
Email Header analysis

1. Log into your Gmail or Google mail account.
2. Open the email whose headers you want to view.
3. You will see Reply at the top right of the message pane.
4. You will see a little arrow pointing down next to Reply. Click on this down arrow next to Reply.
5. A drop-down menu will open up. Select Show original in this menu.
6. The full headers will now appear in a new window.
7. Go to an email header analysis site like mxtoolbox.com, cyber forensics, or redirectdetective.com.
8. (X) Check whether DMARC, SPF and DKIM authentication passed or not.
9. (Y) Check the IP address in IPvoid.com and VirusTotal to see whether the IP is blacklisted or not.
10. If conditions X & Y are not satisfied (IP is blacklisted & SPF, DKIM are not authenticated), the email message is spam.



Email Structure:-

Step 1: Log into your Gmail or Google mail account.

Step 2: Open the email whose headers you want to view.

I received mail from ofiiceofnokiauk6@mymts.net and its body contains:

“We are delighted to inform you that you were drawn a winner of 545000 And 2 Nokia 9, Laptop) in the 2019 NOKIA DRAW (United Kingdom). Contact Mrs Elisabeth Edward. PLEASE SEND YOUR NAMES:”

After seeing this message I started investigating further.

Step 3: You will see Reply at the top right of the message pane.

Step 4: You will see a little arrow pointing down next to Reply. Click on this down arrow next to Reply.

Step 5: A drop-down menu will open up. Select Show original in this menu.

Step 6: After clicking Show original, the full headers will appear in a new window.

Step 7: Copy the email header and go to an email header analysis site like mxtoolbox.com, cyber forensics, or redirectdetective.com.

Step 8: Check whether DMARC, SPF and DKIM authentication passed or not. Paste the email header into MxToolbox.com and start analysing it.
6

In MxToolbox the DKIM-Signature is not verified, so the message is not authenticated by DKIM. I noted down the IP address from MxToolbox and started further investigation.

Use SPF with DKIM and DMARC

- SPF specifies which domains can send messages.
- DKIM verifies that message content is authentic and not changed.
- DMARC specifies how your domain handles suspicious incoming emails.

Step 9: Check the IP address in IPvoid.com, IBM X-Force and virustotal.com to see whether the IP is blocklisted or not.

From IBM X-Force it is clear that this IP address is used for spam purposes and its risk level is 5.6.

IPVoid.com

In IPVoid.com also this IP address is blacklisted, hence I conclude that the email which I received is spam.
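As an added example that is not part of the write-up, the following Python script automates Steps 8 and 9 on a raw header block: it reads the spf/dkim/dmarc verdicts from the Authentication-Results header, takes the originating IP from the earliest Received header, and applies the X & Y rule from the flowchart. The header block and the blocklist are constructed stand-ins; a real check would query IPVoid, X-Force or VirusTotal for the IP.

```python
import re
from email import message_from_string
from typing import Optional, Tuple

# Constructed sample header block (not the message from the write-up); the
# source address 198.51.100.23 comes from the RFC 5737 documentation range.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
        by mx.google.com with ESMTPS id abc123
Received: from [198.51.100.23] (unknown [198.51.100.23])
        by mail.example.net with ESMTP id def456
Authentication-Results: mx.google.com;
       dkim=fail header.i=@example.net;
       spf=softfail smtp.mailfrom=sender@example.net;
       dmarc=fail (p=NONE) header.from=example.net
From: "Nokia Draw" <sender@example.net>
Subject: Winner notification

body
"""

# Constructed stand-in for the reputation lookups (IPVoid, X-Force, VirusTotal)
# that the write-up performs by hand; a real tool would query those services.
BLOCKLIST = {"198.51.100.23"}


def auth_results(raw: str) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in message_from_string(raw).get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results


def originating_ip(raw: str) -> Optional[str]:
    """The last Received header (added first in transit) names the originating host."""
    received = message_from_string(raw).get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else None


def classify(raw: str, blocklist=BLOCKLIST) -> Tuple[bool, dict]:
    """Write-up's rule: SPF/DKIM not passed (X) and IP blocklisted (Y) -> spam."""
    auth = auth_results(raw)
    ip = originating_ip(raw)
    auth_failed = any(auth.get(m) != "pass" for m in ("spf", "dkim"))
    listed = ip in blocklist
    return auth_failed and listed, {"auth": auth, "ip": ip, "blocklisted": listed}
```

Running `classify(SAMPLE_HEADERS)` on the constructed block returns `True` because both the authentication checks fail and the source IP is on the blocklist.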

Submitted by
Shiv
