[ale] Another Email question Reading Headers.
Stephen Cristol
stephen at bee.net
Sun Jun 25 14:35:08 EDT 2006
On Jun 24, 2006, at 3:24 PM, H. A. Story wrote:
> Looking at this header from an email I just got.
>
> Delivered-To: adrin at haswes.homelinux.org
> Received: from localhost (localhost [127.0.0.1])
> by PC002.haswes.homelinux.org (Postfix) with ESMTP id CF04F176D12
> for <adrin at localhost>; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
> Received: from mail.bellsouth.net [205.152.59.17]
> by localhost with POP3 (fetchmail-6.2.5.2)
> for adrin at localhost (single-drop); Sat, 24 Jun 2006 11:31:11 -0400
> (EDT)
> Received: from ibm15aec.bellsouth.net ([208.141.108.121])
> by imf02aec.mail.bellsouth.net with ESMTP
> id
> <20060624152806.LDLP2126.imf02aec.mail.bellsouth.net at ibm15aec.bellsouth.net>;
> Sat, 24 Jun 2006 11:28:06 -0400
Here's where the nugget of useful information is. This is BellSouth's
server time stamping a message it received from
ibm15aec.bellsouth.net [208.141.108.121]. You can believe this is
BellSouth, because in the line before, your box said it got a message
from BellSouth and [205.152.59.17] actually is a BellSouth mailserver
(at least to casual inspection):
sc$ host 205.152.59.17
17.59.152.205.in-addr.arpa domain name pointer mail01.mail.bellsouth.net.
As I understand things, the name "ibm15aec.bellsouth.net" comes from
the HELO (or EHLO) statement sent to the SMTP server by the sender.
These self-identifications receive no scrutiny, and the SMTP standard
says that any hostname is allowed. To keep some accountability in the
system, most SMTP servers will add the IP address of the host from
which they received the message. So, you can discover that
[208.141.108.121] is actually part of tranquility.net:
sc$ host 208.141.108.121
121.108.141.208.in-addr.arpa domain name pointer so-gw.tranquility.net.
At this point, you know all you can know with any degree of
certainty. Anything after this line was added by an untrusted host
and can be a complete work of fiction.
HTH,
S
> Received: from soaserver3.architecture.local ([208.141.108.121])
> by ibm15aec.bellsouth.net with ESMTP
> id
> <20060624152803.SXCX22161.ibm15aec.bellsouth.net at soaserver3.architecture.local>;
> Sat, 24 Jun 2006 11:28:03 -0400
> Received: from hci1 ([68.33.211.140]) by
> soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
> Sat, 24 Jun 2006 10:28:01 -0500
> From: "PayPal"<aw-confirms at paypal.com>
>
> Granted I am running fetchmail. So I know where the first 2
> "Received" came from. But the next 3 throw me a little.
> The 3rd one must be a bellsouth server that received the email. So
> the last two must be the account where the email came from
> or was relayed from??? The last looking like an exchange server????
> the last receive being a comcast domain and number 4 being
> another domain that isn't bellsouth. Now if they are blocking port
> 25???? How does this email get around that???? And the to: only
> shows undisclosed-recipients.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
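The walk Stephen describes, written out as an added example (not code from the thread): parse the Received chain from the top, trust the lines your own box wrote, use the IP your box recorded to verify who the next server really was, and stop at the first line whose author cannot be vouched for. The header block is transcribed from the quoted message (with the archive's " at " restored to "@"), and the two reverse-DNS answers from the post are embedded as a constructed lookup table so the script runs offline; OWN_HOSTS and the "last two labels" domain heuristic are assumptions.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Constructed sample: the header block quoted in the thread, with " at "
# restored to "@" and continuation lines indented so the parser accepts them.
RAW_MESSAGE = """\
Delivered-To: adrin@haswes.homelinux.org
Received: from localhost (localhost [127.0.0.1])
 by PC002.haswes.homelinux.org (Postfix) with ESMTP id CF04F176D12
 for <adrin@localhost>; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
Received: from mail.bellsouth.net [205.152.59.17]
 by localhost with POP3 (fetchmail-6.2.5.2)
 for adrin@localhost (single-drop); Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
Received: from ibm15aec.bellsouth.net ([208.141.108.121])
 by imf02aec.mail.bellsouth.net with ESMTP
 id <20060624152806.LDLP2126.imf02aec.mail.bellsouth.net@ibm15aec.bellsouth.net>;
 Sat, 24 Jun 2006 11:28:06 -0400
Received: from soaserver3.architecture.local ([208.141.108.121])
 by ibm15aec.bellsouth.net with ESMTP
 id <20060624152803.SXCX22161.ibm15aec.bellsouth.net@soaserver3.architecture.local>;
 Sat, 24 Jun 2006 11:28:03 -0400
Received: from hci1 ([68.33.211.140]) by
 soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
 Sat, 24 Jun 2006 10:28:01 -0500
From: "PayPal"<aw-confirms@paypal.com>
To: undisclosed-recipients:;

"""

# Assumption: these are our own hosts; Received lines they wrote are trusted outright.
OWN_HOSTS = {"pc002.haswes.homelinux.org", "localhost"}

# Constructed reverse-DNS table standing in for the two `host` lookups in the
# post, so the example runs offline. In practice you would query DNS here.
PTR_TABLE = {
    "205.152.59.17": "mail01.mail.bellsouth.net",
    "208.141.108.121": "so-gw.tranquility.net",
}

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

@dataclass
class Hop:
    helo: str           # name the connecting host claimed in HELO/EHLO (unverified)
    ip: Optional[str]   # address the receiving server recorded in brackets
    by: str             # server that wrote this Received line

def parse_received(raw: str) -> List[Hop]:
    """Return the Received chain, newest (top of header) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ip_match = IPV4_RE.search(m.group("rest"))
        hops.append(Hop(m.group("helo"), ip_match.group(1) if ip_match else None, m.group("by")))
    return hops

def registrable(name: str) -> str:
    """Crude organisation domain: last two labels (heuristic, not public-suffix aware)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def last_trusted_index(hops: List[Hop], own_hosts=OWN_HOSTS, ptr=PTR_TABLE) -> int:
    """Index of the last Received line whose author we can vouch for, or -1.

    A hop is trusted if one of our own hosts wrote it, or if the previous
    trusted hop recorded an IP whose reverse name is in the same domain as
    this hop's 'by' server. The first hop that fails, and everything below
    it, was written by a host we cannot verify and may be fiction.
    """
    trusted = -1
    expected = None     # domain the previous trusted hop told us to expect next
    for i, hop in enumerate(hops):
        if hop.by.lower() in own_hosts or (expected and registrable(hop.by) == expected):
            trusted = i
            name = ptr.get(hop.ip)
            expected = registrable(name) if name else None
        else:
            break
    return trusted

def helo_vs_ptr(hop: Hop, ptr=PTR_TABLE):
    """(claimed HELO name, reverse name of the recorded IP), or None if no PTR known."""
    name = ptr.get(hop.ip)
    return (hop.helo, name) if name else None

if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    last = last_trusted_index(hops)
    for i, h in enumerate(hops):
        tag = "trusted" if i <= last else "UNVERIFIED"
        print(f"{i}: by {h.by:32} from {h.helo} [{h.ip}]  {tag}")
    print("last trustworthy hop, HELO claim vs reverse DNS:", helo_vs_ptr(hops[last]))
```

On this input the third line (written by imf02aec.mail.bellsouth.net) is the last one that checks out, and its recorded address reverse-resolves to tranquility.net rather than the bellsouth.net name the sender claimed in HELO, which is exactly where the post says certainty ends. If the reverse lookup for your own box's recorded IP is missing, the walk stops one line earlier, since nothing then links the next server's name to an address you observed.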