Harassing email

Onkette
New Member
Posts: 3
Joined: Sun Oct 04, 2015 12:34 pm

Harassing email

Post by Onkette » Sun Oct 04, 2015 12:43 pm

I have been receiving unsolicited email newsletter subscriptions for months. Recently, I received an email from the person who has been signing me up for these newsletters via Guerrilla Mail. Guerrilla Mail includes the originating IP address in the headers.

So, I looked up the IP address and discovered the location is a particular city in South Carolina where I happen to have one relative. I don't know anyone else in SC. So, I opened up a legitimate email I received from this relative and discovered the IP address is the same as the one from the Guerrilla Mail message.

Then, I looked up the ISP for the IP address and discovered the ISP is one of 2 available in this relative's zip code (ATT Uverse).

How likely is it that the IP address for the Guerrilla Mail message would match her legitimate email IP address if the senders were different people?

Re: Harassing email

Post by Onkette » Mon Oct 05, 2015 8:40 am

Here are the headers from one email:

Delivered-To: [recipient]@gmail.com
Received: by 10.140.109.196 with SMTP id l62csp10489qgf;
    Tue, 4 Aug 2015 13:03:56 -0700 (PDT)
X-Received: by 10.170.186.140 with SMTP id c134mr5899487yke.54.1438718636621;
    Tue, 04 Aug 2015 13:03:56 -0700 (PDT)
Return-Path: <[sender]@me.com>
Received: from nk11p10mm-asmtp002.mac.com (nk11p10mm-asmtp002.mac.com. [17.158.185.186])
    by mx.google.com with ESMTPS id h127si483889ywb.78.2015.08.04.13.03.56
    for <[recipient]@gmail.com>
    (version=TLSv1.2 cipher=AES128-GCM-SHA256 bits=128/128);
    Tue, 04 Aug 2015 13:03:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of [sender]@me.com designates 17.158.185.186 as permitted sender) client-ip=17.158.185.186;
Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of [sender]@me.com designates 17.158.185.186 as permitted sender) smtp.mail=[sender]@me.com;
    dmarc=pass (p=NONE dis=NONE) header.from=me.com
Received: from [192.168.1.96]
    (108-248-192-20.lightspeed.gnvlsc.sbcglobal.net [108.248.192.20])
    by nk11p10mm-asmtp002.mac.com
    (Oracle Communications Messaging Server 7.0.5.35.0 64bit (built Mar 31 2015))
    with ESMTPSA id <0NSK00CLOQEFM300@nk11p10mm-asmtp002.mac.com> for
    [[recipient]@gmail.com; Tue, 04 Aug 2015 20:03:53 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure
    engine=2.50.10432:5.14.151,1.0.33,0.0.0000
    definitions=2015-08-04_10:2015-08-04,2015-08-04,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
    suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0
    reason=mlx scancount=1 engine=7.0.1-1412110000 definitions=main-1508040318
Subject: Re: [Subject 2]
References: <C1F2E0C2-1398-4101-A637-985B3ACE95AF@gmail.com>
    <A7852AE5-D2E7-4DDD-BCB7-3207D8DAF611@me.com>
    <01C011DF-1D3E-4CB3-A51B-C081A5206315@gmail.com>
From: [Sender] <[sender]@me.com>
Content-type: text/plain; charset=utf-8
X-Mailer: iPad Mail (11D257)
In-reply-to: <01C011DF-1D3E-4CB3-A51B-C081A5206315@gmail.com>
Message-id: <D2D330DA-07BA-416A-90A8-78B44F1CE88E@me.com>
Date: Tue, 04 Aug 2015 16:03:54 -0400
To: [Recipient] <[recipient]@gmail.com>
Content-transfer-encoding: quoted-printable
MIME-version: 1.0 (1.0)

Re: Harassing email

Post by Onkette » Mon Oct 05, 2015 8:41 am

And from the second email:

Delivered-To: [example]@gmail.com
Received: by 10.140.94.103 with SMTP id f94csp773094qge;
    Thu, 1 Oct 2015 17:36:52 -0700 (PDT)
X-Received: by 10.182.28.100 with SMTP id a4mr8208307obh.38.1443746212480;
    Thu, 01 Oct 2015 17:36:52 -0700 (PDT)
Return-Path: <1xjcbi+2gx4mgjhvtki6nq5b7h@guerrillamail.com>
Received: from guerrillamail.com (mail.guerrillamail.com. [198.143.169.10])
    by mx.google.com with ESMTP id u1si4556700obf.56.2015.10.01.17.36.52
    for <[example]@gmail.com>;
    Thu, 01 Oct 2015 17:36:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of 1xjcbi+2gx4mgjhvtki6nq5b7h@guerrillamail.com designates 198.143.169.10 as permitted sender) client-ip=198.143.169.10;
Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of 1xjcbi+2gx4mgjhvtki6nq5b7h@guerrillamail.com designates 198.143.169.10 as permitted sender) smtp.mailfrom=1xjcbi+2gx4mgjhvtki6nq5b7h@guerrillamail.com;
    dkim=pass header.i=@guerrillamail.com;
    dmarc=pass (p=REJECT dis=NONE) header.from=guerrillamail.com
Received: by 198.143.169.10 with HTTP; Fri, 02 Oct 2015 00:36:21 +0000
MIME-Version: 1.0
Message-ID: <1529693212bdf241fbde10bf5b007e85f295@guerrillamail.com>
Date: Fri, 02 Oct 2015 00:36:21 +0000
To: "[example]@gmail.com" <[example]@gmail.com>
From: <1xjcbi+2gx4mgjhvtki6nq5b7h@guerrillamail.com>
Subject: [Subject]
X-Originating-IP: [108.248.192.20]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Domain-Signer: PHP mailDomainSigner 0.2-20110415 <http://code.google.com/p/php-mail-domain-signer/>
DKIM-Signature: v=1; a=rsa-sha256; s=highgrade; d=guerrillamail.com; l=281;
    t=1443746186; c=relaxed/relaxed; h=to:from:subject;
    bh=d5cwGVFAZiJxoHAD8mHmPYS/+wN05EudTTugiLBaAQY=;
    b=CXADghpJOXz35ol+g9xt2GE8lfEMoYGRZPiZxZ+v+Y26n2U1GI/CXcAiD+gdiILnft5/4VLMSWM1
    0CTAC1mAPTtwAwpPIRmnwNnxUqfRiKm4rLLI3833qtsNV3wo+4TtAeVSKRcXS2KQQ3BjUMuhZ4rP
    lGpSPsxDK/RpXmljmAXo8m5ASOACl9OyDsm1F9GL5IGzcqGw+UczdTF907VC6BzvQoHdRgcPc4GR
    xhA5AJgHbdY/tOb89CxsTswAAnZhetD9iNWc0Ky3vjNqVHJCIYTmGj54XExtObQ0rDTDlxlkjr5x
    z0Sf3ixhVDtVtrbZ+9jTcN/4rn25QBFOMRKsrA==
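
The header comparison described in the posts above, as an added example that is not part of the original thread: it reads the sender's public address from X-Originating-IP, or failing that from the earliest Received hop, and checks whether two messages share it. The samples are abbreviated, constructed copies of the posted headers and the function names are hypothetical; a match ties two messages to the same internet connection at those times, not to a particular person.

```python
import contextlib
import email
import ipaddress
import re

# Constructed, abbreviated copies of the two header sets posted in the thread.
ICLOUD_MSG = """\
Received: from nk11p10mm-asmtp002.mac.com (nk11p10mm-asmtp002.mac.com. [17.158.185.186])
 by mx.google.com with ESMTPS; Tue, 04 Aug 2015 13:03:56 -0700 (PDT)
Received: from [192.168.1.96]
 (108-248-192-20.lightspeed.gnvlsc.sbcglobal.net [108.248.192.20])
 by nk11p10mm-asmtp002.mac.com with ESMTPSA;
 Tue, 04 Aug 2015 20:03:53 +0000 (GMT)
"""
WEBMAIL_MSG = """\
Received: from guerrillamail.com (mail.guerrillamail.com. [198.143.169.10])
 by mx.google.com with ESMTP; Thu, 01 Oct 2015 17:36:52 -0700 (PDT)
Received: by 198.143.169.10 with HTTP; Fri, 02 Oct 2015 00:36:21 +0000
X-Originating-IP: [108.248.192.20]
"""

def public_ips(text):
    """Bracketed IP literals in text that are globally routable."""
    out = []
    for ip in re.findall(r"\[([0-9.]+)\]", text):
        with contextlib.suppress(ValueError):  # skip malformed literals
            if ipaddress.ip_address(ip).is_global:
                out.append(ip)
    return out

def client_ip(raw):
    """Return (ip, source) for the sender's public address, or (None, None)."""
    msg = email.message_from_string(raw)
    # Webmail services that disclose the browser's address use this header.
    ips = public_ips(msg.get("X-Originating-IP", ""))
    if ips:
        return ips[0], "X-Originating-IP"
    # Otherwise walk Received from the earliest hop (last header), reading
    # only the "from" clause and skipping private LAN addresses.
    for hop in reversed(msg.get_all("Received", [])):
        if hop.lstrip().lower().startswith("from"):
            ips = public_ips(re.split(r"\sby\s", hop, maxsplit=1)[0])
            if ips:
                return ips[0], "Received"
    return None, None

def same_origin(raw_a, raw_b):
    ip_a, ip_b = client_ip(raw_a)[0], client_ip(raw_b)[0]
    return ip_a is not None and ip_a == ip_b
```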
