Erm's I.T. Girl – Zelna Ellis

Don't fear when Zel is near…

SPAM – Trace the sender

I have recently received the following spam letter:

From: Compaq Electronics Promo []
Sent: 09 March 2009 02:36 PM
Subject: Claims Of £950,000,00 Pounds

Your draw has a total value of £950,000,00 GBP which you won. Please acknowledge the receipt of this mail with the details below to :Mr. Jerry Smith,
Claims Requirements:
1.Full name:2.Address:3.Age:4.Sex:5.Country:6:Phone No:
Mrs.Sarah Wood

Just looking at this message, one can see it is JUNK!!!

Firstly is to gather the information from the internet header.

  • In Outlook Express:
    With the message selected or open the message. Select File, Properties. Activate the second tab page named Details
  • In Microsoft Outlook
    The easiest way is to Right-click on the message and select Options or Message Options.
  • Mozilla Thunderbird
    Open the message and from the menu select View, Headers and select All.

Now lets look at a part of the header of this e-mail SPAM I recently received:

Delivered-To: xxxxxxx
Received: by with SMTP id xxxxxxx;
Mon, 9 Mar 2009 05:35:52 -0700 (PDT)
Received: by with SMTP id;
Mon, 09 Mar 2009 05:35:51 -0700 (PDT)
Received: from ( [])
by with ESMTP id xxxxxx;
Mon, 09 Mar 2009 05:35:51 -0700 (PDT)
Received-SPF: neutral ( is neither permitted nor denied by domain of client-ip=;
Authentication-Results:; spf=neutral ( is neither permitted nor denied by domain of
Received: from ([])
by with ESMTP
id ;
Mon, 9 Mar 2009 12:35:46 +0000
Received: from unknown (HELO ([])
by with SMTP; 09 Mar 2009 08:35:35 -0400
X-Mailer: Openwave WebEngine, version 2.8.17 (webedge20-101-1107-20041027)
From: Compaq Electronics Promo
Subject: Claims Of =?iso-8859-1?B?ozk1MCwwMDAsMDA=?= Pounds
Date: Mon, 9 Mar 2009 7:35:38 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Find the info
To find the computer it is originally send from find the Received from the farest down.
Received: from unknown (HELO ([])
The first one is from a computer called unknown with the IP address
Then it was routed to my ISP’s server and so on and so forth till it got to my email server.
The fact that is states unknown already indicates that this could be a virus-generated e-mail.

The next step is to find out what is the actual I.P. Address. Go to Who is site. Typed in and hit the Search button.

Read the results carefully. If the IP is not in the database, it should send you a link to another database that does contain that IP.

The result:

Remember email headers cannot be trusted, and not all email can be traced or authenticated. Legitimate mail can be traced, but for SPAM, and virus-generated emails it is difficult to say that the headers are absolutely trustworthy.


11 March 2009 - Posted by | E-Mails | , ,


  1. But it doesnt wana work on gmail????

    Comment by Joe | 21 January 2010 | Reply

    • Log in to gmail.
      Open the message you want to check
      Next to the reply button (top-right of msg) there is a drop-down box, select it, select show original

      Comment by zellis | 21 January 2010 | Reply

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: