[ale] Another Email question Reading Headers.

H. A. Story adrin at bellsouth.net
Sun Jun 25 15:18:19 EDT 2006


Stephen Cristol wrote:

>On Jun 24, 2006, at 3:24 PM, H. A. Story wrote:
>
>  
>
>>Looking at this header from an email I just got.
>>
>>Delivered-To: adrin at haswes.homelinux.org
>>Received: from localhost (localhost [127.0.0.1])
>>	by PC002.haswes.homelinux.org (Postfix) with ESMTP id CF04F176D12
>>	for <adrin at localhost>; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
>>Received: from mail.bellsouth.net [205.152.59.17]
>>	by localhost with POP3 (fetchmail-6.2.5.2)
>>	for adrin at localhost (single-drop); Sat, 24 Jun 2006 11:31:11 -0400  
>>(EDT)
>>Received: from ibm15aec.bellsouth.net ([208.141.108.121])
>>          by imf02aec.mail.bellsouth.net with ESMTP
>>          id  
>><20060624152806.LDLP2126.imf02aec.mail.bellsouth.net at ibm15aec.bellsout 
>>h.net>;
>>          Sat, 24 Jun 2006 11:28:06 -0400
>>    
>>
>
>Here's where the nugget of useful information is. This is BellSouth's  
>server time stamping a message it received from  
>ibm15aec.bellsouth.net [208.141.108.121]. You can believe this is  
>BellSouth, because in the line before, your box said it got a message  
>from BellSouth and [205.152.59.17] actually is a BellSouth mailserver  
>(at least to casual inspection):
>
>   sc$ host 205.152.59.17
>   17.59.152.205.in-addr.arpa domain name pointer  
>mail01.mail.bellsouth.net.
>
>As I understand things, the name "ibm15aec.bellsouth.net" comes from  
>the HELO (or EHLO) statement sent to the SMTP server by the sender.  
>These self identifications receive no scrutiny and the SMTP standard  
>says that any hostname is allowed. To keep some accountability in the  
>system, most SMTP servers will add the IP address of the host from  
>which it received the message. So, you can discover that  
>[208.141.108.121] is actually part of tranquility.net:
>
>   sc$ host 208.141.108.121
>   121.108.141.208.in-addr.arpa domain name pointer so- 
>gw.tranquility.net.
>
>At this point, you know all you can know with any degree of  
>certainty. Anything after this line was added by an untrusted host  
>and can be a complete work of fiction.
>
>HTH,
>S
>
>
>  
>
>>Received: from soaserver3.architecture.local ([208.141.108.121])
>>          by ibm15aec.bellsouth.net with ESMTP
>>          id  
>><20060624152803.SXCX22161.ibm15aec.bellsouth.net at soaserver3.architectu 
>>re.local>;
>>          Sat, 24 Jun 2006 11:28:03 -0400
>>Received: from hci1 ([68.33.211.140]) by  
>>soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
>>	 Sat, 24 Jun 2006 10:28:01 -0500
>>From: "PayPal"<aw-confirms at paypal.com>
>>
>>Granted I am running fetchmail. So I know where the first 2
>>"Received" came from. But the next 3 throw me a little.
>>The 3rd one must be a bellsouth server that received the email. So
>>the last two must be the account where the email came from
>>or was relayed from??? The last looking like an Exchange server????
>>The last Received being a comcast domain and number 4 being
>>another domain that isn't bellsouth. Now if they are blocking port
>>25???? How does this email get around that???? And the To: only
>>shows undisclosed-recipients.
>>
>>
>>
>>
>>_______________________________________________
>>Ale mailing list
>>Ale at ale.org
>>http://www.ale.org/mailman/listinfo/ale
Thanks. This was a phish for PayPal accounts, which I never finished
setting up, as I don't like someone having a store of my credit card
or access to my bank account.

Adrin
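As an added example (not code from the thread or from either poster), here is the trust walk Stephen describes applied to the quoted headers: parse each Received line, then believe a hop only while the stamping host is one you run yourself, or the IP the trusted hop above it recorded reverse-resolves into that host's domain; the HELO name is never used as evidence. The reverse-DNS table and the set of hosts treated as your own are assumptions taken from the thread, embedded so the example runs offline.

```python
import re

# The Received chain of the phish as quoted in the thread, newest hop first
# (message ids elided); embedded as constructed input so the example runs offline.
RAW_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
\tby PC002.haswes.homelinux.org (Postfix) with ESMTP; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
Received: from mail.bellsouth.net [205.152.59.17]
\tby localhost with POP3 (fetchmail-6.2.5.2); Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
Received: from ibm15aec.bellsouth.net ([208.141.108.121])
          by imf02aec.mail.bellsouth.net with ESMTP; Sat, 24 Jun 2006 11:28:06 -0400
Received: from soaserver3.architecture.local ([208.141.108.121])
          by ibm15aec.bellsouth.net with ESMTP; Sat, 24 Jun 2006 11:28:03 -0400
Received: from hci1 ([68.33.211.140]) by soaserver3.architecture.local
          with Microsoft SMTPSVC(6.0.3790.1830); Sat, 24 Jun 2006 10:28:01 -0500
"""
# Reverse-DNS answers from the `host` lookups in the reply (constructed table, no network).
RDNS = {"205.152.59.17": "mail01.mail.bellsouth.net",
        "208.141.108.121": "so-gw.tranquility.net"}
# Hosts you run yourself (assumed from the thread); their stamps are believed outright.
MY_HOSTS = {"pc002.haswes.homelinux.org", "localhost"}
HOP_RE = re.compile(r"^Received: from\s+(\S+)\s*(.*?)\bby\s+(\S+)", re.M)

def parse_received(raw):
    """One dict per Received header: claimed HELO name, IP the receiver saw, stamping host."""
    unfolded = re.sub(r"\n[ \t]+", " ", raw)   # join folded continuation lines
    hops = []
    for helo, middle, by in HOP_RE.findall(unfolded):
        ip = re.search(r"\[(\d+(?:\.\d+){3})\]", middle)   # bracketed IP, if the MTA added one
        hops.append({"helo": helo, "ip": ip.group(1) if ip else None, "by": by.lower()})
    return hops

def domain(host):
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def trusted_prefix(hops, my_hosts=MY_HOSTS, rdns=RDNS):
    """Count leading hops whose stamp can be believed; return (count, last reliable IP).
    A hop by a host you run is trusted. Any other hop is trusted only if the hop above
    was trusted and the IP it recorded really belongs (by reverse DNS) to the host this
    hop claims stamped it. The HELO name is never evidence."""
    trusted, last_ip = 0, None
    for i, hop in enumerate(hops):
        prev_ip = hops[i - 1]["ip"] if i else None
        if hop["by"] not in my_hosts and not (
                prev_ip in rdns and domain(rdns[prev_ip]) == domain(hop["by"])):
            break
        trusted, last_ip = trusted + 1, hop["ip"]
    return trusted, last_ip
```

On the quoted chain this stops after the third hop and reports 208.141.108.121 as the last reliable address, matching the reply: the "ibm15aec.bellsouth.net" stamp and everything below it came from an untrusted host.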