Blog | G5 Cyber Security

Email Virus Source: Header Analysis

TL;DR

This guide shows you how to find where a virus is coming from by looking at the email headers. We’ll focus on key fields like ‘Received’, ‘Return-Path’, and ‘Message-ID’ to trace the origin.

How to Find an Email Virus Source

  1. Open the Email Headers: The first step is getting access to the full email headers. How you do this depends on your email provider (Gmail, Outlook, etc.).
    • Gmail: Open the email, click the three vertical dots next to ‘Reply’, and select ‘Show original’.
    • Outlook: Double-click the email to open it in a new window. Go to ‘File’ > ‘Info’ > ‘Properties’. The headers will be at the bottom of the Properties window.
  2. Understand the ‘Received’ Headers: These are the most important part. Each server that handled the email adds a ‘Received’ header.
    • Read them from bottom to top – each server prepends its own line, so the original sender’s server is at the bottom and the last server (the one that delivered the message to you) is at the top.
    • Look for IP addresses in these headers (e.g., 192.168.1.1). These are clues to the email’s journey.
  3. Examine the ‘Return-Path’: This shows where bounce messages would be sent.
    Return-Path: 
    • It’s often (but not always) the sender’s actual email address, even if the ‘From:’ address is fake.
  4. Check the ‘Message-ID’: This is a unique identifier for the email.
    Message-ID: 
    • The domain part of this ID (e.g., example.com) can indicate the sending server or service.
  5. Identify Suspicious Servers: Look for servers that don’t match the sender’s known email provider.
    • If someone claims to be from ‘bankofamerica.com’, but a ‘Received’ header shows an IP address belonging to a different company, it’s a red flag.
  6. Use Online Tools: Several websites can help you trace IP addresses and domains.
    • IP Lookup: Websites like iplocation.net will tell you the location and owner of an IP address.
    • Domain WHOIS: Websites like whois.domaintools.com show registration information for a domain name.
  7. Look for Forged Headers: Sometimes, attackers will completely fake headers.
    • Inconsistencies in timestamps or server names are signs of forgery.
    • If the ‘Received’ headers seem very short or missing information, be suspicious.
  8. Report the Email: Once you’ve identified the source (or as much information as possible), report the email to your email provider and any relevant authorities.
    • Most providers have a ‘Report Phishing’ or ‘Report Spam’ button.

Example Scenario

Let’s say you receive an email claiming to be from PayPal, but the headers show this:

Received: from mailserver.attackerdomain.com (192.0.2.1) by yourmailprovider.com ...

The ‘Return-Path’ is a strange address on ‘attackerdomain.com’. This strongly suggests the email isn’t actually from PayPal and is likely malicious.
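Steps 2 to 5 and 7 above, carried out on the PayPal scenario, as an added example that is not part of the G5 post: a Python script that walks the ‘Received’ chain in delivery order, pulls the domains out of ‘From:’, ‘Return-Path’ and ‘Message-ID’, and lists the red flags. The message below is constructed for the example (the hostnames, addresses and 192.0.2.x / 198.51.100.x addresses are documentation values, not real infrastructure).

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message) mirroring the scenario above:
# forged From:, while Return-Path, Message-ID and the relay sit on attackerdomain.com.
RAW_EMAIL = """\
Return-Path: <bounce@attackerdomain.com>
Received: from mailserver.attackerdomain.com (192.0.2.1) by yourmailprovider.com; Mon, 1 Jan 2024 10:00:05 +0000
Received: from [198.51.100.7] by mailserver.attackerdomain.com; Mon, 1 Jan 2024 10:00:01 +0000
From: "PayPal" <service@paypal.com>
Message-ID: <abc123@mailserver.attackerdomain.com>
Subject: Verify your account

Click the link.
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def hops(raw):
    """Received hops in delivery order (originating relay first).
    Each relay prepends its own Received line, so the raw list is read bottom-up."""
    out = []
    for h in reversed(message_from_string(raw).get_all("Received") or []):
        frm = re.search(r"from\s+([^\s;]+)", h)
        by = re.search(r"\bby\s+([^\s;]+)", h)
        when = parsedate_to_datetime(h.rsplit(";", 1)[1].strip()) if ";" in h else None
        out.append({"from": frm.group(1) if frm else "", "by": by.group(1) if by else "",
                    "ips": IP_RE.findall(h), "time": when})
    return out

def domain_of(value):
    """Domain part of an address or Message-ID, lower-cased, angle brackets removed."""
    return value.strip("<> ").rsplit("@", 1)[-1].lower() if "@" in value else ""

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def findings(raw):
    """Red flags: domains that disagree with From:, and timestamps that run backwards."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    flags = []
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and not under(rp_dom, from_dom):
        flags.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    mid_dom = domain_of(msg.get("Message-ID", ""))
    if mid_dom and not under(mid_dom, from_dom):
        flags.append(f"Message-ID domain {mid_dom} does not match From domain {from_dom}")
    chain = hops(raw)
    # The hop written by your own provider (last in delivery order) is the one you can
    # trust; every line below it in the raw headers could have been forged by the sender.
    if chain and not under(chain[-1]["from"], from_dom):
        flags.append(f"Handed to your provider by {chain[-1]['from']} {chain[-1]['ips']}, not a {from_dom} server")
    times = [h["time"] for h in chain if h["time"]]
    if any(a > b for a, b in zip(times, times[1:])):
        flags.append("Received timestamps go backwards along the delivery path")
    return flags
```

Feed it the output of ‘Show original’ in place of RAW_EMAIL; the IP addresses in the last hop are the ones worth running through the lookup tools in step 6.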
