Earlier during the day, I noticed a funny email in my spambox. The message pretended to be from SkyDrive (which is now OneDrive, by Microsoft). The content in a poor English says my files (which I never uploaded) are corrupt. Ironically, the person working at SkyDrive needed an email account from eurobuy.it (^^,) …

skydrive-spam

Screenshot from Spam mail

I shared the screenshot on facebook & it triggered interesting discussions. Alex pointed out how Gmail assigns “importance” to emails based of domain names at times. We also discussed how certain websites are compromised & exploited to send out spam emails. To further analyze fake/spam emails, I told Alex about analyzing email headers.

For example, this “SkyDrive” spam displayed the following details in the mail header:

Return-Path: <irene@euroboy.it>
Received: from cha.chandigarhoutsourcing.com (cha.chandigarhoutsourcing.com. [192.254.222.147])

So, the email was in fact sent from cha.chandigarhoutsourcing.com, which could have been compromised.

Our discussions then took another turn & we thought what if someone pretends to be sending from gov.mu? Will Gmail differentiate?

Let’s do a test. A mini-lab would suffice to do that. I fired-up VirtualBox & booted an Ubuntu VM. I installed sendmail and configured a mail client with details as showing like the Government of Mauritius.

sendmail

Sendmail installed

At the same time I requested for a “password reset” on the Government of Mauritius web portal, so as to receive an email. Indeed, the email that I received was tagged as “important” by Gmail.

gov-mu-password-reset

However, the fake email that I sent myself, landed in the spam folder, although the domain ended with mail.gov.mu.

gov-mu-spam-mail-test

Return-Path: <ict@mail.gov.mu>
Received: from vbox ([197.225.252.138])

Ahaaa! That IP address comes from my Virtual Machine. Anomalies in the mail header will therefore get the email marked as spam. On this note, we can say we’re safe from getting fake government emails into our inbox.

However, it’ll be a good practice to check the header for any suspicious email. In Gmail, this can be done by clicking the arrow next to the reply option. See image below.

gmail-show-header

I hope this article helps in debunking fake emails. Thanks to Alex for brainstorming on the subject.