Full Version: Help beginner to analyse the sample headers
pbsdis
Hi,

I am brand new to the email headers (not talking about spam), but I would like and need to have some knowledge of them now. I list two email headers below; they are (assumed) from the same sender with the same machine. Is this correct, and how can I tell that from the headers? BTW, the emails are from China; how can I tell where the sender's system is? What is the info I should look at to find the above items?


QUOTE
From =?gb2312?B?zv3B1rjfzd64383e?= Fri May 22 17:10:04 2009
Return-Path: <replaced@live.cn>
Authentication-Results: mta130.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)
Received: from 65.55.116.84 (EHLO blu0-omc3-s9.blu0.hotmail.com) (65.55.116.84) by mta130.mail.cnb.yahoo.com with SMTP; Fri, 22 May 2009 17:10:07 +0800
Received: from BLU142-W6 ([65.55.116.72]) by blu0-omc3-s9.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 May 2009 02:10:05 -0700
Message-ID: <BLU142-W61D9CB9D64971BCBF26E7C4560[at]phx.gbl>
Return-Path: replaced@live.cn
Content-Type: multipart/alternative; boundary="_95acf702-5617-4f95-828f-9bbaeb83ee81_"
From: =?gb2312?B?zv3B1rjfzd64383e?= <replaced@live.cn> 查看联系人资料
To: <replaced@yahoo.com.cn>
Subject: =?gb2312?B?u9i4tA==?=
Date: Fri, 22 May 2009 09:10:04 +0000
Importance: Normal
MIME-Version: 1.0
Content-Length: 829


From =?gb2312?B?zv3B1rjfzd64383e?= Tue May 26 16:15:19 2009
Return-Path: <replaced@live.cn>
Authentication-Results: mta128.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)
Received: from 65.55.116.104 (EHLO blu0-omc3-s29.blu0.hotmail.com) (65.55.116.104) by mta128.mail.cnb.yahoo.com with SMTP; Tue, 26 May 2009 16:16:23 +0800
Received: from BLU142-W14 ([65.55.116.72]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 01:15:20 -0700
Message-ID: <BLU142-W14E5BA21777E0A83388373C4520[at]phx.gbl>
Return-Path: replaced@live.cn
Content-Type: multipart/alternative; boundary="_2e821a2a-bc19-4feb-a1cc-9cb691bfbf08_"
From: =?gb2312?B?zv3B1rjfzd64383e?= <replaced@live.cn> 查看联系人资料
To: =?gb2312?B?sc8g0cex8g==?= <replaced@yahoo.com.cn>
Subject:
Date: Tue, 26 May 2009 08:15:19 +0000
Importance: Normal
MIME-Version: 1.0
Content-Length: 872



Thanks

P.S. I replaced the USER IDs for the sender and receiver.
rconner
Normally, if you are going to post headers on this board, folks here prefer them to be in the form of tracking URLs (see this Wiki reference). It really is rather difficult to check a header unless it is presented in the standard form (which the forum board software here doesn't quite support). Also, someone with better superpowers than I is probably going to want to move this thread since it has nothing to do with SpamCop Mailhost Configuration.

Still, going on what you have posted, both messages took the same path to get to you: from 65.55.116.72 (assigned to Microsoft, possibly a webmail host of some sort) to 65.55.116.84 (another Microsoft/hotmail mail host) to a Yahoo server (presumably your e-mail service). There are no records for any earlier relays. If by "sender" you mean the person who typed the message and hit the send button, then there isn't a good way to identify the sender from the mail header, particularly if you choose to disguise the information in the header when you post it here. Generally, we cannot trust any e-mail addresses we find in a questionable e-mail message.

-- rick
turetzsr
QUOTE(rconner @ May 26 2009, 05:02 PM)
<snip>
Also, someone with better superpowers than I is probably going to want to move this thread since it has nothing to do with SpamCop Mailhost Configuration.
<snip>
...Thanks, Rick -- with this posting, I am moving this from the "Mailhost Configuration of your Reporting Account" forum to the "SpamCop Lounge" SpamCop forum.
QUOTE(pbsdis @ May 26 2009, 03:09 PM)
Hi,

I am brand new to the email headers (not talking about spam), but I would like and need to have some knowledge for it now.
<snip>
...Google is your friend! http://www.google.com/#hl=en&q=(%22rea...;fp=onqzTwbkviA.
pbsdis
Hi,

My previous post was deleted due to the 'improper' title that contained 'newbie', I guess.

Here is the modified one.

I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address? The last 'received from' points to an IP that seems to be from Microsoft (using whois or nslookup) hotmail. How can I get information like where (i.e. city) the sender's system is from? You may tell that the headers are from emails from China; I have replaced user IDs with 'replace'. Can I tell that the two headers are from the same sender (without using the sender's email address)?


QUOTE
From =?gb2312?B?zv3B1rjfzd64383e?= Tue May 26 16:15:19 2009
Return-Path: <replace[at]live.cn>
Authentication-Results: mta128.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)
Received: from 65.55.116.104 (EHLO blu0-omc3-s29.blu0.hotmail.com) (65.55.116.104) by mta128.mail.cnb.yahoo.com with SMTP; Tue, 26 May 2009 16:16:23 +0800
Received: from BLU142-W14 ([65.55.116.72]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 01:15:20 -0700
Message-ID: <BLU142-W14E5BA21777E0A83388373C4520[at]phx.gbl>
Return-Path: replace[at]live.cn
Content-Type: multipart/alternative; boundary="_2e821a2a-bc19-4feb-a1cc-9cb691bfbf08_"
From: =?gb2312?B?zv3B1rjfzd64383e?= <replace[at]live.cn> ???????
To: =?gb2312?B?sc8g0cex8g==?= <replace[at]yahoo.com.cn>
Subject:
Date: Tue, 26 May 2009 08:15:19 +0000
Importance: Normal
MIME-Version: 1.0
Content-Length: 872



QUOTE
From =?gb2312?B?zv3B1rjfzd64383e?= Fri May 22 17:26:40 2009
Return-Path: <replace[at]live.cn>
Authentication-Results: mta132.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)
Received: from 65.55.116.105 (EHLO blu0-omc3-s30.blu0.hotmail.com) (65.55.116.105) by mta132.mail.cnb.yahoo.com with SMTP; Fri, 22 May 2009 17:26:41 +0800
Received: from BLU142-W1 ([65.55.116.72]) by blu0-omc3-s30.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 May 2009 02:26:40 -0700
Message-ID: <BLU142-W15B1BFBD7EDA3653CF8E5C4560[at]phx.gbl>
Return-Path: replace[at]live.cn
Content-Type: multipart/alternative; boundary="_2314936a-e66e-4037-82a3-dde45a2cae86_"
From: =?gb2312?B?zv3B1rjfzd64383e?= <replace[at]live.cn> ???????
To: =?gb2312?B?sc8g0cex8g==?= <replace[at]yahoo.com.cn>
Subject:
Date: Fri, 22 May 2009 09:26:40 +0000
Importance: Normal
MIME-Version: 1.0
Content-Length: 792



Thanks,
PB

You forgot, I think, to replace the live.cn sender name in this example the third time it appears, so I did it for you since you wanted to keep them hidden.
turetzsr
QUOTE(pbsdis @ May 26 2009, 06:26 PM)
<snip>
My previous post was deleted due to the 'improper' title that contained 'newbie', I guess.
<snip>
...Huh? Why do you say that? http://forum.spamcop.net/forums/index.php?...f=6&t=10404 Edit: oops, my mistake, I failed to leave a link in the original forum!
...With this post, I am merging this new post into your original one. PM (Personal Message) sent to PB to let her/him know.
turetzsr
QUOTE(pbsdis @ May 26 2009, 06:26 PM)
<snip>
I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address?
...You can't reliably do that, as far as I know. Many e-mail providers hide that information. Some software (such as spam software) might forge or hide it. The best you are likely to be able to tell is the last server it went through before hitting your e-mail provider's servers. This is what the SpamCop parser tries to do.
QUOTE(pbsdis @ May 26 2009, 06:26 PM)
The last 'received from' points to an IP that seems to be from Microsoft (using whois or nslookup) hotmail. How can I get information like where (i.e. city) the sender's system is from?
...I know of no reliable way to do that. Perhaps others here do....
QUOTE(pbsdis @ May 26 2009, 06:26 PM)
You may tell that the headers are from emails from China,
<snip>
...Sorry, but how -- because of the ".cn" in the address? That could be forged!
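Rick's walk up the Received chain (both messages entering from 65.55.116.72, then a hotmail host, then Yahoo) and turetzsr's point that the only hop you can really rely on is the one your own provider recorded can be checked mechanically. The example below is added here and is not code from the thread or from SpamCop's parser; it uses the Received: lines posted above as constructed sample input, and the function names and the receiving domain `yahoo.com` are my assumptions.

```python
import re

# Received: lines copied from the two headers posted in this thread (constructed sample input;
# the poster had already redacted the addresses, which this parser does not need anyway).
MSG1 = """\
Received: from 65.55.116.84 (EHLO blu0-omc3-s9.blu0.hotmail.com) (65.55.116.84) by mta130.mail.cnb.yahoo.com with SMTP; Fri, 22 May 2009 17:10:07 +0800
Received: from BLU142-W6 ([65.55.116.72]) by blu0-omc3-s9.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 May 2009 02:10:05 -0700
"""
MSG2 = """\
Received: from 65.55.116.104 (EHLO blu0-omc3-s29.blu0.hotmail.com) (65.55.116.104) by mta128.mail.cnb.yahoo.com with SMTP; Tue, 26 May 2009 16:16:23 +0800
Received: from BLU142-W14 ([65.55.116.72]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 01:15:20 -0700
"""

# "from <name announced by client> (<whatever the server logged>) by <receiving server>"
HOP_RE = re.compile(r"^Received:\s*from\s+(?P<helo>\S+)\s*(?P<extra>.*?)\s+by\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(headers):
    """Return the hops in delivery order (earliest first); assumes unfolded one-line headers."""
    hops = []
    for line in headers.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IPV4_RE.search(m.group("helo") + " " + m.group("extra"))
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by")})
    hops.reverse()  # each relay prepends its line, so the top of the header is the last hop
    return hops

def earliest_hop(headers):
    """Deepest hop visible; anything before it was never recorded (or was stripped by a relay)."""
    hops = parse_received(headers)
    return hops[0] if hops else None

def last_external_relay(headers, my_domain):
    """Client IP seen by my own provider: the one Received: line I did not have to take on trust."""
    for hop in reversed(parse_received(headers)):
        if hop["by"].endswith("." + my_domain):
            return hop["ip"]
    return None

def same_path(h1, h2):
    """Compare routes at domain granularity: same origin IP, same chain of receiving domains,
    ignoring which individual server in a pool (s9 vs s29, mta130 vs mta128) took the mail."""
    def shape(h):
        return [(hop["ip"] if i == 0 else None, hop["by"].partition(".")[2])
                for i, hop in enumerate(parse_received(h))]
    return shape(h1) == shape(h2)
```

Lines below the one your provider wrote (here, the BLU142-* hop) were supplied by the sending side and could be forged, which is why the relay IP handed to your MTA, not the earliest hop, is what a reporter tool like SpamCop's parser acts on.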
rconner
QUOTE(pbsdis @ May 26 2009, 06:26 PM)
My previous post was deleted due to the 'improper' title that contained 'newbie', I guess
No, I think your post was moved because it didn't have to do with SpamCop Mailhost Configuration. But, I see you found your way back here and perhaps to the replies you received to your original message.

QUOTE(pbsdis @ May 26 2009, 06:26 PM)
I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address?
In general, you can't, unless it was somehow put into the header (not a sure bet by any means, as Steve points out). Even if it does appear there, it still won't help you identify who the sender is (which I assume is what you ultimately want). The sender could have a computer with dynamic IP, or might even have sent the message from an airport kiosk or a hotel. The IP address belongs to a machine, not to a person. It is generally not a useful form of personal identification.

-- rick
turetzsr
QUOTE(rconner @ May 26 2009, 07:12 PM)
<snip>
But, I see you found your way back here and perhaps to the replies you received to your original message.
<snip>
...Nope, I moved the second post here, as well.
...Oops, I see I must have skipped the option to leave a link in the original Forum! *GASP* But I did send a PM (but only after the OP's second post, so it really was my bad).
pbsdis
QUOTE(turetzsr @ May 26 2009, 06:27 PM)
...Nope, I moved the second post here, as well.
...Oops, I see I must have skipped the option to leave a link in the original Forum! *GASP* But I did send a PM (but only after the OP's second post, so it really was my bad).

turetzsr, thanks for letting me know about the move. I looked for my original post in 'Mailhost Configuration' and didn't see it, then I checked the posting 'rules' and saw that something like 'help beginners' is the phrase to be avoided, so I thought the post was filtered and deleted.


Thank you all, guys, for your intuitive replies; I did learn much from them.
turetzsr
QUOTE(pbsdis @ May 27 2009, 12:43 PM)
turetzsr, thanks for letting me know about the move.
<snip>
...My pleasure. I apologize, again, that I was so late in letting you know!