It is easy to fake what appears in the From or Reply-to line of an email message. Check the message headers to discover the message's real origin. Message headers are the material that comes before the body of a message.
Sometimes information in the headers contradicts the From line. For instance, here are the headers of a message that claims to be from PayPal:
(1) From: "PayPal Customer Service"
Subject: Account Management
Date: Tue, 12 Feb 2008 17:49:19 -0600
X-Original-IP: 126.96.36.199
(2) X-Original-Hostname: d1.duc.auburn.edu
(1) The From address looks fine (firstname.lastname@example.org).
(2) The X-Original-Hostname shows that the message actually came from somewhere at Auburn University (d1.duc.auburn.edu), not from PayPal.
Full Headers Check
If a quick check doesn't give you the answer, look at the message's full headers. See instructions to display full headers.
Full headers show the path that an email message traveled, and they can be quite long. For example, you normally see the following:
From: "PayPal"
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600
Turning on full headers reveals the full picture:
Return-Path:
Received: from postoffice7.mail.cornell.edu ([unix socket]) by postoffice7.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Tue, 25 Dec 2007 13:51:10 -0500
Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu [188.8.131.52]) by postoffice7.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id lBPIp7SV004763 for ; Tue, 25 Dec 2007 13:51:07 -0500 (EST)
Received: (from daemon@localhost) by hermes30.mail.cornell.edu (8.13.6/8.12.6) id lBPIp64G017076 for email@example.com; Tue, 25 Dec 2007 13:51:06 -0500 (EST)
Received: from localhost.localdomain (soapstone1.mail.cornell.edu [184.108.40.206]) by hermes30.mail.cornell.edu (8.13.6/8.12.6) with ESMTP id lBPIp4F8017044 for ; Tue, 25 Dec 2007 13:51:05 -0500 (EST)
Received: from unknown-host by soapstone1 with queue (Sophos PureMessage Version 5.301) id 72862194-1 for firstname.lastname@example.org; Tue, 25 Dec 2007 18:41:18 GMT
Received: from router1_tc [10.253.83.144] by with SMTP id ; Tue, 25 Dec 2007 18:41:18 GMT (envelope-from email@example.com)
Received: from mail01.crtc.com.tw (unknown [220.127.116.11]) by 18.104.22.168; Tue, 25 Dec 2007 13:41:18 -0500
(3) Received: from dc2 ([22.214.171.124]) by mail01.crtc.com.tw with Microsoft SMTPSVC (6.0.3790.1830); Wed, 26 Dec 2007 02:40:44 +0800
X-PH: V4.1@hermes30
From: "PayPal"
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600
...
(3) The line marked (3) indicates where the email message started its journey. Each mail server that handles a message adds its own Received line at the top, so the lowest Received line, the one just above the From and Subject lines, is the earliest hop. In the example, the hostname there is mail01.crtc.com.tw. The .tw stands for Taiwan, an unlikely origin for a message from PayPal.
If the email had actually come from PayPal, the Received line would probably show that the email started its journey at paypal.com:
Received: from email-120.paypal.com (email-120.paypal.com [126.96.36.199]) by 188.8.131.52; Thu, 2 Oct 2008 13:05:54 -0400
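The manual check described above (read the Received lines from the bottom up and compare the sending host with the domain in the From line) can be automated for triage. The following is an added example, not code from the original article; it uses Python's standard email parser on a constructed header sample whose hostnames mirror the article's two examples and whose IP addresses are taken from documentation ranges. The domain passed as our_domain is an assumption: it is the organisation whose servers' Received lines you trust, because any Received line below the first hop recorded by your own servers could have been written by the sender.

```python
import email
import email.utils
import re

# Constructed sample headers (not real mail). Hostnames follow the article's
# phishing example; IPs are RFC 5737 documentation addresses.
PHISH_SAMPLE = """\
Return-Path: <bounce@mail01.crtc.com.tw>
Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu [192.0.2.30])
\tby postoffice7.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id lBPIp7SV004763;
\tTue, 25 Dec 2007 13:51:07 -0500 (EST)
Received: from mail01.crtc.com.tw (unknown [203.0.113.45])
\tby hermes30.mail.cornell.edu; Tue, 25 Dec 2007 13:41:18 -0500
Received: from dc2 ([198.51.100.7]) by mail01.crtc.com.tw with Microsoft SMTPSVC;
\tWed, 26 Dec 2007 02:40:44 +0800
From: "PayPal" <service@paypal.com>
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600

(body omitted)
"""

# Constructed sample modelled on the article's genuine-PayPal Received line.
GENUINE_SAMPLE = """\
Received: from email-120.paypal.com (email-120.paypal.com [192.0.2.120])
\tby postoffice7.mail.cornell.edu; Thu, 2 Oct 2008 13:05:54 -0400
From: "PayPal" <service@paypal.com>
Subject: Your receipt

(body omitted)
"""


def parse_received(value):
    """Extract the 'from' and 'by' hosts of one Received header value."""
    flat = re.sub(r"\s+", " ", value).strip()       # unfold continuation lines
    m_from = re.match(r"from\s+(\S+)", flat)          # anchored: ignores envelope-from
    m_by = re.search(r"\bby\s+(\S+)", flat)
    return {
        "from": m_from.group(1).rstrip(";,") if m_from else None,
        "by": m_by.group(1).rstrip(";,") if m_by else None,
    }


def host_in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze_headers(raw, our_domain):
    """Compare the From domain with the host that handed the message to our servers.

    Received lines are listed newest first: hops[0] was added by our own server,
    hops[-1] is the earliest hop claimed. Walking down while the 'by' host is ours,
    the last 'from' seen is the external host our infrastructure actually talked to.
    """
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]

    handoff = None
    for hop in hops:
        if hop["by"] and host_in_domain(hop["by"], our_domain):
            handoff = hop["from"]
        else:
            break   # lines below here were written by outside servers (or the sender)

    claimed_origin = hops[-1]["from"] if hops else None
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else None
    handoff_tld = handoff.rsplit(".", 1)[-1] if handoff and "." in handoff else None

    # Suspicious when the host that delivered to us does not belong to the From domain.
    suspicious = not (from_domain and handoff and host_in_domain(handoff, from_domain))
    return {
        "from_domain": from_domain,
        "handoff_host": handoff,
        "handoff_tld": handoff_tld,
        "claimed_origin": claimed_origin,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(name, analyze_headers(sample, "cornell.edu"))
```

The handoff host is the one to act on: in the first sample it is mail01.crtc.com.tw (a .tw host delivering mail that claims to be from paypal.com), while in the second the delivering host is inside paypal.com. The claimed origin (dc2) is reported separately because nothing below the handoff line can be trusted; mismatched hops are a reason to keep looking, not proof on their own, since legitimate senders also route through third-party bulk-mail providers.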