[Techtalk] Reading Email headers

Malcolm Tredinnick malcolm at commsecure.com.au
Sun Apr 21 12:26:21 EST 2002


On Sat, Apr 20, 2002 at 09:00:29PM -0500, Jason Guidry wrote:
> Can anyone help me figure out these headers so I can pinpoint what I 
> need to yell at my hosting company about?

It's not too hard to make some progress on these things. There are a
couple of red herrings here (not the least of which is the fact that it
looks like you sent it yourself), but here's my analysis...

First thing: any header line starting with "X-" should not be trusted
without supporting evidence. They are non-standard headers that are not
vital to the delivery process.

> <start message>
> 
>  From - Sat Apr 20 20:40:48 2002
> X-UIDL: 8b5be4b6a82a0200
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Received: by hilcos02 (mbox jason)
>   (with Cubic Circle's cucipop (v1.31 1998/05/13) Sat Apr 20 20:39:20 2002)
> X-From_: sis at hongkong.com Sat Apr 20 19:32:29 2002

Although this is one of those X- headers, the time is worth noting,
because it backs up something from below. It was possibly 19:32:29 when
the mail was sent. Although we don't know whether that is UTC or
localtime, we can guess at localtime, since that would put them at UTC
minus five hours; so in the Central timezone in the USA.

> Received: from mail.itmom.com (mail.itmom.com [64.214.129.197])
> 	by hilcos01.hilconet.com (8.11.6/8.11.6) with SMTP id g3L0W9805514
> 	for <jason at hilconet.com>; Sat, 20 Apr 2002 19:32:12 -0500 (CDT)

Looking at the timestamp here, you are in the same timezone as the
X-From_ line, so you're being targeted by a local. Still believable.

> Received: (qmail 71527 invoked by uid 89); 21 Apr 2002 00:28:14 -0000
> Date: 21 Apr 2002 00:28:14 -0000
> Message-ID: <20020421002814.71526.qmail at mail.itmom.com>
> Delivered-To: jason at gmaestro.org
> Received: (qmail 71520 invoked from network); 21 Apr 2002 00:28:09 -0000
> Received: from unknown (HELO hongkong.com) (202.84.12.154)
>    by mail.itmom.com with SMTP; 21 Apr 2002 00:28:09 -0000
> Received: from Aktf([66.24.19.151]) by hongkong.com(JetMail 2.5.3.0)
> 	with SMTP id jm1043cc264ba; Sun, 21 Apr 2002 00:26:20 -0000

These headers -- the "Received:" ones -- tell you the path the mail has
taken. Every SMTP compliant mailer the message passes through adds a
line saying it received the message from ABCDEF by XYZ (where XYZ is the
machine adding the line), etc. It is possible to chop off "Received:"
headers if you control the mail server the message passes through, but
eventually the mail gets out into the world and the path starts piling
up. Reading these and putting together the links, we see that the mail
has travelled the route:

66.24.19.151 --> hongkong.com --> mail.itmom.com --> hilcos01.hilconet.com

Running 'dig -x 66.24.19.151', we see that it resolves to
syr-66-24-19-151.twcny.rr.com. A bit of playing around with the 'whois'
command reveals that rr.com is registered by Road Runner, so it's
probably a cable modem connection. My poor grasp of US geography lets me
down here (no atlas handy and I can't find what I need on the web), but
the 'twcny' part of the domain name suggests somewhere in New York
state, but that makes the timezone wrong (doesn't it? Are different
parts of NY in different timezones? *shrug*).

Note also that the timestamps are all consistent. The mail was sent
around 19:30 your local time (00:30 UTC).

So, if you want to chase this down, you need to contact the Road Runner
abuse department, give them whatever details you can, including the
originating IP address and the time and date. If they care to follow it
up (not a given :-( ), they should be able to look up who was logged on
to that account at that time.

> From: jason <jason at gmaestro.org>
> To: jason at gmaestro.org
> Subject: Sos!
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary=M4rTJ77P7ArjCa9441gts990W2LB69X
> Content-Length: 138959
> 
> --M4rTJ77P7ArjCa9441gts990W2LB69X
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
> 
> <HTML><HEAD></HEAD><BODY>
> <iframe src=3Dcid:Yzz5x1u46C441sg757O height=3D0 width=3D0>
> </iframe>
> <FONT></FONT></BODY></HTML>
> 
> --M4rTJ77P7ArjCa9441gts990W2LB69X
> Content-Type: audio/x-midi;
> 	name=rocker_john[1].pif
> Content-Transfer-Encoding: base64
> Content-ID: <Yzz5x1u46C441sg757O>

It looks like they're sending you a fairly involved web page (the
text/html part) with music (audio/x-midi) and all. From the portion you
have posted, it's unclear what else is going on, but, as you say, this
is unwanted mail, so the contents make no difference.

Cheers,
Malcolm

-- 
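The following script is an added example, not part of Malcolm's post: it does by machine what the post does by hand, reading the "Received:" lines bottom-up (oldest hop first), pulling out the "from" host/IP and the "by" host of each hop, converting every timestamp to UTC so the clocks can be compared, and printing the route. The sample header block is the quoted chain reassembled (quote markers removed, one "at" written as "@"); the function names, the trusted-host set, and the clock-skew and trust-boundary checks are my own additions, not anything from the thread.

```python
"""Reconstruct a message's delivery path from its Received: headers.

Added example (not from the original post). Only the Received: lines
stamped by servers you operate are reliable; everything earlier in the
chain is as trustworthy as the server that claims to have added it.
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received: chain from the quoted message, with the
# original folding (continuation lines start with whitespace).
SAMPLE_HEADERS = """\
Received: by hilcos02 (mbox jason)
  (with Cubic Circle's cucipop (v1.31 1998/05/13) Sat Apr 20 20:39:20 2002)
Received: from mail.itmom.com (mail.itmom.com [64.214.129.197])
\tby hilcos01.hilconet.com (8.11.6/8.11.6) with SMTP id g3L0W9805514
\tfor <jason@hilconet.com>; Sat, 20 Apr 2002 19:32:12 -0500 (CDT)
Received: (qmail 71527 invoked by uid 89); 21 Apr 2002 00:28:14 -0000
Received: (qmail 71520 invoked from network); 21 Apr 2002 00:28:09 -0000
Received: from unknown (HELO hongkong.com) (202.84.12.154)
   by mail.itmom.com with SMTP; 21 Apr 2002 00:28:09 -0000
Received: from Aktf([66.24.19.151]) by hongkong.com(JetMail 2.5.3.0)
\twith SMTP id jm1043cc264ba; Sun, 21 Apr 2002 00:26:20 -0000
Subject: Sos!

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"\bfrom\s+(.*?)\s+by\s+")
BY_HOST = re.compile(r"\bby\s+([^\s(;]+)")


def parse_received(value):
    """Describe one Received: header value as a hop dict."""
    v = " ".join(value.split())  # unfold continuation lines
    hop = {"from": None, "ip": None, "by": None, "time": None, "raw": v}
    m = FROM_BY.search(v)
    if m:
        from_part = m.group(1)                # "Aktf([66.24.19.151])" etc.
        hop["from"] = from_part.split("(")[0].strip() or None
        ip = IPV4.search(from_part)           # first IPv4 literal, if any
        hop["ip"] = ip.group(1) if ip else None
    m = BY_HOST.search(v)
    if m and not v.startswith("(qmail"):      # qmail's "invoked by uid" is not a host
        hop["by"] = m.group(1)
    if ";" in v:                              # RFC 2822: the date follows the last ';'
        try:
            t = parsedate_to_datetime(v.rsplit(";", 1)[1].strip())
            if t.tzinfo is None:              # "-0000" = unknown zone; treat as UTC
                t = t.replace(tzinfo=timezone.utc)
            hop["time"] = t.astimezone(timezone.utc)
        except (ValueError, TypeError):
            pass
    return hop


def hops_from_message(raw):
    """Hops oldest first: each relay prepends its line, so reverse the list."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def route(hops):
    """Network hops as a host chain, the way the post draws it."""
    path = []
    for h in hops:
        if h["by"] is None or h["from"] is None:   # local queue/POP step
            continue
        if not path:
            path.append(h["ip"] or h["from"])
        path.append(h["by"])
    return path


def clock_skew(hops):
    """Index pairs where a later server stamped an earlier UTC time than the
    hop before it, which points at a forged line or a badly set clock."""
    stamped = [(i, h["time"]) for i, h in enumerate(hops) if h["time"]]
    return [(a, b) for (a, ta), (b, tb) in zip(stamped, stamped[1:]) if tb < ta]


def origin_ip(hops):
    """Earliest source address the whole chain claims (what you would report)."""
    for h in hops:
        if h["ip"]:
            return h["ip"]
    return None


def trust_boundary(hops, trusted_hosts):
    """Address the first server *you* trust took the message from; every hop
    before it rests on other people's headers."""
    for h in hops:
        if h["by"] in trusted_hosts:
            return h["ip"] or h["from"]
    return None


if __name__ == "__main__":
    hops = hops_from_message(SAMPLE_HEADERS)
    for h in hops:
        stamp = h["time"].strftime("%Y-%m-%d %H:%M:%S UTC") if h["time"] else "no date"
        print(f"{stamp:24} from {h['from'] or '-':15} {h['ip'] or '-':16} by {h['by'] or '(local)'}")
    print(" --> ".join(route(hops)))
    print("origin:", origin_ip(hops), "| clock skew:", clock_skew(hops))
    print("handed to our servers from:", trust_boundary(hops, {"hilcos01.hilconet.com", "hilcos02"}))
```

Run it and the route line comes out as 66.24.19.151 --> hongkong.com --> mail.itmom.com --> hilcos01.hilconet.com, with every timestamp non-decreasing once converted to UTC, which is the consistency check the post makes by eye. The trust-boundary call is the part worth keeping in mind when reading someone else's headers: the only line here Jason's provider actually wrote is the one from mail.itmom.com, so the earlier hops are evidence, not proof.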