How to Determine The Origin of an Email Message for Reporting spam or Virus


Summary

To determine the origin of an email message, use the extended email headers to locate the IP address of the sender's mail server. Keep in mind that the header lists mail servers in reverse order when read from top to bottom: the first mail server listed is the last one the mail went through on its way to you. The further down you read, the further back you trace the path the message took.

Note that if you see multiple Received: from sections in the message header, use the last one in the sequence.

EarthLink abuse can only investigate spam or junk mail that originated from our network. If you are unsure where the spam message originated, please use the following document to determine the ISP or company from where the message originated.

How Can I Determine the Origin of an Email Message

  • Sample extended email message header
  • Determine IP address of Sender's Mail Server
  • Using Whois Site to Determine Owner of IP Address
  • Where to Report the Junk or spam Mail Message

Sample extended email message header

  1. Return-Path: mailbox@mindspring.com
  2. Received: from mailmule0.mindspring.com (mailmule0.mindspring.com [204.180.128.191]) by mailgrunt1.mindspring.com (8.7.4/8.7.3) with ESMTP id TAA09377 for ; Mon, 24 Feb 1997 19:30:43 -0500 (EST)
  3. Received: from LOCALNAME (user-37kb512.dialup.mindspring.com [207.69.148.34]) by mailmule0.mindspring.com (8.8.4/8.8.4) with SMTP id TAA00875; Mon, 24 Feb 1997 19:30:34 -0500 (EST) Date: Mon, 24 Feb 1997 19:30:34 -0500 (EST)
  4. Message-Id: 1.5.4.16.19970224193529.22e79a46@pop.mindspring.com
  5. X-Sender: mailbox@pop.mindspring.com X-Mailer: Windows Eudora Light Version 1.5.4 (16)
  6. Organization: MindSpring Enterprises Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"
  7. To: MindSpring Technical Support Desk From: mailbox@mindspring.com Subject: Reading Mail Headers Cc: mailbox@mindspring.com 

Determining IP address of Sender's Mail Server

In the sample header above, line 3 contains the IP address of the sender's email server.

Received: from LOCALNAME (user-37kb512.dialup.mindspring.com [207.69.148.34])

The IP address of the sender's mail server is 207.69.148.34.
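The same lookup done programmatically, as an added example that is not part of the original article: it reads the Received: headers of a raw message, orders them oldest first, and returns the bracketed IP address from the last one in the header. The function names `received_hops` and `origin_ip` are hypothetical, and the message text is constructed from the sample header above with the recipient address omitted.

```python
import email
import ipaddress
import re

# Constructed sample: the two Received: lines from the article's sample
# header, folded onto continuation lines as in a raw message.
SAMPLE = """\
Return-Path: mailbox@mindspring.com
Received: from mailmule0.mindspring.com (mailmule0.mindspring.com [204.180.128.191])
\tby mailgrunt1.mindspring.com (8.7.4/8.7.3) with ESMTP id TAA09377;
\tMon, 24 Feb 1997 19:30:43 -0500 (EST)
Received: from LOCALNAME (user-37kb512.dialup.mindspring.com [207.69.148.34])
\tby mailmule0.mindspring.com (8.8.4/8.8.4) with SMTP id TAA00875;
\tMon, 24 Feb 1997 19:30:34 -0500 (EST)
Subject: Reading Mail Headers

body
"""

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")

def received_hops(raw):
    """Return hops oldest first: the bottom Received: header is hops[0]."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        value = " ".join(value.split())  # unfold continuation lines
        ip = None
        for candidate in BRACKETED.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
                break
            except ValueError:
                continue  # bracketed text that is not an IP address
        by = BY_HOST.search(value)
        hops.append({"ip": ip, "by": by.group(1) if by else None})
    return hops

def origin_ip(raw):
    """IP address from the last Received: header, or None if absent."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE), 1):
        public = hop["ip"].is_global if hop["ip"] else False
        print(n, hop["ip"], "received by", hop["by"], "| public:", public)
    print("Look up in whois:", origin_ip(SAMPLE))
```

A hop whose address is not public (a private or loopback range) cannot be attributed through whois, and Received: lines written before the message reached your own provider's servers are supplied by the sending side, so treat them as a claim rather than a verified fact.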


Using Whois Site to Determine Owner of IP Address

You will now need to go to a Web site that will identify who owns the IP address. One such site is

http://whois.arin.net/ui

There are other sites that provide information on IP addresses. Use the site that you are most comfortable with.

You will see a field to enter the IP address. Either copy and paste or manually enter the IP address and press the Submit button. A search for the IP address 207.69.148.34 yields the following information:

Search results for: 207.69.148.34

OrgName: EarthLink, Inc.
OrgID: ERMS
Address: 1439 PEACHTREE ST NE
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US 


Where to Report the Junk or spam Mail Message

If the message is not from an EarthLink customer, you will need to notify the domain's support department of the email. This will require a small amount of detective work. You will need to find the support email address of the ISP responsible for the IP address. First, use whois to get IP information on the original IP address that sent the spam email. Then try finding the Web site of the company or ISP based on the whois information. Search the Web site for the ISP's contact information; most companies will use either the support@domain or the abuse@domain format. You will need to forward the original email, including the full or extended headers. You should also include a note stating that you received this from one of their customers and that they need to take the appropriate action.
