Identify legit emails vs Spoofed emails in the Header


Hi everyone,

 

Is there any way to differentiate between legit and spoofed emails from looking into email header?

 

We saw a spoofed email saying via return--path in the To:... section. And it comes from return--path.com.

 

So what is the area of mismatch between legit and spoofed emails that makes Exchange or Outlook consider one an unverified email?

 

How does Outlook/Exchange process to choose and pick the legit emails?

 

Thanks

3 Replies

@Ali Fadavinia 

 

Hi,

 

I have witnessed this method when the spoofing is done INTERNALLY....

Copy the email header and paste it in the "Microsoft Message Header Analyzer" tool.

 

If it is a spoofed email you will find something like this:

> X-MS-Exchange-Organization-AuthAs: Anonymous

 

If it is a legitimate email you will find it this way:
> X-MS-Exchange-Organization-AuthAs: Internal

 

External spoofing: An SPF record plays a key role here in blocking spoofing emails
(SPF record: a list of IP addresses which are authorized to send emails from a domain.)

Most probably your mail gateway will block the spoofing emails based on defined RULES.

 

Thank you,

Regards,
MD
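Putting the header checks from the reply above into a script, as an added example that is not part of the original thread: it parses a constructed header block, reads X-MS-Exchange-Organization-AuthAs, the spf= result in Authentication-Results, and compares the From and Return-Path domains (the kind of mismatch the question describes). The sample headers, domains and IPs are constructed, and the way findings are rolled up into a "suspicious" flag is my own, not Exchange's logic.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not taken from the original post).
# Case 1: internal spoof as described in the reply: AuthAs is Anonymous
# and the envelope sender (Return-Path) does not match the From domain.
SPOOFED_HEADERS = """Return-Path: <bounce@relay.example>
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=relay.example; dmarc=fail header.from=contoso.example
X-MS-Exchange-Organization-AuthAs: Anonymous
From: CEO <ceo@contoso.example>
To: finance@contoso.example
Subject: Urgent wire transfer

Please pay the attached invoice today.
"""

# Case 2: a genuine internal message: AuthAs is Internal and the domains agree.
LEGIT_HEADERS = """Return-Path: <ceo@contoso.example>
Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=contoso.example; dmarc=pass header.from=contoso.example
X-MS-Exchange-Organization-AuthAs: Internal
From: CEO <ceo@contoso.example>
To: finance@contoso.example
Subject: Board meeting agenda

Agenda attached.
"""

def domain_of(addr_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def check_headers(raw):
    """Extract the signals the reply mentions from a raw header block."""
    msg = email.message_from_string(raw)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results") or "")
    spf_result = spf.group(1).lower() if spf else "none"
    from_domain, rp_domain = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    findings = []
    if auth_as == "anonymous":
        findings.append("AuthAs=Anonymous: sender was not authenticated to the organization")
    if spf_result != "pass":
        findings.append(f"SPF result is {spf_result}: sending IP not authorized for {rp_domain}")
    if from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    return {"auth_as": auth_as, "spf": spf_result, "findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_HEADERS), ("legit", LEGIT_HEADERS)):
        print(name, check_headers(raw))
```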

Thanks MD, I will give it a try

@Ali Fadavinia 

 

Most welcome buddy.

 

TC,

 

Regards,

MD