July 27th, 2004, 11:09 PM
Misleading Email Header
First - no one, please get upset if this is the wrong forum for this post - it was either this one or Misc. security quests and I decided on this one...........
Regard this email header from a post sent to my hotmail account:
Received: from 3w-smtp-ac.korea.com ([22.214.171.124]) by mc3-f26.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Fri, 30 Apr 2004 15:29:26 -0700
Received: from 3w-smtp-ah.korea.com ([172.31.1.67]) by 3w-smtp-ac.korea.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 1 May 2004 03:02:35 +0900
Received: from 3w-owa-bg.korea.com ([126.96.36.199]) by 3w-smtp-ah.korea.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 1 May 2004 03:02:39 +0900
Received: from mail pickup service by 3w-owa-bg.korea.com with Microsoft SMTPSVC; Sat, 1 May 2004 03:02:34 +0900
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200
X-OriginalArrivalTime: 16 Mar 2004 18:16:10.0992 (UTC) FILETIME=[C27E2F00:01C40B82]
X-TERRACE-SPAMRATE: g=8.92 l=-129.94T YET spam-rated.
The oddity here is this email came from someone in Asia (Korea) as you will see but the return path: (my hotmail account address) and the X-originating-email: are both my account address that I received the mail in. I am already sure the mail attached to this header was written by a person who got the password of the owner of the account and sent the mail (mostly I know this from the content of the post) - I have done some rudimentary research into email headers and am fairly familiar with them - my question is: "how did he get my account address into the 2 above mentioned fields (if this is indeed the case)?"
Remember: my hotmail account is 'firstname.lastname@example.org' and it is on lines in this header that it seems to me it shouldn't be. Also, the originating IP (X-originating-IP) comes from the same place that my ISP's would come from.
I am really curious as to what happened here....................
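An added example (not part of the original post): a short Python script that walks the Received chain quoted above from oldest hop to newest, reports the claimed relay, its address, whether that address is private, and the time gap between hops. The function names and the `my_domain` parameter are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received lines copied from the post above, addresses exactly as printed there.
RAW = (
    "Received: from 3w-smtp-ac.korea.com ([22.214.171.124]) by mc3-f26.hotmail.com"
    " with Microsoft SMTPSVC(5.0.2195.6824); Fri, 30 Apr 2004 15:29:26 -0700\n"
    "Received: from 3w-smtp-ah.korea.com ([172.31.1.67]) by 3w-smtp-ac.korea.com"
    " with Microsoft SMTPSVC(5.0.2195.6713); Sat, 1 May 2004 03:02:35 +0900\n"
    "Received: from 3w-owa-bg.korea.com ([126.96.36.199]) by 3w-smtp-ah.korea.com"
    " with Microsoft SMTPSVC(5.0.2195.6713); Sat, 1 May 2004 03:02:39 +0900\n"
    "Received: from mail pickup service by 3w-owa-bg.korea.com"
    " with Microsoft SMTPSVC; Sat, 1 May 2004 03:02:34 +0900\n"
    "\n"
)


def trace_hops(raw_headers):
    """Return the Received chain oldest-first (each server prepends its line)."""
    msg = message_from_string(raw_headers)
    hops, previous = [], None
    for value in reversed(msg.get_all("Received", [])):
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        m = re.search(r"from\s+(.+?)\s+by\s+(\S+)", value)
        sender, by_host = m.group(1), m.group(2)
        ip = re.search(r"\[([0-9.]+)\]", sender)
        hops.append({
            "from": sender.split(" (")[0],
            "ip": ip.group(1) if ip else None,
            # Private (e.g. RFC 1918) address: a relay inside the sender's network
            "internal": bool(ip) and ipaddress.ip_address(ip.group(1)).is_private,
            "by": by_host,
            # Seconds since the previous hop; negative suggests clock skew
            "delay_s": None if previous is None
            else int((stamp - previous).total_seconds()),
        })
        previous = stamp
    return hops


def boundary_hop(hops, my_domain="hotmail.com"):
    """First hop stamped by the recipient's provider (my_domain is an assumption)."""
    return next(h for h in hops if h["by"].endswith(my_domain))


if __name__ == "__main__":
    for hop in trace_hops(RAW):
        print(hop)
```

Only the hop returned by `boundary_hop` was written by the receiving provider's own server; every older line was written on the sending side and is read as a claim rather than a verified fact.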
July 31st, 2004, 06:59 AM
July 31st, 2004, 07:03 AM
I don't think there is enough information in this to make a proper diagnosis. It could be too much Cpt. Morgan talking but the more I look at this the more I think what do you want? Looks like someone sent a message from a spoofed IP address with your email address to your email address......the originating IP, located in NY, possibly spoofed, the reason I say that is that it has no business being in Korea, sent through what is obviously Korean based servers back to your email.
My first question is, what was the email? Second, did you change your password? Third, why am I wearing this ball gown?
All kidding aside I think you need to give a little background info first... throw me a bone....will ya?
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
August 2nd, 2004, 12:46 AM
It is no surprise it came from Korea - my mate whose email address it 'supposedly' came from is in Korea - What happened is that my mate (where the email came from) thought that someone got her password (nothing clever like hacking it - more like looking over her shoulder) and sent shitty emails to some of her friends (jilted ex syndrome).
But when I was researching email headers I learned something (at least) and one thing I did learn is that the above header was made to appear (to me at least) to come from my email address to my email address.
If this guy (whom I know) managed to spoof an IP address (without someone's help) then I seriously underestimated him (or overestimated his stupidity)............
I hope this is enough background for you, Korpdeath...................