Help with finding the email sender's original IP address


Jorge Cervantes

I received this email from China. It appears to be from a scammer in
Beijing.
I would like to find the sender's original IP address.
The copy of the internet header for the email message (received in
Outlook07) is as follows.
There are five "received from" lines. I am wondering which one to use to
identify the sender's IP address.
I am using Outlook 2007 and Windows 7. Jorge

***************************

Return-path: <[email protected]>
Envelope-to: aaa@bbbb
Delivery-date: Tue, 20 Apr 2010 22:31:48 -0400
Received: from impinc01.yourhostingaccount.com ([10.1.13.101]
helo=impinc01.yourhostingaccount.com)
by mailscan14.yourhostingaccount.com with esmtp (Exim)
id 1O4PjA-0006US-6Z
for aaaa@bbbb; Tue, 20 Apr 2010 22:31:48 -0400
Received: from mail.idcsea.com ([220.231.142.1])
by impinc01.yourhostingaccount.com with NO UCE
id 82Xk1e03Y0211rQ022XlE7; Tue, 20 Apr 2010 22:31:48 -0400
X-EN-OrigIP: 220.231.142.1
X-EN-IMPSID: 82Xk1e03Y0211rQ022XlE7
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.idcsea.com (EMOS V1.5 (Postfix)) with ESMTP id A7A1628ECBE;
Wed, 21 Apr 2010 10:31:39 +0800 (CST)
X-DSPAM-Result: Whitelisted
X-DSPAM-Processed: Wed Apr 21 10:31:39 2010
X-DSPAM-Confidence: 0.9997
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 1,4bce638b295361083620689
X-Virus-Scanned: amavisd-new at idcsea.com
Received: from mail.idcsea.com ([127.0.0.1])
by localhost (mail.idcsea.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id o7Gu5VkI8d5o; Wed, 21 Apr 2010 10:31:38 +0800 (CST)
Received: from 20100321-1337 (unknown [222.72.137.103])
by mail.idcsea.com (EMOS V1.5 (Postfix)) with ESMTPA id E078328F42F;
Wed, 21 Apr 2010 10:12:53 +0800 (CST)
Reply-To: (e-mail address removed)
From: "abcde"<[email protected]>
To:
Subject:
=?GB2312?B?QW5ub3VuY2VtZW50LVRoZSBicmFuZCChsCBpbnNpdHVzobEgZGlzcHV0ZS4=?=
Date: Wed, 21 Apr 2010 10:14:20 +0800
Message-Id: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_10042110034467168632145_001"
X-Priority: 1
X-Mailer: DreamMail 4.4.1.0
 

VanguardLH

Jorge said:
I would like to find the sender's original IP address.

Received: <last one - at receiving mail host>
from impinc01.yourhostingaccount.com ([10.1.13.101]
by mailscan14.yourhostingaccount.com
Received:
from mail.idcsea.com ([220.231.142.1])
by impinc01.yourhostingaccount.com
Received:
from localhost (localhost.localdomain [127.0.0.1])
by mail.idcsea.com
Received:
from mail.idcsea.com ([127.0.0.1])
by localhost (mail.idcsea.com [127.0.0.1])
Received: <first one - sender or their sending mail host>
from 20100321-1337 (unknown [222.72.137.103])
by mail.idcsea.com

Trace through the Received headers (which get prepended to the headers
section when it passes through a mail host). There was some internal
routing at idcsea.com (see www.dnsstuff.com/tools/whois/?ip=idcsea.com), a
Chinese "group" that uses a Gmail address for contact. Uh huh.

222.72.137.103 (them) --> mail.idcsea.com --> yourhostingaccount.com (you)

222.72.137.103 (www.dnsstuff.com/tools/whois/?ip=222.72.137.103) is
allocated to China-Net, an ISP. So a spammer with an account at China-Net
is sending their crap through a mail server at idcsea.com (and who allows a
blank To header, assuming you didn't blank it out instead of munge it).

So just what are you going to do with the sender's IP address, or knowing
who is their e-mail provider? Sending a spam abuse report to China-Net will
be fruitless since they didn't deliver the spam e-mail. Reporting the abuse
to idcsea.com will also be fruitless because they are a spam-friendly e-mail
provider. You could open a free account at SpamCop to report spam e-mails
but you should be aware the primary purpose of that reporting is to update
their blacklist (which only benefits those that use it in their anti-spam
software). They may send off an abuse report to the sending mail server or
ISP for the sender but don't expect that to have much, if any, effect since
these are spam-friendly ISPs and e-mail providers. Also, SpamCop won't send
abuse reports to targets that are known to ignore them or to ISPs or e-mail
providers that have requested to not get these abuse reports.

Outlook's junk filter might not catch this crap. It is a Bayesian filter (a
statistical guessing scheme) with some known sources for which you get a
monthly update from Microsoft. A month is way too long for identifying
known spam sources and Bayes works best when it is based on YOUR history of
e-mail traffic and not a compendium of other users' experiences. You might
want to look at anti-spam software. Some is free and can utilize the DNSBLs
(DNS blacklists of known spam sources which are dynamically updated, like
SpamHaus and SpamCop). Presumably you already enabled the server-side spam
filter on your mailbox as part of your e-mail account's options.

Have you yet bothered to configure the language option in Outlook to filter
out e-mails using character sets other than those that you can read? I
don't know if this feature will catch ISO-encoded Subject headers (where you
see "Subject: =?....?=") but there's no point in keeping e-mails in your
Inbox that use a language that you cannot decipher. In Outlook 2003 (you
never mentioned WHICH version that you use), go to Actions -> Junk Email ->
Junk Email Options -> International tab: Blocked Encodings button. I
enabled all of them except Central European, Latin 3, Latin 9, US-ASCII, and
Western European. Enable the encodings (languages) that you don't
understand to junk those e-mails that use them.

I don't bother using the Blocked Top-Level Domain List feature since it
merely interrogates the sender's e-mail address to inspect the TLD, like
(e-mail address removed) for a China TLD. Obviously spammers don't use their own true
e-mail address so this blocking would only be useful against senders that
use their real e-mail address and do so consistently - and that wouldn't
include spammers. This feature, like the Blocked Senders list, is worthless
against spam because the spammers change their e-mail address every time
they squeeze out another spew of their turds. Also, I might ask a mobo
maker or computer component manufacturer in China, Taiwan, or another Asian
locale for help, so I obviously want to get those e-mails.
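The bottom-up walk through the Received headers that this answer describes, written out as an added example (it is not code from the thread or from any tool mentioned in it). It re-parses the five Received lines quoted above, reverses them into delivery order, skips the loopback and RFC 1918 hops that are internal relaying, and reports the first routable peer address, which is the 222.72.137.103 hop the answer points at. It also pulls the charset name out of the RFC 2047 encoded Subject, which is the field the "Blocked Encodings" filter would key on. The redacted addresses are replaced with placeholder values, and the message body is omitted; both are assumptions of the example, not data from the page. One caveat for anyone reusing this on other mail: only the Received lines added by your own provider are trustworthy, since the lower ones were written by servers the sender controls and could be forged.

```python
"""Walk Received headers bottom-up to find the originating host (added example)."""
import email
import re
from dataclasses import dataclass
from email.header import decode_header
from ipaddress import ip_address

# Constructed sample message, reassembled from the Received lines quoted in the
# thread; addresses the forum redacted are replaced with placeholder values.
RAW_MESSAGE = """\
Return-path: <sender@placeholder.invalid>
Received: from impinc01.yourhostingaccount.com ([10.1.13.101]
\thelo=impinc01.yourhostingaccount.com)
\tby mailscan14.yourhostingaccount.com with esmtp (Exim)
\tid 1O4PjA-0006US-6Z
\tfor aaaa@bbbb; Tue, 20 Apr 2010 22:31:48 -0400
Received: from mail.idcsea.com ([220.231.142.1])
\tby impinc01.yourhostingaccount.com with NO UCE
\tid 82Xk1e03Y0211rQ022XlE7; Tue, 20 Apr 2010 22:31:48 -0400
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby mail.idcsea.com (EMOS V1.5 (Postfix)) with ESMTP id A7A1628ECBE;
\tWed, 21 Apr 2010 10:31:39 +0800 (CST)
Received: from mail.idcsea.com ([127.0.0.1])
\tby localhost (mail.idcsea.com [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id o7Gu5VkI8d5o; Wed, 21 Apr 2010 10:31:38 +0800 (CST)
Received: from 20100321-1337 (unknown [222.72.137.103])
\tby mail.idcsea.com (EMOS V1.5 (Postfix)) with ESMTPA id E078328F42F;
\tWed, 21 Apr 2010 10:12:53 +0800 (CST)
From: "abcde" <sender@placeholder.invalid>
Subject: =?GB2312?B?QW5ub3VuY2VtZW50LVRoZSBicmFuZCChsCBpbnNpdHVzobEgZGlzcHV0ZS4=?=
Date: Wed, 21 Apr 2010 10:14:20 +0800
MIME-Version: 1.0

(body omitted in this constructed sample)
"""

# "from <name> ... [<ip>] ... by <host>": name is what the peer claimed,
# the bracketed address is what the receiving server actually saw.
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9.]+)\].*?\bby\s+(\S+)", re.S)


@dataclass
class Hop:
    from_host: str  # name the sending side announced (HELO / reverse DNS)
    from_ip: str    # address the receiving server logged for the peer
    by_host: str    # server that wrote this Received line


def parse_hops(raw):
    """Return hops in chronological order (bottom Received header first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append(Hop(*m.groups()))
    hops.reverse()  # each relay prepends, so the last header listed is the first hop
    return hops


def originating_ip(hops):
    """First hop whose peer address is routable; loopback and private hops are
    internal relaying (amavisd on the sending host, the provider's own scanners)."""
    for hop in hops:
        ip = ip_address(hop.from_ip)
        if not (ip.is_loopback or ip.is_private):
            return hop.from_ip
    return None


def delivery_path(hops):
    """Origin address followed by each server that relayed the message."""
    origin = originating_ip(hops)
    path = [origin] if origin else []
    for hop in hops:
        if not ip_address(hop.from_ip).is_loopback:
            path.append(hop.by_host)
    return path


def subject_charset(raw):
    """Charset named by the RFC 2047 encoded-word Subject, plus the decoded text."""
    msg = email.message_from_string(raw)
    text, charset = decode_header(msg["Subject"])[0]
    if isinstance(text, bytes):
        text = text.decode(charset or "ascii", errors="replace")
    return (charset or "ascii").lower(), text


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    print("path:   ", " -> ".join(delivery_path(hops)))
    print("origin: ", originating_ip(hops))
    print("charset:", subject_charset(RAW_MESSAGE)[0])
```

Run as-is it prints the same chain the answer draws by hand, `222.72.137.103 -> mail.idcsea.com -> impinc01.yourhostingaccount.com -> mailscan14.yourhostingaccount.com`, and reports `gb2312` as the Subject encoding. The private 10.1.13.101 hop is kept in the path because it is real routing inside the receiving provider, but it is never a candidate for the origin.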
 

VanguardLH

Jorge said:
I received this email from China. It appears to be from a scammer in
Beijing. I would like to find the sender's original IP address. The copy
of the internet header for the email message (received in Outlook07) is
as follows. There are five "received from" lines. I am wondering which
one to use to identify the sender's IP address. I am using Outlook 2007
and Windows 7. Jorge

http://spamlinks.net/track-trace-headers.htm
 
