
Finding Email Headers Tip Sheet

Finding Email Headers in Email Messages and Reporting Abuse- Spammers, and Scammers


Outlook (most versions)

Click the right mouse button on the message you want to view the header for, on the menu click on Options and the email header will be at the bottom of the window in a box.

 

Outlook Express (most versions)

Click the right mouse button on the message you want to view the header for, on the menu click on Properties, then at the top of the new window click the left mouse button on Details, you will see the header in the box.

 

Yahoo Mail (Web Based)

Click on the link under Subject to View the message. While viewing the message look at the top of the message on the right hand side and find the link that reads “Full Headers” and click on it. The header will be listed above the email.

 

If you need information on getting headers for another email program, just ask.

 

Reading Email Headers

It is possible for the sending address and IP address to be "spoofed" (faked), but a little research will show you when that has happened.


Here is an Example of an Email Header
X-YPOPs-Folder: Inbox
X-RocketYMUMID: AIgmvs4AAV61QrzemAAYfy95Te4
X-Apparently-To: michael00d@y... via 206.190.38.136; Fri, 24 Jun
    2005 21:33:27 -0700
X-Originating-IP: [209.73.178.244]
Return-Path: <kellyone_love@y...
X-RocketTIP: 209.73.178.244 ; YAHOO
Authentication-Results: mta350.mail.scd.yahoo.com
    from=yahoo.com; domainkeys=pass (ok)
Received: from 209.73.178.244 (HELO web60916.mail.yahoo.com)
    (209.73.178.244)
    by mta350.mail.scd.yahoo.com with SMTP; Fri, 24 Jun 2005
    21:33:27 -0700
Received: (qmail 16766 invoked by uid 60001); 25 Jun 2005 04:33:26 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.com;
    h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
    b=d+Aj4dDTTZY2DSTE++OZbmbgd8TaDO+kxz4y/CA6cScid4vmcSP/WO7+10b455G+ZIqt
    DTgDtP9z8g13rw6Xclp3EmRCX49mAYsDttna+eH+xuiJUBX7kZLDrMna
    Df4yoaMt92GzB bjfdBu+SjqQgK/WYubAt9y1j4bm3czqN8= ;
Message-ID: <20050625043326.16764.qmail@w...
Received: from [80.231.4.6] by web60916.mail.yahoo.com via HTTP;
    Fri, 24 Jun 2005 21:33:26 PDT
Date: Fri, 24 Jun 2005 21:33:26 -0700 (PDT)
From: kelly lizzy <kellyone_love@y...
Subject: my pics
To: michael00d@y...
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-643441667-1119674006=:15556"
Content-Transfer-Encoding: 8bit
Content-Length: 62927


You Read Email Headers from the Bottom Up
This part can be spoofed, so you can usually ignore it.

From: kelly lizzy <kellyone_love@y...
Subject: my pics
To: michael00d@y...
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-643441667-1119674006=:15556"
Content-Transfer-Encoding: 8bit
Content-Length: 62927

Then look for the first "Received: from" line, counting from the bottom up. This line shows the originating IP.
Here, 80.231.4.6 is the originating IP.

Received: from [80.231.4.6] by web60916.mail.yahoo.com via HTTP;
Fri, 24 Jun 2005 21:33:26 PDT
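
The bottom-up reading described above, as an added Python example that is not part of the original tip sheet: it walks the Received: lines from the bottom of a header and returns the first public IP address it finds. The sample header is constructed from the example above, with example.com placeholder addresses where the page elides them, and the function names are illustrative.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample based on the header above; the example.com addresses are
# placeholders because the page elides the real ones.
SAMPLE = """\
X-Originating-IP: [209.73.178.244]
Received: from 209.73.178.244 (HELO web60916.mail.yahoo.com) (209.73.178.244)
 by mta350.mail.scd.yahoo.com with SMTP; Fri, 24 Jun 2005 21:33:27 -0700
Received: (qmail 16766 invoked by uid 60001); 25 Jun 2005 04:33:26 -0000
Received: from [80.231.4.6] by web60916.mail.yahoo.com via HTTP;
 Fri, 24 Jun 2005 21:33:26 PDT
From: kelly lizzy <sender@example.com>
To: recipient@example.com
Subject: my pics

(message body)
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_hops(raw_message):
    """Return one dict per Received: line, bottom of the header first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold wrapped lines
        ip = None
        if value.lower().startswith("from "):    # skip local hand-offs (qmail)
            match = IPV4.search(value.split(" by ", 1)[0])
            ip = match.group(0) if match else None
        hops.append({"ip": ip, "line": value})
    return hops

def originating_ip(raw_message):
    """First public IPv4 address found reading Received: lines bottom-up.

    Private or malformed addresses are skipped. Lines below the first server
    you trust can be forged by the sender, so treat the result as a lead.
    """
    for hop in received_hops(raw_message):
        try:
            if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
                return hop["ip"]
        except ValueError:                       # e.g. 999.1.1.1
            continue
    return None

if __name__ == "__main__":
    print(originating_ip(SAMPLE))
```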

Finding Out Where The IP Address Is Located

The easiest way to find out where an email originated is to copy the entire header and paste it into a site like http://www.iptrackeronline.com/header.php, or to copy the entire header and email and paste them into the box at this site: http://nextwebsecurity.com/HeaderTool2-pub.asp.

 

Another option is to go to http://www.dnsstuff.com and paste the IP address into the IPWHOIS Lookup box to find out where this IP has come from. This is also the way to find out who owns the IP address. Here it is: COBRANET-ISP-TGB. I got this from the WHOIS lookup; it is the contact person who, I would imagine, bought the IP block:

person: Hikmat Mardo
address: Lagos-Nigeria
address: Lekki Phase 1
address: rafiu babatunde street plot 8
phone: +23417767720
phone: +234802 832 2133
phone: +23415555656
phone: +9613666325
e-mail: ***@cobranet.org
nic-hdl: HM1517-RIPE
notify: ********@teleport-iabg.de
mnt-by: IABG-MNT
changed: *******@iabg.de 20040617
source: RIPE

Then We Googled It; Here Is the First of Two Google Results

419 Scam – Spam sources by IP address (Advance Fee Fraud) - Jun 25
COBRANET-ISP-TGB 80.231.4.18 - David Hart, Weartherbys Bank Limited
80.231.4.18 - bergerpt@t... (holocaust) ... www.joewein.de/sw/419-by-ip.htm - 64k - Jun 24, 2005 - Cached - Similar pages


Reporting Abuse- Spammers, and Scammers

 

When we do an IP trace, it always shows where to report abuse. If we report them and the ISPs take action, maybe they can shut down some of the scammers on the other end. When we report them, it might be a good idea to add the FTC, ACMA, and many others. If a bunch of people see it, a bunch of people might do something about it. Also send it to your ISP's abuse desk.
Reporting Spam has some good information about how to report spammers, which would work just as well with scammers. Here is some useful information I found online about where to report scams and spam, in addition to the FBI. See below.


Investment/Securities Scams

The SEC's Office of Internet Enforcement Complaint Center

 

The SEC indicates that investment-related scam spam can be forwarded to the SEC. To see examples of the sort of litigation the SEC has brought against parties engaging in Internet-related securities manipulation.

 

Attempts to Unlawfully Sell Prescription Medications Online

If people attempt to sell you prescription medications online without requiring a physician's prescription, the Food and Drug Administration would like to know about it. You can report emails promoting illegal medical products by forwarding those emails (see FDA).

 

US Customs Service CyberSmuggling Center, Child Exploitation Unit

Occasionally you may receive spam related to child pornography. As noted at US Customs, you should immediately report this to the US Customs Service at 1-800-BE-ALERT or the National Center for Missing and Exploited Children at 1-800-843-5678, or contact the ICE Cybersmuggling Center.


Please note that you should not download any child pornographic materials under any circumstances, since the mere possession of this type of material is a violation of federal and state laws. Let trained law enforcement officers conduct their own investigation when it comes to child porn spam.


Internet Fraud in General


Internet fraud complaints may be filed with the FBI's Internet Fraud Complaint Center (IFCC). The IFCC is particularly active in the area of online auction fraud, but it also handles a variety of other Internet-related fraud.

4-1-9 Nigerian Advance Fee Fraud Spam
This type of scam spam, in which overseas, often Nigerian, con men typically offer you a share in millions of dollars' worth of "over-invoiced contracts" (if only you will "temporarily" cover the cost of some "advance fees"), can be reported to the United States Secret Service by faxing a copy of the 4-1-9 solicitation to (202) 406-5031. As noted, the Secret Service also has jurisdiction over online credit card fraud, among other scams.

 

Pyramid Schemes or Chain Letters Using the U.S. Mail


If you receive spam that's a pyramid or chain-letter scheme and it uses the United States mail at any step along the way (for example, if it instructs you to send money to an address via the mail), it is illegal and should be reported to the U.S. Postal Service. As noted, you should turn over a copy of the chain letter or pyramid scheme advertisement to your local postmaster or nearest postal inspector. The nearest Postal Inspection Service office for Oregonians is:

POSTAL INSPECTION SERVICE
UNITED STATES POSTAL SERVICE
PO BOX 400
SEATTLE WA 98111-4000
Phone : 206-442-6300
Fax : 206-442-6304


Unsolicited Commercial Email (Spam) In General


According to its Consumer Complaint Form site, the FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into a secure, online database available to hundreds of civil and criminal law enforcement agencies worldwide.

 

If you wish to report unsolicited commercial email to the FTC, you should forward that spam.

 

Wired News writer Joanna Glasner reported in her article, "The Law Is Going After Spam" (see http://www.wired.com/news/politics/0,1283,51486,00.html), that over ten million spam messages have been forwarded to the FTC since the beginning of 1998, with over one million pieces of spam being forwarded in the month of March 2002.



State Agencies and Spam

 

The Oregon Attorney General's Office indicates that consumers can report email scams to the State Department of Justice Consumer Hotline. However, there is no indication what will be done with spam that gets forwarded to that address.

Some states, such as California, have been faulted for establishing spam reporting channels but then failing to follow through.

Pointers to all states with anti-spam laws


Reporting Spam Directly to an ISP Spam Source: Get Help from SpamCop
If you decide to complain directly to the ISP that's hosting spammers, or is itself the source of spam, SpamCop can help you find the right ISP.


IP Address Resource Links

 

The ARIN database search; whois IP numbers here

http://www.arin.net/index.shtml

Regional Internet Registry; also an IP lookup

http://www.ripe.net/index.html

AfriNIC IP lookup

http://www.afrinic.net/cgi-bin/whois

InfoSpace World Directories

http://www.infospace.com/home/white-pages/world

What is my IP Address?

http://www.showip.net/

Reading Email Headers

from SpamCop.net

Track your Email

http://www.readnotify.com/


IP Address Lookups

http://www.arin.net/index.shtml

http://www.ripe.net/index.html

http://www.afrinic.net/cgi-bin/whois

http://www.geobytes.com/IpLocator.htm

http://www.apnic.net/

http://lacnic.net/en/

http://visualroute.visualware.com/

http://www.internetfrog.com/

http://www.hostip.info/

http://www.ipaddressworld.com/

http://www.dnsstuff.com/

http://cqcounter.com/whois/

http://www.ip2location.com/

http://www.psacake.com/web/eg.asp

http://www.urgentclick.com/ip_address_lookup.php

http://www.theultimates.com/email/


Tracing IP While Using Instant Messenger (IM)

Open this script. Copy and paste the text exactly as it is written into a Notepad document and save it as "chat.vbs" on your computer desktop.

Please note it can take some practice to learn to trace the IP of an IM chat. Follow these steps to use the script to track IPs while chatting online:

To run an IP check during instant messaging conversations:

  1. Click "Start" on the Task Bar.
  2. Select “Run”.
  3. Type in “cmd.exe”.
    1. This will bring up a new window, all black with white lettering (it looks like the old DOS screen).
    2. In the window, type "netstat -n" using a plain hyphen (there is a space between netstat and -n).
    3. Hit enter. It will bring up a list of all IPs that you are connected to. (Note: these include all your connections, etc., to the web, mail, etc.)
    4. Right click at the beginning of your list of IPs and highlight all of them. Left click and drag mouse to highlight all IP information there.
  4. Hit enter (hitting enter copies everything highlighted).
  5. Paste into any text document or go directly to the Header Analysis Tool and paste everything into that to run your trace. Otherwise copy and paste each IP address from your new text document to the whois search on the dnsstuff website (links provided above).

Once again, remember it takes practice to be able to use this tool proficiently, so be patient and don’t hesitate to ask questions when you have them.
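
The last step above, pulling each IP address out of the pasted netstat -n text for a WHOIS lookup, as an added Python example that is not part of the original tip sheet. The sample output is constructed (it reuses two addresses from the header example) and the function name is illustrative; loopback and home-network addresses are dropped because a WHOIS lookup on them tells you nothing.

```python
import ipaddress

# Constructed sample of Windows "netstat -n" output (not from the page).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED
  TCP    192.168.1.10:49201     192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.10:49233     80.231.4.6:5101        ESTABLISHED
  TCP    192.168.1.10:49240     209.73.178.244:80      TIME_WAIT
  TCP    192.168.1.10:49241     209.73.178.244:443     ESTABLISHED
"""

def remote_public_ips(netstat_text, states=("ESTABLISHED",)):
    """Return the unique public foreign addresses, in the order first seen.

    Only TCP rows in one of `states` are considered; header rows, blank
    lines and anything that does not parse as an IP address are ignored.
    """
    seen = set()
    result = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] not in states:
            continue
        # Foreign Address is "ip:port"; IPv6 is shown as "[ip]:port".
        host = parts[2].rsplit(":", 1)[0].strip("[]")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        if addr.is_global and host not in seen:
            seen.add(host)
            result.append(host)
    return result

if __name__ == "__main__":
    for ip in remote_public_ips(SAMPLE):
        print(ip)
```

The list still includes every web, mail and other connection that was open at the time, so compare a run taken before the chat with one taken during it.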