Solved

How to tell the origin of an email

Posted on 2013-10-25
680 Views
Last Modified: 2013-11-05
I am not sure what zone 'email about becoming a mystery shopper' belongs in.
Please change zone.

I received this email about becoming a mystery shopper.
Did this email come from syr.edu?

Delivered-To: ME
Received: by 10.64.238.82 with SMTP id vi18csp57788iec;
        Fri, 25 Oct 2013 09:43:57 -0700 (PDT)
X-Received: by 10.229.30.7 with SMTP id s7mr12047704qcc.7.1382719436846;
        Fri, 25 Oct 2013 09:43:56 -0700 (PDT)
Return-Path: <fdlittle@syr.edu>
Received: from smtp1.syr.edu (smtp1.syr.edu. [128.230.18.82])
        by mx.google.com with ESMTPS id o9si3345006qez.82.2013.10.25.09.43.56
        for <ME>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Fri, 25 Oct 2013 09:43:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) smtp.mail=fdlittle@syr.edu
Received: from 2008std (syru153-084.syr.edu [128.230.153.84])
  by smtp1.syr.edu (8.14.7/8.14.5) with ESMTP id r9PGhs3e026842
  (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
  for <ME>; Fri, 25 Oct 2013 12:43:55 -0400
MIME-Version: 1.0
From: "SS_ Network" <fdlittle@syr.edu>
Reply-To: Derrick.rose@gmx.us
To: ME
Subject: JOB Opportunity
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
X-Mailer: SmartSend.2.0.126
Date: Fri, 25 Oct 2013 17:44:06 +0100
Message-ID: <21162313414081157511385@2008std>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794,1.0.431,0.0.0000
 definitions=2013-10-25_06:2013-10-25,2013-10-25,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=1 phishscore=0
 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=7.0.1-1305240000 definitions=main-1310250121

Job Descriptions:

You will be assigned to visit a shop.
You need to "pretend" to be a normal potential customer who is looking for =
a particular service or product.
You will then finish an on-line questionnaire to share with us your custome=
r experience.

Requirements:

19 Years old or above.
Can speak local language well.
Can read and write English.
No experience needed Like Shopping.

Job pay:

You will get $200 for each assignment.
Most of the time you will only need to spend 20 minutes on the visit.

Give me your information for register ;
 1. Name : . . . . .
 2. Ages : . . . . .
 3. Physical A_ddress : . . . . .
 4. Citys / States / Countrys : . . . . .
 5. Zip Codes : . . . . .
 6. Phone : . . . . .
 7. Gender : . . . . .
 8. O.c.c.u.p.a.t.i.o.n : . . . . .

we are waiting your good response,

Regards,
Sheila Lindsay
Head Of Recruitment

Question by:rgb192
7 Comments
LVL 29

Expert Comment

by:Jan Springer
ID: 39601571
Yes.  But I use the IP for reference and do a whois lookup.  DNS host names could be forged.
LVL 13

Expert Comment

by:Daniel Helgenberger
ID: 39601627
My way is to 'dig' the source server and compare it to the IP given:
$ dig smtp1.syr.edu

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 <<>> smtp1.syr.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49827
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;smtp1.syr.edu.			IN	A

;; ANSWER SECTION:
smtp1.syr.edu.		3600	IN	A	128.230.18.82

;; Query time: 236 msec
;; SERVER: 172.16.21.1#53(172.16.21.1)
;; WHEN: Fr Okt 25 22:35:18 CEST 2013
;; MSG SIZE  rcvd: 58


As you can see, it really originates from this server. In this case you do not need to do this, as syr.edu even has an SPF record which permits this server (Line 13):
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 1000 total points
ID: 39601654
helge000 is correct about using a forward dig to find out if the IP matches the hostname.

A whois, though, will tell you the company/individual allocated or assigned the IP.

Author Comment

by:rgb192
ID: 39610713
As you can see, it really originates from this server. In this case you do not need to do this, as syr.edu even has an SPF record which permits this server (Line 13):
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;


Could this be a student connected to syr.edu wifi using php mail()?
LVL 13

Accepted Solution

by:Daniel Helgenberger
Daniel Helgenberger earned 1000 total points
ID: 39610947
Mail headers can all be faked. The only thing you know for sure is the IP of the originating email server and that the sender had a valid destination address (yours).
But you can assume a few things:
1. syr.edu is a well-known origin and therefore is not an open relay, meaning it has some kind of sender/user auth in place.
2. This leads to the assumption that the originating email account is valid.
3. The reason for that may be a hacked/spoofed/phished account/password.

But as you can imagine, without the help of syr.edu the only thing you can do is guess.
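The checks the thread walks through by hand (the entry hop your own provider recorded, whether the HELO name matches the reverse-DNS name in brackets, the SPF result, and the From/Reply-To domain mismatch visible in this mail) can be scripted; the block below is an added example, not code from the thread or its posters, and runs on a constructed excerpt of the headers quoted in the question. It assumes the recipient's provider is google.com (the trusted_suffix parameter), so the first Received line written "by" a google.com host is the only one treated as trustworthy.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant headers of the mail quoted in the question, recipient replaced by ME.
RAW = """\
Received: from smtp1.syr.edu (smtp1.syr.edu. [128.230.18.82])
        by mx.google.com with ESMTPS id o9si3345006qez.82.2013.10.25.09.43.56
        for <ME>; Fri, 25 Oct 2013 09:43:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;
Received: from 2008std (syru153-084.syr.edu [128.230.153.84])
  by smtp1.syr.edu (8.14.7/8.14.5) with ESMTP id r9PGhs3e026842
  for <ME>; Fri, 25 Oct 2013 12:43:55 -0400
From: "SS_ Network" <fdlittle@syr.edu>
Reply-To: Derrick.rose@gmx.us
"""

# Matches "from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving server>"
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+?)\.?\s+\[([\d.]+)\]\)\s+by\s+(\S+)", re.I)

def parse_hops(msg):
    """Received headers newest first; lines without 'from host (rdns [ip])' are skipped."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def domain_of(header):
    return parseaddr(header)[1].rpartition("@")[2].lower()

def analyse(raw, trusted_suffix="google.com"):
    """Only the hop written by your own provider (the IP it saw connect) is trustworthy;
    every Received line below it was supplied by the sending side and may be forged."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    entry = next((h for h in hops if h["by"].endswith(trusted_suffix)), None)
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    return {
        "entry_ip": entry["ip"] if entry else None,
        "entry_host": entry["helo"] if entry else None,
        "helo_matches_rdns": bool(entry) and entry["helo"].lower() == entry["rdns"].lower(),
        "spf": (msg.get("Received-SPF", "none").split() or ["none"])[0].lower(),
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "claimed_origin": hops[-1] if hops else None,  # sender-side data, unverifiable
    }
```

For this mail the entry IP and SPF pass confirm the message really left smtp1.syr.edu, while the claimed_origin hop and the gmx.us Reply-To are exactly the sender-controlled details the accepted answer says you cannot verify without syr.edu's help.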

Author Closing Comment

by:rgb192
ID: 39624272
Thanks for the mail information.