Solved

Can you read this e-mail header?

Posted on 2013-05-13
Last Modified: 2013-05-16
To protect the privacy of the parties, I'm editing the names and replacing them with John Doe and Jane Doe. The rest is not being edited.
A friend and I were discussing a matter and suddenly this Jane Doe sent an e-mail to my friend about what we were discussing and my friend never gave their e-mail to anyone for them to know the subject that we were talking about.
I see some numbers and an IP address there between all the garb so maybe you can figure it out.

From Jane Doe Thu May  9 16:06:46 2013
X-Apparently-To: johndoe@yahoo.de via 46.228.37.113; Thu, 09 May 2013 15:06:38 +0000
Return-Path: <Jane.Doe@rocketmail.com>
Received-SPF: none (domain of rocketmail.com does not designate permitted sender hosts)
X-Originating-IP: [98.138.90.94]
Authentication-Results: mta1183.mail.ir2.yahoo.com  from=rocketmail.com; domainkeys=neutral (no sig);  from=rocketmail.com; dkim=pass (ok)
Received: from 127.0.0.1  (EHLO nm21-vm0.bullet.mail.ne1.yahoo.com) (98.138.90.94)
  by mta1183.mail.ir2.yahoo.com with SMTP; Thu, 09 May 2013 15:06:38 +0000
Received: from [98.138.226.177] by nm21.bullet.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:37 -0000
Received: from [98.138.226.56] by tm12.bullet.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:36 -0000
Received: from [127.0.0.1] by smtp207.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:36 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rocketmail.com; s=s1024; t=1368111996; bh=J60cx+867857NPzisnUe3jBrCsgQCakNMcMNBDeuQDs=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Date:Subject:Message-ID:From:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=MsLbjvn4zz6kNWqrHuatcNqPM1ekCmlZhmWhZ+uwuW0vBf0T/lcBAlEqn7fzYIGMtTEJcp99+m7TqFRr/xi+tF6hhUGWbvRunyMUl4/i6Y76iKTPSmapDM+MYuCgi6ACYbj+QsOE5Vrs80lda7Cx+PElcTTkZT3kEn34iSgl85o=
X-Yahoo-Newman-Id: 811538.7457.bm@smtp207.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-SMTP: oSxRVvSswBB_r4TQCRzVXmJyUVu36cnA.FBO2G1u4lpTh5tdhTXXH8Q7
        by smtp207.mail.ne1.yahoo.com with SMTP; 09 May 2013 08:06:36 -0700 PDT
Date: Thu, 09 May 2013 11:06:46 -0400
Subject: But i would like to meet you
Message-ID: <73dwfakfudb2jrkdmxsmbva6.1368112006787@email.android.com>
From: Jane Doe <Jane.Doe@rocketmail.com>
To: johndoe@yahoo.de
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
Content-Length: 54
0
Question by:nickg5
10 Comments
 
LVL 92

Accepted Solution

by:
John Hurst earned 325 total points
ID: 39161667
Everything in the headers above is Yahoo!

46.228.32.0 is Yahoo! Europe
98.138.90.94 is Yahoo! US
98.138.226.177 is Yahoo! US
rocketmail.com is Yahoo! US

So it has come from someone hacking into a Yahoo account and somehow getting your address. It is all within Yahoo!

"But i would like to meet you" is a standard SPAM subject.

So how do we determine from the above that the spammer knew what you were talking about?

.... Thinkpads_User
0
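The hop-by-hop reading in the answer above can be reproduced mechanically. This is an added example, not part of the original thread: it walks the `Received` chain from the posted header oldest hop first, lists any relay outside one provider's domain, and reads the verdicts in `Authentication-Results`. The function names are hypothetical, and the header text is copied from the question with the opaque fields left out.

```python
import re
from email import message_from_string

# Header fields copied from the question above; the opaque X-YMail* blobs
# and the DKIM-Signature are left out because the analysis does not need them.
RAW = """\
X-Originating-IP: [98.138.90.94]
Authentication-Results: mta1183.mail.ir2.yahoo.com  from=rocketmail.com; domainkeys=neutral (no sig);  from=rocketmail.com; dkim=pass (ok)
Received: from 127.0.0.1  (EHLO nm21-vm0.bullet.mail.ne1.yahoo.com) (98.138.90.94)
  by mta1183.mail.ir2.yahoo.com with SMTP; Thu, 09 May 2013 15:06:38 +0000
Received: from [98.138.226.177] by nm21.bullet.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:37 -0000
Received: from [98.138.226.56] by tm12.bullet.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:36 -0000
Received: from [127.0.0.1] by smtp207.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:36 -0000
From: Jane Doe <Jane.Doe@rocketmail.com>
To: johndoe@yahoo.de

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_hops(raw):
    """Return (from_ips, by_host) per hop, oldest hop first.

    Each relay prepends its own Received line, so the list is reversed.
    Loopback addresses are dropped: they say nothing about the route.
    """
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        from_part, _, by_part = re.sub(r"\s+", " ", value).partition(" by ")
        ips = [ip for ip in IPV4.findall(from_part) if not ip.startswith("127.")]
        hops.append((ips, (by_part.split() or ["?"])[0].lower()))
    return hops


def hosts_outside(hops, domain):
    """Relay host names that do not belong to `domain` (empty = one provider)."""
    return [by for _, by in hops if not by.endswith("." + domain)]


def auth_results(raw):
    """Map each check in Authentication-Results to its verdict."""
    value = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(dkim|domainkeys|spf)=(\w+)", value))


if __name__ == "__main__":
    for ips, by in received_hops(RAW):
        print(f"{', '.join(ips) or '(local submission)':<20} -> {by}")
    print("non-Yahoo relays:", hosts_outside(received_hops(RAW), "yahoo.com"))
    print("auth:", auth_results(RAW))
```

The oldest hop records only 127.0.0.1, so this header carries no address for the sender's own device; every routable address in it belongs to a relay.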
 
LVL 25

Author Comment

by:nickg5
ID: 39161698
Because we were talking about Jane Doe.
And the e-mail was sent from a Jane Doe.

Our messages between us two had "re: Jane Doe" in the subject line.
And then here comes a message from a Jane Doe.

My friend's address is the @ yahoo.de so that is not the hacker or the phony.
The @ rocketmail is the phony or the phisher. But phishers don't normally know what my friend and I were discussing, which was shown in our subject lines.

We were discussing their relative and "re: Jane Doe" was in the subject line of our e-mails.
Then here comes a message from Jane.Doe @ rocketmail claiming to be Jane Doe.
0
 
LVL 25

Author Comment

by:nickg5
ID: 39161711
What I mean is, a spammer's name should not be the name of the person we had been discussing.

Genealogy related is what we were talking about, a lost contact with relative.
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 39161727
I use Mail.com and people who do not know me from Adam send email to me from phony addresses or from myself sometimes (it looks like I sent it myself). I see my own address in the subject line.

So what you see is no surprise. It is just spam and I don't know why Yahoo did not categorize it as spam. It is not the most secure email system.

I cannot tell you how the hacker got your email address, but I have seen this happen to me. All of this goes into the Mail.com spam bucket.

... Thinkpads_User
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 39161736
I wonder if your friend sent a mail to a Yahoo email address (likely) that itself was compromised, and the hacker used this.

It is all social engineering so you will open the email. Then your computer is compromised.

... Thinkpads_User
0
 
LVL 25

Author Comment

by:nickg5
ID: 39161837
It is all social engineering so you will open the email. Then your computer is compromised.

So, what do we do? Change passwords and that is all we can do?
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 39161857
You should (along with your friend) change your Yahoo! email passwords, but that won't stop the email from coming. You need to blacklist it if you can. That is what I try to do.  The only way I know how to stop this (because it is email) is with spam filtering. The next line of defense is really good Anti Virus software.

... Thinkpads_User
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 39166760
Here is a link from ZDNet that talks to my above points about social engineering and specially crafted web pages.  Someone your friend knows probably has been hit with this stuff.

http://www.zdnet.com/microsoft-fixes-two-critical-ie-security-flaws-including-nuke-zero-day-7000015369/?s_cid=e589&ttag=e589

... Thinkpads_User
0
 
LVL 25

Author Closing Comment

by:nickg5
ID: 39172317
-
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 39172482
@nickg5 - Thank you, and I was happy to help you with this.

... Thinkpads_User
0
