[ale] Tracing spam (EMAIL MARKETING WORKS)

Robert L. Harris robert at ast.lmco.com
Thu Dec 4 09:54:33 EST 1997


Alexander Barton wrote:
> 
> I'm looking at the headers of the two "EMAIL MARKETING WORKS"
> spams sent to the ALE mailing list Thursday morning.  I'd like
> try to figure out where the spam came from and ultimately do
> something to make it stop.  (Yes, I really do need a hobby.)
> If anyone has experience doing this, I'd appreciate feedback on
> the correctness of my deductions.
> 
> Here goes.
> 
> 1.  I'm sure the From, To, and Reply-To headers are bogus, intended
> to direct spam complaints to innocent parties.  If this is true,
> it would be worse than useless if we were to complain to
> administrators at the purported source sites, worldnet.att.com
> and ix.netcom.com.
> 
> 2.  The two spams have a few identical "Received" headers:
> 
>         Received: from SMTP.XServer     (Smail4.1.19.1 #20) id
>                 m0wBzN7-009vdR; Thursday, December 4th, 1997
>         Received: from mail.apache.net(really [164/187]) by
>                 relay.comanche.com Tuesday, December 2nd, 1997
>         Received: from 32776.21445(really [80110/80111]) by
>                 relay.denmark.nl Sunday, November 30th, 1997
>         Received: from local.nethost.org(really [24553/24554]) by
>                 relay.SS621.net Saturday, November 29th, 1997
> 
> I think it's impossible for two messages to have the same ID
> numbers ("m0wBzN7-009vdR", etc.) on the same mail server.
> Therefore these four headers are bogus.  Their purpose is to
> distract our attention.
> 
> 3.  If I trust the most recent headers on one message and go
> backwards to burdell, it looks like burdell.cc.gatech.edu got
> the message from smtp.alphasoft.com:
> 
>         Received: from [207.217.4.56] by smtp.alpha-soft.com
>                 (SMTPD32-4.0) id AD6E4EE00BC; Thu, 04 Dec 1997
>                 02:36:14 -0500
> 
> If I trust alphasoft, they got the message from 207.217.4.56, which
> nslookup says is pool056-max4.la-ca-us.dialup.earthlink.net.
> The other message seems to have passed through
> pool046-max1.la-ca-us.dialup.earthlink.net.  The bogus
> headers start immediately after the entry for earthlink.net.
> 
> earthlink.net is:
>         $ whois earthlink.net
>            EarthLink Network, Inc. (EARTHLINK-DOM)
>            3100 New York Drive
>            Pasadena, CA 91107
>            US
>            [...]
> 
> 4.  Now what?  Do I send a politely worded complaint to
> postmaster at earthlink.net?  Has someone complained to them already?
> 
> -Alexander


Nice tracking.  I've traced a few and found owners also.  From what
you've got above, I'd say you're right.

As per what to do, I'd email the admin (cc yourself for your records)
and inform him he has users forging email which is illegal (is it?)
and that if it continues someone will be sued.  You might wish to be
a little more polite the first time and leave off the threat if they
actually do put a stop to it.  Some admins care, some don't.

Robert
-- 
---------------------------------------------------------------------------
Robert L. Harris          |   NT is secure.... 
System Engineer For Hire. \_   as long as you don't remove the shrink
wrap.

DISCLAIMER:
  These are MY OPINIONS ALONE.  I speak for no-one else.
perl -e 'print
$i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
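The header walk Alexander describes in the quoted post (shared queue IDs expose the forged hops, the last trusted relay's stamp gives the real handoff address) as an added example, not code from the original thread. Hosts, IDs and the 207.217.4.56 address come from his post; the second message's handoff IP (192.0.2.46) and queue ID (PLACEHOLDER-ID-B) were not posted and are placeholders.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input: Received chains of the two spams as quoted in the
# thread, most recent hop first. Placeholders stand in for values not posted.
MSG_A = """\
Received: from [207.217.4.56] by smtp.alpha-soft.com (SMTPD32-4.0) id AD6E4EE00BC; Thu, 04 Dec 1997 02:36:14 -0500
Received: from SMTP.XServer (Smail4.1.19.1 #20) id m0wBzN7-009vdR; Thursday, December 4th, 1997
Received: from mail.apache.net(really [164/187]) by relay.comanche.com Tuesday, December 2nd, 1997
Received: from 32776.21445(really [80110/80111]) by relay.denmark.nl Sunday, November 30th, 1997
"""
MSG_B = """\
Received: from [192.0.2.46] by smtp.alpha-soft.com (SMTPD32-4.0) id PLACEHOLDER-ID-B; Thu, 04 Dec 1997 02:41:02 -0500
Received: from SMTP.XServer (Smail4.1.19.1 #20) id m0wBzN7-009vdR; Thursday, December 4th, 1997
"""
ID_RE = re.compile(r"\bid\s+([^\s;]+)")        # MTA queue id following 'id'
ADDR_RE = re.compile(r"\[([^\]]+)\]")           # bracketed peer address
BY_RE = re.compile(r"\bby\s+(\S+)")             # host that stamped the hop

def received_hops(raw):
    """Received header values, most recent hop first (top of the message)."""
    return [l[len("Received:"):].strip() for l in raw.splitlines() if l.startswith("Received:")]

def shared_ids(*messages):
    """Queue ids seen in more than one message. An MTA never reuses an id, so a
    shared one proves that hop (and everything below it) was written by the sender."""
    counts = Counter()
    for raw in messages:
        counts.update({m.group(1) for m in map(ID_RE.search, received_hops(raw)) if m})
    return {i for i, n in counts.items() if n > 1}

def bad_address_hops(raw):
    """Hops whose bracketed address is not an IPv4 literal, e.g. '[164/187]'."""
    bad = []
    for hop in received_hops(raw):
        m = ADDR_RE.search(hop)
        if m:
            try:
                ipaddress.IPv4Address(m.group(1))
            except ValueError:
                bad.append(hop)
    return bad

def handoff_ip(raw, trusted_relay):
    """Walk top-down to the first hop stamped 'by <trusted_relay>' and return the
    address it accepted from; hops below it are sender-controlled text."""
    for hop in received_hops(raw):
        by = BY_RE.search(hop)
        if by and by.group(1).lower() == trusted_relay.lower() and ADDR_RE.search(hop):
            return ADDR_RE.search(hop).group(1)
    return None
```

The returned handoff address is what you resolve (nslookup) and look up (whois) before writing to a postmaster; the hops flagged by the other two functions are the ones to leave out of a complaint.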