[SOLVED] Help interpret Received: from email header
I have the following Received: line in an email header (sendmail is the email server):
Code:
Received: from [172.16.65.222] ([4.78.219.126])
(authenticated bits=0)
by mail.hprs.local (8.15.2/8.15.2) with ESMTPSA id w48Evhcf016855
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <hotelwifi@ohprs.org>; Tue, 8 May 2018 10:57:44 -0400
The first one, 172.16.65.222, has a huge range: 172.16.0.0 - 172.31.255.255, and is "owned" by Internet Assigned Numbers Authority.
The 2nd address, 4.78.219.126, has an even bigger range: 4.0.0.0 - 4.255.255.255, and is "owned" by Level 3 Parent, LLC.
I was expecting to see an actual provider in here like Time-Warner, or WOW. This email was sent from a conference center. This is the only Received: line in the header. What am I looking at?
Is that the complete "received from" trail? It looks incomplete to me. Both those addresses look as if they are intermediate; neither looks like the origination address.
As an aside, whois is a big help in these sorts of inquiries. Try
Quote:
Originally Posted by frankbell
Is that the complete "received from" trail? It looks incomplete to me. Both those addresses look as if they are intermediate; neither looks like the origination address.
Yes, that is the complete header.
Quote:
As an aside, whois is a big help in these sorts of inquiries.
I did do 'whois' which is where I got those "owned" by names. ohprs.org is me and is the final destination for the message.
Quote:
Originally Posted by TenTenths
And is a private network range NOT a public routable range.
So that line means that somewhere in transit the mail passed through servers on someones private network.
Thanks for the link. I didn't realize 172. was private. So, in this case there is no way of knowing what the public IP of the sending site is, eh? The user sent this message from a conference center or hotel. I would have expected a downstream IP address which is the public one in front of those private ones. As frankbell noted, it's not a very complete Received: line. Is there something I can do on my (server) end to increase verbosity?
Habitual: Thanks for that trace-email site. That is useful and I'll keep it for future use. However, it gives 4.78.219.126 as the source IP, which really tells me nothing. Doing a whois on that IP gives:
Although your (Habitual's) first link doesn't seem to assign anything special to the 4.0.0.0 - 4.255.255.255, this surely isn't an end ISP provider, right? "Direct Allocation" means:
Quote:
Direct Allocation: IP address space allocated directly from ARIN to an organization. The organization may reallocate or reassign that space to downstream customers.
Level 3 is a very large ISP provider. In fact, when visiting level3.com, I see "Level 3 is now Century Link."
Don't know when that happened...but as you hopefully know, Century Link is a long-standing ISP that has also gobbled up a couple of phone companies (like Mountain Bell/US West).
The "organization" to which ARIN has "directly allocated space" is Level 3/Century Link.
FWIW, I find level3 to be very responsive to abuse complaints, if that's the issue here.
OK, well I guess that answers my question. It didn't seem to me that level3 was the actual provider due to it being "very large". I thought that must be some class A regional pipeline, but I guess level3 is the actual ISP provider! I didn't realize a single entity could own an entire Class A subnet.
No, this is not abuse related. Our office has been having occasional problems with employees at conferences getting blocked because the Center's ISP provider doesn't have correct A/PTR records and Sendmail generates "(may be forged)" warnings. If the mail server gets enough of these from a single IP it blocks it. I have created a script whereby conference goers can send a message to a specific local address from the Center and it will temporarily let any message through for that IP. This question resulted from my puzzlement as to what the actual sending IP was in this case. Now I can fix my script!
I suppose I'll just have to consider 4.78.219.126 to be what I'm looking for with this question.
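Added example, not code from this thread or from sendmail itself: a small Python parser for the client part of a sendmail-style Received: line, covering both the header quoted at the top of the thread and the allow-list script described in the post above. sendmail writes that part as `from <HELO name> (<reverse DNS> [<peer IP>] (may be forged))`: the first address, here `[172.16.65.222]`, is whatever the client announced in its EHLO command (a mail program on the venue's LAN announcing its own private address), while the bracketed address inside the parentheses, `[4.78.219.126]`, is the source address sendmail saw on the TCP connection. The reverse-DNS name is omitted when the lookup returned nothing, and `(may be forged)` is appended when the PTR name does not resolve back to the connecting address. The sample header is the one from the original post, re-folded onto continuation lines; the second test header is constructed. RFC 1918 ranges are checked explicitly because `ipaddress.is_private` also flags documentation and other special-use blocks.

```python
import ipaddress
import re

# Constructed sample: the Received: line from the original post, written with
# its folded continuation lines so unfold() has something to do.
SAMPLE_HEADER = (
    "Received: from [172.16.65.222] ([4.78.219.126])\n"
    "\t(authenticated bits=0)\n"
    "\tby mail.hprs.local (8.15.2/8.15.2) with ESMTPSA id w48Evhcf016855\n"
    "\t(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)\n"
    "\tfor <hotelwifi@ohprs.org>; Tue, 8 May 2018 10:57:44 -0400"
)

# sendmail writes the client part of a Received: line as
#     from <HELO/EHLO name> (<reverse DNS> [<TCP peer IP>] [(may be forged)])
# The HELO name is whatever the client chose to send; only the bracketed
# address inside the parentheses is the source address of the TCP connection.
_CLIENT_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<peer>[^\]]+)\]"
    r"(?P<forged>\s+\(may be forged\))?\)"
)

# RFC 1918 ranges, spelled out rather than relying on ipaddress.is_private,
# which also flags documentation (TEST-NET) and other special-use blocks.
_RFC1918 = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def unfold(header):
    """Join RFC 5322 folded continuation lines (newline followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def classify(ip_text):
    """Return 'rfc1918-private', 'special-use' or 'public' for an address string."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in _RFC1918):
        return "rfc1918-private"
    if not ip.is_global:
        return "special-use"
    return "public"


def describe_helo(helo):
    """A HELO argument is either a bracketed address literal or a hostname."""
    literal = helo.strip("[]")
    try:
        return literal, classify(literal)
    except ValueError:
        return helo, "hostname (client-supplied, not verified by the server)"


def parse_received(header):
    """Split the client part of a sendmail Received: line into labelled fields."""
    text = unfold(header)
    m = _CLIENT_RE.match(text)
    if not m:
        raise ValueError("not a sendmail-style Received: line")
    helo, helo_class = describe_helo(m.group("helo"))
    peer = m.group("peer")
    return {
        "helo": helo,
        "helo_class": helo_class,
        "peer_ip": peer,
        "peer_class": classify(peer),
        "reverse_dns": m.group("rdns"),              # None when sendmail found no PTR
        "may_be_forged": m.group("forged") is not None,
        "authenticated": "(authenticated" in text,   # SMTP AUTH succeeded (ESMTPA/ESMTPSA)
    }


def address_to_allow(header):
    """Address a temporary allow-list entry should key on: the TCP peer, never the HELO name."""
    info = parse_received(header)
    if info["peer_class"] != "public":
        raise ValueError("peer %s is %s; refusing to allow-list it"
                         % (info["peer_ip"], info["peer_class"]))
    return info["peer_ip"]


if __name__ == "__main__":
    for key, value in parse_received(SAMPLE_HEADER).items():
        print("%-14s %s" % (key, value))
    print("allow-list:", address_to_allow(SAMPLE_HEADER))
```

For the thread's header this reports the HELO address as RFC 1918 private and the peer 4.78.219.126 as public, so the peer is the value a temporary allow-list entry should use. Keying anything on the HELO name would let a client pick its own entry, since the server never verifies it; the TCP peer address is the only part of that line the remote side cannot choose. The `authenticated` flag (ESMTPSA with `(authenticated bits=0)`) shows the user passed SMTP AUTH, which is independent of the `(may be forged)` reverse-DNS warning.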
I live by this utility and that says Level3 Communications (or L3Comm, or just L3 colloquially) in Dublin, Ohio
There are 1198 IPv4 prefixes announced by AS3356. Examples of prefixes are 4.0.0.0/9 and 4.0.0.0/8. There are 1070 IPv6 prefixes announced by AS3356. Examples of prefixes are 2001:450:2015::/48 and 2001:450:203d::/48.
Habitual/scasey: Who knew! I learned something. Habitual, the mail server in question is in Columbus, Ohio. Dublin is a suburb thereof. Thanks for that utility. I'll make use of it in the future.
Quote:
Originally Posted by mfoley
I have the following Received: line in an email header (sendmail is email server):
Code:
Received: from [172.16.65.222] ([4.78.219.126])
(authenticated bits=0)
by mail.hprs.local (8.15.2/8.15.2) with ESMTPSA id w48Evhcf016855
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <hotelwifi@ohprs.org>; Tue, 8 May 2018 10:57:44 -0400
Soooo.... your Class C IP received an email from a Class A host at 4.78.219.126
I "know" this because
Code:
ipcalc -b <ip>
Quote:
Originally Posted by mfoley
sendmail is the email server
is informational, but not an actionable detail.
My Toaster could be a "sendmail server"