
Anonymous phishing email

Learn how to determine whether you're receiving a phishing email, and how such emails are created and sent anonymously.

You are reading tip #3 from "10 tips in 10 minutes: Phishing exposed," excerpted from Chapter 3 of the book Phishing Exposed, published by Syngress Publishing.

It is well known in the technology sector that SMTP was not designed with security in mind. Email is trivial to forge, and forged email can be handed to the mail transport agent (SMTP server) in more than one way. As we are already aware, spammers forge emails, and since phishers are a class of spammer, they adopt this practice as well. Most spammers forge emails for anonymity: they are sending annoying messages that will usually get a negative reaction, and if those messages were easily traceable, the senders would probably be caught. Phishers forge for a different reason: they are attempting to con you, and they use forgery to spoof a plausible bank email, such as Not all headers can be forged, so the good news is that you can still track down the originating IP address, but unfortunately the phishers are not emailing directly from their homes.

The headers that can be forged are:

  • Subject, Date, Message-ID
  • Recipients: From, To, CC
  • Content body
  • Any arbitrary headers such as the X-Mailer and X-Message-Info
  • The initial Received headers

The headers that cannot be forged are:

  • The final Received headers
  • The originating mail server, including:
      • IP address
      • Subsequent timestamps

A header view of a phishing email that was sent targeting Citibank customers might look something like this:

Received: from
( [])
        by (8.13.0/8.13.0) with SMTP id i6KCInwW020143;
        Tue, 20 Jul 2004 08:18:51 -0400
Received: from ([])
        by with Microsoft SMTPSVC(5.0.2195.6824);
        Tue, 20 Jul 2004 11:01:16 -0200
Received: from aeronauticsaranf21 (bub[])
        by (mcak97) with SMTP
        id <40364465887f8mut>
        Tue, 20 Jul 2004 11:01:16 -0200
From: "Citibank" <>
To: "'Novell2'" <>
Subject: Attn: Citibank Update!
Date: Tue, 20 Jul 2004 14:03:16 +0100
Message-ID: <1575948b156d80$0sv4mtq8$296tas263sil@edmondsonvl9695>

In this case we want to read the Received headers from top to bottom. As we learned earlier, the very top line is the final Received header, which cannot be forged. Here, the previous hop before the message landed at its final destination was through This address can be verified by a forward lookup of the IP, which resolves to this. The next Received line says it is from, which we should doubt: first, because it is hard to forge email from a web email service in general, and second, because the IP address and hostnames shown for the Hotmail domains do not exist on the Internet.

The bottom Received header is clearly fake, since no real domain is associated with it and the IP address is untraceable. So, relying on what we know, the only known accurate header is oh, what a surprise, a whois ( lookup on the IP shows the location to be in Estonia, which happens to be a popular country for phishing and other electronic fraud. This IP address has also been on record at the SPAMHAUS ( Real Time Block List, meaning that it was probably an open relay at some point and was used to send abusive email.

Looking at context clues, we note the timestamps on the two forged Received headers. It is extremely unlikely that two separate hops would record exactly the same time, as they do here.

The Message-ID is definitely not a Hotmail one, since Hotmail message IDs take a form similar to BAY19-F30997BCBE3A45FF3DB16698E3D0@phx.gbl. Hotmail also sends an X-Originating-IP as well as a few other abuse-tracking headers, which are definitely not included in the phishing email.

General clues within the header usually reveal whether it is forged. The obvious one is Received headers that are inconsistent, with mismatched from and by fields. Other signs are a HELO name that does not match the IP address, nonstandard headers placed within the email, and wrong or "different" formats of the Date, Received, Message-ID, and other header labels.

Here are some more specific clues regarding this email header:

  • The time zone on the Hotmail header doesn't match the geographical location, and neither does the Date header.
  • The asterisk in the From domain cannot originate from Hotmail and is generally not legitimate.
  • SMTPSVC is Exchange's SMTP connector, which is used consistently throughout Hotmail.
  • Hotmail records a Received header of the form Received: from [browser/proxy IP] with HTTP; [date].
  • Hotmail systems are usually set to GMT.

Let's compare the suspicious mail to a legitimate Hotmail message:

Received: from ( [])
 by (Postfix) with ESMTP id 4F6A7AAA8E
 for <>; Tue,  5 Apr 2005 21:46:27 -0700 (PDT)
Received: from mail pickup service by with Microsoft SMTPSVC;
  Tue, 5 Apr 2005 21:45:50 -0700
Message-ID: <BAY19-F30997BCBE3A45FF3DB16698E3D0@phx.gbl>
Received: from xx.7.239.24 by with HTTP;
 Wed, 06 Apr 2005 02:45:50 GMT
X-Originating-IP: [xx.7.239.24]
X-Originating-Email: []
From: "Hotmail Account" <>
Date: Wed, 06 Apr 2005 02:45:50 +0000

A quick comparison with the phishing email makes it obvious that the earlier headers were not authentic and definitely not from Hotmail. The final Received header accurately shows that the message was received from Hotmail, and a forward DNS lookup on the IP would match Hotmail. The second Received header is the internal mail pickup service and shows the extra hop between the user sending from the web interface and the message going out to the Internet. The initial Received header is authentic, displaying our IP address and the mail relay that picked the message up. It also states that we performed this action via HTTP on a certain date and time in the GMT time zone.

We also note the X-headers; here they are used for abuse tracking, so that the originator's IP address can be identified quickly. X-headers are user-defined fields, usually added by vendors outside the MTA; they are nonstandard and vendor-specific. The X-Originating-Email matches the From: field, and the dates are consistent and do not look suspicious. All in all, you can see a vast difference between a suspicious set of headers and a properly formed email. This does not mean that forged headers are always this obvious, but there are clues that may give them away if you know how to read them.
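The header reading walked through above, for both the suspicious Citibank message and the legitimate Hotmail message, can be automated. The following Python script is an added example, not code from the book or from any mail vendor. It runs over two constructed header blocks shaped like the two samples (hostnames are reserved example names and the addresses are RFC 5737 documentation ranges) and reports the clues discussed: a Received chain whose from and by fields do not link up, identical or backwards timestamps between hops, a bare HELO name, an invalid From domain, a Message-ID without a real domain, a Date later than final delivery, and a claimed Hotmail hop without the X-Originating-IP header. The finding codes, the five-minute tolerance on the Date check, and the rule that a Hotmail hop should carry X-Originating-IP are assumptions of this example.

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample (not the book's): shaped like the phishing message above.
# Only the top Received line belongs to the recipient's own server.
FORGED = """\
Received: from mail.hotmail-fake.example ([203.0.113.45])
        by mx.victim.example (8.13.0/8.13.0) with SMTP id i6KCInwW020143;
        Tue, 20 Jul 2004 08:18:51 -0400
Received: from hotmail.com ([198.51.100.7])
        by bay.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
        Tue, 20 Jul 2004 11:01:16 -0200
Received: from aeronauticsaranf21 (bub[192.0.2.200])
        by hotmail.com (mcak97) with SMTP
        id <40364465887f8mut>
        Tue, 20 Jul 2004 11:01:16 -0200
From: "Citibank" <update@citi*bank.example>
To: "'Novell2'" <user@victim.example>
Subject: Attn: Citibank Update!
Date: Tue, 20 Jul 2004 14:03:16 +0100
Message-ID: <1575948b156d80$0sv4mtq8$296tas263sil@edmondsonvl9695>
"""

# Constructed sample shaped like the legitimate Hotmail message above.
LEGIT = """\
Received: from hotmail.com (bay19-f30.bay19.hotmail.com [198.51.100.30])
 by mx.recipient.example (Postfix) with ESMTP id 4F6A7AAA8E
 for <user@recipient.example>; Tue,  5 Apr 2005 21:46:27 -0700 (PDT)
Received: from mail pickup service by bay19-f30.bay19.hotmail.com with Microsoft SMTPSVC;
  Tue, 5 Apr 2005 21:45:50 -0700
Message-ID: <BAY19-F30997BCBE3A45FF3DB16698E3D0@phx.gbl>
Received: from 192.0.2.24 by by19fd.bay19.hotmail.com with HTTP;
 Wed, 06 Apr 2005 02:45:50 GMT
X-Originating-IP: [192.0.2.24]
X-Originating-Email: [sender@hotmail.com]
From: "Hotmail Account" <sender@hotmail.com>
Date: Wed, 06 Apr 2005 02:45:50 +0000
"""

DATE_RE = re.compile(r"[A-Za-z]{3},\s+\d{1,2}\s+[A-Za-z]{3}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+(?:[+-]\d{4}|[A-Z]{2,4})")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(raw):
    """Join folded header lines; return (lower-cased name, value) pairs in file order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()     # continuation of the previous field
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return fields

def to_utc(text):
    """Parse an RFC 2822 date into an aware UTC datetime (naive values are assumed UTC)."""
    ts = parsedate_to_datetime(text)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)

def parse_received(value):
    """Extract HELO name, from-clause hostnames, bracketed IP, by-host and timestamp of one hop."""
    m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", value, re.I)
    from_clause, by_host = (m.group(1), m.group(2)) if m else ("", "")
    ip = IP_RE.search(from_clause)
    names = [t for t in re.findall(r"[A-Za-z0-9.-]+", from_clause) if "." in t and not IP_RE.fullmatch(t)]
    date = DATE_RE.search(value)
    return {"helo": from_clause.split()[0] if from_clause else "", "from_names": names,
            "ip": ip.group(1) if ip else None, "by": by_host.rstrip(";,"),
            "ts": to_utc(date.group(0)) if date else None}

def analyze(raw):
    """Return (code, detail) findings for a header block, reading Received lines top to bottom."""
    headers = {}
    for name, value in unfold(raw):
        headers.setdefault(name, []).append(value)
    hops = [parse_received(v) for v in headers.get("received", [])]
    findings = []
    for i in range(len(hops) - 1):          # each hop's "from" should be the next hop's "by"
        upper, lower = hops[i], hops[i + 1]
        if not upper["ip"] and not upper["from_names"]:
            continue                        # internal pickup hop names no host, nothing to match
        if lower["by"] not in upper["from_names"]:
            findings.append(("CHAIN_MISMATCH", f"hop {i} from {upper['from_names']} vs hop {i+1} by {lower['by']}"))
    stamps = [(i, h["ts"]) for i, h in enumerate(hops) if h["ts"]]
    for (i, a), (j, b) in zip(stamps, stamps[1:]):   # time must not run backwards going down the chain
        if a == b:
            findings.append(("DUPLICATE_TIMESTAMP", f"hops {i} and {j} both stamped {a.isoformat()}"))
        elif a < b:
            findings.append(("TIME_REVERSED", f"hop {i} received the mail before hop {j} claims to have sent it"))
    for i, h in enumerate(hops):
        if h["ip"] and h["helo"] and "." not in h["helo"]:
            findings.append(("BARE_HELO", f"hop {i} HELO '{h['helo']}' is not a fully qualified name"))
    from_domain = parseaddr(headers.get("from", [""])[0])[1].rpartition("@")[2]
    if not re.fullmatch(r"[A-Za-z0-9.-]+", from_domain):
        findings.append(("BAD_FROM_DOMAIN", f"From domain '{from_domain}' contains invalid characters"))
    msgid_domain = headers.get("message-id", [""])[0].strip("<> ").rpartition("@")[2]
    if "." not in msgid_domain:
        findings.append(("MESSAGE_ID_DOMAIN", f"Message-ID right-hand side '{msgid_domain}' is not a domain"))
    if headers.get("date") and hops and hops[0]["ts"]:
        if to_utc(headers["date"][0]) > hops[0]["ts"] + timedelta(minutes=5):   # assumed tolerance
            findings.append(("DATE_AFTER_DELIVERY", "Date header is later than the final Received timestamp"))
    # Assumption from the text: a genuine Hotmail hop is accompanied by X-Originating-IP.
    claims_hotmail = any(h["by"].endswith("hotmail.com") or any(n.endswith("hotmail.com") for n in h["from_names"]) for h in hops)
    if claims_hotmail and "x-originating-ip" not in headers:
        findings.append(("MISSING_ORIGINATING_IP", "a hop claims hotmail.com but X-Originating-IP is absent"))
    return findings

if __name__ == "__main__":
    for label, sample in (("forged", FORGED), ("legitimate", LEGIT)):
        print(label, analyze(sample) or "no findings")
```

The chain check deliberately skips hops that name neither a host nor an IP, because Hotmail's internal "mail pickup service" line is exactly such a hop and would otherwise be a false positive; the timestamp check converts every stamp to UTC first, which is what exposes the forged sample's final hop as having received the message before the lower hop claims to have handled it.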


This chapter excerpt from Phishing Exposed, by Lance James, is printed with permission from Syngress Publishing, Copyright 2005.
