X-Originating-IP with two IPs ?!?

5 Posts
5 Users
0 Likes
1,180 Views
(@wechselberger)
Posts: 11
Active Member
Topic starter
 

Hello!

A Mail Header shows after X-Originating-IP two IPs. What does this mean?

Mail-Header
—snipp—
X-CM-HeaderCharset: UTF-8
X-Originating-IP: [95.141.27.41, 176.34.63.150] <– What does this mean?
Date: Tue, 8 Apr 2014 15:29:04 +0800
—snipp—

regards

K.W.

 
Posted : 16/07/2014 2:01 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

I don't really know for sure, but my guess would be that someone at 95.141.27.41 used a mail client to send mail from a server at 176.34.63.150.

 
Posted : 17/07/2014 6:15 am
HexDrugsRockNRoll
(@hexdrugsrocknroll)
Posts: 60
Trusted Member
 

I'm not 100% either, but recently during testing I had two IP addresses turn up elsewhere in the headers. One was the internal IP assigned to my device, the other was the external IP address.

 
Posted : 17/07/2014 3:09 pm
(@athulin)
Posts: 1156
Noble Member
 

A Mail Header shows after X-Originating-IP two IPs. What does this mean?

Whatever the MTA (or MUA or firewall or application proxy or …) that created it means. (It needn't come from an MTA; it could theoretically have come from the mail client or any other point of network transmission that the message passed through. MTAs that don't recognize that particular header will probably just pass it on.)

RFC 822 (which is now obsolete) allowed 'extension fields', following the format of 'X-…' in mail messages. The current specification RFC 2822 does not do so, and RFC 6648 / BCP 178 deprecates the use of 'X-…' type headers. Thus, it's nonstandard today.

As far as RFC 822 goes, extension fields may have been registered, but as it now is obsolete, I suspect any such registrations may have become obsolete as well. You may want to check with the registrar mentioned in RFC 822 (SRI International) for any records.

Apart from that, as it is a nonstandard header, you can't trust it to mean anything in general. If you are able to identify the source of it, you might be able to attach a meaning to it.

You could start by examining any X-Mailer or similar headers – do those programs add this kind of header? And what semantics do they associate with it, i.e. what assertions can safely be made on the basis of that particular header?

The reason BCP 178 deprecates the use of extension fields is that they usually cause more problems than they solve. Which is more or less what you have discovered.

Added: In highly configurable and scriptable mail environments, the contents of extension fields could also be misconfigurations. For example, if Exchange allows the mail admin to add this field to outgoing messages, it could be that the mail admin added information useful for his own environment, but which may not make sense elsewhere. In such cases, you clearly need to find that mail admin to interpret the header…

 
Posted : 19/07/2014 12:09 pm
(@infoseccow)
Posts: 14
Active Member
 

Assuming you are not dealing with a forged header, you may be able to identify the application that generated the X header entry using entries that surround it. You can then use the documentation from that application to determine how it is using X-Originating-IP. Even then, you will still want the server logs from the servers in the mail chain so you can provide supporting information showing where and when the mail traversed what server.

 
Posted : 31/07/2014 7:35 pm
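The advice in the last two replies (read the surrounding headers such as X-Mailer, and corroborate the nonstandard X-Originating-IP value against the mail chain rather than trusting it) can be scripted. The following is an added example, not code from anyone in this thread: it parses a constructed raw message, extracts every IP listed in X-Originating-IP, and checks whether each one also appears in the Received: chain that standard MTAs prepend. Only the two IPs quoted in the original post are reused; the Received: hops, host names, ids and the X-Mailer value are assumptions invented for the sample.

```python
"""Added example (not from the forum thread): parse a raw message, pull out the
X-Originating-IP values, and check whether each is corroborated by the
Received: chain. Corroboration is a consistency check, not proof of origin:
the same party could forge both headers, and an uncorroborated value may simply
be an internal address, as one reply in the thread describes."""
import ipaddress
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message. The X-Originating-IP line mirrors the thread's;
# the Received: hops, host names and X-Mailer value are invented.
RAW_MESSAGE = b"""\
Received: from mx.example.net ([176.34.63.150]) by inbound.example.org
 with ESMTP id abc123; Tue, 8 Apr 2014 07:30:01 +0000
Received: from [95.141.27.41] by mx.example.net with ESMTPSA id def456;
 Tue, 8 Apr 2014 07:29:58 +0000
X-Mailer: ExampleMailer 1.0
X-CM-HeaderCharset: UTF-8
X-Originating-IP: [95.141.27.41, 176.34.63.150]
Date: Tue, 8 Apr 2014 15:29:04 +0800
From: sender@example.net
To: recipient@example.org
Subject: test

body
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(text):
    """Return the valid IPv4 addresses found in a header value, in order.
    The regex is permissive; ipaddress rejects things like 999.1.1.1."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue
    return found


def parse_headers(raw):
    """Collect the fields a reviewer would look at first: the X-Originating-IP
    values, the per-hop IPs from Received:, and the X-Mailer string that may
    identify which program added the nonstandard header."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    originating = []
    for value in msg.get_all("X-Originating-IP", []):
        originating.extend(extract_ips(value))
    # Each MTA prepends its Received: line, so index 0 is the most recent hop.
    received = [extract_ips(v) for v in msg.get_all("Received", [])]
    return {
        "originating": originating,
        "received": received,
        "mailer": msg.get("X-Mailer"),
    }


def corroborate(raw):
    """Map each X-Originating-IP value to True if some Received: hop also
    names that address, False otherwise."""
    info = parse_headers(raw)
    seen_in_chain = {ip for hop in info["received"] for ip in hop}
    return {ip: ip in seen_in_chain for ip in info["originating"]}


if __name__ == "__main__":
    info = parse_headers(RAW_MESSAGE)
    print("X-Mailer:", info["mailer"])
    for ip, ok in corroborate(RAW_MESSAGE).items():
        print(f"{ip}: {'seen in Received chain' if ok else 'NOT in Received chain'}")
```

A value that appears nowhere in the Received: chain is the one to chase with the mail server logs the last reply mentions; a corroborated value still only tells you the two headers agree with each other.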