gmail.com in message header
I have some spam containing in the header:
mproxy.gmail.com and/or Message-Id: <{?}@www3.gmail.com> (I replaced the code with {?}). In 'goodmail' I don't find this in the header, only mail.gmail.com and mx.gmail.com. Has this been happening to other people? Is mproxy.gmail.com and Message-Id: <{?}@www3.gmail.com> from gmail, or is this a faked part of the header? |
You need to show us the full header instead of those few sentences. Only the from server will indicate where the mail comes from.
|
you could still protect your username
Show us the full header; you could still xxx out your username.
Trew |
Re: you could still protect your username
Quote:
:D Susan. |
If this is the only Message-ID header in the message, then it probably isn't fake.
As to the "mproxy.gmail.com", that depends on where exactly it appeared in the headers - it may or may not be fake. |
Thanks for the postings.
I did post here the complete raw mail with information between {} changed. However, after this I read the rules of this forum once more and decided to strip it much more. I hope, as this is about gmail.com, it can stay here. I also have other samples (www5.gmail.com). This one does not have the mproxy.gmail.com. I'll try to analyze one with mproxy.gmail.com and perhaps post it after stripping. Are these Message-Ids given by gmail?

=== RAW MAIL SAMPLE 1 ==
X-Gmail-Received: {A_long_header_txt_I_did_not_see_strange_things_in_it}
From: "Muriel Mayberry" {A_Email_ADDRESS}
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031404.i93PvjTw008596@www1.gmail.com>
From: "Muriel Mayberry" <{A_Email_ADDRESS_.COM}>
To: bolden@{MYDOMAIN.COM}, bompane@{MYDOMAIN.COM}, bonilla@{MYDOMAIN.COM}, boswell@{MYDOMAIN.COM}, bowden@{MYDOMAIN.COM}, bower@{MYDOMAIN.COM}
Subject:
Mime-Version: 1.0
Content-Type: text/plain;
{The_message} |
You stripped the important portion. Example header is like this. The important part is in red.
Return-Path: admin@xxx.com
Errors-To: admin@xxx.com
Bounce-To: admin@xxx.com
Reply-To: "XXX" <net@xxx.com>
From: "XXX" <net@xxx.com>
To: "zzz@zzz.com" <zzz@zzz.com>
Delivered-To: zzz@zzzz.com
X-Apparently-From: zzz@zzz.net
Received: (qmail 16309 invoked from network); 22 Oct 2004 14:12:41 -0000
Received: from unknown (HELO mailshell.com) (xx.x.x.xxx) by xxxx.xxx.com with SMTP; 22 Oct 2004 14:12:41 -0000
Received: (qmail 30212 invoked by uid 99); 22 Oct 2004 14:12:42 -0000
Received: (qmail 18852 invoked from network); 22 Oct 2004 14:12:25 -0000
Received: from unknown (HELO omta08.mta.xxxx.xxx) (xxx.xxx.xxx.xx) by mail.xxxx.xxx with SMTP; 22 Oct 2004 14:12:25 -0000
Received: from imta41 (bigip34 [xxx.xxx.xxx.xx]) by omta08.mta.xxxx.xxx (Postfix) with ESMTP id 72CEF4076C for <zzz@xxx.com>; Fri, 22 Oct 2004 06:44:41 -0700 (PDT)
Message-ID: <11873727.1098452681444.JavaMail.root@imta41>
Subject: New Mail
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Precedence: Bulk
X-EON-NOTIFY: 1
Date: Fri, 22 Oct 2004 06:44:41 -0700 (PDT)
X-Apparently-To: xxx
X-JUNK1: 0 |
Here is a less stripped one with mproxy.gmail.com and wproxy.gmail.com.

=== RAW SPAM MESSAGE STARTS BELOW ====
X-Gmail-Received: {LongHEX_NR}
Delivered-To: {GMAIL_ACCOUNT}+{MYDOMAIN.COM}@gmail.com
Received: by {IPnr_K} with SMTP id {SomeNumber}; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: by {IPnr_L} with SMTP id {SomeNumer2}; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Return-Path: <{Some_Email_Addres}>
Received: from omta14.mta.{MAILPROVIDER.DOM} (sitemail.{MAILPROVIDER.DOM} [{IPnr_Z}]) by mx.gmail.com with ESMTP id {SomeNumer4}; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received-SPF: neutral (gmail.com: {IPnr_Z} is neither permitted nor denied by domain of {Some_Email_Addres})
Received: from imta14.mta.{MAILPROVIDER.DOM} (bigip34 [{IPnr_Y}]) by omta14.mta.{MAILPROVIDER.DOM} (Postfix) with ESMTP id {SomeID9}; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: by imta14.mta.{MAILPROVIDER.DOM} (Postfix) id {SomeID8}; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Delivered-To: {MYDOMAIN.COM}@{OTHER_DOMAIN.COM}
Received: from pmta04.mta.{MAILPROVIDER.DOM} (bigiplb-dsnat [{IPnr_Z}]) by imta14.mta.{MAILPROVIDER.DOM} (Postfix) with ESMTP id {SomeHexNR2} for <{MYDOMAIN.COM}@{OTHER_DOMAIN.COM}>; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: from chugmail2.{ANOTHERDOMAIN1.COM} ({IPnr_W} [{IPnr_W}]) by pmta04.mta.{MAILPROVIDER.DOM} (EON-PMTA) with ESMTP id {SomeHexNr3} for <{MYDOMAIN.COM}@{OTHER_DOMAIN.COM}>; Fri, 22 Oct 2004 12:05:46 -0700
Received: from mail.{ANOTHERDOMAIN2.COM} (mws-mail.{ANOTHERDOMAIN1.COM} [{IPnr_M}]) by chugmail2.{ANOTHERDOMAIN1.COM} (Postfix) with ESMTP id {SomeID7}; Fri, 22 Oct 2004 00:40:27 -0600 (MDT)
Received: from dsl-{XX}-{XX}-{XX}-{XX}.access.uk.tiscali.com (unknown [{XX}.{XX}.{XX}.{XX}]) by mail.{ANOTHERDOMAIN2.COM} (Postfix) with SMTP id {SomeHexNr3}; Fri, 22 Oct 2004 00:35:51 -0600 (MDT)
Received: from wproxy.gmail.com ([{IP_G}]:61893 "EHLO mproxy.gmail.com") by avas-mx35.{SomeDomain4} with ESMTP id {SomeID_X}; Sat, 9 Oct 2004 10:36:23 -0300
Received: by mproxy.gmail.com with SMTP id {SomeIDxx} for <xsjTasa58.{SomeDomain5}>; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_F} with SMTP id {SomeNr4}; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_Q} with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031475.i93FwoTw008312@www5.gmail.com>
From: "{A_NAME} " <{Some_Email_Addres}>
To: field@{MYDOMAIN.COM}, fink@{MYDOMAIN.COM}, finn@{MYDOMAIN.COM}, rusba@{MYDOMAIN.COM}, rushing@{MYDOMAIN.COM}, russell_shute@{MYDOMAIN.COM}, rutherford@{MYDOMAIN.COM}, sadler@{MYDOMAIN.COM}
Subject:
Mime-Version: 1.0
Content-Type: text/plain;
{The message}
= = END OF RAWMSG = =

I expect that the line "Received: from dsl-{XX}-{XX}-{XX}-{XX}.access.uk.tiscali.com (unknown [{XX}.{XX}.{XX}.{XX}]) by mail.{ANOTHERDOMAIN2.COM} (Postfix) with SMTP id {SOME_HEX_NR};" is the address of the sender or of the (abused) DSL system used to send this spam? {XX}.{XX}.{XX}.{XX} is a Tiscali IP number. If {IP_G} is really an IP number, it is from a big non-internet company that normally should have nothing to do with spam or email handling. |
Since you stripped them bare of numbers and domains, I have a tough time trying to know which domain received from which domain. But I come to this conclusion: these 2 IPs are the IPs that the spam was sent through. IPnr_Q is probably the workstation IP or the user IP when logged on with the ISP.

Received: by {IPnr_F} with SMTP id {SomeNr4}; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_Q} with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT) |
I just remembered, Gmail has the forwarding feature. If someone set it as a forwarding gateway, mails that pass through will have the gmail names there. So their names will usually be in the middle to indicate gmail.server received from incoming.isp and gmail.server sending out to outgoing.isp.
|
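An added example, not posted by anyone in this thread, of reading a Received chain the way the replies above describe: servers prepend Received: lines, so the bottom one is the hop nearest the sender; the code lists hops oldest first, checks whether the Message-Id host ever acted as a relay, and flags timestamp jumps like the Oct 9 / Oct 22 split in the sample above. Hostnames and IPs in RAW are constructed placeholders; only the Message-Id value is the one quoted in the thread.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample laid out like the thread's: Message-Id names www5.gmail.com, but the
# chain shows a DSL host handing the mail to a relay and on to the recipient's MX.
RAW = """\
Received: from omta14.mta.provider.example (sitemail.provider.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id abc123; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: from mail.corp.example (mws-mail.corp.example [192.0.2.20])
\tby omta14.mta.provider.example (Postfix) with ESMTP id def456; Fri, 22 Oct 2004 00:40:27 -0600 (MDT)
Received: from dsl-7.access.isp.example (unknown [198.51.100.7])
\tby mail.corp.example (Postfix) with SMTP id 0123ABCD; Fri, 22 Oct 2004 00:35:51 -0600 (MDT)
Received: by 198.51.100.99 with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
Message-Id: <200410031475.i93FwoTw008312@www5.gmail.com>
"""

def parse_received(value):
    """Split one Received: value into from-host, by-host, bracketed IP and timestamp."""
    text = " ".join(value.split())                  # unfold continuation lines
    head, _, stamp = text.rpartition(";") if ";" in text else (text, "", "")
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", head)
    plain = re.sub(r"\([^)]*\)", "", head)          # drop comments like (qmail ...)
    frm = re.search(r"\bfrom\s+(\S+)", plain)
    by = re.search(r"\bby\s+(\S+)", plain)
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        when = None
    return {"from": frm and frm.group(1).lower(), "by": by and by.group(1).lower(),
            "ip": ip and ip.group(1), "when": when}

def hop_chain(raw):
    """Received: headers oldest first: servers prepend, so the bottom one is nearest the sender."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def message_id_host_in_chain(raw):
    """True if the host named in Message-Id also shows up as a relay in the chain."""
    m = re.search(r"@([^>\s]+)>", message_from_string(raw).get("Message-Id", ""))
    host = m.group(1).lower() if m else None
    return bool(host) and any(host in (h["from"], h["by"]) for h in hop_chain(raw))

def suspicious_gaps(raw, max_hours=24):
    """Indices of hops whose timestamp runs backwards or jumps more than max_hours."""
    hops, bad = hop_chain(raw), []
    for i in range(1, len(hops)):
        a, b = hops[i - 1]["when"], hops[i]["when"]
        if a and b and not 0 <= (b - a).total_seconds() <= max_hours * 3600:
            bad.append(i)
    return bad
```

For the sample, hop 1 (the DSL host) is flagged because it is dated 13 days after hop 0, and the Message-Id host never appears in the chain.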
jeronimus, send a PM to somebody knowledgeable?
Maybe some of the more knowledgeable of us here could accept that you send a non-stripped version to them in a mutual trust agreement to not reveal anything, if you want to keep things anon. As Killer indicates, one needs to see the flow of it from node to node to get what it is all about.
Maybe it is redirected, which would make it not look as clear as most email headers do. Even I at times, despite knowing almost nothing, get the hang of it, but the one you provided was above my capacity. Trew |
With a trust agreement I mail the full raw message to a limited group of people.
- not reveal anything
- not use the information
- especially not use the information for illegal activities
- conclusions may be posted after anonymization and my permission is given. |
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.