EmailDiscussions.com  
Old 19 Nov 2016, 06:36 AM   #1
pikov
Junior Member
 
Join Date: Aug 2014
Posts: 15
Parsing Email Headers

I have a spoofed email and I am trying to determine who the actual sender is from looking at the header.

At the top, I see

Return-Path: <community-4sam+bncBDS2HWPRXQMRBQXNVDAQKGQEJ7YYUHI@googlegroups.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1C6pucBO3Nl36y0; Mon, 14 Nov 2016 17:12:20 -0500 (EST)
Received: from mail-pa0-f58.google.com ([209.85.220.58])
by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1C6pua7aI3Nl3pK0
for <XYZZY@mindspring.com>; Mon, 14 Nov 2016 17:12:18 -0500 (EST)
Received: by mail-pa0-f58.google.com with SMTP id yw6sf14842091pac.0
for <XYZZY@mindspring.com>; Mon, 14 Nov 2016 14:12:18 -0800 (PST)

XYZZY@mindspring.com does not appear anywhere else in the headers or body. Could he be the actual sender?

Thanks.

Old 19 Nov 2016, 10:04 AM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,916
First I need to point out that in some cases portions of email headers can be spoofed. You read email headers starting at the bottom. So from the portion you show it appears that this happened:
  • We can't see the critical header which shows the original sender SMTP message submission. So I have no idea of the source. It's lower down in the original headers. It might have been directly sent to a Google server, or forwarded to that server.
  • The message ended up at a Google server (mail-pa0-f58.google.com) with a To address of "XYZZY@mindspring.com".
  • The Google server (mail-pa0-f58.google.com) then relayed (forwarded) the message to an Earthlink server (gideon.mail.atl.earthlink.net). The message still had a To address of "XYZZY@mindspring.com". Mindspring and Earthlink are the same company.
  • That Earthlink server (gideon.mail.atl.earthlink.net) transferred the message to a different Earthlink server (mdl-raibs.atl.sa.earthlink.net) which was evidently the destination mailbox server.
  • The envelope-from address (address to which delivery problems are returned) is a Google Groups community address. This address is normally not shown to the end user, and is often different from the From address shown during delivery.
So it appears (unless spoofed) that a Google Groups community message was sent to "XYZZY@mindspring.com" and delivered to that address. But the critical headers which might show how the message got to Google Groups were lower down in the headers.

Bill
Old 19 Nov 2016, 10:08 AM   #3
pikov
Junior Member
 
Join Date: Aug 2014
Posts: 15
This appeared on the community-4sam mailing list as being sent from Rap Reinhardt who insisted that he didn't send it.


Source Info:

Return-Path: <community-4sam+bncBDS2HWPRXQMRBQXNVDAQKGQEJ7YYUHI@googlegroups.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1C6pucBO3Nl36y0; Mon, 14 Nov 2016 17:12:20 -0500 (EST)
Received: from mail-pa0-f58.google.com ([209.85.220.58])
by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1C6pua7aI3Nl3pK0
for <XYZZY@mindspring.com>; Mon, 14 Nov 2016 17:12:18 -0500 (EST)
Received: by mail-pa0-f58.google.com with SMTP id yw6sf14842091pac.0
for <XYZZY@mindspring.com>; Mon, 14 Nov 2016 14:12:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20120806;
h=sender:from:to:references:in-reply-to:subject:date:message-id
:mime-version:thread-index:content-language:x-original-sender
:x-original-authentication-results:reply-to:precedence:mailing-list
:list-id:x-spam-checked-in-group:list-post:list-help:list-archive
:list-unsubscribe;
bh=1ssvWk7WNATNb/RUuHVkjz54DC0t/aZCTCEWgxgwS00=;
b=zZH06AI9DO8DmyDqXhjUmd8leq900CaYf2DmSDQLF8kS4zBzGg3MTeN2tg3o6wAr2P
8lg76yxR4qalHtBt54ZYiEUP9wm5Q8rjBJO5H7tgG6vhjh0qNaAu+XL7G8zKPSisetg0
4FblvtpjCp2KQ8coPL2nrlN8AHAwHPda4IhksfX01UM9pLmtV94DSWthNoCx5FFzZmyk
/qFquGtQjrRUSoQlOXK8YwV5+bHKZ4XzduUqOzwxD5zKbIKk1rUcTQI/8JW93n+hPbQG
09E7Y9I7y+tHjcB79tXwKOqcok7zBy/B2+eAryodWDlcQ3sqz7N/lAkCndQWyEAMTerI
QhGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=sender:x-gm-message-state:from:to:references:in-reply-to:subject
:date:message-id:mime-version:thread-index:content-language
:x-original-sender:x-original-authentication-results:reply-to
:precedence:mailing-list:list-id:x-spam-checked-in-group:list-post
:list-help:list-archive:list-unsubscribe;
bh=1ssvWk7WNATNb/RUuHVkjz54DC0t/aZCTCEWgxgwS00=;
b=WYySKjw0fapby7juKWdpi9RPx3vGidSaUAad9nAe+6l5i+Pfm/sK++7UMdXN5ecMsR
336arzdy2lwCBLFejjJDLPVAj2PNX/FTchcE4Df/RozgI7XUGdUZziMzycyl3NolEwLc
2VVi8qwG5dSqiJ2FAYo01AP1mDPL3zYH05YJJ1Iqbh21KSVW5iRreeZOqpkJa34UM51F
viNtLHZ0f21RT54dZjSrgDeyHruCb/yh8puRdiS5GD4c/aCXO6c+oiZD6G2dG3sGjRPE
/zknf1/+xa577JR50IKgxefKSuaDg1lOu6wOjxSCejWk715u8bjwGradVVHp5Gd2HZue
7W4Q==
Sender: community-4sam@googlegroups.com
X-Gm-Message-State: ABUngve+BNSze2PIO9MgZezFHUkNsGCY3KzvSvZ9STAPB4l5HwC4qXIBOebOb804AmS/0A==
X-Received: by 10.157.48.39 with SMTP id d36mr1251858otc.1.1479161538289;
Mon, 14 Nov 2016 14:12:18 -0800 (PST)
X-BeenThere: community-4sam@googlegroups.com
Received: by 10.157.34.166 with SMTP id y35ls8678397ota.49.gmail; Mon, 14 Nov
2016 14:12:17 -0800 (PST)
X-Received: by 10.157.13.116 with SMTP id 107mr7402322oti.31.1479161537927;
Mon, 14 Nov 2016 14:12:17 -0800 (PST)
Received: from resqmta-po-02v.sys.comcast.net (resqmta-po-02v.sys.comcast.net. [2001:558:fe16:19:96:114:154:161])
by gmr-mx.google.com with ESMTPS id c68si55298ith.1.2016.11.14.14.12.17
for <community-4sam@googlegroups.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 14 Nov 2016 14:12:17 -0800 (PST)
Received-SPF: pass (google.com: domain of reinhardt.rp@comcast.net designates 2001:558:fe16:19:96:114:154:161 as permitted sender) client-ip=2001:558:fe16:19:96:114:154:161;
Received: from resomta-po-05v.sys.comcast.net ([96.114.154.229])
by resqmta-po-02v.sys.comcast.net with SMTP
id 6PU4cLOBm1zBd6PU9cjXRR; Mon, 14 Nov 2016 22:12:17 +0000
Received: from OwnerPC ([IPv6:2601:80:8501:2fac:f8f3:c20a:1021:c197])
by resomta-po-05v.sys.comcast.net with SMTP
id 6PU7cr9IHeZDE6PU8cgxUC; Mon, 14 Nov 2016 22:12:17 +0000
From: "Rap and Phyllis Reinhardt" <reinhardt.rp@comcast.net>
To: "4 Seasons at Mapleton" <community-4sam@googlegroups.com>
References: <1586404f94d-717-4096@webprd-m63.mail.aol.com> <15864a0ced2-53b-cc31@webprd-a18.mail.aol.com>
In-Reply-To: <15864a0ced2-53b-cc31@webprd-a18.mail.aol.com>
Subject: [Community-4SAM:10451] FW: The Difference
Date: Mon, 14 Nov 2016 17:12:18 -0500
Message-ID: <037201d23ec4$2ac1ecf0$8045c6d0$@comcast.net>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0373_01D23E9A.41EE07D0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQDqGoZmDKprcWsKwTW1yaoMNuaPD6KpUncw
Content-Language: en-us
X-CMAE-Envelope: MS4wfJpW7IKRbz9L7Jey9WXp0cid2L6HqCzqLD5Bv/GdtxmULwvX0ifPA+Dh/OoI2S+FdfxR6VJN/Jv9xw/XxsFhIUnpUYNYhL01LW2XJcCUreyQHibgxXAL
9+ldGL6JxwyBFojH7l2qvDPMJU8lAvFWqN7FXUluHnrj34Xgs5piqGQ+wpUiMvcY7xx58ubDs9Gd1I0RDswhjBNL4Bgfo3pHALbXhCgWgwEgcxwENiVZZrmn
3WdnhjQbQF29P9KehkpuU9AcDpj93URHfMZ55mKZDNytGwb1tQLZiwRQHUs9UjHq73ll0ZPrtwx61Fc5m6xTwkCXL0f+lLsYmZnnoBLoKLlOdrnMFnWUqO8E
QpUPtbmVQAmlmVK6HrwdY9FZi6Mws7xJOQ7/aBPqDqBUMaXTXLPsfPBOALxROBa9phjP4ke9
X-Original-Sender: reinhardt.rp@comcast.net
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@comcast.net; spf=pass (google.com: domain of
reinhardt.rp@comcast.net designates 2001:558:fe16:19:96:114:154:161 as
permitted sender) smtp.mailfrom=reinhardt.rp@comcast.net; dmarc=pass
(p=NONE dis=NONE) header.from=comcast.net
Reply-To: reinhardt.rp@comcast.net
Precedence: list
Mailing-list: list community-4sam@googlegroups.com; contact community-4sam+owners@googlegroups.com
List-ID: <community-4sam.googlegroups.com>
X-Spam-Checked-In-Group: community-4sam@googlegroups.com
X-Google-Group-Id: 468577325155
List-Post: <https://groups.google.com/group/community-4sam/post>, <mailto:community-4sam@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:community-4sam+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/community-4sam
List-Unsubscribe: <mailto:googlegroups-manage+468577325155+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/community-4sam/subscribe>
X-ELNK-Received-Info: spv=0;
X-Authentication-Results: dkim="pass"; (0:no or failed dkim processing); dmarc="none"; (1); dwl="miss"; den="not exempt"
X-ELNK-AV: 0
X-ELNK-Info: sbv=1; sbrc=-0; sbf=cb; sbw=000;
Old 19 Nov 2016, 10:10 AM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,916
You should edit your previous post and munge (change) the email addresses to protect innocent persons. Those headers (if not spoofed during some relay) indicate that the message was sent from a Comcast user in New Jersey with the indicated Comcast email address. It looks like the message passed both DKIM and SPF authentication tests when received at Google. See the header starting with:
Code:
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@comcast.net; spf=pass
So that message appears to be sent by a Comcast user who used the indicated email address, but of course there is no way to verify that a certain person actually created the message.

Bill

Last edited by n5bb : 19 Nov 2016 at 10:25 AM.
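To make Bill's bottom-up reading of the Received chain and the authentication verdicts concrete, here is an added example (not from the thread or from any of the posters) that walks the headers posted above with Python's standard email module. The header excerpt is copied from the post, trimmed to the hops used, with continuation lines indented as a mail client stores them; the "from" host names in the result are what each peer claimed, which is exactly the part that can be spoofed.

```python
import email
import email.utils
import re
# Headers as posted in the thread above, trimmed to the hops and fields used here.
RAW_HEADERS = """\
Return-Path: <community-4sam+bncBDS2HWPRXQMRBQXNVDAQKGQEJ7YYUHI@googlegroups.com>
Received: from mail-pa0-f58.google.com ([209.85.220.58])
 by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1C6pua7aI3Nl3pK0
 for <XYZZY@mindspring.com>; Mon, 14 Nov 2016 17:12:18 -0500 (EST)
Received: by mail-pa0-f58.google.com with SMTP id yw6sf14842091pac.0 for <XYZZY@mindspring.com>; Mon, 14 Nov 2016 14:12:18 -0800 (PST)
Received: from resqmta-po-02v.sys.comcast.net (resqmta-po-02v.sys.comcast.net. [2001:558:fe16:19:96:114:154:161])
 by gmr-mx.google.com with ESMTPS id c68si55298ith.1.2016.11.14.14.12.17
 for <community-4sam@googlegroups.com>; Mon, 14 Nov 2016 14:12:17 -0800 (PST)
Received: from OwnerPC ([IPv6:2601:80:8501:2fac:f8f3:c20a:1021:c197])
 by resomta-po-05v.sys.comcast.net with SMTP
 id 6PU7cr9IHeZDE6PU8cgxUC; Mon, 14 Nov 2016 22:12:17 +0000
From: "Rap and Phyllis Reinhardt" <reinhardt.rp@comcast.net>
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
 header.i=@comcast.net; spf=pass (google.com: domain of
 reinhardt.rp@comcast.net designates 2001:558:fe16:19:96:114:154:161 as
 permitted sender) smtp.mailfrom=reinhardt.rp@comcast.net; dmarc=pass
 (p=NONE dis=NONE) header.from=comcast.net
"""

# "from <host> ... by <host>"; the "from" clause is absent on local submissions.
HOP_RE = re.compile(r"(?:from\s+(?P<from>\S+))?.*?\bby\s+(?P<by>\S+)")
AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")

def relay_chain(raw):
    # Each relay prepends its own Received line, so bottom-up is oldest-first. Only
    # the "by" host is vouched for by the server that wrote the line; "from" is peer-claimed.
    msg = email.message_from_string(raw)
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(rcvd.split()))
        hops.append((m.group("from") or "(local submission)", m.group("by")))
    return hops

def auth_results(raw):
    # Verdicts the first receiver (gmr-mx.google.com) recorded, per method.
    hdr = email.message_from_string(raw)["X-Original-Authentication-Results"]
    return dict(AUTH_RE.findall(" ".join(hdr.split())))

def envelope_vs_header_domain(raw):
    # Bounce (Return-Path) domain beside the displayed From domain; on list mail they differ.
    msg = email.message_from_string(raw)
    bounce = email.utils.parseaddr(msg["Return-Path"])[1]
    shown = email.utils.parseaddr(msg["From"])[1]
    return bounce.rsplit("@", 1)[1], shown.rsplit("@", 1)[1]
```

The first hop returned is the OwnerPC submission to Comcast that Bill points to as the real origin; everything above it in the posted headers is relaying.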
Old 19 Nov 2016, 10:45 AM   #5
pikov
Junior Member
 
Join Date: Aug 2014
Posts: 15
Quote:
Originally Posted by n5bb
So that message appears to be sent by a Comcast user who used the indicated email address, but of course there is no way to verify that a certain person actually created the message.

Bill
Oh.

Thanks.
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy