Identify the true source of email sender Internet emails are designed to carry the IP address of the computer from which the email was sent. This IP address is stored in an email header delivered to the recipient along with the message. Email headers can be thought of like envelopes for postal mail. They contain the electronic equivalent of addressing and postmarks that reflect the routing of mail from source to destination. Finding IP Addresses in Email Headers Many people have never seen an email header, because modern email clients often hide the headers from view. However, headers are always delivered along with the message contents. Most email clients provide an option to enable display of these headers if desired. Internet email headers contain several lines of text. Some lines start with the words Received: from. Following these words is an IP address, such as in the following fictitous example: Received: from teela.mit.edu (65.54.185.39) by mail1.aol.com with SMTP; 30 Jun 2003 02:27:02 -0000 These lines of text are automatically inserted by email sender that route the message. If only one "Received: from" line appears in the header, a person can be confident this is the actual IP address of the sender. Understanding Multiple Received: from Lines In some situations, however, multiple "Received: from" lines appear in an email header. This happens when the message passes through multiple email servers. Alternatively, some email spammers will insert additional fake "Received: from" lines into the headers themselves in an attempt to confuse recipents. To identify the correct IP address when multiple "Received: from" lines are involved requires a small bit of detective work. If no faked information was inserted, the correct IP address is contained in the last "Received: from" line of the header. This is a good simple rule to follow when looking at mail from friends or family. Understanding Faked Email Headers If faked header information was inserted by a spammer, different rules must be applied to identify a sender's IP address. The correct IP address will be normally not be contained in the last "Received: from" line, because information faked by a sender always appears at the bottom of an email header. To find the correct address in this case, start from the last "Received: from" line and trace the path taken by the message by traveling up through the header. The "by" (sending) location listed in each "Received" header should match with the "from" (receiving) location listed in the next "Received" header below. Disregard any entries that contain domain names or IP addresses not matching with the rest of the header chain. The last "Received: from" line containing valid information is the one that contains the sender's true address. Note that many spammers send their emails directly rather than through Internet email servers. In these cases, all "Received: from" header lines except the first one will be faked. The first "Received: from" header line, then, will contain the sender's true IP address in this scenario. Internet Email Services and IP Addresses Finally, the popular Internet-based email services differ greatly in their use of IP addresses in email headers. Use these tips to identify IP addresses in such mails. * Google's Gmail service omits the sender IP address information from all headers. Instead, only the IP address of Gmail's mailserver is shown in Received: from. This means it is impossible to find a sender's true IP address in a received Gmail.Learn to filter effectively. A student related the story that when he went back to university to prepare for a Master's degree, the new email address assigned to him already had 500+ spam emails waiting for him the first time he signed into his mailbox. Because email addresses were produced using the first and last name of a student, they were relatively easy to generate for spammers. All students at the school were likely getting that much spam. Filtering of the mail server was woefully inadequate, and didn't even have an auto-spam folder. The simplest way to rid himself of the email in this case was to create a folder of emails to keep, scan the inbox carefully for such email, then move them for safekeeping. Then, since all remaining emails on a given page in the inbox were spam, a single click near the top of the page selected all of them, and they could be easily deleted en masse. Alternately, all emails could be selected with the single click, then desirable emails unchecked individually, before the deletion. While this method is more prone to deleting desired emails, sometimes that is your only option. Don't forward attachments. Except in a work environment where it might be expected, check with your intended recipient before sending attachments. If it is a large file, consider that sending it may block their account from receiving additional email because they exceeded their disk space quota. Attachments also take up company resources and eat up bandwidth unnecessarily. For example, if you send a PDF file to a group of, say, 10 co-workers, the mail server sends 10 copies of the same file and uses up 10x the space. 53.
Phil Jones tells Jose Mourinho arrested him quitting Man Utd