Email Origin from Yahoo - Expert Help Required!

Discussion in 'other security issues & news' started by craigpe, Jun 26, 2006.

Thread Status:
Not open for further replies.
  1. craigpe

    craigpe Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    4
    Hi all,

    I need to confirm whether a number of emails have been sent from the UK or New Zealand. They are not SPAM or malicious in any way; however, this information is very important for personal reasons.

    The emails have all been sent from a known, UK yahoo web mail account (<something>@yahoo.co.uk) and I believe are sent using the web interface rather than SMTP. Here are three examples (I have for the moment highlighted what I think is the most important element of the headers):

    Received: from [84.69.6.17] by web26912.mail.ukl.yahoo.com via HTTP; Fri, 24 Feb 2006 17:23:39 GMT
    Received: from [84.64.206.53] by web26909.mail.ukl.yahoo.com via HTTP; Thu, 16 Mar 2006 16:41:36 GMT
    Received: from [84.68.15.95] by web26905.mail.ukl.yahoo.com via HTTP; Thu, 15 Jun 2006 15:27:31 GMT

    Here are the full headers from the 15th June email (the most important one – obviously names and email addresses have been replaced with ***):

    X-Symantec-TimeoutProtection: 0
    X-Symantec-TimeoutProtection: 1
    X-Symantec-TimeoutProtection: 2
    Return-Path: <***********@yahoo.co.uk>
    Received: from aamtain10-winn.ispmail.ntl.com ([81.103.221.35])
    by mtain02-winn.ispmail.ntl.com with ESMTP
    id <20060615152739.YWAK18988.mtain02-winn.ispmail.ntl.com@aamtain10-winn.ispmail.ntl.com>
    for <***********@ntlworld.com>; Thu, 15 Jun 2006 16:27:39 +0100
    Received: from web26905.mail.ukl.yahoo.com ([217.146.176.94])
    by aamtain10-winn.ispmail.ntl.com with SMTP
    id <20060615152737.NNBB14335.aamtain10-winn.ispmail.ntl.com@web26905.mail.ukl.yahoo.com>
    for <***********@ntlworld.com>; Thu, 15 Jun 2006 16:27:37 +0100
    Received: (qmail 20924 invoked by uid 60001); 15 Jun 2006 15:27:32 -0000
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.co.uk;
    h=Message-ID:Received:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
    b=jyAx+96wqqsMn4gWrcqie7sUiCCEX3pllJf1Wwar1EUgNa5eOVEufCIQYuyqhN8ymDZ5e8mHTEywNV ;9pBTM/PGts1GqPMetAOF9nwl0k/lVgDCYi82OCcoaMIJ/SOPn1Dgn6f4chNyIrthKzfGvaCC3L6VPCvnplV4uCeHCjJbw=
    Message-ID: <20060615152731.20922.qmail@web26905.mail.ukl.yahoo.com>
    Received: from [84.68.15.95] by web26905.mail.ukl.yahoo.com via HTTP; Thu, 15 Jun 2006 15:27:31 GMT
    Date: Thu, 15 Jun 2006 15:27:31 +0000 (GMT)
    From: *********** <***********@yahoo.co.uk>
    Reply-To: *********** <***********@yahoo.co.uk>
    Subject: Re: ***********
    To: ***********@ntlworld.com
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="0-1716187056-1150385251=:20607"


    I have checked out the three addresses using a number of different Internet tools and they all suggest that these IP addresses are UK-based and also sent from the same ISP. DNSSTUFF.com links below:

    http://www.dnsstuff.com/tools/ipall....ain=84.69.6.17
    http://www.dnsstuff.com/tools/ipall....n=84.64.206.53
    http://www.dnsstuff.com/tools/ipall....in=84.68.15.95

    The above site also suggests that all three emails were sent from DNS names that end in “dsl.pol.co.uk”. This also suggests to me that these emails were received over a broadband UK connection. (i.e. it would not be possible to dial into the UK from abroad using dialup to get one of these IP addresses). The sender of these emails claimed to be in the UK for the first two emails but in New Zealand for the third.

    So the question is … can anyone confirm 100% whether or not it is possible that the above email (15th June) was sent from someone residing in New Zealand (including the possibility of UK-dialup connection I suppose). As I explained previously this has significant personal ramifications so I need to be sure. I also mentioned that this is not SPAM or malicious and I have no particular reason to doubt the validity of the header information.

    All serious advice welcomed (even if it is to inform me why the above information is not conclusive)

    Kind regards

    Craig
     
    Last edited by a moderator: Jun 26, 2006
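
The header reading described in the post above, as an added example that is not part of the original thread: it walks the `Received` lines of the 15 June message oldest-first, picks out the hop submitted `via HTTP`, and checks that the relay chain is internally consistent. The `Received` lines are copied from the post with the `id`/`for` clauses left out; the function names are this example's own.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received lines of the 15 June message as posted above; the id/for
# clauses are left out here for brevity.
RAW = """\
Received: from aamtain10-winn.ispmail.ntl.com ([81.103.221.35])
    by mtain02-winn.ispmail.ntl.com with ESMTP; Thu, 15 Jun 2006 16:27:39 +0100
Received: from web26905.mail.ukl.yahoo.com ([217.146.176.94])
    by aamtain10-winn.ispmail.ntl.com with SMTP; Thu, 15 Jun 2006 16:27:37 +0100
Received: (qmail 20924 invoked by uid 60001); 15 Jun 2006 15:27:32 -0000
Received: from [84.68.15.95] by web26905.mail.ukl.yahoo.com via HTTP; Thu, 15 Jun 2006 15:27:31 GMT

"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\(\[([\d.]+)\]\))?\s+by\s+(\S+)\s+(?:with|via)\s+(\S+)")

def hops(raw):
    """Return the Received hops oldest-first (each relay prepends its own line)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = " ".join(value.split()).rpartition(";")
        when = parsedate_to_datetime(stamp.strip())
        if when.tzinfo is None:  # "-0000" parses as a naive datetime; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        m = HOP.search(info)
        sender, ip, by, proto = m.groups() if m else (None, None, None, "local")
        if sender and sender.startswith("["):  # bare address literal, no hostname
            sender, ip = None, sender.strip("[]")
        out.append({"from": sender, "ip": ip, "by": by, "proto": proto, "when": when})
    return out

def web_origin(raw):
    """IP of the client that submitted the message over the web interface, if any."""
    return next((h["ip"] for h in hops(raw) if h["proto"] == "HTTP"), None)

def chain_consistent(chain):
    """True if times never go backwards and each named sender is the previous receiver."""
    last_by, last_when = None, None
    for h in chain:
        if last_when and h["when"] < last_when:
            return False
        if h["from"] and last_by and h["from"] != last_by:
            return False
        last_by, last_when = h["by"] or last_by, h["when"]
    return True

if __name__ == "__main__":
    print(web_origin(RAW), chain_consistent(hops(RAW)))
```

The address returned is the host that connected to Yahoo's web front end; mapping it to an ISP or country is a separate WHOIS or geolocation lookup.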
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here is where the email on the 15th came from. Actually they all came from the same place.
     

    Attached Files:

  3. craigpe

    craigpe Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    4
    Thanks for the reply bigc! :)

    I also saw this information on a number of info sites and I understand it points towards all emails originating in the UK.

    But does it guarantee that the emails were all sent from the UK? Is there any way that an ISP in New Zealand could use this range of IP addresses for example? Could a dial-up connection to the UK obtain one of these addresses? Any other reason that I haven't considered??

    I really appreciate any help here :doubt:
     
  4. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
  5. craigpe

    craigpe Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    4
    Hi Eldar and thanks for the welcome :D

    I have indeed read this (and other) articles and they all suggest to me that the emails above must all have been sent from within the UK. None of these articles are a substitute for genuine expertise/experience though which is why I am asking the question here.

    Is it at all possible that the last email was sent from New Zealand o_O?
     
  6. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
  7. craigpe

    craigpe Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    4
    Hi Eldar and thanks for looking into this further for me :)

    I haven't seen that particular output and again it does seem to point towards all emails originating in the UK but to re-phrase my question:

    Does this PROVE that the third email (the one with the headers above) MUST have been sent from the UK?
     
  8. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    My pleasure helping you with it. ;)
    IP Address Locator Tool :cool:
    It would appear so, as I pasted that entire email header into the Spam Origin Locator and still it gave me UK. :)

    I don't know what other proof I could give you. o_O
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    Yes it was sent from the UK.
     