How to tell from email header if sender address is legitimate

I received an email from [email protected] claiming that I had got an interview for Assistant Manager (the exact words were: "Result of your application for the position of assistant manager. I would like to invite you to attend an interview."), and it came with a PDF file attached.

I know that it was fake because it asked me to submit money before the interview.

The email header is shown below. How can I tell from this header where the email really came from and whether it is spam?

Delivered-To: [email protected]
Received: by 10.107.155.193 with SMTP id d184csp3229700ioe;
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
X-Received: by 10.70.90.133 with SMTP id bw5mr80267365pdb.85.1435150556549;
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Return-Path: <[email protected]>
Received: from sg2plwbeout19-1.prod.sin2.secureserver.net (sg2plwbeout19-1.prod.sin2.secureserver.net. [182.50.144.34])
        by mx.google.com with ESMTPS id da5si39769286pbc.20.2015.06.24.05.55.55
        for <[email protected]>
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Received-SPF: neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=182.50.144.34;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from localhost ([182.50.144.112])
    by sg2plwbeout19-1.prod.sin2.secureserver.net with bizsmtp
    id kCvv1q0092Rj2se01Cvv9l; Wed, 24 Jun 2015 05:55:55 -0700
X-SID: kCvv1q0092Rj2se01
Received: (qmail 41764 invoked by uid 99); 24 Jun 2015 12:55:55 -0000
Content-Type: multipart/mixed;
    boundary="=_b169b0435b8622296c62a715d3e6f635"
X-Originating-IP: 106.219.63.197
User-Agent: Workspace Webmail 5.14.3
Message-Id: <20150624055553.5ceda2619095e240c253dad68c059c9c.541a6e07e4.wbe@email19.asia.secureserver.net>
From: "Larsen & Toubro Ltd \(India\)" <[email protected]>
X-Sender: [email protected]
Reply-To: "Larsen & Toubro Ltd \(India\)" <[email protected]>
To:
Subject: Result
Date: Wed, 24 Jun 2015 05:55:53 -0700
Mime-Version: 1.0
--=_b169b0435b8622296c62a715d3e6f635
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

I know it is spam, but I want to understand what part of the header signifies that it is spam.


How can I tell from an email's headers if the sender address is legitimate?

Many of these email headers can be (and usually are) forged by spammers when they send their spam.

  • "From:" address
  • Some "Received:" headers can also be forged.

SMTP message spoofing shows just how easily this can be done using an open (unsecured) relay mail server.


How can I analyze the email headers?

There are many tools to analyze email headers, some of which can show if any of the IP addresses in the chain are on spam blacklists.

These tools can also tell if any of the "Received:" headers in the chain are forged.


MxToolbox Email Header Analyzer

One such tool is MxToolbox Email Header Analyzer.

Feeding your email headers into this tool produces the following output:

[screenshot: MxToolbox Email Header Analyzer output for the header above]

Clicking on the blacklist button shows that the IP address 182.50.144.34 (which is where Google received the email from) is on 3 email blacklists.

[screenshot: MxToolbox blacklist result for 182.50.144.34]


Further reading

  • Tutorial - Mail Header Analysis for Spoof Protection
  • Example - SMTP message spoofing
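The answer above says the "Received:" chain and the SPF result are the parts of the header to read. The script below is an added illustration, not part of the original answer or of MxToolbox: it walks that chain top-down over a trimmed copy of the question's header to find the hand-off IP that the recipient's own provider stamped (182.50.144.34, the address the answer checked against blacklists), the originating IP the sending side claims, and the SPF verdict. It assumes the recipient's provider is google.com (true for this header) and that the regex covers the "from X (info) by Y" forms seen here.

```python
import re
from email import message_from_string

# Constructed sample: the question's header trimmed to the lines this
# example reads (addresses stay redacted, as they are on the page).
RAW_HEADERS = r"""Received: by 10.107.155.193 with SMTP id d184csp3229700ioe;
        Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Received: from sg2plwbeout19-1.prod.sin2.secureserver.net (sg2plwbeout19-1.prod.sin2.secureserver.net. [182.50.144.34])
        by mx.google.com with ESMTPS id da5si39769286pbc.20.2015.06.24.05.55.55
        for <[email protected]>; Wed, 24 Jun 2015 05:55:56 -0700 (PDT)
Received-SPF: neutral (google.com: 182.50.144.34 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=182.50.144.34;
Received: from localhost ([182.50.144.112])
    by sg2plwbeout19-1.prod.sin2.secureserver.net with bizsmtp; Wed, 24 Jun 2015 05:55:55 -0700
Received: (qmail 41764 invoked by uid 99); 24 Jun 2015 12:55:55 -0000
X-Originating-IP: 106.219.63.197
From: "Larsen & Toubro Ltd \(India\)" <[email protected]>
"""

HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def received_hops(msg):
    """Received: headers in header order, so the most recent hop comes first."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:  # no "from ... by ...": an internal or qmail-style hop
            hops.append({"from": None, "ip": None, "by": None})
            continue
        ips = IP_RE.findall(m.group("info") or m.group("host"))
        hops.append({"from": m.group("host"), "ip": ips[0] if ips else None, "by": m.group("by")})
    return hops

def handoff_ip(hops, trusted_domain):
    """Top-most hop stamped by the recipient's own provider that names an outside
    sender. Lines below it were written by the sending side and may be forged."""
    for hop in hops:
        if hop["ip"] and hop["by"].endswith(trusted_domain) \
                and not hop["from"].endswith(trusted_domain):
            return hop["ip"]
    return None

def analyze(raw, trusted_domain="google.com"):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    return {"hops": len(hops), "handoff_ip": handoff_ip(hops, trusted_domain),
            "originating_ip": msg.get("X-Originating-IP"), "spf": spf,
            "sender_verified": spf == "pass"}  # neutral/softfail/none prove nothing
```

Only the hand-off IP is worth checking against blacklists; the X-Originating-IP and the hops below the hand-off are the sender's claims, not the receiver's.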