NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
 ·Pacific Bell - SBC
| reply to joewesh
Re: X-Originating-IP
said by joewesh  :Can I rely on the X-Originating-IP header to be accurate? Maybe yes, maybe no. In every case where you can trust them, you can also trust the Received line which contains the same IP address. Or, should that be the other way around. Here is an example with three X-Headers, of that type, which can be trusted:
Received: from spooler by aosake.net (Mercury/32 v4.01b); 8 May 2005 00:21:52 -0700
X-Envelope-To:
Return-path:
Received: from mta807.mail.scd.yahoo.com (66.94.225.147) by aosake.net (Mercury/32 v4.01b) ID MG00018E;
8 May 2005 00:21:48 -0700
X-Yahoo-Forwarded: from ***@pacbell.net to ***@aosake.net
X-Rocket-Track: -40 ; IPCR=n-w0,n100,g0 ; IP=64.4.16.194
Authentication-Results: mta807.mail.scd.yahoo.com
from=hotmail.com; domainkeys=neutral (no sig)
X-Originating-IP: [64.4.16.194]
Received: from 207.115.57.80 (EHLO ylpvm49.prodigy.net) (207.115.57.80)
by mta807.mail.scd.yahoo.com with SMTP; Sun, 08 May 2005 00:21:34 -0700
X-Originating-IP: [64.4.16.194]
Received: from hotmail.com (bay22-dav14.bay22.hotmail.com [64.4.16.194])
by ylpvm49.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j487LXxk016832
for ; Sun, 8 May 2005 03:21:33 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Sun, 8 May 2005 00:21:33 -0700
Message-ID:
Received: from 67.116.50.149 by BAY22-DAV14.phx.gbl with DAV;
Sun, 08 May 2005 07:21:32 +0000
X-Originating-IP: [67.116.50.149]
X-Originating-Email: [***@hotmail.com]
X-Sender: ***@hotmail.com
From: "***"
The MSN Hotmail server, "BAY22-DAV14.phx.gbl" added the first one, way down near the bottom. The SBC server, "ylpvm49.prodigy.net" added the middle one. The Yahoo! server, "mta807.mail.scd.yahoo.com", added the top one.
Spammers are also known to add them. Knowing that MSN Hotmail puts them in for the source IP address of the message received by their WebDAV servers, and that SBC and Yahoo! put them in for the IP address of the source MTA connecting to the MX helps. Better, though, to rely on the Received lines, and start working down from the ones added by your mail system. In the case of these headers, the first trusted Received line is at the very top, where aosake.net reports receiving the message from yahoo.com (in bold typeface).
--
Norman
~A deam, dream, no dream
~Voices of the night go across the forest
~A dream, dream, no dream
~Good night my good child |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T Midwest
|
inetnum: 194.201.99.224 - 194.201.99.239
netname: HORSDIST02
descr: Horsham District Council
country: GB
admin-c: SF3576-RIPE
tech-c: MW20016-RIPE
status: ASSIGNED PA
mnt-by: AS1849-MNT
remarks: Please send abuse notification to abuse@uk.uu.net
|
Jon_Hanson
Mountain Dew Rules
Premium
join:2001-07-09
Gilbert, AZ
| reply to JimCarver
said by JimCarver:
I am currently being scammed by a 419 scammer but i know this and am having some fun with them. There is this in the header "X-Originating-Ip: 194.201.99.237" the received is the same. The funny thing is though that i am having contact with a guy in Nigeria and a one in Amsterdam. They both have the same IP address as above. does this mean they are using the same computer?
As has been said before in this thread, you really can't trust the X-Originating-IP header. I wouldn't put a lot of faith in that information. |
