Financial Fraud

Posted: Tue Jan 05, 2016 6:26 am
by FraudCase
Hi. I am trying to locate where this email was sent from. I have one other also which I will post in a new thread. I have looked up the IP addresses I can see but it is showing only Apple's location and the location of 1&1 hosting company.

If this is unable to be traced, can anyone advise the legal situation of the police being able to trace it through the host?

Thank you

Return-path:<accounts@tw50.co.uk>Received:from nk11p00mm-smtpin001.mac.com ([17.158.160.110]) by ms05573.mac.com (Oracle Communications Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013)) with ESMTP id <0NW70075HLQFJQA0@ms05573.mac.com> for kedownie@icloud.com; Wed, 14 Oct 2015 12:08:39 +0000 (GMT)Original-recipient:rfc822;kedownie@icloud.comReceived:from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) by nk11p00mm-smtpin001.mac.com (Oracle Communications Messaging Server 7.0.5.35.0 64bit (built Mar 31 2015)) with ESMTPS id <0NW700ISZLQC3KO0@nk11p00mm-smtpin001.mac.com> for kedownie@icloud.com (ORCPT kedownie@icloud.com); Wed, 14 Oct 2015 12:08:39 +0000 (GMT)Received-SPF:none (nk11p00mm-smtpin001.mac.com: accounts@tw50.co.uk does not designate permitted sender hosts) receiver=nk11p00mm-smtpin017.mac.com; client-ip=212.227.126.130; helo=mout.kundenserver.de; envelope-from=accounts@tw50.co.uk;Authentication-results:nk11p00mm-smtpin001.mac.com; spf=none (nk11p00mm-smtpin001.mac.com: accounts@tw50.co.uk does not designate permitted sender hosts) smtp.mailfrom=accounts@tw50.co.uk;Received:from dyn1214-200.wlan.ic.ac.uk ([129.31.214.200]) by mrelayeu.kundenserver.de (mreue002) with ESMTPSA (Nemesis) id 0Lle6K-1aLfbc3tBI-00ZLOY; Wed, 14 Oct 2015 14:08:25 +0200From:Accounts <accounts@tw50.co.uk>Content-type:multipart/alternative; boundary="Apple-Mail=_66F4E7DD-12C2-4805-BDE7-ADB9E2225F91"Message-id:<AFDA3E51-A6E7-495C-9C60-765D6B509B01@tw50.co.uk>MIME-version:1.0 (Mac OS X Mail 8.2 \(2104\))Date:Wed, 14 Oct 2015 13:08:22 +0100Subject:Webinar LinkCc:Tradewith Fifty <tradewith50@mail.com>To:support@tw50.co.ukX-Mailer:Apple Mail (2.2104)Authentication-results:nk11p00mm-smtpin001.mac.com; dkim=none reason="no signature"; dkim-adsp=nonex-icloud-spam-score:30002230 f=tw50.co.uk;e=tw50.co.uk;is=yes;ir=no;pp=ham;spf=?;dkim=?;dmarc=?;wl=absent;pwl=absent;clxs=ham;clxl=absentx-dmarc-info:pass=?; dmarc-policy=(noPolicy); s=; 
d=X-CLX-Spam:falseX-CLX-Score:266X-CLX-Shades:NoneX-Proofpoint-Virus-Version:vendor=fsecure engine=2.50.10432:,, definitions=2015-10-14_05:,, signatures=0X-Proofpoint-Spam-Details:rule=notspam policy=default score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1510090000 definitions=main-1510140153

Financial Fraud

Posted: Tue Jan 05, 2016 6:27 am
by FraudCase
Hi again, this is the other email information…

Thanks in advance

Return-path:<tradewith50@mail.com>Received:from nk11p00mm-smtpin013.mac.com ([17.158.160.108]) by ms05573.mac.com (Oracle Communications Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013)) with ESMTP id <0NTD001SNM1YDE50@ms05573.mac.com> for kedownie@icloud.com; Thu, 20 Aug 2015 10:20:22 +0000 (GMT)Original-recipient:rfc822;kedownie@icloud.comReceived:from mout.gmx.com ([74.208.4.200]) by nk11p00mm-smtpin013.mac.com (Oracle Communications Messaging Server 7.0.5.35.0 64bit (built Mar 31 2015)) with ESMTPS id <0NTD002MRM1WZ520@nk11p00mm-smtpin013.mac.com> for kedownie@icloud.com (ORCPT kedownie@icloud.com); Thu, 20 Aug 2015 10:20:22 +0000 (GMT)Received-SPF:pass (nk11p00mm-smtpin013.mac.com: domain of tradewith50@mail.com designates 74.208.4.200 as permitted sender) receiver=nk11p00mm-smtpin004.mac.com; client-ip=74.208.4.200; helo=mout.gmx.com; envelope-from=tradewith50@mail.com;Authentication-results:nk11p00mm-smtpin013.mac.com; spf=pass (nk11p00mm-smtpin013.mac.com: domain of tradewith50@mail.com designates 74.208.4.200 as permitted sender) smtp.mailfrom=tradewith50@mail.com;Received:from [86.177.209.127] by msvc-mesg-gmxus003.server.lan (via HTTP) ; Thu, 20 Aug 2015 12:20:20 +0200MIME-version:1.0Message-id:<trinity-e7816c2e-7459-4b5e-9db7-333a224e16a8-1440066019681@msvc-mesg-gmxus003>From:tradewith50@mail.comTo:Karen Downie <kedownie@icloud.com>Subject:Re: SignalsContent-type:text/plain; charset=UTF-8Date:Thu, 20 Aug 2015 12:20:20 +0200In-reply-to:<4C4288AE-86B7-4375-855B-2C6664F81A31@icloud.com>References:<93A5A2B7-CF7B-4DC9-AA8B-14011439E183@icloud.com> <trinity-cea1f875-60a0-46fc-b42e-f4181cb75ad4-1440064907523@msvc-mesg-gmxus001> <4C4288AE-86B7-4375-855B-2C6664F81A31@icloud.com>Authentication-results:nk11p00mm-smtpin013.mac.com; dkim=none reason="no signature"; dkim-adsp=nonex-icloud-spam-score:33002230 f=mail.com;e=mail.com;is=yes;ir=no;pp=ham;spf=pass;dkim=?;dmarc=?;wl=absent;pwl=absent;clxs=ham;clxl=absentx-dmarc-info:pass=?; 
dmarc-policy=(noPolicy); s=; d=X-CLX-Spam:falseX-CLX-Score:1005X-CLX-Shades:NotJunkX-Proofpoint-Virus-Version:vendor=fsecure engine=2.50.10432:5.14.151,1.0.33,0.0.0000 definitions=2015-08-20_06:2015-08-20,2015-08-20,1970-01-01 signatures=0X-Proofpoint-Spam-Details:rule=notspam policy=default score=0 spamscore=0 suspectscore=1 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1412110000 definitions=main-1508200163

Re: Financial Fraud

Posted: Tue Jan 05, 2016 8:05 am
by Chrispcritters
The headers are a bit hard to read since all the line breaks have been removed but the first one appears to come from 129.31.214.200.

The second appears to come from 86.177.209.127.

The police can subpoena records from the mail provider, ISP, etc.
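
The reading of the headers in the reply above can be done mechanically even when the line breaks are gone. The following is an added example, not part of the thread: it pulls each `Received:` hop out of a run-together header paste and reports the bottom-most hop and the deepest hop recorded by a server the recipient trusts. The sample input, the function names and the trusted-suffix list are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample (not from the thread): headers with line breaks lost,
# using documentation-range IPs and example.* host names.
SAMPLE = (
    "Return-path:<sender@example.org>"
    "Received:from mx-in.example.net ([198.51.100.10]) by store.example.net "
    "with ESMTP id <A1@store.example.net>; Wed, 14 Oct 2015 12:08:39 +0000"
    "Received:from mout.example.com (mout.example.com [203.0.113.25]) by "
    "mx-in.example.net with ESMTPS id <B2@mx-in.example.net>; Wed, 14 Oct 2015"
    "Received-SPF:none client-ip=203.0.113.25; helo=mout.example.com;"
    "Received:from dyn-host.campus.example ([192.0.2.200]) by relay.example.com "
    "with ESMTPSA id 0abc; Wed, 14 Oct 2015 14:08:25 +0200"
    "From:Accounts <sender@example.org>"
)

# "Received:" never matches "Received-SPF:", so SPF results are skipped.
HOP_RE = re.compile(r"Received:\s*from\s+(?P<src>.*?)\s+by\s+(?P<by>[^\s;]+)", re.S)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def parse_hops(raw):
    """Return hops newest-first as (recording_server, client_ip or None)."""
    hops = []
    for m in HOP_RE.finditer(raw):
        found = IP_RE.search(m.group("src"))
        ip = None
        if found:
            try:
                ip = str(ipaddress.ip_address(found.group(1)))
            except ValueError:
                ip = None  # bracketed text that is not a valid address
        hops.append((m.group("by"), ip))
    return hops

def earliest_hop(hops):
    """Bottom-most Received line: the client that first handed over the mail."""
    return hops[-1] if hops else None

def deepest_trusted(hops, trusted_suffixes):
    """Walk down from the recipient's side while the recording server is trusted."""
    best = None
    for by, ip in hops:
        if not by.lower().endswith(tuple(trusted_suffixes)):
            break
        best = (by, ip)
    return best
```

The address returned by `deepest_trusted` is what the recipient's own provider observed; anything below it, including the result of `earliest_hop`, is only as reliable as the upstream server that wrote the line.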

Re: Financial Fraud

Posted: Tue Jan 05, 2016 11:27 am
by FraudCase
Thank you, I missed the second one.

I have entered it into this website https://www.iplocation.net

It displays a few different locations - York, Lincolnshire, London. Is that normal or is there a more accurate site to use?

Thank you, it is very helpful, and it is good to know that the police will have something to go on.

Re: Financial Fraud

Posted: Tue Jan 05, 2016 11:32 am
by Chrispcritters
Each of the sites will vary with where they get their geolocation data -- which is normal.

Yes, getting law enforcement involved is the best solution. They can subpoena ISP records to find out the customer service address for the IP addresses that were used to send the emails.