How can I trace the source of this email?

Discussion in 'Computer Security' started by Randell D., Nov 5, 2003.

  1. Randell D.

    Randell D. Guest

    Can someone tell me how I received the following email?

    Its junk email - I used to have several pop3 boxes, but now I have one and
    have all my previous emails forwarded to the one pop3 box. I know it came
    from one of my alias or mail forwarding accounts, and not directly to my
    pop3 account because I use zoneedit.com for my mail forwarding and they are
    mentioned in the email path. I have replaced my real pop3 account with
    in the path... If I can find out the original address it
    was sent to, then I can figure out who has sold my email address without my
    permission...

    Cheers
    Randell D.


    04 Nov 2003 16:09:57 -0700 (MST)
    Received: from pd8mi1no.prod.shaw.ca
    (pd8mi1no-qfe2.prod.shaw.ca [10.0.149.144]) by l-daemon
    (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
    with ESMTP id <[email protected]> for
    (ORCPT ); Tue, 04 Nov 2003 16:09:57 -0700 (MST)
    Received: from mail.zoneedit.com (mail.zoneedit.com [67.29.152.143])
    by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
    with ESMTP id <[email protected]> for ; Tue,
    04 Nov 2003 16:09:57 -0700 (MST)
    Received: from maxio3.uk2net.com (maxlb1ip.uk2net.com [213.239.57.81])
    by mail.zoneedit.com (Postfix) with ESMTP id 91A7E625978; Tue,
    04 Nov 2003 18:09:56 -0500 (EST)
    Received: from [10.0.1.221] (helo=mail.uk2.net) by maxio3.uk2net.com with
    smtp
    (Exim 4.24) id 1AHAHp-00038p-Ea; Tue, 04 Nov 2003 23:08:33 +0000
    Received: from 81.199.84.12 (SquirrelMail authenticated user complotto)
    by maxproxy2.uk2net.com with HTTP; Tue, 04 Nov 2003 23:08:19 +0000 (GMT)
    Date: Tue, 04 Nov 2003 23:08:19 +0000 (GMT)
    From: manager lotto <>
    Subject: CONGRATULATIONS
    To: undisclosed-recipients: ;
    Message-id: <2net.com>
    MIME-version: 1.0
    Content-type: text/plain; charset=iso-8859-1
    Content-transfer-encoding: 8BIT
    Importance: Normal
    X-Priority: 3
    User-Agent: SquirrelMail/1.4.1
    X-SA-Exim-Mail-From:
    X-Spam-Checker-Version: SpamAssassin 2.60-rc6 (1.208-2003-09-19-exp) on
    maxio3.uk2net.com
    X-Spam-Status: No, hits=4.0 required=5.0 tests=LINES_OF_YELLING,
    MAILTO_TO_SPAM_ADDR,PRIORITY_NO_NAME,SELECTED_YOU autolearn=no
    version=2.60-rc6
    X-Spam-Level: ***
    X-SA-Exim-Version: 3.0 (built Tue May 27 21:41:10 CEST 2003)
    Original-recipient: rfc822;

    For the hell of it, I include everything I have managed to find out about it
    below:


    Domain Name: LINKFINANCEANDTRUSTLTD.NET
    Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
    Whois Server: whois.melbourneit.com
    Referral URL: http://www.melbourneit.com
    Name Server: YNS1.YAHOO.COM
    Name Server: YNS2.YAHOO.COM
    Status: ACTIVE
    Updated Date: 15-oct-2003
    Creation Date: 15-oct-2003
    Expiration Date: 15-oct-2004


    [whois.melbourneit.com]

    Domain Name.......... linkfinanceandtrustltd.net
    Creation Date........ 2003-10-16
    Registration Date.... 2003-10-16
    Expiry Date.......... 2004-10-16
    Organisation Name.... Richard Forbes
    Organisation Address. 105 B North Milledge Ave.
    Organisation Address.
    Organisation Address. athens
    Organisation Address. 30612
    Organisation Address. GA
    Organisation Address. UNITED STATES

    Admin Name........... Richard Forbes
    Admin Address........ 105 B North Milledge Ave.
    Admin Address........
    Admin Address........ athens
    Admin Address........ 30612
    Admin Address........ GA
    Admin Address........ UNITED STATES
    Admin Email..........
    Admin Phone.......... +1.7065468122 <==== ## Holiday Inn Express ##


    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email...........
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com


    -----Original Message-----
    FROM: THE PRIZE AWARD DEPARTMENT
    WORLDWIDE PREMIER LOTTO, UK


    Congratulations Category A prize winner! You have been
    selected as one of two winners of the Worldwide Premier Lotto
    UK computer ballot draws and thus will be a privileged recipient
    of the grand draw prize of £ 7,500,000 (Seven million five
    hundred thousand Great Britain Pounds only). Winning File
    Reference number for your prize is WWPL/UK/ 61-812087; ticket
    number 003-214-39/A.

    We in the Worldwide Premier Lotto UK is by this
    program, launching our model computer balloting lottery draws,
    developed and designed to satisfy the cravings of the ever
    growing number of participants in our various lottery programs. With
    funds accrued exclusively from previous draws, payouts to
    all winners are guaranteed and will be transferred in record time.

    After randomly selecting 15,000 participants from an
    initial database of 300,000 emails and zoning all
    participants by their respective continents from across the
    globe, we produced an extensive list from which you have emerged as one of
    the winners of the Grand Draw prize.

    To ensure a smooth collection of your winnings, the
    transfer of your prize is to be handled by our Prize
    Transfer agents. You are to contact our agents by email
    and/or fax within a week of receiving this notice.
    Please find full contact details below:

    Mr. Simon Perchard
    Finance Director
    Link Finance and Trust Ltd.
    20 - 24 St. Leonard's Road
    Windsor SL4 3BB, United Kingdom
    Great Britain
    Tel: (+44) 709 204 1843
    Fax: (+44) 709 203 9288

    Email:

    Also find all other relevant winning lottery
    information
    below:
    Draw Serial No: 35/751346
    Batch No: 06-A852
    Zonal Draw No: A2-003
    Grand Draw No: 12099

    You are seriously advised to keep all winning lottery
    information and numbers from the public in line with
    our company security protocol to avoid double claiming
    and unwarranted abuse of this program by unscrupulous individuals.

    Please direct all further correspondences and queries
    to your respective category Prize Transfer handlers.
    Congratulations once again from the Worldwide Premier Lotto family.


    Sincerely,


    Joseph Finn
    International Promotions Manager
    WORLDWIDE PREMIER LOTTO, UK
     
    Randell D., Nov 5, 2003
    #1

  2. Randell D.

    Kevin Guest

    Why don't you just report these guys to ?

     
    Kevin, Nov 5, 2003
    #2

  3. looks to be the first email server to catch the mail... but if you don't
    have an email address handled by their servers, it would be up the
    list... you're the only one of us so far that knows what email addresses
    you have :)




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Nov 5, 2003
    #3
  4. Randell D.

    Vanguard Guest

    Received:
    from <untrusted_helo_string> (pd8mi1no-qfe2.prod.shaw.ca
    [10.0.149.144])
    by l-daemon ...; Tue, 04 Nov 2003 16:09:57 -0700 (MST)
    Received:
    from <untrusted_helo_string> (mail.zoneedit.com [67.29.152.143])
    by l-daemon ...; Tue, 04 Nov 2003 16:09:57 -0700 (MST)
    Received:
    from maxio3.uk2net.com (maxlb1ip.uk2net.com [213.239.57.81])
    by mail.zoneedit.com ...; Tue, 04 Nov 2003 18:09:56 -0500 (EST)
    Received:
    from [10.0.1.221] (helo=<untrusted_helo_string>)
    by maxio3.uk2net.com ...; Tue, 04 Nov 2003 23:08:33 +0000
    Received:
    from 81.199.84.12 (...)
    by maxproxy2.uk2net.com with HTTP; Tue, 04 Nov 2003 23:08:19 +0000
    (GMT)

    You can't go by the HELO/EHLO string that the sender ("from" host)
    claimed that identifies them. The first 2 Received headers seem to be
    used by whatever e-mail forwarding provider that you are using to bounce
    your e-mail around inside their service. The 3rd Received header with a
    uk2net.com looks to have the first step outside your provider's domain,
    reinforced by the distinct change in the timezone. Also note that the
    "by" host in the 3rd Received header says the sender is at IP address
    213.239.57.81 but the "from" host reported by that same server shows an
    internal host at 10.0.1.221 (so now you're inside the spam source
    domain). I wouldn't trust any Received headers after that (but then
    uk2net.com is also listed).

    It looks like uk2net.com is running an open proxy or has otherwise been
    compromised by spammers. If the open (abused) proxy at uk2net.com is
    actually reporting a valid IP address of whomever connected to it, then
    the IP address 81.199.84.12 belongs to CIDR-COMMUNICATION-01 in Nigeria
    (another Nigerian scam?), according to RIPE's WhoIs. However, bitch to
    uk2net.com for operating an open relay. Bitching to the spammer won't
    help and can only hurt you more.

    You might want to use e-mail aliases instead of forwarding accounts. I
    think the paid-for Yahoo accounts have e-mail aliases. Otherwise, you
    can use Sneakemail.com to create aliases to your e-mail account. When
    registering for a web site or software or when having to divulge a valid
    e-mail account, you can create a Sneakemail alias on the fly. Just
    create a unique alias that only that recipient will ever get. If you
    ever get spammed through that alias then you know who screwed you.
    E-mails delivered through the alias account will have a comment in the
    To header from Sneakemail telling you the alias account through which
    the e-mail was delivered. SpamMotel also provides e-mail aliases but I
    dislike them inserting a statistics table at the start of my e-mails.
    SpamEx, I think, also provides e-mail aliases but costs money.
    Sneakemail is free for a basic account (i.e., daily and monthly quota
    restrictions on bandwidth and quota restriction on max message size) but
    for whom I am dispensing e-mail aliases this is more than sufficient for
    me, but you can get their paid account with larger quotas.
     
    Vanguard, Nov 5, 2003
    #4
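As an added example (not code from the thread or from any poster), the following Python script walks the Received chain that Vanguard annotates above, oldest hop first: it takes the IP the receiving server recorded in brackets rather than the HELO string the sender chose, flags private addresses as "inside the sender's network", and reports the first hop that was handed to servers you trust. The trusted suffixes .shaw.ca and .zoneedit.com are an assumption based on the original poster's provider and forwarder.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address
# Constructed sample: the Received chain quoted in the thread, re-folded so it parses.
RAW_HEADERS = """\
Received: from pd8mi1no.prod.shaw.ca (pd8mi1no-qfe2.prod.shaw.ca [10.0.149.144])
 by l-daemon with ESMTP; Tue, 04 Nov 2003 16:09:57 -0700 (MST)
Received: from mail.zoneedit.com (mail.zoneedit.com [67.29.152.143])
 by l-daemon with ESMTP; Tue, 04 Nov 2003 16:09:57 -0700 (MST)
Received: from maxio3.uk2net.com (maxlb1ip.uk2net.com [213.239.57.81])
 by mail.zoneedit.com (Postfix) with ESMTP; Tue, 04 Nov 2003 18:09:56 -0500 (EST)
Received: from [10.0.1.221] (helo=mail.uk2.net) by maxio3.uk2net.com with smtp
 (Exim 4.24); Tue, 04 Nov 2003 23:08:33 +0000
Received: from 81.199.84.12 (SquirrelMail authenticated user complotto)
 by maxproxy2.uk2net.com with HTTP; Tue, 04 Nov 2003 23:08:19 +0000 (GMT)
"""
HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? .*?by (\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw):
    """Return the hops oldest-first: the last Received header is the first hop."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        helo, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
        # Prefer the receiver's bracketed [ip] over the HELO string the sender chose.
        ip = IPV4_RE.search(comment) or IPV4_RE.search(helo)
        hops.append({
            "helo": helo, "by": by_host, "ip": ip.group(1) if ip else None,
            "private": bool(ip) and ip_address(ip.group(1)).is_private,
            "when": parsedate_to_datetime(value.rsplit(";", 1)[-1]),
        })
    return hops


def handoff_hop(hops, trusted_suffixes):
    """Oldest hop received by a server you trust (the suffixes are an assumption
    about whose servers you trust); its 'from' IP is the last you can vouch for."""
    for hop in hops:
        if any(hop["by"].endswith(s) for s in trusted_suffixes):
            return hop


if __name__ == "__main__":
    hops = parse_received(RAW_HEADERS)
    for h in hops:
        print(h["ip"], "->", h["by"], h["when"].isoformat(), "PRIVATE" if h["private"] else "")
    print("handed to your providers by:", handoff_hop(hops, (".shaw.ca", ".zoneedit.com"))["ip"])
```

Everything before the handoff hop was written by servers outside your control, so the 81.199.84.12 origin is only as reliable as uk2net.com's own logging.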
  5. Randell D.

    Don Kelloway Guest

    The header indicates that someone using a system assigned with IP
    81.199.84.12 logged into http://mailme.uk2net.com/ with the user account
    of 'complotto'. While logged in, they sent this email.

    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
     
    Don Kelloway, Nov 6, 2003
    #5
  6. Randell D.

    Randell D. Guest

    Thanks to all who replied...
     
    Randell D., Nov 6, 2003
    #6