On Mon, Jan 25, 2010 at 3:29 PM, Bill Connelly <[email protected]> wrote:

> How do you trace bad e-mails back to their origins? These things, mostly
> VIAGRA ads, are also coming from the G3-G5 list, although I think this one
> came from someone who has viewed my artsite recently. I usually send them on
> to [email protected], but I'd like to follow this one back
> if possible to their ISP.
According to the data you provided, the spam email was relayed through vms169131.mailsrvcs.net, whose IP address is 67.215.65.132; when that address is whois'd through arin.net's IP database, it returns that the server is owned by OpenDNS. The sender, whose IP is 192.223.124.145, lives in Brazil, and it appears that either a rogue employee is sending spam or (more likely) one of the company's machines has become infested with malware, as that IP returns:

owner:       Industrias Gessy Lever Ltda
ownerid:     BR-IGLL1-LACNIC
address:     Av. Maria Coelho Aguiar, 215
address:     Bloco C - 3 andar
address:     Centro de Informatica
address:     Sao Paulo
address:     CEP
country:     BR
owner-c:     WG59-ARIN
created:     19921120
changed:     19981012
source:      ARIN-HISTORIC

nic-hdl:     WG59-ARIN
person:      Welson Giovanini
e-mail:
address:     Av. Maria Coelho Aguiar, 215
address:     Bloco C - 3 andar
address:     Centro de Informatica
address:     CEP 05805
address:     Sao Paulo, BRAZIL
country:     BR
phone:       +55 11 545 4432

When the company "Industrias Gessy Lever Ltda" is googled, it turns out to be a cleaning products business (http://translate.google.com/translate?hl=en&sl=pt&u=http://industrias-gessy-lever-ltda.br.telelistas.net/vct/produtos-para-limpeza/araraquara/78082070.htm&ei=rBpeS6ClHIea8Abnvu2TBQ&sa=X&oi=translate&ct=result&resnum=1&ved=0CA4Q7gEwAA&prev=/search%3Fq%3DIndustrias%2BGessy%2BLever%2BLtda%26hl%3Den%26safe%3Doff%26sa%3DG).

So my best guess as to what's going on is that "Industrias Gessy Lever Ltda" is a client of OpenDNS with one of their hosted solutions, and there is an internal issue (likely malware) that is attaching itself to the appliance and using it as a spam relay. To get the most likely reaction and action against this act, I would report it to OpenDNS, as the problem is coming from one of their clients.

> How do people get our e-mail addresses from the G3-G5 list?
If you google "g3-5-list archive" you can see that there are multiple archives of this list being maintained apart from the Google Groups archive; it is possible that one of those archives does not censor email addresses contained in emails sent to the list. It is also possible that a service you at one point subscribed to sold your email address, or even that at some point you fell victim to a piece of malware that harvested your email address. So in short, although it is possible that your email address was harvested from one of the g3-5-list archives, it is also likely (perhaps even more so) that a service you subscribed to sold your address to spammers or that a piece of malware harvested it at one point in time (if you ever used Windows).

--
Best Regards,
John Musbach

--
You received this message because you are a member of G-Group, a group for those using G3, G4, and G5 desktop Macs - with a particular focus on Power Macs.
The list FAQ is at http://lowendmac.com/lists/g-list.shtml and our netiquette guide is at http://www.lowendmac.com/lists/netiquette.shtml
To post to this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/g3-5-list
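The tracing described in the reply above works by reading the message's Received headers from the top (your own mail server) downward, taking the bracketed IP each MTA recorded for the host that connected to it, and stopping as soon as a header was written by a server you do not control, since everything below that point could have been forged by the spammer. The following is an added example, not code from the original thread; the Received headers are constructed for illustration (only the relay name and the two IP addresses come from the message above; the "by" hosts, ids and timestamps are made up), and the whois step is left to the reader because it needs network access.

```python
import re
import ipaddress
from email import message_from_string
from email.policy import default

# Constructed sample (not the original spam): relay name and IPs are the ones
# discussed on the list, the "by" hosts, ids and timestamps are invented.
SAMPLE_RAW = (
    "Received: from vms169131.mailsrvcs.net (vms169131.mailsrvcs.net [67.215.65.132])\n"
    "\tby mx.example.invalid with ESMTP id 1NZabc-0001; Mon, 25 Jan 2010 10:02:11 -0500\n"
    "Received: from [192.223.124.145] (unknown [192.223.124.145])\n"
    "\tby vms169131.mailsrvcs.net with SMTP; Mon, 25 Jan 2010 12:01:58 -0300\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby spambot.invalid with SMTP; Mon, 25 Jan 2010 12:01:57 -0300\n"
    "From: \"Pharmacy\" <nobody@example.invalid>\n"
    "Subject: cheap pills\n"
    "\n"
    "body\n"
)

# The bracketed address is the peer IP the receiving MTA observed on the TCP
# connection; the bare hostname before it is the HELO name, which the sender
# chooses freely, so we deliberately ignore it.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def relay_chain(raw):
    """Return one dict per Received header, newest (topmost) first."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = str(hdr)
        ip_m = IP_RE.search(text)
        by_m = BY_RE.search(text)
        ip = ip_m.group(1) if ip_m else None
        # Loopback/private addresses cannot be reported to anyone's ISP.
        routable = bool(ip) and ipaddress.ip_address(ip).is_global
        hops.append({
            "from_ip": ip,
            "by": by_m.group(1).lower() if by_m else None,
            "routable": routable,
        })
    return hops


def traceable_origin(raw, trusted_mtas):
    """Walk down the chain only while the header was written by an MTA we trust.

    Returns the routable from-IP of the last trusted-written hop, i.e. the
    furthest host that can be attributed with confidence. Headers below the
    first untrusted writer may be forged and are not used.
    """
    trusted = {h.lower() for h in trusted_mtas}
    origin = None
    for hop in relay_chain(raw):
        if hop["by"] not in trusted:
            break
        if hop["from_ip"] and hop["routable"]:
            origin = hop["from_ip"]
    return origin


if __name__ == "__main__":
    for i, hop in enumerate(relay_chain(SAMPLE_RAW), 1):
        print(f"hop {i}: from {hop['from_ip']} by {hop['by']} routable={hop['routable']}")
    # Trusting only our own MX, the best we can say is "it came via OpenDNS' relay".
    print("report to:", traceable_origin(SAMPLE_RAW, ["mx.example.invalid"]))
    # If the relay is believed honest, we can go one hop further to the sender.
    print("report to:", traceable_origin(
        SAMPLE_RAW, ["mx.example.invalid", "vms169131.mailsrvcs.net"]))
```

The practical caveat this encodes: with only your own server trusted, the address you can stand behind is the relay's (67.215.65.132), which is why reporting to OpenDNS is the defensible first step; treating the relay as honest extends the trace to 192.223.124.145, but that is an inference about the relay, not something your own logs prove. The 127.0.0.1 hop at the bottom is the kind of header a spambot adds itself and is ignored.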
