Tracing Spam
I have been getting spam on a usually completely spam-free address, from the same company, for a few weeks now. It's annoying me. So I try to be clever. I look at the headers. I get what I think is the host ISP, go to their website, find their abuse email address, and politely complain to them, including a full copy of the spam, headers and all. They send back what looks vaguely like an autoresponse saying basically go away, the email header was forged.
I am rather new to this, but if that host isn't the ISP, then I have no idea what is. Here is the full copy.
-------------------------------------------------------------------------
Return-Path: <[email protected]>
Received: from 210.83.5.55 (HELO 209.99.226.105) (210.83.5.55) by mta559.mail.yahoo.com with SMTP; 17 Jun 2002 18:31:50 -0700 (PDT)
Received: from unknown (201.187.168.97) by smtp-server1.cfl.rr.com with QMQP; Jun, 18 2002 02:08:28 -0100
Received: from [130.91.58.120] by mta6.snfc21.pbi.net with SMTP; Jun, 18 2002 01:11:37 +0300
Received: from unknown (148.179.169.246) by rly-yk05.mx.aol.com with QMQP; Jun, 18 2002 00:05:34 -0800
Received: from 167.90.49.93 ([167.90.49.93]) by mailout2-eri1.midsouth.rr.com with esmtp; Jun, 17 2002 23:05:26 -0100
From: "UK Prank Calls" <[email protected]>
To: Iloveukprankcalls@
CC:
Subject: Play a Hilarious Prank on Any UK phone
Sender: UK Prank Calls <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Tue, 18 Jun 2002 02:31:56 +0100
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Content-Length: 36

Please Visit http://ukprankcalls.com
----------------------------------------------------------------------
Naturally, I complained to the first "received from", midsouth.rr.com, but they said it was forged. So how do I find the ISP? Or is it from midsouth.rr.com and they don't care? Thanks for any help
I've had a look at this and at first glance I would say that the mail server at midsouth.rr.com has an open relay, which is prohibited. Having an open relay means any spammer can use their mail server to spam.
If they don't have an open relay then they will have a log of incoming mail messages and their origin - they can trace through that. B
Rob, have a look at the 'Mailwasher' programme talked about on this forum here.
It will bounce your address to the spammer as a 'dead' email address and should stop it. It's good, it's simple, it's worth a donation to the writer! PS That's not me!
It is probably very good, but I use web mail, Yahoo to be precise, so I'll have to wait until they update it, as they say on their website.
I'm just trying this at the moment. Not had much success yet :(
There are a couple of organisations which monitor open relay mail servers, and blacklist ones which won't fix the problem.
There is a web page you can use for reporting a suspected open relay mail server. I have used it in the past with good results. If you want the address, let me know and I will look it out.
Spam
rob,
Unfortunately, the only Received: header that you can believe with anything approaching certainty is the "last" one, added by your own ISP (Yahoo in this case). This will be the first Received: header that you read in the message, as the server writes out its own Received: header first, then simply adds those taken from the message, so it's easy to see why you cannot rely on those. In this case we have:

Received: from 210.83.5.55 (HELO 209.99.226.105) (210.83.5.55) by mta559.mail.yahoo.com with SMTP; 17 Jun 2002 18:31:50 -0700 (PDT)

From this we can see that the message actually came from the host with the IP address 210.83.5.55 (the "from 210.83.5.55" clause). The host lied about who it actually was by claiming to be 209.99.226.105 (the "HELO 209.99.226.105" clause). A lookup of the records for 210.83.5.55 shows it to be connected to a network in China:

inetnum: 210.83.5.0 - 210.83.5.15
netname: MODERN-WINDOW
descr: modern window,xi'an city
country: CN
admin-c: YQ13-AP
tech-c: YQ13-AP
mnt-by: MAINT-CN-ZM28
changed: [email protected] 20011024
source: APNIC

person: youjun qu
address: xi'an city
country: CN
phone: +86-029-8472775
e-mail: [email protected]
nic-hdl: YQ13-AP
mnt-by: MAINT-CN-ZM28
changed: [email protected] 20011130
source: APNIC

As What_does_this_button_do? suggests, this is probably because they are an open relay, but given that they are in China, your chances of getting them to close their relay or indeed help you identify the source of the spam are small. We've seen significant increases in spam from this part of the world in recent months. Unless you can persuade your ISP to introduce more aggressive anti-spam filtering, perhaps by using one of the realtime blocking lists mentioned by stickyb, you're going to be stuck getting these. The big "free mail" providers don't seem to like doing much in the way of anti-spam.
Whether that's just because it's too much effort (which it isn't, really) or for other reasons (go figure for yourself ;) ). You could try reporting the message to www.spamcop.net. Get back to me if you need further advice on this. Regards DS
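The header walk DS describes, written out as an added Python example that is not part of the thread. It takes the Received: headers quoted in rob's post (a constructed sample copied from above, with the addresses left out), treats the topmost hop as the only one written by a server you trust, extracts the real connecting IP from its "from" clause and compares it with the HELO claim, and then checks whether each lower hop's "by" host is the host the hop above says it received from. The provider suffix "yahoo.com" and the plain name-matching heuristic in chain_breaks are assumptions; a real check would resolve the names with DNS before comparing.

```python
"""Walk the Received: chain of a message, most recent hop first.

Only the hop written by your own provider's MTA can be trusted; every hop
below it arrived inside the message and may have been typed by the sender.
"""
import re
from email import message_from_string

# Constructed sample: the Received: headers quoted in the forum post above,
# topmost (most recent) first. Addresses from the post are omitted.
SAMPLE = """\
Received: from 210.83.5.55 (HELO 209.99.226.105) (210.83.5.55) by mta559.mail.yahoo.com with SMTP; 17 Jun 2002 18:31:50 -0700 (PDT)
Received: from unknown (201.187.168.97) by smtp-server1.cfl.rr.com with QMQP; Jun, 18 2002 02:08:28 -0100
Received: from [130.91.58.120] by mta6.snfc21.pbi.net with SMTP; Jun, 18 2002 01:11:37 +0300
Received: from unknown (148.179.169.246) by rly-yk05.mx.aol.com with QMQP; Jun, 18 2002 00:05:34 -0800
Received: from 167.90.49.93 ([167.90.49.93]) by mailout2-eri1.midsouth.rr.com with esmtp; Jun, 17 2002 23:05:26 -0100
Subject: Play a Hilarious Prank on Any UK phone

Please Visit http://ukprankcalls.com
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"                      # name or IP the sender presented
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"      # Yahoo-style HELO claim, if recorded
    r"(?:\s+\(\[?(?P<ip>" + IPV4 + r")\]?\))?"   # connecting IP as seen by the MTA
    r"\s+by\s+(?P<by>\S+)",                      # the server that wrote this hop
    re.IGNORECASE,
)


def parse_hops(raw_message):
    """Return one dict per Received: header, topmost (most recent) first."""
    hops = []
    for hdr in message_from_string(raw_message).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if not m:
            hops.append({"raw": hdr, "unparsed": True})
            continue
        d = m.groupdict()
        # If the MTA recorded no separate IP, accept the from-token when it is one
        bare = d["from"].strip("[]")
        d["ip"] = d["ip"] or (bare if re.fullmatch(IPV4, bare) else None)
        d["raw"] = hdr
        hops.append(d)
    return hops


def trusted_origin(hops, own_mta_suffix):
    """Only the topmost hop was written by your own provider: report the real
    connecting IP and whether the HELO name the client gave disagrees with it.
    own_mta_suffix ("yahoo.com" here) is an assumption about your provider."""
    top = hops[0]
    if top.get("unparsed") or not top["by"].lower().endswith(own_mta_suffix.lower()):
        raise ValueError("topmost Received: header was not written by " + own_mta_suffix)
    helo = (top["helo"] or "").strip("[]")
    return {
        "ip": top["ip"],
        "helo": top["helo"],
        "helo_mismatch": bool(helo) and helo != top["ip"],
        "by": top["by"],
    }


def chain_breaks(hops):
    """Indices i where hop i's 'from' host is not the 'by' host of hop i+1.
    A break directly under the trusted hop means nothing further down can be
    verified. Heuristic: exact name/IP match only, no DNS (assumption)."""
    breaks = []
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if upper.get("unparsed") or lower.get("unparsed"):
            breaks.append(i)
            continue
        claimed = {upper["from"].strip("[]").lower(), (upper["ip"] or "").lower()}
        if lower["by"].lower() not in claimed:
            breaks.append(i)
    return breaks


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    origin = trusted_origin(hops, "yahoo.com")
    print("real connecting host: %s (claimed HELO %s, mismatch=%s)"
          % (origin["ip"], origin["helo"], origin["helo_mismatch"]))
    breaks = chain_breaks(hops)
    if breaks and breaks[0] == 0:
        print("chain breaks right below the trusted hop; hops 2..%d are unverifiable" % len(hops))
    for n, h in enumerate(hops, 1):
        print("hop %d: from=%s ip=%s by=%s" % (n, h.get("from"), h.get("ip"), h.get("by")))
```

The first break index is the useful number: when it is 0, the only fact you have is the connecting IP in the top hop, and complaining to any "by" host below it (midsouth.rr.com in the thread) means complaining about text the spammer wrote.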
Thanks for all the help. I had tried tracing all the IP addresses, and I had got the China one, but also about 5 others, from medical centres and universities etc. So I had no idea which was the true IP.
As to china-netcom.com, I tried their website, www.china-netcom.com, and I get a password thing and a load of gibberish. So I think complaining there would be futile. Stickyb, if you could find that address I'd be pleased. As you guys have said, if you go to this it is a known hosting exploited open relay. Searching Google, I get this site, Where's spam from, which gives Spam Site: http://www.bulkmailbusiness.com/ and some other stuff. Not sure complaining to them would help :D I'll have a further look around. Thanks for all the help.
Try this for general and useful info:
http://www.abuse.net/index.phtml and this for relay testing: http://www.abuse.net/relay.html Cheers
http://combat.uxn.com
Trace the bastards and complain direct to the idiots who host these arseholes... hours of fun... and very effective it would seem!
General rule when emailing complaints about spam is to go for the first major upstream provider you come across in the trace, i.e. Sprintnet, etc. I have found emailing the company sending the spam doesn't usually work, as they are not interested in ceasing the emails!