On 05/10/02, Doug Mehus <[EMAIL PROTECTED]> wrote: 

> Okay, folks ... I need a bit of help reporting this nasty spammer. You'll 
> notice there are multiple "Received:" lines, and I'm unsure which one to 
> report it to so any information you might have would really help. I've 
> figured out that one of these three "Received:" lines is the source, but not 
> sure which one:

        As a general rule, it'll be the one(s) on top -- but that's not
        always certain.  Let's look at the full headers....

> ----------begin forwarded spam---------
> Return-path: <[EMAIL PROTECTED]>
> Received: from pd4mr1so.prod.shaw.ca
>  (pd4mr1so-qfe2.prod.shaw.ca [10.0.162.212]) by l-daemon
>  (iPlanet Messaging Server 5.1 HotFix 0.6 (built Apr 26 2002))
>  with ESMTP id <0GVV00C3FYBBS1@l-daemon> for dmehus@ims-ms-daemon
>  (ORCPT [EMAIL PROTECTED]); Fri, 10 May 2002 02:02:07 -0600 (MDT)
> Received: from pd4mi3so.prod.shaw.ca
>  (pd4mi3so-qfe3.prod.shaw.ca [10.0.121.196]) by l-daemon
>  (iPlanet Messaging Server 5.1 (built May  7 2001))
>  with ESMTP id <0GVV0009LYBDPY@l-daemon> for [EMAIL PROTECTED]
>  (ORCPT [EMAIL PROTECTED]); Fri, 10 May 2002 02:02:01 -0600 (MDT)

        You're @shaw.ca, so we can assume these are both correct (looks
        like Shaw does some funky internal mail routing.)  Next is:

> Received: from 211.22.252.2 ([211.34.23.194])
>  by l-daemon (iPlanet Messaging Server 5.1 (built May  7 2001))
>  with SMTP id <0GVV00EHQYAM7T@l-daemon> for [EMAIL PROTECTED]; Fri,
>  10 May 2002 02:02:01 -0600 (MDT)

        The iPlanet Messaging Server doesn't identify itself here,
        but we can assume it's the same one @shaw.ca shown in the
        second header up top.  So, shaw.ca (your ISP) got the message
        from 211.22.252.2.

        211.22.252.2 doesn't have reverse DNS, but traceroute brings
        us inside of hinet.net in Taipei.  Since it's not an open
        relay, I'd guess that this is an unsecured proxy -- so the
        trail ends here.  The remaining headers are almost certain 
        to be bogus.

        My advice would be to go after the beneficiary of the spam,
        starting with the URLs in the body of the message.

-- 
J.D. Falk                              "...eternity is defined by impatience."
<[EMAIL PROTECTED]>                           -- Laura Kasischke
_______________________________________________
spamcon-general mailing list
[EMAIL PROTECTED]
http://mail.spamcon.org/mailman/listinfo/spamcon-general#subscribers
Subscribe, unsubscribe, etc: Use the URL above or send "help" in body
    of message to [EMAIL PROTECTED] 
Contact administrator: [EMAIL PROTECTED]
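
The top-down walk through the Received: lines described in the reply above, as an added example that is not part of the original thread. It skips hops inside the recipient's own provider (private addresses or a trusted domain suffix, assumed here to be .shaw.ca) and returns the first external handoff, with both the name the client claimed and the bracketed address the receiving server recorded. The function names are hypothetical and the sample headers are abridged from the message.

```python
import email
import ipaddress
import re

# Received: headers from the message above, abridged after the "by" host.
SAMPLE = """\
Received: from pd4mr1so.prod.shaw.ca
 (pd4mr1so-qfe2.prod.shaw.ca [10.0.162.212]) by l-daemon
 with ESMTP; Fri, 10 May 2002 02:02:07 -0600 (MDT)
Received: from pd4mi3so.prod.shaw.ca
 (pd4mi3so-qfe3.prod.shaw.ca [10.0.121.196]) by l-daemon
 with ESMTP; Fri, 10 May 2002 02:02:01 -0600 (MDT)
Received: from 211.22.252.2 ([211.34.23.194])
 by l-daemon with SMTP; Fri,
 10 May 2002 02:02:01 -0600 (MDT)

"""

# "from <claimed name> (<optional reverse DNS> [<peer address>]) by <server>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                 r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return the Received hops top-down (newest first) as dicts."""
    msg = email.message_from_string(raw)  # unfolds continuation lines for us
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append(m.groupdict())
    return hops

def is_internal(hop, trusted_suffix):
    """Internal means the recorded peer is private or inside our own domain."""
    if ipaddress.ip_address(hop["ip"]).is_private:
        return True
    return bool(hop["rdns"]) and hop["rdns"].endswith(trusted_suffix)

def handoff(raw, trusted_suffix):
    """First hop, reading top-down, where mail entered the trusted servers."""
    for hop in parse_hops(raw):
        if not is_internal(hop, trusted_suffix):
            # The claimed name is client-supplied; flag it when it differs from the peer.
            hop["helo_differs"] = hop["helo"] not in (hop["ip"], hop["rdns"])
            return hop
    return None  # every parsed hop was internal

if __name__ == "__main__":
    print(handoff(SAMPLE, ".shaw.ca"))
```

Anything below the returned hop was written before the message reached a server the recipient can vouch for, so it is unverified.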
