How do I view full headers in my email to determine if an email is a scam or virus?
Answer
If you are trying to find out whether an e-mail you received is a scam or carries a virus, you can look at the full headers of the e-mail as explained below:
- Log into Gmail.
- Open the message (don't open any attachments).
- Click the down arrow in the upper right corner of the message where you would normally select “Reply to All,” etc.
- Click “Show Original.” This will show you the full header of the actual message, including extensive info about where the e-mail is really from.
See the example shown below:
Delivered-To: user@carthage.edu
Received: by 10.151.26.16 with SMTP id d16cs664780ybj
        Tue, 6 Oct 2009 04:01:50 -0700 (PDT)
Received: by 10.224.63.218 with SMTP id c26mr1098124qai.92.1254826909643;
        Tue, 06 Oct 2009 04:01:49 -0700 (PDT)
Return-Path: <kodak0555@se.onet.pl>
Received: from psmtp.com (na3sys009amx260.postini.com [74.125.149.144])
        by mx.google.com with SMTP id 34si6822493yxe.83.2009.10.06.04.01.47;
        Tue, 06 Oct 2009 04:01:48 -0700 (PDT)
Received-SPF: error (google.com: error in processing during lookup of kodak0555@se.onet.pl: DNS timeout) client-ip=195.57.2.125;
Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of
        kodak0555@se.onet.pl: DNS timeout) smtp.mail=kodak0555@se.onet.pl
Received: from source ([195.57.2.125]) by na3sys009amx260.postini.com ([74.125.148.11]) with SMTP;
        Tue, 06 Oct 2009 11:01:46 GMT
Received: from 195.57.2.125 by poczta.onet.pl; Tue, 6 Oct 2009 12:59:54 +0100
From: "DHL Delivery Services" <delivery@dhl-usa.com>
To:
Subject: DHL Delivery Problem Number 16585
Date: Tue, 6 Oct 2009 12:59:54 +0100
Message-ID: <000d01ca4674$22a48b40$6400a8c0@kodak0555>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_000E_01CA4674.22A48B40"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2244.8
Importance: Normal
X-pstn-neptune: 85/78/0.92/77
X-pstn-levels:(S: 0.81915/99.86600 CV:99.9000 FC:95.5390
        LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )

This is a multi-part message in MIME format.
Sometimes the info is pretty cryptic and requires a system administrator to make sense of it, but often any user can see that the message is not from who it says it is. Note that the "From:" line in the middle of the header shows that the sender was ostensibly delivery@dhl-usa.com, but the "Return-Path:" shows the address as kodak0555@se.onet.pl, which is from Poland. That address is also stated elsewhere in the header.
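The same comparison can be scripted. The following is an added example, not part of the original answer: it uses Python's standard email module on a trimmed copy of the headers shown above, with the From and Return-Path addresses taken from the explanation. The function names domain and review_headers are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Trimmed copy of the headers shown above; the From and Return-Path
# addresses are the ones given in the page's explanation.
SAMPLE = """\
Delivered-To: user@carthage.edu
Return-Path: <kodak0555@se.onet.pl>
Received: from psmtp.com (na3sys009amx260.postini.com [74.125.149.144])
        by mx.google.com with SMTP id 34si6822493yxe.83.2009.10.06.04.01.47;
        Tue, 06 Oct 2009 04:01:48 -0700 (PDT)
Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of
        kodak0555@se.onet.pl: DNS timeout) smtp.mail=kodak0555@se.onet.pl
Received: from source ([195.57.2.125]) by na3sys009amx260.postini.com ([74.125.148.11]) with SMTP;
        Tue, 06 Oct 2009 11:01:46 GMT
Received: from 195.57.2.125 by poczta.onet.pl; Tue, 6 Oct 2009 12:59:54 +0100
From: "DHL Delivery Services" <delivery@dhl-usa.com>
Subject: DHL Delivery Problem Number 16585
"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def review_headers(raw):
    """Collect the fields the page compares and list what looks wrong."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    rp_dom = domain(msg["Return-Path"])
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", auth)
    spf = spf.group(1).lower() if spf else "none"
    # Each server prepends its Received line, so the last one is the oldest hop.
    hops = msg.get_all("Received", [])
    origin = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", hops[-1]) if hops else []
    findings = []
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if spf != "pass":
        findings.append(f"SPF result is {spf}, not pass")
    return {"from": from_dom, "return_path": rp_dom, "spf": spf,
            "first_hop_ips": origin, "findings": findings}

if __name__ == "__main__":
    for key, value in review_headers(SAMPLE).items():
        print(f"{key}: {value}")
```

A From/Return-Path mismatch also occurs in legitimate mailing-list and bulk mail, so treat the findings as reasons to look closer rather than as a verdict.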