Can someone interpret these e-mail headers from start to finish?

I need to verify my thoughts on these e-mail headers... Can anyone interpret these from start to finish for me? Thanks! Please note that I did change some of my own information with **** but it should not affect your interpretation.

Return-Path: <investor@studiotraffic.com> Mon Mar 27 20:22:24 2006
Received: from ip35-236-90-69.parcom.net [69.90.236.35] by sith.myinternetwebhost.com with SMTP;
   Mon, 27 Mar 2006 20:22:24 -0800
X-ASG-Debug-ID: 1143519731-4827-418-0
X-Barracuda-URL: http://odo.parcom.net:8585/cgi-bin/mark.cgi
Received: from 200.yapioduts.com (mail.studiotraffic.com [64.62.165.200])
      by odo.parcom.net (Spam Firewall) with ESMTP id 1B3EFD2254AA
      for <****@maxcompute.com>; Mon, 27 Mar 2006 20:22:11 -0800 (PST)
Received: from host44.201-252-182.telecom.net.ar ([201.252.182.44] helo=nuevapc)
      by 200.yapioduts.com with smtp (Exim 4.52)
      id 1FO5iZ-0005hR-U7
      for ****@maxcompute.com; Mon, 27 Mar 2006 20:22:08 -0800
Message-ID: <027a01c6521f$2c114170$0401a8c0@nuevapc>
From: "Studio Traffic Team" <investor@studiotraffic.com>
To: "**** ******" <****@maxcompute.com>
References: <000001c6520d$17622bc0$0202a8c0@antimac>
X-ASG-Orig-Subj: Re: I am interested in shares.. .how do I buy?
Subject: Re: I am interested in shares.. .how do I buy?
Date: Tue, 28 Mar 2006 01:22:02 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0275_01C65206.04917200"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - 200.yapioduts.com
X-AntiAbuse: Original Domain - maxcompute.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - studiotraffic.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Virus-Scanned: by Parcom.net Anti-Spam and Anti-Virus System at parcom.net
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using per-user scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1.2 KILL_LEVEL=6.5 tests=
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.10182
      Rule breakdown below pts rule name              description
      ---- ---------------------- --------------------------------------------------

========================================

Here was my interpretation...  Am I correct?

"OK I did receive an e-mail back from the investor address.

As far as I can tell the origin of the e-mail comes from fastservers e-mail server.

Something does seem odd the way it bounces around.

It starts from 200.yapioduts.com (which resolves to 64.62.165.200 which is fastservers)

It then bounces to 201.252.182.44 (which is based in Argentina)

And then goes to the final destination (your e-mail server)

So the only thing that I am reading out of this whole thing is that whoever is sending these e-mails is trying to be sneaky by setting up a smarthost on the fastservers e-mail server. What does this mean? Nothing new! Sneaky but not effective. It is still going through Fastservers. "

nepostojeci_email Commented:
Bear in mind that those "Received:" fields can also be forged.
That means it would be smart to contact the ISPs about your
issue, and do it in this way:

1. first contact:
  postmaster@parcom.net, root@parcom.net, office@parcom.net
  (put them all in the TO field, or a CC field)

2. then contact:
  postmaster@he.net, root@he.net, hostmaster@he.net

3. and finally:
  postmaster@TA.TELECOM.COM.AR, root@TA.TELECOM.COM.AR, abuse@TA.TELECOM.COM.AR

and hope that they will respond, and let you know what is
going on.
NINE (Author) Commented:
So I was correct in my original interpretation? Also, where does he.net come from? Thanks!
NINE (Author) Commented:
After rereading the headers... I am thinking I was wrong...

Is host44.201-252-182.telecom.net.ar ([201.252.182.44] helo=nuevapc) the sender's computer?
nepostojeci_email Commented:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - 200.yapioduts.com
X-AntiAbuse: Original Domain - maxcompute.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - studiotraffic.com

studiotraffic.com is the sender's origin.
r-k Commented:
Yes, I think the sender's computer was IP 201.252.182.44,
which translates to: host44.201-252-182.telecom.net.ar
Most likely a dial-up connection in Argentina.

At least, most likely.
nepostojeci_email Commented:
The fact that the line "Received: from host44.201-252-182.telecom.net.ar ([201.252.182.44] helo=nuevapc)
     by 200.yapioduts.com with smtp (Exim 4.52)"
comes before any other "Received:" lines doesn't mean it is the valid line.
For example, a spammer can pretend he is an SMTP server that is relaying the email
for somebody else, which I think is the case here, trying to cover his
tracks by fooling you into thinking that the email originally came from that domain.

Anyway, I deal with spam in a simple way: I get all of the "Received" lines
in one file, and then I resolve them to IP addresses; after that I go to some
online WHOIS server and get the name of the ISP that is responsible for that
IP address (every single one), and there should also be some email address
of that ISP.

So, when I collect all those emails, I just put them all in the TO field and send
a "spam complaint" to all those email addresses with the original email included
(with full headers, so the ISP can figure out who the spammer was).

Also, I copy/paste the full original email to the SpamCop site, which in return puts
those IP addresses on a blacklist until somebody removes them (to remove them, he
must prove that he resolved the reason why he got on the blacklist in the first
place). So, that way you just bounce the problem back to the ISPs who are
responsible in the first place for allowing the spammer such activities.
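As an added example (not part of this thread or anyone's posted code), here is the header walk that both the question's interpretation and nepostojeci_email's procedure describe, using only the Python 3 standard library: it unfolds the Received: lines quoted above, lists the hops in delivery order, and marks the one line your own MTA wrote, since that is the only one you can actually trust. The WHOIS lookups are left out so it runs offline; the input is the page's own headers, embedded as a constructed sample.

```python
import re

# Constructed input: the three Received: lines quoted in the question (recipient masked by the poster).
RAW_HEADERS = """\
Received: from ip35-236-90-69.parcom.net [69.90.236.35] by sith.myinternetwebhost.com with SMTP;
   Mon, 27 Mar 2006 20:22:24 -0800
Received: from 200.yapioduts.com (mail.studiotraffic.com [64.62.165.200])
      by odo.parcom.net (Spam Firewall) with ESMTP id 1B3EFD2254AA
      for <****@maxcompute.com>; Mon, 27 Mar 2006 20:22:11 -0800 (PST)
Received: from host44.201-252-182.telecom.net.ar ([201.252.182.44] helo=nuevapc)
      by 200.yapioduts.com with smtp (Exim 4.52)
      id 1FO5iZ-0005hR-U7
      for ****@maxcompute.com; Mon, 27 Mar 2006 20:22:08 -0800
"""

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def grab(pattern, text):
    """First capture group of pattern in text, or None when it is absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_received(raw):
    """One dict per Received: header, in header order (the newest hop comes first)."""
    hops = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            body = line.split(":", 1)[1].strip()
            hops.append({
                "from": grab(r"^from\s+(\S+)", body),           # name the receiving server recorded
                "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body),
                "helo": grab(r"helo=([^\s)]+)", body),         # what the client claimed to be
                "by": grab(r"\bby\s+(\S+)", body),             # the server that wrote this line
                "date": body.rsplit(";", 1)[-1].strip() if ";" in body else None,
            })
    return hops

def trace(raw):
    """Hops in delivery order (origin first), annotated with what can actually be checked."""
    hops = list(reversed(parse_received(raw)))
    for i, hop in enumerate(hops):
        # Only the line your own MTA wrote (the last hop) is trustworthy; earlier ones are claims.
        hop["written_by_own_mta"] = i == len(hops) - 1
        # Does the next server's 'from' name the server that wrote this line? A mismatch is not
        # proof of forgery (rDNS vs. a self-chosen name), but it is where verification stops.
        hop["next_hop_agrees"] = i + 1 < len(hops) and hops[i + 1]["from"] == hop["by"]
    return hops
```

On the thread's headers the chain agrees between the Argentine host and 200.yapioduts.com, and stops agreeing at the parcom.net link only because odo.parcom.net is recorded under its reverse-DNS name by the next server.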