From owner-freebsd-questions@FreeBSD.ORG Wed May 18 17:31:26 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9AB4816A4CE
	for ; Wed, 18 May 2005 17:31:26 +0000 (GMT)
Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 16BD243DA3
	for ; Wed, 18 May 2005 17:31:25 +0000 (GMT)
	(envelope-from xfb52@dial.pipex.com)
Received: from [82.41.37.55] ([82.41.37.55]) by smtp-out4.blueyonder.co.uk
	with Microsoft SMTPSVC(5.0.2195.6713); Wed, 18 May 2005 18:32:00 +0100
Message-ID: <428B7BE8.8050605@dial.pipex.com>
Date: Wed, 18 May 2005 18:31:20 +0100
From: Alex Zbyslaw
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-GB; rv:1.7.7) Gecko/20050510
X-Accept-Language: en, en-us
MIME-Version: 1.0
To: jonvalverde@aol.com
References: <8C72933FE6C89D0-B0C-45179@FWM-D38.sysops.aol.com>
In-Reply-To: <8C72933FE6C89D0-B0C-45179@FWM-D38.sysops.aol.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 18 May 2005 17:32:01.0020 (UTC) FILETIME=[7FC98BC0:01C55BCF]
cc: freebsd-questions@freebsd.org
Subject: Re: Finding out original source of e-mail
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 18 May 2005 17:31:26 -0000

jonvalverde@aol.com wrote:

> OK....this might not be the right place to ask this question. But, I'm trying to find the true source of this e-mail.....is it possible to do this?
>
> Received: from JonValverde@aol.com
>     by imo-d23.mx.aol.com (mail_out_v38_r1.7.) id t.144.45734b7c (16109)
>     for ; Tue, 17 May 2005 15:29:57 -0400 (EDT)
> Return-Path:
> Received: from FWM-D38 (fwm-d38.webmail.aol.com [205.188.162.14]) by
>     air-id12.mx.aol.com (vx) with ESMTP id MAILINID121-3eed428a4635111; Tue, 17 May
>     2005 15:29:57 -0400
>
> Date: Tue, 17 May 2005 15:29:57 -0400
> Message-Id: <8C7292DF1ACA2ED-B0C-44CA8@FWM-D38.sysops.aol.com>
> From: jonvalverde@aol.com
> References: <3320552738.123535@vega-club.rousse.spnet.net>
> Received: from 204.214.222.51 by FWM-D38.sysops.aol.com (205.188.162.14) with
>     HTTP (WebMailUI); Tue, 17 May 2005 15:29:57 -0400
>
> X-Mailer: AOL WebMail 1.0.0.12281

This bit at the bottom is the transcript of the original email. Most bounce messages include it, some do not. There are too few hours in the day to shoot all the postmasters responsible for bounce messages which do not contain these original headers, but you are lucky and have them.

The lines you care about are the "Received:" lines, and you have to read them backwards. That is, the line nearest the bottom is the first step in the mail delivery, and the top line is the last step in the delivery.

Looking at the first received line shows that FWM-D38.sysops.aol.com received the email from 204.214.222.51. Usually you would expect to see a name associated with that address, but in this case there isn't. Trying

    # host -a 204.214.222.51
    rcode = 3 (Non-existent domain), ancount=0
    Host not found.

shows that there is no reverse lookup info for this host. Most probably an AOL host, given that it was sent using an AOL Webmail interface.

My advice? Forget about it and throw it in the bin where it belongs. I've had half a dozen minimum this week. Some spammer is pretending to be you. The HTTP (WebMailUI) delivery method seems unusual; normally you would expect some zombie machine to be sending these with SMTP. But then again, I pay so little attention to these things these days that maybe this is not so unusual.

--Alex

PS See http://www.faqs.org/rfcs/rfc822.html
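The "read the Received: lines backwards" procedure and the reverse-lookup check from the reply above, written up as an added example that is not part of the original thread: it parses the bounce transcript quoted there, lists the hops in delivery order, pulls out the address each receiving host claims it got the message from, and does the PTR lookup that `host -a` did (the `resolver` parameter is an assumption of this example so the lookup can be swapped out offline).

```python
import re
import socket
from email import message_from_string

# Bounce transcript quoted in the thread above, ">" quoting removed; the recipient
# stripped from "for ;" is left as the page shows it.
BOUNCE_HEADERS = """\
Received: from JonValverde@aol.com
    by imo-d23.mx.aol.com (mail_out_v38_r1.7.) id t.144.45734b7c (16109)
    for ; Tue, 17 May 2005 15:29:57 -0400 (EDT)
Received: from FWM-D38 (fwm-d38.webmail.aol.com [205.188.162.14]) by
    air-id12.mx.aol.com (vx) with ESMTP id MAILINID121-3eed428a4635111; Tue, 17 May
    2005 15:29:57 -0400
Received: from 204.214.222.51 by FWM-D38.sysops.aol.com (205.188.162.14) with
    HTTP (WebMailUI); Tue, 17 May 2005 15:29:57 -0400
X-Mailer: AOL WebMail 1.0.0.12281
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw):
    """Received: lines in delivery order. Every relay prepends its own line,
    so the bottom-most one is the first hop: read them backwards."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def sender_ip(hop):
    """IP the receiver says it got the message from; text after ' by ' is the
    receiver's own identity and is deliberately not searched."""
    m = IPV4_RE.search(hop.split(" by ", 1)[0])
    return m.group(1) if m else None

def reverse_name(ip, resolver=socket.gethostbyaddr):
    """PTR lookup (the 'host' check in the thread); None when no record exists."""
    try:
        return resolver(ip)[0]
    except OSError:
        return None

def trace(raw, resolver=socket.gethostbyaddr):
    """One record per hop: claimed sending IP and its reverse name, or None."""
    out = []
    for n, hop in enumerate(received_hops(raw), 1):
        ip = sender_ip(hop)
        out.append({"hop": n, "ip": ip, "ptr": reverse_name(ip, resolver) if ip else None})
    return out

if __name__ == "__main__":
    for rec in trace(BOUNCE_HEADERS):
        print(rec)
```

Hop 1 is the webmail submission from 204.214.222.51, hop 3 is an internal AOL handoff with no address at all, which is why its `ip` stays None rather than being guessed.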