
Help beginner to analyse the sample headers


pbsdis

Hi,

I am brand new to email headers (not talking about spam), but I would like, and need, to have some knowledge of them now. I list two email headers below; they are (assumed) from the same sender with the same machine. Is this correct, and how can I tell that from the headers? BTW, the emails are from China; how can I tell where the sender's system is? What info should I look at to find the above items?

From =?gb2312?B?zv3B1rjfzd64383e?= Fri May 22 17:10:04 2009

Return-Path: <replaced[at]live.cn>

Authentication-Results: mta130.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)

Received: from 65.55.116.84 (EHLO blu0-omc3-s9.blu0.hotmail.com) (65.55.116.84) by mta130.mail.cnb.yahoo.com with SMTP; Fri, 22 May 2009 17:10:07 +0800

Received: from BLU142-W6 ([65.55.116.72]) by blu0-omc3-s9.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 May 2009 02:10:05 -0700

Message-ID: <BLU142-W61D9CB9D64971BCBF26E7C4560[at]phx.gbl>

Return-Path: replaced[at]live.cn

Content-Type: multipart/alternative; boundary="_95acf702-5617-4f95-828f-9bbaeb83ee81_"

From: =?gb2312?B?zv3B1rjfzd64383e?= <replaced[at]live.cn>

To: <replaced[at]yahoo.com.cn>

Subject: =?gb2312?B?u9i4tA==?=

Date: Fri, 22 May 2009 09:10:04 +0000

Importance: Normal

MIME-Version: 1.0

Content-Length: 829

From =?gb2312?B?zv3B1rjfzd64383e?= Tue May 26 16:15:19 2009

Return-Path: <replaced[at]live.cn>

Authentication-Results: mta128.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)

Received: from 65.55.116.104 (EHLO blu0-omc3-s29.blu0.hotmail.com) (65.55.116.104) by mta128.mail.cnb.yahoo.com with SMTP; Tue, 26 May 2009 16:16:23 +0800

Received: from BLU142-W14 ([65.55.116.72]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 01:15:20 -0700

Message-ID: <BLU142-W14E5BA21777E0A83388373C4520[at]phx.gbl>

Return-Path: replaced[at]live.cn

Content-Type: multipart/alternative; boundary="_2e821a2a-bc19-4feb-a1cc-9cb691bfbf08_"

From: =?gb2312?B?zv3B1rjfzd64383e?= <replaced[at]live.cn>

To: =?gb2312?B?sc8g0cex8g==?= <replaced[at]yahoo.com.cn>

Subject:

Date: Tue, 26 May 2009 08:15:19 +0000

Importance: Normal

MIME-Version: 1.0

Content-Length: 872

Thanks

P.S. I replaced the USER IDs for the sender and receiver.


Normally, if you are going to post headers on this board, folks here prefer them to be in the form of tracking URLs (see this Wiki reference). It really is rather difficult to check a header unless it is presented in the standard form (which the forum board software here doesn't quite support). Also, someone with better superpowers than I is probably going to want to move this thread since it has nothing to do with SpamCop Mailhost Configuration.

Still, going on what you have posted, both messages took the same path to get to you: from 65.55.116.72 (assigned to Microsoft, possibly a webmail host of some sort) to 65.55.116.84 (another Microsoft/hotmail mail host) to a Yahoo server (presumably your e-mail service). There are no records for any earlier relays. If by "sender" you mean the person who typed the message and hit the send button, then there isn't a good way to identify the sender from the mail header, particularly if you choose to disguise the information in the header when you post it here. Generally, we cannot trust any e-mail addresses we find in a questionable e-mail message.

-- rick

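The walk through the Received: chain that Rick describes in the reply above, as an added Python example (not code from the thread or from SpamCop). It parses trimmed copies of the two headers posted above (the user parts stay replaced, and "[at]" is written as "@" so the parser accepts them), lists each hop in delivery order with the IP the receiving host logged, checks whether both messages entered the mail system from the same address, compares the Date: header against the first Received: timestamp, and reads the Authentication-Results: line to show that the From: domain was never verified. The function and field names are this example's own.

```python
"""Added example, not from the forum thread or from SpamCop: read the
Received: chain of the two messages quoted above and report what the
header can and cannot tell you about the sender."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Trimmed copies of the two headers posted in the thread (user parts
# replaced by the poster, "[at]" restored to "@" so the parser accepts them).
MSG1 = """\
Return-Path: <replaced@live.cn>
Authentication-Results: mta130.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)
Received: from 65.55.116.84 (EHLO blu0-omc3-s9.blu0.hotmail.com) (65.55.116.84) by mta130.mail.cnb.yahoo.com with SMTP; Fri, 22 May 2009 17:10:07 +0800
Received: from BLU142-W6 ([65.55.116.72]) by blu0-omc3-s9.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 May 2009 02:10:05 -0700
Message-ID: <BLU142-W61D9CB9D64971BCBF26E7C4560@phx.gbl>
From: =?gb2312?B?zv3B1rjfzd64383e?= <replaced@live.cn>
To: <replaced@yahoo.com.cn>
Date: Fri, 22 May 2009 09:10:04 +0000

"""
MSG2 = """\
Return-Path: <replaced@live.cn>
Authentication-Results: mta128.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)
Received: from 65.55.116.104 (EHLO blu0-omc3-s29.blu0.hotmail.com) (65.55.116.104) by mta128.mail.cnb.yahoo.com with SMTP; Tue, 26 May 2009 16:16:23 +0800
Received: from BLU142-W14 ([65.55.116.72]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 01:15:20 -0700
Message-ID: <BLU142-W14E5BA21777E0A83388373C4520@phx.gbl>
From: =?gb2312?B?zv3B1rjfzd64383e?= <replaced@live.cn>
To: <replaced@yahoo.com.cn>
Date: Tue, 26 May 2009 08:15:19 +0000

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)")


def received_hops(raw):
    """Return the Received: hops in delivery order (earliest hop first).

    Each receiving MTA prepends its own Received: line, so the last one in
    the header is the earliest hop.  Only the IP the receiving host logged
    is taken as the source; the name before it is whatever the client said.
    """
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        text = " ".join(line.split())
        m = HOP.search(text)
        if not m:
            continue
        ips = IPV4.findall(m.group("src"))
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({"ip": ips[0] if ips else None,
                     "by": m.group("by"), "time": stamp})
    return hops


def first_hop_ip(raw):
    """Earliest address in the chain.  Here that is Hotmail's web front end,
    not the person's own computer, which the chain does not record."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def same_entry_point(raw_a, raw_b):
    """True when both messages entered the mail system from the same IP."""
    ip = first_hop_ip(raw_a)
    return ip is not None and ip == first_hop_ip(raw_b)


def date_skew_seconds(raw):
    """Seconds between the client's Date: and the first MTA's own timestamp.
    A large gap, or a Date: in the future, means the Date: was made up."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    first = parsedate_to_datetime(received_hops(raw)[0]["time"])
    return int((first - sent).total_seconds())


def auth_results(raw):
    """method=result pairs from Authentication-Results:.  'neutral' with
    '(no sig)' means the receiver had nothing to verify, so the From:
    domain is an unverified claim."""
    ar = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(domainkeys|dkim|spf)=(\w+)", ar))


def sender_domain_verified(raw):
    """Only a 'pass' from DKIM or SPF ties the message to the From: domain."""
    results = auth_results(raw)
    return results.get("dkim") == "pass" or results.get("spf") == "pass"


if __name__ == "__main__":
    for name, raw in (("message 1", MSG1), ("message 2", MSG2)):
        print(name)
        for n, hop in enumerate(received_hops(raw), 1):
            print(f"  hop {n}: {hop['ip']} -> {hop['by']} at {hop['time']}")
        print(f"  Date: vs first hop: {date_skew_seconds(raw):+d} s")
        print(f"  auth: {auth_results(raw)} verified={sender_domain_verified(raw)}")
    print("same entry point:", same_entry_point(MSG1, MSG2))
```

Run as-is, it shows both messages starting at 65.55.116.72 and leaving Hotmail through a different blu0-omc3 outbound host each time, a one-second gap between Date: and the first hop (so the client clock was sane), and DKIM/DomainKeys results of neutral with no signature, which is why nothing in these headers proves the live.cn address or the ".cn" origin.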

<snip>

Also, someone with better superpowers than I is probably going to want to move this thread since it has nothing to do with SpamCop Mailhost Configuration.

<snip>

...Thanks, Rick -- with this posting, I am moving this from the "Mailhost Configuration of your Reporting Account" forum to the "SpamCop Lounge" SpamCop forum.
Hi,

I am brand new to the email headers (not talking about spam), but I would like and need to have some knowledge for it now.

<snip>

...Google is your friend! http://www.google.com/#hl=en&q=(%22rea...;fp=onqzTwbkviA

Edited by turetzsr

Hi,

My previous post was deleted due to the 'improper' title that contained 'newbie', I guess.

Here is the modified one.

I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address? The last 'received from' points to an IP that seems to be from Microsoft (using whois or nslookup) Hotmail. How can I get information like where (i.e. which city) the sender's system is? You may tell that the headers are from emails from China; I have replaced user IDs with 'replace'. Can I tell that the two headers are from the same sender (without using the sender's email address)?

From =?gb2312?B?zv3B1rjfzd64383e?= Tue May 26 16:15:19 2009

Return-Path: <replace[at]live.cn>

Authentication-Results: mta128.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)

Received: from 65.55.116.104 (EHLO blu0-omc3-s29.blu0.hotmail.com) (65.55.116.104) by mta128.mail.cnb.yahoo.com with SMTP; Tue, 26 May 2009 16:16:23 +0800

Received: from BLU142-W14 ([65.55.116.72]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 01:15:20 -0700

Message-ID: <BLU142-W14E5BA21777E0A83388373C4520[at]phx.gbl>

Return-Path: replace[at]live.cn

Content-Type: multipart/alternative; boundary="_2e821a2a-bc19-4feb-a1cc-9cb691bfbf08_"

From: =?gb2312?B?zv3B1rjfzd64383e?= <replace[at]live.cn>

To: =?gb2312?B?sc8g0cex8g==?= <replace[at]yahoo.com.cn>

Subject:

Date: Tue, 26 May 2009 08:15:19 +0000

Importance: Normal

MIME-Version: 1.0

Content-Length: 872

From =?gb2312?B?zv3B1rjfzd64383e?= Fri May 22 17:26:40 2009

Return-Path: <replace[at]live.cn>

Authentication-Results: mta132.mail.cnb.yahoo.com from=live.cn; domainkeys=neutral (no sig); from=live.cn; dkim=neutral (no sig)

Received: from 65.55.116.105 (EHLO blu0-omc3-s30.blu0.hotmail.com) (65.55.116.105) by mta132.mail.cnb.yahoo.com with SMTP; Fri, 22 May 2009 17:26:41 +0800

Received: from BLU142-W1 ([65.55.116.72]) by blu0-omc3-s30.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 May 2009 02:26:40 -0700

Message-ID: <BLU142-W15B1BFBD7EDA3653CF8E5C4560[at]phx.gbl>

Return-Path: replace[at]live.cn

Content-Type: multipart/alternative; boundary="_2314936a-e66e-4037-82a3-dde45a2cae86_"

From: =?gb2312?B?zv3B1rjfzd64383e?= <replace[at]live.cn>

To: =?gb2312?B?sc8g0cex8g==?= <replace[at]yahoo.com.cn>

Subject:

Date: Fri, 22 May 2009 09:26:40 +0000

Importance: Normal

MIME-Version: 1.0

Content-Length: 792

Thanks,

PB

You forgot, I think, to replace the live.cn sender name in this example the third time it appears, so I did it for you since you wanted to keep them hidden.

Edited by Miss Betsy

<snip>

My previous post was deleted due to the 'improper' title that contained 'newbie', I guess.

<snip>

...Huh? Why do you say that? http://forum.spamcop.net/forums/index.php?...f=6&t=10404 Edit: oops, my mistake, I failed to leave a link in the original forum!

...With this post, I am merging this new post into your original one. PM (Personal Message) sent to PB to let her/him know.

Edited by turetzsr

<snip>

I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address?

...You can't reliably do that, as far as I know. Many e-mail providers hide that information. Some software (such as spam software) might forge or hide it. The best you are likely to be able to tell is the last server it went through before hitting your e-mail provider's servers. This is what the SpamCop parser tries to do.
The last 'received from' point to the IP that seems like from Microsoft (using whois or nslook) hotmail. How can I get information like where (i.e. city) the sender's system is from.
...I know of no reliable way to do that. Perhaps others here do....
You may tell that the headers are from emails from China,

<snip>

...Sorry, but how -- because of the ".cn" in the address? That could be forged!

My previous post was deleted due to the 'improper' title that contained 'newbie', I guess
No, I think your post was moved because it didn't have to do with SpamCop Mailhost Configuration. But, I see you found your way back here and perhaps to the replies you received to your original message.

I am pasting two email headers that are assumed to be from the same sender and the same system. My questions are: how do I get the original sender's IP address?
In general, you can't, unless it was somehow put into the header (not a sure bet by any means, as Steve points out). Even if it does appear there, it still won't help you identify who the sender is (which I assume is what you ultimately want). The sender could have a computer with dynamic IP, or might even have sent the message from an airport kiosk or a hotel. The IP address belongs to a machine, not to a person. It is generally not a useful form of personal identification.

-- rick


<snip>

But, I see you found your way back here and perhaps to the replies you received to your original message.

<snip>

...Nope, I moved the second post here, as well.

...Oops, I see I must have skipped the option to leave a link in the original Forum! *GASP* But I did send a PM (but only after the OP's second post, so it really was my bad).


...Nope, I moved the second post here, as well.

...Oops, I see I must have skipped the option to leave a link in the original Forum! *GASP* But I did send a PM (but only after the OP's second post, so it really was my bad).

turetzsr, thanks for letting me know about the move. I looked for my original post in 'Mailhost Configuration' and didn't see it, then I checked the posting 'rules' and saw that something like 'help beginners' is a phrase to be avoided, so I thought the post was filtered and deleted.

Thank you all, guys, for your intuitive replies; I did learn much from them.
