Use Full Email Headers to Identify a Spam Sender

In the document Is This Phishing? we examine two examples of a Phishing scam and describe the red flags that are visible before one even looks at the full email headers to identify the actual sender of an email.

In this document we show how to use Webmail to display full email headers, and look at the headers from the Phishing email previously described.

  1. Log in to Webmail using your olympus.net email address and password.

  2. Check the checkbox beside the email for which you want to examine the email headers. Click on the More icon in the gray banner above the email list, then select Show Source. The Full Headers will open in a new window. [Note: The screenshot showing how to show full headers in Webmail does not match the sample of the headers at the bottom of the document.]


The full email headers, reproduced at the bottom of this document, show the sender of this Phishing scam.

Look first at the Return-Path. Notice that the sender of the Phish is adminn@kellin.net, which is not an OlympusNet email address. At the bottom of the headers, the X-Authenticated-User line identifies the authenticated user as thebrokers@kellin.net. This is your proof that the email is a scam.

The sender of the email could be blocked by adding *@kellin.net to your Blocked Senders list. This would block any sender from the domain “kellin.net”.
To block spam for olympus.net, see Block Spam Using OlympusNet Webmail for more guidance.
To block spam for domains like example.com, see Block Spam Using Domain Webmail for more guidance.

See Inspect Suspicious Mail (video, links) for links showing how to display the source or full headers in your own email application.

Return-Path: srs0+/s6++76+olympus.net=adminn@kellin.net
Delivered-To: someone@olympus.net
X-FDA: 70754798268.08.skate44_709b2045baf3a
Authentication-Results: auth.b.hostedemail.com; dkim=none
    reason="no signature"; dkim-adsp=unknown (insecure policy);
    dkim-atps=neutral
X-Spam-Summary: 50,0,0,61b1a28ea00306f6,d41d8cd98f00b204,srs0+/s6++76+olympus.net=adminn@kellin.net,:,RULES_HIT:41:72:355:379:800:901:960:962:967:973:983:988:989:1189:1208:1212:1221:1260:1263:1313:1314:1345:1381:1431:1436:1437:1516:1517:1518:1534:1541:1560:1575:1588:1589:1593:1594:1711:1714:1730:1749:1777:1792:1801:2068:2069:2525:2566:2682:2685:2828:2859:2890:2902:2915:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3867:3873:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4042:4321:4362:4552:4605:4659:5007:6261:6678:7266:8518:8599:8603:9025:9040:9080:9149:9388:9855:10004:10049:10400:11473:11658:11854:11914:12043:12438:12555:12679:12740:13132:13231:14093:21080,0,RBL:neutral,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0
X-HE-Tag: skate44_709b2045baf3a
X-Filterd-Recvd-Size: 3362
Received: from kellin.net (mail.kellin.net [198.57.0.229])
    by imf13.b.hostedemail.com (Postfix) with ESMTP
    for ; Sun, 18 Oct 2015 10:06:13 +0000 (UTC)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=37.235.49.70;
From: "Olympus Verification Centre" 
Subject: Verify Your Olympus Email Account !!
To: someone@olympus.net
Content-Type: multipart/alternative; charset="ISO-8859-1"; boundary="qxarv76Gk6AEZssL8VD9mAjpexnfDR=_MX0"
MIME-Version: 1.0
Reply-To: cdpt@rocketmail.com
Date: Sun, 18 Oct 2015 11:06:08 +0100
Message-ID: <29201673640178@smtp.kellin.net>
X-Authenticated-User: thebrokers@kellin.net
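
The header checks described above can be automated. The following is an added example, not part of the original OlympusNet document: it parses a subset of the headers shown on this page, compares the Return-Path and X-Authenticated-User domains with the domain the message claims to come from, and builds the Blocked Senders wildcard. The function names (domain_of, header_red_flags, block_pattern) and the expected_domain parameter are hypothetical, and the Reply-To comparison is an extra check that the page does not describe.

```python
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers shown on this page, copied as they appear there.
SAMPLE = """\
Return-Path: srs0+/s6++76+olympus.net=adminn@kellin.net
Delivered-To: someone@olympus.net
From: "Olympus Verification Centre"
Subject: Verify Your Olympus Email Account !!
Reply-To: cdpt@rocketmail.com
X-Authenticated-User: thebrokers@kellin.net

"""

def domain_of(value):
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def header_red_flags(raw_headers, expected_domain):
    """List mismatches between the headers and the domain the mail claims."""
    msg = message_from_string(raw_headers)
    expected = expected_domain.lower()
    bounce = domain_of(msg.get("Return-Path"))
    auth_user = domain_of(msg.get("X-Authenticated-User"))
    reply = domain_of(msg.get("Reply-To"))
    flags = []
    # Checks from the page: envelope sender and authenticated user.
    for name, dom in (("Return-Path", bounce), ("X-Authenticated-User", auth_user)):
        if dom and dom != expected and not dom.endswith("." + expected):
            flags.append(f"{name} is at {dom}, not {expected}")
    # Extra check (assumption, not described on the page): replies diverted.
    if reply and bounce and reply != bounce:
        flags.append(f"Reply-To is at {reply}, but Return-Path is at {bounce}")
    return flags

def block_pattern(raw_headers):
    """Blocked Senders wildcard for the Return-Path domain, e.g. *@kellin.net."""
    dom = domain_of(message_from_string(raw_headers).get("Return-Path"))
    return f"*@{dom}" if dom else None

if __name__ == "__main__":
    for flag in header_red_flags(SAMPLE, "olympus.net"):
        print("RED FLAG:", flag)
    print("Suggested block:", block_pattern(SAMPLE))
```

A Reply-To that differs from the Return-Path also occurs in legitimate mail such as mailing lists, so treat that flag as a hint to look closer, not as proof on its own.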