Vijayalakshmi.K
(ICWA Final )
(324 Points)
Replied 29 June 2012
I think you have not logged of your mail id. that is the main reason for such problem.
Zeeshan Khan
(Account Officer)
(35 Points)
Replied 29 June 2012
Z
( )
(2965 Points)
Replied 29 June 2012
If someone receives a message from your mail id, that does not conclude that your account was compromised.
First you should check whether your account was accessed. You mentioned the mail was received by your colleague around 4 am.
In your Yahoo mail go to Account Info > View your recent login activity.
Check whether the account was accessed around that time.
If you normally log in using the same system or place then the IP range will be very, very similar; if it's some other then your account was probably compromised.
If the person who received the mail still has it then ask that person for the headers (enable the full header option to view). This function is available in almost every such service provider.
It is possible to send mail using someone else's id, and in that case a non-pro would use the help of a third party, and generally the third party will include all the relevant info you need.
Example of info in a header (from my mail). I will falsify some info in the header for obvious reasons. It's just a simple overview.
IPs won't be exact unless static and always the same static IP is used, which generally does not happen, but to solve it agencies contact the gate from where the info is coming, and a lot of procedures.
Compare the header info between the 2 and see the difference.
You should be able to identify whether this particular technique was used or not.
When received from (AUTHENTIC)
From: (site) CAClubindia.com PM Sun Jun 24 20:08:43 2012 (time etc.)
X-Apparently-To: yourid here via 106.10.145.238 (to be received by Yahoo); Sun, 24 Jun 2012 12:08:46 +0000
(We access Yahoo, all info is given to Yahoo and we just use that.)
Return-Path: <donotreply @ caclubindia.com> (from which id it was sent)
Received-SPF: softfail (transitioning domain of caclubindia.com does not designate 67.227.132.44 as permitted sender)
(We can not easily understand this text, which contains some more info.)
X-YMailISG: (long opaque value omitted)
X-Originating-IP: [67.227.132.44] (SAME AS ABOVE ADDRESS) CHECK https://www.iplocationfinder.com/67.227.132.44 SEE IT'S FROM CACLUBINDIA SERVERS, which is in Michigan
Authentication-Results: mta1140.mail.sg3.yahoo.com from=caclubindia.com; domainkeys=neutral (no sig); from=caclubindia.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO mail.calclubindia.com) by mta1140.mail.sg3.yahoo.com with SMTP; Sun, 24 Jun 2012 12:08:46 +0000
(Hi-hello process of systems. Like when we meet someone we say hello, identify ourselves, shake hands and then start talking (don't we? At least for the 1st time :XD). But systems have more manners; they say hello every time they meet someone. The same process is going on: the system says "EHLO pal, am caclubindia.com from (67.227.132.44)" (same). This is the process of identifying each other (not the only process) by mta1140.mail.sg3.yahoo.com. This info is required not only for managing purposes but also many times under some laws, and if you see the name and cross-check it you can see it's FROM one of the many servers of Yahoo. THIS IS EVIDENCE OF YOU RECEIVING MAIL THROUGH YAHOO. HAD IT BEEN SOMETHING ELSE THEN YOU SHOULD WORRY. "with SMTP" is the protocol used.)
Received: from H2CACLUBINDIA ([127.0.0.1]) by calclubindia.com with MailEnable ESMTP; Sun, 24 Jun 2012 17:38:43 +0530
Thread-Topic: Whatever the topic was
thread-index: Ac1SAhnG7gzdof7+RGalg2pVapIpKg==
From: "CAClubindia.com PM"
To: "reg. name" <your id> (reg. name > your name used by the system)
Subject: Whatever it is
Date: Sun, 24 Jun 2012 17:38:43 +0530
Message-ID: <5AFAE0EE723848DF868920662B8F650F @ win.liquidweb.com>
MIME-Version: 1.0 (Multipurpose Internet Mail Extensions; very popular. We need it even more if the message we received was not complete, so that we can rebuild whatever info we have.)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_1622_01CD5230.337ED3B0"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
Content-Length: 1904
In case of spam mails they either block messages originating from those IPs / range of IPs (even continent-wise)
Like Asia is not much welcomed in some countries because of the very high spam rate (mainly 'cause of CHINDIA)
or send them to spam mail.
Sending mail using a third party (I used an authentic one and not the naughty ones, you know what I mean)
Header info
From: ID YOU WANT TO BE SHOWN (Let's say F) Fri Jun 29 14:01:46 2012
X-Apparently-To: PERSONS MAIL ID via 106.10.145.239 (IP address of the Third party the site I used)
Fri, 29 Jun 2012 06:02:02 +0000
Earlier the IP was 106.10.145.238 but now it's 106.10.145.239
Different IP used but from the same entity. An entity may own a series of IP addresses.
(In both the examples IPv4 has been used because many entities use IPv4 'cause of many benefits, even after paying an abnormally high price for it as compared to IPv6 and even before IPv6 (Google is a live example; it bought many IPv4 addresses at huge cost).)
Let's check the address
https://www.ip-adress.com/whois/yahoo.com
Return-Path: <ID you want to show as YOURS>
Received-SPF: none (domain of yahoo.in does not designate permitted sender hosts)
X-YMailISG: (long opaque value omitted)
X-Originating-IP: [212.143.22.13]
Authentication-Results: mta1102.mail.sg3.yahoo.com from=yahoo.in; domainkeys=neutral (no sig);
from=yahoo.in; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO smtpgw1.speedbit.com) (212.143.22.13)
SEE now the message is different. It's not "EHLO am caclubindia", it's "EHLO am smtpgw1.speedbit.com".
Let's search SpeedBit and we get it's probably from FILEFLYER.COM
https://www.speedbit.com/services/
by mta1102.mail.sg3.yahoo.com with SMTP; Fri, 29 Jun 2012 06:02:02 +0000
Received: from FFWC1 ([81.218.19.11])
Why the new IP?
Let's check this IP first
https://www.ip-adress.com/ip_tracer/81.218.19.11
from speedbit server
Let's see in totality
Received: from 127.0.0.1 (EHLO smtpgw1.speedbit.com) (212.143.22.13)
by mta1102.mail.sg3.yahoo.com with SMTP; Fri, 29 Jun 2012 06:02:02 +0000
Received: from FFWC1 ([81.218.19.11]) by smtpgw1.speedbit.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 29 Jun 2012 09:02:01 +0300
Yahoo received from speedbit 212.143.22.13
Speedbit received from FFWC1
But why?
Because it's not necessary that the server which is receiving the info should send the info.
Let's check
https://website.informer.com/81.218.19.11
It says the message of the person sending the message was received by 81.218.19.11
The message was sent from a different gate 212.143.22.13 to Yahoo
Message received at 106.10.145.239
That's what happens when we receive a message indirectly. Bah, it becomes lengthy when you use CC and BCC and forwards in your mail :(
by smtpgw1.speedbit.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 29 Jun 2012 09:02:01 +0300
MIME-Version: 1.0
From: ID WE WANT TO BE SHOWN AS ORIGINATING (F)
To: RECEIVERS ID
Date: 29 Jun 2012 09:01:46 +0300
Subject: WHATEVER
Content-Type: multipart/alternative;
boundary=--boundary_43_dd535161-8caf-4a62-acfd-c31555eaa140
Return-Path: ID (F)
Message-ID:
X-OriginalArrivalTime: 29 Jun 2012 06:02:01.0001 (UTC) FILETIME=[B3103990:01CD55BC]
Content-Length: 3095
It is also possible to falsify the info in headers, but that can also be known, and a few other ways to have fun with the process, and we counter it and the cycle continues.
If you want then you can complain to Yahoo, and if it's found that the account was compromised you may file a complaint.
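As an added example (not from the post or the forum), a Python script that does the comparison described above: it walks the Received chain oldest-first, pulls X-Originating-IP and the SPF verdict, and checks that the IP which handed the message to the recipient's provider matches X-Originating-IP and that its EHLO name belongs to the From: domain. The sample headers are constructed from the values quoted in the post, trimmed to the fields the script uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample built from the header values quoted in the post (trimmed).
SAMPLE_HEADERS = """\
Return-Path: <donotreply@caclubindia.com>
Received-SPF: softfail (transitioning domain of caclubindia.com does not designate 67.227.132.44 as permitted sender)
X-Originating-IP: [67.227.132.44]
Received: from 127.0.0.1 (EHLO mail.calclubindia.com) (67.227.132.44)
  by mta1140.mail.sg3.yahoo.com with SMTP; Sun, 24 Jun 2012 12:08:46 +0000
Received: from H2CACLUBINDIA ([127.0.0.1]) by calclubindia.com with MailEnable ESMTP; Sun, 24 Jun 2012 17:38:43 +0530
From: "CAClubindia.com PM" <donotreply@caclubindia.com>

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(EHLO\s+([^)]+)\))?.*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Received hops in transit order, oldest first: (from, ehlo, public_ip, by)."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if m:
            ips = [ip for ip in IP_RE.findall(hdr) if not ip.startswith("127.")]
            hops.append((m.group(1), m.group(2), ips[0] if ips else None, m.group(3)))
    return hops[::-1]  # each relay prepends its line, so the top one is the newest


def analyse(raw):
    """Cross-check the hop that delivered to the recipient's provider against X-Originating-IP, SPF and From:."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    entry = next((h for h in reversed(hops) if h[2]), None)  # last hop with a public IP
    ehlo = (entry[1] or entry[0]).lower() if entry else ""
    orig = IP_RE.search(msg.get("X-Originating-IP", ""))
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "originating_ip": orig.group(1) if orig else None,
        "entry_ip": entry[2] if entry else None,
        "entry_ehlo": ehlo,
        "spf": (msg.get("Received-SPF") or "none").split()[0].lower(),
        "ip_consistent": bool(orig and entry and orig.group(1) == entry[2]),
        # the quoted EHLO name is mail.calclubindia.com, which is not under caclubindia.com
        "ehlo_matches_from": ehlo == from_dom or ehlo.endswith("." + from_dom),
        "hops": hops,
    }
```

On the sample the IP check passes but SPF is softfail and the EHLO host does not sit under the From: domain, which is exactly the kind of discrepancy the post suggests looking for before assuming the account itself was accessed.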