[pistons92] Tracking Spam
- From: Hasta Purnama <hasta_purnama@xxxxxxxxxxx>
- To: pistons92@xxxxxxxxxxxxx
- Date: Sun, 9 Feb 2003 06:28:09 +0700
With respect,
http://www.claws-and-paws.com/spam-l/tracking.html#headers
Tracking Spam
This section deals with the technical aspects of spam, like telling where it
came from. Having a UNIX shell account will be extremely helpful as a lot of
the utilities are native to UNIX; however, you can perform most of these
functions with other operating systems using third-party (usually shareware)
tools, unlike UNIX, which comes with many of the tools mentioned already
installed.
OK, I just got spammed. Now what?
First, please make sure that it is indeed spam and that you didn't subscribe
yourself to a list and ended up forgetting about it. This is more common than
you might think -- ever fill out one of those web forms and forget to check
whether the "Send me Info" box was checked or unchecked? It's usually set on by
default.
Also make certain that it's not from someone you met or corresponded with
briefly, and have since forgotten. (It's happened to me!)
Here's a list of things to look for:
Forged headers.
Sent from a throwaway account. Common ISPs that supply throwaway accounts
include Compuserve, Prodigy, and Netcom.
Relayed through a third-party mailserver.
Promotes a webpage on another site.
Directs replies to an e-mail address on another system. Common examples include
AOL and hotmail accounts.
If you're certain it's spam, continue on!
But I only got one copy. How do I know it was really sent in bulk and therefore
spam?
You don't.
To elaborate, you don't need to. If it looks like spam and smells like it (be
sure to check the headers for signs of forgery), it's best to complain to the
ISPs involved and let them make that determination. If yours is the only
complaint they have received, then perhaps it wasn't a spam at all. If however
the ISP receives hundreds of complaints, they can then conclude that their
client did spam and take appropriate action against them.
What are these "headers" you folks keep talking about?
An e-mail message is divided into two parts, the headers and the body. The
headers contain all the technical information, such as who the sender and
recipient are, and what systems it has passed through. The body contains the
actual message text. The headers and body are separated by a blank line. In
some mail programs, the headers are shown separately.
How can I view the headers with mail client X?
What follows are instructions for viewing headers with some of the more popular
mail clients:
Elm, Pine, and Mutt
Press "h" from the message selection menu to view the full headers of the
currently selected message.
Eudora
Open the message. Under the title bar are four options. The second from the
left is a box which says "Blah, Blah, Blah." Click on that to display the full
headers.
Hotmail
Go into "Options", "Preferences", and choose "Message headers". You'll want to
choose the "Full" option to display Received: headers. "Advanced" will display
that as well as MIME headers.
Do note, however, that sometimes Hotmail has to press some previous generation
mailservers into service, and messages sent through those mailservers won't
show any headers no matter what. :-(
Lotus Notes 4.6.x
Open the offending mail. Click on "Actions", then "Delivery information". Cut
and paste the text from the bottom box, marked "Delivery information:".
Netscape Mail
Choose "OPTIONS" from the options menu bar. Listed as an option is "Show
Headers". Choose full headers.
Outlook Express
Open the message. Choose "File" from the options menu bar. Listed as an option
is "properties". Another window will open, showing two tabs. You want to choose
the one titled "Details". Then cut and paste the headers into the message you
want to forward.
Outlook 2000
Double click on the message to open it up, click on "View --> Options", and you
will see the message headers in a box at the bottom of the window. You can
copy/paste them from that window.
Pegasus
Choose "READER" from the options menu bar. Listed as an option is: "Show all
Headers". This does not work for HTML messages, however. A workaround is to
select the message properties, and de-selecting "Contains HTML data".
How do I read them?
This depends on your mail reading program. Most programs have an option that
will display all the headers of the message. Another technique is to read your
e-mail with a standard text editor as opposed to an e-mail program. Check the
docs that come with your email reader or read the online help. You could also
contact your ISP for assistance or talk to your help desk if this takes place
at work.
You'll know that you're viewing the headers when you see several lines that
start with the word "Received: ". These lines are very important to tracking
the source of a spam, as you'll see later.
What does "forging" mean?
"Forging" means trying to disguise where the message came from. Spammers do
this a lot so that you won't know whom to complain to. It can be done by a
variety of methods, from simply placing deliberately erroneous information in
their email program, to manually sending mail using Telnet to an SMTP server
(port 25). This requires fairly intimate knowledge of the SMTP protocol, which
is, unfortunately, not hard to understand. (RFC 821. A slightly more readable
version is available at the faqs.org site).
Forging e-mail headers is not presently illegal in the US. Some argue that it
should be.
Uh, what's Telnet?
Telnet is the name of both a program and a part of the TCP/IP protocol suite
which allows you to remotely access a computer. In the case of services such as
mail, which run on port 25, you can telnet into that port and interact with the
service manually. You can also do this to webservers on port 80 or finger
daemons on port 79. It's kinda neat. :-)
Anyway, to access telnet if you are on a UNIX system, just type telnet hostname
<port>, where the port number is optional. If you are on Windows 95/98/NT,
choose "Run" from the start menu and type telnet hostname <port> from there.
Otherwise, searching Tucows http://www.tucows.com/ for a Telnet program would
be a good thing (NiftyTelnet for Macintosh is pretty good).
In a typical spam, there are two different kinds of systems involved:
The sending system. This is the actual machine that the spammer is on, assuming
that they are using a SLIP/PPP connection. Its name usually has "dialup" or
"ppp" somewhere in the name.
The mailing system. This is the "point of injection". Most e-mail clients (or
MTAs under UNIX) allow the user to designate a "smarthost", more commonly known
as a "relay". This takes the load off of the user's machine and places it on
the ISP's mailserver so the user can do other things. When forging a message,
the spammer will choose another host elsewhere on the Internet so that their
provider will not know what they are up to.
How can I track down the sending system?
Look in the headers and you will find a series of lines starting with the line
"Received:". One of these is added for every system the e-mail passes through.
The synopsis for a Received: header is:
Received: from <one system> by <the next system> <the current date>
Therefore, the following example headers:
--------QUOTED HEADERS-------------
Received: from hermes.ntview.com by oasis.ot.com (8.7.6/8.7.3) with ESMTP
id CAA26482 for <dmuth@xxxxxx>; Tue, 28 Jan 1997 02:25:42 -0500 (EST)
-------END QUOTED HEADERS----------
demonstrate that the original message was sent by hermes.ntview.com.
The Received: headers are added at the top of the message by each MTA (Mail
Transport Agent), so that your own system's Received: line should be the first
you read, and the spammer's will be somewhere down the list. The list should
form an unbroken path (i.e. from B by A, from C by B, from D by C). If the path
is broken somewhere, it is often a sign that the rest of the Received: lines
are forged.
One other way to get an idea of the sending system is to look for the first
occurrence of a PPP or SLIP hostname, or something similar indicating a dialup
connection. Spammers don't relay through dialups very much. :-)
What about these "stealth" mailers?
Some of the newer spamming programs put in fake Received: headers in order to
prevent users from finding the first ones. This is rather foolish, as most
spammers don't understand the net and put in wildly bogus values.
Here are a few things that let you know a header has been forged:
Look for a wrong Eastern Timezone of "-0600 (EST)" (EST is normally -0500,
while EDT is -0400) in conjunction with an SMTP id which will always start with
"GAA..." This is perhaps the most common Stealth Mailer signature seen (an
example of it appears below)
A new, laughably "repaired" Stealth Mailer has surfaced recently; its signature
errors are an SMTP id which always starts with "XAA..." and an Eastern Timezone
correction which is even more wrong than before, now listing "-0700 (EDT)"
Look for a spoofed address in the Received: header. A real Received: header has
the address of the recipient as the address (i.e. dmuth@xxxxxx in the above
example). If the address there isn't yours, it's a forged header.
Look for a spoofed SMTP id. A real one generally matches its first letter to
the hour of the time the hand-off occurred; e.g., if the time listed in this
header is between midnight and 1:00 a.m., its SMTP id should start with "A...";
between 1:00 a.m. and 2:00 a.m. should indicate "B..." and so on.
Look for IP node numbers of 0 or greater than 254. IP addresses only range from
1 to 254. (0 indicates a network address and 255 is for broadcasting).
Look for a system named "alt1"; this can be filtered on, as I have caught many
spams with zero false positives in this manner.
A few examples of spoofed headers:
Received: from email4all@xxxxxxx by email4all@xxxxxxx (8.8.5/8.6.5) with
SMTP id GAA02084 for <email4all@xxxxxxx>; Thu, 26 Jun 1997
10:52:37 -0600 (EST)
Received: from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net
(8.8.5/8.6.5) with SMTP id GAA06154 for <gpg@xxxxxxxxx>; Wed, 25 Jun 1997
23:00:38 -0600 (EST)
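As an added example (not code from the FAQ or its author), here is a Python script that reads a header block, walks the Received: lines from the top and applies the checks described above: the unbroken from/by chain, an EST/EDT label paired with the wrong offset, the hour letter at the start of a sendmail SMTP id, octets of 0 or above 254, a recipient address that is not yours, and a host named "alt1". The sample header block is constructed from the examples quoted above with placeholder addresses, and the chain is built so the bottom line fails every check.

```python
import re

# Constructed sample header block modelled on the genuine and forged
# Received: lines quoted in this FAQ; the addresses are placeholders. The top
# line is the most recent hop, as in a real message.
SAMPLE_HEADERS = """\
Received: from smtp.gte.net (radius3.gte.net [206.124.68.25]) by
    oasis.ot.com (8.7.6/8.7.3) with SMTP id SAA18708 for <me@example.com>;
    Wed, 5 Mar 1997 18:41:30 -0500 (EST)
Received: from r9892423 (Cust118.Max60.Los-Angeles.CA.MS.UU.NET
    [153.34.100.118]) by smtp.gte.net (SMI-8.6/) via SMTP id QAA16410; Wed, 5
    Mar 1997 16:31:34 -0600
Received: from lconn.net (alt1.lconn.net(206.25.61.0)) by lconn.net
    (8.8.5/8.6.5) with SMTP id GAA06154 for <gpg@example.net>; Wed, 25 Jun 1997
    23:00:38 -0600 (EST)
"""

# Offsets a zone label must carry; "-0600 (EST)" is the stealth mailer tell.
ZONE_OFFSETS = {"EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
                "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700"}

HOP_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)")
IP_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
ID_RE = re.compile(r"\bid\s+(\w+)")
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+)>?")
TIME_RE = re.compile(r"(\d{1,2}):\d\d:\d\d\s+([+-]\d{4})(?:\s+\(([A-Z]{3,4})\))?")


def received_lines(raw):
    """Unfold continuation lines and keep only the Received: headers."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [l for l in lines if l.lower().startswith("received:")]


def parse_hop(line):
    """Extract the fields the FAQ says to inspect from one Received: line."""
    m = HOP_RE.search(line)
    if not m:
        return None
    hop = {"from": m.group(1), "comment": m.group(2).strip(), "by": m.group(3),
           "ip": None, "id": None, "for": None, "hour": None, "offset": None,
           "zone": None, "flags": []}
    ip = IP_RE.search(hop["comment"])   # address the receiving host recorded
    if ip:
        hop["ip"] = tuple(int(o) for o in ip.groups())
    for key, rx in (("id", ID_RE), ("for", FOR_RE)):
        f = rx.search(line)
        if f:
            hop[key] = f.group(1)
    t = TIME_RE.search(line)
    if t:
        hop["hour"], hop["offset"], hop["zone"] = int(t.group(1)), t.group(2), t.group(3)
    return hop


def check_hop(hop, my_address):
    """Apply the per-line forgery signatures listed in the FAQ."""
    flags = hop["flags"]
    if hop["zone"] in ZONE_OFFSETS and ZONE_OFFSETS[hop["zone"]] != hop["offset"]:
        flags.append("zone %s does not match offset %s" % (hop["zone"], hop["offset"]))
    # sendmail queue ids open with a letter encoding the hour: A=00 .. X=23
    if hop["id"] and hop["hour"] is not None and hop["id"][0] != chr(ord("A") + hop["hour"]):
        flags.append("id %s does not match hour %02d" % (hop["id"], hop["hour"]))
    if hop["ip"] and any(o == 0 or o > 254 for o in hop["ip"]):
        flags.append("octet outside 1-254 in %s" % ".".join(map(str, hop["ip"])))
    if hop["for"] and hop["for"].lower() != my_address.lower():
        flags.append("for <%s> is not the recipient" % hop["for"])
    if "alt1" in (hop["from"] + hop["comment"] + hop["by"]).lower():
        flags.append("host named alt1")
    return hop


def analyze(raw, my_address):
    """Check each hop, then verify the chain reads from B by A, from C by B."""
    hops = [h for h in map(parse_hop, received_lines(raw)) if h]
    for hop in hops:
        check_hop(hop, my_address)
    for upper, lower in zip(hops, hops[1:]):
        if upper["from"].lower() != lower["by"].lower():
            lower["flags"].append("path breaks: %s says it got the mail from %s, "
                                  "but this line claims it was handled by %s"
                                  % (upper["by"], upper["from"], lower["by"]))
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(analyze(SAMPLE_HEADERS, "me@example.com")):
        print(n, hop["from"], "->", hop["by"], hop["flags"] or "looks consistent")
```

Lines below the first break in the chain are the ones to distrust; the last line that still chains cleanly (here the UU.NET dialup, recorded by smtp.gte.net) is where the trail of real evidence ends.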
A word about firewalls and forwarders
If your ISP has a firewall, or you have some sort of forwarding from another
e-mail address, there may be one or more extra sets of Received: headers
present. Please mention this when reporting a spam to the list.
For example, if I have an e-mail address of dmuth@xxxxxxxxxxxxx which forwards
e-mail to the address dmuth@xxxxxxxxxx, there will be an extra Received: header
put in by forwarder.com:
Received: from forwarder.com (forwarder.com [201.96.1.32])
by myhost.com (8.8.7/8.8.7) with ESMTP id SAA02629
for <dmuth@xxxxxxxxxx>; Thu, 18 Sep 1997 18:31:46 -0400 (EDT)
What's this stuff in parentheses in the Received: header?
When there is stuff in a set of parentheses, it is due to the receiving host
adding in the IP address (and possibly a reverse DNS as well) of the host which
sent them the e-mail. This prevents the sending host from lying about its name
(A Good Thing).
For example:
--------QUOTED HEADERS-------------
Received: from q.qqq.com (ppp-206-171-250-20.vntrcs.pacbell.net
[206.171.250.20]) by mail.themall.net (8.8.5/8.8.2/IIAM 1.0 (DCH)) with
SMTP id IAA00719; Wed, 5 Mar 1997 08:40:22 -0800 (PST)
-------END QUOTED HEADERS----------
mail.themall.net did a reverse DNS and determined that this mail really came
from pacbell.net as opposed to qqq.com, which is really in the Netherlands.
Whoever sent this lied about their origin, but the system did a "callback" of
sorts.
Just a note though, a forged header could have a forged "reverse DNS" lookup as
well.
How do I track down the point of injection?
The point of injection is usually the second host in the mail path (i.e. the
second bottom-most Received: line); the first is usually the spammer's machine.
Remember, if the spammer is trying to cover their tracks, they won't use their
own ISP's mailserver.
For example:
--------QUOTED HEADERS-------------
Received: from smtp.gte.net (radius3.gte.net [206.124.68.25]) by
oasis.ot.com (8.7.6/8.7.3) with SMTP id SAA18708 for <dmuth@xxxxxx>;
Wed, 5 Mar 1997 18:41:30 -0500 (EST)
Received: from r9892423 (Cust118.Max60.Los-Angeles.CA.MS.UU.NET
[153.34.100.118]) by smtp.gte.net (SMI-8.6/) via SMTP id QAA16410; Wed, 5
Mar 1997 16:31:34 -0600
-------END QUOTED HEADERS----------
The spammer set their relay to smtp.gte.net, an innocent system. Also, as you
can see, smtp.gte.net did a reverse DNS, which is good as the spammer put a
bogus name in for their system (r9892423).
Sometimes a bare IP number is an attempt by the spammer to conceal the host's
name. If you're lucky, you can find out the host's name just by running an
nslookup or similar. However, not all hosts have a human-readable name; if the
host you want to investigate only has an IP number, you can at least try to
find out who owns the netblock via whois. See below.
An address written as a single big number is a special case of a raw IP
address. All Internet addresses (IPv4) are really 32-bit numbers (between 0
and roughly 4.2 billion), but they're conventionally broken up into 8-bit
pieces with periods between them. If you are familiar with hexadecimal
notation, this should be fairly easy to understand: 3735928559 is equal to
0xdeadbeef which, if you insert periods between the octets, is
0xde.0xad.0xbe.0xef, which is 222.173.190.239. (This is not really an existing
host address, at the time of this writing.)
Many, many hosts are badly configured so that there is no reverse DNS for
looking them up by IP number, even though there is a host name associated with
that IP number. Sometimes you can find a host's name by probing it a little
bit. For example, telnetting to port 25 will get you a standard SMTP greeting
which contains a host name, if that host is running an SMTP (mail) server. (Of
course, the host name there could still be forged or incomplete.)
Why should I bother to track down the point of injection?
Most sysadmins do not like it when another user sends out hundreds of thousands
or even millions of pieces of e-mail through their system without their
permission. Therefore, they will appreciate you telling them that their system
was/is being abused in such a manner.
Secondly, it is also a theft of service to use another system for sending your
e-mail. When Cyberpromo sends out its 2 million bulk e-mails, all they send to
the innocent mailhost is the text of the message and a list of the recipients.
This poor system now has to create one copy of the message for every address on
that list and deliver them, which is a huge waste of resources on that system.
At this point, the sysadmin may want to sue the spammer.
What's Traceroute, and how do I use it?
Traceroute is a UNIX tool (there are versions for other OSes) for determining
the path that your data packets take from one system to another. In the case
where a spammer has their own domain, you can use it to determine who their ISP
is and complain to them directly.
The synopsis of the traceroute command on UNIX is:
traceroute <hostname>
For example:
$ traceroute whitehouse.gov
traceroute to whitehouse.gov (198.137.241.30), 30 hops max, 40 byte packets
1 milo.ot.net (199.234.240.100)
2 slab.ot.net (199.234.240.1)
3 ucsc2-gw-hssi1-0.phl.prep.net (129.250.201.1)
4 ucsc1-gw-fddi-1-0.phl.prep.net (192.204.183.1)
5 border2-hssi1-0.WestOrange.mci.net (204.70.66.5)
6 core1-fddi-1.WestOrange.mci.net (204.70.64.33)
7 somerouter.sprintlink.net (206.157.77.106)
8 sl-pen-18-P4/0/0-155M.sprintlink.net (144.232.0.73)
9 144.232.8.2 (144.232.8.2)
10 sl-dc-17-F0/0.sprintlink.net (144.228.20.17)
11 sl-eop-1-S0-T1.sprintlink.net (144.228.72.66) **The upstream**
12 whitehouse.gov (198.137.241.30)
As you can see, whitehouse.gov has sprintlink.net as an ISP, also known as
their "Upstream Provider".
I don't have/use/understand UNIX. Can I still use traceroute?
Yes. Most operating systems, including Win 3.x, Win95, and WinNT, have a
traceroute tool. On Windows systems, open a DOS session and use the command
tracert <hostname>
This tool is present on most Win95 and WinNT machines, and on Windows for
Workgroups 3.11 with the TCP/IP-32b drivers installed. (Hint: Try it. If it
doesn't work, it's probably not installed. Easier than figuring out the
gibberish above) ;-)
http://www.cyberkit.net/. On the Macintosh, you can use the shareware product
called IPNetMonitor, which has a full suite of I.P. tools, including Trace
Route, Whois, NS Lookup & Ping. It is available at: http://www.sustworks.com.
Also available is AGNet Tools, which can be found at Lycos (Tucows):
http://shareware.lycos.com/tucows/preview/68724.shtml.
The rest of the information on traceroute applies. Note that you may not have
this program installed, especially if you use a third-party TCP/IP stack. In
this case, see the section on web-based traceroutes
(http://www.claws-and-paws.com/spam-l/tracking.html#traceroute-web) for
Web-based gateways to traceroute.
Traceroute says "unknown host", now what?
You probably have chosen a mail alias -- a system that handles mail for a given
Internet domain. Use the nslookup command to search for MX records and run
traceroute to the resulting system(s).
The synopsis for using nslookup is:
nslookup -q=mx <hostname>
Although nslookup's output is verbose and a bit cryptic to the neophyte, you
should be able to glean some good host names from the list you get.
Example:
dmuth:~$ nslookup -q=mx ot.com
Server: ns.ot.com
Address: 199.234.240.5
ot.com preference = 10, mail exchanger = mail.ot.com
ot.com nameserver = ns.ot.com
ot.com nameserver = dns-east.prep.net
mail.ot.com internet address = 199.234.240.2
ns.ot.com internet address = 199.234.240.5
dns-east.prep.net internet address = 129.250.252.10
In this case, the mail alias for ot.com is mail.ot.com, which you could then do
a traceroute to.
Traceroute hangs, now what?
Since traceroute does a reverse DNS on every host it encounters, there may be a
DNS server not responding that prevents traceroute from finishing the trace.
Try a "traceroute -n" to display only the IP addresses. You can use nslookup
later to determine the host names.
I get a bunch of asterisks (**), now what?
This means that the host you're trying to reach didn't respond. This may
indicate that the spammer has been disconnected! (Joy!)
Of course, it could be that the system is just down for a while, such as a
dialup host which is not currently dialed up to the net.
Web Based Tracerouting
Point your web browser to http://www.traceroute.org for a list of traceroute
servers you can use.
What's WHOIS, and how do I use it?
'Whois' specifies a protocol by which a whois client can query a 'Whois' server
for information regarding domain names, IP ranges or people.
In general, the syntax of the Whois command (under Unix) is:
$ whois -h <whois.host.to.query> "search string"
Certain whois clients are installed to query a particular whois server
(normally whois.internic.net) by default.
Usually when querying a particular whois server, you can always ask for 'help'.
Using 'Whois' for Domains (.com, .net, .edu, .org ):
Before using 'whois' randomly, it pays to understand a certain hierarchy in the
organisation of domain names. Historically, the InterNIC handled all domains
under .com, .net, .edu, and .org. Recent changes have forced this system to be
split up into a Registry (the core database) and many Registrars (organisations
which register domains into the Registry).
To query the Registry for domains within the .com, .net, .edu, and .org TLDs
(Top Level Domains), first query the InterNIC Registry:
$ whois -h whois.internic.net suck.com (www-whois link may change in future)
This will return a *redirection* to the database of the appropriate Registrar.
(Formerly, Network Solutions was both the Registry (as InterNIC) and
Registrar), i.e.:
Whois Server Version 1.1
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: SUCK.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: NS3.HOTWIRED.COM
Name Server: NS2.HOTWIRED.COM
Name Server: NS1.HOTWIRED.COM
Updated Date: 16-may-2000
>>> Last update of whois database: Tue, 25 Jul 00 03:43:32 EDT <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
Then, query the appropriate Registrar, i.e.:
$ whois -h whois.networksolutions.com suck.com (www-whois search link may
change in future)
(output abbreviated)
Registrant:
The Vacuum Cleaner Company (SUCK-DOM)
c/o Wired Ventures, Inc. 660
Third Street, 4th Fl.
San Francisco, CA 94107
US
Domain Name: SUCK.COM
Administrative Contact:
Contact, Domain Administration (DAC11) domain-admin@xxxxxxxxxxxx
Technical Contact, Zone Contact:
Contact, Domain Technical (DTC5) domain-tech@xxxxxxxxxxxx
Billing Contact:
Domain Billing Contact (DBC4-ORG) domain-billing@xxxxxxxxxxxx
Record last updated on 16-May-2000.
Record expires on 25-May-2001.
Record created on 24-May-1995.
Database last updated on 24-Jul-2000 22:59:05 EDT.
Domain servers in listed order:
NS1.HOTWIRED.COM 204.62.131.44
NS2.HOTWIRED.COM 209.185.151.6
NS3.HOTWIRED.COM 204.62.130.122
Using Whois for Country-Code Top Level Domains (ccTLDs, .au, .ch etc):
Sometimes you will want to find out information about domains that are not in
the traditional international .com, .net, .org, .edu etc TLDs.
These are usually handled by the Registry for that specific country, identified
by the ISO3166 Two Letter code for that country.
As there are far too many to list here, you can usually get away with using
'XX.whois-servers.net' as the whois server, where 'XX' is the two-letter
country code (e.g. 'au.whois-servers.net' for domains within .au, Australia):
$ whois -h au.whois-servers.net sofcom.com.au
Note that a lot of ccTLDs have a further hierarchy, such as 'com' for
Commercial Entities, 'net' for Networks, 'org' for organisations, etc., so the
actual organisation may be on the third or fourth level of the domain name
(reading from the right).
Geektools http://www.geektools.com/cgi-bin/proxy.cgi will happily query the
appropriate whois server for you.
Using Whois for IP ranges and ASNs:
Historically, the former InterNIC managed (under the auspices of IANA) the
allocation of IP numbers to ISPs and other organisations. This changed somewhat
when the Regional Internet Registry system was started, with the creation of
three Regional Internet Registries (RIRs) around the world, each managing the
allocation of IP addresses to organisations within differing physical areas.
(See also RFC2050, http://ftp.isi.edu/in-notes/rfc2050.txt)
This means that there is no central whois database for IP numbers, or ASNs.
Each RIR maintains an authoritative Whois database detailing these allocations.
The RIRs sometimes allocate large IP ranges to particular countries
(specifically to the National Internet Registry of that country) which usually
runs another database. Be careful to fully read the output of any whois search.
Note that ARIN took over the former InterNIC's role in managing IP numbers, and
a large number of whois clients point by default to whois.ARIN.net. The other
two RIRs have placed redirection notices in the ARIN database informing users
to go query the appropriate RIR.
Sending spam complaints to the Regional Internet Registries tends to be an
exercise in futility, as the RIRs have no authority to deal with spam
complaints, limited resources, and dearly wish that people would use the
appropriate databases rather than continually mistakenly claiming that the RIRs
hide/are spammers. If you see a reference to another database, follow the
reference. Don't annoy the Happy Fun RIRs.
The IP ranges for each RIR are detailed at:
http://www.iana.org/assignments/ipv4-address-space
APNIC's Prettified Version
Autonomous System numbers (ASNs) are detailed at:
http://www.iana.org/assignments/as-numbers
APNIC's Prettified Version
An ASN is used by an Autonomous System (i.e. an ISP) as an identifier when they
announce their routes to the rest of the Internet world. It is a 16-bit
number, from 1 to 65535. In most cases, you won't need to know about this.
Huh, what was all that?
If you find this confusing, try to find a whois program which will sort out the
complexities for you. Look at e.g. Sam Spade http://www.samspade.org/ or IPW in
the Tools section.
I'm too lazy to use WHOIS or don't have enough time. Is there a "default"
address which I can e-mail?
Yes. While it's not an official standard, many sites, including big companies
like Netcom and PSI, have begun implementing the username "abuse" for network
abuse issues. So if you got spam from a psi.net user, writing to
<abuse@xxxxxxx> is the recommended course of action.
Of course, since it's not required, not all sites support the abuse
address. If you get a bounce, it's recommended that you write to "postmaster"
instead. Since every site is required to have such an address by RFC 822
http://www.ietf.org/rfc/rfc0822.txt, that will most likely work for you.
Postmaster bounced! Now what?!?
Sometimes spammers with their own sites intentionally do this to deflect
complaints, sometimes it's a result of extreme cluelessness on the part of the
site owner. At any rate, you have several options at this point, which include:
Using WHOIS to find another contact address to complain to or a phone number to
call.
Using traceroute to find who provides the feed to that site, then using WHOIS
to complain to the upstream.
Going to the website to get a contact e-mail address and/or phone number.
Just remember, don't flame the ISP; I've already had postmaster bouncing from
major ISPs because of new configurations which weren't fully tested at the time.
What are netblocks, and how are they useful?
An IP address is divided into two parts, the address of the network, and the
address of the machine. Which is which depends on what the first number of the
IP address is:
Class A
A class A network uses the first number as the network address, so you can have
16.7 million (2^24) nodes in that network. The network address must also be
between 1 and 126. (127 is loopback). For example, net 38 is owned by psi.net.
Class B
A class B network uses the first 2 numbers as a network address which makes for
65,535 (2^16) possible nodes. Class B networks range between 128.0 and 191.255.
For example, 153.34 is owned by uu.net.
Class C
Class C networks use the first 3 numbers as a network address with 256 possible
nodes. Class Cs range between 192.0.0 and 223.255.255. For example, 199.234.240
is owned by Oasis Telecommunications.
Class D and Class E
Class D is for networks 224 to 239.255.255.255. Class E is for networks 240 to
255.255.255.255. Class D is for multicast messages and class E is reserved for
experimentation and development. If you see one of these IP addresses in a
header, you can be quite certain that the header has been forged. (Or there is
a serious configuration problem somewhere.)
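As an added example (not code from the FAQ), the following Python takes an address either as a dotted quad or in the "single big number" form discussed earlier, splits it into octets, applies the classful rules just listed, and builds the net number to hand to whois.arin.net in the "whois <net number>@whois.arin.net" form the FAQ uses. Class D, class E, loopback and a leading 0 are reported as suspicious rather than looked up, since the text says their appearance in a header points to forgery.

```python
def to_octets(address):
    """Return the four octets of a dotted quad or of a 32-bit decimal number."""
    if "." in address:
        parts = [int(p) for p in address.split(".")]
        if len(parts) != 4:
            raise ValueError("expected four octets: %r" % address)
    else:
        number = int(address)
        if not 0 <= number <= 0xFFFFFFFF:
            raise ValueError("not a 32-bit address: %r" % address)
        # peel the 8-bit pieces off from the top, just as 0xdeadbeef splits
        # into 0xde.0xad.0xbe.0xef
        parts = [(number >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    if any(not 0 <= p <= 255 for p in parts):
        raise ValueError("octet out of range: %r" % address)
    return parts


def classify(octets):
    """Classful category of an address, decided by its first octet."""
    first = octets[0]
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    if first >= 240:
        return "E"
    return "invalid"   # a first octet of 0 is never a host on the Internet


def net_number(address):
    """Describe the address and, for class A/B/C, the netblock to look up."""
    octets = to_octets(address)
    cls = classify(octets)
    keep = {"A": 1, "B": 2, "C": 3}.get(cls)   # octets that name the network
    dotted = ".".join(str(o) for o in octets)
    if keep is None:
        # class D/E, loopback or 0.x.x.x in a Received: line is a forgery sign
        return {"address": dotted, "class": cls, "net": None,
                "query": None, "suspicious": True}
    net = ".".join(str(o) for o in octets[:keep] + [0] * (4 - keep))
    return {"address": dotted, "class": cls, "net": net,
            "query": "whois %s@whois.arin.net" % net, "suspicious": False}


if __name__ == "__main__":
    for sample in ("3735928559", "153.34.100.118", "38.9.1.1", "224.0.0.1"):
        print(net_number(sample))
```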
To do a whois on a netblock, all you need to do is type "whois <net
number>@whois.arin.net". You can have zeros trailing after the net number if
you like.
For example:
dmuth:~$ whois 153.34.0.0@xxxxxxxxxxxxxx
[rs.internic.net]
UUNET Technologies, Inc. (NET-UUNETCUSTB)
3060 Williams Drive
Fairfax, VA 22031
US
Netname: UU-153-34
Netblock: 153.34.0.0 - 153.34.255.255
Maintainer: UU
Coordinator:
Uunet, AlterNet [Technical Support] (OA12) help@xxxxxxxxxxxx
+1 (800) 900-0241
Alternate Contact:
UUNET Postmaster (UUPM) postmaster@xxxxxxxxxxxx
703-206-5440
Domain System inverse mapping provided by:
HUGIN.UU.NET 153.39.242.112
MUNIN.UU.NET 153.39.242.113
AUTH60.NS.UU.NET 198.6.1.181
Another interesting note is that you can find groups of netblocks with whois.
Typing <whois 153@xxxxxxxxxxxxxx> will give you a listing of all of the class B
networks from 153.0 to 153.255.
Note, however, that the listed owner might have leased out portions of their
bigger netblock to clients of theirs. UU.NET is a good example -- some of their
netblocks are leased out to customer ISPs whom you should probably contact
about spam you received from them.
What's nslookup, and how do I use it?
Nslookup will perform DNS and reverse DNS queries for you. DNS is the Domain
Name System, which is what associates human-friendly host names ("www.ot.com")
with IP numbers (subject to change -- at the time of writing, www.ot.com is
199.234.240.8).
When a mailhost in the Received: header has only an IP address listed, you may
want to do a DNS query to find out what host name the IP number corresponds to.
The synopsis for nslookup is:
nslookup (IP address|machine name) [dns server]
Here's a reverse DNS example:
$ nslookup 199.234.240.8
Server: ns.ot.com
Address: 199.234.240.5
Name: www.ot.com
Address: 199.234.240.8
Your Server: and Address: lines will vary as per your ISP, but the resulting
name and address will be the same.
Here's a DNS example:
$ nslookup ans.net
Server: ns.ot.com
Address: 199.234.240.5
Non-authoritative answer:
Name: ans.net
Address: 147.225.5.5
The "non-authoritative answer" is because I used my ISP's DNS server
(ns.ot.com) instead of one of ans's servers. Here, I correct that and use
ns.ans.net as my DNS server:
nslookup ans.net ns.ans.net
Server: ns.ans.net
Address: 192.103.63.100
Name: ans.net
Address: 147.225.5.5
You can find out the name of an authoritative server from the whois info for a
domain, or with the -q=ns option to nslookup.
How to do some web-based spam tracking
If you don't have access to any of the aforementioned tools (maybe you are
using a public terminal at a library), you could use Sam Spade, which can be
found at http://www.samspade.org. Sam Spade can do an nslookup, whois,
traceroute, and find out who owns the netblock of the machine.
This tool will benefit novices the most.
How can I test a system to see if it relays e-mail?
Since mail servers usually reside on port 25, you need to telnet to port 25 of
the host that you suspect to be relayable. Once connected, you should see
something like this:
220 relay.com ESMTP Sendmail 8.8.7/8.8.7; Sun, 4 Jan 1998 17:54:11 -0500 (EST)
^^^^^^^^^^^^^^^^^^^^
Take note of the MTA and its version number. To start, type:
HELO somesite.com
with whatever domain name you want. While the name doesn't matter, I like to
use "forged" or something similar so I can tell apart this e-mail when I get
it. This value will appear in the Received: header that the site generates.
Now type:
mail from: address
with whatever address you want. This is the address that will appear in the
From_ header at the start of the e-mail.
Type:
rcpt to: your e-mail address
This will tell the system where to send the e-mail. Note that you can type this
line multiple times with multiple e-mail addresses. This is how a spammer sends
an e-mail to thousands of people at once.
Now, type:
DATA
At this point, you can enter in your e-mail message. I would suggest putting in
at least a Subject: header, with a space after the colon and separating the
headers from the body by an empty line. However, no headers are necessary.
To finish the e-mail, type a period at the start of a line and hit enter. If
you made it this far and the server returned a message saying that the message
was accepted for delivery, then it is very likely that the server allows
relaying, at least from your particular IP address.
However, Stephen J Friedl warns that some servers use front ends which accept
SMTP connections on port 25, then pass the e-mail to another server or program
which does the real processing. In these cases, your message may not be relayed
even though it appears otherwise. The only way to make certain that a
particular server does do relaying is to see if you actually get the e-mail
that you sent.
Also, to see if the server logs the original IP address and does a reverse DNS
on your host, check the Received: header that the server generated.
For further information, read RFC 821 (SMTP Commands)
http://www.ietf.org/rfc/rfc0821.txt and RFC 822 (The format of e-mail)
http://www.ietf.org/rfc/rfc0822.txt.
Thank you.
--
Menur 29A Surabaya 60116
031-5941153 08155158070
http://asia.profiles.yahoo.com/hasta_purnama