It’s an unfortunate fact that when using email you will sooner or later receive an email pretending to be legitimate, trying to make you reveal information or click a malicious link. This is commonly called “phishing” and may attempt to lead you to a website that looks like for instance your bank, and then convince you to provide your login details.

Since it’s as easy to falsify the From (sender) information in an email as it is to write a random return address on an envelope, you can’t trust the From address when determining whether an email is legitimate.

However, by reviewing the headers of an email you will most likely be able to tell whether you can trust the contents. You can view the headers of an email in Runbox Webmail by first opening the message and then clicking the “View full headers” icon in the top right area of the message.

The best way to tell where a message was in fact sent from is to look at the first (lowermost) Received entries. A Received header is added to a message every time a server processes it, with the most recent header always placed above the previous one.

When reviewing the headers of a message the Received headers will therefore indicate a series of handoffs where each server on the way from sender to recipient accepts the message and passes it on to the next server.

Someone trying to trick you into believing a message is legitimate would be able to falsify the From entry (sender name and email address), but the Received headers added by the servers along the way cannot be altered by the sender. It is, however, possible for the sender to insert fake Received headers of their own, so if there is a mismatch either in the timestamps or in the server/domain names there might be something “phishy” about the message.

Here is an example of a legitimate Runbox message with valid email headers:

From demo@runbox.com Tue Jul 30 11:51:56 2013
Return-path: <demo@runbox.com>
Received: from [10.9.9.209] (helo=mailfront04.runbox.com)
	by taishi.runbox.com with esmtp (Exim 4.69)
	id 1V46ay-0007uz-NW
	for demo@runbox.com; Tue, 30 Jul 2013 11:51:56 +0200
Received: from exim by mailfront04.runbox.com with sa-scanned (Exim 4.76)
	id 1V46ay-0001Ib-Hn
	for demo@runbox.com; Tue, 30 Jul 2013 11:51:56 +0200
Received: from ti0012a380-dhcp1392.bb.online.no ([88.89.108.117] helo=runbox.com)
	by mailfront04.runbox.com with esmtp (Exim 4.76)
	id 1V46aY-0000kp-8B
	for demo@runbox.com; Tue, 30 Jul 2013 11:51:38 +0200
Subject: Test mail
Message-Id: <E1V46ay-0001Ib-Hn@mailfront04.runbox.com>
From: demo@runbox.com
Date: Tue, 30 Jul 2013 11:51:56 +0200

Reading the Received headers from bottom to top, we can see that each timestamp and server name matches the previous one. And because it starts at the bottom with “Received: … by mailfront04.runbox.com”, we can tell that the message was initially handled by a server on the runbox.com domain.
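The bottom-to-top check described above can be automated. The following Python script is an added example, not code from Runbox or from the original article: it parses the Received headers of a raw message with the standard library, walks the hops from oldest to newest, reports which server first accepted the message, and flags a timestamp that runs backwards or a hop whose accepting server does not reappear in the next hop. The genuine sample is the article's own header listing; the forged variant, with the reserved placeholder domains mail.example.com and mx.example.net, is constructed for illustration. The regex for the Exim-style "from X (comment) by Y ...; date" layout and the names Hop, parse_received, hops_oldest_first, originating_server and check_chain are assumptions of this example, not a standard API.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample: the legitimate Runbox message from the article, with the
# Received continuation lines folded with leading whitespace as in a real message.
SAMPLE = """\
Received: from [10.9.9.209] (helo=mailfront04.runbox.com)
\tby taishi.runbox.com with esmtp (Exim 4.69)
\tid 1V46ay-0007uz-NW
\tfor demo@runbox.com; Tue, 30 Jul 2013 11:51:56 +0200
Received: from exim by mailfront04.runbox.com with sa-scanned (Exim 4.76)
\tid 1V46ay-0001Ib-Hn
\tfor demo@runbox.com; Tue, 30 Jul 2013 11:51:56 +0200
Received: from ti0012a380-dhcp1392.bb.online.no ([88.89.108.117] helo=runbox.com)
\tby mailfront04.runbox.com with esmtp (Exim 4.76)
\tid 1V46aY-0000kp-8B
\tfor demo@runbox.com; Tue, 30 Jul 2013 11:51:38 +0200
Subject: Test mail
From: demo@runbox.com
"""

# Constructed forgery: a sender-written Received line sitting below the genuine
# ones (so it reads as the oldest hop), using reserved example domains.
FAKE_HOP = (
    "Received: from mail.example.com (helo=mail.example.com)\n"
    "\tby mx.example.net with esmtp id FAKE0001\n"
    "\tfor demo@runbox.com; Tue, 30 Jul 2013 12:30:00 +0200\n"
)
FORGED = SAMPLE.replace("Subject: Test mail", FAKE_HOP + "Subject: Test mail")

# Assumed layout of an Exim-style Received header: "from X (comment) by Y ...; date".
RECEIVED_RE = re.compile(
    r"^from\s+(?P<frm>\S+)"            # host that handed the message over
    r"(?:\s*\((?P<comment>[^)]*)\))?"  # optional "([ip] helo=name)" comment
    r"(?:.*?\bby\s+(?P<by>\S+))?"      # server that accepted it
    r".*;\s*(?P<date>.+)$"             # text after the last ';' is the timestamp
)

@dataclass
class Hop:
    frm: str             # name the handing-over host presented
    helo: Optional[str]  # name it gave in HELO/EHLO, if recorded
    ip: Optional[str]    # its IP address, if recorded
    by: Optional[str]    # server that accepted the message at this hop
    when: datetime       # timestamp written by that server

def parse_received(value: str) -> Hop:
    """Parse one Received header value (folded or not) into a Hop."""
    text = " ".join(value.split())  # unfold and squeeze whitespace
    m = RECEIVED_RE.match(text)
    if not m:
        raise ValueError(f"unparseable Received header: {text!r}")
    comment = m.group("comment") or ""
    helo = re.search(r"helo=(\S+)", comment)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", comment + " " + m.group("frm"))
    return Hop(
        frm=m.group("frm"),
        helo=helo.group(1) if helo else None,
        ip=ip.group(1) if ip else None,
        by=m.group("by"),
        when=parsedate_to_datetime(m.group("date").strip()),
    )

def hops_oldest_first(raw_message: str) -> List[Hop]:
    """Servers prepend Received headers, so the last one in the message is the first hop."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]

def originating_server(hops: List[Hop]) -> Optional[str]:
    """The first server that accepted the message: the domain you should recognise."""
    return hops[0].by if hops else None

def check_chain(hops: List[Hop]) -> List[str]:
    """Walk the hops bottom to top; an empty result means the chain is consistent."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur.when < prev.when:
            findings.append(f"hop {i}: timestamp {cur.when} is earlier than {prev.when}")
        # The server that accepted the previous hop should be the one handing the
        # message over now: by its name, its HELO, or itself on a local re-injection.
        if prev.by not in {cur.frm, cur.helo, cur.by}:
            findings.append(f"hop {i}: previous server {prev.by!r} not seen in "
                            f"from={cur.frm!r} helo={cur.helo!r} by={cur.by!r}")
    return findings

if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE), ("forged", FORGED)):
        hops = hops_oldest_first(raw)
        print(label, "first handled by", originating_server(hops),
              "findings:", check_chain(hops) or "none")
```

On the genuine sample the chain is clean and the first accepting server is mailfront04.runbox.com; on the forged variant the script reports that the second hop's timestamp is earlier than the one below it and that mx.example.net never reappears in the next hop, which is exactly the kind of mismatch the article tells you to treat with caution. The match on the "by" name is deliberately loose (name, HELO, or the same server re-injecting locally, as the sa-scanned hop in the sample does) so that legitimate internal handoffs do not trigger findings.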

If there are any server or domain names in the Received headers that you don’t recognize or that don’t make sense, it’s reason to be cautious.

Usually you can also tell whether a message is legitimate by applying some common sense, especially regarding any links included in the message.

Read more about phishing and how to spot it.