
Is there any way I can trace the sender profile through email headers?

We have received spam emails as undeliverable sent from our mail id. We would like to find out where they are originating from.

Thank you

Clerita
    The header contains this information but is mostly useless to be honest except if you want to blacklist the server – Ramhound Feb 04 '14 at 23:09
  • Very often the "from" headers on spam are fake. The "received" headers can also be faked. The emails can also be sent out from an ever changing array of bots (infected computers) through the victim's personal or corporate email server. – John1024 Feb 04 '14 at 23:26
  • @John1024 - I don't agree that the headers can be faked. While you can claim it's from X, the actual headers will contain who it's actually from. Of course, as you point out, even blocking the actual sender is sort of useless because they have endless supplies of victims and these really bad people send email on their behalf. – Ramhound Feb 04 '14 at 23:59
  • @Ramhound While the newest "received" headers will be genuine, the oldest received headers are readily faked. You can read more about it [here](http://www.pobox.com/helpspot/index.php?pg=kb.page&id=257) and [here](http://superuser.com/questions/86310/how-to-verify-an-emails-sender-identity) – John1024 Feb 05 '14 at 00:08
  • @Ramhound The problem is that you don't know where the fake headers end and the genuine ones begin, which is what you need to know to identify the source of the spam. It can require significant expertise. – David Schwartz Feb 05 '14 at 00:25
  • @DavidSchwartz - I don't disagree. The question just asked if it was possible though. – Ramhound Feb 05 '14 at 00:41
  • @John1024 - I have experience in this space. I am more than aware that you can indicate anyone you want as being the person who sent the email. At some point there will actually be a sender and actually be somebody who received it. – Ramhound Feb 05 '14 at 00:44

1 Answer


Your ability to do this is limited by the amount of time you would like to invest and the cooperative spirit of server administrators.

Frankly, you cannot trust any email header that appears in the message headers regarding the delivery route that is beyond a server that you control. For most people, this means that you can only trust that your server received it from the server that it identifies by address and name.

To determine whether or not this is the actual source, you would have to contact the owner of that system that most immediately delivered the mail to your server with the relevant time and information about that message from your mail delivery logs. Using that information, if he is so willing, he can extract data from his server log to tell you which server gave it to him. You probably begin to see the issue here.

If he is unwilling, that is no indication that his server was the origin of the spam. However, if he is unwilling, your trail also immediately turns cold.

Hope this helps!

David Hoelzer