It is easy, trivial even, to fake what appears in the “From” or “Reply-To” line of an email message. Dig deeper to find the message’s true origin. E-mails typically have three components: the transport (message) envelope, the message header and the message body.
An email message is constructed like a letter you'd send through the postal service: a message enclosed in an envelope. The email envelope header is analogous to the envelope of a hardcopy letter, but some of the information that is ordinarily present on a hardcopy envelope is contained in the message header instead of the envelope header.
This header also contains information that is not usually found on a real-world envelope but is essential to email delivery and troubleshooting. The most interesting part of the e-mail headers is the ‘Received’ header section. In a legitimate e-mail, each ‘Received’ line represents one step the message took between two e-mail servers.
With each additional step, a new ‘Received’ line is added on top of the existing headers, so the most recent hop appears first. The envelope header is usually hidden when you view an email, and the message header is usually visible. Together, these two headers are called the full header. By reading these headers, you should be able to trace the complete path the message took from its source to its destination, and back again.
1. There will be times when the information in the e-mail headers (the material that comes before the body of a message) plainly contradicts the e-mail’s “From” line. For instance, take a look at example 1 above: the header information from a phishing e-mail message that claims to be from Adobe. Spelling and grammatical errors are also good indicators that an e-mail could be malicious.
2. Example 2 above shows what the e-mail message’s full headers look like, including details that normally aren’t displayed but are needed to determine whether an email is legitimate. To find out how to reveal full headers in the email software you are using, see the Help Desk knowledge base article http://its.uiowa.edu/support/article/2355. For instructions on how to forward an e-mail with the full headers included, go to http://its.uiowa.edu/support/article/3605.
In the example above, 2.a is the line to check: the first line starting with ‘Received’ that you find just above the ‘Date’ line (shown in bold). This indicates where the email message started its journey. Look at the host name, ‘mta811.email.childrensplace.com’. Visiting the website childrensplace.com takes the user to a children’s shopping website, an unlikely origin for a message purporting to be from Adobe. If the email had actually come from Adobe, the Received line would probably show that the email started its journey at adobe.com.
Example 2.b above shows the spoofed header; notice the typo in the ‘From:’ field along with the erroneous e-mail address. If you were to reply to the e-mail above, your reply would be redirected to “support-bx9v0dvbfjbebzau60jacqc68fsb9p@email.childrensplace.com”, not “newsletter@adobe-newsletter.com”.
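The check described above, as an added Python example that is not part of the original article: it reads a constructed set of full headers (hosts, addresses and timestamps are made up, using reserved example domains), lists the ‘Received’ hops from origin to final delivery, and compares the origin host and the ‘Reply-To:’ domain with the ‘From:’ domain.

```python
import email
import re
from email import policy

# Constructed sample full headers (not from the original page). Each server
# prepended its own Received: line, so the bottom one, just above Date:,
# is where the message started its journey.
RAW_HEADERS = """\
Received: from mx2.example.edu (mx2.example.edu [192.0.2.20])
\tby mail.example.edu with ESMTP id abc123; Tue, 3 Mar 2015 09:02:11 -0600
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx2.example.edu with ESMTP; Tue, 3 Mar 2015 09:02:10 -0600
Received: from mta811.email.shop-example.com ([203.0.113.5])
\tby relay.example.net with SMTP; Tue, 3 Mar 2015 09:02:09 -0600
Date: Tue, 3 Mar 2015 09:02:08 -0600
From: BigVendor Newsletter <newsletter@bigvendor-newsletter.example>
Reply-To: support-xxxx@email.shop-example.com
Subject: Your account needs attention
"""

FROM_HOST_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def received_hops(raw_headers):
    """Return the sending host named in each Received: line, origin first."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = FROM_HOST_RE.match(str(value))
        hops.append(m.group(1) if m else "<no 'from' clause>")
    return list(reversed(hops))  # header order is newest hop first


def origin_check(raw_headers):
    """Compare the From: domain with the origin host and the Reply-To: domain.

    Returns (origin_host, from_domain, reply_domain, suspicious). A mismatch
    is a prompt to look closer, not proof of spoofing: legitimate bulk
    mailers also send from third-party hosts.
    """
    msg = email.message_from_string(raw_headers, policy=policy.default)

    def domain_of(header):
        hdr = msg[header]
        return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""

    from_domain = domain_of("From")
    reply_domain = domain_of("Reply-To") or from_domain
    origin = received_hops(raw_headers)[0].lower()
    same_org = origin == from_domain or origin.endswith("." + from_domain)
    suspicious = not same_org or reply_domain != from_domain
    return origin, from_domain, reply_domain, suspicious
```

Run `origin_check(RAW_HEADERS)` on the sample to see the origin host and the redirected Reply-To domain both flagged; a message whose bottom ‘Received’ host and ‘Reply-To’ sit under the ‘From’ domain comes back unflagged.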