Finding out original source of e-mail
Alex Zbyslaw
xfb52 at dial.pipex.com
Wed May 18 10:31:26 PDT 2005
jonvalverde at aol.com wrote:
>
>OK....this might not be the right place to aqsk this questions. But, I'm trying to find the true souce of this e-mail.....is it possible to do this?
>
>
>Received: from JonValverde at aol.com
> by imo-d23.mx.aol.com (mail_out_v38_r1.7.) id t.144.45734b7c (16109)
> for <Ashlee at wyomingcda.com>; Tue, 17 May 2005 15:29:57 -0400 (EDT)
>Return-Path: <jonvalverde at aol.com>
>Received: from FWM-D38 (fwm-d38.webmail.aol.com [205.188.162.14]) by
>air-id12.mx.aol.com (vx) with ESMTP id MAILINID121-3eed428a4635111; Tue, 17 May
>2005 15:29:57 -0400
>
>
>Date: Tue, 17 May 2005 15:29:57 -0400
>Message-Id: <8C7292DF1ACA2ED-B0C-44CA8 at FWM-D38.sysops.aol.com>
>From: jonvalverde at aol.com
>References: <3320552738.123535 at vega-club.rousse.spnet.net>
>Received: from 204.214.222.51 by FWM-D38.sysops.aol.com (205.188.162.14) with
>HTTP (WebMailUI); Tue, 17 May 2005 15:29:57 -0400
>
>X-Mailer: AOL WebMail 1.0.0.12281
>
This bit at the bottom is the transcript of the original email. Most
bounce messages include it, some do not. There are too few hours in the
day to shoot all the postmasters responsible for bounce message which do
not contain these original headers, but you are lucky and have them.
The lines you care about are the "Received:" lines, and you have to read
them backwards. That is, the line nearest the bottom is the first step
in the mail delivery, and the top line is the last step in the delivery.
Looking at the first received line shows that FWM-D38.sysops.aol.com
received the email from 204.214.222.51. Usually you would expect to
see a name associated with that address, but in this case there isn't.
Trying
# host -a 204.214.222.51
rcode = 3 (Non-existent domain), ancount=0
Host not found.
shows that there no reverse lookup info for this host. Most probably an
AOL host given that it was sent using an AOL Webmail interface.
My advice? Forget about it and throw it in the bin where it belongs.
I've had half a dozen minimum this week. Some spammer is pretending to
be you. The HTTP (WebMailUI) delivery method seems unusual; normally
you would expect some zombie machine to be sending these with SMTP. But
then again, I pay so little attention to these things these days that
maybe this is not so unusual.
--Alex
PS See http://www.faqs.org/rfcs/rfc822.html
More information about the freebsd-questions
mailing list