How to Tell if an Email Has Been Spoofed

I use Microsoft Outlook (formerly Hotmail) as my primary email service. I’ve noticed that every time I get a “spoofed” email, the sender’s address shows up right in the heading.

I’mot sure if Microsoft’ anti-phishing system is configured to expose the sender’s true email adress to its users, but there have been plenty of instances in which an email supposedly coming from a major company (i.e., PayPal) shows a reutrn address that shows anything BUT “paypal.com.” I immediately report it to Microsoft as a “Phishing Scam,” using Outlook’s drop-down reporting menu.

Microsoft has long had a very aggressive anti-spam filter—far more aggressive than either Gmail or Yahoo Mail—so why would it not also have an aggressive anti-phishing filter that exposes the sender’s true email address? I’ve used Hotmail/Outlook for more than a decade and I’ve never been fooled by spam or malware-infected email.

I try to have an optimal configuration in addition to that I have managed to mitigate trying to misuse my mail servers is the blocking of full ranges of addresses ips with which I have no relationship whatsoever. and above all, as you comment, do not forget to trust your instinct. Jose Hicks

Thanks!

One way I use is to hover over the sender and see if it looks legit. If it doesn’t I send it to the company it is trying to spook like spoof at paypal dot com.

First, this is in US patent 9674145.
There are many Received. Attacker may inject a Received in the header.  The one you need to look is the last one (usually the first one at top) that is written by your SMTP.

Thanks

Dan

Correction: the header shows parameters:
Return-Path: (legit name)
Reply-To: (bogus name)

If opinion is allowed here, I think the “Reply-To” email setting is an unnecessary vulnerability for individuals.

My understanding is that the only legit use is for bounced emails, so the bounces go to a separate mailbox typically within your organization. Furthermore it only makes sense to use it when sent from a “no-reply” mailbox, because a “manual” reply address would look surprising unless it closely resembled the original. And it’s extremely suspicious if the Reply-To address goes to a strange name in a different domain (like in my case comes in from @yahoo, goes back to @gmail.)

Therefore it’s only of use to bulk-mailers, spammers, and (legitimately) to owners of larger private email groups who want this convenient way to find bounces (there are plenty of other ways).

Outgoing SMTP servers should detect a domain-mismatch, at least, in the Reply-To parameter in the header, and flag the email before sending.

A very legit use of Reply-To is when we join email lists. All our replies must be directed not to the sender but to the group. But that still does not make it a good setting in an individual’s account.

Josh, thanks. My friend is elderly and remote, hard to help. I have told him to scan, and of course change Yahoo password. Results may come tomorrow, he is in Asia.
I will update with the outcome.

so i got an email from someone from my own domain it says mail-by mydoamin.com sign by Hotmail
and as I said I checked original header I found my webmail Ip.. as long as I know I set my spf records to reject and all did as it supposes to be..  some spoor guy send me an email from my own domain ..t says mail by my own domain.com.. is there any way to stop they do that?

So I get this email from Techlicious.com this morning with the following subject title:

“How to Tell if an Email is Real of Spoofed”

Yes - typo included!  I chuckled because the first thing I look for in an email that’s trying to get me to click on links is GRAMMAR and SPELLING!

So I did not click on this particular email’s link - instead, I just went to Techlicious.com to send you this comment.

Thanks for the smile today!

Hi, I received an email addressed to .(JavaScript must be enabled to view this email address).  I dont have aol. It showed up in a personal email that I do NOT use for sales-y stuff and never get spam.  When I try to dig into the actual address that it was sent to, I cannot find anything.  Im sure its spoofed but I’m used to seeing this on the FROM field, not TO.  How do I verify?

I used the tool on an email in my inbox not spam or junk folder and the results come back as being sent from google

Here is the header

Will send header over next two post to long to put in one comment

Delivered-To: .(JavaScript must be enabled to view this email address)
Received: by 2002:a05:6504:1389:0:0:0:0 with SMTP id k9csp822192lto;
      Wed, 28 Oct 2020 15:49:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy+l41b7KnNPYWAgmqCfM5sdYMCJbkOEWfBtGM8EduYFZIi91MMz6cPfVXGDzEEFZVLWknQ
X-Received: by 2002:a9f:2261:: with SMTP id 88mr1460064uad.32.1603925353509;
      Wed, 28 Oct 2020 15:49:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1603925353; cv=none;
      d=google.com; s=arc-20160816;
      b=giz+u1SthNR88z9tqnygiEVhrgsad9U2sk/H4hEl7TizvwBFSGUMlAovhpKHUeFzp4
      tecCj8ar3qHmdOxmUDbHQXtsSEWIcnStOWqhA5Id4PLD3xrZISeFQHcGe2yIkMy2YQAX
      JtB2CYKnfmfk1GoMTEXSnDgwzgn1S6rFbmzwKUGXgjRPxsx+YxErDtU5dWGSKs6CSjUN
      W+/S/k4L0kte41BYXIx8NXMPU41fkq+/42+6bGfeMC5PqpJDbVWjDguH0vcWJA+1j3JJ
      8Wb+NqQdbSlhRrUteUZKnpEeg22+iIEO7fvH5lgiXnb3ngNtSrbwbkqdtRsTC7v/Ts2P
      I54A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
      h=to:subject:message-id:date:from:in-reply-to:references:mime-version
      :dkim-signature;

bh=sTpYoulaPmI9U+Bch5KOodhbOExc9+NWTfL6zkreoI0=;
      b=vARFuHgw56TYc0Swos6SbH9ly6+X26bKYzE85Ur8ko0Dd9ItIpFk7WgeF+Bgw9L/Wk
      +S1zMgyRYfZWk2dZsw8XXQKmZ15OXLoeuh3in/dn3NRXoKT6C3IltO9f+IXf7DXcuqdB
      1jiXD2YHSWYCNYl3ABdmqu3sTU+TBPjmxL5Rv0YvF4N96FahWE+NzoIUZ+Wy8eGQHK5w
      hGrrfdm6IuFhTKhceEI9dObEq27W0PLDdIs7wfUbik2X1TGyLfHBB41EnQp9PtVTIP7C
      QyK5rVUewd/snYmViTnCfdzr+CwTVKR1Z6aQ24YkZ329eRatsSgpW6B/s3bcfxknDp+b
      r4Pw==
ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@gmail.com header.s=20161025 header.b=“W2C9/WKO”;
    spf=pass (google.com: domain of .(JavaScript must be enabled to view this email address) designates 209.85.220.41 as permitted sender) smtp.mailfrom=rosenroncame@gmail.com;
    dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <rosenroncame@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
      by mx.google.com with SMTPS id h5sor348115vsm.22.2020.10.28.15.49.13
      for <rjw75092@gmail.com>
      (Google Transport Security);
      Wed, 28 Oct 2020 15:49:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of .(JavaScript must be enabled to view this email address) designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
    dkim=pass header.i=@gmail.com header.s=20161025 header.b=“W2C9/WKO”;
    spf=pass (google.com: domain of .(JavaScript must be enabled to view this email address) designates 209.85.220.41 as permitted sender) smtp.mailfrom=rosenroncame@gmail.com;
    dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=gmail.com; s=20161025;
      h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
      bh=sTpYoulaPmI9U+Bch5KOodhbOExc9+NWTfL6zkreoI0=;
      b=W2C9/WKOz+2HUTQhBg78b+RVzu5BTp/9Pxioq1Xw7WeC1AZjeg3YcpOCtmRSt/3uhw
      QqwIKE6C9516U7xfw1B5SxNmik9bRuVuoRP9xMwdjWygNCYgA1N+9ghqsCMB9xWMuaxG
      ClnuqGWGECzyAMY0DTboZH0ijgLJZ3vLw9FzExS9uj3Yf/179prG6pl3hbixM3y1WoCv
      yxxINEDr2F/4XKNmowVOGemH6dcx/2/bAqo87yOciDdGxseT3VWgimOlHnbRa+7ZJNP7
      AYvd0gdyon4KUuKJ5WlcFaVLCBC8SNwsB1+tIEqzGRedLVjRXHIDzPpzwqpv4MwkLhnY
      Arhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=1e100.net; s=20161025;
      h=x-gm-message-state:mime-version:references:in-reply-to:from:date
      :message-id:subject:to;
      bh=sTpYoulaPmI9U+Bch5KOodhbOExc9+NWTfL6zkreoI0=;
      b=SEhjCUmtR2OA6C3HQKCzrn7csOfXd2uS0eOFf5ezTWNqCGbI2RyykMORl11hUkGgxO
      7VIIcM3rns5dt65Ck5i5G3QWvrWLGNe0LxuuZWJpYAxyYkJLope2FX6II7UASM3qFU4k
      oGQpeYuyrqPlOQBSmsN7UgrPv7cvz968e0hk02sQiQaP8eQLtjCvb8J9PM5enztplCSA
      +q7NbVXLdemYSy6gQFYfHzy65F1m5Uy4TMphoUEUMYsXaCdIt/g8AhoH8mgEGg4IjkG1
      FZMeAa+og4T4Nge0yR+zcMxi4SqAwI2ouX+rCHV3FHAJjWMZno7RLPvF9hCaiEALiEB/
      ga2Q==
X-Gm-Message-State: AOAM5322+yZCcBIh/4JlUjAAf5e8SbIvPWe1+AZTAxjyMuD+2QLutv15 XBbR3zHS3xX9y6iCoSFIpCQB14GzO7PR3m19UzE=
X-Received: by 2002:a05:6102:3c8:: with SMTP id n8mt1239210vsq.31.1603925353150; Wed, 28 Oct 2020 15:49:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAGkt0=tG4uvQ266r_L+5Z1Zk-Vtr_VTobSCWhqAbH=eVFcwgpw@mail.gmail.com>
In-Reply-To: <CAGkt0=tG4uvQ266r_L+5Z1Zk-Vtr_VTobSCWhqAbH=eVFcwgpw@mail.gmail.com>
From: Stephanie Ly <rosenroncame@gmail.com>
Date: Thu, 29 Oct 2020 04:49:01 +0600
Message-ID: <CAGkt0=t3Ue_n00eZ-4t8KXVvxFzkc6Rq91wX+BG58i5MXsmWLg@mail.gmail.com>
Subject: Re:
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=“000000000000ec68f705b2c2f8ce”
Bcc: .(JavaScript must be enabled to view this email address)

—000000000000ec68f705b2c2f8ce
Content-Type: text/plain; charset=“UTF-8”
Content-Transfer-Encoding: quoted-printable

On Thu, Oct 29, 2020 at 4:47 AM Stephanie Ly <rosenroncame@gmail.com> wrote=
:

> *Hey baby I just started telling you about myself and what my plans are I
> want one woman I want I’m a ladies man and you know I want a relationship
> I’m fixing to buy a house in another year I’m in recovery I don’t drink.
> But it’s cool if you drink I don’t drink or drugs no no good but I*
>
>
> *=F0=9F=91=97=F0=9F=91=99=F0=9F=91=99=F0=9F=91=9D=F0=9F=92=AC=F0=9F=97=A8=
=F0=9F=91=84=F0=9F=92=8B[?][?]=F0=9F=92=91=F0=9F=92=9E*
>
> *  Sent from my iPhone   *
>

—000000000000ec68f705b2c2f8ce
Content-Type: text/html; charset=“UTF-8”
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr”>
</div>
<div class=3D"gmail_quote”><div dir=3D"ltr” =
class=3D"gmail_attr”>On Thu, Oct 29, 2020 at 4:47 AM Stephanie Ly <<a >rosenroncame@gmail.com</a>> wrote:<=
br></div><blockquote class=3D"gmail_quote” style=3D"margin:0px 0px 0px 0.8e=
x;border-left:1px solid rgb(204,204,204);padding-left:1ex”><div dir=3D"ltr”=
><div style=3D"text-align:center”><font color=3D”#444444”>Hey baby I jus=
t started telling you about myself and what my plans are I want one woman I=
want I'm a ladies man and you know I want a relationship I'm fixin=
g to buy a house in another year I'm in recovery I don't drink. But=
it's cool if you drink I don't drink or drugs no no good but I</fo=
nt></div><div style=3D"text-align:center”><font color=3D”#444444”><b=
r></font></div><div style=3D"text-align:center”><font color=3D”#4444=
44”>
</font></div><div><div style=3D"text-align:center”><font col=
or=3D”#444444”>=F0=9F=91=97=F0=9F=91=99=F0=9F=91=99=F0=9F=91=9D=F0=9F=92=AC=
=F0=9F=97=A8=F0=9F=91=84=F0=9F=92=8B=F3=BE=93=A6=F3=BE=93=A6=F0=9F=92=91=F0=
=9F=92=9E</font></div><div style=3D"text-align:center”><font color=
=3D”#444444”>
</font></div><div style=3D"text-align:center”><font=
color=3D”#444444”>=C2=A0 Sent from my iPhone=C2=A0 =C2=A0</font></div>=
</div></div>
</blockquote></div>

—000000000000ec68f705b2c2f8ce—

my Received from says google, but the sender domain is not google, its their website name. but the SPF says pass. does this just mean they are hosted by google? or that they have a personal email this is forwarded to?? also every time i look up the ip on different sites, i sometimes get different locations but it says google on the reverse lookup

i am new to this, learning as i go, so hopefully i provided the right information and its not a silly question..

This person hacked into my back account

BpVA

ARC-Authentication-Results: i1; mx.google.com;

dkin pass header.i-spiration.com heuder.ssl header.b-KoPVVpt; dkim=pass header.i=@sender id.info header.smtpapi head.b-Cox,

spf-pass (google.com: domain of bounces+1381704-bce5-artkitten2-gmail.com@mail.spiration.com designates 167 89.21.38 as permitted winder) st dman-pass ( BEJECT spaNNE di=NONE) freader from aspiration.com

Return-Path: <bounces+1381784-bces .(JavaScript must be enabled to view this email address) Received: from 02.email.uspiration.com (02.email.aspiration.com. [167.89.21.301)

by mx.google.com with FSHTPS k1251502896pk 145.2021 6.11.06.01.05. for .(JavaScript must be enabled to view this email address)>

(version=TI 1-3 cipher-TUS_AES_178 GCM_SHA256 bits=128/128);

Fri, 11 Jun 2021 00:01:05 0700 (PDT) Received-SPF: poss (noogle.com: domain of bounces 1381200-125 pikitten Cominal aspiration.com designates 167 m.21.30 a permitted sender)

Authentication-Results: m.google.com

dkimepass .(JavaScript must be enabled to view this email address) header.sss reader.b-kohvat;

dkim-pass header sendgrid Info ader.s-sinspapiider, 5-015qoui spf=pass (google.com domain of bounces+1381704 bces-artkitter .(JavaScript must be enabled to view this email address)/designates 167.89.21.29 as permitted under) sp

dmarc-pass (DREJECT sp=NONE UE) header.from-aspiration.com DKIM-Signature: v 1; a=rsa-sha256; c=relaxed/relaxed; deaspiration.com, -content-transfer-encoding:content-type from mire version:subject:

x-feedback ditug s=s1; bh=pacpte TVBBMeAuvox 32T SEzXu Berishibor=;

b-KPVhVptver V6U833my1zqk2Ukpmg/Yx37, NO±6ka=ySTOTYRT IbeGqEAUPatting Voi3d5apexjOFE

DKIM Signature: v=1; a=rsa-sha256; relased/relaxed; desenegrid_res hecontent transfer-encoding:content-type: from mixer Coruj

x-feedback-idito;

VYY 2m WTQ&Mohdintys; EevZP2xeaked twgyE5nk/G=1VUBA VALDXXG

B How

NASDAQ-40

Thanks for the article, most interesting.

As you say the SPF is not a particiualry accurate means of validating an email as it is a bit of a lottery.

I am however interested in the Receive: from field.

Could you let me know if that field is Always accurate ?

For example
a)
If .(JavaScript must be enabled to view this email address) sends an email
or .(JavaScript must be enabled to view this email address) sends an email

is that field guaranteed to contain
hotmail.com
bobo.com
respectively ?

b)
If say a scammer sent an email to .(JavaScript must be enabled to view this email address) from an email I recognize, say .(JavaScript must be enabled to view this email address)
but his SMTP is smtp.scammy.com
Is it guaranteed that the Receive: from fleld will contain smtp.scammy.com and there is no way that can be fiddles with ?

Thank you

With Outlook on line, the three dots anywhere; any of them show the options for File and then Properties and I checked every other possibility to locate them as well.

This is the problem with most instructions like this.  Their stated procedures to follow in no way reflect the actual product.  I don’t understand where you guys get this stuff.  I just don’t.

There’s an ad between the Outlook app instructions and the Outlook.com instructions, making it look like the app instructions are for both platforms.

So you have the Outlook.com instructions here:

Open the email. Click on the more icon (three dots) and select “View” and then “View message source.” The headers will show in a pop-up box.

That do this stuff. I’d like to kick em where it hurts!