How to Identify "Spoofed" Email Addresses

13 Keywords: Phishing, Phish, E-mail, Email, Suspicious, Ban, Action, Password, Beta, Hack, Compromise, Security, Fake Keywords: Phishing, Phish, E-mail, Email, Suspicious, Ban, Action, Password, Beta…

Even if you receive an email from a @blizzard.com or @battle.net address, it's still important to remain cautious. This is because it's possible to change how a sending address appears in the "From" field of an email. The process is known as "spoofing" and may cause a phishing email to initially look like it's been sent by Blizzard Entertainment. To determine the actual sending address of an email, you will need to check the email's header information.

How do I access email header information?

Email headers contain information about the sender (who sent the email message), the path the email took to reach your inbox, and things that may have happened to the email before arriving. This information is very important and can be used to determine whether or not an email is malicious.

Most email providers and applications will allow you to view an email's header information with just a few mouse clicks. We've included instructions regarding how to access email headers using some of the more common email providers and applications below.

AOL	Open the email message Click Details under the 'To' field
Gmail	Open the email message Click the down arrow next to the 'Reply' button Select Show Original
Hotmail and MSN	Right-click the email message Select View Message Source
Windows Live	Right-click the email message Select View Source
Yahoo	Open the email message Click on the Full Headers option (in the lower right-hand corner)

For more information on how to view the header, please review the help documentation provided by the e-mail provider or the software package. Additional details regarding how to locate header information using some of the more common applications and web-based e-mail providers can be found here.

What should I look for in the header?

Once you've accessed an email's header information, you'll want to attempt to verify the sending address. To do this, look at the "Return-Path" or the "originating address" for the email. For most phishing emails, the email address displayed in this location will differ from the address displayed in the "From" field.

A legitimate header from Blizzard Entertainment should look something like this:

X-SID-PRA noreplyeu@blizzard.com
or
Return-Path: <noreplyeu@blizzard.com>
Received: from smtp02.blizzard.com ([XX.XXX.XXX.XXX]) by…
Received: from … by smtp02.blizzard.com …
Your Email Address>; Tue, 29 Jan 2008 10:46:05 GMT
From: noreplyeu@blizzard.com
To: Your Email Address

What should I do if I receive a phishing email?

If you believe you've received a phishing email, please forward the email to hacks@blizzard.com at your earliest convenience. When forwarding the email, copy and paste the entire email header into the message body to ensure that we are able to identify the source. This information will help us prevent future phishing emails of the same type.

Updated: 13-Dec-2011 Article ID: 921

	Report Post # written by
Reason
Explain (256 characters max)
	Submit \| Cancel

Reported!

[Close]

Comments (13)

Dotaa
Ghostlands

Profile

Dotaa

5 days, 10 hours ago

i got...

x-store-info:4r51+eLowCe79NzwdU2kR2jqqCgBoD6PP09UsfoVjDBH/ZWVHEf5P4z6yIXyf0lV7ilY77ksnZ6mZ/6NJJ7YL1uKEvt481x3iiqZyjENJuyncrNJDkD/355MJRPg95SozzsiTuqBbgw=
Authentication-Results: hotmail.com; sender-id=none (sender IP is 200.71.212.211) header.from=Newsletter@email.blizzard.net; dkim=none header.d=email.blizzard.net; x-hmca=none
X-SID-PRA: Newsletter@email.blizzard.net
X-SID-Result: None
X-DKIM-Result: None
X-Message-Status: n:0:n
X-AUTH-Result: NONE
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTmjqhOzvWWho/vK8oL2x1FIoEm0Tn+r3D4Vy8IHo2wUnpLHnNn9qmRI4sF2MTPVXWLchQBlfkylBl7cvhhxGWq7nGBqGLsyuh3Xk6S7NvEQ3IKapTO/N15Pi5mAoIvlT2c=
Received: from email.blizzard.net ([200.71.212.211]) by COL0-MC3-F21.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sun, 20 May 2012 09:39:16 -0700
From: "noreply@blizzard.com" <Newsletter@email.blizzard.net>
Subject: World of Warcraft: Mists of Pandaria Beta Test Invitation
To: kingpinjibbs@hotmail.co.uk
Content-Type: text/plain;charset="BIG5"
Content-Transfer-Encoding: 8bit
Date: Mon, 21 May 2012 00:39:53 +0800
X-Priority: 3
X-Mailer: Foxmail 4.2 [cn]
Return-Path: Newsletter@email.blizzard.net
Message-ID: <COL0-MC3-F21mPHpzwL0095e4b5@COL0-MC3-F21.Col0.hotmail.com>
X-OriginalArrivalTime: 20 May 2012 16:39:17.0142 (UTC) FILETIME=[190E5360:01CD36A7]

Congratulations! You've been selected to participate in the beta test of World of Warcraft Mists of Pandaria

As a beta test participant, you'll experience the new content and features of Mists of Pandaria before the expansion is released. Help the Alliance and Horde explore a strange

world cloaked in mists, and wage war against the mysterious Sha energy that threatens to engulf the land. A whole new continent awaits!

Your feedback will directly impact the quality of the final game -- our developers are standing by!

SENDING US FEEDBACK:

We've put up forums where you can discuss the game, which you can find by going to
http://us.battle.wowmory.info/?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%

2Findex.xml&app=bam and scrolling down to the beta forums. You are expected to follow the posting guidelines and forum Code of Conduct at all times while participating in any

discussions. Maintaining a constructive dialog with fellow testers and Blizzard posters will help ensure the forums remain a positive place for discussing and providing feedback

about Mists of Pandaria content.

TROUBLESHOOTING:

If you experience any difficulties running the beta game client, please visit the appropriate beta technical support forum or use our web form.
Sincerely,
Blizzard, Inc.
Copyright 2004-2012 Blizzard, Inc. All rights reserved.

Madmadarr
La Croisade écarlate

Profile

Madmadarr

08/04/2012

i have hotmail and when i right click i got this below ->
x-store-info:4r51+eLowCe79NzwdU2kRwMf1FfZT+JrdcHiixA72G7ZJns5nL8EZ97YMmak2geTLh/AnP49/0G4UeFNL8gxihwsY9/5AA5Q2wJE+lBtyEg6Tfza6Wgw6rEtbVoJtiWN0QksnqkuruIvXkZjauhSig==
Authentication-Results: hotmail.com; sender-id=fail (sender IP is 112.219.92.82) header.from=noreply@battle.net; dkim=none header.d=battle.net; x-hmca=fail
X-SID-PRA: noreply@battle.net
X-SID-Result: Fail
X-DKIM-Result: None
X-Message-Status: n:0:n
X-AUTH-Result: FAIL
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: z6+tzUa3IoSkHoZNP7yC+W8WxC1lAx8/E89hIjvo/VIYyelfykhCFsLxUyT0o0srXik8omlSuTherZqXmveG4iBBN3OSPFw2zzoJcJ79yVJZX8tHUepKqjbAOTaPcXZKxRG1M/gmONPXTet1BfmpYw==
Received: from battle.net ([112.219.92.82]) by SNT0-MC4-F14.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sun, 8 Apr 2012 12:37:23 -0700
From: "Blizzard Entertainment" <noreply@battle.net>
Subject: [EN] Battle.net Account Email Verification - Action Required
To: tom110983@hotmail.com
Content-Type: text/html;charset="GB2312"
Content-Transfer-Encoding: 8bit
Reply-To: noreply@battle.net
Date: Mon, 9 Apr 2012 03:37:29 +0800
X-Priority: 3
X-Mailer: Foxmail 4.2 [cn]
Return-Path: noreply@battle.net
Message-ID: <SNT0-MC4-F14l3tTUqp0008c266@SNT0-MC4-F14.Snt0.hotmail.com>
X-OriginalArrivalTime: 08 Apr 2012 19:37:23.0778 (UTC) FILETIME=[05701220:01CD15BF]

<DIV><includetail>
<TABLE cellSpacing=0 cellPadding=0 width=613 border=0>
<TBODY>
<TR>
<TD width=613 bgColor=#000000>
<TABLE cellSpacing=0 cellPadding=0 width=613 border=0>
<TBODY>
<TR>
<TD vAlign=top width=613 colSpan=54 height=444><A href="https://www.worldofwarcraft.com/account/claim-promotion.html?promoId=SEVEN_DAYS_PROMOTION" target=_blank><SPAN style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px"><IMG style="DISPLAY: block" height=444 src="http://b96.photo.store.qq.com/psb?/4f1f3dc4-3c38-4c6a-ab0b-211279aa3050/mGl..9kp26wKiijNAhfNS96pHMN2Mf7Xn3GiTuSXdZM!/b/YeeSPjm9GgAAYtOEOzkhGwAA" width=613 border=0></SPAN></A></TD></TR>
<TR height="100%">
<TD vAlign=top width=2 bgColor=#010000 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=2 border=0></TD>
<TD vAlign=top width=1 bgColor=#6b7176 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#534d48 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#000201 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#4b4a46 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#282d2c height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#908d88 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#110705 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#190804 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=43 bgColor=#000000 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=43 border=0></TD>
<TD vAlign=top width=1 bgColor=#190904 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#140805 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#090302 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#110903 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#2f0e01 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top width=1 bgColor=#230901 height="100%"><IMG style="DISPLAY: block" height=1 src="http://us.media.blizzard.com/emails/gotyur040711/pixel.gif" width=1 border=0></TD>
<TD vAlign=top widt

Hupalala
Lightbringer

Profile

Hupalala

06/04/2012

If you get some of these e-mails try to keep your mouse of the the Blizzard entertainment, if it's say's 'no-reply(something)' its truth, but the fakes use the 'noreply' which only Blizzard can make truth, just a little hint, and remember not to click, just keep the mouse over the 'Blizzard Entertainment'

Hupalala
Lightbringer

Profile

Hupalala

06/04/2012

@Hupalala: and obviously Blizzard haven't seen that or atleast dont tell it to people since it's a damn easy way to find out, so I hope a GM will see and tell people out in the future!

Orclocker
Kilrogg

Profile

Orclocker

04/04/2012

@Mysterius I had the same e-mail. Just fake. Ignore and delete it.

HybridNoSkil #101

Profile

HybridNoSkil

04/03/2012

Lol, something funny about my e-mails from them is that i haven't played wow for about 3-4 years. And it says it happened recently, lol.
I get that !@#$ regularly and don't pay attention to it -.-''
but their biggest fail was telling me that i tried to sell my TOR account when i don't have one XD

Tiborian
Shadowsong

Profile

Tiborian

03/03/2012

I just found out a little trick to double check this, I don't know if it's been tried yet but here's what I did.

Once you've opened the header, try finding the 'Sender's IP address. Once I entered it in the 'IP finder' I found my e-mail was sent from 'Tapei-Taiwan' so I guess there's my answer :)

Mysterius
Deathwing

Profile

Mysterius

29/02/2012

I also got an e-mail from "Blizzard Entertainment claiming I was trying to sell my account - no I'm not! And yes maybe stupid i followed the link in the email

recieved this email twice this week and i'm not trying to sell my account

Missdevil
The Venture Co

Profile

Missdevil

23/02/2012

so noreply@battle.net is NOT a legit header?

Fatheroldman
Argent Dawn

Profile

Fatheroldman

23/03/2012

@Missdevil: nope no-reply@blizzard.com is legit so is noreplyeu@blizzard.com

Druidgen
Silvermoon

Profile

Druidgen

06/01/2012

got the same message, is this real?? btw im not selling my account and how do u get that kind of information????

Shahan
Genjuros

Profile

Shahan

04/01/2012

hello. i got the same e-mail..lot of times..should i blocked it ? or if i do this. i will stop receving from battle.net or blizzard ?..and unfortunatly i have already follow this link twice...
thank you

Nuguy
Magtheridon

Profile

Nuguy

31/12/2011

Got an e-mail from "Blizzard Entertainment <WoWAccountAdmin@blizzard.com>" claiming I was trying to sell my account - no I'm not!

Battle.net

Support

More