1. First, you need to display the full message header.
- If using GMAIL, with the message in the display window, click on the down (More) arrow and select "Show original".
- If using Outlook, select View > Options, and look at the "Internet Header."
- If using Hotmail, select Options > Mail Display Settings > Message Headers > Full
- For other email software, or if the above software has changed, just consult the Help function, or ask your email provider how to display the header. Most email providers make it simple to display the header, but it isn't automatically displayed.
2. Now check out the following example email:
From : <ramalamadingdong@yourcompany.com>
Sent : September 24, 2007 10:55:40 AM
To : buddy@hotmail.com
Subject : Is this Message Spoofed?
Received: from venus.server.com ([204.1.9.20]) by bay0-mc7-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Sun, 24 Sep 2007 09:55:34 -0700
Received: from cpanel by venus.server.com with local (Exim 4.52)id 1GRXGW-00035j-7Rfor buddy@hotmail.com; Sun, 24 Sep 2006 12:55:40 -0400
Received: from 23.67.9.168 by notyourcompany.com (HordeMIME library) with HTTP; Sun, 24 Sep 2007 12:55:40 -0400
X-Message-Info: txF49lGdW431U93ePTzPUKmTHakyyzWnEfrMvJgLg0U=
User-Agent: Internet Messaging Program (IMP) H3 (4.1.1)
X-OriginalArrivalTime: 24 Sep 2007 16:55:34.0703 (UTC) FILETIME=[40B48BF0:01C6DFFA]
3. Note the domain (yourcompany.com) in the "From" line. We've put it in bold. This might also be listed as the reply-to address in your email header. You only care about the last two fields in the domain name that the email came from (in most cases). The last two fields, separated by the dot, show the organization that the email supposedly came from (in this case, yourcompany.com).
4. Now, each time the message moved from server to server enroute to the recipient, a "Received from" line was added above the previous "Received from" line. So look for the last "Received from" line (the one furthest down in the header, or with the oldest time-stamp).
5. Then reading from left to right on the oldest "Received from" line, look for the first domain name listed (again, just the last two fields separated by a dot). We've put this in bold again (notyourcompany.com). If this domain does not match the "From:" domain, or reply-to address, then the email was spoofed. In this example, the email was indeed spoofed since yourcompany.com and notyourcompany.com are different (they must be exactly the same).
6. Although email headers may differ somewhat, this method will help you or your customers identify most spoofed email.