Somebody sent msg through my mail id

Page no : 2

Vijayalakshmi.K (ICWA Final ) (324 Points)
Replied 29 June 2012

I think you have not logged off your mail id. That is the main reason for such a problem.


sagar (C.A Finals) (41 Points)
Replied 29 June 2012

Shift to Gmail. Yahoo is useless these days.


Zeeshan Khan (Account Officer) (35 Points)
Replied 29 June 2012

I think Kishore may be right, but for security reasons change your password, your password recovery mail id, and change your security question too.

Nidhi Jain (CS ) (987 Points)
Replied 29 June 2012

Thanks everybody.


Z (         ) (2965 Points)
Replied 29 June 2012

If someone receives a msg from your mail id, that does not prove that your account was compromised.

First you should check whether your account was accessed. You mentioned the mail was received by your colleague around 4 am.

In your Yahoo mail go to Account Info > View your recent login activity.

Check whether the account was accessed around that time.

If you normally log in using the same system or from the same place then the IP range will be very, very similar; if it is something else then your account was probably compromised.

 

If the person who received the mail still has it then ask that person for the headers (enable the full header option to view them). This function is available in almost every such service provider.

It is possible to send mail using someone else's id, and in that case a non-pro would use the help of a third party, and generally the third party will include all the relevant info you need.

 

Example of info in a header (from my mail). I will falsify some info in the header for obvious reasons. It's just a simple overview.

IPs won't be exact unless a static IP is used, and always the same static IP, which generally does not happen; but to solve it the agencies contact the gate from where the info is coming, and there are a lot of procedures.

Compare the header info between the two and see the difference.

You should be able to identify whether this particular technique was used or not.

When received from (AUTHENTIC)

From (site) CAClubindia.com PM Sun Jun 24 20:08:43 2012 (time etc.)
X-Apparently-To: yourid here via 106.10.145.238 (to be received by Yahoo; we access Yahoo,
all info is given to Yahoo and we just use that)
 ; Sun, 24 Jun 2012 12:08:46 +0000
Return-Path: <donotreply@caclubindia.com> (from which id it was sent)

Received-SPF: softfail (transitioning domain of caclubindia.com
does not designate 67.227.132.44 as permitted sender)


We cannot easily understand this text, which contains some more info.
 
X-YMailISG: 5bo9NhwWLDsMvrT0R5W7qhV7OJlpY2hPiYn68H0sUL_8ytmv
mck7qyTbA9EzxtG4WRv5tVH236.q0UhJJODtfoBF3vvIsOL3ciLkHZfOLQaH
TlDqlRRu639wfvnDuoZuu5zr_wCT1rbbf1bWnjuISpfiN4pRoerC2LZAipBP
VgGcSFPMfuac89qp3NnrUTaChuM2g4I7R_Z6AusHEnR70donBihtlU3H_isx
xKvHOXcF8qvTZXPxOwtJmNtck3pM_Cy9247KnEJMFE6Gp.l1J9lELMSW1y53
XsEK0.m2Dr60pwVljPuUNgYMLzMprFvzyjuis4.lEJ8qPsVwytj9.B0gOg6h
NTd1Qpkitda0Ac1vt6aH8neWbtYmNrhnsjAHkVtELTB6qyAiD9Irseu9mlGC
.GvGJ7eF1QhSFi_0kIWMixKwvrgbkxS7kp7_.FwEr2BQaRv6cQY85QW0OmyX
CRKNWkn.KbkOOAaJjiM1a4PB7bAkaDqnkWUgV9tr0GnCZH69IrsJSO8o7IN3
XKKHNwaZFHuGrkiK45LWyawXvcQqI9aE.2zMEFgdBAbpSKTjpkmgv4Ie.w7m
B3cWyAkcI68V9bDpRe_KE5fEukv9lW1r.aRsPyHf8pslL3NMsLMK_bJWxEKg
qemYfvdx1KsIONyk8CmJ9mGSuLrCYZLspevDEnfgYDPRwMZF4kJOEhSBK1i8
0.Ttl3O8T1TYRI6yMMjJO70mjJJvslKk2NS2qao1CrnQDs2lVgoch8zRoOYT
0gppvPHUcELmVH8A8YkqufEnLmNfornWnFv8D69LuFYGuwkCm8gcgPFURqbn
TojryoHCPavrBNZ9kVYbWRWmBlbKKXBY0XhwUOczg7MYYbc1cluxBNxTG4a9
7X0kcdLeTEGITcfcb5FI6IEsf7N41lqi_FzWD8OP_Rnu0hXUusEr..t0PXNN
OYzoYOTUV8uE6fTBqXSkY.RBeZquso1deGe.NlGG93Dxw7lVbQwFW.MXokAG
TxC0lo5U9rGGmN7AcMM6Fg3CSqkXAUVlPM7vfrq7Pxf3acoHacfSNS7MUnpY
poxFAX8VCi9k1LgIQo36cvDnpmgpEzR4U.dPQtBfV5B8x3svHFbbHhbJt607
ZRDdU.wNu0PlNVTolaVPh6cAhHdZOvTjm0FO_qyGYUf4d7nUicb4j.HktS.4
hOLLeKp8LdDOMNXbmRr_W.KEGXGaFd47RLpFksY1J9jCfm9vL4qDtYqPTfOG
ROhRYoD5QN6_YS4E4nkFbIVsGh3zIA2ZegFtU7QIL8QcZbPErAmCI87.vjoT
5zWOlaCCnjjNOgUxXUq3AJ4.WoPbIQvIgZha


X-Originating-IP: [67.227.132.44] (SAME AS THE ADDRESS ABOVE)

CHECK https://www.iplocationfinder.com/67.227.132.44
SEE that it's from CACLUBINDIA's servers, which are in Michigan




Authentication-Results: mta1140.mail.sg3.yahoo.com  from=caclubindia.com;
 domainkeys=neutral (no sig);  from=caclubindia.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO mail.calclubindia.com) 


The hi-hello process of the system. Like when we meet someone we say hello, identify ourselves,
shake hands and then start talking (don't we? At least for the 1st time :XD).
But systems have more manners; they say hello every time they meet someone.

The same process is going on: the system says "EHLO pal, I am caclubindia.com from (67.227.132.44)". Same.
This is the process of identifying each other (not the only process).

  by mta1140.mail.sg3.yahoo.com: this info is required not only for management purposes
  but also many times under some laws,
and if you see the name and cross-check it you can see it's
FROM one of the many servers of Yahoo.

THIS IS EVIDENCE OF YOU RECEIVING THE MAIL THROUGH YAHOO.
HAD IT BEEN SOMETHING ELSE THEN YOU SHOULD WORRY.



 with SMTP;(Protocol used)  Sun, 24 Jun 2012 12:08:46 +0000
Received: from H2CACLUBINDIA ([127.0.0.1]) by calclubindia.com with MailEnable ESMTP;
 Sun, 24 Jun 2012 17:38:43 +0530
Thread-Topic: Whatever the topic was
thread-index: Ac1SAhnG7gzdof7+RGalg2pVapIpKg==
From: "CAClubindia.com PM" 
To: "reg. name" <your id> (reg. name = your name as used by the system)
Subject: Whatever it is
Date: Sun, 24 Jun 2012 17:38:43 +0530
Message-ID: <5AFAE0EE723848DF868920662B8F650F@win.liquidweb.com>
MIME-Version: 1.0 (Multipurpose Internet Mail Extensions) Very popular.
 We need it even more if
the msg we received was not complete, so that we can rebuild whatever info we have.


Content-Type: multipart/alternative;
boundary="----=_NextPart_000_1622_01CD5230.337ED3B0"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
Content-Length: 1904

 

 

In the case of spam mails they either block msgs originating from those IPs or ranges of IPs (even continent-wise),

like Asia is not much welcomed in some countries because of the very high spam rate (mainly because of CHINDIA),

or send them to the spam folder.

Sending mail using a third party (I used an authentic one and not the naughty ones, you know what I mean)

Header info

From ID YOU WANT TO BE SHOWN (let's say F)  Fri Jun 29 14:01:46 2012
X-Apparently-To: PERSON'S MAIL ID via 106.10.145.239 (IP address of the third party, the site I used)

Fri, 29 Jun 2012 06:02:02 +0000

Earlier the IP was 106.10.145.238 but now it's 106.10.145.239.

A different IP is used, but from the same entity. An entity may own a series of IP addresses.

(In both examples IPv4 has been used because many entities use IPv4 because of its many benefits, even after paying an abnormally high price for it as compared to IPv6, and even before IPv6 (Google is a live example; it bought many IPv4 addresses at huge cost).)

Let's check the address:

https://www.ip-adress.com/whois/yahoo.com


Return-Path: <ID you want to show as YOURS>


Received-SPF: none (domain of yahoo.in does not designate permitted sender hosts)

 


X-YMailISG: 4vtvt_8WLDut3jP.3kY3hembE6J5uT1CMtTSzRruWnPBEQwG
LiF.ed9p0GmIfctv4lbv0ifumNEmjoMiGHlWiqlUNmVeKKrx1uN1L1CtEV1U
XaMZFsZcNzXgmsqNf6wvfaa3sa5kFk26Htm91kGlGClkCzjzkYy5_k.SQihm
kvLATGqN51NiNDpXyIayqCpTfFB_pSbVw5ealAg8GXN7syZOGl3bD4iWiXDL
HfVmi8V62A9FZrO5_e_FO_ZUIxsKxSZJvp4gHEh4tWW6bHQQg9V_WbfPHDyJ
ZS0SlVbqZCVQv681C80Fu.AvPKHkPA8oZlHxxDQJ_cvNbpBj1EGsfPX4ciVY
UkrwuPGQKJUpZ9v3wMmbaLqvUtzh8OSVsRv21uRmhNIFEeZYvFplPNpmMlXK
_WZ8z7ua97cK_if3y0HHcksFilrvd3P5rdG6wxsl_.PvukqcYgfEeaVK29Wf
IHQGRiaRfUYpVlGdBeudvCUpmaenkRZNJl2Sye7O2Rdmhkop9kz1KemAhEBG
76hkWZdc3DavLexn7imIz94m3.4gknNrLLx_msf0L2n5Yd.fuFdG43X.5g7P
e0ibOpxhwAVNjeQmhw0xtCcemtAO.C0dRhLSUQ6OmVvA68oepXM9htUlqgSK
q4SxjBRPs71.thTXWdSOoRpZxoGTpfUWj7A3YPkxzNuxlvI3ca6ECCDdkjD6
0NGq43VJu65ajaMQ50judfhGNpj9IyaWtKhBU8EgKdHcSlJyfT3fGlorzOLK
rpc766r0SNRvROc2HW7cU6qYIG_bl7dCrC9bexZvUu5LzSnXqAoGnWmQppf6
OfHfjUgx_kOq67pUnk40eFMrVgi9r7rJfzzkIfFdixWyoYie4airSBpi9i7b
j6I2yfJ_mYC0fe52WUfdtG_S59piS6NIS1j7M8LoWCqYhMvTKCdzoTKajDQt
SUQL0LLK4oTvEYFhOQqXxKO4IUotjg89wf4J4QKyZNYnTKN6V1F46EPezPjL
TazcTkNqzEuH3.5mtMHyeNUtrTQsIh9tHUMq3k6AwVU_KEA8YC9FQgA2ufEv
YZX9Nw4E5Nim.Q0tXNyxkXzdufaeAnuirWALX_yxgMy13TaSkfPMm9_yJSS6
tNZva9h_Ynsc3gvqbOCgPFMQ_rL2gLdRHHMx1dxnHbwRKaYleC6rDKLF5wNL
_ZyBDfCkVgWb9dSpPiohEwauJeB8pkF4TIYGfFUQmicoC93TAG24kh8Fyz3k
7lyLL.D2Ikp7UQ5MMEGLjrc1ddn8SNTah8lQn4SNdnqq62XZnhLArAXxJJSq
KdeHgUF4lbEeucBo6hQ_ROTr24WcPBB7Og--
X-Originating-IP: [212.143.22.13]


Authentication-Results: mta1102.mail.sg3.yahoo.com  from=yahoo.in; domainkeys=neutral (no sig); 

from=yahoo.in; dkim=neutral (no sig)


Received: from 127.0.0.1  (EHLO smtpgw1.speedbit.com) (212.143.22.13)

SEE now the msg is different. It's not "EHLO I am caclubindia", it's "EHLO I am smtpgw1.speedbit.com".

Let's search SpeedBit and we get that it's probably from FILEFLYER.COM

https://www.speedbit.com/services/


  by mta1102.mail.sg3.yahoo.com with SMTP; Fri, 29 Jun 2012 06:02:02 +0000


Received: from FFWC1 ([81.218.19.11])

Why the new IP?

Let's check this IP first:

https://www.ip-adress.com/ip_tracer/81.218.19.11

from a speedbit server

 

Lets see in totality

Received: from 127.0.0.1  (EHLO smtpgw1.speedbit.com) (212.143.22.13)
  by mta1102.mail.sg3.yahoo.com with SMTP; Fri, 29 Jun 2012 06:02:02 +0000
Received: from FFWC1 ([81.218.19.11]) by smtpgw1.speedbit.com with Microsoft SMTPSVC(6.0.3790.4675);
     Fri, 29 Jun 2012 09:02:01 +0300

 

Yahoo received from speedbit 212.143.22.13

Speedbit received from FFWC1

But why?

Because it's not necessary that the server which is receiving the info should be the one that sends the info on.

Let's check

https://website.informer.com/81.218.19.11

It says the msg of the person sending the msg was received by 81.218.19.11.

The msg was sent from a different gate, 212.143.22.13, to Yahoo.

The msg was received at 106.10.145.239.

That's what happens when we receive a msg indirectly. Bah, it becomes lengthy when you use

CC and BCC and forwards in your mail :(

 

by smtpgw1.speedbit.com with Microsoft SMTPSVC(6.0.3790.4675);
  Fri, 29 Jun 2012 09:02:01 +0300
MIME-Version: 1.0
From: ID WE WANT TO BE SHOWN AS ORIGINATING  (F)
To: RECEIVERS ID
Date: 29 Jun 2012 09:01:46 +0300
Subject: WHATEVER
Content-Type: multipart/alternative;
boundary=--boundary_43_dd535161-8caf-4a62-acfd-c31555eaa140

Return-Path: ID (F)

Message-ID: smtpgw1.speedbit.com> (compare)
X-OriginalArrivalTime: 29 Jun 2012 06:02:01.0001 (UTC) FILETIME=[B3103990:01CD55BC]
Content-Length: 3095

It is also possible to falsify the info in the headers, but that can also be detected, and there are a few other ways to mess with the process, and we counter it and the cycle continues.

If you want you can complain to Yahoo, and if it's found that the account was compromised you may file a complaint.
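Added example (Python; not from the thread above and not Yahoo's or CAClubIndia's code): a script that does mechanically what the post above walks through by hand. It takes a raw header block, walks the Received: lines from the top (the one the recipient's own mail server wrote) downward, pulls out the EHLO name and IP that server actually recorded, and compares that with what the From: line claims, alongside the Received-SPF and DKIM results. The two header samples inside are constructed, modelled on the two examples in the post, so names, IPs and dates are illustrative only; the "registered domain" helper just keeps the last two labels, which is an assumption that does not hold for suffixes like co.in.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample headers, modelled on the two examples quoted in the thread.
# Addresses, hostnames, IPs and dates are illustrative only (assumption: not captured mail).
AUTHENTIC_SAMPLE = """\
Return-Path: <donotreply@caclubindia.com>
Received-SPF: softfail (transitioning domain of caclubindia.com does not designate 67.227.132.44 as permitted sender)
X-Originating-IP: [67.227.132.44]
Authentication-Results: mta1140.mail.sg3.yahoo.com  from=caclubindia.com;
 domainkeys=neutral (no sig);  from=caclubindia.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO mail.caclubindia.com) (67.227.132.44)
 by mta1140.mail.sg3.yahoo.com with SMTP; Sun, 24 Jun 2012 12:08:46 +0000
Received: from H2CACLUBINDIA ([127.0.0.1]) by caclubindia.com with MailEnable ESMTP;
 Sun, 24 Jun 2012 17:38:43 +0530
From: "CAClubindia.com PM" <donotreply@caclubindia.com>
Subject: Whatever it is

"""

SPOOFED_SAMPLE = """\
Return-Path: <yourid@yahoo.in>
Received-SPF: none (domain of yahoo.in does not designate permitted sender hosts)
X-Originating-IP: [212.143.22.13]
Authentication-Results: mta1102.mail.sg3.yahoo.com  from=yahoo.in; domainkeys=neutral (no sig);
 from=yahoo.in; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtpgw1.speedbit.com) (212.143.22.13)
 by mta1102.mail.sg3.yahoo.com with SMTP; Fri, 29 Jun 2012 06:02:02 +0000
Received: from FFWC1 ([81.218.19.11]) by smtpgw1.speedbit.com with Microsoft SMTPSVC(6.0.3790.4675);
 Fri, 29 Jun 2012 09:02:01 +0300
From: yourid@yahoo.in
Subject: WHATEVER

"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RECEIVED_RE = re.compile(r"\bfrom\s+(?P<frm>\S+)(?P<info>.*?)\s+by\s+(?P<by>\S+)", re.I)
EHLO_RE = re.compile(r"\((?:EHLO|HELO)\s+([^)\s]+)\)", re.I)


def parse_received(value):
    """One Received: line -> claimed sender, its EHLO name, the first non-loopback IP the
    receiving MTA recorded, and the receiving host. None if the line is not parseable."""
    text = " ".join(value.split())            # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if m is None:
        return None
    sender_part = text[m.start("frm"):m.end("info")]
    ehlo = EHLO_RE.search(sender_part)
    ip = None
    for cand in IP_RE.findall(sender_part):
        try:
            if not ipaddress.ip_address(cand).is_loopback:
                ip = cand
                break
        except ValueError:                     # e.g. 999.1.1.1 matched the regex
            continue
    return {"from": m.group("frm"), "ehlo": ehlo.group(1) if ehlo else None,
            "ip": ip, "by": m.group("by")}


def domain_of(addr):
    """Domain of '<a@b.com>' (lowercased); a bare hostname passes through unchanged."""
    return addr.strip().strip("<>").rsplit("@", 1)[-1].lower()


def registered_part(host):
    """'mail.example.com' -> 'example.com'. Assumption: the last two labels are enough
    for this comparison; suffixes such as co.in would need a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_headers(raw_headers):
    """Extract what the post checks by eye and list the mismatches it looks for."""
    msg = email.message_from_string(raw_headers)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        raise ValueError("no parseable Received: headers")
    last_hop = hops[0]                        # top-most line: written by the recipient's own MTA
    delivering_host = last_hop["ehlo"] or last_hop["from"]
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    spf_words = msg.get("Received-SPF", "").split()
    spf = spf_words[0].lower() if spf_words else "absent"
    dkim_m = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", ""), re.I)
    dkim = dkim_m.group(1).lower() if dkim_m else "absent"
    orig_m = IP_RE.search(msg.get("X-Originating-IP", ""))
    from_matches = registered_part(delivering_host) == registered_part(from_domain)

    findings = []
    if not from_matches:
        findings.append(f"From: claims {from_domain} but {last_hop['by']} received the mail "
                        f"from {delivering_host} ({last_hop['ip']})")
    if from_domain != return_path_domain:
        findings.append(f"Return-Path domain {return_path_domain} != From: domain {from_domain}")
    if spf != "pass":
        findings.append(f"SPF {spf}: {last_hop['ip']} not confirmed as a sender for {return_path_domain}")
    if dkim != "pass":
        findings.append(f"DKIM {dkim}: nothing cryptographically ties the From: line to {from_domain}")
    return {"delivering_host": delivering_host, "delivering_ip": last_hop["ip"],
            "originating_ip": orig_m.group(1) if orig_m else None,
            "from_domain": from_domain, "return_path_domain": return_path_domain,
            "spf": spf, "dkim": dkim, "from_matches_delivering_host": from_matches,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("authentic", AUTHENTIC_SAMPLE), ("spoofed", SPOOFED_SAMPLE)):
        report = analyze_headers(raw)
        print(f"== {label}: handed to recipient by {report['delivering_host']} "
              f"({report['delivering_ip']}), From: {report['from_domain']}")
        for hop in reversed(report["hops"]):   # oldest hop first, the way the mail travelled
            print(f"   {hop['from']} {hop['ip'] or ''} -> {hop['by']}")
        for finding in report["findings"]:
            print("   !", finding)
```

What to take from the output: in the first sample the host that talked to Yahoo's MTA is in the same domain as the From: address; in the second the From: says yahoo.in but the mail was handed over by a speedbit.com gateway, which is exactly the mismatch the post spots by eye. SPF and DKIM are reported too, but as the post's own first sample shows, a genuine sender can still get softfail/neutral there, so for this question the Received chain is the stronger signal. Only the top Received: line can be trusted; the ones below it were written on the sender's side and can be forged, which is why the script bases its verdict on the top line alone.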



