[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Tracing IP through mail headers

Posted on 2005-04-13
Medium Priority
Last Modified: 2010-04-11
I received an email from aw-confirm@ebay.com telling me to change my info because someone was using my account etc etc. I logged in and nothing looks out of the ordinary. Was this a forged email? Is there anyway to tell? My email is dissolved@comcast.net below:

On a related note, what do the fields Received from, X-originating IP etc mean? I'm assuming originating IP is the actual public address of the computer that composed the message??

Received: from mail19d.g19.rapidsite.net ([])
          by rwcrmxc22.comcast.net (rwcrmxc22) with SMTP
          id <20050322215425r22007bt92e>; Tue, 22 Mar 2005 21:54:25 +0000
X-Originating-IP: []
Received: from (
by mail19d.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 4-0244648464
for <dissolved@comcast.net>; Tue, 22 Mar 2005 16:54:24 -0500 (EST)
Received: (from memest@localhost)
by memestoica.com (8.12.11/8.12.9/Submit) id j2MLsOZS075762;
Tue, 22 Mar 2005 16:54:24 -0500 (EST)
(envelope-from memest)
Date: Tue, 22 Mar 2005 16:54:24 -0500 (EST)
Message-Id: <200503222154.j2MLsOZS075762@memestoica.com>
To: dissolved@comcast.net
Subject: Account Investigation Important Notice
From: "aw-confirm@ebay.com" <aw-confirm@ebay.com>
Reply-To: aw-confirm@ebay.com
MIME-Version: 1.0
Question by:dissolved
  • 4
  • 2

Expert Comment

ID: 13772289
This could be a "phishing" scam. These are becoming more and more prevalent nowadays. Basically, phishing is a scam that tries to get you to go to a site that looks authentic but which is actually meant to steal your login information. I hope you went directly to eBay and didn't click on any link provided in the email itself. You might want to follow up with eBay to ensure that your account has not actually been compromised.

Expert Comment

ID: 13772348
You can have the email and its headers analyzed for free by SpamCop (you have to register first):  www.spamcop.net

The analysis is about as good as it gets for automated systems. I would copy the entire email (it's important to get everything, all of the mai headers) into SpamCop and let it tell you what it believes is actually real and not forged. It will also allow you to file complaints to the "real" senders, if it can determine who they are, but you may or may not want to actually send the reports.

Remember that the "From:" headers are totally unreliable -- anyone can put anything in there.

Author Comment

ID: 13772465
Thanks. I didnt click on any links in the email.
What do the different fields mean in the header? ie: x originiating IP etc?
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 34

Assisted Solution

PsiCop earned 1200 total points
ID: 13772577
Hey, dissolved.

Trusting headers in SPAM E-Mail is tricky business. About the only header you can really trust is the one added by your ISP:

Received: from mail19d.g19.rapidsite.net ([]) by rwcrmxc22.comcast.net (rwcrmxc22) with SMTP id <20050322215425r22007bt92e>; Tue, 22 Mar 2005 21:54:25 +0000

Here, ComCast server rxvrmxc22 received the message from IP address, and that IP address had a reverse-lookup DNS entry that came back with the hostname of some machine at rapidsite.net. You can be *reasonably* sure that some host in the rapidsite.net network was used to send the E-Mail.

Beyond that, it gets tricky. X-Originating-IP may have been added by the spammer, to mislead. Same for the two other Received: headers - without knowing for certain what mailserver software is in use on the rapidsite servers, and how it is configured, its impossible to tell with certainty that the headers are genuine or meaningful.

Accepted Solution

jimwasson earned 800 total points
ID: 13773090
The X-Originating-IP is supposed to be the IP address of the machine that generated the original email. (Any field beginning with an "X" is optional, though.)
The "Received:" fields (there may be a chain of them) traces the "route" the email took from server to server until it reached you. These may or may not be reliable. As PsiCop mentioned, the only one that can really be trusted is the one from your ISP. Spammers/scammers often "seed" the email with fake fields to make tracing next to impossible.
The last "Received:" field is good (this is the handoff from rapidsite to comcast) -- SpamCop gives me this for mail19d.g19.rapidsite.net:

host mail19d.g19.rapidsite.net (checking ip) =
host = mail19d.dulles19-verio.com (cached)
No recent reports, no history available
Routing details for
[refresh/show] Cached whois for : ce-ipadmin@verio.net
Using abuse net on ce-ipadmin@verio.net
abuse net verio.net = abuse@verio.net

Everything before it, though is very suspicious. First of all the X-Originating-IP field points back to rapidsite.net as the originating machine (which it doesn't seem to be). Also the "Received:" field looks bogus. The IP Address belongs to Verio. It may or may not be bogus (faked). The domain memestoica.com is real but the registrar is in the process of deleting it -- it's not active. So I certainly wouldn't trust that header field at all.

Expert Comment

ID: 13773281
Actually Pobox has a pretty easy to understand tutorial on reading email headers and on spotting fake email headers here:


Author Comment

ID: 13775250
Thanks guys

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question