First, as has already been said, never put your real email in a ng post!
As a public service here is how to deal with this and similar spam. The more
victims who actively pursue spammers, the less worthwhile spamming becomes.
In this case, the important bits of the header appear to be ...
Received: from pcp03933018pcs.sthind01.mo.comcast.net
(pcp03933018pcs.sthind01.mo.comcast.net [68.34.139.159])
.... and ...
Received: from 235.168.30.88 by 68.34.139.159; Fri, 14 May 2004
23:38:48 -0300
Ultimately, the goal is to look up an abuse contact for the source here ...
http://www.abuse.net/lookup.phtml
.... but to do that we need a domain name and we only have an IP.
So first we look up the domain for 235.168.30.88 here ...
http://www.whois.sc/
http://www.whois.sc/235.168.30.88, gives:
name: 235.IN-ADDR.ARPA.
type: SOA
result: source=dot.ep.net.; responsible person=(E-Mail Removed).
As indicated by the WhoIs page, the abuse contact for ep.net,
http://www.abuse.net/lookup.phtml?DOMAIN=ep.net, is
(E-Mail Removed), ie: an unhelpful default, so next we do a tracert from a
DOS box to see who is hosting ep.net:
C:\TEMP>tracert ep.net
Tracing route to ep.net [198.32.6.68]
over a maximum of 30 hops:
[snip]
8 411 ms 430 ms 471 ms so-7-0-0.cr1.dca2.us.above.net [64.125.31.186]
9 561 ms 521 ms 631 ms sl-gw19-rly-3-0.sprintlink.net [144.232.247.85]
10 180 ms 210 ms 291 ms sl-bb23-rly-3-1.sprintlink.net [144.232.14.41]
11 90 ms 110 ms 120 ms sl-bb27-rly-10-0.sprintlink.net [144.232.14.142]
12 * 200 ms 240 ms sl-bb22-rly-10-0.sprintlink.net [144.232.14.177]
13 360 ms 401 ms 521 ms sl-bb22-sj-10-0.sprintlink.net [144.232.20.186]
14 551 ms 591 ms 641 ms sl-bb25-sj-12-0.sprintlink.net [144.232.3.210]
15 571 ms 711 ms 681 ms sl-bb23-ana-6-0.sprintlink.net [144.232.20.158]
16 741 ms 752 ms 831 ms sl-gw25-ana-0-0.sprintlink.net [144.232.1.114]
17 671 ms 801 ms 871 ms sl-epnet-1-0.sprintlink.net [160.81.102.134]
18 500 ms 631 ms 691 ms vacation.karoshi.com [198.32.6.68]
Trace complete.
Now we work backwards up the list until we get a real abuse contact:
http://www.abuse.net/lookup.phtml?DOMAIN=karoshi.com,
(E-Mail Removed), default, no good.
http://www.abuse.net/lookup.phtml?DOMAIN=sprintlink.net,
(E-Mail Removed),
there's your abuse contact address for the source machine of that particular
email.
But that's only half the story, there is also the linked website:
xc4xzzd.com, which is presumably responsible for originating the spamming,
possibly by proxy through captured machines.
Again we get the default for an abuse contact, so we're going to have to work
out this one as well. WhoIs for this domain,
http://www.whois.sc/xc4xzzd.com, gives
IP Address: 61.233.138.58 (ARIN & RIPE IP search)
IP Location: China - China Railway Telecommunications Center
Someone is probably abusing their work facilities there.
So again we use tracert to see who is hosting China Railways / xc4xzzd.com.
C:\TEMP>tracert xc4xzzd.com
Tracing route to xc4xzzd.com [61.233.138.58]
over a maximum of 30 hops:
[snip]
8 471 ms 501 ms 511 ms so-7-0-0.cr1.dca2.us.above.net [64.125.31.186]
9 701 ms 661 ms 711 ms pos0-0.pr1.atl4.us.above.net [64.125.28.230]
10 561 ms 661 ms 731 ms pos12-0.er1.atl4.us.above.net [64.125.30.233]
11 651 ms 620 ms 471 ms so-3-3-0.mpr2.iah1.us.above.net [64.125.29.66]
12 701 ms 661 ms 772 ms so-0-0-0.mpr1.iah1.us.above.net [64.125.31.61]
13 631 ms 681 ms 761 ms so-5-1-0.mpr2.lax9.us.above.net [64.125.29.97]
14 621 ms 400 ms 421 ms above-oc12.china-telecom.net [64.125.12.126]
15 660 ms 732 ms 741 ms 202.97.49.65
[snip]
Trace complete.
So it's fairly clear that the linked website is being hosted by
china-telecom.net. However,
http://www.abuse.net/lookup.phtml?DO...na-telecom.net, gives:
(E-Mail Removed) (for china-telecom.net)
(E-Mail Removed) (for china-telecom.net)
ie: a default and a second contact within abuse.net, which suggests that
they are either having trouble with that domain, or else abuse complaints
have to go through a particular protocol which they handle directly. Anyway,
despite this, address your complaint to both these contacts, because in this
case, it's all you can do.
I would suggest your complaint is worded something along the lines of: ...
To:
(E-Mail Removed),
(E-Mail Removed),
(E-Mail Removed)
Subject: SPAM - <cut'n'paste the spam mail subject here>
The email enclosed is unsolicited SPAM.
Please take appropriate action against the mail source apparently posting
through ep.net [235.168.30.88]
Please take appropriate action against the linked website, xc4xzzd.com,
apparently hosted through china-telecom.net [195.149.20.137].
Please share information concerning these sources' abuse with other ISPs and
NSPs
Original Header
===============
<cut'n'paste the spam mail header here>
Original Post
=============
<cut'n'paste the spam mail body here>
"Terry Pinnell" <belatedly removed all these for spam trap reasons> wrote in
message news:(E-Mail Removed)...
> Viewing my email this morning I see one message that MailWasher has
> marked as from a Friend has my correct address as both the To *and
> From addresses. Is that a common spam technique?
>
>
> Its full header is:
> ====================
> Return-Path: <>
> X-Envelope-To:
> Delivered-To:
> Received: from pcp03933018pcs.sthind01.mo.comcast.net
> (pcp03933018pcs.sthind01.mo.comcast.net [68.34.139.159])
> by gophers.systems.pipex.net (Postfix) with SMTP id 495F5E000096
> for <t>; Fri, 14 May 2004 23:40:43 +0100
> (BST)
> Received: from 235.168.30.88 by 68.34.139.159; Fri, 14 May 2004
> 23:38:48 -0300
> Message-ID: <x7fRY3UpC3PeN2RGGC etc>
> From: "" <>
> To: "" <>
> Subject: Joseph
> MIME-Version: 1.0
> Content-type: text
> Date: Fri, 14 May 2004 23:40:43 +0100 (BST)
>
>
>
> http://puppet.xc4xzzd.com/ti/#statutory
>
> off
> http://stopgap.xc4xzzd.com/b.html#wrestle
>
> Joseph
>
>
>
> ----0537831089286035--
> ====================
>
> Anyone know what it is and where it comes from please?
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.683 / Virus Database: 445 - Release Date: 12/05/2004
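As an added example (my own script, not code from either poster), here is a small Python program that automates the first step of the procedure above: it walks the Received: chain of the quoted header from the top, treats a hop as trusted only while the "by" host is your own mail server (assumed here to be gophers.systems.pipex.net, the server that appears in the header), flags any claimed address that can never be a real sending host, and pulls the linked hostnames out of the body. The recipient address is elided on the page, so a placeholder is used. Run over the sample, it keeps 68.34.139.159 as the last address your own server vouches for and marks the inner 235.168.30.88 hop as both untrusted and unroutable (it lies in the multicast range), which is the check worth doing before addressing a complaint.

```python
import ipaddress
import re
from email.parser import HeaderParser
# Constructed sample, copied from the header block quoted in the post above
# (the recipient address is elided on the page, so a placeholder is used).
SAMPLE_HEADERS = """\
Return-Path: <>
Received: from pcp03933018pcs.sthind01.mo.comcast.net
 (pcp03933018pcs.sthind01.mo.comcast.net [68.34.139.159])
 by gophers.systems.pipex.net (Postfix) with SMTP id 495F5E000096
 for <recipient@example.invalid>; Fri, 14 May 2004 23:40:43 +0100 (BST)
Received: from 235.168.30.88 by 68.34.139.159; Fri, 14 May 2004 23:38:48 -0300
Subject: Joseph
"""
SAMPLE_BODY = ("http://puppet.xc4xzzd.com/ti/#statutory\noff\n"
               "http://stopgap.xc4xzzd.com/b.html#wrestle\n")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def received_chain(raw_headers, our_hosts):
    """Parse Received: top-down (newest first). A hop is trusted only while its
    'by' host is one of our MTAs; everything below the first foreign hop may be forged."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        frm = re.match(r"from\s+([^\s;]+)", value)
        by = re.search(r"\bby\s+([^\s;]+)", value)
        ip = (re.search(r"\[(%s)\]" % IPV4, value)
              or re.match(r"from\s+(%s)" % IPV4, value))
        by_host = by.group(1).lower() if by else ""
        trusted = trusted and by_host in our_hosts
        addr = ipaddress.ip_address(ip.group(1)) if ip else None
        # multicast, private, reserved, loopback or link-local addresses can never
        # be the real sending host, so a hop claiming one is forged or garbage
        bogus = addr is not None and (addr.is_multicast or addr.is_private
                 or addr.is_reserved or addr.is_loopback or addr.is_link_local)
        hops.append({"from": frm.group(1) if frm else "", "by": by_host,
                     "ip": str(addr) if addr else None, "trusted": trusted,
                     "routable": addr is not None and not bogus})
    return hops

def origin_ip(hops):
    """The last address vouched for by our own MTA: the one worth an abuse lookup."""
    trusted = [h["ip"] for h in hops if h["trusted"] and h["ip"]]
    return trusted[-1] if trusted else None

def linked_domains(body):
    """Hostnames of every http(s) URL in the body, i.e. the spamvertised sites."""
    return sorted({h.lower() for h in re.findall(r"https?://([^\s/]+)", body)})
```

The whois and abuse.net lookups described in the post still have to be done by hand (or with network access) on the addresses this returns.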