Google Gmail Forum: discussions related to Google's Gmail service should go here: suggestions, tips, comments, requests for help, tech issues etc.
#1
Member
Join Date: Jul 2004
Location: NL
Posts: 73

gmail.com in message header
I have some spam containing in the header: mproxy.gmail.com and/or Message-Id: <{?}@www3.gmail.com> (I replaced the code with {?}). In 'goodmail' I don't find this in the header, only mail.gmail.com and mx.gmail.com. Has this been happening to other people? Are mproxy.gmail.com and Message-Id: <{?}@www3.gmail.com> from Gmail, or is this a faked part of the header?
#2
Intergalactic Postmaster
Join Date: Nov 2000
Location: Singapore
Posts: 6,734
Representative of: Killer.kkk.sg

You need to show us the full header instead of those few sentences. Only the "from" server will indicate where the mail comes from.
#3
Master of the @
Join Date: Aug 2004
Location: Sweden
Posts: 1,135

You could still protect your username
Show us the full header; you could still xxx out your username.
Trew
#4
Intergalactic Postmaster
Join Date: Oct 2003
Location: Canada
Posts: 5,428

Re: You could still protect your username
Quote:
Susan.
#5
Guest
Posts: n/a

If this is the only Message-ID header in the message, then it probably isn't fake.
As to the "mproxy.gmail.com", that depends on where exactly it appeared in the headers; it may or may not be fake.
#6
Member
Join Date: Jul 2004
Location: NL
Posts: 73

Thanks for the postings.
I did post here the complete raw mail with the information between {} changed. However, after this I read the rules of this forum once more and decided to strip it much more. I hope, as this is about gmail.com, it can stay here. I also have other samples (www5.gmail.com). This one does not have the mproxy.gmail.com. I'll try to analyze one with mproxy.gmail.com and perhaps post it after stripping. Are these Message-Ids given by Gmail?

=== RAW MAIL SAMPLE 1 ===
X-Gmail-Received: {A_long_header_txt_I_did_not_see_strange_things_in_it}
From: "Muriel Mayberry" {A_Email_ADDRESS}
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031404.i93PvjTw008596@www1.gmail.com>
From: "Muriel Mayberry" <{A_Email_ADDRESS_.COM}>
To: bolden@{MYDOMAIN.COM}, bompane@{MYDOMAIN.COM}, bonilla@{MYDOMAIN.COM}, boswell@{MYDOMAIN.COM}, bowden@{MYDOMAIN.COM}, bower@{MYDOMAIN.COM}
Subject:
Mime-Version: 1.0
Content-Type: text/plain;
{The_message}

Last edited by jeronimus : 23rd October 2004 at 07:19 AM.
#7
Intergalactic Postmaster
Join Date: Nov 2000
Location: Singapore
Posts: 6,734
Representative of: Killer.kkk.sg

You stripped the important portion. An example header looks like this. The important part is in red.

Return-Path: admin@xxx.com
Errors-To: admin@xxx.com
Bounce-To: admin@xxx.com
Reply-To: "XXX" <net@xxx.com>
From: "XXX" <net@xxx.com>
To: "zzz@zzz.com" <zzz@zzz.com>
Delivered-To: zzz@zzzz.com
X-Apparently-From: zzz@zzz.net
Received: (qmail 16309 invoked from network); 22 Oct 2004 14:12:41 -0000
Received: from unknown (HELO mailshell.com) (xx.x.x.xxx) by xxxx.xxx.com with SMTP; 22 Oct 2004 14:12:41 -0000
Received: (qmail 30212 invoked by uid 99); 22 Oct 2004 14:12:42 -0000
Received: (qmail 18852 invoked from network); 22 Oct 2004 14:12:25 -0000
Received: from unknown (HELO omta08.mta.xxxx.xxx) (xxx.xxx.xxx.xx) by mail.xxxx.xxx with SMTP; 22 Oct 2004 14:12:25 -0000
Received: from imta41 (bigip34 [xxx.xxx.xxx.xx]) by omta08.mta.xxxx.xxx (Postfix) with ESMTP id 72CEF4076C for <zzz@xxx.com>; Fri, 22 Oct 2004 06:44:41 -0700 (PDT)
Message-ID: <11873727.1098452681444.JavaMail.root@imta41>
Subject: New Mail
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Precedence: Bulk
X-EON-NOTIFY: 1
Date: Fri, 22 Oct 2004 06:44:41 -0700 (PDT)
X-Apparently-To: xxx
X-JUNK1: 0
#8
Member
Join Date: Jul 2004
Location: NL
Posts: 73

Here is a less stripped one with mproxy.gmail.com and wproxy.gmail.com.

=== RAW SPAM MESSAGE STARTS BELOW ===
X-Gmail-Received: {LongHEX_NR}
Delivered-To: {GMAIL_ACCOUNT}+{MYDOMAIN.COM}@gmail.com
Received: by {IPnr_K} with SMTP id {SomeNumber}; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: by {IPnr_L} with SMTP id {SomeNumer2}; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Return-Path: <{Some_Email_Addres}>
Received: from omta14.mta.{MAILPROVIDER.DOM} (sitemail.{MAILPROVIDER.DOM} [{IPnr_Z}]) by mx.gmail.com with ESMTP id {SomeNumer4}; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received-SPF: neutral (gmail.com: {IPnr_Z} is neither permitted nor denied by domain of {Some_Email_Addres})
Received: from imta14.mta.{MAILPROVIDER.DOM} (bigip34 [{IPnr_Y}]) by omta14.mta.{MAILPROVIDER.DOM} (Postfix) with ESMTP id {SomeID9}; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: by imta14.mta.{MAILPROVIDER.DOM} (Postfix) id {SomeID8}; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Delivered-To: {MYDOMAIN.COM}@{OTHER_DOMAIN.COM}
Received: from pmta04.mta.{MAILPROVIDER.DOM} (bigiplb-dsnat [{IPnr_Z}]) by imta14.mta.{MAILPROVIDER.DOM} (Postfix) with ESMTP id {SomeHexNR2} for <{MYDOMAIN.COM}@{OTHER_DOMAIN.COM}>; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: from chugmail2.{ANOTHERDOMAIN1.COM} ({IPnr_W} [{IPnr_W}]) by pmta04.mta.{MAILPROVIDER.DOM} (EON-PMTA) with ESMTP id {SomeHexNr3} for <{MYDOMAIN.COM}@{OTHER_DOMAIN.COM}>; Fri, 22 Oct 2004 12:05:46 -0700
Received: from mail.{ANOTHERDOMAIN2.COM} (mws-mail.{ANOTHERDOMAIN1.COM} [{IPnr_M}]) by chugmail2.{ANOTHERDOMAIN1.COM} (Postfix) with ESMTP id {SomeID7}; Fri, 22 Oct 2004 00:40:27 -0600 (MDT)
Received: from dsl-{XX}-{XX}-{XX}-{XX}.access.uk.tiscali.com (unknown [{XX}.{XX}.{XX}.{XX}]) by mail.{ANOTHERDOMAIN2.COM} (Postfix) with SMTP id {SomeHexNr3}; Fri, 22 Oct 2004 00:35:51 -0600 (MDT)
Received: from wproxy.gmail.com ([{IP_G}]:61893 "EHLO mproxy.gmail.com") by avas-mx35.{SomeDomain4} with ESMTP id {SomeID_X}; Sat, 9 Oct 2004 10:36:23 -0300
Received: by mproxy.gmail.com with SMTP id {SomeIDxx} for <xsjTasa58.{SomeDomain5}>; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_F} with SMTP id {SomeNr4}; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_Q} with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031475.i93FwoTw008312@www5.gmail.com>
From: "{A_NAME} " <{Some_Email_Addres}>
To: field@{MYDOMAIN.COM}, fink@{MYDOMAIN.COM}, finn@{MYDOMAIN.COM}, rusba@{MYDOMAIN.COM}, rushing@{MYDOMAIN.COM}, russell_shute@{MYDOMAIN.COM}, rutherford@{MYDOMAIN.COM}, sadler@{MYDOMAIN.COM}
Subject:
Mime-Version: 1.0
Content-Type: text/plain;
{The message}
=== END OF RAW MSG ===

I expect that the line "Received: from dsl-{XX}-{XX}-{XX}-{XX}.access.uk.tiscali.com (unknown [{XX}.{XX}.{XX}.{XX}]) by mail.{ANOTHERDOMAIN2.COM} (Postfix) with SMTP id {SOME_HEX_NR};" is the address of the sender or the (abused) DSL system used to send this spam? {XX}.{XX}.{XX}.{XX} is a Tiscali IP number. If {IP_G} is really an IP number, it is from a big non-internet company that normally should have nothing to do with spam or email handling.
#9
Intergalactic Postmaster
Join Date: Nov 2000
Location: Singapore
Posts: 6,734
Representative of: Killer.kkk.sg

Since you stripped them bare of numbers and domains, I have a tough time trying to know which domain received from which domain. But I come to this conclusion: these 2 IPs are the IPs the spam was sent through. IPnr_Q is probably the workstation IP, or the user's IP when logged on with the ISP.

Received: by {IPnr_F} with SMTP id {SomeNr4}; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_Q} with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
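The two raw samples (posts #6 and #8) and Killer's reading of the chain in #9 can be turned into a small checker. The script below is an added example for this thread, not code from any poster or from Gmail. It walks the Received: lines top-down, reports where a recipient's ability to verify the chain ends (every line below the last trusted relay arrived already written and could have been typed by the sender), flags adjacent hops whose timestamps are days apart (in the #8 sample the hops dated 22 Oct sit directly above hops dated 9 Oct), and compares the leading date digits of a Message-Id with the Date: header (sample 1 reads 20041003... against 9 Oct). The header block inside is constructed: RFC 5737 documentation addresses and example.* names replace the {placeholders}, while hop order and timestamps follow post #8.

```python
import email
import re
from datetime import date, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample modelled on post #8: documentation addresses and example.*
# names stand in for the {placeholders}; hop order and timestamps follow the post.
SAMPLE = """\
Received: from omta14.mta.example.com (sitemail.example.com [203.0.113.14])
    by mx.gmail.com with ESMTP id k9si123; Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: from imta14.mta.example.com (bigip34 [198.51.100.34])
    by omta14.mta.example.com (Postfix) with ESMTP id 1F2A3; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: from mail.example.net (mws-mail.example.net [198.51.100.7])
    by imta14.mta.example.com (Postfix) with ESMTP id 9C0D1; Fri, 22 Oct 2004 00:40:27 -0600 (MDT)
Received: from dsl-192-0-2-55.access.example.co.uk (unknown [192.0.2.55])
    by mail.example.net (Postfix) with SMTP id 77AB2; Fri, 22 Oct 2004 00:35:51 -0600 (MDT)
Received: from wproxy.gmail.com ([192.0.2.200]:61893 "EHLO mproxy.gmail.com")
    by avas-mx35.example.com with ESMTP id 4Z7Q; Sat, 9 Oct 2004 10:36:23 -0300
Received: by mproxy.gmail.com with SMTP id abc123; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by 10.0.0.5 with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031475.i93FwoTw008312@www5.gmail.com>
"""

HOP_RE = re.compile(
    r"(?:from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+)?by\s+(?P<by>\S+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Received: hops top-down (most recent first): claimed 'from' host,
    the IP the receiver saw, the 'by' host, and the receiver's timestamp."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.search(flat)
        ip = IP_RE.search(m.group("info") or "") if m else None
        try:                                      # the date follows the last ';'
            when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            when = None                           # a real relay always writes one
        hops.append({"from": m.group("frm") if m else None,
                     "from_ip": ip.group(1) if ip else None,
                     "by": m.group("by") if m else None, "time": when})
    return hops


def find_gaps(hops, max_gap=timedelta(hours=24), skew=timedelta(minutes=5)):
    """Compare each hop with the one below it.  Relays hand mail on in seconds,
    so a lower hop dated after the one above (beyond clock skew) or a gap of
    days means the lower lines were not written in the normal delivery flow."""
    findings = []
    for i in range(len(hops) - 1):
        upper, lower = hops[i]["time"], hops[i + 1]["time"]
        if upper is None or lower is None:
            continue
        delta = upper - lower
        if delta < -skew:
            findings.append((i, delta, "lower hop dated after the hop above"))
        elif delta > max_gap:
            findings.append((i, delta, "unusually long gap"))
    return findings


def trust_boundary(hops, trusted):
    """Walk down while the receiving ('by') host is one you trust; the last
    such hop's from_ip is the furthest address a recipient can vouch for.
    'trusted' holds lowercase hostnames or '.suffix' entries."""
    last = None
    for hop in hops:
        by = (hop["by"] or "").lower()
        if not any(by == t or (t.startswith(".") and by.endswith(t)) for t in trusted):
            break
        last = hop
    return last


def message_id_date_mismatch(raw):
    """The thread's Message-Ids open with a YYYYMMDD stamp; return
    (stamp_date, header_date) when it disagrees with Date:, else None."""
    msg = email.message_from_string(raw)
    m = re.match(r"<?(\d{4})(\d{2})(\d{2})", (msg.get("Message-Id") or "").strip())
    if not (m and msg.get("Date")):
        return None
    try:
        stamp = date(*map(int, m.groups()))
        header_date = parsedate_to_datetime(msg["Date"]).date()
    except (TypeError, ValueError):
        return None
    return (stamp, header_date) if stamp != header_date else None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    for i, h in enumerate(hops):
        print(f"{i}: by {h['by']} from {h['from']} [{h['from_ip']}] at {h['time']}")
    for i, delta, why in find_gaps(hops):
        print(f"hop {i} -> {i + 1}: {why} ({delta})")
    b = trust_boundary(hops, ("mx.gmail.com", ".mta.example.com"))
    print("last verifiable sender:", b["from"], b["from_ip"], "| Message-Id vs Date:",
          message_id_date_mismatch(SAMPLE))
```

With only `mx.gmail.com` trusted, the boundary stops at the first hop and the only address Gmail itself vouched for is the forwarding provider's relay. Adding that provider's hosts as a `.suffix` entry moves the boundary down to the hop it received from; this is the forwarding situation Killer describes, where a trusted relay sits in the middle of the chain. Everything below the boundary, including the `mproxy.gmail.com` and `by ... with HTTP` lines, is only as reliable as the relay that accepted them.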
#10
Intergalactic Postmaster
Join Date: Nov 2000
Location: Singapore
Posts: 6,734
Representative of: Killer.kkk.sg

I just remembered, Gmail has the forwarding feature. If someone sets it up as a forwarding gateway, mails that pass through will have the Gmail names in them. So their names will usually be in the middle, indicating gmail.server received from incoming.isp and gmail.server sending out to outgoing.isp.
#11
Master of the @
Join Date: Aug 2004
Location: Sweden
Posts: 1,135

jeronimus, send a PM to somebody knowledgeable?
Maybe some of the more knowledgeable of us here could accept that you send a non-stripped version to them, in a mutual trust agreement not to reveal anything, if you want to keep things anonymous. As Killer indicates, one needs to see the flow of it from node to node to get what it is all about.
Maybe it is redirected, which would make it not look as clear as most email headers do. Even I at times, despite knowing almost nothing, get the hang of it, but the one you provided was above my capacity.
Trew
#12
Member
Join Date: Jul 2004
Location: NL
Posts: 73

With a trust agreement I mail the full raw message to a limited group of people:
- not reveal anything
- not use the information
- especially not use the information for illegal activities
- conclusions may be posted after anonymization and once my permission is given.
#13
Intergalactic Postmaster
Join Date: Nov 2000
Location: Singapore
Posts: 6,734
Representative of: Killer.kkk.sg

Quote: