If you trust the security on your mail relay, you can trust the IP
addr that it says the mail came from. Spam from uunet is nothing
unusual.
-wolfgang
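The point about trusting what your own relay recorded can be checked mechanically. The sketch below is an added example, not code from any poster in this thread: it parses sendmail-style Received lines (the one from the bounce quoted in this thread plus a constructed forged line) and returns the hop where the mail entered a relay you trust. Treating josephus.furph.com as that relay, its address 198.51.100.5, and the relay.example.net line are assumptions made for the example.

```python
import re

# Sendmail-style trace field: from <HELO> (<rDNS> [<IPv4>]) by <recording host>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def parse_received(value):
    """Split one Received: value into the fields that matter for tracing."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if m is None:
        return None
    hop = m.groupdict()
    hop["by"] = hop["by"].lower()
    # HELO is whatever the client sent; rDNS and [IP] were filled in by the
    # relay that wrote the line, from the TCP connection it accepted.
    hop["helo_matches_rdns"] = (hop["rdns"] or "").lower() == hop["helo"].lower()
    return hop

def trust_boundary(received_values, trusted_relays):
    """Return the hop where mail entered a relay we run, or None.

    received_values is newest-first, as in the message. trusted_relays maps
    relay hostname -> relay IP. Walking stops at the first external peer, so
    lines below it (possibly forged, even naming our relay) are never used.
    """
    hosts = {h.lower() for h in trusted_relays}
    addrs = set(trusted_relays.values())
    for value in received_values:
        hop = parse_received(value)
        if hop is None or hop["by"] not in hosts:
            return None  # line was not written by a relay we trust
        if hop["ip"] not in addrs:
            return hop   # external peer: the address our relay actually saw
    return None

# Received line from the bounce in this thread (folded as in the message).
PAGE_RECEIVED = ("from NETEFFECTINC.COM (1Cust24.tnt18.atl2.da.uu.net\n"
                 " [153.36.118.24]) by josephus.furph.com (8.8.0/8.8.0) with SMTP"
                 " id DAA21665;\n Fri, 21 Nov 1997 03:27:46 -0500 (EST)")
# Constructed: a line a sender could prepend before handing the message over.
FORGED_RECEIVED = ("from relay.example.net (relay.example.net [192.0.2.10]) by "
                   "josephus.furph.com (8.8.0/8.8.0) with SMTP id AAA00001; "
                   "Fri, 21 Nov 1997 03:20:00 -0500 (EST)")
# Assumption: josephus.furph.com is the trusted relay; its IP is a placeholder.
TRUSTED = {"josephus.furph.com": "198.51.100.5"}

if __name__ == "__main__":
    hop = trust_boundary([PAGE_RECEIVED, FORGED_RECEIVED], TRUSTED)
    print(hop["ip"], hop["rdns"], "HELO:", hop["helo"], hop["helo_matches_rdns"])
```

The HELO name and the reverse-DNS name disagree for this hop, which is why only the bracketed address is treated as evidence.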
MDeferred: 451 <tcse...@get-more-hits.com>... Domain must resolve
Fw8b
$rSMTP
$sNETEFFECTINC.COM
$_1Cust24.tnt18.atl2.da.uu.net [153.36.118.24]
S<tcse...@get-more-hits.com>
RPFD:<roger.l...@mailbox.swipnet.se>
H?P?Return-Path: <tcse...@get-more-hits.com>
HReceived: from NETEFFECTINC.COM (1Cust24.tnt18.atl2.da.uu.net
[153.36.118.24]) by josephus.furph.com (8.8.0/8.8.0) with SMTP id DAA21665;
Fri, 21 Nov 1997 03:27:46 -0500 (EST)
H?F?From: tcse...@get-more-hits.com
Is there any way of tracing where it actually came from or can I assume that
the uu.net address was a forgery too? Also, will the check_* stuff in 8.x
help in this even though the messages look to be not relayed through me? I
was working on 8.8.8 just as this happened.
thanks. and please mail me the answers or help.
beckers
> $_1Cust24.tnt18.atl2.da.uu.net [153.36.118.24]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This looks like the same perp who was trying to relay via European
servers a while back. UUnet killed one of the accounts while the perp
was on-line - I had to call the US numbers to uunet. However it seems
that their AUP is not shutting out spammers so many a few of the
European servers have blocked these IPs.
> S<tcse...@get-more-hits.com>
> RPFD:<roger.l...@mailbox.swipnet.se>
> H?P?Return-Path: <tcse...@get-more-hits.com>
> HReceived: from NETEFFECTINC.COM (1Cust24.tnt18.atl2.da.uu.net
> [153.36.118.24]) by josephus.furph.com (8.8.0/8.8.0) with SMTP id
> DAA21665;
> Fri, 21 Nov 1997 03:27:46 -0500 (EST)
> H?F?From: tcse...@get-more-hits.com
>
> Is there any way of tracing where it actually came from or can I
> assume that
> the uu.net address was a forgery too? Also, will the check_* stuff in
The uu.net address is apparently the origin of the spam. That C of IPs
(152.36.118) has a history of being used by a spammer operation.
Regards...jmcc
--
********************************************
John McCormac * Hack Watch News
jm...@hackwatch.com * 22 Viewmount,
Voice: +353-51-873640 * Waterford,
BBS&Fax: +353-51-850143 * Ireland
http://www.hackwatch.com/~kooltek
********************************************
This guy might have the basis for a Flowers.com precedent lawsuit. Did
you mention that to him?
James
P.S. Sue a Spammer for the environment! A bandwidth is a terrible
thing to waste....
Michael Fleming wrote:
>
> [This followup was posted to news.admin.net-abuse.email and a copy was
> sent to the cited author.]
>
> In chapter news.admin.net-abuse.email, dated 21 Nov 1997 13:48:09 GMT,
> bec...@quip.eecs.umich.edu in the Great Tome of Farnarkling wrote...
> > How do I trace this spam? Someone sent it out and used a domain name my
> > machine answers for as the from, so when domains that ban spam refused it,
> > it came back to me. Here are the headers of the bounce:
> >
> > MDeferred: 451 <tcse...@get-more-hits.com>... Domain must resolve
> > Fw8b
> > $rSMTP
> > $sNETEFFECTINC.COM
> > $_1Cust24.tnt18.atl2.da.uu.net [153.36.118.24]
> > S<tcse...@get-more-hits.com>
> > RPFD:<roger.l...@mailbox.swipnet.se>
> > H?P?Return-Path: <tcse...@get-more-hits.com>
> > HReceived: from NETEFFECTINC.COM (1Cust24.tnt18.atl2.da.uu.net
> > [153.36.118.24])
>
> Well, there's your answer - it is indeed UUNet (not that they seem to
> *do* much about spammers.. :-( )
>
> Bingo - there's your sender. another from UUNet. (Why does it not
> surprise me?
>
> > by josephus.furph.com (8.8.0/8.8.0) with SMTP id DAA21665;
> > Fri, 21 Nov 1997 03:27:46 -0500 (EST)
> > H?F?From: tcse...@get-more-hits.com
> >
> > Is there any way of tracing where it actually came from or can I assume that
> > the uu.net address was a forgery too? Also, will the check_* stuff in 8.x
> > help in this even though the messages look to be not relayed through me? I
> > was working on 8.8.8 just as this happened.
>
> I usually trust anything in the [brackets], as 99.999+ percent of the
> time it returns a truthful result. eg from Sam Spade
>
> nslookup 153.36.118.24
> Canonical name: 1Cust24.tnt18.atl2.da.uu.net
> Addresses:
> 153.36.118.24
>
> The sendmail stuff I'll leave to others *way* more qualified, as I'm not
> even remotely conversant with Unix MTA's. I'm stuck on a Win95 box..
>
> > thanks. and please mail me the answers or help.
>
> HTH, HAND,
>
> > beckers
>
> Michael Fleming
>
> --
> Michael Fleming
> "If a tree falls on a spammer, does everybody cheer?"
> Note my address is not munged. At least they'll send
> one to ky...@asiaonline.net, en...@direcpc.com and bo...@kickass.com
> too...
--
___________________________________________________
Q & A Research "My employer loves my opinions.
11000 Applewood Drive I own the company."
Austin, TX 78758-4202 All SPAMMERS WILL BE FLAMED!
James A. Cooley, Owner DON'T ADD ME TO E-MAIL LISTS!
At the end of this email I have added the MA law for this. MA is the postal
address this guy has in his email:
EVA, Inc.
43 Riverside Ave.
Suite 72
Medford, MA 02155
USA
The "Suite 72" is probably a PO type box though.
So if anybody wants to prosecute this guy, they can. BTW, something is happening
along those lines now (can't say more than that), but the more that prosecute, the
merrier.
Michael Fleming wrote:
> Massachusetts House Bill 4581
>
> IN THE COMMONWEALTH OF MASSACHUSETTS
> In the Year One Thousand Nine Hundred and Ninety-Seven.
>
> Introduced June 12, 1997
>
>
>
> AN ACT RELATIVE TO UNSOLICITED ELECTRONIC MAIL.
>
> Be it enacted by the Senate and House of Representatives in
> General Court
> assembled and by the authority of the same, as follows:
>
> SECTION 1. Chapter 166 of the General Laws is hereby amended by
> inserting
> after section 42B the following section: -
>
> Section 42C. Except as otherwise provided herein, a person
> shall not send or cause to be sent unsolicited electronic mail to
> solicit the purchase of real property, goods, or services.
>
> The provisions of this section shall not apply to
> unsolicited mail
> that is sent to a person who has a pre-existing business
> relationship with the sender.
>
> As used in this section, "electronic mail" means an electronic
> message that is transmitted between two or more computers or
> electronic terminals. The term shall include an electronic message
> that is transmitted through a local, regional or global network of
> computers, regardless of whether the message is viewed by the
> recipient, stored for later retrieval or printed on paper after
> receipt.
>
> SECTION 2. This act shall take effect as of October first,
> nineteen hundred
> ninety-seven.
>