Who sent me this spam?

Discussion in 'NZ Computing' started by Howard, Jul 28, 2003.

  1. Howard

    Howard Guest

    Hi All,

    I've been reviewing the antispam measures recommended recently in this
    group and on /., namely

    Spampal
    SAProxy (Spam Assassin) and
    Trustic.

    Setting up these services has taught me a lot about email message headers and
    how to read them, but some of them get complicated when the spammers fake
    the headers. I have copied below one of the more dastardly ones, with my
    analysis. Can anyone confirm whether my analysis is correct?

    01. Return-Path: <>
    02. Received: from mta6-rme.xtra.co.nz ([210.86.15.141]) by mta203-rme.xtra.co.nz
    03. with ESMTP id <>;
    04. Mon, 28 Jul 2003 06:56:53 +1200
    05. Received: from [203.96.92.132] ([202.181.232.156]) by mta6-rme.xtra.co.nz
    06. with SMTP id <20030727185649.GSAB22334.mta6-rme.xtra.co.nz@[203.96.92.132]>;
    07. Mon, 28 Jul 2003 06:56:49 +1200
    08. Received: from [182.72.99.61] by 203.96.92.132 id <5756415-04974>; Mon, 28
    09. Jul 2003 00:54:50 +0500
    10. Message-ID: <7$7vtzti$$111$qs7e-qt$1e>
    11. From: "Muriel Casey" <>
    12. Reply-To: "Muriel Casey" <>
    13. To:
    14. Subject: RE: dkuxmhadw gfohy
    15. Date: Mon, 28 Jul 2003 00:54:50 +0500

    Analysis Legend
    Line Number.
    IP observed.
    NSLookup Result.
    My Comment.

    Line 2.
    210.86.15.141
    mta102-rme.xtra.co.nz
    Valid. Xtra mail transfer agent.
    One of four at 210.86.15.140 .141 .142 or .143

    Line 5.
    203.96.92.132
    pop3.xtra.co.nz
    Faked - added by the spammer to attempt to disguise 202.181.232.156.
    No valid reason for the pop3 server IP address to be in the message headers.

    Line 5.
    202.181.232.156
    No reverse DNS (WSANO_DATA)
    Spammer's IP.

    Line 8.
    182.72.99.61 No reverse DNS (WSANO_DATA) & 203.96.92.132
    pop3.xtra.co.nz
    Entire line faked by spammer.

    TIA.
    -H
    Howard, Jul 28, 2003
    #1
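The check Howard works through by hand above, as an added example written for this page (it is not part of the original post): walk the Received lines newest-first, trust a line only while the MTA that wrote it belongs to the recipient's own provider, take the TCP peer recorded at the first connection from outside as the origin, and treat everything a non-trusted host claims below that point as unverifiable. It also flags the mismatch on line 05 between the address the sender announced in HELO and the peer the MTA actually saw, and compares timestamps across the trust boundary. The trust anchors (the xtra.co.nz domain and the four MTA addresses 210.86.15.140-143) are assumptions taken from Howard's notes; the header block is the one he posted, re-folded the way an MTA writes it and with his line numbers removed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Howard's posted headers, re-folded as an MTA writes them (continuation lines
# indented). Empty <> brackets are the archive's redaction, left as-is.
RAW_HEADERS = """\
Return-Path: <>
Received: from mta6-rme.xtra.co.nz ([210.86.15.141]) by
    mta203-rme.xtra.co.nz with ESMTP id <>;
    Mon, 28 Jul 2003 06:56:53 +1200
Received: from [203.96.92.132] ([202.181.232.156]) by
    mta6-rme.xtra.co.nz with SMTP id
    <20030727185649.GSAB22334.mta6-rme.xtra.co.nz@[203.96.92.132]>;
    Mon, 28 Jul 2003 06:56:49 +1200
Received: from [182.72.99.61] by 203.96.92.132 id <5756415-04974>; Mon,
    28 Jul 2003 00:54:50 +0500
"""

# Assumed trust anchors, taken from Howard's notes: the recipient's provider
# domain and its four MTA addresses ("one of four at 210.86.15.140 .141 .142 or .143").
TRUSTED_DOMAIN = "xtra.co.nz"
TRUSTED_MTA_IPS = {f"210.86.15.{i}" for i in range(140, 144)}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <HELO name> (<TCP peer info>) by <receiving MTA>": the parenthesised
# part is what the MTA observed; the HELO name is whatever the sender said.
RECEIVED = re.compile(r"(?i)from\s+(?P<helo>\S+)(?:\s+\((?P<tcp>[^)]*)\))?\s+by\s+(?P<by>\S+)")


@dataclass
class Hop:
    helo: str
    peer_ip: Optional[str]
    by: str
    when: Optional[datetime]


@dataclass
class Verdict:
    origin_ip: Optional[str] = None   # first peer outside our own infrastructure
    helo_claim: Optional[str] = None  # what that peer claimed to be in HELO
    helo_mismatch: bool = False
    unverifiable_hops: int = 0        # Received lines below the trust boundary
    time_anomaly: bool = False        # a "later" hop stamped after a trusted one


def unfold(raw: str) -> List[str]:
    """Join continuation lines (leading whitespace) back onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw: str) -> List[Hop]:
    """Return Received hops in header order: newest (closest to us) first."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED.search(line)
        if not m:
            continue
        ip = IPV4.search(m.group("tcp") or "")
        stamp = line.rsplit(";", 1)[1].strip() if ";" in line else ""
        try:
            when = parsedate_to_datetime(stamp) if stamp else None
        except (TypeError, ValueError):
            when = None
        hops.append(Hop(m.group("helo").strip("[]"), ip.group(1) if ip else None,
                        m.group("by"), when))
    return hops


def is_ours(host: str) -> bool:
    return host.lower().rstrip(".").endswith(TRUSTED_DOMAIN)


def analyse(raw: str) -> Verdict:
    """Trust a Received line only while the MTA that wrote it is ours."""
    v = Verdict()
    hops = parse_received(raw)
    for i, hop in enumerate(hops):
        if not is_ours(hop.by):
            v.unverifiable_hops = len(hops) - i  # written by a host we don't control
            break
        if hop.peer_ip in TRUSTED_MTA_IPS:
            continue  # internal relay between our own MTAs
        # First connection from outside: this peer is the origin as far as we can see.
        v.origin_ip = hop.peer_ip
        v.helo_claim = hop.helo
        v.helo_mismatch = hop.peer_ip is not None and hop.helo != hop.peer_ip
        v.unverifiable_hops = len(hops) - i - 1
        # Hops the sender claims happened earlier must not be stamped later than this one.
        if hop.when is not None:
            v.time_anomaly = any(h.when is not None and h.when > hop.when
                                 for h in hops[i + 1:])
        break
    return v


if __name__ == "__main__":
    print(analyse(RAW_HEADERS))
```

Run against the posted headers it reports origin 202.181.232.156, a HELO claim of 203.96.92.132 that does not match that peer, one unverifiable hop (line 08), and a timestamp anomaly: converted to UTC, the line-08 hop (00:54:50 +0500) is stamped after the trusted line-05 hop (06:56:49 +1200), which agrees with Howard's reading that line 08 was written by the spammer rather than by a real relay.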

  2. "Howard" <> wrote in message
    news:pE_Ua.94431$...
    > Hi All,
    >
    > I've been reviewing the antispam measures recommended recently in this
    > group and on /., namely
    >
    > Spampal
    > SAProxy (Spam Assassin) and
    > Trustic.
    >
    > Setting up these services has taught me a lot about email message headers and
    > how to read them, but some of them get complicated when the spammers fake
    > the headers. I have copied below one of the more dastardly ones, with my
    > analysis. Can anyone confirm whether my analysis is correct?


    Remove the thinking, shove it into the free service http://www.spamcop.com
    and their engine will do the work for you, and will send abuse reports to
    the right places.

    Cheers,
    Nicholas Sherlock
    Nicholas Sherlock, Jul 28, 2003
    #2

  3. Steve

    Steve Guest

    Howard allegedly said:

    > Hi All,
    >
    > I've been reviewing the antispam measures recommended recently in this
    > group and on /., namely
    >
    > Spampal
    > SAProxy (Spam Assassin) and
    > Trustic.
    >
    > Setting up these services has taught me a lot about email message headers
    > and how to read them, but some of them get complicated when the spammers
    > fake the headers. I have copied below one of the more dastardly ones, with
    > my analysis. Can anyone confirm whether my analysis is correct?
    >
    > 01. Return-Path: <>
    > 02. Received: from mta6-rme.xtra.co.nz ([210.86.15.141]) by
    > mta203-rme.xtra.co.nz
    > 03. with ESMTP id
    > <>;
    > 04. Mon, 28 Jul 2003 06:56:53 +1200
    > 05. Received: from [203.96.92.132] ([202.181.232.156]) by
    > mta6-rme.xtra.co.nz
    > 06. with SMTP id
    > <20030727185649.GSAB22334.mta6-rme.xtra.co.nz@[203.96.92.132]>;
    > 07. Mon, 28 Jul 2003 06:56:49 +1200
    > 08. Received: from [182.72.99.61] by 203.96.92.132 id <5756415-04974>;
    > Mon, 28
    > 09. Jul 2003 00:54:50 +0500
    > 10. Message-ID: <7$7vtzti$$111$qs7e-qt$1e>
    > 11. From: "Muriel Casey" <>
    > 12. Reply-To: "Muriel Casey" <>
    > 13. To:
    > 14. Subject: RE: dkuxmhadw gfohy
    > 15. Date: Mon, 28 Jul 2003 00:54:50 +0500
    >
    > Analysis Legend
    > Line Number.
    > IP observed.
    > NSLookup Result.
    > My Comment.
    >
    > Line 2.
    > 210.86.15.141
    > mta102-rme.xtra.co.nz
    > Valid. Xtra mail transfer agent.
    > One of four at 210.86.15.140 .141 .142 or .143
    >
    > Line 5.
    > 203.96.92.132
    > pop3.xtra.co.nz
    > Faked - added by the spammer to attempt to disguise 202.181.232.156.
    > No valid reason for the pop3 server IP address to be in the message
    > headers.
    >
    > Line 5.
    > 202.181.232.156
    > No reverse DNS (WSANO_DATA)
    > Spammer's IP.


    inetnum: 202.181.224.0 - 202.181.255.255
    netname: HKCIX
    descr: - HKCIX -
    descr: HongKong Commercial Internet Exchange
    country: HK
    admin-c: CW57-AP
    tech-c: KY28-AP
    mnt-by: MAINT-HKCIX-AP
    changed: 19990416
    status: ALLOCATED PORTABLE
    source: APNIC

    person: CM Wu
    address: IXTech Limited
    address: 7/F Ever Gain Plaza, Tower 2,
    address: 88 Container Port Road,
    address: Kwai Chung, N.T.
    country: HK
    phone: +852-2603-7955
    fax-no: +852-2603-7952
    e-mail:
    nic-hdl: CW57-AP
    mnt-by: MAINT-HKCIX-AP
    changed: 20000313
    source: APNIC

    person: Katson Yeung
    address: IXTech Limited
    address: 7/F Ever Gain Plaza, Tower 2,
    address: 88 Container Port Road,
    address: Kwai Chung, N.T.
    country: HK
    phone: +852-2603-7955
    fax-no: +852-2603-7952
    e-mail:
    nic-hdl: KY28-AP
    mnt-by: MAINT-HKCIX-AP
    changed: 20000313
    source: APNIC



    >
    > Line 8.
    > 182.72.99.61 No reverse DNS (WSANO_DATA) & 203.96.92.132
    > pop3.xtra.co.nz
    > Entire line faked by spammer.
    >
    > TIA.
    > -H


    --
    Steve
    --
    "Naturally, the common people don't want war;
    neither in Russia nor in England nor in America,
    nor for that matter in Germany.
    That is understood. But, after all, it is the leaders
    of the country who determine the policy and
    it is always a simple matter to drag the people
    along, whether it is a democracy or a fascist
    dictatorship or a Parliament or a Communist
    dictatorship. Voice or no voice, the people can
    always be brought to the bidding of the leaders.
    That is easy. All you have to do is tell them
    they are being attacked and denounce the
    pacifists for lack of patriotism and exposing
    the country to danger. It works the same way
    in any country."
    - Hermann Goering, Nazi Reichsmarshall
    Steve, Jul 28, 2003
    #3
  4. totojepast

    totojepast Guest

    From http://www.trustic.com/:

    "We regret to inform you that we are no longer taking registrations
    and will soon be closing the service."

    Very sad. Is anybody willing to take over the Trustic service?


    "Howard" <> wrote in message news:<pE_Ua.94431$>...
    > Hi All,
    >
    > I've been reviewing the antispam measures recommended recently in this
    > group and on /., namely
    >
    > Spampal
    > SAProxy (Spam Assassin) and
    > Trustic.
    >
    > Setting up these services has taught me a lot about email message headers and
    > how to read them, but some of them get complicated when the spammers fake
    > the headers. I have copied below one of the more dastardly ones, with my
    > analysis. Can anyone confirm whether my analysis is correct?
    >
    > 01. Return-Path: <>
    > 02. Received: from mta6-rme.xtra.co.nz ([210.86.15.141]) by
    > mta203-rme.xtra.co.nz
    > 03. with ESMTP id
    > <>;
    > 04. Mon, 28 Jul 2003 06:56:53 +1200
    > 05. Received: from [203.96.92.132] ([202.181.232.156]) by
    > mta6-rme.xtra.co.nz
    > 06. with SMTP id
    > <20030727185649.GSAB22334.mta6-rme.xtra.co.nz@[203.96.92.132]>;
    > 07. Mon, 28 Jul 2003 06:56:49 +1200
    > 08. Received: from [182.72.99.61] by 203.96.92.132 id <5756415-04974>; Mon,
    > 28
    > 09. Jul 2003 00:54:50 +0500
    > 10. Message-ID: <7$7vtzti$$111$qs7e-qt$1e>
    > 11. From: "Muriel Casey" <>
    > 12. Reply-To: "Muriel Casey" <>
    > 13. To:
    > 14. Subject: RE: dkuxmhadw gfohy
    > 15. Date: Mon, 28 Jul 2003 00:54:50 +0500
    >
    > Analysis Legend
    > Line Number.
    > IP observed.
    > NSLookup Result.
    > My Comment.
    >
    > Line 2.
    > 210.86.15.141
    > mta102-rme.xtra.co.nz
    > Valid. Xtra mail transfer agent.
    > One of four at 210.86.15.140 .141 .142 or .143
    >
    > Line 5.
    > 203.96.92.132
    > pop3.xtra.co.nz
    > Faked - added by the spammer to attempt to disguise 202.181.232.156.
    > No valid reason for the pop3 server IP address to be in the message headers.
    >
    > Line 5.
    > 202.181.232.156
    > No reverse DNS (WSANO_DATA)
    > Spammer's IP.
    >
    > Line 8.
    > 182.72.99.61 No reverse DNS (WSANO_DATA) & 203.96.92.132
    > pop3.xtra.co.nz
    > Entire line faked by spammer.
    >
    > TIA.
    > -H
    totojepast, Aug 5, 2003
    #4
  5. Howard

    Howard Guest

    totojepast wrote:
    > From http://www.trustic.com/:
    >
    > "We regret to inform you that we are no longer taking registrations
    > and will soon be closing the service."
    >
    > Very sad. Is anybody willing to take over the Trustic service?


    Further from their site: "the system as it currently is designed will not
    achieve the level of accuracy that we require, and an inaccurate system is
    worse than no system".

    And from their Yahoo group

    "The issue of handling large ISPs that, for the most part,
    deal with spam complaints is one of the main flaws in the Trustic system
    for which we see no apparent solution."

    "the key issues for trustic.com, or any successor, are
    a) an appropriate weighting/reputation on recommendations; and
    b) dealing with high volume servers with small % but detectable
    quantity throughput of spam. I suspect this is compounded by a
    natural human tendency to report negatives recommendations and not
    positive."

    Several offers have been made to Mark Fletcher to take over the project
    code and/or data, with an indication that such offers may yet be accepted.
    Howard, Aug 5, 2003
    #5
