Tracking down the source(s) of the latest spam attacks


Scott Villarosa

Dec 13, 2004, 5:52:07 PM
to Gmail-Ge...@googlegroups.com
also posted on gmail-lounge <http://tinyurl.com/3o6ys>.

looking at a header from one of these latest "software" emails, is there a
definitive way to tell what the email's source is? i've realised the sender
has forged the email's header, but do other lines in the header reveal where
the spam came from? i ask only so i know in future what domain to send abuse
reports to. yes, i could have searched google for this information but figured
it would be a good topic to bounce around the group. anyway, here's the
header:

=====

X-Gmail-Received: cb55ea3586e756bfdd1272e0a3bcda83984f3d76
Delivered-To: sjvilla**@gmail.com
Received: by 10.54.44.69 with SMTP id r69cs41374wrr;
Mon, 13 Dec 2004 01:20:32 -0800 (PST)
Received: by 10.54.33.33 with SMTP id g33mr388626wrg;
Mon, 13 Dec 2004 01:20:31 -0800 (PST)
Return-Path: <DK...@aol.com>
Received: from 69-165-217-144.atlsfl.adelphia.net
(69-165-217-144.atlsfl.adelphia.net [69.165.217.144])
by mx.gmail.com with SMTP id 66si171431wra;
Mon, 13 Dec 2004 01:20:31 -0800 (PST)
Received-SPF: neutral (gmail.com: 69.165.217.144 is neither permitted nor
denied by domain of DK...@aol.com)
X-Message-Info: LJ10Q946JIA04ufPAcU642BYL0cFOKxbkM69
Received: from [209.204.100.110] by seize28842.ag...@aol.com via
HTTP; Mon, 13 Dec 2004 03:17:21 -0600
Date: Mon, 13 Dec 2004 13:11:21 +0400
Message-ID: <638581470.41694@DKHCR@aol.com>
Reply-To: "Gino Evans" <DK...@aol.com>
From: "Gino Evans" <DK...@aol.com>
To: "Sjvil" <sj...@gmail.com>
Subject: Sjvil cheap oem s0ftware shipping worldwide
Date: Mon, 13 Dec 2004 10:18:21 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--1168197525125224"
=====

so, i figure "DK...@aol.com" is a forge address, and emailing AOL will just
get a "this didn't come from us" reply. but, what about the
"atlsfl.adelphia.net " part? is that who to track down, like
"ab...@adelphia.net". can the spammer even forge this line? i'm
semi-confused about this.

scott

==
Scott Villarosa
http://s90215429.onlinehome.us/sjvilla79/blog/
===================
Lortie feu faccumm loreetuercin et lor sequi blandiam.

Kishyr Ramdial

Dec 13, 2004, 11:29:18 PM
to Gmail-Ge...@googlegroups.com
On Tue, 14 Dec 2004 09:52:07 +1100, Scott Villarosa <sjvi...@gmail.com> wrote:
<snip>
> Received: from 69-165-217-144.atlsfl.adelphia.net
> (69-165-217-144.atlsfl.adelphia.net [69.165.217.144 ])
> by mx.gmail.com with SMTP id 66si171431wra;
> Mon, 13 Dec 2004 01:20:31 -0800 (PST)
</snip>

> so, i figure "DK...@aol.com " is a forge address, and emailing AOL will just
> get a "this didn't come from us" reply. but, what about the
> "atlsfl.adelphia.net " part? is that who to track down, like
> "ab...@adelphia.net ". can the spammer even forge this line? i'm
> semi-confused about this.

It's usually from the first "Received:" header (the sender's first SMTP
server) that you can tell who sent you the mail, but this can be hacked
and removed. I've seen instances where the only "Received" line was to
me. Okay, this can be done if you're sending an email to another gmail
user, but if it's from another account (Yahoo!, MSN etc), then that's
fishy.

--
Kishyr Ramdial
http://kishyr.ramdial.co.za
Get Firefox! http://www.getfirefox.com

Scott Villarosa

Dec 13, 2004, 11:35:03 PM
to Gmail-Ge...@googlegroups.com
you say hacked and removed. do you mean "hacked and removed" from the email,
resulting in not being able to see the "Received" line, or do you mean
"hacked" or "removed", which would indicate the line can be tampered with.
sorry to go on about this, but i'd like to know.

Ashish Poddar

Dec 13, 2004, 11:41:21 PM
to Gmail-Ge...@googlegroups.com
i am not sure but i am under the impression that unless you have a
malicious mail server at your command, you cannot alter the Originating
From or the 1st Received line from the header !!!

i am not very confident of this impression .... anyways...

regards,
Ashish.
--
Ashish Poddar
Y! - ashish_poddar | MSN - ashish...@yahoo.com
- If you expect nothing, nothing is unexpected.
- If you expect everything, everything is as expected.

Scott Villarosa

Dec 13, 2004, 11:43:35 PM
to Gmail-Ge...@googlegroups.com
thanks ashish, but i'm looking for concrete ideas on this. good input,
however. cheers.

Ashish Poddar

Dec 14, 2004, 4:11:40 AM
to Gmail-Ge...@googlegroups.com
here's a sample mail i got on my yahoo mail account... though gmail is
not involved here, in the series of searches for spam origin maybe
you'll find it an interesting piece of art for your collection....

-----------------------------------BEGIN MAIL------------------------------------------


X-Apparently-To: ashish...@yahoo.com via 66.218.93.198; Tue, 14
Dec 2004 01:05:41 -0800
Authentication-Results: mta155.mail.re2.yahoo.com from=yahoo.co.uk;
domainkeys=neutral (no sig)
X-Originating-IP: [217.12.10.78]
Return-Path: <brown_...@yahoo.co.uk>
Received: from 217.12.10.78 (HELO web25306.mail.ukl.yahoo.com)
(217.12.10.78) by mta155.mail.re2.yahoo.com with SMTP; Tue, 14 Dec
2004 01:05:41 -0800
Received: (qmail 13741 invoked by uid 60001); 14 Dec 2004 09:05:40 -0000
Message-ID: <2004121409054...@web25306.mail.ukl.yahoo.com>
Received: from [80.248.64.59] by web25306.mail.ukl.yahoo.com via HTTP;
Tue, 14 Dec 2004 09:05:40 GMT
Date: Tue, 14 Dec 2004 09:05:40 +0000 (GMT)
From: "brown cain" <brown_...@yahoo.co.uk>
Subject: PRIVATE FOR YOU..............Poddar
To: ashish...@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1286113556-1103015140=:12965"
Content-Transfer-Encoding: 8bit
Content-Length: 2728


STRICTLY CONFIDENTIAL

OFFICE OF THE SECRETARY
CONTRACT AWARDING COMMITTEE
ECOWAS HEADQUARTERS
LOME, REPUBLIC OF TOGO.

ATTN: Poddar .

ACCOUNT PROVISION FOR USD14M.

FORGIVE MY INDIGNATION IF THIS MESSAGE COMES TO YOU AS
A SURPRISE AND IF IT MIGHT OFFEND YOU WITHOUT YOUR
PRIOR CONSENT AND WRITING THROUGH THIS CHANNEL. I HEREBY INTRODUCING
MYSELF TO YOU, I AM MR BROWN CAIN , THE GENERAL SECRETARY OF FINANCE
CONTRACT AWARDING COMMITEE OF THE ECONOMIC COMMUNITY OF WEST AFRICAN
STATES ( ECOWAS) WITH HEADQUATERS IN LOME, TOGO. I GOT YOUR
INFORMATION IN A BUSINESS DIRECTORY FROM THE TOGOLESS CHAMBER OF
COMMERCE AND INDUSTRIES

WHEN I WAS SEARCHING FOR A RELIABLE, HONEST AND
TRUSTWORTHY PERSON TO ENTRUST THIS BUSINESS WITH. I
WAS DIVINELY INSPIRED AND MOTIVATED TO PICK YOUR
CONTACT FROM THE MANY NAMES AND LIST IN THE DIRECTORY.
I WISH TO TRANSFER THE SUM OF US$ 14,000,000.00 UNITED
STATES DOLLARS INTO YOUR PERSONAL OR COMPY'S BANK
ACCOUNT.

THIS FUND WAS ASRESIDUE OF THE OVERINVOICED
CONTRACT BILLS AWARDED BY US FOR THE SUPPLY HARD/SOFT
WARES, PHARMACEUTICAL/MEDICAL ITEMS, LIGHT AND HEAVY
DUTY VEHICLES, APPARELS AND OTHER ADMINISTRATIVE
LOGISTICES ETC FOR THE ECOMOG IN SIERRA LEONE AND
LIBERIA DURING THE PEACE KEEPING PROJECTS.

THIS DEAL WAS DELIBERATELY HATCH OUT AND CAREFULLY
PROTECTED WITH ALL THE ATTENDANT LIPE HOLES SEALED
OFF. AS THE DIRECTOR OF FINANCE OF CAC, I ARRANGED AND
OVERINVOICED THE CONTRACT FUNDS SUPPLIED BY DIFFERENT
COMPANIES FROM DIFFERENT COUNTRIES DURING THE CRISIS.

IT WAS MY CONSENSUS TO SEEK THE ASSISTANCE OF A
WILLING FOREIGNER TO PROVIDES ALL THE FACILITIES TO
TRANSFER THIS FUND OUT OF WEST AFRICA. THIS IS BORNE
OUT OF MY BELIEF IN THE NON-STABLE AND SPURIOUS
POLITICAL NATURE OF THIS SUB-REGION.

THE ORIGINAL CONTRACTORS HAVE BEEN DULY PAID BY THE BANQUE CENTRALE
DES ETATS DE L' AFRIQUE DE L'OUEST (CENTRAL BANK OF THE WEST AFRICAN
STATES) THROUGH OUR BANKERS. THIS BALANCE IS SUSPENDED IN HE ESCROW
ACCOUNTS AWAITING CLAIMS BY ANY FOREIGN COMPANY OF MY CHOICE.

I INTEND TO PAY OUT THIS FUND NOW AS THE ORGANIZATION IS
WINDING UP IT'S ACTIVITIES SINCE THE AIM OF RETURNING
PEACE TO THE COUNTRIES AND THE COAST HAS BEEN
ACHIEVED. BASED ON THE LAWS AND ETHICS OF EMPLOYMENTS,

I AS A CIVIL SERVANT WORKING UNDER THIS ORGANIZATION,
IS NOT ALLOWED TO OPERATE A FOREIGN ACCOUNT.
THIS IS THE MORE REASON WHY I NEEDED YOUR ASSISTANCE
TO PROVIDE AN ACCOUNT THAT SUSTAIN THIS FUND FOR FOR
SAFE KEEPING AND MY FUTURE INVESTMENT WITH YOUR
COMPREHENSIVE ADVISE, ASSISTANCE AND PARTNERSHIP IN
YOUR COUNTRY.

IT IS HOWEVER AGREED , AS THE ACCOUNT OWNER IN THIS DEAL TO ALLOW YOU
15% OF THE TOTAL SUM AS COMPENSATION, 80% WILL BE HELD ON TRUST FOR ME
WHILE 5% WILL BE USED TO DEFRAY ANY INCIDENTAL CHARGES
AND COST DURING THE COURSE OF THE TRANSACTION.

THISTRANSACTION WILL SUCCESSFULLY CONCLUDED WITHIN 14 DAYS IF YOU
ACCORD ME YOUR UNALLOYED AND DUE COOPERATION.YOU SHOULD PROVIDE THE
FOLLOWINGS: YOUR COMPANY'S NAME WITH COMPLETE ADDRESS, TEL AND FAX
NUMBERS. (IF A VALABLE, THE NAME OF YOUR BANK, IT'S ADDRESS WITH
TELEPHONE AND FAX NUMBERS). THE COMPLETE MAILING ADDRESS OF THE
BENEFICIARY WITH TELEPHONE AND FAX NUMBERS.

UPON THE RECEIPT OF THIS INFORMATION, THE DOCUMENTS AND APPROVAL WITH
TEXT WILL BE SENT TO YOU FOR CONFIRMATION AND THEN FORWARDED TO THE
ORGANIZATION FOR RATIFICATION AND SUBSQUENT PAYMENT.

AS WITH THE CASE OF ALL ORGANIZATION (SENSITIVE AND
CONSPIRED DEALS, WE SOLBUSINESS LIFE AFTERWARDS. THERE ARE NO RISKS
INVOLVE. PLEASE GET BACK TO ME IMMEDIATLY YOU REVIEVED THIS MAIL.

THANKS AND GOD BLESS

WITH REGARDS
BROWN CAIN.

Kishyr Ramdial

Dec 14, 2004, 12:18:37 PM
to Gmail-Ge...@googlegroups.com
On Tue, 14 Dec 2004 15:35:03 +1100, Scott Villarosa <sjvi...@gmail.com> wrote:
> you say hacked and removed. do you mean "hacked and removed" from the email,
> resulting in not being able to see the "Received" line, or do you mean
> "hacked" or "removed", which would indicate the line can be tampered with.
> sorry to go on about this, but i'd like to know.

I mean "hacked *and* removed". You can easily hack your own SMTP
server: just use an already open-source one, remove the code that
inserts the "Received:" header, recompile, et voila. You could also
crack into your ISP's server (though probably quite difficult) and
change theirs in the same way. For my primary email address
(non-gmail) I use my own SMTP server that resides on my gateway (on my
home network), and if I wanted I could probably add or remove any of
the normal headers. Whether or not the receiving mail server accepts
my email is another story.
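Kishyr's point above, that only the "Received:" line stamped by your own receiving MX is trustworthy, as an added Python example (not code from the thread): it walks the Received chain from the header Scott posted, newest hop first, stops at the hop where mx.gmail.com accepted the message from an outside address, and treats every line below that as sender-supplied. The Received lines are the ones quoted in the first post; the trusted-MX set and the spamcop DNSBL zone name (derived from Crogon's spamcop link) are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the first post (re-indented).
RAW_HEADERS = """\
Received: by 10.54.44.69 with SMTP id r69cs41374wrr;
    Mon, 13 Dec 2004 01:20:32 -0800 (PST)
Received: by 10.54.33.33 with SMTP id g33mr388626wrg;
    Mon, 13 Dec 2004 01:20:31 -0800 (PST)
Received: from 69-165-217-144.atlsfl.adelphia.net
    (69-165-217-144.atlsfl.adelphia.net [69.165.217.144])
    by mx.gmail.com with SMTP id 66si171431wra;
    Mon, 13 Dec 2004 01:20:31 -0800 (PST)
Received: from [209.204.100.110] by seize28842.ag...@aol.com via
    HTTP; Mon, 13 Dec 2004 03:17:21 -0600
From: "Gino Evans" <DK...@aol.com>
"""

# Assumption: MX host names of the service that delivered the mail to us.
TRUSTED_MX = {"mx.gmail.com"}

def parse_received(value):
    """Return (from-name, bracketed IP, by-host) from one Received value."""
    v = " ".join(value.split())
    frm = re.search(r"\bfrom\s+(\S+)", v)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v)
    by = re.search(r"\bby\s+(\S+)", v)
    return (frm and frm.group(1), ip and ip.group(1), by and by.group(1))

def is_trusted_relay(host):
    """A hop is ours if it is a trusted MX or an internal (private) address."""
    if host in TRUSTED_MX:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def find_handoff(raw):
    """Walk Received headers newest-first; stop at the hop where a trusted relay
    accepted the mail from an outside IP. Every line below it may be forged."""
    chain = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    for idx, (frm, ip, by) in enumerate(chain):
        if by and is_trusted_relay(by) and ip and not is_trusted_relay(ip):
            return {"ip": ip, "claimed_name": frm, "accepted_by": by,
                    "untrusted_hops": len(chain) - idx - 1,  # sender-supplied
                    "spamcop_query": ".".join(reversed(ip.split("."))) + ".bl.spamcop.net"}
    return None
```

The reverse-DNS name in "claimed_name" comes from the trusted MX's own lookup of the connecting address, which is why it, and not the aol.com hop beneath it, is where an abuse report belongs.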

Scott Villarosa

Dec 14, 2004, 5:03:41 PM
to Gmail-Ge...@googlegroups.com
that explains things. i guess there's really no way of being sure
where the spam came from then, which sucks. thanks kishyr.
--
==
Scott Villarosa

Crogon

Dec 18, 2004, 6:06:40 PM
to Gmail-Ge...@googlegroups.com
Just looking at this, the 10.54.x.x could be an internal ip stack, but
the 69.165.x.x probably isn't.

Received-SPF: neutral (gmail.com: 69.165.217.144 is neither permitted nor
denied by domain of D...@aol.com)

I would take that IP to spamcop:
http://www.spamcop.net/bl.shtml

I was right! :D At least it's listed in their database.
More tracking tools:
http://visualroute.visualware.com/
online visual route server

http://www.spamcop.net/sc?action=trackhost&host=204.127.199.8
Quick and dirty name check. Change the IP address as needed.

http://www.dshield.org/
They actually track internet based attacks, but you may get lucky and
find someone who's spamming and attacking from the same ip.

The best source I've found for tracking people is VisualZone. It's
actually for tracking attacks using the log from ZoneAlarm, but there
are a bunch of links for tracking utilities and websites in it. It may
be worth your time to grab it just for that purpose. Of course the
closer in time you can backtrace an IP to when the email was sent, the
better. ;)

Oo! I just ran across a tutorial, enjoy:
http://www.visualware.com/resources/tutorials/email.html
