Your analysis of the header starts from top to bottom. The first Received: line
you see is the "trusted" line, because your own provider wrote it. You can almost
*always* trust this line. The further down the Received: lines you go, the less
you can trust the information: each line was written by a machine you know less
about, and anything below the last line written by a server you trust could have
been forged by the sender.
>Received: from cpimssmtpc05.msn.com - 207.46.193.224 by email.msn.com with
>    Microsoft SMTPSVC; Sat, 19 May 2001 12:22:21 -0700
Received at your provider (email.msn.com) from another of its own machines,
cpimssmtpc05.msn.com. Essentially you can "trust" these machines because they
belong to your provider.
>Received: from mta1.tm.net.my ([202.188.0.145]) by cpimssmtpc05.msn.com
>    with Microsoft SMTPSVC(5.0.2195.3225); Sat, 19 May 2001 12:22:18 -0700
Received at cpimssmtpc05.msn.com from 202.188.0.145. You cannot trust the name
"mta1.tm.net.my" because it is outside the parentheses: it is simply whatever the
connecting machine announced itself as in its HELO/EHLO greeting, and a sender
can put anything there. The part inside the parentheses, the IP address, was
recorded by the receiving server from the actual TCP connection, so that is the
part to work from.
Now we go to Sam Spade ( http://samspade.org/t/ ), put the IP address
202.188.0.145 into the top slot, tick "ipblock" and "traceroute", and click on
"Do Stuff". This tells us who the address really belongs to:
Official name: mta1.tm.net.my
Addresses:
202.188.0.145
If the "contact" information in the message is in the United States, or the spam
is in English, then the fact that this address is outside the United States
usually means the spammer is abusing an open SMTP (mail) relay rather than
sending through their own provider. Specifically, this one is in Malaysia (the
.my part of the address). This spammer knows some tricks, apparently. So I
complain to postmaster@tm.net.my and tell them that they should close their open
SMTP relay. That is a start to killing off your spammer.
>Received: from trooper.tm.net.my ([202.188.0.188]) by mta1.tm.net.my
>    (InterMail v03.02.05 118 121 101) with ESMTP
>    id <20010510183454.HBRJ16950@trooper.tm.net.my>;
>    Fri, 11 May 2001 02:34:54 +0800
Next we see that the message actually reached mta1.tm.net.my from
trooper.tm.net.my. Mail messages are handed along in fire-bucket-brigade
fashion, and the link from machine to machine should never break: the machine
named after "from" in one Received: line should be the machine named after "by"
in the line below it. A break in that chain is a sign that someone inserted a
forged Received: line. Note the dates, too: both tm.net.my lines are stamped
May 11, but MSN did not get the message until May 19, so it sat in that relay's
queue for over a week (or their clocks are badly wrong). So I would tell
postmaster@tm.net.my that the open SMTP relay they have is specifically
trooper.tm.net.my, and that it should be secured. Like so:
postmaster@tm.net.my
- Your SMTP mail server trooper.tm.net.my ([202.188.0.188]) was used as a mule
to pass this e-mail on to me (and waste your system resources doing it). You can
stop your SMTP port from relaying e-mail that comes from outside your domain
back out to other domains if you wish to. FYI only.
Info on how to lock down your server, see:
http://maps.vix.com/tsi/
http://mail-abuse.org/rbl/usage.html
http://samspade.org/t/
http://www.abuse.net/relay.html - Test for server vulnerability
>Received: from arauco.bomberos.cl (ip161.chicago31.il.pub-ip.psi.net
>    [38.33.74.161]) by trooper.tm.net.my (8.8.8+Sun/8.8.8) with SMTP id CAA05488;
>    Fri, 11 May 2001 02:15:42 +0800 (SGT)
O.K... *Now* we have the spammer in our clutches. Note that we have in the
Received: line:
arauco.bomberos.cl (ip161.chicago31.il.pub-ip.psi.net [38.33.74.161])
The spammer "named" their machine "arauco.bomberos.cl", but notice that this
portion is outside the parentheses, so it is just the HELO string they chose.
Inside the parentheses we find ip161.chicago31.il.pub-ip.psi.net [38.33.74.161]:
the IP address trooper.tm.net.my actually accepted the connection from, and the
reverse DNS name trooper looked up for it. This is where the spam entered the
mail system, so complain to psi.net. The reverse DNS name suggests a PSINet
access point in Chicago, so we can assume the spammer is somewhere in the
Chicago area, but treat that as a hint rather than a fact: a reverse DNS name
tells you where the provider's equipment is, not necessarily where the person
is.
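The walk through the four Received: lines above, done in code, as an added example that is not part of the original page. It parses each line into the announced (HELO) name, the reverse-DNS name and IP the receiving server recorded, and the "by" host; checks that the bucket brigade is unbroken; and reports the hand-off IP (the relay to complain to), the mule inside that relay's network, and the origin. The trusted-domain suffix (".msn.com") and the forged line used to show what a chain break looks like are assumptions made for the example.

```python
import re

# The four Received: lines from the message analysed above, newest first, with
# the folded whitespace joined as a mail client would show them.
RECEIVED = [
    "from cpimssmtpc05.msn.com - 207.46.193.224 by email.msn.com with "
    "Microsoft SMTPSVC; Sat, 19 May 2001 12:22:21 -0700",
    "from mta1.tm.net.my ([202.188.0.145]) by cpimssmtpc05.msn.com with "
    "Microsoft SMTPSVC(5.0.2195.3225); Sat, 19 May 2001 12:22:18 -0700",
    "from trooper.tm.net.my ([202.188.0.188]) by mta1.tm.net.my "
    "(InterMail v03.02.05 118 121 101) with ESMTP "
    "id <20010510183454.HBRJ16950@trooper.tm.net.my>; Fri, 11 May 2001 02:34:54 +0800",
    "from arauco.bomberos.cl (ip161.chicago31.il.pub-ip.psi.net [38.33.74.161]) "
    "by trooper.tm.net.my (8.8.8+Sun/8.8.8) with SMTP id CAA05488; "
    "Fri, 11 May 2001 02:15:42 +0800 (SGT)",
]

# Constructed for this example: the same chain with one forged line appended.
# Its "by" host is not the machine the line above claims to have come from.
FORGED = RECEIVED + [
    "from dialup.example.net (dialup.example.net [192.0.2.10]) "
    "by relay.example.org with SMTP id ABC123; Fri, 11 May 2001 02:10:00 +0800",
]

# "from <helo>" followed by either "(<rdns> [<ip>])" / "([<ip>])" (sendmail,
# InterMail, IIS) or "- <ip>" (the older Microsoft format seen in line 1).
FROM_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s*\(\s*(?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip_paren>[\d.]+)\]\s*\)"
    r"|\s+-\s+(?P<ip_dash>[\d.]+))?",
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(?P<by>[\w.-]+)", re.IGNORECASE)


def parse_received(line):
    """Split one Received: line into the pieces the analysis cares about."""
    m = FROM_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable Received: line: " + line)
    by = BY_RE.search(line)
    return {
        "helo": m.group("helo"),                          # announced name; untrusted
        "rdns": m.group("rdns"),                          # reverse DNS the server looked up
        "ip": m.group("ip_paren") or m.group("ip_dash"),  # address the server saw
        "by": by.group("by") if by else None,             # server that wrote this line
    }


def chain_breaks(hops):
    """Indexes i where hop i's sender is not the server that wrote hop i+1."""
    breaks = []
    for i in range(len(hops) - 1):
        sender = {hops[i]["helo"].lower(), (hops[i]["rdns"] or "").lower()}
        by = (hops[i + 1]["by"] or "").lower()
        if not by or by not in sender:
            breaks.append(i)
    return breaks


def trace(received_lines, trusted_suffixes=(".msn.com",)):
    """Walk the lines newest-first and return the addresses worth chasing."""
    hops = [parse_received(line) for line in received_lines]
    # Leading run of lines written by our own provider's servers.
    trusted = 0
    while trusted < len(hops) and any(
        (hops[trusted]["by"] or "").lower().endswith(s) for s in trusted_suffixes
    ):
        trusted += 1
    last = hops[-1]
    return {
        # Address our provider accepted the mail from: the relay to complain to.
        "handoff_ip": hops[trusted - 1]["ip"] if trusted else None,
        # Machines between that relay and the origin: the specific open mule(s).
        "relays": [h["ip"] for h in hops[trusted:-1]],
        # What the last line records about the machine that injected the mail.
        "origin_ip": last["ip"],
        "origin_rdns": last["rdns"],
        "origin_claimed": last["helo"],
        # Any break means the lines below it may be forged; stop trusting there.
        "breaks": chain_breaks(hops),
    }


if __name__ == "__main__":
    for key, value in trace(RECEIVED).items():
        print(f"{key:15} {value}")
    print("breaks in forged chain:", chain_breaks([parse_received(l) for l in FORGED]))
```

On the real chain the break list is empty and the three addresses come out exactly as worked out by hand: 202.188.0.145 (the relay that handed the mail to MSN), 202.188.0.188 (the mule) and 38.33.74.161 (the origin). On the forged chain the break is reported at the last genuine line, which is the point below which nothing should be believed.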
>From: flo345@oceanfree.net
>Message-ID: <000001211c81$00002bbe$00004505@arauco.bomberos.cl>
>To: <Owner@trooper.tm.net.my>
>Subject: Spam: Rates DROPPED! Free Mortgage Loan Analysis. No obligation!
>Date: Fri, 11 May 2001 13:01:31 -0500
>MIME-Version: 1.0
>Content-Type: text/html;
>    charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>X-Priority: 3
>X-MSMail-Priority: Normal
>Reply-To: flo345@oceanfree.net
>Return-Path: flo345@oceanfree.net
>X-OriginalArrivalTime: 19 May 2001 19:22:19.0278 (UTC) FILETIME=[057892E0:01C0E099]
All the above can be easily faked: From:, Reply-To: and Return-Path: are
whatever the sender typed, and the To: line (<Owner@trooper.tm.net.my>) is not
even your address, because the real recipients are given in the SMTP envelope,
not in the headers you see. Now on to the HTML. Let's see if we can get the
spammer's e-mail or web site shut down.
><META content=3D"Microsoft FrontPage 4.0" name=3DGENERATOR>
><META content=3D"Cheryl N Knowles" name=3DAuthor>
Look. They were kind enough to leave us their name. So maybe you want to look
up Cheryl N Knowles in the Chicago area and give them a call :-) ... Keep in
mind, though, that a name in a META tag is just text someone typed into
FrontPage; it is a lead, not proof.
><!--
CHANGE EMAIL ADDRESS IN ACTION OF FORM --><FORM name=3D"form"
method=3D=
>"post"
action=3D"mailto:geo=
>;posti@uole.c=
>1;m?subject=Mor=
>;t-Loan"
enctype=3D"text/plain"
O.K... They have attempted to hide their return address here, but it is not
really encryption. The message is sent as quoted-printable (see the
Content-Transfer-Encoding: header above), so an "=" at the end of a line is a
soft line break and "=3D" is an encoded "=" sign; the spammer has simply
arranged for the address to be chopped across several of those line breaks so
that a naive search for "mailto:" or "@uole.com" finds nothing. Sam Spade is
your buddy. Paste the fragment into the "Obfuscated URL" box and it will turn
it back into plain text for you. I paste the following in (after taking the
trailing "=" signs off the ends of the lines, since they are only the soft line
breaks the quoted-printable encoder put there):
mailto:geoposti@uole.com?subject=Mort-Loan
Sam Spade comes back with mailto:geoposti@uole.com?subject=Mort-Loan ... Now we
have somewhere to complain to. First go to www.uole.com and see if the web site
"looks" like the spammer. It looks like www.uole.com is a provider of some
sort, so send a complaint to abuse@uole.com (the "standard" complaint address)
and see what comes back. If you get back a message confirming receipt of your
complaint, or no message at all, then the complaint probably went through OK; a
bounce means you need to find another contact. There is also an address
uolmail@uole.com (bottom of the page). You might want to send the complaint to
them also.
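Undoing the quoted-printable trick programmatically, as an added example that is not part of the original page. The body fragment below is constructed in the same shape as the spam's form tag (the original message bytes are not reproduced), the decoder joins the soft line breaks and turns =3D back into "=", and the last function derives the abuse@ and postmaster@ role mailboxes (RFC 2142) for each domain found, which are the "standard" complaint addresses the text recommends.

```python
import quopri
import re
from html import unescape

# Constructed fragment shaped like the spam's form tag: the mailto: is chopped
# across quoted-printable soft line breaks ("=" at end of line) and every "="
# inside the HTML is encoded as "=3D". Not the original message bytes.
BODY_QP = (
    '<!-- CHANGE EMAIL ADDRESS IN ACTION OF FORM --><FORM name=3D"form" method=3D=\r\n'
    '"post" action=3D"mailto:geo=\r\n'
    'posti@uole.c=\r\n'
    'om?subject=3DMor=\r\n'
    't-Loan" enctype=3D"text/plain">\r\n'
    '<b><a href=3D"mailto:a_jose@uole.com?subject=3DDelete-Mort">Click Here</a>=\r\n'
    '</b>\r\n'
)

# Stop at '?' so the subject= parameter is not taken as part of the address.
MAILTO_RE = re.compile(r'mailto:([^\s"\'?<>]+)', re.IGNORECASE)


def decode_body(qp_text):
    """Undo quoted-printable: drop soft line breaks and decode =XX escapes."""
    return quopri.decodestring(qp_text.encode("ascii")).decode("iso-8859-1")


def mailto_targets(qp_text):
    """All mailto: addresses in the decoded body, in first-occurrence order."""
    # unescape() also undoes HTML entities such as &#64;, another common way
    # of hiding an '@' from a simple text search.
    text = unescape(decode_body(qp_text))
    seen, found = set(), []
    for addr in MAILTO_RE.findall(text):
        if addr.lower() not in seen:
            seen.add(addr.lower())
            found.append(addr)
    return found


def complaint_addresses(addrs):
    """abuse@ and postmaster@ (RFC 2142 role mailboxes) for each domain seen."""
    domains = []
    for addr in addrs:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in domains:
            domains.append(domain)
    return [f"{role}@{d}" for d in domains for role in ("abuse", "postmaster")]


if __name__ == "__main__":
    targets = mailto_targets(BODY_QP)
    print("drop boxes:", targets)
    print("complain to:", complaint_addresses(targets))
```

Running it pulls out both drop boxes, geoposti@uole.com from the form action and a_jose@uole.com from the "remove me" link further down, so one complaint to uole.com can name both. The same decoder works on any quoted-printable body saved from a mail client, which is handy when a message spreads its links across many soft breaks.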
Obviously this spammer is experienced (but not too bright, if they leave their
name in the HTML code of the message) and is using throw-away accounts for
their spam.
>"><b>Removal Instructions<br>
></b>Click
on the below link to be exclude from further communication.</fon=
>t><br>
><b><a
href=3D"mailto:a_jose@uole.com?subject=3DDelete-Mort">Click
Here</a>=
NEVER, never, never reply to a "Remove Me" link. That only confirms that your
e-mail address is "live", and it will then get passed along to other spammers.
You can, however, complain to uole.com about this address too, to get it
cancelled.