
Thread: IP Adresses and Full Headers

  1. #1
    Retired Companion
    Join Date
    Jan 2009
    Posts
    71

    I need help reading the full headers on my emails. I use Yahoo. I receive replies through my backpage and cl ads, and then some directly from the person replying to my reply.

    My question is, how do I read the headers, and determine which is the ip address of that person's email?

    I hope I stated that correctly, and someone can help me.

    Thank you,
    Carey

    *Sorry if this was the wrong place to post this. I wasn't sure.*

  2. #2

    Join Date
    Jan 2009
    Location
    Usually in the VIP
    Posts
    67
    Double click on the email you want the full header of.

    On the right hand side in a blue hyperlink (right above the date and time of the email) you'll see either "compact header" or "standard header". Click on that

    Then scroll down to "full header" and select it.

    LAP
    It's called the hobby for a reason, it's supposed to be something you enjoy doing. If you find that you're no longer enjoying this...do something else.

  3. #3
    Figuring It Out Rezo's Avatar
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    109
    A visual aid on how to reveal the headers in Yahoo, Gmail, Hotmail, and AOL can be found here.

    http://www.johnru.com/active-whois/headers...otmail-aol.html


    The sender's actual IP address will be in the bottommost "Received:" Header.

    Example from a previous Spam Du Jour...

    CODE
    Order some Snake Oil today!
    Saturday, October 4, 2008 7:36 PM
    From Armand Shields Sat Oct 4 17:36:22 2008

    Return-Path: <armandshields13@yahoo.com>
    Authentication-Results: mta229.mail.re4.yahoo.com from=yahoo.com; domainkeys=pass (ok)
    Received: from 98.136.44.46 (HELO n58.bullet.mail.sp1.yahoo.com) (98.136.44.46) by mta229.mail.re4.yahoo.com with SMTP; Sat, 04 Oct 2008 17:36:26 -0700
    Received: from [216.252.122.219] by n58.bullet.mail.sp1.yahoo.com with NNFMP; 05 Oct 2008 00:36:22 -0000
    Received: from [69.147.84.100] by t4.bullet.sp1.yahoo.com with NNFMP; 05 Oct 2008 00:36:22 -0000
    Received: from [127.0.0.1] by omp201.mail.sp1.yahoo.com with NNFMP; 05 Oct 2008 00:36:22 -0000
    Received: (qmail 84135 invoked by uid 60001); 5 Oct 2008 00:36:22 -0000
    Received: from [190.74.20.34] by web45002.mail.sp1.yahoo.com via HTTP; Sat, 04 Oct 2008 17:36:22 PDT    <-- shown in red in the original post
    Date: Sat, 4 Oct 2008 17:36:22 -0700 (PDT)
    From: Armand Shields <armandshields13@yahoo.com>
    Reply-To: armandshields13@yahoo.com
    Subject: Order some Snake Oil today!
    To: mrniceguy@yahoo.com
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="0-1501768074-1223166982=:81435"
    Message-ID: <721352.81167.qm@web45002.mail.sp1.yahoo.com>
    Content-Length: 1430

    Notice the IP address in red. This is the IP address you want if trying to do a trace of some kind.

  4. #4
    Verified Hobbyist BCD
    Join Date
    Jan 2009
    Location
    Pittsburgh, PA
    Posts
    10
    QUOTE (island_beau @ Feb 25 2009, 11:44 AM)
    > The sender's actual IP address will be in the bottommost "Received:" Header.
    Well, it will usually be there - unless the sender has added some fake "Received:" headers of their own, before submitting the message to the MTA. Those are usually not hard to spot, for someone experienced with such things, but a "fake" header might confuse or fool a novice....

  5. #5
    Figuring It Out Rezo's Avatar
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    109
    Good point, laserface. Though when looking at the simplest of faked Received headers, the IP address that is in parentheses/brackets is still going to be the real IP of the sender.

    Looking at the "Received" headers in the example I posted you will see the path the email originally took. It reads something like....

    "Received: from SomeAddress3 by SomeAddress4; SomeTime/Date"
    "Received: from SomeAddress2 by SomeAddress3; SomeTime/Date"
    "Received: from SomeAddress1 by SomeAddress2; SomeTime/Date"

    If you think someone is going the extra mile with fake headers then you need to trace the path of the email from the top. The top Received header has to be real since that is where the email reached your mail provider. We can only presume the bottom header is where it originated from. Work your way from the top down to try and determine if the Received headers might be faked.

    First you should see a chain-like pattern: the computer (noted as SomeAddress) that received the message in one line is then, in the next Received line, the address that is sending. If the message was given to a computer/address in one line, it would make sense that it would be the one to pass it along to the next computer in the following line.

    Also take a look at the timestamps. Since there are no time machines, emails can't be created after the next server received the message, so that is another clue for sniffing out faked info.

    Lastly, you would need to look up each IP address with something like nslookup to verify it's a real IP.

  6. #6

    Join Date
    Jan 2009
    Location
    DFW
    Posts
    20
    Why would you want to track my IP address? Wouldn't this be along the same lines as writing down my license plate number? :unsure:
    What happened at the cannibal's wedding party?
    They toasted the bride and groom!

  7. #7
    Retired
    Join Date
    Feb 2009
    Location
    Austin/San Antonio area
    Posts
    154

    To make sure it's you and not the stalker trying to out us pretending to be you.

  8. #8
    Verified Hobbyist BCD GneissGuy's Avatar
    Join Date
    Jan 2009
    Location
    Austin
    Posts
    641
    QUOTE (island_beau @ Mar 8 2009, 05:55 PM)
    > ...Also take a look at the timestamps. Since there are no time machines, emails can't be created after the next server received the message, so that is another clue for sniffing out faked info.
    >
    > Lastly, you would need to look up each IP address with something like nslookup to verify it's a real IP.
    Time machines - Sometimes a computer clock is wrong, and often, they don't properly identify time zones, but the screwy time stamp does raise suspicions.

    There are often legitimate non-routable, or non-DNSable IPs in an e-mail header. In particular, there are often private IPs in the 10.x.x.x, 172.16-31.x.x, or 192.168.x.x ranges. There may be other IPs that are in someone's internal system that aren't reachable by the outside world. However, such addresses bear further investigation if you encounter them.

    Remember that even if you figure out the originating IP, that doesn't mean that is the person who sent it. The "originating" computer may be one that's compromised in a botnet, spyware, etc.

    And don't forget internet cafes, wifi hotspots, houses with unsecured wireless, etc.
    Be Gneiss Gnow...

  9. #9
    Figuring It Out Rezo's Avatar
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    109
    QUOTE (gneissguy @ Mar 15 2009, 10:22 AM)
    > Time machines - Sometimes a computer clock is wrong, and often, they don't properly identify time zones, but the screwy time stamp does raise suspicions.
    The original sender's timestamp might be messed up due to an incorrectly configured clock, but it is unlikely the "legitimate" servers in between will be. Time zones are noted as well.

    This is why you might suspect something is amiss in regards to the timestamps.

    I'm not really talking about minutes and seconds here. I mean days, months, years :P

  10. #10
    Bitch InsatiableBitch's Avatar
    Join Date
    Feb 2009
    Location
    78704-ATX
    Posts
    24
    Purple, if you need help, PM me.
    100 GFE special
    436 6 5 3 1 EMAIL ADDRESS

  11. #11
    Figuring It Out Rezo's Avatar
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    109
    QUOTE (gneissguy @ Mar 15 2009, 10:22 AM)
    > There are often legitimate non-routable, or non-DNSable IPs in an e-mail header. In particular, there are often private IPs in the 10.x.x.x, 172.16-31.x.x, or 192.168.x.x ranges. There may be other IPs that are in someone's internal system that aren't reachable by the outside world. However, such addresses bear further investigation if you encounter them.
    Good note about the non-routable IPs. You should still see the message enter a host through its public IP and exit its private network with a public IP as well. Usually it will be the exact same host or within the same Class B or C subnet.

    If the original MTA was on a private IP then the traceable address would be the first public IP that appears afterwards in the headers.
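The checks laid out in posts #3, #5, #8 and #11 above, turned into one script. This is an added example, not code from the thread: it walks the Received: chain from the top hop (the one your own provider wrote) downward, stops trusting hops once the "by" host of an older line no longer matches the host the line above says it came from, or once an older line is timestamped well after the line that received it, skips RFC 1918 and loopback addresses, and reports the deepest still-trusted public IP. SPAM is the header dump quoted in post #3. FORGED, the hostnames in it (mail.example.net, mx.example.org, and so on) and the 10-minute clock tolerance are made up for the demonstration, and the documentation nets 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
"""Walk a message's Received: chain from the top (the hop your own provider wrote, which
has to be real) downward, trusting older hops only while hand-offs and clocks agree."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# RFC 1918, loopback, link-local: never identify an outside sender. Listed explicitly because
# ipaddress.is_private also covers the documentation nets FORGED uses as stand-in public IPs.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FROM_RE = re.compile(r"^from\s+\[?([^\s\[\]()]+)", re.I)
HELO_RE = re.compile(r"\(E?HELO\s+([^)\s]+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

# Constructed sample: the Received: lines of the header dump quoted earlier in the thread.
SPAM = """\
Received: from 98.136.44.46 (HELO n58.bullet.mail.sp1.yahoo.com) (98.136.44.46) by mta229.mail.re4.yahoo.com with SMTP; Sat, 04 Oct 2008 17:36:26 -0700
Received: from [216.252.122.219] by n58.bullet.mail.sp1.yahoo.com with NNFMP; 05 Oct 2008 00:36:22 -0000
Received: from [69.147.84.100] by t4.bullet.sp1.yahoo.com with NNFMP; 05 Oct 2008 00:36:22 -0000
Received: from [127.0.0.1] by omp201.mail.sp1.yahoo.com with NNFMP; 05 Oct 2008 00:36:22 -0000
Received: (qmail 84135 invoked by uid 60001); 5 Oct 2008 00:36:22 -0000
Received: from [190.74.20.34] by web45002.mail.sp1.yahoo.com via HTTP; Sat, 04 Oct 2008 17:36:22 PDT

"""
# Constructed forgery (hypothetical hosts): the sender prepended a bogus bottom line whose "by"
# host is not the one the hop above names and whose clock is hours ahead, to blame 198.51.100.9.
FORGED = """\
Received: from mail.example.net (mail.example.net [203.0.113.7]) by mx.example.org with ESMTP; Mon, 09 Mar 2009 10:15:40 -0500
Received: from workstation.example.net ([192.168.1.20]) by mail.example.net with ESMTP; Mon, 09 Mar 2009 10:15:38 -0500
Received: from relay.example.com ([198.51.100.9]) by smtp.example.net with SMTP; Tue, 10 Mar 2009 02:00:00 +0000

"""

@dataclass
class Hop:
    from_name: Optional[str]  # hostname the sending side presented (HELO, else bare name)
    from_ip: Optional[str]    # first IP literal in the "from" clause
    by: Optional[str]         # host that wrote this header
    when: Optional[datetime]  # tz-aware; a bare "-0000" zone is read as UTC

def parse_hop(value: str) -> Hop:
    """One Received: value -> Hop; qmail's '(... invoked by uid N)' form has no 'from'."""
    clause, _, date = value.rpartition(";")
    try:
        when = parsedate_to_datetime(date.strip())
        if when.tzinfo is None:  # parsedate_to_datetime returns a naive value for "-0000"
            when = when.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        when = None
    m = FROM_RE.match(clause.strip())
    if not m:
        return Hop(None, None, None, when)
    ip, helo, by = IP_RE.search(clause), HELO_RE.search(clause), BY_RE.search(clause)
    name = helo.group(1) if helo else (None if IP_RE.fullmatch(m.group(1)) else m.group(1))
    return Hop(name, ip.group(0) if ip else None, by.group(1) if by else None, when)

def received_hops(raw: str) -> List[Hop]:
    """Header order: hops[0] is the newest (your provider's), hops[-1] the oldest claim."""
    return [parse_hop(v) for v in message_from_string(raw).get_all("Received", [])]

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def trusted_prefix(hops: List[Hop], skew: timedelta = timedelta(minutes=10)) -> Tuple[int, List[str]]:
    """Hops believable from the top, and why the walk stopped: hop i+1 is kept if its "by" host is
    the one hop i says handed the message on (or that cannot be checked) and its clock is not ahead."""
    notes: List[str] = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if newer.from_name and older.by and newer.from_name.lower() != older.by.lower():
            notes.append(f"hop {i + 1}: written by {older.by}, but hop {i} received from {newer.from_name}")
        if newer.when and older.when and older.when - newer.when > skew:
            notes.append(f"hop {i + 1}: dated {older.when - newer.when} after the hop that received it")
        if notes:
            return i + 1, notes
    return len(hops), notes

def naive_origin(hops: List[Hop]) -> Optional[str]:
    """What 'read the bottommost Received: line' gives you; a forger controls that line."""
    return hops[-1].from_ip if hops else None

def traceable_origin(hops: List[Hop]) -> Optional[str]:
    """Deepest trusted hop with a routable 'from' IP; private hops fall through to the public one above."""
    n, _ = trusted_prefix(hops)
    for hop in reversed(hops[:n]):
        if hop.from_ip and not is_internal(hop.from_ip):
            return hop.from_ip
    return None

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("forged", FORGED)):
        hops = received_hops(raw)
        print(label, trusted_prefix(hops), naive_origin(hops), traceable_origin(hops))
```

Run directly it prints both verdicts: for SPAM all six hops hold together and the answer is 190.74.20.34, the same line post #3 pointed at; for FORGED the bottom line fails both checks, so the 198.51.100.9 it advertises is discarded and, because the last trusted hop came from 192.168.1.20, the first public address above it (203.0.113.7, the sender's own MTA) is what remains to look up. The hostname check is deliberately lenient: a hop that only gives an IP literal cannot be matched by name offline and is left standing rather than flagged.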

  12. #12
    Retired Companion
    Join Date
    Jan 2009
    Posts
    71
    Thanks for all of the replies.

    Carey

  13. #13
    Verified Hobbyist BCD blowpop's Avatar
    Join Date
    Jan 2009
    Location
    Houston
    Posts
    159
    QUOTE (Dee Licious @ Mar 15 2009, 09:56 AM)
    > To make sure it's you and not the stalker trying to out us pretending to be you.
    An IP address doesn't do much to establish this.

    A better solution: If the guy is a member of a hobby board, have him PM you with his board account for the initial contact - then take it to e-mail. Unless his hobby board account has been compromised, you have a good idea that he&#39;s who he claims to be.
    The big difference between sex for money and sex for free is that sex for money usually costs a lot less. -- Brendan Behan
    There is need of variety in sex, but not in love. -- Theodore Reik
    I believe that sex is one of the most beautiful, natural, wholesome things that money can buy. -- Steve Martin
