RE: Could somebody help me check this out to be spam

  • From: Raj baby <braj@xxxxxxxxxx>
  • To: [ExchangeList] <exchangelist@xxxxxxxxxxxxx>
  • Date: Sat, 18 Oct 2003 10:59:12 +0200

Hi Mitch,

Thanks for the terrific explanation.

I tried it and I have 2 questions.

1) When I do an nslookup on 202.142.75.26 it says a "Non Existent" domain.
The same thing happens when I do it on emrg-global.com. You already said that
for you it resolved, but does not reverse lookup.

2) Network Solutions' "whois" command on emrg-global shows it as "This name is
available for registration." Also trying with Apnic.net whois search gives me
*** "No records found for 'emrg-global.com'"

Why is this difference when we both try it? (The only difference seems to be that
we are trying from two parts of the world!)

Thanks & regards
Raj

> Edits below, in  context.
> 
> What I found looking at the headers are explained below. Good luck on
> your spam hunting.
> 
> Thank you,
> Mitchell D. Lawrence
> **<Good|Cheap|Fast> (Pick Two)**
> 
> I presume this is not spam
> (possibly because this is from a job consultant)
> 
> Mitch: Actually, it appears to be spam to me...
> 
> 2) How the message IDs are shown like xxxxxxxxxx.javamail.server@server>
> 
> Mitch: This appears to have been sent using an application of some sort,
> possibly java based, maybe a web application.
> 
> ( Normally message IDs are like someone@xxxxxxxxxxxxx it
> purposefully***done ????)
> 
> 3) Also if I do an nslookup on 202.71.152.134 it shows a non-existent
> domain
> 
> Mitch: Rather than do an nslookup of something, I often go over to
> ARIN.NET and look up the IP itself. Tells you a lot more.
> 
> 
> 4) A "whois" command on emrg-global shows it as  "This name is available
> for registration."
> 
> 5) The To: address at the bottom shows a different name also.
> Can anyone help me understand this?
> 
> Mitch: I will give it a shot.
> 
> ************************************************************************
> Header
> ************************************************************************
> X-Apparently-To: baby_rajan@xxxxxxxxx via 216.136.129.246; Thu, 09 Oct
> 2003 23:06:07 -0700 
> 
> Return-Path: <raghu@xxxxxxxxxxxxxxx> 
> 
> Received: from 202.71.152.134 (EHLO mail.merakdemo.com) (202.71.152.134)
> by mta234.mail.scd.yahoo.com with SMTP; Thu, 09 Oct 2003 23:06:05 -0700 
> 
> Received: from ermg-global.com ([202.142.75.26]) by mail.merakdemo.com
> (Merak 6.0.5) with ASMTP id 617F7F9D; Fri, 10 Oct 2003 11:35:35 +0530 
> 
> ************************************************************************
> Analysis
> ************************************************************************
> Mitch: I hate how they always do this, this is one of the signs of spam.
> Send the message from the FUTURE! This tells you the path the message
> took to get to you. In reverse order. So the last received: line is
> usually the source one. Unless the spammer is smart and includes some
> forged Received: headers. In this case, the message originated from
> ermg-global.com (presumably 202.142.75.26, which does not reverse
> lookup with nslookup, but an nslookup of ermg-global.com on my machine
> comes back with 202.71.152.134, which does not reverse lookup.)
> 
> ************************************************************************
> Header
> ************************************************************************
> Message-ID: <105269.1065766322030.JavaMail.Server@server> 
> 
> ************************************************************************
> Analysis
> ************************************************************************
> Mitch: This is generated by the mail server the sender had his message
> go through first. Look like a homemade job to me (the @server) and not
> something professional.
> 
> ************************************************************************
> Header
> ************************************************************************
> X-MailAvAc: PostMaster AvAc (1.0.17) on [202.142.75.26] QuickHeal : 6.10
> 08-Oct-2003 
> X-Priority: 3 
> 
> ************************************************************************
> Analysis
> ************************************************************************
> Mitch: Somewhere along the line, it went through a virus scan.
> 
> ************************************************************************
> Header
> ************************************************************************
> Subject:  ERMG.......Most Urgent Req @ Digital Global Soft 
> 
> From: "Raghavendra" <raghu@xxxxxxxxxxxxxxx>
> X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 
> MIME-Version: 1.0 
> Date: Fri, 10 Oct 2003 11:35:03 +0530 
> X-Mailserver: Sent using PostMaster (v4.1.31) 
> X-Mailer: Microsoft Outlook Express 5.00.2919.6600 
> 
> ************************************************************************
> Analysis
> ************************************************************************
> Mitch: "Most Urgent Req"? Yeah, sure it is. I gleaned the following from
> the above info: The sender used OE to send the mail, and it went through
> a "Postmaster" mail server. I have not bothered to google on 'postmaster
> mail server', but I would assume it is probably a mail server used for
> mass mailing.
> 
> ************************************************************************
> Header
> ************************************************************************
> X-MSMail-Priority: Normal 
> 
> To: thandapraljt@xxxxxxxxxxx 
> 
> Content-Type: Multipart/mixed; boundary="----SIG_TOP1065766322140" 
> Content-Length: 4104 
> 
> ************************************************************************
> Analysis
> ************************************************************************
> Mitch: Nothing further to be learned from the header. Now you can take
> the information that we have, and run with it further.
> 
> My first stop is networksolutions.com, to use their whois to look up
> ermg-global.com:
> 
> Domain Name: ERMG-GLOBAL.COM
> Registrar: TUCOWS, INC.
> Whois Server: whois.opensrs.net
> Referral URL: http://www.opensrs.org
> Name Server: NS1.EVERYRUPEECOUNTS.COM
> Name Server: NS2.EVERYRUPEECOUNTS.COM
> Status: ACTIVE
> Updated Date: 14-jul-2003
> Creation Date: 25-jul-2000
> Expiration Date: 25-jul-2004
> 
> Everyrupeecounts? Mkay. An Indian site maybe? Irregardless, follow up
> with an ARIN.NET lookup of the originating IP address (202.142.75.26):
> 
> OrgName:    Asia Pacific Network Information Centre
> OrgID:      APNIC
> Address:    PO Box 2131
> City:       Milton
> StateProv:  QLD
> PostalCode: 4064
> Country:    AU
> 
> ReferralServer: whois://whois.apnic.net
> 
> NetRange:   202.0.0.0 - 203.255.255.255
> CIDR:       202.0.0.0/7
> NetName:    APNIC-CIDR-BLK
> NetHandle:  NET-202-0-0-0-1
> Parent:
> NetType:    Allocated to APNIC
> NameServer: NS1.APNIC.NET
> NameServer: NS3.APNIC.NET
> NameServer: NS.RIPE.NET
> NameServer: RS2.ARIN.NET
> NameServer: DNS1.TELSTRA.NET
> Comment:    This IP address range is not registered in the ARIN
> database.
> Comment:    For details, refer to the APNIC Whois Database via
> Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
> Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
> Comment:    for the Asia Pacific region. APNIC does not operate networks
> Comment:    using this IP address range and is not able to investigate
> Comment:    spam or abuse reports relating to these addresses. For more
> Comment:    help, refer to http://www.apnic.net/info/faq/abuse
> Comment:
> RegDate:    1994-04-05
> Updated:    2002-09-11
> 
> OrgTechHandle: AWC12-ARIN
> OrgTechName:   APNIC Whois Contact
> OrgTechPhone:  +61 7 3858 3100
> OrgTechEmail:  search-apnic-not-arin@xxxxxxxxx
> 
> This tells us to go and look on apnic. So we do:
> 
> inetnum:      202.142.64.0 - 202.142.95.255
> netname:      ZTL-AP
> descr:        Zee Telefilms Ltd
> country:      IN
> admin-c:      PSK4-AP
> tech-c:       SC188-AP
> mnt-by:       APNIC-HM
> changed:      hostmaster@xxxxxxxxx 20000526
> status:       ALLOCATED PORTABLE
> source:       APNIC
> 
> person:       P S Kamalakannan
> address:      E Connect India Ltd
> address:      United Mansions, 3rd floor
> address:      M G Road Bangalore 560001
> country:      IN
> phone:        +91 80 5599999
> fax-no:       +91 80 5580099
> e-mail:       kamalakannan@xxxxxxxxxxxxxx
> nic-hdl:      PSK4-AP
> mnt-by:       MAINT-NEW
> changed:      hostmaster@xxxxxxxxx 20000526
> source:       APNIC
> 
> person:       sanjay chavan
> address:      e-connect India Ltd., 3rd Floor,
> address:      United Mansion Bldg.
> address:      39 M.G. Rd., Bangalore - 560 001
> country:      IN
> phone:        +91-080-5599999
> fax-no:       +91-080-5580099
> e-mail:       chavans@xxxxxxxxxxxxxx
> nic-hdl:      SC188-AP
> mnt-by:       MAINT-NEW
> changed:      chavans@xxxxxxxxxxxxxx 20000511
> source:       APNIC
> 
> 
> And here we have it. Mr. Chavan is either sending, or allowing spam to
> be sent from his block of IP addresses. And I was right. India.
> 
> Hope this gives you a little insight into how to track spam. You can do
> further research and/or emails to various responsible parties, or you
> can do what I have done and just reject email from APNIC addresses. (a
> buttload of spam comes from asia.)
> 
> Regards,
> Mitch Lawrence
> 
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: 
> braj@xxxxxxxxxx


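As an added example (not code from either post in this thread), the following Python reproduces the header walk Mitch does above: it unfolds the Received: lines, lists the hops origin-first, and flags the two forgery signs he mentions, a timestamp that runs backwards along the path (compared in UTC, so a +0530 stamp next to a -0700 one is not by itself an anomaly) and a relay whose name does not match what the next hop announced. RAW_HEADERS is the pair of Received: lines quoted in the thread; FORGED_HEADERS is a constructed sample with example.net/.org/.com names.

```python
import re
from email.utils import parsedate_to_datetime

# Received: lines copied from the message quoted in this thread (sample input).
RAW_HEADERS = """\
Received: from 202.71.152.134 (EHLO mail.merakdemo.com) (202.71.152.134)
 by mta234.mail.scd.yahoo.com with SMTP; Thu, 09 Oct 2003 23:06:05 -0700
Received: from ermg-global.com ([202.142.75.26]) by mail.merakdemo.com
 (Merak 6.0.5) with ASMTP id 617F7F9D; Fri, 10 Oct 2003 11:35:35 +0530
"""
# Constructed, not from the thread: a hop whose relay name does not match the
# next hop and whose timestamp runs backwards by hours.
FORGED_HEADERS = """\
Received: from mx.example.net (EHLO mx.example.net) (198.51.100.7)
 by inbound.example.org with SMTP; Thu, 09 Oct 2003 23:06:05 -0700
Received: from legit-bank.example ([203.0.113.9]) by smtp.example.com
 with ESMTP id ABC123; Fri, 10 Oct 2003 20:00:00 +0000
"""
# announced name, optional HELO/EHLO name, first recorded IP, relay, timestamp
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)(?:\s+\((?:EHLO|HELO)\s+(?P<helo>[^)\s]+)\))?"
    r".*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")

def unfold(raw):
    """Join RFC 2822 folded continuation lines back onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_hops(raw):
    """Return hops origin-first, i.e. the reverse of header order as Mitch describes."""
    hops = []
    for h in unfold(raw):
        if h.lower().startswith("received:"):
            m = HOP_RE.search(h.split(":", 1)[1].strip())
            if m:
                hops.append({"claimed": m["claimed"], "helo": m["helo"], "ip": m["ip"],
                             "by": m["by"], "time": parsedate_to_datetime(m["date"].strip())})
    return hops[::-1]

def check_chain(hops, slack=300):
    """Flag clocks running backwards along the path (compared in UTC) and relays
    that do not match the name announced at the next hop (forged Received: sign)."""
    warnings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        delta = (cur["time"] - prev["time"]).total_seconds()
        if delta < -slack:
            warnings.append(f"hop {i}: stamped {-delta:.0f}s before the previous hop")
        if prev["by"] not in (cur["claimed"], cur["helo"]):
            warnings.append(f"hop {i}: relay {prev['by']} != announced {cur['claimed']}")
    return warnings
```

On the quoted message the chain is internally consistent (the origin hop is stamped 30 seconds before the Yahoo hop once both are in UTC), which is why the IP and whois lookups Mitch does next are the more useful trail.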