Forged Sender

nic1027

New Email
Help!

Someone I know who is a frequent email contact of mine had to have forged an email "sent" from me to him. I don't want to get into the specifics of why this person would do this, but I absolutely did not send the email in question; my account was not hacked; and after comparing the header of the email in question to others that I've sent, it looks like nothing I've ever seen. Also, there are no other suspicious emails in my account, not even spam messages.

Please note - the email header in question DOES contain my IP address - which I found to be completely trackable, all the way down to the name of my cable provider and my zip code.

Would someone be willing to look at the header and try and help me determine at least that I DID NOT send this email?

If so, please let me know and I will gladly post it.

Kind Regards,

Cathleen
 

EQ Admin

EQ Forum Admin
Staff member
Hi Cathleen,

Sure, no problem. Please feel free to post the full email headers from both an email you sent and from an email that you suspect was forged.

Welcome to Email Questions!
 

nic1027

New Email
Hi,

Thank you for responding! First I will post a normal header from an email I sent to the same person. I deleted the content of the message - only included the header:

MIME-Version: 1.0
Received: by 10.216.181.21 with HTTP; Thu, 18 Nov 2010 11:07:47 -0800 (PST)
Date: Thu, 18 Nov 2010 14:07:47 -0500
Delivered-To: cathleencouch@gmail.com
Message-ID: <AANLkTi=mW+FmApArijF+gv2U0ZKzJh8=6j9Mq4hhtTb+@mail.gmail.com>
Subject: Professional Misconduct
From: Cathleen Couch <cathleencouch@gmail.com>
To: Ben Berlin <Ben@benberlinlaw.com>
Content-Type: multipart/alternative; boundary=0016e6dbdf5b68bf4004955881cb

--0016e6dbdf5b68bf4004955881cb
Content-Type: text/plain; charset=ISO-8859-1

Next I will post the header from the suspicious email - please note that I suspect the "recipient" to be the actual sender and also note that the IP address and system info following the "Received From" line is actually MY information! When every other single email I've ever sent says "received by" and contains the recipient's info? Also, after going through over a hundred emails I've sent, not one header starts with "return path" and has my gmail address. OK, header of suspicious email is below: Thanks!

Return-Path: <cathleencouch@gmail.com>
Received: from acere817fae0d8 (cpe-68-173-51-63.nyc.res.rr.com [68.173.51.63])
    by mx.google.com with ESMTPS id x9sm2790213qco.46.2010.11.06.12.19.43
    (version=TLSv1/SSLv3 cipher=RC4-MD5);
    Sat, 06 Nov 2010 12:19:44 -0700 (PDT)
From: "Cathleen Couch" <cathleencouch@gmail.com>
To: "'Ben Berlin'" <Ben@benberlinlaw.com>
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAAFFFcrdFMBhGlQtn16qx2xLCgAAAEAAAAFtPf9LHBhpFiaQ5b+ZMvVIBAAAAAA==@benberlinlaw.com>
Subject: Not read: Couch Morfit visitation - Tomorrow and going forward.
Date: Sat, 6 Nov 2010 15:19:35 -0400
Message-ID: <000a01cb7de7$8edac350$ac9049f0$@com>
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type=disposition-notification;
    boundary="----=_NextPart_000_000B_01CB7DC6.07C92350"
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Office Outlook 12.0
Importance: High
Thread-Index: ActZ+E0w35Xi7LTrQZujZT5rsQ89eQj7z1/k

This is a multipart message in MIME format.

------=_NextPart_000_000B_01CB7DC6.07C92350
Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_000C_01CB7DC6.07C92350"


------=_NextPart_001_000C_01CB7DC6.07C92350
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Your message

To: 'Maria Coffinas'; 'tonydefender'
Subject: Couch Morfit visitation - Tomorrow and going forward.
Sent: 9/21/2010 9:48 PM

was deleted on 11/6/2010 3:19 PM.
 

EQ Admin

EQ Forum Admin
Staff member
Received: from acere817fae0d8 (cpe-68-173-51-63.nyc.res.rr.com [68.173.51.63])
    by mx.google.com with ESMTPS id x9sm2790213qco.46.2010.11.06.12.19.43
    (version=TLSv1/SSLv3 cipher=RC4-MD5);
    Sat, 06 Nov 2010 12:19:44 -0700 (PDT)
From: "Cathleen Couch" <cathleencouch@gmail.com>
To: "'Ben Berlin'" <Ben@benberlinlaw.com>
What is the source of the email headers?

The headers say that an email was received by Gmail from your IP address.

It is very odd that your Time Warner connection would be used to send an email directly to Gmail.

I would expect you to be sending an email through the Road Runner SMTP relays such as smtp-server.nyc.rr.com.

What is your SMTP server setting? Do you use Gmail or Time Warner for sending email?

Also, their domain does not appear to be hosted by anything related to Google, but hosted by Network Solutions:

;; ANSWER SECTION:
benberlinlaw.com. 7200 IN MX 10 inbound.benberlinlaw.com.netsolmail.net.

;; ANSWER SECTION:
7.149.178.205.in-addr.arpa. 36000 IN PTR mail.networksolutionsemail.com.

I agree that something does not seem right here.

Remember, you can only trust the email headers created by a mail server that you control.
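
Added example (not part of the original thread or any poster's code): a Python sketch that extracts the fields being compared in the two posted Received headers and measures the gap between each message's Date and the time the receiving server stamped it. The sample strings are trimmed copies of the headers posted above with line folding restored; the dictionary keys (helo, rdns, ip, skew_seconds) are labels chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Trimmed copies of the two headers posted in the thread (folding restored).
WEBMAIL = """\
Received: by 10.216.181.21 with HTTP; Thu, 18 Nov 2010 11:07:47 -0800 (PST)
Date: Thu, 18 Nov 2010 14:07:47 -0500

"""
DISPUTED = """\
Received: from acere817fae0d8 (cpe-68-173-51-63.nyc.res.rr.com [68.173.51.63])
 by mx.google.com with ESMTPS id x9sm2790213qco.46.2010.11.06.12.19.43
 (version=TLSv1/SSLv3 cipher=RC4-MD5);
 Sat, 06 Nov 2010 12:19:44 -0700 (PDT)
Date: Sat, 6 Nov 2010 15:19:35 -0400
X-Mailer: Microsoft Office Outlook 12.0

"""

FROM_RE = re.compile(r"from (\S+) \((\S+) \[([0-9.]+)\]\)")

def summarize(raw):
    """Return the fields of the topmost Received header plus the Date skew."""
    msg = message_from_string(raw)
    hop = " ".join(msg.get_all("Received")[0].split())  # unfold to one line
    clauses, stamp = hop.rsplit(";", 1)                 # timestamp follows the last ';'
    frm = FROM_RE.search(clauses)
    by = re.search(r"\bby (\S+)", clauses)
    proto = re.search(r"\bwith ([A-Za-z]+)", clauses)
    received = parsedate_to_datetime(stamp.strip())     # trailing "(PST)" comment is ignored
    composed = parsedate_to_datetime(msg["Date"])
    return {
        "helo": frm.group(1) if frm else None,  # name the sending client announced
        "rdns": frm.group(2) if frm else None,  # reverse DNS recorded by the receiver
        "ip": frm.group(3) if frm else None,    # peer address recorded by the receiver
        "by": by.group(1) if by else None,      # host that wrote this Received line
        "with": proto.group(1) if proto else None,
        "skew_seconds": (received - composed).total_seconds(),
        "mailer": msg["X-Mailer"],              # None when the header is absent
    }

if __name__ == "__main__":
    for name, raw in (("webmail", WEBMAIL), ("disputed", DISPUTED)):
        print(name, summarize(raw))
```

The first header has no from clause and was accepted "with HTTP", while the second records an SMTP client connection to mx.google.com from 68.173.51.63 stamped 9 seconds after the Date value. The receiving server writes the reverse-DNS name and IP from what it observed; the first name after "from" is whatever the client announced.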
 