Tracing IP through mail headers

Posted on 2005-04-13
Last Modified: 2010-04-11
I received an email from telling me to change my info because someone was using my account etc etc. I logged in and nothing looks out of the ordinary. Was this a forged email? Is there any way to tell? My email is below:

On a related note, what do the fields Received from, X-originating IP etc mean? I'm assuming originating IP is the actual public address of the computer that composed the message?

Received: from ([])
          by (rwcrmxc22) with SMTP
          id <20050322215425r22007bt92e>; Tue, 22 Mar 2005 21:54:25 +0000
X-Originating-IP: []
Received: from (
by (RS ver 1.0.95vs) with SMTP id 4-0244648464
for <>; Tue, 22 Mar 2005 16:54:24 -0500 (EST)
Received: (from memest@localhost)
by (8.12.11/8.12.9/Submit) id j2MLsOZS075762;
Tue, 22 Mar 2005 16:54:24 -0500 (EST)
(envelope-from memest)
Date: Tue, 22 Mar 2005 16:54:24 -0500 (EST)
Message-Id: <>
Subject: Account Investigation Important Notice
From: "" <>
MIME-Version: 1.0
Question by:dissolved
    LVL 7

    Expert Comment

    This could be a "phishing" scam. These are becoming more and more prevalent nowadays. Basically, phishing is a scam that tries to get you to go to a site that looks authentic but which is actually meant to steal your login information. I hope you went directly to eBay and didn't click on any link provided in the email itself. You might want to follow up with eBay to ensure that your account has not actually been compromised.
    LVL 7

    Expert Comment

    You can have the email and its headers analyzed for free by SpamCop (you have to register first):

    The analysis is about as good as it gets for automated systems. I would copy the entire email (it's important to get everything, all of the mail headers) into SpamCop and let it tell you what it believes is actually real and not forged. It will also allow you to file complaints to the "real" senders, if it can determine who they are, but you may or may not want to actually send the reports.

    Remember that the "From:" headers are totally unreliable -- anyone can put anything in there.

    Author Comment

    Thanks. I didn't click on any links in the email.
    What do the different fields mean in the header? i.e. X-Originating-IP etc?
    LVL 34

    Assisted Solution

    Hey, dissolved.

    Trusting headers in SPAM E-Mail is tricky business. About the only header you can really trust is the one added by your ISP:

    Received: from ([]) by (rwcrmxc22) with SMTP id <20050322215425r22007bt92e>; Tue, 22 Mar 2005 21:54:25 +0000

    Here, Comcast server rwcrmxc22 received the message from IP address, and that IP address had a reverse-lookup DNS entry that came back with the hostname of some machine at. You can be *reasonably* sure that some host in the network was used to send the E-Mail.

    Beyond that, it gets tricky. X-Originating-IP may have been added by the spammer, to mislead. Same for the two other Received: headers - without knowing for certain what mailserver software is in use on the rapidsite servers, and how it is configured, it's impossible to tell with certainty whether the headers are genuine or meaningful.
    LVL 7

    Accepted Solution

    The X-Originating-IP is supposed to be the IP address of the machine that generated the original email. (Any field beginning with an "X" is optional, though.)
    The "Received:" fields (there may be a chain of them) trace the "route" the email took from server to server until it reached you. These may or may not be reliable. As PsiCop mentioned, the only one that can really be trusted is the one from your ISP. Spammers/scammers often "seed" the email with fake fields to make tracing next to impossible.
    The last "Received:" field is good (this is the handoff from rapidsite to comcast) -- SpamCop gives me this for

    host (checking ip) =
    host = (cached)
    No recent reports, no history available
    Routing details for
    [refresh/show] Cached whois for :
    Using abuse net on
    abuse net =

    Everything before it, though, is very suspicious. First of all, the X-Originating-IP field points back to as the originating machine (which it doesn't seem to be). Also the "Received:" field looks bogus. The IP address belongs to Verio. It may or may not be bogus (faked). The domain is real but the registrar is in the process of deleting it -- it's not active. So I certainly wouldn't trust that header field at all.
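    The two answers above (PsiCop's on trusting only the hop your own ISP wrote, and the accepted one on reading the Received: chain and the optional X-Originating-IP) describe a procedure that is easy to script. The following is an added example, not code from the original thread or from SpamCop: it parses a message's Received: headers top-down (hop 0 is the last relay, the one nearest the recipient), marks as trusted only the hop whose "by" host is the MX you name, and checks whether the address claimed in X-Originating-IP appears in any hop at all. The sample message, its hostnames, the RFC 5737 documentation addresses and the MX name mx.recipient-isp.example are constructed placeholders, not the values from the poster's real email.

```python
import re
import ipaddress
from email import policy
from email.parser import BytesParser

# Constructed sample message for this example. Hosts, addresses and the
# Message-Id are placeholders (RFC 5737 documentation ranges), not the values
# from the original post. The layout mirrors the poster's three-hop chain.
SAMPLE = b"""Received: from mail.example-isp.net (mail.example-isp.net [198.51.100.7])
\tby mx.recipient-isp.example (rwcrmxc22) with SMTP
\tid <20050322215425r22007bt92e>; Tue, 22 Mar 2005 21:54:25 +0000
X-Originating-IP: [192.0.2.44]
Received: from webhost.example.org (203.0.113.9)
\tby mail.example-isp.net (RS ver 1.0.95vs) with SMTP id 4-0244648464
\tfor <victim@recipient-isp.example>; Tue, 22 Mar 2005 16:54:24 -0500 (EST)
Received: (from memest@localhost)
\tby webhost.example.org (8.12.11/8.12.9/Submit) id j2MLsOZS075762;
\tTue, 22 Mar 2005 16:54:24 -0500 (EST)
From: "Account Security" <security@example.com>
Subject: Account Investigation Important Notice
Message-Id: <placeholder@example.org>

Please confirm your account.
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _ip_in(text):
    """Return the first syntactically valid IPv4 address in text, or None."""
    for m in IPV4.finditer(text):
        try:
            return str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue
    return None


def parse_received(raw, my_mx):
    """Split a message's Received: chain into hops.

    Hops are returned top-down: hop 0 is the last server to touch the message
    (the one closest to the recipient). Only the hop whose "by" host is our
    own MX (my_mx, an assumed name) is marked trusted; every hop below it was
    written by systems the sender controls and may be fabricated.
    """
    msg = BytesParser(policy=policy.compat32).parsebytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold and collapse whitespace
        by = re.search(r"\bby\s+(\S+)", value)
        from_clause = value.split(" by ", 1)[0]  # only the "from ..." part
        if from_clause.startswith("("):
            # "(from user@localhost)": local submission, no remote peer
            from_host, from_ip = None, None
        else:
            m = re.match(r"from\s+([^\s(]+)", from_clause)
            from_host = m.group(1) if m else None
            from_ip = _ip_in(from_clause)        # the relay's own [ip] annotation
        hops.append({
            "from_host": from_host,
            "from_ip": from_ip,
            "by_host": by.group(1) if by else None,
            "trusted": bool(by) and by.group(1).lower() == my_mx.lower(),
        })
    return hops


def check_originating_ip(raw, my_mx):
    """Compare the optional X-Originating-IP: header with the parsed hops.

    Returns (claimed_ip, index_of_matching_hop_or_None). A claimed address
    that appears in no Received: line at all is a strong hint the header was
    seeded by the sender rather than added by a relay.
    """
    msg = BytesParser(policy=policy.compat32).parsebytes(raw)
    claimed = _ip_in(msg.get("X-Originating-IP", "") or "")
    if claimed is None:
        return None, None
    for i, hop in enumerate(parse_received(raw, my_mx)):
        if hop["from_ip"] == claimed:
            return claimed, i
    return claimed, None


if __name__ == "__main__":
    mx = "mx.recipient-isp.example"
    for i, hop in enumerate(parse_received(SAMPLE, mx)):
        print(i, "TRUSTED  " if hop["trusted"] else "untrusted", hop)
    print("X-Originating-IP:", check_originating_ip(SAMPLE, mx))
```

    Only hop 0 gets the trusted flag, because the "[ip]" it records was observed by your own MX at connection time; the hostname in the same line is whatever the peer announced in HELO and is not evidence of anything. In the constructed sample the X-Originating-IP address matches no hop, which is the pattern the accepted answer calls suspicious.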
    LVL 7

    Expert Comment

    Actually Pobox has a pretty easy to understand tutorial on reading email headers and on spotting fake email headers here:

    Author Comment

    Thanks guys
