Email tracing tool results question.

Post your questions about tracing the source IP address of an email here.
AgingKeeper
New Member
Posts: 2
Joined: Fri May 06, 2016 10:26 am

Email tracing tool results question.

Post by AgingKeeper »

I pasted the email header I included below into the tool and it said the email came from cpanelmail.sagonet.com. However, there are two "Received" blocks in the header. The first block does show the email coming from cpanelmail.sagonet.com at 16:44:37 UTC, but the second Received block shows that cpanelmail.sagonet.com received the email at 12:44:35 -0400 (which is 16:44:35 UTC I believe) from an IP address in Romania (5-12-84-60.residential.rdsnet.ro), so wouldn't the email origin be Romania?

Just trying to understand this and I am new to it.

Thanks!
--------------------- EMAIL HEADER BELOW
Return-Path: [email protected]
Delivered-To: [email protected]
X-FDA: 71485191036.04.store22_b52399e66c52
X-Spam-Summary: 50,0,0,25da85091f721e96,d41d8cd98f00b204,[email protected],:,RULES_HIT:41:355:379:541:967:973:988:989:1260:1263:1277:1311:1313:1314:1345:1381:1513:1515:1516:1518:1521:1526:1534:1536:1569:1593:1594:1711:1714:1730:1747:1755:1777:1792:2237:2393:2525:2549:2560:2563:2682:2685:2859:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3770:3876:3877:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:5007:6114:6261:6642:6646:6653:7266:7653:8599:8985:8987:9025:9121:10004:10400:11658:11815:11914:12043:12196:12517:12519:12682:13017:13018:13019:13025:13069:13090:13099:13110:13311:13357:13439:14181:14721:14725:14746:21080:21088:21227:21326,0,RBL:64.16.205.152:@genesiswholesale.com:.lbl8.mailshell.net-62.14.0.100 64.201.201.201,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:aprendajs.com-dnsbl7.mailshell.net-127.0.0.120,Custom_rules:0:0:0,LFtime:26,LUA_SUMMARY:none
X-HE-Tag: store22_b52399e66c52
X-Filterd-Recvd-Size: 2141
Received: from cpanelmail.sagonet.com (cpanelmail.sagonet.com [64.16.205.152])
by imf06.hostedemail.com (Postfix) with ESMTP
for <[email protected]>; Fri, 6 May 2016 16:44:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=genesiswholesale.com; s=default; h=To:Date:Message-Id:Subject:Mime-Version:
Content-Transfer-Encoding:Content-Type:From:Sender:Reply-To:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=gnLZNaRCO6LR//acOvH9YP0oo0gVu94z5Kk8fnRbhr0=; b=Pu6wNP6pOFx3vgqoOZAwA9Cwmc
pUfWMSja788Qq1Nn2lJ/a+kVbPgsdAg4lDqBuf5ku0LlKvEUiSwxqp3ndTx8xENpY1jfTxEz4Q57v
P2qTQr0nKbJ5l13Fff02nK6JSVzicx0Gzv43XGx0XpnTI1xMCJY539ugl9S347+rLdBQ=;
Received: from 5-12-84-60.residential.rdsnet.ro ([5.12.84.60]:54934 helo=genesiswholesale.com)
by cpanelmail.sagonet.com with esmtpa (Exim 4.87)
(envelope-from <[email protected]>)
id 1ayiri-0001yG-PN
for [email protected]; Fri, 06 May 2016 12:44:35 -0400
From: "mattnhsiu" <[email protected]>
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Subject: hello
Message-Id: <[email protected]>
Date: Fri, 6 May 2016 18:44:35 +0200
To: "gct3" <[email protected]>
X-Mailer: iPhone Mail (11A465)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cpanelmail.sagonet.com
X-AntiAbuse: Original Domain - chipandmel.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - genesiswholesale.com
X-Get-Message-Sender-Via: cpanelmail.sagonet.com: authenticated_id: [email protected]
X-Authenticated-Sender: cpanelmail.sagonet.com: [email protected]
X-Source:
X-Source-Args:
X-Source-Dir:

Good afternoon=20


<< snip >>





mattnhsiu
Last edited by Chrispcritters on Fri May 06, 2016 4:17 pm, edited 1 time in total.
Reason: spammer's link removed.
Chrispcritters
Forum Administrator
Posts: 2555
Joined: Tue Mar 02, 2010 5:41 pm
Location: 127.0.0.1 | ::1

Re: Email tracing tool results question.

Post by Chrispcritters »

The tool does its best to track the chain. Some headers do not chain nicely. I would agree that 5.12.84.60 is the origination.
Founder & CEO of WhatIsMyIPAddress.com.
You can follow me on Twitter and Facebook for some behind the scenes info.
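An added example, not part of the original thread or the site's tool: a short Python script that reads the two Received blocks from the header above oldest-first, normalises both timestamps to UTC, and checks that each hop's recording server is the host that hands the message to the next hop. The function names are hypothetical, the header is abridged with folding whitespace restored, and the redacted recipient is replaced by a constructed placeholder address; a Received line is only as trustworthy as the server that wrote it.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Abridged from the header posted above; folding whitespace restored and the
# redacted recipient replaced with a constructed placeholder address.
SAMPLE = """\
Received: from cpanelmail.sagonet.com (cpanelmail.sagonet.com [64.16.205.152])
\tby imf06.hostedemail.com (Postfix) with ESMTP
\tfor <user@example.invalid>; Fri, 6 May 2016 16:44:37 +0000 (UTC)
Received: from 5-12-84-60.residential.rdsnet.ro ([5.12.84.60]:54934 helo=genesiswholesale.com)
\tby cpanelmail.sagonet.com with esmtpa (Exim 4.87)
\tid 1ayiri-0001yG-PN
\tfor user@example.invalid; Fri, 06 May 2016 12:44:35 -0400
Subject: hello

"""

def parse_hops(raw):
    """Return the Received hops oldest-first (headers are prepended in transit)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # undo header folding
        info, _, stamp = flat.rpartition(";")     # date follows the last ';'
        sender = re.match(r"from (\S+)", info)    # name the sending host claimed
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", info)  # address the receiver saw
        by = re.search(r"\bby (\S+)", info)       # server that wrote this line
        when = parsedate_to_datetime(re.sub(r"\([^)]*\)", "", stamp).strip())
        hops.append({
            "from": sender.group(1) if sender else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "utc": when.astimezone(timezone.utc),
        })
    return hops

def chain_is_consistent(hops):
    """True when every hop's recording server is the next hop's sending host."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))

if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    for h in hops:
        print(h["utc"].isoformat(), h["ip"], "->", h["by"])
    print("chain consistent:", chain_is_consistent(hops))
```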
AgingKeeper
New Member
Posts: 2
Joined: Fri May 06, 2016 10:26 am

Re: Email tracing tool results question.

Post by AgingKeeper »

Thanks for taking the time to reply!