Tracking Sourceless SPAM 10
Booker asks:
"Lately I've seen a disturbing trend in my spam - there seems to be no originating machine in the headers. They typically go through an insecure mail host, and list only a toll free number for a contact. How do I track these people down? I need the satisfaction, however fleeting, of helping to terminate a spammer's account!" There is an example header of this sourceless SPAM.
Here's the example:
I thought there were laws that prevented this sort of thing. How can we help prevent spam if the spammers are becoming more and more anonymous?

Return-Path: jdekrpzsad@hotbot.com
Received: from ns.mobic.co.jp (ns.mobic.co.jp [210.162.104.178]) by deliverator.io.com (8.9.3/8.9.3) with ESMTP id XAA14862; Tue, 27 Jul 1999 23:51:58 -0500
From: jdekrpzsad@hotbot.com
Received: from default by ns.mobic.co.jp (2.5 Build 2630 (Berkeley 8.8.6)/8.8.4) with SMTP id NAA02786; Wed, 28 Jul 1999 13:58:25 +0900
Message-Id: 199907280458.NAA02786@ns.mobic.co.jp
To:
Subject: $15,000 Monthly Guaranteed! No Work Required!
Date: Tue, 27 Jul 1999 21:08:01 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_4264_00005913.00007A3E"
X-Priority: 3
X-MSMail-Priority: Normal
X-UIDL: 29f083c057306b12c10f509e156f7a87
Status: U
Be careful of links at the bottom too! (Score:1)
Received: by mail.one.net for samus (with Cubic Circle's cucipop (v1.21 1997/08/10) Tue Jul 27 23:13:14 1999)
X-From_: jons@prontomail.com Tue Jul 27 23:12:36 1999
Received: from [210.9.54.13] ([210.9.54.13] EHLO quest.netrix.net.au ident: IDENT-NOT-QUERIED [port 5411]) by mail.one.net with ESMTP id convert rfc822-to-8bit; Tue, 27 Jul 1999 23:12:29 -0400
Received: from unniss (ts001d03.pro-ri.CONCENTRIC.NET [206.173.46.15]) by quest.netrix.net.au (8.9.3/8.8.3) with ESMTP id OAA27352; Wed, 28 Jul 1999 14:07:27 +1000
Message-ID:
From: "Roy"
Subject: Do you have a product or service to offer?
To: allnetbiz89h3@quest.netrix.net.au
X-Mailer: Microsoft Outlook Express 4.72.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V(null).1712.3
Mime-Version: 1.0
Date: Tue, 27 Jul 1999 22:13:44 -0500
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8BIT
X-Mozilla-Status: 8003
X-Mozilla-Status2: 00000000
X-UIDL: b49e5a103e070000
...spam text removed..
CALL (888) 264-9272 9AM - 6PM MST
//////////////////////////////////////////////
////////////Please remove at mailto:tmon34@yahoo.com?subject=remove
//////////////////////////////////////////////
IP Whois (Score:2)
inetnum: 210.162.104.176 - 210.162.104.191
netname: MOBIC-NET-JP
descr: Mobic Corporation
descr: 22,Obara,Tsuyama-city,
descr: Okayama 708-0001 Japan
country: JP
admin-c: MO821JP
tech-c: ST901JP
changed: apnic-ftp@nic.ad.jp 19990729
source: JPNIC
Hmmm... usually it's a bit more helpful and supplies an admin's name, phone number, and email address.
Re:Remember, SPAM is for profit! (Score:2)
Remember, SPAM is for profit! (Score:1)
This may not help you find the source of the email, but you can attack the spammers in these other places.
BTW, spamcop.net is great at doing all of this automagically, although I don't know how good it would be with "sourceless" email.
Sorry, I read that a little fast ... (Score:2)
If they ONLY give a phone number, then I can only think of two things:
1. Try to find a reverse look-up type of phone directory, and then hunt down the company
2. Try to identify which mail server was exploited to obscure the source, and have them fix their problem
Don't accept that kind of mail (Score:1)
-russ
'Sourceless' (Score:1)
Received: from default by ns.mobic.co.jp (2.5 Build 2630 (Berkeley 8.8.6)/8.8.4) with SMTP id NAA02786; Wed, 28 Jul 1999 13:58:25 +0900
the machine 'ns.mobic.co.jp' received the message from a machine who gave the HELO of 'default', and didn't put its IP address into the message.
My normal procedure for this? I send a simple little message to postmaster@ns.mobic.co.jp:
The following unsolicited commercial e-mail was received.
You are being informed for the following reason:
ns.mobic.co.jp : as the message was relayed through your system. Please see http://spam.abuse.net/ for information on securing your system.
And of course, attach a .sig, and the message with full headers.
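The hand procedure above (read the Received: lines from your own server outward, find the hop where the relay recorded only a HELO name and no IP, and write to that relay's postmaster) can be scripted. The following is an added example, not code posted in this thread or by any of its participants. It retypes the two header sets quoted earlier in the thread as constructed input strings, and its `trace()` function, the `my_mta` parameter and the field names it returns are my own choices, not anything the thread defines.

```python
import re
from typing import Dict, List, Optional

# Constructed input: the two header sets quoted in this thread, retyped with each
# header on one line. Only the Received: lines are used; nothing is fetched.
SPAM_A = """\
Return-Path: jdekrpzsad@hotbot.com
Received: from ns.mobic.co.jp (ns.mobic.co.jp [210.162.104.178]) by deliverator.io.com (8.9.3/8.9.3) with ESMTP id XAA14862; Tue, 27 Jul 1999 23:51:58 -0500
From: jdekrpzsad@hotbot.com
Received: from default by ns.mobic.co.jp (2.5 Build 2630 (Berkeley 8.8.6)/8.8.4) with SMTP id NAA02786; Wed, 28 Jul 1999 13:58:25 +0900
Subject: $15,000 Monthly Guaranteed! No Work Required!
"""

SPAM_B = """\
Received: by mail.one.net for samus (with Cubic Circle's cucipop (v1.21 1997/08/10) Tue Jul 27 23:13:14 1999)
Received: from [210.9.54.13] ([210.9.54.13] EHLO quest.netrix.net.au ident: IDENT-NOT-QUERIED [port 5411]) by mail.one.net with ESMTP id convert rfc822-to-8bit; Tue, 27 Jul 1999 23:12:29 -0400
Received: from unniss (ts001d03.pro-ri.CONCENTRIC.NET [206.173.46.15]) by quest.netrix.net.au (8.9.3/8.8.3) with ESMTP id OAA27352; Wed, 28 Jul 1999 14:07:27 +1000
From: "Roy"
Subject: Do you have a product or service to offer?
"""

FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)  # HELO name, optional (rdns [ip]) comment
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> List[str]:
    """Join RFC 822 folded continuation lines (lines that start with whitespace)."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_headers(raw: str) -> List[str]:
    return [l[len("Received:"):].strip() for l in unfold(raw) if l.lower().startswith("received:")]


def parse_hop(value: str) -> Dict[str, Optional[str]]:
    """Split one Received: value into HELO name, recorded IP, reverse DNS and receiving host."""
    hop: Dict[str, Optional[str]] = {"raw": value, "helo": None, "ip": None, "rdns": None, "by": None}
    m = FROM_RE.match(value)
    rest = value
    if m:
        hop["helo"] = m.group(1)          # whatever the client said in HELO/EHLO: attacker-controlled
        comment = m.group(2) or ""
        ipm = IP_RE.search(comment)
        if ipm:                           # the MTA recorded the connecting IP: the only trustworthy part
            hop["ip"] = ipm.group(1)
            before = comment[:ipm.start()].strip()
            hop["rdns"] = before.split()[-1] if before else None
        rest = value[m.end():]            # look for "by" only after the from-clause, not inside the comment
    b = BY_RE.search(rest)
    if b:
        hop["by"] = b.group(1).rstrip(";")
    return hop


def trace(raw: str, my_mta: str) -> Dict[str, object]:
    """Walk the Received: chain from our own MTA outward and report where the mail entered.

    Each MTA prepends its Received: line, so hops[0] is the latest and hops[-1] the earliest.
    Only the line our own server wrote is known-good; an earlier line is trusted only if the
    host that wrote it ('by') is the host the next-later line says it received from.
    """
    hops = [h for h in (parse_hop(v) for v in received_headers(raw)) if h["helo"] is not None]
    result: Dict[str, object] = {"trusted_hops": 0, "origin_helo": None, "origin_ip": None, "origin_rdns": None,
                                 "relay": None, "contact": None, "sourceless": False, "forged_after": None}
    if not hops or hops[0]["by"] != my_mta:
        return result                     # top line is not ours: trust nothing
    trusted = [hops[0]]
    for later, earlier in zip(hops, hops[1:]):
        if earlier["by"] is None or earlier["by"].lower() not in later["raw"].lower():
            result["forged_after"] = later["by"]   # chain breaks: everything below is likely forged
            break
        trusted.append(earlier)
    origin = trusted[-1]
    result.update(trusted_hops=len(trusted), origin_helo=origin["helo"], origin_ip=origin["ip"],
                  origin_rdns=origin["rdns"], relay=origin["by"], contact=f"postmaster@{origin['by']}",
                  sourceless=origin["ip"] is None)   # relay logged a HELO name but no connecting IP
    return result


if __name__ == "__main__":
    for label, raw, mta in (("A", SPAM_A, "deliverator.io.com"), ("B", SPAM_B, "mail.one.net")):
        print(label, trace(raw, mta))
```

For the first spam the script stops at `from default by ns.mobic.co.jp` and reports `sourceless=True` with `contact=postmaster@ns.mobic.co.jp`: the relay is the only party left who can say which IP said HELO `default`, which is exactly why the complaint goes to its postmaster rather than to the forged From: domain. For the second spam the relay did record an IP, so the report names the Concentric dialup host as the origin. The `my_mta` anchor matters: a chain whose top line was not written by your own server is ignored outright, because a spammer can prepend any number of plausible-looking Received: lines.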
Get some help (Score:1)
I've had to deal with this lately...as hard as I've tried to keep my email out of the hands of those who would use it to do me harm.
Fortunately I work for my ISP...so it makes for easy access to our mail logs and individuals of importance who can counteract such problems *if it becomes a pain to enough users we will filter the domain*.
I lodged complaints with the relay and used the contact information to make sure they knew I was unhappy about this *and of course to make it clear I would be causing them some grief*.
It's been a good week now and I haven't been spammed *as it had been occurring on a day by day basis previously*.
So...when I say get some help...lodge complaints with your ISP and the relay...make yourself heard...most likely you are not the only one *the definition of spam* and hopefully your cries will be heard and offending domains dealt with.
It's not a fun process, but if it becomes clear these actions will not be tolerated all parties involved will shape up.
Hope this helps..
Re:Sorry, I read that a little fast ... (Score:1)
Better yet, get someone from somewhere else to call them collect from Peru or something. They cause you grief, so they deserve some themselves. Got a snailmail address? Send them a couple of bricks, without stamps. Again, more distance is better...
Radja, the bastard