How to trace email sender's domain ?

news@absamail.co.za
      03-14-2005, 06:27 AM
Please list the steps to determine an email sender's domain.
Or perhaps point to a tut.
Can this be traced also to the town ?

This is the one which interests me now:--

Return-Path: <(E-Mail Removed)>
Received: from smtp10.atl.mindspring.net not authenticated
[207.69.200.246]
Received: from h-67-101-134-168.nycmny83.dynamic.covad.net
([67.101.134.168] helo=Anon)
by smtp10.atl.mindspring.net with smtp (Exim 3.33 #1)
id 1DAWVn-0002Dq-00; Sun, 13 Mar 2005 12:04:19 -0500
From: (E-Mail Removed)


Thanks,

== Chris Glur.

PS. you might notice that I'm not posting via linux, but I
expect a linux-based solution

 
Maurizio Loreti
      03-14-2005, 06:48 AM
(E-Mail Removed) writes:

> Please list the steps to determine an email sender's domain.


A Google search with the keywords "tracing email sender" gave 73600
hits; all of the first 10 seem promising.

--
Maurizio Loreti http://www.pd.infn.it/~loreti/mlo.html
Dept. of Physics, Univ. of Padova, Italy ROT13: (E-Mail Removed)
 
robertharvey@my-deja.com
      03-14-2005, 10:02 AM

(E-Mail Removed) wrote:
> Please list the steps to determine an email sender's domain.
> Or perhaps point to a tut.
> Can this be traced also to the town ?
>
> This is the one which interests me now:--
>
> Return-Path: <(E-Mail Removed)>
> Received: from smtp10.atl.mindspring.net not authenticated
> [207.69.200.246]
> Received: from h-67-101-134-168.nycmny83.dynamic.covad.net
> ([67.101.134.168] helo=Anon)
> by smtp10.atl.mindspring.net with smtp (Exim 3.33 #1)
> id 1DAWVn-0002Dq-00; Sun, 13 Mar 2005 12:04:19 -0500
> From: (E-Mail Removed)


There are loads of anti-spam advice pages out there on the web.

Headers are quite easy to understand if you work your way back down,
but don't forget that it is very easy for someone to forge in a
spurious 'received' header on the original message so you go past the
actual point of injection and try to trace the spurious domain they
have directed you toward. It's not easy.

I always compare the IP address with the helo and the fqdn to decide if
a header is worth chasing.

 
David Efflandt
      03-14-2005, 06:36 PM
On Mon, 14 Mar 2005, (E-Mail Removed) <(E-Mail Removed)> wrote:
> Please list the steps to determine an email sender's domain.
> Or perhaps point to a tut.
> Can this be traced also to the town ?
>
> This is the one which interests me now:--
>
> Return-Path: <(E-Mail Removed)>
> Received: from smtp10.atl.mindspring.net not authenticated
> [207.69.200.246]
> Received: from h-67-101-134-168.nycmny83.dynamic.covad.net
> ([67.101.134.168] helo=Anon)
> by smtp10.atl.mindspring.net with smtp (Exim 3.33 #1)
> id 1DAWVn-0002Dq-00; Sun, 13 Mar 2005 12:04:19 -0500
> From: (E-Mail Removed)


It is not clear if these are full headers, unless your ISP is Earthlink or
Mindspring related (because the first Received header looks incomplete).
Anything beyond the hop it arrives from to a known server could be forged.

But it appears that an Earthlink smtp server received it from a Covad
dynamic IP in New York city. That Covad user could be infected with some
worm or trojan, assuming they would not be stupid enough to originate it
from their own connection.

The ...covad.net name is the name the IP resolved to.
67.101.134.168 is the IP it arrived from.
Anon is what that machine identified itself as in the smtp negotiation.

You could also use the 'host' command to confirm what the IP resolves to.
Looking up the IP with 'whois' can sometimes further narrow it down
(especially if the IP does not resolve) and may tell you where to report abuse.
 
John Thompson
      03-15-2005, 12:31 AM
On 2005-03-14, (E-Mail Removed) <(E-Mail Removed)> wrote:
> Please list the steps to determine an email sender's domain.
> Or perhaps point to a tut.
> Can this be traced also to the town ?
>
> This is the one which interests me now:--
>
> Return-Path: <(E-Mail Removed)>
> Received: from smtp10.atl.mindspring.net not authenticated
> [207.69.200.246]
> Received: from h-67-101-134-168.nycmny83.dynamic.covad.net
> ([67.101.134.168] helo=Anon)
> by smtp10.atl.mindspring.net with smtp (Exim 3.33 #1)
> id 1DAWVn-0002Dq-00; Sun, 13 Mar 2005 12:04:19 -0500
> From: (E-Mail Removed)


As an email message is transported across the internet, each mail server
that handles the message adds a "Received:" line to the top of the list of
headers. The bottom "Received:" line is therefore the first mail server to
handle the message; in this case "smtp10.atl.mindspring.net" received it
from "h-67-101-134-168.nycmny83.dynamic.covad.net" which is a dynamically
assigned IP. Running a whois against the IP address 67.101.134.168
associated with this address, you find it is registered to "Covad
Communications" in San Jose CA and the abuse reporting address is
"abuse-(E-Mail Removed)"

This is most likely some household Windows machine that has been
compromised by a spam-bot. If you report it to the abuse address above,
they can contact the owner of the machine to have them take it off line
and clean it up. It is unlikely that it could be traced back to its
ultimate spammer origin, though, as the current spam practice is to relay
through a number of dynamically changing proxies before attempting to
inject the mail into the mail delivery system. The body of the message
likely contains an address (probably overseas someplace) intended to
direct the recipient to a site where they can be exploited. You may be
able to find an abuse address for the owner of that IP, but responding in
that way may not be effective and in fact may expose you to further spam.
I've had the best luck with European and North American sites; Asian
sites, particularly in China and Korea, don't seem to give a rip.

Your best bet is to put a good spam filter, e.g. spamassassin, in front
of your mail system.

--

John ((E-Mail Removed))
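The bottom-up walk of the "Received:" chain that John describes, combined with Robert's habit of comparing the IP address against the HELO name and the recorded FQDN and David's reverse lookup of the IP, as an added Python example (not code posted by anyone in this thread). It uses the header block from the original post as a constructed sample, with the addresses the forum removed replaced by placeholders and the folded lines indented as RFC 5322 expects. The heuristics (HELO vs. recorded name, "dynamic" pool names, a hop whose "by" host is not the next hop's "from" host) are assumptions for illustration; reverse DNS goes through socket.gethostbyaddr, and the whois step is left to the `whois` command.

```python
"""Walk the Received: chain of an e-mail header block from the bottom up
and flag hops whose IP, HELO and recorded hostname disagree."""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample: the headers from the original post. The sender
# addresses the forum stripped are replaced with .invalid placeholders and
# continuation lines are indented (the forum flattened them).
SAMPLE_HEADERS = """\
Return-Path: <sender-removed@example.invalid>
Received: from smtp10.atl.mindspring.net not authenticated
\t[207.69.200.246]
Received: from h-67-101-134-168.nycmny83.dynamic.covad.net
\t([67.101.134.168] helo=Anon)
\tby smtp10.atl.mindspring.net with smtp (Exim 3.33 #1)
\tid 1DAWVn-0002Dq-00; Sun, 13 Mar 2005 12:04:19 -0500
From: sender-removed@example.invalid
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


@dataclass
class Hop:
    raw: str
    from_name: Optional[str] = None  # name the receiving server recorded (usually rDNS)
    ip: Optional[str] = None         # bracketed address the connection came from
    helo: Optional[str] = None       # what the client called itself in SMTP
    by: Optional[str] = None         # the server that wrote this header
    findings: List[str] = field(default_factory=list)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line)
    return out


def parse_received(value: str) -> Hop:
    """Pull the from/IP/helo/by parts out of one Received: header value."""
    hop = Hop(raw=value)
    m = re.search(r"\bfrom\s+(\S+)", value)
    hop.from_name = m.group(1) if m else None
    m = re.search(r"\[(" + IPV4 + r")\]", value)
    hop.ip = m.group(1) if m else None
    m = re.search(r"\bhelo=([^\s)]+)", value)
    hop.helo = m.group(1) if m else None
    m = re.search(r"\bby\s+(\S+)", value)
    hop.by = m.group(1) if m else None
    return hop


def received_hops(raw: str) -> List[Hop]:
    """Return the hops oldest first: the bottom Received: line is the injection point."""
    values = [h.split(":", 1)[1].strip()
              for h in unfold_headers(raw) if h.lower().startswith("received:")]
    return [parse_received(v) for v in reversed(values)]


def reverse_lookup(ip: str) -> Optional[str]:
    """Live reverse DNS; returns None when the address does not resolve."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def assess_chain(hops: List[Hop],
                 resolver: Callable[[str], Optional[str]] = reverse_lookup) -> List[Hop]:
    """Annotate each hop with the consistency checks discussed in the thread."""
    for i, hop in enumerate(hops):
        if hop.ip is None:
            hop.findings.append("no bracketed IP recorded; nothing to verify")
        if hop.by is None:
            hop.findings.append("no 'by' clause: header is truncated or incomplete")
        if hop.helo and hop.from_name and hop.helo.lower() != hop.from_name.lower():
            hop.findings.append(f"HELO '{hop.helo}' does not match recorded name '{hop.from_name}'")
        if hop.helo and "." not in hop.helo:
            hop.findings.append(f"HELO '{hop.helo}' is not a fully qualified name")
        if hop.from_name and re.search(r"dynamic|dsl|dialup|cable|pool", hop.from_name, re.I):
            hop.findings.append("recorded name looks like a consumer dynamic-IP pool")
        if hop.ip:
            rdns = resolver(hop.ip)
            if rdns is None:
                hop.findings.append(f"{hop.ip} has no reverse DNS; fall back to whois")
            elif hop.from_name and rdns.lower() != hop.from_name.lower():
                hop.findings.append(f"reverse DNS '{rdns}' differs from recorded name '{hop.from_name}'")
        # The server that wrote this header should be the one the next hop received from.
        if i + 1 < len(hops):
            nxt = hops[i + 1]
            if hop.by and nxt.from_name and hop.by.lower() != nxt.from_name.lower():
                hop.findings.append("chain break: next hop was not received from this 'by' host; "
                                    "hops below here may be forged")
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(assess_chain(received_hops(SAMPLE_HEADERS))):
        print(f"hop {n}: from={hop.from_name} ip={hop.ip} helo={hop.helo} by={hop.by}")
        for f in hop.findings:
            print("   -", f)
```

Only the hop that a server you trust wrote can be taken at face value; the first hop that fails the chain-break check marks the point past which the headers may have been typed in by the sender. For the sample, hop 0 is the Covad dynamic address with a bare "Anon" HELO, and hop 1 is the incomplete top header David pointed out.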