Extracting IP address of emails from spam folder

I receive 100-200 spams a day. I am trying to find a way to get the sender's IP address from 1000 or more spams in my junk folder in Outlook. When I export spams in the folder, it doesn't even export header information.
Is there any way to export header information to CSV so that I can open it in Excel and get the last email server's IP addresses sorted out, so I can import them to my IP blocklist?

Phillip Burton (Director, Practice Manager and Computing Consultant) commented:
There are a lot of document properties available with emails.

http://www.filecats.co.uk/metadata-extended-document-properties/microsoft-outlook-msg-files/email-metadata/ shows the MSG document properties. I think the one you are looking for is Transport Message Headers. It includes information such as "Received: from forward.a.hostedemail.com (".

If you've got the information in MSG format, and you say you are looking for a solution to import this data into Excel, have a look at that link.

Dave Baldwin (Fixer of Problems) commented:
You should know that most spam comes from networks of machines that are virus infested and controlled by a central controller somewhere. Some spam networks are upwards of 10,000 machines. And sometimes the header info is spoofed. And it would not be surprising if you receive the same email from a different source every day for a week.

So it is likely that your block list will get Very long and that you will be blocking people who may be your friends and not know that they have a virus problem.
crcsupport (Author) commented:
Is it really possible to spoof the sender IP address in the SMTP protocol? If the sender exchanges a fake IP address, I wonder how the spam came to my server successfully. I know they spoof the email address and name or add header info, but I wonder if they really can change the sender IP address during the SMTP communication; it would break the communication, resulting in the spam not being delivered to the recipient?

For example, when a spammer sends HELO to my email server, then my SMTP server tries to establish a TCP/IP connection with the spammer, then how can a session be established if they use a fake IP address?
If they use a proxy, I understand, but can they really use someone else's IP address which is not on the path between the recipient and sender SMTP servers?
Dave Baldwin (Fixer of Problems) commented:
SMTP is very odd in some ways. They probably can't fake the IP address in the 'envelope' which is what is actually used to deliver email... but they can fake whatever is in the headers. The problem is that clients never see the 'envelope' info and the IP address used to connect to the mail server. All they see is what is in the header.

Add that to the fact that most spam is supposedly sent by bot networks made up of virus infected home computers. You may get the same message from multiple sources.
crcsupport (Author) commented:
I am not sure. In a general, normal environment, I thought a receiving server inserts the 'Received' header. If an email is sent back and forth by forwarding or by relay, then I guess there will be multiple 'Received' headers, so spammers can change a 'Received' header, but the last and most recent 'Received' header should give the real IP address of the last sender's email server, only if it's true that it's created by a receiving server.

Maybe it's something I have to look into. I'm surprised because if that last 'Received' header is inserted by anything other than the receiving server, then your warning is very true and turns me in a completely different direction in reacting to spams.

Microsoft Mail Internet Headers Version 2.0
Received: from li576-182.members.linode.com ([]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Fri, 12 Dec 2014 05:44:07 -0500

Received: from li576-182.members.linode.com (localhost [])
      by li576-182.members.linode.com (8.14.4/8.14.4) with ESMTP id sBCAi6JR001956
      for <admin@mydomain.com>; Fri, 12 Dec 2014 10:44:06 GMT
Received: (from apache@localhost)
      by li576-182.members.linode.com (8.14.4/8.14.4/Submit) id sBCAi5Ul001951;
      Fri, 12 Dec 2014 10:44:05 GMT
Date: Fri, 12 Dec 2014 10:44:05 +0000
To: Admin <admin@mydomain.com>
From: Flashtechllc <no-reply@flashtechllc-service.com>
Reply-To: Flashtechllc <no-reply@flashtechllc-service.com>
Subject: (ad)Apple Samsung HTC screen replacement parts wholesale and retail- Flash Tech LLC Christmas Promotions
Message-ID: <NzUzMTIyNwAC52571Y20BAMTQxODM4MTA0NTM1NzY3@www.flashtechllc-service.com>
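An added example, not part of the original thread or any poster's code: one way to turn exported raw headers into the CSV the question asks for, trusting only the topmost 'Received' header and only when it was stamped by your own server. The server name is taken from the sample above; the sample messages and their documentation-range IP addresses are constructed, and how the raw header text is exported from Outlook is left as an assumption.

```python
import collections, csv, io, ipaddress, re

MY_MTA = "mail.mydomain.com"  # assumption: your receiving server's name, as in the sample

def received_headers(raw):
    """Unfolded Received: values, topmost (most recently added) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # join folded continuation lines
    return [v.strip() for v in re.findall(r"(?im)^Received:(.*)$", unfolded)]

def connecting_ip(raw, my_mta=MY_MTA):
    """IP our own server recorded for the connecting host, else None."""
    hops = received_headers(raw)
    if not hops:
        return None
    top = hops[0]  # lower Received headers arrive with the message and can be forged
    by = re.search(r"\bby\s+([^\s;]+)", top)
    if not by or by.group(1).lower() != my_mta:
        return None  # topmost hop was not written by our server: do not trust it
    ip = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", top.split(" by ")[0])
    try:
        return str(ipaddress.ip_address(ip.group(1))) if ip else None
    except ValueError:
        return None  # bracket content is not a valid address

def blocklist_csv(messages):
    """CSV text with one row per connecting IP, most frequent first."""
    counts = collections.Counter(ip for ip in map(connecting_ip, messages) if ip)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "messages"])
    writer.writerows(counts.most_common())
    return out.getvalue()

# Constructed sample headers (not real spam); IPs are RFC 5737 documentation ranges.
STAMP = (" by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);\n"
         "\t Fri, 12 Dec 2014 05:44:07 -0500\n")
SAMPLES = [
    "Microsoft Mail Internet Headers Version 2.0\n"
    "Received: from a.example ([203.0.113.25])" + STAMP,
    "Received: from b.example ([203.0.113.25])" + STAMP,
    # A lower hop that merely claims to be our server is ignored.
    "Received: from c.example ([198.51.100.77])" + STAMP
    + "Received: from x.example ([192.0.2.1]) by mail.mydomain.com;\n\t Thu, 11 Dec 2014\n",
    "Received: from d.example ([])" + STAMP,  # empty bracket, as in the posted headers
    "Received: from e.example ([192.0.2.9]) by relay.example;\n\t Fri, 12 Dec 2014\n",
]

if __name__ == "__main__":
    print(blocklist_csv(SAMPLES), end="")
```

The per-IP count makes it easy to review the list in Excel before importing it, which matters given the shared and reassigned addresses discussed in this thread.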
Dave Baldwin (Fixer of Problems) commented:
https://www.linode.com/ is a web hosting company. But li576-182.members.linode.com looks like a home or DSL address. However, it returns the same IP address ([]) when I do a lookup. (localhost []) indicates that it is probably sent from a web site thru the local SMTP or 'sendmail' service.

Flashtechllc <no-reply@flashtechllc-service.com> is the Linode contact or maybe parent company.

If you are getting a lot of spam from that one site, I would contact them about it. Hosting companies don't like spammers on their sites.
crcsupport (Author) commented:
Not sure how it's related to the problem of forging the last 'Received' header's IP address...
crcsupport (Author) commented:
Do you mean that if the sender's IP address is dynamic, later it will be handed off to another person who will also be blocked by IP blocking? I'm not concerned about this because we only communicate in B2B where our partners' email servers have static IP addresses or their ISP is not residential.
Dave Baldwin (Fixer of Problems) commented:
A bot network for sending spam will have 10,000 plus sources. A control machine somewhere (Russia?) will tell them what to send every day. At times, I get the same message from multiple sources.

It's not related to forging. But you didn't show me the headers before so I could check them out. If the headers are 'legitimate', then Linode will know who 'li576-182.members.linode.com' is. I'd contact them if a lot of the spams are coming from there.

But that says nothing about spams that aren't coming from there. There are all sorts of methods used to send spam. You just have to go thru them if you want to stop them. I don't bother any more. I just delete them, up to 100 a day.