Email Headers. Are They From The Same Person?

[ChiangMaiThai]

If anyone can help me with this, I would be very, very grateful. I have pasted headers from emails I received from two different people below. I have not altered them in any way except for replacing the front part of their email address with XXXX for privacy concerns.

PLEASE can anyone tell me if these two emails came from the same computer? The originating IP is the same. The other info is not. Please help!

MIME-Version: 1.0

X-Originating-IP: 205.233.109.211

Received: from priv-edtnes51.telusplanet.net ([199.185.220.223]) by bay0-mc6-f5.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 15 Feb 2006 14:47:56 -0800

Received: from localhost ([199.185.220.240]) by priv-edtnes51.telusplanet.net (InterMail vM.6.01.05.04 201-2131-123-105-20051025) with ESMTP id <20060215224755.JMUH18866.priv-edtnes51.telusplanet.net@localhost>; Wed, 15 Feb 2006 15:47:55 -0700

Received: from 205.233.109.211 ( [205.233.109.211])as user [email protected]@192.168.200.1 by www.webmail.telus.net with HTTP;Wed, 15 Feb 2006 14:47:54 -0800

X-Message-Info: UZmYcfFpTCezaeJ2up0/KlLcxwM+Tl8KOkx3EGjH+Jg=

References: <[email protected]>

User-Agent: Internet Messaging Program (IMP) 3.1-cvs

Return-Path: [email protected]

X-OriginalArrivalTime: 15 Feb 2006 22:47:56.0666 (UTC) FILETIME=[DD0155A0:01C63281]

MIME-Version: 1.0

X-Originating-IP: [205.233.109.211]

X-Originating-Email: [[email protected]]

X-Sender: [email protected]

Received: from omc1-s29.bay6.hotmail.com ([65.54.248.231]) by bay0-mc11-f19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 15 Feb 2006 09:21:59 -0800

Received: from hotmail.com ([64.4.53.53]) by omc1-s29.bay6.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 15 Feb 2006 09:00:52 -0800

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 15 Feb 2006 09:00:52 -0800

Received: from 205.233.109.211 by by19fd.bay19.hotmail.msn.com with HTTP;Wed, 15 Feb 2006 17:00:52 GMT

X-Message-Info: EoYTbT2lH2MOvvlZkzTxfU5heBu0IVDgnxmK4e3g9es=

X-OriginalArrivalTime: 15 Feb 2006 17:00:52.0307 (UTC) FILETIME=[60B85230:01C63251]

Return-Path: [email protected]

[ChiangMaiThai]

I have one more. Did this email also come from the same person? Your knowledge is greatly appreciated here. They all have the same IP address 205.233.109.211 somewhere in the header. Yet they all came from different email addresses and from supposedly different people.

MIME-Version: 1.0

Received: from web37812.mail.mud.yahoo.com ([209.191.87.125]) by bay0-mc7-f15.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 15 Feb 2006 15:38:43 -0800

Received: (qmail 53856 invoked by uid 60001); 15 Feb 2006 23:38:43 -0000

Received: from [205.233.109.211] by web37812.mail.mud.yahoo.com via HTTP; Wed, 15 Feb 2006 15:38:43 PST

X-Message-Info: JGTYoYF78jENGLSNYrHj0AGlQfEAtjk8JDQVvKfgsf8=

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=QgXjSoxMNSvsoh5E27UbPa1E55GxJJnq4pBYqSTIIMF7C7shlSZPDz5p2q4uoNkzh3eeqT82lABO2o

tkV4TPsuioSOAar+SE+KNlT1IFlITwDgnDTKQS/n9Z3pxCAYa2QYSXx8NNeZGwO22/CpWHd0xGV3nH24elW0tjCQAPvg= ;

Return-Path: [email protected]

X-OriginalArrivalTime: 15 Feb 2006 23:38:43.0847 (UTC) FILETIME=[F5444170:01C63288]

[BangnaBound]

I can’t tell you if these came from the same computer, I’m not sure if that can be confirmed. But it does appear that all three messages originated from hind the same internet access point, most likely a static corporate connection. All 3 used a webmail client, so although it would be easy to send them from the same computer, it could just mean they were sent by different computers on the same LAN. I hope that helps.

[ChiangMaiThai]

I can’t tell you if these came from the same computer, I’m not sure if that can be confirmed. But it does appear that all three messages originated from hind the same internet access point, most likely a static corporate connection. All 3 used a webmail client, so although it would be easy to send them from the same computer, it could just mean they were sent by different computers on the same LAN. I hope that helps.

Hi. Thanks very much for spending some time looking at it! At the very least, if not being sent from the same computer, they have to be being sent from the same LAN, correct? And a LAN most likely means a number of computers in an office or home right?

So we can say that maybe they are being sent from the same computer and for sure they are being sent from the same location, whether its a home or an office, correct?

THANKS!

[Tywais]

Hi. Thanks very much for spending some time looking at it! At the very least, if not being sent from the same computer, they have to be being sent from the same LAN, correct? And a LAN most likely means a number of computers in an office or home right?

So we can say that maybe they are being sent from the same computer and for sure they are being sent from the same location, whether its a home or an office, correct?

THANKS!

If behind a corporate firewall and probably using an e-mail server (gateway) they will appear as the same IP (masqueraded).

[ChiangMaiThai]

Hi. Thanks very much for spending some time looking at it! At the very least, if not being sent from the same computer, they have to be being sent from the same LAN, correct? And a LAN most likely means a number of computers in an office or home right?

So we can say that maybe they are being sent from the same computer and for sure they are being sent from the same location, whether its a home or an office, correct?

THANKS!

If behind a corporate firewall and probably using an e-mail server (gateway) they will appear as the same IP (masqueraded).

So that mean at least that these emails are all being sent from the same building?

[cdnvic]

All three came from Alberta, Canada. The last two from Edmonton based servers.

ISP: Telus Http://www.telus.net/

cv

[Tywais]

So that mean at least that these emails are all being sent from the same building?

Not necessarily. If a corporate WAN (wide area network) there could be several buildings involved even spread over wide distances but still use a centralized e-mail server. However they would still be from the same enitity (corporation) so to speak. My system handles two buildings and they all go through the same firewall and use the same e-mail server.

[ChiangMaiThai]

So that mean at least that these emails are all being sent from the same building?

Not necessarily. If a corporate WAN (wide area network) there could be several buildings involved even spread over wide distances but still use a centralized e-mail server. However they would still be from the same enitity (corporation) so to speak. My system handles two buildings and they all go through the same firewall and use the same e-mail server.

Okay, so even if it is multiple buildings, the people sending these emails are all connected in some way, right?

Maybe they are the same person.

Maybe they are in the same house or office.

Maybe they work for the same company.

But they are indisputably, without a doubt, connected, correct?

[Rimmer]

Network Contact Information: The following details refer to the network that the system is on.

AGT Advanced Communications Ste 200, 355 - 4th Ave SW Calgary AB T2P-0J1 CA

Domain Contact Information: The following details refer to a name registered for this address.

Telus Corporation

[email protected]

(403) 543 2000 - - - (543) 543 2030 Ste 200, Fracmaster Tower 355 - 4th Ave Calgary, ALBERTA T2P 0J1 CA

OrgName: AGT Advanced Communications

OrgID: AAC-3

Address: Ste 200, 355 - 4th Ave SW

City: Calgary

StateProv: AB

PostalCode: T2P-0J1

Country: CA

NetRange: 205.233.108.0 - 205.233.111.255

CIDR: 205.233.108.0/22

NetName: AGTAC-POP

NetHandle: NET-205-233-108-0-1

Parent: NET-205-0-0-0-0

NetType: Direct Assignment

NameServer: F02S01.TAC.NET

NameServer: F02S02.TAC.NET

Comment:

RegDate: 1995-09-15

Updated: 2001-11-15

SECOND ONE

AGT Advanced Communications Ste 200, 355 - 4th Ave SW Calgary AB T2P-0J1 CA

Domain Contact Information: The following details refer to a name registered for this address.

Telus Corporation [email protected] (403) 543 2000 - - - (543) 543 2030 Ste 200, Fracmaster Tower 355 - 4th Ave SW Calgary, ALBERTA T2P 0J1 CA

OrgName: AGT Advanced Communications

OrgID: AAC-3

Address: Ste 200, 355 - 4th Ave SW

City: Calgary

StateProv: AB

PostalCode: T2P-0J1

Country: CA

NetRange: 205.233.108.0 - 205.233.111.255

CIDR: 205.233.108.0/22

NetName: AGTAC-POP

NetHandle: NET-205-233-108-0-1

Parent: NET-205-0-0-0-0

NetType: Direct Assignment

NameServer: F02S01.TAC.NET

NameServer: F02S02.TAC.NET

Comment:

RegDate: 1995-09-15

Updated: 2001-11-15

THIRD ONE

AGT Advanced Communications

Ste 200, 355 - 4th Ave SW Calgary AB T2P-0J1 CA

Domain Contact Information: The following details refer to a name registered for this address.

Telus Corporation

[email protected]

(403) 543 2000

- - - (543) 543 2030

Ste 200, Fracmaster Tower 355 - 4th Ave SW Calgary, ALBERTA T2P 0J1 CA

[Tywais]

But they are indisputably, without a doubt, connected, correct?

Sorry for making it so convoluted (won't go into open relays,etc.) but it appears they are.

[ChiangMaiThai]

But they are indisputably, without a doubt, connected, correct?

Sorry for making it so convoluted (won't go into open relays,etc.) but it appears they are.

Thank you everybody for the assistance! I have one more twist to add to this. I sent an email to one of the above email addresses and this time I tracked it. The reader opened it three different times. The tracking details from each open are as follows:

Opened on colteng.tac.net (205.233.109.211:39736)

Opened on colteng.tac.net (205.233.109.211:33670)

Opened on colteng.tac.net (205.233.109.211:56945)

What exactly does it mean that each time the email is opened, the last 5 digits changes? The tracking information does not show the email as being forwarded. It shows that it was opened three separate times.

THANK YOU!

[Tywais]

Opened on colteng.tac.net (205.233.109.211:39736)

Opened on colteng.tac.net (205.233.109.211:33670)

Opened on colteng.tac.net (205.233.109.211:56945)

What exactly does it mean that each time the email is opened, the last 5 digits changes? The tracking information does not show the email as being forwarded. It shows that it was opened three separate times.

THANK YOU!

The IP notation in that format usually means the IP followed by the socket number. Whenever a protocol is used it also creates a socket for identification purposes due to many people using a protocol at the same time the server needs to keep track of the user by assigning a socket to them. The socket number will change dynamically.

[spog]

are you going to share more about this little mystery?

[ChiangMaiThai]

Opened on colteng.tac.net (205.233.109.211:39736)

Opened on colteng.tac.net (205.233.109.211:33670)

Opened on colteng.tac.net (205.233.109.211:56945)

What exactly does it mean that each time the email is opened, the last 5 digits changes? The tracking information does not show the email as being forwarded. It shows that it was opened three separate times.

THANK YOU!

The IP notation in that format usually means the IP followed by the socket number. Whenever a protocol is used it also creates a socket for identification purposes due to many people using a protocol at the same time the server needs to keep track of the user by assigning a socket to them. The socket number will change dynamically.

Okay, does a change in the socket number mean a change in the user or if you opened an email now and an email an hour later, would two different socket numbers be assigned?

are you going to share more about this little mystery?

At this point, let's just say that some people are very, very stupid.

[Tywais]

Okay, does a change in the socket number mean a change in the user or if you opened an email now and an email an hour later, would two different socket numbers be assigned?

The socket number doesn't reflect the user but the opening of the port (IP) and will change each time it is opened/closed by the same user. I'm with spog, really curious as to what this is all about.

[Crushdepth]

Yeah come on, spill. Don't leave us in suspense...

[Chopper]

ChaingMaiThai, I am with Spog and Crushdepth you have me intrigued. Or you could say I am just a nosey sod!

Edit: jsut just- Sid Lexic :-)

Edited February 16, 2006 by Chopper

[ChiangMaiThai]

Okay. Thanks guys for all your help. In short, I had a 'group' of people claiming they were cooperating in an investigation and lawsuit against me. I was forwarded an official looking letter from the Department of the Treasury claiming as such as well. They had personal info I don't know how they came by. But thanks to their incompetency and your help, I've uncovered it as a huge scam. The emails of the different people involved were all coming from the same IP address belonging to a company in Canada as I now know thanks to your help. Last night I spoke with Financial Crimes Network and Secret Service who confirmed that it is a fraud. I don't know who tries to pull a scam like this without first learning about IP addresses. But this person has ######ed with the wrong Chiang Mai Thai. Thanks again!

[BangnaBound]

That’s great to hear! Not that someone was trying to scam you, but you caught on and got the authorities involved. I hope they can track the guy down.

[Chopper]

Glad you have sorted out the problem in your favour.

I would be concerned at the source of where the personal information came from though.

[Carmine6]

Okay. Thanks guys for all your help. In short, I had a 'group' of people claiming they were cooperating in an investigation and lawsuit against me. I was forwarded an official looking letter from the Department of the Treasury claiming as such as well. They had personal info I don't know how they came by. But thanks to their incompetency and your help, I've uncovered it as a huge scam. The emails of the different people involved were all coming from the same IP address belonging to a company in Canada as I now know thanks to your help. Last night I spoke with Financial Crimes Network and Secret Service who confirmed that it is a fraud. I don't know who tries to pull a scam like this without first learning about IP addresses. But this person has ######ed with the wrong Chiang Mai Thai. Thanks again!

A few months ago there was a news story about a pedophile in Germany who received some scam thing saying the authorities were monitoring him. He was so convinced, he went to the police and confessed.

[Rimmer]

Okay. Thanks guys for all your help. In short, I had a 'group' of people claiming they were cooperating

SNIP

Wow what an amazing story. So pleased it's gonna turn out OK for you though, what a narrow escape!

If anything else breaks I am sure we would all be very interested to hear it.

Very scary about the personal information! Anything on the computer that could have been hacked into by malware from a remote teminal at all?

[ChiangMaiThai]

It looks like the source was a disgruntled customer who is a small time con artisit. I already refunded his money for a purchase he had made, under $200. It was after the refund had been made that the doctored letter was sent to me and half a dozen false emails. He had me going for a couple days, but like I said, he ######ed with the wrong Chiang Mai Thai. The US Government doesn't take kindly to being impersonated.

[Crushdepth]

Cool...I hope they nail his nuts to something jagged and rusty.