email headers... how to read them.

Discussion in 'NZ Computing' started by Dave - Dave.net.nz, Jun 13, 2005.

  1. Can someone tell me where this came from.
    _____________________________________________________________
    from dave.net.nz (web.synaptic.net.nz [202.150.101.5]) by
    synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419 for
    <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
    (envelope-from )
    _____________________________________________________________


    I mean it looks like it came from my ISP's webserver, to my ISP's
    mailserver, so ummm, does this mean that the webserver is relaying?

    Full headers are as follows if it helps.

    ____________________________
    From - Mon Jun 13 14:03:49 2005
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    Return-Path: <>
    Received: from dave.net.nz (web.synaptic.net.nz [202.150.101.5])
    by synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419
    for <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
    (envelope-from )
    Message-Id: <>
    From:
    To: my_user@my_domain.whatever
    Subject: Email Account Suspension
    Date: Sun, 12 Jun 2005 16:36:51 -0700
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0011_AEDF79CB.F8FB90F5"
    X-Priority: 3
    X-MSMail-Priority: Normal
    _____________________________
    Dave - Dave.net.nz, Jun 13, 2005
    #1
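    The only trustworthy parts of a Received: line are the ones the receiving mail server wrote itself: the bracketed peer IP, its reverse DNS name and the "by" host. The HELO name ("from dave.net.nz") and the envelope sender are whatever the connecting client claimed. The following Python script is an added example, not code from anyone in this thread; it parses the headers quoted above (the mbox "From -" and X-Mozilla-Status lines are dropped) into hops, takes the earliest hop as the injection point, and lists the things a mail admin would check: a HELO name that does not match reverse DNS, empty Return-Path:/Message-Id:/From: values, and how far the sender-supplied Date: is from the first server timestamp. The regex assumes sendmail-style Received: formatting and the wording of the findings is mine.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed input: the headers quoted in the post above, with the mbox
# "From -" line and the client-side X-Mozilla-Status lines dropped. The
# empty Return-Path:, Message-Id: and From: values are exactly as received.
RAW_HEADERS = """\
Return-Path: <>
Received: from dave.net.nz (web.synaptic.net.nz [202.150.101.5])
 by synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419
 for <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
 (envelope-from )
Message-Id: <>
From:
To: my_user@my_domain.whatever
Subject: Email Account Suspension
Date: Sun, 12 Jun 2005 16:36:51 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0011_AEDF79CB.F8FB90F5"
X-Priority: 3
X-MSMail-Priority: Normal

"""

# A sendmail-style Received: clause, once unfolded onto one line (assumption:
# other MTAs vary the layout and would need their own pattern):
#   from <HELO name> (<reverse DNS> [<peer IP>]) by <receiving host>
#   ... id <queue id> ... ; <timestamp> (<comments>)
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:.*?\s+id\s+(?P<id>\S+))?"
    r".*?;\s*(?P<date>[^()]+)"
)


def parse_received(value):
    """Split one Received: header into its hop fields; None if unparseable."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = m.groupdict()
    hop["date"] = hop["date"].strip()
    hop["when"] = parsedate_to_datetime(hop["date"])
    return hop


def parent_domain(name):
    """web.synaptic.net.nz -> synaptic.net.nz (drop the host label)."""
    labels = name.strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else name


def analyse(raw):
    """Return hops in transit order (earliest first) plus the observations a
    mail admin would check before blaming the machine named in From:."""
    msg = message_from_string(raw)
    # MTAs prepend Received: as the mail travels, so the last one in the
    # header block is the earliest hop, i.e. where the message entered.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    findings = []
    if not hops:
        return {"hops": hops, "findings": ["no parseable Received: header"],
                "skew_seconds": None}

    first = hops[0]
    # The HELO name and envelope sender are claimed by the connecting client;
    # only the bracketed IP, its reverse DNS and the "by" host were written
    # down by the receiving MTA, so those are the parts worth trusting.
    findings.append(f"entered at {first['by']} from {first['ip']} "
                    f"({first['rdns']}) claiming HELO {first['helo']}")
    if len(hops) == 1:
        findings.append("single hop: no upstream relay recorded, so the message "
                        f"was injected on {first['rdns']} itself")
    if first["helo"] != first["rdns"] and \
            not first["helo"].endswith(parent_domain(first["rdns"])):
        findings.append(f"HELO {first['helo']} does not match reverse DNS "
                        f"{first['rdns']}")

    # Null envelope sender and empty identity headers: normal for bounces,
    # not for a notice that wants the reader to act on it.
    for name in ("Return-Path", "Message-Id", "From"):
        if (msg.get(name) or "").strip() in ("", "<>"):
            findings.append(f"{name}: is empty")

    # Date: is set by the sender; compare it with the first MTA timestamp
    # after both are converted to UTC (different zones, same instant here).
    skew = None
    if msg.get("Date"):
        claimed = parsedate_to_datetime(msg["Date"])
        skew = round((first["when"] - claimed).total_seconds())
        findings.append(f"Date: header is {skew:+d}s off the first hop's clock")
    return {"hops": hops, "findings": findings, "skew_seconds": skew}


if __name__ == "__main__":
    for line in analyse(RAW_HEADERS)["findings"]:
        print("-", line)
```

    Run against the quoted headers it reports a single hop received by synaptic.net.nz from 202.150.101.5 with a HELO of dave.net.nz that does not match the reverse DNS web.synaptic.net.nz, three empty identity headers, and a Date: only three seconds off the server's own timestamp (the -0700 zone is just a different way of writing the same moment). Because there is no earlier Received: line, the message was handed to the mail server directly by the web host, which is the question the post asks.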

  2. "Dave - Dave.net.nz" <> wrote:

    >Can someone tell me where this came from.
    >_____________________________________________________________
    >from dave.net.nz (web.synaptic.net.nz [202.150.101.5]) by
    >synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419 for
    ><my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
    >(envelope-from )
    >_____________________________________________________________
    >
    >
    >I mean it looks like it came from my ISPs webserver, to my ISPs
    >mailserver, so ummm, does this mean that the webserver is relaying?
    >
    >Full headers are as follows if it helps.
    >
    >____________________________
    > From - Mon Jun 13 14:03:49 2005
    >X-Mozilla-Status: 0001
    >X-Mozilla-Status2: 00000000
    >Return-Path: <>
    >Received: from dave.net.nz (web.synaptic.net.nz [202.150.101.5])
    > by synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419
    > for <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
    > (envelope-from )
    >Message-Id: <>
    >From:
    >To: my_user@my_domain.whatever
    >Subject: Email Account Suspension
    >Date: Sun, 12 Jun 2005 16:36:51 -0700
    >MIME-Version: 1.0
    >Content-Type: multipart/mixed;
    > boundary="----=_NextPart_000_0011_AEDF79CB.F8FB90F5"
    >X-Priority: 3
    >X-MSMail-Priority: Normal
    >_____________________________


    That looks like the phishing email that has been sent out allegedly
    from Xtra over the past few weeks, saying it's from
    and webmaster, asking you to click on and validate your login details..
    Mutlley, Jun 13, 2005
    #2

  3. Mutlley wrote:
    >>Can someone tell me where this came from.
    >>_____________________________________________________________
    >>from dave.net.nz (web.synaptic.net.nz [202.150.101.5]) by
    >>synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419 for
    >><my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
    >>(envelope-from )
    >>_____________________________________________________________
    >>
    >>I mean it looks like it came from my ISPs webserver, to my ISPs
    >>mailserver, so ummm, does this mean that the webserver is relaying?
    >>
    >>Full headers are as follows if it helps.


    *snip*

    > That looks like the phishing email that has being sent out eligibly
    > from Xtra over the past few weeks say it's from
    > and webmaster asking to click on and validate you login details..


    Indeed it is, but I want to stop it coming in. Seeing as you can't trust
    the "sender", I looked in the headers... and from that, it appears to
    come from the webserver.
    Dave - Dave.net.nz, Jun 13, 2005
    #3
  4. Dave - Dave.net.nz wrote:
    > Can someone tell me where this came from.
    > _____________________________________________________________
    > from dave.net.nz (web.synaptic.net.nz [202.150.101.5]) by
    > synaptic.net.nz (8.13.3/8.11.3)


    8.13.3 suggests sendmail.

    IP is listed as Auckland.

    inetnum: 202.150.96.0 - 202.150.127.255
    netname: CONCEPTNET
    descr: Internet Service Provider
    descr: Auckland New Zealand
    country: NZ
    admin-c: CS20-AP
    tech-c: CS20-AP
    status: ALLOCATED PORTABLE
    mnt-by: APNIC-HM
    mnt-lower: MAINT-NZ-CONCEPTNET

    It's answering:

    [thing@kaitan thing]$ telnet 202.150.101.5 25
    Trying 202.150.101.5...
    Connected to web.synaptic.net.nz (202.150.101.5).
    Escape character is '^]'.
    helo katrina
    220 synaptic.net.nz ESMTP Sendmail 8.13.3/8.11.3; Mon, 13 Jun 2005
    22:57:05 +1200 (NZST)
    250 synaptic.net.nz Hello web.synaptic.net.nz [202.150.101.5], pleased
    to meet you

    and it's sendmail.....

    From what little you have provided it looks OK.

    No other headers or data?

    regards

    Thing

    > with ESMTP id j5CNarex058419 for
    > <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
    > (envelope-from )
    > _____________________________________________________________
    >
    >
    > I mean it looks like it came from my ISPs webserver, to my ISPs
    > mailserver, so ummm, does this mean that the webserver is relaying?
    >
    > Full headers are as follows if it helps.
    >
    > ____________________________
    > From - Mon Jun 13 14:03:49 2005
    > X-Mozilla-Status: 0001
    > X-Mozilla-Status2: 00000000
    > Return-Path: <>
    > Received: from dave.net.nz (web.synaptic.net.nz [202.150.101.5])
    > by synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419
    > for <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200
    > (NZST)
    > (envelope-from )
    > Message-Id: <>
    > From:
    > To: my_user@my_domain.whatever
    > Subject: Email Account Suspension
    > Date: Sun, 12 Jun 2005 16:36:51 -0700
    > MIME-Version: 1.0
    > Content-Type: multipart/mixed;
    > boundary="----=_NextPart_000_0011_AEDF79CB.F8FB90F5"
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > _____________________________
    thing, Jun 13, 2005
    #4
  5. thing wrote:
    > From what little you have provided it looks OK.
    > No other headers or data?


    Full headers are below...
    Yes, it is sendmail, running on either BSD (older) or Debian (newer) (not
    sure if that box has been replaced yet).

    >> Full headers are as follows if it helps.
    >>
    >> ____________________________
    >> From - Mon Jun 13 14:03:49 2005
    >> X-Mozilla-Status: 0001
    >> X-Mozilla-Status2: 00000000
    >> Return-Path: <>
    >> Received: from dave.net.nz (web.synaptic.net.nz [202.150.101.5])
    >> by synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419
    >> for <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200
    >> (NZST)
    >> (envelope-from )
    >> Message-Id: <>
    >> From:
    >> To: my_user@my_domain.whatever
    >> Subject: Email Account Suspension
    >> Date: Sun, 12 Jun 2005 16:36:51 -0700
    >> MIME-Version: 1.0
    >> Content-Type: multipart/mixed;
    >> boundary="----=_NextPart_000_0011_AEDF79CB.F8FB90F5"
    >> X-Priority: 3
    >> X-MSMail-Priority: Normal
    >> _____________________________


    It's not actually in Auckland, it is based in Dunedin, but it hangs off
    Concept's network (and a few others, but the IP space belongs to Concept).

    I just want to know if it is coming from the webserver (which I suspect),
    and if so, I'll pass it on.
    Dave - Dave.net.nz, Jun 13, 2005
    #5
  6. Dave - Dave.net.nz wrote:
    >>> Full headers are as follows if it helps.
    >>> ____________________________
    >>> From - Mon Jun 13 14:03:49 2005
    >>> X-Mozilla-Status: 0001
    >>> X-Mozilla-Status2: 00000000
    >>> Return-Path: <>
    >>> Received: from dave.net.nz (web.synaptic.net.nz [202.150.101.5])
    >>> by synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419
    >>> for <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200
    >>> (NZST)
    >>> (envelope-from )
    >>> Message-Id: <>
    >>> From:
    >>> To: my_user@my_domain.whatever
    >>> Subject: Email Account Suspension
    >>> Date: Sun, 12 Jun 2005 16:36:51 -0700
    >>> MIME-Version: 1.0
    >>> Content-Type: multipart/mixed;
    >>> boundary="----=_NextPart_000_0011_AEDF79CB.F8FB90F5"
    >>> X-Priority: 3
    >>> X-MSMail-Priority: Normal
    >>> _____________________________


    > It's not actually in Auckland, it is based in Dunedin, but it hangs off
    > Concepts network(and a few others, but IP space belongs to Concept).


    > I just want to know if it is coming from the webserver(what I suspect),
    > and if so, I'll pass it on.


    It appears that it is/was coming from the webserver... a vuln of some
    sort, being sorted now.
    Dave - Dave.net.nz, Jun 13, 2005
    #6
  7. In article <> in nz.comp on Mon, 13 Jun 2005 15:54:20 +1200, Mutlley <> says...
    > "Dave - Dave.net.nz" <> wrote:
    >
    > >Can someone tell me where this came from.
    > >_____________________________________________________________
    > >from dave.net.nz (web.synaptic.net.nz [202.150.101.5]) by
    > >synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419 for
    > ><my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
    > >(envelope-from )
    > >_____________________________________________________________
    > >
    > >
    > >I mean it looks like it came from my ISPs webserver, to my ISPs
    > >mailserver, so ummm, does this mean that the webserver is relaying?
    > >
    > >Full headers are as follows if it helps.
    > >
    > >____________________________
    > > From - Mon Jun 13 14:03:49 2005
    > >X-Mozilla-Status: 0001
    > >X-Mozilla-Status2: 00000000
    > >Return-Path: <>
    > >Received: from dave.net.nz (web.synaptic.net.nz [202.150.101.5])
    > > by synaptic.net.nz (8.13.3/8.11.3) with ESMTP id j5CNarex058419
    > > for <my_user@my_domain.whatever>; Mon, 13 Jun 2005 11:36:54 +1200 (NZST)
    > > (envelope-from )
    > >Message-Id: <>
    > >From:
    > >To: my_user@my_domain.whatever
    > >Subject: Email Account Suspension
    > >Date: Sun, 12 Jun 2005 16:36:51 -0700
    > >MIME-Version: 1.0
    > >Content-Type: multipart/mixed;
    > > boundary="----=_NextPart_000_0011_AEDF79CB.F8FB90F5"
    > >X-Priority: 3
    > >X-MSMail-Priority: Normal
    > >_____________________________

    >
    > That looks like the phishing email that has being sent out eligibly
    > from Xtra over the past few weeks say it's from
    > and webmaster asking to click on and validate you login details..


    It's not a phishing email.

    The message is sent by a virus called Mytob, and the message has an
    attached zip file that contains the virus.

    And they are not just affecting Xtra users. Every user on every ISP is
    getting them, because all the virus does is get email addresses it can
    send itself to, then it sends out the message, changes the from address
    to in or whatever.
    Rob J, Jun 14, 2005
    #7