EmailDiscussions.com

Google Gmail Forum: gmail.com in message header (http://www.emaildiscussions.com/showthread.php?t=28559)

jeronimus 22 Oct 2004 11:18 AM

gmail.com in message header
 
I have some spam containing in the header:

mproxy.gmail.com
and/or
Message-Id: <{?}@www3.gmail.com>

(I replaced the code with {?}.)

In "good mail" I don't find this in the header.
Only mail.gmail.com and mx.gmail.com.

Has this been happening to other people?
Are mproxy.gmail.com and Message-Id: <{?}@www3.gmail.com> from Gmail, or is this a faked part of the header?

Killer 22 Oct 2004 11:28 AM

You need to show us the full header instead of those few lines. Only the "from" server will indicate where the mail comes from.

fmnewbee 22 Oct 2004 01:09 PM

you could still protect your username
 
show us the full header, you could still xxx out your username.

Trew

SusanUKF 22 Oct 2004 01:28 PM

Re: you could still protect your username
 
Quote:

Originally posted by fmnewbee
show us the full header, you could still xxx out your username.

Trew

You just need to XXXXXX out any personal information that is not relevant to reading the headers (as Trew has indicated above). That way people can still help you and your privacy is not compromised.

:D Susan.

Daniel S 22 Oct 2004 07:13 PM

If this is the only Message-ID header in the message, then it probably isn't fake.

As to the "mproxy.gmail.com", that depends on where exactly it appeared in the headers - it may or may not be fake.

jeronimus 23 Oct 2004 01:59 AM

Thanks for the postings.

I did post the complete raw mail here,
with information between {} changed.
However, after this I read the rules of this forum once more and decided to strip it much more. I hope that, as this is about gmail.com, it can stay here.

I also have other samples (www5.gmail.com).
This one does not have the mproxy.gmail.com. I'll try to analyze one with mproxy.gmail.com and perhaps post it after stripping.
Are these Message-Ids given by Gmail?

=== RAW MAIL SAMPLE 1 ==
X-Gmail-Received:
{A_long_header_txt_I_did_not_see_strange_things_in_it}
From: "Muriel Mayberry" {A_Email_ADDRESS}
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031404.i93PvjTw008596@www1.gmail.com>
From: "Muriel Mayberry" <{A_Email_ADDRESS_.COM}>
To: bolden@{MYDOMAIN.COM}, bompane@{MYDOMAIN.COM},
bonilla@{MYDOMAIN.COM}, boswell@{MYDOMAIN.COM}, bowden@{MYDOMAIN.COM},
bower@{MYDOMAIN.COM}
Subject:
Mime-Version: 1.0
Content-Type: text/plain;
{The_message}

Killer 23 Oct 2004 10:00 AM

You stripped the important portion. An example header looks like this. The important part is in red.

Return-Path: admin@xxx.com
Errors-To: admin@xxx.com
Bounce-To: admin@xxx.com
Reply-To: "XXX" <net@xxx.com>
From: "XXX" <net@xxx.com>
To: "zzz@zzz.com" <zzz@zzz.com>
Delivered-To: zzz@zzzz.com
X-Apparently-From: zzz@zzz.net

Received: (qmail 16309 invoked from network); 22 Oct 2004 14:12:41 -0000
Received: from unknown (HELO mailshell.com) (xx.x.x.xxx)
by xxxx.xxx.com with SMTP; 22 Oct 2004 14:12:41 -0000
Received: (qmail 30212 invoked by uid 99); 22 Oct 2004 14:12:42 -0000
Received: (qmail 18852 invoked from network); 22 Oct 2004 14:12:25 -0000
Received: from unknown (HELO omta08.mta.xxxx.xxx) (xxx.xxx.xxx.xx)
by mail.xxxx.xxx with SMTP; 22 Oct 2004 14:12:25 -0000
Received: from imta41 (bigip34 [xxx.xxx.xxx.xx])
by omta08.mta.xxxx.xxx (Postfix) with ESMTP id 72CEF4076C
for <zzz@xxx.com>; Fri, 22 Oct 2004 06:44:41 -0700 (PDT)

Message-ID: <11873727.1098452681444.JavaMail.root@imta41>
Subject: New Mail
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Precedence: Bulk
X-EON-NOTIFY: 1
Date: Fri, 22 Oct 2004 06:44:41 -0700 (PDT)
X-Apparently-To: xxx
X-JUNK1: 0

jeronimus 24 Oct 2004 09:45 AM

Here is a less stripped one with mproxy.gmail.com
and wproxy.gmail.com

=== RAW SPAM MESSAGE STARTS BELOW ====

X-Gmail-Received: {LongHEX_NR}
Delivered-To: {GMAIL_ACCOUNT}+{MYDOMAIN.COM}@gmail.com
Received: by {IPnr_K} with SMTP id {SomeNumber};
Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: by {IPnr_L} with SMTP id {SomeNumer2};
Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Return-Path: <{Some_Email_Addres}>
Received: from omta14.mta.{MAILPROVIDER.DOM} (sitemail.{MAILPROVIDER.DOM} [{IPnr_Z}])
by mx.gmail.com with ESMTP id {SomeNumer4};
Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received-SPF: neutral (gmail.com: {IPnr_Z} is neither permitted nor denied by domain of {Some_Email_Addres})
Received: from imta14.mta.{MAILPROVIDER.DOM} (bigip34 [{IPnr_Y}])
by omta14.mta.{MAILPROVIDER.DOM} (Postfix) with ESMTP
id {SomeID9}; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: by imta14.mta.{MAILPROVIDER.DOM} (Postfix)
id {SomeID8}; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Delivered-To: {MYDOMAIN.COM}@{OTHER_DOMAIN.COM}
Received: from pmta04.mta.{MAILPROVIDER.DOM} (bigiplb-dsnat [{IPnr_Z}])
by imta14.mta.{MAILPROVIDER.DOM} (Postfix) with ESMTP id {SomeHexNR2}
for <{MYDOMAIN.COM}@{OTHER_DOMAIN.COM}>; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: from chugmail2.{ANOTHERDOMAIN1.COM} ({IPnr_W} [{IPnr_W}])
by pmta04.mta.{MAILPROVIDER.DOM} (EON-PMTA) with ESMTP id {SomeHexNr3}
for <{MYDOMAIN.COM}@{OTHER_DOMAIN.COM}>; Fri, 22 Oct 2004 12:05:46 -0700
Received: from mail.{ANOTHERDOMAIN2.COM} (mws-mail.{ANOTHERDOMAIN1.COM} [{IPnr_M}])
by chugmail2.{ANOTHERDOMAIN1.COM} (Postfix) with ESMTP id {SomeID7};
Fri, 22 Oct 2004 00:40:27 -0600 (MDT)
Received: from dsl-{XX}-{XX}-{XX}-{XX}.access.uk.tiscali.com (unknown [{XX}.{XX}.{XX}. {XX}]) by mail.{ANOTHERDOMAIN2.COM} (Postfix) with SMTP id {SomeHexNr3};
Fri, 22 Oct 2004 00:35:51 -0600 (MDT)
Received: from wproxy.gmail.com ([{IP_G}]:61893 "EHLO mproxy.gmail.com")
by avas-mx35.{SomeDomain4} with ESMTP id {SomeID_X};
Sat, 9 Oct 2004 10:36:23 -0300
Received: by mproxy.gmail.com with SMTP id {SomeIDxx}
for <xsjTasa58.{SomeDomain5}>; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_F} with SMTP id {SomeNr4};
Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_Q} with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031475.i93FwoTw008312@www5.gmail.com>
From: "{A_NAME} " <{Some_Email_Addres}>
To: field@{MYDOMAIN.COM}, fink@{MYDOMAIN.COM}, finn@{MYDOMAIN.COM},
rusba@{MYDOMAIN.COM}, rushing@{MYDOMAIN.COM},
russell_shute@{MYDOMAIN.COM}, rutherford@{MYDOMAIN.COM},
sadler@{MYDOMAIN.COM}
Subject:
Mime-Version: 1.0
Content-Type: text/plain;

{The message}

= = END OF RAWMSG = =
I expect that the line
Received: from dsl-{XX}-{XX}-{XX}-{XX}.access.uk.tiscali.com (unknown [{XX}.{XX}.{XX}. {XX}]) by mail.{ANOTHERDOMAIN2.COM} (Postfix) with SMTP id {SOME_HEX_NR};
is the address of the sender, or the (abused) DSL system used to send this spam?

{XX}.{XX}.{XX}. {XX} is a Tiscali IP number.

If {IP_G} is really an IP number, it is from a big non-internet company that normally should have nothing to do with spam or email handling.

Killer 24 Oct 2004 12:25 PM

Since you stripped them bare of numbers and domains, I have a tough time trying to know which domain received from which domain. But I come to this conclusion: these 2 IPs are the IPs that the spam was sent through. IPnr_Q is probably the workstation IP or the user IP when logged on with the ISP.

Received: by {IPnr_F} with SMTP id {SomeNr4};
Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_Q} with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)

Killer 24 Oct 2004 12:37 PM

I just remembered, Gmail has the forwarding feature. If someone sets it as a forwarding gateway, mail that passes through will have the Gmail names there. So their names will usually be in the middle, to indicate gmail.server received from incoming.isp and gmail.server sending out to outgoing.isp.
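As an added example (not code from the thread or from anyone posting in it): a small Python script that does what Killer describes, reading the Received: chain from the top, finding the hop where the recipient's own server accepted the mail from an outside host (the "from" server), checking whether hop timestamps run backwards or leave a large gap (as between the 22 Oct and 9 Oct hops in the sample above), and counting headers that should occur only once (Daniel S's point about the Message-ID). The message it parses is constructed for this example with example.* names and RFC 5737 documentation addresses; `example.com` plays the recipient's domain and the duplicated From: line is deliberate.

```python
"""Walk a message's Received: chain top (newest) to bottom (oldest).

Added example, not code from the forum thread. RAW is a message constructed
for this example; hosts use example.* names and RFC 5737 documentation IPs.
"""
import email
import re
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample patterned after the headers posted in the thread:
# example.com is the recipient's domain, the two From: lines are deliberate.
RAW = """\
Delivered-To: user@example.com
Received: by 10.0.0.1 with SMTP id a1;
        Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: from omta14.mta.example.net (sitemail.example.net [198.51.100.5])
        by mx.example.com with ESMTP id b2
        for <user@example.com>; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received-SPF: neutral (example.com: 198.51.100.5 is neither permitted nor denied)
Received: from dsl-203-0-113-7.isp.example (unknown [203.0.113.7])
        by omta14.mta.example.net (Postfix) with SMTP id c3;
        Fri, 22 Oct 2004 00:35:51 -0600 (MDT)
Received: from wproxy.gmail.com ([192.0.2.9]:61893 "EHLO mproxy.gmail.com")
        by avas-mx35.example.org with ESMTP id d4;
        Sat, 9 Oct 2004 10:36:23 -0300
Received: by 10.0.0.2 with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
Message-Id: <200410031475.abc@www5.gmail.com>
From: "Sender" <sender@example.net>
From: "Sender" <sender@example.net>
To: bolden@example.com

message body
"""


def parse_received(value):
    """Split one Received: value into its clauses; absent clauses are None."""
    text = " ".join(value.split())                  # unfold continuation lines
    body, sep, date_part = text.rpartition(";")     # timestamp follows the last ';'
    if not sep:
        body, date_part = text, ""
    comments = " ".join(re.findall(r"\(([^)]*)\)", body))
    stripped = re.sub(r"\([^)]*\)", " ", body)      # keyword clauses sit outside comments

    def clause(kw):
        m = re.search(r"(?:^|\s)%s\s+<?([^\s<>;]+)>?" % kw, stripped)
        return m.group(1) if m else None

    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", comments)
    helo = re.search(r"\b(?:HELO|EHLO)\s+([^\s\"]+)", comments, re.I)
    date = None
    if date_part.strip():
        try:
            date = parsedate_to_datetime(date_part.strip())
            if date.tzinfo is None:                 # "-0000" parses as a naive datetime
                date = date.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            pass                                    # unparseable date: leave None
    return {"from": clause("from"), "helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None, "by": clause("by"),
            "with": clause("with"), "id": clause("id"), "for": clause("for"),
            "date": date}


def received_hops(raw):
    """All Received: headers in header order: index 0 is the newest hop."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def entry_hop(hops, my_domains):
    """First hop (from the top) where one of my servers accepted mail from an
    outside host. Its 'from' host and IP are the only ones I can vouch for;
    every hop below it was written by someone else's machine."""
    def mine(host):
        return bool(host) and any(host == d or host.endswith("." + d) for d in my_domains)
    for hop in hops:
        if mine(hop["by"]) and hop["from"] and not mine(hop["from"]):
            return hop
    return None


def timestamp_anomalies(hops, slack=timedelta(minutes=5), max_gap=timedelta(days=1)):
    """Compare each hop with the one below it (which should be older). Returns
    (upper, lower, kind, delta) when the lower hop is newer by more than
    `slack` ("backwards") or older by more than `max_gap` ("gap")."""
    found = []
    for i in range(len(hops) - 1):
        upper, lower = hops[i]["date"], hops[i + 1]["date"]
        if upper is None or lower is None:
            continue
        delta = upper - lower
        if delta < -slack:
            found.append((i, i + 1, "backwards", delta))
        elif delta > max_gap:
            found.append((i, i + 1, "gap", delta))
    return found


def duplicate_headers(raw, watch=("from", "message-id", "date", "subject")):
    """Headers that RFC 5322 allows once but which appear more than once."""
    counts = Counter(k.lower() for k in email.message_from_string(raw).keys())
    return {k: n for k, n in counts.items() if k in watch and n > 1}


HOPS = received_hops(RAW)

if __name__ == "__main__":
    for i, h in enumerate(HOPS):
        print(i, h["from"], "->", h["by"], h["date"])
    print("entry hop:", entry_hop(HOPS, ("example.com",)))
    print("timestamp anomalies:", timestamp_anomalies(HOPS))
    print("duplicate headers:", duplicate_headers(RAW))
```

Run as a script it prints one line per hop. Only the hop returned by `entry_hop` is one the recipient's own server wrote; the Gmail hops that sit lower in the chain, whether from a forwarding gateway as Killer suggests or from a spammer's own headers, were recorded by other machines and cannot be checked from the recipient's side, which is why the top of the chain matters most.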

fmnewbee 24 Oct 2004 09:36 PM

jeronimus send a pm to somebody knowledgeable?
 
Maybe some of the more knowledgeable of us here could accept that you send a non-stripped version to them under a mutual trust agreement not to reveal anything, if you want to keep things anonymous. As Killer indicates, one needs to see the flow of it from node to node to get what it is all about.

Maybe it is redirected, which would make it not look as clear as most email headers do.

Even I at times, despite knowing almost nothing, get the hang of it, but the one you provided was above my capacity.

Trew

jeronimus 25 Oct 2004 08:23 AM

With a trust agreement I mail the full raw message to a limited group of people:
- not reveal anything
- not use the information
- especially not use the information for illegal activities
- conclusions may be posted after anonymization and my permission is given.

Killer 25 Oct 2004 10:01 AM

Quote:

Originally posted by jeronimus
With a trust agreement I mail the full raw message to a limited group of people:
- not reveal anything
- not use the information
- especially not use the information for illegal activities
- conclusions may be posted after anonymization and my permission is given.

Take note that if you suspect any illegal happenings, you cannot alter the headers in any way. And from those headers of yours, I don't think Gmail has anything to do with it.




Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy