Gleaning info from an email header
 

I run a group using Yahoo to host it. We seem to have a member who is sending abusive mails direct to other members in reply to posts he does not like.

He falsifies the email header as best he can, but can't remove some of the info - the key bit of which is as follows (edited slightly):

Received: from ***.demon.co.uk ([80.***.***.202] helo=rooter)
by anchor-post-36.mail.demon.net with smtp (Exim 4.67)
id 1IzZzj-00008z-Lb
for **************@btinternet.com; Tue, 04 Dec 2007 15:47:36 +0000
From: <i_am_stupid@****.com>

Demon agree that the Demon ID and the static IP address tally. I've since had a mail from the Demon account holder claiming that he is the landlord of a house with four using the broadband connection, and that he does not know who is the abuser.

However, I believe that the "helo=rooter" is unique to a single PC, as that seems to be the case on my home network.

Can PPruners advise, please.

Have looked at emails from 3 machines on my network and each displays "helo=moutng.kundenserver.de" which would seem to be a relay in the transmission path.

In each case the sending machine's name does appear in the header as one of the "Received: from ......." entries.

eg.

Received: from MYMACHINE (INTERNETMACHINENAME [IP.ADD.RE.SS])

You're basically right - the sending machine has identified itself as "rooter", and if that was my home network I would work to identify that machine, since I would feel responsible. If it's an open wireless network at that guy's house, a neighbour could be piggybacking on it, which is why wireless security is a Good Thing.

The name "rooter" is a bit "script kiddie", someone aspiring to be a hot-shot hacker. Or a Strayelian? :rolleyes:

AA,

You could try a google on "reading email headers".

You will find some excellent articles!

I'm not at all sure that helo= is definitive.

I just looked at a batch of test messages I sent when trying to sort out a domain and router problem here.

Here's the last (ie first in sequence) line of the routing of a message from my laptop to the desktop, both on the same network:

192.168.8.10 is the laptop's DHCP address from the router.
87.127.*.* is my static IP address at UKFSN.
There's no helo= anywhere in the headers.

Here, in contrast, is the first routing line of one sent from my laptop when up in the Norfolk cottage, before that had a router and network:

An imaginative helo= (totally unaltered by me) innit! That's Plusnet's server ID, not my machine's ID, so the helo= isn't meaningful. The 192.168.227.20 is from a prehistoric ADSL modem I was using then.

And here's one sent from the cottage after the router was installed:
That helo= is the laptop's DHCP address on the Norfolk router. (It uses 192.168.3.x because it often connects via VPN to the Essex machine with its 192.168.8.x addresses, whereupon Norfolk becomes 192.168.8.5x.)

I would conclude that the helo= isn't reliable as an indication of which PC sent the message - but that the DHCP address is.
If there isn't a DHCP address on the originator, then I wonder if there is a local area network involved. If there isn't, then I'd suspect there aren't four separate PCs on that broadband connection, either.

Hope that helps, and that it's clear enough.