Identify who is really sending you an email
- Luc Labonte
- Mar 23
- 9 min read
Time To Read: 6 minutes
Target Technical Level: Low
OS: Windows, Android, iOS, Linux
A long time ago, we used to get really excited to receive mail. This was before digital mail had really taken a major place in our lives, and mail had 3 major forms:
A letter from someone you know - this would make your day.
Bills.
Junk mail - ads, soliciting, etc.
We have a tendency to trust mail because it shows us who sent the letter, including their personal data: the name and address. That trust has been exploited since the dawn of mail, though. For example, Tuscany in 1786 enacted the Leopoldine Code (Codice Leopoldino), which covered fraud, theft and deception. The first case of applying a law (the Lotteries Act 1823, England) to mail seems to be in the 1830s in the case of the Glasgow Lottery, where the government detected and shut down a fraudulent lottery scheme that was discovered through the mail. We also have some very interesting resurgences of physical mail fraud to cause digital harm: https://www.pandasecurity.com/en/mediacenter/how-hackers-are-using-physical-mail-for-phishing-scams/
A lot of people we have taught have assumed that we have lost a lot of the trust in digital mail because it no longer explains who has sent the mail to you. This is a fallacy, and it is what we will be showing today.
Mail Data
Here is the information found on physical mail:
Bob Bobberson
Additional Delivery Information Dept.
1234-12345 Main St. NW Calgary, AB T1T1T1
Here is how to find information found in digital mail:
Let's break down our email first. The email program I'll be showing first is Thunderbird, and highlighted in yellow is the display name:

As you can see, not a lot of details here.
In Thunderbird, if we hover our mouse (put the cursor over the name without clicking), it will display the email address associated with the display name, as shown below.

Still not a lot of information, but you can see who the actual sender of the email is. The information after the @ sign is the mailbox address and should match the domain of whoever sent it. To explain:
Display Name - Luc Labonte
Username - Luc
Mailbox Address - etslsg.org
Domain Name - https://etslsg.org
To break down what attackers will often do:
Display Name - Luc Labonte
Username - bad
Mailbox Address - 32908jf3[.]evilguy[.]net
Domain Name - evilguy[.]net
Subdomain - 32908jf3
So, it will look like it comes from Luc in this case, but if you hover over it, it will show you that the email was actually sent by bad@32908jf3[.]evilguy[.]net:

Gmail (Windows & Mac)
Gmail uses a much more common setup and uses a tiny down arrow (officially called the "black down-pointing triangle"):

Clicking on that will show more details:

Gmail (Android)
Gmail's mobile offering has a similar setup, though it uses a different down arrow (this one is the "keyboard down arrow"):

Outlook
Microsoft has become oddly draconian over the years, but their mail client keeps a similar design to the rest of the email offerings on the market and displays the full email address of the sender:

The reason I call it draconian is what happens when you click on the sender address. Highlighted in yellow are the relevant details, but the last is a security alert from a very common Google service. When they are accurate, these alerts are very useful. When everything is flagged as a potential security problem, though, it tends to desensitize users:

Apple (iOS)
I have access to an iPad, but it is not in a reliable state. My Apple Mail is currently showing the full email address instead of the display name; however, the user interface is almost identical to the Android example above, except that it uses a right keyboard arrow instead of a down keyboard arrow. As a note, Apple likes to change their settings frequently, so you may need to use a search engine like so: Click Me
Advanced Information (recommended reading)
I will preface this with: this can be overwhelming, but it is useful to understand even a little bit of this section. There is a method that lets you see all of the information in an email, which is going to be an overload for almost everyone. It is frequently used by developers and security teams.
In the same area that we use to find our to and from details, on the right side we should see a ⋮ or ⋯ or ≡.
When we click on that, we get our options for the specific email we are working with. This is also commonly where Print and Save are found.
We are looking for one of these sets of words:
Show Original
View Source
View > View Message Details
This is the real information and it's daunting. Here is an example:

Alright, here is the important security information at the top:
SPF - Sender Policy Framework - Who is allowed to send an email on behalf of the owner of the domain. If you asked a lawyer to send a digital letter on your behalf, you would need to add that lawyer to your SPF for that letter to pass a security check.
DKIM - DomainKeys Identified Mail - Wax seals used to be applied to letters to allow the receiver to know if that letter had been opened or tampered with by a third party. This uses a digital signature that checks against your domain's signature to make sure the seal has not been broken in order to pass the verification check.
DMARC - Domain-based Message Authentication, Reporting and Conformance - This is the stern-faced gorilla bouncer in cartoons blocking anyone who has not passed their SPF and DKIM checks, although you can also tell that bouncer to just let everyone through anyway.
And some other common useful information you may see:
smtp.mailfrom - This is the actual delivery address used behind the scenes. SPF checks against this address.
Received - This shows the route the email has taken and which "post offices" it has checked in at or been passed through.
The random strings of letters and numbers are encrypted data, though sometimes, if you scroll to the bottom of the original data, you can find items that have been hidden in the email.
What to do if it looks suspicious
Don't click on any links in the email.
Don't reply to the email. Replying confirms to the attacker that your email account is active.
Don't download or click on any attachments in the email; they are likely malware.
If the email claims to be from someone you know (friend, family, government, bank), verify it through a different channel. Call them on a number you already have or verify that information with a search engine; do not use the details in the email to contact them.
Note if it is asking for gift cards, this is an automatic red flag.
Report it as phishing through your mail client, using the menu (⋮ or ⋯ or ≡) or the "Report" button.
If you have already clicked a link and entered account information, change the account password immediately using the website found through a search engine or another source that is not the suspicious email.
"Reply-To" Spoofing
Always check suspicious emails for an address in the Reply-To section, as this is often used as an attacker hand-off to go from a spoofed (fake) or hacked account to an account that the attacker has stable access to.
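The checks described above (display name versus the real address, the SPF/DKIM/DMARC results and smtp.mailfrom in the original view, and the Reply-To hand-off) can also be run by a script. The Python below is an added example, not part of the original article; the sample message is constructed, with the article's attacker address placed under the reserved .example domain, and `sender_report` and `mx.example.org` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a "Show Original" view. The attacker address from the
# article is placed under the reserved .example domain; mx.example.org is made up.
RAW = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bad@32908jf3.evilguy.example;
 dkim=none; dmarc=pass header.from=32908jf3.evilguy.example
From: "Luc Labonte" <bad@32908jf3.evilguy.example>
Reply-To: payments@another-mailbox.example
To: you@example.org
Subject: Quick favour

Are you at your desk?
"""

def sender_report(raw, expected_domain):
    """Split out who really sent a message and list anything that looks off."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    username, _, mailbox = address.lower().rpartition("@")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Only trust Authentication-Results added by your own mail provider;
    # this sketch assumes every such header in the message is genuine.
    results = " ".join(msg.get_all("Authentication-Results") or [])
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    mailfrom = re.search(r"smtp\.mailfrom=([^;\s]+)", results)

    warnings = []
    if mailbox != expected_domain and not mailbox.endswith("." + expected_domain):
        warnings.append(f"{display_name!r} was sent from {mailbox}, not {expected_domain}")
    if reply_to and reply_to.rpartition("@")[2] != mailbox:
        warnings.append(f"replies would go to {reply_to}")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            warnings.append(f"{check} result is {auth.get(check, 'missing')}")
    return {"display_name": display_name, "username": username, "mailbox": mailbox,
            "reply_to": reply_to, "mailfrom": mailfrom.group(1) if mailfrom else None,
            "auth": auth, "warnings": warnings}

if __name__ == "__main__":
    report = sender_report(RAW, "etslsg.org")
    for key, value in report.items():
        print(f"{key}: {value}")
```

SPF and DMARC both pass in the sample because the message really did come from the attacker's own domain, so it is the mailbox comparison and the Reply-To check that expose the borrowed display name.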
Research Notes:
I had a moment of severe curiosity that is added below. When did countries start to identify scamming as a problem and when did it start to interact with mail? When I was done with the research, I realized that it may not be interesting for everyone, but I find it too interesting to remove entirely.
Country | Date | Law / Statute | Types of Fraud Banned | Notes & Caveats |
Tuscany (Italy) | 1786 | Leopoldine Code (Codice Leopoldino) | General criminal code covering fraud, theft, and deception. First code in the world to abolish the death penalty. | Not a modern fraud statute per se; reformed medieval criminal norms. Replaced 1801 under Napoleon, reinstated 1814. |
Austria | 1787 | Josephine Code (Allgemeines Gesetz über Verbrechen) | General criminal offences including fraud (Betrug) and deception. Declared “no crime without a law.” | Replaced by Austrian Penal Code of 1803 (Strafgesetz 1803) with expanded fraud provisions. Code of 1852 followed. |
Prussia (Germany) | 1794 | Allgemeines Landrecht für die Preußischen Staaten (ALR) | Comprehensive code of 17,000+ articles covering civil and criminal law, including fraud, forgery, and deception offences. | Effective 1 June 1794. Covered fraud by any means including post. Remained in force until German Empire codes of 1871–1900. |
France | 1810 | Code Pénal de 1810, Article 405 (Escroquerie) | Criminalized fraud using false names, false pretenses, or fraudulent manoeuvres to obtain funds, property, or obligations. Covered scams by any delivery method including mail. | Promulgated 19 Feb 1810. Remained in force until 1994. Spread across Napoleonic-occupied Europe and influenced laws in Netherlands, Belgium, Italy, and parts of Germany. |
Netherlands | 1811 | French Code Pénal (adopted via annexation to French Empire) | Same as France: escroquerie (Article 405) covering fraud, false pretenses, and swindling. | French code enforced from 1811 when Netherlands joined French Empire. Remained the basis of Dutch criminal law until replaced by the Wetboek van Strafrecht in 1886. |
Spain | 1822 | Código Penal de 1822 (First Spanish Penal Code) | Criminalized estafa (fraud/swindling) and related property crimes, based on Enlightenment principles of proportionality. | In force only Jan-Oct 1823 before absolute monarchy was restored. Replaced by the more durable Código Penal de 1848, which became the template for Spanish and Latin American criminal law. |
United Kingdom | 1823 | Lotteries Act 1823 (4 Geo. 4. c. 60) | Banned all unauthorized lotteries and games of chance. Participants deemed “Rogues and Vagabonds.” Lottery-by-mail was the dominant postal scam of the era. | Followed by the Lotteries Act 1836 (banned advertising lotteries) and the Post Office (Offences) Act 1837 (criminalized forging postal instruments with intent to defraud). |
United States | 1872 | Mail Fraud Statute (17 Stat. 283, §301) | First law specifically making it a crime to use the postal system as the instrument of fraud. Covered “any scheme or artifice to defraud” via the mails. Built on an 1868 anti-lottery postal law. | Enacted 8 June 1872 by the 42nd Congress. Championed by Rep. Farnsworth (IL). First to give postal inspectors federal prosecution power over scammers. Revised 1889, 1909, and later. |
Germany (unified) | 1872 | Reichsstrafgesetzbuch (Imperial Penal Code), §263 Betrug | Criminalized fraud (Betrug): obtaining property by deception or distortion of facts. Applied across the unified German Empire, including to postal fraud. | Based on North German Confederation Penal Code of 1870. Came into effect 1 Jan 1872. Included postal stamp fraud provisions (§§275-276). |
Canada | 1892 | Criminal Code, 1892 (55–56 Victoria, c. 29), s. 394 | Created offence of “conspiracy to defraud.” Also criminalized stealing post letter bags (3 yr minimum) and frauds upon the government (1 month minimum). | First criminal code in a self-governing British Empire jurisdiction. Received Royal Assent 9 July 1892, in force 1 July 1893. Fraud expanded to a standalone offence in 1948. |
Sources & Citations:
1. Tuscany: Leopoldine Code - Wikipedia, "Leopoldine Code," https://en.wikipedia.org/wiki/Leopoldine_Code
2. Austria: Josephine Code & StG 1803 - Country Data, "Austria – Penal Codes," http://www.country-data.com/cgi-bin/query/r-924.html ; CEEOL article on Austrian Criminal Code of 1803, https://www.ceeol.com/search/article-detail?id=159762
3. Prussia: ALR 1794 - Wikipedia, "General State Laws for the Prussian States," https://en.wikipedia.org/wiki/General_State_Laws_for_the_Prussian_States ; German History in Documents, https://germanhistorydocs.org/en/the-holy-roman-empire-1648-1815/ghdi:document-3550 ; EBSCO Research Starters, "Allgemeines Landrecht," https://www.ebsco.com/research-starters/history/allgemeines-landrecht
4. France: Code Pénal 1810 - Légifrance, Article 405 (original text), https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000006490418/1810-02-19 ; Wikipedia, "French Penal Code of 1810," https://en.m.wikipedia.org/wiki/French_Penal_Code_of_1810
5. Netherlands: Wikipedia, "Criminal justice system of the Netherlands," https://en.wikipedia.org/wiki/Criminal_justice_system_of_the_Netherlands ; Russian Law Journal, "History of Dutch Penal Code," https://russianlawjournal.org/index.php/journal/article/download/1807/996
6. Spain: Código Penal 1822 - Wikipedia, "Criminal Code (Spain)," https://en.wikipedia.org/wiki/Criminal_Code_(Spain) ; BJS World Factbook, "Spain," https://bjs.ojp.gov/content/pub/pdf/wfbcjssp.pdf ; University of Cantabria repository, https://repositorio.unican.es/xmlui/handle/10902/12073
7. UK: Lotteries Act 1823 - University of Glasgow Library Blog, "The Case of the Glasgow Lottery," https://universityofglasgowlibrary.wordpress.com/2017/03/24/the-case-of-the-glasgow-lottery/ ; Hansard, 1934 debates referencing Lotteries Act 1836, https://hansard.parliament.uk/commons/1934-11-07/debates/69013cd2-bdc4-48cc-bc0a-5fdeae8dc501/Clause20 ; Great Britain Philatelic Society, Post Office (Offences) Act 1837, https://www.gbps.org.uk/information/sources/acts/1837-07-12_Act-1-Victoria-cap-36.php
8. US: Mail Fraud Statute 1872 - US Postal Inspection Service, "History of the Mail Fraud Statute," https://www.uspis.gov/history-spotlight-2023/history-of-the-mail-fraud-statute ; Encyclopedia.com, "Federal Mail Fraud Act," https://www.encyclopedia.com/history/encyclopedias-almanacs-transcripts-and-maps/mail-fraud-and-false-representation-statutes ; Library of Congress/CRS, https://www.congress.gov/crs-product/R41930
9. Germany: Reichsstrafgesetzbuch 1872 - Wikipedia, "Strafgesetzbuch," https://en.wikipedia.org/wiki/Strafgesetzbuch ; US State Dept Historical Documents (Prussian penal code discussion), https://history.state.gov/historicaldocuments/frus1879/d190
10. Canada: Criminal Code 1892 - Wikibooks, "Canadian Criminal Law/Offences/Fraud," https://en.wikibooks.org/wiki/Canadian_Criminal_Law/Offences/Fraud ; Osgoode Society, "The Genesis of the Canadian Criminal Code of 1892," https://www.osgoodesociety.ca/book/the-genesis-of-the-canadian-criminal-code-of-1892/ ; Osgoode Hall Law Journal, legislative history of mandatory minimums, https://digitalcommons.osgoode.yorku.ca/cgi/viewcontent.cgi?article=1462&context=ohlj
The Case of the Glasgow Lottery - University Glasgow Library, https://universityofglasgowlibrary.wordpress.com/2017/03/24/the-case-of-the-glasgow-lottery/
*This research prioritized verifiable dates of enacted legislation. Some countries (e.g., Bavaria 1751, various Italian states) may have had earlier provisions that could not be confirmed with specific fraud-related statutory text during this research. The distinction between “general fraud law applicable to mail scams” and “mail-specific fraud law” is important: the US Mail Fraud Statute of 1872 was genuinely the first to make using the postal system the criminal act itself, but general fraud statutes in continental Europe predated it by decades.


