How Can I Find Out Where an Email Really Came From?

Just because an email shows up in your inbox labeled Bill.Smith@somehost.com, doesn’t mean that Bill actually had anything to do with it. Read on as we explore how to dig in and see where a suspicious email actually came from.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader Sirwan wants to know how to figure out where emails actually originate from:

How can I know where an Email really came from? Is there any way to find it out? I have heard about email headers, but I don’t know where I can see email headers, for example in Gmail.

Let’s take a look at these email headers.

The Answers

SuperUser contributor Tomas offers a very detailed and insightful response:

See an example of a scam that has been sent to me, pretending it is from my friend, claiming she has been robbed and asking me for financial aid. I have changed the names — suppose that I am Bill, the scammer has sent an email to bill@domain.com, pretending he is alice@yahoo.com. Note that Bill has forwarded to bill@gmail.com.

First, in Gmail, use show original:

Then, the full email and its headers will open:

Delivered-To: bill@gmail.com
Received: by 10.64.21.33 with SMTP id s1csp177937iee;
Mon, 8 Jul 2013 04:11:00 -0700 (PDT)
X-Received: by 10.14.47.73 with SMTP id s49mr24756966eeb.71.1373281860071;
Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Return-Path: <SRS0=Znlt=QW=yahoo.com=alice@domain.com>
Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
for <bill@gmail.com>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Received-SPF: neutral (google.com: 2a01:348:0:6:5d59:50c3:0:b0b1 is neither permitted nor denied by best guess record for domain of SRS0=Znlt=QW=yahoo.com=alice@domain.com) client-ip=2a01:348:0:6:5d59:50c3:0:b0b1;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 2a01:348:0:6:5d59:50c3:0:b0b1 is neither permitted nor denied by best guess record for domain of SRS0=Znlt=QW=yahoo.com=alice@domain.com) smtp.mail=SRS0=Znlt=QW=yahoo.com=alice@domain.com
Received: by maxipes.logix.cz (Postfix, from userid 604)
id C923E5D3A45; Mon,  8 Jul 2013 23:10:50 +1200 (NZST)
X-Original-To: bill@domain.com
X-Greylist: delayed 00:06:34 by SQLgrey-1.8.0-rc1
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
for <bill@domain.com>; Mon,  8 Jul 2013 23:10:48 +1200 (NZST)
Received: from [168.62.170.129] (helo=laurence39)
by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
(envelope-from <alice@yahoo.com>)
id 1Uw98w-0006KI-6y
for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400
From: "Alice" <alice@yahoo.com>
Subject: Terrible Travel Issue.....Kindly reply ASAP
To: bill@domain.com
Content-Type: multipart/alternative; boundary="jtkoS2PA6LIOS7nZ3bDeIHwhuXF=_9jxn70"
MIME-Version: 1.0
Reply-To: alice@yahoo.com
Date: Mon, 8 Jul 2013 10:58:06 +0000
Message-ID: <E1Uw98w-0006KI-6y@elasmtp-curtail.atl.sa.earthlink.net>
X-ELNK-Trace: 52111ec6c5e88d9189cb21dbd10cbf767e972de0d01da940e632614284761929eac30959a519613a350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 168.62.170.129
[... I have cut the email body ...]

The headers are to be read chronologically from bottom to top — oldest are at the bottom. Every new server on the way will add its own message — starting with Received. For example:

Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
for <bill@gmail.com>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 08 Jul 2013 04:11:00 -0700 (PDT)

This says that mx.google.com has received the mail from maxipes.logix.cz at Mon, 08 Jul 2013 04:11:00 -0700 (PDT).

Now, to find the real sender of your email, your goal is to find the last trusted gateway — last when reading the headers from top, i.e. first in the chronological order. Let’s start by finding Bill’s mail server. For this, you query the MX record for the domain. You can use some online tools, or on Linux you can query it on the command line (note the real domain name was changed to domain.com):

~$ host -t MX domain.com
domain.com               MX      10 broucek.logix.cz
domain.com               MX      5 maxipes.logix.cz

So you see the mail server for domain.com is maxipes.logix.cz or broucek.logix.cz. Hence, the last (first chronologically) trusted “hop” — or last trusted “Received record” or whatever you call it — is this one:

Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
for <bill@domain.com>; Mon,  8 Jul 2013 23:10:48 +1200 (NZST)

You can trust this because this was recorded by Bill’s mail server for domain.com. This server got it from 209.86.89.64. This could be, and very often is, the real sender of the email — in this case the scammer! You can check this IP on a blacklist. — See, he is listed in 3 blacklists! There is yet another record below it:

Received: from [168.62.170.129] (helo=laurence39)
by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
(envelope-from <alice@yahoo.com>)
id 1Uw98w-0006KI-6y
for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400

but you cannot actually trust this, because that could just be added by the scammer to wipe out his traces and/or lay a false trail. Of course there is still the possibility that the server 209.86.89.64 is innocent and only acted as a relay for the real attacker at 168.62.170.129, but then the relay is often considered to be guilty and is very often blacklisted. In this case, 168.62.170.129 is clean so we can be almost sure the attack was done from 209.86.89.64.

And of course, as we know that Alice uses Yahoo! and elasmtp-curtail.atl.sa.earthlink.net isn’t on the Yahoo! network (you may want to re-check its IP Whois information), we may safely conclude that this email was not from Alice, and that we should not send her any money for her claimed vacation in the Philippines.
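As an added example (not from the SuperUser thread or from Tomas's answer), here is the hop-walking logic above in Python: parse each Received header, walk them top-down while they were written by a host the recipient trusts, and report the peer IP the last trusted server actually saw. It assumes the trusted hosts are the two MX hosts from the host -t MX domain.com output plus mx.google.com (Bill forwards to Gmail); the sample headers are constructed from the chain quoted in the answer.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the answer, with the TLS,
# X-* and body lines dropped (hostnames, IPs and timestamps are the post's).
SAMPLE = """Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
 by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
 for <bill@gmail.com>; Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Received: by maxipes.logix.cz (Postfix, from userid 604)
 id C923E5D3A45; Mon,  8 Jul 2013 23:10:50 +1200 (NZST)
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
 by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
 for <bill@domain.com>; Mon,  8 Jul 2013 23:10:48 +1200 (NZST)
Received: from [168.62.170.129] (helo=laurence39)
 by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
 (envelope-from <alice@yahoo.com>)
 for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400
From: "Alice" <alice@yahoo.com>

[body cut]
"""

# Assumption: hosts the recipient controls or relies on -- the MX hosts from
# `host -t MX domain.com` in the answer, plus Gmail's inbound MX (Bill forwards there).
TRUSTED = {"maxipes.logix.cz", "broucek.logix.cz", "mx.google.com"}

FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Split one Received header into the claimed sender ('from'), the host that
    wrote the header ('by') and the peer IP that host saw in brackets ('ip')."""
    value = " ".join(value.split())  # unfold continuation lines
    frm, by, ip = FROM_RE.match(value), BY_RE.search(value), IP_RE.search(value)
    return {"from": frm and frm.group(1), "by": by and by.group(1), "ip": ip and ip.group(1)}


def last_trusted_hop(raw, trusted):
    """Walk Received headers top-down (newest first) while they were written by a
    trusted host. The last such hop records the IP that handed the mail to the
    recipient's infrastructure; every header below it could be forged."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    last = None
    for hop in hops:
        if hop["by"] not in trusted:
            break
        last = hop
    return last
```

Headers below the returned hop (here the one claiming 168.62.170.129) are only what the untrusted relay chose to write, which is the point Tomas makes above.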

Two other contributors, Ex Umbris and Vijay, recommended the following services for decoding email headers: SpamCop and Google’s Header Analysis tool, respectively.

Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.

Translated from: https://www.howtogeek.com/169539/how-can-i-find-out-where-an-email-really-came-from/