DaTa_PiMp
Well, here is a quick crash course in reading forged headers. (Basically,
as much as I can say in the amount of time I feel like spending)
Here is an example of a spammer that tried to route the message through
other servers so I wouldn't be able to trace it back:
Return-Path: <fax...@hotmail.com>
Received: from tikehau.netreach.net (tikehau-b.netreach.net) by
tahiti.netreach.net (5.x/SMI-SVR4)
id AA13523; Sat, 21 Feb 1998 18:11:34 -0500
Received: from smtp1.erols.com (smtp1.erols.com [207.172.3.234])
by tikehau.netreach.net (8.8.8/8.8.5) with ESMTP id SAA03285
for <bach...@netreach.net>; Sat, 21 Feb 1998 18:10:24 -0500 (EST)
Received: from www.faxalot.com (207-172-38-13.s13.tnt8.ann.erols.com
[207.172.38.13])
by smtp1.erols.com (8.8.8/8.8.5) with SMTP id SAA18519
for <bach...@netreach.net>; Sat, 21 Feb 1998 18:11:49 -0500 (EST)
Message-Id: <1998022123...@smtp1.erols.com>
From: Fax...@hotmail.com
Date: Sat, 21 Feb 1998 18:04:16 PST
Subject: Make Money with Broadcast Faxing
Apparently-To: <bach...@tahiti.netreach.net>
Content-Type: text
What we want to concern ourselves with right now is the Received: lines.
Each server that the message passes through leaves a little line that says
who it is, and where it came from. Always start from the bottom since the
first server it went through is on the bottom. In this header we can
deduce that the message went like this:
www.faxalot.com --> smtp1.erols.com
smtp1.erols --> tikehau.netreach.net
Netreach is the ISP I use, so it is the final destination of the letter.
The return address was a hotmail one, but we know that's a fake one since
the message never went through hotmail. It's always a good idea to run a
nameserver lookup on the first server in the list, in this case
www.faxalot.com. If you try it, you'll see that it doesn't exist, and thus
it's a fake, which would make sense anyway since servers almost never leave
behind www.something. Erols on the other hand does exist. (I heard them
advertise on the radio not more than ten minutes ago.) In this case,
complain to erols. Remember, when you complain always include the entire
message and internet header.
There is also another way to try and trace these messages. Look at the
Message-Id line. In this case we can clearly see that it's from erols.
Headers can get more complicated though, here is another example:
>Return-Path: <bi...@ix.netcom.com>
>Received: from tikehau.netreach.net (tikehau-b.netreach.net) by
>tahiti.netreach.net (5.x/SMI-SVR4)
> id AA19304; Tue, 17 Feb 1998 22:41:32 -0500
>Received: from dfw-ix16.ix.netcom.com (dfw-ix16.ix.netcom.com
>[206.214.98.16])
> by tikehau.netreach.net (8.8.8/8.8.5) with ESMTP id WAA13036
> for <bach...@netreach.net>; Tue, 17 Feb 1998 22:40:28 -0500 (EST)
>Received: (from smap@localhost)
> by dfw-ix16.ix.netcom.com (8.8.4/8.8.4)
> id VAA10165; Tue, 17 Feb 1998 21:39:38 -0600 (CST)
>Received: from hdn89-161.hil.compuserve.com(206.175.98.161) by
>dfw-ix16.ix.netcom.com via smap (V1.3)
> id rma025323; Tue Feb 17 21:25:03 1998
>Received: from biz4u by ix.netcom.com (8.8.5/8.6.5) with SMTP id GAA01855
>for <>; Tue, 17 Feb 1998 21:29:02 -0600 (EST)
>From: bi...@ix.netcom.com
>Date: Tue, 17 Feb 98 21:29:02 EST
>To: Fri...@public.com
>Subject: Look what I found out...
>Message-Id: <2234098787676768980>
>Comments: Authenticated sender is <bi...@ix.netcom.com>
>Content-Type: text
In this header, they want us to believe that it's from netcom. The return
path is a netcom address, but that is something that you can change in the
preferences window so never believe that unless you have another reason to.
In this case we can use the received lines to put together the following:
biz4u --> netcom
compuserve --> netcom
localhost --> netcom
netcom --> netreach
netreach --> netreach
First of all, the last part may look weird but netreach does route much of
its mail through two servers. Don't ask me why, they just do. Now, look at
the first server it came through. biz4u is not a valid server since it
doesn't have an IP and doesn't have .com, .org, .mil, .gov, .edu, or
something else at the end of it. That line must have been forged so we can
just discount it. Localhost by the way means that the message was sent from
one server within a system to another within the same system, so just ignore
it since it never changes systems. In the case of this message, it
originated from compuserve, and was routed through netcom. Remember, when
something doesn't look like a valid server, it probably isn't so just
ignore it. (Run a nameserver check first though). The message ID might
help, but don't always rely on it. The Received lines are the best bet.
Hope that helps a little.
Ari
bach...@netreach.net
---------------------------------------
Spam for the spammers okay?
what do you say we end spam by getting the current heads of the FCC annoyed
at spam. Here are their addresses:
Chairman Reed Hundt: rhu...@fcc.gov
Commissioner James Quello: jqu...@fcc.gov
Commissioner Susan Ness: sn...@fcc.gov
Commissioner Rachelle Chong: rch...@fcc.gov
please go ahead and send me more spam, I need more names for this list.
oh yeah, my e-mail address so that you can send me spam:
bach...@netreach.net
for fun: pres...@whitehouse.gov
If you post you should read the group. Not mailed, just posted.
>There are two routes you can take with spam.
>
>1. Passive
>
>Spam Exterminator
>
>2. Active
>
>Spam Hater
>
Problem with these programs (and Spammerslammer, and Spam-X, and all the
others) is that they don't know how to read headers. To accurately read the
headers, you have to be a human, and know how to use whois, tracert, and
nslookup. Spam killer programs will just fire off complaints to every
address referenced in the headers, even if they're forged.
>The originating ip can be found in the last Received header thingie. You
>can send a letter of complaint to postmaster@ and abuse@ to the host
>name that comes up from the DNS.
>
The originating IP can be found in the last *VALID* received header.
Usually you can follow the received lines until you come to the raped relay,
or the anonymous remailer, and then you have to check every single IP to
find the right origin. You can't just say it's the last address you came to,
that's usually forged.
>As a rule, I rarely send a complaint to the sender. As we already know,
>these people have no honor and they will harass you.
>
>There are "remove lists" sometimes with spam, but... some believe that
>this is a ploy to see if the address is really valid.
As a rule, I NEVER send a complaint to the sender (or a 'remove' request).
This is the easiest way to get your address verified as 'live' and have it
spewed all over the 'net.
For more discussion of this topic, try news.admin.net-abuse.email
We'd be glad to have all spam-haters come, join us, and learn!
Post for fastest response. ICQ 7197276
hairy...@bigfoot.com for personal interaction *only*
Do not send mail to these spamtrap addresses:
ta...@hotmail.com must...@mailcity.com
All spam sent to me will be chopped, fried, and fed to the wolves.
Note to: Pascal Brunet, WWJD, forcep, and all the others who e-mailed me
asking questions: If you're gonna mail me, don't forge the headers. How the
hell am I supposed to answer your questions? Heh.
>>Return-Path: <bi...@ix.netcom.com>
>>Received: from tikehau.netreach.net (tikehau-b.netreach.net) by
>>tahiti.netreach.net (5.x/SMI-SVR4)
>> id AA19304; Tue, 17 Feb 1998 22:41:32 -0500
>>Received: from dfw-ix16.ix.netcom.com (dfw-ix16.ix.netcom.com
>>[206.214.98.16])
>> by tikehau.netreach.net (8.8.8/8.8.5) with ESMTP id WAA13036
>> for <bach...@netreach.net>; Tue, 17 Feb 1998 22:40:28 -0500 (EST)
>>Received: (from smap@localhost)
>> by dfw-ix16.ix.netcom.com (8.8.4/8.8.4)
>> id VAA10165; Tue, 17 Feb 1998 21:39:38 -0600 (CST)
>>Received: from hdn89-161.hil.compuserve.com(206.175.98.161) by
>>dfw-ix16.ix.netcom.com via smap (V1.3)
>> id rma025323; Tue Feb 17 21:25:03 1998
Of course, the one thing you SHOULD complain to Netcom about this
email for is that they're allowing free relaying from Compuserve to
Netreach.
When someone with an "@ix.netcom.com" account wants to send mail, they
are told to use "smtp.ix.netcom.com" which aliases to
"smtp.best.ix.netcom.com" which aliases, on a mob control basis, to
"dfw-ix1.ix.netcom.com", "dfw-ix2.ix.netcom.com" and so on.
Incoming ix Netcom mail goes to a bunch of different servers. In fact,
the outgoing servers are in Dallas and the MX incoming servers are in
San José.
So, the only people who should use the dfw-ix*.ix.netcom.com mail
servers are people with "@ix.netcom.com" accounts.
There is a problem. People are allowed to login, for an extra fee, to
another ISP (e.g. in another country) via the information given on
http://www.gric.com. (People are also allowed to login, for free, to
netcom.ca and netcomuk.co.uk dial-ups.)
On the other hand, people with "@netcom.com" accounts can't use this
system, and the mail servers associated with such accounts have almost
crashed due to spam relayed from outside Netcom to outside Netcom. So,
there's definitely a factor of negligence on the part of Netcom--it is
letting spammers abuse its facilities not only to the detriment of
spamees but to the detriment of its paying customers and it has more
of a duty to the latter group.
Some other ISP's also have a certain amount of problems in this area.
Earthlink doesn't allow relaying but they rent shared dial-up access
from UU.NET and PSI.NET and it is hard to distinguish between
customers of different ISP's in real time. So, it is easy for a
customer of one of several other ISP's to relay spam via Earthlink.
It also means that if you get spam from the ISP's sharing these
dial-ups, you have to depend on the company owning the dial-up finding
out which ISP was using the dial-up at a certain time and relay your
complaint to the ISP/wholesale customer who is supposed to take care
of its retail customer.
One more note--some mail server programs are better than others. If
you get mail which went through a server running an old program, you
may not be able to tell who sent it. For example, in the email below,
the sender was able to scam the Chilean server because of that
SMI-8.6/SMI-SVR4 stuff. I am morally certain that [165.183.93.1] did
NOT receive the email from itself (dicomnet.dicom.cl) but this progie
accepts the scam "helo dicomnet.dicom.cl" command ("helo" is spelled
correctly--simple mail protocol transport commands have 4 letters) and
didn't bother to stamp the mail with the sender's REAL IP.
Return-Path: <mktmast...@juno.com>
Received: from dicomnet ([165.183.93.1])
by ixmail5.ix.netcom.com (8.8.7-s-4/8.8.7/(NETCOM v1.01)) with
SMTP id GAA14413; ;
Mon, 9 Feb 1998 06:16:24 -0800 (PST)
From: mktmast...@juno.com
Received: from dicomnet.dicom.cl by dicomnet (SMI-8.6/SMI-SVR4)
id LAA24756; Mon, 9 Feb 1998 11:05:07 -0300
Date: Mon, 09 Feb 98 05:08:51 EST
=======
No honest business is promoted by spam
with the possible exception of Hormel.
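The bottom-up walk through Received: lines that Ari describes, together with the "relay stamped no IP" problem in the Chilean header above, as an added Python example that is not from any poster in this thread. It parses the Received: lines quoted in the thread (folded lines joined) and rates each hop by the rules the posts give; the function names and the verified/unverified/internal/forged labels are my own.

```python
import re

# Constructed input: the Received: lines of the two headers quoted in this thread,
# newest hop first as in the raw header, with folded continuation lines joined.
NETCOM_RECEIVED = [
    "from tikehau.netreach.net (tikehau-b.netreach.net) by tahiti.netreach.net (5.x/SMI-SVR4) id AA19304; Tue, 17 Feb 1998 22:41:32 -0500",
    "from dfw-ix16.ix.netcom.com (dfw-ix16.ix.netcom.com [206.214.98.16]) by tikehau.netreach.net (8.8.8/8.8.5) with ESMTP id WAA13036 for <bach...@netreach.net>; Tue, 17 Feb 1998 22:40:28 -0500 (EST)",
    "(from smap@localhost) by dfw-ix16.ix.netcom.com (8.8.4/8.8.4) id VAA10165; Tue, 17 Feb 1998 21:39:38 -0600 (CST)",
    "from hdn89-161.hil.compuserve.com(206.175.98.161) by dfw-ix16.ix.netcom.com via smap (V1.3) id rma025323; Tue Feb 17 21:25:03 1998",
    "from biz4u by ix.netcom.com (8.8.5/8.6.5) with SMTP id GAA01855 for <>; Tue, 17 Feb 1998 21:29:02 -0600 (EST)",
]
DICOM_RECEIVED = [
    "from dicomnet ([165.183.93.1]) by ixmail5.ix.netcom.com (8.8.7-s-4/8.8.7/(NETCOM v1.01)) with SMTP id GAA14413; Mon, 9 Feb 1998 06:16:24 -0800 (PST)",
    "from dicomnet.dicom.cl by dicomnet (SMI-8.6/SMI-SVR4) id LAA24756; Mon, 9 Feb 1998 11:05:07 -0300",
]

# A hop reads "from <HELO name> (<comment, usually holding the peer's real IP>) by <relay>"
HOP_RE = re.compile(r"^\(?from\s+(?P<frm>[^\s()]+)\)?\s*(?P<comment>\([^)]*\))?\s*by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hop(line):
    """Return the HELO name, the relay that wrote the line, the IP it stamped, and a verdict."""
    m = HOP_RE.match(line.strip())
    if not m:
        return None
    frm, by, comment = m.group("frm"), m.group("by"), m.group("comment") or ""
    ip_match = IP_RE.search(comment)
    ip = ip_match.group(0) if ip_match else None
    if "localhost" in frm:
        status = "internal"      # one system handing mail to itself; never changes systems
    elif ip is not None:
        status = "verified"      # the relay recorded the peer's IP, the one thing the sender can't forge
    elif "." in frm:
        status = "unverified"    # only a self-reported HELO name; the relay stamped no IP (the SMI-8.6 case)
    else:
        status = "forged"        # not even a plausible hostname, e.g. "biz4u"
    return {"from": frm, "by": by, "ip": ip, "status": status}

def parse_received(lines):
    """Parse every Received: line, dropping any the regex cannot read."""
    return [h for h in (parse_hop(l) for l in lines) if h]

def find_origin(lines):
    """Walk the hops bottom-up (earliest first) and return (helo, ip, relay) for the earliest
    hop with a stamped IP: the address to investigate next (it may itself be an abused relay)."""
    for hop in reversed(parse_received(lines)):
        if hop["status"] == "verified":
            return hop["from"], hop["ip"], hop["by"]
    return None
```

For the netcom header the forged biz4u hop is skipped and the compuserve dial-up IP comes out as the origin; for the Chilean header the only verifiable fact is that 165.183.93.1 handed the mail to netcom, exactly as the post argues.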
{snip}
Or, if you really want to piss off the actual spammer, you could go to
the web page that they're promising you the world at, and find their
address there. That's the only tried and true method I know (sometimes
they coverup their real IP in the path). Just think... if every person
sent a copy of the spam back to the original spammer...
-Rust
I be who I am.
Yeah.. it exists. There's a few ways.. One would be ping flooding
another would be nuking. For more info, do a search for it.
--
"The Web Page You Have Reached"
http://www.ameritech.net/users/jmartino/index.html
^^^^^^^^^^
(You need to have the index.html in the address
otherwise you will be transported to
Ameritech's Member Information about me.)
Telephone sounds/recordings!
Over 125 sounds and growing!
(Usually) Updated weekly!
They say spam isn't just for LUNCH (Happy? =) ) anymore:
gwanote...@ameritech.net, gwa...@aol.com, gw...@juno.com,
infob...@ameritech.net
>Yeah.. it exists. There's a few ways.. One would be ping flooding
>another would be nuking. For more info, do a search for it.
Hiya,
A lot of ISPs have a degree of protection against Denial Of Service
attacks via the ping of Death.
Also, the longer an attack lasts the more chances there are of getting
caught, unless you do something to spoof your IP address.
Joe
There's only one decision to make;
get busy living or get busy dying.
Andy Dufresne, The Shawshank redemption.