take a look at this email's header. To see the header, you'll need
to view the properties of the email. To do this in MS Outlook Express,
for instance, open the email, then select 'Properties' from the 'File'
menu. This brings up the properties window; select the 'Details' tab,
which shows only the header (by selecting 'Message Source', you will
see the header and the email source code, which can be copied and
pasted into any report you need to make to us - email@example.com).
Here is a comparison between the headers of a spoofed
and a genuine eBay email (parts are highlighted to aid comparison, but
the yellow highlights are the important pieces)...
The spoof header:
Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net)
by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [127.0.0.1])
by mail.almtal.net (8.11.6/8.8.7) with
SMTP id h56LRD008495
for <firstname.lastname@example.org>; Fri, 6 Jun 2003 23:27:16 +0200
Subject: ebaY Contest
Date: Fri, 6 Jun 2003 23:27:13 +0200
The genuine header (see a copy of this email):
Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com)
by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [126.96.36.199])
by mx5.smf.ebay.com (8.12.3/8.12.3) with
ESMTP id h59AMQG9000488
for <email@example.com>; Mon, 9 Jun 2003 03:22:26 -0700
Received: from rhv-kas-03.corp.ebay.com (rhv-kas-03.corp.ebay.com [184.108.40.206])
by miami.smf.ebay.com (8.11.6+Sun/8.11.6) with SMTP id h59AMfZ10198
for <firstname.lastname@example.org>; Mon, 9 Jun 2003 03:22:41 -0700 (PDT)
Date: Mon, 09 Jun 2003 03:22:28 -0700
To: millersmiles <email@example.com>
Subject: Re: (KMM72404455V54089L0KM)
From: eBay United Kingdom Customer Support <firstname.lastname@example.org>
Reply-To: eBay United Kingdom Customer Support <email@example.com>
Content-Type: text/plain; charset = "us-ascii"
X-Mailer: Kana 6.0
See the differences in the highlighted text.
The 'Received: from unknown (HELO xxx.xxxx.xxx)' line is written by the
receiving server and records the machine that connected to it. 'unknown'
means the receiving server could not reverse-resolve the sender's IP
address to a hostname, and the name after HELO is whatever the connecting
machine announced about itself, which a spoofer can set to anything. In
this case, the spoof shows a machine announcing itself as 'mail.almtal.net'
with IP address 220.127.116.11, whereas eBay's genuine email has come from
a machine with the ID mx5.smf.ebay.com and IP address 18.104.22.168. The
IP address, not the announced name, is the part to check.
A whois lookup on that IP address tells you who the address block is
registered to (this is not the same as a reverse DNS lookup, which only
returns whatever hostname the address owner has chosen to publish). It is
clear that the genuine email originated from eBay's mail server at IP
22.214.171.124 (eBay, San Jose, CA), whereas the spoof came from a
different machine at an IP address registered to someone in Wien, Austria.
The handling mail server has also added an identifier for the server that
handed it the message. In the spoof this is 'Received: from localhost
(mail.almtal.net [127.0.0.1])': 127.0.0.1 is the loopback address, so the
message was injected by a program running on mail.almtal.net itself (a
script or a local mailer) rather than relayed from another mail server.
eBay's genuine email, by contrast, correctly shows that the sending server
was identified as miami.smf.ebay.com [126.96.36.199] (which again proves
to be owned by eBay when conducting a whois lookup). Bear in mind that
only the Received lines added by your own mail server (and servers you
trust) are reliable; the lines below them were written on the sender's
side and can be fabricated outright.
The mail server name and mail software version are shown by each handling
server as the email is relayed from server to server. The spoof shows
'by mail.almtal.net (8.11.6/8.8.7)', which is again NOT eBay's mail
server, whereas the genuine email correctly shows
'by mx5.smf.ebay.com (8.12.3/8.12.3)'.
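To make the comparison above repeatable, here is a small Python script, added as an example and not part of the original article, that parses the Received: lines of a message, works out for each hop the announced (HELO) name, the reverse-DNS name, the connecting IP and the receiving server, and flags the two tell-tale signs discussed above: a hop whose announced name is not in the expected sender's domain, and a hop injected over the loopback address. The two sample messages are constructed from the headers quoted on this page (with the IP brackets restored); the OWNER_OF_IP table is a stand-in for a real whois lookup and simply records what the article reports, so the ownership check is illustrative only.

```python
"""Parse Received: headers and flag hops that contradict the claimed sender.

Added example, not code from the original article. The sample messages are
constructed from the headers quoted on the page; OWNER_OF_IP is a constructed
stand-in for whois results (a real check would query whois/rDNS per address).
"""
import re
from email import message_from_string

# Constructed stand-in for whois output, as the article reports it.
OWNER_OF_IP = {
    "127.0.0.1": "loopback (same machine)",
    "126.96.36.199": "eBay, San Jose, CA",
    "184.108.40.206": "eBay, San Jose, CA",
}

# Matches the two common shapes of a Received: line:
#   qmail:    from unknown (HELO claimed.name) by receiver ...
#   sendmail: from claimed.name (reverse.dns [1.2.3.4]) by receiver (version) ...
HOP_RE = re.compile(
    r"^from\s+(?P<first>\S+)"
    r"(?:\s+\((?:(?P<kw>HELO)\s+)?(?P<pname>[^\s\[\]()]+)?\s*(?:\[(?P<ip>[^\]]+)\])?\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:\s+\((?P<software>[^)]*)\))?",
    re.I,
)


def parse_hop(value):
    """Return a dict for one Received: value, or None if it is not a from/by hop."""
    m = HOP_RE.match(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    if m.group("kw"):   # qmail style: first token is rDNS, HELO name in parens
        helo, rdns = m.group("pname"), m.group("first")
    else:               # sendmail style: first token is HELO name, rDNS in parens
        helo, rdns = m.group("first"), m.group("pname") or "unknown"
    return {"helo": helo or "", "rdns": rdns, "ip": m.group("ip"),
            "by": m.group("by"), "software": m.group("software")}


def registered_domain(host):
    """Crude 'last two labels' owner domain: mx5.smf.ebay.com -> ebay.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw_message, expected_domain):
    """Return (hops, findings); findings are reasons the path does not look
    like mail from expected_domain. Hops are listed outermost first."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    findings = []
    for n, hop in enumerate(hops, 1):
        if hop["ip"] == "127.0.0.1" or hop["helo"].lower() == "localhost":
            findings.append(f"hop {n}: injected locally on {hop['by']} "
                            f"(from {hop['helo']} [{hop['ip']}]), not relayed from another server")
            continue
        if registered_domain(hop["helo"]) != expected_domain:
            findings.append(f"hop {n}: sender announced itself as {hop['helo']} "
                            f"(rDNS {hop['rdns']}) to {hop['by']}; that is not {expected_domain}")
        owner = OWNER_OF_IP.get(hop["ip"])
        if owner and expected_domain.split(".")[0] not in owner.lower():
            findings.append(f"hop {n}: address {hop['ip']} belongs to {owner}")
    return hops, findings


# Constructed samples built from the headers quoted in the article.
SPOOF = """\
Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net)
  by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [127.0.0.1])
  by mail.almtal.net (8.11.6/8.8.7) with SMTP id h56LRD008495
  for <firstname.lastname@example.org>; Fri, 6 Jun 2003 23:27:16 +0200
Subject: ebaY Contest

"""

GENUINE = """\
Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com)
  by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [126.96.36.199])
  by mx5.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h59AMQG9000488
  for <email@example.com>; Mon, 9 Jun 2003 03:22:26 -0700
Received: from rhv-kas-03.corp.ebay.com (rhv-kas-03.corp.ebay.com [184.108.40.206])
  by miami.smf.ebay.com (8.11.6+Sun/8.11.6) with SMTP id h59AMfZ10198
  for <firstname.lastname@example.org>; Mon, 9 Jun 2003 03:22:41 -0700 (PDT)
From: eBay United Kingdom Customer Support <firstname.lastname@example.org>
Subject: Re: (KMM72404455V54089L0KM)

"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("genuine", GENUINE)):
        hops, findings = analyze(raw, "ebay.com")
        print(f"{label}: {len(hops)} hops, {len(findings)} findings")
        for f in findings:
            print("  -", f)
```

The hop list is walked outermost first, i.e. starting with the line your own server added, because that is the only line you know was not written by the sender; the script still parses the inner lines so that a loopback injection or a mismatched software banner can be reported, but treat anything it says about them as the sender's claim, not evidence.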
This is a simple comparison of an actual spoof email received and a genuine
eBay email received; the problem can be more intricate, though, and you
should also read this document - Identity Theft Part 3.