> How do I track down this person's isp?
> ...
> Received: from sparky895l095q ([67.69.60.207])
>     by simmts6-srv.bellnexxia.net
>     (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
>     id <[EMAIL PROTECTED]>
>     for <[EMAIL PROTECTED]>; Thu, 4 Dec 2003 23:35:23 -0500

The person that sent the email sent it from 67.69.60.207, assuming that bellnexxia.net can be trusted. If you have reason not to trust bellnexxia.net not to have modified or forged the headers, then, assuming you can trust sfcn.org, the email did come from 206.47.199.164:

> Received: from simmts6-srv.bellnexxia.net not authenticated [206.47.199.164]
>     by sfcn.org with NetMail SMTP Agent $Revision: 3.22.1.5 $ on Novell NetWare;
>     Thu, 04 Dec 2003 21:35:35 -0700
Now, let's check those IPs.

    $ host 67.69.60.207
    207.60.69.67.in-addr.arpa domain name pointer Toronto-HSE-ppp3804328.sympatico.ca.
    $ host 206.47.199.164
    164.199.47.206.in-addr.arpa domain name pointer simmts6.bellnexxia.net.

So, the ISP to target is sympatico.ca (looks like a dialup). You will want to notify bellnexxia.net that they may have an open relay (and you probably wouldn't be the first[1]).

The real mystery of course is the connection with doyleandsons.com. Is doyleandsons a legitimate family business as their website says, or a fantastic façade for some dementoid? If the perpetrator is not connected with them, and is merely pretending to be, then I would expect the real Mark Doyle and family would be more than happy to work with you in sorting it out. There's a phone number on the web site; I'm no expert in the Canadian phone system, but Dr. Google informs me 416 is an Ontario area code. Toronto is in Ontario.

A whois on doyleandsons.com reveals the contact info:

    Domain name: doyleandsons.com

    Registrant Info:
      Doyle and Sons LTD
      Mark Doyle ([EMAIL PROTECTED])
      416-526-0795 Fax: none
      214 Melville Ave
      Maple, ON L6A 1Z1
      CA

    Administrative Info:
      Doyle and Sons LTD
      Mark Doyle ([EMAIL PROTECTED])
      416-526-0795 Fax: none
      214 Melville Ave
      Maple, ON L6A 1Z1
      CA

    Technical Info:
      BlueGenesis.com Inc.
      BlueGenesis.com NOC ([EMAIL PROTECTED])
      905-673-7575 Fax: none
      5915 Airport Road.
      Mississauga, L4V 1T1
      CA

    Billing Info:
      Doyle and Sons LTD
      Mark Doyle ([EMAIL PROTECTED])
      416-526-0795 Fax: none
      214 Melville Ave
      Maple, ON L6A 1Z1
      CA

    Status: registrar-lock

Same info and phone number as the web site. BlueGenesis might be a good contact as well. Lastly,

    [EMAIL PROTECTED]:~$ host doyleandsons.com
    doyleandsons.com has address 64.62.201.212
    [EMAIL PROTECTED]:~$ host 64.62.201.212
    Host 212.201.62.64.in-addr.arpa not found: 3(NXDOMAIN)

So they apparently don't have reverse DNS set up correctly.
    [EMAIL PROTECTED]:~$ host -t any doyleandsons.com
    doyleandsons.com has address 64.62.201.212
    doyleandsons.com name server ns1.userver84.com.
    doyleandsons.com name server ns2.userver84.com.
    [EMAIL PROTECTED]:~$ host ns1.userver84.com
    ns1.userver84.com has address 64.62.201.212
    [EMAIL PROTECTED]:~$ host ns2.userver84.com
    ns2.userver84.com has address 64.62.201.213
    [EMAIL PROTECTED]:~$ host -t mx doyleandsons.com
    doyleandsons.com mail is handled by 0 doyleandsons.com.
    [EMAIL PROTECTED]:~$ host -t mx userver84.com
    userver84.com mail is handled by 0 userver84.com.

So they apparently are hosted by this userver84.com (virtual hosting on Apache, it seems), and email is handled by that same server. I don't see anything about this company on Google. doyleandsons has done at least one real transaction[2] with positive feedback at sell.com.

You may find that doyleandsons is a victim of impersonation, or you may not. Either seems just as likely: this is hardly businesslike behavior and they seem to be a real business at least, but the dialup ISP is Toronto, and Maple is but 15 mi north of Toronto, and so it just as well could be a Doyle (or whoever likes to pretend to be a Doyle family).

In summary, start with the phone number, then work on ISP, hosting facility, DNS technical contact, etc.

1. http://mailman.cauce.ca/pipermail/archives/canadian-spam-discuss/2003-January/000032.html
2. http://www.sell.com/feedback/index.x?_list=1&uname=doyleandsons

-- 
Hans Fugal | De gustibus non disputandum est.
http://hans.fugal.net/ | Debian, vim, mutt, ruby, text, gpg
http://gdmxml.fugal.net/ | WindowMaker, gaim, UTF-8, RISC, JS Bach
---------------------------------------------------------------------
GnuPG Fingerprint: 6940 87C5 6610 567F 1E95 CB5E FC98 E8CD E0AA D460
____________________ BYU Unix Users Group http://uug.byu.edu/ ___________________________________________________________________ List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
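The header walk Hans does by hand above, as an added example that is not part of the original post or of any tool the thread mentions. It parses the two Received: headers quoted in the thread (the sample message below is constructed from them, with the archive's redacted fields replaced by placeholders and the reverse-DNS answers from the thread embedded as an offline resolver), walks the chain from the bottom up, checks that each hop's "by" host is what the next hop says it received from, and reports the earliest IP that can be vouched for given which MTAs you choose to trust. The forged-header sample, the `example.org`/`example.net` names and the `192.0.2.10` address are constructed for the demonstration.

```python
from __future__ import annotations

import re
import socket
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Callable, Optional

# Constructed sample: the two Received: headers quoted in the thread, with
# the archive's "[EMAIL PROTECTED]" redactions replaced by placeholders.
SAMPLE_MESSAGE = """\
Received: from simmts6-srv.bellnexxia.net not authenticated [206.47.199.164]
 by sfcn.org with NetMail SMTP Agent $Revision: 3.22.1.5 $ on Novell NetWare;
 Thu, 04 Dec 2003 21:35:35 -0700
Received: from sparky895l095q ([67.69.60.207])
 by simmts6-srv.bellnexxia.net
 (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
 id <placeholder-id@simmts6-srv.bellnexxia.net>
 for <placeholder-recipient@sfcn.org>; Thu, 4 Dec 2003 23:35:23 -0500
Subject: constructed sample

(body omitted)
"""

# Constructed forgery: a spammer appends a fake bottom-most hop so the trail
# appears to start at an innocent host (RFC 5737 test address, example names).
FORGED_SAMPLE = SAMPLE_MESSAGE.replace(
    "Subject:",
    "Received: from innocent.example.org [192.0.2.10]\n"
    " by mx.example.net with SMTP; Thu, 4 Dec 2003 20:00:00 -0500\nSubject:")

# Reverse-DNS answers quoted in the thread, kept as an offline resolver.
PTR_FROM_THREAD = {
    "67.69.60.207": "Toronto-HSE-ppp3804328.sympatico.ca",
    "206.47.199.164": "simmts6.bellnexxia.net",
}

HOP_RE = re.compile(r"^from\s+(?P<name>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_name: str            # HELO/EHLO name the client announced: untrusted
    ip: Optional[str]         # address the receiving MTA saw on the socket
    by: str                   # MTA that wrote this header
    when: Optional[datetime]  # timestamp after the final ';', if parseable


def parse_received(raw_message: str) -> list[Hop]:
    """Return hops in delivery order (first hop first)."""
    msg = message_from_string(raw_message)
    hops: list[Hop] = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        m = HOP_RE.match(text)
        if not m:
            continue                         # e.g. local-delivery lines without 'from'
        ip = IP_RE.search(m.group("rest"))
        when = None
        if ";" in text:
            try:
                when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append(Hop(m.group("name"), ip.group(1) if ip else None, m.group("by"), when))
    hops.reverse()  # MTAs prepend, so the last header is the earliest hop
    return hops


def chain_breaks(hops: list[Hop]) -> list[int]:
    """Indices i where hop i's 'by' host is not what hop i+1 says it received
    from; a spliced or forged chain usually shows up as a break here."""
    return [i for i in range(len(hops) - 1)
            if hops[i].by.lower() != hops[i + 1].from_name.lower()]


def origin_given_trust(hops: list[Hop], trusted_mtas: set[str]) -> Optional[str]:
    """Walk back from final delivery while each header was written by an MTA we
    trust; the IP in the last trusted header is the earliest address we can
    vouch for (the reply's 'assuming bellnexxia.net can be trusted')."""
    trusted = {h.lower() for h in trusted_mtas}
    best = None
    for hop in reversed(hops):  # newest first
        if hop.by.lower() not in trusted:
            break
        best = hop.ip
    return best


def live_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup (what `host <ip>` does); None on NXDOMAIN or timeout."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def trace(raw_message: str, resolve: Callable[[str], Optional[str]] = live_ptr):
    """(claimed name, ip, PTR, receiving MTA) for each hop, earliest first."""
    return [(h.from_name, h.ip, resolve(h.ip) if h.ip else None, h.by)
            for h in parse_received(raw_message)]


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    for row in trace(SAMPLE_MESSAGE, PTR_FROM_THREAD.get):
        print("claimed %-28s ip %-16s ptr %-38s by %s" % row)
    print("chain breaks:", chain_breaks(hops), "forged:", chain_breaks(parse_received(FORGED_SAMPLE)))
    print("trusting sfcn.org only:", origin_given_trust(hops, {"sfcn.org"}))
    print("trusting both MTAs:", origin_given_trust(hops, {"sfcn.org", "simmts6-srv.bellnexxia.net"}))
```

Pass `live_ptr` (the default) to `trace` to do real lookups; the offline `PTR_FROM_THREAD.get` is there so the run above needs no network. The timestamp on each hop is kept because a chain whose times run backwards, or whose bottom hop is hours earlier than the next, is the other common sign of a pasted-in header.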
