dolphins
Clean Up Our Oceans
Premium Member
join:2001-08-22
Westville, NJ

Need Help with Suspicious Email

I put a few items on my Craigslist account for my mother. I'm suspicious about an interested party because they give no information and only respond with vague, short sentences. The first response I got through my Craigslist anonymous email account was simple and to the point:

hi im interested in the bag....but I don’t know where myhometown is.

I responded and asked where the interested party was from and got this in return:

I am near Mt Holly.....


I became suspicious with the vague response and decided to dig a little. Here's the interested party's email header:

Return-Path: misk0428@aol.com
Received: from imta31.emeryville.ca.mail.comcast.net (LHLO
imta31.emeryville.ca.mail.comcast.net) (76.96.30.41) by
sz0083.wc.mail.comcast.net with LMTP; Thu, 12 Apr 2012 00:02:50 +0000 (UTC)
Received: from imr-da01.mx.aol.com ([205.188.105.143])
by imta31.emeryville.ca.mail.comcast.net with comcast
id wo2o1i00M35fDBh0Xo2oC5; Thu, 12 Apr 2012 00:02:48 +0000
X-CAA-SPAM: 00000
X-Authority-Analysis: v=2.0 cv=Wem7nTdX c=1 sm=1
a=Qwyk3xLgQ4rWInhSuW6wWQ==:17 a=EpAsA7YYuxkA:10 a=gXkYDe4DKR8A:10
a=3u-1L5pIEcoA:10 a=C_IRinGWAAAA:8 a=3oc9M9_CAAAA:8 a=b4KrJKo_AAAA:8
a=YRx74b9B9ovHlEm2Qx4A:9 a=74ijrKqp54ThlXw5bAAA:7 a=QEXdDO2ut3YA:10
a=qAuTySu94MMA:10 a=si9q_4b84H0A:10 a=U8Ie8EnqySEA:10
a=F7KvPPL4w2GVP2DobBoA:9 a=mpq9nenVXhU7WQHxLboA:7 a=tXsnliwV7b4A:10
a=YjL4tMdh51V4VZn46nJgog==:117
Received: from mtaomg-ma02.r1000.mx.aol.com (mtaomg-ma02.r1000.mx.aol.com [172.29.41.9])
by imr-da01.mx.aol.com (8.14.1/8.14.1) with ESMTP id q3C02dMH021225
for MyEmail@MyDomain; Wed, 11 Apr 2012 20:02:39 -0400
Received: from core-msb004c.r1000.mail.aol.com (core-msb004.r1000.mail.aol.com [172.29.233.141])
by mtaomg-ma02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id BE63FE000087
for MyEmail@MyDomain; Wed, 11 Apr 2012 20:02:39 -0400 (EDT)
References:
To: MyEmail@MyDomain
Subject: Re: "Coach" Patent Leather Shoulder Bag - $99
In-Reply-To:
X-MB-Message-Source: WebUI
MIME-Version: 1.0
From: Family Screen
X-MB-Message-Type: User
Content-Type: multipart/alternative;
boundary="--------MB_8CEE656B5D20919_1E90_580D_webmail-m141.sysops.aol.com"
X-Mailer: AOL Webmail 35919-STANDARD
Received: from 68.36.115.15 by webmail-m141.sysops.aol.com (149.174.9.27) with HTTP (WebMailUI); Wed, 11 Apr 2012 20:02:39 -0400
Message-Id:
X-Originating-IP: [68.36.115.15]
Date: Wed, 11 Apr 2012 20:02:39 -0400 (EDT)
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20110426; t=1334188959;
bh=8sUuSJwOH10hJTLl6IKkYiV81I9dTiatB1i5YbDvaZ0=;
h=From:To:Subject:Message-Id:Date:MIME-Version:Content-Type;
b=i10sibf/IozS7qD9UhU+uFjlwAgJAARqRdXxqXyBrbCNYS4ZV0asVqB87MhXV51KQ
ioT7xrd+89wWc5sPybJiyGTL2JAHse1nG67ofiD0PTCHyfyqWZXKmfu8hwkayH1GPl
DHc15LMhM9TX18v94apdWT+O2rjlJEvEviPgaZSs=
X-AOL-SCOLL-SCORE: 0:2:392363104:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d29094f861b9f47bb

I tried looking up IP addresses but I get "bogus DNS" returns.

I did a reverse email look-up and came up with this: »www.pipl.com/search/?q=m ··· oc=&in=5

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

It was sent via AOL Webmail, per the header routing info. I don't get a "bogus DNS" on the "X-Originating-IP" IP address:
C:\Users\User_Name>nslookup 68.36.115.15
Server:  dsldevice.att.net
Address:  192.168.1.254

Name:    c-68-36-115-15.hsd1.nj.comcast.net
Address:  68.36.115.15


Looks like a Comcast user in New Jersey.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

I don't know where Westville is either.

dolphins to NormanS

Wow, I can't believe I missed that! I looked up the IPs under "received from" at the top of the header and missed the lower part.

So why is the reverse email so far off? I've used it several times in the past and it proved accurate.

NormanS

I don't know. Maybe the fact that it is an AOL account is a factor. I signed up for an AOL account from a 'pacbell.net' IP address, fired AT&T and hired Sonic.net, LLC, and am now posting from an interim residence 100 miles from home. I wonder where a reverse email lookup would place me? Well, only one possibly related connection showed up with my lookup. It probably is based on the Internet profile we leave as we surf and sign up for social networking.

BTW, the top 'Received' header is added by your mail service's delivery agent. You have to move down the chain towards the body of the email, though you also need to pay attention to the chaining. Those headers can be forged.
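An added example to go with the advice above about walking the Received chain (editorial code, not posted by anyone in the thread). It takes the header block quoted earlier in the thread, lists the relay hops oldest-first, checks that each hop's "by" host is the next hop's "from" host, pulls out the originating IP, and flags the RFC 1918 addresses that a public DNS lookup can never resolve. One assumption: because the forum paste lost the leading whitespace that marks continuation lines, a new header field is recognised by a `Name:` token at the start of a line rather than by RFC 5322 folding.

```python
"""Walk the Received chain of the header block posted in the thread."""
import ipaddress
import re

# Header block quoted from the thread (Return-Path, the five Received hops,
# From and X-Originating-IP). The recipient address was already anonymised
# as MyEmail@MyDomain by the poster.
RAW_HEADERS = """\
Return-Path: misk0428@aol.com
Received: from imta31.emeryville.ca.mail.comcast.net (LHLO
imta31.emeryville.ca.mail.comcast.net) (76.96.30.41) by
sz0083.wc.mail.comcast.net with LMTP; Thu, 12 Apr 2012 00:02:50 +0000 (UTC)
Received: from imr-da01.mx.aol.com ([205.188.105.143])
by imta31.emeryville.ca.mail.comcast.net with comcast
id wo2o1i00M35fDBh0Xo2oC5; Thu, 12 Apr 2012 00:02:48 +0000
Received: from mtaomg-ma02.r1000.mx.aol.com (mtaomg-ma02.r1000.mx.aol.com [172.29.41.9])
by imr-da01.mx.aol.com (8.14.1/8.14.1) with ESMTP id q3C02dMH021225
for MyEmail@MyDomain; Wed, 11 Apr 2012 20:02:39 -0400
Received: from core-msb004c.r1000.mail.aol.com (core-msb004.r1000.mail.aol.com [172.29.233.141])
by mtaomg-ma02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id BE63FE000087
for MyEmail@MyDomain; Wed, 11 Apr 2012 20:02:39 -0400 (EDT)
From: Family Screen
Received: from 68.36.115.15 by webmail-m141.sysops.aol.com (149.174.9.27) with HTTP (WebMailUI); Wed, 11 Apr 2012 20:02:39 -0400
X-Originating-IP: [68.36.115.15]
"""

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Return (name, value) pairs. Assumption: the paste lost the leading
    whitespace of RFC 5322 continuation lines, so a new field is recognised
    by a 'Name:' token at line start and anything else continues the last."""
    fields = []
    for line in raw.splitlines():
        if HEADER_START.match(line):
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
        elif fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
    return fields


def parse_received(value):
    """Pull the relaying host ('from'), the receiving host ('by'), every
    IPv4 literal and the timestamp after ';' out of one Received value."""
    frm = re.search(r"\bfrom\s+(\S+)", value)
    by = re.search(r"\bby\s+(\S+)", value)
    return {
        "from": frm.group(1) if frm else None,
        "by": by.group(1) if by else None,
        "ips": IPV4.findall(value),
        "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
    }


def hops(fields):
    """Each relay prepends its Received header, so the topmost one is the
    newest; reverse them to read oldest (sender side) first."""
    received = [v for n, v in fields if n.lower() == "received"]
    return [parse_received(v) for v in reversed(received)]


def chain_gaps(hop_list):
    """Indices i where hop i's 'by' host is not hop i+1's 'from' host.
    A gap inside one provider's network is normal; a gap above your own
    provider's border MTA means the headers below it cannot be trusted."""
    return [i for i in range(len(hop_list) - 1)
            if hop_list[i]["by"] != hop_list[i + 1]["from"]]


def originating_ip(fields):
    """Prefer X-Originating-IP; fall back to the innermost Received 'from'."""
    for name, value in fields:
        if name.lower() == "x-originating-ip":
            m = IPV4.search(value)
            if m:
                return m.group(1)
    chain = hops(fields)
    return chain[0]["from"] if chain else None


def private_ips(hop_list):
    """RFC 1918 addresses in the chain: internal relays that public DNS
    cannot resolve, one reason a lookup comes back as 'bogus'."""
    return sorted({ip for h in hop_list for ip in h["ips"]
                   if ipaddress.ip_address(ip).is_private})


if __name__ == "__main__":
    fields = unfold(RAW_HEADERS)
    chain = hops(fields)
    for i, h in enumerate(chain):
        print(f"hop {i}: {h['from']} -> {h['by']}  ips={h['ips']}  at {h['date']}")
    print("chain gaps at:", chain_gaps(chain))
    print("originating IP:", originating_ip(fields))
    print("private relay IPs:", private_ips(chain))
```

Run against this header block, the chain is consistent from the recipient's Comcast MTA back to AOL's border relay; the single break sits between AOL's webmail front end and its internal core, where the 172.29.x.x addresses live, which is exactly where a public DNS lookup has nothing to say. The 68.36.115.15 reported by X-Originating-IP is what AOL recorded about the webmail client, and that is the address worth resolving.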

dolphins

Thanks for the help.

I guess when the reverse email look-up returned a wanna-be gangsta from North Carolina I didn't bother digging any further. Moreover, I get so many phishing emails from Craigslist that I tend to be suspicious of everyone, especially when it's mom's cell phone they will be calling to make the final deal.

Guess it's time to brush up on my 007 skills.