
The report for this spam can be found at: Young Hot Girls Edition.
Return-Path: <hey@delphi.com>
Received: from www.kdb.co.kr ([203.233.10.2])          
by santaclara01.pop.internex.net (Post.Office MTA v3.1.2          
release (PO203-101c) ID# 0-34792U7500L7500S0) with ESMTP          
id AAA4832 for <chris@lanets.com>; Wed, 4 Feb 1998 12:16:46 -0800
Received: from prettygirls ([38.30.63.39]) by www.kdb.co.kr          
(Netscape Mail Server v2.02) with SMTP id AAA11452;          
Wed, 4 Feb 1998 23:08:24 +0900
To: hey@delphi.com
From: hey@delphi.com
Comments: Authenticated sender is <hey@delphi.com>
Reply-to: jonniebob@storm.edu
Subject: Young Hot Girls New Site
Message-Id: <19980203575GAA48066@smtpverification99.kdb.co.kr>

>nslookup 203.233.10.2
Server:  dns.mediacity.com
Address:  205.216.172.10

Name:    www.kdb.co.kr
Address:  203.233.10.2

Yet another hijacked Korean server. I find no point in complaining to them; I'll just complain
to their access provider. Let's find out who that is:

>traceroute 203.233.10.2
traceroute to 203.233.10.2 (203.233.10.2), 30 hops max, 40 byte packets
 1  grfge002 (205.216.172.1)  0.453 ms  0.265 ms  0.255 ms
 2  bordercore2-hssi0-0.SanFrancisco.mci.net (166.48.15.249)  3.834 ms  2.853 ms  2.784 ms
 3  core4.SanFrancisco.mci.net (204.70.4.81)  5.139 ms  3.242 ms  3.483 ms
 4  core2-hssi-3.Sacramento.mci.net (204.70.1.234)  11.690 ms  5.832 ms  7.000 ms
 5  borderx2-fddi-1.Sacramento.mci.net (204.70.164.68)  5.846 ms  5.656 ms  9.096 ms
 6  dacom.Sacramento.mci.net (204.70.164.122)  170.348 ms  172.151 ms  169.340 ms
 7  210.120.128.3 (210.120.128.3)  171.012 ms  169.842 ms  168.661 ms
 8  210.120.254.55 (210.120.254.55)  176.147 ms  170.693 ms  167.705 ms
 9  203.252.13.10 (203.252.13.10)  179.904 ms  179.761 ms  179.256 ms
10  www.kdb.co.kr (203.233.10.2)  179.819 ms  181.413 ms  182.562 ms

And just to be sure: 
>whois 203.233.10.0
Asia Pacific Network Information Center (APNIC2)
   Tokyo Central Post Office Box 351
   Tokyo
   100-91
   JAPAN

   Netname: APNIC-CIDR-BLK
   Netblock: 202.0.0.0 - 203.255.255.0
   Maintainer: AP

   Coordinator:
      Conrad, David Randolph  (DC396)  davidc@APNIC.NET
      +81-3-5500-0480 (FAX) +81-3-5500-0481

   Domain System inverse mapping provided by:

   NS.TELSTRA.NET               203.50.0.137
   TECKLA.APNIC.NET             202.12.28.129
   NS.KRNIC.NET                 202.30.64.21
   NS.RIPE.NET                  193.0.0.193
   MOZART.TECHNET.SG            192.169.33.107

   *** please refer to whois.apnic.net for more information ***
   *** before contacting APNIC                              ***
   *** use whois -h whois.apnic.net                 ***

   Record last updated on 19-Sep-97.
   Database last updated on 4-Feb-98 04:14:08 EDT.

>whois -h whois.apnic.net 203.233.10.2
inetnum:     203.233.0.0 - 203.233.127.0
netname:     DACOM-NET
descr:       DACOM Co.
country:     KR
admin-c:     KB1-AP
tech-c:      SJ1-AP
changed:     bluejin@rs.krnic.net   960715
source:      APNIC

person:      Kangho Bae
address:     DACOM CO.
country:     KR
phone:       +82 02 220 5201
e-mail:      khbae@bora.dacom.co.kr
nic-hdl:     KB1-AP
changed:     bluejin@rs.krnic.net   960715
source:      APNIC

person:      Sanggyu Jang
address:     DACOM CO.
country:     KR
phone:       +82 02 220 5202
e-mail:      sgjang@bora.dacom.co.kr
nic-hdl:     SJ1-AP
changed:     bluejin@rs.krnic.net   960715
source:      APNIC

inetnum:     203.233.0.0 - 203.233.127.0
netname:     DACOM-NET
descr:       DACOM Co.
country:     KR
admin-c:     KB1-AP
tech-c:      SJ1-AP
changed:     bluejin@rs.krnic.net   960715
source:      APNIC

Oh boy, lots of people to annoy!!

Now onto the originating point:

>nslookup 38.30.63.39
Server:  dns.mediacity.com
Address:  205.216.172.10

Name:    ip39.rocky-mount.nc.pub-ip.psi.net
Address:  38.30.63.39

Normally I would be done, but I want to see where this spammer is located:

>traceroute 38.30.63.39
traceroute to 38.30.63.39 (38.30.63.39), 30 hops max, 40 byte packets
 1  grfge002 (205.216.172.1)  0.444 ms  0.312 ms  0.305 ms
 2  bordercore2-hssi0-0.SanFrancisco.mci.net (166.48.15.249)  2.852 ms  2.967 ms  2.768 ms
 3  core6.SanFrancisco.mci.net (204.70.4.89)  3.481 ms  3.222 ms  3.393 ms
 4  hay-psi-nap.SanFrancisco.mci.net (206.157.77.162)  3.532 ms  3.464 ms  3.821 ms
 5  se2.sc.psi.net (38.1.2.5)  93.206 ms  97.068 ms  93.898 ms
 6  38.1.25.34 (38.1.25.34)  179.415 ms  108.624 ms  101.240 ms
 7  raleigh.nc.southeast.us.psi.net (38.1.45.189)  106.778 ms  124.392 ms  125.470 ms
 8  rocky-mount.nc.isdn.psi.net (38.20.6.114)  226.787 ms  156.421 ms  122.953 ms
 9  ip39.rocky-mount.nc.pub-ip.psi.net (38.30.63.39)  258.612 ms  245.692 ms  256.074 ms

Wow, high tech! Pushing porn via ISDN. I sure hope that's a measured business line!!
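
The two addresses traced above come straight from the message's Received headers. As an added example (not part of the original page), the Python below extracts those hops from the page's own headers and flags the inconsistencies a reader would check by eye. The function names are hypothetical, and the regex assumes the `from name ([ip]) by host` layout these two mail servers wrote.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message on this page; folded lines keep a leading space.
RAW = """Return-Path: <hey@delphi.com>
Received: from www.kdb.co.kr ([203.233.10.2])
 by santaclara01.pop.internex.net (Post.Office MTA v3.1.2
 release (PO203-101c) ID# 0-34792U7500L7500S0) with ESMTP
 id AAA4832 for <chris@lanets.com>; Wed, 4 Feb 1998 12:16:46 -0800
Received: from prettygirls ([38.30.63.39]) by www.kdb.co.kr
 (Netscape Mail Server v2.02) with SMTP id AAA11452;
 Wed, 4 Feb 1998 23:08:24 +0900
From: hey@delphi.com
Reply-to: jonniebob@storm.edu

"""

# "from <name in the from clause> ([<IP the receiver saw>]) by <receiver>"
HOP = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)\s+by\s+(\S+)")

def hops(raw):
    """Return (claimed_name, peer_ip, receiver) tuples, oldest hop first."""
    msg = message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold the header
        if m:
            found.append(m.groups())
    return found[::-1]  # each server prepends its header, so reverse

def report(raw):
    """Summarise the trace: addresses to look up, plus header inconsistencies."""
    msg, chain = message_from_string(raw), hops(raw)
    flags = []
    for claimed, ip, receiver in chain:
        if "." not in claimed:  # this name may be only what the client claimed
            flags.append(f"unqualified name '{claimed}' from {ip}")
    # Each receiver should show up as the claimed sender of the next hop.
    for older, newer in zip(chain, chain[1:]):
        if older[2].lower() != newer[0].lower():
            flags.append(f"chain break between {older[2]} and {newer[0]}")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply and reply != sender:
        flags.append(f"Reply-To {reply} differs from From {sender}")
    return {"origin_ip": chain[0][1], "relay_ip": chain[-1][1], "flags": flags}

if __name__ == "__main__":
    print(report(RAW))
```

Only the topmost Received header was written by the recipient's own mail server; anything below it was added by machines outside the recipient's control, so the bracketed peer address carries more weight than the name in front of it.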

What about that web site?

>nslookup WW.Hotlovin.com
Server:  dns.mediacity.com
Address:  205.216.172.10

*** dns.mediacity.com can't find WW.Hotlovin.com: Non-existent host/domain

>nslookup hotlovin.com
Server:  dns.mediacity.com
Address:  205.216.172.10

Non-authoritative answer:
Name:    hotlovin.com
Address:  209.50.167.66

OK, now let's dig deeper:

>whois hotlovin.com
hotlovin Inc. (HOTLOVIN-DOM)
   2620 S. Maryland Pkwy.
   Las Vegas, NV 89109

   Domain Name: HOTLOVIN.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Furst, Sheri  (SF2828)  sheri@HOTLOVIN.COM
      702-675-0391
   Billing Contact:
      Furst, Sheri  (SF2828)  sheri@HOTLOVIN.COM
      702-675-0391

   Record last updated on 21-Jan-98.
   Record created on 11-Dec-97.
   Database last updated on 4-Feb-98 04:14:08 EDT.

   Domain servers in listed order:

   DNS.HOTLOVIN.COM             209.50.167.66
   NS2.HOTLOVIN.COM             209.50.167.67

Looks like a porno domain.

>traceroute hotlovin.com
traceroute to hotlovin.com (209.50.167.66), 30 hops max, 40 byte packets
 1  grfge002 (205.216.172.1)  0.371 ms  0.269 ms  0.256 ms
 2  bordercore2-hssi0-0.SanFrancisco.mci.net (166.48.15.249)  6.382 ms  20.535 ms  8.103 ms
 3  core7.SanFrancisco.mci.net (204.70.4.93)  5.599 ms  3.345 ms  3.781 ms
 4  206.157.77.74 (206.157.77.74)  5.014 ms  6.135 ms  4.956 ms
 5  105.ATM2-0-0.XR2.SCL1.ALTER.NET (146.188.145.158)  12.712 ms  10.534 ms  8.117 ms
 6  146.188.145.238 (146.188.145.238)  6.740 ms  11.707 ms  8.147 ms
 7  107.ATM8-0-0.TR1.LAX2.ALTER.NET (146.188.137.141)  24.083 ms  16.525 ms  18.217 ms
 8  100.ATM9-0-0.XR1.LAX2.ALTER.NET (146.188.248.125)  16.974 ms  29.045 ms  27.373 ms
 9  195.ATM1-0-0.CR2.LAX1.ALTER.NET (146.188.248.9)  21.776 ms  18.929 ms  18.232 ms
10  126.Hssi4-0.GW1.VEG1.Alter.Net (137.39.68.145)  25.896 ms  24.842 ms  24.708 ms
11  mgsinet-gw.customer.ALTER.NET (157.130.224.54)  27.798 ms  27.008 ms  27.084 ms
12  mgsinet-gw.customer.ALTER.NET (157.130.224.54)  31.423 ms  32.020 ms  31.031 ms
13  209.50.166.254 (209.50.166.254)  27.319 ms  29.421 ms  32.445 ms
14  gateway1.citywan.net (209.50.167.1)  30.247 ms  33.563 ms  52.439 ms
15  209.50.167.66.citywan.net (209.50.167.66)  38.002 ms  27.428 ms  35.238 ms

Now onto the folks providing access to these porno pushers:

>nslookup 209.50.167.66
Server:  dns.mediacity.com
Address:  205.216.172.10

Name:    209.50.167.66.citywan.net
Address:  209.50.167.66

WAIT, that's the same address as these porno pushers.

>whois citywan.net
CityWAN, LLC. (CITYWAN-DOM)
   4021 Industrial Road
   Las Vegas, NV 89103

   Domain Name: CITYWAN.NET

   Administrative Contact, Technical Contact, Zone Contact:
      Carl, Nolan  (NC311)  nolan@CITYWAN.NET
      702-791-7036 (FAX) 702-791-7009
   Billing Contact:
      Carl, Nolan  (NC311)  nolan@CITYWAN.NET
      702-791-7036 (FAX) 702-791-7009

   Record last updated on 21-Feb-97.
   Record created on 31-Jul-96.
   Database last updated on 4-Feb-98 04:14:08 EDT.

   Domain servers in listed order:

   KEVIN.CITYWAN.NET            209.50.166.1
   BIGBOY.CITYWAN.NET           209.50.167.4


