[ale] Another Email question Reading Headers.

Stephen Cristol stephen at bee.net
Sun Jun 25 14:35:08 EDT 2006


On Jun 24, 2006, at 3:24 PM, H. A. Story wrote:

> Looking at this header from an email I just got.
>
> Delivered-To: adrin at haswes.homelinux.org
> Received: from localhost (localhost [127.0.0.1])
> 	by PC002.haswes.homelinux.org (Postfix) with ESMTP id CF04F176D12
> 	for <adrin at localhost>; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
> Received: from mail.bellsouth.net [205.152.59.17]
> 	by localhost with POP3 (fetchmail-6.2.5.2)
> 	for adrin at localhost (single-drop); Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
> Received: from ibm15aec.bellsouth.net ([208.141.108.121])
>           by imf02aec.mail.bellsouth.net with ESMTP
>           id <20060624152806.LDLP2126.imf02aec.mail.bellsouth.net at ibm15aec.bellsouth.net>;
>           Sat, 24 Jun 2006 11:28:06 -0400

Here's where the nugget of useful information is. This is BellSouth's  
server time stamping a message it received from  
ibm15aec.bellsouth.net [208.141.108.121]. You can believe this is  
BellSouth, because in the line before, your box said it got a message  
from BellSouth and [205.152.59.17] actually is a BellSouth mailserver  
(at least to casual inspection):

   sc$ host 205.152.59.17
   17.59.152.205.in-addr.arpa domain name pointer mail01.mail.bellsouth.net.

As I understand things, the name "ibm15aec.bellsouth.net" comes from
the HELO (or EHLO) statement sent to the SMTP server by the sender.
These self-identifications receive no scrutiny, and the SMTP standard
says that any hostname is allowed. To keep some accountability in the
system, most SMTP servers will add the IP address of the host from
which they received the message. So, you can discover that
[208.141.108.121] is actually part of tranquility.net:

   sc$ host 208.141.108.121
   121.108.141.208.in-addr.arpa domain name pointer so-gw.tranquility.net.

At this point, you know all you can know with any degree of  
certainty. Anything after this line was added by an untrusted host  
and can be a complete work of fiction.

HTH,
S


> Received: from soaserver3.architecture.local ([208.141.108.121])
>           by ibm15aec.bellsouth.net with ESMTP
>           id <20060624152803.SXCX22161.ibm15aec.bellsouth.net at soaserver3.architecture.local>;
>           Sat, 24 Jun 2006 11:28:03 -0400
> Received: from hci1 ([68.33.211.140]) by  
> soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
> 	 Sat, 24 Jun 2006 10:28:01 -0500
> From: "PayPal"<aw-confirms at paypal.com>
>
> Granted I am running fetchmail, so I know where the first 2
> "Received" came from. But the next 3 throw me a little.
> The 3rd one must be a BellSouth server that received the email. So
> the last two must be the account where the email came from
> or was relayed from??? The last looking like an Exchange server????
> The last Received being a Comcast domain and number 4 being
> another domain that isn't BellSouth. Now if they are blocking port
> 25???? How does this email get around that???? And the To: only
> shows undisclosed-recipients.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
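Stephen's rule (trust each Received line only as far as the receiving server is vouched for by the hop above it, then stop at the first sender whose recorded IP does not reverse-resolve into a known relay) can be mechanised. The parser below is an added example, not code from either poster; the Received chain is the one quoted in the thread with message ids dropped, and the PTR table is a constructed stand-in for reverse DNS holding only the two lookups shown above.

```python
import re
from typing import List, NamedTuple, Optional

# helo: name the sender announced (unverified); ip: address the receiver saw; by: writer of the line
Hop = NamedTuple("Hop", [("helo", str), ("ip", Optional[str]), ("by", str)])

# Constructed sample: the chain quoted in the thread, newest hop first, message ids omitted.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
 by PC002.haswes.homelinux.org (Postfix) with ESMTP id CF04F176D12
 for <adrin@localhost>; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
Received: from mail.bellsouth.net [205.152.59.17]
 by localhost with POP3 (fetchmail-6.2.5.2)
 for adrin@localhost (single-drop); Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
Received: from ibm15aec.bellsouth.net ([208.141.108.121])
 by imf02aec.mail.bellsouth.net with ESMTP; Sat, 24 Jun 2006 11:28:06 -0400
Received: from soaserver3.architecture.local ([208.141.108.121])
 by ibm15aec.bellsouth.net with ESMTP; Sat, 24 Jun 2006 11:28:03 -0400
Received: from hci1 ([68.33.211.140]) by
 soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
 Sat, 24 Jun 2006 10:28:01 -0500
"""
# Constructed stand-in for reverse DNS, holding only the two lookups shown in the post.
PTR = {"205.152.59.17": "mail01.mail.bellsouth.net",
       "208.141.108.121": "so-gw.tranquility.net"}
HOP_RE = re.compile(r"^Received:\s*from\s+(?P<helo>\S+)"
                    r"(?:\s*\(?[^\[]*\[(?P<ip>[\d.]+)\]\)?)?\s+by\s+(?P<by>\S+)", re.I)

def parse_received(headers: str) -> List[Hop]:
    """Unfold continuation lines, then pull (helo, ip, by) out of every Received: line."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(m["helo"], m["ip"], m["by"]))
    return hops

def believable_hops(hops, own_hosts, provider_suffixes, ptr) -> int:
    """Count the leading hops that can be believed. The host that wrote hop i is the one
    hop i-1 saw, so hop i is trusted only if hop i-1 is trusted and the IP it logged has
    a PTR inside a provider we trust (or hop i was written by our own machine)."""
    n = 0
    for i, hop in enumerate(hops):
        if hop.by.lower() not in own_hosts:
            name = ptr(hops[i - 1].ip) if i and hops[i - 1].ip else None
            if name is None or not name.endswith(tuple(provider_suffixes)):
                break  # this hop and everything older was added by an untrusted host
        n += 1
    return n
```

On the sample chain the count stops at 3, so the last address you can believe is the 208.141.108.121 logged by BellSouth; the "ibm15aec.bellsouth.net" line and the two beneath it are exactly the part Stephen calls unverifiable.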