Hi Mitch,

Thanks for the terrific explanation. I tried it and I have 2 questions.

1) When I do an nslookup on 202.142.75.26 it says a "Non Existent" domain. The same thing happens when I do it on emrg-global.com. You already said that for you it resolved, but does not reverse lookup.

2) Network Solutions' "whois" command on emrg-global shows it as "This name is available for registration." Also trying with Apnic.net's whois search gives me *** "No records found for 'emrg-global.com'". Why is this difference when we both try it? (The only difference seems to be that we are trying from two parts of the world!)

Thanks & regards
Raj

> AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS:
> http://www.msexchange.org.org/thawte/
> Edits below, in context.
>
> What I found looking at the headers is explained below. Good luck on
> your spam hunting.
>
> Thank you,
> Mitchell D. Lawrence
> **<Good|Cheap|Fast> (Pick Two)**
>
> I presume this is not a spam
> ( possibly because this is from a job consultant)
>
> Mitch: Actually, it appears to be spam to me...
>
> 2) How the message IDs are shown like xxxxxxxxxx.javamail.server@server>
>
> Mitch: This appears to have been sent using an application of some sort,
> possibly Java based, maybe a web application.
>
> ( Normally message IDs are like someone@xxxxxxxxxxxxx; is it
> purposefully done ????)
>
> 3) Also if I do an nslookup on 202.71.152.134 it shows a non-existent
> domain
>
> Mitch: Rather than do an nslookup of something, I often go over to
> ARIN.NET and look up the IP itself. Tells you a lot more.
>
> 4) A "whois" command on emrg-global shows it as "This name is available
> for registration."
>
> 5) The To: address at the bottom shows a different name also.
> Can anyone help me understand this ??
>
> Mitch: I will give it a shot.
> ****************************************************************************
> Header
> ****************************************************************************
> X-Apparently-To: baby_rajan@xxxxxxxxx via 216.136.129.246; Thu, 09 Oct
> 2003 23:06:07 -0700
>
> Return-Path: <raghu@xxxxxxxxxxxxxxx>
>
> Received: from 202.71.152.134 (EHLO mail.merakdemo.com) (202.71.152.134)
> by mta234.mail.scd.yahoo.com with SMTP; Thu, 09 Oct 2003 23:06:05 -0700
>
> Received: from ermg-global.com ([202.142.75.26]) by mail.merakdemo.com
> (Merak 6.0.5) with ASMTP id 617F7F9D; Fri, 10 Oct 2003 11:35:35 +0530
>
> ****************************************************************************
> Analysis
> ****************************************************************************
> Mitch: I hate how they always do this; this is one of the signs of spam.
> Send the message from the FUTURE! This tells you the path the message
> took to get to you, in reverse order. So the last Received: line is
> usually the source one, unless the spammer is smart and includes some
> forged Received: headers. In this case, the message originated from
> ermg-global.com (presumably 202.142.75.26, which does not reverse
> lookup with nslookup, but an nslookup of ermg-global.com on my machine
> comes back with 202.71.152.134, which does not reverse lookup.)
>
> ****************************************************************************
> Header
> ****************************************************************************
> Message-ID: <105269.1065766322030.JavaMail.Server@server>
>
> ****************************************************************************
> Analysis
> ****************************************************************************
> Mitch: This is generated by the mail server the sender had his message
> go through first. Looks like a homemade job to me (the @server) and not
> something professional.
> ****************************************************************************
> Header
> ****************************************************************************
> X-MailAvAc: PostMaster AvAc (1.0.17) on [202.142.75.26] QuickHeal : 6.10
> 08-Oct-2003
> X-Priority: 3
>
> ****************************************************************************
> Analysis
> ****************************************************************************
> Mitch: Somewhere along the line, it went through a virus scan.
>
> ****************************************************************************
> Header
> ****************************************************************************
> Subject: ERMG.......Most Urgent Req @ Digital Global Soft
>
> From: "Raghavendra" <raghu@xxxxxxxxxxxxxxx>
> X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
> MIME-Version: 1.0
> Date: Fri, 10 Oct 2003 11:35:03 +0530
> X-Mailserver: Sent using PostMaster (v4.1.31)
> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
>
> ****************************************************************************
> Analysis
> ****************************************************************************
> Mitch: "Most Urgent Req"? Yeah, sure it is. I gleaned the following from
> the above info: the sender used OE to send the mail, and it went through
> a "PostMaster" mail server. I have not bothered to google on 'postmaster
> mail server', but I would assume it is probably a mail server used for
> mass mailing.
> ****************************************************************************
> Header
> ****************************************************************************
> X-MSMail-Priority: Normal
>
> To: thandapraljt@xxxxxxxxxxx
>
> Content-Type: Multipart/mixed; boundary="----SIG_TOP1065766322140"
> Content-Length: 4104
>
> ****************************************************************************
> Analysis
> ****************************************************************************
> Mitch: Nothing further to be learned from the header. Now you can take
> the information that we have, and run with it further.
>
> My first stop is networksolutions.com, to use their whois to look up
> ermg-global.com:
>
> Domain Name: ERMG-GLOBAL.COM
> Registrar: TUCOWS, INC.
> Whois Server: whois.opensrs.net
> Referral URL: http://www.opensrs.org
> Name Server: NS1.EVERYRUPEECOUNTS.COM
> Name Server: NS2.EVERYRUPEECOUNTS.COM
> Status: ACTIVE
> Updated Date: 14-jul-2003
> Creation Date: 25-jul-2000
> Expiration Date: 25-jul-2004
>
> Everyrupeecounts? Mkay. An Indian site maybe? Regardless, follow up
> with an ARIN.NET lookup of the originating IP address (202.142.75.26):
>
> OrgName: Asia Pacific Network Information Centre
> OrgID: APNIC
> Address: PO Box 2131
> City: Milton
> StateProv: QLD
> PostalCode: 4064
> Country: AU
>
> ReferralServer: whois://whois.apnic.net
>
> NetRange: 202.0.0.0 - 203.255.255.255
> CIDR: 202.0.0.0/7
> NetName: APNIC-CIDR-BLK
> NetHandle: NET-202-0-0-0-1
> Parent:
> NetType: Allocated to APNIC
> NameServer: NS1.APNIC.NET
> NameServer: NS3.APNIC.NET
> NameServer: NS.RIPE.NET
> NameServer: RS2.ARIN.NET
> NameServer: DNS1.TELSTRA.NET
> Comment: This IP address range is not registered in the ARIN
> database.
> Comment: For details, refer to the APNIC Whois Database via
> Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
> Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
> Comment: for the Asia Pacific region. APNIC does not operate networks
> Comment: using this IP address range and is not able to investigate
> Comment: spam or abuse reports relating to these addresses. For more
> Comment: help, refer to http://www.apnic.net/info/faq/abuse
> Comment:
> RegDate: 1994-04-05
> Updated: 2002-09-11
>
> OrgTechHandle: AWC12-ARIN
> OrgTechName: APNIC Whois Contact
> OrgTechPhone: +61 7 3858 3100
> OrgTechEmail: search-apnic-not-arin@xxxxxxxxx
>
> This tells us to go and look on APNIC. So we do:
>
> inetnum: 202.142.64.0 - 202.142.95.255
> netname: ZTL-AP
> descr: Zee Telefilms Ltd
> country: IN
> admin-c: PSK4-AP
> tech-c: SC188-AP
> mnt-by: APNIC-HM
> changed: hostmaster@xxxxxxxxx 20000526
> status: ALLOCATED PORTABLE
> source: APNIC
>
> person: P S Kamalakannan
> address: E Connect India Ltd
> address: United Mansions, 3rd floor
> address: M G Road Bangalore 560001
> country: IN
> phone: +91 80 5599999
> fax-no: +91 80 5580099
> e-mail: kamalakannan@xxxxxxxxxxxxxx
> nic-hdl: PSK4-AP
> mnt-by: MAINT-NEW
> changed: hostmaster@xxxxxxxxx 20000526
> source: APNIC
>
> person: sanjay chavan
> address: e-connect India Ltd., 3rd Floor,
> address: United Mansion Bldg.
> address: 39 M.G. Rd., Bangalore - 560 001
> country: IN
> phone: +91-080-5599999
> fax-no: +91-080-5580099
> e-mail: chavans@xxxxxxxxxxxxxx
> nic-hdl: SC188-AP
> mnt-by: MAINT-NEW
> changed: chavans@xxxxxxxxxxxxxx 20000511
> source: APNIC
>
> And here we have it. Mr. Chavan is either sending, or allowing spam to
> be sent from his block of IP addresses. And I was right. India.
>
> Hope this gives you a little insight into how to track spam.
> You can do
> further research and/or emails to various responsible parties, or you
> can do what I have done and just reject email from APNIC addresses. (A
> buttload of spam comes from Asia.)
>
> Regards,
> Mitch Lawrence
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> braj@xxxxxxxxxx
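The Received: walk that Mitch does by hand above (bottom hop is the origin, each hop's timestamp carries its own UTC offset, and the origin IP is then checked against the inetnum that the APNIC lookup returned) can be scripted. The following is an added example, not code from the original thread or from any tool mentioned in it. The header block is a constructed sample re-typed from the headers quoted above, with the masked addresses kept as they appear there; the whois and reverse-DNS lookups need the network and are not performed here, only the range check against the ZTL-AP inetnum shown in the thread.

```python
"""Walk a Received: chain the way the thread above does by hand.

Added example, not code from the original post. SAMPLE_HEADERS is a
constructed sample re-typed from the headers quoted in the thread.
"""
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header lines quoted in the thread (body omitted,
# masked addresses left as they appear there).
SAMPLE_HEADERS = """\
Return-Path: <raghu@xxxxxxxxxxxxxxx>
Received: from 202.71.152.134 (EHLO mail.merakdemo.com) (202.71.152.134)
 by mta234.mail.scd.yahoo.com with SMTP; Thu, 09 Oct 2003 23:06:05 -0700
Received: from ermg-global.com ([202.142.75.26]) by mail.merakdemo.com
 (Merak 6.0.5) with ASMTP id 617F7F9D; Fri, 10 Oct 2003 11:35:35 +0530
Message-ID: <105269.1065766322030.JavaMail.Server@server>
X-MailAvAc: PostMaster AvAc (1.0.17) on [202.142.75.26] QuickHeal : 6.10 08-Oct-2003
From: "Raghavendra" <raghu@xxxxxxxxxxxxxxx>
Date: Fri, 10 Oct 2003 11:35:03 +0530
X-Mailer: Microsoft Outlook Express 5.00.2919.6600

"""

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parse_received(header_text):
    """Return the Received: hops top-to-bottom (newest relay first), one dict each."""
    msg = message_from_string(header_text)
    hops = []
    for raw in msg.get_all("Received", []):
        clause, _, stamp = raw.rpartition(";")   # the date follows the last ';'
        clause = " ".join(clause.split())        # unfold continuation lines
        from_part, _, by_part = clause.partition(" by ")
        from_match = re.search(r"\bfrom\s+(\S+)", from_part)
        ips = IPV4.findall(from_part)
        hops.append({
            # name the sender *claimed* in HELO/EHLO; trivially forgeable
            "from": from_match.group(1) if from_match else None,
            # address the receiving relay actually saw the connection come from
            "ip": ips[0] if ips else None,
            "by": by_part.split()[0] if by_part else None,
            # normalise every stamp to UTC so hops in different zones compare
            "time_utc": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
        })
    return hops


def originating_hop(hops):
    """The bottom-most Received: is the earliest hop, unless forged lines were prepended below it."""
    return hops[-1] if hops else None


def hop_deltas_seconds(hops):
    """Seconds each relay held the message: newer stamp minus the next older one.

    A negative value means a relay claims to have received the message before
    the previous relay stamped it: clock skew or a forged line, worth a second look.
    """
    return [(hops[i]["time_utc"] - hops[i + 1]["time_utc"]).total_seconds()
            for i in range(len(hops) - 1)]


def in_inetnum(ip, first, last):
    """True if ip lies in an APNIC-style 'inetnum: first - last' range."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for hop in hops:
        print(f"{hop['time_utc']:%Y-%m-%d %H:%M:%S}Z  from {hop['from']} [{hop['ip']}]  by {hop['by']}")
    origin = originating_hop(hops)
    print("origin:", origin["from"], origin["ip"])
    print("hop deltas (s):", hop_deltas_seconds(hops))
    # inetnum range taken from the APNIC record quoted in the thread
    print("origin in ZTL-AP inetnum:", in_inetnum(origin["ip"], "202.142.64.0", "202.142.95.255"))
```

Once the stamps are in UTC, the two hops in this sample are 30 seconds apart in the expected order; on a real case that delta list is the quickest way to spot a hop whose stamp does not belong in the chain. The "from" name and the bracketed IP are kept separate on purpose: only the IP was observed by the relay, so that is the value to feed into the whois lookups.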