EMAIL


13 replies to this topic

#1 LOVEMYPC

LOVEMYPC

  • Members
  • 661 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 06 May 2012 - 08:40 AM

Hi, is there a way to check or track as to where an email has been sent from (i.e. country, town, city)? Thanks.



#2 Guest_Xircal_*

Guest_Xircal_*

  • Guests
  • OFFLINE
  •  

Posted 06 May 2012 - 09:14 AM

Yes. Copy/paste the email headers into the space on this site to get their IP address and then use the IP Lookup tool on the same site to see where they're located.

#3 LOVEMYPC

LOVEMYPC
  • Topic Starter

  • Members
  • 661 posts
  • OFFLINE
  •  

Posted 06 May 2012 - 02:10 PM

Hi, Xircal, thank you for the info. Will check it out today and let you know how it went.
The reason for tracking this email is I have something on Craigslist that a buyer wants
and he is going to send me a cashier's check for item plus shipping, which is more than
the cost of item. This has been used as a common scam whereas a person mistakenly sends
more by accident, then tells you to go ahead and cash said and send overage to them. Then
when the check bounces, your bank comes after you for the BAD CHECK, they have your item and you
have something to throw darts at. THANKS AGAIN

#4 Guest_Xircal_*

Guest_Xircal_*

  • Guests
  • OFFLINE
  •  

Posted 06 May 2012 - 02:34 PM

Hi, Xircal, thank you for the info. Will check it out today and let you know how it went.
The reason for tracking this email is I have something on Craigslist that a buyer wants
and he is going to send me a cashier's check for item plus shipping, which is more than
the cost of item. This has been used as a common scam whereas a person mistakenly sends
more by accident, then tells you to go ahead and cash said and send overage to them. Then
when the check bounces, your bank comes after you for the BAD CHECK, they have your item and you
have something to throw darts at. THANKS AGAIN

Ouch. But that also means his email addy could be spoofed. He could also mail via Tor, which routes email through a series of anonymous servers, making it virtually impossible to track down the origin.

How long does a cashier's check take to clear? Hang on before sending the goods, maybe until you've been properly paid.

#5 frankp316

frankp316

  • Members
  • 2,677 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 06 May 2012 - 05:56 PM

Honestly, I would not accept a cashier's check from anyone buying over the internet. Too many scammers out there. My policy is PayPal or nothing.

#6 LOVEMYPC

LOVEMYPC
  • Topic Starter

  • Members
  • 661 posts
  • OFFLINE
  •  

Posted 06 May 2012 - 08:03 PM

We are going to see where this goes. We tried your link and, like what was said, could not find him or his IP.
The ex-wife's husband had a postal money order sent to him; he took it to the USPS and they said it was a fake.
Also, if you watch their spelling, it's not the way we string a sentence together, so it made me think
of all the scams I get from people wanting me to help get millions of dollars out of their country. THANKS

#7 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:04 AM

Posted 06 May 2012 - 09:28 PM

send me a cashiers check for item plus shipping which is more than
the cost of item


Please be aware this *IS* a scam, no question about it. A check "clearing" doesn't mean what it used to, and even after a check has 'cleared' it can still end up being fraudulent and charged back to you. And in this case it *Will* be fraudulent.
Derfram
~~~~~~

#8 Guest_Xircal_*

Guest_Xircal_*

  • Guests
  • OFFLINE
  •  

Posted 07 May 2012 - 04:18 AM

We are going to see where this goes. We tried your link and, like what was said, could not find him or his IP.
The ex-wife's husband had a postal money order sent to him; he took it to the USPS and they said it was a fake.
Also, if you watch their spelling, it's not the way we string a sentence together, so it made me think
of all the scams I get from people wanting me to help get millions of dollars out of their country. THANKS

Here's a lesson on how to interpret email message headers. The following one arrived in my mailbox last week and purportedly came from Western Union, asking me to update my account or risk losing privileges.

Return-Path: support@westernunion.nl
Received: from mx08.back.prod.mail.xxxxxxxxxxx (LHLO mx08.xxxxxxxxxx)
 (10.160.210.168) by mailstore11.back.prod.mail.xxxxxx with LMTP; Mon, 30
 Apr 2012 11:54:40 +0200 (CEST)
Received: from localhost (filterin02.back.prod.mail.xxxxxxxx [10.160.210.222])
        by mx08.xxxxxx (Postfix) with ESMTP id A51054401A
        for xxxxxxxxxxxxxxxxx Mon, 30 Apr 2012 11:54:40 +0200 (CEST)
Received: from mx08.xxxxxx.nl ([10.160.210.168])
        by localhost (filterin02.back.prod.mail.xxxxxx.nl [10.160.210.247]) (amevisd-new, port 10024)
        with ESMTP id jB-wArfGBl4e for xxxxxxxxxxxxxxxxxxxxx
        Mon, 30 Apr 2012 11:54:40 +0200 (CEST)
Received: from mx08.xxxxxxx (localhost [127.0.0.1])
        by mx08.xxxxxxxxxx (Postfix) with ESMTP id 776D314003
        for xxxxxxxxxxxxxx Mon, 30 Apr 2012 11:54:40 +0200 (CEST)
Received: from smtp1.dnsmadeeasy.com (smtp1.dnsmadeeasy.com [208.94.147.131]) <---------------------
        by mx08.xxxxxxxxxx (Postfix) with ESMTP
        for xxxxxxxxxxxxxxxxxxxx Mon, 30 Apr 2012 11:54:40 +0200 (CEST)
X-Authenticated-Name: futura
Content-Type: text/html
SUBJECT: Required Account Identification
FROM: Western Union <support@westernunion.nl>
Message-ID: <GEEKSERVERx8dyDd3OJ000007fb@173-160-13-141-littlerock.hfc.comcastbusiness.net> <-----------------------
X-OriginalArrivalTime: 30 Apr 2012 09:55:02.0201 (UTC) FILETIME=[2C8E5B10:01ED26B7]
Date: 30 Apr 2012 04:55:02 -0500
To: undisclosed-recipients:;
X-Scanned: by Cloudmark authority (on mx.xxxxxxxx)
X-CMAE-Analyze: .v=2.0 cv=AKVff71K c=1 sm=0 p=R7FwDBW0AtIKHl2Gip0A:9 p=zfX96Siy-_xNKIXO:21 p=8cwSxBenOf7snzQm:21 a=MEzQdxvfAAAA:8 a=IWhvKg0ZaJyearvoOA
X-CMAE-Score: .100

It looks indecipherable to a novice, but what you're looking for is the third "Received" part of the headers and the Message-ID. I've identified both of these with arrows. Where you see a series of "xxxxxxxxx", this is just personal info I've erased.

So now we go to a handy tool you can download from Nirsoft.net called IPNetInfo. This doesn't really help us very much in tracking down the origin, since DNSEasy is a tool belonging to a perfectly legitimate company called Tiggee LLC. However, it further confirms that the mail definitely didn't come from Western Union.

The Message-ID on the other hand helps us a little more with tracking down the origin. You can simply paste "littlerock.hfc.comcastbusiness.net" into Google which will provide links to company profiles. This particular business is owned by a company called Curtis H. Stout which manufactures electrical equipment. So maybe our dirty little scammer works there and wants to make a bit on the side.

EDIT: Almost forgot. If the mail arrived by webmail, follow the instructions here on how to read webmail headers.

Edited by Xircal, 07 May 2012 - 04:31 AM.
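
The header reading walked through in the post above, as an added Python example that is not part of the original post: it lists each Received hop, picks the first public address reading downward (the relay that handed the mail to the recipient's provider), and flags Message-ID and relay hosts that fall outside the From domain. The function names and the isp.example placeholder hosts are assumptions; a mismatch is a hint rather than proof, since legitimate senders also use third-party relays.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the post's headers; redacted hosts replaced by isp.example (constructed).
SAMPLE = """\
Received: from mx08.isp.example (LHLO mx08.isp.example)
 (10.160.210.168) by mailstore11.isp.example with LMTP; Mon, 30
 Apr 2012 11:54:40 +0200 (CEST)
Received: from mx08.isp.example (localhost [127.0.0.1])
 by mx08.isp.example (Postfix) with ESMTP id 776D314003
Received: from smtp1.dnsmadeeasy.com (smtp1.dnsmadeeasy.com [208.94.147.131])
 by mx08.isp.example (Postfix) with ESMTP
FROM: Western Union <support@westernunion.nl>
Message-ID: <GEEKSERVERx8dyDd3OJ000007fb@173-160-13-141-littlerock.hfc.comcastbusiness.net>

"""
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def hops(raw):
    """Return (helo_name, ip) for each Received header, newest hop first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        sender = " ".join(value.split()).split(" by ", 1)[0]  # unfold, keep "from" part
        name = re.match(r"from\s+(\S+)", sender)
        ip = None
        for cand in IPV4.findall(sender):
            try:
                ip = ipaddress.ip_address(cand)
                break
            except ValueError:  # e.g. 999.1.1.1 is not an address
                continue
        out.append((name.group(1) if name else None, ip))
    return out

def handoff_hop(raw):
    """First public address reading downward: the relay that handed the mail
    to the recipient's provider. Lines below it are sender-controlled."""
    return next(((n, str(ip)) for n, ip in hops(raw)
                 if ip is not None and ip.is_global), None)

def mismatches(raw):
    """Hosts in Message-ID and hand-off relay that are outside the From domain."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    relay = handoff_hop(raw)
    hosts = [(msg["Message-ID"] or "").strip("<> ").rpartition("@")[2].lower(),
             relay[0] if relay else ""]
    return claimed, [h for h in hosts if h and h != claimed and not h.endswith("." + claimed)]
```

The suffix comparison is a rough stand-in for a proper registrable-domain check, and the private 10.x and 127.0.0.1 hops are skipped because they only describe the recipient provider's internal routing.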


#9 LOVEMYPC

LOVEMYPC
  • Topic Starter

  • Members
  • 661 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 07 May 2012 - 05:20 AM

Thanks, Xircal. Like you said, unless you know how to read between the lines it's all GREEK to a novice.
What I decided to do was send his letter back to him unopened and told him if he still wanted items,
please bring cash. THANKS

#10 Guest_Xircal_*

Guest_Xircal_*

  • Guests
  • OFFLINE
  •  

Posted 07 May 2012 - 07:34 AM

Probably the best course of action other than what frankp316 suggested, which was to use PayPal.

However, even that alternative method can go pear-shaped: 23-year-old hacker accessed 200,000 PayPal accounts

#11 LOVEMYPC

LOVEMYPC
  • Topic Starter

  • Members
  • 661 posts
  • OFFLINE
  •  
  • Local time:12:04 AM

Posted 13 May 2012 - 03:19 PM

Hi, Xircal, is that link to the H SECURITY web site a reasonably safe site to root around in? Thanks

#12 Guest_Xircal_*

Guest_Xircal_*

  • Guests
  • OFFLINE
  •  

Posted 14 May 2012 - 05:06 AM

Hi, Xircal, is that link to the H SECURITY web site a reasonably safe site to root around in? Thanks

Yes. You need have no fears about site safety there. It's one of my favourites. :cool:

#13 LOVEMYPC

LOVEMYPC
  • Topic Starter

  • Members
  • 661 posts
  • OFFLINE
  •  

Posted 14 May 2012 - 06:51 PM

Hi, Xircal, running across these web sites is like going to YouTube and spending the rest of the night on it. Thanks

#14 Guest_Xircal_*

Guest_Xircal_*

  • Guests
  • OFFLINE
  •  

Posted 15 May 2012 - 01:52 AM

Hi, Xircal, running across these web sites is like going to YouTube and spending the rest of the night on it. Thanks

Well, you can pretty much skip the topics which don't apply to you like Linux, UNIX and the like, but I often glean some interesting tips there. This morning for example, I was reading about the Notepad++ site being compromised. While I don't have a Facebook account myself, that report contains a link to MyPermissions.org which is a site I didn't know about until today.



