Ultimately twtelecom.net should be responsible. It's their customer
they've allocated IP space for. Here is where the IP space was
allocated to according to ARIN:

http://ws.arin.net/whois/?queryinput=!%20NET-66-162-83-176-1

On Wednesday, November 30, 2005 at 2:09:20 AM, [EMAIL PROTECTED] confabulated:

> Since about the 22nd or 23rd I've been getting virus-laden (Sober.U) spam
> from an address at twtelecom.net (66.162.83.190).  All my spam reporting is
> done via two scripts, one is reporter.pl which runs sa-learn and reports to
> Razor, Pyzor and DCC.  The other script, which was written by Karsten Self,
> called Spam Tools,  actually reports the spam to the abuse address(es) and
> to NANAS.  After getting a couple of hundred infected messages I wrote a
> nice email to one of the contacts, he replied:

> Please note that the propagation of this address is spoofed. The address you
> are questioning is a global IP for a firewall and is not sending or passing
> the virus.

> I've continued reporting the spam using Spam Tools. I also advised him that
> that ip is now blacklisted at Spamhaus.org.  It was listed in the composite
> blacklist but was removed today.  This afternoon I got the following email:

> I can assure you that it is indeed a mistake. These need to be removed
> at once or this will get very ugly!

> Below are complete headers from one of the messages from this ip, are these
> in fact from the ip I mentioned?

> Status: U
>  Return-Path: <[EMAIL PROTECTED]>
>  Received: from pop.earthlink.net [209.86.93.201] 
>         by localhost with POP3 (fetchmail-6.2.5) 
>         for [EMAIL PROTECTED] (single-drop); Tue, 29 Nov 2005 00:50:16 -0600 (CST)
>  Received: from picpba.com ([66.162.83.190]) 
>         by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1eGZi22e13Nl34g0 
>         Tue, 29 Nov 2005 01:48:26 -0500 (EST)
>  From: [EMAIL PROTECTED]
>  To: [EMAIL PROTECTED]
>  Date: Tue, 29 Nov 2005 06:37:15 UTC
>  Subject: Registration Confirmation
>  Importance: Normal
>  X-Priority: 3 (Normal)
>  Message-ID: <[EMAIL PROTECTED]>
>  MIME-Version: 1.0
>  Content-Type: multipart/mixed; boundary="=1bba52a03.f0cb"
>  Content-Transfer-Encoding: 7bit
>  X-SenderIP: 66.162.83.190
>  X-ASN: ASN-4323
>  X-CIDR: 66.162.83.0/24

> I've received another 18 infected messages from this ip again today.  I'm
> almost afraid to run my scripts.  Can this guy do anything?  I mean it's not
> my fault that this ip is being blacklisted. I'll hold off running the 
> scripts hoping I'll get some advice from some of you more knowledgeable on
> this stuff.

> Thanks
> Chris




--

"This message is made of 100% recycled electrons."

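An added example, not part of the original message or of any tool named in it: one way to answer the "are these in fact from the ip I mentioned?" question is to walk the Received chain from the top and stop at the first peer IP that is outside your own provider, since that IP was logged by a server you trust while the HELO name and every header below it are sender-supplied. The `TRUSTED_NETS` value and the placeholder recipient address are assumptions made for this sketch.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the two Received headers quoted above, with the redacted
# recipient replaced by a placeholder address.
RAW = """\
Received: from pop.earthlink.net [209.86.93.201]
\tby localhost with POP3 (fetchmail-6.2.5)
\tfor user@example.invalid (single-drop); Tue, 29 Nov 2005 00:50:16 -0600 (CST)
Received: from picpba.com ([66.162.83.190])
\tby mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1eGZi22e13Nl34g0
\tTue, 29 Nov 2005 01:48:26 -0500 (EST)
Subject: Registration Confirmation

body
"""

# Assumption: the POP server address from the first header stands in for the
# recipient's own mail provider.
TRUSTED_NETS = [ipaddress.ip_network("209.86.93.201/32")]

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(?\[(?P<ip>[0-9.]+)\]\)?\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return Received hops newest-first as dicts with helo, ip and by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            break  # never skip past a header we cannot read
        hops.append(m.groupdict())
    return hops

def handoff_hop(raw, trusted_nets=TRUSTED_NETS):
    """Find the hop where the mail entered trusted infrastructure.

    The top header is written by our own machine. A lower header is read only
    while every peer IP above it is trusted, so headers the sender prepended
    below the handoff are never consulted.
    """
    for hop in parse_hops(raw):
        peer = ipaddress.ip_address(hop["ip"])
        if not any(peer in net for net in trusted_nets):
            return hop  # ip was logged by a trusted server; helo is sender-supplied
    return None
```

For the quoted headers this returns the hop logged by mx-pigeons.atl.sa.earthlink.net, with peer 66.162.83.190 and HELO picpba.com.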