Spoofed Email

Legios

Senior member
Feb 12, 2013
I work for a medium-sized company and we recently got an email from a customer that was a reply to a "fake" email supposedly sent by us. The only thing was this email had some made-up numbers in it, most likely intending to get this guy a substantial discount. The fake email had some pretty glaring typos in it as well as some information that was just plain wrong, i.e. the phone number of the guy he was trying to emulate.

I looked at the original source for it and can't seem to see where it may have come from. We know it did not originate from our servers as there is no log of it having been sent.

What else can I look at to see if it was self sent by spoofing?
 

seepy83

Platinum Member
Nov 12, 2003
You would want to get your hands on the full headers for the email that your customer received. With that, you would look for lines that say "Received: from [Sending SMTP Server IP/ServerName] by [Receiving SMTP Server IP/ServerName]." You should be able to use that to determine the originating SMTP server.
 

Legios

Thanks. Unfortunately, we think the customer is the perpetrator of this little scam, so getting his original source files may be tricky.
 

alkemyst

No Lifer
Feb 13, 2001
Yeah, the only way is to look through the full headers of the message; even then it's possible it just routes back to an open SMTP server.
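Added example, not part of any post in this thread: a Python sketch of the Received-header trace the replies above describe, run over a constructed message. All hostnames and addresses are made up, and the helper names `received_hops` and `first_trusted_hop` are hypothetical. It assumes the recipient's own servers are the only ones whose stamps can be trusted, since anything below their first header was supplied by whoever connected.

```python
import re
from email import message_from_string

# Constructed sample of what the recipient's mailbox would hold.
# Names and IPs are invented (example domains, RFC 5737 address ranges).
RAW = """\
Received: from mx.customer.example (mx.customer.example [198.51.100.7])
\tby mailstore.customer.example with ESMTP id A1; Tue, 5 Mar 2013 10:02:11 -0500
Received: from mail.ourcompany.example (unknown [203.0.113.45])
\tby mx.customer.example with SMTP id B2; Tue, 5 Mar 2013 10:02:09 -0500
Received: from mail.ourcompany.example ([192.0.2.10])
\tby smtp.ourcompany.example with ESMTP id C3; Tue, 5 Mar 2013 10:02:05 -0500
From: "Sales" <sales@ourcompany.example>
To: buyer@customer.example
Subject: Your quote

Body text.
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<detail>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return hops oldest-first: claimed sender name, recorded IP, stamping server."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        ip = IP.search(m.group("detail") or "")
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    hops.reverse()  # each server prepends, so the last header is the earliest
    return hops

def first_trusted_hop(hops, trusted_suffixes):
    """Earliest hop stamped by a trusted server; older hops are unverifiable."""
    for hop in hops:
        if hop["by"].lower().endswith(trusted_suffixes):
            return hop
    return None

if __name__ == "__main__":
    edge = first_trusted_hop(received_hops(RAW), ("customer.example",))
    print("Connecting IP seen by recipient's server:", edge["ip"], "claimed name:", edge["helo"])
```

The IP in that hop is the value to compare against your own outbound mail servers' addresses; the name before it is only what the connecting host claimed.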
 

Legios

If you cannot trust the customer, then the only thing you can really do is check your outbound email server logs to see if it really originated from you; check with your systems administrator or IT team.

We did that, 100% guaranteed to not have originated from within.