Is this email genuine?

How do you check the origin of an email?

By Rainer Wichmann rainer@nullla-samhna.de    (last update: Jan 09, 2017)

Probably everyone has, at some time, received an email purportedly originating from his or her bank, from a well known business company, or from a good friend, which was a fraud rather than genuine. Usually these are mass mailings aimed at (e.g.) taking control of your computer to use it for criminal purposes, extorting money from you (by encrypting your data and demanding a ransom for the decryption key), or gathering information to access your banking accounts.

Sometimes such fake emails also represent targeted attacks, e.g. to get access to the network of a company by targeting its employees. As a result, every now and then you may ask yourself "is this email genuine?" when you look at your inbox. And even if it is genuine, it may not always be wise to trust it.

Basic security considerations

  • Don't trust your name: Paypal (and maybe others) makes it a point that they will always address you with your real name in their emails. The idea is that criminals who somehow got your email address probably won't know your full real name. This idea is profoundly broken! In fact, quite unsurprisingly, address books or address databases usually contain your name as well as your email address, so whoever gets hold of them has your name.
  • Don't trust your friends blindly: even if that email full of links to "funny sites" really is from your friend, it may well be that (s)he is a gullible person, has fallen into a trap, and unwittingly spreads links to malicious websites.
  • Develop safe habits:
    • Links: when you find that an email contains clickable links, don't use them. If the email purports to come from your bank and you think it might be genuine and warrants your attention, then use your own bookmarks to log in to your bank (you have bookmarked the website of your bank, right?).
    • Attachments: don't open attachments unless you know the sender, you expect the attachments, and they are in the expected format. E.g., friends on vacation may send you pictures (GIF, JPG, or PNG format). Business companies may send you invoices for purchases (PDF format), or co-workers may send you documents in some MS Office format (DOC/XLS/PPT). If in doubt, ask the sender.
    • Security updates: keep your system up to date. Malicious software often uses known vulnerabilities for which patches are available, except that many users are too lazy to install them...

How can I know whether an email is genuine?

Digital Signatures

A digital signature (which should not be confused with a scanned hand-written signature) is a cryptographic token that authenticates the sender of a message. Standard email readers will verify the signature and inform you of the result. In Outlook, you will see a status line (see this MS support article). In Thunderbird, a signature is indicated with an icon that you need to click to see the relevant details, such as the name of the signer.

Important: you still have to check whether the signer is identical to the sender given in the From: header line.

Unfortunately, digital signatures are not in widespread use, probably because many businesses shy away from the effort to implement them, or because they don't expect the average consumer to understand them.

The "Received:" headers

On the way from the sender to the recipient, an email passes one or more mail servers. Each of those will add one Received: header, usually using the format:

Received: from name and IP address of sending server
	by name of receiving server with internal details
	for <recipient address>; timestamp

Thus, if you change the message display to show all headers, you can inspect the chain of Received: headers to find the origin of a message.

  • Outlook 2016, 2013, or 2010: open the message, then: File -> Info -> Properties -> Internet Headers
  • Outlook 2007: open the message, then: Message -> Options -> Dialog Box Launcher -> Message Options -> Internet Headers
  • Thunderbird: Menu button (upper right) -> View -> Headers -> All; then open the message

The following is an example of a genuine message from Paypal (note that it originates from the paypal.com domain):

Received: from mx0.slc.paypal.com (mx1.slc.paypal.com [173.0.84.226])
	by aaa.bbb.cc (Postfix) with ESMTP id 9A5BEE192F
	for ; Thu, 29 Dec 2016 11:36:40 +0100 (CET)

By contrast, this email, which purportedly was sent by service@paypal.com, quite obviously comes from a very different place:

Received: from mailgate.filshill.co.uk (mailgate.filshill.co.uk [217.36.81.169])
	by aaa.bbb.cc (Postfix) with ESMTP id D4534E1A57
	for ; Thu, 11 Jun 2015 00:51:49 +0200 (CEST)
Received: from hosted-by.blazingfast.io ([185.11.146.230])
	by mailgate.filshill.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
	Wed, 10 Jun 2015 23:39:15 +0100

This is another example of a fake Paypal email. Note that it originates from a nameless computer (most likely a hijacked home PC connected via DSL), and doesn't pass through any server in the paypal.com domain:

Received: from webserver4.srv.vs4you.de (webserver4.srv.vs4you.de [5.104.108.15])
	by aaa.bbb.cc (Postfix) with ESMTP id 8F1FBE19E7
	for ; Thu, 26 Nov 2015 11:26:43 +0100 (CET)
Received: from [185.61.151.68] (unknown [185.61.151.68])
	by webserver4.srv.vs4you.de (Postfix) with ESMTPA id EA704813BD4FB
	for ; Thu, 26 Nov 2015 11:17:11 +0100 (CET)

Note: it is of course possible for the sender to fake a "Received:" header. However, the sender cannot do anything about the headers inserted later by the mail servers on the way to the recipient, so the topmost headers (those added by your own mail provider) are the ones to trust. In practice, malicious senders don't seem to bother anyway, probably because they don't expect the average recipient to have a look.
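The manual inspection described above (read the Received: chain bottom-up, find the host that handed the message to your own server, and compare it with the domain claimed in the From: line) can be automated. The script below is an added example written for this page, not code from the author; it uses only the Python standard library. It embeds the genuine and the first fake Paypal header chains quoted above as constructed samples, with a placeholder recipient and From: line (the page elides both), and assumes the name of your own mail server is known (aaa.bbb.cc here) so that only the hops recorded by that server are treated as trustworthy.

```python
"""Parse the Received: chain of an email and check whether the domain
claimed in From: actually appears among the hosts that relayed it.
Added example (not from the original page); standard library only."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: the header chains quoted on the page, plus a
# placeholder recipient and a From: line matching the claimed sender.
SAMPLE_GENUINE = """\
From: PayPal <service@paypal.com>
Received: from mx0.slc.paypal.com (mx1.slc.paypal.com [173.0.84.226])
\tby aaa.bbb.cc (Postfix) with ESMTP id 9A5BEE192F
\tfor <recipient@example.invalid>; Thu, 29 Dec 2016 11:36:40 +0100 (CET)
Subject: sample

body
"""

SAMPLE_FAKE = """\
From: PayPal <service@paypal.com>
Received: from mailgate.filshill.co.uk (mailgate.filshill.co.uk [217.36.81.169])
\tby aaa.bbb.cc (Postfix) with ESMTP id D4534E1A57
\tfor <recipient@example.invalid>; Thu, 11 Jun 2015 00:51:49 +0200 (CEST)
Received: from hosted-by.blazingfast.io ([185.11.146.230])
\tby mailgate.filshill.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
\tWed, 10 Jun 2015 23:39:15 +0100
Subject: sample

body
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiving server> ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the sending host announced (self-declared)
    r"(?:\s*\((?P<rdns>[^)]*)\))?"   # reverse DNS / IP as seen by the receiver
    r".*?\bby\s+(?P<by>\S+)",        # the server that wrote this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def _rdns_name(text):
    """First token of the parenthesised part, unless it is only an [ip]."""
    tokens = (text or "").split()
    return "" if not tokens or tokens[0].startswith("[") else tokens[0]


def parse_received(raw_message):
    """Return the hops in transit order (first relay first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:  # e.g. local submission without a "from" clause
            continue
        ip = IP_RE.search(m.group("rdns") or m.group("helo"))
        hops.append({
            "helo": m.group("helo"),
            "rdns": _rdns_name(m.group("rdns")),
            "ip": ip.group(1) if ip else "",
            "by": m.group("by"),
        })
    hops.reverse()  # each server prepends its header, so the last one is the first hop
    return hops


def assess(raw_message, own_server):
    """Compare the claimed From: domain with the hosts in the Received: chain."""
    msg = message_from_string(raw_message)
    claimed_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()

    def in_domain(name):
        name = name.lower()
        return bool(name) and (name == claimed_domain or name.endswith("." + claimed_domain))

    hops = parse_received(raw_message)
    # Only headers written by our own server cannot have been forged by the sender.
    trusted = [h for h in hops if h["by"].lower() == own_server.lower()]
    return {
        "claimed_domain": claimed_domain,
        "hops": hops,
        "trusted_hop_in_claimed_domain": any(in_domain(h["rdns"]) for h in trusted),
        "any_hop_in_claimed_domain": any(in_domain(h["rdns"]) for h in hops),
    }


if __name__ == "__main__":
    for label, sample in (("genuine", SAMPLE_GENUINE), ("fake", SAMPLE_FAKE)):
        result = assess(sample, "aaa.bbb.cc")
        print(label, "claims", result["claimed_domain"])
        for hop in result["hops"]:
            print("   ", hop["ip"] or "?", hop["rdns"] or "(no reverse DNS)", "->", hop["by"])
        print("    handed to our server by claimed domain:",
              result["trusted_hop_in_claimed_domain"])
```

Only the reverse-DNS name in parentheses is used for the comparison, because the HELO name before it is whatever the sending host chose to announce. The script deliberately ignores matches in hops that your own server did not record, since the sender could have fabricated those lines; a genuine message therefore shows a trusted hop inside the claimed domain, while the fake one is handed over by mailgate.filshill.co.uk.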

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Germany License.