An E-Mail to OJAS, hallo, how are you?, I'm JJ from Spain, how goes the anti-scamms crusade?, I know you are an expert in headers, I post this one from an scammer 'lady' I am writing now with her, if you would be so kind to explain me about what it means, I did get any like this with that of AntiAbuse.
The IP one is from Houston Texas, the other Yoskar-Ola as usual and the other Marina del Rey CA. but the E-Mail is not google or yahoo and then the times between Spain and Calif. you go 7 hrs. in advance and we, with Yoskar-Ola, we go 2 hrs. in advance.
Received: from s52.avahost.net ([22.214.171.124])
Sun, 19 Jul 2009 03:04:28 +0200
Received: from [126.96.36.199] (helo=[10.81.0.138])
by s52.avahost.net with esmtpa (Exim 4.69)
Sat, 18 Jul 2009 11:43:31 -0500
Date: Sat, 18 Jul 2009 20:37:47 +0400
X-Mailer: The Bat! (v188.8.131.52) Professional
X-Priority: 3 (Normal)
Subject: Re: Fw: Hello dear Elena
Content-Type: text/plain; charset=us-ascii
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - s52.avahost.net
X-AntiAbuse: Original Domain
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - lvmail.ru
X-OriginalArrivalTime: 19 Jul 2009 01:04:29.0281 (UTC) FILETIME=[DE20ED10:01CA080C].
@ JJ from Spain
If I may help, even though I know you have asked OJAS, he gets very busy, as do we all!
I've been doing this for more than 1 year, and helping out here for nearly the same time.
I've just seen your main question 'X-AntiAbuse: means??' The email is being tracked. As you can see it's known to be a mail server and dictionary attacker.
I can see your confusion regarding the originating IP 184.108.40.206 United States
Many spam emails are re-routed through many servers to disguise there origin. This is what I believe has happened here. The original IP is most probably 220.127.116.11 Russian Federation (Yoshkar-ola)
WHOIS - 18.104.22.168
Location: Russian Federation (high) [City: Yoshkar-Ola, Mariy-El]
Information related to '22.214.171.124 - 126.96.36.199'
inetnum: 188.8.131.52 - 184.108.40.206
descr: ZAO 'Company 'ER-Telecom' Yoshkar-Ola
descr: Enterprise customers (PPPoE)
IP 220.127.116.11 [Spam Server] [Dictionary Attacker]
The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker.
Very defiantly the originating IP, each scammer in Russia sends up to 300 emails each day using The Bat! (v18.104.22.168) Professional, email program. Ensuring the IP is identified as a mail server through 'The Project Honey Pot'
Emails been re-routed through IP 22.214.171.124
WHOIS - 126.96.36.199
Location: United States [City: Monroe, New York]
OrgName: General Electric Company
Address: Internet Registrations
Address: 3135 Easton Turnpike
The Houston Texas IP is the server before it got to you, (I suppose you already know that) has no significance in your search.
One of the main things in the header is the X-Mailer: The Bat! (v188.8.131.52) Professional
Leads me to believe you have a scammer in tow.
Are you being scammed and this is your first visit here?