Tracing Spam
Thread Starter
Joined: Jun 2000
Posts: 88
Likes: 0
From: somewhere near you
Tracing Spam
I have been getting spam on a usually completely spam-free address, from the same company, for a few weeks now. It's annoying me. So I try to be clever. I look at the headers. I get what I think is the host ISP, and go to their website, find their abuse email address, and politely complain to them, including a full copy of the spam, including headers. They send back what looks vaguely like an autoresponse saying basically go away, the email header was forged.
I am rather new to this, but if that host isn't the ISP, then I have no idea what is. Here is the full copy.
-------------------------------------------------------------------------
Return-Path: <[email protected]>
Received: from 210.83.5.55 (HELO 209.99.226.105) (210.83.5.55) by mta559.mail.yahoo.com with SMTP; 17 Jun 2002 18:31:50 -0700 (PDT)
Received: from unknown (201.187.168.97) by smtp-server1.cfl.rr.com with QMQP; Jun, 18 2002 02:08:28 -0100
Received: from [130.91.58.120] by mta6.snfc21.pbi.net with SMTP; Jun, 18 2002 01:11:37 +0300
Received: from unknown (148.179.169.246) by rly-yk05.mx.aol.com with QMQP; Jun, 18 2002 00:05:34 -0800
Received: from 167.90.49.93 ([167.90.49.93]) by mailout2-eri1.midsouth.rr.com with esmtp; Jun, 17 2002 23:05:26 -0100
From: "UK Prank Calls" <[email protected]>
To: Iloveukprankcalls@
CC:
Subject: Play a Hilarious Prank on Any UK phone
Sender: UK Prank Calls <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Tue, 18 Jun 2002 02:31:56 +0100
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Content-Length: 36
Please Visit http://ukprankcalls.com
----------------------------------------------------------------------
Naturally, I complained to the first "received from", midsouth.rr.com, but they said it was forged. So how do I find the ISP? Or is it from midsouth.rr.com and they don't care?
Thanks for any help
Joined: Feb 2000
Posts: 776
Likes: 0
From: [edited by PPRuNe Admin]
I've had a look at this and at first glance I would say that the mail server at midsouth.rr.com has open relay, which is prohibited. Having open relay means any spammer can use their mail server to spam.
If they don't have open relay then they will have a log of incoming mail messages and origin - they can trace through that.
B
Per Ardua ad Astraeus
Joined: Mar 2000
Posts: 18,575
Likes: 4
From: UK
Rob, have a look at the 'Mailwasher' programme talked about on this forum here.
It will bounce your address to the spammer as a 'dead' email address and should stop it.
It's good, it's simple, it's worth a donation to the writer!
PS That's not me!
Last edited by BOAC; 18th June 2002 at 21:08.
Thread Starter
Joined: Jun 2000
Posts: 88
Likes: 0
From: somewhere near you
It is probably very good, but I use web mail, yahoo to be precise, so I'll have to wait until they update it, as they say on their website.
I'm just trying this at the moment. Not had much success yet.
Joined: Feb 2000
Posts: 542
Likes: 0
From: asia
There are a couple of organisations which monitor open relay mail servers, and blacklist ones which won't fix the problem.
There is a web page you can use for reporting a suspected open relay mail server.
Have used it in the past with good results.
If you want the address, let me know and I will look it out.

Joined: Mar 2002
Posts: 448
Likes: 0
From: London, UK
Spam
rob,
Unfortunately, the only Received: header that you can believe with anything approaching certainty is the "last" one, added by your own ISP (Yahoo in this case). This will be the first Received: header that you read in the message, as the server writes out its own Received: header first, then simply adds those taken from the message, so it's easy to see why you cannot rely on those. In this case we have:
Received: from 210.83.5.55 (HELO 209.99.226.105) (210.83.5.55) by mta559.mail.yahoo.com with SMTP; 17 Jun 2002 18:31:50 -0700 (PDT)
From this we can see that the message actually came from the host with the IP address 210.83.5.55 (the "from 210.83.5.55" clause). The host lied about who it actually was by claiming to be 209.99.226.105 (the "(HELO 209.99.226.105)" clause).
A lookup of the records for 210.83.5.55 shows it to be connected to a network in China:
inetnum: 210.83.5.0 - 210.83.5.15
netname: MODERN-WINDOW
descr: modern window,xi'an city
country: CN
admin-c: YQ13-AP
tech-c: YQ13-AP
mnt-by: MAINT-CN-ZM28
changed: [email protected] 20011024
source: APNIC
person: youjun qu
address: xi'an city
country: CN
phone: +86-029-8472775
e-mail: [email protected]
nic-hdl: YQ13-AP
mnt-by: MAINT-CN-ZM28
changed: [email protected] 20011130
source: APNIC
As What_does_this_button_do? suggests, this is probably because they are an open relay, but given that they are in China, your chances of getting them to close their relay or indeed help you identify the source of the spam are small.
We've seen significant increases in spam from this part of the world in recent months. Unless you can persuade your ISP to introduce more aggressive anti-spam filtering, perhaps by using one of the realtime blocking lists mentioned by stickyb, you're going to be stuck getting these.
The big "free mail" providers don't seem to like doing much in the way of anti-spam. Whether that's just because it's too much effort (which it isn't, really) or for other reasons (go figure for yourself).
You could try reporting the message to www.spamcop.net
Get back to me if you need further advice on this,
Regards
DS
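The reading of the Received: chain described above, as an added example (not code from the original post): it walks the headers from the spam quoted in this thread top-down, separates what the receiving server actually saw (the connecting address) from what the sender claimed (the "from" name and the HELO argument), and treats only the hop written by the recipient's own provider as trustworthy. The `our_domain` parameter is an assumption used to recognise that hop.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Received: chain copied from the spam quoted in this thread (topmost first).
RECEIVED_HEADERS = [
    "Received: from 210.83.5.55 (HELO 209.99.226.105) (210.83.5.55) by mta559.mail.yahoo.com with SMTP; 17 Jun 2002 18:31:50 -0700 (PDT)",
    "Received: from unknown (201.187.168.97) by smtp-server1.cfl.rr.com with QMQP; Jun, 18 2002 02:08:28 -0100",
    "Received: from [130.91.58.120] by mta6.snfc21.pbi.net with SMTP; Jun, 18 2002 01:11:37 +0300",
    "Received: from unknown (148.179.169.246) by rly-yk05.mx.aol.com with QMQP; Jun, 18 2002 00:05:34 -0800",
    "Received: from 167.90.49.93 ([167.90.49.93]) by mailout2-eri1.midsouth.rr.com with esmtp; Jun, 17 2002 23:05:26 -0100",
]

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOP = re.compile(r"Received:\s+from\s+(\S+)(.*?)\s+by\s+(\S+)")

@dataclass
class Hop:
    from_name: str                # name the sender gave itself (a claim)
    helo: Optional[str]           # HELO argument, if recorded (also a claim)
    connecting_ip: Optional[str]  # address the receiving server actually saw
    by_host: str                  # server that wrote this header
    trusted: bool                 # True only for the hop our own provider wrote

def parse_hop(line: str) -> Hop:
    m = HOP.match(line)
    if not m:
        raise ValueError(f"unparseable Received: line: {line!r}")
    from_name, extra, by_host = m.groups()
    helo = re.search(r"HELO\s+(\S+?)\)", extra)
    # The receiving MTA appends the peer address in (...) or [...]; take the
    # last one so a HELO that happens to be an IP is not mistaken for it.
    ips = IPV4.findall(extra) or IPV4.findall(from_name)
    return Hop(from_name.strip("[]"), helo.group(1) if helo else None,
               ips[-1] if ips else None, by_host, False)

def trace(headers: List[str], our_domain: str) -> List[Hop]:
    # Only the first header, and only if our own provider wrote it, is
    # believed; every header below it arrived inside the message and may be forged.
    hops = []
    for i, line in enumerate(headers):
        hop = parse_hop(line)
        hop.trusted = (i == 0 and hop.by_host.endswith(our_domain))
        hops.append(hop)
    return hops

def origin(headers: List[str], our_domain: str) -> Optional[str]:
    # The address that handed the message to our provider: the one worth a
    # whois lookup or an abuse report, as the reply above explains.
    hops = trace(headers, our_domain)
    return hops[0].connecting_ip if hops and hops[0].trusted else None
```

The example generalises the post's reading of one header to all five hops, so the forged lower hops (aol.com, pbi.net, midsouth.rr.com) can be seen side by side with the one real one.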
Thread Starter
Joined: Jun 2000
Posts: 88
Likes: 0
From: somewhere near you
Thanks for all the help. I had tried tracing all the IP addresses, and I had got the China one, but also about 5 others, from medical centres and universities etc. So I had no idea which was the true IP.
As to china-netcom.com, I tried their website, www.china-netcom.com, and I get a password thing, and a load of gibberish. So I think complaining there would be futile.
Stickyb, if you could find that address I'd be pleased.
As you guys have said, if you go to this it is a known hosting exploited open relay.
Search Google, it gets this site
Where's spam from , which gives Spam Site:
http://www.bulkmailbusiness.com/
and some other stuff. Not sure complaining to them would help
I'll have a further look around. Thanks for all the help.
Joined: Feb 2000
Posts: 542
Likes: 0
From: asia
try this for general and useful info
http://www.abuse.net/index.phtml
and this for relay testing
http://www.abuse.net/relay.html
Cheers
Joined: Nov 2000
Posts: 1,016
Likes: 0
From: London,Bucharest...wherever...
http://combat.uxn.com
trace the bastards and complain direct to the idiots who host these arseholes...
hours of fun...and very effective it would seem!
Joined: Apr 2001
Posts: 1,040
Likes: 0
From: Yorkshire
General rule when emailing complaints about spam is to go for the first major upstream provider you come across in the trace, i.e. Sprintnet, etc. I have found emailing the company sending the spam doesn't usually work, as they are not interested in ceasing the emails!