
ICTP Portal


Where does this e-mail really come from?

Checking whether a message is real or spoofed

You can usually find the address of the originating computer by examining the full header of an e-mail. E-mail clients normally do not display the full header, and how to show it depends on the program you are using. In Pine, for example, press the H key to switch between the reduced and the full header display.

Here is an example of a full header:

Return-Path: <projectdale@asdfkj.com>
Received: from ictp.trieste.it (smtp.ictp.trieste.it [140.105.16.52])
        by sv2.ictp.trieste.it (8.12.10+Sun/8.12.9) with ESMTP id
    i6R7n8pD013512
        for <john@ictp.trieste.it>; Tue, 27 Jul 2004 09:49:08 +0200 (MEST)
Received: from 140.105.16.52 ([211.176.22.199])
        by ictp.trieste.it (8.12.9-20030917/8.12.9) with SMTP id
    i6R7lK1w020432
        for <john@ictp.trieste.it>; Tue, 27 Jul 2004 09:47:25 +0200
Received: from [211.164.221.63] by 211.176.22.199 with bursitis SMTP;
        Mon, 26 Jul 2004 22:45:33 -0600
X-Authentication-Warning: alphameric contractor alcott easternmost
Date: Mon, 26 Jul 2004 22:45:33 -0600
From: "Noemi Martinez" <delphidivalent@asdfkj.com>
Reply-To: "Noemi Martinez" <thrillwhiff@asdfkj.com>
Message-ID: <8797742143.808872903709168412@regretful>
To: john@ictp.trieste.it
Subject:
References: <081806488540513393818@exact>
In-Reply-To: <428536800758268438224@savoy>
X-Mailer: antiquary nabla
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ASICTP-MailScanner-Information: Please see
    http://www.ictp.trieste.it/antispam.html
X-ASICTP-MailScanner: Found to be clean
X-ASICTP-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.8,
        required 5, BAYES_99 3.01, DATE_IN_PAST_03_06 0.27, IN_REP_TO -0.37,
        MIME_HTML_ONLY 0.10, RCVD_IN_ORBS 0.11, RCVD_IN_RFCI 1.09,
        REFERENCES -0.00, X_AUTH_WARNING -0.40)
X-ASICTP-MailScanner-SpamScore: sss
Status: O
X-UID: 48185
Content-Length: 5795
X-Keywords:

while the normal header display would be:

Date: Mon, 26 Jul 2004 22:45:33 -0600
From: Noemi Martinez <delphidivalent@asdfkj.com>
Reply-To: Noemi Martinez <thrillwhiff@asdfkj.com>
To: john@ictp.trieste.it

Given how long the full header is, it is understandable that you are not usually shown it. It is nevertheless useful for finding out where a message really came from. The last Received: from line tells you the computer to which the message can be traced back; in this case it is 211.164.221.63. If a message is sent from within the ICTP, you would see something like

Received: from sv17 (sv17.ictp.trieste.it [140.105.16.137])

as the last Received: line. In any case, the domains of the From: address and the last Received: host should match; otherwise it is unlikely that the sender is really who they claim to be.
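The check described above can be scripted. The following is an added example, not part of the original FAQ: it compares the From: domain with the last Received: host and goes one step further by flagging any hop whose announced name is an IP literal different from the address the receiving server recorded in brackets. The function names and finding labels are hypothetical, and it assumes sendmail-style Received: lines like those in the sample header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Received:/From: lines of the full header on this page.
SAMPLE = """\
Received: from ictp.trieste.it (smtp.ictp.trieste.it [140.105.16.52])
        by sv2.ictp.trieste.it (8.12.10+Sun/8.12.9) with ESMTP id
    i6R7n8pD013512
        for <john@ictp.trieste.it>; Tue, 27 Jul 2004 09:49:08 +0200 (MEST)
Received: from 140.105.16.52 ([211.176.22.199])
        by ictp.trieste.it (8.12.9-20030917/8.12.9) with SMTP id
    i6R7lK1w020432
        for <john@ictp.trieste.it>; Tue, 27 Jul 2004 09:47:25 +0200
Received: from [211.164.221.63] by 211.176.22.199 with bursitis SMTP;
        Mon, 26 Jul 2004 22:45:33 -0600
From: "Noemi Martinez" <delphidivalent@asdfkj.com>
To: john@ictp.trieste.it

"""

def parse_hop(value):
    """Return (announced name, recorded IP or None, host tokens) of one Received: value."""
    clause = re.split(r"\sby\s", " ".join(value.split()), maxsplit=1)[0]
    tokens = re.findall(r"[A-Za-z0-9.-]+", clause)[1:]  # drop the word "from"
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)
    return (tokens[0] if tokens else ""), (ip.group(1) if ip else None), tokens

def analyze(raw):
    """Apply the page's From:/last-Received: check plus an announced-name-vs-IP check."""
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not hops:
        return {"origin": None, "from_domain": from_domain, "findings": ["no-received-lines"]}
    helo, ip, tokens = hops[-1]  # last Received: line is the earliest recorded hop
    findings = []
    # The page's check: the From: domain should match the last Received: host.
    if not any(t.lower() == from_domain or t.lower().endswith("." + from_domain) for t in tokens):
        findings.append("from-domain-mismatch")
    # Added check (assumes sendmail-style lines): the announced name is an IP
    # literal that differs from the address the receiving server recorded.
    for name, seen_ip, _ in hops:
        if seen_ip and re.fullmatch(r"[\d.]+", name) and name != seen_ip:
            findings.append(f"announced-ip-mismatch:{name}!={seen_ip}")
    return {"origin": ip or helo, "from_domain": from_domain, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample header both findings are raised: the second hop announced itself as 140.105.16.52, the address of smtp.ictp.trieste.it in the first Received: line, while the ICTP server recorded the connection as coming from 211.176.22.199.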
