RE: Could somebody help me check this out to be spam

  • From: "DL.Exchange" <Exchange.Discussion@xxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 13 Oct 2003 08:38:56 -0500

Edits below, in context.

What I found looking at the headers are explained below. Good luck on
your spam hunting.

Thank you,
Mitchell D. Lawrence
**<Good|Cheap|Fast> (Pick Two)**

I presume this is not spam (possibly because this is from a job consultant).

Mitch: Actually, it appears to be spam to me...

2) How the message IDs are shown like xxxxxxxxxx.javamail.server@server>

Mitch: This appears to have been sent using an application of some sort,
possibly java based, maybe a web application.

(Normally message IDs are like someone@xxxxxxxxxxxxx; is it purposefully
done?)

3) Also if I do an nslookup on 202.71.152.134 it shows a non-existent
domain.

Mitch: Rather than do an nslookup of something, I often go over to
ARIN.NET and look up the IP itself. Tells you a lot more.


4) A "whois" command on emrg-global shows it as "This name is available
for registration."

5) The To: address at the bottom shows a different name also.
Can anyone help me understand this?

Mitch: I will give it a shot.

****************************************************************************
Header
****************************************************************************
X-Apparently-To: baby_rajan@xxxxxxxxx via 216.136.129.246; Thu, 09 Oct
2003 23:06:07 -0700 

Return-Path: <raghu@xxxxxxxxxxxxxxx> 

Received: from 202.71.152.134 (EHLO mail.merakdemo.com) (202.71.152.134)
by mta234.mail.scd.yahoo.com with SMTP; Thu, 09 Oct 2003 23:06:05 -0700 

Received: from ermg-global.com ([202.142.75.26]) by mail.merakdemo.com
(Merak 6.0.5) with ASMTP id 617F7F9D; Fri, 10 Oct 2003 11:35:35 +0530 

****************************************************************************
Analysis
****************************************************************************
Mitch: I hate how they always do this; this is one of the signs of spam.
Send the message from the FUTURE! This tells you the path the message
took to get to you, in reverse order. So the last Received: line is
usually the source one, unless the spammer is smart and includes some
forged Received: headers. In this case, the message originated from
ermg-global.com (presumably 202.142.75.26, which does not reverse
lookup with nslookup, but an nslookup of ermg-global.com on my machine
comes back with 202.71.152.134, which does not reverse lookup).

****************************************************************************
Header
****************************************************************************
Message-ID: <105269.1065766322030.JavaMail.Server@server> 

****************************************************************************
Analysis
****************************************************************************
Mitch: This is generated by the mail server the sender had his message
go through first. Looks like a homemade job to me (the @server) and not
something professional.

****************************************************************************
Header
****************************************************************************
X-MailAvAc: PostMaster AvAc (1.0.17) on [202.142.75.26] QuickHeal : 6.10
08-Oct-2003 
X-Priority: 3 

****************************************************************************
Analysis
****************************************************************************
Mitch: Somewhere along the line, it went through a virus scan.

****************************************************************************
Header
****************************************************************************
Subject:  ERMG.......Most Urgent Req @ Digital Global Soft 

From: "Raghavendra" <raghu@xxxxxxxxxxxxxxx>
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 
MIME-Version: 1.0 
Date: Fri, 10 Oct 2003 11:35:03 +0530 
X-Mailserver: Sent using PostMaster (v4.1.31) 
X-Mailer: Microsoft Outlook Express 5.00.2919.6600 

****************************************************************************
Analysis
****************************************************************************
Mitch: "Most Urgent Req"? Yeah, sure it is. I gleaned the following from
the above info: The sender used OE to send the mail, and it went through
a "Postmaster" mail server. I have not bothered to google on 'postmaster
mail server', but I would assume it is probably a mail server used for
mass mailing.

****************************************************************************
Header
****************************************************************************
X-MSMail-Priority: Normal 

To: thandapraljt@xxxxxxxxxxx 

Content-Type: Multipart/mixed; boundary="----SIG_TOP1065766322140" 
Content-Length: 4104 

****************************************************************************
Analysis
****************************************************************************
Mitch: Nothing further to be learned from the header. Now you can take
the information that we have, and run with it further.

My first stop is networksolutions.com, to use their whois to look up
ermg-global.com:

Domain Name: ERMG-GLOBAL.COM
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: http://www.opensrs.org
Name Server: NS1.EVERYRUPEECOUNTS.COM
Name Server: NS2.EVERYRUPEECOUNTS.COM
Status: ACTIVE
Updated Date: 14-jul-2003
Creation Date: 25-jul-2000
Expiration Date: 25-jul-2004

Everyrupeecounts? Mkay. An Indian site maybe? Regardless, follow up
with an ARIN.NET lookup of the originating IP address (202.142.75.26):

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   202.0.0.0 - 203.255.255.255
CIDR:       202.0.0.0/7
NetName:    APNIC-CIDR-BLK
NetHandle:  NET-202-0-0-0-1
Parent:
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: RS2.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment:    This IP address range is not registered in the ARIN
database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate:    1994-04-05
Updated:    2002-09-11

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:  search-apnic-not-arin@xxxxxxxxx

This tells us to go and look on apnic. So we do:

inetnum:      202.142.64.0 - 202.142.95.255
netname:      ZTL-AP
descr:        Zee Telefilms Ltd
country:      IN
admin-c:      PSK4-AP
tech-c:       SC188-AP
mnt-by:       APNIC-HM
changed:      hostmaster@xxxxxxxxx 20000526
status:       ALLOCATED PORTABLE
source:       APNIC

person:       P S Kamalakannan
address:      E Connect India Ltd
address:      United Mansions, 3rd floor
address:      M G Road Bangalore 560001
country:      IN
phone:        +91 80 5599999
fax-no:       +91 80 5580099
e-mail:       kamalakannan@xxxxxxxxxxxxxx
nic-hdl:      PSK4-AP
mnt-by:       MAINT-NEW
changed:      hostmaster@xxxxxxxxx 20000526
source:       APNIC

person:       sanjay chavan
address:      e-connect India Ltd., 3rd Floor,
address:      United Mansion Bldg.
address:      39 M.G. Rd., Bangalore - 560 001
country:      IN
phone:        +91-080-5599999
fax-no:       +91-080-5580099
e-mail:       chavans@xxxxxxxxxxxxxx
nic-hdl:      SC188-AP
mnt-by:       MAINT-NEW
changed:      chavans@xxxxxxxxxxxxxx 20000511
source:       APNIC


And here we have it. Mr. Chavan is either sending, or allowing spam to
be sent from his block of IP addresses. And I was right. India.

Hope this gives you a little insight into how to track spam. You can do
further research and/or send emails to various responsible parties, or you
can do what I have done and just reject email from APNIC addresses. (A
buttload of spam comes from Asia.)

Regards,
Mitch Lawrence

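Reading the Received: chain the way the post does, as an added example (not code from the post or the list): this Python script takes the two Received: lines quoted above (re-embedded as a constructed sample, masked addresses as they appear), reverses them into delivery order so the oldest hop is the probable origin, and flags a hop whose "by" relay is not the next hop's "from", or a timestamp that runs backwards once both are compared as zone-aware datetimes. The third hop in the forged variant and its .invalid hostnames are constructed to show the warnings firing.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the two Received: lines quoted in the post.
RAW_HEADERS = """\
Return-Path: <raghu@xxxxxxxxxxxxxxx>
Received: from 202.71.152.134 (EHLO mail.merakdemo.com) (202.71.152.134)
 by mta234.mail.scd.yahoo.com with SMTP; Thu, 09 Oct 2003 23:06:05 -0700
Received: from ermg-global.com ([202.142.75.26]) by mail.merakdemo.com
 (Merak 6.0.5) with ASMTP id 617F7F9D; Fri, 10 Oct 2003 11:35:35 +0530
Message-ID: <105269.1065766322030.JavaMail.Server@server>

body
"""
# Constructed variant: a forged oldest hop whose "by" host never hands off to
# the real origin and whose clock is ahead of the hop that follows it.
FORGED_HEADERS = RAW_HEADERS.replace("Message-ID:", """\
Received: from relay.example.invalid ([192.0.2.10]) by bogus.example.invalid
 with SMTP; Fri, 10 Oct 2003 14:00:00 +0530
Message-ID:""")

HOP_RE = re.compile(r"from\s+(?P<src>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
def parse_hops(raw):
    """Hops oldest-first: each relay prepends Received:, so header order is reversed."""
    hops = []
    for line in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(line.split())            # unfold continuation lines
        clause, _, stamp = text.rpartition(";")  # timestamp follows the last ';'
        m = HOP_RE.search(clause)
        if not m:
            continue
        from_clause = m.group("src") + m.group("extra")
        ips = IP_RE.findall(from_clause)
        hops.append({"from": from_clause, "ip": ips[0] if ips else None,
                     "by": m.group("by"), "time": parsedate_to_datetime(stamp.strip())})
    return hops

def check_chain(hops):
    """Flag a 'by' host missing from the next 'from', and a timestamp that runs
    backwards once compared as zone-aware datetimes (mixed zones alone pass)."""
    warnings = []
    for n, (prev, cur) in enumerate(zip(hops, hops[1:]), start=1):
        if prev["by"].lower() not in cur["from"].lower():
            warnings.append(f"hop {n}->{n + 1}: {prev['by']} never appears in '{cur['from']}'")
        if cur["time"] < prev["time"]:
            warnings.append(f"hop {n + 1} is stamped earlier than hop {n}")
    return warnings
```

On the genuine sample the two stamps are only 30 seconds apart in UTC, so only the forged variant produces warnings.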
