How to tell from email header if sender address is legitimate

3

I received an email from Desk-017c@larsentoubro.com claiming that I have got an interview for Assistant Manager (exact words were: "Result of your application for the position of assistant manager. I would like to invite you to attend an interview."). It came with a PDF file attached.

I know that it was fake because it asked me to submit money before the interview.

The email header is shown below. How can I tell from this header where the email really came from and whether it is spam?

Delivered-To: sinharahul58@gmail.com
Received: by 10.107.155.193 with SMTP id d184csp3229700ioe;
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
X-Received: by 10.70.90.133 with SMTP id bw5mr80267365pdb.85.1435150556549;
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Return-Path: <info@lntinfotech.biz>
Received: from sg2plwbeout19-1.prod.sin2.secureserver.net (sg2plwbeout19-1.prod.sin2.secureserver.net. [182.50.144.34])
        by mx.google.com with ESMTPS id da5si39769286pbc.20.2015.06.24.05.55.55
        for <sinharahul58@gmail.com>
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Received-SPF: neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of info@lntinfotech.biz) client-ip=182.50.144.34;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of info@lntinfotech.biz) smtp.mail=info@lntinfotech.biz
Received: from localhost ([182.50.144.112])
    by sg2plwbeout19-1.prod.sin2.secureserver.net with bizsmtp
    id kCvv1q0092Rj2se01Cvv9l; Wed, 24 Jun 2015 05:55:55 -0700
X-SID: kCvv1q0092Rj2se01
Received: (qmail 41764 invoked by uid 99); 24 Jun 2015 12:55:55 -0000
Content-Type: multipart/mixed;
    boundary="=_b169b0435b8622296c62a715d3e6f635"
X-Originating-IP: 106.219.63.197
User-Agent: Workspace Webmail 5.14.3
Message-Id: <20150624055553.5ceda2619095e240c253dad68c059c9c.541a6e07e4.wbe@email19.asia.secureserver.net>
From: "Larsen & Toubro Ltd \(India\)" <Desk-017c@larsentoubro.com>
X-Sender: info@lntinfotech.biz
Reply-To: "Larsen & Toubro Ltd \(India\)" <info@lntinfotech.biz>
To:
Subject: Result
Date: Wed, 24 Jun 2015 05:55:53 -0700
Mime-Version: 1.0
--=_b169b0435b8622296c62a715d3e6f635
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

I know it is spam, but I want to understand what part of the header signifies that it is spam.

Rahul Sinha

Posted 2015-06-24T17:28:54.527

Reputation: 33

1

See X-Sender: info@lntinfotech.biz & From: "Larsen & Toubro Ltd (India)" Desk-017c@larsentoubro.com

– Ganesh R. – 2015-06-24T17:35:27.600

Also avoid opening attachments from such mails – Ganesh R. – 2015-06-24T17:35:49.090

@GaneshR. - Put this as an answer so you get reputation for it and the poster can mark it as an answer. – kazoni – 2015-06-24T17:39:03.453

1

Hi Rahul Sinha. I removed the link to the PDF attachment because we do not know whether it is malicious, and having the link potentially puts unsuspecting users of our site at risk. While it's good that you included what you felt was all relevant information, I see no need for the attachment to be included to answer your question. – a CVn – 2015-06-24T18:22:25.633

I also realized that it is not relevant to the question. Thanks. – Rahul Sinha – 2015-06-24T18:25:17.567

Answers

4

How can I tell from an email's headers if the sender address is legitimate?

Many of these email headers can be (and usually are) forged by spammers when they send their spam.

  • "From:" address
  • Some "Received:" headers can also be forged.

SMTP message spoofing shows just how easily this can be done using an open (unsecured) relay mail server.


How can I analyze the email headers?

There are many tools to analyze email headers, some of which can show if any of the IP addresses in the chain are on spam blacklists.

These tools can also tell if any of the "Received:" headers in the chain are forged.


MxToolbox Email Header Analyzer

One such tool is MxToolbox Email Header Analyzer.

Feeding your email headers into this tool produces the following output:


Clicking the blacklist button shows that the IP address 182.50.144.34 (which is where Google received the email from) is on 3 email blacklists.



Further reading

DavidPostill

Posted 2015-06-24T17:28:54.527

Reputation: 118 938

Is there a way which shows the fault by directly looking at the email header? – Rahul Sinha – 2015-06-24T18:13:14.817

Great, I understand that the real sender's IP address is the address that is received by Gmail (mx.google.com), not the one which shows as the From's IP address. – Rahul Sinha – 2015-06-24T18:16:40.697

2

Not without a lot of experience. That's why people have written the automated tools to do the analysis. – DavidPostill – 2015-06-24T18:17:00.033

1

The "From" header is the one most often forged by spammers. Here is a nice little introductory tutorial: Tutorial - Mail Header Analysis for Spoof Protection

– DavidPostill – 2015-06-24T18:20:01.447
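The checks the answer and the comments describe (compare the visible From: domain against the other sender headers, read the SPF verdict the receiving server recorded, and walk the Received: chain to find the IP that actually handed the mail to the recipient's own mail server) can be done mechanically. The script below is an added example, not code from the page or from the answerer; it uses only the Python 3 standard library, embeds the headers from the question as constructed sample input, and assumes that "google.com" is the suffix of the recipient's trusted MX host (the only Received: lines you can rely on are the ones written by servers you trust, so earlier hops are treated as claims, not facts).

```python
import json
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant headers copied from the question above.
SAMPLE_HEADERS = r"""Delivered-To: sinharahul58@gmail.com
Received: by 10.107.155.193 with SMTP id d184csp3229700ioe;
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Return-Path: <info@lntinfotech.biz>
Received: from sg2plwbeout19-1.prod.sin2.secureserver.net (sg2plwbeout19-1.prod.sin2.secureserver.net. [182.50.144.34])
        by mx.google.com with ESMTPS id da5si39769286pbc.20.2015.06.24.05.55.55
        for <sinharahul58@gmail.com>
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of info@lntinfotech.biz) smtp.mail=info@lntinfotech.biz
Received: from localhost ([182.50.144.112])
    by sg2plwbeout19-1.prod.sin2.secureserver.net with bizsmtp
    id kCvv1q0092Rj2se01Cvv9l; Wed, 24 Jun 2015 05:55:55 -0700
Received: (qmail 41764 invoked by uid 99); 24 Jun 2015 12:55:55 -0000
X-Originating-IP: 106.219.63.197
From: "Larsen & Toubro Ltd \(India\)" <Desk-017c@larsentoubro.com>
X-Sender: info@lntinfotech.biz
Reply-To: "Larsen & Toubro Ltd \(India\)" <info@lntinfotech.biz>
Subject: Result

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+)\s+(?:\(([^)]*)\)\s+)?by\s+(\S+)", re.IGNORECASE)
SPF_RE = re.compile(r"\bspf=(\w+)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain part of an address header, or None if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def from_mismatches(msg):
    """Sender headers whose domain differs from the visible From: domain."""
    visible = domain_of(msg.get("From"))
    return sorted(name for name in ("Return-Path", "Reply-To", "X-Sender")
                  if domain_of(msg.get(name)) not in (None, visible))


def received_chain(msg):
    """Received: hops as (claimed_from_host, connecting_ip, receiving_host), oldest first.

    Each relay prepends its own header, so the top one is the newest.  Only the
    hops written by servers you trust carry a connecting IP you can believe.
    """
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())           # unfold continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue                           # "Received: by ..." or qmail-style lines
        ip = IP_RE.search(m.group(2) or "")
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return list(reversed(hops))


def handoff_ip(msg, trusted_mx_suffix):
    """IP that delivered the mail to the recipient's own MX: the last hop you can trust."""
    for _claimed, ip, by in received_chain(msg):
        if ip and by.lower().endswith(trusted_mx_suffix.lower()):
            return ip
    return None


def spf_result(msg):
    """SPF verdict the receiving MX recorded in Authentication-Results, if any."""
    m = SPF_RE.search(msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else None


def assess(raw_message, trusted_mx_suffix):
    """Summarise the header evidence a recipient can check by hand."""
    msg = message_from_string(raw_message)
    findings = []
    mismatches = from_mismatches(msg)
    if mismatches:
        findings.append("From: domain differs from " + ", ".join(mismatches))
    spf = spf_result(msg)
    if spf != "pass":
        findings.append(f"SPF result is {spf!r}, not 'pass'")
    return {
        "from_domain": domain_of(msg.get("From")),
        "envelope_domain": domain_of(msg.get("Return-Path")),
        "chain": received_chain(msg),
        "handoff_ip": handoff_ip(msg, trusted_mx_suffix),
        "spf": spf,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_HEADERS, "google.com"), indent=2))
```

On the sample headers this reports that the From: domain (larsentoubro.com) disagrees with Return-Path, Reply-To and X-Sender (all lntinfotech.biz), that SPF was only "neutral", and that the host which handed the mail to mx.google.com was 182.50.144.34, which is the address the answer then looks up on the blacklists. The "localhost" hop and the X-Originating-IP header come from the sending side and are not verified by anyone you trust, so the script reports them only as claims in the chain.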