header question

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

Elite Baiter Joined: 28 Feb 2007 Posts: 1731

One of my mentees has a question I cannot answer about headers.
I would appreciate it if someone can help us out.

Quote:

Am I reading this correctly so that this contact of mine is located in Finland but possibly using a webmail or similar through the USA? I see "The Bat" is involved so I'm not sure what changes that can make (if any)with regards to IP addresses. Can I assume they are from either Finland or USA or could they really be in Russia?

Quote:

Return-Path:
Received: from mailfreedom4u.net (mailfreedom4u.net [208.72.169.176])
by mail08.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id m1OAZai6014583
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for ; Sun, 24 Feb 2008 21:35:39 +1100
Received: (qmail 29249 invoked by uid 89); 24 Feb 2008 18:41:55 -0000
X-Mail-Scanner: Scanned by qSheff-II-2.1-r2 (http://www.enderunix.org/qsheff/)
Received: from unknown (HELO ?172.17.22.170?) (192.194.197.194)
by mailfreedom4u.net with SMTP; 24 Feb 2008 18:41:40 -0000
Date: Sun, 24 Feb 2008 14:52:08 +0500
From: Anastasija
X-Mailer: The Bat! (v3.95.3) Professional
Reply-To: Anastasija
Organization: Anastasija
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: [email protected]
Subject: Re: Your profile
In-Reply-To: <[email protected]>
References: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------72154343E8E0256"

------------72154343E8E0256
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Posted: Thu Mar 06, 2008 5:43 am

Alot of the russians use proxies which change the ip info.
the best thing to do is cheack the ip daily if it keeps jumping all around the world they are on a proxy. Unfortunately not much can be done about pinpoint them. Other than arranging a meeting.

Posted: Thu Mar 06, 2008 9:24 am

Redshoes17 posted that header info request on my behalf. I just had a look at the last bunch of emails I have received and they all contain those same 2 IP addresses from USA and Finland.

I guess it doesn't really matter where they are from. Just thought the extra knowledge might come in handy.

Posted: Thu Mar 06, 2008 10:50 am

Once "the bat" is involved it's hard to locate them. As you said it doesn't really matter. If you really want to know where they are then setting up a meet under a public web cam is really the only to be sure. However the well organised ones do have friends around the world to sit in for them when required.
Romance scammers are a slow bait, take your time push them into a corner.

They can be a great deal of fun.

Also "The Bat" is a legit piece of software ( it has some dubious features) it is great for mass mail out etc.
However for person to person contact it is over the top, thus the assumption that a person using it is most likely a scammer.

Posted: Thu Mar 06, 2008 10:57 am

If you get an odd IP address, then Google it as well, Sometimes you'll find it listed as a proxy. Sometimes you'll find other "ladies" using the same IP address as well.

Elite Baiter Joined: 19 Jan 2008 Posts: 1043

I think i may have got the wrong end of the stick, but you don't mean that the headers show as follows:

With both the USA and Finland ones showing?

If so, then the email is either sent from Finland, or they are using a proxy, or they have faked their headers to have an IP from Finland. The USA part is just the way it was routed to you.

Posted: Thu Mar 06, 2008 12:30 pm

Yes those were the 2 IP's I was refering too. I was thinking along those lines Newdonym with the original meassage coming from Finland but I just noticed something else in the header.

See the referencence to:
Message-ID: <[email protected]>

I just did a search on the slogamail.info domain and the page http://www.aboutus.org/SlogaMail.info come with what seems to look like Russian text as do some of the links. So if that domain name comes last could it really be coming from somewhere else like Russia? From the translations I can find it seems like some sort of mail filtering service.

anyone heard of this?

Elite Baiter Joined: 19 Jan 2008 Posts: 1043

I'm not to sure on that. Can't say i've read up on it.

With the above header, you can get a list, say 10 IPs long. It is based on how many routers and exchanges the email has passed through. As the image says. The last IP is usually the origin.

Master Baiter Joined: 16 Jul 2007 Posts: 214

The Finnish IP is also in use by one near the end of this post -

are these the photos being used?

http://www.romancescam.com/forum/viewtopic.php?t=1093

Elite Baiter Joined: 19 Jan 2008 Posts: 1043

Also used,

HERE and HERE

IP's should be highlighted.

Master Baiter Joined: 16 Jul 2007 Posts: 214

See later postings

Posted: Thu Mar 06, 2008 1:25 pm

Thanks for posting those links Skerrett and Newdonym but those photos don't match the "girl" in my photos. I will read up on those links as a quick look shows the scripts in play to be almost the same as what I'm getting now so that can give me a heads on on what's coming.

Master Baiter Joined: 16 Jul 2007 Posts: 214

Those two are from the same computer!!

The HELO in them is the same Wink

There is one in one of the replies on a link from the same PC as the one I posted again same HELO in the header.

The original IP has a different HELO so is from a different PC so it could show three or four guys writing using the script and photos

Posted: Thu Mar 06, 2008 1:37 pm

The names and the photos aren't important. They're easily interchangeable. It's the email headers and the emails themselves that are the important things to look at.