Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Spam

Tracking Sourceless SPAM 10

Posted by Cliff from the and-the-spam-wars-escalate dept.
Booker asks: "Lately I've seen a disturbing trend in my spam - there seems to be no originating machine in the headers. They typically go through an insecure mail host, and list only a toll free number for a contact. How do I track these people down? I need the satisfaction, however fleeting, of helping to terminate a spammer's account!" There is an example header of this sourceless SPAM. Click below for more.

Here's the example:

Return-Path: jdekrpzsad@hotbot.com

Received: from ns.mobic.co.jp (ns.mobic.co.jp [210.162.104.178])by deliverator.io.com
(8.9.3/8.9.3) with ESMTP id XAA14862;Tue, 27 Jul 1999 23:51:58 -0500
From: jdekrpzsad@hotbot.com
Received: from default by ns.mobic.co.jp (2.5 Build 2630 (Berkeley 8.8.6)/8.8.4) with SMTP id NAA02786; Wed, 28 Jul 1999 13:58:25 +0900
Message-Id: 199907280458.NAA02786@ns.mobic.co.jp
To:
Subject: $15,000 Monthly Guaranteed! No Work Required!
Date: Tue, 27 Jul 1999 21:08:01 -0700
MIME- Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_4264_00005913.00007A3E"
X-Priority: 3
X-MSMail-Priority: Normal
X-UIDL: 29f083c057306b12c10f509e156f7a87
Status: U
I thought there were laws that prevented this sort of things. How can we help prevent spam if the spammers are becoming more and more anonymous?
This discussion has been archived. No new comments can be posted.

Tracking Sourceless SPAM More

Tracking Sourceless SPAM

Comments Filter:
  • Below is a spam I received last week. Unfortunately I fell for the trick. At the end of the message is a link that says click here to remove or some other removal directive. Sending the mail only resulted in more spam from someone else matching the same format. What happened in reality is that I just verified my address as being an active account. I don't think I have received after I sent an e-mail to the isp of one of the messages requesting the users information so that I could persue legal action. I hope this helps somebody else.

    Received:
    by mail.one.net for samus (with Cubic Circle's cucipop (v1.21 1997/08/10) Tue
    Jul 27 23:13:14 1999)
    X-From_:
    jons@prontomail.com Tue Jul 27 23:12:36 1999
    Received:
    from [210.9.54.13] ([210.9.54.13] EHLO quest.netrix.net.au ident:
    IDENT-NOT-QUERIED [port 5411]) by mail.one.net with ESMTP id
    convert rfc822-to-8bit; Tue, 27 Jul 1999 23:12:29 -0400
    Received:
    from unniss (ts001d03.pro-ri.CONCENTRIC.NET [206.173.46.15]) by
    quest.netrix.net.au (8.9.3/8.8.3) with ESMTP id OAA27352; Wed, 28 Jul 1999
    14:07:27 +1000
    Message-ID:

    From:
    "Roy"
    Subject:
    Do you have a product or service to offer?
    To:
    allnetbiz89h3@quest.netrix.net.au
    X-Mailer:
    Microsoft Outlook Express 4.72.1712.3
    X-MimeOLE:
    Produced By Microsoft MimeOLE V(null).1712.3
    Mime-Version:
    1.0
    Date:
    Tue, 27 Jul 1999 22:13:44 -0500
    Content-Type:
    text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding:
    8BIT
    X-Mozilla-Status:
    8003
    X-Mozilla-Status2:
    00000000
    X-UIDL:
    b49e5a103e070000



    ...spam text removed..

    CALL (888) 264-9272 9AM - 6PM MST
    //////////////////////////////////////////////
    ////////////Please remove at mailto:tmon34@yahoo.com?subject=remove
    //////////////////////////////////////////////

  • IP Whois (Score:2)

    by jab ( 9153 )
    Usually IP Whois [marina-del-rey.ca.us] works like a charm. If you enter the IP address of the originating computer (from the earliest Received: header), it will tell you someone just high up on the IP address foodchain that they will care about stopping spammers. In this case, the IP is 210.162.104.178, which gives

    inetnum: 210.162.104.176 - 210.162.104.191
    netname: MOBIC-NET-JP
    descr: Mobic Corporation
    descr: 22,Obara,Tsuyama-city,
    descr: Okayama 708-0001 Japan
    country: JP
    admin-c: MO821JP
    tech-c: ST901JP
    changed: apnic-ftp@nic.ad.jp 19990729
    source: JPNIC

    Hmmm... usually it's a bit more helpful and supplies an admin's name, phone number, and email address.

  • It often is not hard to convert from decimal to dotted quad form. Some of the tools which you mentioned will emit the dotted quad from when given a single decimal number.
  • I haven't had to deal with sourceless spam myself, but I think I can help anyways. The important thing to remember is that spam is for profit, and therefore they will give you some sort of contact info. If they give you an email address, use tools like dig, nslookup, and whois to find out what ISP hosts that email address. If they give a web address, find out what ISP owns the ip address given. (sometimes they try to hide thier address by putting it as a long decimal number i.e. http://3213213213 ... convert this to base 256 (I know ... painfull ...) and that'll be the dotted ip address)

    This may not help you find the source of the email, but you can attack the spammers in these other places.

    BTW, spamcop.net is great at doing all of this automagically, although I don't know good it would be with "sourceless" email.
  • I guess I read that question a little too fast.

    If they ONLY give a phone number, then I can only think of two things:

    1. Try to find a reverse look-up type of phone directory, and then hunt down the company ... not very practical.

    2. Try to identify which mail server was exploited to obscure the source, and have them fix their problem ... it's not direct, but it would keep the spammers running.
  • Subscribe to one of the DNS-based blocking services. There's a listing of them at www.crynwr.com/spam/ [crynwr.com]. That particular host isn't on the RBL, but they are on RRSS, and no doubt ORBS.
    -russ
  • There's a source, it's just not being recorded. Your problem lies in this line:

    Received: from default by ns.mobic.co.jp (2.5 Build 2630 (Berkeley 8.8.6)/8.8.4) with SMTP id NAA02786; Wed, 28 Jul 1999 13:58:25 +0900

    the machine 'ns.mobic.co.jp' received the message from a machine who gave the HELO of 'default', and didn't put its IP address into the message.

    My normal procedure for this? I send a simple little message to postmaster@ns.mobic.co.jp:

    The following unsolicited commercial e-mail was received.
    You are being informed for the following reason:

    ns.mobic.co.jp : as the message was relayed through your system. Please see http://spam.abuse.net/ for information on securing your system.

    And of course, attach a .sig, and the message with full headers.

  • *Sigh*

    Ive had to deal with this lately...as hard as Ive tried to keep my email out of the hands of those who would use it to do me harm.

    Fortunately I work for my ISP...so it makes for easy access to our maillogs and individuals of importance who can counteract such problems *if it becomes a pain to enough users we will filter the domain*.

    I lodged complaints with the relay and used the contact information to make sure they knew I was unhappy about this *and of course to make it clear I would be causing them some grief*.

    Its been a good week now and I havent been spammed *as it had been occuring on a day by day basis previously*.

    So...when I say get some help...lodge complaints with your ISP and the relay...make yourself heard...most likely you are not the only one *the definition of spam* and hopefully your cries will be heard and offending domains dealt with.

    Its not a fun process, but if it becomes clear these actions will not be tolerated all parties involved will shape up.

    Hope this helps..
  • they give a phone number? then call them. collect.
    better yet, get someone from somewhere else to call them collect from Peru or something. they cause you grief, so they deserve some yourself. got a snailmail address? send them a couple of bricks, without stamps. again, more distance is better...

    Radja, the bastard

Slashdot Top Deals

Neutrinos have bad breadth.

Close