9M2PJU
How to Recognize Spam Emails Using Gmail’s Show Original Feature
In today’s digital world, spam emails have become increasingly sophisticated, making them harder to identify at first glance. Fortunately, Gmail provides a powerful tool called “Show Original” that can help you investigate suspicious messages and identify telltale signs of spam. In this post, I’ll walk you through how to use this feature and what red flags to look for, using a real-world example.
What is “Show Original” in Gmail?
The “Show Original” feature allows you to view the complete email header and raw content of any message. This includes technical information about the email’s journey from sender to recipient, authentication results, and other metadata that’s normally hidden from view.
How to Access “Show Original”
- Open the email in Gmail
- Click the three dots (⋮) in the top-right corner of the email
- Select “Show original” from the dropdown menu
Key Red Flags to Look For
Let’s examine a real spam email offering investment opportunities in student housing, and identify the warning signs visible in the “Show Original” view.
1. Failed Authentication Checks
One of the most reliable indicators of spam is failed authentication checks. In our example:
SPF: FAIL with IP 185.125.188.73
DKIM: 'FAIL' with domain realestateintouktr.co.uk
SPF (Sender Policy Framework) checks whether the server that delivered the message is authorized to send email for that domain. A failure means the email is likely spoofed.
DKIM (DomainKeys Identified Mail) uses a cryptographic signature to verify that the email content hasn’t been tampered with during transit. A failure indicates potential manipulation.
2. Mismatched Sender Information
Alignment: The From header Investment <invest@realestateintouktr.co.uk> does not match the SPF domain realestateintouktr.co.uk.
This warning explicitly states that the sender’s address doesn’t align with the domain that should be sending the email – a classic sign of spoofing.
3. Suspicious Domain Names
The domain “realestateintouktr.co.uk” has several red flags:
- Unnecessarily long and complex
- Combines multiple concepts (“real estate”, “UK”, “into”)
- Lacks credibility markers of established businesses
Legitimate companies typically use straightforward, brand-focused domain names.
4. Unusual Routing Information
Looking at the email headers, we can see some suspicious routing patterns:
Received: from realestateintouktr.co.uk (realestateintouktr.co.uk [93.113.206.153]) by smtp-mx-ubuntu-1.canonical.com (Postfix) with SMTP id D5CAA13CE27 for <faizul@ubuntu.com>;
The email appears to have been routed through multiple servers, including one at Canonical (Ubuntu), which is unusual for a legitimate investment company.
5. Misleading Subject Lines and Content
The subject line “Earn 10% NET Returns with Fully-Managed Student Studios – From Just £79,999!” uses classic spam tactics:
- Promises unrealistically high returns (10% NET)
- Creates false urgency
- Mentions specific amounts to appear legitimate
6. Tracking Pixels and Hidden Elements
At the bottom of the HTML content, we find:
<img src="http://www.realestateintouktr.co.uk/email/open.php?M=1301046&L=138&N=3396&F=H&image=.jpg" height="1" width="10">
This is a tracking pixel that reports back to the sender when you open the email. While tracking pixels are used in legitimate marketing too, in combination with other red flags, they support the spam classification.
Other Technical Indicators
Weak Encryption Keys
dkim=policy (weak key) header.i=@realestateintouktr.co.uk
The DKIM result reports a weak signing key, which legitimate businesses typically avoid.
Delivery Delays
Created at: Mon, Mar 17, 2025 at 3:00 PM (Delivered after 3726 seconds)
The email was delayed by over an hour (3726 seconds) before delivery, which can indicate it was held for additional spam checking.
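The authentication, alignment and tracking-pixel checks above can be run over the text copied from “Show original”. This is an added example, not part of the original post: `analyze`, `PixelFinder` and the sample message are constructed for illustration, the `smtp.mailfrom` value is an assumption, and alignment is simplified to "same domain or a subdomain".

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample built from the values quoted in this post; the
# smtp.mailfrom address and the shortened body are assumptions.
RAW = """\
Authentication-Results: mx.google.com;
 dkim=policy (weak key) header.i=@realestateintouktr.co.uk;
 spf=fail (sender IP is 185.125.188.73) smtp.mailfrom=invest@realestateintouktr.co.uk
From: Investment <invest@realestateintouktr.co.uk>
Content-Type: text/html; charset="utf-8"

<html><body><p>Offer text</p>
<img src="http://www.realestateintouktr.co.uk/email/open.php?M=1301046&L=138&N=3396&F=H&image=.jpg" height="1" width="10"></body></html>
"""

class PixelFinder(HTMLParser):
    """Collect <img> tags whose declared height or width is 1 or less."""
    def __init__(self):
        super().__init__()
        self.pixels = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        dims = [a.get("height") or "", a.get("width") or ""]
        if tag == "img" and any(d.isdigit() and int(d) <= 1 for d in dims):
            self.pixels.append(a.get("src"))

def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    from_dom = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    out = {"from_domain": from_dom, "results": {}, "aligned_pass": False}
    for ar in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^)]*\)", "", str(ar))        # strip (comments)
        for clause in text.split(";")[1:]:              # [0] is the reporting server
            if not (m := re.search(r"\b(spf|dkim|dmarc)=(\w+)", clause)):
                continue
            method, result = m.group(1), m.group(2).lower()
            out["results"][method] = result
            ident = re.search(r"(?:smtp\.mailfrom|header\.[id])=(?:[^\s@]*@)?([\w.-]+)", clause)
            dom = ident.group(1).lower() if ident else ""
            # Simplified DMARC-style rule: only a passing check on the From domain counts.
            if result == "pass" and dom and (dom == from_dom or dom.endswith("." + from_dom)):
                out["aligned_pass"] = True
    finder, body = PixelFinder(), msg.get_body(preferencelist=("html",))
    finder.feed(body.get_content() if body is not None else "")
    out["tracking_pixels"] = finder.pixels
    return out
```

For the sample, neither check passes, so nothing vouches for the From domain even though the domain strings are identical.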
Conclusion
By using Gmail’s “Show Original” feature, you can look beyond the surface-level content of suspicious emails and examine the technical details that reveal their true nature. The next time you receive a message that seems too good to be true or slightly off, take a moment to check these technical indicators.
Remember these key warning signs:
- Failed authentication checks (SPF, DKIM)
- Mismatched sender information
- Suspicious domain names
- Unusual routing information
- Unrealistic promises or urgency in content
- Hidden tracking elements
Stay vigilant and use these tools to protect yourself from phishing attempts and scams. Your digital security is worth the extra few seconds it takes to verify suspicious messages.