Homework for a Guru (currently 6,134 views)
tracker
Posted on: Sunday, November 26th, 2006, 12:28pm
Posts: 41
Perhaps a suggestion… I’ll speak for myself, but I’m sure I’m not alone in saying that Internet Headers are cryptic. Oh how great it would be for a guru to show a fictitious header and go through it line by line so that we… err… I could understand better what I’m looking at.
Could we go further with some wise teachings, and perhaps include a bit of wisdom on typical terminology (umm… what’s a DNS?), how email works, how scammers scam, and so forth?
I know that in various posts there’s been some helpful information, but as a suggestion, how about a Questions and Answers forum – or something like that? Inquiring minds want to know.
Ryan
Posted on: Wednesday, November 29th, 2006, 2:26pm
Spam Fighter
Posts: 76
Hi Tracker,
There is a lot of terminology!
I will add my 2 cents worth for you:
As simple as possible: A nameserver (commonly called DNS) is like a telephone book. It is a computer (or server, or program...) that allows a domain name (ex. tebweb.com) to point to another machine where the content is stored (ex. server). For a domain name to work, it must have at least 2 nameservers (called master and slave, or primary and secondary).
Many different domains can use the same nameservers, because all the nameservers are is a big text database that points specific requests (web, e-mail, ftp, etc.) using a domain name to the correct computer via the IP Address that is listed.
Does that make any sense?
This is why it is more effective to shut down nameservers than individual domains. By shutting down just 2 nameservers, you can close down literally hundreds of thousands of sites all at once.
A dns looks like:
ns1.dude.com ns2.dude.com
Dude.com is the domain name (the part that you can shut down). In turn, each of the nameservers must be registered at the registry (ex. VeriSign, AFNIC, PIR, AFFILIAS...) of the TLD (ex. .com/.net..) in question. This is the 123.123.123.123 thingy (more technically known as the Internet Protocol Address, or IP address) that you will see glued (ha ha - techie joke) to the nameserver.
In a general nutshell:
A nameserver is like a telephone book that converts human language (e-mail addresses, website addresses...) into IP Addresses that computers can use to route and find the content to display or run...
Does this help at all?
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
tracker
Posted on: Wednesday, November 29th, 2006, 8:57pm
Posts: 41
Thanks Ryan... what you say does make sense, but I know that's just the tip of the iceberg.
Let me throw in a question and example. I've noticed that for some domains there are several nameservers listed. I ran into one scam domain that had four nameservers listed. One nameserver had been set to zero; the other three had not. Therefore, I assume that the scammer hasn't been affected. Is this true?
Ryan
Posted on: Thursday, November 30th, 2006, 12:06am
Spam Fighter
Posts: 76
Right. The idea behind multiple nameservers is that if one is down, the others can resolve the zone (tell it what to do) in its place - unless it is the primary nameserver that is authoritative for the zone (or rather, the one that tells the others what to do).
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
tracker
Posted on: Saturday, December 2nd, 2006, 12:21am
Posts: 41
Hmm… so as I see it, it's not very likely that many fraudulent websites will be shut down, at least those that use one or more nameservers registered to Beijing Innovative Linkage Technology or XIN NET Technology Corporation in China – they’ve proved to be totally unresponsive. Xin.net even returns email. Perhaps we should start a Registrars Hall of Shame, along with a Hall of Fame.
Another question, for anyone. I’ve noticed, while looking at the Internet Headers on email, that some messages say “Received: from…” this or that address a number of times. Why the multiple relays?
Ryan
Posted on: Saturday, December 2nd, 2006, 3:51am
Spam Fighter
Posts: 76
There is a registrars' hall of shame if you will, but it is a bit technical, and the rating scale is not meant for the general public. You can see it at http://rss.uribl.com/nic
Don't pay too much attention to the ranking by number, but rather, look at the percent on the right side of the screen. Also, the domains in the list are not always spamming sites (not 100% accurate).
Another thing: if a registrar puts a domain on RIP, it is not immediately held, but on a 15-day delay before holding, meaning that they took action, but the results are not registered yet.
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
tracker
Posted on: Saturday, December 2nd, 2006, 8:48pm
Posts: 41
A lot of spamming and scamming can happen in 15 days before a domain is pronounced DOA. So, are we also talking about 15 days before a DNS can also be set to 0.0.0?
I’m guessing that the percentage on the blacklist shows the rise in spam while the ranking indicates perhaps the total domains reported. Maybe?
By the way, Ryan, your signature line quote by Emo Philips reminds me of the first time I played a Radio Shack TRS-80 computer chess. A computer tech friend working at the school I was attending was proud of these computers – they were hot stuff at the time. He was so confident of them being able to play and win at chess, but after I checkmated a computer in four moves (a fool's mate) his demeanor changed to pure disheartenment. Still, seeing his reaction was more entertaining than playing the computer chess.
Ryan
Posted on: Sunday, December 3rd, 2006, 3:41am
Spam Fighter
Posts: 76
Good question tracker!
I don't know... I will look into that question. My gut reaction is "no", but this needs to be looked at more closely.
This page may interest you: http://www.spamhaus.org/faq/answers.lasso?section=Generic%20Questions
As to the uribl list, the ranking (number in the list) is based on the number of offending domains registered with the registrar, and is not weighted for the total number that the registrar has. Therefore, a large registrar will have a larger total number of registered spamming domains because they simply have more domains, as opposed to a small registrar that will have less.
If you were interested in turning this list into a user-friendly list, you could find the total number of domains registered by the registrar, and rank it by both the percentage of Active and Listed domains (two lists) as a proportion of the total number of domains managed.
You can use this to get the total number of domains (not 100% accurate, but good enough): http://www.webhosting.info/registrars/top-registrars/global/
Example:
Beijing Innovative Linkage Technology has 262,100 domains, of which 76 are listed spamming nameservers: thus 0.03%.
Network Solutions has 6,708,494 domains, of which 53 are listed, thus 0.008% of their domains are listed spamming nameservers.
Thus, while NS are higher on the list in uribl than Beijing Innovative, it would appear as though NS are tougher on spammers (though they should go farther!)
On top of this figure, one needs to compare the reactivity of the registrar to pulling the nameservers in their list - the importance of the "listed" figure.
And then, you need to look at the ones in the listed list of the registrar to see what the domains are (subjective assessment).
So in short, a clear "registrar hall of shame" is a GREAT idea, but one needs to really be careful to make it an accurate assessment...
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
tracker
Posted on: Monday, December 4th, 2006, 7:44pm
Posts: 41
Ryan, you bring up some good points and figures, not to mention those interesting links. It sounds as if the 15 day grace period doesn’t necessarily have to apply to “willful provision of inaccurate information”.
I suppose that my idea of a Hall of Shame and Hall of Fame was more simplistic and based upon a registrar's response to complaints. If they totally ignore your reports of abuse, or if they say that it’s not their problem, then as far as I’m concerned they’ve got their name in at least my Hall of Shame. Should they go as far as taking actions and responding back, then they could be placed in my Hall of Fame. For sure, a more mathematical approach based upon specifics would be more accurate, whereas my approach borders upon venting.
tracker
Posted on: Monday, December 11th, 2006, 12:36pm
Posts: 41
Question...
When checking out the status of nameservers at dnsstuff.com I've seen where at times they will list a server but mention that it does not respond to their requests. Does that mean the server has been deactivated... as I was told by one registrar?
Ryan
Posted on: Monday, December 11th, 2006, 2:56pm
Spam Fighter
Posts: 76
Could mean a lot of things actually, but it sounds deactivated to me. What is the nameserver?
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
tracker
Posted on: Monday, December 11th, 2006, 7:47pm
Posts: 41
I've seen this pop up a couple of times, and had to go back to find a response from Gandi regarding one nameserver. This was their response...
"ns2.ssauceboat.info already deactivated (2006-11-17). 217.70.185.0 is our IP address, it does not respond to DNS requests."
Ryan
Posted on: Thursday, December 14th, 2006, 4:16am
Spam Fighter
Posts: 76
That message means that the nameserver was deactivated, and no longer resolves inquiries for the domain.
The IP address 217.70.185.0 is Gandi's "Blackhole", meaning that the corresponding nameserver will do nothing. So if you see that message it is a GOOD thing.
Does that make sense?
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
Ryan
Posted on: Sunday, December 17th, 2006, 3:13pm
Spam Fighter
Posts: 76
Hey Tracker,
Why not post the full header of one of your spams, so everyone in this forum can pick it apart line by line to show what is going on, and how to read it...
This would benefit everyone, I think!
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
tracker
Posted on: Sunday, December 17th, 2006, 9:53pm
Posts: 41
Here is one of my typical spam messages that I send out to registrars. This particular one will have little effect, I know, since the nameservers are beyond our control.
The following domain registered by NETFIRMS, INC. is engaged in email spam, phishing, and fraud abuse:
http://slendersix.com/
These domains are using nameservers:
ns1.anatomyabstract.com.ns-not-in-service.org [0.0.0.0]
ns1.poertodas.com [83.143.12.252] Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
ns2.grettnos.com [63.223.11.14] Registrar: XIN NET TECHNOLOGY CORPORATION
ns2.seveopd.com [63.223.11.14] Registrar: XIN NET TECHNOLOGY CORPORATION
Please lock out customer access to these domains and set all address records to 0.0.0. Do not support Internet fraud abuse.
tracker
Posted on: Sunday, December 17th, 2006, 9:57pm
Posts: 41
I included the "going out" spam posted just to show what some registrars have been blocking because of spam content. Strange.
Ryan, since I don't want to give away too much personal info, I'll have to modify the header a bit.
MarkGiles
Posted on: Sunday, December 17th, 2006, 10:23pm
Posts: 363
> Question...
> When checking out the status of nameservers at dnsstuff.com I've seen where at times they will list a server but mention that it does not respond to their requests. Does that mean the server has been deactivated... as I was told by one registrar?
That proves that antispammers as well as spammers read these messages.
In particular, Alex Polyakov's gang has caught on to the fact that spam trackers are using dnsstuff.com as a tool to find out which nameservers are active and which are not. So he has configured his nameserver machines to block all requests coming from dnsstuff.com. That way they show a response of "Timeout" when they are interrogated from dnsstuff. Alex trying to be clever.
That is why it pays to know that:
0.0.0.0 is a sign that the registrar has acted
61.61.61.61 is a sign that Beijing Interactive has acted
217.70.185.0 is a sign that Gandi has acted
There are other sites and methods to check the status of a nameserver.
Let's take an example.
We want to know if ns1.lightwithab.com is an active Polyakov nameserver. It is registered on Ace of Domains. From the Command Prompt (Windows - Start > Run > cmd):
ping ns1.lightwithab.com
responds with
Pinging ns1.lightwithab.com [221.12.68.2] with 32 bytes of data:
Reply from 221.12.68.2: bytes=32 time=196ms TTL=47
Reply from 221.12.68.2: bytes=32 time=110ms TTL=47
etc.
Then we can do a nameserver lookup of one of the domains registered to use that nameserver. For example, plasmgkablasmaboo.com (Hey, I don't invent these names!)
nslookup plasmgkablasmaboo.com ns1.lightwithab.com
That says "look up the details of plasmgkablasmaboo.com, using just the one name server, ns1.lightwithab.com". Part of the response contains
Name: plasmgkablasmaboo.com
Address: 221.12.68.2
So the nameserver responds to a "ping" test, and it is working as a name server for the spammed web sites that are defined under it.
Let's work another example.
If you repeat the exercise for spammed site notprosay.info, you find that four name servers are found from the link http://www.dnsstuff.com/tools/traversal.ch?domain=notprosay.info&type=A
Ignoring Alex's Timeouts, we find
ns1.flockglass.com. [0.0.0.0] Thanks, Tucows, go to the Hall of Fame
ns1.happikun.com. [63.151.190.7]
ns2.dogmatrust.info. [217.70.185.0] Thanks, Gandi, join Tucows
ns2.vertubadon.com. [141.209.170.86]
A ping to the 2nd and 4th works. So we do the lookups
nslookup notprosay.info ns1.happikun.com
Name: notprosay.info
Address: 220.134.62.1
nslookup notprosay.info ns2.vertubadon.com
Name: notprosay.info
Address: 220.134.62.1
So two of the four name servers are still working. They are registered on Beijing Innovative and XIN Net respectively. You'll find them languishing in the Hall of Shame. So far. See what tomorrow brings, after you have sent your compliance request for their removal.
PS - McAfee SiteAdvisor links provide background on these spammed sites:
http://www.siteadvisor.com/sites/plasmgkablasmaboo.com
http://www.siteadvisor.com/sites/notprosay.info
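The checks Mark walks through above (and the name-to-address mapping Ryan describes at the top of the thread), written as a script. This is an added example, not code from this thread or from dnsstuff. It skips nameservers whose glue address is one of the sentinel values in Mark's list, and asks each remaining nameserver directly for the domain's A record over UDP, which is what "nslookup <domain> <nameserver>" does. The sample listing is the one Mark quotes for notprosay.info; the sentinel meanings are taken from his post and are that thread's observation, not a documented registrar convention. The function names are mine, and build_response constructs a reply so the parser can be exercised without network access; a live query is only sent when the file is run by hand.

```python
"""Nameserver triage plus a dependency-free "nslookup domain nameserver".

Added example, not from the thread. Wire format follows RFC 1035.
"""
import random
import socket
import struct

# Glue addresses that, per Mark's post above, mean the registrar has acted.
SENTINELS = {
    "0.0.0.0": "registrar null-routed it",
    "61.61.61.61": "Beijing Innovative has acted",
    "217.70.185.0": "Gandi blackhole nameserver",
}

# Constructed sample: the dnsstuff listing Mark quotes for notprosay.info.
SAMPLE_NAMESERVERS = {
    "ns1.flockglass.com": "0.0.0.0",
    "ns1.happikun.com": "63.151.190.7",
    "ns2.dogmatrust.info": "217.70.185.0",
    "ns2.vertubadon.com": "141.209.170.86",
}


def triage(nameservers: dict) -> dict:
    """Split a {nameserver: glue_ip} listing into neutralised and to-be-queried."""
    neutralised = {ns: SENTINELS[ip] for ns, ip in nameservers.items() if ip in SENTINELS}
    to_query = {ns: ip for ns, ip in nameservers.items() if ip not in SENTINELS}
    return {"neutralised": neutralised, "to_query": to_query}


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(domain: str, txid: int) -> bytes:
    """A single-question query for the A record of `domain`, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(buf: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(buf: bytes, txid: int) -> dict:
    """Return rcode, the AA flag and the A records carried in a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if rid != txid:
        raise ValueError("response transaction id does not match the query")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(buf, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            records.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "authoritative": bool(flags & 0x0400), "a_records": records}


def build_response(txid: int, domain: str, ip: str) -> bytes:
    """Construct an authoritative answer; used here to exercise the parser offline."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1
    question = encode_name(domain) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(ip)
    return header + question + answer


def query_a(domain: str, nameserver_ip: str, timeout: float = 3.0) -> dict:
    """Ask one specific nameserver for the domain's A record (needs network access)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, txid), (nameserver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    plan = triage(SAMPLE_NAMESERVERS)
    for ns, why in plan["neutralised"].items():
        print(f"{ns}: skipped, {why}")
    for ns, ip in plan["to_query"].items():
        try:
            print(f"{ns} [{ip}]:", query_a("notprosay.info", ip))
        except (OSError, ValueError) as exc:
            print(f"{ns} [{ip}]: no usable answer ({exc})")
```

A timeout from a nameserver that dnsstuff also reports as "Timeout" only tells you it did not answer this particular client; as Mark points out, the operator can block by source, so the absence of a reply is not proof that the server is down.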
tracker
Posted on: Monday, December 18th, 2006, 12:51am
Posts: 41
Mark, is there a switch on the Ping command to keep the window active instead of closing immediately after it retrieves the info? I tried /P but no go. Works fine if I go to DOS instead of trying to work through Windows, but without cut and paste help. Also don't have the nslookup command, as I just found out.
tracker
Posted on: Monday, December 18th, 2006, 1:14am
Posts: 41
Ryan, here is the header from one of Polyakov's spam emails. I think that this was sent through a mail server in Taiwan. I also did a quicky on performing an AKA on my email address, but suppose the theory will remain the same.
Return-path: <istanbull@gforce1.com>
Received: from mmp1-v0.westbroadband.net ([192.168.17.143]) by msgs1.westbroadband.net (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id <0JAG00EIQBSB7900@msgs1.westbroadband.net> for johndoe@doepizza.com; Sun, 17 Dec 2006 20:14:35 -0800 (PST)
Received: from cuda2.westbroadband.com ([192.168.17.102]) by s1mq0.westbroadband.net (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0JAG0074JBV6FL10@s1mq0.westbroadband.net> for johndoe@doepizza.com (ORCPT johndoe@doepizza.com); Sun, 17 Dec 2006 20:16:18 -0800 (PST)
Received: from -1216223920 (61-228-133-113.dynamic.hinet.net [61.228.133.113]) by cuda2.westbroadband.com (Spam Firewall) with SMTP id DE07942E071 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 20:21:25 -0800 (PST)
Received: from gforce1.com (-1215544608 [-1215387776]) by 61-228-133-113.dynamic.hinet.net (Qmailv1) with ESMTP id 336FB6AB95 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 21:17:15 -0500
Date: Sun, 17 Dec 2006 21:17:15 -0500
From: "Axiom I. Incriminate" <istanbull@gforce1.com>
Subject: [SPAM:*] Girls don't like you?
To: Johndoe <johndoe@doepizza.com>
Message-id: <7698121304.20061217211715@gforce1.com>
MIME-version: 1.0
X-Mailer: The Bat! (v2.00.3) Personal
Content-type: text/plain
Content-transfer-encoding: 7BIT
X-Priority: 3
X-ASG-Debug-ID: 1166415675-7288-233-2
X-Barracuda-URL: http://cuda2.westbroadband.com:8000/cgi-bin/mark.cgi
X-ASG-Orig-Subj: Girls don't like you?
X-AntiVirus: OK! AntiVir MailGate Version 2.0.1; AVE: 6.15.0.0; VDF: 6.15.0.6
X-Barracuda-Bayes: SPAM GLOBAL 1.0000 1.0000 4.3430
X-Virus-Scanned: by Westbroadband Spam Firewall at westbroadband.com
X-ASG-Tag: INTENT (propnostril.com)
X-Barracuda-Spam-Score: 7.39
X-Barracuda-Spam-Status: Yes, SCORE=7.39 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=8.0 tests=DRUGS_ANXIETY, DRUGS_ANXIETY_EREC, DRUGS_ERECTILE
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.29029
 Rule breakdown below
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 1.10 DRUGS_ERECTILE         Refers to an erectile drug
 1.84 DRUGS_ANXIETY          Refers to an anxiety control drug
 0.10 DRUGS_ANXIETY_EREC     Refers to both an erectile and an anxiety drug
X-Barracuda-Spam-Flag: YES
Original-recipient: rfc822;johndoe@doepizza.com
MarkGiles
Posted on: Monday, December 18th, 2006, 3:35pm
Posts: 363
> Mark, is there a switch on the Ping command to keep the window active instead of closing immediately after it retrieves the info? I tried /P but no go. Works fine if I go to DOS instead of trying to work through Windows, but without cut and paste help. Also don't have the nslookup command, as I just found out.
I am so ancient I don't mind using the command prompt. You can copy/paste in the DOS window by clicking on the top left icon. To paste, select Edit > Paste. To copy, select Edit > Mark, then use the mouse to "swipe" the rectangular area to copy, and press Enter to copy the highlighted text to the clipboard.
Keyboard shortcuts are ep for edit > paste or ek for edit > mark after you have clicked the top left icon.
ping and nslookup are available on the web at many sites, too.
tracker
Posted on: Tuesday, December 19th, 2006, 12:49am
Posts: 41
Interesting... When in DOS, I only have a full screen. Have to type "exit" to get back. Time to upgrade...
Ryan
Posted on: Tuesday, December 19th, 2006, 1:49am
Spam Fighter
Posts: 76
So let's get started on this!
Ok, Part I:
Return-path: <istanbull@gforce1.com>

Metaphorically, this is the return address on the envelope that was posted. This address could be anything that the sender decided to put there, and should not be interpreted as being the real e-mail address of the sender.
Hosts (and other companies, and individuals) can have their servers or mail clients flooded, and ground to a halt when spammers mail millions of spam mails with fake return-paths. This is because all the bounced mails get sent to that address, thus crippling a system not designed to handle such a flow.
Received: from mmp1-v0.westbroadband.net ([192.168.17.143]) by msgs1.westbroadband.net (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id <0JAG00EIQBSB7900@msgs1.westbroadband.net> for johndoe@doepizza.com; Sun, 17 Dec 2006 20:14:35 -0800 (PST)

The Received section indicates the origin of the mail. In your mail, there are four indications:
from: the machine that sent it (and its IP address)
by: the nameserver that received it, and its mail transfer agent (MTA) (http://en.wikipedia.org/wiki/Mail_transfer_agent)
with: The ESMTP (http://en.wikipedia.org/wiki/SMTP_extension) id of the sender. This information was added by the mail server, and not the spammer, so it is more reliable. All it does is help identify the connection associated with the handler. Not useful in anti-spam.
for: This is to whom the mail was sent. Note that this may be different from the "to" that you see in the short header! I see many cases where spammers use a different "for" address and "to" address so the victim does not know which e-mail address of theirs is actually being spammed.
Why are there three "received"? This is because each server that handles "your" mail adds one to the spam (when it was written, when it was processed by the MTA, and when transferred to you).
You can use this to trace the mail back to the source by starting from the bottom and working your way towards the top. The first one sent (by the spammer) is the bottom one.
UPDATE: See Mark's comment below regarding the original source of the message.
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
MarkGiles
Posted on: Tuesday, December 19th, 2006, 6:22pm
Posts: 363
Interesting analysis. This is fun!
Received: from gforce1.com (-1215544608 [-1215387776]) by 61-228-133-113.dynamic.hinet.net (Qmailv1) with ESMTP id 336FB6AB95 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 21:17:15 -0500
So the source would most likely be at IP address 61.228.133.113 which appears to be a dynamic address on hinet.net. It is time-stamped 21:17:15 at 5 hours behind GMT (say 26:17 or 02:17 the next day, GMT).
In the next step on its journey we see
Received: from -1216223920 (61-228-133-113.dynamic.hinet.net [61.228.133.113]) by cuda2.westbroadband.com (Spam Firewall) with SMTP id DE07942E071 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 20:21:25 -0800 (PST)
That means that it arrived at westbroadband.com after leaving hinet.net. Arrival is time-stamped 20:21:25 at 8 hours behind GMT (say 28:21 or 04:21 GMT - almost 2 hours time delay assuming the time zones are configured right.)
Now for the next step on the journey
Received: from cuda2.westbroadband.com ([192.168.17.102]) by s1mq0.westbroadband.net (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0JAG0074JBV6FL10@s1mq0.westbroadband.net> for johndoe@doepizza.com (ORCPT johndoe@doepizza.com); Sun, 17 Dec 2006 20:16:18 -0800 (PST)
The IP addresses for westbroadband are 192.168.*.* which are private, non-routable addresses. One more hop within the westbroadband.com network, arriving 20:16:18 - seemingly a few minutes earlier than it left. Assume that the time-of-day clock on one of these two machines is a bit inaccurate.
Now for the final hop from source to destination
Received: from mmp1-v0.westbroadband.net ([192.168.17.143]) by msgs1.westbroadband.net (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id <0JAG00EIQBSB7900@msgs1.westbroadband.net> for johndoe@doepizza.com; Sun, 17 Dec 2006 20:14:35 -0800 (PST)
This timestamp shows another anomaly: it is also earlier than its departure time from the previous hop. But that is the sequence of operations, as seen in the "From" and "By" fields. The admin of those Sun Java systems should set them up to auto-sync the time from a time-server!
Origin -> Hinet -> westbroadband.com -> westbroadband.net -> westbroadband.net -> you
Does that order make sense?
Looking at the hinet address, you can see it has been reported already http://cbl.abuseat.org/lookup.cgi?ip=61.228.133.113&.submit=Lookup
MarkGiles
Posted on: Tuesday, December 19th, 2006, 6:50pm
Posts: 363
Now for the real analysis. The source address looks weird. Instead of being in the form 61.123.234.123 we see a long negative number, in fact two!
Received: from gforce1.com (-1215544608 [-1215387776]) by 61-228-133-113.dynamic.hinet.net (Qmailv1) with ESMTP id 336FB6AB95 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 21:17:15 -0500
We can convert long integer form into dotted IP address form. See http://www.opinionatedgeek.com/DotNet/Tools/CrazyIP/default.aspx
Converting the first of these, -121554608, we get Host: 32.sub-72-115-189.myvzw.com which is IP 72.115.189.32
Converting the second one, -1215387776, we get Host: 128.sub-72-113-88.myvzw.com which is IP 72.113.88.128
That is the most likely actual origin address, which is in the Verizon Wireless IP range. myvzw.com is a Verizon / MSN offering. The spammer used hinet as the uplink, exploiting an open relay.
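Ryan's Part I and Mark's two follow-ups, done by script. This is an added example, not code from the thread or from the converter Mark links to. It walks the Received: lines of the header tracker posted from the bottom up, computes the delay between consecutive hops so that the backwards-running clocks Mark notices are flagged, marks hops on private 192.168.x.x addresses, and converts the long-integer fields in the hinet hop to dotted-quad form. The converter used in the thread drops the sign of the number (1215387776 is 72.113.88.128); long_to_dotted shows that reading next to the two's-complement reading of the same 32-bit value, which comes out different, so such a field is a lead to corroborate against the other hops rather than evidence on its own. Function names are mine; the header lines are those posted above (the recipient was already anonymised by the poster).

```python
"""Trace a Received: chain bottom-up and flag the anomalies discussed above.

Added example, not code from the thread.
"""
import re
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Received: lines copied from the header posted in this thread, in header
# order (newest hop first, as a mail client shows them).
RECEIVED_HEADERS = [
    "from mmp1-v0.westbroadband.net ([192.168.17.143]) by msgs1.westbroadband.net "
    "(Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id "
    "<0JAG00EIQBSB7900@msgs1.westbroadband.net> for johndoe@doepizza.com; "
    "Sun, 17 Dec 2006 20:14:35 -0800 (PST)",
    "from cuda2.westbroadband.com ([192.168.17.102]) by s1mq0.westbroadband.net "
    "(Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id "
    "<0JAG0074JBV6FL10@s1mq0.westbroadband.net> for johndoe@doepizza.com "
    "(ORCPT johndoe@doepizza.com); Sun, 17 Dec 2006 20:16:18 -0800 (PST)",
    "from -1216223920 (61-228-133-113.dynamic.hinet.net [61.228.133.113]) by "
    "cuda2.westbroadband.com (Spam Firewall) with SMTP id DE07942E071 for "
    "<johndoe@doepizza.com>; Sun, 17 Dec 2006 20:21:25 -0800 (PST)",
    "from gforce1.com (-1215544608 [-1215387776]) by 61-228-133-113.dynamic.hinet.net "
    "(Qmailv1) with ESMTP id 336FB6AB95 for <johndoe@doepizza.com>; "
    "Sun, 17 Dec 2006 21:17:15 -0500",
]

HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*"      # name the sending host announced itself as
    r"(?:\((?P<seen>[^)]*)\))?\s*"   # what the receiving MTA actually saw: rDNS and [IP]
    r"by\s+(?P<by>\S+)",             # the receiving MTA
    re.IGNORECASE,
)
BRACKETED_RE = re.compile(r"\[(-?[\d.]+)\]")


def long_to_dotted(value: int) -> dict:
    """Two readings of a 32-bit integer an MTA logged where an address belongs.

    'magnitude' drops the sign (what the converter used in the thread does);
    'twos_complement' keeps the low 32 bits of the signed value. They differ
    for negative input, so neither is trustworthy without corroboration.
    """
    return {
        "magnitude": str(ip_address(abs(value) & 0xFFFFFFFF)),
        "twos_complement": str(ip_address(value & 0xFFFFFFFF)),
    }


def parse_received(line: str) -> dict:
    """Extract from/by hosts, the observed address and the timestamp of one hop."""
    m = HOP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable Received line: {line[:60]!r}")
    hop = {"from": m.group("helo"), "by": m.group("by"),
           "ip": None, "private": None, "long_ip": None}
    found = BRACKETED_RE.search(m.group("seen") or "")
    if found:
        raw = found.group(1)
        if "." in raw:
            hop["ip"] = raw
            hop["private"] = ip_address(raw).is_private
        else:
            hop["long_ip"] = long_to_dotted(int(raw))
    # The date-time is whatever follows the last ';' (RFC 5322 Received syntax).
    hop["time"] = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
    return hop


def trace_route(received_headers: list) -> list:
    """Return hops in transit order (origin first) with per-hop delay and skew flags."""
    hops = [parse_received(h) for h in reversed(received_headers)]
    for i, hop in enumerate(hops):
        if i == 0:
            hop["delta_s"] = None
        else:
            hop["delta_s"] = int((hop["time"] - hops[i - 1]["time"]).total_seconds())
        hop["clock_skew"] = hop["delta_s"] is not None and hop["delta_s"] < 0
    return hops


if __name__ == "__main__":
    for i, hop in enumerate(trace_route(RECEIVED_HEADERS), 1):
        where = hop["ip"] or hop["long_ip"]
        flags = []
        if hop["private"]:
            flags.append("private address")
        if hop["clock_skew"]:
            flags.append(f"clock runs backwards by {-hop['delta_s']}s")
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {where} "
              f"at {hop['time'].isoformat()} {'; '.join(flags)}")
```

Only the topmost Received: lines, added by servers you trust, are reliable; anything below the first hop your own provider recorded could have been written by the sender, which is why the hinet hop's odd "from" fields deserve the scepticism Mark applies to them.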
Ryan
Posted on: Tuesday, December 19th, 2006, 11:21pm
Spam Fighter
Posts: 76
I bow in the presence of greatness 
Thanks for the link, Mark!
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
tracker
Posted on: Friday, December 22nd, 2006, 11:32am
Posts: 41
You guys are good. I’ve always wondered about those time anomalies which I’d often see, and because of that I’d get a bit confused as to the route that the email took. So it passes from bottom up to the top of the stack? Got it. I didn't realize that those long integers were IP addresses.
Perhaps someone now could answer why or how some email, just like our pony express, gets actual real delays for days. Maybe it gets routed through the Denver airport, eh?
phantazm
Posted on: Sunday, July 1st, 2007, 5:13pm
New Member
Posts: 18
Ryan: "So in short, a clear "registrar hall of shame" is a GREAT idea, but one needs to really be careful to make it an accurate assessment..."
If they ignore complaints, that should be enough!