View Full Version : ip address from email


Mortox
06-23-02, 02:54 PM
I have 2 emails from the same sender and am trying to figure out if they were both sent from the same computer/IP. I have Outlook Express; I can't seem to find it. Thanks.

Avatar
06-23-02, 03:31 PM
Click on Properties, then Details (mail).


Return-Path: <Online#3.18074.60-eG1AgRb3hhwR0dRR.1.b@newsletter.online.com>
Received: from tom.inbox.lv ([unix socket]) (authenticated user=Online#3.18074.60-eG1AgRb3hhwR0dRR.1.b@newsletter.online.com bits=0)
by tom.inbox.lv (Cyrus v2.1.0pre) with LMTP; Thu, 20 Jun 2002 16:59:47 +0300
X-Sieve: CMU Sieve 2.0
Received: (from root@localhost)
by tom.inbox.lv (8.11.2/8.11.2) id g5KDxj231716
for calssified@zzz.zz.AVP; Thu, 20 Jun 2002 16:59:45 +0300
Received: from abv-sfo1-ac-agent5 (64.124.237.240) by ABV-SFO1-ACMTA6.CNET.COM (PowerMTA(TM) v1.5); Thu, 20 Jun 2002 07:20:37 -0700 (envelope-from <Online#3.18074.60-eG1AgRb3hhwR0dRR.1.b@newsletter.online.com>)
Message-ID: <4841559.1024582714544.JavaMail.root@abv-sfo1-ac-agent5>
Date: Thu, 20 Jun 2002 07:18:34 -0700 (PDT)
From: "IT News at TechRepublic.com" <Online#3.18074.60-eG1AgRb3hhwR0dRR.1@newsletter.online.com>
To: calssified@zzz.zz
Subject: [TechRepublic] Top DRAM makers questioned in U.S. antitrust case
Mime-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailer: Accucast (http://www.accucast.com)
X-Mailer-Version: 2.8.4-2

Mortox
06-23-02, 05:46 PM
OK, these are them?

1st ([64.12.136.161]) 2nd ([64.12.136.163])
If so, were they not sent by the same computer?


1st


Return-Path:
Received: from imo-m06.mx.aol.com ([64.12.136.161])
by mtiwgwc28.worldnet.att.net
(InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
id <20020623040712.WBSN7515.mtiwgwc28.worldnet.att.net@imo-m06.mx.aol.com>
for <>; Sun, 23 Jun 2002 04:07:12 +0000
Received: from
by imo-m06.mx.aol.com (mail_out_v32.21.) id 2.18a.99fd808 (3733)
for Sun, 23 Jun 2002 00:06:57 -0400 (EDT)
From:
Message-ID: <18a.99fd808.2a46a361@wmconnect.com>
Date: Sun, 23 Jun 2002 00:06:57 EDT
Subject:
To:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="part1_18a.99fd808.2a46a361_boundary"
X-Mailer: WalMart 6.0 for Windows US sub 12



2nd

Return-Path:
Received: from imo-m08.mx.aol.com ([64.12.136.163])
by mtiwgwc22.worldnet.att.net
(InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
id <20020623142009.YMCP20527.mtiwgwc22.worldnet.att.net@imo-m08.mx.aol.com>
for ; Sun, 23 Jun 2002 14:20:09 +0000
Received:
by imo-m08.mx.aol.com (mail_out_v32.21.) id 2.fe.19bf7ebc (14377)
for <>; Sun, 23 Jun 2002 10:20:05 -0400 (EDT)
From:
Message-ID: <fe.19bf7ebc.2a473314@wmconnect.com>
Date: Sun, 23 Jun 2002 10:20:04 EDT
Subject:
To:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="part1_fe.19bf7ebc.2a473314_boundary"
X-Mailer: WalMart 6.0 for Windows US sub 12




I don't see the IP, do you?

Avatar
06-23-02, 05:58 PM
Here's the info about the first IP:
Name: imo-m06.mx.aol.com
IP Address: 64.12.136.161
Location: 39.017N, 77.417W
Network: America Online, Inc.
Registrant:
America Online, Inc.
22000 AOL Way
Dulles, VA 20166
US

Created on..............: Jun 22 1995 12:00AM
Expires on..............: Nov 23 2002 7:02AM
Record Last Updated on..: Jun 17 2002 2:38PM
Registrar...............: America Online, Inc.
http://whois.registrar.aol.com/whois/

Administrative, Technical Contact:
AOL Domain Administration (America Online, Inc.)
22000 AOL Way
Dulles, VA 20166
US
Tel. 703 265 4670
Email: domains@aol.net

Domain servers:
DNS-01.NS.AOL.COM
152.163.159.232
DNS-02.NS.AOL.COM
205.188.157.232
DNS-06.NS.AOL.COM
149.174.211.8
DNS-07.NS.AOL.COM
64.12.51.132

And here is the other:

Name: imo-m08.mx.aol.com
IP Address: 64.12.136.163
Location: 39.017N, 77.417W
Network: America Online, Inc.

Registrant:
America Online, Inc.
22000 AOL Way
Dulles, VA 20166
US

Created on..............: Jun 22 1995 12:00AM
Expires on..............: Nov 23 2002 7:02AM
Record Last Updated on..: Jun 17 2002 2:38PM
Registrar...............: America Online, Inc.
http://whois.registrar.aol.com/whois/

Administrative, Technical Contact:
AOL Domain Administration (America Online, Inc.)
22000 AOL Way
Dulles, VA 20166
US
Tel. 703 265 4670
Email: domains@aol.net

Domain servers:
DNS-01.NS.AOL.COM
152.163.159.232
DNS-02.NS.AOL.COM
205.188.157.232
DNS-06.NS.AOL.COM
149.174.211.8
DNS-07.NS.AOL.COM
64.12.51.132

I don't know about the AOL structure (because I live on the other part of the globe), but I think that it could be one AOL user... although I strongly suggest that you wait till someone that has more knowledge about AOL replies. I don't know if AOL changes IPs or not on log-on. And even if it does, these IPs are suspiciously alike (that suggests a close time interval of being relogged-on).

Sorry, I really don't know anything about AOL other than that it really sucks. ;)

Mortox
06-23-02, 06:22 PM
So if they do change your IP when you relog, then there's no way to tell if they are sending mail from different computers/locations?

Avatar
06-23-02, 06:28 PM
Unfortunately, yes, but because those IPs are so alike, there is a chance that they are one and the same user, but that chance is about some 5% or less I think. The smaller the time interval between them, the greater the probability. I don't really know about AOL. :o

Avatar
06-23-02, 06:30 PM
However, if something illegal or criminal was present in those emails or you have any other good reason to know the real person behind the IPs, e-mail AOL and ask them, giving the time these IPs were used. They keep log files for 3 months.

That way you can surely track the user right to his name and home address.

Stryder
06-23-02, 06:40 PM
There are a bunch of points here though:

AOL uses DYNAMICALLY assigned IPs, so logging in would change your IP. AOL would have a record of the users logging in from those IPs and does keep them for some months afterwards.

It's possible to send messages through the AOL messenger in a mail format, especially with some dodgy program from some odd warez distribution. It's possible that a messenger (or hack/clone) could send a message that goes through "Both" IP addresses.

(Namely the same mail could be sent to two servers etc)

With this messenger system though, it's possible to Spam through a network of machines.

I go with the disconnection and reconnection. Perhaps it disconnected and the user thought he hadn't sent what s/he was trying to send, so reconnected and sent again.

thed
07-03-02, 08:36 AM
The IP addresses and names above, imo-m0n.mx.aol.com, are the <u>mail servers</u> the mail came from. The user will not have control over which server they go through, and they likely exist in another network altogether. If you have access to the nslookup tool you can see that imo-m0n.mx.aol.com, for n 1->9, is in the 64.12.136.0 network, registered to AOHell.

In DNS (name server) speak, an MX record is used to designate a domain's mail servers. Note the above subdomain of the servers.

Using nslookup we can search for the registered MX servers for AOL.COM and find,

nslookup
> set q=mx
> aol.com
Server: *******
Address: *******

Non-authoritative answer:
aol.com preference = 15, mail exchanger = mailin-01.mx.aol.com
aol.com preference = 15, mail exchanger = mailin-02.mx.aol.com
aol.com preference = 15, mail exchanger = mailin-03.mx.aol.com
aol.com preference = 15, mail exchanger = mailin-04.mx.aol.com

Authoritative answers can be found from:
aol.com nameserver = dns-01.ns.aol.com
aol.com nameserver = dns-02.ns.aol.com
aol.com nameserver = dns-06.ns.aol.com
aol.com nameserver = dns-07.ns.aol.com
dns-01.ns.aol.com inet address = 152.163.159.232
dns-02.ns.aol.com inet address = 205.188.157.232
dns-06.ns.aol.com inet address = 149.174.211.8
dns-07.ns.aol.com inet address = 64.12.51.132

> set q=a
> mailin-01.mx.aol.com
Server: ********
Address: ********

Non-authoritative answer:
Name: mailin-01.mx.aol.com
Addresses: 205.188.156.122, 64.12.136.57, 64.12.137.89, 64.12.137.184
152.163.224.26

It looks like AOL have external mail servers (mailin-0n.mx.aol.com) that forward to internal servers (imo-m0n.mx.aol.com) and vice versa. AOL uses its own mail subsystem, so these internal ones are likely gateways.

In short, the mail probably came from the same user.

Mortox
07-03-02, 12:18 PM
In short, the mail probably came from the same user.

But were the emails sent from the same computer both times? That's what I need to know, thanks!

Avatar
07-03-02, 12:48 PM
Look at the time interval.

If it is some 5 minutes between each mail, then the computer could be in the same room.

20 minutes: from an internet cafe across the street.

30 sec: the same computer or a computer next to it.


Are you going to tell us why you need to know that?
Me and Stryder are quite curious.

Stryder
07-03-02, 01:18 PM
Mortox,

If you look at your e-mail info again you will see:
Message-ID: <18a.99fd808.2a46a361@wmconnect.com>
for one of them and the other has been left Blank.

Message-ID: <18a.99fd808.2a46a361@wmconnect.com>
In this case has revealed a SERVER NAME, www.wmconnect.com; if the e-mail had come from a person's computer then the likelihood is that the ending would have been a computer name.

A followup has revealed that the www.wmconnect.com happens to be a portal to compuserve (which is being changed fully now to AOL). On the site is a Online WAL-MART e-mail page, apparently if you have a WAL-MART Connect Screen name, you can send mail from this location through the AOL mailing subsystem.

Looking at:
X-Mailer: WalMart 6.0 for Windows US sub 12

This occurs in both of them. X-Mailer is information on the program you use to send an e-mail, in this case WalMart 6.0 (which I gather comes from a CD and dialup courtesy of Walmart).

Looking at the times that the mail was sent, although I can see there is almost 6 hours between them, you can note that both are EST (namely the -0400 and +0000 are the same on each, meaning the timezones are the same).

I would say in all likelihood it's the same user, sending a mail through the WalMart dialup package.

thed
07-04-02, 03:09 AM
Originally posted by Mortox


but were the emails sent from the same computer both times? thats what i need to know thx!

You can't tell, as the sending client details are not in the headers. I for one find it strange that one mail has a message ID and the other is missing. Removing the message ID and return paths is a standard spammer's trick to make it difficult to trace the mail back to the sender.

Like Avatar says, it would be useful to know why you need to know if these originated at the same computer. If I was you, send an e-mail to abuse@aol.com or root@aol.com with the full contents of the mail. Explain to them what the problem is, what you are concerned about. AOL should have logs of who sent what, where and when. They can then take action against whomever.
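The header reading that thed, Stryder and Avatar do by hand above (walk the Received chain from the receiving side back toward the sender, note that the first IP you reach is AOL's imo-m0n relay rather than the sender's computer, then compare Message-ID domain, X-Mailer and timestamps) as an added Python example that is not part of any post in this thread. The sample input is the two header blocks Mortox quoted, re-folded with leading spaces on continuation lines and with his blanks left blank; the 64.12.136.0/24 prefix for the AOL relays is an assumption taken from thed's nslookup remark, and all function names are the example's own.

```python
"""Walk the Received chain of two messages and compare what the headers
actually reveal about the sender. Added example, not code from the thread."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

# Constructed sample input: the two header blocks quoted in the thread, with
# the poster's redactions left blank and continuation lines re-indented so a
# standards-compliant parser folds them correctly.
MAIL_1 = """\
Received: from imo-m06.mx.aol.com ([64.12.136.161])
 by mtiwgwc28.worldnet.att.net
 (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
 id <20020623040712.WBSN7515.mtiwgwc28.worldnet.att.net@imo-m06.mx.aol.com>
 for <>; Sun, 23 Jun 2002 04:07:12 +0000
Received: from
 by imo-m06.mx.aol.com (mail_out_v32.21.) id 2.18a.99fd808 (3733)
 for Sun, 23 Jun 2002 00:06:57 -0400 (EDT)
Message-ID: <18a.99fd808.2a46a361@wmconnect.com>
Date: Sun, 23 Jun 2002 00:06:57 EDT
MIME-Version: 1.0
X-Mailer: WalMart 6.0 for Windows US sub 12

"""
MAIL_2 = """\
Received: from imo-m08.mx.aol.com ([64.12.136.163])
 by mtiwgwc22.worldnet.att.net
 (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
 id <20020623142009.YMCP20527.mtiwgwc22.worldnet.att.net@imo-m08.mx.aol.com>
 for ; Sun, 23 Jun 2002 14:20:09 +0000
Received:
 by imo-m08.mx.aol.com (mail_out_v32.21.) id 2.fe.19bf7ebc (14377)
 for <>; Sun, 23 Jun 2002 10:20:05 -0400 (EDT)
Message-ID: <fe.19bf7ebc.2a473314@wmconnect.com>
Date: Sun, 23 Jun 2002 10:20:04 EDT
MIME-Version: 1.0
X-Mailer: WalMart 6.0 for Windows US sub 12

"""

# Assumption: AOL's imo-m0n relays live in 64.12.136.0/24 (thed's nslookup note).
AOL_MX_NET = ip_network("64.12.136.0/24")

# "from <host> ... by <host>"; the from-host is optional because the poster
# blanked it, and a bare "by" right after "from" must not be taken as a host.
HOP_RE = re.compile(r"(?:from\s+(?P<from>(?!by\b)\S+)?)?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def received_hops(raw):
    """Received hops in transit order (oldest, i.e. closest to sender, first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold and squeeze whitespace
        m = HOP_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(text[: m.start("by")])  # only the from-clause carries the peer IP
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops


def connecting_ip(raw, trusted=()):
    """Walk from the receiving side toward the sender and return the first IP
    outside the receiver's own trusted networks: the host that handed the mail
    over, which is a relay unless the chain is only one hop long."""
    nets = [ip_network(n) for n in trusted]
    for hop in reversed(received_hops(raw)):
        if hop["ip"] and not any(ip_address(hop["ip"]) in n for n in nets):
            return hop["ip"]
    return None


def client_ip_present(raw):
    """True only if the hop closest to the sender recorded a client IP."""
    hops = received_hops(raw)
    return bool(hops) and hops[0]["ip"] is not None


def msgid_domain(raw):
    mid = message_from_string(raw).get("Message-ID", "").strip("<> ")
    return mid.rpartition("@")[2] or None


def compare(raw_a, raw_b, relay_net=AOL_MX_NET):
    """Summarise what the two header sets do and do not have in common."""
    a, b = message_from_string(raw_a), message_from_string(raw_b)
    ip_a, ip_b = connecting_ip(raw_a), connecting_ip(raw_b)
    delta = parsedate_to_datetime(b["Date"]) - parsedate_to_datetime(a["Date"])
    return {
        "connecting_ips": (ip_a, ip_b),
        "both_via_aol_mx": all(ip and ip_address(ip) in relay_net for ip in (ip_a, ip_b)),
        "client_ip_in_headers": client_ip_present(raw_a) or client_ip_present(raw_b),
        "same_msgid_domain": msgid_domain(raw_a) == msgid_domain(raw_b),
        "same_mailer": a.get("X-Mailer") == b.get("X-Mailer"),
        "seconds_apart": int(abs(delta.total_seconds())),
    }


if __name__ == "__main__":
    for key, val in compare(MAIL_1, MAIL_2).items():
        print(f"{key}: {val}")
```

The useful negative result is `client_ip_in_headers`: the hop nearest the sender ("by imo-m0n.mx.aol.com") carries no peer address, so the dialup IP never reached the headers and nothing downstream can recover it; only AOL's own logs for those relay timestamps can. Passing `trusted=["64.12.136.0/24"]` to `connecting_ip` shows the same thing from the other direction: once the relay network is excluded, no IP is left.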