Solved

How to tell the origin of an email

Posted on 2013-10-25
Last Modified: 2013-11-05
I am not sure what zone 'email about becoming a mystery shopper' belongs in.
Please change zone.

I received this email about becoming a mystery shopper.
Did this email come from syr.edu?

                                                                                                                                                                                                                                                              
Delivered-To: ME
Received: by 10.64.238.82 with SMTP id vi18csp57788iec;
        Fri, 25 Oct 2013 09:43:57 -0700 (PDT)
X-Received: by 10.229.30.7 with SMTP id s7mr12047704qcc.7.1382719436846;
        Fri, 25 Oct 2013 09:43:56 -0700 (PDT)
Return-Path: <fdlittle@syr.edu>
Received: from smtp1.syr.edu (smtp1.syr.edu. [128.230.18.82])
        by mx.google.com with ESMTPS id o9si3345006qez.82.2013.10.25.09.43.56
        for <ME>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Fri, 25 Oct 2013 09:43:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) smtp.mail=fdlittle@syr.edu
Received: from 2008std (syru153-084.syr.edu [128.230.153.84])
  by smtp1.syr.edu (8.14.7/8.14.5) with ESMTP id r9PGhs3e026842
  (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
  for <ME>; Fri, 25 Oct 2013 12:43:55 -0400
MIME-Version: 1.0
From: "SS_ Network" <fdlittle@syr.edu>
Reply-To: Derrick.rose@gmx.us
To: ME
Subject: JOB Opportunity
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
X-Mailer: SmartSend.2.0.126
Date: Fri, 25 Oct 2013 17:44:06 +0100
Message-ID: <21162313414081157511385@2008std>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794,1.0.431,0.0.0000
 definitions=2013-10-25_06:2013-10-25,2013-10-25,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=1 phishscore=0
 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=7.0.1-1305240000 definitions=main-1310250121

Job Descriptions:

You will be assigned to visit a shop.
You need to "pretend" to be a normal potential customer who is looking for =
a particular service or product.
You will then finish an on-line questionnaire to share with us your custome=
r experience.

Requirements:

19 Years old or above.
Can speak local language well.
Can read and write English.
No experience needed Like Shopping.

Job pay:

You will get $200 for each assignment.
Most of the time you will only need to spend 20 minutes on the visit.

Give me your information for register ;
 1. Name : . . . . .
 2. Ages : . . . . .
 3. Physical A_ddress : . . . . .
 4. Citys / States / Countrys : . . . . .
 5. Zip Codes : . . . . .
 6. Phone : . . . . .
 7. Gender : . . . . .
 8. O.c.c.u.p.a.t.i.o.n : . . . . .

we are waiting your good response,

Regards,
Sheila Lindsay
Head Of Recruitment

Question by:rgb192
7 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39601571
Yes.  But I use the IP for reference and do a whois lookup.  DNS host names could be forged.
0
 
LVL 13

Expert Comment

by:Daniel Helgenberger
ID: 39601627
My way is to 'dig' the source server and compare it to the IP given:
$ dig smtp1.syr.edu

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 <<>> smtp1.syr.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49827
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;smtp1.syr.edu.			IN	A

;; ANSWER SECTION:
smtp1.syr.edu.		3600	IN	A	128.230.18.82

;; Query time: 236 msec
;; SERVER: 172.16.21.1#53(172.16.21.1)
;; WHEN: Fr Okt 25 22:35:18 CEST 2013
;; MSG SIZE  rcvd: 58


As you can see, it really originates from this server. In this case you do not need to do this, as syr.edu even has an SPF record which permits this server (Line 13):
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 39601654
helge000 is correct about using a forward dig to find out if the IP matches the hostname.

A whois, though, will tell you the company/individual allocated or assigned the IP.
0

Author Comment

by:rgb192
ID: 39610713
As you can see, it really originates from this server. In this case you do not need to do this, as syr.edu even has an SPF record which permits this server (Line 13):
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;


Could this be a student connected to syr.edu wifi using PHP mail()?
0
 
LVL 13

Accepted Solution

by:Daniel Helgenberger
Daniel Helgenberger earned 250 total points
ID: 39610947
Mail headers can all be faked. The only thing you know for sure is the IP of the originating email server and that the sender had a valid destination address (yours).
But you can assume a few things:
1. If syr.edu is a well-known origin and therefore is not an open relay, meaning it has some kind of sender/user auth in place
2. This leads to the assumption that the originating email account is valid
3. The reason for that may be a hacked/proofed/phished account/password.

But as you can imagine, without the help of syr.edu the only thing you can do is guess.
0
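The header triage discussed in the answers above, as an added example that is not code from any poster: it separates the one Received hop stamped by the recipient's own mail server from the hops that could be forged, and flags a Reply-To that leaves the From domain. The names `analyze` and `trusted_mx` are hypothetical, and the sample is a trimmed copy of the headers quoted in the question.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed copy of the headers quoted in the question.
RAW = """\
Return-Path: <fdlittle@syr.edu>
Received: from smtp1.syr.edu (smtp1.syr.edu. [128.230.18.82])
        by mx.google.com with ESMTPS id o9si3345006qez.82.2013.10.25.09.43.56;
        Fri, 25 Oct 2013 09:43:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of fdlittle@syr.edu designates 128.230.18.82 as permitted sender) client-ip=128.230.18.82;
Received: from 2008std (syru153-084.syr.edu [128.230.153.84])
  by smtp1.syr.edu (8.14.7/8.14.5) with ESMTP id r9PGhs3e026842
  for <ME>; Fri, 25 Oct 2013 12:43:55 -0400
From: "SS_ Network" <fdlittle@syr.edu>
Reply-To: Derrick.rose@gmx.us
Subject: JOB Opportunity

body
"""

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw, trusted_mx="mx.google.com"):
    """trusted_mx (assumption): the server that accepted the mail for you."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        # IPv4 only, to match the sample; the bracketed IP is what the
        # stamping server saw on the socket, the HELO name is sender-supplied.
        m = re.search(r"from (\S+) \((.*?)\[([0-9.]+)\]\)\s+by (\S+)", flat)
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(3), "by": m.group(4)})
    # Only the hop written by our own receiver is reliable evidence.
    boundary = next((h for h in hops if h["by"] == trusted_mx), None)
    spf = " ".join(msg.get("Received-SPF", "").split())
    reply_dom = domain_of(msg.get("Reply-To"))
    return {
        "connecting_ip": boundary["ip"] if boundary else None,
        "unverified_hops": [h for h in hops if h is not boundary],
        "reply_to_diverges": bool(reply_dom) and reply_dom != domain_of(msg.get("From")),
        "spf_result": spf.split(" ", 1)[0] if spf else None,
        # Google's "best guess record" wording marks a result the receiver
        # inferred rather than one read from a record the domain published.
        "spf_best_guess": "best guess record" in spf,
    }

if __name__ == "__main__":
    print(analyze(RAW))
```

The `connecting_ip` value is the address to feed to the whois and dig checks from the earlier answers; everything in `unverified_hops` was written before the message reached the recipient's server.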
 

Author Closing Comment

by:rgb192
ID: 39624272
Thanks for the mail information.
0
