How to tell the origin of an email

I am not sure what zone 'email about becoming a mystery shopper' belongs in.
Please change zone.

I received this email about becoming a mystery shopper.
Did this email come from syr.edu?

                                                                                                                                                                                                                                                              
Delivered-To: ME
Received: by 10.64.238.82 with SMTP id vi18csp57788iec;
        Fri, 25 Oct 2013 09:43:57 -0700 (PDT)
X-Received: by 10.229.30.7 with SMTP id s7mr12047704qcc.7.1382719436846;
        Fri, 25 Oct 2013 09:43:56 -0700 (PDT)
Return-Path: <fdlittle@syr.edu>
Received: from smtp1.syr.edu (smtp1.syr.edu. [128.230.18.82])
        by mx.google.com with ESMTPS id o9si3345006qez.82.2013.10.25.09.43.56
        for <ME>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Fri, 25 Oct 2013 09:43:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) smtp.mail=fdlittle@syr.edu
Received: from 2008std (syru153-084.syr.edu [128.230.153.84])
  by smtp1.syr.edu (8.14.7/8.14.5) with ESMTP id r9PGhs3e026842
  (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
  for <ME>; Fri, 25 Oct 2013 12:43:55 -0400
MIME-Version: 1.0
From: "SS_ Network" <fdlittle@syr.edu>
Reply-To: Derrick.rose@gmx.us
To: ME
Subject: JOB Opportunity
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
X-Mailer: SmartSend.2.0.126
Date: Fri, 25 Oct 2013 17:44:06 +0100
Message-ID: <21162313414081157511385@2008std>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794,1.0.431,0.0.0000
 definitions=2013-10-25_06:2013-10-25,2013-10-25,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=1 phishscore=0
 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=7.0.1-1305240000 definitions=main-1310250121

Job Descriptions:

You will be assigned to visit a shop.
You need to "pretend" to be a normal potential customer who is looking for =
a particular service or product.
You will then finish an on-line questionnaire to share with us your custome=
r experience.

Requirements:

19 Years old or above.
Can speak local language well.
Can read and write English.
No experience needed Like Shopping.

Job pay:

You will get $200 for each assignment.
Most of the time you will only need to spend 20 minutes on the visit.

Give me your information for register ;
 1. Name : . . . . .
 2. Ages : . . . . .
 3. Physical A_ddress : . . . . .
 4. Citys / States / Countrys : . . . . .
 5. Zip Codes : . . . . .
 6. Phone : . . . . .
 7. Gender : . . . . .
 8. O.c.c.u.p.a.t.i.o.n : . . . . .

we are waiting your good response,

Regards,
Sheila Lindsay
Head Of Recruitment

Open in new window

LVL 1
rgb192Asked:
Who is Participating?
 
Daniel HelgenbergerConnect With a Mentor Commented:
Mail headers can all be faked. The only thing you know for sure is the IP if the originating email server and that the sender had a valid destination address (yours).
But you can assume a few things:
1. If syr.edu is a well known origin and therefore is not an open relay, meaning it has some kind of sender/user auth in place
2. This leads to the assumption that the originating email account is valid
3. The reason for that may be a hacked/proofed/fished account/password.

But as you can imagine, without the help of syr.edu the only thing you can do is guessing.
0
 
Jan SpringerCommented:
Yes.  But I use the IP for reference and do a whois lookup.  DNS host names could be forged.
0
 
Daniel HelgenbergerCommented:
My way is to 'dig' the source server and compare it to the IP given:
$ dig smtp1.syr.edu

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 <<>> smtp1.syr.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49827
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;smtp1.syr.edu.			IN	A

;; ANSWER SECTION:
smtp1.syr.edu.		3600	IN	A	128.230.18.82

;; Query time: 236 msec
;; SERVER: 172.16.21.1#53(172.16.21.1)
;; WHEN: Fr Okt 25 22:35:18 CEST 2013
;; MSG SIZE  rcvd: 58

Open in new window


As you can see, it really originates from this server. In this case you do not need to do this, as syr.edu has even a SPF record witch permits this server (Line 13):
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
Jan SpringerConnect With a Mentor Commented:
helge000 is correct about using a forward dig to find out if the IP matches the hostname.

A whois, though, will tell you the company/individual allocated or assigned the IP.
0
 
rgb192Author Commented:
As you can see, it really originates from this server. In this case you do not need to do this, as syr.edu has even a SPF record witch permits this server (Line 13):
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;


could this be a student connected to syr.edu wifi using php mail()
0
 
rgb192Author Commented:
Thanks for the mail information.
0
All Courses

From novice to tech pro — start learning today.