internet email header question

2001-12-14 Thread Allen Crawford

I often get confused when looking at these headers and I was wondering if anyone could help describe exactly what this means to me. I'm trying to determine where the source of the spam is coming from on this particular email. The part that is confusing me is where it is received by two different servers, first by my server (noelani.mailcode.com) from server2000.kunchien.idv.tw and then again by that server from mailin-01.mx.aol.com. Even on legitimate email messages it usually has two received by lines (like my bottom example), but that makes more sense to me since my server has the later date/time stamp, unlike the first example. Unless I'm reading the date/time wrong. If anyone can explain it to me that would be great (either online or offline) and/or point me in the right direction to figure it out myself. Thanks a lot.


FIRST HEADER


Received: from server2000.kunchien.idv.tw (61-219-228-138.HINET-IP.hinet.net [61.219.228.138]) by noelani.mailcode.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id YYVQL2HY; Fri, 14 Dec 2001 07:10:14 -0500
Received: from mailin-01.mx.aol.com ([209.31.211.115]) by server2000.kunchien.idv.tw with Microsoft SMTPSVC(5.0.2195.1600);
 Fri, 14 Dec 2001 20:11:44 +0800
Message-ID: 63f07644$38ec$[EMAIL PROTECTED]
To: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: Isn't It Time You Solved Your little Problem? 29102
Date: Fri, 14 Dec 2001 04:19:13 -2000
MIME-Version: 1.0
Content-Type: text/plain;
 charset=Windows-1252
Content-Transfer-Encoding: 7bit
Reply-To: [EMAIL PROTECTED]
X-Mailer:: Internet Mail Service (5.5.2650.21)
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 14 Dec 2001 12:11:45.0699 (UTC) FILETIME=[7FCAFF30:01C18498]




SECOND HEADER


Received: from uuout11smtp2.uu.flonetwork.com ([205.150.6.42]) by noelani.mailcode.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id YYVQL2C8; Fri, 14 Dec 2001 00:31:25 -0500
Received: from uucore10pumper1 (uuout11relay1.uu.flonetwork.com [172.20.71.10])
 by uuout11smtp2.uu.flonetwork.com (Postfix) with SMTP id 3991E24EED
 for [EMAIL PROTECTED]; Fri, 14 Dec 2001 00:24:19 -0500 (EST)
Message-Id: [EMAIL PROTECTED]
From: eWEEK News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: OS Flaw Opens Systems to Remote Attackers
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Fri, 14 Dec 2001 00:24:19 -0500 (EST)
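
Added example, not part of the original post or of any reply: a Python sketch that reads the two Received lines of the FIRST HEADER bottom-up, converts both timestamps to UTC, and picks out the hop written by the poster's own server. The header values are copied from the post; the function names are hypothetical.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# The two Received lines of the FIRST HEADER in the post, re-typed with
# ordinary header folding (continuation lines start with a tab).
RAW = (
    "Received: from server2000.kunchien.idv.tw"
    " (61-219-228-138.HINET-IP.hinet.net [61.219.228.138]) by noelani.mailcode.com"
    " with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)\n"
    "\tid YYVQL2HY; Fri, 14 Dec 2001 07:10:14 -0500\n"
    "Received: from mailin-01.mx.aol.com ([209.31.211.115])"
    " by server2000.kunchien.idv.tw with Microsoft SMTPSVC(5.0.2195.1600);\n"
    "\tFri, 14 Dec 2001 20:11:44 +0800\n"
)

# "from <HELO name> ([reverse DNS] [peer IP]) by <host that wrote this line>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return the Received hops oldest first, with timestamps converted to UTC."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        info, _, stamp = " ".join(value.split()).rpartition(";")
        match = HOP.search(info)
        if match is None:
            continue  # a layout this sketch does not understand
        helo, rdns, ip, by = match.groups()
        utc = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by, "utc": utc})
    return hops[::-1]  # each server prepends its line, so file order is newest first

def hop_gaps(hops):
    """Seconds between consecutive hops; negative means the clocks disagree."""
    return [(b["utc"] - a["utc"]).total_seconds() for a, b in zip(hops, hops[1:])]

def boundary_hop(hops, my_hosts):
    """Oldest hop written by our own servers: its peer IP is what really connected."""
    edge = None
    for hop in reversed(hops):  # walk down from the newest line
        if hop["by"] not in my_hosts:
            break
        edge = hop
    return edge

if __name__ == "__main__":
    chain = parse_hops(RAW)
    print(hop_gaps(chain), boundary_hop(chain, {"noelani.mailcode.com"})["ip"])
```

In UTC the two stamps are 12:11:44 (written by server2000.kunchien.idv.tw) and 12:10:14 (written by noelani.mailcode.com), so the apparent ordering problem is a time-zone difference plus 90 seconds of clock disagreement. Only 61.219.228.138 was recorded first-hand by noelani.mailcode.com; the lower Received line is what the relay itself wrote and cannot be verified from the receiving side.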





RE: internet email header question

2001-12-14 Thread msharik

Allen, go to www.samspade.org and download Sam Spade for Windows. It's a great utility that will help you track info in headers, etc. FYI, it won't work if you're inside a Proxy, but you can run it on the Proxy server and it will work then.

Good luck.

-Michèle
Immigration site: http://LadySun1969.tripod.com
The Miata: http://members.cardomain.com/bpituley
Tiggercam: http://www.tiggercam.co.uk
- I'm Out of Estrogen And I Have A Gun -
-----Original Message-----
From: Allen Crawford [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 14, 2001 8:10 AM
To: MS-Exchange Admin Issues
Subject: internet email header question