Solved

Can you read this e-mail header?

Posted on 2013-05-13
Last Modified: 2013-05-16
To protect the privacy of the parties, I'm editing the names and replacing them with John Doe and Jane Doe. The rest is not being edited.
A friend and I were discussing a matter, and suddenly this Jane Doe sent an e-mail to my friend about what we were discussing. My friend never gave their e-mail to anyone for them to know the subject that we were talking about.
I see some numbers and an IP address there between all the garb so maybe you can figure it out.

From Jane Doe Thu May  9 16:06:46 2013
X-Apparently-To: johndoe@yahoo.de via 46.228.37.113; Thu, 09 May 2013 15:06:38 +0000
Return-Path: <Jane.Doe@rocketmail.com>
Received-SPF: none (domain of rocketmail.com does not designate permitted sender hosts)
X-Originating-IP: [98.138.90.94]
Authentication-Results: mta1183.mail.ir2.yahoo.com  from=rocketmail.com; domainkeys=neutral (no sig);  from=rocketmail.com; dkim=pass (ok)
Received: from 127.0.0.1  (EHLO nm21-vm0.bullet.mail.ne1.yahoo.com) (98.138.90.94)
  by mta1183.mail.ir2.yahoo.com with SMTP; Thu, 09 May 2013 15:06:38 +0000
Received: from [98.138.226.177] by nm21.bullet.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:37 -0000
Received: from [98.138.226.56] by tm12.bullet.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:36 -0000
Received: from [127.0.0.1] by smtp207.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:36 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rocketmail.com; s=s1024; t=1368111996; bh=J60cx+867857NPzisnUe3jBrCsgQCakNMcMNBDeuQDs=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Date:Subject:Message-ID:From:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=MsLbjvn4zz6kNWqrHuatcNqPM1ekCmlZhmWhZ+uwuW0vBf0T/lcBAlEqn7fzYIGMtTEJcp99+m7TqFRr/xi+tF6hhUGWbvRunyMUl4/i6Y76iKTPSmapDM+MYuCgi6ACYbj+QsOE5Vrs80lda7Cx+PElcTTkZT3kEn34iSgl85o=
X-Yahoo-Newman-Id: 811538.7457.bm@smtp207.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-SMTP: oSxRVvSswBB_r4TQCRzVXmJyUVu36cnA.FBO2G1u4lpTh5tdhTXXH8Q7
        by smtp207.mail.ne1.yahoo.com with SMTP; 09 May 2013 08:06:36 -0700 PDT
Date: Thu, 09 May 2013 11:06:46 -0400
Subject: But i would like to meet you
Message-ID: <73dwfakfudb2jrkdmxsmbva6.1368112006787@email.android.com>
From: Jane Doe <Jane.Doe@rocketmail.com>
To: johndoe@yahoo.de
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
Content-Length: 54
Question by:nickg5
LVL 90

Accepted Solution

by:
John Hurst earned 325 total points
ID: 39161667
Everything in the headers above is Yahoo!

46.228.32.0 is Yahoo! Europe
98.138.90.94 is Yahoo! US
98.138.226.177 is Yahoo! US
rocketmail.com is Yahoo! US

So it has come from someone hacking into a Yahoo account and somehow getting your address. It is all within Yahoo!

"But i would like to meet you" is a standard SPAM subject.

So how do we determine from the above that the spammer knew what you were talking about?

.... Thinkpads_User
0
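Added example, not part of the original thread: a Python sketch that reads the Received chain from the question's header bottom-up (oldest hop first) and pulls out the relay hosts, the public IPs, the DKIM verdict and the Message-ID domain. The function names `received_hops` and `summarize` are introduced here for illustration; the header lines are copied from the question.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Header lines copied from the question (opaque X-YMail* values left out).
RAW = """\
Authentication-Results: mta1183.mail.ir2.yahoo.com  from=rocketmail.com; domainkeys=neutral (no sig);  from=rocketmail.com; dkim=pass (ok)
Received: from 127.0.0.1  (EHLO nm21-vm0.bullet.mail.ne1.yahoo.com) (98.138.90.94)
  by mta1183.mail.ir2.yahoo.com with SMTP; Thu, 09 May 2013 15:06:38 +0000
Received: from [98.138.226.177] by nm21.bullet.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:37 -0000
Received: from [98.138.226.56] by tm12.bullet.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:36 -0000
Received: from [127.0.0.1] by smtp207.mail.ne1.yahoo.com with NNFMP; 09 May 2013 15:06:36 -0000
Message-ID: <73dwfakfudb2jrkdmxsmbva6.1368112006787@email.android.com>

"""
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def received_hops(raw):
    """Return the Received hops oldest-first (the header lists newest first)."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        route, _, stamp = flat.rpartition(";")    # timestamp follows the last ';'
        sender, _, receiver = route.partition(" by ")
        hops.append({
            "ips": [ipaddress.ip_address(ip) for ip in IP_RE.findall(sender)],
            "by": receiver.split()[0] if receiver else None,
            "when": parsedate_to_datetime(stamp.strip()),
        })
    return hops

def summarize(raw):
    """Pull out the fields the thread argues about: relays, DKIM, client hint."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    auth = " ".join(msg.get("Authentication-Results", "").split())
    dkim = re.search(r"\bdkim=(\w+)", auth)
    return {
        "relays": [h["by"] for h in hops],
        "public_ips": [str(ip) for h in hops for ip in h["ips"] if ip.is_global],
        "first_hop_loopback_only": all(ip.is_loopback for ip in hops[0]["ips"]),
        "dkim": dkim.group(1) if dkim else None,
        "msgid_domain": msg.get("Message-ID", "").strip("<>").rpartition("@")[2],
    }

if __name__ == "__main__":
    for key, value in summarize(RAW).items():
        print(f"{key}: {value}")
```

The earliest hop records only a loopback address, so this header does not expose the submitting client's IP; every relay it does name is a Yahoo host.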
 
LVL 25

Author Comment

by:nickg5
ID: 39161698
Because we were talking about Jane Doe.
And the e-mail was sent from a Jane Doe.

Our messages between us two had "re: Jane Doe" in the subject line.
And then here comes a message from a Jane Doe.

My friend's address is the @ yahoo.de so that is not the hacker or the phony.
The @ rocketmail is the phony or the phisher. But phishers don't normally know what my friend and I were discussing, which was shown in our subject lines.

We were discussing their relative and "re: Jane Doe" was in the subject line of our e-mails.
Then here comes a message from Jane.Doe @ rocketmail claiming to be Jane Doe.
0
 
LVL 25

Author Comment

by:nickg5
ID: 39161711
What I mean is, a spammer's name should not be the name of the person we had been discussing.

Genealogy related is what we were talking about, a lost contact with relative.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39161727
I use Mail.com and people who do not know me from Adam send email to me from phony addresses or from myself sometimes (it looks like I sent it myself). I see my own address in the subject line.

So what you see is no surprise. It is just spam and I don't know why Yahoo did not categorize it as spam. It is not the most secure email system.

I cannot tell you how the hacker got your email address, but I have seen this happen to me. All of this goes into the Mail.com spam bucket.

... Thinkpads_User
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39161736
I wonder if your friend sent a mail to a Yahoo email address (likely) that itself was compromised, and the hacker used this.

It is all social engineering so you will open the email. Then your computer is compromised.

... Thinkpads_User
0
 
LVL 25

Author Comment

by:nickg5
ID: 39161837
It is all social engineering so you will open the email. Then your computer is compromised.

So, what do we do? Change passwords and that is all we can do?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39161857
You should (along with your friend) change your Yahoo! email passwords, but that won't stop the email from coming. You need to blacklist it if you can. That is what I try to do.  The only way I know how to stop this (because it is email) is with spam filtering. The next line of defense is really good Anti Virus software.

... Thinkpads_User
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39166760
Here is a link from ZDNet that talks to my above points about social engineering and specially crafted web pages.  Someone your friend knows probably has been hit with this stuff.

http://www.zdnet.com/microsoft-fixes-two-critical-ie-security-flaws-including-nuke-zero-day-7000015369/?s_cid=e589&ttag=e589

... Thinkpads_User
0
 
LVL 25

Author Closing Comment

by:nickg5
ID: 39172317
-
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39172482
@nickg5 - Thank you, and I was happy to help you with this.

... Thinkpads_User
0
