
I got an e-mail (in my spam folder) from usercenter@idcenter.uc.cn which asks me to click a link to validate my login for their website. Obviously, I deleted this e-mail without clicking its link. But, I am still wondering if this e-mail was sent by one of the many websites where I had registered for some webinar or white paper.

Out of curiosity, I searched google for this e-mail id and for idcenter.uc.cn but found almost nothing. Luckily MyWot had some info for this and some info about the registrar too. But, I am not even sure if MyWot is correct. Moreover, if there is no source like mywot, then how do I find out the source of such e-mails and verify if the source is legitimate or not? It's a different matter that the source may be legitimate, but was hijacked.

MyWOT profile for this - 

http://www.mywot.com/en/scorecard/idcenter.uc.cn

Registrant (from China) - http://whois.domaintools.com/uc.cn

广州市动景计算机科技有限公司 - Guangzhou move King Computer Technology Co., Ltd.
Result - awards and honors page of company

Sponsoring registrar (China) - 

北京新网数码信息技术有限公司 - Beijing Xin Net Technology Co., Ltd.

Some result - http://spamtrackers.eu/wiki/index.php/Xin_Net


1 Answer


To find the source of an email, you need to look at email headers. In Gmail, click the down arrow next to the reply button, and choose "Show Original". If you use a different email program, check this list, or use Google.

In general, the bottom-most "Received:" line indicates the source of the email. This isn't 100% reliable, but is good enough in most cases.

Here is an example (from http://whatismyipaddress.com/email-header) showing that the email sent to example_to@imaps.bath.dc.uk originated from 205.206.231.19.

Received: from tom.bath.dc.uk ([138.38.32.21] ident=yalrla9a1j69szla2ydr) by steve.wrath.dc.uk with esmtp (Exim 3.36 #2)id 19OjC3-00064B-00 for example_to@imaps.bath.dc.uk; Sat, 07 Jun 2005 20:17:35 +0100

Received: from write.example.com ([205.206.231.26]) by tom.wrath.dc.uk with esmtp id 19OjBy-0001lb-3V for example_to@bath.ac.uk; Sat, 07 Jun 2005 20:17:30 +0100

Received: from master.example.com (lists.example.com [205.206.231.19]) by write.example.com (Postfix) with QMQP id F11418F2C1; Sat, 7 Jun 2005 12:34:34 -0600 (MDT)

I strongly hold the view that the most reliable way to verify if an email is legitimate is to contact the (purported) sender via a different method, and ask them. Technical analysis of the headers might indeed show that an email came from company X, but what if the sender had his account hacked? Doing this also alerts the sender of a breach, if it has occurred, doing them a great service.

Finally, good that you didn't click the link - clicking on unknown links in suspicious emails is risky. There are some tools to help you evaluate a link without visiting it - I find URLquery and VirusTotal to be very good. Others may have additional suggestions.

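A small parser for the Received: chain the answer describes, added here as an example that is not part of the original answer. It embeds the three sample headers quoted above as a constructed raw message (the regexes and function names are my own), reads the bottom-most hop's IP, and also flags hops where the "by" host of one line does not match the "from" host of the next line, which in this very sample (tom.wrath.dc.uk vs tom.bath.dc.uk) shows why the bottom-most line is not 100% reliable on its own.

```python
import re
from email import message_from_string

# Constructed raw header block: the three Received: lines quoted in the answer
# (pre-unfolded, one header per line), followed by the blank line that ends headers.
RAW_HEADERS = """\
Received: from tom.bath.dc.uk ([138.38.32.21] ident=yalrla9a1j69szla2ydr) by steve.wrath.dc.uk with esmtp (Exim 3.36 #2)id 19OjC3-00064B-00 for example_to@imaps.bath.dc.uk; Sat, 07 Jun 2005 20:17:35 +0100
Received: from write.example.com ([205.206.231.26]) by tom.wrath.dc.uk with esmtp id 19OjBy-0001lb-3V for example_to@bath.ac.uk; Sat, 07 Jun 2005 20:17:30 +0100
Received: from master.example.com (lists.example.com [205.206.231.19]) by write.example.com (Postfix) with QMQP id F11418F2C1; Sat, 7 Jun 2005 12:34:34 -0600 (MDT)

"""

# "from <name> (<info>) by <host>"; the bracketed IP inside <info> is what the
# receiving server actually observed, the <name> is only what the sender claimed.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Hops in delivery order (earliest first): index 0 is the bottom-most
    Received: header. Each hop is (claimed_name, observed_ip, receiving_host)."""
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(line.split()))
        if not m:
            continue  # non-standard clause: skip rather than guess
        ip = IP_RE.search(m.group("info"))
        hops.append((m.group("helo"), ip.group(1) if ip else None, m.group("by")))
    return hops


def origin_ip(raw):
    """IP seen by the first receiving server, i.e. the bottom-most Received: line."""
    hops = received_hops(raw)
    return hops[0][1] if hops else None


def chain_breaks(raw):
    """Pairs (receiving_host, next_claimed_name) that do not match. A break means
    a line was forged or rewritten, or the path is not traceable from these headers."""
    hops = received_hops(raw)
    return [(hops[i][2], hops[i + 1][0])
            for i in range(len(hops) - 1) if hops[i][2] != hops[i + 1][0]]


if __name__ == "__main__":
    print("origin:", origin_ip(RAW_HEADERS))
    print("chain breaks:", chain_breaks(RAW_HEADERS))
```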