
How to Analyze Full Email Headers to Identify Phishing Scams

by Inka Luoma last modified Oct 23, 2015 05:52 PM

In the document Is This a Phishing Email? we examine two examples of a phishing scam and describe the red flags raised before one even looks at the full email headers to identify the actual sender of an email.

In this document we show the full email headers that underlie this phishing scam (they follow below, after the image):
[Image: verifyScam.jpg]

In the full email headers, the first thing to look at is the Return-Path. Notice that the sender of the phish is adminn@kellin.net. It is not an OlympusNet email address. At the bottom of the headers, the X-Authenticated-User line identifies the authenticated user as thebrokers@kellin.net. Unless that address is familiar to you, you have the final proof to discard this email as a scam.

See How to Display Full Email Headers in your email application, or using Webmail.

Return-Path: srs0+/s6++76+olympus.net=adminn@kellin.net
Delivered-To: someone@olympus.net
X-FDA: 70754798268.08.skate44_709b2045baf3a
Authentication-Results: auth.b.hostedemail.com; dkim=none
    reason="no signature"; dkim-adsp=unknown (insecure policy);
    dkim-atps=neutral
X-Spam-Summary: 50,0,0,61b1a28ea00306f6,d41d8cd98f00b204,srs0+/s6++76+olympus.net=adminn@kellin.net,:,RULES_HIT:41:72:355:379:800:901:960:962:967:973:983:988:989:1189:1208:1212:1221:1260:1263:1313:1314:1345:1381:1431:1436:1437:1516:1517:1518:1534:1541:1560:1575:1588:1589:1593:1594:1711:1714:1730:1749:1777:1792:1801:2068:2069:2525:2566:2682:2685:2828:2859:2890:2902:2915:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3867:3873:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4042:4321:4362:4552:4605:4659:5007:6261:6678:7266:8518:8599:8603:9025:9040:9080:9149:9388:9855:10004:10049:10400:11473:11658:11854:11914:12043:12438:12555:12679:12740:13132:13231:14093:21080,0,RBL:neutral,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0
X-HE-Tag: skate44_709b2045baf3a
X-Filterd-Recvd-Size: 3362
Received: from kellin.net (mail.kellin.net [198.57.0.229])
    by imf13.b.hostedemail.com (Postfix) with ESMTP
    for <someone@olympus.net>; Sun, 18 Oct 2015 10:06:13 +0000 (UTC)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=37.235.49.70;
From: "Olympus Verification Centre" <adminn@olympus.net>
Subject: Verify Your Olympus Email Account !!
To: someone@olympus.net
Content-Type: multipart/alternative; charset="ISO-8859-1"; boundary="qxarv76Gk6AEZssL8VD9mAjpexnfDR=_MX0"
MIME-Version: 1.0
Reply-To: cdpt@rocketmail.com
Date: Sun, 18 Oct 2015 11:06:08 +0100
Message-ID: <29201673640178@smtp.kellin.net>
X-Authenticated-User: thebrokers@kellin.net
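
The comparison described above can be automated. The following is an added example, not part of the original article or any OlympusNet tool: it parses a subset of the headers shown on this page and reports every sender-related header whose domain differs from the From domain. It goes slightly beyond the text by also checking Reply-To; the function and constant names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers shown on this page (Received hops and filter tags omitted).
SAMPLE = """\
Return-Path: srs0+/s6++76+olympus.net=adminn@kellin.net
Delivered-To: someone@olympus.net
From: "Olympus Verification Centre" <adminn@olympus.net>
Subject: Verify Your Olympus Email Account !!
To: someone@olympus.net
Reply-To: cdpt@rocketmail.com
Message-ID: <29201673640178@smtp.kellin.net>
X-Authenticated-User: thebrokers@kellin.net

"""

# Headers that reveal who really sent the message or where replies will go.
SENDER_HEADERS = ("Return-Path", "Reply-To", "X-Authenticated-User")


def domain_of(value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def header_red_flags(raw_headers):
    """Return (header, domain) pairs whose domain differs from the From domain."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg["From"])
    flags = []
    for name in SENDER_HEADERS:
        domain = domain_of(msg[name])
        # A missing header is not a flag; a present one must match From.
        if domain and domain != from_domain:
            flags.append((name, domain))
    return flags


if __name__ == "__main__":
    for name, domain in header_red_flags(SAMPLE):
        print(f"{name}: {domain} does not match the From domain")
```

Legitimate bulk senders and mailing lists can also use a Return-Path domain that differs from From, so treat a mismatch as a prompt to look closer at the message, as the article does, rather than as a verdict by itself.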