check-patch.bat


Frode Fredriksen

Hello, I received this message from someone I don't know. (e-mail address removed)
(e-mail address removed)

:
I permanently get Spam-Mails from you and inside is a virus!!
You should remove these thing.
Sorry, but the ODIN Worm is probably on your computer!
You should check this with the patch application.

See you soon

:

The file check-patch.bat (46Ko) came attached. Of course I have not opened
it.

What do we do?

frode
 
On that special day, Frode Fredriksen, ([email protected]) said...
This message comes from a computer infected with Sober. So it is vice
versa: the sender is infested, not the recipient. Throw it away, or
analyse the headers and file a complaint to the ISP who is responsible
for the IP number mentioned in the topmost "Received:" line.


Gabriele Neukam

(e-mail address removed)
 
See http://www.sophos.com/virusinfo/analyses/w32sobera.html

The message you received was generated by the w32.sober worm.

While the description doesn't indicate the from address is fake,
I would assume it is.

Either just delete the message, or report it to the isp the
mail came from (based on the ip in the received header, not
the from line).

Regards, Dave Hodgins
 
RECEIVED,

A question though;

you say:

.....or report it to the isp the
| mail came from (based on the ip in the received header, not
| the from line).

I use OE6, what and where is, "ip in the received header"?



thanks

frode

 
You can find a lot of sites explaining how to read headers at
http://www.google.com/search?q="reading+email+headers"&sourceid=opera&num=0&ie=utf-8&oe=utf-8

Here's my summary.

To view the complete headers in OE6 ...
select the message
select properties by
- right clicking & selecting properties or
- selecting file/properties or
- pressing alt+enter
select details to view the headers

Here is an example of headers from a message I received ...
Return-Path: <[email protected]>
Received: from localhost ([24.192.121.150])
by fep01-mail.bloor.is.net.cable.rogers.com
(InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP
id <20031109174050.EWUG489006.fep01-mail.bloor.is.net.cable.rogers.com@localhost>
for <[email protected]>; Sun, 9 Nov 2003 12:40:50 -0500
From: "Microsoft" <[email protected]>
To: <[email protected]>
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="xxxx"
Message-Id: <20031109174050.EWUG489006.fep01-mail.bloor.is.net.cable.rogers.com@localhost>
Date: Sun, 9 Nov 2003 12:40:50 -0500

I've added munge to all of the email addresses, to block usenet harvesters.

Often there will be more than one Received header. The most recent Received one will be
first, and will have been generated by your isp, when the computer that generated the
header, received the message. Depending on how your isp has their system set up, it may
add more than one Received header, as it passes the message between computers that it owns.
The sending isp may also generate more than one Received header. A virus, or spammer, or
anyone trying to make identifying them more difficult, may include "forged" Received headers
too, but they will always follow the real headers.

Normally you want to use the bottom received header, to identify the sending computer, but
when there are forged headers too, you have to figure out which ones were forged, and use
the bottom (first created) real one. The tricky part can be figuring out which ones are
forged<g>!

The numbers in the square brackets are the actual ip of the computer that sent
the message. The name before the brackets is provided by the sending computer,
and may or may not have anything to do with who owns the computer. Often spammers,
or viruses will use what looks like an ip number, as a name, to confuse people.

The ip from the Received header is 24.192.121.150. The computer at that ip
has chosen to call itself "localhost". In normal mail, the name the sending
computer uses will match the name recorded in the whois database (more on that
later). From a "whois" lookup, I can tell this came from a machine on rogers.com
(same isp that I use). This guarantees the Return path, and From email addresses
are forged, in this case by the Dumaru email worm, that generated the message.

By running a whois lookup, on the ip from each received header, you can trace which
machines it went through. You identify which headers are forged, by looking for a
point in the path, that doesn't make sense. For example, if the first header says
it was received from rogers, by your isp, and the second says it was received by
rogers, from AOL, the second is fake. An email from AOL to your isp, wouldn't go
through rogers.

The easiest way to run a whois lookup, is to go to a website like http://www.samspade.org/
enter the ip into the first box, and press the "Do Stuff" button. In some cases it will
provide you with the information from the whois database, in others, it will provide you
with a registrars website you have to go to, to run the lookup. On the samspade site, it
will also show you a traceroute. You should confirm that the isp name shown in the
traceroute matches what's shown in the whois, as the whois info can be fake.

The whois info may include an email address for sending abuse complaints to, such as
abuse@rogers dot com. If it doesn't, you can enter the domain name (in this case,
rogers.com) at http://www.abuse.net/lookup.phtml to see if they've registered one
or more email addresses there. If you can't find one there, according to standards,
the address to use is (e-mail address removed), but most sites have an abuse@ address.

If the computer that sent the message is using dial up access, the isp will have
to consult their logs to see who was connected when the message was sent. Be sure
to include the complete headers, in any complaint you send them, and try to do it
fairly soon, after you receive the message (they may only keep their logs for a
day or two).

This should be enough to get you started<g>. Feel free to ask me, or others here,
if you need more help.

Regards, Dave Hodgins
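As an added example (not code from the thread or from any tool mentioned in it), here is a small Python script that does what Dave describes by hand: it pulls the bracketed IP and the "from"/"by" names out of each Received header, treats the bottom one as the sending computer, and walks up past non-public addresses to find an IP worth reporting. The sample message is constructed from the headers quoted above with a second relay and the 192.0.2.10 documentation address added; the name-continuity check for forged headers is a heuristic that goes beyond the thread's manual method and still needs a whois to confirm.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted above: the bottom Received
# line reuses the quoted sending IP; the top one (192.0.2.10, a documentation
# address) is added to show how a second relay stacks on top of it.
SAMPLE = """\
Received: from fep01-mail.bloor.is.net.cable.rogers.com ([192.0.2.10])
 by mx.example.invalid (Postfix) with ESMTP id 1ABCD
 for <user@example.invalid>; Sun, 9 Nov 2003 12:41:02 -0500
Received: from localhost ([24.192.121.150])
 by fep01-mail.bloor.is.net.cable.rogers.com (InterMail vM.5.01.05.12) with SMTP
 id <20031109174050.EWUG489006@localhost>
 for <user@example.invalid>; Sun, 9 Nov 2003 12:40:50 -0500
From: "Microsoft" <support@example.invalid>
Subject: Use this patch immediately !

(body omitted)
"""

# from <name the sender gave> ([<ip the relay actually saw>]) ... by <relay>
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def parse_hops(raw):
    """One dict per Received header, in header order (most recent relay first)."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops

def originating_hop(hops):
    """Bottom (first created) header; its bracketed IP is the sending computer."""
    return hops[-1] if hops else None

def chain_breaks(hops):
    """Indices where a hop's 'from' name is not the relay stamped 'by' just below it.
    Heuristic only: a mismatch marks a point to check for a forged header with whois."""
    return [i for i in range(len(hops) - 1) if hops[i]["helo"] != hops[i + 1]["by"]]

def abuse_candidate(hops):
    """Walk up from the bottom and return the first public IP worth reporting."""
    for hop in reversed(hops):
        if ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None
```

Run `parse_hops(SAMPLE)` and hand the result to the other three functions; swapping the top hop's "from" name for an unrelated host is enough to see `chain_breaks` flag the break Dave describes.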