Finding out original source of e-mail

Alex Zbyslaw xfb52 at dial.pipex.com
Wed May 18 10:31:26 PDT 2005


jonvalverde at aol.com wrote:

> 
>OK....this might not be the right place to ask this question.  But, I'm trying to find the true source of this e-mail.....is it possible to do this?
>  
>
>Received: from JonValverde at aol.com
>    by imo-d23.mx.aol.com (mail_out_v38_r1.7.) id t.144.45734b7c (16109)
>     for <Ashlee at wyomingcda.com>; Tue, 17 May 2005 15:29:57 -0400 (EDT)
>Return-Path: <jonvalverde at aol.com>
>Received: from  FWM-D38 (fwm-d38.webmail.aol.com [205.188.162.14]) by 
>air-id12.mx.aol.com (vx) with ESMTP id MAILINID121-3eed428a4635111; Tue, 17 May 
>2005 15:29:57 -0400
>  
>
>Date: Tue, 17 May 2005 15:29:57 -0400
>Message-Id: <8C7292DF1ACA2ED-B0C-44CA8 at FWM-D38.sysops.aol.com>
>From: jonvalverde at aol.com
>References: <3320552738.123535 at vega-club.rousse.spnet.net>
>Received: from 204.214.222.51 by FWM-D38.sysops.aol.com (205.188.162.14) with 
>HTTP (WebMailUI); Tue, 17 May 2005 15:29:57 -0400
>
>X-Mailer: AOL WebMail 1.0.0.12281
>


This bit at the bottom is the transcript of the original email.  Most 
bounce messages include it, some do not.  There are too few hours in the 
day to shoot all the postmasters responsible for bounce messages which do 
not contain these original headers, but you are lucky and have them.

The lines you care about are the "Received:" lines, and you have to read 
them backwards.  That is, the line nearest the bottom is the first step 
in the mail delivery, and the top line is the last step in the delivery.

Looking at the first received line shows that FWM-D38.sysops.aol.com 
received the email from  204.214.222.51.  Usually you would expect to 
see a name associated with that address, but in this case there isn't.  
Trying

# host -a 204.214.222.51
rcode = 3 (Non-existent domain), ancount=0
Host not found.

shows that there is no reverse lookup info for this host.  Most probably an 
AOL host given that it was sent using an AOL Webmail interface.

My advice?  Forget about it and throw it in the bin where it belongs.  
I've had half a dozen minimum this week.  Some spammer is pretending to 
be you.  The HTTP (WebMailUI) delivery method seems unusual; normally 
you would expect some zombie machine to be sending these with SMTP.  But 
then again, I pay so little attention to these things these days that 
maybe this is not so unusual.

--Alex


PS  See http://www.faqs.org/rfcs/rfc822.html
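The bottom-up reading of the Received: lines described above, as an added example that is not part of the original thread or the FreeBSD project: it walks the hops from the sender's side to the final server, pulls out the claimed source address of each hop, and does the same reverse lookup Alex ran with `host -a`. The sample headers are constructed from the ones quoted in the thread, and `trace_hops`, `reverse_name` and the regexes are this example's own names.

```python
import re
import socket
from email import message_from_bytes

# Constructed sample: the bounced message's headers as quoted above, with the
# archive's " at " restored to "@" and the header folding restored.
RAW_MESSAGE = b"""Received: from JonValverde@aol.com
    by imo-d23.mx.aol.com (mail_out_v38_r1.7.) id t.144.45734b7c (16109)
     for <Ashlee@wyomingcda.com>; Tue, 17 May 2005 15:29:57 -0400 (EDT)
Received: from  FWM-D38 (fwm-d38.webmail.aol.com [205.188.162.14]) by
 air-id12.mx.aol.com (vx) with ESMTP id MAILINID121-3eed428a4635111; Tue, 17 May
 2005 15:29:57 -0400
From: jonvalverde@aol.com
Received: from 204.214.222.51 by FWM-D38.sysops.aol.com (205.188.162.14) with
 HTTP (WebMailUI); Tue, 17 May 2005 15:29:57 -0400
X-Mailer: AOL WebMail 1.0.0.12281
"""

# Picks "from X (info) by Y ... with Z" out of one unfolded Received: clause.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<with>[A-Za-z]+(?:\s+\([^)]*\))?))?"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def trace_hops(raw):
    """Received: hops in delivery order: index 0 is the bottom-most header (the
    first hop), the last entry is the final receiving server.  Only the lines
    stamped by servers you trust are reliable; the sender can forge the rest."""
    msg = message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        hop = {"raw": value, "from": None, "from_info": None,
               "by": None, "with": None, "ip": None}
        if m:
            hop.update(m.groupdict())
            ip = IP_RE.search(f"{m.group('from')} {m.group('from_info') or ''}")
            hop["ip"] = ip.group(1) if ip else None
        hops.append(hop)
    return hops


def reverse_name(ip, lookup=socket.gethostbyaddr):
    """PTR name for a hop address, or None when there is no reverse record."""
    try:
        return lookup(ip)[0]
    except OSError:  # socket.herror / gaierror: the "Host not found" case
        return None
```

`reverse_name` takes the lookup function as a parameter so the parsing can be exercised offline; the only hop worth trusting in a bounce like this is the one stamped by the server you control.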


