How to identify the real email address the email is coming from

We have a user getting emails that do not seem to be from Microsoft (to give at least one example; this has happened with other known companies).

We went into Message Option and noticed that the "Return-Path" is not the same as the sender email, the "from" (see MESSAGE OPTION attached, we have changed real email names for obvious reasons)

Can EE give us some input on this matter?

(We use Outlook 2007)
Return-Path: <>
Received: from ( []) by (v128.1) with ESMTP id MAILINDE044-5eb34bW5608f1A1; Wed, 14 Apr 2010 02:28:31 -0400
Received: from ( [])
	by (Internet Inbound) with ESMTP id C116D38000095
	for <>; Wed, 14 Apr 2010 02:28:25 -0400 (EDT)
Received: from ( [])
	by (8.11.6/8.11.6) with ESMTP id o3E6RoP15816
	for <>; Wed, 14 Apr 2010 01:27:53 -0500
Received: from by; Wed, 14 Apr 2010 14:27:08 +0800
Message-ID: <000d01cadb9b$82451620$6400a8c0@sabine460>
From: "Microsoft Team" <>
To: <>
Subject: Conflicker.B Infection Alert
Date: Wed, 14 Apr 2010 14:27:08 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3338.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3338.1
x-aol-global-disposition: S
X-AOL-VSS-INFO: 5400.1158/57431
x-aol-sid: 3039ac1d40604bc560895fe8


There is no guaranteed way to determine the email of the sender. The best you can do is determine the location from which it entered the Internet mail stream. If you look through the "Received" list, they're in reverse chronological order, meaning that the last entry (in your case, line 9, "Received: from by") is the starting point.

The interesting thing in this situation is that the return path email address matches up with the message ID and the initial Received entry. Normally spammers do a better job of covering their tracks than this. But it may well be that this message was generated from Outlook Express, as the X-Mailer line claims, and the hijacking was done by someone with limited skills. In this case, then, it does seem plausible that the Return-Path entry is actually the source.
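
An added example, not part of the original answer: a Python sketch of the header walk described above. It lists the Received hops oldest-first, compares the Return-Path and From domains, and marks the oldest hop stamped by a server you trust, since hops below that point are only what the sender claims. The sample message, every host, IP and address in it, and the trusted suffix ".provider.example" are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: every host, IP and address below is a placeholder.
RAW = """\
Return-Path: <bounce@sender.example>
Received: from mx2.provider.example (mx2.provider.example [192.0.2.10]) by mbox.provider.example with ESMTP id A1; Wed, 14 Apr 2010 02:28:31 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx2.provider.example with ESMTP id B2
\tfor <user@provider.example>; Wed, 14 Apr 2010 02:28:25 -0400
Received: from sabine460 ([203.0.113.55]) by relay.isp.example; Wed, 14 Apr 2010 14:27:08 +0800
Message-ID: <000d01$abc@sabine460>
From: "Microsoft Team" <alerts@vendor.example>
To: <user@provider.example>
Subject: Constructed sample

Body text.
"""

PATTERNS = {"from": r"\bfrom\s+(\S+)",            # host name the client announced
            "by": r"\bby\s+([^\s;]+)",            # server that wrote this header
            "ip": r"\[([0-9A-Fa-f.:]+)\]"}        # connecting IP seen by that server

def hops_oldest_first(msg):
    """Received headers are prepended, so reverse them to get travel order."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        found = {k: re.search(p, flat) for k, p in PATTERNS.items()}
        hops.append({k: m.group(1) if m else None for k, m in found.items()})
    return hops[::-1]

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw, trusted_suffix):
    msg = email.message_from_string(raw)
    hops = hops_oldest_first(msg)
    verified = None
    for hop in reversed(hops):                    # newest first
        if not (hop["by"] or "").endswith(trusted_suffix):
            break                                 # written outside our control
        verified = hop                            # oldest hop we can rely on
    frm, rpath = domain(msg["From"]), domain(msg["Return-Path"])
    return {"claimed_origin": hops[0] if hops else None,
            "verified_handoff": verified,
            "from_domain": frm, "return_path_domain": rpath,
            "envelope_mismatch": frm != rpath}

if __name__ == "__main__":
    print(analyze(RAW, ".provider.example"))
```

Only "verified_handoff" was recorded by infrastructure you control; "claimed_origin" is the starting point the headers assert and can be forged.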

rayluvs (Author) commented:
Interesting, and I did get to know the location, but I tried with an email I am familiar with, and it gives back a GoDaddy server when they are located somewhere else.

Can we know where the email is coming from?
