FAQ #1366

How do I find out the actual sender of an email?

The actual sender of an email can be found out through what we call the header information.

The email header must be analyzed for this. Most standard email programs can display the email header. Look at the lowest "Received" block that does not contain "localhost". The sending server (from) is normally the originator of the spam; the receiving server (by) is the abused email server of a provider.

Please also note that crafty spammers intentionally insert their own "Received:" lines and spoof sender addresses.

Please remember that if forwarding is activated for your email account, this may lead to several "Received:" lines. These do not always show who the sender is, but rather through which email servers the email was delivered.

Your email address is: "yourname@desiredname.de". However, this email can still be forwarded to a different email account (for example name@freenet.de). The complete header of this email is, for example:

X-Envelope-To: name@freenet.de
X-Delivery-Time: 1064940906

(1) Received: from mail.sul.freenet.de ([123.456.78.9]) by smtp.strato.de ..... ; Wed, 3 Sep 2003 12:22:50 +0200 (MEST)
(2) Received: from pop3.strato.de ([987.65.4.32]) by fwd10.egal.spam.abc with Microsoft SMTPSVC(5.0.2258.6454); Wed, 3 Sep 2003 12:12:22 +0200
(3) Received: from mailout.de.bone.net (mailout.de.bone.net [111.222.333.4]) by fwd10.egal.spam.abc with smtp id 1A4-0p80; Tue, 2 Sep 2003 18:58:36 +0200
Message-ID:
From: spammer@blablabla.de

This is what the "received" lines mean:

(1) Received: specifies that the email was from "smtp.strato.de" and was delivered to "mail.sul.freenet.de".
(2) Received: means that the email was delivered from "fwd10.egal.spam.abc" to "pop3.strato.de".
(3) Received: means that the email was sent from a computer with the name "mailout.de.bone.net" via "fwd10.egal.spam.abc".
Note: Please remember that the names do not identify the original "spam sender", because they may also be spoofed. Instead, it is the IP address in square brackets that provides the identity (mailout.de.bone.net [111.222.333.4]). Based on this number, you can find out the actual server from which the email was sent via the RIPE database.

The remaining header fields provide information about the time, the IP addresses and various other details.

Based on this header, you can also recognize that somebody with the sender address "spammer@blablabla.de" sent an email through "fwd10.egal.spam.abc" to your email address "yourname@desiredname.de". This was also correctly delivered to the STRATO mail server (pop3.strato.de).

However, since a forwarder was configured, our email server (pop3.strato.de) forwarded this email correctly to the Freenet server (mail.sul.freenet.de) and subsequently to your forwarding address (name@freenet.de).
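The header walk described above can be automated. The following Python code is an added example, not part of the original FAQ or any STRATO tooling. It applies the "lowest Received block without localhost" rule and, going beyond the text, also walks down from the top and stops at the last block written by a server you trust, which is how an inserted "Received:" line is kept from misleading the analysis. The sample message, all hostnames and IP addresses, and the TRUSTED set are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample message (documentation hostnames and IP ranges, not real servers).
# The bottom Received line stands for one inserted by the sender before delivery.
SAMPLE = """\
Received: from mx.forwarder.example (mx.forwarder.example [198.51.100.7])
\tby mail.mailbox.example with ESMTP id A1; Wed, 3 Sep 2003 12:22:50 +0200
Received: from localhost (localhost [127.0.0.1])
\tby mx.forwarder.example with ESMTP id B2; Wed, 3 Sep 2003 12:12:30 +0200
Received: from mailout.sender.example (mailout.sender.example [203.0.113.4])
\tby mx.forwarder.example with SMTP id C3; Wed, 3 Sep 2003 12:12:22 +0200
Received: from bank.example ([192.0.2.99]) by relay.fake.example; Tue, 2 Sep 2003 18:58:36 +0200
From: spammer@sender.example

body
"""

# Assumption: the servers of your own mailbox and forwarding providers.
TRUSTED = {"mail.mailbox.example", "mx.forwarder.example"}

# "from <name> ... [<ip>] ... by <server>"; the name is sender-supplied, the IP is not.
HOP = re.compile(r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>[^\s;]+)", re.S)

def parse_hops(raw):
    """Return the Received hops, newest first, as dicts with helo, ip and by."""
    values = message_from_string(raw).get_all("Received", [])
    return [m.groupdict() for m in map(HOP.search, values) if m]

def lowest_non_localhost(hops):
    """The FAQ's rule: bottom-most Received block that does not mention localhost."""
    for hop in reversed(hops):
        if "localhost" not in (hop["helo"], hop["by"]) and not hop["ip"].startswith("127."):
            return hop
    return None

def handover_hop(hops, trusted):
    """Walk down from the top and return the last block written by a trusted server.
    Every block below it was supplied by the sending side and may be forged."""
    last = None
    for hop in hops:
        if hop["by"] not in trusted:
            break
        last = hop
    return last

if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    print("lowest non-localhost block:", lowest_non_localhost(hops))
    print("handover to trusted server:", handover_hop(hops, TRUSTED))
```

On the constructed sample the first rule lands on the inserted line (192.0.2.99), while the trusted-server walk returns 203.0.113.4, the address that actually connected to the forwarding server.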

More information about this can be found, for example, at http://abuse.net/ or http://de.wikipedia.org/wiki/Header_(E-Mail). This provides information about the true origin.

Once you have found out through which server the email was sent, you can send an email to "postmaster@" and "abuse@". Write this email in English and attach the spam email with all headers.