
Does nslookup show hacker's location?


no.to...@gmail.com

Sep 29, 2012, 2:22:11 PM
I've got some false <email warnings from my bank> that I should <click>
http://capeziodance.com.ve/contacto/use/web/form1.html
http://capeziodance.com.ve/contacto/use/file/form1.html

And `nslookup capeziodance.com.ve` ==
root@darkstar:~# nslookup capeziodance.com.ve
Server: 41.160.0.36
Address: 41.160.0.36#53

Non-authoritative answer:
Name: capeziodance.com.ve
Address: 63.246.145.80
-------------------

Does '63.246' indicate the country?

Part of the mail header looks like:
----
To: undisclosed-recipients:;
From: war...@absamail.co.za
Subject: FINAL WARNING
Reply-To: nonr...@absamail.co.zabfm.hr
Organization: Your Email Account Will Be Terminated
Message-ID: <20120929084...@bio.bg.ac.rs>
Date: Sat, 29 Sep 2012 10:42:13 +0200
X-Mailer: Kerio Connect 7.4.2 WebMail
X-User-Agent: Opera/9.80 (Windows NT 5.1; U; Edition Next; en) Presto/2.8.131
---------------------

BTW, what's a better group to discuss this?

== TIA.

Bit Twister

Sep 29, 2012, 2:47:22 PM
On Sat, 29 Sep 2012 18:22:11 +0000 (UTC), no.to...@gmail.com wrote:
> I've got some false <email warnings from my bank> that I should <click>

>
> And `nslookup capeziodance.com.ve` ==
> root@darkstar:~# nslookup capeziodance.com.ve
> Server: 41.160.0.36
> Address: 41.160.0.36#53
>
> Does '63.246' indicate the country?

Not always. If you want country, try

whois capeziodance.com.ve

That assumes you have whois installed.

unruh

Sep 29, 2012, 4:46:53 PM
On 2012-09-29, no.to...@gmail.com <no.to...@gmail.com> wrote:
> I've got some false <email warnings from my bank> that I should <click>
> http://capeziodance.com.ve/contacto/use/web/form1.html
> http://capeziodance.com.ve/contacto/use/file/form1.html
>
> And `nslookup capeziodance.com.ve` ==

.ve is the country.

And "whois" will give you information about the web address and who owns
it.
But phishing operators make use of machines around the world which have
been hijacked. I.e., there is no reason to expect that the cracker is at
any of the addresses listed. You could let them know that their machines
have been hijacked if you wished.


> root@darkstar:~# nslookup capeziodance.com.ve
> Server: 41.160.0.36
> Address: 41.160.0.36#53
>
> Non-authoritative answer:
> Name: capeziodance.com.ve
> Address: 63.246.145.80
> -------------------
>
> Does '63.246' indicate the country?

No.

>
> Part of the mail header looks like:----
> To: undisclosed-recipients:;
> From: war...@absamail.co.za
> Subject: FINAL WARNING
> Reply-To: nonr...@absamail.co.zabfm.hr
> Organization: Your Email Account Will Be Terminated
> Message-ID: <20120929084...@bio.bg.ac.rs>
> Date: Sat, 29 Sep 2012 10:42:13 +0200
> X-Mailer: Kerio Connect 7.4.2 WebMail
> X-User-Agent: Opera/9.80 (Windows NT 5.1; U; Edition Next; en) Presto/2.8.131

That is not the full header. Try looking at the Received: lines.
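Following the advice above to read the Received: lines rather than trusting From or Reply-To, here is an added Python example (not code posted by anyone in this thread). It parses a constructed message modelled on the header fields quoted above: it lists the hops oldest-first, picks the earliest hop with a routable address as the one to look up in whois or report to an abuse desk, and flags the From/Reply-To domain mismatch visible in the quoted header (absamail.co.za versus absamail.co.zabfm.hr). The Received: lines, the hosts ending in .example, the "placeholder" local parts and the RFC 5737 documentation addresses are all invented for the example; nothing in it is from the original mail.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the header fields quoted in the thread.
# Received: lines, .example hosts, "placeholder" local parts and the IPs
# (RFC 5737 documentation ranges standing in for public ones) are made up.
SAMPLE_MESSAGE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id 0123ABC
\tfor <someone@recipient.example>; Sat, 29 Sep 2012 10:42:20 +0200
Received: from bio.bg.ac.rs (bio.bg.ac.rs [198.51.100.7])
\tby mx.isp.example with ESMTPS id 4567DEF; Sat, 29 Sep 2012 10:42:15 +0200
Received: from [10.0.0.5] (unknown [203.0.113.44])
\tby bio.bg.ac.rs (Kerio Connect 7.4.2) with HTTP; Sat, 29 Sep 2012 10:42:13 +0200
To: undisclosed-recipients:;
From: sender-placeholder@absamail.co.za
Subject: FINAL WARNING
Reply-To: reply-placeholder@absamail.co.zabfm.hr
Message-ID: <20120929084213.placeholder@bio.bg.ac.rs>
Date: Sat, 29 Sep 2012 10:42:13 +0200

(body omitted)
"""

FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Blocks that never appear on the public internet. ip_address().is_global is
# not used because it would also reject the RFC 5737 ranges in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def parse_received_chain(raw_message):
    """Return the Received: hops oldest-first as dicts (from, ip, by).
    Each MTA prepends its own line, so the bottom line is nearest the sender;
    lines below the first server you trust can be forged by the sender."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())          # unfold continuation lines
        from_part = line.split(" by ", 1)[0]    # "from host (rdns [ip])"
        ips = IP_RE.findall(from_part)
        frm, by = FROM_RE.search(line), BY_RE.search(line)
        hops.append({
            "from": frm.group(1) if frm else None,
            # last bracketed IP before "by" is what the receiving MTA saw;
            # an earlier one (e.g. "from [10.0.0.5]") is self-reported
            "ip": ips[-1] if ips else None,
            "by": by.group(1) if by else None,
        })
    return hops


def is_routable(ip):
    """True unless ip is in a block that cannot be reached from the internet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def earliest_routable_hop(hops):
    """Oldest hop with a routable IP: the address to look up in whois or report
    to its abuse contact. As the thread notes, that is the submitting host,
    which may itself be a hijacked machine rather than the sender's own."""
    for hop in hops:
        if hop["ip"] and is_routable(hop["ip"]):
            return hop
    return None


def domain_of(address_header):
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def reply_to_lookalike(raw_message):
    """None when From and Reply-To domains match; otherwise a dict whose
    "lookalike" flag is set when one domain embeds the other."""
    msg = message_from_string(raw_message)
    frm, rto = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if not rto or rto == frm:
        return None
    return {"from": frm, "reply_to": rto, "lookalike": frm in rto or rto in frm}


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_MESSAGE)
    for i, hop in enumerate(chain, 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("earliest routable hop:", earliest_routable_hop(chain))
    print("reply-to check:", reply_to_lookalike(SAMPLE_MESSAGE))
```

The chain is only trustworthy from the Received: line your own mail server added downwards; everything below that can be fabricated by the sender, which is also why the result is a submitting host to report, not a "hacker's location".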

Allodoxaphobia

Sep 29, 2012, 10:30:39 PM
On Sat, 29 Sep 2012 18:22:11 +0000 (UTC), no.to...@gmail.com wrote:
>
> BTW, what's a better group to discuss this?

news.admin.net-abuse.email

no.to...@gmail.com

Sep 29, 2012, 10:44:12 PM
Thanks; it gives a big story about Venezuela.
But can you believe anything?

My ISP2's POP & SMTP and my ISP1's SMTP failed
about 2 months ago. As if Microsoft had made a
new change, which my old software doesn't satisfy.

Or is there something bad with email GLOBALLY
recently? Since the phone enquiries don't reply,
as if they're attending to a crisis on their server.


Bit Twister

Sep 30, 2012, 12:52:45 AM
On Sun, 30 Sep 2012 02:44:12 +0000 (UTC), no.to...@gmail.com wrote:
> In article <slrnk6eghq.8...@wb.home.test>, Bit Twister <BitTw...@mouse-potato.com> wrote:
>

> Thanks; it gives a big story about Venezuela.
> But can you believe anything?

All I can say is the provided information is what was
provided/maintained by the entity who is leasing that IP range from the
indicated vendor.


> My ISP2's POP & SMTP and my ISP1's SMTP failed
> about 2 months ago. As if Microsoft had made a
> new change, which my old software doesn't satisfy.

You're not providing much information there. If you are talking about
your MTA (qmail, postfix, sendmail, exim, ...), upgrade it.
If it's your MUA (thunderbird, kontact, kwrite, knode, ...), upgrade it.

My ISP wanted an encrypted connection to their incoming server so I
had to install stunnel.
http://freecode.com/projects/stunnel

> Or is there something bad with email GLOBALLY
> recently?

No such thing as "email GLOBALLY".
Email is routed to the indicated MTA given in the sender's email
address.

The only "GLOBALLY" requirement is a path to the target after translating
the domain into an IP address.

Rick Jones

Oct 1, 2012, 8:18:19 PM
unruh <un...@invalid.ca> wrote:
> On 2012-09-29, no.to...@gmail.com <no.to...@gmail.com> wrote:
> > I've got some false <email warnings from my bank> that I should <click>
> > http://capeziodance.com.ve/contacto/use/web/form1.html
> > http://capeziodance.com.ve/contacto/use/file/form1.html
> >
> > And `nslookup capeziodance.com.ve` ==

> .ve is the country.

Well, it is the two character country code used for the domain in DNS.
However, it would be up to the folks running com.ve (or just .ve) as
to whether or not all names registered therein must actually reside in
that country. For example, I suspect that by far most of the names
registered in ".tv" are not for systems actually residing in Tuvalu.

> But phishing operators make use of machines around the world which
> have been hijacked. I.e., there is no reason to expect that the
> cracker is at any of the addresses listed. You could let them know
> that their machines have been hijacked if you wished.

Agreed.

rick jones
--
firebug n, the idiot who tosses a lit cigarette out his car window
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...