can one tell where an email originates from?

Post your questions about tracing the source IP address of an email here.
aspencherub
New Member
Posts: 1
Joined: Sun Dec 11, 2016 11:16 am

can one tell where an email originates from?

Post by aspencherub » Sun Dec 11, 2016 11:23 am

Return-Path: {removed}@outlook.com
Received: from reszmta-ch2-02v.sys.comcast.net (LHLO
reszmta-ch2-02v.sys.comcast.net) (69.252.207.66) by
resmail-po-448v.sys.comcast.net with LMTP; Sun, 17 Apr 2016 11:15:15 +0000
(UTC)
Received: from resimta-ch2-11v.sys.comcast.net ([69.252.207.11])
by comcast with SMTP
id rkaqaloZ0vNbdrkfbaDgAO; Sun, 17 Apr 2016 11:15:15 +0000
Received: from BLU004-OMC1S36.hotmail.com ([65.55.116.47])
by resimta-ch2-11v.sys.comcast.net with comcast
id jPFF1s03C11RrXD01PFFCG; Sun, 17 Apr 2016 11:15:15 +0000
X-CAA-SPAM: N00000
X-Authority-Analysis: v=2.1 cv=QKaVPV/L c=1 sm=1 tr=0
a=S41bZ1Dlwh+8bxorBcDYYQ==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10
a=s5jvgZ67dGcA:10 a=xqWC_Br6kY4A:10 a=kziv93cY1bsA:10
a=klaHyzbkpz2phxsXNOQA:9 a=wPNLvfGTeEIA:10 a=T8o9m6ilJmah9XTB:21
a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10
Authentication-Results: resimta-ch2-11v.sys.comcast.net;
dkim=pass header.d=outlook.com header.b=mok6JlOT
Received: from EUR01-DB5-obe.outbound.protection.outlook.com ([65.55.116.7]) by BLU004-OMC1S36.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
Sun, 17 Apr 2016 04:15:15 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=luKNG0AJH/MUY63T2A2HZnq0ohyB7MOeRopPc9ql39s=;
b=mok6JlOTo65NF4YzHV10yju2xY2AUrxntfcHUrjiqHk8eQXYO4v8rYPB7rl8WaW3PnhXL5LfmPI0YLoMmDZ0L7OmqrPVpGfeVoUlYJMjcmzdAg0OQJKazUZmc9HbEzL7Jn4P8gYASX6a/y1zVk2JnQCQGWV75weB3HCyIpbAAUFNUU3JRz5nj+XoFiUk2oqKrw3tC3vLQJ1y5AXY2xYWRHz+M/aB8KwJmVG0XtB8z7RIgDpdlh7daij4BLBtjAaSYcnuBQPVyV7XlO+zhxzS13bcMt2arZaLYZRlUDc/yQJmpNmrkU24cyqMC75HTSNNW3DqICWRDidL8Oo0FgKIlg==
Received: from DB5EUR01FT034.eop-EUR01.prod.protection.outlook.com
(10.152.4.52) by DB5EUR01HT086.eop-EUR01.prod.protection.outlook.com
(10.152.5.125) with Microsoft SMTP Server (TLS) id 15.1.472.8; Sun, 17 Apr
2016 11:15:13 +0000
Received: from AM3PR06MB0774.eurprd06.prod.outlook.com (10.152.4.56) by
DB5EUR01FT034.mail.protection.outlook.com (10.152.4.246) with Microsoft SMTP
Server (TLS) id 15.1.472.8 via Frontend Transport; Sun, 17 Apr 2016 11:15:13
+0000
Received: from AM3PR06MB0774.eurprd06.prod.outlook.com
([fe80::d955:81c2:1484:8621]) by AM3PR06MB0774.eurprd06.prod.outlook.com
([fe80::d955:81c2:1484:8621%16]) with mapi id 15.01.0453.031; Sun, 17 Apr
2016 11:15:13 +0000
From: fabio branchini <{removed}@outlook.com>
To: jo-ann <{removed}@comcast.net>
Subject: You Make Me Happy
Thread-Topic: You Make Me Happy
Thread-Index: AQHRmJpphzhAIUQQckSmY1f+6O+lRA==
Date: Sun, 17 Apr 2016 11:15:13 +0000
Message-ID: <AM3PR06MB07747A0B564153B67412877EC06A0@AM3PR06MB0774.eurprd06.prod.outlook.com>
References: <132579423.10308797.1460842654680.JavaMail.zimbra@comcast.net>,<530278844.10310385.1460843007390.JavaMail.zimbra@comcast.net>
In-Reply-To: <530278844.10310385.1460843007390.JavaMail.zimbra@comcast.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=softfail (sender IP is 25.152.4.56)
smtp.mailfrom=outlook.com; comcast.net; dkim=none (message not signed)
header.d=none;comcast.net; dmarc=fail action=none header.from=outlook.com;
received-spf: SoftFail (protection.outlook.com: domain of transitioning
outlook.com discourages use of 25.152.4.56 as permitted sender)
x-tmn: [0OWV07bCSmsW5Nh6dEK+AVArK4wOGJlcR+YtD0zyIvY=]
x-eopattributedmessage: 0
x-forefront-antispam-report: CIP:25.152.4.56;IPV:NLI;CTRY:GB;EFV:NLI;SFV:NSPM;SFS:(10019020)(98900003);DIR:OUT;SFP:1102;SCL:1;SRVR:DB5EUR01HT086;H:AM3PR06MB0774.eurprd06.prod.outlook.com;FPR:;SPF:SoftFail;MLV:ovrnspm;MX:1;A:1;LANG:en;
x-ms-office365-filtering-correlation-id: 9a755a2a-a408-44f1-98a8-08d366b18c5f
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(5061506196)(5061507196);SRVR:DB5EUR01HT086;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(432015012)(82015046);SRVR:DB5EUR01HT086;BCL:0;PCL:0;RULEID:;SRVR:DB5EUR01HT086;
x-forefront-prvs: 0915875B28
Content-Type: multipart/alternative;
boundary="_000_AM3PR06MB07747A0B564153B67412877EC06A0AM3PR06MB0774eurp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Apr 2016 11:15:13.8597
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5EUR01HT086
Return-Path: {removed}@outlook.com
X-OriginalArrivalTime: 17 Apr 2016 11:15:15.0342 (UTC) FILETIME=[6ABA12E0:01D1989A]

--_000_AM3PR06MB07747A0B564153B67412877EC06A0AM3PR06MB0774eurp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

If I could put into words how you make me feel when I think of you, and how=
much you excite me when I hear your sweet voice, I would be talking foreve=
r. You're all that I need and want,Honey. I live for the day that I can sit=
next to you and whisper into your ear and tell you that I love you, and ki=
ss you ever so lightly, but passionately on your lips, and to look into you=
r beautiful eyes as you take my breath away. I live for that first look int=
o your eyes, that first passionate kiss, that first embrace, and that first=
time that we make love together. I live to love, to spend a lifetime with =
you as your man and to grow old with you, loving you for all time..


Fabio
Last edited by Chrispcritters on Mon Dec 12, 2016 3:29 pm, edited 1 time in total.
Reason: Removed email addresses and removed duplicated HTML content.

Chrispcritters
Forum Administrator
Posts: 2445
Joined: Tue Mar 02, 2010 5:41 pm
Location: 127.0.0.1 | ::1

Re: can one tell where an email originates from?

Post by Chrispcritters » Mon Dec 12, 2016 3:26 pm

Unfortunately the sender's IP address is not included in the headers. (There is a suspect reference to 25.152.4.56 but I believe that's a forged header).

Based on the content of the email I suspect this is a romance scam. If someone you've never met in person, and only chatted/skyped with for a short period of time, expresses such feelings, you should trust your gut (which is probably why you are here digging into this guy) and assume it's a scam. At some point they will ask for money.

Would you be so kind as to share some of this person's story with us, why you can't currently meet them in person, and why you were suspicious of them?
Founder & CEO of WhatIsMyIPAddress.com.
You can follow me on Twitter and Facebook for some behind the scenes info.
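
The reply's point can be checked against the posted headers. The following is an added example, not part of the original thread: it walks the Received chain oldest-first and labels the address each hop recorded. The header excerpt is copied (unfolded and trimmed) from the post above; the function names are this example's own.

```python
import email
import ipaddress
import re

# Four Received headers excerpted from the message posted above (unfolded).
RAW = """\
Received: from reszmta-ch2-02v.sys.comcast.net (LHLO reszmta-ch2-02v.sys.comcast.net) (69.252.207.66) by resmail-po-448v.sys.comcast.net with LMTP; Sun, 17 Apr 2016 11:15:15 +0000 (UTC)
Received: from BLU004-OMC1S36.hotmail.com ([65.55.116.47]) by resimta-ch2-11v.sys.comcast.net with comcast id jPFF1s03C11RrXD01PFFCG; Sun, 17 Apr 2016 11:15:15 +0000
Received: from DB5EUR01FT034.eop-EUR01.prod.protection.outlook.com (10.152.4.52) by DB5EUR01HT086.eop-EUR01.prod.protection.outlook.com (10.152.5.125) with Microsoft SMTP Server (TLS) id 15.1.472.8; Sun, 17 Apr 2016 11:15:13 +0000
Received: from AM3PR06MB0774.eurprd06.prod.outlook.com ([fe80::d955:81c2:1484:8621]) by AM3PR06MB0774.eurprd06.prod.outlook.com ([fe80::d955:81c2:1484:8621%16]) with mapi id 15.01.0453.031; Sun, 17 Apr 2016 11:15:13 +0000

"""

# An address literal in parentheses or brackets, with an optional IPv6 zone id.
ADDR = re.compile(r"[(\[]([0-9A-Fa-f:.]+)(?:%\w+)?[)\]]")

def scope(ip):
    """Classify an address; link-local is tested before private on purpose."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "private" if ip.is_private else "public"

def trace_hops(raw):
    """Return (sending host, address, scope) per Received header, oldest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        sender_part = " ".join(value.split()).split(" by ", 1)[0]
        host = re.match(r"from\s+(\S+)", sender_part)
        for candidate in ADDR.findall(sender_part):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # parenthesised text that is not an address
            hops.append((host.group(1) if host else "?", str(ip), scope(ip)))
            break
    return hops[::-1]  # headers are prepended, so the last one is the oldest

def first_public_hop(hops):
    """Earliest hop whose recorded address is internet-routable, or None."""
    return next((h for h in hops if h[2] == "public"), None)

if __name__ == "__main__":
    for hop in trace_hops(RAW):
        print(hop)
```

On these headers the two oldest hops carry only link-local and 10.x addresses inside the provider's own infrastructure, and the first public address belongs to a hotmail.com relay, so no client address was recorded.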
