Re: Giving up

08-22-2004

What is this crap ?

This post plus the below....

"Behgjet Frisch" <> wrote in message
news:...
| New comer to this newsgroup.
|
| Good luck
| Behgjet Frisch
| Tel. +1 802 560 9860
|
|

From: Bahadir-Cem Bourdo <Bahadir->
Newsgroups: comp.protocols.tcp-ip.ibmpc
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: Giving up
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <>
Date: 21 Aug 2004 03:27:05 -0500
X-Trace: news01.argolink.net 1093076825 64.180.111.134 (21 Aug 2004 03:27:05 -0500)
Lines: 7
Path:
nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.g nilink.net!cyclone1.gnilink.net!gnilink.ne
t!peer01.cox.net!cox.net!newshosting.com!nx02.iad0 1.newshosting.com!newsfeeds.sol.net!newspu
mp.sol.net!64.8.96.12.MISMATCH!news01.argolink.net !not-for-mail
Xref: cyclone1.gnilink.net comp.protocols.tcp-ip.ibmpc:1603
X-Received-Date: Sat, 21 Aug 2004 04:31:54 EDT (nwrdny03.gnilink.net)

Interesting newsgroup!

Bahadir-Cem Bourdo
Tel. +1 746 933 8112
Bahadir-
Bahadir-

~~~~~~~~~~~~~~~~~~~~~~~
From: Badaridasa Mushawick <>
Newsgroups: comp.dcom.modems.cable
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: Giving up
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <>
Date: 21 Aug 2004 05:13:32 -0500
X-Trace: news01.argolink.net 1093083212 64.180.111.134 (21 Aug 2004 05:13:32 -0500)
Lines: 7
Path:
nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.g nilink.net!cyclone1.gnilink.net!gnilink.ne
t!bigfeed2.bellsouth.net!news.bellsouth.net!elnk-atl-nf1!newsfeed.earthlink.net!newshosting.
com!nx02.iad01.newshosting.com!newsfeeds.sol.net!n ewspump.sol.net!64.8.96.12.MISMATCH!news01
..argolink.net!not-for-mail
Xref: cyclone1.gnilink.net comp.dcom.modems.cable:59008
X-Received-Date: Sat, 21 Aug 2004 06:12:58 EDT (nwrdny03.gnilink.net)

Can't help you there?!

Badaridasa Mushawick
Tel. +1 832 730 8195

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Balakrishanan Truckmann <>
Newsgroups: alt.photography
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: New comer
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <>
Date: 22 Aug 2004 08:24:46 -0500
X-Trace: news01.argolink.net 1093181086 64.180.111.134 (22 Aug 2004 08:24:46 -0500)
Lines: 7
Path:
nwrdny01.gnilink.net!cycny02.gnilink.net!cycny01.g nilink.net!cyclone1.gnilink.net!gnilink.ne
t!in.100proofnews.com!in.100proofnews.com!news-out.visi.com!news-out.octanews.net!petbe.visi
..com!newsfeeds.sol.net!64.8.96.12.MISMATCH!news01 .argolink.net!not-for-mail
Xref: cyclone1.gnilink.net alt.photography:31137
X-Received-Date: Sun, 22 Aug 2004 09:24:08 EDT (nwrdny01.gnilink.net)

Interesting newsgroup!

Balakrishanan Truckmann
Tel. +1 984 958 1390

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Babel Sagalov <>
Newsgroups: alt.comp.virus
X-Newsreader: AspNNTP 1.50 (ezClassifieds.com)
Subject: New comer
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: s64-180-111-134.bc.hsia.telus.net
Message-ID: <4128a372$>
Date: 22 Aug 2004 08:45:22 -0500
X-Trace: news01.argolink.net 1093182322 64.180.111.134 (22 Aug 2004 08:45:22 -0500)
Lines: 7
Path:
nwrdny03.gnilink.net!cycny02.gnilink.net!cycny01.g nilink.net!cyclone1.gnilink.net!gnilink.ne
t!peer01.cox.net!cox.net!newsfeeds.sol.net!64.8.96 .12.MISMATCH!news01.argolink.net!not-for-m
ail
Xref: cyclone1.gnilink.net alt.comp.virus:101814
X-Received-Date: Sun, 22 Aug 2004 09:44:46 EDT (nwrdny03.gnilink.net)

Interesting newsgroup!

Babel Sagalov
Tel. +1 628 274 6662

08-22-2004

Blind Carbon Copy (BCC)

It won't show for privacy issues. That's why its sued. Like when you send a message to a
coworker but also send a BCC to his boss. This way the coworker has no way of knowing his
boss knows.

I may be mistaken but, it may have originated from a AT&T node.

Dave

"Kleeb" <> wrote in message
news:...
| On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> schrieb:
|
| >What is this crap ?
|
| I wonder if you could shed some light on the following headers from a mail
| I've just received. I'm finding it difficult with my current knowledge (not
| much) to understand just exactly how this mail made it to my ISP's mailbox.
|
| Nowhere is there any mention of my email address, or even my routers' IP
| address. How is this acheivable ?
|
| <begin headers>
|
| Return-Path: <>
| Received: from localhost (localhost.localdomain [127.0.0.1])
| by localhost.localdomain (8.12.8/8.12.

08-22-2004

On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
> What is this crap ?

An infected machine withthe Hackarmy Trojan horse controlled
by a zombie master. Now the machine is up for renting ads spammed into
Usenet groups.

report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to
with brief reason followed the full headers and at least one full post
of message.

If everyone does it, the abuse dept will shut them down just to keep
their inbox from filling up.

08-22-2004

On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> schrieb:

>What is this crap ?

I wonder if you could shed some light on the following headers from a mail
I've just received. I'm finding it difficult with my current knowledge (not
much) to understand just exactly how this mail made it to my ISP's mailbox.

Nowhere is there any mention of my email address, or even my routers' IP
address. How is this acheivable ?

<begin headers>

Return-Path: <>
Received: from localhost (localhost.localdomain [127.0.0.1])
by localhost.localdomain (8.12.8/8.12.

with ESMTP id
i7MGRYhc010915
for <me@localhost>; Sun, 22 Aug 2004 17:27:35 +0100
Received: from pop.ntlworld.com [62.253.162.50]
by localhost with POP3 (fetchmail-6.2.0)
for me@localhost (single-drop); Sun, 22 Aug 2004 17:27:35 +0100
(BST)
Received: from h000c6e55013e.ne.client2.attbi.com ([24.91.167.49])
by mta04-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
id
<20040822162051.JCGX17972.mta04- m>;
Sun, 22 Aug 2004 17:20:51 +0100
X-Message-Info: TJHN+ap52+ewf+E+81/433818234603741
Received: (qmail 44595 invoked by uid 910); Sun, 22 Aug 2004 22:14:15 +0500
Date: Sun, 22 Aug 2004 23:22:15 +0600
Message-Id: <686876125.50504@>
From: Tanya Klinko <>
To: "Wt.thomas77" <>
Subject: New Dating Site
MIME-Version: 1.0 (produced by ameslandictum 3.7)
Content-Type: multipart/alternative;
boundary="--467192766424474342"
X-Spam-Status: No, hits=4.1 required=5.0
tests=INVALID_MSGID,PORN_4,RCVD_IN_ORBS,SPAM_PHRAS E_00_01,
TO_LOCALPART_EQ_REAL
version=2.44
X-Spam-Level: ****
Status:

<end headers>

From what I've read on the subject, the 'Received:' that is the lowest down
the headers is most likely the sender. And any more than 3 or 4 'Received:'
lines means the mail has definitely been forged. Does this sound right ?

Thanks for any info you might have.

Cordially,

Kleeb.

08-22-2004

I was beginning to think it was a NNTP spam zombie.

So what do you think the purpose is ?

Are the phone numbers high cost toll numbers ?

Dave

"Bit Twister" <> wrote in message
news:...
| On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
| > What is this crap ?
|
| An infected machine withthe Hackarmy Trojan horse controlled
| by a zombie master. Now the machine is up for renting ads spammed into
| Usenet groups.
|
| report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to
| with brief reason followed the full headers and at least one full post
| of message.
|
| If everyone does it, the abuse dept will shut them down just to keep
| their inbox from filling up.

08-22-2004

On Sun, 22 Aug 2004 18:41:16 GMT, David H. Lipman wrote:
> I was beginning to think it was a NNTP spam zombie.
>
> So what do you think the purpose is ?
>
> Are the phone numbers high cost toll numbers ?

No idea. You could try the web page and phone number for us.

Could be a page to expooit your Microsoft Outlook Express
6.00.2800.1437 browser, Snarf email address from browser, bump his ad
counter for more money, ...

Does not matter to me, I never visit a spam post, do not use a browser
to read a text news group, and have fake email addy in my browser, and
use a serate login account for browsing and reading mail.

Browser account deletes all files and loads pristine copy on logout.

08-22-2004

On Sun, 22 Aug 2004 17:20:10 GMT, David H. Lipman <DLipman~nospam~@Verizon.Net> schrieb :
> Blind Carbon Copy (BCC)
>
> It won't show for privacy issues. That's why its sued. Like when you send a message to a
> coworker but also send a BCC to his boss. This way the coworker has no way of knowing his
> boss knows.
>
> I may be mistaken but, it may have originated from a AT&T node.
>
> Dave

Thanks Dave. I was looking for a complicated answer, and didn't think of
that.

Cordially,

Kleeb.

08-23-2004

"Kleeb" <> wrote in message
news:...
> On Sun, 22 Aug 2004 16:47:44 GMT, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> schrieb:
>
> >What is this crap ?
>
> I wonder if you could shed some light on the following headers from a mail
> I've just received. I'm finding it difficult with my current knowledge
(not
> much) to understand just exactly how this mail made it to my ISP's
mailbox.

Further to David's answer.. in SMTP (the thing that is used to send email),
there is no hard link between the message addressee and the content - SMTP
is a fairly trusting protocol.

(i.e. it doesn't take a Rocket Scientist to tell the server "RCPT TO:
lid", but with a different addressee in the message
headers. (Which, incidentally, are fairly easy to read:
http://www.codecutters.org/spam/smtpheaders.html for details)

BCC is simply a human-friendly way of doing this automatically.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

08-23-2004

On 2004-08-23, Hairy One Kenobi <abuse@[> schrieb :

> (i.e. it doesn't take a Rocket Scientist to tell the server "RCPT TO:
> lid", but with a different addressee in the message
> headers. (Which, incidentally, are fairly easy to read:
> http://www.codecutters.org/spam/smtpheaders.html for details)
>
> BCC is simply a human-friendly way of doing this automatically.

Thanks for the link. Seems a bit clearer now. I think actually I've read
something like this before, but having had a second look, I understand the
parts about the invalid 'Received:' lines now.

Cordially,

Kleeb.

08-25-2004

"Bit Twister" <> wrote in message
news:...
> On Sun, 22 Aug 2004 16:47:44 GMT, David H. Lipman wrote:
> > What is this crap ?
>
> An infected machine withthe Hackarmy Trojan horse controlled
> by a zombie master. Now the machine is up for renting ads spammed into
> Usenet groups.
>
> report the abusing ip (s64-180-111-134.bc.hsia.telus.net) to

> with brief reason followed the full headers and at least one full post
> of message.
>
> If everyone does it, the abuse dept will shut them down just to keep
> their inbox from filling up.

Doesn't seem to be working - but then telus doesn't seem to have too good a
reputation when it comes to dealing with spam. All the spams, with all the
different email addresses, all point to the same company / address in
Vancouver, British Columbia. My guess is we'll see a huge spam run from
them soon with the addresses they collect from people complaining.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
The giving that keeps on giving	sixteenmillion	C Programming	0	11-19-2007 10:59 PM
Ctl3dCtlColorEx function giving trouble	maol	ASP .Net	0	12-08-2004 03:08 AM
PIX giving static ip's to PPTP clients	John Smith	Cisco	2	10-22-2004 05:54 AM
Giving Vonage voice packets priority with Cisco 1720	Albert Wiersch	Cisco	0	05-14-2004 07:31 PM
Re: 'ThreadState' is giving problem ?	Gaurav Khanna [.NET MVP]	ASP .Net	0	07-25-2003 12:25 PM