Don't get hacked ~ Tools - Read an email without opening it!



Email trick #2

View an email's source

Hard to believe, but we can actually examine an email's contents without risking a virus or worm infection by opening it. The best webmail services offer this as standard.

Some feature a dedicated option button (often shaped like a cog or gear) with a drop-down list of choices including 'show source' – like Very Good Email.



With others, we must right-click (ctrl and click using a Mac) the email entry to bring up the view source command in a drop-down list.

Other webmail services are a bit rubbish at allowing this safety feature so we will have to view the source via HTML by right-clicking (ctrl and click using a Mac) a suspect email message.


Checking an HTML source

This is a pain if we know nothing about coding. The HTML source is full of the stuff: how the page is constructed, what fonts are used, what the boxes in which these things are placed are called and... Sheesh this is boring! Still, we can look for key parts of the source relating to the actual email by using the find function (keyboard shortcut Ctrl+F).

Alternatively, we can view the source in email clients like Outlook and Thunderbird if we use them.

Outlook Express

Right-click (ctrl and click using a Mac) on the message and select "Properties". Select the "Details" tab and then click on "Message Source."

Mozilla Thunderbird

Select the message and press Ctrl+U. Don't use the Print Preview of Thunderbird to view a message as some malicious scripts can run in Print Preview.

What are we looking for?

Okay, so we can see the source by using one of the above methods. Now we need to search the stuff in the header, or the upper part of the email contents. By using the find function (keyboard shortcut Ctrl+F) look for the following:

1 - Find > Return-Path (the email address of the sender).

We need to check this against the name of the person or company who sent it. If it says it's from American Express and the return path is to john@gmail, or even Americanexpress@gmail, it's fake. If you don't know, large corporations don't use gmail. Don't bother trying to contact this email address. If we do, we're flagging up our own address for more spam and worse. Also we don't know if the person's email has been hacked and the scammer is using it to send out multiple spam emails. We can pass it on to one of the many online spam investigators.

LINK 1 Email spam investigators

2 - Next, we ignore 'Delivered-To' or 'Envelope-To' (that's our email address).

3 - The 'Received' entry comes up a few times and details the network(s) the email travelled across, whether it was sent from a company server or from an email client like Outlook or Thunderbird. That's useful if we're a cyber cop.

4 - We may notice lots of numbers inside brackets separated by dots like this: (54.164.216.196) – they are IP addresses. The first one is usually our webmail supplier's, or our website server if we have one. The other one is the sender's webmail supplier or a webmail server belonging to a person or corporation. BTW, if your email address bar at the top left of your screen says HTTP and not HTTPS, these IP addresses can be seen by others and recorded.

IP addresses may vary in position on the page, depending on our setup, so simply copy and paste the numbers into an online IP address specialist website like whatismyipaddress.com. If you try the IP address above after getting a weird email from WP, this may put your mind at rest. :)

We can usually track down the email provider company the scammer was using this way. We can then report the spam to them, through their abuse section. Hopefully they'll remove the account and the other 500 the scammer has. :)
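The header checks in steps 1 to 4 can also be run over a saved copy of the source instead of searching by eye. This is an added example, not part of the original article; the sample message, the addresses, the documentation-range IPs and the short free-webmail list are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample source (not a real message); addresses and
# IPs are documentation-range placeholders.
SAMPLE = """\
Return-Path: <americanexpress@gmail.com>
Delivered-To: me@example.org
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.org with ESMTP; Tue, 3 Mar 2015 10:00:02 +0000
Received: from mail-out.example.net (unknown [203.0.113.45])
\tby mx.example.org with ESMTP; Tue, 3 Mar 2015 10:00:01 +0000
From: "American Express" <service@americanexpress.com>
Subject: Your account

Please log in.
"""

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # illustrative, not complete
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    shown_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []
    # Bulk-mail services legitimately use their own bounce domain, so a
    # mismatch alone is a reason to look closer, not proof of a fake.
    if domain(return_path) != domain(from_addr):
        findings.append("Return-Path domain differs from From domain")
    if shown_name and domain(return_path) in FREE_WEBMAIL:
        findings.append("named sender uses a free webmail Return-Path")
    # Each server prepends its own Received line, so the top one is ours.
    hops = [ip for r in msg.get_all("Received", []) for ip in IPV4.findall(r)]
    return {"from": from_addr, "return_path": return_path,
            "findings": findings, "hop_ips": hops}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "->", value)
```

The IPs come out in top-to-bottom order, so the last one listed is the hop furthest from our own mailbox and the one to look up.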

Eventually, if we scroll down to the bottom of the source we see the actual message inside the unopened email. Some companies like WP encrypt the message as a security measure so it looks like this:

DQpSZWFkIHRoZSBvbmxpbmUgdmVyc2lvbiA8aHR0cDovL3MyNDMxLnQuZW4yNS5jb20v ZS9lcy5hc3B4P3M9MjQzMSZlPTM2OTc3MjYmZWxxVHJhY2tJZD1kNTY4ZDU2NjMwZjI0 MjIwODZhYzAyYmEwZTQ0MWRhOCZlbHE9YjUxZWY5ZmE5N2IwNDM1M2JmY2FjMjQ5MTU1 NDVhYTQmZWxxYWlkPTU4NDQmZWxxYXQ9MT4NCg0KDQoNCg0KVGhlIFN1cHBvcnQgQ2Vu


This is usually a good sign because it means the company sending it realises that some email firms use an unsecured connection, or HTTP, easily intercepted by hackers because it's written in plain text. Encryption helps us, but it's also used by hackers and spook agencies (NSA, GCHQ) to hide viruses. We can't do much about that, but with all the evidence we've gleaned from the source we'll usually know if we should delete an email or open it.
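In a message source, a body that looks like the block above is normally announced by the header Content-Transfer-Encoding: base64, and Base64 reverses without any key, so the text and its link targets can be read as plain text while the email stays unopened. This is an added example, not part of the original article; the sample message and the link host are constructed.

```python
import base64
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample (not a real message): the body is the Base64 form
# of a short text containing a placeholder link.
BODY_TEXT = "Read the online version <http://tracking.example.net/e?id=123>\r\n"
SAMPLE = (
    "From: news@example.com\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(BODY_TEXT.encode()).decode()
)

URL = re.compile(r"https?://[^\s<>\"']+")

def read_parts(raw):
    """Return (content_type, transfer_encoding, decoded_text) per text part."""
    msg = message_from_string(raw)
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # attachments and multipart containers are left alone
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        charset = part.get_content_charset() or "utf-8"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # charset name Python does not know
            text = payload.decode("utf-8", errors="replace")
        cte = part.get("Content-Transfer-Encoding", "7bit").lower()
        out.append((part.get_content_type(), cte, text))
    return out

def link_hosts(text):
    """Hostnames of links in the decoded text, to compare with the sender."""
    return sorted({h for u in URL.findall(text) if (h := urlsplit(u).hostname)})

if __name__ == "__main__":
    for ctype, cte, text in read_parts(SAMPLE):
        print(ctype, cte, link_hosts(text))
        print(text)
```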


More tools next time








