Web Hosting Talk

How to trace and identify a mysterious email?


mrzippy
11-26-2002, 07:01 PM
OK.. I just received a rather "mysterious" email and I would like to try and find out exactly who sent it.

Here's the headers: (I've replaced any occurrence of my own email address with "me@domain.com".)

From d.c.@shaw.ca Tue Nov 26 14:39:34 2002
Return-path: <d.c.@shaw.ca>
Envelope-to: me@domain.com
Delivery-date: Tue, 26 Nov 2002 14:39:34 -0500
Received: from shawidc-mo1.cg.shawcable.net ([24.71.223.10] helo=pd6mo2so.prod.shaw.ca)
by server1.host-vault.com with esmtp (Exim 3.36 #1)
id 18GlYK-0000U5-00
for me@domain.com; Tue, 26 Nov 2002 14:39:24 -0500
Received: from pd4mr2so.prod.shaw.ca
(pd4mr2so-qfe3.prod.shaw.ca [10.0.141.213]) by l-daemon
(iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with ESMTP id <0H67003FX7XIZO@l-daemon> for me@domain.com; Tue,
26 Nov 2002 12:39:21 -0700 (MST)
Received: from pn2ml7so.prod.shaw.ca
(pn2ml7so-qfe0.prod.shaw.ca [10.0.121.151]) by l-daemon
(iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with ESMTP id <0H6700F6H7XGN0@l-daemon> for me@domain.com; Tue,
26 Nov 2002 12:39:17 -0700 (MST)
Received: from doug ([24.84.100.180])
by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with SMTP id <0H67008287UQZO@l-daemon> for me@domain.com; Tue,
26 Nov 2002 12:39:15 -0700 (MST)
Date: Tue, 26 Nov 2002 11:26:22 -0800
From: doug <d.c.@shaw.ca>
Subject: Fw: New Solo Album
To: My Name <me@domain.com>
Message-id: <001d01c29581$b8af2100$0501a8c0@vs.shawcable.net>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2615.200
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Content-type: multipart/mixed; boundary="Boundary_(ID_AwjmcdSUFz4raKDfYklnBw)"
X-Priority: 3
X-MSMail-priority: Normal
Status: R

Is it possible to identify anything out of this? What is the hostname/IP of the original sender's machine?

Thanks.

Centralized
11-27-2002, 12:15 AM
SC said:
From d.c.@shaw.ca Tue Nov 26 14:39:34 2002
Return-path: <d.c.@shaw.ca>
Envelope-to: x
Delivery-date: Tue, 26 Nov 2002 14:39:34 -0500
Received: from shawidc-mo1.cg.shawcable.net ([24.71.223.10] helo=pd6mo2so.prod.shaw.ca)
by server1.host-vault.com with esmtp (Exim 3.36 #1)
id 18GlYK-0000U5-00
for x; Tue, 26 Nov 2002 14:39:24 -0500
Received: from pd4mr2so.prod.shaw.ca
(pd4mr2so-qfe3.prod.shaw.ca [10.0.141.213]) by l-daemon
(iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with ESMTP id <0H67003FX7XIZO@l-daemon> for x; Tue,
26 Nov 2002 12:39:21 -0700 (MST)
Received: from pn2ml7so.prod.shaw.ca
(pn2ml7so-qfe0.prod.shaw.ca [10.0.121.151]) by l-daemon
(iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with ESMTP id <0H6700F6H7XGN0@l-daemon> for x; Tue,
26 Nov 2002 12:39:17 -0700 (MST)
Received: from doug ([24.84.100.180])
by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with SMTP id <0H67008287UQZO@l-daemon> for x; Tue,
26 Nov 2002 12:39:15 -0700 (MST)
Date: Tue, 26 Nov 2002 11:26:22 -0800
From: doug <>
Subject: Fw: New Solo Album
To: My Name <x>
Message-id: <001d______________________a8c0@vs.shawcable.net>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2615.200
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Content-type: multipart/mixed; boundary="Boundary_(ID_AwjmcdSUFz4raKDfYklnBw)"
X-Priority: 3
X-MSMail-priority: Normal
Status: R
Parsing header:

Received: from shawidc-mo1.cg.shawcable.net ([24.71.223.10] helo=pd6mo2so.prod.shaw.ca) by server1.host-vault.com with esmtp (Exim 3.36 #1) id 18GlYK-0000U5-00 for x; Tue, 26 Nov 2002 14:39:24 -0500
Possible spammer: 24.71.223.10
host shawidc-mo1.cg.shawcable.net (checking ip) ip = 24.71.223.10
Taking name from IP...
host 24.71.223.10 (getting name) 24.71.223.10 = shawidc-mo1.cg.shawcable.net.
host shawidc-mo1.cg.shawcable.net. (checking ip) ip = 24.71.223.10
Received line accepted

Received: from pd4mr2so.prod.shaw.ca (pd4mr2so-qfe3.prod.shaw.ca [10.0.141.213]) by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002)) with ESMTP id <0H67003FX7XIZO@l-daemon> for x; Tue, 26 Nov 2002 12:39:21 -0700 (MST)
host 24.71.223.10 (getting name) 24.71.223.10 = shawidc-mo1.cg.shawcable.net.
24.71.223.10 trusted implicitly
10.0.141.213 discarded

Received: from pn2ml7so.prod.shaw.ca (pn2ml7so-qfe0.prod.shaw.ca [10.0.121.151]) by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002)) with ESMTP id <0H6700F6H7XGN0@l-daemon> for x; Tue, 26 Nov 2002 12:39:17 -0700 (MST)
host 24.71.223.10 (getting name) 24.71.223.10 = shawidc-mo1.cg.shawcable.net.
24.71.223.10 trusted implicitly
10.0.121.151 discarded

Received: from doug ([24.84.100.180]) by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002)) with SMTP id <0H67008287UQZO@l-daemon> for x; Tue, 26 Nov 2002 12:39:15 -0700 (MST)
host 24.71.223.10 (getting name) 24.71.223.10 = shawidc-mo1.cg.shawcable.net.
24.71.223.10 trusted implicitly
Possible spammer: 24.84.100.180
Taking name from IP...
host 24.84.100.180 (getting name) no name
24.84.100.180 is not an MX for shawidc-mo1.cg.shawcable.net.
Chain test:shawidc-mo1.cg.shawcable.net. =? shawidc-mo1.cg.shawcable.net.
shawidc-mo1.cg.shawcable.net. and shawidc-mo1.cg.shawcable.net. have same hostname - chain verified
Possible relay: 24.71.223.10
24.71.223.10 not listed in relays.ordb.org.
24.71.223.10 has already been sent to relay testers
Received line accepted


Tracking message source:24.84.100.180:
Routing details for 24.84.100.180
[refresh/show] Cached whois for 24.84.100.180 : ipadmin@sjrb.ca
ipadmin@sjrb.ca: abuse net sjrb.ca = internet.abuse@sjrb.ca
abuse net sjrb.ca = internet.abuse@sjrb.ca
Using best contacts internet.abuse@sjrb.ca
Whois found internet.abuse@sjrb.ca
24.84.100.180 not listed in formmail.relays.monkeys.com
24.84.100.180 not listed in opm.blitzed.org
24.84.100.180 not listed in relays.ordb.org.


Would send message source reports to:


Re:24.84.100.180 (Administrator of network where email originates)

internet.abuse@sjrb.ca
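The chain walk SpamCop performed above, and the answer to the original question (which address belongs to the sender's own machine), as an added Python example that is not part of this thread and not SpamCop's code. The header block is copied from the first post; the local MTA name `server1.host-vault.com` is read off the first Received line and is the one assumption you would change for your own server. The Message-ID decoding is a heuristic that applies to Outlook Express-generated IDs of the shape seen here, and the DNS, WHOIS and DNSBL lookups SpamCop ran are left out so the example runs offline.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block copied from the first post (recipient already replaced there with
# me@domain.com); the message body is omitted.
RAW_MESSAGE = """\
Return-path: <d.c.@shaw.ca>
Received: from shawidc-mo1.cg.shawcable.net ([24.71.223.10] helo=pd6mo2so.prod.shaw.ca)
 by server1.host-vault.com with esmtp (Exim 3.36 #1)
 id 18GlYK-0000U5-00
 for me@domain.com; Tue, 26 Nov 2002 14:39:24 -0500
Received: from pd4mr2so.prod.shaw.ca
 (pd4mr2so-qfe3.prod.shaw.ca [10.0.141.213]) by l-daemon
 (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
 with ESMTP id <0H67003FX7XIZO@l-daemon> for me@domain.com; Tue,
 26 Nov 2002 12:39:21 -0700 (MST)
Received: from pn2ml7so.prod.shaw.ca
 (pn2ml7so-qfe0.prod.shaw.ca [10.0.121.151]) by l-daemon
 (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
 with ESMTP id <0H6700F6H7XGN0@l-daemon> for me@domain.com; Tue,
 26 Nov 2002 12:39:17 -0700 (MST)
Received: from doug ([24.84.100.180])
 by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
 with SMTP id <0H67008287UQZO@l-daemon> for me@domain.com; Tue,
 26 Nov 2002 12:39:15 -0700 (MST)
Date: Tue, 26 Nov 2002 11:26:22 -0800
Message-id: <001d01c29581$b8af2100$0501a8c0@vs.shawcable.net>
X-Mailer: Microsoft Outlook Express 5.00.2615.200

"""

HOP_RE = re.compile(r"from\s+(?P<name>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return the Received hops top-down (the hop nearest the recipient first)."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value)).strip()
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group("extra"))
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
        hops.append({
            "name": m.group("name"),              # name the connecting host gave
            "ip": ip.group(1) if ip else None,    # address the receiving MTA saw
            "by": m.group("by"),
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def origin_hop(hops):
    """Walk upward from the earliest Received line and return the first hop whose
    connecting address is globally routable; RFC 1918 addresses below it are the
    ISP's internal relays (SpamCop's parse above discards them the same way)."""
    for hop in reversed(hops):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def local_mta_recorded(hops, local_mta):
    """Only the topmost Received line was written by your own MTA; every line
    below it arrived with the message and could have been forged by the sender."""
    return bool(hops) and hops[0]["by"].lower() == local_mta.lower()


def decode_oe_message_id(message_id):
    """Heuristic: Outlook Express Message-IDs look like <12hex$8hex$8hex@host>,
    and the third field is the sending PC's local IPv4 address, little-endian."""
    m = re.match(r"<[0-9a-f]{12}\$[0-9a-f]{8}\$([0-9a-f]{8})@", message_id, re.I)
    if not m:
        return None
    return str(ipaddress.IPv4Address(bytes(reversed(bytes.fromhex(m.group(1))))))


def clock_skew_seconds(raw_message, hops):
    """Seconds between the sender's own Date: header and the first relay's stamp."""
    sent = parsedate_to_datetime(message_from_string(raw_message)["Date"])
    return int((hops[-1]["time"] - sent).total_seconds())


def report(raw_message, local_mta="server1.host-vault.com"):
    hops = parse_received(raw_message)
    origin = origin_hop(hops)
    msg_id = message_from_string(raw_message)["Message-id"] or ""
    return {
        "top_hop_trusted": local_mta_recorded(hops, local_mta),
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["name"] if origin else None,
        "oe_lan_ip": decode_oe_message_id(msg_id),
        "clock_skew_s": clock_skew_seconds(raw_message, hops),
    }
```

Running `report(RAW_MESSAGE)` gives origin 24.84.100.180 with HELO name "doug", a decoded LAN address of 192.168.1.5 (so the PC sat behind a NAT router; its public address is still 24.84.100.180, which is what the abuse contact needs), and a skew of about 13 minutes between the sender's clock (set to -0800) and Shaw's relay (-0700). The trust argument matters: only the first Received line is your own server's record, and the three below it are believable only because that handoff came from Shaw's outbound relay rather than directly from the 24.84.x.x address.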

mrzippy
11-27-2002, 01:59 AM
Originally posted by Centralized
SC said:

What is "SC"?

El Nino
11-27-2002, 02:15 AM
SC is Spam Cop

akashik
11-27-2002, 03:55 AM
http://www.spamcop.net

Greg Moore

progex
11-27-2002, 04:03 PM
Centralized, where on SC were you able to retrieve that information? :)

sasha
11-27-2002, 04:08 PM
Originally posted by mrzippy

Is it possible to identify anything out of this? What is the hostname/IP of the original sender's machine?

Thanks.

I think the message might be from d.c.@shaw.ca

jolly
11-27-2002, 04:34 PM
http://www.visualware.com/emailtrackerpro/index.html