Email headers

By jardinier
For more than three years I have been emailing an orphan, Magdalene, who was a refugee from Liberia, living in a refugee camp in Ghana.

Recently she returned to Liberia (or so she said). However with my basic knowledge of reading email headers, I could readily see that her emails were still coming from Ghana. I did not worry too much about this as I have found that emails from some African countries will appear to originate from a neighbouring country.

That is until I read the headers of an email from an orphanage in Liberia with which I have regular contact. The emails were clearly from Liberia.

So I accused my friend of lying and blocked her email. I received a phone call from her begging me to reopen her email.

Before I make a final judgment I would like opinions as to whether an email allegedly from Liberia might appear to come from Ghana. These are not adjacent countries as they are separated by Ivory Coast.

All Answers

A lot can be happening here

by Deadly Ernest In reply to Email headers

the ISP may be routing through another country or an organisational HQ. Some of the emails I send through church have headers originating in the US as they go from the chapel via VPN to the corporate computer in the USA before hitting the Internet.

But the main thing is, if it's just emails, why not just open it and continue talking?

I remind you of a very famous person's words - "I came to help the sinner not the sinless."

why not just open it and continue talking?

by jardinier In reply to A lot can be happening he ...

There is 3 1/2 years of personal interaction between us which you don't need to know about. I simply want an answer to the question of the email headers.

Please see the reply below as I just gave a lengthy reply

by Deadly Ernest In reply to why not just open it and ...

to the one with the header info.

PS. you having trouble getting to sleep too. bleeding ten to one in the morning.

Questions:

by robo_dev In reply to Email headers

Do they have email in refugee camps?

Have you been sending money to this person?

The first obvious email header issue would be the time zone offset, and the second would be the IP address of the originator.

It is possible that if she is using something like a webmail service from an ISP based in Ghana, then the emails would still appear to come from Ghana, regardless of where the email client originates the email. So if I have a gmail account, all my email appears to originate from California, where Google is based.

However an institution-based POP3 email service, with an email address assigned by a school or orphanage, would be much more likely to be strictly associated with an IP/location. This would happen because the school/orphanage may be running their own email server, and its IP address would be tied to whatever local ISP they use.

Additionally, the time of day of the email may provide some incidental information. For example, at an orphanage, I would doubt that a resident would be allowed to use email at 4AM, or the time of multiple messages might hint that the time zone of the sender is not legitimate.

Of course if there is evidence of header spoofing, such as faked domains or source IP addresses, that would be a big red flag....

Do they have email in refugee camps?

by jardinier In reply to Questions:

Yes email is very accessible in Africa. You would no doubt be surprised to learn just how accessible.

As for sending money, I am not asking you to mind my business for me. I am asking a technical question.

All the various people I "talk" to in Africa have Yahoo email accounts. It is nearly always easy to ascertain the point of origin of the email. I have been doing this for two years so I know what I am talking about regarding African countries. I have received emails from various African countries from these same people as they move around, and nearly always the actual country in which they happen to be at the time is verified by the headers with the exception, which I have mentioned, that occasionally it appears to come from an adjacent country, but never from a country that is not immediately adjacent.

Ghana is GMT so 4 am Sydney time (where I live) is 6 pm Ghana time.

Here are the headers from an email allegedly from Liberia but obviously from Ghana:

Return-Path: <magdalenenimely@yahoo.com>
Received: from rly-mc03.mx.aol.com (rly-mc03.mail.aol.com [172.21.164.87]) by air-mc08.mail.aol.com (v123.4) with ESMTP id MAILINMC083-d614a008feb1bb; Tue, 05 May 2009 15:14:02 -0400
Received: from web56507.mail.re3.yahoo.com (web56507.mail.re3.yahoo.com [66.196.97.36]) by rly-mc03.mx.aol.com (v123.4) with ESMTP id MAILRELAYINMC031-d614a008feb1bb; Tue, 05 May 2009 15:13:47 -0400
Received: (qmail 76814 invoked by uid 60001); 5 May 2009 19:13:47 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1241550827; bh=8Qv24K0pYZapvwjIkPVbO8WtvRp/bu4aG+z6qI4v1PM=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=FfA3JhuSIVOh3/93zXS9CliQERVIKEfESsrFIWBK6/Bw3J+xv/Ti8gxJsQ1hgUZkFVWgy/JIlmpRZqNPFcYyV85eLkCILhYGSLD4YmT1QQx39U/vVr5Z0thxMbfbXHa7y1dENElVUKzMKdzq7LxwExfOgfQedqZzzD8RlReJ1xE=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
b=NUqBbZAA09uSOjVidWfLYffarANdlaFaSYN+j7wcCKtK1nVY9N4PJdqK0fXTdXNGi8luLwpboOicYvZaJ6aSOoVffzxWHTE4rPOjj77vhv6idLeBnl/Xjh1cTpvWj5wgwUMN940FXmn0YXfr4SfyKg0SRSAQ16q8X6BXMR081fI=;
Message-ID: <30023.70873.qm@web56507.mail.re3.yahoo.com>
X-YMail-OSG: 5FNBkiYVM1ldzQ1ORclYI_JB3awOBAFIPiY1N.C1BLpOHjZxLHVLcRUt_Jg4hjDe5oDn6Fqnm.YO9zJB365QpU8iphoMCUkh6ObIn0L7ka4mRPUHLY38XYMgHytGEUIyjqVPew9QrczgdDWyb.jB.Av8eltO0hGRYmcd6_kOCxayM05e0RogjXShD_jimL5YaiaZ1fawNZh2UbGHwDT1WW46TnE8Wv_GjwvzwUCbg4vPEc_T.XYwgXVc6uzSpUFLgIajWcp6z4myEEBCuYuwWgIYxu0LWOP0Qp2M
Received: from [41.211.3.241] by web56507.mail.re3.yahoo.com via HTTP; Tue, 05 May 2009 12:13:46 PDT
X-Mailer: YahooMailWebService/0.7.289.1
Date: Tue, 5 May 2009 12:13:46 -0700 (PDT)
From: magdalene nimely <magdalenenimely@yahoo.com>
Reply-To: magdalenenimely@yahoo.com
Subject: Am sorry.
To: jul646@aol.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-647650486-1241550826=:70873"
X-AOL-IP: 66.196.97.36
X-AOL-SCOLL-SCORE:0:2:487409344:93952408
X-AOL-SCOLL-URL_COUNT:0
X-AOL-SCOLL-AUTHENTICATION: mail_rly_antispam_dkim-d227.2 ; domain : yahoo.com DKIM : pass


Here are the headers of an email from the orphanage in Liberia.

Return-Path: <churchaidliberia@hotmail.com>
Received: from rly-mf07.mx.aol.com (rly-mf07.mail.aol.com [172.20.29.177]) by air-mf10.mail.aol.com (v123.4) with ESMTP id MAILINMF101-96c4a1d21fa140; Wed, 27 May 2009 07:20:34 -0400
Received: from col0-omc2-s11.col0.hotmail.com (col0-omc2-s11.col0.hotmail.com [65.55.34.85]) by rly-mf07.mx.aol.com (v123.4) with ESMTP id MAILRELAYINMF072-96c4a1d21fa140; Wed, 27 May 2009 07:20:27 -0400
Received: from COL120-W17 ([65.55.34.72]) by col0-omc2-s11.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 27 May 2009 04:20:26 -0700
Message-ID: <COL120-W17D30F4B445C2353B6516BDC530@phx.gbl>
Content-Type: multipart/alternative;
boundary="_6699c1a8-8b2d-4f1a-81c8-fe963418abdb_"
X-Originating-IP: [62.90.252.210]
From: Church Aid <churchaidliberia@hotmail.com>
To: Julian <jul646@aol.com>
Subject: RE: About Magdalene
Date: Wed, 27 May 2009 11:20:26 +0000
Importance: Normal
In-Reply-To: <c6e.3b598354.374e726d@aol.com>
References: <c6e.3b598354.374e726d@aol.com>
MIME-Version: 1.0
X-OriginalArrivalTime: 27 May 2009 11:20:26.0592 (UTC) FILETIME=[22824E00:01C9DEBD]
X-AOL-IP: 65.55.34.85
X-AOL-SCOLL-SCORE:1:2:455137984:93952408
X-AOL-SCOLL-URL_COUNT:1
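
Added example, not part of the original thread: a Python sketch that separates the provider's relay hops from the address the webmail front end recorded for the submitting browser, using the Received and X-Originating-IP lines from the two dumps above. The function names are this example's own, and mapping an address to a country needs a separate WHOIS or geolocation lookup that is not done here.

```python
import email
import ipaddress
import re

# Trimmed from the two header dumps in the post above (signature fields omitted).
YAHOO_HEADERS = """\
Received: from rly-mc03.mx.aol.com (rly-mc03.mail.aol.com [172.21.164.87]) by air-mc08.mail.aol.com (v123.4) with ESMTP id MAILINMC083-d614a008feb1bb; Tue, 05 May 2009 15:14:02 -0400
Received: from web56507.mail.re3.yahoo.com (web56507.mail.re3.yahoo.com [66.196.97.36]) by rly-mc03.mx.aol.com (v123.4) with ESMTP id MAILRELAYINMC031-d614a008feb1bb; Tue, 05 May 2009 15:13:47 -0400
Received: (qmail 76814 invoked by uid 60001); 5 May 2009 19:13:47 -0000
Received: from [41.211.3.241] by web56507.mail.re3.yahoo.com via HTTP; Tue, 05 May 2009 12:13:46 PDT

"""
HOTMAIL_HEADERS = """\
Received: from rly-mf07.mx.aol.com (rly-mf07.mail.aol.com [172.20.29.177]) by air-mf10.mail.aol.com (v123.4) with ESMTP id MAILINMF101-96c4a1d21fa140; Wed, 27 May 2009 07:20:34 -0400
Received: from col0-omc2-s11.col0.hotmail.com (col0-omc2-s11.col0.hotmail.com [65.55.34.85]) by rly-mf07.mx.aol.com (v123.4) with ESMTP id MAILRELAYINMF072-96c4a1d21fa140; Wed, 27 May 2009 07:20:27 -0400
Received: from COL120-W17 ([65.55.34.72]) by col0-omc2-s11.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Wed, 27 May 2009 04:20:26 -0700
X-Originating-IP: [62.90.252.210]

"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literal

def received_ips(raw):
    """IPs from each Received header, in header order (newest hop first)."""
    msg = email.message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        m = IP_RE.search(value)
        if m:  # the qmail hand-off line carries no IP
            found.append(m.group(1))
    return found

def submission_ip(raw):
    """IP the webmail provider recorded for the client that submitted the mail."""
    msg = email.message_from_string(raw)
    m = IP_RE.search(msg.get("X-Originating-IP") or "")
    if m:  # Hotmail-style explicit header
        return m.group(1)
    ips = received_ips(raw)  # Yahoo-style: oldest hop is the "via HTTP" line
    return ips[-1] if ips else None

def summarize(raw):
    """Split hops into the submission IP, public relays and internal relays."""
    sub = submission_ip(raw)
    relays = [ip for ip in received_ips(raw) if ip != sub]
    is_pub = lambda ip: ipaddress.ip_address(ip).is_global
    return {"submission_ip": sub,
            "public_relays": [ip for ip in relays if is_pub(ip)],
            "internal_relays": [ip for ip in relays if not is_pub(ip)]}
```

The relay addresses describe the mail providers' infrastructure; only the submission address was recorded for the connecting client, and it identifies the network that client connected from rather than a person or an exact place.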

G'day mate, am I right in reading this as coming from a Yahoo

by Deadly Ernest In reply to Do they have email in ref ...

web mail account? If that's the case then it can be coming from anywhere, depending upon which Yahoo mail server she's logged into at the time she sends. Also, it may be her account is linked to the server she first logged in through, Yahoo sometimes do that.

Web mail access does NOT work the same as normal email access.

Using my normal mail I contact my ISP and send the mail to them as a SMTP message where it gets hit with a time stamp by the ISP and sent off to another mail server and moves between mail servers around the world.

With a web mail account (such as Yahoo and Gmail) I log into the web mail service web site and enter my message there as an entry on the web page. That is saved to their server (wherever it be) and that server then tosses it into the mail server network after I hit send.

At one stage I was using a free web mail service that had all my mail from it telling people I was in the Middle East as their web server is in Saudi Arabia. I typed it on the web page and their server in Saudi Arabia then sent it from a Saudi ISP. I had a lot of fun playing with some people's minds about where I was at the time.

The headers for Yahoo mail, Hotmail, Gmail and the other web mail services are absolutely useless for telling where someone is sending from. Generally they will log in and send from the nearest Yahoo, Hotmail, Gmail server, but if it has a heavy load it can end up on any of their servers. In some cases I've heard some of these services lock an account to the server they first used and all future mails appear to come from that server, they do that to simplify their storage process.

Hope this helps you

edit to add.

I'm currently sitting in Junee NSW and can send you a personal email from any one of three accounts. The one from my hosting service will tell you it comes from Melbourne if I use that mail server, another will tell you it comes from Sydney as that's where the main Gmail server I end up connected to is, while the third will tell you it comes from Perth as that's where that server is. ****, I sometimes get mails from my son through one of his web mail services that tells me he's in the USA and not in the room next door - the lazy sod does that to send me links he thinks I should look at. Crazy, the electronic signals go halfway around the world and back to cover about three metres of physical space.

If you can't find the answer at Techrepublic .....

by jardinier In reply to G'day mate, am I right in ...

probably there is no answer. :)

Thanks Ernie. I will unblock the young lady's email and apologize.

I have a lot of interaction with people in various African countries. Some of this is related to my website:

http://thirdworldorphans.org

In about 60 per cent of instances, dnsstuff.com gives the correct point of origin of the email. Another 15 per cent do not give the precise point of origin, but say the DNS numbers belong to servers in Africa. Another 10 per cent will point to an adjacent country in Africa.

The other 15 per cent can point anywhere -- usually the USA but sometimes a European country.

I also get a lot of would-be scammers -- mostly from Russia but also from Africa. In most cases the correct point of origin is given.

The quality of the DNS headers will depend a lot on

by Deadly Ernest In reply to If you can't find the ans ...

the mail system used to send the email.

Some web mail organisations like Gmail, Hotmail, and Yahoo have servers all around the world, so when you see a Yahoo mail with a header from Russia, you can expect it's from somewhere near there. Sometimes the nearest web mail server is not accessible when people want to send a mail, so it jumps to the next available or the organisation's head office server - mostly in the USA. Some web mail services only have one server (like Gaweb used to have when I used them) and all mail shows as coming from that server in the Middle East. If they are using a normal mail server via an ISP, then it will come from where the ISP is located and most people will sign on with a local ISP.

A DNS check can only tell you where the originating server is - yes it's a good start point, but it shouldn't be seen as an absolute answer either. ****, people do a dns on my web site and think I live where my hosting service is located - again because most people look for something local.

I hope all works out well.

In addition..........

by ThumbsUp2 In reply to The quality of the DNS he ...

If you've got a web site hosted on a server located in another country and your web space provider gives you email addresses for that site, you can send email using web access through that email account and it will look as if you're sending from that country.

I set up and maintain several web sites. The main hosting company I use has servers in both China and the USA. When I set up an account, they automatically put it on their China server unless I specify otherwise. For the first few sites I set up using this provider, I didn't know the repercussions of using a server in China until my clients began telling me that when they sent mail through their web site email address, for example using info@somedomain.com, they were getting notices of their email being blocked because of the country of origin even though they were sitting in their living room in the USA. Once I had the hosting company move the sites to the USA-based servers, that problem went away.

So, even if you're not using one of the free web based email providers, the DNS of the origin of the email MAY not be an accurate representation of where you're physically located.

She has a new Yahoo email address

by jardinier In reply to Email headers

which indicates it is coming from Guyana, South America.

It is a very strange and complex process this system of tracking emails. B-)
