How to identify the real email address the email is comming from

We have a user getting emails that it seems not from Microsoft (to giver at least one example, this has happens with other know companies).

We went into Message Option and noticed that the "Return-Path" is not the same as the sender email, the "from" (see MESSAGE OPTION attached, we have changed real email names for obvious reasons)

Can EE give us some input on this matter?

(We use Outlook 2007)
Return-Path: <sabine460@raku-gaki.com>
Received: from mtain-db12.r1000.mx.aol.com (mtain-db12.r1000.mx.aol.com [172.29.64.96]) by air-de04.mail.aol.com (v128.1) with ESMTP id MAILINDE044-5eb34bW5608f1A1; Wed, 14 Apr 2010 02:28:31 -0400
Received: from plus51.host4u.net (plus51.host4u.net [209.150.128.134])
	by mtain-db12.r1000.mx.aol.com (Internet Inbound) with ESMTP id C116D38000095
	for <USERNAME@aol.com>; Wed, 14 Apr 2010 02:28:25 -0400 (EDT)
Received: from 114-42-76-84.dynamic.hinet.net (114-42-76-84.dynamic.hinet.net [114.42.76.84])
	by plus51.host4u.net (8.11.6/8.11.6) with ESMTP id o3E6RoP15816
	for <USERNAME@DOMAIN.com>; Wed, 14 Apr 2010 01:27:53 -0500
Received: from 114.42.76.84 by mail.raku-gaki.com; Wed, 14 Apr 2010 14:27:08 +0800
Message-ID: <000d01cadb9b$82451620$6400a8c0@sabine460>
From: "Microsoft Team" <support@microsoft.com>
To: <USERNAME@DOMAIN.com>
Subject: Conflicker.B Infection Alert
Date: Wed, 14 Apr 2010 14:27:08 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01CADB9B.82451620"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3338.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3338.1
x-aol-global-disposition: S
X-AOL-VSS-INFO: 5400.1158/57431
X-AOL-VSS-CODE: clean
x-aol-sid: 3039ac1d40604bc560895fe8
X-AOL-IP: 209.150.128.134
Status:

Open in new window

rayluvsAsked:
Who is Participating?
 
ElrondCTCommented:
There is no guaranteed way to determine the email of the sender. The best you can do is determine the location from which it entered the Internet mail stream. If you look through the "Received" list, they're in reverse chronological order, meaning that the last entry (in your case, line 9, "Received: from 114.42.76.84 by mail.raku-gaki.com") is the starting point.

The interesting thing in this situation is that the return path email address matches up with the message ID and the initial Received entry. Normally spammers do a better job of covering their tracks than this. But it may well be that this message was generated from Outlook Express, as the X-Mailer line claims, and the hijacking was done by someone with limited skills. In this case, then, it does seem plausible that the Return-Path entry is actually the source.
0
 
rayluvsAuthor Commented:
Interesting and I did get to know the location, but I tried woth email I am familiar, and it gives back GoDaddy server when they are location somewhere else.

Can we know where the email is coming from ?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.