
Thread: How do you decode an email header?

  1. #1
    Flashaholic*
    Join Date
    Apr 2001
    Location
    Massachusetts
    Posts
    4,857

    Default How do you decode an email header?

    For instance, how can I tell where this email actually came from? I've x'd out my email address but left the other header info intact. The body of the email contains a "stock tip". I have been getting a ton of these spam stock tip emails lately, and the Verizon spam detector is not stopping them. I doubt very much the sender's real address is "dzupqr@crazy4guy.com"

    Received: from 222.235.161.241 ([172.18.12.132])
    by vms043.mailsrvcs.net (Sun Java System Messaging Server 6.2-4.02 (built Sep
    9 2005)) with ESMTP id <0IYH00G7OLM79SD0@vms043.mailsrvcs.net> for
    xx.xx@verizon.net; Sat, 29 Apr 2006 09:01:20 -0500 (CDT)
    Received: from uqhx (222.235.161.241)
    by sv6pub.verizon.net (MailPass SMTP server v1.2.0 - 112105154401JY+PrW)
    with SMTP id <5-977-31-977-4156-1-1146319278> for vms043pub.verizon.net; Sat,
    29 Apr 2006 09:01:20 -0500
    Received: from qlv.mxkrwf ([222.235.198.120]) by uqhx (8.13.3/8.13.3)
    with SMTP id k3TE344H077770; Sat, 29 Apr 2006 23:03:04 +0900
    Date: Sat, 29 Apr 2006 22:58:28 +0900
    From: "Rolf Ellis" <dzupqr@crazy4guy.com>
    Subject: hypnotism show-off
    X-Originating-IP: [222.235.161.241]
    To: <xx.xx@verizon.net>
    Message-id: <002301c66b95$61f987db$78c6ebde@qlv.mxkrwf>
    MIME-version: 1.0
    X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    X-Mailer: Microsoft Outlook Express 6.00.2800.1165
    Content-type: multipart/related; type="multipart/alternative";
    boundary="----=_NextPart_000_001F_01C66BE0.D1E12F5F"
    X-Priority: 3
    X-MSMail-priority: Normal
    I live in a van down by the river

  2. #2
    *Flashaholic* KevinL's Avatar
    Join Date
    Jun 2004
    Location
    At World's End
    Posts
    5,801

    Default Re: How do you decode an email header?

    Read in reverse order:

    The source:
    Received: from qlv.mxkrwf ([222.235.198.120]) by uqhx (8.13.3/8.13.3)
    with SMTP id k3TE344H077770; Sat, 29 Apr 2006 23:03:04 +0900

    Passes it to an intermediary:
    Received: from uqhx (222.235.161.241)
    by sv6pub.verizon.net (MailPass SMTP server v1.2.0 - 112105154401JY+PrW)
    with SMTP id <5-977-31-977-4156-1-1146319278> for vms043pub.verizon.net; Sat,
    29 Apr 2006 09:01:20 -0500

    Which sends it to Verizon's servers to be delivered to you:
    Received: from 222.235.161.241 ([172.18.12.132])
    by vms043.mailsrvcs.net (Sun Java System Messaging Server 6.2-4.02 (built Sep
    9 2005)) with ESMTP id <0IYH00G7OLM79SD0@vms043.mailsrvcs.net> for
    xx.xx@verizon.net; Sat, 29 Apr 2006 09:01:20 -0500 (CDT)



    I know it sounds tempting to report spam, but nobody cares these days. I just rely on better and better junk filters on my servers and my desktop. Eudora 7 is not too bad.


    I ran a trace for you anyway.. it's coming from Korea. I believe the mail server is a legitimate ISP-owned mail server, and it's one of their subscribers doing the dirty deed. I could be wrong (wouldn't be the first time), but that's my guess.

    (btw - all of this is publicly available information that every netblock owner must register with their appropriate Internet Registry to be made available on the Internet for use in the event that they should need to be contacted. Yes.. I attend the regional registry events and briefings for my region and we are preached to about this)


    IPv4 Address : 222.235.160.0-222.235.191.255
    Network Name : HANANET-INFRA
    Connect ISP Name : HANANET
    Connect Date : 20050327
    Registration Date : 20050329
    Publishes : Y

    [ Organization Information ]
    Organization ID : ORG3930
    Org Name : Hanaro Telecom Inc.
    Address : Yeoeuido-dong Yeongdeungpo-gu SEOUL
    Detail address : 17-7 Asia One Bldg.
    Zip Code : 150-874

    [ Technical Contact Information ]
    Name : IP Manager
    Org Name : Hanaro Telecom Inc.
    Address : Yeoeuido-dong Yeongdeungpo-gu SEOUL
    Detail address : 17-7 Asia One Bldg.
    Zip Code : 150-874
    Phone : +82-2-106-2
    E-Mail : ip-adm@hanaro.com

    --------------------------------------------------------------------------------

    If the above contacts are not reachable, please contact following ISP
    for further information.

    [ ISP IPv4 Admin Contact Information ]
    Name : IP Administrator
    Phone : +82-2-106-2
    E-Mail : ip-adm@hanaro.com

    [ ISP IPv4 Tech Contact Information ]
    Name : IP Manager
    Phone : +82-2-106-2
    E-Mail : ip-adm@hanaro.com

    [ ISP Network Abuse Contact Information ]
    Name : Network Abuse
    Phone : +82-2-106-2
    E-Mail : abuse@hanaro.com
    Last edited by KevinL; 04-29-2006 at 09:13 AM.
    Celebrating the ROP.. 5 years of history

  3. #3
    *Flashaholic* gadget_lover's Avatar
    Join Date
    Oct 2003
    Location
    Near Silicon Valley (too near)
    Posts
    6,962

    Default Re: How do you decode an email header?

    One of the things to keep in mind when reading the headers is that they can be faked. You can only trust them 100% when they are created by a trusted source. Your mail server appears to be vms043.mailsrvcs.net. The very first "Received:" header shows it was sent by a system claiming to be 222.235.161.241 but actually from a private address 172.18.12.132 that does not resolve to a name. The private address leads one to believe that it's an internal mail delivery relay.

    The second "Received:" header shows that Verizon got it from 222.235.161.241, an address that does not resolve.

    Unfortunately, you cannot trust it beyond that. There could be another 15 "Received:" headers, but they could all be faked.

    As a matter of policy, my mail servers don't accept mail from addresses that don't resolve to a name. All mail servers are supposed to have registered addresses, so unless there's a DNS screwup, mail like this is from a rogue.

    This policy is not as drastic as it seems. I give a 'soft' error so the mail delivery should be attempted later if it's a valid mail server.

    Daniel
    ===================================================
    I have got to plan my procrastination better!
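    The two answers above describe the procedure: read the "Received:" stamps from the bottom up, and treat as fact only the stamps written by servers you trust. The script below is an added example for this thread (not code from any poster) that does exactly that over the header from the first post. TRUSTED_SUFFIXES is an assumption about which hosts belong to the recipient's own provider; change it for your own mail system.

```python
"""Read a Received: chain the way the thread describes: the stamp at the
bottom of the header is the oldest, and only stamps written by servers you
trust are facts. Added example for this thread, not code from any poster.
TRUSTED_SUFFIXES is an assumption about which hosts belong to your own
provider; the sample header is the one quoted in the first post."""
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Header from the first post (local part redacted there as xx.xx), folded
# the way a real header is: continuation lines start with whitespace.
SAMPLE_HEADER = """\
Received: from 222.235.161.241 ([172.18.12.132])
 by vms043.mailsrvcs.net (Sun Java System Messaging Server 6.2-4.02 (built Sep
 9 2005)) with ESMTP id <0IYH00G7OLM79SD0@vms043.mailsrvcs.net> for
 xx.xx@verizon.net; Sat, 29 Apr 2006 09:01:20 -0500 (CDT)
Received: from uqhx (222.235.161.241)
 by sv6pub.verizon.net (MailPass SMTP server v1.2.0 - 112105154401JY+PrW)
 with SMTP id <5-977-31-977-4156-1-1146319278> for vms043pub.verizon.net; Sat,
 29 Apr 2006 09:01:20 -0500
Received: from qlv.mxkrwf ([222.235.198.120]) by uqhx (8.13.3/8.13.3)
 with SMTP id k3TE344H077770; Sat, 29 Apr 2006 23:03:04 +0900
Date: Sat, 29 Apr 2006 22:58:28 +0900
From: "Rolf Ellis" <dzupqr@crazy4guy.com>
Subject: hypnotism show-off
X-Originating-IP: [222.235.161.241]
To: <xx.xx@verizon.net>
Message-id: <002301c66b95$61f987db$78c6ebde@qlv.mxkrwf>
"""

# Assumption: these are the receiving provider's own mail hosts, whose
# stamps the recipient can trust. Everything below them is hearsay.
TRUSTED_SUFFIXES = ("verizon.net", "mailsrvcs.net")

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
FROM_RE = re.compile(r"from\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


@dataclass
class Hop:
    claimed_name: str        # what the connecting host called itself (HELO)
    peer_ip: Optional[str]   # address the receiving server actually saw
    receiver: str            # the "by" host that wrote this stamp
    trusted: bool            # written by one of your provider's servers
    routable: bool           # peer address is public, not RFC 1918/internal


def parse_hops(raw_header: str, trusted=TRUSTED_SUFFIXES) -> List[Hop]:
    """Return the hops oldest first, i.e. the header read bottom-up."""
    msg = email.message_from_string(raw_header)
    hops = []
    for stamp in msg.get_all("Received", []):
        stamp = " ".join(stamp.split())        # unfold continuation lines
        m_from, m_by = FROM_RE.search(stamp), BY_RE.search(stamp)
        if not m_from or not m_by:
            continue                           # e.g. "Received: by ..." local stamps
        ip_m = IPV4.search(m_from.group(2) or "")
        ip = ip_m.group(0) if ip_m else None
        receiver = m_by.group(1).lower()
        hops.append(Hop(
            claimed_name=m_from.group(1),
            peer_ip=ip,
            receiver=receiver,
            trusted=receiver.endswith(tuple(trusted)),
            routable=ip is not None and ipaddress.ip_address(ip).is_global,
        ))
    hops.reverse()
    return hops


def first_external_ip(hops: List[Hop]) -> Optional[str]:
    """Walk newest stamp first and stop at the first one not written by a
    trusted server. The peer address of the oldest trusted stamp is the
    last thing you can rely on: the sender's own relays wrote the rest."""
    oldest_trusted = None
    for hop in reversed(hops):
        if not hop.trusted:
            break
        oldest_trusted = hop
    return oldest_trusted.peer_ip if oldest_trusted else None


if __name__ == "__main__":
    chain = parse_hops(SAMPLE_HEADER)
    for hop in chain:
        flag = "trusted" if hop.trusted else "UNVERIFIED"
        net = "" if hop.routable else " (non-routable, internal relay)"
        print(f"{hop.claimed_name} [{hop.peer_ip}] -> {hop.receiver}  {flag}{net}")
    print("last verifiable source:", first_external_ip(chain))
```

    Run against the quoted header it lists the three hops oldest first, marks the "by uqhx" stamp as unverified, flags 172.18.12.132 as an internal relay, and reports 222.235.161.241 as the last address a Verizon server actually saw on the wire. Abuse reports should name that address, not the one in the bottom stamp, which the sending side could have written itself.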

  4. #4
    Flashaholic* ACMarina's Avatar
    Join Date
    Sep 2004
    Location
    Brookston, IN
    Posts
    3,117

    Default Re: How do you decode an email header?

    Get a good email program and just junk them - mine is doing just fine, I get "Stock Tips" but I never see them..
    I love my Al-PD

  5. #5
    Flashaholic*
    Join Date
    Apr 2001
    Location
    Massachusetts
    Posts
    4,857

    Default Re: How do you decode an email header?

    I'm always afraid with the automatic spam detector programs that it might delete legit email, something that might be important from a friend or relative.
    I live in a van down by the river

  6. #6

    Default Re: How do you decode an email header?

    Only the worst anti-spam programs would delete spam. Most provide some means of reviewing those caught by the filter, in case you want to scan it quickly. Then you can go ahead and delete them if you wish.

    Thunderbird moves those that you've designated as "junk" to the junk folder, and learns from those you've designated as to what you consider spam.

  7. #7
    Flashaholic*
    Join Date
    Jun 2003
    Location
    SF Bay Area
    Posts
    2,090

    Default Re: How do you decode an email header?

    I only get 1-10 junk mails per day... And I use Thunderbird with the Junk mail filter... It has only mistakenly junked one good email--it was the first one I had ever received from our DARELL ....

    -Bill

  8. #8
    Flashaholic
    Join Date
    Jun 2005
    Location
    Under God.
    Posts
    160

    Default Re: How do you decode an email header?

    Also just a bit of additional info. On the spam/sinister side of things... the person could be using ways to play shadow games. In other words what gadget_lover stated and possibly then some... Botnets, zombies, other cracked systems could be being used to start the email. And to further agree with KevinL, most could care less. I've gotten into some heated emails only to have the other end throwing in the towel.

    Sincerely,

    Shaman
    Ephesians 5:8 (KJV) - For ye were sometimes darkness, but now are ye light in the Lord: walk as children of light:

  9. #9
    Flashaholic*
    Join Date
    Feb 2006
    Location
    Ventura, CA.
    Posts
    2,025

    Default Re: How do you decode an email header?

    I've been getting dozens of things like this for a week or more -- someone using my address as their fake return address:

    (I removed a letter or two here and there where my addy appears to throw off bots, or did I do it wrong?)

    Anyone know how to locate and dispatch these hell hounds?

    ------------
    This report relates to a message you sent with the following header fields:

    Status: U
    Return-Path: <>
    Received: from ar-goshawk.pas.sa.earthlink.net ([207.217.120.227])
    by mx-collie.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1fzP8N3WR3Nl36t3
    for <tedsplace@arthlink.net>; Sat, 29 Apr 2006 09:05:41 -0400 (EDT)
    Received: from mx13-dom.earthlink.net ([207.217.120.107] helo=whmx-evening.pas.sa.erthlink.net)
    by ar-goshawk.pas.sa.earthlink.net with smtp (Exim 3.36 #4)
    id 1FZp7w-0005Sd-00
    for tedsplace@earthlin.net; Sat, 29 Apr 2006 06:04:48 -0700
    X-ELNK-Loop: postmaster@tedsplace.com
    Received: from avas-mx06.fibertel.com.ar ([24.232.0.189])
    by whmx-evening.pas.sa.earthlink.net (EarthLink Mail Service) with ESMTP id 1fzP7R1gQ3NZFkO0
    for <ehk@tdsplace.com>; Sat, 29 Apr 2006 06:04:43 -0700 (PDT)
    Received: from mig1 ([10.10.10.171]:61614 "EHLO smtp.fibertel.com.ar")
    by avas-mx06.fibertel.com.ar with ESMTP id S1097958AbWD2NEb;
    Sat, 29 Apr 2006 10:04:31 -0300
    Received: from process-daemon.mta1.fibertel.com.ar by mail.fibertel.com.ar
    (Fibertel S.A. - Argentina) id <0IYH00G01IT8C500@mta1.fibertel.com.ar> for
    ehk@edsplac.com; Sat, 29 Apr 2006 10:04:31 -0300 (ART)
    Received: from mail.fibertel.com.ar (Fibertel S.A. - Argentina)
    id <0IYH00G0ZIZJR400@mta1.fibertel.com.ar>; Sat,
    29 Apr 2006 10:04:31 -0300 (ART)
    Date: Sat, 29 Apr 2006 10:04:31 -0300 (ART)
    From: Internet Mail Delivery <postmaster@fibertel.com.ar>
    Subject: Delivery Notification: Delivery has failed
    To: ehk@tedsplace.com
    Message-id: <0IYH00G11IZJR400@mta1.fibertel.com.ar>
    MIME-version: 1.0
    Content-type: multipart/report;
    boundary="Boundary_(ID_SL6nGAz6oFJ6mrucxYV9gw)"; report-type=delivery-status
    X-ELNK-Info: spv=0;
    X-ELNK-AV: 0
    X-ELNK-Info: sbv=2; sbrc=-0; sbf=00; sbw=011;

    Message-id: <000501c66b8d$6679d98a$1d909a46@zwni>
    Date: Sat, 29 Apr 2006 08:55:42 -0400
    From: Dorian Gregg <ehk@tedsplace.co>
    To: clarisa@fibertel.com.ar
    Subject: {posible spam} effigy

    Your message cannot be delivered to the following recipients:

    Recipient address: @stov2.fibertel.com.ar:clarisa@ims_daemon
    Original address: clarisa@fibertel.com.ar
    Reason: LMTP transmission failure has occurred
    Diagnostic code: smtp;522 5.2.0 Delivery failed: Over quota
    Remote system: dns;stov2.fibertel.com.ar (sto02. -- Server LMTP [Sun ONE Messaging Server 6.1 HotFix 0.11 [built Jan 28 2005]])

  10. #10
    Flashaholic*
    Join Date
    Jun 2003
    Location
    SF Bay Area
    Posts
    2,090

    Default Re: How do you decode an email header?

    There is a good chance that somebody is using your return address based on a "stolen" email list, either from one of your "friends" or from one of your own PCs... If it is one of your friends, there may not be a lot that you can do except to call the person(s) that you think may be responsible and tell them they may have a problem with their PC.

    Is there any chance that you have virus/Trojan/etc. on one of your own computers?

    One quick way, for me, was to temporarily install the free edition of ZoneAlarm and see if I have any processes that sneaked into my PC... I set it to warn me of every program that attempts to access the Internet--if there is one that I don't recognize, I put that name into Google and see if there are any problems with that program...

    If your ISP is Earthlink (or one of the other ISPs with good support help), I would try support and see if they can help you from their side to see if it is your problem or not (they may be able to check the server logs and see if you are sending an unusual number of emails).

    -Bill
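    The bounce quoted two posts up, and the explanation in this one, describe backscatter: a failure report for a message you never sent, generated because someone put your address in the return path. The script below is an added example for this thread (not code from any poster) that sorts such reports from real bounces. The sample DSN, the domains in it and MY_OUTBOUND_IPS are constructed placeholders, modelled on the quoted report.

```python
"""Tell a genuine bounce from backscatter: a delivery failure report for a
message you never sent, produced because a spammer put your address in the
return path. Added example for this thread, not code from any poster. The
sample DSN, the domains in it and MY_OUTBOUND_IPS are constructed."""
import email
import re
from email.message import Message
from typing import Optional

# Assumption: the public addresses of the servers that relay your outgoing
# mail. A real bounce to you has one of them in the reporting MTA's stamp.
MY_OUTBOUND_IPS = {"203.0.113.5"}

# Constructed DSN modelled on the one quoted above: the bounced "original"
# was injected from 198.51.100.23, not from any server of ours.
SAMPLE_DSN = """\
Return-Path: <>
Received: from mx.bounce-origin.example.net ([192.0.2.10])
 by mx.example.com with ESMTP id abc123
 for <you@example.com>; Sat, 29 Apr 2006 06:04:43 -0700 (PDT)
From: Internet Mail Delivery <postmaster@bounce-origin.example.net>
To: you@example.com
Subject: Delivery Notification: Delivery has failed
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="B1"

--B1
Content-Type: text/plain

Your message cannot be delivered to the following recipients:
  Recipient address: someone@bounce-origin.example.net
  Reason: Over quota

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.bounce-origin.example.net

Final-Recipient: rfc822; someone@bounce-origin.example.net
Action: failed
Status: 5.2.0

--B1
Content-Type: text/rfc822-headers

Received: from zwni ([198.51.100.23]) by mx.bounce-origin.example.net
 with SMTP id xyz; Sat, 29 Apr 2006 08:55:42 -0400
Message-ID: <000501c66b8d$6679d98a$1d909a46@zwni>
From: Dorian Gregg <you@example.com>
To: someone@bounce-origin.example.net
Subject: {posible spam} effigy

--B1--
"""

PEER_RE = re.compile(r"from\s+\S+\s*\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.I)


def is_dsn(msg: Message) -> bool:
    """RFC 3464 failure reports come with an empty return path and a
    multipart/report body of report-type delivery-status."""
    return (msg.get("Return-Path", "").strip() == "<>"
            and msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status")


def original_headers(dsn: Message) -> Optional[Message]:
    """Headers of the bounced message, whichever form the reporting MTA
    chose: a full message/rfc822 copy or just text/rfc822-headers."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None


def injecting_ip(original: Message) -> Optional[str]:
    """Peer address in the newest Received: stamp of the bounced message,
    i.e. the host the reporting MTA itself accepted it from. That stamp was
    written by the bouncing server, so unlike From: it is not the sender's
    to forge."""
    stamps = original.get_all("Received", [])
    if not stamps:
        return None
    m = PEER_RE.search(" ".join(stamps[0].split()))
    return m.group(1) if m else None


def classify_bounce(raw: str, my_ips=MY_OUTBOUND_IPS) -> str:
    """'backscatter', 'genuine-bounce', 'dsn-without-original' or 'not-a-dsn'."""
    dsn = email.message_from_string(raw)
    if not is_dsn(dsn):
        return "not-a-dsn"
    original = original_headers(dsn)
    if original is None:
        return "dsn-without-original"
    return "genuine-bounce" if injecting_ip(original) in my_ips else "backscatter"


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_DSN))   # 198.51.100.23 is not one of ours
```

    The check rests on the newest stamp in the returned headers, the one the bouncing server wrote when it accepted the message; if that peer is not one of your outbound relays, the message did not pass through your systems and the report can be discarded rather than investigated. Where the bouncing site fronts its MTA with internal relays, the newest stamp shows the relay instead, so compare against the site-facing address in that case.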

  11. #11
    Flashaholic* gregw's Avatar
    Join Date
    Jun 2004
    Location
    Hong Kong
    Posts
    1,511

    Default Re: How do you decode an email header?

    I am getting probably over 100 spam per day, but never see them as I've subscribed to an email account at Spamcop.net. The cost is $30 per year, and there isn't any limit on the amount of emails you can keep on the server (for now). You can use any POP/IMAP capable email software to download/sync with your email account. It automatically segregates all spam to a "Held Mail" folder, which you can check through, as well as report all the spam with a single click. Works very well...

    If you want to just report the spam, you can also do it at Spamcop.net. Reporting spam is good as it keeps the black lists current, and helps everyone else to filter the spam instead of letting it through to their inbox..
    Last edited by gregw; 04-29-2006 at 08:03 PM.
