We recently gave advice on steps you can take to reduce the amount of spam emails that you receive, but spammers are becoming sneakier and are finding new ways to get around your anti-spam protocols.
It’s common for spammers to send email pretending to be a large company like O2, Apple, or Amazon, where the variations are so subtle that it’s almost impossible to tell the difference between a legitimate email and a fraudulent one.
The first immediate bit of advice would be, if you’re unsure, proceed with caution. Don't open any links or give out any details unless you can check the legitimacy and the authenticity of the sender.
The email may say it was “From: Apple” but it's possible for senders to mask their actual email address with anything they want. This practice is known as email spoofing and is commonly used by spammers.
To find out who the email is actually from – and not just who it's pretending to be from – there are certain steps you can take.
Master of disguise
If you expand the email to show the sender’s email address, you might see that what you thought was from Apple is actually from email@example.com. This is clearly not an official Apple email address; it just looks like one. If the spammer is really clever, the email may even have come from support@appIe.com where, if you look closely, you’ll notice that the 'L' in ‘Apple’ is actually a capital 'i'.
These emails are often believable because of who they appear to be from, what the email looks like, and the kind of content it contains. They're designed to cause panic in the hope that you click a link without thinking. More often than not they'll make you worried that you’ve actually been charged for downloading something that you know you didn't do.
But as soon as you click the link that says ‘To cancel this order click here’ they’ve got you. Because that link isn’t going to go to the Apple support website, it’s going to be a harmful phishing link designed with malicious intent.
As well as being vigilant about who the sender is, another way to make sure an email is genuine is by being careful with the links. It’s easy enough for the spammer to make a string of text that says www.apple.com actually link to something completely different.
So, if in doubt, you can right-click on the link, select “copy hyperlink”, and then paste it into a Notepad document. This is where you might see that what appears to link to the Apple site actually links to a completely different (and much more dangerous) website.
Finding email headers
Email headers provide a detailed account of the journey an email has taken from start to finish.
Most email service providers will allow you to view email headers. Where to find this information however, will differ depending on which one you use.
Our knowledgebase guide provides instructions on how to locate email headers using some of the more popular email programs such as Outlook or Thunderbird.
Reading email headers
If you haven't looked at an email header before, it can seem a little confusing at first. But, once you know how to approach them and what specific data to look for, it gets easier.
Here are some tips on how to read email headers:
- Always read the header from bottom to top. The bottom shows where the email journey began and which mail server the email originated from. This is especially important when attempting to track down spammers.
- Think of every ‘Received from’ instance as an email hop. Effectively, emails move or ‘hop’ from server to server until they reach their destination. If you break the header apart and separate each hop then the header becomes clearer.
Below is an example of a broken down email header, shown from bottom to top:
Received: from randomserver.com ([10.11.12.123]) by cdptpa-fep04.email.rr.com (InterMail vM.8.04.01.13201-2343-100-167-20161006) with ESMTP id <20151119042833.QXMB15673.randomserver.com> for <[redacted]>; Thu, 6 Oct 2016 04:28:33 +0000
Received: from [192.0.2.10] ([192.0.2.10:39015] helo=cust-smtp-auth2.randomisp.co.uk) by cdptpa-iedge07 (envelope-from <firstname.lastname@example.org>) (ecelerity 188.8.131.52861 r(Momo-dev:tip)) with ESMTP id 28/00-20029-1FF4D465; Thu, 6 Oct 2016 04:28:33 +0000
Received: from randomdomain.com (unknown [184.108.40.206]) by cust-smtp-auth2.localnetwork (Postfix) with ESMTPA id AE1BB74021F for <[redacted]>; Thu, 6 Oct 2016 04:28:29 +0000 (GMT)
From the header we can find out more about the email's journey, like:
1. The email originated from 220.127.116.11. This is usually the sender’s local computer or network.
2. The message was then passed from 18.104.22.168 to 192.0.2.10. This shows the ‘hop’ between the sender and the sender’s mail provider.
3. The email finally arrives at server 10.11.12.123 from 192.0.2.10. This shows the ‘hop’ between the mail provider and the recipient’s mail server or service provider.
Email headers can have more or fewer ‘hops’ depending on which, and how many, networks the email travels through.
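The bottom-to-top reading described above, as an added example that is not part of the original article: parse every Received header out of a raw message, unfold it, pull out the "from" host, its IP address and the "by" server, and return the hops origin-first. The raw message is constructed from the example header above, with the redacted addresses replaced by placeholder mailboxes.

```python
import email
import re

# Constructed raw message mirroring the article's example header; the
# host names and addresses are its illustrative values, not real servers.
RAW_MESSAGE = """\
Received: from randomserver.com ([10.11.12.123]) by cdptpa-fep04.email.rr.com
 (InterMail vM.8.04.01.13201-2343-100-167-20161006) with ESMTP
 id <20151119042833.QXMB15673.randomserver.com> for <recipient@example.invalid>;
 Thu, 6 Oct 2016 04:28:33 +0000
Received: from [192.0.2.10] ([192.0.2.10:39015] helo=cust-smtp-auth2.randomisp.co.uk)
 by cdptpa-iedge07 (envelope-from <sender@example.invalid>) with ESMTP
 id 28/00-20029-1FF4D465; Thu, 6 Oct 2016 04:28:33 +0000
Received: from randomdomain.com (unknown [184.108.40.206]) by cust-smtp-auth2.localnetwork
 (Postfix) with ESMTPA id AE1BB74021F for <recipient@example.invalid>;
 Thu, 6 Oct 2016 04:28:29 +0000 (GMT)
From: "Apple" <support@appIe.com>
Subject: Your order

Message body.
"""

# "from <host> ... by <host>"; the first bracketed IPv4 literal is the peer address.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})")

def parse_hops(raw_message):
    """Return one dict per Received header, ordered origin first (bottom of header)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
        m, ip = HOP_RE.search(value), IP_RE.search(value)
        hops.append({
            "from": m.group("from") if m else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by") if m else None,
            "date": value.rsplit(";", 1)[-1].strip() if ";" in value else None,
        })
    return list(reversed(hops))   # headers are prepended, so the last one is the origin

def origin_ip(raw_message):
    """IP address of the earliest hop, i.e. where the journey began."""
    hops = parse_hops(raw_message)
    return hops[0]["ip"] if hops else None

if __name__ == "__main__":
    for n, hop in enumerate(parse_hops(RAW_MESSAGE), 1):
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['date']}")
```

Only the Received lines added by your own provider's servers (the top ones) are certain to be genuine; a sender can forge the lines beneath them, so treat the bottom-most IP as a lead to verify, not as proof.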
Using the IP addresses you found in steps 1 and 2 above, you can report misuse to the relevant internet service provider (ISP). A WHOIS lookup on an IP address tells you which organisation is responsible for the network it belongs to, and usually where to send abuse reports. A WHOIS lookup will display information like this:
netname:  FASTHOSTS-UK-NETWORK
org:      ORG-FHL1-RIPE
descr:    Fasthosts Internet Limited – UK’s largest web hosting company
descr:    based in Gloucester, England
descr:    Shared Hosting
country:  GB
admin-c:  GD8691-RIPE
tech-c:   FHUK-RIPE
status:   ASSIGNED PA
mnt-by:   AS15418-MNT
mnt-by:   AS8560-MNT
remarks:  trouble: email@example.com: Please report abuse to firstname.lastname@example.org
From this, you can see that for the example IP address found in the email header, the ISP is Fasthosts Internet Limited, and the address to report spam to is email@example.com.
To report the spam you received to the ISP, you will need to email the following to them:
- A copy of the email headers.
- The content of the email itself.
Reporting spam helps ISPs identify spammers on their networks and assists them in taking action against them. So if you are receiving a lot of unwanted spam emails, please report them to the relevant ISP.