EmailDiscussions.com
Google Gmail Forum
22 Oct 2004, 10:18 AM   #1
jeronimus
gmail.com in message header

I have some spam containing in the header:

mproxy.gmail.com
and/or
Message-Id: <{?}@www3.gmail.com>

(I replaced the code with {?})

In 'good mail' I don't find this in the header.
Only mail.gmail.com and mx.gmail.com

Has this been happening to other people?
Are mproxy.gmail.com and Message-Id: <{?}@www3.gmail.com> from Gmail, or is this a faked part of the header?
22 Oct 2004, 10:28 AM   #2
Killer
You need to show us the full header instead of those few sentences. Only the 'from' server will indicate where the mail comes from.
22 Oct 2004, 12:09 PM   #3
fmnewbee
you could still protect your username

Show us the full header; you could still xxx out your username.

Trew
22 Oct 2004, 12:28 PM   #4
SusanUKF
Re: you could still protect your username

Quote:
Originally posted by fmnewbee
show us the full header, you could still xxx out your username.

Trew
You just need to XXXXXX out any personal information that is not relevant to reading the headers (as Trew has indicated above). That way people can still help you and your privacy is not compromised.

Susan.
22 Oct 2004, 06:13 PM   #5
Daniel S (Guest)
If this is the only Message-ID header in the message, then it probably isn't fake.

As to the "mproxy.gmail.com", that depends on where exactly it appeared in the headers - it may or may not be fake.
23 Oct 2004, 12:59 AM   #6
jeronimus
Thanks for the postings.

I did post the complete raw mail here, with the information between {} changed.
However, after this I read the rules of this forum once more and decided to strip it much more. I hope, as this is about gmail.com, it can stay here.

I also have other samples (www5.gmail.com).
This one does not have the mproxy.gmail.com. I'll try to analyze one with mproxy.gmail.com and perhaps post it after stripping.
Are these Message-Ids given by Gmail?

=== RAW MAIL SAMPLE 1 ==
X-Gmail-Received:
{A_long_header_txt_I_did_not_see_strange_things_in_it}
From: "Muriel Mayberry" {A_Email_ADDRESS}
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031404.i93PvjTw008596@www1.gmail.com>
From: "Muriel Mayberry" <{A_Email_ADDRESS_.COM}>
To: bolden@{MYDOMAIN.COM}, bompane@{MYDOMAIN.COM},
bonilla@{MYDOMAIN.COM}, boswell@{MYDOMAIN.COM}, bowden@{MYDOMAIN.COM},
bower@{MYDOMAIN.COM}
Subject:
Mime-Version: 1.0
Content-Type: text/plain;
{The_message}

Last edited by jeronimus : 23 Oct 2004 at 07:19 AM.
23 Oct 2004, 09:00 AM   #7
Killer
You stripped the important portion. An example header looks like this. The important part is in red (the Received: lines).

Return-Path: admin@xxx.com
Errors-To: admin@xxx.com
Bounce-To: admin@xxx.com
Reply-To: "XXX" <net@xxx.com>
From: "XXX" <net@xxx.com>
To: "zzz@zzz.com" <zzz@zzz.com>
Delivered-To: zzz@zzzz.com
X-Apparently-From: zzz@zzz.net

Received: (qmail 16309 invoked from network); 22 Oct 2004 14:12:41 -0000
Received: from unknown (HELO mailshell.com) (xx.x.x.xxx)
by xxxx.xxx.com with SMTP; 22 Oct 2004 14:12:41 -0000
Received: (qmail 30212 invoked by uid 99); 22 Oct 2004 14:12:42 -0000
Received: (qmail 18852 invoked from network); 22 Oct 2004 14:12:25 -0000
Received: from unknown (HELO omta08.mta.xxxx.xxx) (xxx.xxx.xxx.xx)
by mail.xxxx.xxx with SMTP; 22 Oct 2004 14:12:25 -0000
Received: from imta41 (bigip34 [xxx.xxx.xxx.xx])
by omta08.mta.xxxx.xxx (Postfix) with ESMTP id 72CEF4076C
for <zzz@xxx.com>; Fri, 22 Oct 2004 06:44:41 -0700 (PDT)

Message-ID: <11873727.1098452681444.JavaMail.root@imta41>
Subject: New Mail
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Precedence: Bulk
X-EON-NOTIFY: 1
Date: Fri, 22 Oct 2004 06:44:41 -0700 (PDT)
X-Apparently-To: xxx
X-JUNK1: 0
24 Oct 2004, 08:45 AM   #8
jeronimus
Here is a less stripped one with mproxy.gmail.com
and wproxy.gmail.com

=== RAW SPAM MESSAGE STARTS BELOW ====

X-Gmail-Received: {LongHEX_NR}
Delivered-To: {GMAIL_ACCOUNT}+{MYDOMAIN.COM}@gmail.com
Received: by {IPnr_K} with SMTP id {SomeNumber};
Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: by {IPnr_L} with SMTP id {SomeNumer2};
Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Return-Path: <{Some_Email_Addres}>
Received: from omta14.mta.{MAILPROVIDER.DOM} (sitemail.{MAILPROVIDER.DOM} [{IPnr_Z}])
by mx.gmail.com with ESMTP id {SomeNumer4};
Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received-SPF: neutral (gmail.com: {IPnr_Z} is neither permitted nor denied by domain of {Some_Email_Addres})
Received: from imta14.mta.{MAILPROVIDER.DOM} (bigip34 [{IPnr_Y}])
by omta14.mta.{MAILPROVIDER.DOM} (Postfix) with ESMTP
id {SomeID9}; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: by imta14.mta.{MAILPROVIDER.DOM} (Postfix)
id {SomeID8}; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Delivered-To: {MYDOMAIN.COM}@{OTHER_DOMAIN.COM}
Received: from pmta04.mta.{MAILPROVIDER.DOM} (bigiplb-dsnat [{IPnr_Z}])
by imta14.mta.{MAILPROVIDER.DOM} (Postfix) with ESMTP id {SomeHexNR2}
for <{MYDOMAIN.COM}@{OTHER_DOMAIN.COM}>; Fri, 22 Oct 2004 12:05:46 -0700 (PDT)
Received: from chugmail2.{ANOTHERDOMAIN1.COM} ({IPnr_W} [{IPnr_W}])
by pmta04.mta.{MAILPROVIDER.DOM} (EON-PMTA) with ESMTP id {SomeHexNr3}
for <{MYDOMAIN.COM}@{OTHER_DOMAIN.COM}>; Fri, 22 Oct 2004 12:05:46 -0700
Received: from mail.{ANOTHERDOMAIN2.COM} (mws-mail.{ANOTHERDOMAIN1.COM} [{IPnr_M}])
by chugmail2.{ANOTHERDOMAIN1.COM} (Postfix) with ESMTP id {SomeID7};
Fri, 22 Oct 2004 00:40:27 -0600 (MDT)
Received: from dsl-{XX}-{XX}-{XX}-{XX}.access.uk.tiscali.com (unknown [{XX}.{XX}.{XX}. {XX}]) by mail.{ANOTHERDOMAIN2.COM} (Postfix) with SMTP id {SomeHexNr3};
Fri, 22 Oct 2004 00:35:51 -0600 (MDT)
Received: from wproxy.gmail.com ([{IP_G}]:61893 "EHLO mproxy.gmail.com")
by avas-mx35.{SomeDomain4} with ESMTP id {SomeID_X};
Sat, 9 Oct 2004 10:36:23 -0300
Received: by mproxy.gmail.com with SMTP id {SomeIDxx}
for <xsjTasa58.{SomeDomain5}>; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_F} with SMTP id {SomeNr4};
Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_Q} with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
Date: Sat, 9 Oct 2004 06:36:10 -0700
Message-Id: <200410031475.i93FwoTw008312@www5.gmail.com>
From: "{A_NAME} " <{Some_Email_Addres}>
To: field@{MYDOMAIN.COM}, fink@{MYDOMAIN.COM}, finn@{MYDOMAIN.COM},
rusba@{MYDOMAIN.COM}, rushing@{MYDOMAIN.COM},
russell_shute@{MYDOMAIN.COM}, rutherford@{MYDOMAIN.COM},
sadler@{MYDOMAIN.COM}
Subject:
Mime-Version: 1.0
Content-Type: text/plain;

{The message}

= = END OF RAWMSG = =
I expect that the line
Received: from dsl-{XX}-{XX}-{XX}-{XX}.access.uk.tiscali.com (unknown [{XX}.{XX}.{XX}. {XX}]) by mail.{ANOTHERDOMAIN2.COM} (Postfix) with SMTP id {SOME_HEX_NR}; "
is the address of the sender, or the (abused) DSL system used to send this spam?

{XX}.{XX}.{XX}. {XX} is a Tiscali IP number.

If {IP_G} is really an IP number, it is from a big non-internet company that normally should have nothing to do with spam or email handling.
24 Oct 2004, 11:25 AM   #9
Killer
Since you stripped them bare of numbers and domains, I have a tough time trying to know which domain receives from which domain. But I come to this conclusion: these 2 IPs are the IPs that the spam was sent through. IPnr_Q is probably the workstation IP, or the user IP when logged on with the ISP.

Received: by {IPnr_F} with SMTP id {SomeNr4};
Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by {IPnr_Q} with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
24 Oct 2004, 11:37 AM   #10
Killer
I just remembered, Gmail has a forwarding feature. If someone sets it up as a forwarding gateway, mail that passes through will have the Gmail names in there. So their names will usually be in the middle, indicating gmail.server received from incoming.isp and gmail.server sending out to outgoing.isp.
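Posts #7, #9 and #10 above describe reading the Received: chain from the bottom (oldest hop) upward to find the originating system, and telling a Gmail submission hop apart from Gmail acting as a forwarding gateway in the middle of the chain. The Python script below is an added example and is not code from the thread or from any of its posters. It walks a constructed raw message modelled on the stripped sample in post #8 (RFC 5737 documentation addresses, private addresses and invented hostnames; only the gmail.com names come from the thread), lists the hops oldest-first, flags a HELO name that differs from the connecting host and implausible gaps between hop timestamps, and reports where the gmail.com hops sit in the chain. The 5-minute clock-skew tolerance and the 1-day delay threshold are my assumptions, not anything the thread states.

```python
"""Added example (not the forum posters' code): walk a message's Received:
chain oldest hop first and flag what the thread above looks for."""
import email
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the stripped spam header in post #8: RFC 5737 and
# private addresses, invented hostnames; only the gmail.com names are the thread's.
RAW = b"""Received: by 10.0.0.1 with SMTP id k4mr1;
        Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: from omta14.mta.mailprovider.example (sitemail.mailprovider.example [198.51.100.20])
        by mx.gmail.com with ESMTP id z9si1;
        Fri, 22 Oct 2004 12:05:47 -0700 (PDT)
Received: from dsl-1-2-3-4.access.uk.example.net (unknown [203.0.113.77])
        by mail.mailprovider.example (Postfix) with SMTP id 9A7BC;
        Fri, 22 Oct 2004 00:35:51 -0600 (MDT)
Received: from wproxy.gmail.com ([192.0.2.9]:61893 "EHLO mproxy.gmail.com")
        by avas-mx35.example.net with ESMTP id S1;
        Sat, 9 Oct 2004 10:36:23 -0300
Received: by mproxy.gmail.com with SMTP id 12so3
        for <someone@example.net>; Sat, 09 Oct 2004 06:36:10 -0700 (PDT)
Received: by 10.1.2.3 with HTTP; Sat, 9 Oct 2004 06:36:10 -0700 (PDT)
Message-Id: <200410031475.abc@www5.gmail.com>
From: "Someone" <sender@example.org>

"""
COMMENT = re.compile(r'\([^)]*\)')
IPV4 = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def parse_received(value):
    """Split one Received: value into from/helo/ip/by/with/id/for/date."""
    value = ' '.join(value.split())            # unfold continuation lines
    head, _, date = value.rpartition(';') if ';' in value else (value, '', '')
    hop = dict.fromkeys(('from', 'helo', 'ip', 'by', 'with', 'id', 'for', 'date'))
    m = re.match(r'from\s+(\S+)\s*((?:\([^)]*\)\s*)*)', head)
    if m:                                      # "(rdns [ip])" or '([ip]:port "EHLO name")'
        hop['from'], comments = m.group(1), m.group(2)
        ip = IPV4.search(comments)
        helo = re.search(r'(?:EHLO|HELO)\s+([^\s")]+)', comments)
        hop['ip'] = ip.group(0) if ip else None
        hop['helo'] = helo.group(1) if helo else None
    stripped = COMMENT.sub(' ', head)          # comments out before the clause scan
    for key in ('by', 'with', 'id', 'for'):
        m = re.search(r'(?:^|\s)%s\s+<?([^\s<>]+)' % key, stripped)
        if m:
            hop[key] = m.group(1)
    try:                                       # "(PDT)" comments are not part of the date
        d = parsedate_to_datetime(COMMENT.sub('', date).strip())
        hop['date'] = d if d.tzinfo else d.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        hop['date'] = None
    return hop


def hop_chain(raw):
    """Received: headers are prepended, so the last one is the oldest hop."""
    msg = email.message_from_bytes(raw)
    return [parse_received(v) for v in reversed(msg.get_all('Received', []))]


def audit_chain(chain, skew=timedelta(minutes=5), delay=timedelta(days=1)):
    """Findings worth a second look; the skew and delay tolerances are assumptions."""
    findings = []
    for i, hop in enumerate(chain):
        if hop['from'] is None:                # webmail submission or provider-internal hop
            findings.append(f"hop {i}: no connecting host recorded (by {hop['by']} with {hop['with']})")
        elif hop['helo'] and hop['helo'].lower() != hop['from'].lower():
            findings.append(f"hop {i}: HELO mismatch, {hop['from']} announced itself as {hop['helo']}")
        if i == 0 or chain[i - 1]['date'] is None or hop['date'] is None:
            continue
        gap = hop['date'] - chain[i - 1]['date']
        if gap < -skew:
            findings.append(f"hop {i-1}->{i}: timestamp goes backwards by {-gap}")
        elif gap > delay:
            findings.append(f"hop {i-1}->{i}: {gap.days} day(s) between hops")
    return findings


def relay_roles(chain, domain):
    """Where `domain` sits in the chain: submission, intermediate relay (forwarding) or final delivery."""
    def mine(host):
        return bool(host) and (host.lower() == domain or host.lower().endswith('.' + domain))
    roles = []
    for i, hop in enumerate(chain):
        if not mine(hop['by']):
            continue
        # bare IPs say nothing about the operator, so only named hosts count as foreign
        later_foreign = any(h['by'] and not IPV4.fullmatch(h['by']) and not mine(h['by']) for h in chain[i + 1:])
        earlier_from = any(h['from'] for h in chain[:i])
        role = 'final delivery' if not later_foreign else 'submission' if not earlier_from else 'intermediate relay'
        roles.append((i, hop['by'], role))
    return roles


if __name__ == '__main__':
    chain = hop_chain(RAW)
    print(*audit_chain(chain), *relay_roles(chain, 'gmail.com'), sep='\n')
```

On the sample, hop 0 ("by 10.1.2.3 with HTTP") is the webmail submission Killer points at in post #9, hop 1 (mproxy.gmail.com) is reported as the submission side of Gmail, hop 2 shows the wproxy/mproxy HELO difference from post #8, the 12-day gap before hop 3 marks where the message was stored and re-sent, and mx.gmail.com is reported as final delivery. A Gmail hop with named non-Gmail hosts both before and after it would come out as "intermediate relay", which is the forwarding-gateway case from post #10.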
24 Oct 2004, 08:36 PM   #11
fmnewbee
jeronimus, send a PM to somebody knowledgeable?

Maybe some of the more knowledgeable of us here could accept that you send a non-stripped version to them, under a mutual trust agreement not to reveal anything, if you want to keep things anonymous. As Killer indicates, one needs to see the flow of it from node to node to get what it is all about.

Maybe it is redirected, which would make it not look as clear as most email headers do.

Even I at times, despite knowing almost nothing, get the hang of it, but the one you provided was above my capacity.

Trew
25 Oct 2004, 07:23 AM   #12
jeronimus
With a trust agreement I will mail the full raw message to a limited group of people:
- not reveal anything
- not use the information
- especially not use the information for illegal activities
- conclusions may be posted after anonymization and once my permission is given.
25 Oct 2004, 09:01 AM   #13
Killer
Quote:
Originally posted by jeronimus
With a trust agreement I will mail the full raw message to a limited group of people:
- not reveal anything
- not use the information
- especially not use the information for illegal activities
- conclusions may be posted after anonymization and once my permission is given.
Take note that if you suspect any illegal happenings, you cannot alter the headers in any way. And as for your headers, I don't think Gmail has anything to do with it.
Copyright EmailDiscussions.com 1998-2013. All Rights Reserved.