Interpreting Email headers

booker@mgt

One of my users asked me to determine where an email originated.

The header is below, but what seems conflicting is that the X originating IP
gives me a reverse lookup to an established citywide ISP, but what am I to
interpret from the bottom Received from header, saying it came from localhost?
(P.S. I changed the domain names for privacy reasons, so don't take the
names at face value.)

Received: from deliverator3.ecc.domain357.dgz (123.345.185.173)
  by aeatlgtrex02.domain125.sfg (123.345.195.46) with Microsoft SMTP Server id 8.1.263.0;
  Wed, 15 Oct 2008 11:32:36 -0400
Received: from deliverator3.ecc.domain357.dgz (localhost [127.0.0.1])
  by localhost (Postfix) with SMTP id 06E1339C102
  for <[email protected]>; Wed, 15 Oct 2008 11:32:35 -0400 (EDT)
Received: from mail8.domain357.dgz (bigip.ecc.domain357.dgz [123.345.185.140])
  by deliverator3.ecc.domain357.dgz (Postfix) with ESMTP id B20D139C0EA
  for <[email protected]>; Wed, 15 Oct 2008 11:32:35 -0400 (EDT)
Received: from mail8.domain357.dgz (localhost [127.0.0.1])
  by mail8.domain357.dgz (Postfix) with ESMTP id 9125E5FF5F
  for <[email protected]>; Wed, 15 Oct 2008 11:32:35 -0400 (EDT)
Date: Wed, 15 Oct 2008 11:32:35 -0400
From: "Jones, Kristina W" <[email protected]>
To: (e-mail address removed)357.dgz
Message-ID: <[email protected]>
Subject: assignment
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [21.98.214.90]
X-Mailer: Zimbra 5.0.8_GA_2462.RHEL4_64 (ZimbraWebClient - IE7
(Win)/5.0.8_GA_2462.RHEL4_64)
X-GT-AVAS-Version: 5.4.1.325704, Antispam-Engine: 2.6.0.325393,
Antispam-Data: 2008.10.15.150726
X-GT-Spam-Details: Internal Mail
X-GT-Spam-Rating: (0%)
Return-Path: (e-mail address removed)

Roady [MVP]

Internal mail or some internal delivery/relay to process a certain function
or the mail server is hosted on a DNS server so the lookup points to itself.

booker@mgt

Thanks

So what, if any, would be the relation between the X-Originating-IP and the
information in that bottom Received-from section?


VanguardLH

booker@mgt said:
One of my users asked me to determine where an email originated.

The header is below, but what seems conflicting is that the X originating IP
gives me a reverse lookup to an established citywide ISP, but what am I to
interpret from the bottom Received from header, saying it came from localhost?
(P.S. I changed the domain names for privacy reasons, so don't take the
names at face value.)

Received:
from deliverator3.ecc.domain357.dgz (123.345.185.173)
by aeatlgtrex02.domain125.sfg (123.345.195.46) ...
Received:
from deliverator3.ecc.domain357.dgz (localhost [127.0.0.1])
by localhost ...
Received:
from mail8.domain357.dgz (bigip.ecc.domain357.dgz [123.345.185.140])
by deliverator3.ecc.domain357.dgz ...
Received:
from mail8.domain357.dgz (localhost [127.0.0.1])
by mail8.domain357.dgz ...

A bunch of internal routing in domain357 which finally gets delivered to
domain125.
X-Originating-IP: [21.98.214.90]

The sender's IP address of their host/router who uses the DoD as their
ISP and is using the domain357 e-mail service. Since you apparently
fouled up the IP addresses along with the IP names, no conflict can be
identified by what you provided. That the first mail host in the chain
of Received headers doesn't bother to identify the sender and instead
shows some internal routing host only means that ESP is not honoring the
RFCs regarding proper Received header construction, not that there is a
conflict.

Based on your hiding of the real domain names and possibly their valid
IP addresses, too, I suspect you are asking about an internally routed
e-mail from one DoD employee to another DoD employee. As such, there
really is no need to identify the sender in a Received header since
management of the users and their identities along with authentication
are controllable within that same organization. For the recipient that
doesn't want to rely on the address book info for the sender within
their own organization, the X-Originating-IP, Return-Path, and From
headers are sufficient. Was Kristina Jones claiming that she never sent
that e-mail to another same-entity employee?

There was no need to alter the domain names. They don't identify the
sender. Just munging or starring out the sender and recipient e-mail
addresses would've been sufficient. Other than telling that I'm a
Comcast user by my IP address (if it showed in a header in my post), you
know nothing else. I hardly suspect that knowing someone's ISP or ESP
(email service provider) divulges any private details about them to
anyone other than their ISP or ESP.
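As an added example (not code from the thread or from either poster), the script below walks the posted header chain the way VanguardLH reads it: Received headers bottom-up, loopback handoffs separated from real network hops, and X-Originating-IP reported as the sending side's claim rather than a verified origin. The recipient address is a placeholder for the one the forum redacted; the IPs are the poster's munged values.

```python
import re
from email import message_from_string

# Headers as posted in the thread (domain names/IPs munged by the poster; the
# recipient address is a placeholder for the one the forum redacted).
RAW_HEADERS = """\
Received: from deliverator3.ecc.domain357.dgz (123.345.185.173) by
 aeatlgtrex02.domain125.sfg (123.345.195.46) with Microsoft SMTP Server id
 8.1.263.0; Wed, 15 Oct 2008 11:32:36 -0400
Received: from deliverator3.ecc.domain357.dgz (localhost [127.0.0.1]) by
 localhost (Postfix) with SMTP id 06E1339C102 for
 <redacted@example.invalid>; Wed, 15 Oct 2008 11:32:35 -0400 (EDT)
Received: from mail8.domain357.dgz (bigip.ecc.domain357.dgz [123.345.185.140]) by
 deliverator3.ecc.domain357.dgz (Postfix) with ESMTP id B20D139C0EA for
 <redacted@example.invalid>; Wed, 15 Oct 2008 11:32:35 -0400 (EDT)
Received: from mail8.domain357.dgz (localhost [127.0.0.1]) by mail8.domain357.dgz
 (Postfix) with ESMTP id 9125E5FF5F for
 <redacted@example.invalid>; Wed, 15 Oct 2008 11:32:35 -0400 (EDT)
X-Originating-IP: [21.98.214.90]
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_hops(msg):
    # Each MTA prepends its Received header, so the bottom one is the first hop.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        info = m.group("info") or ""
        ip = IP_RE.search(info)
        hops.append({"helo": m.group("helo"), "by": m.group("by"),
                     "ip": ip.group(0) if ip else None,
                     "loopback": "localhost" in info.lower() or "[127." in info})
    return hops

def origin_summary(raw):
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    # Loopback hops are same-host handoffs (e.g. a Postfix content-filter pass), not an origin.
    network = [(h["ip"], h["by"]) for h in hops if not h["loopback"]]
    xoip = IP_RE.search(msg.get("X-Originating-IP", ""))
    return {"hops": hops,
            "first_relay": hops[0]["by"] if hops else None,  # first MTA that accepted the mail
            "network_path": network,
            # Set by the submitting webmail (Zimbra here): a sender-side claim the receiver never verified.
            "claimed_client_ip": xoip.group(0) if xoip else None,
            "loopback_hops": sum(h["loopback"] for h in hops)}
```

Calling `origin_summary(RAW_HEADERS)` shows two loopback hops and two network hops, with mail8.domain357.dgz as the first relay and 21.98.214.90 only as the claimed client address.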

Roady [MVP]

See VanguardLH's reply.


booker@mgt

It was just by chance that that IP address went to the DoD; I just made that
IP address up. Even though I mangled the IPs, I only mangled them to the
degree that I changed the first two sections, so that the continuity could
be seen despite the bogus IP addresses.

Thanks for your response.

What threw me off, in trying to determine if the email originated inside
of the 123.345 network, was that the first Received-from said localhost.

So I was not sure if that meant that it originated from that spot (wherever
that was), or if it originated on a computer at the 21.98.214.90 network.
