Solved

Extracting IP address of emails from spam folder

Posted on 2014-12-12
Last Modified: 2014-12-13
I receive 100-200 spams a day. I am trying to find a way to get the sender's IP address from 1000 or more spams in my junk folder in Outlook. When I export spams in the folder, it doesn't even export header information.
Is there any way to export header information to CSV so that I can open it in Excel and get the last email server's IP addresses sorted out, so I can import them into my IP blocklist?
Question by:crcsupport
10 Comments
 
LVL 24

Accepted Solution

by:
Phillip Burton earned 250 total points
ID: 40496530
There are a lot of document properties available with emails.

http://www.filecats.co.uk/metadata-extended-document-properties/microsoft-outlook-msg-files/email-metadata/ shows the MSG document properties. I think the one you are looking for is Transport Message Headers. It includes information such as "Received: from forward.a.hostedemail.com (216.40.42.17)".

If you've got the information in MSG format, and you say you are looking for a solution to import this data into Excel, have a look at that link.
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 40496904
You should know that most spam comes from networks of machines that are virus infested and controlled by a central controller somewhere.  Some spam networks are upwards of 10,000 machines.  And sometimes the header info is spoofed.  And it would not be surprising if you receive the same email from a different source every day for a week.

So it is likely that your block list will get very long and that you will be blocking people who may be your friends and not know that they have a virus problem.
 
LVL 1

Author Comment

by:crcsupport
ID: 40497214
Is it really possible to spoof the sender IP address in the SMTP protocol? If the sender exchanges a fake IP address, I wonder how the spam came to my server successfully. I know they spoof the email address and name or add header info, but I wonder if it really can change the sender IP address during the SMTP communication; it will break the communication, resulting in the spam not being delivered to the recipient. ???

For example, when a spammer sends HELO to my email server, then my SMTP server tries to establish a TCP/IP connection with the spammer, then how can a session be established if they use a fake IP address?
If they use a proxy, I understand, but can they really use someone else's IP address which is not on the path between the recipient and sender SMTP servers?
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40497260
SMTP is very odd in some ways.  They probably can't fake the IP address in the 'envelope' which is what is actually used to deliver email... but they can fake whatever is in the headers.  The problem is that clients never see the 'envelope' info and the IP address used to connect to the mail server.  All they see is what is in the header.

Add that to the fact that most spam is supposedly sent by bot networks made up of virus infected home computers.  You may get the same message from multiple sources.
 
LVL 1

Author Comment

by:crcsupport
ID: 40497296
I am not sure; in a general and normal environment, I thought a receiving server inserts the 'Received' header. If an email is sent back and forth by forwarding or by relay, then I guess there will be multiple 'Received' headers, so spammers can change the 'Received' header, but the last and most recent 'Received' header should give the real IP address of the last sender's email server, only if it's true that it's created by a receiving server.

Maybe it's something I have to look into. I'm surprised, because if that last 'Received' header is inserted by anything other than the receiving server, then your warning is very true and turns me in a completely different direction to react to spams.

Microsoft Mail Internet Headers Version 2.0
Received: from li576-182.members.linode.com ([192.155.85.182]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Fri, 12 Dec 2014 05:44:07 -0500

Received: from li576-182.members.linode.com (localhost [127.0.0.1])
      by li576-182.members.linode.com (8.14.4/8.14.4) with ESMTP id sBCAi6JR001956
      for <admin@mydomain.com>; Fri, 12 Dec 2014 10:44:06 GMT
Received: (from apache@localhost)
      by li576-182.members.linode.com (8.14.4/8.14.4/Submit) id sBCAi5Ul001951;
      Fri, 12 Dec 2014 10:44:05 GMT
Date: Fri, 12 Dec 2014 10:44:05 +0000
To: Admin <admin@mydomain.com>
From: Flashtechllc <no-reply@flashtechllc-service.com>
Reply-To: Flashtechllc <no-reply@flashtechllc-service.com>
Subject: (ad)Apple Samsung HTC screen replacement parts wholesale and retail- Flash Tech LLC Christmas Promotions
Message-ID: <NzUzMTIyNwAC52571Y20BAMTQxODM4MTA0NTM1NzY3@www.flashtechllc-service.com>
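As an added example (not code from the thread or from either participant), the following Python script does what the exchange above describes: it walks the Received chain from the top, trusts only hops stamped by your own receiving server (assumed here to be mail.mydomain.com, the host named in the headers quoted above), takes the bracketed IP literal that server recorded for the connection, and writes one CSV row per message for import into Excel. The header block from the post above is embedded as a sample, together with a constructed message in which the sender supplied a forged Received line, to show that the forged line is ignored. It assumes the raw headers have already been exported to text (for example via the Transport Message Headers property mentioned in the accepted answer).

```python
import csv
import io
import re
from email import message_from_string

# Constructed samples. The first is the header block quoted in the thread above
# (body and a few headers omitted); the second is a made-up message in which the
# spammer prepended a forged Received line. 203.0.113.9 and 198.51.100.7 are
# documentation addresses, not real senders.
SAMPLE_HEADERS = (
    "Received: from li576-182.members.linode.com ([192.155.85.182]) "
    "by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);\n"
    "\t Fri, 12 Dec 2014 05:44:07 -0500\n"
    "Received: from li576-182.members.linode.com (localhost [127.0.0.1])\n"
    "\tby li576-182.members.linode.com (8.14.4/8.14.4) with ESMTP id sBCAi6JR001956\n"
    "\tfor <admin@mydomain.com>; Fri, 12 Dec 2014 10:44:06 GMT\n"
    "Received: (from apache@localhost)\n"
    "\tby li576-182.members.linode.com (8.14.4/8.14.4/Submit) id sBCAi5Ul001951;\n"
    "\tFri, 12 Dec 2014 10:44:05 GMT\n"
    "From: Flashtechllc <no-reply@flashtechllc-service.com>\n"
    "Subject: (ad)Apple Samsung HTC screen replacement parts wholesale and retail\n"
    "\n"
)
FORGED_HEADERS = (
    "Received: from spammer.example ([203.0.113.9]) "
    "by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);\n"
    "\t Sat, 13 Dec 2014 01:02:03 -0500\n"
    "Received: from mx.example.net ([198.51.100.7]) by spammer.example;\n"
    "\tSat, 13 Dec 2014 06:02:02 GMT\n"
    "From: Someone <someone@example.net>\n"
    "Subject: constructed forged-chain sample\n"
    "\n"
)

# Hostnames of the mail servers you operate. Only Received lines stamped
# "by" one of these are trusted; this value is assumed from the thread.
TRUSTED_HOSTS = {"mail.mydomain.com"}

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def parse_hop(received):
    """Return (by_host, connecting_ip) for one Received header value."""
    flat = " ".join(received.split())  # unfold continuation lines
    by = re.search(r"\bby\s+(\S+)", flat, re.IGNORECASE)
    by_host = by.group(1).rstrip(";,").lower() if by else ""
    frm = re.search(r"\bfrom\s+(.*?)\s+by\b", flat, re.IGNORECASE)
    clause = frm.group(1) if frm else ""
    # The bracketed literal is the address the stamping MTA actually saw on
    # the TCP connection; the hostname before it is whatever the client said.
    ips = re.findall(r"\[(" + IPV4 + r")\]", clause)
    return by_host, (ips[0] if ips else None)


def external_sender_ip(raw_headers, trusted_hosts=TRUSTED_HOSTS):
    """Walk Received headers top-down and return the connecting IP recorded
    by the last hop that one of our own servers stamped. Everything below
    that hop arrived inside the message and may be forged."""
    msg = message_from_string(raw_headers)
    last_trusted_ip = None
    for hop in msg.get_all("Received") or []:
        by_host, ip = parse_hop(hop)
        if by_host not in trusted_hosts:
            break
        last_trusted_ip = ip
    return last_trusted_ip


def export_csv(raw_messages, trusted_hosts=TRUSTED_HOSTS):
    """Build CSV text with one row per message: sender_ip, From, Subject."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sender_ip", "from", "subject"])
    for raw in raw_messages:
        msg = message_from_string(raw)
        writer.writerow([
            external_sender_ip(raw, trusted_hosts) or "",
            msg.get("From", ""),
            msg.get("Subject", ""),
        ])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv([SAMPLE_HEADERS, FORGED_HEADERS]), end="")
```

Run it on a directory of exported header files by reading each file and passing the list to export_csv; the trusted-host set should list every MTA in your own inbound path (for example an edge spam appliance and the internal server behind it), so that the walk stops at the first hop you did not stamp yourself.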
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40497321
https://www.linode.com/ is a web hosting company.  But li576-182.members.linode.com looks like a home or DSL address.  However, it returns the same IP address ([192.155.85.182]) when I do a lookup.  (localhost [127.0.0.1]) indicates that it is probably sent from a web site thru the local SMTP or 'sendmail' service.

Flashtechllc <no-reply@flashtechllc-service.com> is the Linode contact or maybe parent company.

If you are getting a lot of spam from that one site, I would contact them about it.  Hosting companies don't like spammers on their sites.
 
LVL 1

Author Comment

by:crcsupport
ID: 40497337
Not sure how it's related to the problem of forging the last 'Received' header's IP address...
 
LVL 1

Author Comment

by:crcsupport
ID: 40497352
Do you mean that if the sender's IP address is dynamic, later it will be handed off to another person, who will also be blocked by IP blocking? I'm not concerned about this because we only communicate in B2B, where our partners' email servers have static IP addresses or their ISP is not residential.
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40497357
A bot network for sending spam will have 10,000 plus sources.  A control machine somewhere (Russia?) will tell them what to send every day.  At times, I get the same message from multiple sources.

It's not related to forging.  But you didn't show me the headers before so I could check them out.  If the headers are 'legitimate', then Linode will know who 'li576-182.members.linode.com' is.  I'd contact them if a lot of the spams are coming from there.

But that says nothing about spams that aren't coming from there.  There are all sorts of methods used to send spam.  You just have to go thru them if you want to stop them.  I don't bother any more.  I just delete them, up to 100 a day.
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 40497367