[mdlug] Question on Spam
bob dion
bobdion at starline-ent.com
Sun Jul 8 10:11:03 EDT 2007
A. Kalten wrote:
> On Sat, 7 Jul 2007 14:40:01 -0400 (EDT)
> "Carl T. Miller" <millerc at cantonpl.org> wrote:
>
>> Let's look at your headers. The first Received shows
>> that xxxxxxxxxxxx.xxx (this must be your mail server)
>> received it from barium.ypsi.provide.net. We can likely
>> trust them, since they are likely your ISP. The second
>> header says it came from 221.133.163.182. Since we don't
>> know who that is and they don't have a hostname associated
>> with that address, we can't trust anything else in this
>> message to be accurate. Thus we don't know whether or
>> not it did come from abacus21.com.
>>
>
>> It's most likely from a botnet or zombie. There's big money
>> out there for people who can automate the delivery of spam
>> while hiding their identities.
>>
>
> OK. I see what is happening. For some reason I had overlooked
> 221.133.163.182.
>
> The main point is that abacus21.com is not a part
> of this botnet. At first I actually thought about
> notifying abacus21.com to tell them that their mail server
> might be compromised. But the header information indicates
> that it is most likely just a deception.
>
> This pattern is similar in a lot of other spam that I
> receive. For example, here is another header of the
> same form:
>
> Return-Path: <a-acero at aef.wh.uni-dortmund.de>
> Received: from barium.ypsi.provide.net (root at localhost)
> by myserver.biz (8.12.11/8.12.11) with ESMTP id l67GSgDF021782
> for <info at myserver.biz>; Sat, 7 Jul 2007 12:28:43 -0400
> X-ClientAddr: 91.15.216.178
> Received: from p5B0FD8B2.dip.t-dialin.net (p5B0FD8B2.dip.t-dialin.net [91.15.216.178])
> by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id l67GSYEK021726
> for <info at northernlightsphoto.biz>; Sat, 7 Jul 2007 12:28:34 -0400
> Received: from [91.15.216.178] by aef.wh.uni-dortmund.de; Sat, 7 Jul 2007 16:28:22 -0100
>
>
> In this case, even though uni-dortmund.de is a legitimate
> university in Germany, the fact that it appears following this dubious
> 91.15.216.178 address makes the uni-dortmund.de location just another
> part of the deception. Also, the info says uni-dortmund.de only
> receives from 91.15.216.178 but doesn't send it anywhere else.
>
> Thanks for clearing this up.
>
> AK
>
> _______________________________________________
> mdlug mailing list
> mdlug at mdlug.org
> http://mdlug.org/mailman/listinfo/mdlug
>
If you want to find where an IP address is from, go here:
http://www.ip-adress.com
The first address is from 'Korea, Republic of'.
Hopefully helpful,
BD
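The rule Carl and AK apply above (trust the Received headers stamped by your own server and your ISP's relay, and treat every header below the first unknown stamping host as possibly forged) can be mechanised. The script below is an added example written for this archive page, not code from anyone in the thread. It rebuilds the second header block AK quoted as a constructed sample (with the list archive's " at " restored to "@"), assumes a trust list of two hosts (myserver.biz and barium.ypsi.provide.net, the poster's own server and the provide.net relay), and walks the chain top-down to report the last IP address a trusted server actually saw.

```python
"""Walk an e-mail's Received chain from the newest hop down and report the
last hop stamped by a trusted server. Everything below that hop was written
by an unknown party and may say anything it likes."""
import re
from email import message_from_string
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, rebuilt from the headers quoted in the thread. The
# archive shows '@' as ' at '; myserver.biz is the poster's own placeholder.
SAMPLE_MESSAGE = "\n".join([
    "Return-Path: <a-acero@aef.wh.uni-dortmund.de>",
    "Received: from barium.ypsi.provide.net (root@localhost)",
    "\tby myserver.biz (8.12.11/8.12.11) with ESMTP id l67GSgDF021782",
    "\tfor <info@myserver.biz>; Sat, 7 Jul 2007 12:28:43 -0400",
    "X-ClientAddr: 91.15.216.178",
    "Received: from p5B0FD8B2.dip.t-dialin.net"
    " (p5B0FD8B2.dip.t-dialin.net [91.15.216.178])",
    "\tby barium.ypsi.provide.net (8.12.11.20060308/8.12.11)"
    " with ESMTP id l67GSYEK021726",
    "\tfor <info@northernlightsphoto.biz>; Sat, 7 Jul 2007 12:28:34 -0400",
    "Received: from [91.15.216.178] by aef.wh.uni-dortmund.de;"
    " Sat, 7 Jul 2007 16:28:22 -0100",
    "Subject: constructed sample",
    "",
    "body",
    "",
])

# Assumed trust list: your own MTA plus the ISP relay that hands mail to it.
TRUSTED_HOSTS: Set[str] = {"myserver.biz", "barium.ypsi.provide.net"}

_RECEIVED_RE = re.compile(
    r"^from\s+([^\s;]+)"        # host the sender claimed (or a bare [ip])
    r"(?:\s+\(([^)]*)\))?"      # optional (reverse-dns [ip]) added by the receiver
    r"\s+by\s+([^\s;()]+)",     # the server that actually wrote this header
    re.IGNORECASE,
)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Split one Received header into from / by / ip fields."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = _RECEIVED_RE.match(flat)
    if not m:
        return {"from": None, "by": None, "ip": None, "raw": flat}
    ip = _IP_RE.search(flat)                # bracketed IP, wherever it appears
    return {
        "from": m.group(1),
        "by": m.group(3).lower(),
        "ip": ip.group(1) if ip else None,
        "raw": flat,
    }


def trace_origin(raw_message: str,
                 trusted_hosts: Set[str]) -> Tuple[Optional[str], List[dict]]:
    """Return (origin_ip, hops). origin_ip is the IP recorded by the deepest
    hop whose stamping server we trust; hops carry a 'trusted' flag."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin_ip: Optional[str] = None
    chain_intact = True
    for hop in hops:                        # newest (top) to oldest (bottom)
        if chain_intact and hop["by"] in trusted_hosts:
            hop["trusted"] = True
            if hop["ip"]:
                origin_ip = hop["ip"]       # last IP a trusted server saw
        else:
            chain_intact = False            # this and all later hops are hearsay
            hop["trusted"] = False
    return origin_ip, hops


if __name__ == "__main__":
    origin, hops = trace_origin(SAMPLE_MESSAGE, TRUSTED_HOSTS)
    for i, h in enumerate(hops, 1):
        tag = "trusted " if h["trusted"] else "UNTRUSTED"
        print(f"{i}. [{tag}] from={h['from']} by={h['by']} ip={h['ip']}")
    print("verifiable origin IP:", origin)
```

On the sample this reports the first two hops as trusted, the third (stamped by aef.wh.uni-dortmund.de) as untrusted, and 91.15.216.178 as the only origin a trusted server can vouch for, which is exactly AK's reading: the uni-dortmund.de line is part of the forgery, not evidence that the university relayed anything. The trust list is the whole argument; a relay that is not on it ends the trusted run even if its hostname looks respectable.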