How do you decode an email header?

geepondy (Flashlight Enthusiast, joined Apr 15, 2001, 4,896 messages, Massachusetts):
For instance, how can I tell where this email actually came from? I've x'd out my email address but left the other header info intact. The body of the email contains a "stock tip". I have been getting a ton of these spam stock tip emails lately and the Verizon spam detector is not stopping them. I doubt very much the sender's real address is "[email protected]".

Received: from 222.235.161.241 ([172.18.12.132])
by vms043.mailsrvcs.net (Sun Java System Messaging Server 6.2-4.02 (built Sep
9 2005)) with ESMTP id <[email protected]> for
[email protected]; Sat, 29 Apr 2006 09:01:20 -0500 (CDT)
Received: from uqhx (222.235.161.241)
by sv6pub.verizon.net (MailPass SMTP server v1.2.0 - 112105154401JY+PrW)
with SMTP id <5-977-31-977-4156-1-1146319278> for vms043pub.verizon.net; Sat,
29 Apr 2006 09:01:20 -0500
Received: from qlv.mxkrwf ([222.235.198.120]) by uqhx (8.13.3/8.13.3)
with SMTP id k3TE344H077770; Sat, 29 Apr 2006 23:03:04 +0900
Date: Sat, 29 Apr 2006 22:58:28 +0900
From: "Rolf Ellis" <[email protected]>
Subject: hypnotism show-off
X-Originating-IP: [222.235.161.241]
To: <[email protected]>
Message-id: <[email protected]>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Mailer: Microsoft Outlook Express 6.00.2800.1165
Content-type: multipart/related; type="multipart/alternative";
boundary="----=_NextPart_000_001F_01C66BE0.D1E12F5F"
X-Priority: 3
X-MSMail-priority: Normal
 

KevinL (Flashlight Enthusiast, joined Jun 10, 2004, 5,866 messages, At World's End):
Read in reverse order:

The source:
Received: from qlv.mxkrwf ([222.235.198.120]) by uqhx (8.13.3/8.13.3)
with SMTP id k3TE344H077770; Sat, 29 Apr 2006 23:03:04 +0900

Passes it to an intermediary:
Received: from uqhx (222.235.161.241)
by sv6pub.verizon.net (MailPass SMTP server v1.2.0 - 112105154401JY+PrW)
with SMTP id <5-977-31-977-4156-1-1146319278> for vms043pub.verizon.net; Sat,
29 Apr 2006 09:01:20 -0500

Which sends it to Verizon's servers to be delivered to you:
Received: from 222.235.161.241 ([172.18.12.132])
by vms043.mailsrvcs.net (Sun Java System Messaging Server 6.2-4.02 (built Sep
9 2005)) with ESMTP id <[email protected]> for
[email protected]; Sat, 29 Apr 2006 09:01:20 -0500 (CDT)



I know it sounds tempting to report spam, but nobody cares these days :( I just rely on better and better junk filters on my servers and my desktop. Eudora 7 is not too bad. :)


I ran a trace for you anyway.. it's coming from Korea. I believe the mail server is a legitimate ISP-owned mail server, and it's one of their subscribers doing the dirty deed. I could be wrong (wouldn't be the first time), but that's my guess. :)

(btw - all of this is publicly available information that every netblock owner must register with their appropriate Internet Registry to be made available on the Internet for use in the event that they should need to be contacted. Yes.. I attend the regional registry events and briefings for my region and we are preached to about this :D)


IPv4 Address : 222.235.160.0-222.235.191.255
Network Name : HANANET-INFRA
Connect ISP Name : HANANET
Connect Date : 20050327
Registration Date : 20050329
Publishes : Y

[ Organization Information ]
Organization ID : ORG3930
Org Name : Hanaro Telecom Inc.
Address : Yeoeuido-dong Yeongdeungpo-gu SEOUL
Detail address : 17-7 Asia One Bldg.
Zip Code : 150-874

[ Technical Contact Information ]
Name : IP Manager
Org Name : Hanaro Telecom Inc.
Address : Yeoeuido-dong Yeongdeungpo-gu SEOUL
Detail address : 17-7 Asia One Bldg.
Zip Code : 150-874
Phone : +82-2-106-2
E-Mail : [email protected]

--------------------------------------------------------------------------------

If the above contacts are not reachable, please contact following ISP
for further information.

[ ISP IPv4 Admin Contact Information ]
Name : IP Administrator
Phone : +82-2-106-2
E-Mail : [email protected]

[ ISP IPv4 Tech Contact Information ]
Name : IP Manager
Phone : +82-2-106-2
E-Mail : [email protected]

[ ISP Network Abuse Contact Information ]
Name : Network Abuse
Phone : +82-2-106-2
E-Mail : [email protected]

gadget_lover (Flashaholic, joined Oct 7, 2003, 7,147 messages, Near Silicon Valley (too near)):
One of the things to keep in mind when reading the headers is that they can be faked. You can only trust them 100% when they are created by a trusted source. Your mail server appears to be vms043.mailsrvcs.net. The very first "Received:" header shows it was sent by a system claiming to be 222.235.161.241 but actually from a private address, 172.18.12.132, that does not resolve to a name. The private address leads one to believe that it's an internal mail delivery relay.

The second "Received:" header shows that Verizon got it from 222.235.161.241, an address that does not resolve.

Unfortunately, you cannot trust it beyond that. There could be another 15 "Received:" headers, but they could all be faked.

As a matter of policy, my mail servers don't accept mail from addresses that don't resolve to a name. All mail servers are supposed to have registered addresses, so unless there's a DNS screwup, mail like this is from a rogue.

This policy is not as drastic as it seems. I give a 'soft' error so the mail delivery should be attempted later if it's a valid mail server.

Daniel
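As an added example (not posted by anyone in this thread), a small Python script that does what KevinL and gadget_lover describe by hand: it unfolds the Received headers from the first post, walks them top to bottom, and marks the last hop that a Verizon server itself recorded (the connecting IP 222.235.161.241) as the trust boundary; every hop below that is only what the sender claimed. The sample is abridged from the posted headers, and the list of trusted provider domains is an assumption you would replace with your own provider's.

```python
import re
import ipaddress
# Abridged Received headers from the first post, folded RFC 5322 style
# (continuation lines begin with whitespace); Verizon is the trusted side.
SAMPLE = """\
Received: from 222.235.161.241 ([172.18.12.132]) by vms043.mailsrvcs.net
 (Sun Java System Messaging Server 6.2-4.02) with ESMTP id <[email protected]>
 for [email protected]; Sat, 29 Apr 2006 09:01:20 -0500 (CDT)
Received: from uqhx (222.235.161.241) by sv6pub.verizon.net (MailPass SMTP server
 v1.2.0) with SMTP id <5-977-31-977-4156-1-1146319278>; Sat, 29 Apr 2006 09:01:20 -0500
Received: from qlv.mxkrwf ([222.235.198.120]) by uqhx (8.13.3/8.13.3)
 with SMTP id k3TE344H077770; Sat, 29 Apr 2006 23:03:04 +0900
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from\s+(\S+)\s*(\([^)]*\))?.*?\bby\s+(\S+)")

def unfold(raw):
    """Join continuation lines (leading whitespace) back onto their header."""
    out = []
    for line in raw.splitlines():
        if line and line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def hops(raw):
    """Received headers in header order; the top one is the server nearest you."""
    found = []
    for line in unfold(raw):
        m = HOP.search(line) if line.lower().startswith("received:") else None
        if m:
            name, paren, by = m.groups()
            # Prefer the address the receiving server recorded in parentheses over the HELO name.
            ip = IPV4.search(paren or "") or IPV4.search(name)
            found.append({"from": name, "ip": ip and ip.group(1), "by": by, "status": "unverified"})
    return found

def analyze(raw, trusted):
    """Label each hop; 'boundary' is the last hop whose peer IP you can verify."""
    result, boundary = hops(raw), None
    for hop in result:  # hops are 'unverified' (sender-supplied, possibly forged) unless proven otherwise
        host = hop["by"].lower()
        if boundary is None and any(host == s or host.endswith("." + s) for s in trusted):
            if not hop["ip"] or ipaddress.ip_address(hop["ip"]).is_private:
                hop["status"] = "internal"  # relay inside the trusted provider
            else:
                hop["status"] = "boundary"  # trusted server logged the real peer IP
                boundary = hop["ip"]
    return result, boundary
```

Run `analyze(SAMPLE, ("verizon.net", "mailsrvcs.net"))` to get the labelled hops plus 222.235.161.241 as the last address you can actually stand behind; the private 172.18.12.132 hop is Verizon's internal relay, and the qlv.mxkrwf hop is unverifiable.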
 

ACMarina (Flashlight Enthusiast, joined Sep 10, 2004, 3,119 messages, Brookston, IN):
Get a good email program and just junk them - mine is doing just fine, I get "Stock Tips" but I never see them..
 

geepondy (Flashlight Enthusiast, joined Apr 15, 2001, 4,896 messages, Massachusetts):
I'm always afraid with the automatic spam detector programs that it might delete legit email, something that might be important from a friend or relative.
 

Empath (Flashaholic, joined Nov 11, 2001, 8,508 messages, Oregon):
Only the worst anti-spam programs would delete spam. Most provide some means of reviewing those caught by the filter, in case you want to scan it quickly. Then you can go ahead and delete them if you wish.

Thunderbird moves those that you've designated as "junk" to the junk folder, and learns from those you've designated as to what you consider spam.
 

BB (Flashlight Enthusiast, joined Jun 17, 2003, 2,129 messages, SF Bay Area):
I only get 1-10 junk mails per day... And I use Thunderbird with the Junk mail filter... It has only mistakenly junked one good email--it was the first one I had ever received from our DARELL :lolsign:....

-Bill
 

shaman (Newly Enlightened, joined Jun 12, 2005, 160 messages, Under God.):
Also just a bit of additional info. On the spam/sinister side of things... the person could be using ways to play shadow games. In other words what gadget_lover stated and possibly then some... Botnets, zombies, other cracked systems could be being used to start the email. And to further agree with KevinL, most could care less. I've gotten into some heated emails only to have the other end throwing in the towel.

Sincerely,

Shaman
 

TedTheLed (Flashlight Enthusiast, joined Feb 22, 2006, 2,021 messages, Ventura, CA.):
I've been getting dozens of things like this for a week or more -- someone using my address as their fake return address:

(I removed a letter or two here and there where my addy appears to throw off bots, or did I do it wrong?)

Anyone know how to locate and dispatch these hell hounds?

------------
This report relates to a message you sent with the following header fields:

Status: U
Return-Path: <>
Received: from ar-goshawk.pas.sa.earthlink.net ([207.217.120.227])
by mx-collie.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1fzP8N3WR3Nl36t3
for <[email protected]>; Sat, 29 Apr 2006 09:05:41 -0400 (EDT)
Received: from mx13-dom.earthlink.net ([207.217.120.107] helo=whmx-evening.pas.sa.erthlink.net)
by ar-goshawk.pas.sa.earthlink.net with smtp (Exim 3.36 #4)
id 1FZp7w-0005Sd-00
for [email protected]; Sat, 29 Apr 2006 06:04:48 -0700
X-ELNK-Loop: [email protected]
Received: from avas-mx06.fibertel.com.ar ([24.232.0.189])
by whmx-evening.pas.sa.earthlink.net (EarthLink Mail Service) with ESMTP id 1fzP7R1gQ3NZFkO0
for <[email protected]>; Sat, 29 Apr 2006 06:04:43 -0700 (PDT)
Received: from mig1 ([10.10.10.171]:61614 "EHLO smtp.fibertel.com.ar")
by avas-mx06.fibertel.com.ar with ESMTP id S1097958AbWD2NEb;
Sat, 29 Apr 2006 10:04:31 -0300
Received: from process-daemon.mta1.fibertel.com.ar by mail.fibertel.com.ar
(Fibertel S.A. - Argentina) id <[email protected]> for
[email protected]; Sat, 29 Apr 2006 10:04:31 -0300 (ART)
Received: from mail.fibertel.com.ar (Fibertel S.A. - Argentina)
id <[email protected]>; Sat,
29 Apr 2006 10:04:31 -0300 (ART)
Date: Sat, 29 Apr 2006 10:04:31 -0300 (ART)
From: Internet Mail Delivery <[email protected]>
Subject: Delivery Notification: Delivery has failed
To: [email protected]
Message-id: <[email protected]>
MIME-version: 1.0
Content-type: multipart/report;
boundary="Boundary_(ID_SL6nGAz6oFJ6mrucxYV9gw)"; report-type=delivery-status
X-ELNK-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=2; sbrc=-0; sbf=00; sbw=011;

Message-id: <000501c66b8d$6679d98a$1d909a46@zwni>
Date: Sat, 29 Apr 2006 08:55:42 -0400
From: Dorian Gregg <[email protected]>
To: [email protected]
Subject: {posible spam} effigy

Your message cannot be delivered to the following recipients:

Recipient address: @stov2.fibertel.com.ar:clarisa@ims_daemon
Original address: [email protected]
Reason: LMTP transmission failure has occurred
Diagnostic code: smtp;522 5.2.0 Delivery failed: Over quota
Remote system: dns;stov2.fibertel.com.ar (sto02. -- Server LMTP [Sun ONE Messaging Server 6.1 HotFix 0.11 [built Jan 28 2005]])
 

BB (Flashlight Enthusiast, joined Jun 17, 2003, 2,129 messages, SF Bay Area):
There is a good chance that somebody is using your return address based on a "stolen" email list, either from one of your "friends" or from one of your own PCs... If it is one of your friends, there may not be a lot that you can do except to call the person(s) that you think may be responsible and tell them they may have a problem with their PC.

Is there any chance that you have virus/Trojan/etc. on one of your own computers?

One quick way, for me, was to temporarily install the free edition of ZoneAlarm and see if I have any processes that sneaked into my PC... I set it to warn me of every program that attempts to access the Internet--if there is one that I don't recognize, I put that name into Google and see if there are any problems with that program...

If your ISP is Earthlink (or one of the other ISP's with good support help), I would try support and see if they can help you from their side to see if it is your problem or not (they may be able to check the server logs and see if you are sending an unusual number of emails).

-Bill
 

gregw (Flashlight Enthusiast, joined Jun 7, 2004, 1,511 messages, Hong Kong):
I am getting probably over 100 spam per day, but never see them as I've subscribed to an email account at Spamcop.net. The cost is $30 per year, and there isn't any limit on the amount of emails you can keep on the server (for now). You can use any POP/IMAP capable email software to download/sync with your email account. It automatically segregates all spam to a "Held Mail" folder, which you can check through, as well as report all the spam with a single click. Works very well... :)

If you want to just report the spam, you can also do it at Spamcop.net. Reporting spam is good as it keeps the blacklists current, and helps everyone else to filter the spam instead of letting it through to their inbox.