How to check if an incoming email was really sent from the CityU network?

You may have received an email that appears to come from the "support", "service", "network/email/web administrator", etc. of the University, and have doubts about the actual source of the message. In such a situation you should first determine whether the email was really sent from a computer located in the CityU network by tracing the information contained in the Full Mail Headers of the email concerned.

Full Mail Headers are the complete set of email headers added by the sender's email software and the related mail servers during the email delivery process. They contain very useful information about the delivery and routing of the message, including the IP addresses involved, the time sent and the sources of the email. For the details of viewing full mail headers with different email tools please refer to here.

The following is the procedure for identifying whether an email was sent from the CityU network:

  1. Read the Full Mail Headers of the concerned email. The following is an example:
    Return-path: ...
    ...
    Received: ...
    Received: ...
    Received: from apparent_hostname ( real_hostname [ IP_Address ] ) by ... with ... for ....
    Date: ...
    From: ...
    Subject: ...
    To: ...

    Note: (i) Sometimes the "real_hostname" is absent. (ii) If the "real_hostname" is present but differs from the "apparent_hostname", trust the "real_hostname".

  2. You should focus on the last "Received:" header line (the one before the "Date:" header), especially the IP address (usually shown in the format [a.b.c.d]).
  3. If the IP address starts with 144.214 (e.g. [144.214.1.2]), it means the computer that originated the email was connected to the CityU main campus network (including dial-up service and VPN).
  4. If the IP address does not start with 144.214, that means the computer was NOT connected to the CityU main campus network, and in most cases it does not belong to CityU. If you want to find out which network/domain owns the concerned IP address, you can use the Whois tools provided by some sites on the Internet, such as http://www.whois.sc/.

Example: The following is a sample email message which was in fact generated by a computer virus/worm. From the last "Received:" line, we know that the email was sent by a machine named 056-078.dummy.com. The IP address of the machine is [12.34.56.78]. This machine does NOT belong to CityU. (The spoofed apparent_hostname "cityu.edu.hk" and the spoofed sender email address "webmaster@cityu.edu.hk" were made up by the virus.)

Return-path:
Received: from conversion-daemon.mailgw1.cityu.edu.hk by mailgw3.cityu.edu.hk (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) id <0HTD00H011A1Q3@mailgw1.cityu.edu.hk> (original mail from webmaster@cityu.edu.hk); Fri, 20 Feb 2004 09:50:32 +0800 (CST)
Received: from cityu.edu.hk (056-078.dummy.com [12.34.56.78]) by mailgw3.cityu.edu.hk (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with SMTP id <0HTD11JL77CH5U@mailgw3.cityu.edu.hk> for ccallen@cityu.edu.hk; Fri, 20 Feb 2004 09:50:30 +0800 (CST)
Date: Fri, 20 Feb 2004 09:43:27 +0800
From: webmaster@cityu.edu.hk
Subject: Your password has been successfully updated
To: ccallen@cityu.edu.hk
Message-id: <0HTD00JL81CH5U@mailgw3.cityu.edu.hk>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="Boundary_(ID_XCKVEQphE4B2OgXVrzzunQ)"

Dear user ccallen,
You have successfully updated the password of your Cityu account.
If you did not authorize this change or if you need assistance with your account, please contact Cityu customer service at: webmaster@cityu.edu.hk
Thank you for using Cityu!
The Cityu Support Team

 

+++ Attachment: No Virus (Clean)
+++ Cityu Antivirus - www.cityu.edu.hk
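
The four-step procedure above, applied to this sample message, as an added example (not part of the original FAQ or any CityU tool). The function name `origin_of`, the result keys and the reading of "starts with 144.214" as the network 144.214.0.0/16 are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Step 3's "starts with 144.214", written as a network (assumed to be the whole /16).
CAMPUS_NET = ipaddress.ip_network("144.214.0.0/16")

# from apparent_hostname ( real_hostname [ IP_Address ] ), real_hostname optional.
HOP = re.compile(
    r"from\s+(?P<apparent>\S+)\s*\(\s*(?:(?P<real>[^\s\[\]]+)\s*)?"
    r"\[\s*(?P<ip>[0-9.]+)\s*\]\s*\)"
)

def origin_of(raw_message):
    """Parse the last Received: header; None if it carries no usable [IP]."""
    received = message_from_string(raw_message).get_all("Received") or []
    m = HOP.search(received[-1]) if received else None
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # malformed address such as [999.1.1.1]
        return None
    return {
        "apparent": m["apparent"],
        "real": m["real"],  # None when absent, note (i)
        "ip": str(ip),
        "on_campus": ip in CAMPUS_NET,
        # note (ii): the apparent name is sender-supplied, flag a mismatch
        "name_mismatch": m["real"] is not None and m["real"] != m["apparent"],
    }

# Headers abbreviated from the page's sample message, folded as a server would.
SAMPLE = """\
Received: from conversion-daemon.mailgw1.cityu.edu.hk by mailgw3.cityu.edu.hk
 id <0HTD00H011A1Q3@mailgw1.cityu.edu.hk>; Fri, 20 Feb 2004 09:50:32 +0800 (CST)
Received: from cityu.edu.hk (056-078.dummy.com [12.34.56.78])
 by mailgw3.cityu.edu.hk with SMTP for ccallen@cityu.edu.hk;
 Fri, 20 Feb 2004 09:50:30 +0800 (CST)
Date: Fri, 20 Feb 2004 09:43:27 +0800
From: webmaster@cityu.edu.hk
To: ccallen@cityu.edu.hk

Dear user ccallen,
"""

if __name__ == "__main__":
    print(origin_of(SAMPLE))
```

The result is only meaningful when the "Received:" line examined was written by a CityU mail server (the host after "by"), as it is here with mailgw3.cityu.edu.hk. Header lines already in the message before it reached that server are supplied by the sender.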

 

Note: For safety, you should protect all your computers (including your home PC, office PC, and notebook computers) with up-to-date anti-virus software. If you are not sure your computer is virus free, you may run a virus scan on it.


IT.ServiceDesk@cityu.edu.hk