PPRuNe Forums, Computer/Internet Issues & Troubleshooting

Gleaning info from an email header
#1, 7th Dec 2007, 07:57 (Thread Starter)

I run a group using Yahoo to host it. We seem to have a member who is sending abusive mails direct to other members in reply to posts he does not like.

He falsifies the email header as best he can, but can't remove some of the info - the key bit of which is as follows (edited slightly):

Received: from ***.demon.co.uk ([80.***.***.202] helo=rooter)
by anchor-post-36.mail.demon.net with smtp (Exim 4.67)
id 1IzZzj-00008z-Lb
for **************@btinternet.com; Tue, 04 Dec 2007 15:47:36 +0000
From: <i_am_stupid@****.com>

Demon agree that the Demon ID and the static IP address tally. I've since had a mail from the Demon account holder claiming that he is the landlord of a house with four using the broadband connection, and that he does not know who is the abuser.

However, I believe that the "helo=rooter" is unique to a single PC, as that seems to be the case on my home network.

Can PPruners advise, please.
-- airborne_artist
#2, 7th Dec 2007, 08:18
Have looked at emails from 3 machines on my network and each displays "helo=moutng.kundenserver.de" which would seem to be a relay in the transmission path.

In each case the sending machine's name does appear in the header as one of the "Received: from ......." entries.

e.g.

Received: from MYMACHINE (INTERNETMACHINENAME [IP.ADD.RE.SS])
-- osbo
#3, 7th Dec 2007, 09:22
You're basically right - the sending machine has identified itself as "rooter", and if that was my home network I would work to identify that machine, since I would feel responsible. If it's an open wireless network at that guy's house, a neighbour could be piggybacking on it, which is why wireless security is a Good Thing.

The name "rooter" is a bit "script kiddie", someone aspiring to be a hot-shot hacker. Or a Strayelian?
-- bnt
#4, 7th Dec 2007, 10:33
AA,

You could try a google on "reading email headers".

You will find some excellent articles!
-- Saab Dastard
#5, 7th Dec 2007, 23:31
I'm not at all sure that helo= is definitive.

I just looked at a batch of test messages I sent when trying to sort out a domain and router problem here.

Here's the last (i.e. first in sequence) line of the routing of a message from my laptop to the desktop, both on the same network:

Received: from [192.168.8.10] (unknown [87.127.*.*])
by mail.ukfsn.org (Postfix) with ESMTP id 86BE2DF20A
for <keef@******.***>; Sat, 1 Dec 2007 21:17:40 +0000

192.168.8.10 is the laptop's DHCP address from the router.
87.127.*.* is my static IP address at UKFSN.
There's no helo= anywhere in the headers.

Here, in contrast, is the first routing line of one sent from my laptop when up in the Norfolk cottage, before that had a router and network:

Received: from [192.168.227.20] (helo=penitentiary.servers.plus.net)

An imaginative helo= (totally unaltered by me), innit! That's Plusnet's server ID, not my machine's ID, so the helo= isn't meaningful. The 192.168.227.20 is from a prehistoric ADSL modem I was using then.

And here's one sent from the cottage after the router was installed:

Received: from [87.113.69.49] (helo=[192.168.3.10])
by ptb-relay02.plus.net with esmtp (Exim) id 1HmeuN-0008Tf-Dm; Sat, 12 May 2007 00:52:23 +0100

That helo= is the laptop's DHCP address on the Norfolk router. (It uses 192.168.3.x because it often connects via VPN to the Essex machine with its 192.168.8.x addresses, whereupon Norfolk becomes 192.168.8.5x.)

I would conclude that the helo= isn't reliable as an indication of which PC sent the message - but that the DHCP address is.
If there isn't a DHCP address on the originator, then I wonder if there is a local area network involved. If there isn't, then I'd suspect there aren't four separate PCs on that broadband connection, either.

Hope that helps, and that it's clear enough.
-- Keef
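Added example, written for this edit and not code posted by anyone in the thread: a small Python parser for the Received: lines quoted above in their two layouts (Exim at demon.net and plus.net, Postfix at ukfsn.org). It separates what the receiving relay observed for itself (the connecting IP in square brackets, and the reverse-DNS name where the relay looked one up) from what the sending client merely announced (the helo= name), which is the distinction Keef's three examples turn on. The sample headers are reconstructed from the posts with the masking left exactly as posted; the field names, the "scope" labels and the notes are this example's own, and the regular expressions only cover the two layouts shown.

```python
"""Split Received: headers into relay-observed and client-claimed fields.

Two layouts appear in the thread:
  Exim    (demon.net, plus.net): from rdns ([ip] helo=name)  or  from [ip] (helo=name)
  Postfix (ukfsn.org):           from helo-name (rdns-or-unknown [ip])
The bracketed IP and the reverse-DNS name are written by the receiving relay;
the HELO/EHLO name is whatever the connecting client chose to send.
"""
import ipaddress
import re

EXIM_RE = re.compile(
    r"^from\s+(?:"
    r"(?P<rdns>[^\s(\[]+)\s+\(\[(?P<ip1>[^\]]+)\]\s+helo=(?P<helo1>[^)\s]+)\)"
    r"|\[(?P<ip2>[^\]]+)\]\s+\(helo=(?P<helo2>[^)\s]+)\)"
    r")"
)
POSTFIX_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
)
BY_RE = re.compile(r"\bby\s+(?P<relay>[^\s;]+)")
ID_RE = re.compile(r"\bid\s+(?P<id>[^\s;]+)")


def ip_scope(text):
    """'public', 'private' (RFC 1918, loopback, link-local) or 'unparsed'
    for masked values such as 87.127.*.* and for plain host names."""
    try:
        addr = ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return "unparsed"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private"
    return "public"


def parse_received(header):
    """Return the fields of one (possibly folded) Received: header."""
    body = re.sub(r"\s*\r?\n\s*", " ", header.strip())  # unfold continuation lines
    body = re.sub(r"^Received:\s*", "", body)
    m = EXIM_RE.match(body)
    if m:
        rdns = m.group("rdns")
        ip = m.group("ip1") or m.group("ip2")
        helo = m.group("helo1") or m.group("helo2")
    else:
        m = POSTFIX_RE.match(body)
        if not m:
            raise ValueError("unrecognised Received: clause: " + body[:60])
        rdns = None if m.group("rdns") == "unknown" else m.group("rdns")
        ip, helo = m.group("ip"), m.group("helo")
    by, mid = BY_RE.search(body), ID_RE.search(body)
    notes = []
    if ip_scope(ip) == "private":
        notes.append("observed IP is a LAN address, not an internet-facing one")
    if ip_scope(helo) == "private":
        notes.append("HELO is a LAN address: the client sits behind a shared router/NAT")
    return {
        "observed_ip": ip,        # taken by the relay from the TCP connection
        "observed_ip_scope": ip_scope(ip),
        "rdns": rdns,             # looked up by the relay; None when Postfix says 'unknown'
        "claimed_helo": helo,     # announced by the client; verified by nobody
        "relay": by.group("relay") if by else None,
        "id": mid.group("id") if mid else None,
        "notes": notes,
    }


# Sample headers reconstructed from the posts above; masking left as posted.
SAMPLES = {
    "demon": "Received: from ***.demon.co.uk ([80.***.***.202] helo=rooter)\n"
             "\tby anchor-post-36.mail.demon.net with smtp (Exim 4.67)\n"
             "\tid 1IzZzj-00008z-Lb\n"
             "\tfor **************@btinternet.com; Tue, 04 Dec 2007 15:47:36 +0000",
    "ukfsn": "Received: from [192.168.8.10] (unknown [87.127.*.*])\n"
             "\tby mail.ukfsn.org (Postfix) with ESMTP id 86BE2DF20A\n"
             "\tfor <keef@******.***>; Sat, 1 Dec 2007 21:17:40 +0000",
    "plusnet_modem": "Received: from [192.168.227.20] (helo=penitentiary.servers.plus.net)",
    "plusnet_router": "Received: from [87.113.69.49] (helo=[192.168.3.10])\n"
                      "\tby ptb-relay02.plus.net with esmtp (Exim) id 1HmeuN-0008Tf-Dm; "
                      "Sat, 12 May 2007 00:52:23 +0100",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, parse_received(hdr))
```

Run as a script it prints one dictionary per sample. The point to read off is that in every case the only field the relay itself vouches for is the bracketed IP next to its own name, and where that IP belongs to a shared broadband line it identifies the router, not a PC behind it; the helo= value (rooter, a server name, a private address) is supplied by the client and carries no more weight than the From: line.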