Email headers are metadata fields contained in every Simple Mail Transfer Protocol (SMTP) message
transmitted over the Internet. They contain useful information about the message's path from source
to destination.

Return-Path: katharyn.kathaleenip@awnet.com
Delivery-Date: Wed, 07 Oct 2009 05:26:32 -0400
Received: from syyyzf ([59.10.163.222])
    by mx.perfora.net (node=mxus2) with ESMTP (Nemesis)
    id 0MFdfx-1N7qrp3Z7F-00FOKi ; Wed, 07 Oct 2009 05:26:31 -0400
From: "Katharyn Kathaleen" katharyn.kathaleenip@awnet.com
MIME-Version: 1.0
Sender: katharyn.kathaleenip@awnet.com
Subject: Best Buy Viagra50mg/100mgx30=$79; x60=$179; x120=$218, Fast Shipping -
    100% SATISFACTION, We accept Master & Visa, 90000+ Satisfied US, UK
    Customers! NoPrescription! xcijcy s7mw
To: submissions@mwgraves.com
Bcc: michael@mwgraves.com
    [And you thought nobody could tell when you used BCC!]
Date: Wed, 07 Oct 2009 00:49:06 -0700
Message-ID: 1254901746.8269@awnet.com
X-Sender: katharyn.kathaleenip@awnet.com
Content-Type: multipart/alternative; boundary="----_NextPart_000_0EB9_517657C6.85CAC8F2"
X-Nemesis-Spam: fuhafi
    [Indicates that my email provider’s SPAM filter identified this as spam and
    redirected it to the SPAM folder. Which it did.]
Envelope-To: michael@mwgraves.com
    [This told the SMTP servers to send the message to my email address REGARDLESS
    of what was viewable in the TO: field.]

Investigative Value:
This information was derived from the email seen in the first screenshot. I was a bit irritated that
my order of 500 Viagra tablets had not yet arrived. So I decided to see if I could figure out if I’d
been scammed. That shouldn’t happen to a bright guy like me! A brief check with WHOIS tells
me a couple things that make me worry that I might have gotten taken. 59.10.163.222 does not
indicate any server by the name of syyyzf. In fact, I learn that it is a server owned by an ISP
called Kornet in Korea. Wasn’t my Viagra order supposed to come from California? So who is
AWNET.COM? It’s hosted by GODADDY.COM (who has far and away the best advertisements
for an Internet Service Provider of all, but has no active user called katary.kathaleenip). The
company who registered that domain name is Awinc. LTD, yet another ISP? Wow. This could
get confusing.
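
The checks made by eye above (the connecting IP and HELO name in the Received line, and the Envelope-To address that does not appear in To) can be scripted. This Python sketch is an added example, not part of the original page; the function name analyze, the wording of the findings, and the transit-delay calculation are assumptions, and the sample is the page's own header block with the annotations removed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# The page's header block, annotations removed; the message body is omitted.
SAMPLE = """\
Return-Path: katharyn.kathaleenip@awnet.com
Delivery-Date: Wed, 07 Oct 2009 05:26:32 -0400
Received: from syyyzf ([59.10.163.222])
 by mx.perfora.net (node=mxus2) with ESMTP (Nemesis)
 id 0MFdfx-1N7qrp3Z7F-00FOKi ; Wed, 07 Oct 2009 05:26:31 -0400
To: submissions@mwgraves.com
Date: Wed, 07 Oct 2009 00:49:06 -0700
Envelope-To: michael@mwgraves.com

"""

# "from <HELO name> ([<connecting IP>]) by <receiving server>"
HOP = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s*by\s+(\S+)")

def analyze(raw):
    msg = message_from_string(raw)
    hops = []
    for rcvd in msg.get_all("Received", []):
        m = HOP.search(rcvd)
        if m and ";" in rcvd:  # the hop timestamp follows the last ';'
            when = parsedate_to_datetime(rcvd.rsplit(";", 1)[1].strip())
            hops.append({"helo": m.group(1), "ip": m.group(2),
                         "by": m.group(3), "time": when})
    findings = []
    # Recipients the reader can see, versus the one SMTP actually delivered to.
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(shown)}
    envelope = (msg["Envelope-To"] or "").strip().lower()
    if envelope and envelope not in visible:
        findings.append(f"{envelope} received this via the envelope, not To/Cc")
    delay = None
    if hops:
        first = hops[0]  # top-most Received line, written by our own server
        if "." not in first["helo"]:  # sender-supplied name, easily faked
            findings.append(f"HELO name {first['helo']!r} is not fully qualified; "
                            f"rely on the recorded IP {first['ip']}")
        if msg["Date"]:  # claimed send time versus time our server saw it
            sent = parsedate_to_datetime(msg["Date"])
            delay = (first["time"] - sent).total_seconds()
    return {"hops": hops, "findings": findings, "delay_seconds": delay}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The IP address is the value to take to WHOIS, because the receiving server records it from the connection itself, while the HELO name is whatever the sending host chose to claim.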