How To Spot Bogus E-Mail
Although most operating systems come equipped with any number of command-line IP tools, savvy network administrators are quick to exploit the capabilities of graphical commercial implementations of such functionality. Enhanced commercial packages, like NetScan Tools Pro 2004, offer friendlier graphical interfaces and built-in support that make them a bit quicker and easier to use.
Whether IP tools run at the command line or inside a dolled-up graphical interface, they are designed to inform users where network traffic originates, what that traffic contains, how packets make the trip from sender to receiver and how long that takes. It's easy to use these tools to debunk phishing scams and spoofed e-mails. In this systems recipe, you'll learn how to use nslookup, a built-in Windows utility that performs all kinds of forward and reverse mappings between numeric IP addresses and symbolic domain names. (Go to techbuilder.org to find out about IP2Location, a geographical IP address lookup utility that debunks phishing scams.)
Because I used built-in Windows utilities and a publicly accessible Web site for this recipe, you don't have to do anything to prepare for this task, except to make sure you've got a working Internet connection, access to your favorite browser, and know how to start up and work at the Windows command line. If you decide to use a commercial package instead, you'll want to install NetScan Tools Pro 2004 on the machine where you'll perform your analysis, monitoring, troubleshooting and other IP networking tasks.
I installed NetScan Tools Pro 2004 on Windows 2000 Professional and Server, Windows XP Professional (SP1 and SP2 RC2) and Windows 2003 Server using a download package provided to me from the Northwest Performance Software site. If you use a laptop with NetScan Tools Pro installed, you must furnish that laptop with all the elements necessary for a working IP connection to the Internet.
Now, let's take a look at the four steps involved in analyzing e-mail name and address information:
- Start Outlook or whatever e-mail package you ordinarily use. For this recipe, I used Outlook 2003 on Windows XP.
- Pick a suspect spam e-mail to analyze. Inside Outlook, select a message, then double-click the sender or subject to open it in its own window.
- Click on View, then Options to examine the Internet header for the message.
- Launch a command window: Start, Run, then type cmd into the Open: text box and click OK. Type nslookup at the command prompt, hit enter, then type the IP address from the message's Internet header and hit enter again. Now compare the IP address in the e-mail header with the IP address for the domain where it claims to originate, if it exists. If it's not a match, you've done your job.
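The same comparison, scripted, as an added example that is not part of the original recipe: it pulls the bracketed IP out of each Received: line of a raw message header, reverse-maps the chosen hop (what nslookup does when you type an IP), forward-maps the domain the From: address claims, and reports whether either direction agrees. The headers, host names and addresses are constructed (RFC 5737 documentation ranges, example domains), and the offline run uses a stub PTR/A table; LiveResolver asks the operating system's resolver instead. It goes one step beyond the recipe by letting you pick the hop: the bottom-most Received: line is written by the sender and can be forged, while the top line is the one your own mail server added.

```python
"""Added example (not from the article): automate the header-to-nslookup check.
Parse the Received: chain, reverse-map one hop's IP, forward-map the claimed
From: domain, and report whether either direction agrees."""
import re
import socket
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 in a Received: line

# Constructed headers (RFC 5737 addresses, example domains). The top Received:
# line was added by the recipient's own server; the bottom one was written by
# the sender and names the bank's real mail host to look convincing.
SAMPLE_BOGUS = (
    'Received: from mx1.example-bank.com ([203.0.113.10])\n'
    '\tby inbound.isp.example with ESMTP; Mon, 7 Jun 2004 10:02:11 -0500\n'
    'Received: from localhost (mx1.example-bank.com [198.51.100.7])\n'
    '\tby mx1.example-bank.com with SMTP; Mon, 7 Jun 2004 10:01:58 -0500\n'
    'From: "Account Services" <security@example-bank.com>\n'
    'To: customer@isp.example\n'
    'Subject: Please verify your account\n\n'
)
SAMPLE_LEGIT = (
    'Received: from mx1.example-bank.com (mx1.example-bank.com [198.51.100.7])\n'
    '\tby inbound.isp.example with ESMTP; Mon, 7 Jun 2004 09:40:03 -0500\n'
    'From: "Example Bank" <statements@example-bank.com>\n'
    'To: customer@isp.example\n'
    'Subject: Your June statement\n\n'
)


class StubResolver:
    """Offline resolver backed by constructed tables (not real DNS data)."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return set(self.a.get(name, ()))


class LiveResolver:
    """Ask the operating system's resolver, as nslookup does at the prompt."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(self, name):
        try:
            return {info[4][0] for info in socket.getaddrinfo(name, None)}
        except socket.gaierror:
            return set()


STUB = StubResolver(
    ptr={"203.0.113.10": "dsl-203-0-113-10.residential.example",
         "198.51.100.7": "mx1.example-bank.com"},
    a={"example-bank.com": ["198.51.100.7"]},
)


def hop_ips(msg):
    """IP from each Received: line, topmost (closest to you) first; None when a line has none."""
    ips = []
    for line in msg.get_all("Received", []):
        m = IP_RE.search(str(line))
        ips.append(m.group(1) if m else None)
    return ips


def claimed_domain(msg):
    """Domain part of the From: address, lower-cased, or None."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() or None


def in_domain(hostname, domain):
    """True when the PTR name is the claimed domain or a host inside it."""
    if not hostname:
        return False
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def check_origin(raw_headers, resolver, hop=-1):
    """hop=-1 is the bottom-most Received: line (the recipe's starting point);
    hop=0 is the line your own mail server wrote, which the sender cannot forge."""
    msg = message_from_string(raw_headers)
    domain = claimed_domain(msg)
    ips = hop_ips(msg)
    ip = ips[hop] if -len(ips) <= hop < len(ips) else None
    ptr = resolver.reverse(ip) if ip else None
    forward = resolver.forward(domain) if domain else set()
    matches = bool(domain and ip) and (in_domain(ptr, domain) or ip in forward)
    return {"claimed_domain": domain, "origin_ip": ip, "ptr": ptr, "matches": matches}


if __name__ == "__main__":
    for label, raw in (("bogus", SAMPLE_BOGUS), ("legit", SAMPLE_LEGIT)):
        for hop in (-1, 0):
            print(label, "hop", hop, check_origin(raw, STUB, hop))
```

Run against the constructed bogus message, the bottom-most hop passes (its forged Received: line names the bank's real host), while the hop your own server recorded resolves to a residential host outside the claimed domain and fails. Swap `STUB` for `LiveResolver()` to repeat the check with real DNS on a header pasted from Outlook.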
Recognizing Phony E-Mail Addresses
Obvious signs of fake addresses include:
- Sender names that appear plucked from a dictionary or other word list. For example, Monochromes A. Purge and Canker A. Hoisting don't sound much like names for people—at least no one I know.
- Sender names that include parts or all of the receiver's name, or do likewise with the reported sender address.
- Messages with no sender name at all. Something about the sender e-mail address %RNDLCCHAR514@hotmail.com fails to inspire belief that it's real or valid.
- Well-known celebrities, politicians, academics and other notable personages don't send me much e-mail, but right now my inbox contains a message from Milton Friedman, a Hoover fellow and noted economist. Whaddya bet it's not for real? Someday, the same thing may happen to your customers.
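The mechanical signs in that list can be checked automatically from the From: and To: headers. The following is an added example, not part of the article: it flags a missing sender name, an unexpanded mail-merge placeholder like the %RNDLCCHAR514 local part quoted above, a sender name borrowed from the recipient's name or address, and a sender name that merely echoes the sender address. The sample headers are constructed (the first reuses the address quoted above); the dictionary-word and famous-sender signs need a word list or judgment and are left to the reader.

```python
"""Added example (not from the article): mechanical checks for the phony-address
signs listed above, applied to a message's From: and To: headers."""
import re
from email import message_from_string
from email.utils import parseaddr

# Unexpanded mail-merge placeholder, e.g. the %RNDLCCHAR514 local part quoted above.
TEMPLATE_VAR = re.compile(r"%[A-Z_]+\d*")


def tokens(text):
    """Lower-case word tokens of three or more characters."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) >= 3}


def phony_address_signs(raw_headers):
    """Return the signs that fire for this message's sender, in a fixed order."""
    msg = message_from_string(raw_headers)
    sender_name, sender_addr = parseaddr(msg.get("From", ""))
    recipient_name, recipient_addr = parseaddr(msg.get("To", ""))
    sender_local = sender_addr.partition("@")[0]
    recipient_local = recipient_addr.partition("@")[0]
    signs = []
    if not sender_name.strip():
        signs.append("no sender name")
    if TEMPLATE_VAR.search(sender_addr):
        signs.append("unexpanded template variable in sender address")
    if tokens(sender_name) & (tokens(recipient_name) | tokens(recipient_local)):
        signs.append("sender name borrows from recipient")
    if tokens(sender_name) & tokens(sender_local):
        signs.append("sender name echoes sender address")
    return signs


# Constructed sample headers; addresses use example domains except the one quoted above.
SAMPLE_NO_NAME = "From: %RNDLCCHAR514@hotmail.com\nTo: jane.doe@isp.example\nSubject: hi\n\n"
SAMPLE_BORROWED = 'From: "Jane Doe" <offers@example.net>\nTo: jane.doe@isp.example\nSubject: hi\n\n'
SAMPLE_ECHO = 'From: "hotdeals" <hotdeals@example.net>\nTo: jane.doe@isp.example\nSubject: hi\n\n'
SAMPLE_PLAIN = 'From: "Example Bank" <statements@example-bank.com>\nTo: jane.doe@isp.example\nSubject: hi\n\n'

if __name__ == "__main__":
    for raw in (SAMPLE_NO_NAME, SAMPLE_BORROWED, SAMPLE_ECHO, SAMPLE_PLAIN):
        print(raw.split("\n")[0], "->", phony_address_signs(raw) or "no mechanical signs")
```

The "echoes sender address" sign is the weakest of the four, since plenty of legitimate mail is sent as "jsmith" <jsmith@...>; treat it as a nudge to look at the headers, not a verdict on its own.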
Ed Tittel is a writer based in Austin, Texas.
