Tracing spammer - please help

Discussion in 'Computer Security' started by Neil Hindry, Mar 20, 2006.

  1. Neil Hindry

    Neil Hindry Guest

    I wonder if you can help me.

    I have been receiving spam of late and I want to report the sender to their
    ISP but I have a problem. I have looked at the header of the email to see
    who it is from but what I do not know is how to find out what ISP the
    spammer is using to send the spam.

    For example I have a message with the following header (I am pasting just
    the relevant information):-
    Return-path: <>
    Received: from [200.250.218.247] (helo=2F31F468)
    by feynman.zen.co.uk with smtp (Exim 4.43)
    id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    [12.32.12.51])
    by pgawtn.com with SMTP id T7NAUCQN5F


    How do I find out which ISP is hosting the name chocfan.com for a customer?

    As it is possible that the name could be forged I need to check out the IP
    address. How do I find out who is hosting the IP address for the customer
    (in this case is 200.250.218.247 the correct IP address)?

    Is there any other information that you think will be useful to me in trying
    to trace the spammer and complain to their ISP?

    I apologise if I have used the incorrect terminology.

    I hope you can help me.

    I appreciate any help or information given.

    Thanks

    --


    -------------------------------------------------------------------------
    FIGHT BACK AGAINST SPAM!
    Download Spam Inspector, the Award Winning Anti-Spam Filter
    http://mail.giantcompany.com
     
    Neil Hindry, Mar 20, 2006
    #1

  2. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Neil Hindry wrote:

    > Received: from [200.250.218.247] (helo=2F31F468)
    > [...]
    > How do I find out which ISP is hosting the name chocfan.com for a
    > customer?


    hss@athlon:~> whois 200.250.218.247

    % Copyright registro.br
    % The data below is provided for information purposes
    % and to assist persons in obtaining information about or
    % related to domain name and IP number registrations
    % By submitting a whois query, you agree to use this data
    % only for lawful purposes.
    % 2006-03-20 14:25:23 (BRT -03:00)

    inetnum: 200.250.218/24
    aut-num: AS4230
    abuse-c: GSE6
    owner: Net Sul Comunicações Ltda.
    ownerid: 073.676.512/0001-46
    responsible: Lauro Fernando Costa Barbosa
    address: Silveiro, 1111, 3º andar
    address: 90850-000 - Porto Alegre - RS
    phone: (51) 3218-7210 []
    owner-c: LFB
    tech-c: LFB
    created: 20051114
    changed: 20051114
    inetnum-up: 200.250/16

    nic-hdl-br: GSE6
    person: Grupo de Segurança Internet da Embratel
    e-mail:
    created: 20001005
    changed: 20001005

    nic-hdl-br: LFB
    person: Lauro Fernando Costa Barbosa
    e-mail:
    created: 19971218
    changed: 20040910

    remarks: Security issues should also be addressed to
    remarks: , http://www.cert.br/
    remarks: Mail abuse issues should also be addressed to
    remarks:

    % whois.registro.br accepts only direct match queries.
    % Types of queries are: domains (.BR), BR POCs, CIDR blocks,
    % IP and AS numbers.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2 (GNU/Linux)

    iD8DBQFEHuZNF/Ya8KAszi0RAoKzAKCys70kTdq1KmVxEgFggsICQfm34ACgh9Sr
    pUvIvJl24hqK5B1JaDPIGgs=
    =ZOAP
    -----END PGP SIGNATURE-----
     
    Hans-Stefan Suhle, Mar 20, 2006
    #2

  3. Neil Hindry

    Martin Guest

    Neil Hindry wrote:
    > I wonder if you can help me.
    >
    > I have been receiving spam of late and I want to report the sender to their
    > ISP but I have a problem. I have looked at the header of the email to see
    > who it is from but what I do not know is how to find out what ISP the
    > spammer is using to send the spam.
    >
    > For example I have a message with the following header (I am pasting just
    > the relevant information):-
    > Return-path: <>
    > Received: from [200.250.218.247] (helo=2F31F468)
    > by feynman.zen.co.uk with smtp (Exim 4.43)
    > id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    > Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    > [12.32.12.51])
    > by pgawtn.com with SMTP id T7NAUCQN5F
    >
    >
    > How do I find out which ISP is hosting the name chocfan.com for a customer?


    If you can't do lookups yourself, start with
    http://www.samspade.org

    Just put your IP address in and press Do Stuff :)

    It's a good starting point. Pop over news.admin.net-abuse.email and they
    will help as well

    Good luck
     
    Martin, Mar 20, 2006
    #3
  4. Neil Hindry

    Don Taylor Guest

    "Neil Hindry" <n_nospam_hindry@_nospam_hotmail.com> writes:

    >I wonder if you can help me.


    >I have been receiving spam of late and I want to report the sender to their
    >ISP but I have a problem. I have looked at the header of the email to see
    >who it is from but what I do not know is how to find out what ISP the
    >spammer is using to send the spam.


    >For example I have a message with the following header (I am pasting just
    >the relevant information):-
    >Return-path: <>
    >Received: from [200.250.218.247] (helo=2F31F468)


    Top most Received ip address 200.250.218.247
    (now I don't see a reverse confirmation so that can be forged,
    but I don't think folks in that ip range even bother forging)

    Most of the 200.x.x.x block is Latin America.
    So hop over to
    http://lacnic.net/en/index.html
    pop ip address into the Whois box
    and you get
    netnum: 200.250.218/24
    aut-num: AS4230
    abuse-c: GSE6
    owner: Net Sul Comunicações Ltda.
    ownerid: 073.676.512/0001-46
    responsible: Lauro Fernando Costa Barbosa
    address: Silveiro, 1111, 3º andar
    address: 90850-000 - Porto Alegre - RS
    phone: (51) 3218-7210 []
    ....
    nic-hdl-br: GSE6
    person: Grupo de Segurança Internet da Embratel
    e-mail:
    created: 20001005
    changed: 20001005

    nic-hdl-br: LFB
    person: Lauro Fernando Costa Barbosa
    e-mail:
    created: 19971218
    changed: 20040910

    remarks: Security issues should also be addressed to
    remarks: , http://www.cert.br/
    remarks: Mail abuse issues should also be addressed to
    remarks:

    So you can throw a complaint at embratel.net.br and cert.br
    but in my years of experience you will probably have more
    luck flapping your arms and flying.


    >by feynman.zen.co.uk with smtp (Exim 4.43)
    >id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    >Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    >[12.32.12.51])
    >by pgawtn.com with SMTP id T7NAUCQN5F


    >How do I find out which ISP is hosting the name chocfan.com for a customer?


    >As it is possible that the name could be forged I need to check out the IP
    >address. How do I find out who is hosting the IP address for the customer
    >(in this case is 200.250.218.247 the correct IP address)?


    lacnic.net/en/index.html for south america
    www.afrinic.net for africa
    www.ripe.net for europe/eastern europe
    www.apnic.net for pacific/asia
    www.arin.net/whois/index.html for north america

    There are other ways to get this information, some will think
    their way is the best way, I have no reason to argue with them.
    I hope that some of what I've written here helps out.

    >Is there any other information that you think will be useful to me in trying
    >to trace the spammer and complain to their ISP?


    >I apologise if I have used the incorrect terminology.
    >I hope you can help me.
    >I appreciate any help or information given.


    >Thanks
    >-------------------------------------------------------------------------
    >FIGHT BACK AGAINST SPAM!
    >Download Spam Inspector, the Award Winning Anti-Spam Filter
    >http://mail.giantcompany.com
     
    Don Taylor, Mar 20, 2006
    #4
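Added example, not part of the thread: the replies above (#2 and #4) show raw registro.br/LACNIC output and list the regional registries, but reading the abuse contact out of that output by hand means following the abuse-c handle down to the matching nic-hdl block. The script below does that lookup and parsing in Python. The e-mail addresses in the sample record are placeholders (the page has them stripped), and lookup_ip assumes the IANA whois server answers with a "refer:" line pointing at the regional registry, which is how it behaves today but is an assumption the offline sample does not exercise.

```python
import socket
from typing import Dict, List, Optional

# Constructed test input: a trimmed copy of the registro.br record posted in
# the thread for 200.250.218.247. The e-mail addresses are placeholders
# (the page has them stripped); everything else is as posted.
SAMPLE_WHOIS = """\
% Copyright registro.br
% 2006-03-20 14:25:23 (BRT -03:00)

inetnum:     200.250.218/24
aut-num:     AS4230
abuse-c:     GSE6
owner:       Net Sul Comunicações Ltda.
owner-c:     LFB
tech-c:      LFB
inetnum-up:  200.250/16

nic-hdl-br:  GSE6
person:      Grupo de Segurança Internet da Embratel
e-mail:      gse@example.invalid
created:     20001005

nic-hdl-br:  LFB
person:      Lauro Fernando Costa Barbosa
e-mail:      lfb@example.invalid
created:     19971218
"""


def whois_query(query: str, server: str, port: int = 43) -> str:
    """Raw whois (RFC 3912): send the query, read until the server closes."""
    with socket.create_connection((server, port), timeout=15) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> List[Dict[str, str]]:
    """Split key: value whois output into blocks separated by blank lines.

    Comment lines (% or #) are dropped; a key repeated inside one block
    (address:, remarks:) is joined with newlines. Handles the RIPE-style
    output of registro.br/LACNIC/RIPE and ARIN's flat OrgAbuse* style.
    """
    blocks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                blocks.append(current)
                current = {}
            continue
        if line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        current[key] = f"{current[key]}\n{value}" if key in current else value
    if current:
        blocks.append(current)
    return blocks


def abuse_contact(blocks: List[Dict[str, str]]) -> Optional[str]:
    """Find the abuse mailbox. ARIN lists it directly as OrgAbuseEmail; the
    RIPE-style registries give a handle in abuse-c that has to be resolved
    against the nic-hdl block further down the same reply."""
    by_handle: Dict[str, Dict[str, str]] = {}
    for block in blocks:
        for key in ("nic-hdl-br", "nic-hdl"):
            if key in block:
                by_handle[block[key]] = block
    for block in blocks:
        if "OrgAbuseEmail" in block:
            return block["OrgAbuseEmail"]
        handle = block.get("abuse-c")
        if handle and handle in by_handle:
            return by_handle[handle].get("e-mail")
    return None


def lookup_ip(ip: str) -> str:
    """Ask IANA which regional registry holds the block, then ask that
    registry. Needs network access; not exercised by the offline sample."""
    iana = parse_whois(whois_query(ip, "whois.iana.org"))
    refer = next((b["refer"] for b in iana if "refer" in b), None)
    if refer is None:
        raise LookupError(f"no referral for {ip}")
    return whois_query(ip, refer)


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    print(record[0]["inetnum"], record[0]["owner"], "->", abuse_contact(record))
```

Running it against the sample prints the netblock, its owner and the abuse mailbox resolved through the GSE6 handle; with network access, lookup_ip(ip) fetches the live record the same way the web forms in the replies above do.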
  5. Neil Hindry

    MCheu Guest

    On Mon, 20 Mar 2006 13:00:30 -0000, "Neil Hindry"
    <n_nospam_hindry@_nospam_hotmail.com> wrote:

    >I wonder if you can help me.
    >
    >I have been receiving spam of late and I want to report the sender to their
    >ISP but I have a problem. I have looked at the header of the email to see
    >who it is from but what I do not know is how to find out what ISP the
    >spammer is using to send the spam.
    >
    >For example I have a message with the following header (I am pasting just
    >the relevant information):-
    >Return-path: <>
    >Received: from [200.250.218.247] (helo=2F31F468)
    >by feynman.zen.co.uk with smtp (Exim 4.43)
    >id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    >Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    >[12.32.12.51])
    >by pgawtn.com with SMTP id T7NAUCQN5F
    >
    >
    >How do I find out which ISP is hosting the name chocfan.com for a customer?
    >
    >As it is possible that the name could be forged I need to check out the IP
    >address. How do I find out who is hosting the IP address for the customer
    >(in this case is 200.250.218.247 the correct IP address)?
    >
    >Is there any other information that you think will be useful to me in trying
    >to trace the spammer and complain to their ISP?
    >
    >I apologise if I have used the incorrect terminology.
    >
    >I hope you can help me.
    >
    >I appreciate any help or information given.
    >
    >Thanks


    I find the ARIN domain registry (for North America) whois site to be a
    good starting point.

    http://www.arin.net/whois/

    If the IP isn't registered in North America, you'll get a link or
    message directing you to a similar whois search engine for another
    region, where the suspect IP is registered.
    ---------------------------------------------
    Thanks.


    MCheu
     
    MCheu, Mar 20, 2006
    #5
  6. Neil Hindry

    f/fgeorge Guest

    They are from:
    OrgName: AT&T WorldNet Services
    OrgID: ATTW
    Address: AT&T
    Address: 200 S. LAUREL AVE.
    City: MIDDLETOWN
    StateProv: NJ
    PostalCode: 07748
    Country: US

    NetRange: 12.0.0.0 - 12.255.255.255
    CIDR: 12.0.0.0/8
    NetName: ATT
    NetHandle: NET-12-0-0-0-1
    Parent:
    NetType: Direct Allocation
    NameServer: DBRU.BR.NS.ELS-GMS.ATT.NET
    NameServer: DMTU.MT.NS.ELS-GMS.ATT.NET
    NameServer: CBRU.BR.NS.ELS-GMS.ATT.NET
    NameServer: CMTU.MT.NS.ELS-GMS.ATT.NET
    Comment: For abuse issues contact
    RegDate: 1983-08-23
    Updated: 2002-08-23

    RTechHandle: DK71-ARIN
    RTechName: Kostick, Deirdre
    RTechPhone: +1-919-319-8249
    RTechEmail:

    OrgAbuseHandle: ATTAB-ARIN
    OrgAbuseName: ATT Abuse
    OrgAbusePhone: +1-919-319-8130
    OrgAbuseEmail:

    OrgTechHandle: ICC-ARIN
    OrgTechName: IP Customer Care
    OrgTechPhone: +1-888-613-6330
    OrgTechEmail:

    OrgTechHandle: IPSWI-ARIN
    OrgTechName: IP SWIP
    OrgTechPhone: +1-888-613-6330
    OrgTechEmail:
    I used http://www.geektools.com/whois.php


    On Mon, 20 Mar 2006 13:00:30 -0000, "Neil Hindry"
    <n_nospam_hindry@_nospam_hotmail.com> wrote:

    >I wonder if you can help me.
    >
    >I have been receiving spam of late and I want to report the sender to their
    >ISP but I have a problem. I have looked at the header of the email to see
    >who it is from but what I do not know is how to find out what ISP the
    >spammer is using to send the spam.
    >
    >For example I have a message with the following header (I am pasting just
    >the relevant information):-
    >Return-path: <>
    >Received: from [200.250.218.247] (helo=2F31F468)
    >by feynman.zen.co.uk with smtp (Exim 4.43)
    >id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    >Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    >[12.32.12.51])
    >by pgawtn.com with SMTP id T7NAUCQN5F
    >
    >
    >How do I find out which ISP is hosting the name chocfan.com for a customer?
    >
    >As it is possible that the name could be forged I need to check out the IP
    >address. How do I find out who is hosting the IP address for the customer
    >(in this case is 200.250.218.247 the correct IP address)?
    >
    >Is there any other information that you think will be useful to me in trying
    >to trace the spammer and complain to their ISP?
    >
    >I apologise if I have used the incorrect terminology.
    >
    >I hope you can help me.
    >
    >I appreciate any help or information given.
    >
    >Thanks
     
    f/fgeorge, Mar 20, 2006
    #6
  7. Neil Hindry wrote:

    > For example I have a message with the following header (I am pasting just
    > the relevant information):-
    > Return-path: <>
    > Received: from [200.250.218.247] (helo=2F31F468) by feynman.zen.co.uk with
    > smtp (Exim 4.43) id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    > Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    > [12.32.12.51])
    > by pgawtn.com with SMTP id T7NAUCQN5F


    Assuming for a second that that "Received:" header is the correct one...

    Your problem appears to be someone using a free webmail provider from an
    IP in the NE United states belonging to AT&T Worldnet. I'd say the
    webmail provider would be your best bet. AT&T gets so many complaints
    you'd probably be pissing into a strong headwind. <sigh>

    Now you can ping/whois/traceroute all day long and come up with a lot of
    interesting information, but sometimes the laughably simple is the best
    detective tool...

    http://www.chocofan.com

    :)
     
    George Orwell, Mar 21, 2006
    #7
  8. Neil Hindry

    donnie Guest

    On Tue, 21 Mar 2006 01:04:35 +0100 (CET), George Orwell
    <> wrote:


    >Top most Received ip address 200.250.218.247
    >(now I don't see a reverse confirmation so that can be forged,
    >but I don't think folks in that ip range even bother forging)



    >Now you can ping/whois/traceroute all day long and come up with a lot of
    >interesting information, but sometimes the laughably simple is the best
    >detective tool...

    #######################################################
    I'm answering two posts at the same time.
    170 ms 180 ms 180 ms ctbdccmt01.ctb.virtua.com.br [200.250.77.3]
    181 ms 260 ms 190 ms 200.250.218.247
    That's the last two stops on a traceroute which takes us to Brazil.
    Then I ran host -l virtua.com.br on a Unix box had to stop the output
    when it reached 5 megabytes. I cut it down to
    host -l virtua.com.br | grep mail
    I showed one SMTP server and 2 other machines w/ mail in the name. I
    checked them for open relays and none of them had port 25 opened.
    Then I ran ftp virtua.com.br and I got
    Connected to virtua.com.br.net
    mbox.argentina.com FTP server (Version 6.00LS) ready.
    Argentina?? I thought I was in Brazil. It didn't allow anon logins,
    so I stopped there. That's where the second quote comes in about
    searching all day and finding interesting but not necessarily useful
    things.

    I would try an email to and
    If that doesn't work, just block it in your email client.
     
    donnie, Mar 21, 2006
    #8
  9. MCheu wrote:

    >>Received: from [200.250.218.247] (helo=2F31F468) by feynman.zen.co.uk
    >>with smtp (Exim 4.43) id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03
    >>+0000 Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    >>[12.32.12.51])
    >>by pgawtn.com with SMTP id T7NAUCQN5F


    [...]

    > I find the ARIN domain registry (for North America) whois site to be a
    > good starting point.
    >
    > http://www.arin.net/whois/
    >
    > If the IP isn't registered in North America, you'll get a link or message
    > directing you to a similar whois search engine for another region, where
    > the suspect IP is registered.


    IP addresses aren't registered, they're leased. Domain names are
    registered, and the location of the registrar has little or nothing to do
    with the physical location of the machine whose IP address is referenced
    by that domain in many, or even most cases. In this particular case the
    domain name was "purchased" through an agency in one country, but it's
    hosted on a machine that's apparently located in another.
     
    George Orwell, Mar 21, 2006
    #9
  10. donnie wrote:

    >>Now you can ping/whois/traceroute all day long and come up with a lot of
    >>interesting information, but sometimes the laughably simple is the best
    >>detective tool...

    > ####################################################### I'm answering two
    > posts at the same time.
    > 170 ms 180 ms 180 ms ctbdccmt01.ctb.virtua.com.br [200.250.77.3] 181
    > ms 260 ms 190 ms 200.250.218.247


    <snip>

    That IP isn't relevant because it's not the last entry in the Received:
    header chain. Wrapping sort of munged the original quoted headers. Here
    they are, reformatted for clarity...

    Received: from [200.250.218.247] (helo=2F31F468) by feynman.zen.co.uk
    with smtp (Exim 4.43) id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03
    +0000

    Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    [12.32.12.51]) by pgawtn.com with SMTP id T7NAUCQN5F

    The message seems to have passed through a relay in the 200 block or
    ended up there, but it originated from the 12.32.12.51 address. Assuming
    that was the last Received: header of course, the IP inside the []
    brackets would have been the sender's actual IP, and "elastomer" would
    have been the server that person was connected to. The reference to
    "featherbrain" would be the actual MTA machine at chocofan.

    The IP 12.32.12.51 is from a pool of customer addresses owned by AT&T. My
    guess would be a DSL subscriber. AT&T cares little or nothing about
    individual SPAM complaints, they have bigger fish to fry. But the people
    at chocofan.com might have something to say about someone abusing their
    apparently free (from simply visiting the www URL for that domain) email
    addresses for nefarious purposes.

    > I would try an email to and


    I'd speculate and say that would be complaining to the OP's own email
    provider. ;) Of course, that might not be a horrible idea either....
     
    George Orwell, Mar 21, 2006
    #10
  11. Neil Hindry

    Eli Coten Guest

    Neil Hindry wrote:
    > I wonder if you can help me.
    >
    > I have been receiving spam of late and I want to report the sender to their
    > ISP but I have a problem. I have looked at the header of the email to see
    > who it is from but what I do not know is how to find out what ISP the
    > spammer is using to send the spam.
    >
    > For example I have a message with the following header (I am pasting just
    > the relevant information):-
    > Return-path: <>
    > Received: from [200.250.218.247] (helo=2F31F468)
    > by feynman.zen.co.uk with smtp (Exim 4.43)
    > id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    > Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    > [12.32.12.51])
    > by pgawtn.com with SMTP id T7NAUCQN5F
    >
    >
    > How do I find out which ISP is hosting the name chocfan.com for a customer?
    >
    > As it is possible that the name could be forged I need to check out the IP
    > address. How do I find out who is hosting the IP address for the customer
    > (in this case is 200.250.218.247 the correct IP address)?
    >
    > Is there any other information that you think will be useful to me in trying
    > to trace the spammer and complain to their ISP?
    >
    > I apologise if I have used the incorrect terminology.
    >
    > I hope you can help me.
    >
    > I appreciate any help or information given.
    >
    > Thanks
    >

    Try taking the IP address http://www.dnsstuff.com/ and put it in there.
    You might find the information you need (along with an email address) there.

    Hope you get somewhere
    Eli

     
    Eli Coten, Mar 21, 2006
    #11
  12. Neil Hindry

    mcheu Guest

    George Orwell wrote:
    > MCheu wrote:
    >
    > >>Received: from [200.250.218.247] (helo=2F31F468) by feynman.zen.co.uk
    > >>with smtp (Exim 4.43) id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03
    > >>+0000 Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    > >>[12.32.12.51])
    > >>by pgawtn.com with SMTP id T7NAUCQN5F

    >
    > [...]
    >
    > > I find the ARIN domain registry (for North America) whois site to be a
    > > good starting point.
    > >
    > > http://www.arin.net/whois/
    > >
    > > If the IP isn't registered in North America, you'll get a link or message
    > > directing you to a similar whois search engine for another region, where
    > > the suspect IP is registered.

    >
    > IP addresses aren't registered, they're leased. Domain names are
    > registered, and the location of the registrar has little or nothing to do
    > with the physical location of the machine whose IP address is referenced
    > by that domain in many, or even most cases. In this particular case the
    > domain name was "purchased" through an agency in one country, but it's
    > hosted on a machine that's apparently located in another.


    Please read what I actually wrote. It is considered extremely rude to
    comment on what was "written between the lines" (ie. stuff you imagined
    was there, but I never wrote).

    I never said that you actually have to be physically within a
    particular region to register a domain or reserve IP blocks with a
    particular region's registrar. You may have read that somewhere, but
    it wasn't in my post.

    Further, while the process of registering a domain name and leasing an
    IP block are separate, that isn't what I was talking about. When you
    register a domain name, you do two things, you reserve the name (so
    cybersquatter#2 can't take it) and associate an IP address to it in the
    registration entry. That is what I meant by registering an IP.
     
    mcheu, Mar 21, 2006
    #12
  13. Neil Hindry

    Moe Trin Guest

    On Mon, 20 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
    <441ea779$0$8341$>, Neil Hindry wrote:

    >I have been receiving spam of late and I want to report the sender to their
    >ISP but I have a problem. I have looked at the header of the email to see
    >who it is from but what I do not know is how to find out what ISP the
    >spammer is using to send the spam.


    The ONLY two pieces of information you have to trust are the Received:
    header put on by your ISP, and the address of the website/mail forwarder
    that the spammer is directing you to.

    >For example I have a message with the following header (I am pasting just
    >the relevant information):-
    >Return-path: <>
    >Received: from [200.250.218.247] (helo=2F31F468)
    >by feynman.zen.co.uk with smtp (Exim 4.43)
    >id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000


    The mail was delivered from this IP - which the others have shown how to
    locate in Porto Alegre, in the Brazilian state of Rio Grande do Sul (at
    roughly 30S/50W, about 800 miles/1300 KM Southwest of Rio de Janeiro).

    >Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    >[12.32.12.51])
    >by pgawtn.com with SMTP id T7NAUCQN5F


    That one is an obvious forgery. The receiving host (pgawtn.com) is located
    in the US - so how did the mail get received there, and sent to you from
    Brazil. Where is the "Received:" header indicating such transfer? Further,
    the supposed sender 12.32.12.51 is a host with AT&T, but it doesn't have an
    IP to name record. Also, neither of the chocofan.com host names exist. This
    is just the usual BS put on by the spammer to confuse things, and is pretty
    much meaningless.

    >How do I find out which ISP is hosting the name chocfan.com for a customer?


    You ask a whois server - it's being hosted by XO.com - but what relevance
    is that? Are they the ones who are being advertised? The domain is actually
    registered in Hong Kong to a gaming company.

    >Is there any other information that you think will be useful to me in trying
    >to trace the spammer and complain to their ISP?


    Complaining to 'Net Sul Comunicações Ltda' (the assignee of 200.250.218.247) or
    Grupo de Segurança Internet da Embratel is a waste of time, effort, and
    bandwidth on your part. If you are running a receiving mail server, you can
    simply block 200.250.0.0/16 or even 200.0.0.0/7, and ignore this crap.

    You can also post the complete mail to news.admin.net-abuse.sightings, but
    the rest of the world pretty much knows that accepting unknown mail from
    Brazil is a waste of bandwidth. The site that the spammer is advertising
    is probably going to be more interesting to the Internet community.

    Old guy
     
    Moe Trin, Mar 21, 2006
    #13
  14. Neil Hindry

    Moe Trin Guest

    On Tue, 21 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
    <>, George Orwell wrote:

    >That IP isn't relevant because it's not the last entry in the Received:
    >header chain. Wrapping sort of munged the original quoted headers. Here
    >they are, reformatted for clarity...


    > Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    > [12.32.12.51]) by pgawtn.com with SMTP id T7NAUCQN5F
    >
    >The message seems to have passed thorough a relay in the 200 block or
    >ended up there, but it originated from the 12.32.12.51 address.


    Guess again.

    [compton ~]$ host 12.32.12.51
    Host not found.
    [compton ~]$

    There is no PTR record for that host, so the *.chocofan.com BS is a
    forgery. Also, there is no explanation of how the mail might have originated
    at the AT&T address, and been sent to pgawtn.com which is also in the US and
    has no connection to the Brazilian header.

    Old guy
     
    Moe Trin, Mar 21, 2006
    #14
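Added example, not part of the thread: posts #13 and #14 above make two checks by hand, trusting only the Received: line written by your own ISP's MX, and treating a hop whose sending name has no PTR record or whose "by" host is never mentioned by the line above it as forged. The Python below does both over the headers quoted in this thread. The DNS lookups are injectable so the sample runs offline; the fake resolver answers (no PTR for either address, and a made-up 203.0.113.5 that forward-confirms) are constructed for the example and are not results from the page.

```python
import re
import socket
from email import message_from_string
from typing import Callable, Dict, List, Optional

# Constructed test input built from the two Received: lines quoted in the
# thread; From/Subject/body are placeholders. Header folding (leading
# whitespace on continuation lines) is as a real MTA writes it.
SAMPLE_MAIL = """\
Return-path: <>
Received: from [200.250.218.247] (helo=2F31F468)
    by feynman.zen.co.uk with smtp (Exim 4.43)
    id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
Received: from featherbrain.chocofan.com (elastomer.chocofan.com [12.32.12.51])
    by pgawtn.com with SMTP id T7NAUCQN5F
From: someone@example.invalid
Subject: placeholder

placeholder body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
HELO_RE = re.compile(r"helo=([\w.-]+)", re.I)
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)

Hop = Dict[str, Optional[str]]


def parse_received(value: str) -> Hop:
    """Extract the fields a tracer needs from one Received: header value."""
    flat = " ".join(value.split())                 # unfold continuation lines
    frm = FROM_RE.match(flat)
    from_name = frm.group(1) if frm else None
    if from_name and from_name.startswith("["):
        from_name = None                           # address literal, no name
    helo, ip, by = HELO_RE.search(flat), IP_RE.search(flat), BY_RE.search(flat)
    return {
        "from_name": from_name,                    # name the MTA wrote for the peer
        "helo": helo.group(1) if helo else from_name,  # what the peer claimed
        "ip": ip.group(1) if ip else None,         # address the MTA saw on the socket
        "by": by.group(1) if by else None,         # the MTA that wrote this line
    }


def ptr_via_dns(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                                # NXDOMAIN, no PTR, timeout
        return None


def a_via_dns(name: str) -> List[str]:
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


def fcrdns(ip: str, claimed: Optional[str],
           ptr_lookup: Callable[[str], Optional[str]],
           a_lookup: Callable[[str], List[str]]) -> str:
    """Forward-confirmed reverse DNS: ip -> PTR -> A must lead back to ip."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return "no-ptr"
    if ip not in a_lookup(ptr):
        return "mismatch"                          # PTR exists but does not confirm
    if claimed and claimed.lower().rstrip(".") != ptr.lower().rstrip("."):
        return "ok-but-name-differs"               # confirmed under another name
    return "ok"


def trace(raw: str, my_mx_suffixes: List[str],
          ptr_lookup=ptr_via_dns, a_lookup=a_via_dns) -> Dict[str, object]:
    """Walk the Received: chain top-down. Hops written 'by' your own MX are
    trusted; the first hop written by anyone else ends the trusted prefix,
    and everything from there down is the sender's word. The connecting
    address of the last trusted hop is the only origin worth reporting."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings: List[str] = []
    trusted = 0
    for hop in hops:
        by = hop["by"] or ""
        if not any(by == s or by.endswith("." + s) for s in my_mx_suffixes):
            break
        trusted += 1
    origin_ip = hops[trusted - 1]["ip"] if trusted else None
    for i, hop in enumerate(hops):
        tag = "trusted" if i < trusted else "untrusted"
        if hop["ip"]:
            verdict = fcrdns(hop["ip"], hop["from_name"], ptr_lookup, a_lookup)
            findings.append(f"hop {i} ({tag}): {hop['ip']} rDNS {verdict}")
        if i + 1 < len(hops):                      # does hop i+1 explain hop i?
            handed_by = hop["from_name"] or hop["helo"] or ""
            nxt_by = hops[i + 1]["by"] or ""
            if handed_by.lower() != nxt_by.lower():
                findings.append(f"chain broken between hop {i} and {i + 1}: "
                                f"received from {handed_by!r} but the next line "
                                f"claims 'by {nxt_by}'")
    return {"origin_ip": origin_ip, "trusted_hops": trusted,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    for line in trace(SAMPLE_MAIL, ["zen.co.uk"])["findings"]:
        print(line)
```

Run stand-alone it resolves against real DNS; the point of the injectable lookups is that the same logic can be checked against a fixed answer set, and that a "no-ptr" or "chain broken" finding on an untrusted hop is a reason to ignore that hop rather than a lead to chase.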
  15. Neil Hindry

    donnie Guest


    >
    >Guess again.
    >
    >[compton ~]$ host 12.32.12.51
    >Host not found.
    >[compton ~]$
    >
    >There is no PTR record for that host, so the *.chocofan.com BS is a
    >forgery. Also, there is no explanation of how the mail might have originated
    >at the AT&T address, and been sent to pgawtn.com which is also in the US and
    >has no connection to the Brazilian header.
    >
    > Old guy

    ######################################
    12.32.12.51
    12.x.x.x is usually a dialup IP. I used to be on AT&T and that's what
    was given.
     
    donnie, Mar 22, 2006
    #15
  16. Neil Hindry

    Ant Guest

    "Neil Hindry" wrote:

    > I have been receiving spam of late and I want to report the sender to their
    > ISP but I have a problem. I have looked at the header of the email to see
    > who it is from but what I do not know is how to find out what ISP the
    > spammer is using to send the spam.
    >
    > For example I have a message with the following header (I am pasting just
    > the relevant information):-


    If you're unclear about decoding headers, how do you know what is
    relevant?

    Based on the information you gave, the spam appears to have come
    from a proxified machine in Brazil. There's no point in looking at
    headers below this, since they are very likely to have been forged by
    the spammer. This is almost always the case with spam these days; i.e.
    you can only trust in the headers what your ISP says about from where
    it received the mail.

    > Received: from [200.250.218.247] (helo=2F31F468)
    > by feynman.zen.co.uk with smtp (Exim 4.43)
    > id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000


    I assume this header was added by your ISP (Zen) and is correctly
    reporting that the host feynman.zen.co.uk received the mail from
    200.250.218.247. If you go to http://www.dnsstuff.com and plug the
    number into their spam database lookup tool you will see it appears
    on a few blocklists as an open proxy. You can also find out to whom
    the IP address is allocated by using their "whois" lookup tool.

    See the links here for information about reading headers:
    http://spamlinks.net/track-trace-headers.htm
     
    Ant, Mar 22, 2006
    #16
  17. Neil Hindry

    Moe Trin Guest

    On Wed, 22 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
    <>, donnie wrote:

    >>[compton ~]$ host 12.32.12.51
    >>Host not found.
    >>[compton ~]$


    >12.32.12.51
    >12.x.x.x is usally a dialup IP. I used to be on AT&T and that's what
    >was given.


    12.x.x.x is 16.8 million addresses. They are sub-allocated to a huge
    number of entities, such as cable services, businesses, and commercial
    ISPs - everything from Argonet in Altoona, PA.us to Boeing, to Classicnet,
    to Cox, Hilton Hotels, or ThePlanet.com. One of my ISPs has a /23 they
    are leasing in the 12.22.x.x range as well as one in the 63.67.x.x range,
    and they're certainly not AT&T or UU.net/MCI/what-ever they're calling
    themselves at the moment. ARIN has over a hundred SWIP (Shared WhoIs
    Project) listings within the 12.x.x.x block. _A_ problem is that AT&T
    doesn't bother to provide a rwhois server, and in this particular case
    doesn't have a PTR record in their DNS. Their DNS servers are indicating
    that the address doesn't exist (NXDOMAIN), though packets do get routed to
    the Arlington, Virginia area before going missing at a firewall.

    Old guy
     
    Moe Trin, Mar 22, 2006
    #17
  18. Neil Hindry

    Jim Michaels Guest

    "Neil Hindry" <n_nospam_hindry@_nospam_hotmail.com> wrote in message
    news:441ea779$0$8341$...
    >I wonder if you can help me.
    >
    > I have been receiving spam of late and I want to report the sender to
    > their ISP but I have a problem. I have looked at the header of the email
    > to see who it is from but what I do not know is how to find out what ISP
    > the spammer is using to send the spam.
    >
    > For example I have a message with the following header (I am pasting just
    > the relevant information):-
    > Return-path: <>
    > Received: from [200.250.218.247] (helo=2F31F468)
    > by feynman.zen.co.uk with smtp (Exim 4.43)
    > id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    > Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    > [12.32.12.51])
    > by pgawtn.com with SMTP id T7NAUCQN5F
    >


    Part of the problem with mail headers is, you can telnet to the SMTP box and
    type in a hostname, or do it with software. The return path is also a header
    you can type in.
    I don't know for sure, but I think you can still do that. They may not be
    able to fake the IP address, but I *think* that is also something they can
    type in, but the server may or may not verify that. Possibly not.


    >
    > How do I find out which ISP is hosting the name chocfan.com for a
    > customer?
    >
    > As it is possible that the name could be forged I need to check out the IP
    > address. How do I find out who is hosting the IP address for the customer
    > (in this case is 200.250.218.247 the correct IP address)?
    >
    > Is there any other information that you think will be useful to me in
    > trying to trace the spammer and complain to their ISP?
    >
    > I apologise if I have used the incorrect terminology.
    >
    > I hope you can help me.
    >
    > I appreciate any help or information given.
    >
    > Thanks
    >
    > --
    >
    >
    > -------------------------------------------------------------------------
    > FIGHT BACK AGAINST SPAM!
    > Download Spam Inspector, the Award Winning Anti-Spam Filter
    > http://mail.giantcompany.com
    >
    >
    >
     
    Jim Michaels, Apr 7, 2006
    #18
  19. Neil Hindry

    Moe Trin Guest

    On Thu, 6 Apr 2006, in the Usenet newsgroup alt.computer.security, in article
    <>, Jim Michaels wrote:

    >"Neil Hindry" <n_nospam_hindry@_nospam_hotmail.com> wrote


    [back on 19 March 2006]

    >> For example I have a message with the following header (I am pasting just
    >> the relevant information):-
    >> Return-path: <>
    >> Received: from [200.250.218.247] (helo=2F31F468)
    >> by feynman.zen.co.uk with smtp (Exim 4.43)
    >> id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
    >> Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    >> [12.32.12.51])
    >> by pgawtn.com with SMTP id T7NAUCQN5F

    >
    >part of the problem with mail headers is, you can telnet to the SMTP box and
    >type in a hostname. or do it with software.


    Yeah, telnet works, but you've got to know a little bit about the SMTP
    protocol.

    >the return path is also a header you can type in.


    Actually the receiving SMTP application inserts that header using the
    information from the "MAIL FROM" exchange.

    >I don't know for sure, but I think you can still do that. they may not be
    >able to fake the IP address, but I *think* that is also something they can
    >type in, but the server may or may not verify that. possibly not.


    See 'Practical Unix & Internet Security' 3rd edition, by Garfinkel,
    Spafford & Schwartz, (O'Reilly, ISBN 0-586-00323-4), the appropriate RFCs
    (RFC0821 and RFC2821), and http://www.stopspam.org/email/headers.html.
    There are only two headers inserted by default by the receiving mail
    server.

    "Return-path:" comes from the "MAIL FROM" exchange during the SMTP dialog.
    "Received:" is generated by the receiving mail server. Taking the line above
    and breaking it into the component parts:

    >> Received: from [200.250.218.247] (helo=2F31F468)
    >> by feynman.zen.co.uk with smtp (Exim 4.43)
    >> id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000


    "[200.250.218.247]" is the IP address that the receiving mail server got
    the mail from. This can not be faked. There _may_ be a hostname in
    parentheses in front of this, such as

    "(host.example.com [192.0.2.54])" and that means the receiving mail server
    looked up the IP address and got that name. Different mail servers put the
    "HELO" or "EHLO" name - the name that the sending mail server announced itself
    as during the SMTP exchange - either before or after this mess. In the quoted
    example, the sending host announced itself as "2F31F468" which is just
    meaningless babble by the spammer.

    The remaining stuff in the "Received:" header, here

    >> by feynman.zen.co.uk with smtp (Exim 4.43)
    >> id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000


    identifies the receiving mail server (you can ONLY trust those under your
    control - and perhaps those of your ISP), the application used (Exim is
    one of a handful of mail server applications), a "transaction number" and
    timestamp.

    >> Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    >> [12.32.12.51])
    >> by pgawtn.com with SMTP id T7NAUCQN5F


    This line was obviously faked, because the "receiving server" (here
    claimed to be "pgawtn.com") claims to have received the mail from IP
    12.32.12.51 which it then claims to have looked up and found to be
    "elastomer.chocofan.com". The big red flag waving in front of your eyes
    is that, first, 12.32.12.51 doesn't resolve - you can't look it up
    to get a name. Second, neither of the chocofan.com hostnames resolves
    either. Thus, you have a classic demonstration of the first law of
    spammers - "spammers lie".

    Another clue is that "Received:" headers should track. If the mail really
    did originate at chocofan.com, how did it get from pgawtn.com to the
    unidentified Brazilian host 200.250.218.247? Where is the Received:
    line for that transfer?

    The final clue is if the mail really did originate in .us (the 12.32.12.51
    address and pgawtn.com are both in the .us), why was it sent to the O/P in
    England via some untrustworthy host in Brazil instead of direct? The answer
    is again "spammers lie".

    Old guy
     
    Moe Trin, Apr 7, 2006
    #19
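To make the "Received: headers should track" check from the post above concrete, here is an added example that is not part of the thread: it parses the two quoted Received: lines (assuming the Exim "from [ip] (helo=name)" and Sendmail "from helo (rdns [ip])" layouts), picks out the IP, HELO and reverse-DNS parts, and reports where the relay chain breaks.

```python
import re

# Constructed sample: the two Received: lines quoted in the thread, folded onto one line each
# (the recipient's own, trustworthy hop first, as it appears top-down in the message).
SAMPLE_HEADERS = [
    "Received: from [200.250.218.247] (helo=2F31F468) by feynman.zen.co.uk "
    "with smtp (Exim 4.43) id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000",
    "Received: from featherbrain.chocofan.com (elastomer.chocofan.com "
    "[12.32.12.51]) by pgawtn.com with SMTP id T7NAUCQN5F",
]

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+)"      # HELO name, or [ip] in Exim's layout
    r"(?:\s+\((?P<comment>[^)]*)\))?"        # "(rdns [ip])" or "(helo=name)"
    r"\s+by\s+(?P<by>\S+).*$", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(line):
    """Split one Received: header into the parts discussed in the thread."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    hop = m.groupdict()
    comment = hop["comment"] or ""
    ips = IP_RE.findall(line)
    hop["ip"] = ips[0] if ips else None          # address the receiving server saw
    if hop["from"].startswith("["):              # Exim style: from [ip] (helo=name)
        helo = re.search(r"helo=(\S+)", comment)
        hop["helo"] = helo.group(1) if helo else None
        hop["rdns"] = None
    else:                                        # Sendmail style: from helo (rdns [ip])
        hop["helo"] = hop["from"]
        names = [t for t in comment.split() if not t.startswith("[")]
        hop["rdns"] = names[0] if names else None
    return hop

def helo_looks_bogus(hop):
    """A HELO with no dot and no address literal is the 'meaningless babble' case."""
    helo = hop["helo"] or ""
    return "." not in helo and not helo.startswith("[")

def chain_gaps(headers):
    """Return (hop_index, reason) wherever the chain fails to track: the host that
    hop i received from should be the host that hop i+1 claims relayed the mail."""
    hops = [h for h in map(parse_received, headers) if h]
    gaps = []
    for i, (upper, lower) in enumerate(zip(hops, hops[1:])):
        seen = {upper["ip"], upper["rdns"], upper["helo"]} - {None}
        if lower["by"] not in seen:
            gaps.append((i, f"hop {i} saw {sorted(seen)}; hop {i + 1} claims relay by {lower['by']}"))
    return gaps
```

On the quoted headers the only hop the recipient's server can vouch for is 200.250.218.247, and the chain check reports that nothing connects pgawtn.com to it, which is the missing transfer the post asks about.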