Published in Nerd For Tech

Phishing mail samples and inspection

Phishing emails are usually easy to identify; most of them are not carefully crafted, like the following:

Sample 1

The subject “IT-” and the sender domain “” simply don’t align, and from Hotmail I would expect a polished HTML email with graphics and a better layout (and a capitalized “Hotmail”).

Sample 2

Similarly, how would Google (and “Google Photos Hosting” does not even imply it’s the famous Google company we know) send email from the domain “”? Google normally uses specific subjects and a better footer design and disclaimer.

A valid Google email footer I used to see:

Sample 3

This email is a common delivery-notification phishing email. The first thing to notice is that the “To” line in the email body uses my email alias (not my name), so they don’t know my name at all, which is odd. Also, SF Express is a local company here in Hong Kong, so I would expect a Chinese email instead, and the email text is not commercial writing (too short, too simple and too direct).

Again, the key is that the email domain does not align with SF Express.

See my other mail on (again, respect to which replied promptly and took action on inspecting their service being abused, while the other service providers in the article did not even reply).

Short conclusion before the more complicated cases

The domain name of the email sender is very important information: be wary when the sender is from an unknown domain or from a domain name that differs from the company name (sometimes they are clever enough to register something very similar, like using a “1” to fake an “l”, or using an “l” to fake an “I” (capital letter “i”)).

For all emails like that, it’s much easier to spot on a PC than on a mobile device, where the screen is smaller and the app design might hide some less important information or make it look small.
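The domain checks just described can be partly automated. The following is an added example, not code from the original post: a small Python checker that parses the From header, compares the sender domain against a known-good list for the brand, and folds the confusable characters mentioned above (“1”/“l”, “l”/“I”, plus “0”/“o”) so that lookalike registrations compare equal to the brand name. The brand names, sample senders and allowlists are constructed for illustration and are not the real domains from the samples.

```python
import re
from email.utils import parseaddr

# Confusable characters the article mentions ("1" for "l", "l" for a capital
# "I"), plus "0" for "o". Both sides are folded before comparison so that a
# lookalike label compares equal to the genuine brand name.
_FOLD = str.maketrans({"1": "l", "i": "l", "0": "o"})


def fold(text: str) -> str:
    """Lower-case, drop separators, and fold confusable characters."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(_FOLD)


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header value, or '' if no address is present."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, brand: str, legit_domains: set) -> str:
    """
    Verdicts:
      'match'      - domain is on the brand's known-good list
      'lookalike'  - brand name appears in the domain after folding, but the
                     domain is not on the list (e.g. hotmai1-security.example)
      'unrelated'  - domain has nothing to do with the brand the display name
                     claims (the "unknown domain" case in samples 2 and 3)
      'unparsable' - no usable address in the header
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unparsable"
    if domain in legit_domains:
        return "match"
    return "lookalike" if fold(brand) in fold(domain) else "unrelated"


# Constructed sample senders and allowlists (hypothetical, not the real samples).
SAMPLES = [
    ("Hotmail Support <support@hotmai1-security.example>", "Hotmail", {"hotmail.com", "outlook.com"}),
    ("SF Express <notice@sf-express.com>", "SF Express", {"sf-express.com"}),
    ("SF Express <notice@parcel-notice.example>", "SF Express", {"sf-express.com"}),
    ("Hongkong Post <delivery@hongkongpost.example>", "Hongkong Post", {"hongkongpost.hk"}),
]


def inspect_samples():
    """Return (sender, verdict) pairs for the constructed samples above."""
    return [(hdr, classify_sender(hdr, brand, legit)) for hdr, brand, legit in SAMPLES]


if __name__ == "__main__":
    for hdr, verdict in inspect_samples():
        print(f"{verdict:10s} {hdr}")
```

The allowlist is the important input: a display name saying “SF Express” proves nothing, so only the domain part is compared, and a brand name embedded in an unlisted domain is treated as a lookalike rather than a match.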

Sample 4

This one looks more “valid”, as the email content looks more “real” (the HTML email body, image and layout).

Still, we can see several things that don’t align. First, we have an attachment with 0 bytes, which is highly suspicious. In the footer we have the company name “hongkongpost” (not capitalized and not properly spaced; the real name is “Hongkong Post”). Last but not least, again it’s the domain.

Sample 5

This one was actually caught by the junk mail detector, but it took me some time to confirm.

First of all, the email looks legitimate and the footer looks very real. The domain name is real as well; I did check with the service provider, and their customer service email is actually “”.

Then I suspected the email might fake its “From” address and was actually sent from another address, so I went ahead and read the email source.

The email header shows some interesting lines:

First, SPF did not pass, and the lookup of failed on a DNS timeout, which, before I dug deeper, I thought was just because DNS was having issues at the time the mail was checked.

Then I took the IP address, which is from Latvia, and voilà, it must be spam (if it were from the US, I would probably have puzzled over it a bit more).
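The header walk just described (SPF result, the envelope sender domain, the originating IP) can be scripted. This is an added example, not code from the original post: it parses a constructed set of headers with Python’s standard email module and reports the same facts a human reads off the source. The country lookup cannot be done offline, so the example instead checks the originating IP against an assumed list of networks the vendor is known to send from; every hostname, domain and address below is a placeholder, not one from the real sample.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the symptoms described above: SPF did not pass
# because the lookup timed out, and the first external hop is outside the
# vendor's networks. All names and addresses are placeholders.
SAMPLE_RAW = """\
Received: from mx.receiver.example (mx.receiver.example [192.0.2.10])
    by inbox.receiver.example; Mon, 1 Mar 2021 10:00:02 +0000
Received: from relay.vendor.example (unknown [198.51.100.77])
    by mx.receiver.example; Mon, 1 Mar 2021 10:00:01 +0000
Received-SPF: temperror (mx.receiver.example: DNS timeout looking up vendor.example)
Authentication-Results: mx.receiver.example; spf=temperror smtp.mailfrom=vendor.example;
    dkim=none
From: Customer Service <service@vendor.example>
To: alias@receiver.example
Subject: Your account statement
Content-Type: text/plain; charset="utf-8"

Please review the attached statement.
"""

# Hops inside these ranges are internal relays, never the true origin.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_message(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def spf_result(msg) -> str:
    """SPF verdict: Authentication-Results first, Received-SPF as fallback."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", str(value))
        if m:
            return m.group(1).lower()
    for value in msg.get_all("Received-SPF", []):
        m = re.match(r"\s*(\w+)", str(value))
        if m:
            return m.group(1).lower()
    return "none"


def envelope_domain(msg) -> str:
    """Domain of the SMTP MAIL FROM as recorded by the receiving server."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"smtp\.mailfrom=(?:[^\s;@]+@)?([^\s;]+)", str(value))
        if m:
            return m.group(1).lower()
    return ""


def origin_ip(msg) -> str:
    """Address of the earliest external hop. Each server prepends its own
    Received header, so the earliest hop is the last header; walk from the end
    and return the first bracketed IP that is not an internal relay. Anything
    below the header written by your own server was supplied by the sender."""
    for hop in reversed(msg.get_all("Received", [])):
        for candidate in re.findall(r"\[([0-9a-fA-F.:]+)\]", str(hop)):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if not any(ip in net for net in _INTERNAL):
                return str(ip)
    return ""


def inspect(raw: str, vendor_networks) -> dict:
    """Collect the header facts checked by hand above and flag mismatches.
    vendor_networks: CIDR strings the vendor is assumed to send from."""
    msg = parse_message(raw)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    mail_from = envelope_domain(msg)
    spf = spf_result(msg)
    ip = origin_ip(msg)
    nets = [ipaddress.ip_network(n) for n in vendor_networks]
    findings = []
    if spf != "pass":
        findings.append(f"spf={spf}")
    if mail_from and mail_from != from_domain:
        findings.append(f"header From {from_domain} differs from envelope {mail_from}")
    if not ip or not any(ipaddress.ip_address(ip) in n for n in nets):
        findings.append(f"origin {ip or 'unknown'} is not in the vendor's known networks")
    return {"from_domain": from_domain, "envelope_domain": mail_from, "spf": spf,
            "origin_ip": ip, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in inspect(SAMPLE_RAW, ["203.0.113.0/24"])["findings"]:
        print("-", line)
```

A temperror is not a fail, which is why the author’s first instinct (a transient DNS problem) was reasonable; the example treats anything other than pass as a finding so that the origin IP check still runs and the two signals are weighed together.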

Side note

While writing this article, I noticed a weird thing in the email content, in the “real-ish” footer: a Simplified Chinese “click here” within Traditional Chinese wording:

Also, the font size does not really look right (when I inspect it carefully).


Even though spam mail detectors are doing pretty well, it’s still our own responsibility to be careful about spam/phishing email.

Great reference


