
    Finding Email Headers Tip Sheet

    Finding Email Headers in Email Messages and Reporting Abuse- Spammers, and Scammers

    Outlook (most versions)

    Right-click the message whose header you want to view and click Options on the menu. The email header appears in a box at the bottom of the window.


    Outlook Express (most versions)

    Right-click the message whose header you want to view and click Properties on the menu. At the top of the new window, left-click Details; the header appears in the box.


    Yahoo Mail (Web Based)

    Click on the link under Subject to View the message. While viewing the message look at the top of the message on the right hand side and find the link that reads “Full Headers” and click on it. The header will be listed above the email.


    If you need information on getting headers for another email program, just ask.


    Reading Email Headers

    The sending address and IP address can be "spoofed" (faked), but you will be able to tell if you do some research.

    Here is an Example of an Email Header
    X-YPOPs-Folder: Inbox
    X-RocketYMUMID: AIgmvs4AAV61QrzemAAYfy95Te4
    X-Apparently-To: michael00d@y... via; Fri, 24 Jun
    2005 21:33:27 -0700
    X-Originating-IP: []
    Return-Path: <kellyone_love@y...
    X-RocketTIP: ; YAHOO
    Authentication-Results: mta350.mail.scd.yahoo.com
    from=yahoo.com; domainkeys=pass (ok)
    Received: from (HELO web60916.mail.yahoo.com)
    by mta350.mail.scd.yahoo.com with SMTP; Fri, 24 Jun 2005
    21:33:27 -0700
    Received: (qmail 16766 invoked by uid 60001); 25 Jun 2005 04:33:26 -
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.com;

    Df4yoaMt92GzB bjfdBu+SjqQgK/WYubAt9y1j4bm3czqN8= ;
    Message-ID: <20050625043326.16764.qmail@w...
    Received: from [] by web60916.mail.yahoo.com via HTTP;
    Fri, 24 Jun 2005 21:33:26 PDT
    Date: Fri, 24 Jun 2005 21:33:26 -0700 (PDT)
    From: kelly lizzy <kellyone_love@y...
    Subject: my pics
    To: michael00d@y...
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="0-643441667-
    Content-Transfer-Encoding: 8bit
    Content-Length: 62927

    You Read Email Headers from the Bottom Up
    This part can be spoofed so you can usually ignore it.

    From: kelly lizzy <kellyone_love@y...
    Subject: my pics
    To: michael00d@y...
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="0-643441667-
    Content-Transfer-Encoding: 8bit
    Content-Length: 62927

    Then look for the first Received: from line; the IP address on that line is the originating IP.

    Received: from [] by web60916.mail.yahoo.com via HTTP;
    Fri, 24 Jun 2005 21:33:26 PDT
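
    The bottom-up reading described above, as an added example (not part of the original tip sheet): it walks the Received: lines oldest first and returns the first routable IP in square brackets. The sample header and its documentation-range IPs are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample header, not taken from the page. The IPs are RFC 5737
# documentation addresses standing in for real public addresses.
SAMPLE_HEADER = (
    "Received: from web.example.net (web.example.net [198.51.100.7])\n"
    "\tby mta.example.org with SMTP; Fri, 24 Jun 2005 21:33:27 -0700\n"
    "Received: (qmail 16766 invoked by uid 60001); 25 Jun 2005 04:33:26 -0000\n"
    "Received: from [203.0.113.45] by web.example.net via HTTP;\n"
    "\tFri, 24 Jun 2005 21:33:26 PDT\n"
    "From: Sample Sender <sender@example.net>\n"
    "Subject: constructed sample\n"
    "\n"
)

BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
# Ranges that never identify a sender on the public internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def received_hops(raw_header):
    """Return (flattened line, [ip, ...]) per Received: line, bottom up."""
    msg = message_from_string(raw_header)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())          # undo header folding
        ips = []
        for text in BRACKETED.findall(line):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:                   # bracketed text that is not an IP
                pass
        hops.append((line, ips))
    return hops

def originating_ip(raw_header):
    """First routable IP met when reading the Received: lines bottom up."""
    for _line, ips in received_hops(raw_header):
        for ip in ips:
            if not any(ip in net for net in NON_ROUTABLE):
                return str(ip)
    return None                                  # e.g. the IP was stripped: "from []"

if __name__ == "__main__":
    for line, ips in received_hops(SAMPLE_HEADER):
        print([str(i) for i in ips], "<-", line)
    print("originating IP:", originating_ip(SAMPLE_HEADER))
```

    Only Received: lines added by servers you trust are reliable; anything below the first trusted server's entry may have been inserted by the sender.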

    Finding Out Where The IP Address Is Located

    The easiest way to find out where an email originated is to copy the entire header and then paste it into a site like http://www.iptrackeronline.com/email-header-analysis.php or copy the entire header and email and paste it into the box at this site: http://nextwebsecurity.com/HeaderTool2-pub.asp.


    OR use this alternative:


    Another place you can go is http://www.dnsstuff.com: paste the IP address into the IPWHOIS Lookup box to find out where the IP has come from. This is also the way to find out who owns the IP address. Here it is: COBRANET-ISP-TGB. I got this from the WHOIS lookup; it is the contact person who, I would imagine, bought the IP block:

    person: Hikmat Mardo
    address: Lagos-Nigeria
    address: Lekki Phase 1
    address: rafiu babatunde street plot 8
    phone: +23417767720
    phone: +234802 832 2133
    phone: +23415555656
    phone: +9613666325
    e-mail: ***@cobranet.org
    nic-hdl: HM1517-RIPE
    notify: ********@teleport-iabg.de
    mnt-by: IABG-MNT
    changed: *******@iabg.de 20040617
    source: RIPE

    Then We Googled it and the First of Two Google Results

    419 Scam – Spam sources by IP address (Advance Fee Fraud) - Jun 25
    COBRANET-ISP-TGB - David Hart, Weartherbys Bank Limited - bergerpt@t... (holocaust) ... www.joewein.de/sw/419-by-ip.htm - 64k - Jun 24, 2005 - Cached - Similar pages



    Reporting Abuse- Spammers, and Scammers


    When we do an IP trace, it always shows where to report abuse. If we report them and the ISPs take action, maybe they can shut down some of the scammers on the other end. When we report them, it might be a good idea to add the FTC, ACMA, and many others. If a bunch of people see it, a bunch of people might do something about it. Also send it to your ISP's abuse desk.
    Reporting Spam - has some good information about how to report spammers, which would work just as well with scammers. Here is some useful information I found online about where to report scams and spam, in addition to the FBI. See below.

    Investment/Securities Scams

    The SEC's Office of Internet Enforcement Complaint Center


    SEC indicates that investment-related scam spam can be forwarded to SEC To see examples of the sort of litigation the SEC has brought against parties engaging in Internet-related securities manipulation.


    Attempts to Unlawfully Sell Prescription Medications Online

    If people attempt to sell you prescription medications online without requiring a physician's prescription, the Food and Drug Administration would like to know about it. You can report emails promoting illegal medical products by forwarding those emails. (see FDA ).


    US Customs Service CyberSmuggling Center, Child Exploitation Unit

    Occasionally you may receive spam related to child pornography. As noted at US Customs you should immediately report this to the US Customs Service at 1-800-BE-ALERT or the National Center for Missing and Exploited Children at 1-800-843-5678, or contact the ICE Cybersmuggling Center .

    Please note that you should not download any child pornographic materials under any circumstances, since the mere possession of this type of material is a violation of federal and state laws. Let trained law enforcement officers conduct their own investigation when it comes to child porn spam.


    Internet Fraud in General

    Internet fraud complaints may be filed with the FBI's Internet Fraud Complaint Center (IFCC) . The IFCC is particularly active in the area of online auction fraud, but it also handles a variety of other Internet-related fraud.

    4-1-9 Nigerian Advance Fee Fraud Spam
    This type of scam spam, in which overseas, often Nigerian, con men typically offer you a share in millions of dollars worth of "over-invoiced contracts" (if only you will "temporarily" cover the cost of some "advance fees") can be reported to the United States Secret Service by faxing a copy of the 4-1-9 solicitation to (202) 406-5031, as noted the Secret Service also has jurisdiction over online credit card fraud, among other scams.


    Pyramid Schemes or Chain Letters Using the U.S. Mail

    If you receive spam that's a pyramid or chain-letter scheme and it uses the United States mail at any step along the way (for example, if it instructs you to send money to an address via the mail), it is illegal and should be reported to the U.S. Postal Service. As noted you should turn over a copy of the chain letter or pyramid scheme advertisement to your local postmaster or nearest postal inspector. The nearest Postal Inspection Service office for Oregonians is:

    PO BOX 400
    SEATTLE WA 98111-4000
    Phone : 206-442-6300
    Fax : 206-442-6304


    Unsolicited Commercial Email (Spam) In General

    According to its Consumer Complaint Form site at the FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into a secure, online database available to hundreds of civil and criminal law enforcement agencies worldwide.


    If you wish to report unsolicited commercial email to the FTC, you should forward that spam.


    Wired News writer Joanna Glasner reported in her article, "The Law Is Going After Spam" (see http://archive.wired.com/news/politics/0,1283,51486,00.html), that over ten million spam messages have been forwarded to FTC since the beginning of 1998, with over one million pieces of spam being forwarded in the month of March 2002.

    State Agencies and Spam


    The Oregon Attorney General's Office indicates that consumers can report email scams to the State Department of Justice Consumer Hotline. However, there is no indication what will be done with spam that gets forwarded to that address.

    Some states, such as California, have been faulted for establishing spam reporting channels but then failing to follow through.

    Pointers to all states with anti-spam laws

    Reporting Spam Directly to an ISP Spam Source: Get Help from SpamCop
    If you decide to complain directly to the ISP that's hosting spammers--or is itself the source of spam, SpamCop can help you find the right ISP.


    IP Address Resource Links


    The ARIN database search; whois IP numbers here


    Regional Internet Registry; also an IP lookup


    InfoSpace World Directories


    What is my IP Address?


    Reading Email Headers

    from SpamCop.net

    Track your Email



    Tracing IP While Using Instant Messenger (IM)

    Open this script. Copy and paste the text exactly as it is written into a NotePad document and Save As "chat.vbs" to your computer desktop.

    Please note it can take some practice to learn to trace the IP of an IM chat. Follow these steps to use the script to track IPs while chatting online:

    To run an IP check during instant messaging conversations:

    1. Click "Start" on the Task Bar.
    2. Select “run”.
    3. Type in “cmd.exe”.
      1. This will bring up a new window all black with white lettering (looks like the old dos screen).
      2. In the window, type “netstat -n” (there is a space between netstat and -n).
      3. Hit enter. It will bring up a list of all IPs that you are connected to. (Note: these include all your connections, etc., to the web, mail, etc.)
      4. Right click at the beginning of your list of IPs and highlight all of them. Left click and drag mouse to highlight all IP information there.
    4. Hit enter (hitting enter copies everything highlighted).
    5. Paste into any text document or go directly to the Header Analysis Tool and paste everything into that to run your trace. Otherwise copy and paste each IP address from your new text document to the whois search on the dnsstuff website (links provided above).

    Once again, remember it takes practice to be able to use this tool proficiently, so be patient and don’t hesitate to ask questions when you have them.
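
    The netstat step above lists every connection your computer has open, so picking out the addresses worth looking up takes some filtering. The following added example (not part of the original tip sheet) parses pasted "netstat -n" output and keeps only established connections to non-local addresses; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of Windows "netstat -n" output; documentation-range
# IPs stand in for real remote peers.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
  TCP    192.168.1.10:49712     203.0.113.45:5050      ESTABLISHED
  TCP    192.168.1.10:49713     198.51.100.7:443       TIME_WAIT
  TCP    192.168.1.10:49720     192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.10:49731     203.0.113.45:5101      ESTABLISHED
  TCP    [2001:db8::10]:49740   [2001:db8::beef]:443   ESTABLISHED
"""

# Loopback, private and link-local ranges: your own machine or home network.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def remote_peers(netstat_text, states=("ESTABLISHED",)):
    """Map each remote, non-local IP to the sorted remote ports in use."""
    peers = {}
    for row in netstat_text.splitlines():
        cols = row.split()
        # Data rows have four columns: proto, local, foreign, state.
        if len(cols) != 4 or cols[0] != "TCP" or cols[3] not in states:
            continue
        try:
            ip, port = split_endpoint(cols[2])
        except ValueError:                 # malformed or unparseable address
            continue
        if any(ip in net for net in LOCAL_RANGES):
            continue
        peers.setdefault(str(ip), set()).add(port)
    return {ip: sorted(ports) for ip, ports in peers.items()}

if __name__ == "__main__":
    for ip, ports in remote_peers(SAMPLE_NETSTAT).items():
        print(ip, "remote ports:", ports)
```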