I've received some SPAM, which had the following received lines in its
headers (bottom two only shown):

Received: from c-24-9-246-141.client.comcast.net ([24.9.246.141])by
BFLITEMAIL-KR4.bigfoot.com (LiteMail v3.03(BFLITEMAIL-KR4)) with SMTP id
24Nov2003_BFLITEMAIL-KR4_223300_73868345; Mon, 24 Nov 2003 20:59:36 -0500
EST

Received: from [16.30.46.104] by c-24-9-246-141.client.comcast.net with
ESMTP id 36360197; Tue, 25 Nov 2003 11:53:43 -0300

I'm trying to discover whether the first received header is false (in
order to make me think that the IP address 16.30.46.104 was the original
sender).

How can I tell if it's false? What is the significance of an IP address
which only appears in square brackets (like the first line) and one which
is also within curved brackets (like the second ([24.9.246.141]))? Is the
first one false?

Any help much appreciated

Re: Help me to understand headers by anonymous

anonymous
Wed Nov 26 17:47:37 CST 2003

I tried all that....
don't waste your time.
easier to get spam blocker.
or just delete any message you did/do not want.

www.virtualchase.com/researchskills/quality_emailheader.html

-------------------------
>-----Original Message-----
>I've received some SPAM, which had the following received lines in its
>headers (bottom two only shown);
>
>Received: from c-24-9-246-141.client.comcast.net ([24.9.246.141])by
>BFLITEMAIL-KR4.bigfoot.com (LiteMail v3.03(BFLITEMAIL-KR4)) with SMTP id
>24Nov2003_BFLITEMAIL-KR4_223300_73868345; Mon, 24 Nov 2003 20:59:36 -0500
>EST
>
>Received: from [16.30.46.104] by c-24-9-246-141.client.comcast.net with
>ESMTP id 36360197; Tue, 25 Nov 2003 11:53:43 -0300
>
>I'm trying to discover whether the first received header is false (in
>order to make me think that the IP address 16.30.46.104 was the original
>sender).
>
>How can I tell if it's false. What is the significance of an IP address
>which only appears in square brackets (like the first line) and one which
>is also within curved brackets (like the second ([24.9.246.141])). Is the
>first one false.
>
>Any help much appreciated

Re: Help me to understand headers by Ken

Ken
Wed Nov 26 21:48:26 CST 2003

The only header you can trust is the one that your mailserver adds (i.e. the
one that says received from someOtherServer (xxx.xxx.xxx.xxx) by
yourServer.yourDomain.com (xxx.xxx.xxx.xxx)).

The IP address that you can trust is the one that is after the name. Some
people give their machines names like 11.22.33.44 to make you think that's
the IP address that you are receiving mail from, but the real IP address is
the one afterwards, eg in:

Received from 11.22.33.44 (111.222.333.444) by yourServer.yourDomain.com
(88.88.88.88) the IP addresses in the parentheses () are the real ones.

Cheers
Ken


"Paul Simon" <postmaster@XnospamXpaulhsimon.plus.com> wrote in message
news:zsaxb.13488$lm1.103474@wards.force9.net...
: I've received some SPAM, which had the following received lines in its
: headers (bottom two only shown);
:
: Received: from c-24-9-246-141.client.comcast.net ([24.9.246.141])by
: BFLITEMAIL-KR4.bigfoot.com (LiteMail v3.03(BFLITEMAIL-KR4)) with SMTP id
: 24Nov2003_BFLITEMAIL-KR4_223300_73868345; Mon, 24 Nov 2003 20:59:36 -0500
: EST
:
: Received: from [16.30.46.104] by c-24-9-246-141.client.comcast.net with
: ESMTP id 36360197; Tue, 25 Nov 2003 11:53:43 -0300
:
: I'm trying to discover whether the first received header is false (in
: order to make me think that the IP address 16.30.46.104 was the original
: sender).
:
: How can I tell if it's false. What is the significance of an IP address
: which only appears in square brackets (like the first line) and one which
: is also within curved brackets (like the second ([24.9.246.141])). Is the
: first one false.
:
: Any help much appreciated



Re: Help me to understand headers by N

N
Thu Nov 27 03:29:29 CST 2003

In article <zsaxb.13488$lm1.103474@wards.force9.net>,
postmaster@XnospamXpaulhsimon.plus.com says...
> I've received some SPAM, which had the following received lines in its
> headers (bottom two only shown);

It is as Ken says.

> Received: from c-24-9-246-141.client.comcast.net ([24.9.246.141])by
> BFLITEMAIL-KR4.bigfoot.com (LiteMail v3.03(BFLITEMAIL-KR4)) with SMTP id
> 24Nov2003_BFLITEMAIL-KR4_223300_73868345; Mon, 24 Nov 2003 20:59:36 -0500
> EST
>
> Received: from [16.30.46.104] by c-24-9-246-141.client.comcast.net with
> ESMTP id 36360197; Tue, 25 Nov 2003 11:53:43 -0300
>
> I'm trying to discover whether the first received header is false (in
> order to make me think that the IP address 16.30.46.104 was the original
> sender).

The first header is not false, but it is not a proper SMTP relay for
Comcast, either. It doesn't log the headers of incoming traffic in any
reliable way, so don't trust any subsequent Received: lines.

> How can I tell if it's false. What is the significance of an IP address
> which only appears in square brackets (like the first line) and one which
> is also within curved brackets (like the second ([24.9.246.141])). Is the
> first one false.

By figuring out if it is a proper MX server for the domain, "comcast.net".
If it isn't, then it likely can't be trusted. Do a Google on RFC 2821, and
you will learn more than you ever wanted to know about SMTP. But, normally,
the square brackets are optional, the parentheses are required.

Incidentally, the "client.comcast.net" name is an rDNS name, which pretty
much marks this as a residential customer. He probably has an unwanted
"guest", an open proxy which will accept connections, and pass them to
domain MX servers using SMTP. It is for this reason that AOL, among others,
rejects mail from such customers. This only affects a small percentage of
hobbyists, like me, who find our email blocked from their customers.

If you take a look at RFC 2821, you find anonymous is quite right; there is
a lot to learn about this SMTP stuff. Unless you are willing to buckle down
and learn something new, you are better off using MSOE's limited filtering,
finding a third party filter, and just hitting delete. It is not difficult,
but it takes time to sort it all out. Only you know if it will be worth your
time! ;)

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
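Ken's and Norman's points above (the receiver-stamped address in parentheses is the only one anyone verified, and once the chain leaves servers you operate the later Received: lines cannot be checked) as an added worked example; this is not code from the thread. It assumes a set OUR_SERVERS naming the hosts you operate, and uses the two header lines from the original post as constructed sample input.

```python
import re

# Constructed sample: the two Received: lines quoted in the thread, most recent
# first (the bigfoot.com line is the one the recipient's own server stamped).
SAMPLE_HEADERS = [
    "Received: from c-24-9-246-141.client.comcast.net ([24.9.246.141])by "
    "BFLITEMAIL-KR4.bigfoot.com (LiteMail v3.03(BFLITEMAIL-KR4)) with SMTP id "
    "24Nov2003_BFLITEMAIL-KR4_223300_73868345; Mon, 24 Nov 2003 20:59:36 -0500 EST",
    "Received: from [16.30.46.104] by c-24-9-246-141.client.comcast.net with "
    "ESMTP id 36360197; Tue, 25 Nov 2003 11:53:43 -0300",
]
# Assumed: the servers we operate; only a hop stamped "by" one of them is ours.
OUR_SERVERS = {"bflitemail-kr4.bigfoot.com"}

HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s*"   # name the client announced (HELO)
    r"(?:\((?P<tcp>[^)]*)\)\s*)?"             # TCP info the receiver stamped, if any
    r"by\s+(?P<by>[\w.-]+)", re.IGNORECASE)   # server that wrote this line
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def parse_hop(line):
    """Split one Received: line into claimed name, stamped IP and stamping host."""
    m = HOP_RE.match(line)
    if not m:
        return None
    stamped = IP_RE.search(m.group("tcp") or "")   # what the receiver saw on the socket
    return {
        "helo": m.group("helo"),
        "stamped_ip": stamped.group(1) if stamped else None,
        "by": m.group("by").lower(),
        # A bare [a.b.c.d] after "from" with no parenthesised part is only the
        # HELO string: supplied by the connecting client, verified by nobody.
        "helo_is_ip_literal": IP_RE.fullmatch(m.group("helo")) is not None,
    }

def walk_chain(headers, our_servers):
    """Label hops, most recent first; trust ends at the first foreign stamper."""
    hops, trusted = [], True
    for hop in filter(None, map(parse_hop, headers)):
        trusted = trusted and hop["by"] in our_servers
        hop["trust"] = "stamped-by-us" if trusted else "unverifiable"
        hops.append(hop)
    return hops

def true_source(headers, our_servers):
    """IP of the last host that actually handed the message to our servers."""
    ours = [h for h in walk_chain(headers, our_servers) if h["trust"] == "stamped-by-us"]
    return ours[-1]["stamped_ip"] if ours else None
```

Run against the sample, the verifiable origin is 24.9.246.141; the [16.30.46.104] line was written by that Comcast host itself, so nothing in it can be checked.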

Re: Help me to understand headers by Philip

Philip
Thu Nov 27 03:55:42 CST 2003

I have a subscription to Spamcop.net. You can forward suspect email to
Spamcop, and (if you tick "show technical details" on their web page) the
result page shows their analysis of what's forged or not.

--
######################
## PH, London ##
######################


Paul Simon wrote:
> I've received some SPAM, which had the following received lines in its
> headers (bottom two only shown);
>
> Received: from c-24-9-246-141.client.comcast.net ([24.9.246.141])by
> BFLITEMAIL-KR4.bigfoot.com (LiteMail v3.03(BFLITEMAIL-KR4)) with SMTP
> id 24Nov2003_BFLITEMAIL-KR4_223300_73868345; Mon, 24 Nov 2003
> 20:59:36 -0500 EST
>
> Received: from [16.30.46.104] by c-24-9-246-141.client.comcast.net
> with ESMTP id 36360197; Tue, 25 Nov 2003 11:53:43 -0300
>
> I'm trying to discover whether the first received header is false (in
> order to make me think that the IP address 16.30.46.104 was the
> original sender).
>
> How can I tell if it's false. What is the significance of an IP
> address which only appears in square brackets (like the first line)
> and one which is also within curved brackets (like the second
> ([24.9.246.141])). Is the first one false.
>
> Any help much appreciated