pbsdis Posted May 26, 2009 Share Posted May 26, 2009 Hi, I am brand new to the email headers (not talking about spam), but I would like and need to have some knowledge for it now. I list two email headers below, they are (assumed) from the same sender with the same machine, is this correct and how can I tell that from the headers? BTW, the emails are from China, how can I tell where is the sender's system is? What is the info I should look to find the above items? From =?gb2312?B?zv3B1rjfzd64383e?= Fri May 22 17:10:04 2009 Return-Path: <replaced[at]live.cn> Authentication-Results: mta130.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig) Received: from 65.55.116.84 (EHLO blu0-omc3-s9.blu0.hotmail.com) (65.55.116.84) by mta130.mail.cnb.yahoo.com with SMTP; Fri, 22 May 2009 17:10:07 +0800 Received: from BLU142-W6 ([65.55.116.72]) by blu0-omc3-s9.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 May 2009 02:10:05 -0700 Message-ID: <BLU142-W61D9CB9D64971BCBF26E7C4560[at]phx.gbl> Return-Path: replaced[at]live.cn Content-Type: multipart/alternative; boundary="_95acf702-5617-4f95-828f-9bbaeb83ee81_" From: =?gb2312?B?zv3B1rjfzd64383e?= <replaced[at]live.cn> 查看è”系人资料 To: <replaced[at]yahoo.com.cn> Subject: =?gb2312?B?u9i4tA==?= Date: Fri, 22 May 2009 09:10:04 +0000 Importance: Normal MIME-Version: 1.0 Content-Length: 829 From =?gb2312?B?zv3B1rjfzd64383e?= Tue May 26 16:15:19 2009 Return-Path: <replaced[at]live.cn> Authentication-Results: mta128.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig) Received: from 65.55.116.104 (EHLO blu0-omc3-s29.blu0.hotmail.com) (65.55.116.104) by mta128.mail.cnb.yahoo.com with SMTP; Tue, 26 May 2009 16:16:23 +0800 Received: from BLU142-W14 ([65.55.116.72]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 01:15:20 -0700 Message-ID: <BLU142-W14E5BA21777E0A83388373C4520[at]phx.gbl> Return-Path: replaced[at]live.cn Content-Type: multipart/alternative; boundary="_2e821a2a-bc19-4feb-a1cc-9cb691bfbf08_" From: =?gb2312?B?zv3B1rjfzd64383e?= <replaced[at]live.cn> 查看è”系人资料 To: =?gb2312?B?sc8g0cex8g==?= <replaced[at]yahoo.com.cn> Subject: Date: Tue, 26 May 2009 08:15:19 +0000 Importance: Normal MIME-Version: 1.0 Content-Length: 872 Thanks P.S. I replaced the USER IDs for the sender and receiver. Link to comment Share on other sites More sharing options...
rconner Posted May 26, 2009 Share Posted May 26, 2009 Normally, if you are going to post headers on this board, folks here prefer them to be in the form of tracking URLs (see this Wiki reference). It really is rather difficult to check a header unless it is presented in the standard form (which the forum board software here doesn't quite support). Also, someone with better superpowers than I is probably going to want to move this thread since it has nothing to do with SpamCop Mailhost Configuration. Still, going on what you have posted, both messages took the same path to get to you: from 65.55.116.72 (assigned to Microsoft, possibly a webmail host of some sort) to 65.55.116.84 (another Microsoft/hotmail mail host) to a Yahoo server (presumably your e-mail service). There are no records for any earlier relays. If by "sender" you mean the person who typed the message and hit the send button, then there isn't a good way to identify the sender from the mail header, particularly if you choose to disguise the information in the header when you post it here. Generally, we cannot trust any e-mail addresses we find in a questionable e-mail message. -- rick Link to comment Share on other sites More sharing options...
turetzsr Posted May 26, 2009 Share Posted May 26, 2009 <snip> Also, someone with better superpowers than I is probably going to want to move this thread since it has nothing to do with SpamCop Mailhost Configuration. <snip> ...Thanks, Rick -- with this posting, I am moving this from the "Mailhost Configuration of your Reporting Account" forum to the "SpamCop Lounge" SpamCop forum.Hi, I am brand new to the email headers (not talking about spam), but I would like and need to have some knowledge for it now. <snip> ...:google: Google is your friend! http://www.google.com/#hl=en&q=(%22rea...;fp=onqzTwbkviA. Link to comment Share on other sites More sharing options...
pbsdis Posted May 26, 2009 Author Share Posted May 26, 2009 Hi, My previous post was deleted due to the 'improper' title that contained 'newbie', I guess :angry: Here is the modified one. I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address? The last 'received from' point to the IP that seems like from Microsoft (using whois or nslook) hotmail. How can I get information like where (i.e. city) the sender's system is from. You may tell that the headers are from emails from China, I have replaced user IDs with 'replace'. Can I tell that the two headers are from the same sender (without using the sender's email address)? From =?gb2312?B?zv3B1rjfzd64383e?= Tue May 26 16:15:19 2009 Return-Path: <replace[at]live.cn> Authentication-Results: mta128.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig) Received: from 65.55.116.104 (EHLO blu0-omc3-s29.blu0.hotmail.com) (65.55.116.104) by mta128.mail.cnb.yahoo.com with SMTP; Tue, 26 May 2009 16:16:23 +0800 Received: from BLU142-W14 ([65.55.116.72]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 01:15:20 -0700 Message-ID: <BLU142-W14E5BA21777E0A83388373C4520[at]phx.gbl> Return-Path: replace[at]live.cn Content-Type: multipart/alternative; boundary="_2e821a2a-bc19-4feb-a1cc-9cb691bfbf08_" From: =?gb2312?B?zv3B1rjfzd64383e?= <replace[at]live.cn> ??????? To: =?gb2312?B?sc8g0cex8g==?= <replace[at]yahoo.com.cn> Subject: Date: Tue, 26 May 2009 08:15:19 +0000 Importance: Normal MIME-Version: 1.0 Content-Length: 872 From =?gb2312?B?zv3B1rjfzd64383e?= Fri May 22 17:26:40 2009 Return-Path: <replace[at]live.cn> Authentication-Results: mta132.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig) Received: from 65.55.116.105 (EHLO blu0-omc3-s30.blu0.hotmail.com) (65.55.116.105) by mta132.mail.cnb.yahoo.com with SMTP; Fri, 22 May 2009 17:26:41 +0800 Received: from BLU142-W1 ([65.55.116.72]) by blu0-omc3-s30.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 May 2009 02:26:40 -0700 Message-ID: <BLU142-W15B1BFBD7EDA3653CF8E5C4560[at]phx.gbl> Return-Path: replace[at]live.cn Content-Type: multipart/alternative; boundary="_2314936a-e66e-4037-82a3-dde45a2cae86_" From: =?gb2312?B?zv3B1rjfzd64383e?= <replace[at]live.cn> ??????? To: =?gb2312?B?sc8g0cex8g==?= <replace[at]yahoo.com.cn> Subject: Date: Fri, 22 May 2009 09:26:40 +0000 Importance: Normal MIME-Version: 1.0 Content-Length: 792 Thanks, PB You forgot, I think, to replace the live.cn sender name in this example the third time it appears. so I did it for you since you wanted to keep them hidden. Link to comment Share on other sites More sharing options...
turetzsr Posted May 26, 2009 Share Posted May 26, 2009 <snip> My previous post was deleted due to the 'improper' title that contained 'newbie', I guess :angry: <snip> ...Huh? Why do you say that? http://forum.spamcop.net/forums/index.php?...f=6&t=10404 Edit: oops, my mistake, I failed to leave a link in the original forum! ...With this post, I am merging this new post into your original one. PM (Personal Message) sent to PB to let her/him know. Link to comment Share on other sites More sharing options...
turetzsr Posted May 26, 2009 Share Posted May 26, 2009 <snip> I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address? ...You can't reliably do that. as far as I know. Many e-mail providers hide that information. Some software (such as spam software) might forge or hide it. The best you are likely to be able to tell is the last server it went through before hitting your e-mail provider's servers. This is what the SpamCop parser tries to do. The last 'received from' point to the IP that seems like from Microsoft (using whois or nslook) hotmail. How can I get information like where (i.e. city) the sender's system is from....I know of no reliable way to do that. Perhaps others here do....You may tell that the headers are from emails from China, <snip> ...Sorry, but how -- because of the ".cn" in the address? That could be forged! Link to comment Share on other sites More sharing options...
rconner Posted May 26, 2009 Share Posted May 26, 2009 My previous post was deleted due to the 'improper' title that contained 'newbie', I guessNo, I think your post was moved because it didn't have to do with SpamCop Mailhost Configuration. But, I see you found your way back here and perhaps to the replies you received to your original message. I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address? In general, you can't, unless it was somehow put into the header (not a sure bet by any means, as Steve points out). Even if it does appear there, it still won't help you identify who the sender is (which I assume is what you ultimately want). The sender could have a computer with dynamic IP, or might even have sent the message from an airport kiosk or a hotel. The IP address belongs to a machine, not to a person. It is generally not a useful form of personal identification. -- rick Link to comment Share on other sites More sharing options...
turetzsr Posted May 26, 2009 Share Posted May 26, 2009 <snip> But, I see you found your way back here and perhaps to the replies you received to your original message. <snip> ...Nope, I moved the second post here, as well. ...Oops, I see I must have skipped the option to leave a link in the original Forum! *GASP* But I did send a PM (but only after the OP's second post, so it really was my bad). Link to comment Share on other sites More sharing options...
pbsdis Posted May 27, 2009 Author Share Posted May 27, 2009 ...Nope, I moved the second post here, as well. ...Oops, I see I must have skipped the option to leave a link in the original Forum! *GASP* But I did send a PM (but only after the OP's second post, so it really was my bad). turetzsr, thanks for leting me know the move. I looked for my original post in 'Mailhost Configuration' and didn't see it, then I checked the posting 'rules' and saw that something like 'help beginners' is the phrase to be avoided, so I thought the post was filtered and deleted. Thanks you all guys for your intuitive replies, I did learn much from them. Link to comment Share on other sites More sharing options...
turetzsr Posted May 27, 2009 Share Posted May 27, 2009 turetzsr, thanks for leting me know the move. <snip> ...My pleasure. I apologize, again, that I was so late in letting you know! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.