IP Addresses & All That Stuff

From RWDWiki

Latest revision as of 12:15, 29 April 2013

A discussion occasionally arises in some RWD thread about IP addresses and E-mail Headers, usually when wondering about the possible origin of some dubious letter from an FSUW.

What follows aims at clarifying some basic aspects of the subject.

What's IP?

The IP acronym stands for Internet Protocol. A communications protocol is a set of conventions, rules, etc. governing the exchange of data between network entities, much like a language is - you have to share the same language to make yourself understood by someone else you are communicating with.

The Internet Protocol is the basis upon which all Internet communications occur, be they accessing an Internet website (TCP/IP), sending/receiving mail (SMTP/IP), making an Internet file transfer (FTP/IP), and so on.

An IP address is what uniquely identifies someone/something communicating over the Internet network, and has that weird-looking numerical form (like RWD's 67.222.30.14) that belies the actual antiquity of the Internet, born in the 1960s at the initiative of the US Department of Defense's Advanced Research Projects Agency (DARPA).

Who creates an IP address?

In order to access the Internet, first you have to obtain the services of an Internet Provider, usually through a paid subscription.

In order to operate, your Internet Provider in turn must have previously acquired the authorisation to use a unique set of IP addesses (IP range) from its 'regional' authority, one of the following depending on geographical location:

• AfriNIC (Africa)
• APNIC (Asia Pacific region)
• ARIN (North America, a portion of the Caribbean and sub-Saharan Africa)
• LACNIC (Latin American and Caribbean region)
• RIPE (Europe, the Middle East and parts of Africa and Asia)

The Internet Provider will allocate one IP address from its 'pool' to a user requesting to log on to the Internet on a first-come/first-served basis - i.e. a dynamic IP address, which means that the next time you log on, your IP address will probably be different from the one you are using now - although one always comprised within your Provider's assigned IP range.

Your PC needs this specific bit of numerical information because, in compliance with the IP Protocol, it HAS to be included into ANY packet that it will subsequently send out over the Internet, i.e. in any network activity. Once you log off the Internet and hence from your Provider, the same IP address that identified you may well be assigned to a different user now requesting to log on.

You could access RWD by giving your browser the address http://67.222.30.14. However, this is obviously too cumbersome to contemplate and you will normally use http://www.russianwomendiscussion.com instead. This is possible because your Provider relies on a Domain Name Server (DNS) that stores tables where one entry will read something like:

The DNS allows your Provider to translate the RWD symbolic address that you wrote to its actual, physical IP address - which, incidentally, is a fixed IP address since RWD is its own only client - RWD member activity is managed at a higher, application level by the Forum SW.

All the above implies that the IP address which you can see in the header of an E-mail you received, may only help you identify your correspondent's Internet Provider and its location, NOT that of its specific but temporary user.

Furthermore, many hackers, spammers and some sophisticated scammers mask their identity/location by interposing a Proxy Server (see http://en.wikipedia.org/wiki/Proxy_server) between their PC and their Internet Provider.

Nevertheless, the information contained in a header may yet be of SOME use.

The E-mail Header

Sending/receiving electronic mail via the Internet involves additional participants - the Mail Servers that make electronic mailboxes available. These services may be offered by the Internet Providers themselves or by some independent entity, in which case they do not necessarily reside in the same geographical location - just to mention some examples, the Yahoo Mail and Google Mail servers are located in the USA but have mail clients from all over the world.

An E-mail header contains information on ALL the HW participants to the exchange, as well as on the SW participants, i.e. the PC-resident Mail Programs - such as MS Outlook - and any installed anti-virus/anti-spam SW that may filter your E-mail.

The header is the 'service' part of an E-mail and therefore is not normally visible: use the Help function of your Mail Program to learn how it can be made to appear - in MS Outlook, for instance, use the View menu, click Layout and select an option of Preview Pane.

The following is the example of an E-mail that I received from a highly suspect FSU girl - with decidedly marginal English capabilities:

And this is its header - in tabular form with comments (information in blue was obtained with the tools listed below):

X-Persona: ALICE	My Mail Server (@alice.it). X is a time-honored acronym for message.
Received: from FBCMMI01B08.fbc.local [192.168.171.30] by FBCMST14V04.fbc.local with Microsoft SMTPSVC(6.0.3790.3959); Fri, 14 May 2010 03:34:26 +0200	My Mail Server is operated by my Internet Provider (Telecom Italia) through their own internal, private network using MS SMTP (Simple Mail Transfer Protocol) Services. IP addresses 192.168.171.30, 192.168.69.32 resolve to: inetnum: 192.168.0.0 - 192.168.255.255 netname: IANA-CBLK-RESERVED1 descr: Class C address space for private internets country: EU # Country is really world wide Italy's Summer Time is +02:00 hours GMT.
Received: from FBCMMX01B03.fbc.local [192.168.69.32] by FBCMMI01B08.fbc.local with Microsoft SMTPSVC(6.0.3790.3959); Fri, 14 May 2010 03:34:27 +0200
Received: from maild.rambler.ru [81.19.66.33] by FBCMMX01B03.fbc.local with Microsoft SMTPSVC(6.0.3790.3959); Fri, 14 May 2010 03:34:24 +0200	My Mail Server received the E-mail from Dina's Mail Server (rambler.ru), whose 81.19.66.33 IP address resolves to: inetnum: 81.19.64.0 - 81.19.66.255 netname: RAMTEL descr: Rambler main network country: RU address: "Rambler Internet Holding" OJSC address: 3 floor, Leninskaya Sloboda st., 19, Omega Plaza address: Moscow, RU
Received: from max [unknown 77.40.33.85]	Dina's Internet Provider, whose 77.40.33.85 IP address resolves to: inetnum: 77.40.8.0 - 77.40.79.255 netname: MARI-VOLGATELECOM address: VolgaTelecom Mari El branch address: Sovetskaya 138 address: 424000 Yoshkar-Ola ISP: XDSL DYNAMIC POOLS Net Speed: DSL
(Authenticated sender: dinalove1977@rambler.ru) by maild.rambler.ru (Postfix) with ESMTP id 919608441E for <sanfloriani@alice.it>; Fri, 14 May 2010 05:34:22 +0400 (MSD) Date: Thu, 13 May 2010 19:18:57 +0400 From: dinalove1977@rambler.ru	Dina's Mail Server runs on an open-source Unix E-mail server (Postfix) using Extended SMTP. Dina logged on correctly there on Thu, 13 May 2010 at 19:18:57 +0400 Her E-mail was sent out on Fri, 14 May 2010 at 05:34:22 +0400 (MSD) MSD mean Moscow Summer Time, +04:00 hours GMT.
X-Mailer: The Bat! (v1.62r) UNREG / CD5BF9353B3B7091 Reply-To: dinalove1977@rambler.ru X-Priority: 3 (Normal) Message-ID: <1136748830.20100513191857@rambler.ru> To: sanfloriani@alice.it Subject: <spam] Hollo the stranger!! MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------119EE621096919" Return-Path: dinalove1977@rambler.ru	Dina's Mail Program (The Bat!) The Bat! is the most popular FSU mail program, in this case an UNREGistered copy for personal use. The registered copy allows for mass-mailing and is a favorite tool of spammers. A MIME (Multipurpose Internet Mail Extensions) Content-Type: multipart/mixed means Dina's E-mail was text plus attachments - a photo:
X-OriginalArrivalTime: 14 May 2010 01:34:25.0018 (UTC) FILETIME=<95FBE5A0:01CAF305] X-Antivirus: AVG for E-mail 9.0.819 [271.1.1/2869] X-Text-Classification: spam X-POPFile-Link: http://127.0.0.1:8080/jump_to_message?view=131	My Mail Server received Dina's E-mail 3 seconds later on 14 May 2010 at 01:34:25.0018 (UTC) - UTC or CUT is Coordinated Universal Time. My anti-virus program (AVG) and my anti-spam program (POP File), which judiciously classified Dina's E-mail as spam.
Helpful Tools To separate an E-mail header into more easily legible chunks: MX Toolbox: http://www.mxtoolbox.com/EmailHeaders.aspx To resolve an IP address: DNS Stuff: http://www.dnsstuff.com/ What Is My IP Address: http://whatismyipaddress.com/ Geobytes: http://www.geobytes.com/IpLocator.htm Next Web Security: http://www.nextwebsecurity.com/HeaderTool2-pub.asp IP 2 Location: http://www.ip2location.com/demo.aspx Arul's Tech Info: http://aruljohn.com/info/howtofindipaddress/ Most of the above tools access the regional authority databases through the WHO IS function, which you can do directly yourself: Afrinic: http://www.afrinic.net/cgi-bin/whois Apnic: http://wq.apnic.net/apnic-bin/whois.pl Arin: http://ws.arin.net/whois Lacnic: http://lacnic.net/cgi-bin/lacnic/whois RIPE: http://www.db.ripe.net/whois Another useful tool in this area is Tin Eye (http://www.tineye.com/) where you can submit a photo from your PC or some Internet website, and it will tell you where else on the Internet, to its not infinite knowledge, that photo also appears, be it a dating site, a scammer-listing site or elsewhere.
Conclusions What have we learned from decoding Dina's E-mail header information? Dina uses a PC, and probably lives, in Yoshkar-Ola, a city as famous for scammers as Lugansk. Her Internet Provider is the local VolgaTelecom, Mari-El branch, giving her a DSL connection with a dynamic IP address (77.40.33.85). Given that private DSL is not as widely available in Russia as in the West, it MAY mean that Dina wrote her E-mail from a PC installed at some public facility (Internet Café, school, office, etc.) Her Mail Server is Moscow's Rambler.ru. Her Mail Program is The Bat!. The above, and most of all her E-mail text, warrant further investigation. Google can be a great aid in this - Dina's E-mail address dinalove1977@rambler.ru produces a page on the Zoqy Net blog (http://zoqy.net/?p=1734) written by a French wine lover who also received the SAME letter and photo a week earlier on May 10 through Yahoo Mail. Therefore, Dina is very likely a scammer with a penchant for European Latins :-)) Further hints on how to spot a scammer can be obtained from RWD's Scammer Score Card (Scam Card: http://www.russianwomendiscussion.com/index.php?pid=34).