How to Know Who Really Sent an Email
Ever get an email from “Evelyn?” Who is Evelyn? Is she a long lost friend, a neighbor, a relative you just learned you had, or someone hoping you know an Evelyn and will open their pharmaceutical advertisement?
It may appear that you don’t know until you actually open the email, but that is not true. When you first open an email, it is very much like looking at the outside of an envelope you get from the postal service. Both systems have a delivery address and a return address. In both cases, anyone can put whatever return address they want. For instance, I could send out a thank-you note on behalf of my parents. While writing the return address, I could forget who is “sending” the mail and put my personal address instead of my parents’. The recipient would not know who actually sent the mail until they opened it.
The “from” address that displays in your email browser works the same way. The sender can put whatever he wants.
However, I cannot fake the post office that actually takes the regular mail and sends it for me. They add an ink stamp or two on the front of the envelope. Responsible email servers also leave signatures identifying the “post office,” or sender. This information is stored in the “header” of the email.
- Outlook: you can get to this information by right clicking on the email in question. In the pop-up menu select “Message Options.”
- Webmail (Horde): When you rollover the sender’s name in the email list, the system has a cursor pop-up that shows a real email address. (which can be faked, but is often not bothered with.)
Below is a sample header from Outlook sent from “John Hannah.” Notice in particular the number of ways that the sender can be identified. If you see something odd in any of them, be very concerned:
- Notice the sections in Red–that is what the server puts in to tell you where it really came from
- Notice the section in Blue–that is what you typically see from your email browser.
- Purple is a comment from me
- The grey text has been changed just to keep it out of the public domain. (Some of us are just paranoid; no use in attracting any more spam than I need to.)
X-Spam-Flag: YES
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.6 required=4.0 tests=BAYES_99,HELO_LH_HOME,
RDNS_NONE,TRACKER_ID,TVD_SPACE_RATIO autolearn=no version=3.2.3
X-Spam-Report:
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
* 2.7 HELO_LH_HOME HELO_LH_HOME
* 2.0 TRACKER_ID BODY: Incorporates a tracking ID number
* 2.3 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
Received: from speedtouch.lan ([IPS Address]) by myserver with MailEnable ESMTP; Mon, 11 Aug 2008 11:09:32 -0400
Message-ID: <01c8fb78$d21fb600$c9eded40@maintainedtw91>
From: "John Hannah" <maintainedtw91@rv-ventures.com> The section between < and > can be faked. This is the address that shows up in the rollover in webmail.
To: my name<myemailaddress@pracprog.com>
Subject: [SPAM] SpecialPrices100mgBestQuality
Date: Mon, 11 Aug 2008 06:09:32 -0900
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="us-ascii";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
X-Spam: Not detected
Return-Path: <maintainedtw91@rv-ventures.com>
Reply-To: <maintainedtw91@rv-ventures.com>–Sometimes faked also
Sender: <maintainedtw91@rv-ventures.com>
X-Spam-Prev-Subject: SpecialPrices100mgBestQuality
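The comparison the post walks through by hand, done in code: pull the display name and address the mail client shows (From) out of the header block, pull the identities the servers recorded (the Received hop, Return-Path, Sender, Reply-To, the spam filter's score), and report where they disagree. This is an added example, not code from the original post; it uses Python's standard `email` module on a copy of the header sample above, with the redacted IP replaced by the RFC 5737 documentation address 192.0.2.10. The finding labels (`first_hop_helo_mismatch` and so on) are names chosen for this example.

```python
"""Extract sender identities from an email header block and flag mismatches.

Added example (not from the original post). The header sample is a
constructed copy of the post's listing with the redacted IP replaced by
the RFC 5737 documentation address 192.0.2.10.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample based on the post's header listing (continuation line
# of X-Spam-Status starts with whitespace, as folded headers do).
SAMPLE_HEADERS = """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=10.6 required=4.0 tests=BAYES_99,HELO_LH_HOME,
 RDNS_NONE,TRACKER_ID,TVD_SPACE_RATIO autolearn=no version=3.2.3
Received: from speedtouch.lan ([192.0.2.10]) by myserver with MailEnable ESMTP; Mon, 11 Aug 2008 11:09:32 -0400
Message-ID: <01c8fb78$d21fb600$c9eded40@maintainedtw91>
From: "John Hannah" <maintainedtw91@rv-ventures.com>
To: my name <myemailaddress@pracprog.com>
Subject: [SPAM] SpecialPrices100mgBestQuality
Date: Mon, 11 Aug 2008 06:09:32 -0900
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
Return-Path: <maintainedtw91@rv-ventures.com>
Reply-To: <maintainedtw91@rv-ventures.com>
Sender: <maintainedtw91@rv-ventures.com>

"""

# "from <HELO name> ([<ip>]) by <server>" as written by the receiving server.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9A-Fa-f.:]+)\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Top-level labels that never resolve on the public Internet (a home LAN name).
PRIVATE_SUFFIXES = {"lan", "local", "localdomain", "home", "internal"}


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def parse_received(value):
    """Split one Received header into HELO name, IP, receiving server and timestamp."""
    hop = {"helo": "", "ip": "", "by": "", "date": None}
    m = RECEIVED_RE.search(value)
    if m:
        hop.update(helo=m.group("helo").lower(), ip=m.group("ip"), by=m.group("by").lower())
    if ";" in value:  # the receiving server's own timestamp follows the last ';'
        try:
            hop["date"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def parse_spam_status(value):
    """Read score, threshold and rule names out of a SpamAssassin X-Spam-Status line."""
    score = re.search(r"score=([-\d.]+)", value)
    required = re.search(r"required=([-\d.]+)", value)
    tests = re.search(r"tests=(.*?)\s+autolearn=", value)
    return {
        "spam_score": float(score.group(1)) if score else None,
        "spam_required": float(required.group(1)) if required else None,
        "spam_tests": [t.strip() for t in tests.group(1).split(",")] if tests else [],
    }


def parse_headers(raw):
    msg = email.message_from_string(raw)

    def get(name):  # unfold and collapse whitespace so regexes see one line
        v = msg.get(name)
        return " ".join(str(v).split()) if v else ""

    from_name, from_addr = parseaddr(get("From"))
    info = {
        "from_name": from_name,
        "from_addr": from_addr.lower(),
        "return_path": parseaddr(get("Return-Path"))[1].lower(),
        "reply_to": parseaddr(get("Reply-To"))[1].lower(),
        "sender": parseaddr(get("Sender"))[1].lower(),
        "date": parsedate_to_datetime(get("Date")) if get("Date") else None,
        # Servers prepend Received headers, so the last one is the first hop.
        "received": [parse_received(" ".join(v.split())) for v in msg.get_all("Received", [])],
    }
    info.update(parse_spam_status(get("X-Spam-Status")))
    return info


def date_skew_seconds(info):
    """Seconds between the sender's claimed Date and the first hop's server stamp."""
    if not info["received"] or info["date"] is None or info["received"][-1]["date"] is None:
        return None
    return abs((info["date"] - info["received"][-1]["date"]).total_seconds())


def check_sender(info):
    """Compare what the client displays against what the servers recorded."""
    findings = []
    from_dom = domain_of(info["from_addr"])
    if info["received"]:
        helo = info["received"][-1]["helo"]
        if helo and helo != from_dom and not helo.endswith("." + from_dom):
            findings.append("first_hop_helo_mismatch")  # origin host is not the From domain
        if helo and ("." not in helo or helo.rsplit(".", 1)[1] in PRIVATE_SUFFIXES):
            findings.append("helo_not_public")  # e.g. a home router's LAN name
    skew = date_skew_seconds(info)
    if skew is not None and skew > 3600:
        findings.append("date_skew")
    for label in ("return_path", "reply_to", "sender"):
        if info[label] and domain_of(info[label]) != from_dom:
            findings.append(label + "_domain_differs")
    if (info["spam_score"] is not None and info["spam_required"] is not None
            and info["spam_score"] >= info["spam_required"]):
        findings.append("spam_filter_verdict")
    return findings


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_HEADERS)
    print("Displayed:", parsed["from_name"], parsed["from_addr"])
    print("First hop:", parsed["received"][-1])
    print("Findings:", check_sender(parsed))
```

On the sample, the displayed sender is `John Hannah <maintainedtw91@rv-ventures.com>`, but the machine that handed the message to the server introduced itself as `speedtouch.lan`, a home-router LAN name with no relation to rv-ventures.com, which is exactly what the filter's HELO_LH_HOME rule scored. The claimed Date and the server's Received stamp fall on the same instant once both are converted to UTC, so that check stays quiet here; on a message with a forged or stale Date it would not.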
