> Checking my sendmail logs I can confirm the spam originally came from
> 192.90.127.17.  www.bull.net.  Since Bull is a respected company, either
> someone broke into their system, or bull doesn't have mail relaying
> disabled, and someone is simply relaying via there.

No, not quite.

Time for Spam Fighter 201...

here are the FULL headers...

Received: from acid.base.com (adsl-209-233-24-120.dsl.pacbell.net
[209.233.24.120])
 by scruz.net (8.8.5/1.34) with ESMTP id AAA15619
 for <[EMAIL PROTECTED]>; Wed, 17 Mar 1999 00:34:55 -0800 (PST)
 (envelope-from [EMAIL PROTECTED])
From: [EMAIL PROTECTED]
Received: (from majordomo@localhost)
 by acid.base.com (8.8.5/8.8.5) id VAA12996
 for mersenne-outgoing; Tue, 16 Mar 1999 21:52:01 -0800
Received: from www.bull.net (www.bull.net [192.90.127.17])
 by acid.base.com (8.8.5/8.8.5) with ESMTP id VAA12992
 for <[EMAIL PROTECTED]>; Tue, 16 Mar 1999 21:52:00 -0800
Received: from pegase.bull.fr (pegase.bull.fr [192.44.49.46]) by www.bull.net
(8.8.2/8.8.2) with ESMTP id GAA70746; Wed, 17 Mar 1999 06:49:48 +0100
Received: from dzbull.frdz.bull.fr (dzbull.frdz.bull.fr [129.184.3.21])
 by pegase.bull.fr (8.9.2/8.9.1) with ESMTP id GAA38362;
 Wed, 17 Mar 1999 06:35:58 +0100
Date: Wed, 17 Mar 1999 06:35:58 +0100
Message-Id: <[EMAIL PROTECTED]>
Received: from primus ([208.251.61.175]) by dzbull.frdz.bull.fr
          (Post.Office MTA v3.5.2 release 221 ID# 511-52867U100L2S100V35)
          with SMTP id fr; Wed, 17 Mar 1999 06:43:28 +0100
To: [EMAIL PROTECTED]
Subject: Mersenne: --= Free Software Club =--
Sender: [EMAIL PROTECTED]
Precedence: bulk
X-UIDL: f6f1c18dd2bd83da11bd17890e05a416

Ok.  The first two "Received" headers are merely the list server doing its
thing.  The next one is where the list server got the message from
www.bull.net.  The next two appear to be internal firewall type relays at
bull.fr.  The message-id is consistent with this.

But, note the LAST Received line?  "from primus ([208.251.61.175]) by ..." ?

Ok, the 'primus' part is what the spammer's bulk mail program replied with on
the 'HELO' command.  But, the part in the [ ]'s was logged by the receiving
server.  And guess who 208.251.61.175 is?

 $ nslookup -q=PTR 208.251.61.175
 ...   1Cust175.tnt2.ithaca.ny.da.uu.net

the spammer's friend, DA.UU.NET.

The account undoubtedly was terminated about 2 hours after the spam was sent,
but since those dialup nodes are used by literally dozens of different ISPs on
a sort of 'lease' basis, and many of these ISPs have free 30 day trial
accounts, the spammer merely needs to sign up again, and pump out as many
relays off of innocent European and Asian servers as he can.  At least
dzbull.frdz.bull.fr actually logged the source IP address.

Another relatively new stunt of these spammers....  Note the advertised
website?
    http://3634122867 ?
funny address, eh?  Traditional lookup tools tend to choke on those.  Well,
convert that decimal integer 3634122867 into hex, and it's D89C5073.  Now break
that into bytes-er-octets... D8.9C.50.73  Now convert those back to decimal
(ugh, what tangled webs these spammers weave), and it's 216.156.80.115.  A
 $ whois -h whois.arin.net 216.156.80.115
will show it's owned by '9netave.com' who is a legitimate ISP and web hosting
company.  A bit more poking will discover that this web account has already
been disabled, rendering the spam useless.  But, grrrr, the spammers' latest
'trick' seems to be to use 1-800 numbers instead of email addresses or
websites, and we have nowhere to complain to ("The Phone Company" ?  Hah!)...

Anyways, when I got the spam, I promptly sent my standard complaint form to
... [EMAIL PROTECTED], [EMAIL PROTECTED], and [EMAIL PROTECTED] with a CC: to
[EMAIL PROTECTED] (the Federal Trade Commission claims to use that address to track
unsolicited email activities).

Thanks for your patience.  We now return you to your regularly scheduled
programming.

-jrp
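The two analysis steps in the message above (walking the Received chain from the bottom up to the logged origin IP, and turning a decimal-integer URL host back into a dotted quad) as a small added Python script. This is example code written for this archive page, not something jrp posted; the Received lines are a constructed, trimmed copy of the headers quoted above, and the function names (unfold_headers, parse_received, origin_hop, decode_host) are my own. decode_host also accepts 0x-prefixed hex, which goes slightly beyond the decimal case the message describes.

```python
import re
import socket
import struct
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: the Received chain from the message above, trimmed to the
# parts this parser needs (the real headers carry dates, Message-Id, etc.).
SAMPLE_HEADERS = """\
Received: from acid.base.com (adsl-209-233-24-120.dsl.pacbell.net [209.233.24.120])
 by scruz.net (8.8.5/1.34) with ESMTP id AAA15619
Received: (from majordomo@localhost)
 by acid.base.com (8.8.5/8.8.5) id VAA12996
Received: from www.bull.net (www.bull.net [192.90.127.17])
 by acid.base.com (8.8.5/8.8.5) with ESMTP id VAA12992
Received: from pegase.bull.fr (pegase.bull.fr [192.44.49.46]) by www.bull.net
 (8.8.2/8.8.2) with ESMTP id GAA70746
Received: from dzbull.frdz.bull.fr (dzbull.frdz.bull.fr [129.184.3.21])
 by pegase.bull.fr (8.9.2/8.9.1) with ESMTP id GAA38362
Received: from primus ([208.251.61.175]) by dzbull.frdz.bull.fr
          (Post.Office MTA v3.5.2) with SMTP id fr
"""

# "from <helo> (<comment>) by <server>"; the comment is where the receiving
# MTA writes the peer address it actually saw, in square brackets.
HOP_RE = re.compile(r"^Received:\s+from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

Hop = Tuple[str, Optional[str], str]  # (HELO name, logged IP or None, receiving host)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Return one hop per 'Received: from ... by ...' header, top to bottom.

    The HELO name is whatever the sending side claimed; the bracketed IP is
    what the receiving server logged, so only the IP is worth trusting."""
    hops: List[Hop] = []
    for header in unfold_headers(raw):
        m = HOP_RE.match(header)
        if not m:
            continue  # local injections like "(from majordomo@localhost)" have no peer
        helo, comment, by = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(comment)
        hops.append((helo, ip.group(1) if ip else None, by.rstrip(";")))
    return hops


def origin_hop(hops: List[Hop]) -> Hop:
    """Headers are prepended on each relay, so the bottom-most hop is the origin."""
    return hops[-1]


def decode_host(host: str) -> Optional[str]:
    """Dotted-quad form of an IPv4 host written as a bare decimal integer
    (the page's http://3634122867), as 0x-prefixed hex, or already dotted.
    Returns None for anything that is not an IPv4 literal."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return host
    if not re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}|\d+", host):
        return None
    value = int(host, 16) if host.lower().startswith("0x") else int(host)
    if value > 0xFFFFFFFF:
        return None
    return socket.inet_ntoa(struct.pack("!I", value))  # big-endian 32-bit -> a.b.c.d


def decode_url_host(url: str) -> Optional[str]:
    """Pull the host out of a URL and normalise it with decode_host."""
    host = urlsplit(url).hostname
    return decode_host(host) if host else None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for helo, ip, by in hops:
        print(f"{helo:25s} [{ip or '-':15s}] -> {by}")
    print("origin:", origin_hop(hops))
    print("advertised site resolves to:", decode_url_host("http://3634122867"))
```

Running it prints the chain in the order the headers appear and ends with the origin hop ('primus', '208.251.61.175', 'dzbull.frdz.bull.fr') and the advertised site as 216.156.80.115, which is where a whois lookup would start.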


________________________________________________________________
Unsubscribe & list info -- http://www.scruz.net/~luke/signup.htm
