Solved

Extracting IP address of emails from spam folder

Posted on 2014-12-12
Medium Priority
287 Views
Last Modified: 2014-12-13
I receive 100-200 spams a day. I am trying to find a way to get the sender's IP address from 1000 or more spams in my junk folder in Outlook. When I export spams in the folder, it doesn't even export header information.
Is there any way to export header information to csv so that I can open in excel and get the last email server's ip addresses sorted out, so I can import to my IP blocklist?
0
Comment
Question by:crcsupport
10 Comments
 
LVL 24

Accepted Solution

by:
Phillip Burton earned 1000 total points
ID: 40496530
There are a lot of document properties available with emails.

http://www.filecats.co.uk/metadata-extended-document-properties/microsoft-outlook-msg-files/email-metadata/ shows the MSG document properties. I think the one you are looking for is Transport Message Headers. It includes information such as "Received: from forward.a.hostedemail.com (216.40.42.17)".

If you've got the information in MSG format, and you say you are looking for a solution to import this data into Excel, have a look at that link.
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 1000 total points
ID: 40496904
You should know that most spam comes from networks of machines that are virus infested and controlled by a central controller somewhere.  Some spam networks are upwards of 10,000 machines.  And sometimes the header info is spoofed.  And it would not be surprising if you receive the same email from a different source every day for a week.

So it is likely that your block list will get Very long and that you will be blocking people who may be your friends and not know that they have a virus problem.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40497214
Is it really possible to spoof the sender IP address in the SMTP protocol? If the sender exchanges a fake IP address, I wonder how the spam came to my server successfully. I know they spoof the email address and name or add header info, but I wonder if it really can change the sender IP address during the SMTP communication; it would break the communication, resulting in the spam not being delivered to the recipient. ???

For example, when a spammer sends HELO to my email server, then my SMTP server tries to establish a TCP/IP connection with the spammer, then how can a session be established if they use a fake IP address?
If they use a proxy, I understand, but can they really use someone else's IP address which is not on the path between the recipient and sender SMTP servers?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40497260
SMTP is very odd in some ways.  They probably can't fake the IP address in the 'envelope' which is what is actually used to deliver email... but they can fake what ever is in the headers.  The problem is that clients never see the 'envelope' info and the IP address used to connect to the mail server.  All they see is what is in the header.

Add that to the fact that most spam is supposedly sent by bot networks made up of virus infected home computers.  You may get the same message from multiple sources.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40497296
I am not sure; in a general and normal environment, I thought a receiving server inserts the 'Received' header. If an email is sent back and forth by forwarding or by relay, then I guess there will be multiple 'Received' headers, so spammers can change 'Received' headers, but the last and most recent 'Received' header should give the real IP address of the last sender's email server, only if it's true that it's created by a receiving server.

Maybe it's something I have to look into. I'm surprised, because if that last 'Received' header is inserted by anything other than the receiving server, then your warning is very true and turns me in a completely different direction in how to react to spams.

Microsoft Mail Internet Headers Version 2.0
Received: from li576-182.members.linode.com ([192.155.85.182]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Fri, 12 Dec 2014 05:44:07 -0500

Received: from li576-182.members.linode.com (localhost [127.0.0.1])
      by li576-182.members.linode.com (8.14.4/8.14.4) with ESMTP id sBCAi6JR001956
      for <admin@mydomain.com>; Fri, 12 Dec 2014 10:44:06 GMT
Received: (from apache@localhost)
      by li576-182.members.linode.com (8.14.4/8.14.4/Submit) id sBCAi5Ul001951;
      Fri, 12 Dec 2014 10:44:05 GMT
Date: Fri, 12 Dec 2014 10:44:05 +0000
To: Admin <admin@mydomain.com>
From: Flashtechllc <no-reply@flashtechllc-service.com>
Reply-To: Flashtechllc <no-reply@flashtechllc-service.com>
Subject: (ad)Apple Samsung HTC screen replacement parts wholesale and retail- Flash Tech LLC Christmas Promotions
Message-ID: <NzUzMTIyNwAC52571Y20BAMTQxODM4MTA0NTM1NzY3@www.flashtechllc-service.com>
0
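The question asks for a way to turn exported header text into a CSV of sender IPs, and the comment above asks which 'Received' line can be trusted. The script below is an added example, not code from the thread or from any tool named in it. It takes the raw "Transport Message Headers" text (the accepted answer names that property; fetching it from Outlook is left out here) and keeps only the IP recorded in the topmost Received header, and only when that header says it was stamped "by" your own server: every Received line below it was written by the sender's hosts and can contain anything. The sample header block is the one posted in this thread with the Outlook preamble line; the hostname in OUR_MX is an assumed placeholder.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample: the header block posted in the thread above, including
# the Outlook "Microsoft Mail Internet Headers" preamble line.
SAMPLE_HEADERS = """Microsoft Mail Internet Headers Version 2.0
Received: from li576-182.members.linode.com ([192.155.85.182]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Fri, 12 Dec 2014 05:44:07 -0500

Received: from li576-182.members.linode.com (localhost [127.0.0.1])
      by li576-182.members.linode.com (8.14.4/8.14.4) with ESMTP id sBCAi6JR001956
      for <admin@mydomain.com>; Fri, 12 Dec 2014 10:44:06 GMT
Received: (from apache@localhost)
      by li576-182.members.linode.com (8.14.4/8.14.4/Submit) id sBCAi5Ul001951;
      Fri, 12 Dec 2014 10:44:05 GMT
Date: Fri, 12 Dec 2014 10:44:05 +0000
To: Admin <admin@mydomain.com>
From: Flashtechllc <no-reply@flashtechllc-service.com>
Subject: (ad)Apple Samsung HTC screen replacement parts wholesale and retail
"""

# Hostname of the mail server you operate (assumed placeholder). Only a
# Received line stamped "by" this host was written by software you control.
OUR_MX = "mail.mydomain.com"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Unfold a raw header block into (name, value) pairs, top to bottom.
    Tolerates the Outlook preamble line and stray blank lines between fields."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            # Folded continuation of the previous header.
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():
            continue  # preamble or junk, not a "Name: value" header
        fields.append((name.strip(), value.strip()))
    return fields


def connecting_ip(raw, our_mx=OUR_MX):
    """Return the peer IP from the topmost Received header if, and only if,
    our own server stamped it. Returns None when the top Received was written
    by someone else, carries no bracketed IP, or records a private/loopback
    address (e.g. a local submission hop)."""
    received = [v for n, v in parse_headers(raw) if n.lower() == "received"]
    if not received:
        return None
    top = received[0]
    if not re.search(r"\bby\s+" + re.escape(our_mx) + r"\b", top, re.I):
        return None
    m = IP_RE.search(top)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if ip.is_private or ip.is_loopback:
        return None
    return str(ip)


def tally_to_csv(header_blocks, our_mx=OUR_MX):
    """Count trusted connecting IPs across many header blocks and return a CSV
    string (ip,count), most frequent first, ready to open in Excel."""
    counts = Counter()
    for raw in header_blocks:
        ip = connecting_ip(raw, our_mx)
        if ip:
            counts[ip] += 1
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["ip", "count"])
    for ip, n in counts.most_common():
        writer.writerow([ip, n])
    return out.getvalue()


if __name__ == "__main__":
    print(connecting_ip(SAMPLE_HEADERS))
    print(tally_to_csv([SAMPLE_HEADERS, SAMPLE_HEADERS]))
```

Pass one header block per message to tally_to_csv; messages whose top Received line was not stamped by your own server are skipped rather than trusted, which is the check Dave Baldwin's warning about forged headers calls for.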
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40497321
https://www.linode.com/ is a web hosting company.  But li576-182.members.linode.com looks like a home or DSL address.  However, it returns the same IP address ([192.155.85.182])  when I do a lookup.  (localhost [127.0.0.1]) indicates that it is probably sent from a web site thru the local SMTP or 'sendmail' service.

Flashtechllc <no-reply@flashtechllc-service.com> is the Linode contact or maybe parent company.

If you are getting a lot of spam from that one site, I would contact them about it.  Hosting companies don't like spammers on their sites.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40497337
Not sure how it's related to the problem of forging the last 'Received' header's IP address...
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40497352
Do you mean that if sender's IP address is dynamic, later it will be handed off to another person which will be also blocked by IP blocking? I'm not concerned about this because we only communicate in B2B where our partners' email servers have static IP addresses or their ISP is not residential.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40497357
A bot network for sending spam will have 10,000 plus sources.  A control machine somewhere (Russia?) will tell them what to send every day.  At times, I get the same message from multiple sources.

It's not related to forging.  But you didn't show me the headers before so I could check them out.  If the headers are 'legitimate', then Linode will know who 'li576-182.members.linode.com' is.  I'd contact them if a lot of the spams are coming from there.

But that says nothing about spams that aren't coming from there.  There are all sorts of methods used to send spam.  You just have to go thru them if you want to stop them.  I don't bother any more.  I just delete them, up to 100 a day.
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 1000 total points
ID: 40497367
0
