All Posts Tagged With: "phishing"

How To View The Source Of An Email (Spam/Phishing Prevention)

Knowing how to check the source, as in the raw "code," of an email is important because there will be times when you need to do it. Why? To check the authenticity of an email. Spam and phishing emails are getting trickier to identify all the time, and your best weapon against this is knowing how to check the source of an email.

Unfortunately, the process of getting the source of an email differs by provider and mail client, so here’s a quick cheat sheet on how to do it:

Hotmail

1. Right-click the email you want to view the source of.

2. Left-click View Message Source.


Important note: This can only be done when your emails are shown as a list. If you double-click to open an email so that the message list is no longer shown, there isn’t a way to view the message source from there. You must right-click specifically on the email in list view (regardless of whether the reading pane is on or off).

Yahoo! Mail

There are two ways in Y! Mail to view the source.

1. While in list view, right-click the email you want to view the source of.

2. Left-click View full headers. It will be last in the list.


or..

Whether reading a message or having it highlighted in list view, click the Actions button then Full Header.


Yahoo! Mail Classic

1. Open the email you want to view the source of.

2. Scroll all the way to the bottom and look for the tiny text on the extreme right that says Full Headers and click it.


Gmail

1. Open the email you want to view the source of.

2. Click the small down arrow on the right to drop down a menu.

3. Select Show original.


Windows Live Mail or Microsoft Outlook Express 6

The super-annoying long way

(This is not the way you want to do it because it takes too many steps. See super-easy way below this.)

1. Right-click the email you want to view the source of.

2. Select Properties.

3. From the window that opens up, select the Details tab.

4. In that same window, click the Message Source button.

The super-easy way

1. Highlight or open the email you want to view the source of.

2. Press CTRL+F3

The F3 method is a completely undocumented feature, both in OE 6 and WL Mail. But trust me, it’s there. Try it for yourself.

Mozilla Thunderbird

1. Highlight any email in the message list or open an email.

2. Click View then Message Source.


or..

1. Highlight any email in the message list or open an email.

2. Press CTRL+U

Incidentally, this is the exact same keystroke used to view web page HTML source in the Mozilla Firefox web browser.

What headers should you check in the source?

Okay, so you know how to view the source of an email, but what do you look for?

The easiest thing to check is the Received: header. This will tell you up front where the email came from originally. The part that’s most important is the very end of the line where the dot-com/net/org is.

[Image: example Received: header from an email sent from a Gmail address]

This email came from google.com (it was a Gmail address), so I know this email is safe. What’s before the google.com doesn’t matter much as it’s the tail that counts. Spam and phishing attempts will try to fool you into thinking the mail was delivered from a trusted domain by inserting said domain in the middle. For example, a spam/phish would show as google.com.some.bad.site.ru or something similar. The google.com is in there, but not at the tail. That’s bad and it’s a spam/phish attempt.

Keep an eye on the tail side of a Received: header and you’ll easily be able to identify true trusted domains from spam and phishing attempts.

Test Your Ability To Detect Scam/Phishing Emails

As you are probably well aware, phishing scams are everywhere. I believe these are by far the most dangerous “computer” threat out there as their sole purpose is to steal important info (i.e. bank logins). While security programs attempt to detect these, I am extremely skeptical about relying on these programs (as you may know, I don’t believe in anti-virus/internet security suites) as the best protection is education.

On that note here is a good test to help determine how good you are at distinguishing real emails from fake ones. Some questions are easier than others, so if you end up missing a few be sure to review the information on why.

Additionally, for those interested, I have written an article on this site which really gets down to the nuts and bolts of some fake emails in an eBay scam I was the target of.

Hotmail suffers from phishing attack

If you haven’t heard, everybody (like here, here and here in addition to a ton of other places) is talking about how a Hotmail phishing attack happened and somewhere in the neighborhood of 20,000+ account passwords were leaked.

Use Hotmail and think your account is compromised? Well, if you happen to be a European user and your account name started with an A or B, probably. You’ll know if you attempt to log in and can’t. It should be noted Microsoft responded to this immediately and is in the process of restoring accounts.

What caused this fracas to occur in the first place? As the title of this article indicates, phishing. This means a ton of people were fooled into simply giving over their account information. Where did the phishing occur? Social media. It was not an internal Microsoft system fault.

You could simply blame the account leaks on dumb internet users, but the difference today compared to yesteryear is that we now have web sites that routinely require our permission to interconnect.

For example, if you have a Flickr account and use another web service that accesses it, what happens on first use is that you must grant permission for the other site to use it. After you authorize it, the secondary web site can access the original Flickr account.

This is not a bad thing, but what is bad is that we see these authorization notices often, and many just consider them normal and something you should simply accept. Add to this that in social media these authorization requests all roughly look the same, and you can see where this can pose a problem.

With that said:

  • If there is any email that asks you for your email account information, don’t do it.
  • If when using social media (such as Facebook, MySpace or otherwise) it asks you for your email account information, don’t do it.
  • Only check your mail within the mail system itself and not via any third-party source.

Job Hunting? Beware Of Phishers

In the news recently, there was mention of a city in Montana requiring not only information on your social media accounts, but your user name and passwords as well. It goes without saying, this is a huge concern for applicants’ privacy.

On a related note, phishers and scammers are taking advantage of job applicants as well by setting up phony companies in order to gather personal information. This is an article definitely worth looking at if you are applying for a job primarily via electronic communication.

Job seekers who posted their resumes on Monster, Career Builder and Yahoo received e-mails from either USA Voice or Instant Human Resources, telling them that based on their resumes they qualified for a promising sounding position. Those who didn’t smell a scam right away filled out online applications, in the process disclosing personal information.

Just be careful who you give your personal information to. Whenever there is opportunity, you can bet scammers are looking to take advantage of people.

Fake Network Solutions Email Phishing Scam

I have noticed a few suspicious emails recently and people have forwarded me copies of an email appearing to come from Network Solutions Tech Support. This email is fake (here is the notice from Network Solutions).

The only reason I am posting this as a tip is because several people have forwarded me this email telling me to make sure our domain information gets updated, so if they are believing it others probably are too.

One thing you will notice when you click on the link in the email is it takes you to a fake domain which ends with “.sys58.biz”. This is all you need to know to see it is a fake. The scammers simply mirrored the Network Solutions home page (ironically, it has the phishing scam warning on their page) and are redirecting your login information to their database, so they can log in as you and steal your domains by transferring them to themselves.

If you get this email, delete it.

For your reference, here is a copy of what the email looks like. I have seen several slight variations but they all link to the same page:

Subject: Inaccurate Whois Information / Your Domain Is In Transfer / Your Domain Is About To Expire

Dear Network Solutions® Customer,

On Fri, 31 Oct 2008 11:36:29 +0200 we received a third party complaint of invalid domain contact information in the Whois database for this domain Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.

Please note: ICANN (the Internet Corporation for Assigned Names and Numbers) regulations state that the WHOIS Administrative Contact may initiate and approve domain name registration transfers from your Network Solutions account to other Registrars. If you are not listed as the WHOIS Administrative Contact a transfer can occur without your knowledge if Domain Protect is not enabled for the domain name registrations listed above.

To change the WHOIS Administrative Contact Information for any of your domains, please login to Account Manager:

1. Log in to Account Manager at: http://www.networksolutions.com.  <- This links to a fake domain ending in “sys58.biz”
2. Click on the “Profile & Accounts” tab in the left navigation menu to be taken to a page listing your account details.
3. Click on “Accounts” and select the account you wish to edit.
4. Click “View/Edit WHOIS Contacts” to make your updates.

If you believe someone requested this change without your consent, please contact Customer Service.

If you would like to order additional services or to update your account, please visit us online.

Thank you for choosing Network Solutions. We are committed to providing you with the solutions, services, and support to help you succeed online.

Sincerely,
Network Solutions® Customer Support
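The giveaway in this email, a link whose visible text names one site while its href points to another, can be checked mechanically. The following is an added example, not part of the original post; the HTML sample is constructed, and `host-not-given` stands in for the part of the fake host name the post does not give.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means "not inside an <a> right now"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL; a bare 'www.example.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def mismatched_links(html_body):
    """(shown host, real host) for links whose text names a different host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown = text.rstrip(".")
        if "." not in shown or " " in shown:
            continue  # the visible text is a label, not a URL or host name
        shown_host, real_host = _host(shown), _host(href)
        if shown_host and real_host and shown_host != real_host:
            findings.append((shown_host, real_host))
    return findings


# Constructed HTML body modelled on step 1 of the email quoted above.
SAMPLE = (
    '<p>1. Log in to Account Manager at: '
    '<a href="http://host-not-given.sys58.biz/">'
    'http://www.networksolutions.com</a>.</p>'
    '<p>Please <a href="http://www.networksolutions.com/help">'
    'contact Customer Service</a>.</p>'
)

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE):
        print(f"text says {shown} but the link goes to {real}")
```
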

Online Security: Dissecting an eBay Scam

If you do any form of communication over the Internet, online frauds and scams are something you always have to be wary of. I have been fortunate enough to avoid such scams as I keep my email reasonably locked down, have a relatively good “BS detector” and am overall a tad bit on the cynical side (only slightly though!… maybe…). That said, I have never been an actual singled out target for a scammer until recently.

I thought it would be fun to do a writeup dissecting exactly how the scam worked (in both a real-world/average-user approach as well as in a technical sense) and also point out how, with a careful eye alone, you can spot a fake (or spoofed) email. Sit back and enjoy.

The Scam – A Real World Perspective

A couple of months ago I decided to post a couple of old laptops (one of which was advertised for parts only) I had lying around the house on eBay. I go through the usual motions of taking a picture, setting a price, etc. One of the stipulations I clearly put in my terms of sale was I would only ship to the United States. So the week of the auction goes by and my “for parts” laptop sells, but of course to someone in Nigeria.

[Image: email showing the item’s sale price and shipping fee]

The “buyer” (interpreted loosely in this case) in Nigeria sends me an eBay request for an invoice, to which I reply with an eBay message telling them:

I’m sorry, but as stated in my auction, I only ship to the United States.

Of course, the buyer sends me a few more messages as they must have been checking their email at the same time as me, one of which says (none of the emails are edited):

Have already transfer the moeny..so i have paid the sum of $100.00 for the shipment fof the item through USPS Global express mail…so i want you to get the item posted as sson as possible..

Now, from the email image above, my item sold for $56 with a $10 shipping fee, so the buyer was going to “pay” me $100 to ship a for parts only laptop to them overseas. I was scratching my head at this point and then I receive an email from eBay:

[Image: the email from eBay]

No sooner did I finish reading this than I received “another” email from “eBay” contradicting what the previous message said. I only had to read the first paragraph to tell this second email was a fake. I took a look at the email headers, which clearly proved this was a fraudulent email. I have highlighted everything in the email below which is evidence supporting that the email is garbage.

[Image: the second, fake “eBay” email with the evidence highlighted]

Reading the text is actually quite humorous as the text is so poorly written. Combine that with the fact of the reply-to address being an @instruction.com email.

It doesn’t stop there. About 45 minutes later I get a “payment confirmation” from “Paypal”. Not only had payment been made, but this generous individual “paid” a total of $300 for a $66 item. They must have really wanted the parts. Of course, the Paypal email was a fake in the same fashion as the eBay spoofs.

[Image: the fake “Paypal” payment confirmation email]

I will say this for the fake emails sent: at a quick glance they do appear legit. A respectable job was done in replicating the fine print at the bottom (not showing in the “Paypal” email). All the images (when shown) resemble their authentic counterparts and (most of the) links in the emails took you to the correct locations.

After I received the first fake eBay email telling me the item was reinstated “and you can go ahead with the transaction”, I did not send another email to the scammer. Here are all the emails they sent me after this, each getting a bit more threatening:

2 days later:

Payment made for your ebay item.

i have transfered the payment for your item and the money for your item as been deducted from my paypal account.and i have not head anything from you since then.so i want you to get the item shipped to my store’s address and send the shipment tracking number to paypal at their customer care link given to you in order for the money i transfered to be credited to your account.
get back to me as soon as possible so that we can dialog and complete this transaction.

1 day later (this one from “Paypal”):

PayPal Shipment Reminder for Transaction ID: 92S849286985130M

PayPal Postage Verification Center is using this message to remind you of the transaction between you and [fake name] about an eBay item paid for by the Buyer who also is our Client .We are yet to receive the shipment details of the transaction,the buyer has paid and your money is still in our Account Database ready to be credited into your account once we verify the shipment of the item.
The buyers shipping address has been confirmed by us:

[... address information ...]

This PayPal payment has been Confirmed and Approved by us,but due to that its International Transaction all we need from you is the shipment proof for the verification of your money.Once this as been received and verify by us,You will receive a CONFIRMATION E-MAIL from us informing you that the money transfered to your account as been credited.

1 day later:

Why can’t you just reply !!!!!!!!!!!

I have transfred the payment for your ebay item and the money for the item as been deducted from my account.and i receive a mail from paypal informing me that to protect bot parties that you need to send to the the shipment deatils for the item so that thye can creditmthe money to your acount so i want you to get the item shipped and get back to paypal at thier customer care link given to you….
N:B :
I want you to get back to me or else i will report….!!!!

3 days later:

Confirmation of payment…get item shipped!!!!!!!!!!

i have Already contacted pay pal on your behalf about your fund and the explain that they are taking new procedure for international transaction in order to secure but buyer and seller against fraud and they just introduce the new system for international transaction only and your have been deducted from my account already and i await you to complete the transaction.I hope you would have been contacted by pay pal now for confirmation of payment.
thank you and pls reply if you have any question

3 hours later (this one from “Paypal”):

*** Message From PayPal Postage Verification Department ***

Dear Customer,
PayPal is using this time to remind you about the transaction between you and [fake name]. The money transfered to your paypal account by [fake name] for your ebay item as been deducted from her account and its here in our Data Base side for security purpose. so we want you to get the item shipped to the buyers address and get back to us for verification of your money to your account once we have the shipment details for the items from you, your money will get credited to your paypal account immediately. Now get this done as soon as possible and get back to us with the shipment details so that your money been PENDING days ago can be release and credited to your paypal acount.

Thanks for contacting us.
We hope to serve you better till Future.

After the last reminder from “Paypal” I didn’t hear anything else. The timing was such that they waited a week with no response from me before giving up and moving on. This having been the first scam I was singled out on and looking at it from an average user’s perspective, I can understand how someone would fall for this scam. In general the emails are convincing enough (although the scammers spending 30 seconds to spell check and proofread their emails would make them more convincing) to lure in someone who is relatively new to eBay or somewhat naive/trusting. It is a real shame these are the ones who get taken advantage of.

The Anatomy – Breaking Down The Scam Technically

In this section, I am going to do a quick breakdown of some of the technical elements which definitely prove the emails are fake. You do not have to be a “geek” to follow as I will explain in plain English.

Since the scammer sent me several fraudulent emails, they must have gotten my email somewhere. My eBay user name is not my email address and I have nothing in my eBay profile to indicate my email. So the first place I started looking was in the emails eBay sent to me and, indeed, they got it on the invoice request email.

[Image: the eBay invoice request email, with the scammer’s carbon-copied address blurred out]

As you can see, the email was sent to me but additionally to the scammer via the carbon copy (the scammer’s email is blurred out). I can only guess when the scammer was sending the email through the eBay system, they selected the option to have a copy of the email sent to them. If this is the case, I cannot believe eBay would be so careless as to let this happen as they are adamant about warning you to only send and respond to messages using the eBay system. Supplying such a simple vehicle for unscrupulous people to subvert this safety measure is a big time failure on eBay’s part. Again, I stress the emphasized “if this is the case” above.

So once they had my email address, the barrage of spoofed emails ensued. From here, producing their cleverly replicated eBay and Paypal emails was, probably, just a matter of copying and pasting a template email where the scammers reproduced a legit email, modified the text and “filled in the blanks” with my information. In the case of this scam, the email format was replicated reasonably well, but the wording of their text was so poor you could recognize the email as a fake right away.

Suppose the scammers did take a few minutes to actually read their email before sending it and the result was an email which is the spitting image of a legit message with flawlessly worded text. How do you recognize it then? You have to use the full email headers to find out where the message originated. To demonstrate the dissection of the headers, take a look at the image below where I have headers from a legit email sent from eBay on top of the headers from a fake email.

[Image: headers from a legit eBay email on top of the headers from a fake email]

When you take a look at the information indicating where the email was sent from (look at the “Received:” values above), you can immediately see the domain names for valid emails end with “ebay.com” where the fake ones end with “yahoo.com”. Why would eBay send messages from Yahoo’s servers? They wouldn’t. The scammer was clearly using Yahoo Mail to send their fake emails.

Doing simple things like changing the ‘friendly name’ in their Yahoo Mail preferences to something like “service@ebay.com” or “notification@paypal.com” in place of where you would usually put your actual name, and changing the ‘send replies to’ setting to an equally crafty email address, can make an email appear to be legit when only quickly glanced at.
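The header checks from this section and from the earlier "What headers should you check in the source?" post, as an added example that is not the original author's code: it reads the tail of each Received: host and compares the friendly name and reply-to address with the real sender. Both sample messages are constructed, and the function names are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Common Received: layout: "from <HELO name> (<reverse-DNS name> [ip]) by ...".
# Each server prepends its own line, so the topmost ones come from your own
# provider; lines further down can be written by whoever sent the message.
_FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)\s]+))?", re.IGNORECASE)


def classify_host(host, trusted):
    """'match' if host is the trusted domain or a subdomain of it,
    'lookalike' if the trusted name appears but not at the tail,
    'other' if the trusted name does not appear at all."""
    host, trusted = host.lower().rstrip("."), trusted.lower()
    if host == trusted or host.endswith("." + trusted):
        return "match"
    return "lookalike" if trusted in host else "other"


def received_hosts(msg):
    """Distinct host names from the Received: lines, most recent hop first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = _FROM_RE.match(" ".join(value.split()))  # unfold, then parse
        for name in (m.groups() if m else ()):
            name = (name or "").rstrip(".")
            # Bare IP literals such as [192.0.2.1] are skipped.
            if name and not name.startswith("[") and name not in hosts:
                hosts.append(name)
    return hosts


def _domain(address):
    return address.rpartition("@")[2].strip("\"'<> ").lower()


def triage(raw_source, trusted):
    """Findings for one raw message, checked against the domain it claims."""
    msg = message_from_string(raw_source)
    findings = [("received", h, classify_host(h, trusted))
                for h in received_hosts(msg)]
    name, addr = parseaddr(msg.get("From", ""))
    if "@" in name and _domain(name) != _domain(addr):
        findings.append(("friendly-name", _domain(name), _domain(addr)))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(("reply-to", _domain(reply_to), _domain(addr)))
    return findings


# Constructed samples; host names, addresses and IPs are placeholders.
LOOKALIKE = """\
Received: from google.com.some.bad.site.ru (google.com.some.bad.site.ru [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456; Mon, 01 Jan 2024 10:00:00 +0000
From: Friend <friend@gmail.com>
Subject: hello

body
"""

FAKE_EBAY = """\
Received: from web1.mail.yahoo.com (web1.mail.yahoo.com [192.0.2.25])
\tby mx.recipient.example with ESMTP id abc123; Mon, 01 Jan 2024 11:00:00 +0000
From: "service@ebay.com" <someone@yahoo.com>
Reply-To: placeholder@instruction.com
Subject: Your item has been reinstated

body
"""

if __name__ == "__main__":
    for f in triage(LOOKALIKE, "google.com") + triage(FAKE_EBAY, "ebay.com"):
        print(f)
```
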

Taking Action: Protecting Yourself And Reporting Scams

The most effective weapon you have for protecting yourself against scammers is common sense. Scammers make a living by playing to people’s naivety, trust, greed, ego or all of these. In my case, why would someone voluntarily pay me $300 for an item which went for $66 total? This is way too good to be true as nobody is that generous. Combine this with the incessant fraudulent emails calling for immediate action “or else”, and the scammer was counting on me being naive, trusting or greedy. Another interesting observation is they used a female name for all of their correspondence. Perhaps there is more perceived trust when you are dealing with a woman? I have no evidence to support this, just a thought I am throwing out.

As an extra measure, and to help others thwart these types of scams in the future, pretty much all major online sites have methods to report suspected fake emails. In the case of eBay and Paypal, this involved just forwarding the unmodified email to “spoof@ebay.com” or “spoof@paypal.com”. I did this for each of the fake messages and got a response back in no later than 30 minutes. Any time you suspect an email to be fraudulent but are not totally sure, be sure to do this before responding to the suspect email.

If you have already fallen victim to a scam or want to report the attempt, you can report them to the Internet Crime Complaint Center. Here you fill out a somewhat detailed form regarding the scam (i.e. how did they solicit you?, how did they want you to send money to them?, where did they want you to send money?, etc.). I filled out one to report this scam attempt. Every little bit helps.

Stay smart.