On Wed, 22 Sep 2004, Al Poulin wrote:

> Date: Wed, 22 Sep 2004 11:46:52 -0400
> From: Al Poulin <[EMAIL PROTECTED]>
> Reply-To: iMac List <[EMAIL PROTECTED]>
> To: iMac List <[EMAIL PROTECTED]>
> Subject: Re: How to Read SPAM Message Headers
>
> Thanks Chris for the feedback. But where and how do you get that data you
> found from the IP address and the return e-mail address?
>
> Thanks,
>
> --
> Al Poulin
> Anger, hate, and revenge are for the devil, forgiveness is for God,
> proactive self-defense is for the rest of us.
>
>
>
> Chris Dailey at Badger Clan <[EMAIL PROTECTED]> wrote:
>
>>
> > The first receive line is where your mail server got the message from.
> > Anything after that can be forged. So:
> >
> > 4.78.193.101 becomes mx101.mxhs03.net The domain is MXHS03.NET
> > Admin contact:
> > Hotstripe Media
> > PO Box 3469 #322
> > Newport Beach, CA 92659
> > PH# 949-273-4025
> >
> > The return email address drmx01.net
> > Organization:
> > DQ
> > Administrative Contact
> > 3434 Via Lido Suite 300
> > Newport Beach, CA 92663
> > PH# 949-273-4028
> >
> >> COPY OF HEADER BELOW:
> >> Return-Path: <[EMAIL PROTECTED]>
> >> Received: from mx1.mxhs04.net ([4.78.193.101]) by lakermmtai07.cox.net
> >> (InterMail vM.6.01.03.04 201-2131-111-106-20040729) with SMTP
> >> id <[EMAIL PROTECTED]>
> >> for <[EMAIL PROTECTED]>; Tue, 21 Sep 2004 18:09:18 -0400
> >> To: [EMAIL PROTECTED]
> >> Date: Tue, 21 Sep 2004 15:12:29 -0800
> >> Message-ID: <[EMAIL PROTECTED]>
> >> MIME-Version: 1.0
> >> Content-Type: text/html; charset=ISO-8859-1
> >> X-HSID: 122620936
> >> Rot:
> >> From: "Testers Needed" <[EMAIL PROTECTED]>
> >> Subject: Free Apple 17" iMac G5 Desktop - Find out how!
> >> END COPY
>

Normally I use a variety of Linux tools from the command line. OS X has most
of them built into Network Utility, found in the utility folder under
Applications. Copy 4.78.193.101 into the Lookup entry box. In this case just
use the nslookup feature instead of dig.
This gives you the correct name of the suspected SMTP server: mx101.mxhs03.net.
Then use the whois feature to find out who owns mxhs03.net and drmx01.net.
Using whois.internic.net on the drmx01.net address shows its registry is
whois.register.com, so replacing whois.internic.net with whois.register.com in
the whois server box will yield the admin contact info. This particular spam
was very easy to locate. Ones from, say, Korea aren't going to give you very
much info without using other tools such as netcat and nmap. Hijacked servers
are another story altogether.
As far as disconnecting your cable to stop confirmation of your address from
the feedback of the HTML code in the message, it's already too late once your
POP or IMAP server has accepted the message. Our server here at Eskimo gets
about two million spams a day. Most spammers searching for addresses will
pound a server with random user names. If the name does not exist, the message
gets bounced back to the spammers as "No such user". Then they just run a
comparison against their sender list and will know if it's good or not. I
suspect in this case that a web spider picked up your name in some search for
Mac-related entries, since the subject was Mac related. The HTML feedback
usually just gives them your current IP address and port.

A good way to learn about filtering spam and how it works is to obtain a shell
account and learn to use a wonderful program called procmail. I believe you
can still get a free shell account by telnetting or ssh'ing into
sdf.lonestar.org. Using procmail with Pine is the safest way to get mail,
since everything is plain text. As you can see from my header, I used Pine to
write this.

--
Chris Dailey
Eskimo North
Ministry of Propaganda
Dept: Social Engineering
QUOTE: "We do not wish to be ruled. And by this very fact, do we not declare
that we ourselves wish to rule nobody?"
--Peter Kropotkin, 'Anarchist Morality'
iMac List info: <http://lowendmac.com/imac/list.shtml>
Archive: <http://www.mail-archive.com/imac-list%40mail.maclaunch.com/>
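The procedure Chris describes (trust only the topmost Received line, resolve the IP it recorded, whois the domains involved, and treat remote content in an HTML body as a confirmation beacon) can be scripted. The following is an added example and not code from the thread or from any poster; it runs on a constructed message modelled on the quoted header, in which the addresses, Message-ID, the second Received line and the HTML body are invented for the example. The DNS lookups are pluggable so the forward-confirmed reverse DNS check can be exercised offline; by default they use the socket module.

```python
"""Read spam headers the way the thread describes: only the Received line
added by your own MX is trustworthy; everything beneath it may be forged."""
import re
import socket
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample, modelled on the header quoted in the thread. The mail
# addresses, Message-ID, second Received hop and HTML body are made up; the
# original post redacts the addresses and shows no body.
SAMPLE = """\
Return-Path: <bounce@drmx01.net>
Received: from mx1.mxhs04.net ([4.78.193.101]) by lakermmtai07.cox.net
          (InterMail vM.6.01.03.04 201-2131-111-106-20040729) with SMTP
          id <20040921220918.ABC123@lakermmtai07.cox.net>
          for <user@example.org>; Tue, 21 Sep 2004 18:09:18 -0400
Received: from mail.example.com (unknown [192.0.2.9]) by mx1.mxhs04.net
          with SMTP; Tue, 21 Sep 2004 15:12:00 -0800
To: user@example.org
Date: Tue, 21 Sep 2004 15:12:29 -0800
Message-ID: <122620936@mx1.mxhs04.net>
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
X-HSID: 122620936
From: "Testers Needed" <testers@drmx01.net>
Subject: Free Apple 17" iMac G5 Desktop - Find out how!

<html><body><p>Free iMac G5 - find out how!</p>
<img src="http://track.example.net/open.gif?id=122620936" width="1" height="1">
<img src="cid:logo@local"></body></html>
"""

# "from HELO (rdns [ip]) by HOST" in the sendmail/Postfix/InterMail styles.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(?(?:[\w.-]+\s+)?\[?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?\s+by\s+(?P<by>[\w.-]+)")


def received_hops(raw):
    """All Received headers as dicts, topmost (most recently added) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))  # unfold header
        if m:
            hops.append(m.groupdict())
    return hops


def trusted_hop(raw):
    """The hop your own MX wrote: the only IP the sender could not forge."""
    hops = received_hops(raw)
    return hops[0] if hops else None


def fcrdns(ip, helo, resolve_ptr=None, resolve_a=None):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, A(name) must include ip.
    Also reports whether the PTR name agrees with what the peer said in HELO."""
    resolve_ptr = resolve_ptr or (lambda a: socket.gethostbyaddr(a)[0])
    resolve_a = resolve_a or (lambda n: socket.gethostbyname_ex(n)[2])
    try:
        name = resolve_ptr(ip)
        confirmed = ip in resolve_a(name)
    except OSError:  # no PTR, or PTR name does not resolve
        return {"ptr": None, "confirmed": False, "matches_helo": False}
    return {"ptr": name, "confirmed": confirmed,
            "matches_helo": name.lower() == helo.lower()}


def registrable(name):
    """Naive registrable-domain guess (last two labels); fine for .net,
    wrong for suffixes like co.uk, where a public-suffix list is needed."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def whois_targets(raw, ptr_name=None):
    """Domains worth a whois: the trusted hop's HELO and PTR names and the
    domain of the From address."""
    msg = message_from_string(raw)
    targets = set()
    hop = trusted_hop(raw)
    if hop:
        targets.add(registrable(hop["helo"]))
    if ptr_name:
        targets.add(registrable(ptr_name))
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m:
        targets.add(registrable(m.group(1)))
    return sorted(targets)


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src", "") or ""
            if src.lower().startswith(("http://", "https://")):
                self.urls.append(src)


def remote_images(raw):
    """Remote <img> references in the HTML body. Rendering one fetches it from
    the sender, confirming the address (and exposing your IP); cid:/data:
    images stay local and are ignored."""
    parser = _ImgCollector()
    parser.feed(message_from_string(raw).get_payload())
    return parser.urls


if __name__ == "__main__":
    hop = trusted_hop(SAMPLE)
    print("trusted hop:", hop)
    print("fcrdns:", fcrdns(hop["ip"], hop["helo"]))  # live DNS lookup
    print("whois:", whois_targets(SAMPLE))
    print("beacons:", remote_images(SAMPLE))
```

The forged second Received line is parsed but never trusted: only `trusted_hop` feeds the DNS and whois steps. In the thread the PTR for 4.78.193.101 came back as mx101.mxhs03.net while the peer announced itself as mx1.mxhs04.net; `fcrdns` surfaces exactly that kind of mismatch via `matches_helo`.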
