Aiden

Country of Origin


Hello:

I have an email and the sender says they are in Turkey. I wanted to verify that the email was sent from Turkey. But..., to me, it looks fishy.

I have looked at the header extensively but this is not my field. So I am not sure I am interpreting all the info correctly.

From what I can gather the X originating IP is, 209.85.218.43

And the return path has just two servers in it, the X originating IP and my connection IP.

The header follows. Main question: is it possible that this email originated in Turkey?

 

Thanks, Aiden

 

X-Apparently-To: lifecan@yahoo.com; Fri, 07 Sep 2018 11:56:27 +0000
Return-Path: <kathryn@gmail.com>
Received-SPF: pass (domain of gmail.com designates 209.85.218.43 as permitted sender)
X-Originating-IP: [209.85.218.43]
Authentication-Results: mta4140.mail.ne1.yahoo.com  from=gmail.com; domainkeys=neutral (no sig);  from=gmail.com; dkim=pass (ok)
Received: from 127.0.0.1  (EHLO mail-oi0-f43.google.com) (209.85.218.43)
  by mta4140.mail.ne1.yahoo.com with SMTPS; Fri, 07 Sep 2018 11:56:26 +0000
Received: by mail-oi0-f43.google.com with SMTP id c190-v6so26693346oig.6
        for <lifecan@yahoo.com>; Fri, 07 Sep 2018 04:56:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=cAAyRcN8Jy5/N1h10EcAGDNFTqkhKS4XmY6EKFLOxLE=;
        b=hWgqx546w9l0Bz7AAvsKBgregc5S+3HmGHMDp/6FcBpvfz3mU/KXUFD+mitQ0r6dF0
         2nfREl6R7hl67n2qzcAR0OFmjl4tABQYQMjG930s7hSuTZ4H/bNWvGtX12n8V++9wpSw
         ytVg7q1icuCTkH/JvhUTo27IvlTqJhvOZhmcMt4OFS7oPLzznf1FN3bivRrUamjmNGmb
         mEJGzC98RSkES8ImymqeMdglxyggl7yJuJ09hCqdzYFkqaU2adwI6EuuPdKRTsH5u0u+
         E/cMEy7SVyjjDCr4BO1fio+N0bSOLXVN3pl1ffSXiBUqC6r+oZqT0eNoxydybeP5zioO
         OlZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=cAAyRcN8Jy5/N1h10EcAGDNFTqkhKS4XmY6EKFLOxLE=;
        b=a+59QDRc96Ie7IxZYl18cSs9x8OQ7XTlexpOActiZJGbJJ+IjYwmZy3d+JfuVPTCUz
         t0mP3w7UWAgI7A2OwBFo62N9uA1w1BQbJ3KHM4XP5VYb7uICvCYJzh5beBJsqGlbpDc8
         ivW3O7lFXydfLFOKfdU7920NuFALbVbPqy3aSEo6twlkW5L6wbU3M3YBd+z75VXSDsLW
         Xf91zyBO2iH/23f8x1Oqdv06nZXakBSmkm7YXEavGh8baEcygvQJrR2c1HxMpelPDP29
         Mj1Tb5q23TpL/8H8MZFhWKiPvC/taGWhGNXQzx2X2v5DLrDMo6HMOhVWL1yH0oVyrdc1
         zDeA==
X-Gm-Message-State: APzg51DJT8My6pEw6ke5mpCS7ZQM8DO4VVlhQKIAwMdZEV7ooB5peFWB
	tztGd0N7PBLyNwB7UVg774142vNOiW1sGhF0W+m3AMhcaQ4=
X-Google-Smtp-Source: ANB0VdaCNpl4UrLm4GmCY1Bkmj7l+lCG9e0ZA2dpCesQluwsRa9AFRGUeKdsCuIwllXGIrl3RSwj8gJ85YfVklmgWiI=
X-Received: by 2002:aca:aa06:: with SMTP id t6-v6mr8095720oie.152.1536321386167;
 Fri, 07 Sep 2018 04:56:26 -0700 (PDT)
MIME-Version: 1.0
References: <CAD8+=+7A1S64XkzzYk_F+1+cve3B5YpM4D2eFm1r2pxwkk4AJg@mail.gmail.com>
 <1250095599.641649.1536172817194@mail.yahoo.com> <CAD8+=+5S_unO5h7TJyVThU43iL2d3L0mmUXrjWH4GowALWNLCQ@mail.gmail.com>
 <816792627.933053.1536210210269@mail.yahoo.com> <CAD8+=+7M4GExbxruG3QjmTe9NdOo+HeTF_F88cn48b83gQrJQw@mail.gmail.com>
 <199333859.1250349.1536258408729@mail.yahoo.com>
In-Reply-To: <199333859.1250349.1536258408729@mail.yahoo.com>
From: Kathryn <kathryn@gmail.com>
Date: Fri, 7 Sep 2018 04:56:27 -0700
Message-ID: <CAD8+=+6r+eEX9N2NNXcwyqcWydrBSj-oY7KCm3X-dRhPdz6wVA@mail.gmail.com>
Subject: Re: RAINDROPZZZ OFF AFF
To: XXXXXXX@XXXXX.com
Content-Type: multipart/alternative; boundary="0000000000007bc292057546b2b2"
Content-Length: 32622

--0000000000007bc292057546b2b2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

 

 

Edited by Lking
Remove TO: email
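
The hop chain in the header posted above, walked oldest-first, as an added example that is not part of the original thread. The function names are illustrative, and the header is a trimmed copy with the recipient address replaced by a placeholder.

```python
import email
import ipaddress
import re

# Trimmed copy of the header posted above (signature blobs left out,
# recipient replaced with a placeholder).
RAW = """\
X-Originating-IP: [209.85.218.43]
Received: from 127.0.0.1  (EHLO mail-oi0-f43.google.com) (209.85.218.43)
  by mta4140.mail.ne1.yahoo.com with SMTPS; Fri, 07 Sep 2018 11:56:26 +0000
Received: by mail-oi0-f43.google.com with SMTP id c190-v6so26693346oig.6
        for <recipient@example.com>; Fri, 07 Sep 2018 04:56:26 -0700 (PDT)
From: Kathryn <kathryn@gmail.com>
Date: Fri, 7 Sep 2018 04:56:27 -0700
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def public_ips(text):
    """Return globally routable IPv4 addresses found in text, in order."""
    found = []
    for tok in IPV4.findall(text):
        try:
            if ipaddress.ip_address(tok).is_global:
                found.append(tok)
        except ValueError:  # looks like an address but is not one
            pass
    return found

def hops(raw):
    """Return Received hops oldest-first as (receiving_host, public_ips)."""
    msg = email.message_from_string(raw)
    out = []
    # Every relay prepends its own Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        by = re.search(r"\bby (\S+)", flat)
        out.append((by.group(1) if by else None, public_ips(flat)))
    return out

def explain(raw):
    """Say whether X-Originating-IP is a client address or just the last relay."""
    xoip = email.message_from_string(raw).get("X-Originating-IP", "").strip("[] ")
    chain = hops(raw)
    return {"x_originating_ip": xoip,
            "is_last_relay": bool(chain) and xoip in chain[-1][1],
            "earlier_hop_has_ip": any(ips for _, ips in chain[:-1])}
```

For this header `explain(RAW)` reports that the X-Originating-IP is the address of the Google server that handed the message to Yahoo, and that no earlier hop recorded an address, so the header contains no IP for the sender's own device.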


It would have been nice if you had submitted the email to the SpamCop.net parser and then provided the Tracking URL here.

Then

  1. The parser could have identified the source IP, the location of which may answer your question
  2. It would not have been necessary to hide your email address in the header so all the spammers could not collect it.
  3. In general it would not be necessary for you to be able to trace through the header to get your answer.


Check out the abuse reports for 209.85.218.43. It was last reported 6 days ago, and it appears to be sending fake emails from supposed friends.
...................................................
It also says
Important Note: 209.85.218.43 is an IP address from within our whitelist. Whitelisted netblocks are typically owned by trusted entities, such as Google or Microsoft who may use them for search engine spiders. However, these same entities sometimes also provide cloud servers and mail services which are easily abused. Pay special attention when trusting or distrusting these IPs
...................................................

I'm also getting a heck of a lot of phishing and scam emails from google spider bot IP addresses listed at Mountain View, California

AbuseIPDB » 209.85.218.43

 

On 9/11/2018 at 4:26 PM, mojorisin said:

209.85.218.43 is an IP address from within our whitelist.

209.85.218.43 is not a routable IP address.

Probably a Google network address. Post a tracking URL; the info you gave is useless.

10 hours ago, petzl said:

209.85.218.43 is not a routable IP address.

Probably a Google network address. Post a tracking URL; the info you gave is useless.

Glad to be of no help to you 😬

I hope it helped the original poster, who asked if it was a legitimate IP address from Turkey not involved in suspicious behaviour, though 😀

 

Edited by mojorisin

