Headers. What needs to be put into a report here? A guide.

Post by Wayne » Thu Aug 02, 2012 4:52 pm

Headers are big old things, and to be honest, unless you're reporting a phishing site or fake webpage then most of what it has isn't essential. I'll show you how to cut an email header down to just the essentials. Firstly, here's a full header from a recent post:

Delivered-To: XXXXXX
Received: by 10.64.60.231 with SMTP id k7csp56759ier;
Thu, 2 Aug 2012 06:37:15 -0700 (PDT)
Received: by 10.205.134.133 with SMTP id ic5mr8590052bkc.15.1343914633624;
Thu, 02 Aug 2012 06:37:13 -0700 (PDT)
Return-Path: <kalifa.abdullah@hotmail.fr>
Received: from nm22-vm9.bullet.mail.ird.yahoo.com (nm22-vm9.bullet.mail.ird.yahoo.com. [212.82.109.228])
by mx.google.com with SMTP id go4si5775846bkc.136.2012.08.02.06.37.13;
Thu, 02 Aug 2012 06:37:13 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning kalifa.abdullah@hotmail.fr does not designate 212.82.109.228 as permitted sender) client-ip=212.82.109.228;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning kalifa.abdullah@hotmail.fr does not designate 212.82.109.228 as permitted sender) smtp.mail=kalifa.abdullah@hotmail.fr; dkim=pass (test mode) header.i=@yahoo.com
Received: from [77.238.189.232] by nm22.bullet.mail.ird.yahoo.com with NNFMP; 02 Aug 2012 13:37:12 -0000
Received: from [212.82.108.236] by tm13.bullet.mail.ird.yahoo.com with NNFMP; 02 Aug 2012 13:37:12 -0000
Received: from [127.0.0.1] by omp1001.mail.ird.yahoo.com with NNFMP; 02 Aug 2012 13:37:12 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 744273.26210.bm@omp1001.mail.ird.yahoo.com
Received: (qmail 3235 invoked by uid 60001); 2 Aug 2012 13:37:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1343914632; bh=t+n8KpDumf8OiBgKTREhtjYEOx+SARVk5VRW6ahxfBA=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=lP+qAnc+VSCtCNCbMgaXHRaZ6g+N+7eQoUO0sSZHhPeaKD93TJuJMNYu5YW+Ab1kCgavyFszuiqCP68soDlxzqoJHGB5pPSLvdJ4DkGbIKCeejd3yBu62cGI5B62UfryWPGAjxdooLbz2K4VxV9FFrqW6sGmySu9yuVtJxcsYJI=
X-YMail-OSG: 1EpwNPIVM1nXZ9Mzp02PQmIY60VO_pfs0SuLaHL6WrZaf_d
ZkT9yHahTkBFGfYUb_6SLbld9Br_k5Iq8mUFpBZqWApQgLMo93CggU24toUi
0ugp4VVeE5K23P6LFUu7tlgtiNxgnuwdjZALXgKYlDINbB9cjwArVTKoJYsg
7Piba_3J8q_P04RjZdYrVWqgxuOx14mEAsndhfJNv5ZhmBJ_QBNcbXm8trMp
6JmIoBw5XEMeU0SpIKDqzXjDyNGHye1sIQQWBuE2e6ABIk7_FyRm08nUEAn4
6sG6gpCOEzi.7d59ghcVspme0CrECjT4aM2YSmPrZKZzkZNS3EFN4YuMUlR.
CdW348wcnkhwQCgBk37C5P6GBrxSLdkOvJl30ZZsa5orUl3TkAWzl0BIKHaj
8HvXp_Awtk8cqPlx8T.arJe6V3qK2a3EG9SKIDEm_p2PoyUPeqBouhADdvJn
GtiynndcgIOttZnckRx0TbaD8oUG.ykhxdnwmD2OLUTEBX5OS4PQV9ley9vv
3FKbyDfRgSSObtF0.Cg--
Received: from [41.138.46.133] by web29505.mail.ird.yahoo.com via HTTP; Thu, 02 Aug 2012 14:37:12 BST
X-RocketYMMF: zoladanicec
X-Mailer: YahooMailClassic/15.0.8 YahooMailWebService/0.8.120.356233
Message-ID: <1343914632.98314.YahooMailClassic@web29505.mail.ird.yahoo.com>
Date: Thu, 2 Aug 2012 14:37:12 +0100 (BST)
From: KALIFA ABDULLAH <kalifa.abdullah@hotmail.fr>
Reply-To: kalifa.abdullah@gmail.com
Subject: FROM KALIFA ABDULLAH/ LIBYA
To: undisclosed recipients: ;
MIME-Version: 1.0


At this point, you can already cut a huge part of the beginning off. Look for DKIM-Signature: (highlighted in red in the above header) and remove everything above it. Now you have this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1343914632; bh=t+n8KpDumf8OiBgKTREhtjYEOx+SARVk5VRW6ahxfBA=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=lP+qAnc+VSCtCNCbMgaXHRaZ6g+N+7eQoUO0sSZHhPeaKD93TJuJMNYu5YW+Ab1kCgavyFszuiqCP68soDlxzqoJHGB5pPSLvdJ4DkGbIKCeejd3yBu62cGI5B62UfryWPGAjxdooLbz2K4VxV9FFrqW6sGmySu9yuVtJxcsYJI=
X-YMail-OSG: 1EpwNPIVM1nXZ9Mzp02PQmIY60VO_pfs0SuLaHL6WrZaf_d
ZkT9yHahTkBFGfYUb_6SLbld9Br_k5Iq8mUFpBZqWApQgLMo93CggU24toUi
0ugp4VVeE5K23P6LFUu7tlgtiNxgnuwdjZALXgKYlDINbB9cjwArVTKoJYsg
7Piba_3J8q_P04RjZdYrVWqgxuOx14mEAsndhfJNv5ZhmBJ_QBNcbXm8trMp
6JmIoBw5XEMeU0SpIKDqzXjDyNGHye1sIQQWBuE2e6ABIk7_FyRm08nUEAn4
6sG6gpCOEzi.7d59ghcVspme0CrECjT4aM2YSmPrZKZzkZNS3EFN4YuMUlR.
CdW348wcnkhwQCgBk37C5P6GBrxSLdkOvJl30ZZsa5orUl3TkAWzl0BIKHaj
8HvXp_Awtk8cqPlx8T.arJe6V3qK2a3EG9SKIDEm_p2PoyUPeqBouhADdvJn
GtiynndcgIOttZnckRx0TbaD8oUG.ykhxdnwmD2OLUTEBX5OS4PQV9ley9vv
3FKbyDfRgSSObtF0.Cg--
Received: from [41.138.46.133] by web29505.mail.ird.yahoo.com via HTTP; Thu, 02 Aug 2012 14:37:12 BST
X-RocketYMMF: zoladanicec
X-Mailer: YahooMailClassic/15.0.8 YahooMailWebService/0.8.120.356233
Message-ID: <1343914632.98314.YahooMailClassic@web29505.mail.ird.yahoo.com>
Date: Thu, 2 Aug 2012 14:37:12 +0100 (BST)
From: KALIFA ABDULLAH <kalifa.abdullah@hotmail.fr>
Reply-To: kalifa.abdullah@gmail.com
Subject: FROM KALIFA ABDULLAH/ LIBYA
To: undisclosed recipients: ;
MIME-Version: 1.0


It can be cut down even more, by looking for the first IP address shown below it (in green) and cutting everything above it. Now we have this:

Received: from [41.138.46.133] by web29505.mail.ird.yahoo.com via HTTP; Thu, 02 Aug 2012 14:37:12 BST
X-RocketYMMF: zoladanicec
X-Mailer: YahooMailClassic/15.0.8 YahooMailWebService/0.8.120.356233
Message-ID: <1343914632.98314.YahooMailClassic@web29505.mail.ird.yahoo.com>
Date: Thu, 2 Aug 2012 14:37:12 +0100 (BST)
From: KALIFA ABDULLAH <kalifa.abdullah@hotmail.fr>
Reply-To: kalifa.abdullah@gmail.com
Subject: FROM KALIFA ABDULLAH/ LIBYA
To: undisclosed recipients: ;
MIME-Version: 1.0


You could even cut it down more if you wanted to by only posting the originating IP address, from and reply to address, along with the email subject (again shown in green), but it's not absolutely necessary.

Gmail will often hide the originating IP address, so if you have a Gmail address that has a lot of 10.xxx.xxx.xxx IP addresses, then all you'd need to post is the email addresses themselves. Here's an example:

Received: by 10.50.213.39 with SMTP id np7mr538385igc.51.1343875920540; Wed,
01 Aug 2012 19:52:00 -0700 (PDT)
Received: by 10.64.46.164 with HTTP; Wed, 1 Aug 2012 19:52:00 -0700 (PDT)
Date: Wed, 1 Aug 2012 19:52:00 -0700
Message-ID: <CAOKYyBsWYZ79SmQV_eOYs_uGdJ5XaDgcKc=sdBa61uPZXP7yKg@mail.gmail.com>
Subject:
From: SARAH JAMES <sarahjamesfinancialhelp@gmail.com>
To: undisclosed-recipients:;
Content-Type: text/plain; charset=ISO-8859-1
Bcc: XXXXXX


In this case, the IP addresses aren't even necessary, so you could just post up this part:

From: SARAH JAMES <sarahjamesfinancialhelp@gmail.com>


With practice, you'll be able to do this in pretty much the same time as it would take to post up the entire header and remove your own details, probably less.
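The trimming steps above as a script (an added example, not part of the original post): it takes the originating IP from the oldest Received: line, ignores private and loopback addresses such as Gmail's 10.x hops, and keeps only From, Reply-To and Subject. The function names are illustrative, and the two sample headers are abridged from the ones shown in the post.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Dotted quad that is not part of a longer dotted number (e.g. an SMTP id).
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def originating_ip(received):
    """Return the first public IP, scanning from the oldest hop (bottom) upward."""
    for line in reversed(received):
        for candidate in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            if ip.is_global:  # skips 10.x, 127.0.0.1 and other internal hops
                return str(ip)
    return None

def essentials(raw_header):
    """Reduce a raw header to the fields the post says a report needs."""
    msg = HeaderParser().parsestr(raw_header)
    report = {
        "Originating-IP": originating_ip(msg.get_all("Received", [])),
        "From": msg.get("From"),
        "Reply-To": msg.get("Reply-To"),
        "Subject": msg.get("Subject"),
    }
    return {k: v for k, v in report.items() if v}  # drop absent/empty fields

# Sample input: abridged from the Yahoo header in the post.
YAHOO = """\
Received: by 10.205.134.133 with SMTP id ic5mr8590052bkc.15.1343914633624;
 Thu, 02 Aug 2012 06:37:13 -0700 (PDT)
Received: from [127.0.0.1] by omp1001.mail.ird.yahoo.com with NNFMP; 02 Aug 2012 13:37:12 -0000
Received: from [41.138.46.133] by web29505.mail.ird.yahoo.com via HTTP; Thu, 02 Aug 2012 14:37:12 BST
From: KALIFA ABDULLAH <kalifa.abdullah@hotmail.fr>
Reply-To: kalifa.abdullah@gmail.com
Subject: FROM KALIFA ABDULLAH/ LIBYA
"""
# Sample input: abridged from the Gmail header in the post (internal IPs only).
GMAIL = """\
Received: by 10.50.213.39 with SMTP id np7mr538385igc.51.1343875920540; Wed,
 01 Aug 2012 19:52:00 -0700 (PDT)
Received: by 10.64.46.164 with HTTP; Wed, 1 Aug 2012 19:52:00 -0700 (PDT)
Subject:
From: SARAH JAMES <sarahjamesfinancialhelp@gmail.com>
"""
if __name__ == "__main__":
    for name, raw in (("yahoo", YAHOO), ("gmail", GMAIL)):
        print(name, essentials(raw))
```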