  1. #1 (New Lounger)

    Detective work needed with email headers.

    I need help in determining if two emails were sent by the same person using different Yahoo email accounts. I have the headers from both emails.
    To protect privacy, I have changed the plain text email and individual names. In the emails, bob.xxxxxxx@gmail.com is the recipient of both emails,
    and the sender of header one is yyyyyyy@yahoo.cn and the sender of header two is zzzzzzz12@yahoo.cn.
    What I THINK I have determined is that both came from the same IP of 112.246.217.52, which I think is either the sender's home
    IP or that of something like an internet café.
    Can anyone out there shed some more light on these two emails? I think both emails may be from the same person, and
    could be leading up to a scam of some sort. I am trying to save a friend from a lot of long-term grief.
    Thanks


    HEADER ONE:

    Delivered-To: bob.xxxxxxx@gmail.com
    Received: by 10.49.94.78 with SMTP id da14csp65396qeb;
            Sun, 10 Feb 2013 20:54:58 -0800 (PST)
    X-Received: by 10.68.200.230 with SMTP id jv6mr15580365pbc.137.1360558498255;
            Sun, 10 Feb 2013 20:54:58 -0800 (PST)
    Return-Path: <yyyyyy@yahoo.cn>
    Received: from nm9-vm5.bullet.mail.tp2.yahoo.com (nm9-vm5.bullet.mail.tp2.yahoo.com. [203.188.200.191])
            by mx.google.com with ESMTPS id w6si8547290pax.330.2013.02.10.20.54.57
            (version=TLSv1 cipher=RC4-SHA bits=128/128);
            Sun, 10 Feb 2013 20:54:58 -0800 (PST)
    Received-SPF: neutral (google.com: 203.188.200.191 is neither permitted nor denied by best guess record for domain of yyyyyyy@yahoo.cn) client-ip=203.188.200.191;
    Authentication-Results: mx.google.com;
           spf=neutral (google.com: 203.188.200.191 is neither permitted nor denied by best guess record for domain of yyyyyy@yahoo.cn) smtp.mail=yyyyyy@yahoo.cn;
           dkim=pass header.i=@yahoo.cn
    Received: from [203.188.200.143] by nm9.bullet.mail.tp2.yahoo.com with NNFMP; 11 Feb 2013 04:54:56 -0000
    Received: from [119.42.242.52] by tm5.bullet.mail.tp2.yahoo.com with NNFMP; 11 Feb 2013 04:54:55 -0000
    Received: from [127.0.0.1] by omp1001.mail.cnh.yahoo.com with NNFMP; 11 Feb 2013 04:54:55 -0000
    X-Yahoo-Newman-Property: ymail-3
    X-Yahoo-Newman-Id: 744818.12351.bm@omp1001.mail.cnh.yahoo.com
    Received: (qmail 40890 invoked by uid 60001); 11 Feb 2013 04:54:55 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.cn; s=s1024; t=1360558495; bh=GFPMLOVTg52DZYkrNJBXQwaiVJTSJ1VbHCKSmqOxdrQ=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=bSE5xqsZRGl/7iJwcM1fX/u3HLP4XrvnKxtfKJuMt7QWD95ECN9QGkOnjVhaHmlAz0ZZxRuMERmc2DvpP3o8xtcu1hntrL7+uDapdiHJQg5ku0wgyCieBtSJJHe+as9+LCuMq71uixLKq7v4varT7eIairRFzrC9dgBXmf97/dM=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
      s=s1024; d=yahoo.cn;
      h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type;
      b=EegBHIpdpEyPWBwd4O3qMzx+8/3+gkIz8fp3S2rxy+vQKpaAb3al9PBhFl7wCWAIQYug87okp6ApOEb2cxJ3FFY+NLXKA+KhVFozgMlbtikm4l+996X1fosWx5cMBqg4VS4plQrqcwOhIGL2RU9IdFzf8TV6ALsOoO3wssLgz2s=;
    X-YMail-OSG: 3faASrgVM1kmD6jmDdNwSLOw9XPggk2d.myZHygSwlJ7vrL
     ywDJFXLRksFni__zT1fqU_a4kGkkWy3CgkdJLqMMeiw_hl4JAlHgOgQNYADn
     o17eM6NQtbXgfmwtbszCWAeFK5HGoenhhpnWgcGGpXkrPghv6kNzctOnxH0Z
     kn8ISV6kvRqLDG7N1QVDMZithHPiFI60uDJa2J_8ydfwEWDeu7SEVYVqqB0X
     S39EVzhlDV.Y0a63IDBjgKpf9S4F7p_wjJjBXOQOYv9EcTM.VhfEZVxOm2Eu
     20yEVPpcSx.xZ4hG8B3DL3ObTOo.T9lTnvUDMoJfZjaPZxCXfSgDdPGLmcf4
     8RdXdNZydpBPnmM8ZiOqzcaaf
    Received: from [112.246.217.52] by web92402.mail.cnh.yahoo.com via HTTP; Mon, 11 Feb 2013 12:54:55 CST
    X-Rocket-MIMEInfo: 001.001,aGVsbG8gwqBkZWEgciByb2IKwqB0aGFua3MgZm9yIHlvciB3YXJtIHNpbmNldmVyIG1lc3NhZ2UgM3RoIGZlYiBpIHNlbmQgeW91IGVtYWlsIMKgeW91IG5vdCBoYXZlIHRvIGdldCB0aGVtID8KwqB5ZXMgaGVyZSBuZXcgeXJzIMKgaSDCoGhvcGUgeW91IGhlcmUgd2l0aCBtZSBzaGFyZSBoYXBweSBuZXcgeXJzwqAKaSDCoHN1cmUgd2Ugd2lsbCBzaGFyZSBuY2llIGhhcHB5IHZhY2F0aW4gb2sgeWVzIHlvdSBhbHdheXMgaW4gbXkgbWluZCBpbiBteSDCoGhlYXJ0CsKgaW4gbXkgZHJlYW0gaSBob3BlIG15IGQBMAEBAQE-
    X-Mailer: YahooMailWebService/0.8.132.503
    References: <CAG0EKvmhpO_zO27D-BDyA1Ur4DXutnPQmt6c30vYX-uPCoO7Lw@mail.gmail.com>
    Message-ID: <1360558495.22666.YahooMailNeo@web92402.mail.cnh.yahoo.com>
    Date: Mon, 11 Feb 2013 12:54:55 +0800 (CST)
    From: Yyyyy Yyy <yyyyyyy@yahoo.cn>
    Reply-To: Yyyyy Yyy <yyyyyy@yahoo.cn>
    Subject: =?utf-8?B?5Zue5aSN77yaIEhlbGxvIGFnYWlu?=
    To: Robert Xxxxxx <bob.xxxxxx@gmail.com>
    In-Reply-To: <CAG0EKvmhpO_zO27D-BDyA1Ur4DXutnPQmt6c30vYX-uPCoO7Lw@mail.gmail.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="373869220-829038882-1360558495=:22666"
    
    --373869220-829038882-1360558495=:22666
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable


    HEADER TWO:

    Delivered-To: bob.xxxxxx@gmail.com
    Received: by 10.49.94.78 with SMTP id da14csp67317qeb;
            Sun, 10 Feb 2013 22:14:16 -0800 (PST)
    X-Received: by 10.66.82.67 with SMTP id g3mr38528605pay.58.1360563255807;
            Sun, 10 Feb 2013 22:14:15 -0800 (PST)
    Return-Path: <zzzzzzz12@yahoo.com.cn>
    Received: from nm16-vm8.bullet.mail.sg3.yahoo.com (nm16-vm8.bullet.mail.sg3.yahoo.com. [106.10.149.71])
            by mx.google.com with ESMTPS id l7si17520461paz.9.2013.02.10.22.14.14
            (version=TLSv1 cipher=RC4-SHA bits=128/128);
            Sun, 10 Feb 2013 22:14:15 -0800 (PST)
    Received-SPF: neutral (google.com: 106.10.149.71 is neither permitted nor denied by best guess record for domain of zzzzzzzz12@yahoo.com.cn) client-ip=106.10.149.71;
    Authentication-Results: mx.google.com;
           spf=neutral (google.com: 106.10.149.71 is neither permitted nor denied by best guess record for domain of zzzzzzz12@yahoo.com.cn) smtp.mail=zzzzzzz12@yahoo.com.cn;
           dkim=pass header.i=@yahoo.com.cn
    Received: from [106.10.166.120] by nm16.bullet.mail.sg3.yahoo.com with NNFMP; 11 Feb 2013 06:14:12 -0000
    Received: from [106.10.151.234] by tm9.bullet.mail.sg3.yahoo.com with NNFMP; 11 Feb 2013 06:14:12 -0000
    Received: from [127.0.0.1] by omp1018.mail.sg3.yahoo.com with NNFMP; 11 Feb 2013 06:14:12 -0000
    X-Yahoo-Newman-Property: ymail-3
    X-Yahoo-Newman-Id: 883197.53944.bm@omp1018.mail.sg3.yahoo.com
    Received: (qmail 64756 invoked by uid 60001); 11 Feb 2013 06:14:12 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.cn; s=s1024; t=1360563251; bh=1bDqKGYHmCPKD6QrSrtMnidWHoTmAKMcRmeQdWNMzt0=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=LYtkmHXPtZsXgw6KQ+6PDRw30S1+BdU4IozM3oNajZxG6+c4VfL3L8cJ2/qHjTWMubleiwhwupfzjreiWiP3P03Ma3EFrQRfU+lDoUNcVMk3SCbHM7t8GiXtCvFPWN8j4HMUYgvlv7dZpI7AFAXKFvgfJu4netBvTH5DW5EJD4M=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
      s=s1024; d=yahoo.com.cn;
      h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type;
      b=FGSxJQeb07PAIqGWmaVU9qACzL37lyX392RRagm49yh6P4GrLm6654EbjKp3654KSMhEerzqRptnHyd8wGCW/1XxUcPl6VLOT06aftW0vhT9BCG5exb4btk/1SVg/rlt/2LFObgiFpTcRWj0I6Qw9xu4VVG8Xf94xJdW/80f4Jk=;
    X-YMail-OSG: DcbQTewVM1nn4LkJ.nKPD1ki5HJaR522FANBjJQUX8RTNMG
     ZXdLhNS3Im.P_DR3K3tXbDIm5GYxEPpi2_7QkWMszl4LUJ4kKCoiPfVCpet7
     8QDAXhcqVr1xfZRnUrF2LxRGcyvfY9F4hQ5KeJNDB.EMgO0qvezWIseBkwyq
     .9NasguTZCsA_sCra0_AhPkD9CLjS66Yzz.CYJ7OkF3AMgO4rVrXtlusFfO8
     VxuDUQ6z88b4kaAzAtMgGHECcIYp5e0cabaFSbC8zmPDmDM8.3fsAaRAsaOw
     QDz6u8vTgvYfrD5hvUxqMLebccJ1Hn.PDp69fodiIPwr1.tB_2SUnT34fnVJ
     Tfroyv.DRlbpt5bogruRp9XShh1s28FEqgLSZQG7fDiE7V9GNFDfTx_6OBoj
     qte0U
    Received: from [112.246.217.52] by web15703.mail.cnb.yahoo.com via HTTP; Mon, 11 Feb 2013 14:14:11 CST
    X-Rocket-MIMEInfo: 001.001,aGVsbG8gZGVhciByb2JlcnTCoAp0aGFua3MgZm9yIHlvdXIgbWVzc2FnZSB5ZXMgaSBzZW5kIHlvdSBlbWFpbCB5b3Ugbm90IGhhdmUgdG8gZ2V0IHRoZW0gPwrCoHBscyBsZXQgaSBrbm93IG9rIHllcyBpIGhvcGUgeW91IGhhdmUgbmNpZSBkYXnCoApob3BlIHRvIGdldCB5b3VyIHJlcGx5CsKgc2luY2V2ZXJseSBodWHCoAoKCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCiDlj5Hku7bkurrvvJogUm9iZXJ0IENpcmVsbGkgPGJvYi5jaXJlbGxpQGdtYWlsLmNvbT4K5pS25Lu25Lq677yaIFBlaWgBMAEBAQE-
    X-Mailer: YahooMailWebService/0.8.132.503
    References: <CAG0EKvnLq6VX=bb4kEjrpzBCQ8ruUR9ALEaXVoyyD1j4v=kS0Q@mail.gmail.com>
    Message-ID: <1360563251.64660.YahooMailNeo@web15703.mail.cnb.yahoo.com>
    Date: Mon, 11 Feb 2013 14:14:11 +0800 (CST)
    From: Zzzzzz Zzzz <zzzzzz12@yahoo.com.cn>
    Reply-To: Zzzzzz Zzzz <zzzzzz12@yahoo.com.cn>
    Subject: =?utf-8?B?5Zue5aSN77yaIEhlbGxv?=
    To: Robert Xxxxx <xxxxxx@gmail.com>
    In-Reply-To: <CAG0EKvnLq6VX=bb4kEjrpzBCQ8ruUR9ALEaXVoyyD1j4v=kS0Q@mail.gmail.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="1263515812-509779858-1360563251=:64660"
    
    --1263515812-509779858-1360563251=:64660
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable

  2. #2 RussB (5 Star Lounger)
    Go here and paste your headers for a very good report.
    http://www.iptrackeronline.com/email...r-analysis.php

  3. #3 Roderunner (Gold Lounger)
    Quote Originally Posted by RussB:
    Go here and paste your headers for a very good report.
    http://www.iptrackeronline.com/email...r-analysis.php
    How do I find the header in WL Mail 2012?

  4. #4 jwitalka (Super Moderator)
    Quote Originally Posted by Roderunner:
    How do I find the header in WL Mail 2012?
    Right click on the email and select properties.

    Jerry

  5. #5 (WS Lounge VIP)
    My reading of those emails is they are from compromised machines in China, unless people are being paid to write spam on their computers.
    The server names match the IP addresses reported, e.g. "Received: from nm16-vm8.bullet.mail.sg3.yahoo.com (nm16-vm8.bullet.mail.sg3.yahoo.com. [106.10.149.71])". The only IP addresses that do not have matching names are the HTTP senders, and they are both in China.

    cheers, Paul

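The correlation the original poster is after, together with Paul's "names match the IPs" check, as a script. This is an added example, not code from the thread or from any tool linked in it; the function names and the abridged sample headers are my own construction, and it assumes (as both posted headers show) that Yahoo webmail records the browser's address in the "via HTTP" Received hop.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed samples: the two Yahoo headers above, abridged (redactions as in the thread).
HEADER_ONE = """\
Received: from nm9-vm5.bullet.mail.tp2.yahoo.com (nm9-vm5.bullet.mail.tp2.yahoo.com. [203.188.200.191])
        by mx.google.com with ESMTPS id w6si8547290pax.330.2013.02.10.20.54.57;
        Sun, 10 Feb 2013 20:54:58 -0800 (PST)
Received: from [127.0.0.1] by omp1001.mail.cnh.yahoo.com with NNFMP; 11 Feb 2013 04:54:55 -0000
Received: from [112.246.217.52] by web92402.mail.cnh.yahoo.com via HTTP; Mon, 11 Feb 2013 12:54:55 CST
X-Mailer: YahooMailWebService/0.8.132.503
Date: Mon, 11 Feb 2013 12:54:55 +0800 (CST)
"""
HEADER_TWO = """\
Received: from nm16-vm8.bullet.mail.sg3.yahoo.com (nm16-vm8.bullet.mail.sg3.yahoo.com. [106.10.149.71])
        by mx.google.com with ESMTPS id l7si17520461paz.9.2013.02.10.22.14.14;
        Sun, 10 Feb 2013 22:14:15 -0800 (PST)
Received: from [112.246.217.52] by web15703.mail.cnb.yahoo.com via HTTP; Mon, 11 Feb 2013 14:14:11 CST
X-Mailer: YahooMailWebService/0.8.132.503
Date: Mon, 11 Feb 2013 14:14:11 +0800 (CST)
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
MX_HOP = re.compile(r"from\s+(\S+)\s+\((\S+?)\.?\s+\[")  # "from HELO-name (rDNS-name. [ip])"

def originating_ip(raw):
    """Received: lines are newest-first, so the oldest 'via HTTP' hop is the
    webmail submission; its bracketed IP is the address the browser came from."""
    for hop in reversed(message_from_string(raw).get_all("Received", [])):
        if "via HTTP" in hop:
            m = IP_IN_BRACKETS.search(hop)
            return m.group(1) if m else None
    return None

def relay_name_matches(raw):
    """Paul's check, on the hop Google's MX recorded: announced name == reverse DNS name."""
    m = MX_HOP.search(message_from_string(raw).get_all("Received", [])[0])
    return bool(m) and m.group(1).lower() == m.group(2).lower()

def compare(raw_a, raw_b):
    """Correlate the signals the thread relies on for the two messages."""
    a, b = message_from_string(raw_a), message_from_string(raw_b)
    gap = parsedate_to_datetime(a["Date"]) - parsedate_to_datetime(b["Date"])
    return {
        "same_origin_ip": originating_ip(raw_a) == originating_ip(raw_b),
        "same_mailer": a["X-Mailer"] == b["X-Mailer"],
        "seconds_apart": int(abs(gap.total_seconds())),
        "relays_resolve_cleanly": relay_name_matches(raw_a) and relay_name_matches(raw_b),
    }
```

A match on public IP and client string 79 minutes apart is consistent with one person, but equally with two users behind the same NAT or internet café, so treat the result as a lead rather than proof.
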
  6. #6 Roderunner (Gold Lounger)
    Quote Originally Posted by jwitalka:
    Right click on the email and select properties.

    Jerry
    This is what it showed. What is the header?
    -
    Delivered-To:
    Received: by 10.58.69.8 with SMTP id a8csp130382veu;
    Tue, 12 Feb 2013 04:17:55 -0800 (PST)
    X-Received: by 10.194.103.163 with SMTP id fx3mr18481074wjb.58.1360671475086;
    Tue, 12 Feb 2013 04:17:55 -0800 (PST)
    Return-Path: <customercare.advisor@eu.panasonic.com>
    Received: from euedimxc012.emea.sykes.com (euedimxc012.emea.sykes.com. [195.254.180.104])
    by mx.google.com with ESMTPS id bn10si15481753wjb.150.2013.02.12.04.17.54
    (version=TLSv1 cipher=RC4-SHA bits=128/128);
    Tue, 12 Feb 2013 04:17:55 -0800 (PST)
    Received-SPF: softfail (google.com: domain of transitioning customercare.advisor@eu.panasonic.com does not designate 195.254.180.104 as permitted sender) client-ip=195.254.180.104;
    Authentication-Results: mx.google.com;
    spf=softfail (google.com: domain of transitioning customercare.advisor@eu.panasonic.com does not designate 195.254.180.104 as permitted sender) smtp.mail=customercare.advisor@eu.panasonic.com
    X-AuditID: 0a700868-b7fbd6d0000046dd-57-511a32f1d6fa
    Received: from eu.panasonic.com (Unknown_Domain [10.112.8.1])
    by euedimxc012.emea.sykes.com (Symantec Messaging Gateway) with SMTP id A4.5D.18141.1F23A115; Tue, 12 Feb 2013 12:17:53 +0000 (GMT)
    CaseID: [419118]
    From: "Panasonic Customer Service" <customercare.advisor@eu.panasonic.com>
    To:
    Message-ID: <8e67d914d4a94346acb55d70d0e16eaa@eu.panasonic.com >
    Date: Tue, 12 Feb 2013 12:17:53 +0000
    Subject: RE: Panasonic - HOME ENTERTAINMENT Enquiry [Case ID #: 419118]
    MIME-Version: 1.0
    Content-type: text/html; charset=utf-8
    Content-Transfer-Encoding: quoted-printable
    X-Antivirus: avast! (VPS 130212-0, 12/02/2013), Inbound message
    X-Antivirus-Status: Clean

  7. #7 (Administrator)
    @RR, the whole thing is generically "the header". See the results at "email header explained" for links to investigate for details.

    Joe

  8. #8 Roderunner (Gold Lounger)
    Thanks Joe
