We recently gave advice on steps you can take to reduce the amount of spam emails that you receive, but spammers are becoming sneakier and are finding new ways to get around your anti-spam protocols.

It’s common for spammers to send email purporting to be a large company like O2, Apple, or Amazon, where the nuances are so minute that it’s almost impossible to tell the difference between a legitimate and a fraudulent email.


The first immediate piece of advice would be: if you’re unsure, proceed with caution. Do not open any links or give out any details unless you can verify the legitimacy and the authenticity of the sender.

The email may say it was “From: Apple” but it is possible for senders to mask their actual email address with anything they want. This practice is known as email spoofing and is commonly used by spammers.

To find out who the email is actually from, and not just who it is pretending to be from, there are certain steps you can take.

Master of disguise

If you expand the email to show the sender’s email address, you might see that what you thought was from Apple is actually from support@apple.sdfwzxfnk.com which is not an Apple email address – it just looks like it is. If the spammer is really clever the email may have even come from support@appIe.com where, if you look closely, you’ll notice that the L in ‘Apple’ is actually a capital i.

These emails are often believable because of who they appear to be from, what the email looks like, and the kind of content it contains. These emails are often designed to cause panic in the hope that you click a link without thinking because you’re worried that you’ve actually been charged for downloading something that you have no recollection of doing.

But as soon as you click the link that says ‘To cancel this order click here’ then they’ve got you. Because that link isn’t going to go to the Apple support website, it’s going to be a harmful phishing link designed with malicious intent.

Right click

As well as being vigilant over checking who is sending the email, another way to ensure the email is genuine is by being careful with the links. It’s easy enough for the spammer to make a string of text that says www.apple.com actually link to something completely different.

So, if in doubt, you can right click on the link, select “copy hyperlink”, and then paste it into a Notepad document. This is where you might see that what appears to link to the Apple site, actually links to a completely different (and much more malicious) website.

Finding email headers

Email headers provide a detailed account of the journey an email has taken from start to finish.

Most email service providers will allow you to view email headers. Where to find this information however, will differ depending on which one you use.

Our knowledge base guide linked below will provide instructions on how to locate email headers using some of the more popular email programs such as Outlook or Thunderbird.


Reading email headers

If you have not looked at an email header before then it can seem a little confusing at first. However, once you know how to approach them and what specific data to look for, it gets easier.

  • Always read the header from bottom to top. The bottom shows where the email journey began and which mail server the email originated from. This is especially important when attempting to track down spammers.
  • Think of every ‘Received from’ instance as an email hop. Effectively, emails move or ‘hop’ from server to server until they reach their destination. If you break the header apart and separate each hop then the header becomes clearer.

Below is an example of a broken down email header, shown from bottom to top:


Received from randomserver.com ([]) bycdptpa-fep04.email.rr.com (InterMail vM. with ESMTP id<20151119042833.QXMB15673.randomserver.com> for <[redacted]>; Thu, 6 Oct 2016 04:28:33 +0000

Received from [] ([]helo= cust-smtp-auth2.randomisp.co.uk) by cdptpa-iedge07 (envelope-from<e-mail@randomdomain.com>) (ecelerity r(Momo-dev:tip)) with ESMTPid 28/00-20029-1FF4D465; Thur, 6 Oct 2016 04:28:33 +0000

Received from randomdomain.com (unknown []) bycust-smtp-auth2.localnetwork (Postfix) with ESMTPA id AE1BB74021F for<[redacted]>; Thur, 6 Oct 2016 04:28:29 +0000 (GMT)



To summarise the email journey:

  • The email originated from This is usually the sender’s local computer or network.
  • The message was then passed from to This shows the ‘hop’ between the sender and the sender’s mail provider.
  • The email finally arrives at server from This shows the ‘hop’ between the mail provider and the recipient’s mail server or service provider.

Email headers can have more or less ‘hops’ depending on which, and how many, networks the email travels through.

Using the IP addresses you found in steps 1 and 2 above, you can report misuse to the relevant internet service provider (ISP). You can perform a WHOIS IP lookup to find out who provides that email address with email hosting. A WHOIS lookup will display information like this:

netname: FASTHOSTS-UK-NETWORKorg: ORG-FHL1-RIPEdescr: Fasthosts Internet Limited – UK’s largest web hosting companydescr: based in Gloucester, Englanddescr: Shared Hostingcountry: GBadmin-c: GD8691-RIPEtech-c: FHUK-RIPEstatus: ASSIGNED PAmnt-by: AS15418-MNTmnt-by: AS8560-MNTremarks: trouble: abuse@fasthosts.co.ukremarks: Please report abuse to abuse@fasthosts.co.uk

From this, you can see that for the example IP address found in the email header, the ISP is Fasthosts Internet Limited, and the address to report spam to is abuse@fasthosts.co.uk.

To report the spam you received to the ISP, you will need to email the following to them:

  • A copy of the email headers.
  • The content of the email itself.

Reporting spam can help the ISPs identify spammers on their network and can assist them in taking action against them. So if you are receiving a lot of unwanted spam emails, please report them to the relevant ISP.