E-mail tracing

Forum: Computer & Technology Related
#1 simmy (Thread Starter), 18 October 2002, 02:54 PM

I have recently taken over a domain name (sastek.net) that was previously used. I keep getting "Message undeliverable" type e-mails with 8Mb worth of photo attachments for messages I have not sent.

It looks to me like someone who used to have an e-mail address ending @sastek.net has still got their reply address set to this in their mail program, they are trying to send this big message to someone but the someone's mail servers are rejecting it cos it's too big, and the message is getting bounced back to me (phew, pause for breath!!)

Is there any way I can try to trace the sender's real e-mail address or ISP using the header info in the e-mail message??

SS

#2 DrEvil, 18 October 2002, 03:56 PM

I might be able to help, if you email me the header info - no promises - but if there is sufficient info, I might be able to give you some pointers.

I will not have access to personal email until about 7pm tonight though.

Rgds, Alex

#3 stevencotton, 18 October 2002, 04:11 PM

You may as well give up. I had the same thing happen to me: someone was spamming using my private email address and I got all the bounces (something like 2000 over a few days). There's nothing you can do since they're probably spamming using an open relay anyway, so the headers become meaningless.

This type of DoS attack is becoming more common now; a friend of mine runs an Internet cafe in Edinburgh and he had so many bounced mails from someone spamming as him that it actually brought down his mail server.

Steve.

#4 DrEvil, 18 October 2002, 05:56 PM

Good point Steve - in my haste I didn't think it might be malicious. Could be a DoS, but worth having a look through just in case it is a mistake on someone else's part.

Alex

#5 DrEvil, 18 October 2002, 06:01 PM

Dunno if this might help:

http://www.samspade.org/

But you could identify who owns the domain/IP address (if it's in the header info) of the sender of the original email that got bounced - via the website above - and you could then email them and report the issue to them.

I might be completely off track here...

#6 simmy, 18 October 2002, 06:15 PM

I'm sure it's not malicious (sp?); it appears to be someone trying to send someone else some pictures.

I just had the thought that I could send an e-mail to the intended receiver and see if they could relay a message to the sender for me.

SS

#7 Miles, 18 October 2002, 08:15 PM

Put up the header info here so that we can check it out....

(If the photos are any good, bung 'em on a CD for the next Aberdeen meet )

#8 DrEvil, 18 October 2002, 08:44 PM

Stuart,

Regarding the header info you sent:

> Return-path: <llund@sastek.net>
> Received: from mail.usask.ca by mail.usask.ca (PMDF V6.1-1 #40949)
> id <0H460B76V05PRN@mail.usask.ca>; Fri, 18 Oct 2002 00:46:38 -0600 (CST)
> Received: from CONVERSION-DAEMON.mail.usask.ca by mail.usask.ca
> (PMDF V6.1-1 #40949) id <0H4303201UYZK3@mail.usask.ca> for
> cll805@mail.usask.ca (ORCPT cll805@mail.usask.ca); Wed,
> 16 Oct 2002 20:59:34 -0600 (CST)
> Received: from mail.qlo.com ([142.165.150.52])
> by mail.usask.ca (PMDF V6.1-1 #40949)
> with ESMTP id <0H4302WHOUX54I@mail.usask.ca> for cll805@mail.usask.ca
> (ORCPT cll805@mail.usask.ca); Wed, 16 Oct 2002 20:59:16 -0600 (CST)
> Received: from sastek.net ([204.83.135.95])
> by mail.qlo.com (Netscape Messaging Server 4.15 blitzen Jan 17 2002 00:23:08)
> with ESMTP id H43UC400.N4G; Wed, 16 Oct 2002 20:45:40 -0600
> Date: Wed, 16 Oct 2002 19:45:43 -0700
> From: Laine Lund <llund@sastek.net>
> Subject: geeks
> To: cll805@mail.usask.ca, paulalund@hotmail.com
> Message-id: <3DAE2457.BA1117BD@sastek.net>
> MIME-version: 1.0
> X-Mailer: Mozilla 4.76 [en] (Win98; U)
> Content-type: multipart/mixed; boundary="Boundary_(ID_PeayRWjZH3BtvQ15kPEg2w)"
> X-Accept-Language: en
>
> This is a multi-part message in MIME format.
>
> --Boundary_(ID_PeayRWjZH3BtvQ15kPEg2w)
> Content-type: text/plain; charset=us-ascii
> Content-transfer-encoding: 7BIT

It looks like the email service provider may be mail.qlo.com?
(someone is bound to correct me if I am wrong - go on you firewall peeps! ).

The details returned by SAMSPADE are:

dns mail.qlo.com

mail.qlo.com resolves to 142.165.150.61

whois -h magic mail.qlo.com
qlo.com is registered with REGISTER.COM, INC. - redirecting to whois.register.com

whois -h whois.register.com qlo.com

Organization:
SaskTel
Lex Pattison
2121 Saskatchewan Dr.
Regina, SK S4P3Y2
CA
Phone: (306)777-2005
Email: domain.admin@sasktel.sk.ca

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: QLO.COM

Created on..............: Thu, Jan 08, 1998
Expires on..............: Tue, Jan 07, 2003
Record last updated on..: Mon, Dec 03, 2001

Administrative Contact:
SaskTel
Lex Pattison
2121 Saskatchewan Dr.
Regina, SK S4P3Y2
CA
Phone: (306)777-2005
Email: domain.admin@sasktel.sk.ca

Technical Contact, Zone Contact:
Register.Com
Domain Registrar
575 8th Avenue - 11th Floor
New York, NY 10018
US
Phone: 212-798-9200
Fax..: 212-629-9305
Email: domain-registrar@register.com

Domain servers in listed order:

HARRIER.SASKNET.SK.CA 142.165.5.2
SPITFIRE.SASKNET.SK.CA 142.165.5.4

whois -h magic 142.165.150.61
mail.qlo.com resolves to 142.165.150.61

SamSpade.org is being null-routed by ARIN due to high traffic. This service will not be available until that is resolved. Please do not contact ARIN about this.

traceroute mail.qlo.com

mail.qlo.com resolves to 142.165.150.61

Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.

3 130.152.80.30 5.405 ms isi-1-lngw2-pos.ln.net [AS226] Los Nettos origin AS
4 4.24.4.249 8.538 ms gigabitethernet5-0.lsanca1-cr3.bbnplanet.net [AS1] GTE Internetworking
5 4.24.4.2 5.835 ms p6-0.lsanca1-cr6.bbnplanet.net [AS1] GTE Internetworking
6 4.24.5.49 7.703 ms p6-0.lsanca2-br1.bbnplanet.net [AS1] GTE Internetworking
7 4.25.112.1 8.701 ms p1-0.lsanca2-cr2.bbnplanet.net [AS1] GTE Internetworking
8 4.24.118.106 9.921 ms p1-0.xlsanca13-teleglobe.bbnplanet.net [AS1] GTE Internetworking
9 64.86.80.14 268.185 ms if-8-0.core2.LosAngeles2.Teleglobe.net [AS6453] BCE Teleglobe Canada Inc.
10 64.86.83.145 88.370 ms if-9-0.core2.LosAngeles.Teleglobe.net [AS6453] BCE Teleglobe Canada Inc.
11 64.86.83.173 86.513 ms if-5-0.core3.NewYork.Teleglobe.net [AS6453] BCE Teleglobe Canada Inc.
12 64.86.83.217 85.349 ms if-5-0.core2.Chicago3.Teleglobe.net [AS6453] BCE Teleglobe Canada Inc.
13 207.45.222.181 107.601 ms if-9-0.core2.Scarborough.Teleglobe.net [AS6453] BCE Teleglobe Canada Inc.
14 207.45.222.205 85.249 ms if-4-0.core1.Scarborough.Teleglobe.net [AS6453] BCE Teleglobe Canada Inc.
15 207.45.208.134 85.670 ms ix-7-0.core1.Scarborough.Teleglobe.net [AS6453] BCE Teleglobe Canada Inc.
16 206.108.107.233 85.864 ms core4-toronto12-pos6-2.in.bellnexxia.net [AS577] Bell Backbone
17 64.230.242.198 89.042 ms core1-toronto12-pos0-1.in.bellnexxia.net [AS577] Bell Backbone
18 206.108.102.45 124.328 ms core2-regina-pos9-2.in.bellnexxia.net [AS577] Bell Backbone
19 206.108.102.10 123.055 ms dis4-regina-pos2-1.in.bellnexxia.net [AS577] Bell Backbone
20 64.230.231.142 122.681 ms DNS error [AS577] Bell Backbone
21 142.165.3.170 121.888 ms DNS error [AS803] SaskNet Backbone
22 142.165.150.251 122.139 ms tornado.sk.sympatico.ca [AS803] SaskNet Backbone
23 *

NOTE the suggested email for the administrator, domain.admin@sasktel.sk.ca - may be worth trying to mail them?

Anyone else got some bright ideas?

Cheers, Alex

#9 DrEvil, 18 October 2002, 08:55 PM

removed**

[Edited by DrEvil - 10/18/2002 8:58:31 PM]

#10 RallyMarshal, 19 October 2002, 06:55 PM

Taking a look at it..

> Received: from mail.qlo.com ([142.165.150.52])
> by mail.usask.ca (PMDF V6.1-1 #40949)
> with ESMTP id <0H4302WHOUX54I@mail.usask.ca> for cll805@mail.usask.ca
> (ORCPT cll805@mail.usask.ca); Wed, 16 Oct 2002 20:59:16 -0600 (CST)
> Received: from sastek.net ([204.83.135.95])
> by mail.qlo.com (Netscape Messaging Server 4.15 blitzen Jan 17 2002 00:23:08)

The email originator seems to be a machine called sastek.net at IP 204.83.135.95. This may be a PC or could be a server - though there's no email server tag - just an email server tag added on by mail.qlo.com.

Anyway, 204.83.135.95 resolves to hsdbwb204-83-135-95.sasknet.sk.ca, which is presumably a dial-up connection for sasknet (www.sasknet.com), who seem to be part of sasktel (www.sasktel.com) - the telephone/internet provider in that area of Canada.

They tell the users to set up the outgoing mail server to be mail.sasktel.net, which is also known as mail.qlo.com, so that all seems to add up, though the IP I'm getting for mail.qlo.com is a couple of digits out - probably on a server farm with multiple IP addresses.

You already have the correct email address - maybe you can email them the headers and see if they can contact the customer in question, though it's doubtful..

They don't seem to have a web server running or to be telnetted to, although that IP address is live - it could be the same machine, or likely not, unless it's a DSL connection or similar.

Paul..
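The header-walking that posts #8 and #10 do by hand, as an added example that is not from any poster in this thread. It unfolds the quoted headers (sample reconstructed from the quote above), reads the Received lines bottom-up to separate the injecting host (sastek.net / 204.83.135.95) from the relay whose whois was looked up (mail.qlo.com), and shows why the bounces land on the Return-path domain; the function names are my own.

```python
import re
# Constructed sample: the bounced message's headers as quoted in this thread,
# with the wrapped lines restored as RFC 822 continuation lines.
RAW_HEADERS = (
    "Return-path: <llund@sastek.net>\n"
    "Received: from mail.usask.ca by mail.usask.ca (PMDF V6.1-1 #40949)\n"
    " id <0H460B76V05PRN@mail.usask.ca>; Fri, 18 Oct 2002 00:46:38 -0600 (CST)\n"
    "Received: from mail.qlo.com ([142.165.150.52])\n"
    " by mail.usask.ca (PMDF V6.1-1 #40949)\n"
    " with ESMTP id <0H4302WHOUX54I@mail.usask.ca> for cll805@mail.usask.ca\n"
    " (ORCPT cll805@mail.usask.ca); Wed, 16 Oct 2002 20:59:16 -0600 (CST)\n"
    "Received: from sastek.net ([204.83.135.95])\n"
    " by mail.qlo.com (Netscape Messaging Server 4.15 blitzen Jan 17 2002 00:23:08)\n"
    " with ESMTP id H43UC400.N4G; Wed, 16 Oct 2002 20:45:40 -0600\n"
    "From: Laine Lund <llund@sastek.net>\n"
)

def unfold(raw):
    """Return [name, value] pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return fields

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                 # name the client announced
    r"(?:\s*\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"    # IP the server actually saw
    r".*?\bby\s+(?P<by>\S+)", re.I | re.S)                  # server that wrote the line

def received_hops(raw):
    """Hops earliest first: each MTA prepends its line, so the bottom one is closest to the sender."""
    found = [HOP_RE.match(v) for n, v in unfold(raw) if n == "received"]
    return [(m["helo"], m["ip"], m["by"]) for m in reversed(found) if m]

def origin(raw):
    """Earliest hop with an IP literal: the injecting machine, not the relay that accepted it."""
    for helo, ip, by in received_hops(raw):
        if ip:
            return {"helo": helo, "ip": ip, "relay": by}
    return None

def bounce_recipient(raw):
    """Where a non-delivery report goes: the envelope sender in Return-path, not the From header."""
    for name, value in unfold(raw):
        if name == "return-path":
            return value.strip("<>")
    return None
```

Only the IP in the innermost hop is evidence; the "from" name before it is whatever the client announced, and an open relay or forged Return-path (as in post #3) makes the whole chain below the first trusted server untrustworthy.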

#11 simmy (Thread Starter), 20 October 2002, 01:32 PM

Solved it the easy way (for now). My e-mail forwarding was set up so that anything @sastek.net came to me; I've changed that so only specified names will come to me and the rest get automatically bounced away. Not ideal, but it will do for now.

Also e-mailed the intended recipient of the message to see if they can get in touch with the sender.

Cheers for your help guys

SS

#12 DrEvil, 21 October 2002, 11:14 AM

Glad you got somewhere.

RallyMarshal - that was the same conclusion I came to.. I even found a parent site for the sasktel.com site... but my computer crashed on me, and I lost the whole damn email I was about to send Steve..

Rgds, Alex