Re: How to ID origin in email headers?
On Wed, 5 Dec 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <8859813b-18b2-4cff-b9d0-7d81bf9f8c93@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Ohmster wrote:

]I have to reply with google groups, for some reason, my server will
]not accept this post. Says posting, done, waiting on confirmation
]forever and it never goes up to Usenet.

I don't see it here either. Lessee, you were unhappy with the comcast
(giganews) server for some reason.

http://www.codecutters.org/spam/smtpheaders.html
http://www.stopspam.org/email/headers.html

]The codecutters site does not come up but stopspam does. Thanks Moe.

OK - I'll strike them off the list.

IP address-to-country mapping is notoriously inaccurate.

]The headers are too long to paste into a post, they wrap terribly and
]the servers won't accept them if they are badly wrapped. Here are the
]headers for you to see:
]http://www.ohmster.com/~ohmster/email/

I also saw the post in comp.mail.sendmail

]I tried checking them with this email checker and it appears both
]originate in Nigeria.
]http://www.ip2location.com/emailtracer.aspx

As noted above - "IP address-to-country mapping is notoriously inaccurate"

Looking at the ~ohmster/email web page you listed, here's a quick one

]Received: from imta22.emeryville.ca.mail.comcast.net ([76.96.30.39])

]X-Originating-IP: [76.96.30.39]

You asked about that in comp.mail.sendmail - something weird put on there
by comcast. OK

]Received: from n4.bullet.ukl.yahoo.com ([217.146.182.181])
by IMTA22.emeryville.ca.mail.comcast.net

Comcast claims to have received it from 'Yahoo! Europe'

]Received: from [217.12.4.215] by n4.bullet.ukl.yahoo.com

]Received: from [216.252.122.217] by t2.bullet.ukl.yahoo.com

]Received: from [69.147.65.182] by t2.bullet.sp1.yahoo.com

]Received: from [127.0.0.1] by omp301.mail.sp1.yahoo.com with NNFMP; 05
Dec 2007 10:39:10 -0000

Seems to be bouncing around yahoo servers - I see no obvious reason to
disbelieve this, but "do you trust yahoo?".

]Received: from [196.220.4.134] by web45406.mail.sp1.yahoo.com via HTTP;
Wed, 05 Dec 2007 02:39:10 PST

Yahoo claims to have received this (and the timestamps don't look
completely unreasonable) from IP space owned by Netcom Africa Ltd in
Lagos, and netcomng.com says that the IP is part of a /30 (4 addresses)
that has been sub-assigned to Skye Communications Surulere Lagos. If
you google for the first three words, you hit

Web Results 1 - 10 of about 138 for Skye Communications Surulere.
(0.31 seconds)

Your call.

]This is supposed to come from the Benin Republic, that is in Africa, off
the coast of Nigeria.

No, Benin is the next country to the West of Nigeria - formerly called
Dahomey. It has a coastline of about 60-70 miles, and I'm not aware of
any significant islands off its coast.

]Received: by 10.141.52.7

]Received: by 10.115.23.12

No clue, but context suggests google internal servers. Your call.

]Received: from n8.bullet.mail.tp2.yahoo.com
(n8.bullet.mail.tp2.yahoo.com [203.188.202.89])
by mx.google.com with SMTP id j6si1937378wah.2007.12.03.11.25.26;
Mon, 03 Dec 2007 11:25:35 -0800 (PST)

]Received: from [202.43.196.225] by n8.bullet.mail.tp2.yahoo.com

Those two match up to yahoo blocks in Taiwan.

]Received: from [217.12.4.215] by t2.bullet.tpe.yahoo.com

]Received: from [216.252.122.216] by t2.bullet.ukl.yahoo.com

]Received: from [69.147.65.157] by t1.bullet.sp1.yahoo.com

]Received: from [127.0.0.1] by omp405.mail.sp1.yahoo.com

As above. I'm GUESSING that the 216.252 and 69.147 are not in Sunnyvale
where 'whois' identifies them, as that is about 11000 feet as the crow
flies from google in Mountain View, and there wouldn't be a very good
reason to route the packets half way around the world instead of just
following the perimeter fence around Moffett Field.

]Received: from [41.223.24.125] by web44913.mail.sp1.yahoo.com via HTTP;
Mon, 03 Dec 2007 11:25:17 PST

41.223.24.0/22 is a block allocated to "Best Communications Ltd" in
Lagos, Nigeria. Hitting google again, I see

Web Results 1 - 10 of about 406 for "Best Communications Ltd". (0.29
seconds)

Your call.

Comment: I don't know Lagos that well (haven't been there since the mid
1970s) but this doesn't smell ANYTHING like freshly caught seafood.

Old guy
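As an added illustration (not part of the original post or either poster's code): walking a Received: chain the way the reply above does, bottom hop first, skipping loopback and private addresses, and marking where your own mail system's stamps stop. The headers are constructed, modelled on the ones quoted above; "comcast.net" is assumed to be the reader's own provider.

```python
import ipaddress
import re

# Constructed sample, modelled on the Received: lines quoted in the post.
# Top line is the last hop (recipient's MTA); bottom line is the first hop.
SAMPLE_HEADERS = """\
Received: from n4.bullet.ukl.yahoo.com ([217.146.182.181]) by IMTA22.emeryville.ca.mail.comcast.net
Received: from [217.12.4.215] by n4.bullet.ukl.yahoo.com with NNFMP
Received: from [216.252.122.217] by t2.bullet.ukl.yahoo.com with NNFMP
Received: from [69.147.65.182] by t2.bullet.sp1.yahoo.com with NNFMP
Received: from [127.0.0.1] by omp301.mail.sp1.yahoo.com with NNFMP; 05 Dec 2007 10:39:10 -0000
Received: from [196.220.4.134] by web45406.mail.sp1.yahoo.com via HTTP; Wed, 05 Dec 2007 02:39:10 PST
"""

HOP_RE = re.compile(r"^Received:\s+from\s+(?P<from>.+?)\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hops(headers):
    """One dict per Received: line, in header order (last hop first)."""
    hops = []
    for line in headers.splitlines():
        m = HOP_RE.match(line)
        if m:
            ip = IP_RE.search(m.group("from"))
            hops.append({"from": m.group("from"), "by": m.group("by").lower(),
                         "ip": ip.group(0) if ip else None})
    return hops


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved)


def trust_boundary(hops, my_domain):
    """Index of the first hop stamped by your own mail system (assumed domain).
    Every hop below it was written by someone else and is only as honest as they are."""
    for i, hop in enumerate(hops):
        if hop["by"].endswith(my_domain.lower()):
            return i
    return None


def claimed_origin(hops):
    """Walk upward from the earliest hop; return the first public IP seen.
    127.0.0.1 and RFC 1918 addresses say nothing about where the mail came from."""
    for hop in reversed(hops):
        if hop["ip"] and is_public(hop["ip"]):
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_HEADERS)
    print("origin claimed by earliest hop:", claimed_origin(hops))
    print("hops written by your own provider:", trust_boundary(hops, "comcast.net") + 1, "of", len(hops))
```

The claimed origin is only what the web server that accepted the HTTP session wrote down; a geolocation lookup on it carries the same caveat the post gives about country mapping.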