The Received lines are a chain. You start at the top, and that is the most *RECENT* place the e-mail came from. The *BOTTOM* is where the e-mail started from, with one caveat: the spammer can add Received: lines onto the bottom to make it look like it really originated from somewhere else, but as you gain experience you will figure out what "looks wrong" and ignore those lines.
> Received: from smtp.your.isp ([192.168.16.1]) by smtp.your.isp with
> Microsoft SMTPSVC(5.0.2195.5329);
> Wed, 6 Aug 2003 22:25:06 +0100
Received by your ISP (Internet Service Provider).
> Received: from adsl-141-154-84-234.ba-dsg.net ([141.154.84.234]) by
> smtp.your.isp with Microsoft SMTPSVC(5.0.2195.5329);
> Wed, 6 Aug 2003 22:25:00 +0100
Received from 141.154.84.234 by your ISP. Double-check that 141.154.84.234 actually is adsl-141-154-84-234.ba-dsg.net at Sam Spade:
http://samspade.org/t/lookat?a=141.154.84.234
SamSpade says:
141.154.84.234 has valid reverse DNS of adsl-141-154-84-234.ba-dsg.net
So that is correct. Please note that 141.154.84.234 is a DSL connection. I would almost bet that the e-mail originated from 141.154.84.234 and that the next line was put into the e-mail to confuse the issue.
> Received: from sq.38hhzc6.org ([65.49.45.211])
> by adsl-141-154-84-234.ba-dsg.net with ESMTP id 31E493C63CF
> for <garfield_@netcabo.pt>; Wed, 06 Aug 2003 18:17:34 -0400
Again we check that 65.49.45.211 is sq.38hhzc6.org:
http://samspade.org/t/lookat?a=65.49.45.211
Sam Spade says:
65.49.45.211 has valid reverse DNS of CPE0010db25c8b1-CM0f2029968262.cpe.net.cable.rogers.com
Something is not right here.
We look up sq.38hhzc6.org in Sam Spade:
http://samspade.org/t/lookat?a=sq.38hhzc6.org
Nothing is found.
We look up sq.38hhzc6.org in Google:
http://www.google.com/search?q=sq.38hhzc6.org
Google hasn't heard of it. Also note that the time on the Received line above is:
Wed, 06 Aug 2003 18:17:34 -0400
The Received line above it is:
Wed, 6 Aug 2003 22:25:00 +0100
So when we convert them all to the same time zone we get:
Received #1: Wed, 6 Aug 2003 21:25:06 +0000
Received #2: Wed, 6 Aug 2003 21:25:00 +0000
Received #3: Wed, 06 Aug 2003 22:17:34 -0000
So either the third Received line was faked (a very good possibility) or the machines' clocks were all screwed up (less and less of a possibility). I would discard the last line as faked.
Therefore we would send a complaint to whoever owns:
adsl-141-154-84-234.ba-dsg.net.
We go to Google and search for abuse and ba-dsg.net:
http://www.google.com/search?q=abuse+ba-dsg.net
We don't find much, so we go to Sam Spade or Abuse Net and take a look for ba-dsg.net:
http://www.abuse.net/lookup.phtml
Tells us:
Sam Spade tells us:
http://samspade.org/t/lookat?a=adsl-141-154-84-234.ba-dsg.net
It traces through Verizon, so I would send the complaint to abuse@verizon.net. If it tells me that the party to complain to is not a "major" Internet provider, I take a look at their web page. If it looks like they address spam issues then I send them the complaint; otherwise I let the major Internet provider handle it.
Everything below this line is easily faked, so for the most part you can ignore it.
> Message-ID: <u-64i-8se8$q476-5b49-7y@tjb1voib2>
> From: "Molly Baxter" <lvwm86pem@msn.com>
> To: YourEMail@your.provider.com
> Subject: Jenni Lopez exposed nipple pics
> Date: Wed, 06 Aug 03 18:17:34 GMT
> X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="A45.B_.CD.5.EC46"
> X-Priority: 3
> X-MSMail-Priority: Normal
> Return-Path: lvwm86pem@msn.com
> X-OriginalArrivalTime: 06 Aug 2003 21:25:04.0639 (UTC)
> FILETIME=[33C138F0:01C35C61]
One more note: some spammers "name" their computer something that looks real, like "supersoftware.com" or "abcmail.com".
> Received: from fcmail.com ([24.95.52.135]) by mc2-f14.law16.hotmail.com with
> Microsoft SMTPSVC(5.0.2195.5600);
The fake part is "fcmail.com": that is what the spammer "named" their computer. Complain to abuse@rr.com.
http://samspade.org/t/lookat?a=24.95.52.135 gives us
24.95.52.135 has valid reverse DNS of dhcp9552135.columbus.rr.com
Next we reverse check with Sam Spade:
http://samspade.org/t/lookat?a=fcmail.com
The DNS search shows nothing, and traceroute says it doesn't exist. So the initial Sam Spade lookup (the rr.com reverse DNS) is the one to trust.
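The two checks this post does by hand, comparing the name a sending host announced against the reverse DNS of the IP in brackets, and converting every Received timestamp to the same time zone so a hop that is stamped later than the hop that received it stands out, can be scripted. The following is an added example written for this post, not a tool from the post or from Sam Spade. It parses the three Received lines analysed above and the fcmail.com/Hotmail hop just shown; the reverse-DNS answers are an offline table copied from the Sam Spade results quoted in the post (a real tool would query DNS), the 192.168.16.1 entry is an assumption, and the Hotmail hop has no date because the post did not quote one.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample input: the three Received lines from the message analysed in the
# post, most recent hop first, joined onto one line each the way a header parser sees them.
RECEIVED_CHAIN = [
    "from smtp.your.isp ([192.168.16.1]) by smtp.your.isp with "
    "Microsoft SMTPSVC(5.0.2195.5329); Wed, 6 Aug 2003 22:25:06 +0100",
    "from adsl-141-154-84-234.ba-dsg.net ([141.154.84.234]) by smtp.your.isp "
    "with Microsoft SMTPSVC(5.0.2195.5329); Wed, 6 Aug 2003 22:25:00 +0100",
    "from sq.38hhzc6.org ([65.49.45.211]) by adsl-141-154-84-234.ba-dsg.net "
    "with ESMTP id 31E493C63CF for <garfield_@netcabo.pt>; Wed, 06 Aug 2003 18:17:34 -0400",
]

# Constructed sample: the Hotmail hop from the end of the post (its date was not quoted there).
HOTMAIL_CHAIN = [
    "from fcmail.com ([24.95.52.135]) by mc2-f14.law16.hotmail.com with "
    "Microsoft SMTPSVC(5.0.2195.5600);",
]

# Offline stand-in for the Sam Spade reverse-DNS answers quoted in the post. A real tool
# would call socket.gethostbyaddr(); the table keeps this example runnable without network.
REVERSE_DNS = {
    "192.168.16.1": None,  # private address inside the ISP, no public PTR (assumption)
    "141.154.84.234": "adsl-141-154-84-234.ba-dsg.net",
    "65.49.45.211": "CPE0010db25c8b1-CM0f2029968262.cpe.net.cable.rogers.com",
    "24.95.52.135": "dhcp9552135.columbus.rr.com",
}

# "from <HELO name> ([<ip>]) by <receiving host>" as Microsoft SMTPSVC writes it.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.I)


def parse_received(value):
    """Split one Received header into HELO name, connecting IP, receiving host and UTC time."""
    m = HOP_RE.search(value)
    if not m:
        raise ValueError("unrecognised Received format: " + value)
    when = None
    _, sep, date_part = value.rpartition(";")
    if sep and date_part.strip():
        try:
            when = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            when = None
    if when is not None:
        # A "-0000" zone parses as a naive datetime; treat it as UTC for the arithmetic.
        when = when.replace(tzinfo=timezone.utc) if when.tzinfo is None else when.astimezone(timezone.utc)
    return {"helo": m["helo"], "ip": m["ip"], "by": m["by"], "utc": when}


def analyse_chain(headers, reverse_dns):
    """Return (hops, findings). Hop numbers are 1-based, counted from the top like the post."""
    hops = [parse_received(h) for h in headers]
    findings = []
    for idx, hop in enumerate(hops):
        n = idx + 1
        ptr = reverse_dns.get(hop["ip"])
        # Check 1: the name the sender announced must agree with the reverse DNS of its IP.
        if ptr and ptr.lower() != hop["helo"].lower():
            findings.append((n, "helo-mismatch",
                             f"claims {hop['helo']} but {hop['ip']} reverses to {ptr}"))
        # Check 2: the hop below is earlier in the delivery path, so its timestamp should
        # not be later than this one once both are converted to UTC.
        if idx + 1 < len(hops):
            below = hops[idx + 1]
            if hop["utc"] and below["utc"] and below["utc"] > hop["utc"]:
                skew = int((below["utc"] - hop["utc"]).total_seconds())
                findings.append((n + 1, "clock-skew",
                                 f"stamped {skew} s after the hop that received it"))
    return hops, findings


def utc_times(hops):
    """The 'same time zone' column from the post, as HH:MM:SS strings (None if no date)."""
    return [h["utc"].strftime("%H:%M:%S") if h["utc"] else None for h in hops]


if __name__ == "__main__":
    for label, chain in (("ISP chain", RECEIVED_CHAIN), ("Hotmail hop", HOTMAIL_CHAIN)):
        hops, findings = analyse_chain(chain, REVERSE_DNS)
        print(label, utc_times(hops))
        for n, kind, detail in findings:
            print(f"  Received #{n}: {kind}: {detail}")
```

Run stand-alone it reports hop 3 of the ISP chain twice, once because sq.38hhzc6.org does not match the rogers.com reverse DNS and once because it is stamped 3154 seconds after the hop that claims to have received it, while hops 1 and 2 are clean; for the Hotmail hop it flags only the fcmail.com name. That matches the post's conclusion that the bottom line was added by the sender and the complaint belongs to the owner of the hop above it. A name mismatch on its own is weaker evidence than the clock anomaly, since many legitimate mail servers announce a HELO name that differs from their PTR record, so treat the two findings together rather than either alone.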