E-mail header experts, where is this mail from?
The only legible IP address I can get is from Pakistan, but this person is supposedly in Africa (no, not a scam or for business lol!)... Can anyone help me find out where it truly came from? Is it possible that Yahoo is using their Pakistani server or something? What is that IP number, the IP where the person truly is sending the mail from?
Any help would be great:

X-Gmail-Received: 733661906dc453d3050f3d63a45516540687dc50
Delivered-To: @gmail.com
Received: by 10.35.129.20 with SMTP id g20cs578859pyn; Tue, 23 May 2006 11:48:58 -0700 (PDT)
Received: by 10.70.60.6 with SMTP id i6mr6719532wxa; Tue, 23 May 2006 11:48:57 -0700 (PDT)
Return-Path: <[email protected]>
Received: from web35905.mail.mud.yahoo.com (web35905.mail.mud.yahoo.com [66.163.179.189]) by mx.gmail.com with SMTP id h14si5619979wxd.2006.05.23.11.48.57; Tue, 23 May 2006 11:48:57 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of [email protected] designates 66.163.179.189 as permitted sender)
DomainKey-Status: good (test mode)
Received: (qmail 99347 invoked by uid 60001); 23 May 2006 18:48:56 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=vUCS6O1jZ9o+kf1Zf0zTBhGjOH/aLxMlk05GkMRVuj5OODN5J1eYg+61j9D2P41oP4Ej4EC3VUOjt co7j+hDaJzgehvOftqWegh/V7tG+m2LPaLcj+iv9Slnr7ancFG101E= ;
Message-ID: <[email protected] o.com>
Received: from [80.87.84.30] by web35905.mail.mud.yahoo.com via HTTP; Tue, 23 May 2006 11:48:56 PDT
Date: Tue, 23 May 2006 11:48:56 -0700 (PDT)
From: TRACY WILLIAMS <[email protected]>
Subject: Thanks.
To: Admin <@gmail.com>
In-Reply-To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-683701543-1148410136=:97164"
Content-Transfer-Encoding: 8bit

--0-683701543-1148410136=:97164
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
|
sec let me analyze
|
hmm actually that IP says from the US... damn.. any other ideas?
|
looks like that one 80.87.84.30
|
I'm much better with usenet headers :winkwink:
|
IP is from Ghana (gh)

Information related to '80.87.80.0 - 80.87.87.255'
inetnum: 80.87.80.0 - 80.87.87.255
netname: ghanatel
descr: Ghana Telecom ADSL ADDRESS POOL
country: GH
|
no clue....
|
I make it 80.87.84.30 - Ghana. I tried to ping, it's down, so I doubt it's a proxy.
Some Nigerians trying to scam u? |
Is it sent to your Yahoo account?

Received: from [80.87.84.30]

Unless it's spoofed this is the IP address... And that one looks to be from Ghana (as posted above). And Ghana is somewhere in Africa (like it should, like you said).

Good luck with helping the king of oekibaki, and receiving your 100.000 reward for sending just 30.000USD (j/k)

Andre |
In general you cannot trust SMTP headers, apart from the ones that the receiving system creates (assuming you do trust that :) )
This means that the only IP which is pretty much guaranteed to be accurate is the one that your server marks as delivering the mail. Anything else, including lines like

Received: from [80.87.84.30] by web35905.mail.mud.yahoo.com via HTTP; Tue, 23 May 2006 11:48:56 PDT

... can be forged. |
Gmail said it received from a yahoo.com server. The yahoo.com is SHA Authed, so it's probably genuine.
Which would mean that the

Received: from [80.87.84.30] by web35905.mail.mud.yahoo.com via HTTP; Tue, 23 May 2006 11:48:56 PDT

header is genuine too, because it was made by Yahoo. So the mail account most likely is [email protected] and actually owned by the person that sent the mail, which was definitely sent from 80.87.84.30 in that case. |
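The trust reasoning in the two replies above, as an added Python example that is not part of the thread: it walks the posted Received lines newest first and labels each recorded peer IP by whether an unbroken chain leads back to the recipient's own server. The `own_mx` default, the three trust labels and the rule that the parenthesised name is the receiver's own reverse-DNS lookup are assumptions of this sketch.

```python
import re
from email import message_from_string

# Received lines as posted in the thread (re-folded); all other headers omitted.
RAW = """\
Received: by 10.35.129.20 with SMTP id g20cs578859pyn;
 Tue, 23 May 2006 11:48:58 -0700 (PDT)
Received: by 10.70.60.6 with SMTP id i6mr6719532wxa;
 Tue, 23 May 2006 11:48:57 -0700 (PDT)
Received: from web35905.mail.mud.yahoo.com (web35905.mail.mud.yahoo.com [66.163.179.189])
 by mx.gmail.com with SMTP id h14si5619979wxd.2006.05.23.11.48.57;
 Tue, 23 May 2006 11:48:57 -0700 (PDT)
Received: (qmail 99347 invoked by uid 60001); 23 May 2006 18:48:56 -0000
Received: from [80.87.84.30] by web35905.mail.mud.yahoo.com via HTTP;
 Tue, 23 May 2006 11:48:56 PDT

"""

IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # peer address in brackets
BY = re.compile(r"\bby\s+([\w-]+(?:\.[\w-]+)+)")    # host that wrote the line
RDNS = re.compile(r"\(([\w.-]+)\s+\[")              # name the writer resolved for the peer (assumed format)

def received_values(raw):
    return message_from_string(raw).get_all("Received", [])

def trace(received, own_mx="mx.gmail.com"):
    """Return [(peer_ip, written_by, trust)], newest hop first."""
    hops, expected = [], own_mx
    for value in received:
        line = " ".join(value.split())             # unfold continuation lines
        ip, by = IP.search(line), BY.search(line)
        if not (ip and by):
            continue                               # internal hand-offs record no peer address
        by_host = by.group(1).lower()
        if by_host == expected:
            # Our own server's line is "verified"; a line written by the peer it
            # identified is only as good as that operator, hence "plausible".
            trust = "plausible" if hops else "verified"
            rdns = RDNS.search(line)
            expected = rdns.group(1).lower() if rdns else None
        else:
            trust, expected = "unverified", None   # chain broken: older lines are only claims
        hops.append((ip.group(1), by_host, trust))
    return hops

def likely_origin(hops):
    """Oldest hop still inside the unbroken chain, or None."""
    accepted = [h for h in hops if h[2] != "unverified"]
    return accepted[-1] if accepted else None

if __name__ == "__main__":
    for hop in trace(received_values(RAW)):
        print(hop)
```

A "plausible" result still depends on trusting the relaying provider and on the reverse-DNS name being honest, which is why the thread leans on the SPF and DomainKey results as corroboration.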
so now you can drive right over to 80.87.84.30 and call him a name:1orglaugh
|
well that would make sense, the person has told me they're from Ghana... so that checks out... thx guys =)
|