
Thursday, April 15, 2010

Email Headers: Internet Detectiving 101

Time for some gibberish (for most of us, but not for some).
This is the full header of a recent Phishing email I received.

From wowaccountadmin@blizzard.com Thu Apr 15 07:49:15 2010
X-Apparently-To: me@yahoo.com via 67.195.8.205; Thu, 15 Apr 2010 00:49:33 -0700
Return-Path: <sylve@hotmail.fr>
X-YahooFilteredBulk: 65.55.111.76
X-Originating-IP: [65.55.111.76]
Authentication-Results: mta1059.mail.sp2.yahoo.com from=hotmail.fr; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO blu0-omc2-s1.blu0.hotmail.com) (65.55.111.76)
by mta1059.mail.sp2.yahoo.com with SMTP; Thu, 15 Apr 2010 00:49:33 -0700
Received: from BLU0-SMTP93 ([65.55.111.71]) by blu0-omc2-s1.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 15 Apr 2010 00:49:12 -0700
X-Originating-IP: [222.94.32.217]
X-Originating-Email: [sylve@hotmail.fr]
Message-ID: <BLU0-SMTP9322D8F095F0D27C44F50ECF0F0@phx.gbl>
Return-Path: <sylve@hotmail.fr>
Received: from vlpxfrcn ([222.94.32.217]) by BLU0-SMTP93.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 15 Apr 2010 00:49:10 -0700
Sender: sylve@hotmail.fr
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
To: me@yahoo.com
Subject: World Of Warcraft-Account Instructions
Date: Thu, 15 Apr 2010 15:49:15 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0E74_01A76424.11700BC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 15 Apr 2010 07:49:11.0296 (UTC) FILETIME=[22DEE000:01CADC70]
Content-Length: 5211

At first glance it looks like the email came from wowaccountadmin@blizzard.com, but then you notice the Return-Path: header carries a different email address, from France. Sourges to be precise (I found the guy on Facebook via his email). But did Sylvain Borreda really send this email? Or did someone hack his email account?

The earliest and most reliable record of the email entering cyberspace is the bottom-most Received: line, Received: from vlpxfrcn ([222.94.32.217]). Each mail server that handles a message prepends its own Received: line, so you read them from the bottom up to follow the message's path. Googling this IP brings up a couple of pages, almost all of them reverse IP lookup pages... except for one, a non-existent page at http://nj.livingchina.cn (a Chinese website; how cliché).
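As an added example (not part of the original post), here is a small Python script that automates the checks above on the headers quoted in this post: it walks the Received: lines bottom-up to recover the first hop, compares the displayed From: domain with Sender: and the envelope Return-Path:, and pulls the verdicts out of Authentication-Results. The header block is copied from the post, trimmed to the lines the analysis uses, with the angle brackets the page stripped from From: and Return-Path: restored.

```python
import email
import email.utils
import re

# Headers quoted from the post above, trimmed to the ones the analysis uses.
RAW = """\
Return-Path: <sylve@hotmail.fr>
Authentication-Results: mta1059.mail.sp2.yahoo.com from=hotmail.fr; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO blu0-omc2-s1.blu0.hotmail.com) (65.55.111.76)
 by mta1059.mail.sp2.yahoo.com with SMTP; Thu, 15 Apr 2010 00:49:33 -0700
Received: from BLU0-SMTP93 ([65.55.111.71]) by blu0-omc2-s1.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Thu, 15 Apr 2010 00:49:12 -0700
Received: from vlpxfrcn ([222.94.32.217]) by BLU0-SMTP93.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
 Thu, 15 Apr 2010 00:49:10 -0700
Sender: sylve@hotmail.fr
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
Subject: World Of Warcraft-Account Instructions
"""
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def relay_chain(raw):
    """Relay hops oldest-first. Each MTA prepends its own Received: line, so the
    bottom one is the sender's first hop. Only hops stamped by servers you trust
    (here Yahoo's mta1059) are guaranteed genuine; anything below could be forged."""
    msg = email.message_from_string(raw)
    chain = []
    for rcvd in reversed(msg.get_all("Received", [])):
        frm = re.match(r"\s*from\s+(\S+)", rcvd)
        by = re.search(r"\bby\s+(\S+)", rcvd)
        ips = [ip for ip in IP_RE.findall(rcvd) if not ip.startswith("127.")]
        chain.append({"from": frm.group(1) if frm else None,
                      "by": by.group(1) if by else None,
                      "ip": ips[0] if ips else None})
    return chain

def sender_domains(raw):
    """Domains of the three 'who sent this' headers; a displayed From: that
    disagrees with the envelope Return-Path: is the post's first phishing tell."""
    msg = email.message_from_string(raw)
    return {h: email.utils.parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
            for h in ("From", "Sender", "Return-Path")}

def auth_results(raw):
    """method -> verdict from Authentication-Results. 'neutral (no sig)' means the
    receiving MTA could neither confirm nor refute the claimed blizzard.com origin."""
    msg = email.message_from_string(raw)
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(dkim|domainkeys|spf)=(\w+)", hdr))
```

Running `relay_chain(RAW)[0]` gives the vlpxfrcn / 222.94.32.217 hop the post singles out, and `sender_domains(RAW)` shows From: as blizzard.com against hotmail.fr for both Sender: and Return-Path:.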

If you're following along at home and you clicked the actual link on your Google search page you'll see that the specific page at livingchina.cn no longer exists/cannot be found, etc.

But back on the Google search results page we can see that along with the IP there is additional identifying information. There's a phone number and an email address, and if we now Google gftaiyq@163.com we discover the apparently true identity of Mr. 222.94.32.217 aka Guofang Tao, a Real Estate broker in Nanjing, China. (Go figure.) But is Guofang Tao really our Phisher? He is Chinese, but that doesn't automatically make him a Chinese Gold Farmer/Phisherman. He's like a Tootsie Roll Pop: the world may never know, because this is as far as my Internet sleuthing skills can take us.