IP addresses in email headers

[boxofrocks]

I know there are several sites that allow me it look up geographic IP locations with varying degrees of accuracy, but which IP address should I use when looking at an Outlook header?


For example, this one shows 3 different IPs:

Received: from unknown (HELO gw02.mail.saunalahti.fi) (195.197.172.116)
by mail16.opentransfer.com with SMTP; 2 Jan 2007 20:01:09 -0000
Received: from saimaza.webmail.saunalahti.fi (saimaza.webmail.saunalahti.fi [195.197.55.116])
by gw02.mail.saunalahti.fi (Postfix) with ESMTP id 5A536139399
for <info@thomasmanchester.com>; Tue, 2 Jan 2007 22:01:05 +0200 (EET)
Date: Tue, 2 Jan 2007 22:01:05 +0200 (EET)
From: xxxxxx
To: Thomas Manchester Photography <xxxxxx>
Message-ID: <9905708.1228891167768065006.JavaMail.xxxxxxx>
Subject: RE: Thomas Manchester Photography - Request for Information -
GatheringGuide.com
MIME-Version: 1.0
Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed
Content-Transfer-Encoding: quoted-printable
X-Mailer: Saunalahti webmail - http://www.saunalahti.fi
X-Originating-IP: 81.197.201.127
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on localhost
X-Spam-Status: No, score=0.1 required=5.0 tests=NO_REAL_NAME
autolearn=disabled version=3.0.2
X-Spam-Level:

Is the "Originating-IP" the IP from the computer from which it was sent?

Thanks!

[ratbert]

Tom,

I think that is correct. I had to do some investigationg a while back on an email that I would get anwhere from 10 to 20 times a day. The Originating IP was always the same. ( I new the guy that sent it originally, and it showed a delivery failure to him and for every email that I received, he got a delivery failure notice.) The other two IP addresses were routers in the isp's network. It took me almost a month to get the emails stopped.

[boxofrocks]

Quote:

Originally Posted by ratbert

Tom,

I think that is correct. I had to do some investigationg a while back on an email that I would get anwhere from 10 to 20 times a day. The Originating IP was always the same. ( I new the guy that sent it originally, and it showed a delivery failure to him and for every email that I received, he got a delivery failure notice.) The other two IP addresses were routers in the isp's network. It took me almost a month to get the emails stopped.

So how did you track down the individual computer and confirmed that it belonged to that guy? Did you have to go through the company's IT dept?

I think these emails I'm receiving are part of another scam, but it sounds curiously legit (he says pessimistically). The originating IP addresses are from the same town, but different computers0--could be home and work, or web cafe, or he could be stealing wireless access points, I guess.

[ratbert]

Quote:

Originally Posted by boxofrocks

So how did you track down the individual computer and confirmed that it belonged to that guy? Did you have to go through the company's IT dept?

The email was a joke from a friend and I am on his joke distribution list. I emailed him and asked him if he had a virus and that's when he told me what he was receiving. I had to send several emails to his ISP's customer service department and to their abuse email address. My friend did get a call from the abuse department and he explained to them what was goibg on. It took them a week to finally stop after that. I'm still not sure why it was happening because out of several emails I get from him a week that was the only one that did that.

[boxofrocks]

What a pain.

I actually confirmed this as a legit email. It was from a bride to be in Finland that was looking for a photographer for her wedding in Coppell, TX. Sounded fishy, but the Church confirmed the ceremony!

I was reluctant to reply at all, but it may actually be worthwhile. I guess you never know.

[ratbert]

Quote:

Originally Posted by boxofrocks

What a pain.

I actually confirmed this as a legit email. It was from a bride to be in Finland that was looking for a photographer for her wedding in Coppell, TX. Sounded fishy, but the Church confirmed the ceremony!

I was reluctant to reply at all, but it may actually be worthwhile. I guess you never know.

Hope it all works out for you. These days it's getting harder to filter legit emails from all of the spam.

[CalebSimpson]

Wow, I would have called scam myself. I have received a couple of wedding scam emails from somebody in another country. Be careful though. They could be playing it out in detail. If they ask for something suspicious like sending you a cashiers check for over the amount then just walk away.

[boxofrocks]

Quote:

Originally Posted by CalebSimpson

Wow, I would have called scam myself. I have received a couple of wedding scam emails from somebody in another country. Be careful though. They could be playing it out in detail. If they ask for something suspicious like sending you a cashiers check for over the amount then just walk away.

I read you loud and clear, and couldn't agree more.

Look what I have on my bulletin board (A fake check sent to me for a fake wedding with a bogus account number):

[Jeff]

The worst part about SPAM, particularly recently, is that it is causing legitimate email to be blocked. Companies like AOL/Time Warner are enforcing such incredibly stringent policies with emails that companies managing mail servers spend time every day just responding to blacklisting and rejected email issues.

There are TONS of scam emails out there. Just make sure you know it is a scam if you are going to report it because, if it isn't, someone's mail server is going to get blacklisted causing problems for potentially hundreds of innocent individuals that use the server.

[boxofrocks]

What's worse, is that even if you didn't spam anyone, you could get blacklisted. If you have a website with a sharred email server (dedicated email servers are relatively very expensive when hosted), anyone sharing the same email server ip address that spams can cause you to get blacklisted.

It's happened to me at least 3 times, and takes a long time for your hosting company to fix. verizon.net and comcast.net blacklist shared servers often.