Erm's I.T. Girl – Zelna Ellis

Don't fear when Zel is near…

SPAM – Trace the sender

I have recently received the following spam letter:

From: Compaq Electronics Promo [mailto:schatan@la.twcbc.com]
Sent: 09 March 2009 02:36 PM
To: info@lotto.org
Subject: Claims Of £950,000,00 Pounds

Your draw has a total value of £950,000,00 GBP which you won. Please acknowledge the receipt of this mail with the details below to :Mr. Jerry Smith,
E-mail:jerry.smith00@btinternet.com
Claims Requirements:
1.Full name:2.Address:3.Age:4.Sex:5.Country:6:Phone No:
Sincerely,
Mrs.Sarah Wood
PROMOTION CO-ORDINATOR

Just looking at this message, one can see it is JUNK!!!

The first step is to gather the information from the Internet headers of the message.

  • In Outlook Express:
    With the message selected (or open), select File, Properties, then activate the second tab page, named Details.
  • In Microsoft Outlook:
    The easiest way is to right-click on the message and select Options or Message Options.
  • In Mozilla Thunderbird:
    Open the message and from the menu select View, Headers, then All.

Now let's look at a part of the header of this e-mail SPAM I recently received:

Delivered-To: xxxxxxx
Received: by xx.xxx.xxx.xx with SMTP id xxxxxxx;
Mon, 9 Mar 2009 05:35:52 -0700 (PDT)
Received: by 10.150.199.16 with SMTP id xxx.xxx.xxxx;
Mon, 09 Mar 2009 05:35:51 -0700 (PDT)
Return-Path:
Received: from hrndva-commlb.mail.rr.com (hrndva-commlb.mail.rr.com [71.74.57.9])
by mx.google.com with ESMTP id xxxxxx;
Mon, 09 Mar 2009 05:35:51 -0700 (PDT)
Received-SPF: neutral (google.com: 71.74.57.9 is neither permitted nor denied by domain of schatan@la.twcbc.com) client-ip=71.74.57.9;
Authentication-Results: mx.google.com; spf=neutral (google.com: 71.74.57.9 is neither permitted nor denied by domain of schatan@la.twcbc.com) smtp.mail=schatan@la.twcbc.com
Received: from rrcs-agw-02.hrndva.rr.com ([24.28.200.152])
by hrndva-comm-mta02.mail.rr.com with ESMTP
id ;
Mon, 9 Mar 2009 12:35:46 +0000
Message-Id:
Received: from unknown (HELO rrcs-out.biz.rr.com) ([172.28.200.143])
by rrcs-agw-02b.hrndva.rr.com with SMTP; 09 Mar 2009 08:35:35 -0400
X-Mailer: Openwave WebEngine, version 2.8.17 (webedge20-101-1107-20041027)
From: Compaq Electronics Promo
Reply-To: jerry.smith11@btinternet.com
To:
Subject: Claims Of =?iso-8859-1?B?ozk1MCwwMDAsMDA=?= Pounds
Date: Mon, 9 Mar 2009 7:35:38 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Find the info
To find the computer the message was originally sent from, look for the Received: line furthest down in the header.
Received: from unknown (HELO rrcs-out.biz.rr.com) ([172.28.200.143])
This first hop is from a computer called unknown with the IP address 172.28.200.143.
From there it was routed to my ISP's server at rrcs-agw-02b.hrndva.rr.com, and so on and so forth until it reached my e-mail server.
The fact that it states unknown already indicates that this could be a virus-generated e-mail.

The next step is to find out who is behind that IP address. Go to a whois site, type in 172.28.200.143 and hit the Search button.

Read the results carefully. If the IP is not in the database, it should send you a link to another database that does contain that IP.

The result: [whois lookup result screenshot]
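As an added example (not part of the original post), the following Python script automates the procedure described above: it unfolds the header, walks the Received: chain from the bottom up, pulls out each hop's address, and flags the caveat a practitioner hits with this particular header. 172.28.200.143 sits in the RFC 1918 private range (172.16.0.0/12), so a public whois lookup cannot say who owns it; the first address a whois database can actually answer for is the next hop, 24.28.200.152, which belongs to the sending ISP's gateway. The script also pulls out the Received-SPF verdict, since "neutral" means the sending domain vouched for nothing. The header text is embedded as a constructed sample (continuation lines re-indented so they parse, redacted fields left as in the post); parse_hops, classify_ip, first_public_hop and spf_result are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample: the Received: chain from the header in the post, in the
# order it appears (topmost = last hop, bottom = first hop). Continuation
# lines are indented here as RFC 5322 folding requires.
SAMPLE_HEADERS = """\
Received: by xx.xxx.xxx.xx with SMTP id xxxxxxx;
 Mon, 9 Mar 2009 05:35:52 -0700 (PDT)
Received: by 10.150.199.16 with SMTP id xxx.xxx.xxxx;
 Mon, 09 Mar 2009 05:35:51 -0700 (PDT)
Received: from hrndva-commlb.mail.rr.com (hrndva-commlb.mail.rr.com [71.74.57.9])
 by mx.google.com with ESMTP id xxxxxx;
 Mon, 09 Mar 2009 05:35:51 -0700 (PDT)
Received-SPF: neutral (google.com: 71.74.57.9 is neither permitted nor denied by domain of schatan@la.twcbc.com) client-ip=71.74.57.9;
Received: from rrcs-agw-02.hrndva.rr.com ([24.28.200.152])
 by hrndva-comm-mta02.mail.rr.com with ESMTP
 id ;
 Mon, 9 Mar 2009 12:35:46 +0000
Received: from unknown (HELO rrcs-out.biz.rr.com) ([172.28.200.143])
 by rrcs-agw-02b.hrndva.rr.com with SMTP; 09 Mar 2009 08:35:35 -0400
X-Mailer: Openwave WebEngine, version 2.8.17 (webedge20-101-1107-20041027)
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)(.*?)\s+by\s+(\S+)", re.I)
BY_RE = re.compile(r"^Received:\s*by\s+(\S+)", re.I)


def unfold(raw):
    """Join folded header lines: a line starting with whitespace continues the previous field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields


def parse_hops(raw):
    """Return the Received: hops as dicts, ordered from the origin outward
    (i.e. the bottom-most Received: line comes first)."""
    hops = []
    for field in unfold(raw):
        m = FROM_RE.match(field)
        if m:
            helo, extra, by = m.group(1), m.group(2), m.group(3)
            ips = IP_RE.findall(extra)
            # The last bracketed address is the one the receiving MTA observed.
            hops.append({"from": helo, "ip": ips[-1] if ips else None, "by": by})
            continue
        m = BY_RE.match(field)
        if m:
            # "Received: by ..." hops record only the receiving host.
            hops.append({"from": None, "ip": None, "by": m.group(1)})
    hops.reverse()
    return hops


def classify_ip(ip):
    """Say whether a public whois lookup can tell you anything about this address."""
    if ip is None:
        return "no address recorded"
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return "private (RFC 1918): internal to the sending network, not in public whois"
    if not addr.is_global:
        return "reserved/special-use: not routable on the Internet"
    return "public: look this up in whois"


def first_public_hop(hops):
    """Walk from the origin outward and return the first hop with a public address."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def spf_result(raw):
    """Extract the verdict from the Received-SPF: field, if present."""
    for field in unfold(raw):
        m = re.match(r"^Received-SPF:\s*(\w+)", field, re.I)
        if m:
            return m.group(1).lower()
    return None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_HEADERS)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']} -> {classify_ip(hop['ip'])}")
    print("first hop you can whois:", first_public_hop(hops))
    print("SPF verdict:", spf_result(SAMPLE_HEADERS))
```

Run it and the first hop comes out as unknown / 172.28.200.143, classified as private, while the first hop worth a whois query is 24.28.200.152. That is the general rule the post's manual procedure relies on: work upward from the bottom Received: line until you reach an address that is actually routable, and treat everything below the first hop added by a server you trust as claims the sender could have forged.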

TAKE NOTE:
Remember email headers cannot be trusted, and not all email can be traced or authenticated. Legitimate mail can be traced, but for SPAM, and virus-generated emails it is difficult to say that the headers are absolutely trustworthy.
DO NOT REPLY TO SPAM!!!

11 March 2009 - Posted by | E-Mails

2 Comments »

  1. But it doesn't wanna work on Gmail????

    Comment by Joe | 21 January 2010 | Reply

    • Log in to gmail.
      Open the message you want to check
      Next to the reply button (top-right of msg) there is a drop-down box, select it, select show original

      Comment by zellis | 21 January 2010 | Reply

