
E-mail originating IPs

  • 07-04-2005 8:46am
    #1
    Closed Accounts Posts: 15,552 ✭✭✭✭


    Sorry if this isn't appropriate, couldn't see where else to post it and it seems ok by the charter.

    I received two emails that I suspect are from the same sender (one is claiming to be a forward from the other).

    In the header from the mail I got I see this:
    Received: from [XXX.YYY.229.102] by web50510.mail.yahoo.com via HTTP; Wed, 06 Apr 2005 17:55:08 PDT

    and from the mail forwarded to me I see this:
    Received: from [XXX.YYY.229.102] by web42108.mail.yahoo.com via HTTP; Wed, 06 Apr 2005 17:44:57 PDT

    Does this indicate the same source (PC) for both e-mails or is there another way of telling?

    Thanks

    Psi


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Unfortunately all it would show is the address of the server that they emailed from. And more than one person could use Yahoo

    But a quick nslookup doesn't pick that server address on their list of incoming servers. Yahoo might still use a different server for sending or the header of the email may have been spoofed using a fake Yahoo name.

    Check if the first two numbers match any of the ranges below

    Lookup the address on http://cqcounter.com/whois/

    Nslookup
    > set type=mx
    > yahoo.com
    Server: UnKnown
    Address: 192.168.10.5

    Non-authoritative answer:
    yahoo.com MX preference = 5, mail exchanger = mx4.mail.yahoo.com
    yahoo.com MX preference = 1, mail exchanger = mx1.mail.yahoo.com
    yahoo.com MX preference = 1, mail exchanger = mx2.mail.yahoo.com
    yahoo.com MX preference = 1, mail exchanger = mx3.mail.yahoo.com

    yahoo.com nameserver = ns5.yahoo.com
    yahoo.com nameserver = ns1.yahoo.com
    yahoo.com nameserver = ns2.yahoo.com
    yahoo.com nameserver = ns3.yahoo.com
    yahoo.com nameserver = ns4.yahoo.com
    mx1.mail.yahoo.com internet address = 67.28.113.11
    mx1.mail.yahoo.com internet address = 64.157.4.78
    mx1.mail.yahoo.com internet address = 67.28.113.10
    mx2.mail.yahoo.com internet address = 67.28.114.36
    mx2.mail.yahoo.com internet address = 64.156.215.8
    mx2.mail.yahoo.com internet address = 67.28.114.35
    mx3.mail.yahoo.com internet address = 64.156.215.7
    mx3.mail.yahoo.com internet address = 64.156.215.18
    mx3.mail.yahoo.com internet address = 64.156.215.5
    mx3.mail.yahoo.com internet address = 64.156.215.6
    mx4.mail.yahoo.com internet address = 68.142.202.11
    mx4.mail.yahoo.com internet address = 68.142.202.12
    mx4.mail.yahoo.com internet address = 4.79.181.12
    mx4.mail.yahoo.com internet address = 4.79.181.13
    ns1.yahoo.com internet address = 66.218.71.63
    ns2.yahoo.com internet address = 66.163.169.170
    ns3.yahoo.com internet address = 217.12.4.104
    ns4.yahoo.com internet address = 63.250.206.138
    ns5.yahoo.com internet address = 216.109.116.17


  • Registered Users, Registered Users 2 Posts: 2,934 ✭✭✭egan007




  • Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    Doesn't yahoo normally add an "X-Originating-IP: " header?


  • Registered Users, Registered Users 2 Posts: 861 ✭✭✭Professor_Fink


    Having the same received from address usually does indicate the same source PC. There are several exceptions to this, however. If XXX.YYY.229.102 is an SMTP server then there should be a previous received from. Also, people can, and spammers often do, add extra received from lines, to make it look like it was only relayed through their computer. I doubt this is the case with your mails however. Another possibility is that the IP address was dynamically assigned to two different people at different times, by their ISP, and they both happened to send you emails.

    Check XXX.YYY.229.102 on RIPE and see who it belongs to (It's no doubt part of a larger block).


  • Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    Just confirmed that the very first IP in received is originating host (a proxy in this case) for a mail I sent myself on yahoo.


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    Thanks lads, yeah, I confirmed it after some googling. Silly girl sent me an e-mail to say she's sick at home with her family and the IP address is the same as the previous email she sent from her college address.

    Now, to fail or just dock marks.

    Incidentally, this:
    Unfortunately all it would show is the address of the server that they emailed from. And more than one person could use Yahoo

    Is utter bollix.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Ok - it shows the external firewall address, all users behind it would have the same address.


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    Ok - it shows the external firewall address, all users behind it would have the same address.

    Wrong again, the IP address posted is the originating IP.

    That is, the IP assigned to the PC connected to the net.


    Jesus, this isn't even my area and I can see you're talking nonsense.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    He isn't (for the most part)

    The mail headers say that the mail was initiated through HTTP, i.e. a web page.
    The IP address will be that of the first computer/router/firewall with a public internet address. All desktop computers behind the router will be using private IPs.


    E.g. all internet traffic from my house laptop, desktop, PDA is given the address assigned to my DSL router. Internal addresses are rewritten by NAT.


    You can traceroute the IP, the final steps will probably show roughly what area of the country the mail was sent from.

    Also to make sure that she doesn't send email through web on mobile phone, which is unlikely for a student, even less likely for two different people. A common wap or sms-email gateway might hide the origins, if you need to cover all avenues.
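The comparison discussed in the posts above, as an added example that is not part of any post in the thread: it pulls the client address and timestamp out of the webmail `via HTTP` Received line of two messages and reports the caveats raised here (Received lines below that hop, private addresses, shared NAT). The messages are constructed; the hostnames and timestamps are the ones quoted in the question, while `203.0.113.102` and `mx.example.org` are placeholders.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HTTP_HOP = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by (\S+) via HTTP;\s*(.+)$")

def sample(web_host, stamp, ip="203.0.113.102"):
    """Constructed message; the IP is a documentation placeholder, not the thread's address."""
    return (f"Received: from {web_host} by mx.example.org with SMTP;\n {stamp}\n"
            f"Received: from [{ip}] by {web_host} via HTTP;\n {stamp}\n"
            "Subject: constructed sample\n\nbody\n")

MSG_A = sample("web50510.mail.yahoo.com", "Wed, 06 Apr 2005 17:55:08 PDT")
MSG_B = sample("web42108.mail.yahoo.com", "Wed, 06 Apr 2005 17:44:57 PDT")

def webmail_hop(raw):
    """Return (client_ip, by_host, timestamp, headers_below) for the 'via HTTP' hop, or None."""
    received = email.message_from_string(raw).get_all("Received") or []
    for i, value in enumerate(received):          # newest hop first, oldest last
        m = HTTP_HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
            when = parsedate_to_datetime(m.group(3))
        except (TypeError, ValueError):
            return None
        return ip, m.group(2), when, len(received) - i - 1
    return None

def compare(raw_a, raw_b):
    """Compare the webmail client address of two messages and list what could mislead."""
    a, b = webmail_hop(raw_a), webmail_hop(raw_b)
    if a is None or b is None:
        return {"same_ip": False, "gap_seconds": None, "caveats": ["no webmail hop found"]}
    caveats = []
    for ip, _, _, below in (a, b):
        if any(ip in net for net in RFC1918):
            caveats.append(f"{ip} is a private address, not a public source")
        if below:
            caveats.append(f"{below} Received line(s) below the webmail hop are sender-supplied")
    if a[0] == b[0]:
        caveats.append("same address can be one PC or a shared NAT gateway")
    gap = abs((a[2] - b[2]).total_seconds())
    return {"same_ip": a[0] == b[0], "gap_seconds": gap, "caveats": caveats}

if __name__ == "__main__":
    print(compare(MSG_A, MSG_B))
```

A gap of a few minutes between the two timestamps makes reassignment of a dynamic address between two senders less plausible, but it does not distinguish machines behind the same router.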


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭Snaga


    Have students remote access to their college/network society mail via ssh/telnet? Maybe as a member of the computing/network society?

    It's quite possible they were remotely logged into a machine in college (from home) to send the mail. I would make an effort to find out if the IP address was a normal lab PC in the college or one of the network societies' machines before docking marks or failing someone because you have a hunch they may be fobbing you off for a day. (I'm sure your IT dept can help here).


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    Snaga wrote:
    Have students remote access to their college/network society mail via ssh/telnet? Maybe as a member of the computing/network society?

    It's quite possible they were remotely logged into a machine in college to send the mail. I would make an effort to find out if the IP address was a normal lab PC in the college or one of the network societies' machines before docking marks or failing someone because you have a hunch they may be fobbing you off for a day. (I'm sure your IT dept can help)

    The IP addresses are both from DSL, so nope, and these aren't computer students so I doubt many of them (particularly this one) would be remotely logging in to send yahoo mail.


  • Registered Users, Registered Users 2 Posts: 2,934 ✭✭✭egan007


    psi wrote:
    Thanks lads, yeah, I confirmed it after some googling. Silly girl sent me an e-mail to say she's sick at home with her family and the IP address is the same as the previous email she sent from her college address.

    Now, to fail or just dock marks.

    Incidentally, this:


    Is utter bollix.

    Presumably you are a lecturer - how much do you really care if a student was not in your lecture?
    In fact if this is the case then there is more than one thing that is utter bollix here


  • Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    psi wrote:
    Now, to fail or just dock marks.

    It all depends. Maybe she could make it up to you.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    egan007 wrote:
    Presumably you are a lecturer - how much do you really care if a student was not in your lecture?

    Surely you could think for 5 seconds and realise that there's plenty of scenarios where sickness would be more relevant to marking than attending a lecture.

    This thread is tenuous enough wrt being on topic here as things stand, don't drag it off on a tangent.


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    Just to clarify, it was missing a second deadline for a project assignment and an exam.

    I just docked marks, I'm a softy. Thanks for the help guys.

