Solved

Extracting IP address of emails from spam folder

Posted on 2014-12-12
10
276 Views
Last Modified: 2014-12-13
I receive 100-200 spams a day. I am trying to find a way to get the sender's IP address from 1000 or more spams in my junk folder in Outlook. When I export spams in the folder, it doesn't even export header information.
Is there any way to export header information to csv so that I can open in excel and get the last email server's ip addresses sorted out, so I can import to my IP blocklist?
0
Question by:crcsupport
10 Comments
 
LVL 24

Accepted Solution

by:
Phillip Burton earned 250 total points
ID: 40496530
There are a lot of document properties available with emails.

http://www.filecats.co.uk/metadata-extended-document-properties/microsoft-outlook-msg-files/email-metadata/ shows that MSG document properties. I think the one you are looking for is Transport Message Headers. It includes information such as "Received: from forward.a.hostedemail.com (216.40.42.17)".

If you've got the information in MSG format, and you say you are looking for a solution to import this data into Excel, have a look at that link.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 40496904
You should know that most spam comes from networks of machines that are virus infested and controlled by a central controller somewhere.  Some spam networks are upwards of 10,000 machines.  And sometimes the header info is spoofed.  And it would not be surprising if you receive the same email from a different source every day for a week.

So it is likely that your block list will get Very long and that you will be blocking people who may be your friends and not know that they have a virus problem.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40497214
Is it really possible to spoof the sender IP address in the SMTP protocol? If the sender exchanges a fake IP address, I wonder how the spam came to my server successfully. I know they spoof the email address and name or add header info, but I wonder if it really can change the sender IP address during the SMTP communication; it will break the communication, resulting in the spam not being delivered to the recipient. ???

For example, when a spammer sends HELO to my email server, then my SMTP server tries to establish a TCP/IP connection with the spammer, then how can a session be established if they use a fake IP address?
If they use proxy, I understand, but can they really use someone else's IP address which is not on the path between the recipient and sender SMTP servers?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40497260
SMTP is very odd in some ways.  They probably can't fake the IP address in the 'envelope' which is what is actually used to deliver email... but they can fake what ever is in the headers.  The problem is that clients never see the 'envelope' info and the IP address used to connect to the mail server.  All they see is what is in the header.

Add that to the fact that most spam is supposedly sent by bot networks made up of virus infected home computers.  You may get the same message from multiple sources.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40497296
I am not sure; in a general and normal environment, I thought a receiving server inserts the header 'Received'. If an email is sent back and forth by forwarding or by relay, then I guess there will be multiple 'Received' headers, so spammers can change the 'Received' header, but the last and most recent 'Received' header should give the real IP address of the last sender's email server, but only if it's true that it's created by a receiving server.

Maybe it's something I have to look into. I'm surprised, because if that last 'Received' header is inserted by anything other than the receiving server, then your warning is very true and turns me in a completely different direction in reacting to spams.

Microsoft Mail Internet Headers Version 2.0
Received: from li576-182.members.linode.com ([192.155.85.182]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Fri, 12 Dec 2014 05:44:07 -0500

Received: from li576-182.members.linode.com (localhost [127.0.0.1])
      by li576-182.members.linode.com (8.14.4/8.14.4) with ESMTP id sBCAi6JR001956
      for <admin@mydomain.com>; Fri, 12 Dec 2014 10:44:06 GMT
Received: (from apache@localhost)
      by li576-182.members.linode.com (8.14.4/8.14.4/Submit) id sBCAi5Ul001951;
      Fri, 12 Dec 2014 10:44:05 GMT
Date: Fri, 12 Dec 2014 10:44:05 +0000
To: Admin <admin@mydomain.com>
From: Flashtechllc <no-reply@flashtechllc-service.com>
Reply-To: Flashtechllc <no-reply@flashtechllc-service.com>
Subject: (ad)Apple Samsung HTC screen replacement parts wholesale and retail- Flash Tech LLC Christmas Promotions
Message-ID: <NzUzMTIyNwAC52571Y20BAMTQxODM4MTA0NTM1NzY3@www.flashtechllc-service.com>
0
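The headers above, read the way Dave describes: only the Received line written by the asker's own server (the "by mail.mydomain.com" one) can be trusted, and the lines below it were written by the sending host and could say anything. The following Python example is added here and is not code from the thread; it assumes the raw header text of each message has already been pulled out of Outlook (for example from the transport message headers property Phillip's link refers to) and that the asker's own receiving hostname is mail.mydomain.com. The first sample is the header block posted above with the blank line Outlook inserted kept in; the second is a constructed chain where the sender has prepended a fake Received line, to show why the walk stops at the first hop not written by your own server.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Sample 1: the header block posted in this thread (mydomain.com is the asker's placeholder).
SAMPLE_HEADERS = """\
Microsoft Mail Internet Headers Version 2.0
Received: from li576-182.members.linode.com ([192.155.85.182]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Fri, 12 Dec 2014 05:44:07 -0500

Received: from li576-182.members.linode.com (localhost [127.0.0.1])
      by li576-182.members.linode.com (8.14.4/8.14.4) with ESMTP id sBCAi6JR001956
      for <admin@mydomain.com>; Fri, 12 Dec 2014 10:44:06 GMT
Received: (from apache@localhost)
      by li576-182.members.linode.com (8.14.4/8.14.4/Submit) id sBCAi5Ul001951;
      Fri, 12 Dec 2014 10:44:05 GMT
Date: Fri, 12 Dec 2014 10:44:05 +0000
To: Admin <admin@mydomain.com>
From: Flashtechllc <no-reply@flashtechllc-service.com>
Subject: (ad)Apple Samsung HTC screen replacement parts wholesale and retail
"""

# Sample 2 (constructed, documentation addresses): the sender prepended a fake Received
# line naming a bogus origin. Only the hop written by mail.mydomain.com is real.
FORGED_HEADERS = """\
Received: from mx.example.net ([198.51.100.7]) by mail.mydomain.com with Microsoft SMTPSVC;
       Sat, 13 Dec 2014 01:02:03 -0500
Received: from trusted-bank.example ([203.0.113.9]) by mx.example.net; Sat, 13 Dec 2014 06:02:00 GMT
From: Someone <someone@example.net>
Subject: forged chain
"""

HOST = r"([^\s;,()]+)"
FROM_RE = re.compile(r"\bfrom\s+" + HOST + r"(?:\s+\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+" + HOST, re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Addresses that are never a spammer's public address: loopback, RFC 1918, link-local.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded continuation
    lines (RFC 5322). Blank lines and the Outlook banner line are skipped."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue                       # Outlook's header view inserts blank lines
        if line[0] in " \t":
            if fields:                     # continuation of the previous field
                name, value = fields[-1]
                fields[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():
            continue                       # e.g. "Microsoft Mail Internet Headers Version 2.0"
        fields.append((name.strip().lower(), value.strip()))
    return fields


def received_hops(raw):
    """Received: hops in header order (topmost = most recent = added last)."""
    hops = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        m_from, m_by = FROM_RE.search(value), BY_RE.search(value)
        ip = None
        if m_from and m_from.group(2):     # "([192.155.85.182])" or "(localhost [127.0.0.1])"
            m_ip = IP_RE.search(m_from.group(2))
            ip = m_ip.group(1) if m_ip else None
        hops.append({"from": m_from.group(1) if m_from else None, "ip": ip,
                     "by": m_by.group(1).lower() if m_by else None})
    return hops


def connecting_ip(raw, my_hosts):
    """IP of the peer that actually handed the message to one of my_hosts.
    Hops whose 'by' host is mine were written by my own server and are trustworthy;
    the first hop that is not mine, and everything below it, came from the sender and
    may be forged. The real peer is the 'from' IP of the last trusted hop."""
    boundary = None
    for hop in received_hops(raw):
        if hop["by"] not in my_hosts:
            break
        boundary = hop
    if boundary is None or boundary["ip"] is None:
        return None
    try:
        addr = ipaddress.ip_address(boundary["ip"])
    except ValueError:
        return None
    return None if any(addr in net for net in NEVER_BLOCK) else boundary["ip"]


def header_field(raw, name):
    return next((v for n, v in unfold_headers(raw) if n == name), "")


def export_csv(header_blocks, my_hosts):
    """One CSV row per message, for opening in Excel: real peer IP, the host the
    topmost Received line claims, and the From/Subject fields."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["connecting_ip", "claimed_from_host", "from", "subject"])
    for raw in header_blocks:
        hops = received_hops(raw)
        writer.writerow([connecting_ip(raw, my_hosts) or "", hops[0]["from"] if hops else "",
                         header_field(raw, "from"), header_field(raw, "subject")])
    return out.getvalue()


def blocklist_candidates(header_blocks, my_hosts, min_count=1):
    """Unique peer IPs with hit counts, most frequent first. A bot network sends from
    thousands of addresses, so min_count > 1 keeps the list to repeat offenders."""
    counts = Counter()
    for raw in header_blocks:
        ip = connecting_ip(raw, my_hosts)
        if ip:
            counts[ip] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= min_count]


if __name__ == "__main__":
    mine = {"mail.mydomain.com"}
    msgs = [SAMPLE_HEADERS, FORGED_HEADERS, SAMPLE_HEADERS]
    print(export_csv(msgs, mine))
    print(blocklist_candidates(msgs, mine, min_count=2))
```

For the posted headers this yields 192.155.85.182, the Linode host that connected to mail.mydomain.com; the 127.0.0.1 and apache@localhost hops below it are what that host says about itself and are ignored. For the forged sample the answer is 198.51.100.7, not the 203.0.113.9 the sender wrote into its own Received line. Feeding the blocklist from connecting_ip rather than from the lowest Received line is the difference Dave's comment is pointing at.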
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40497321
https://www.linode.com/ is a web hosting company.  But li576-182.members.linode.com looks like a home or DSL address.  However, it returns the same IP address ([192.155.85.182]) when I do a lookup.  (localhost [127.0.0.1]) indicates that it is probably sent from a web site thru the local SMTP or 'sendmail' service.

Flashtechllc <no-reply@flashtechllc-service.com> is the Linode contact or maybe parent company.

If you are getting a lot of spam from that one site, I would contact them about it.  Hosting companies don't like spammers on their sites.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40497337
Not sure how it's related to the problem of forging the last 'Received' header's IP address...
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40497352
Do you mean that if the sender's IP address is dynamic, later it will be handed off to another person who will also be blocked by IP blocking? I'm not concerned about this because we only communicate in B2B, where our partners' email servers have static IP addresses or their ISP is not residential.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40497357
A bot network for sending spam will have 10,000 plus sources.  A control machine somewhere (Russia?) will tell them what to send every day.  At times, I get the same message from multiple sources.

It's not related to forging.  But you didn't show me the headers before so I could check them out.  If the headers are 'legitimate', then Linode will know who 'li576-182.members.linode.com' is.  I'd contact them if a lot of the spams are coming from there.

But that says nothing about spams that aren't coming from there.  There are all sorts of methods used to send spam.  You just have to go thru them if you want to stop them.  I don't bother any more.  I just delete them, up to 100 a day.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 40497367
0

