X-Originating-IP in Spam, Scam and Phishbusters

X-Originating-IP in Spam, Scam and Phishbusters http://www.dslreports.com/forum/r13344299 en Mon, 06 Oct 2008 11:20:47 EDT Mon, 06 Oct 2008 11:20:47 EDT Re: X-Originating-IP http://www.dslreports.com/forum/remark,13398945 Jon_Hanson :

said by JimCarver:

I am currently being scammed by a 419 scammer but i know this and am having some fun with them. There is this in the header "X-Originating-Ip: 194.201.99.237" the received is the same. The funny thing is though that i am having contact with a guy in Nigeria and a one in Amsterdam. They both have the same IP address as above. does this mean they are using the same computer?

As has been said before in this thread, you really can't trust the X-Originating-IP header. I wouldn't put a lot of faith in that information.]]> http://www.dslreports.com/forum/remark,13398945 Fri, 13 May 2005 12:25:13 EDT Re: X-Originating-IP http://www.dslreports.com/forum/remark,13397430 nwrickert :


inetnum:      194.201.99.224 - 194.201.99.239
netname:      HORSDIST02
descr:        Horsham District Council
country:      GB
admin-c:      SF3576-RIPE
tech-c:       MW20016-RIPE
status:       ASSIGNED PA
mnt-by:       AS1849-MNT
remarks:      Please send abuse notification to abuse@uk.uu.net

]]> http://www.dslreports.com/forum/remark,13397430 Fri, 13 May 2005 08:16:54 EDT Re: X-Originating-IP http://www.dslreports.com/forum/remark,13396930 anon : I am currently being scammed by a 419 scammer but i know this and am having some fun with them. There is this in the header "X-Originating-Ip: 194.201.99.237" the received is the same. The funny thing is though that i am having contact with a guy in Nigeria and a one in Amsterdam. They both have the same IP address as above. does this mean they are using the same computer?]]> http://www.dslreports.com/forum/remark,13396930 Fri, 13 May 2005 04:14:49 EDT Re: X-Originating-IP http://www.dslreports.com/forum/remark,13357487 NormanS :

said by joewesh

:

Can I rely on the X-Originating-IP header to be accurate?

Maybe yes, maybe no. In every case where you can trust them, you can also trust the Received line which contains the same IP address. Or, should that be the other way around. Here is an example with three X-Headers, of that type, which can be trusted:


Received: from spooler by aosake.net (Mercury/32 v4.01b); 8 May 2005 00:21:52 -0700
X-Envelope-To: 
Return-path:

Received: from mta807.mail.scd.yahoo.com (66.94.225.147) by aosake.net (Mercury/32 v4.01b) ID MG00018E;
8 May 2005 00:21:48 -0700


X-Yahoo-Forwarded: from ***@pacbell.net to ***@aosake.net
X-Rocket-Track: -40 ; IPCR=n-w0,n100,g0 ; IP=64.4.16.194
Authentication-Results: mta807.mail.scd.yahoo.com
  from=hotmail.com; domainkeys=neutral (no sig)
X-Originating-IP: [64.4.16.194]
Received: from 207.115.57.80  (EHLO ylpvm49.prodigy.net) (207.115.57.80)
  by mta807.mail.scd.yahoo.com with SMTP; Sun, 08 May 2005 00:21:34 -0700
X-Originating-IP: [64.4.16.194]
Received: from hotmail.com (bay22-dav14.bay22.hotmail.com [64.4.16.194])
	by ylpvm49.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j487LXxk016832
	for ; Sun, 8 May 2005 03:21:33 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Sun, 8 May 2005 00:21:33 -0700
Message-ID: 
Received: from 67.116.50.149 by BAY22-DAV14.phx.gbl with DAV;
	Sun, 08 May 2005 07:21:32 +0000
X-Originating-IP: [67.116.50.149]
X-Originating-Email: [***@hotmail.com]
X-Sender: ***@hotmail.com
From: "***"

The MSN Hotmail server, "BAY22-DAV14.phx.gbl" added the first one, way down near the bottom. The SBC server, "ylpvm49.prodigy.net" added the middle one. The Yahoo! server, "mta807.mail.scd.yahoo.com", added the top one.

Spammers are also known to add them. Knowing that MSN Hotmail puts them in for the source IP address of the message received by their WebDAV servers, and that SBC and Yahoo! put them in for the IP address of the source MTA connecting to the MX helps. Better, though, to rely on the Received lines, and start working down from the ones added by your mail system. In the case of these headers, the first trusted Received line is at the very top, where aosake.net reports receiving the message from yahoo.com (in bold typeface).

--
Norman
~A deam, dream, no dream
~Voices of the night go across the forest
~A dream, dream, no dream
~Good night my good child]]> http://www.dslreports.com/forum/remark,13357487 Sun, 08 May 2005 03:41:34 EDT Re: X-Originating-IP http://www.dslreports.com/forum/remark,13344506 Mordy : An X- entry is a comment that a mail program can insert to the headers. It can contain any text, and thus it can be easily made to create a false X-Originating-IP record in the header. I don't trust the X- record information; the Received: header records contain the actual IP addresses, but fake records and false information can be put in the Received: records as well.
--
Facts do not cease to exist because they are ignored - Aldous Huxley]]> http://www.dslreports.com/forum/remark,13344506 Fri, 06 May 2005 11:12:43 EDT Re: X-Originating-IP http://www.dslreports.com/forum/remark,13344436 nwrickert : No, you cannot rely on that.

If you receive the mail from hotmail or yahoo, then the top "X-Originating-IP:" appears to be accurate. But I have seen mail with more than one of these headers, and the ones not added by yahoo or hotmail were forged by the spammer.

The basic principle of examining headers:
•You can trust headers added by your own server (or your ISP server)•If those headers show that the mail was received from a trusted site (a site that you trust), then you can also rely on the headers added by that trusted site.
Be suspicious of anything else.]]> http://www.dslreports.com/forum/remark,13344436 Fri, 06 May 2005 11:05:06 EDT X-Originating-IP http://www.dslreports.com/forum/remark,13344299 joewesh : Can I rely on the X-Originating-IP header to be accurate?]]> http://www.dslreports.com/forum/remark,13344299 Fri, 06 May 2005 10:48:22 EDT