Decipher Outlook email header
Discussion
I have just got an email from someone enquiring about some work but I think it's a scam. I have viewed the message source but it doesn't make a lot of sense to me.
The email is from a gmail address so hardly a professional setup, and in the many many lines of text in the headers is this.
Authentication-Results: spf=pass (sender IP is 209.85.192.195) when you look it up it originates from the USA in California, Mountain View or something, is this not Google's headquarters and just what the email is routed through?
I just use outlook.live to view my emails.
Yup.
Whois IP 209.85.192.195 (updated 2 days ago)
CIDR: 209.85.128.0/17
NetName: GOOGLE
NetHandle: NET-209-85-128-0-1
Parent: NET209 (NET-209-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOGL)
RegDate: 2006-01-13
Updated: 2012-02-24
Ref: https://whois.arin.net/rest/net/NET-209-85-128-0-1
OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2017-12-21
Ref: https://whois.arin.net/rest/org/GOGL
OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: email@google.com
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE5250-ARIN
OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: +1-650-253-0000
OrgTechEmail: email@google.com
OrgTechRef: https://whois.arin.net/rest/poc/ZG39-ARIN
Email headers record the trace as the email is passed from one email system to another.
In this instance, the originating email system IS gmail, as you can use the web interface to send emails. The web interface does not pass on the original machine on which a web browser was used to send the email. You'd most likely need to contact Google themselves to dig further, although that may simply go as far as the proxy server for a mobile provider.
Look further down the header list until just before the From: header and you may see this which is a giveaway that the email was sent via the web interface.
X-Received: by 10.107.11.130 with SMTP id 2mr6125140iol.80.1516568644644; Sun, 21 Jan 2018 13:04:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.143.194 with HTTP; Sun, 21 Jan 2018 13:04:04 -0800 (PST)
Edited by eltawater on Sunday 21st January 21:14
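As an added example (not posted by anyone in this thread), the check above done in Python: it reads the header lines the thread quotes, pulls the SPF result and sender IP out of Authentication-Results, walks the Received chain from the first hop, and flags a "with HTTP" first hop as a webmail submission. The sample headers are constructed from the lines quoted in the thread, and the 209.85.128.0/17 range is taken from the ARIN record above.

```python
import email
import ipaddress
import re

# Constructed sample built from the header lines quoted in this thread.
RAW_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 209.85.192.195)
 smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
X-Received: by 10.107.11.130 with SMTP id 2mr6125140iol.80.1516568644644;
 Sun, 21 Jan 2018 13:04:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.143.194 with HTTP; Sun, 21 Jan 2018 13:04:04 -0800 (PST)
From: someone@gmail.com
Subject: Enquiry

"""

# Google's block from the ARIN whois record posted above.
GOOGLE_MAIL_NET = ipaddress.ip_network("209.85.128.0/17")


def sender_ip(msg):
    """IP the receiving system saw, as recorded in Authentication-Results."""
    m = re.search(r"sender IP is ([\d.]+)", msg.get("Authentication-Results", ""))
    return m.group(1) if m else None


def received_chain(msg):
    """Received headers are prepended by each hop, so reverse them to get
    the chain in delivery order: the first element is the hop closest to
    the sender."""
    return list(reversed(msg.get_all("Received", [])))


def analyse(raw):
    msg = email.message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    ip = sender_ip(msg)
    chain = received_chain(msg)
    first_hop = chain[0] if chain else ""
    spf = re.search(r"spf=(\w+)", auth)
    return {
        "spf": spf.group(1) if spf else None,
        "sender_ip": ip,
        # An SPF pass from Google's range only proves Google sent it for
        # gmail.com; it says nothing about who is behind the account.
        "sender_ip_is_google": ip is not None
        and ipaddress.ip_address(ip) in GOOGLE_MAIL_NET,
        # "with HTTP" on the first hop is the webmail tell the reply describes:
        # the browser's own address is not recorded.
        "webmail_submission": "with HTTP" in first_hop,
        "hops": len(chain),
    }
```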
It says something similar, slightly different IP address and code but is -8hrs etc.
Would it be likely that an email sent from a person in the UK to another person in the UK would be routed via California though?
I'm pretty confident it's a scam email and don't want to reply in case I get obliterated with spam, but at the same time don't want to lose a decent in the unlikely event it's not a scam.
Thanks.
https://testconnectivity.microsoft.com/MHA/Pages/m...
Handy MS site - will take the whole message header and break the routing down into a table to make it easy to read.
SSL certificate is expired on the site at the moment though (tut tut MS)