How Can I Tell Where This Email Is Really Coming From?

by Steven Wagenheim, Posted: 12/20/2008
I have a problem that may be more serious than I thought.

I am getting emails from one of my other email accounts but I am not
sending them.

Now, I know to look at the header and see if there is another email
address listed, but there isn't. The only email address listed in the header
is my own.

Is there something else I can look at to see where this email is really
coming from?

I do see this:

Received: from [85.100.56.163] (port=4674 helo=xxxxxx.com)
by xxxx.xxxxxxxx.com with smtp (Exim 4.68)
(envelope-from <myaddress@mydomain.com>)
id 1LEA0M-0002CG-Ru
for myaddress@mydomain.com; Sat, 20 Dec 2008

I have removed all the actual information because I don't want to publicly
get somebody in trouble, but where it says port=4674 and then there
is a domain after it, is that where the email is actually originating from?

I replaced my actual email address with myaddress@mydomain.com.

Any help anybody can give me on this will be appreciated.

Thanks.
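As an added example (not part of the original post), here is a small Python parser for Received: headers that pulls out the pieces the question is about. The sample header is constructed from the masked values quoted in the post; the field names and the trust notes in the comments are this example's own. The IP in square brackets is taken from the TCP connection by the receiving server, so the sender could not choose it; port=4674 is just the client's source port, and the helo= name and envelope-from address are whatever the sending machine claimed.

```python
import re

# Constructed sample, modelled on the header quoted in the post above; the IP,
# masked hostnames and queue id are the placeholder values the post shows.
SAMPLE_HEADERS = (
    "Return-Path: <myaddress@mydomain.com>\n"
    "Received: from [85.100.56.163] (port=4674 helo=xxxxxx.com)\n"
    "\tby xxxx.xxxxxxxx.com with smtp (Exim 4.68)\n"
    "\t(envelope-from <myaddress@mydomain.com>)\n"
    "\tid 1LEA0M-0002CG-Ru\n"
    "\tfor myaddress@mydomain.com; Sat, 20 Dec 2008\n"
    "From: myaddress@mydomain.com\n"
    "To: myaddress@mydomain.com\n"
    "Subject: Spoof\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # [a.b.c.d] literal
HELO_RE = re.compile(r"helo=([^\s)]+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(\S+)")
ENV_RE = re.compile(r"envelope-from\s+<([^>]+)>")


def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return one dict per Received: header, in header order (nearest the
    recipient first, since each relay prepends its own line)."""
    hops = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "received":
            continue
        ip, helo = IP_RE.search(value), HELO_RE.search(value)
        by, proto = BY_RE.search(value), WITH_RE.search(value)
        env = ENV_RE.search(value)
        hops.append({
            # taken from the TCP connection by the receiving server: reliable
            "ip": ip.group(1) if ip else None,
            # announced by the client in HELO: whatever the sender chose
            "helo": helo.group(1) if helo else None,
            # name of the server that wrote this line
            "by": by.group(1) if by else None,
            # smtp/esmtp = unauthenticated; esmtpa/esmtpsa = SMTP AUTH was used
            "protocol": proto.group(1) if proto else None,
            # MAIL FROM address: also chosen by the sender, no proof of origin
            "envelope_from": env.group(1) if env else None,
        })
    return hops


def origin_hop(raw):
    """The hop where the message entered the chain is the last Received: line.
    Only lines written by servers you trust are reliable; a sender can pre-forge
    lines below them, so read downward only as far as your own server's line."""
    hops = parse_received(raw)
    return hops[-1] if hops else None


def is_authenticated(hop):
    """True when the relay recorded an authenticated submission (Exim writes
    'esmtpa' / 'esmtpsa' as the protocol name in that case)."""
    return (hop.get("protocol") or "").lower() in ("esmtpa", "esmtpsa")


if __name__ == "__main__":
    hop = origin_hop(SAMPLE_HEADERS)
    print("connecting IP  :", hop["ip"])
    print("claimed HELO   :", hop["helo"])
    print("received by    :", hop["by"], "via", hop["protocol"])
    print("envelope-from  :", hop["envelope_from"])
    print("authenticated? :", is_authenticated(hop))
```

Run it against a full header block pasted from the mail client and it reports the connecting IP of the outermost hop. The "with smtp" in the quoted line also matters: it means the connection was plain, unauthenticated SMTP, so the message did not come through the account's own login.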

  • KirkMcD
    Is that the entire header?

    This is where it originated, if it is.
    Received: from [85.100.56.163]
    Here is the Whois for the ip:
    http://www.db.ripe.net/whois?form_ty..._search=Search
  • Steven Wagenheim
    Originally Posted by KirkMcD:

    Is that the entire header?

    This is where it originated, if it is.


    Here is the Whois for the ip:
    Query the RIPE Database
    Thanks Kirk, now how do I stop it? Apparently, this is out in the land of "the
    foreign spammers". Do I have a prayer or do I just forget about it?
  • ExRat
    Hi Steven,

    I'm getting nailed on one of my paypal emails in the same manner. It started about two weeks ago. Are the emails all very short messages with 'click here to view message' images?

    This ****** has almost forced me to dump this email address. There's spam and there's persistent spam. This is pissistent...

    It's from my domain and the emails are all sent from 'my address' to the same one that's 'sending' them.



    Hey thanks Kirk. That helped.
  • Steven Wagenheim
    Originally Posted by ExRat:

    Hi Steven,

    I'm getting nailed on one of my paypal emails in the same manner. It started about two weeks ago. Are the emails all very short messages with 'click here to view message' images?

    This ****** has almost forced me to dump this email address. There's spam and there's persistent spam. This is pissistent...

    It's from my domain and the emails are all sent from 'my address' to the same one that's 'sending' them.

    Roger yes, it's the same, but fortunately I'm not getting so many that
    I have to dump the address.

    Curious. Knowing the real location, is it possible to block email by the
    IP address or real location?

    Certainly there has to be a way to do that. If not, somebody should
    invent it.
  • Jim M
    The starting point would be to report the Source IP address to the hosting company as being suspected of sending spam emails fraudulently using your details - see what they can come up with.

    I've had emails arrive in my Gmail inbox from me; when I check the details it even shows it's still from me. At the moment I only get the odd one; if it grew to a flood then I'd get worried and shut down the account.
  • Andy Fletcher
    It's a common spamming trick to send people email from themselves. Depending on what software is used for the mail server, it is definitely possible to block this kind of spam.

    You'll need to find out what IP address you actually send email from (this will be the IP address of your SMTP server) then you can blacklist your own email accounts unless they come from the real IP address.
  • Jim M
    Originally Posted by Steven Wagenheim:

    Curious. Knowing the real location, is it possible to block email by the
    IP address or real location?

    Certainly there has to be a way to do that. If not, somebody should
    invent it.

    Isn't there a setting in one of the spam filters within Cpanel hosting where you can block an IP address?
  • Andy Fletcher
    Oh, and another thing, your biggest problem will most likely be the computer sending it is owned by some completely unsuspecting guy/girl who has had their computer compromised by a virus which has installed an SMTP server on it.
  • Steven Wagenheim
    Okay, I just checked several of these emails and they're all from different IP
    addresses, so either they are being sent by different people (doubtful as
    they are all the same type of emails) or they are being sent using some
    kind of rotating IP scheme (assuming this can be done...no, I'm not a techno
    geek so I don't know.)
  • myob
    Spammers are getting more sophisticated these days with fake headers replicating the recipient's email address. Unless you are getting bounced emails from other non-existent addresses with your header info, don't worry about it. I get spam from myself quite frequently.

    You might try to shield your email address on your websites with javascript, or use a php contact form as I started doing myself recently.
  • Andy Fletcher
    The simplest fix is actually to just blacklist your own email addresses. How often do you email yourself anyway?
  • Steven Wagenheim
    Originally Posted by Andy Fletcher:

    The simplest fix is actually to just blacklist your own email addresses. How often do you email yourself anyway?
    I can't do that. I forward emails from that address to my AOL account. I
    do this because I have so many email addresses that it's easier to read all
    the customer service emails from one place.
  • radhika
    Received: from [85.100.56.163] (port=4674 helo=xxxxxx.com)
    by xxxx.xxxxxxxx.com with smtp (Exim 4.68)
    (envelope-from <myaddress@mydomain.com>)
    id 1LEA0M-0002CG-Ru
    for myaddress@mydomain.com; Sat, 20 Dec 2008
    Steven,

    The IP is from Turkey. Somebody is spoofing your domain email address to send email. Ask your host to set up an SPF record for you. It simply tells the world that emails from your site are ONLY sent from your allowed IP address (mostly your server's main IP). So if somebody uses your domain email from their own IP, that email will be rejected by the receiving mail server.
  • Andy Fletcher
    Originally Posted by Steven Wagenheim:

    I can't do that. I forward emails from that address to my AOL account. I
    do this because I have so many email addresses that it's easier to read all
    the customer service emails from one place.
    OK. Well the more complicated version of blacklisting your email addresses unless they come from the correct IP will still work. I hope whoever you have your email server with provides this functionality for you.
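radhika's SPF suggestion and Andy's "blacklist my addresses unless they come from the correct IP" are the same check seen from two sides: the domain publishes which IPs may send for it, and the receiving server compares the connecting IP against that list. The Python below is an added example, not code from the thread or from any mail server, showing that comparison for the ip4/ip6/all mechanisms of an SPF record. The record, the 203.0.113.x addresses (a documentation range) and the decide() policy are constructed for illustration; mechanisms that need DNS (a, mx, include) are left out so it runs offline.

```python
import ipaddress

# Constructed example record for the thread's placeholder domain. 203.0.113.0/24
# is a documentation range standing in for the hosting server's real address.
SPF_RECORDS = {
    "mydomain.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.32/27 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4 / ip6 / all mechanisms of an SPF record against the
    IP that connected to us. Result names follow RFC 7208. Mechanisms that
    need DNS lookups (a, mx, include, exists, redirect) are out of scope so the
    function runs offline; a production checker must resolve them."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]    # catch-all, always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                  # DNS mechanism: unsupported here
    return "neutral"                        # nothing matched, no 'all' term


def decide(envelope_from, client_ip, records=SPF_RECORDS):
    """Accept/reject decision in the spirit of the advice above: mail claiming
    to be from one of our domains is rejected when its SPF result is 'fail'.
    Softfail (~all) is left to the spam filter, as most receivers do."""
    domain = envelope_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None:
        return ("accept", "none")           # no policy published: can't judge
    result = evaluate_spf(record, client_ip)
    return ("reject" if result == "fail" else "accept", result)


if __name__ == "__main__":
    # the connecting IP quoted in the thread versus the forged envelope-from
    print(decide("myaddress@mydomain.com", "85.100.56.163"))
    # the same claim arriving from our own server
    print(decide("myaddress@mydomain.com", "203.0.113.10"))
```

The point of the "-all" at the end of the record is what makes the forgery rejectable: with "~all" the receiving server only gets a softfail and will usually deliver the message to the spam folder instead, and with no "all" term at all the result is neutral and nothing is blocked. Note that SPF is checked by the receiving server, so it only protects the forwarded copy at AOL if AOL honours the record; the poster's own server needs the check switched on to reject the copies it receives directly.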
  • Jim M
    Originally Posted by Steven Wagenheim:

    I can't do that. I forward emails from that address to my AOL account. I
    do this because I have so many email addresses that it's easier to read all
    the customer service emails from one place.
    Is there a common phrase / partial common content that you can flag as spam in your AOL account?
  • ExRat
    Hi all,

    Thanks for the great help as usual, should be able to sort this out now.
  • Steven Wagenheim
    Originally Posted by radhika:

    Steven,

    The IP is from Turkey. Somebody is spoofing your domain email address to send email. Ask your host to set up an SPF record for you. It simply tells the world that emails from your site are ONLY sent from your allowed IP address (mostly your server's main IP). So if somebody uses your domain email from their own IP, that email will be rejected by the receiving mail server.

    Thanks, I just emailed my web host.
  • sylviad
    When I appeared to be receiving emails from myself, I thought my account had been hacked. I asked my provider and he told me they are not coming from my account. They subsequently did something that stopped it as I haven't received any since.

    Sylvia
  • Sean Kelly
    Originally Posted by radhika:

    Steven,

    The IP is from Turkey. Somebody is spoofing your domain email address to send email. Ask your host to set up an SPF record for you. It simply tells the world that emails from your site are ONLY sent from your allowed IP address (mostly your server's main IP). So if somebody uses your domain email from their own IP, that email will be rejected by the receiving mail server.

    If you have Plesk you are in luck, there are many things you can do...

    In Plesk log in as Admin, click on 'Server' and then click on 'Mail'.

    Under 'Relay options' make sure it is set to authorization is required: SMTP
    Under 'DomainKeys spam protection' make sure 'Verify incoming mail' is CHECKED

    Also switch on 'Verify incoming mail'
    and set 'SPF checking mode' to 'Reject mails when SPF resolved to fail'

    You can also switch on 'Switch on spam protection based on DNS blackhole lists'
    and use sbl.spamhaus.org as your originator checking service.

    Sean
  • learnmore
    It may be hard to pinpoint the actual sender. The spammers need to be ahead of the curve, and this would be the first thing they would want to do to cover their tracks.

    The From address in an incoming mail can be made to look like anything. A few lines of Java/PHP/?? code can literally construct an email with the following info and send it out to whoever:

    From: you@yourdomain.com Or accounts@paypal.com
    To: you@yourdomain.com
    Subject: Spoof
    Message: More spoof

    Following links can give you more info:

    Prevent email spoofing
    FAQ: Spoof email
