The Received lines are a chain. You start at the top, and that is the most *RECENT* place the e-mail came from. The *BOTTOM* is where the e-mail started from, with one caveat: the spammer can add Received: lines onto the bottom to make it look like it really originated from somewhere else, but as you get experience you will figure out what "looks wrong" and ignore those lines.
> Received: from smtp.your.isp ([192.168.16.1]) by smtp.your.isp with
> Microsoft SMTPSVC(5.0.2195.5329);
> Wed, 6 Aug 2003 22:25:06 +0100
Received by your ISP (Internet Service Provider).
> Received: from adsl-141-154-84-234.ba-dsg.net ([184.108.40.206]) by
> smtp.your.isp with Microsoft SMTPSVC(5.0.2195.5329);
> Wed, 6 Aug 2003 22:25:00 +0100
Received from 220.127.116.11 by your ISP. Double-check at Sam Spade that 18.104.22.168 actually is adsl-141-154-84-234.ba-dsg.net:
22.214.171.124 has valid reverse DNS of adsl-141-154-84-234.ba-dsg.net
So that is correct. Please note that 126.96.36.199 is a DSL connection. I would almost bet that the e-mail originated from 188.8.131.52 and that the next line was put into the e-mail to confuse the issue.
> Received: from sq.38hhzc6.org ([184.108.40.206])
> by adsl-141-154-84-234.ba-dsg.net with ESMTP id 31E493C63CF
> for <firstname.lastname@example.org>; Wed, 06 Aug 2003 18:17:34 -0400
Again we check that 220.127.116.11 is sq.38hhzc6.org:
Sam Spade says:
18.104.22.168 has valid reverse DNS of CPE0010db25c8b1-CM0f2029968262.cpe.net.cable.rogers.com
Something is not right here.
We look up sq.38hhzc6.org in Sam Spade:
Nothing is found.
We look up sq.38hhzc6.org in Google:
Google hasn't heard of it. Also note that the time in the Received line above is:
Wed, 06 Aug 2003 18:17:34 -0400
The Received line above it is:
Wed, 6 Aug 2003 22:25:00 +0100
So when we convert them all to the same time zone we get:
Received #1: Wed, 6 Aug 2003 21:25:06 +0000
Received #2: Wed, 6 Aug 2003 21:25:00 +0000
Received #3: Wed, 06 Aug 2003 22:17:34 -0000
So either the third Received line was faked (a very good possibility) or the machines' clocks were all screwed up (less and less of a possibility). I would discard the last line as faked.
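The two checks walked through above (does the reverse DNS of the connecting IP match the name it claimed, and do the timestamps still run in order once every hop is converted to UTC), as an added Python example that is not part of the original post. The headers, the RFC 5737 documentation addresses and the reverse-DNS table are constructed stand-ins for the Sam Spade lookups, not live queries.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not the original message): three hops, newest
# first, with RFC 5737 documentation addresses standing in for real ones.
SAMPLE_HEADERS = """\
Received: from smtp.your.isp ([192.0.2.1]) by smtp.your.isp with
 Microsoft SMTPSVC(5.0.2195.5329);
 Wed, 6 Aug 2003 22:25:06 +0100
Received: from adsl-141-154-84-234.ba-dsg.net ([198.51.100.7]) by
 smtp.your.isp with Microsoft SMTPSVC(5.0.2195.5329);
 Wed, 6 Aug 2003 22:25:00 +0100
Received: from sq.38hhzc6.org ([203.0.113.9])
 by adsl-141-154-84-234.ba-dsg.net with ESMTP id 31E493C63CF
 for <firstname.lastname@example.org>; Wed, 06 Aug 2003 18:17:34 -0400
Subject: sample

body
"""

# Constructed stand-in for the reverse-DNS answers Sam Spade gave in the text.
SAMPLE_RDNS = {
    "192.0.2.1": "smtp.your.isp",
    "198.51.100.7": "adsl-141-154-84-234.ba-dsg.net",
    "203.0.113.9": "CPE0010db25c8b1-CM0f2029968262.cpe.net.cable.rogers.com",
}

FROM_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def parse_received(raw_message):
    """Return the hops newest-first as (claimed_host, ip, utc_datetime)."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        value = " ".join(value.split())  # unfold the header onto one line
        m = FROM_RE.search(value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(2), when.astimezone(timezone.utc)))
    return hops


def suspicious_hops(hops, rdns, skew=timedelta(minutes=5)):
    """Flag hops whose claimed name or timestamp does not fit the chain."""
    findings = []
    for i, (host, ip, when) in enumerate(hops):
        # The reverse DNS of the connecting IP should match the name it claimed.
        if rdns.get(ip, "").lower() != host.lower():
            findings.append((i, "rdns mismatch: %s claimed %s" % (ip, host)))
        # An older hop (further down) should not be stamped later than the one above it.
        if i > 0 and when > hops[i - 1][2] + skew:
            findings.append((i, "timestamp later than the hop above it"))
    return findings
```

Run against the sample, only the third hop (index 2) is flagged, on both counts, which is the same line the text discards as faked.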
Therefore we would send a complaint to whoever owns:
We go to Google and search for abuse and ba-dsg.net:
We don't find much, so we go to Sam Spade or Abuse Net and take a look at ba-dsg.net:
Sam Spade tells us:
It traces through Verizon, so I would send the complaint to email@example.com. If it tells me that the person to complain to is not a "major" Internet Provider, I take a look at their web page. If it looks like they address spam issues, then I send them the complaint; otherwise I let the major Internet Provider handle it.
Everything below this line is easily faked, so you can ignore this part for the most part.
> Message-ID: <u-64i-8se8$q476-5b49-7y@tjb1voib2>
> From: "Molly Baxter" <firstname.lastname@example.org>
> To: YourEMail@your.provider.com
> Subject: Jenni Lopez exposed nipple pics
> Date: Wed, 06 Aug 03 18:17:34 GMT
> X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> X-Priority: 3
> X-MSMail-Priority: Normal
> Return-Path: email@example.com
> X-OriginalArrivalTime: 06 Aug 2003 21:25:04.0639 (UTC)
One more note: some spammers "name" their computer something that looks real, like "supersoftware.com" or "abcmail.com".
> Received: from fcmail.com ([22.214.171.124]) by mc2-f14.law16.hotmail.com with
> Microsoft SMTPSVC(5.0.2195.5600);
What is fake is the portion "fcmail.com". That is what the spammer "named" their computer. Sam Spade shows the connecting address as:
126.96.36.199 has valid reverse DNS of dhcp9552135.columbus.rr.com
Complain to firstname.lastname@example.org.
Next we check the claimed name, fcmail.com, with Sam Spade:
The DNS search shows nothing, and traceroute says it doesn't exist. So the initial Sam Spade lookup is correct.