• Detective work needed with email headers.


    #487729

    I need help in determining if two emails were sent by the same person using different yahoo email accounts. I have the headers from both emails:
    To protect privacy, I have changed the plain text email and individual names. In the emails, bob.xxxxxxx@gmail.com is the recipient of both emails,
    and the sender of header one is yyyyyyy@yahoo.cn and the sender of header two is zzzzzzz12@yahoo.cn.
    From what I //THINK\ I have determined, both came from the same IP of 112.246.217.52, which I think is either the sender's home
    IP or that of something like an internet café.
    Can anyone out there shed some more light on these two emails? I think both emails may be from the same person, and
    could be leading up to a scam of some sort. I am trying to save a friend from a lot of long term grief.
    Thanks

    HEADER ONE:

    [HTML]
    Delivered-To: bob.xxxxxxx@gmail.com
    Received: by 10.49.94.78 with SMTP id da14csp65396qeb;
    Sun, 10 Feb 2013 20:54:58 -0800 (PST)
    X-Received: by 10.68.200.230 with SMTP id jv6mr15580365pbc.137.1360558498255;
    Sun, 10 Feb 2013 20:54:58 -0800 (PST)
    Return-Path:
    Received: from nm9-vm5.bullet.mail.tp2.yahoo.com (nm9-vm5.bullet.mail.tp2.yahoo.com. [203.188.200.191])
    by mx.google.com with ESMTPS id w6si8547290pax.330.2013.02.10.20.54.57
    (version=TLSv1 cipher=RC4-SHA bits=128/128);
    Sun, 10 Feb 2013 20:54:58 -0800 (PST)
    Received-SPF: neutral (google.com: 203.188.200.191 is neither permitted nor denied by best guess record for domain of yyyyyyy@yahoo.cn) client-ip=203.188.200.191;
    Authentication-Results: mx.google.com;
    spf=neutral (google.com: 203.188.200.191 is neither permitted nor denied by best guess record for domain of yyyyyy@yahoo.cn) smtp.mail=yyyyyy@yahoo.cn;
    dkim=pass header.i=@yahoo.cn
    Received: from [203.188.200.143] by nm9.bullet.mail.tp2.yahoo.com with NNFMP; 11 Feb 2013 04:54:56 -0000
    Received: from [119.42.242.52] by tm5.bullet.mail.tp2.yahoo.com with NNFMP; 11 Feb 2013 04:54:55 -0000
    Received: from [127.0.0.1] by omp1001.mail.cnh.yahoo.com with NNFMP; 11 Feb 2013 04:54:55 -0000
    X-Yahoo-Newman-Property: ymail-3
    X-Yahoo-Newman-Id: 744818.12351.bm@omp1001.mail.cnh.yahoo.com
    Received: (qmail 40890 invoked by uid 60001); 11 Feb 2013 04:54:55 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.cn; s=s1024; t=1360558495; bh=GFPMLOVTg52DZYkrNJBXQwaiVJTSJ1VbHCKSmqOxdrQ=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=bSE5xqsZRGl/7iJwcM1fX/u3HLP4XrvnKxtfKJuMt7QWD95ECN9QGkOnjVhaHmlAz0ZZxRuMERmc2DvpP3o8xtcu1hntrL7+uDapdiHJQg5ku0wgyCieBtSJJHe+as9+LCuMq71uixLKq7v4varT7eIairRFzrC9dgBXmf97/dM=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.cn;
    h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type;
    b=EegBHIpdpEyPWBwd4O3qMzx+8/3+gkIz8fp3S2rxy+vQKpaAb3al9PBhFl7wCWAIQYug87okp6ApOEb2cxJ3FFY+NLXKA+KhVFozgMlbtikm4l+996X1fosWx5cMBqg4VS4plQrqcwOhIGL2RU9IdFzf8TV6ALsOoO3wssLgz2s=;
    X-YMail-OSG: 3faASrgVM1kmD6jmDdNwSLOw9XPggk2d.myZHygSwlJ7vrL
    ywDJFXLRksFni__zT1fqU_a4kGkkWy3CgkdJLqMMeiw_hl4JAlHgOgQNYADn
    o17eM6NQtbXgfmwtbszCWAeFK5HGoenhhpnWgcGGpXkrPghv6kNzctOnxH0Z
    kn8ISV6kvRqLDG7N1QVDMZithHPiFI60uDJa2J_8ydfwEWDeu7SEVYVqqB0X
    S39EVzhlDV.Y0a63IDBjgKpf9S4F7p_wjJjBXOQOYv9EcTM.VhfEZVxOm2Eu
    20yEVPpcSx.xZ4hG8B3DL3ObTOo.T9lTnvUDMoJfZjaPZxCXfSgDdPGLmcf4
    8RdXdNZydpBPnmM8ZiOqzcaaf
    Received: from [112.246.217.52] by web92402.mail.cnh.yahoo.com via HTTP; Mon, 11 Feb 2013 12:54:55 CST
    X-Rocket-MIMEInfo: 001.001,aGVsbG8gwqBkZWEgciByb2IKwqB0aGFua3MgZm9yIHlvciB3YXJtIHNpbmNldmVyIG1lc3NhZ2UgM3RoIGZlYiBpIHNlbmQgeW91IGVtYWlsIMKgeW91IG5vdCBoYXZlIHRvIGdldCB0aGVtID8KwqB5ZXMgaGVyZSBuZXcgeXJzIMKgaSDCoGhvcGUgeW91IGhlcmUgd2l0aCBtZSBzaGFyZSBoYXBweSBuZXcgeXJzwqAKaSDCoHN1cmUgd2Ugd2lsbCBzaGFyZSBuY2llIGhhcHB5IHZhY2F0aW4gb2sgeWVzIHlvdSBhbHdheXMgaW4gbXkgbWluZCBpbiBteSDCoGhlYXJ0CsKgaW4gbXkgZHJlYW0gaSBob3BlIG15IGQBMAEBAQE-
    X-Mailer: YahooMailWebService/0.8.132.503
    References:
    Message-ID:
    Date: Mon, 11 Feb 2013 12:54:55 +0800 (CST)
    From: Yyyyy Yyy
    Reply-To: Yyyyy Yyy
    Subject: =?utf-8?B?5Zue5aSN77yaIEhlbGxvIGFnYWlu?=
    To: Robert Xxxxxx
    In-Reply-To:
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="373869220-829038882-1360558495=:22666"

    --373869220-829038882-1360558495=:22666
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable
    [/HTML]

    HEADER TWO:

    [HTML]
    Delivered-To: bob.xxxxxx@gmail.com
    Received: by 10.49.94.78 with SMTP id da14csp67317qeb;
    Sun, 10 Feb 2013 22:14:16 -0800 (PST)
    X-Received: by 10.66.82.67 with SMTP id g3mr38528605pay.58.1360563255807;
    Sun, 10 Feb 2013 22:14:15 -0800 (PST)
    Return-Path:
    Received: from nm16-vm8.bullet.mail.sg3.yahoo.com (nm16-vm8.bullet.mail.sg3.yahoo.com. [106.10.149.71])
    by mx.google.com with ESMTPS id l7si17520461paz.9.2013.02.10.22.14.14
    (version=TLSv1 cipher=RC4-SHA bits=128/128);
    Sun, 10 Feb 2013 22:14:15 -0800 (PST)
    Received-SPF: neutral (google.com: 106.10.149.71 is neither permitted nor denied by best guess record for domain of zzzzzzzz12@yahoo.com.cn) client-ip=106.10.149.71;
    Authentication-Results: mx.google.com;
    spf=neutral (google.com: 106.10.149.71 is neither permitted nor denied by best guess record for domain of zzzzzzz12@yahoo.com.cn) smtp.mail=zzzzzzz12@yahoo.com.cn;
    dkim=pass header.i=@yahoo.com.cn
    Received: from [106.10.166.120] by nm16.bullet.mail.sg3.yahoo.com with NNFMP; 11 Feb 2013 06:14:12 -0000
    Received: from [106.10.151.234] by tm9.bullet.mail.sg3.yahoo.com with NNFMP; 11 Feb 2013 06:14:12 -0000
    Received: from [127.0.0.1] by omp1018.mail.sg3.yahoo.com with NNFMP; 11 Feb 2013 06:14:12 -0000
    X-Yahoo-Newman-Property: ymail-3
    X-Yahoo-Newman-Id: 883197.53944.bm@omp1018.mail.sg3.yahoo.com
    Received: (qmail 64756 invoked by uid 60001); 11 Feb 2013 06:14:12 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.cn; s=s1024; t=1360563251; bh=1bDqKGYHmCPKD6QrSrtMnidWHoTmAKMcRmeQdWNMzt0=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=LYtkmHXPtZsXgw6KQ+6PDRw30S1+BdU4IozM3oNajZxG6+c4VfL3L8cJ2/qHjTWMubleiwhwupfzjreiWiP3P03Ma3EFrQRfU+lDoUNcVMk3SCbHM7t8GiXtCvFPWN8j4HMUYgvlv7dZpI7AFAXKFvgfJu4netBvTH5DW5EJD4M=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.com.cn;
    h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type;
    b=FGSxJQeb07PAIqGWmaVU9qACzL37lyX392RRagm49yh6P4GrLm6654EbjKp3654KSMhEerzqRptnHyd8wGCW/1XxUcPl6VLOT06aftW0vhT9BCG5exb4btk/1SVg/rlt/2LFObgiFpTcRWj0I6Qw9xu4VVG8Xf94xJdW/80f4Jk=;
    X-YMail-OSG: DcbQTewVM1nn4LkJ.nKPD1ki5HJaR522FANBjJQUX8RTNMG
    ZXdLhNS3Im.P_DR3K3tXbDIm5GYxEPpi2_7QkWMszl4LUJ4kKCoiPfVCpet7
    8QDAXhcqVr1xfZRnUrF2LxRGcyvfY9F4hQ5KeJNDB.EMgO0qvezWIseBkwyq
    .9NasguTZCsA_sCra0_AhPkD9CLjS66Yzz.CYJ7OkF3AMgO4rVrXtlusFfO8
    VxuDUQ6z88b4kaAzAtMgGHECcIYp5e0cabaFSbC8zmPDmDM8.3fsAaRAsaOw
    QDz6u8vTgvYfrD5hvUxqMLebccJ1Hn.PDp69fodiIPwr1.tB_2SUnT34fnVJ
    Tfroyv.DRlbpt5bogruRp9XShh1s28FEqgLSZQG7fDiE7V9GNFDfTx_6OBoj
    qte0U
    Received: from [112.246.217.52] by web15703.mail.cnb.yahoo.com via HTTP; Mon, 11 Feb 2013 14:14:11 CST
    X-Rocket-MIMEInfo: 001.001,aGVsbG8gZGVhciByb2JlcnTCoAp0aGFua3MgZm9yIHlvdXIgbWVzc2FnZSB5ZXMgaSBzZW5kIHlvdSBlbWFpbCB5b3Ugbm90IGhhdmUgdG8gZ2V0IHRoZW0gPwrCoHBscyBsZXQgaSBrbm93IG9rIHllcyBpIGhvcGUgeW91IGhhdmUgbmNpZSBkYXnCoApob3BlIHRvIGdldCB5b3VyIHJlcGx5CsKgc2luY2V2ZXJseSBodWHCoAoKCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCiDlj5Hku7bkurrvvJogUm9iZXJ0IENpcmVsbGkgPGJvYi5jaXJlbGxpQGdtYWlsLmNvbT4K5pS25Lu25Lq677yaIFBlaWgBMAEBAQE-
    X-Mailer: YahooMailWebService/0.8.132.503
    References:
    Message-ID:
    Date: Mon, 11 Feb 2013 14:14:11 +0800 (CST)
    From: Zzzzzz Zzzz
    Reply-To: Zzzzzz Zzzz
    Subject: =?utf-8?B?5Zue5aSN77yaIEhlbGxv?=
    To: Robert Xxxxx
    In-Reply-To:
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="1263515812-509779858-1360563251=:64660"

    --1263515812-509779858-1360563251=:64660
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable

    [/HTML]

    • #1374383

      Go here and paste your headers for a very good report.
      http://www.iptrackeronline.com/email-header-analysis.php

      • #1374389

        Go here and paste your headers for a very good report.
        http://www.iptrackeronline.com/email-header-analysis.php

        How do I find the Header in WL Mail 2012

        • #1374434

          How do I find the Header in WL Mail 2012

          Right click on the email and select properties.

          Jerry

          • #1374487

            Right click on the email and select properties.

            Jerry

            This is what it showed. What is the header?

            Delivered-To:
            Received: by 10.58.69.8 with SMTP id a8csp130382veu;
            Tue, 12 Feb 2013 04:17:55 -0800 (PST)
            X-Received: by 10.194.103.163 with SMTP id fx3mr18481074wjb.58.1360671475086;
            Tue, 12 Feb 2013 04:17:55 -0800 (PST)
            Return-Path:
            Received: from euedimxc012.emea.sykes.com (euedimxc012.emea.sykes.com. [195.254.180.104])
            by mx.google.com with ESMTPS id bn10si15481753wjb.150.2013.02.12.04.17.54
            (version=TLSv1 cipher=RC4-SHA bits=128/128);
            Tue, 12 Feb 2013 04:17:55 -0800 (PST)
            Received-SPF: softfail (google.com: domain of transitioning customercare.advisor@eu.panasonic.com does not designate 195.254.180.104 as permitted sender) client-ip=195.254.180.104;
            Authentication-Results: mx.google.com;
            spf=softfail (google.com: domain of transitioning customercare.advisor@eu.panasonic.com does not designate 195.254.180.104 as permitted sender) smtp.mail=customercare.advisor@eu.panasonic.com
            X-AuditID: 0a700868-b7fbd6d0000046dd-57-511a32f1d6fa
            Received: from eu.panasonic.com (Unknown_Domain [10.112.8.1])
            by euedimxc012.emea.sykes.com (Symantec Messaging Gateway) with SMTP id A4.5D.18141.1F23A115; Tue, 12 Feb 2013 12:17:53 +0000 (GMT)
            CaseID: [419118]
            From: "Panasonic Customer Service"
            To:
            Message-ID:
            Date: Tue, 12 Feb 2013 12:17:53 +0000
            Subject: RE: Panasonic – HOME ENTERTAINMENT Enquiry [Case ID #: 419118]
            MIME-Version: 1.0
            Content-type: text/html; charset=utf-8
            Content-Transfer-Encoding: quoted-printable
            X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrPJMWRmVeSWpSXmKPExsXCVcDBqPvRSCrQ4NQOQ4tXjz6zOzB67Jx1
            lz2AMYrLJiU1J7MstUjfLoErY/b7lawF14srpj5ZwNbAuCS+i5GTQ0LARGLSozPMELaYxIV7
            69m6GLk4hAQOM0p8PHWJCSTBLCAgsf7kXUYQm03AS+LplD9gtoiAhMSyM41gzbwC9hLPlixm
            B7FZBFQlDj/8wgpiCwu4S+z7vIgRokZQ4uTMJywQM9UkFv5eBDVfW2LZwtfMExh5ZiEpm4Wk
            bBaSsgWMzKsYpVJLU1MycyuSDQyN9FJzUxP1iiuzU4v1kvNzNzFCgiVjB+Pmf/qHGAU4GJV4
            eI+qSAUKsSaWFVfmHmKU4GBWEuGV0QcK8aYkVlalFuXHF5XmpBYfYpTmYFES513FGhwgJJCe
            WJKanZpakFoEk2Xi4JRqYLSePiHT+25X3Kd6+x/TjqzYJ13gJ7v1ZfwGhr6Eg3svfGTYV/xM
            sfZbxHr3TSUh87oXx50IW76O6eyLs7W7HvidmMaeIGkqvZKP1To867K11heJdu7aVct4Ojn5
            X3IU3/y36zyr70fB3VfVHbZE2k9sr7zpXmD1MONX3/wpIfcC/s+QuV3E3aPEUpyRaKjFXFSc
            CAC3cv28EgIAAA==
            X-Antivirus: avast! (VPS 130212-0, 12/02/2013), Inbound message
            X-Antivirus-Status: Clean

    • #1374444

      My reading of those emails is they are from compromised machines in China, unless people are being paid to write spam on their computers.
      The server names match the IP addresses reported, e.g. Received: from nm16-vm8.bullet.mail.sg3.yahoo.com (nm16-vm8.bullet.mail.sg3.yahoo.com. [106.10.149.71]). The only IP addresses that do not have matching names are the HTTP senders, and they are both in China.

      cheers, Paul
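    The two checks discussed in this thread, walked through in code: pulling the client IP out of the "via HTTP" Received: hop that Yahoo's webmail adds (the 112.246.217.52 the original post found in both headers) and comparing the hostname each relay claimed against the name the receiving server recorded next to the IP, as Paul describes. This is an added example, not code from the thread or from any header-analysis site; the sample headers are constructed from the hops quoted above plus one made-up mismatching hop, and a shared client IP shows a shared exit point (home router, café, proxy), not necessarily the same person.

```python
import re
# Constructed samples: the hops that matter from the two headers quoted in this thread
# (one kept folded so unfolding is exercised) plus a made-up hop whose claimed name differs.
HEADER_ONE = """\
Received: from nm9-vm5.bullet.mail.tp2.yahoo.com (nm9-vm5.bullet.mail.tp2.yahoo.com. [203.188.200.191])
 by mx.google.com with ESMTPS id w6si8547290pax.330.2013.02.10.20.54.57;
 Sun, 10 Feb 2013 20:54:58 -0800 (PST)
Received: from [203.188.200.143] by nm9.bullet.mail.tp2.yahoo.com with NNFMP; 11 Feb 2013 04:54:56 -0000
Received: from [112.246.217.52] by web92402.mail.cnh.yahoo.com via HTTP; Mon, 11 Feb 2013 12:54:55 CST
"""
HEADER_TWO = """\
Received: from nm16-vm8.bullet.mail.sg3.yahoo.com (nm16-vm8.bullet.mail.sg3.yahoo.com. [106.10.149.71]) by mx.google.com with ESMTPS id l7si17520461paz.9.2013.02.10.22.14.14; Sun, 10 Feb 2013 22:14:15 -0800 (PST)
Received: from [112.246.217.52] by web15703.mail.cnb.yahoo.com via HTTP; Mon, 11 Feb 2013 14:14:11 CST
"""
SPOOFED = "Received: from mx.yahoo.com (unknown-host.example. [198.51.100.7]) by mx.google.com with ESMTPS id x1;\n"

HOP_RE = re.compile(
    r"from (?P<name>[^\s(;]+)"                              # claimed name or bare [ip]
    r"(?: \((?P<rdns>[^\s\[]+?)\.? \[(?P<ip>[\d.]+)\]\))?"  # receiver's own lookup of the peer
    r" by (?P<by>[^\s;]+)(?: with (?P<with>[^\s;]+))?(?: via (?P<via>[^\s;]+))?"
)

def received_hops(raw):
    """Parse every Received: line, newest first, into the regex's group dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # rejoin folded continuation lines
    matches = (HOP_RE.search(line) for line in unfolded.splitlines() if line.startswith("Received:"))
    return [m.groupdict() for m in matches if m]

def hop_ip(hop):
    """IP the receiving server recorded: from its lookup, else from a bare [ip]."""
    m = re.fullmatch(r"\[([\d.]+)\]", hop["name"])
    return hop["ip"] or (m.group(1) if m else None)

def origin_ip(raw):
    """Client IP of the webmail hop: the 'via HTTP' Received: line Yahoo adds."""
    for hop in received_hops(raw):
        if (hop["via"] or "").upper() == "HTTP":
            return hop_ip(hop)
    return None

def inconsistent_hops(raw):
    """(claimed, looked-up) pairs where the sender's name and the receiver's lookup differ."""
    return [(h["name"], h["rdns"]) for h in received_hops(raw)
            if h["rdns"] and h["name"].lower() != h["rdns"].lower()]

def same_origin(raw_a, raw_b):
    """True when both messages were submitted from the same webmail client IP."""
    a, b = origin_ip(raw_a), origin_ip(raw_b)
    return a is not None and a == b
```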

    • #1374498

      @RR, the whole thing is generically “the header”. See the results at email header explained for links to investigate for details.

      --Joe

    • #1374506

      Thanks Joe
