the mail won't have his IP, just the IP of his mail server. However, you can usually get their ISP that way, and then tattle to them. hmmm....
ok, since I promised to show you how to dissect a message header but didn't deliver, let me right the wrong... first, here's the message header of some spam I received.
X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
Received: from m4.COMSTATENET.NET ([205.235.78.4]) by mc5-f39.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
Sun, 17 Aug 2003 06:02:03 -0700
To: [My email address]
Date: Sun, 17 Aug 2003 21:00:59 -0500
Message-ID: <1061168459.21032@a.mx.mxdat.org>
X-Mailer: Pine.GSO.4.31
From: "Credit Line Guaranteed" <ifard@mxdat.org>
Return-Path: <ifard@mxdat.org>
Reply-To: <ifard@mxdat.org>
Subject: $5000 - Get the things you need...guaranteed
I'll dissect it piece by piece for anyone interested, at least as much as I can. I'm not an expert, but I know more than most.
X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
I have no idea what this means.
Received: from m4.COMSTATENET.NET ([205.235.78.4]) by mc5-f39.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
the sending mail server was m4.comstatenet.net with an IP address of 205.235.78.4. I've seen the hostname forged before, but I don't think I've ever seen a forged IP address. Take the IP, drop to DOS, and run 'ping -a 205.235.78.4'. That'll force a DNS lookup on the IP address... in this case, the DNS lookup failed. So, I then go to http://all-nettools.com/, to the tools section, and do a smart whois on the IP address. That returned:
205.235.64.0 - 205.235.79.255
Internet America, Inc.
620 B Industry Driv
Tukwila, WA, 98188
US
I then tried to do one on comstatenet.net (NOT m4.comstatenet.net, that won't work) and there is no DNS entry...so, it's a forged domain name. Funny how that works. However, the IP points to Internet America... either a customer (probably), an open-relay mail server that basically anyone can send through (possibly) or a forged ip (probably not).
The rest of that line refers to the receiving mail server and ip, which is hotmail, as well as the version of SMTP the server is running. Doesn't really matter for our purposes, but why not be complete. Next line.
Sun, 17 Aug 2003 06:02:03 -0700
I believe this is the date and time the message was received. This is local time to the server, which is at -7 hours from GMT.
To: [My email address]
duh
Date: Sun, 17 Aug 2003 21:00:59 -0500
I believe this is the date and time the message was sent, local date/time of the sending server. Notice it's at -5 GMT. Since I'm in -7 in central time, that puts the server in Maine, far eastern Canada, or somewhere in South America. Also notice that the times are screwed up... basically, the server sent it after hotmail received it. Typically that just means the timestamp on the server is screwed up, which happens regularly. Of course, that kinda throws the -5 GMT into question as well.
Message-ID: <1061168459.21032@a.mx.mxdat.org>
Anytime an SMTP server (outgoing mail server) sends a message, it gives it a unique message ID. In this case, it's 1061168459.21032@a.mx.mxdat.org. Notice how the domain name doesn't match the name further up the message header? Another indication that the hostname is forged.
So, I dropped to dos and pinged mxdat.org. The result? It came back with an ip address of 205.235.78.2. Look familiar? Yep... it's 2 numbers off from the sender's ip address, so probably right. Doing a smartwhois lookup on that ip with all-nettools yields Internet America again. Doing a smartwhois on mxdat.com also yields Internet America. Seeing a pattern?
X-Mailer: Pine.GSO.4.31
This, I believe, defines the mail client used to create the message. In this case, it's Pine and what I assume is the version number. Pine is an old mail client that I used on a VAX system... of course, this is only as accurate as whoever wrote the spamming program wants it to be.
From: "Credit Line Guaranteed" <ifard@mxdat.org>
This is usually forged. It's the sender's 'friendly name' and email address. In this case, it looks like it might actually exist, which is weird for spam.
Return-Path: <ifard@mxdat.org>
I believe this is where the message goes if it gets bounced before reaching the recipient. A downed mail server or a mail server rejecting the message would probably use this info.
Reply-To: <ifard@mxdat.org>
If you hit 'reply', this is where the reply message gets sent by default.
Subject: $5000 - Get the things you need...guaranteed
duh
X-OriginalArrivalTime: 17 Aug 2003 13:02:03.0338 (UTC) FILETIME=[C0D76AA0:01C364BF]
I suppose this is when the message originally arrived and was probably queued by the mail server. I have no idea what the FILETIME part of the string means. Notice it says UTC, which means it's adjusted to GMT. If you take our original arrival time at the top (6:02:03) and add 7 hours to adjust to GMT, it equals the above time. So it wasn't queued for more than .9661 seconds.
And that, ladies and gentlemen, is a dissected mail header for some spam I received on one of my hotmail accounts. Any questions?
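The consistency checks the post walks through by hand (pull the relay name and IP out of the Received line, convert both timestamps to UTC and notice the message was "sent" after Hotmail received it, compare the Message-ID domain against the announced hostname, and confirm that Received-in-UTC equals X-OriginalArrivalTime) can be scripted. The following is an added example, not code from the poster; it feeds the header block quoted above (with a constructed placeholder for the To: address) through Python's standard email module. The five-minute skew tolerance and the "last two labels" domain comparison are assumptions chosen for illustration, not rules from the post, and the ping/whois lookups are not reproduced because they need network access.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# The header block from the post, folded Received: line included.
# The To: address is a constructed placeholder (the post redacts it).
RAW_HEADERS = """\
X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
Received: from m4.COMSTATENET.NET ([205.235.78.4]) by mc5-f39.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
 Sun, 17 Aug 2003 06:02:03 -0700
To: recipient@example.invalid
Date: Sun, 17 Aug 2003 21:00:59 -0500
Message-ID: <1061168459.21032@a.mx.mxdat.org>
X-Mailer: Pine.GSO.4.31
From: "Credit Line Guaranteed" <ifard@mxdat.org>
Return-Path: <ifard@mxdat.org>
Reply-To: <ifard@mxdat.org>
Subject: $5000 - Get the things you need...guaranteed
X-OriginalArrivalTime: 17 Aug 2003 13:02:03.0338 (UTC) FILETIME=[C0D76AA0:01C364BF]

"""

# "from <helo-name> ([<ip>]) by <receiving-host>" as written by Hotmail's SMTPSVC.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Split one Received: header into relay fields plus the timestamp after the ';'."""
    text = " ".join(value.split())          # unfold the continuation line
    head, _, stamp = text.rpartition(";")
    m = RECEIVED_RE.search(head)
    if not m:
        raise ValueError("unrecognised Received syntax: " + text)
    return {
        "helo": m.group("helo"),
        "ip": m.group("ip"),
        "by": m.group("by"),
        "received_utc": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
    }


def registrable(hostname):
    """Crude 'last two labels' domain (assumption): mxdat.org vs comstatenet.net."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def domain_of(addr_spec):
    """Domain part of an address or Message-ID written as <local@host>."""
    return addr_spec.strip("<> ").rsplit("@", 1)[-1].lower()


def parse_original_arrival(value):
    """X-OriginalArrivalTime carries fractional seconds and '(UTC)'; trim both before parsing."""
    m = re.match(r"(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s*\(UTC\)", value)
    if not m:
        raise ValueError("unrecognised X-OriginalArrivalTime: " + value)
    return parsedate_to_datetime(m.group(1) + " +0000")


def analyse(raw):
    """Run the post's three consistency checks and return the evidence for each."""
    msg = message_from_string(raw)
    relay = parse_received(msg["Received"])
    sent_utc = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    arrival_utc = parse_original_arrival(msg["X-OriginalArrivalTime"])
    findings = []

    # Check 1: the sender's Date: should not be later than the first hop's Received: stamp.
    skew = sent_utc - relay["received_utc"]
    if skew > timedelta(minutes=5):        # tolerance is an assumption, not from the post
        findings.append("date_after_receipt")

    # Check 2: Message-ID domain vs the hostname the relay announced in HELO.
    if registrable(domain_of(msg["Message-ID"])) != registrable(relay["helo"]):
        findings.append("message_id_helo_mismatch")

    # Check 3: Received: converted to UTC should agree with X-OriginalArrivalTime.
    if abs(relay["received_utc"] - arrival_utc) > timedelta(seconds=1):
        findings.append("arrival_time_mismatch")

    return {
        "relay_ip": relay["ip"],
        "relay_helo": relay["helo"],
        "received_by": relay["by"],
        "sent_utc": sent_utc,
        "received_utc": relay["received_utc"],
        "skew_seconds": int(skew.total_seconds()),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, val in analyse(RAW_HEADERS).items():
        print(f"{key:>15}: {val}")
```

On the quoted header this reports a relay IP of 205.235.78.4 announced as m4.COMSTATENET.NET, a Date: header almost thirteen hours (46736 seconds) later than Hotmail's Received: stamp, and a Message-ID domain that does not match the HELO name, while the Received: time converted to UTC (13:02:03) agrees with X-OriginalArrivalTime, exactly as the post works out by hand. Only the first Received: header (the one added by your own provider) can be trusted; any earlier hops are text the sender controls.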