Edits below, in context. What I found looking at the headers is explained below. Good luck on your spam hunting.

Thank you,
Mitchell D. Lawrence
**<Good|Cheap|Fast> (Pick Two)**

> I presume this is not a spam (possibly because this is from a job consultant)

Mitch: Actually, it appears to be spam to me...

> 2) How the message IDs are shown like xxxxxxxxxx.javamail.server@server>

Mitch: This appears to have been sent using an application of some sort, possibly Java based, maybe a web application.

> (Normally message IDs are like someone@xxxxxxxxxxxxx; is it purposefully done????)
>
> 3) Also if I do an nslookup on 202.71.152.134 it shows a non-existent domain

Mitch: Rather than do an nslookup of something, I often go over to ARIN.NET and look up the IP itself. Tells you a lot more.

> 4) A "whois" command on emrg-global shows it as "This name is available for registration."
>
> 5) The To: address at the bottom shows a different name also.
>
> Can any one help me understand this??

Mitch: I will give it a shot.

************************************************************************
**** Header
************************************************************************

X-Apparently-To: baby_rajan@xxxxxxxxx via 216.136.129.246; Thu, 09 Oct 2003 23:06:07 -0700
Return-Path: <raghu@xxxxxxxxxxxxxxx>
Received: from 202.71.152.134 (EHLO mail.merakdemo.com) (202.71.152.134) by mta234.mail.scd.yahoo.com with SMTP; Thu, 09 Oct 2003 23:06:05 -0700
Received: from ermg-global.com ([202.142.75.26]) by mail.merakdemo.com (Merak 6.0.5) with ASMTP id 617F7F9D; Fri, 10 Oct 2003 11:35:35 +0530

************************************************************************
**** Analysis
************************************************************************

Mitch: I hate how they always do this; this is one of the signs of spam. Send the message from the FUTURE!

This tells you the path the message took to get to you, in reverse order. So the last Received: line is usually the source one, unless the spammer is smart and includes some forged Received: headers. In this case, the message originated from ermg-global.com (presumably 202.142.75.26, which does not reverse lookup with nslookup, but an nslookup of ermg-global.com on my machine comes back with 202.71.152.134, which does not reverse lookup).

************************************************************************
**** Header
************************************************************************

Message-ID: <105269.1065766322030.JavaMail.Server@server>

************************************************************************
**** Analysis
************************************************************************

Mitch: This is generated by the mail server the sender had his message go through first. Looks like a homemade job to me (the @server) and not something professional.

************************************************************************
**** Header
************************************************************************

X-MailAvAc: PostMaster AvAc (1.0.17) on [202.142.75.26] QuickHeal : 6.10 08-Oct-2003
X-Priority: 3

************************************************************************
**** Analysis
************************************************************************

Mitch: Somewhere along the line, it went through a virus scan.

************************************************************************
**** Header
************************************************************************

Subject: ERMG.......Most Urgent Req @ Digital Global Soft
From: "Raghavendra" <raghu@xxxxxxxxxxxxxxx>
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
MIME-Version: 1.0
Date: Fri, 10 Oct 2003 11:35:03 +0530
X-Mailserver: Sent using PostMaster (v4.1.31)
X-Mailer: Microsoft Outlook Express 5.00.2919.6600

************************************************************************
**** Analysis
************************************************************************

Mitch: "Most Urgent Req"? Yeah, sure it is. I gleaned the following from the above info: the sender used OE to send the mail, and it went through a "PostMaster" mail server. I have not bothered to google on 'postmaster mail server', but I would assume it is probably a mail server used for mass mailing.

************************************************************************
**** Header
************************************************************************

X-MSMail-Priority: Normal
To: thandapraljt@xxxxxxxxxxx
Content-Type: Multipart/mixed; boundary="----SIG_TOP1065766322140"
Content-Length: 4104

************************************************************************
**** Analysis
************************************************************************

Mitch: Nothing further to be learned from the header. Now you can take the information that we have, and run with it further.

My first stop is networksolutions.com, to use their whois to look up ermg-global.com:

Domain Name: ERMG-GLOBAL.COM
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: http://www.opensrs.org
Name Server: NS1.EVERYRUPEECOUNTS.COM
Name Server: NS2.EVERYRUPEECOUNTS.COM
Status: ACTIVE
Updated Date: 14-jul-2003
Creation Date: 25-jul-2000
Expiration Date: 25-jul-2004

Everyrupeecounts? Mkay. An Indian site maybe? Irregardless, follow up with an ARIN.NET lookup of the originating IP address (202.142.75.26):

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net

NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: RS2.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1994-04-05
Updated: 2002-09-11

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@xxxxxxxxx

This tells us to go and look on APNIC. So we do:

inetnum: 202.142.64.0 - 202.142.95.255
netname: ZTL-AP
descr: Zee Telefilms Ltd
country: IN
admin-c: PSK4-AP
tech-c: SC188-AP
mnt-by: APNIC-HM
changed: hostmaster@xxxxxxxxx 20000526
status: ALLOCATED PORTABLE
source: APNIC

person: P S Kamalakannan
address: E Connect India Ltd
address: United Mansions, 3rd floor
address: M G Road Bangalore 560001
country: IN
phone: +91 80 5599999
fax-no: +91 80 5580099
e-mail: kamalakannan@xxxxxxxxxxxxxx
nic-hdl: PSK4-AP
mnt-by: MAINT-NEW
changed: hostmaster@xxxxxxxxx 20000526
source: APNIC

person: sanjay chavan
address: e-connect India Ltd., 3rd Floor,
address: United Mansion Bldg.
address: 39 M.G. Rd., Bangalore - 560 001
country: IN
phone: +91-080-5599999
fax-no: +91-080-5580099
e-mail: chavans@xxxxxxxxxxxxxx
nic-hdl: SC188-AP
mnt-by: MAINT-NEW
changed: chavans@xxxxxxxxxxxxxx 20000511
source: APNIC

And here we have it. Mr. Chavan is either sending, or allowing spam to be sent from, his block of IP addresses. And I was right. India.

Hope this gives you a little insight into how to track spam. You can do further research and/or emails to various responsible parties, or you can do what I have done and just reject email from APNIC addresses. (A buttload of spam comes from Asia.)

Regards,
Mitch Lawrence
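The Received: walk described in the reply above, as an added example that is not part of the original post. It reads a raw header block, lists the hops oldest-first (the last Received: line is the first hop, as the reply says), records for each hop the name the sender claimed in HELO/EHLO, the address literal the receiving MTA actually saw, and the receiving MTA, and normalises every timestamp to UTC before comparing neighbours, so a hop is only flagged as "from the future" when it really is stamped before the hop that preceded it rather than merely carrying a different offset. The sample headers are the two Received: lines quoted in the thread; the forged variant, with the inner timestamp pushed two hours ahead, is constructed here to show what the check catches. Everything else (the Hop fields, the function names) is this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample: the two Received: lines quoted in the thread, each unfolded
# onto one line, plus the Message-ID. Personal addresses are left out.
SAMPLE_HEADERS = (
    "Received: from 202.71.152.134 (EHLO mail.merakdemo.com) (202.71.152.134)"
    " by mta234.mail.scd.yahoo.com with SMTP; Thu, 09 Oct 2003 23:06:05 -0700\n"
    "Received: from ermg-global.com ([202.142.75.26]) by mail.merakdemo.com"
    " (Merak 6.0.5) with ASMTP id 617F7F9D; Fri, 10 Oct 2003 11:35:35 +0530\n"
    "Message-ID: <105269.1065766322030.JavaMail.Server@server>\n"
    "\n"
)

# Constructed variant: the inner (older) hop stamped two hours later than the
# outer one, the "sent from the future" pattern the thread talks about.
FORGED_HEADERS = SAMPLE_HEADERS.replace(
    "Fri, 10 Oct 2003 11:35:35 +0530", "Fri, 10 Oct 2003 13:35:35 +0530"
)

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


@dataclass
class Hop:
    claimed_from: Optional[str]  # name the sender gave in HELO/EHLO (unverified)
    from_ip: Optional[str]       # address literal the receiving MTA recorded
    received_by: Optional[str]   # the MTA that wrote this Received: line
    when: Optional[datetime]     # timestamp normalised to UTC, None if unparsable
    raw: str


def parse_received(value: str) -> Hop:
    """Pull the from-name, from-IP, by-host and UTC timestamp out of one value."""
    clauses, sep, stamp = value.rpartition(";")
    if not sep:                      # no ';' means no timestamp clause at all
        clauses, stamp = value, ""
    parts = re.split(r"\s+by\s+", clauses.strip(), maxsplit=1, flags=re.IGNORECASE)
    from_part = parts[0]
    by_part = parts[1] if len(parts) > 1 else ""
    m_from = re.match(r"from\s+(\S+)", from_part, re.IGNORECASE)
    m_ip = IPV4.search(from_part)    # first literal in the from-clause
    m_by = re.match(r"(\S+)", by_part)
    when = None
    if stamp.strip():
        try:
            when = parsedate_to_datetime(stamp.strip())
            if when.tzinfo is None:  # "-0000" yields a naive value; treat it as UTC
                when = when.replace(tzinfo=timezone.utc)
            when = when.astimezone(timezone.utc)
        except (TypeError, ValueError, AttributeError):
            when = None
    return Hop(
        m_from.group(1) if m_from else None,
        m_ip.group(1) if m_ip else None,
        m_by.group(1) if m_by else None,
        when,
        value,
    )


def trace(raw_headers: str) -> List[Hop]:
    """Return the hops oldest-first: the last Received: header is the first hop."""
    msg = message_from_string(raw_headers)
    values = [" ".join(str(v).split()) for v in msg.get_all("Received", [])]
    return [parse_received(v) for v in reversed(values)]


def anomalies(hops: List[Hop]) -> List[str]:
    """Findings a reader of the chain wants: clocks running backwards, missing literals."""
    findings = []
    for i, hop in enumerate(hops):
        if hop.from_ip is None:
            findings.append(f"hop {i}: no address literal recorded")
        prev = hops[i - 1] if i else None
        if prev and hop.when and prev.when and hop.when < prev.when:
            skew = (prev.when - hop.when).total_seconds()
            findings.append(
                f"hop {i}: stamped {skew:.0f}s before hop {i - 1} "
                "(clock skew or forged Received: line)"
            )
    return findings


def origin(hops: List[Hop]) -> Optional[str]:
    """Earliest address literal in the chain: where the first recording MTA saw it come from."""
    return hops[0].from_ip if hops else None


if __name__ == "__main__":
    for label, raw in (("thread sample", SAMPLE_HEADERS), ("forged variant", FORGED_HEADERS)):
        hops = trace(raw)
        print(f"== {label}: origin {origin(hops)}")
        for i, h in enumerate(hops):
            print(f"  hop {i}: {h.claimed_from} [{h.from_ip}] -> {h.received_by} at {h.when}")
        for finding in anomalies(hops):
            print("  !", finding)
```

Once the two offsets are brought to UTC, the hops on the thread's own message are thirty seconds apart and in order; the forged variant trips the check. The address literal, not the HELO name, is what to carry into the registry lookups that follow, since the name is whatever the connecting client chose to say.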