TRACING THROUGH A HEADER WITH TWO RECEIVED LINES

Original Header:

Received: from smtp5.mindspring.com ([207.69.200.82]) by
    mtiwgwc07.worldnet.att.net (InterMail v03.02.07 118 124) with
    ESMTP id <19990514180046.BGUB18987@smtp5.mindspring.com> for
    <xxxxxxx@xxx.xxx>; Fri, 14 May 1999 18:00:46 +0000
Received: from qthahrgm (pool-209-138-40-130.bltm.grid.net [209.138.40.130]) by
    smtp5.mindspring.com (8.8.5/8.8.5) with SMTP id NAA02522; Fri,
    14 May 1999 13:59:09 -0400 (EDT)
Message-Id: <199905141759.NAA02522@smtp5.mindspring.com>
From: Tina <whistle808@unbounded.com>
To: list1516 <whistle808@unbounded.com>
Date: Fri, 14 May 1999 14:02:50 -0500
Subject: Do You Want To Increase Your Income?
Reply-To: whistle808@unbounded.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Priority: 3

Relevant Parts of the Header:

To Determine the Sender: Perform an rDNS on the first IP address shown:
This IP address gives the name of the machine that actually sent the mail: a mailserver named smtp5 at mindspring.com. It matches the server name shown in the header, so we know that our server received this mail from Mindspring.

Next, check whether the second Received line is legitimate or forged. The first thing to check is the time stamps. The first time stamp shows that your mailserver received this mail from the Mindspring mailserver at 18:00:46 +0000, which is 6:00:46 PM Greenwich Mean Time (GMT). The second time stamp shows that the Mindspring mailserver received the mail at 13:59:09 -0400 (EDT). Adjust Eastern Daylight Time to GMT: the -0400 offset in the time stamp tells you that EDT is 4 hours behind GMT, so the Mindspring server received the mail at 17:59:09 GMT, or 5:59:09 PM. There is a delay of 13 seconds between the two time stamps, which is very realistic. The second Received line is probably valid.

Next, perform an rDNS on the originating IP address:
Again, the canonical name for the IP address matches the server named in the header, so this Received line is most likely valid. The e-mail originated at a dial-up owned by grid.net.

Run a whois on grid.net:
grid.net is WorldCom. WorldCom is owned by MCI and is a backbone. So who is the "guilty party"? Since Mindspring servers will not third-party relay mail, the mail must have originated from someone with legal rights to use Mindspring's SMTP servers, i.e., a Mindspring customer.

What is grid.net's involvement? Grid.net is part of MCI's backbone service; they lease dial-up POPs to other providers. From the information found in this header, it looks like a Mindspring user dialed into the Mindspring servers using a POP leased from Grid.net. Grid.net is more or less an innocent party to this.

This UCE would be forwarded to: abuse@mindspring.com or
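The manual trace above does two things by hand: it walks the Received lines from the bottom up, converting every time stamp to GMT and checking that each hop's delay is plausible, and it compares the reverse DNS of each relay's IP address with the name written in the header. The script below automates both steps using only the Python standard library. It is an added example, not code from the original page; the header quoted on the page is embedded as sample input, and the PTR answers in the table resolver are constructed to match what the page reports from its rDNS lookups (a live resolver is included for real use). Run on the header above, it reports the hop delay as the raw UTC difference between 17:59:09 and 18:00:46, i.e. 97 seconds.

```python
import re
import socket
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# The header quoted on the page, used here as sample input (body omitted).
SAMPLE_HEADER = """\
Received: from smtp5.mindspring.com ([207.69.200.82]) by
    mtiwgwc07.worldnet.att.net (InterMail v03.02.07 118 124) with
    ESMTP id <19990514180046.BGUB18987@smtp5.mindspring.com> for
    <xxxxxxx@xxx.xxx>; Fri, 14 May 1999 18:00:46 +0000
Received: from qthahrgm (pool-209-138-40-130.bltm.grid.net [209.138.40.130]) by
    smtp5.mindspring.com (8.8.5/8.8.5) with SMTP id NAA02522; Fri,
    14 May 1999 13:59:09 -0400 (EDT)
Message-Id: <199905141759.NAA02522@smtp5.mindspring.com>
From: Tina <whistle808@unbounded.com>
Date: Fri, 14 May 1999 14:02:50 -0500
Subject: Do You Want To Increase Your Income?

"""

# "from <helo> (<rdns> [<ip>]) by <server> ... ; <date>" -- the shape both
# Received: lines on the page take (sendmail / InterMail style).
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"            # name the client announced (HELO/EHLO)
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # what the receiving MTA saw: rDNS and [ip]
    r"\s+by\s+(?P<by>\S+)"              # the receiving server
    r".*;\s*(?P<date>.+)$"              # time stamp after the last ';'
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header_text):
    """Return hops oldest-first: dicts with helo, rdns, ip, by and ts (UTC)."""
    msg = message_from_string(header_text)
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(str(raw).split())   # unfold continuation lines
        m = RECEIVED_RE.match(line)
        if not m:
            continue                        # unparseable line: skip, don't guess
        comment = m.group("comment") or ""
        ip = IP_RE.search(comment)
        ts = parsedate_to_datetime(m.group("date"))
        if ts.tzinfo is None:               # "-0000" dates come back naive
            ts = ts.replace(tzinfo=timezone.utc)
        hops.append({
            "helo": m.group("helo"),
            "rdns": IP_RE.sub("", comment).strip() or None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "ts": ts.astimezone(timezone.utc),
        })
    hops.reverse()  # each relay prepends its line, so the top line is newest
    return hops


def hop_delays(hops):
    """Seconds between each hop's stamp and the next relay's, all in UTC."""
    return [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(hops, hops[1:])]


def suspicious_delays(hops, max_seconds=24 * 3600):
    """Indexes of hops whose delay runs backwards or is implausibly long.

    A negative delay means a later relay stamped an earlier time: clock skew,
    or a Received: line that was forged. A very long delay deserves the same
    second look."""
    return [i for i, d in enumerate(hop_delays(hops)) if d < 0 or d > max_seconds]


def table_resolver(table):
    """Offline rDNS function built from a dict ip -> name (constructed data)."""
    return lambda ip: table.get(ip)


def live_resolver(ip):
    """Real reverse lookup via the system resolver; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                         # herror/gaierror are OSError subclasses
        return None


def check_rdns(hop, resolve):
    """Compare the PTR name for the hop's IP with the names in the header.

    A match against the receiving MTA's recorded rDNS (or the HELO name) is
    what the manual trace relies on to trust a Received: line."""
    if not hop["ip"]:
        return {"resolved": None, "matches": False}
    name = resolve(hop["ip"])
    claimed = {n.lower() for n in (hop["helo"], hop["rdns"]) if n}
    return {"resolved": name, "matches": bool(name) and name.lower() in claimed}


if __name__ == "__main__":
    ptr = table_resolver({"207.69.200.82": "smtp5.mindspring.com",
                          "209.138.40.130": "pool-209-138-40-130.bltm.grid.net"})
    hops = parse_received(SAMPLE_HEADER)
    for i, hop in enumerate(hops):
        print(i, hop["ip"], "->", hop["by"], hop["ts"].isoformat(), check_rdns(hop, ptr))
    print("hop delays (s):", hop_delays(hops), "suspicious:", suspicious_delays(hops))
```

Swap `table_resolver(...)` for `live_resolver` to run the rDNS step against real DNS. The oldest hop's HELO name (`qthahrgm`) is whatever the dial-up client chose to announce, so `check_rdns` accepts a match against either that name or the name the receiving server itself recorded; it is the recorded name, not the HELO, that the trace above verifies.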