IP address identifications

goodole1

Member
Nov 17, 2003
72
0
0
Sometimes I receive emails etc that are just downright not right. Is there software to read the header and tell you who the host is and possible sender information?
 

elcamino74ss

Senior member
Jun 6, 2005
215
0
0
Depending on your mail client, but all that info is already in the original email and you do not need another piece of software. Check the help on your mail client.
 

goodole1

Member
Nov 17, 2003
72
0
0
Yes, the info is there, but to interpret the info is another thing. All the letters and numbers are great, but if you can't understand the acronyms it's kind of a lost cause.

Thanks
 

engineereeyore

Platinum Member
Jul 23, 2005
2,070
0
0
If you're just looking for the source IP address, you should only need to look at the Received items. These are usually listed in descending order, newest to oldest, I believe. So the first entry should tell you who gave it to your computer and from whom they got it. Follow that all the way down and you should see the IP address of the computer it came from. This may be the address of the mail server though and not the actual computer, depending on how they were connected.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: engineereeyore
If you're just looking for the source IP address, you should only need to look at the Received items. These are usually listed in descending order, newest to oldest, I believe. So the first entry should tell you who gave it to your computer and from whom they got it. Follow that all the way down and you should see the IP address of the computer it came from. This may be the address of the mail server though and not the actual computer, depending on how they were connected.

Unfortunately you can only 'trust' the last header you can verify. For most users that is the first Received header. Anything upstream may simply have been forged. Spammers will often inject bogus Received headers to make fake sources (trust me on this, I've seen plenty, we scan about 1/4 of the overall global email traffic).

And frankly, if it's spam we are talking about, it's most likely overseas or from a bot. There are few true 'spamming' servers left in the US. Most email bots send only a few spams per day (I've seen numbers from 3-20 for smart bot nets). Meaning you can spend a week shutting down a bot, but you've killed 3 emails, not the botnet which is generating millions.
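
Added example (not part of any post in this thread): a Python sketch of the rule described in the two posts above, reading Received headers newest-first and stopping at the last one stamped by a server you trust. The hostnames, documentation-range IPs, the `TRUSTED_BY` set and the function names are constructed assumptions, and the regexes cover only the common `from host (name [ip]) by host` layout.

```python
import email
import ipaddress
import re

# Constructed sample: example domains and documentation-range IPs only.
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP id A1; Mon, 1 Jan 2007 10:00:05 +0000
Received: from mail.sender.example (unknown [198.51.100.7])
\tby mx.example.net with ESMTP id B2; Mon, 1 Jan 2007 10:00:03 +0000
Received: from bank.example ([203.0.113.99])
\tby mail.sender.example with SMTP id C3; Mon, 1 Jan 2007 09:59:58 +0000
From: "Support" <support@bank.example>
Subject: constructed sample

body
"""

# Assumption: the servers run by you or your provider, whose stamps you trust.
TRUSTED_BY = {"inbox.example.net", "mx.example.net"}

FROM_RE = re.compile(r"from\s+(\S+)\s+\([^\[\)]*\[([^\]]+)\]")
BY_RE = re.compile(r"\bby\s+([^\s;]+)")

def parse_hops(raw):
    """Return Received hops newest-first as dicts: helo, ip, by."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m_from, m_by = FROM_RE.search(flat), BY_RE.search(flat)
        ip = None
        if m_from:
            try:
                ip = str(ipaddress.ip_address(m_from.group(2)))
            except ValueError:                  # malformed or non-IP literal
                ip = None
        hops.append({"helo": m_from.group(1) if m_from else None,
                     "ip": ip,
                     "by": m_by.group(1).lower() if m_by else None})
    return hops

def last_verifiable_hop(hops, trusted_by):
    """Walk down from the top; stop at the first stamp not written by us."""
    last = None
    for hop in hops:
        if hop["by"] not in trusted_by:
            break                               # everything below is unverified
        last = hop
    return last

if __name__ == "__main__":
    hop = last_verifiable_hop(parse_hops(RAW), TRUSTED_BY)
    print("last verifiable source:", hop["ip"] if hop else None)
```

On the sample, the walk stops at the header written by `mail.sender.example`, so the reported source is the host that connected to the trusted border server, and the `203.0.113.99` entry below it is treated as a claim rather than a fact.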
 

engineereeyore

Platinum Member
Jul 23, 2005
2,070
0
0
Originally posted by: bsobel
Unfortunately you can only 'trust' the last header you can verify. For most users that is the first Received header. Anything upstream may simply have been forged. Spammers will often inject bogus Received headers to make fake sources (trust me on this, I've seen plenty, we scan about 1/4 of the overall global email traffic).

And frankly, if it's spam we are talking about, it's most likely overseas or from a bot. There are few true 'spamming' servers left in the US. Most email bots send only a few spams per day (I've seen numbers from 3-20 for smart bot nets). Meaning you can spend a week shutting down a bot, but you've killed 3 emails, not the botnet which is generating millions.

Very true. It is possible that you'll occasionally actually catch someone who is using their home computer to send out such messages and doesn't know how to cover their tracks, but most of the time what you see is bogus. We had to write our own email client while I was in college and it's nuts how easy it is to forge all that information. I would think that placing a few more restrictions on outgoing mail servers would help fix this, but how do you implement that world-wide?
 

engineereeyore

Platinum Member
Jul 23, 2005
2,070
0
0
Originally posted by: bsobel
but how do you implement that world-wide?

Slowly over time e.g. SPF, domain keys, etc...

Very true. I haven't done a lot with mail server specifications in a while. Have they started mandating any of this yet, or is it still left to the service provider to decide if they want to use it?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: engineereeyore
Originally posted by: bsobel
but how do you implement that world-wide?

Slowly over time e.g. SPF, domain keys, etc...

Very true. I haven't done a lot with mail server specifications in a while. Have they started mandating any of this yet, or is it still left to the service provider to decide if they want to use it?

It's not mandated; what you're seeing is the larger providers enabling it and using it as part of spam scoring. The smaller providers have to support it to ensure their mail flows properly to the 'big boys' (hotmail, gmail, yahoo, etc...). Not ideal, but it is helping and can only improve matters over time.
 

goodole1

Member
Nov 17, 2003
72
0
0
Well I can tell you it's not a spam issue, I just block most of them with software, it's more or less a fraudulent situation. I've tried to ping most of the addresses in the header only to find two of maybe 6 valid. I just thought there was an easier way out of China town so to speak.

Thanks for your comments.

 

SunnyD

Belgian Waffler
Jan 2, 2001
32,674
146
106
www.neftastic.com
Originally posted by: goodole1
Well I can tell you it's not a spam issue, I just block most of them with software, it's more or less a fraudulent situation. I've tried to ping most of the addresses in the header only to find two of maybe 6 valid. I just thought there was an easier way out of China town so to speak.

Thanks for your comments.

Ping? Keep in mind that a lot of servers will outright block ICMP requests. Definitely not a good test to see if something is alive.
 