Using OS X Mail to spot phishing emails

I have been using this trick for so long it never occurred to me before to write about it. Using OS X’s built-in Mail client you can spot fake (phishing) emails. This is not a tried and tested method and should not be used as your only line of defense against phishing emails but it has helped me spot phishing emails that were pretty damn good. Here we go.

For those unfamiliar with the term, a phishing email is a fake email trying to trick you into installing something, revealing information about something, getting you to enter your name and password somewhere or all of the above. Phishing emails can usually be identified by their obvious mistakes in spelling or grammar but the phishers have been getting better and better at it. This results in a phishing email from PayPal being almost indistinguishable from a real PayPal email and manages to trick many people daily world wide. I use PayPal as an example (and will keep using PayPal for the rest of this article) but of course these fake emails can pretend to be anyone.

If a phishing email is crafted good enough and does not raise suspicion, most people don’t even look at the sender address. If something doesn’t feel right though, most people will glance at the sender address and see that it did indeed come from ‘service@paypal.com’ but the sender address can be easily faked. Something that can not be faked though (or at least I have not seen this) are the headers, specifically the ‘Received’ header. This part of the header, hidden by default in Mail, shows where the email originated and what path it took to get to your inbox. Unless PayPal’s mail server was hacked allowing phishers direct access this part of the header can not be faked.

So, we can use Mail to set up some kind of visual alert that can tell us at a glance if a PayPal email really came from PayPal. It’s a bit of work but for me it has paid off quite a few times.

Create a folder
You can choose to leave all email in your inbox but personally I prefer my mail neatly sorted in different folders. In my case I have a folder set up for all my PayPal email. If you want a folder for whatever you are applying this article to (PayPal, Bank of America, mail from your boss etc.) now is the time to create it.

Gather headers
Find emails from PayPal, select them one at a time and from the View menu go to Message > All Headers.

This will cause an extra block of data to be revealed on top of the email message. Focus on the line that starts with ‘Received: from’ and copy/paste this line into a text document. Select the word ‘from’ and the address that follows, don’t select anything that comes after like the IP address.

Do this for at least 10-15 emails and try to go back a few months to make sure you don’t grab headers from recent emails only. You will end up with a few different headers and some or most of them will be the same. In my case I sampled over 30 emails and ended up with this list:

from mx0.phx.paypal.com
from mx0.slc.paypal.com
from mx1.phx.paypal.com
from mx1.slc.paypal.com
from mx3.slc.paypal.com
from mx2.slc.paypal.com
from outbound.na.e.paypal.com

I previously verified all these emails to be the real deal so I trust this list to be actual PayPal mailservers. Sampling more emails will obviously result in a more detailed list but you can always add to this later.

Create filters
In Mail go to the Mail menu and select Preferences. Once there, select the ‘Rules’ tab on the far right. Now click the ‘Add Rule’ button. Make the description anything you like and move on to the first dropdown menu, default set to ‘Any Recipient’. Click on it and go all the way to the bottom of the list to where it says ‘Edit Header List’. Since the ‘Received’ header is not in this list by default you have to add it manually. A small window will pop up, click the plus button and add “Received” (no quotes, capital R). Then click OK.

Now you can start configuring the filter, or Rule as it’s called in Mail.
Set the first dropdown menu to ‘Received’, second menu to ‘Contains’, enter the first saved string in the text field and then click the round plus button to create a new line. Set the second line up the same way and enter a new saved string in each text field until you’ve covered them all. When you are done it will look something like this:

That took care of the conditions a PayPal email must meet. Now the actions that must be performed when one or more of these conditions are met have to be configured. This is how I configured mine:

I instructed Mail to move all messages that meet my set conditions to a folder names PayPal and to make the background of these emails green. When done, click OK and Mail will ask you if you want this new rule to be applied to existing mail, say yes. The result:

Every email from PayPal that is in this folder and has a green background came from a server that I trust to belong to PayPal. If none of the conditions are met the email will stay in my inbox until I inspect it. Once verified and trusted, I can add that email’s header to the list. This system does not mean you should stop inspecting emails, I use it as a way to draw extra attention to emails that did not get picked up by my Mail rules and like I mentioned, this has paid off in the past.

You can set these type of rules up for anything but as this requires some work I would focus on financial related senders (PayPal, your bank, Amazon, eBay etc.). Similar rules can be set up to help you with that annoying Junk Mail that keeps slipping through the cracks. If you have a lot of email these rules may not catch on right away or take a while to sort through your entire mailbox. To speed things up you can select all your messages, right click on one of them and select ‘Apply rules’.

For additional tips on how to spot phishing emails, have a look at the article I linked to a few times already in this post. You can find it here.

Any comments or feedback you have about this article is welcome.