steve,
I’ve received emails from individuals whom I pretty much know for sure
are Eastern European scammers using web-based email services. One was
using Yahoo and claimed to be located in Texas, though I believe his
location to be Romania. In his emails, the originating IP would be,
e.g.,
X-Originating-IP: [69.147.97.27]
Running a whois on this IP only gives me Yahoo’s base address in
California and there are no long strings of consecutive IP numbers in
the headers. However, in emails I get from anyone using web-based
email services, a number of lines will be present regarding "domain
key-signature". These are the lines I mentioned with long strings of
numbers and letters, and these lines never seem to appear in the
headers of those who have paid POP/SMTP accounts and are not using
web-based services. For example, the email with the "originating" IP
above (whose "whois" base address was definitely not the scammer’s
home address/home country) contained the following:
DomainKey-Signatu a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received
ate:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
b=FAFkR3d6omYn6VtPjCY6+ymucO3MGorOR7WnFNqM9zKKBY2Y VIzJr+3TsECv1ikbjxS7MtbSLiBq30H6a1b9BDnFABJQLM5Kgv eJrpAZITqHIDIUmiNoahWdHjGhhm06GoQbfHXsQjo9z4a7XS2x TFp4IwOmGdSP3Y8BZpuPThM=
;
X-YMail-OSG:
vA5jNJQVM1mlwSc9krXxyd6J1m6FfDSsxmYWhKr9D1t8nWwoqW LREB3wmv9YDpWB0uF3JvO.H8CPKvPeQB.Lj0sq8Dw8kdZX70UW WHTO.dueRI_zdOZn0ctRdtFpNU.V
Do you know of any way to use this information to determine the actual
country/city of origin ??
badwolf
On Sat, 10 Mar 2007 21:22:21 -0600, Steve Wertz
> wrote:
>On Sat, 10 Mar 2007 02:23:50 -0500, badwolf wrote:
>
>> If you are emailing back and forth with seller, check seller’s email
>> address to see if it is a free web-based email account (hotmail.com,
>> yahoo.com, gmail.com, etc.). Legit sellers with a fixed address will
>> typically not be using a free web-based email service. Scammers
>> prefer the extra layer of anonymity and untracability the free
>> services provide.
>
>Usually email sent from hotmail (and yahoo) contains the IP
>address of the originating computer that sent the email. You can
>tell which ISP they have (or if they're using a public access
>site), and in most cases, where that host is located.
>
>Using an email address separate from your ISP is actually a wise
>decision. Leaving it up to hotmail or yahoo ... well, there are
>much better mail services out there.
>
>But always check the IP address of the originating message to see
>if the person lives where they claim (or imply).
>
>> You can also just examine the email headers. If it’s
>> from a paid nntp server, there will usually not be any very long
>> lines. If it’s a web-based service, there will be 2 or 3 long lines
>> with long unintelligle strings of numbers and letters.
>
>Mail is transferred VIA SMTP (in most cases), NNTP is news and
>it's protocol has no support for email. Mail usually has several
>long "from" headers to tell you how the message was received.
>
>Read the 'from' lines in your email headers, starting from the
>bottom up. The first IP you encounter is usually the originating
>email host.
>
>-sw