The report for this spam can be found at: Fire Power Edition.
Return-Path: <lekee56@prodigy.com>
Received: from POP3.tu-dresden.de ([141.30.2.83])
by santaclara01.pop.internex.net (Post.Office MTA v3.1.2
release (PO203-101c) ID# 0-34792U7500L7500S0) with SMTP
id AAA8847 for <chris@lanets.com>; Sat, 4 Jul 1998 20:37:08 -0700
Received: from rmail.urz.tu-dresden.de by rks3 with SMTP (PP);
Sun, 5 Jul 1998 05:30:42 +0200
Received: from physik.phy.tu-dresden.de (actually pbtrs2.phy.tu-dresden.de)
by rmail with SMTP (PP); Sun, 5 Jul 1998 05:25:50 +0200
Received: from sf-dnpqi-050.compuserve.net
by physik.phy.tu-dresden.de (AIX 3.2/UCB 5.64/4.03) id AA21179;
Sun, 5 Jul 1998 05:30:16 +0200
Date: Sun, 5 Jul 1998 05:30:16 +0200
To: lekee56@prodigy.com
From: lekee56@prodigy.com
Comments: Authenticated sender is <lekee56@prodigy.com>
Subject: Email 57 Million People for $99
Message-Id: <199807043312DAA10020@pimaia2y.phy.tu-dresden.de>
>nslookup 141.30.2.83
Server: ns.mediacity.com
Address: 205.216.172.10
Name: POP3.tu-dresden.de
Address: 141.30.2.83
Relaying server located.
>nslookup rmail.urz.tu-dresden.de
Server: ns.mediacity.com
Address: 205.216.172.10
Name: rmail.urz.tu-dresden.de
Addresses: 141.30.2.84, 141.30.66.2
Secondary gathering server located.
>nslookup pbtrs2.phy.tu-dresden.de
Server: ns.mediacity.com
Address: 205.216.172.10
Name: pbtrs2.phy.tu-dresden.de
Address: 141.30.81.2
Hijacked server located.
>nslookup physik.phy.tu-dresden.de
Server: ns.mediacity.com
Address: 205.216.172.10
Name: physik.phy.tu-dresden.de
Address: 141.30.4.242
Forgery used by spammer. I'm going to have to do some more investigation to determine what
is going on here.
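The trace above walks the Received: chain by hand, bottom to top, checking each hop's claimed name against what the next server actually saw. The Python script below is an added example (mine, not part of this page) that performs the same walk mechanically over the spam headers quoted above: it unfolds the continuation lines, reads each Received: header from the origin upward, records the name the sending host claimed, the name the receiving MTA actually resolved (the "(actually ...)" form this PP MTA wrote) or the connecting IP where one was logged, and flags any hop whose claimed name disagrees with the observed one. The one-space folding of the embedded headers and the assumption that the observed name or IP appears only in the "(actually ...)" and "([ip])" forms seen on this page are my own; other MTAs write these fields differently.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Headers copied from the spam quoted above; folded continuation lines are
# indented with one space, as the RFC 822 wire format requires.
SPAM_HEADERS = """\
Return-Path: <lekee56@prodigy.com>
Received: from POP3.tu-dresden.de ([141.30.2.83])
 by santaclara01.pop.internex.net (Post.Office MTA v3.1.2
 release (PO203-101c) ID# 0-34792U7500L7500S0) with SMTP
 id AAA8847 for <chris@lanets.com>; Sat, 4 Jul 1998 20:37:08 -0700
Received: from rmail.urz.tu-dresden.de by rks3 with SMTP (PP);
 Sun, 5 Jul 1998 05:30:42 +0200
Received: from physik.phy.tu-dresden.de (actually pbtrs2.phy.tu-dresden.de)
 by rmail with SMTP (PP); Sun, 5 Jul 1998 05:25:50 +0200
Received: from sf-dnpqi-050.compuserve.net
 by physik.phy.tu-dresden.de (AIX 3.2/UCB 5.64/4.03) id AA21179;
 Sun, 5 Jul 1998 05:30:16 +0200
Date: Sun, 5 Jul 1998 05:30:16 +0200
From: lekee56@prodigy.com
Subject: Email 57 Million People for $99
"""

# "from <claimed> (<paren>)" -- the parenthesis is where this MTA wrote what it saw
FROM_RE = re.compile(r"^from\s+(?P<claimed>[^\s(]+)(?:\s*\((?P<paren>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;(]+)", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Hop:
    claimed: str            # name the sending host announced
    by: Optional[str]       # MTA that stamped this Received: line
    actual: Optional[str]   # name the receiving MTA resolved, if it recorded one
    ip: Optional[str]       # connecting IP, if the receiving MTA recorded one


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines and split each header into (name, value)."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value: str) -> Hop:
    """Pull the from/by/actual/IP fields out of one Received: header value."""
    m = FROM_RE.match(value)
    claimed = m.group("claimed") if m else "?"
    paren = (m.group("paren") or "") if m else ""
    actual = None
    if paren.lower().startswith("actually "):
        actual = paren[len("actually "):].strip()
    ip_match = IP_RE.search(paren)
    by_match = BY_RE.search(value)
    return Hop(claimed, by_match.group("by") if by_match else None,
               actual, ip_match.group(0) if ip_match else None)


def trace(raw: str) -> dict:
    """Walk Received: lines bottom-up (origin first) and flag name mismatches."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    path = [parse_received(v) for v in reversed(received)]
    mismatches = [(h.claimed, h.actual) for h in path
                  if h.actual and h.actual.lower() != h.claimed.lower()]
    return {"path": path,
            "origin": path[0].claimed if path else None,
            "mismatches": mismatches}


if __name__ == "__main__":
    result = trace(SPAM_HEADERS)
    for i, hop in enumerate(result["path"], 1):
        note = f" (really {hop.actual})" if hop.actual else ""
        addr = f" [{hop.ip}]" if hop.ip else ""
        print(f"hop {i}: {hop.claimed}{note}{addr} -> {hop.by}")
    print("claimed origin:", result["origin"])
    for claimed, actual in result["mismatches"]:
        print(f"forged name: {claimed!r} was actually {actual!r}")
```

Run it and the third hop is flagged: physik.phy.tu-dresden.de was claimed, but rmail resolved the connection to pbtrs2.phy.tu-dresden.de, which is the forgery the nslookup run above exposes. The bottom line names sf-dnpqi-050.compuserve.net as the origin. The caveat that applies to any such walk: only the Received: lines stamped by servers you trust are reliable, since everything beneath the topmost trusted line is text the sender was free to fabricate before handing the message off, so the origin the script reports is a claim to verify, not a fact.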
>telnet pbtrs2.phy.tu-dresden.de 25
Trying 141.30.81.2...
Connected to pbtrs2.phy.tu-dresden.de.
Escape character is '^]'.
220 physik.phy.tu-dresden.de Sendmail AIX 3.2/UCB 5.64/4.03 ready at Sun, 5 Jul
1998 05:46:10 +0200
helo hell.org
250 physik.phy.tu-dresden.de Hello hell.org (home001.mediacity.com)
mail from:satan@hell.org
rcpt to:abuse@studio42.com
250 satan@hell.org... Sender is valid.
250 abuse@studio42.com... Recipient is valid.
data
354 Enter mail. End with the . character on a line by itself.
Subject: Reference: lekee56-1
German mail servers WIDE open.
.
250 Ok
quit
221 physik.phy.tu-dresden.de: closing the connection.
Connection closed by foreign host.
The results of the email session:
Received: from POP3.tu-dresden.de (141.30.2.83) by studio42.com with SMTP
(Eudora Internet Mail Server 1.2); Sat, 4 Jul 1998 20:47:22 -0800
Received: from rmail.urz.tu-dresden.de by rks3 with SMTP (PP);
Sun, 5 Jul 1998 05:44:11 +0200
Received: from physik.phy.tu-dresden.de (actually pbtrs2.phy.tu-dresden.de)
by rmail with SMTP (PP); Sun, 5 Jul 1998 05:39:26 +0200
Received: from home001.mediacity.com
by physik.phy.tu-dresden.de (AIX 3.2/UCB 5.64/4.03) id AA17118;
Sun, 5 Jul 1998 05:46:31 +0200
Date: Sun, 5 Jul 1998 05:46:31 +0200
From: satan@hell.org
Message-Id: <9807050346.AA17118@physik.phy.tu-dresden.de>
Subject: Reference: lekee56-1
Apparently-To: abuse@studio42.com
To: abuse@studio42.com
German mail servers WIDE open.
Again, I'll go ahead and assume the last line is correct:
>nslookup sf-dnpqi-050.compuserve.net
Server: ns.mediacity.com
Address: 205.216.172.10
Name: sf-dnpqi-050.compuserve.net
Address: 206.175.227.50
Spammer located, I hope.
My email session CONFIRMS that this came from CompuServe.