Re: spam CAUGHT, now how to catch spammer

Tue, 07 Sep 2010 16:05:53 -0700 

From: "John Hardin" <jhar...@impsec.org>
Sent: Tuesday, 2010/September/07 10:02



On Tue, 7 Sep 2010, Per Jessen wrote:


John Hardin wrote:


Sorry to mislead. SPAM was caught by spamassassin.
How can I get this guy stopped?
IP addresses are: 67.50.37.35,.36,.69,.75


Ah. Yes, that's a different question.

(1) Find out who owns those network addresses.

Use tools like http://enc.com.au/itools/inetnum.php and
http://enc.com.au/itools/person.php to do that.


whois will also tell you.


True, but at the time I was composing that message both command-line whois
and several US-based web UIs were returning a "unable to return results due to high traffic" message. 

Works from here, John.
===8<---
whois 67.50.37.35
[Querying whois.arin.net]
[Redirected to whois.integraonline.com:43]
[Querying whois.integraonline.com]
[whois.integraonline.com]
%rwhois V-1.5:003fff:00 adns5 (by Network Solutions, Inc. V-1.5.7.2)
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-36-0/23-NET
network:Network-Name:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:Street-Address:250 STOCKTON AVE
network:City:SANTA CLARA
network:State:CA
network:Postal-Code:95126
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2010-02-24
network:Updated-By:tradz...@integra.net

network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-0-0/15-NET
network:Network-Name:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:Street-Address:1201 NE Lloyd Blvd, Ste 500
network:City:Portland
network:State:OR
network:Postal-Code:97232
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2009-12-03
network:Updated-By:hostmas...@integra.net

%error 350 Invalid Query Syntax
%ok
===8<---
I'm not sure where the error 350 came from. GIGLINX or ELI-NETWORK-ELIX
may have a bad setup.

GIGLINX may be a formal spam source. The address "looks" bad to me. 95126
is San Jose. I don't know if it includes Santa Clara or not. (I'm not
familiar with that area.) I'd email integra.net about it at abuse,
hostmaster, and after an MTR run integra's upstream provider.

It's easier to simply let it accumulate and get a decent picture of what
the spam hydra is doing of late, which is about 3 times the volume of a
month ago. <sigh>
{^_^}

Reply via email to