How Can I Tell Where This Email Is Really Coming From?

I have a problem that may be more serious than I thought.

I am getting emails from one of my other email accounts but I am not
sending them.

Now, I know to look at the header and see if there is another email
address listed, but there isn't. The only email address listed in the header
is my own.

Is there something else I can look at to see where this email is really
coming from?

I do see this:

Received: from [85.100.56.163] (port=4674 helo=xxxxxx.com)
by xxxx.xxxxxxxx.com with smtp (Exim 4.68)
(envelope-from <myaddress@mydomain.com>)
id 1LEA0M-0002CG-Ru
for myaddress@mydomain.com; Sat, 20 Dec 2008

I have removed all the actual information because I don't want to publicly
get somebody in trouble, but where it says port=4674 and then there
is a domain after it, is that where the email is actually originating from?

I replaced my actual email address with myaddress@mydomain.com.

Any help anybody can give me on this will be appreciated.

Thanks.
  • Profile picture of the author KirkMcD
    Is that the entire header?

    This is where it originated, if it is.
    Received: from [85.100.56.163]
    Here is the Whois for the ip:
    http://www.db.ripe.net/whois?form_ty..._search=Search
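
An added example, not part of the original thread: a small parser for the Exim-style Received header quoted in the question, separating what the receiving server recorded (the bracketed IP and source port) from what the connecting client merely claimed (the helo name and envelope-from). The function names are illustrative, and only the Received line added by your own mail server can be relied on; lines below it were supplied by earlier hops.

```python
import ipaddress
import re

# The header quoted in the thread (already redacted by the poster), unchanged.
SAMPLE = """Received: from [85.100.56.163] (port=4674 helo=xxxxxx.com)
 by xxxx.xxxxxxxx.com with smtp (Exim 4.68)
 (envelope-from <myaddress@mydomain.com>)
 id 1LEA0M-0002CG-Ru
 for myaddress@mydomain.com; Sat, 20 Dec 2008"""

# Written by the receiving server itself vs. copied from what the client said.
RECORDED = ("client_ip", "client_port", "by", "protocol")
CLAIMED = ("helo", "envelope_from")


def parse_received(header):
    """Split one Exim-style Received header into its named fields."""
    text = " ".join(header.split())  # unfold continuation lines

    def grab(pattern):
        match = re.search(pattern, text)
        return match.group(1) if match else None

    ip = grab(r"\bfrom\s[^;]*?\[([0-9A-Fa-f:.]+)\]")
    return {
        "client_ip": str(ipaddress.ip_address(ip)) if ip else None,
        "client_port": grab(r"\bport=(\d+)"),
        "by": grab(r"\bby\s+(\S+)"),
        "protocol": grab(r"\bwith\s+(\S+)"),
        "helo": grab(r"\bhelo=([^\s)]+)"),
        "envelope_from": grab(r"envelope-from\s+<([^>]*)>"),
        "for": grab(r"\bfor\s+<?([^\s;>]+)"),
    }


def triage(header):
    """Group fields by who supplied them and flag mail 'sent' to its own sender."""
    fields = parse_received(header)
    sender = (fields["envelope_from"] or "").lower()
    return {
        "recorded": {k: fields[k] for k in RECORDED},
        "claimed": {k: fields[k] for k in CLAIMED},
        "self_addressed": bool(sender) and sender == (fields["for"] or "").lower(),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE).items():
        print(section, value)
```
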
    • Profile picture of the author Steven Wagenheim
      Originally Posted by KirkMcD View Post

      Is that the entire header?

      This is where it originated, if it is.


      Here is the Whois for the ip:
      Query the RIPE Database
      Thanks Kirk, now how do I stop it? Apparently, this is out in the land of "the
      foreign spammers". Do I have a prayer or do I just forget about it?
      • Profile picture of the author Jim M
        The starting point would be to report the Source IP address to the hosting company as being suspected of sending spam emails fraudulently using your details - see what they can come up with.

        I've had emails arrive in my Gmail inbox from me, when I check the details it even shows it's still from me - at the moment I only get the odd one, if it grew to a flood then I'd get worried and shut down the account.
        Signature
        Jim Montgomery www.thepublishing.press
    • Profile picture of the author ExRat
      Hi Steven,

      I'm getting nailed on one of my paypal emails in the same manner. It started about two weeks ago. Are the emails all very short messages with 'click here to view message' images?

      This ****** has almost forced me to dump this email address. There's spam and there's persistent spam. This is pissistent...

      It's from my domain and the emails are all sent from 'my address' to the same one that's 'sending' them.



      Hey thanks Kirk. That helped.
      Signature


      Roger Davis

      • Profile picture of the author Steven Wagenheim
        Originally Posted by ExRat View Post

        Hi Steven,

        I'm getting nailed on one of my paypal emails in the same manner. It started about two weeks ago. Are the emails all very short messages with 'click here to view message' images?

        This ****** has almost forced me to dump this email address. There's spam and there's persistent spam. This is pissistent...

        It's from my domain and the emails are all sent from 'my address' to the same one that's 'sending' them.

        Roger yes, it's the same, but fortunately I'm not getting so many that
        I have to dump the address.

        Curious. Knowing the real location, is it possible to block email by the
        IP address or real location?

        Certainly there has to be a way to do that. If not, somebody should
        invent it.
        • Profile picture of the author Jim M
          Originally Posted by Steven Wagenheim View Post

          Curious. Knowing the real location, is it possible to block email by the
          IP address or real location?

          Certainly there has to be a way to do that. If not, somebody should
          invent it.

          Isn't there a setting in one of the spam filters within Cpanel hosting where you can block an IP address?
          Signature
          Jim Montgomery www.thepublishing.press
        • Profile picture of the author myob
          Spammers are getting more sophisticated these days with fake headers replicating the recipient's email address. Unless you are getting bounced emails from other non-existent emails with your header info, don't worry about it. I get spam from myself quite frequently.

          You might try to shield your email address on your websites with javascript, or use a php contact form as I started doing myself recently.
  • Profile picture of the author Andy Fletcher
    It's a common spamming trick to send people email from themselves. Depending on what software is used for the mail server, it is definitely possible to block this kind of spam.

    You'll need to find out what IP address you actually send email from (this will be the IP address of your SMTP server) then you can blacklist your own email accounts unless they come from the real IP address.
  • Profile picture of the author Andy Fletcher
    Oh, and another thing, your biggest problem will most likely be the computer sending it is owned by some completely unsuspecting guy/girl who has had their computer compromised by a virus which has installed an SMTP server on it.
    • Profile picture of the author Steven Wagenheim
      Okay, I just checked several of these emails and they're all from different IP
      addresses, so either they are being sent by different people (doubtful as
      they are all the same type of emails) or they are being sent using some
      kind of rotating IP scheme (assuming this can be done...no, I'm not a techno
      geek so I don't know.)
    • Profile picture of the author radhika
      Received: from [85.100.56.163] (port=4674 helo=xxxxxx.com)
      by xxxx.xxxxxxxx.com with smtp (Exim 4.68)
      (envelope-from <myaddress@mydomain.com>)
      id 1LEA0M-0002CG-Ru
      for myaddress@mydomain.com; Sat, 20 Dec 2008
      Steven,

      The IP is from Turkey. Somebody is spoofing your domain email address to send email. Ask your host to set up an SPF record for you. It simply tells the world that email from your site is ONLY sent from your allowed IP address (mostly your server's main IP). So if somebody uses your domain email from their own IP, that email will be rejected by the receiving mail server.

      • Profile picture of the author Steven Wagenheim
        Originally Posted by radhika View Post

        Steven,

        The IP is from Turkey. Somebody is spoofing your domain email address to send email. Ask your host to set up an SPF record for you. It simply tells the world that email from your site is ONLY sent from your allowed IP address (mostly your server's main IP). So if somebody uses your domain email from their own IP, that email will be rejected by the receiving mail server.

        Thanks, I just emailed my web host.
      • Profile picture of the author Sean Kelly
        Originally Posted by radhika View Post

        Steven,

        The IP is from Turkey. Somebody is spoofing your domain email address to send email. Ask your host to set up an SPF record for you. It simply tells the world that email from your site is ONLY sent from your allowed IP address (mostly your server's main IP). So if somebody uses your domain email from their own IP, that email will be rejected by the receiving mail server.

        If you have Plesk you are in luck, there are many things you can do...

        In Plesk log in as Admin, click on 'Server' and then click on 'Mail'.

        Under 'Relay options' make sure it is set to authorization is required: SMTP
        Under 'DomainKeys spam protection' make sure 'Verify incoming mail' is CHECKED

        Also switch on 'Verify incoming mail'
        and set 'SPF checking mode' to 'Reject mails when SPF resolved to fail'

        You can also switch on 'Switch on spam protection based on DNS blackhole lists'
        and use sbl.spamhaus.org as your originator checking service.

        Sean
        Signature
        http://javadocs.com - Javadocs
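
An added example, not part of the original thread: a simplified SPF check illustrating the SPF record suggested above and the "reject when SPF resolves to fail" mode. The record and the 192.0.2.10 server address are constructed placeholders, the function names are illustrative, and only the `ip4`, `ip6` and `all` mechanisms are evaluated; mechanisms that need DNS lookups are returned as unresolved rather than guessed.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record: mail for the domain is only sent from these addresses.
RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"


def check_spf(record, client_ip):
    """Return (result, unresolved) for an SPF TXT record and a connecting IP.

    SPF is evaluated for the envelope-from domain, against the IP the
    receiving server saw, not against anything written in the message.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []
    ip = ipaddress.ip_address(client_ip)
    unresolved = []
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], unresolved
        elif name == "all":
            return QUALIFIERS[qualifier], unresolved
        else:
            unresolved.append(term)  # a, mx, include, redirect=... need DNS
    return "neutral", unresolved


def reject_on_fail(result):
    """Mirror a 'reject when SPF resolves to fail' policy: only hard fail rejects."""
    return result == "fail"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "85.100.56.163"):  # own server, IP from the header
        result, pending = check_spf(RECORD, addr)
        print(addr, result, "reject" if reject_on_fail(result) else "accept", pending)
```
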
  • Profile picture of the author Andy Fletcher
    The simplest fix is actually to just blacklist your own email addresses. How often do you email yourself anyway?
    • Profile picture of the author Steven Wagenheim
      Originally Posted by Andy Fletcher View Post

      The simplest fix is actually to just blacklist your own email addresses. How often do you email yourself anyway?
      I can't do that. I forward emails from that address to my AOL account. I
      do this because I have so many email addresses that it's easier to read all
      the customer service emails from one place.
      • Profile picture of the author Andy Fletcher
        Originally Posted by Steven Wagenheim View Post

        I can't do that. I forward emails from that address to my AOL account. I
        do this because I have so many email addresses that it's easier to read all
        the customer service emails from one place.
        OK. Well the more complicated version of blacklisting your email addresses unless they come from the correct IP will still work. I hope whoever you have your email server with provides this functionality for you.
        • Profile picture of the author sylviad
          When I appeared to be receiving emails from myself, I thought my account had been hacked. I asked my provider and he told me they are not coming from my account. They subsequently did something that stopped it as I haven't received any since.

          Sylvia
          • Profile picture of the author learnmore
            It may be hard to pinpoint the actual sender. The spammers need to be ahead of the curve and this would be the first thing they would want to cover their tracks.

            The From address in an incoming mail can be made to look like anything. A few lines of Java/PHP/?? code can literally construct an email with the following info and send it out to whoever:

            From: you@yourdomain.com Or accounts@paypal.com
            To: you@yourdomain.com
            Subject: Spoof
            Message: More spoof

            The following links can give you more info:

            Prevent email spoofing
            FAQ: Spoof email
      • Profile picture of the author Jim M
        Originally Posted by Steven Wagenheim View Post

        I can't do that. I forward emails from that address to my AOL account. I
        do this because I have so many email addresses that it's easier to read all
        the customer service emails from one place.
        Is there a common phrase / partial common content that you can flag as spam in your AOL account?
        Signature
        Jim Montgomery www.thepublishing.press
        • Profile picture of the author ExRat
          Hi all,

          Thanks for the great help as usual, should be able to sort this out now.
          Signature


          Roger Davis
