Email headers: Fraudulent or Legitimate?


Overview:

Email is a quick and convenient method of communication, but it was never designed to be secure. When you receive a message, email clients and web services by default display information such as who it is from and who it was sent to. However, it is trivial for an attacker to 'spoof' or 'forge' this information to make it appear as if the message came from someone else. This article covers the basics of analyzing email headers and detecting forged messages. This is a useful skill for verifying the legitimacy of a message and for helping users become aware of phishing attempts and scams.

Analyzing headers can be useful any time you feel a message is suspicious. Some signs that a message is suspicious are:

  • the requesting of sensitive or personal information
  • attempts to solicit fake goods or medication
  • any message that uses an elaborate story for setting up bank accounts and sending money (for any purpose)
  • requests for username and password 

NOTE: LSU (and most other sites/services) will NEVER ask you for your password! Never give out your personal information or passwords/credentials; anything requesting that information is most likely a scam. LSU will NEVER request this information nor will LSU "deactivate" your account.

To find email headers for your respective email service, see: GROK Article 14922

Examples: 

One way to tell if a header is forged is to check whether the bottom-most "Received" line matches the email address of the sender. Each mail server that handles a message adds its own "Received" line above the existing ones, so the bottom-most line records the server where the message first entered the mail system. The example phishing email and header below demonstrate this.

[Image: mail header source code showing the addresses not matching]

The "Received" box highlighted in red is the last one listed, meaning the email originated here first; it was sent by the address below it, underlined in red. This address does not match the sender of the email, indicated below by the red box. Because these addresses do not match, this is a good indicator that the email header is forged.
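The comparison described above, written out as an added example (not part of the original article): the script reads a constructed header block, takes the bottom-most "Received" line as the first hop, and checks whether the host it names belongs to the domain shown in the From: address. All hostnames, addresses and timestamps in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message). Servers prepend a
# Received: line as the mail passes through them, so the bottom-most one
# is the first hop. Here it names 192.0.2.77, not the example.edu sender.
SAMPLE_HEADERS = """\
Received: from mx1.example.edu (mx1.example.edu [203.0.113.5])
        by mailstore.example.edu with ESMTP; Tue, 22 Aug 2017 15:50:44 -0500
Received: from relay.example.net (relay.example.net [198.51.100.9])
        by mx1.example.edu with ESMTP; Tue, 22 Aug 2017 15:50:40 -0500
Received: from [192.0.2.77] (unknown [192.0.2.77])
        by relay.example.net with SMTP; Tue, 22 Aug 2017 15:50:30 -0500
From: "IT Help Desk" <helpdesk@example.edu>
Subject: Your account will be deactivated
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

def received_hops(raw_headers):
    """Received: values ordered oldest-first (the origin hop first)."""
    msg = message_from_string(raw_headers)
    return list(reversed(msg.get_all("Received", [])))

def origin_host(raw_headers):
    """Host named in the bottom-most Received: line, or None."""
    hops = received_hops(raw_headers)
    if not hops:
        return None
    m = RECEIVED_FROM.match(hops[0].replace("\n", " "))
    return m.group(1).strip("[]").lower() if m else None

def sender_domain(raw_headers):
    """Domain of the From: address that the mail client displays."""
    _, addr = parseaddr(message_from_string(raw_headers).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None

def origin_matches_sender(raw_headers):
    """True only when the first hop belongs to the From: domain."""
    host, domain = origin_host(raw_headers), sender_domain(raw_headers)
    if not host or not domain:
        return False
    return host == domain or host.endswith("." + domain)

if __name__ == "__main__":
    verdict = "consistent" if origin_matches_sender(SAMPLE_HEADERS) else "MISMATCH"
    print(sender_domain(SAMPLE_HEADERS), origin_host(SAMPLE_HEADERS), verdict)
```

Only the "Received" lines added by your own organization's mail servers (the top ones) can be trusted, since a sender can insert fake lines below them, and legitimate mail sent through third-party services will also show a mismatch. Treat the result as a reason to look closer, as the article does, not as proof either way.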

Another example can be found by examining the email itself:

[Image: an example email where the address does not match up]

If you have trouble interpreting the email header, the content of the email itself can also be a good indicator of a forged message. For instance, the email above contains a suspicious link to click on as well as a password (140A) and an ID to use (220029). When you see an email like this, it should be a red flag.

Question: I have a suspicious email message, what should I do with it?

LSU IT Security is willing to investigate any potential scam messages on your behalf. You may do so by clicking the PhishMe Reporter icon at the top right of your message to send phishing messages to LSU IT Security Team, or by sending the original message (with full headers) to security@lsu.edu. For more information on PhishMe Reporter, please visit the PhishMe Reporter Information Page.

Typically, forged messages mean that the headers contain false data. LSU can help you verify this, but there is little we can do to stop this kind of abuse. However, here are a few cases where we recommend you contact security@lsu.edu:

  • you receive a phishing scam that contains links; the LSU IT Security office has the ability to prevent on-campus users from visiting these links
  • you clicked on a link or responded with personal information to a potential email scam and need help determining what to do
  • you have a message you think is forged but are not sure

As long as you do not click on any links or respond to the email with personal information, neither you nor your computer should be at risk.

As always, if you have any concerns or comments please feel free to contact the LSU IT Security Office with any of your security questions at security@lsu.edu.

16564
8/22/2017 3:50:44 PM