and reported. Those rarely change (except possibly when someone reboots a home router), so they aren't definitive (except to certain swat teams that don't care to do their homework), but they can help get a home system off the internet until they are cleaned up.
Footnote: if you can save the full-headers (or message source) message as a text file, it's one command in vim to filter it
vim: v/^Received/d
Good luck.
HTH
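The bottom-up walk of the Received: lines that both replies describe, written out as an added example (not code from anyone in this thread). It parses a raw message, lists the hops in delivery order (originating hop first), pulls out the "from" host, the bracketed IP, the "by" host and the transport ("with"), and then checks whether any hop's "from" host shares the registered domain of the From: address. The Received: lines in the sample are the ones quoted above; the From:, To: and Subject: lines are constructed so the comparison has something to check, and registered_domain() is a deliberately crude last-two-labels helper.

```python
import email
import email.utils
import re

# Constructed sample message. The Received: lines are the ones quoted in the
# thread; the From:, To: and Subject: lines are assumptions added for the demo.
SAMPLE = """\
From: Example Sender <no-reply@gofundme.com>
To: me@example.com
Subject: constructed sample
Received-Spf: pass
Received: from ci74p00im-qukt09080301.me.com by p128-mailgateway-smtp-7f54dd7dd6-vrsb2 (mailgateway 2302B229) with SMTP id 0dcfb01d-69a2-4172-b8ca-2c66d2418baa for (me); Mon, 7 Nov 2022 20:55:05 GMT
Received: from o2926.abmail.marketing.gofundme.com (o2926.abmail.marketing.gofundme.com [149.72.227.147]) by ci74p00im-qukt09080301.me.com (Postfix) with ESMTPS id 7722B5280110 for (me); Mon, 7 Nov 2022 20:55:03 +0000 (UTC)
Received: by filterdrecv-5df9bb45b8-x9gdw with SMTP id filterdrecv-5df9bb45b8-x9gdw-1-636970A7-5A 2022-11-07 20:55:03.650078702 +0000 UTC m=+614413.386547220
Received: from MTAyMDU3MDY (unknown) by geopod-ismtpd-5-1 (SG) with HTTP id WL6i3wZCQUyPD-yNtJMdBw Mon, 07 Nov 2022 20:55:02.852 +0000 (UTC)

(body omitted)
"""


def parse_hops(raw_message):
    """Return the Received hops in delivery order: the originating hop first.

    Each MTA prepends its own Received: line, so the header order in the file
    is newest-first; reversing it gives the path the message actually took.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # collapse folding whitespace
        m_from = re.match(r"from\s+(\S+)", value)          # claimed sending host
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)  # IP the receiver saw
        m_by = re.search(r"\bby\s+(\S+)", value)           # receiving host
        m_with = re.search(r"\bwith\s+(\S+)", value)       # transport (SMTP, ESMTPS, HTTP, ...)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "with": m_with.group(1) if m_with else None,
        })
    return hops


def registered_domain(hostname):
    """Crude last-two-labels domain; fine for gofundme.com, wrong for co.uk-style suffixes."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def from_domain(raw_message):
    """Registered domain of the From: header address, or None if it has no address."""
    msg = email.message_from_string(raw_message)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else None


def check_alignment(raw_message):
    """Return (from_domain, hops whose 'from' host shares that domain).

    An empty hop list is the "they don't line up" case from the thread: it is a
    strong hint of forgery, not proof, since legitimate bulk senders often relay
    through a third party's hosts.
    """
    fdom = from_domain(raw_message)
    matching = [h for h in parse_hops(raw_message)
                if h["from"] and registered_domain(h["from"]) == fdom]
    return fdom, matching


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE), 1):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']} with={hop['with']}")
    fdom, matching = check_alignment(SAMPLE)
    print(f"From: domain {fdom}; hops that match it: {len(matching)}")
```

On the sample, hop 1 is the HTTP submission from the unknown host "MTAyMDU3MDY" (the "says basically nothing useful" hop), hop 2 has no "from" clause at all, and hop 3 is the first one with a verifiable IP in brackets. The "from" host name is whatever the sending machine announced in HELO, so only the bracketed IP recorded by the receiving server is worth anything when deciding where a message really came from.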