Where did this e-mail originate ?

DaveO

Hi All

Busy having a dispute with a supplier who says that he sent an e-mail to me from a wireless connection.

Below is a copy of the Message Source ( real names have been substituted with 'supplier' and 'client' ).

Is there any way to tell if this was sent from a dial-up or wireless connection ?

Thanks in advance for any info, DaveO


Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from postwall01.mweb.co.za (postwall01.mweb.co.za [196.2.42.21])
by mailhost09.mweb.co.za (Postfix) with ESMTP id B4D38728E25
for <[email protected]>; Sun, 24 Jul 2005 16:17:03 +0200 (SAST)
Received: from spamwall11.mweb.co.za (viruswall02.mweb.co.za [196.2.50.228])
by pwfilter01.mweb.co.za (Postfix) with ESMTP id 637FC4C06E;
Sun, 24 Jul 2005 16:17:04 +0200 (SAST)
Received: from spamwall11.mweb.co.za (spamwall11.mweb.co.za [196.2.50.205])
by viruswall02.mweb.co.za (nod32smtp); Sun, 24 Jul 2005 16:17:09 +0200
Received: from postwall07.mweb.co.za ([196.2.42.27])
by spamwall11.mweb.co.za (spamwall11.mweb.co.za [196.2.50.205]) (amavisd-new, port 10024)
with LMTP id 16837-03-79; Sun, 24 Jul 2005 16:17:06 +0200 (SAST)
Received: from urchin.mweb.co.za (urchin.mweb.co.za [196.2.24.26])
by postwall07.mweb.co.za (Postfix) with ESMTP id 0A87C3FB7D
for <[email protected]>; Sun, 24 Jul 2005 16:17:05 +0200 (SAST)
Received: from urchin.mweb.co.za (localhost.localdomain [127.0.0.1])
by pwfilter01.mweb.co.za (Postfix) with ESMTP id 6020CFCF5;
Sun, 24 Jul 2005 16:16:47 +0200 (SAST)
Received: from urchin.mweb.co.za (localhost.localdomain [127.0.0.1])
by urchin.mweb.co.za (nod32smtp); Sun, 24 Jul 2005 16:16:47 +0200
Received: from Supplier (c5-411-1.vic.dial.mweb.co.za [196.23.237.157])
by urchin.mweb.co.za (Postfix) with SMTP id 55E90EDD6;
Sun, 24 Jul 2005 16:16:03 +0200 (SAST)
Message-ID: <001301c5905a$440f58c0$9ded17c4@supplier>
From: "The Supplier" <[email protected]>
To: <[email protected]>
Subject: Supplier letters
Date: Sun, 24 Jul 2005 16:15:21 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000D_01C5906A.E43BE1F0"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

<<< rest of message deleted >>>
 
The only bit that's important is the initial connection in the "log":
Received: from Supplier (c5-411-1.vic.dial.mweb.co.za [196.23.237.157])
by urchin.mweb.co.za (Postfix) with SMTP id 55E90EDD6;
Sun, 24 Jul 2005 16:16:03 +0200 (SAST)
This shows the email was received by the mweb mail server from an IP address 196.23.237.157 with the reverse DNS c5-411-1.vic.dial.mweb.co.za

Now I DO NOT WORK AT MWEB, so this is just an educated guess, but vic.dial.mweb.co.za does remind me of the Victory Park Mweb dialup infrastructure. So I would guess dialup. The only ones that could say for sure are Mweb. Using that IP address and their radius logs they could say for sure
a) What connection was used
b) If dialup, most likely the phone number dialed up from
c) Username used (which would link to the account)

Interestingly enough, that is an IS IP (http://www.afrinic.net/cgi-bin/whois?searchtext=TF-196-36-0-0-196-39-127-255-MNT&form_type=simple) which means Mweb is now running dialups on the IS backbone (one of the major parts of their move away from UUNet done).

Anyway, the best you can do is get hold of Mweb and speak to them. Doubt you will get far without a court order though, but you never know.
 
Using my trusty 56k modem I can verify that *.vic.dialup.mweb.co.za addresses are given to dialup users. I don't know of mweb having any "wireless" services other than the sentech stuff they're supposedly reselling, which would have a sentech domain.
 
The dial part in that reverse DNS confirms dial-up... unless the DHCP is handing out addresses wrongly. Normally M-Web dial-up users have that dial part in their DNS.
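
The replies above all read the same thing off the headers: the bottom-most Received line written by the ISP's own server. As an added example (not code from any poster in this thread), this sketch walks the chain from the newest hop down and stops at the first hop not recorded by a trusted server, since anything below that point is supplied by the sender. The function name and the `trusted_suffix` parameter are assumptions of the example; the sample is a trimmed copy of the headers posted above.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Trimmed copy of the headers posted above (3 of 8 hops; redacted "for" clause dropped).
SAMPLE = """\
Received: from postwall01.mweb.co.za (postwall01.mweb.co.za [196.2.42.21])
\tby mailhost09.mweb.co.za (Postfix) with ESMTP id B4D38728E25;
\tSun, 24 Jul 2005 16:17:03 +0200 (SAST)
Received: from urchin.mweb.co.za (localhost.localdomain [127.0.0.1])
\tby urchin.mweb.co.za (nod32smtp); Sun, 24 Jul 2005 16:16:47 +0200
Received: from Supplier (c5-411-1.vic.dial.mweb.co.za [196.23.237.157])
\tby urchin.mweb.co.za (Postfix) with SMTP id 55E90EDD6;
\tSun, 24 Jul 2005 16:16:03 +0200 (SAST)
Subject: Supplier letters

body
"""

# "from <HELO> (<reverse DNS> [<IP>]) by <receiving host>"; reverse DNS is optional.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([^\]]+)\]\)\s+by\s+(\S+)")

def first_external_hop(raw, trusted_suffix):
    """Earliest non-loopback client recorded by a trusted server, or None.

    trusted_suffix is the receiving provider's domain (assumption: the reader
    knows which servers are their own provider's).
    """
    origin = None
    for value in message_from_string(raw).get_all("Received", []):  # newest first
        m = HOP.search(value)
        if not m:
            break  # unparseable hop: stop rather than trust what lies below it
        helo, rdns, ip, by = m.groups()
        by = by.lower()
        if by != trusted_suffix and not by.endswith("." + trusted_suffix):
            break  # written by an unknown host: the sender could have forged it
        if ip_address(ip).is_loopback:
            continue  # internal virus/spam filter pass on the same machine
        labels = (rdns or "").lower().split(".")
        origin = {"helo": helo, "rdns": rdns, "ip": ip, "by": by,
                  "dial_label": "dial" in labels}
    return origin

if __name__ == "__main__":
    print(first_external_hop(SAMPLE, "mweb.co.za"))
```

The `dial_label` flag only reports the naming convention discussed in the thread; as the replies say, the ISP's own records are what settle the connection type.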
 