This spam report is at Anti-Spam Assistance Pages
Subject: Re: Hi Again Chris
Date: 1/17/98 5:21 PM
To: cheron@fda.net
On 1/17/98 4:59 PM, Cheri sent the following ASCII stream:
>Chris, remember me, I sent you a message about some spam we both got. I
>am forwarding another spam message I received that I need help with. I
>would like to complain to their server or ISP, but I can't tell from
>their message just who that is. Can you tell?
>
>Thanks,
>Cheri
No, I don't remember you (I get so many emails a day!), but since you were so kind as to
send complete headers, I'll go ahead and assist you anyways because I'm such a nice guy.
Just for future reference, please send stuff like this to "spam-hater@studio42.com" as
it gets my attention better.
Excuse me as I only examine the headers. I've gotten a few spams from these dorks recently
myself. I think they may be due for a page of their own. PERHAPS they used the same services
to send this spam to you as they sent it to me. I'll go ahead and do the work-up for you.
First, the complete headers (again!), just for reference:
Received: from kinsey.fia.net (root@mail.fia.net [206.171.100.7])
by ns2.fda.net (8.8.5/8.7.3) with ESMTP id QAA03416 for <cheron@fda.net>;
Sat, 17 Jan 1998 16:33:30 -0800 (PST)
From: webnet123@mailcity.com
Received: from successconcepts.com (successconcepts.com [192.41.13.115])
by kinsey.fia.net (8.8.5/8.7.3) with ESMTP id QAA11104 for <cheron@fia.net>;
Sat, 17 Jan 1998 16:32:07 -0800 (PST)
Received: from successconcepts.com (1Cust112.max3.las-vegas.nv.ms.uu.net [153.34.59.240])
by successconcepts.com (8.8.5) id RAA15967; Sat, 17 Jan 1998 17:26:22 -0700 (MST)
X-Authentication-Warning: successconcepts.com: Host 1Cust112.max3.las-vegas.nv.ms.uu.net
[153.34.59.240] claimed to be successconcepts.com
Date: Sat, 17 Jan 98 15:58:26 EST
To: you@this.net
Subject: Easiest Cash Generating Program Ever !
Message-ID: <>
Now I will dissect the headers:
Received: from kinsey.fia.net (root@mail.fia.net [206.171.100.7])
Hmm, that looks good at least from a formatting perspective. Is it really good?:
>nslookup 206.171.100.7
Server: dns.mediacity.com
Address: 205.216.172.10
Name: mail.fia.net
Address: 206.171.100.7
That doesn't seem quite right. Remember, nslookup goes both ways. Yes, it's bi!
>nslookup kinsey.fia.net
Server: dns.mediacity.com
Address: 205.216.172.10
Non-authoritative answer:
Name: kinsey.fia.net
Address: 206.171.100.7
Yup, it checks out. The first one is the TRUE name, the second one shows an alias ID. Nothing
out of the ordinary so nothing to panic or get worried over.
by ns2.fda.net (8.8.5/8.7.3) with ESMTP id QAA03416 for <cheron@fda.net>;
Normal.
Sat, 17 Jan 1998 16:33:30 -0800 (PST)
Definitely normal for Pacific Coast time, but then again, this is YOUR local server adding the
"-800" stuff.
From: webnet123@mailcity.com
Forged, possibly fraudulent address.
Received: from successconcepts.com (successconcepts.com [192.41.13.115])
Now this is where things get ugly:
>nslookup 192.41.13.115
Server: dns.mediacity.com
Address: 205.216.172.10
Name: successconcepts.com
Address: 192.41.13.115
It checks out. But normally it is a "received by" not "from".
by kinsey.fia.net (8.8.5/8.7.3) with ESMTP id QAA11104 for <cheron@fia.net>;
Sat, 17 Jan 1998 16:32:07 -0800 (PST)
Received: from successconcepts.com (1Cust112.max3.las-vegas.nv.ms.uu.net [153.34.59.240])
by successconcepts.com (8.8.5) id RAA15967; Sat, 17 Jan 1998 17:26:22 -0700 (MST)
I think we're making progress on this one:
>nslookup 153.34.59.240
Server: dns.mediacity.com
Address: 205.216.172.10
Name: 1Cust112.max3.las-vegas.nv.ms.uu.net
Address: 153.34.59.240
That resolves and checks out.
X-Authentication-Warning: successconcepts.com: Host 1Cust112.max3.las-vegas.nv.ms.uu.net
[153.34.59.240] claimed to be successconcepts.com
This person put a BOGUS DNS entry into their IP stack, but the server didn't let that go
unnoticed. Interesting how a spamming site is protecting itself against relaying.
Date: Sat, 17 Jan 98 15:58:26 EST
To: you@this.net
Leave those folks alone, they don't care, nor do their upstream providers.
Subject: Easiest Cash Generating Program Ever !
Message-ID: <>
Complaints go to:
postmaster and abuse @ mailcity.com
fraud, spam-complaint and security @ UU.Net
postmaster and abuse @ successconcepts.com
postmaster and abuse @ fia.net
Now for that all important whois for more complaint addresses:
>whois fia3-dom
First Internet Franchise Corp (FIA3-DOM)
1060 Calle Cordillera, Suite 101
San Clemente, CA 92673
Domain Name: FIA.NET
Administrative Contact:
Gibbs, Michael (MG211) mgibbs@FIA.NET
714-498-7400 (FAX) 714-498-7401
Technical Contact, Zone Contact:
Network Operations Center (NO161-ORG) domain.entries@FIA.NET
714-498-7400
Fax- 714-498-7401
Billing Contact:
McLaughlin, Ron (RM1331) ronm@FIA.NET
(714) 498-7400
Record last updated on 06-Jan-98.
Record created on 16-Oct-95.
Database last updated on 17-Jan-98 04:13:10 EDT.
Domain servers in listed order:
NS.FIA.NET 206.171.100.5
NS.HTP.NET 206.112.34.13
>whois mailcity.com
WhoWhere? Inc. (MAILCITY-DOM)
2570, W. El Camino Real, Suite 309
Mountain View, CA 94040
USA
Domain Name: MAILCITY.COM
Administrative Contact:
Srinivasan, Murali V (MVS8) vsm@WHOWHERE.COM
(415) 917-1300 (FAX) 415) 917-0754
Technical Contact, Zone Contact:
Aguirre, Jerry (JA1767) jerry@WHOWHERE.COM
(415) 917-1300 (FAX) 415) 917-0754
Billing Contact:
Smit, Eric (ES1580) eric@WHOWHERE.COM
+1-415-917-1300 (FAX) 94040
Record last updated on 19-Dec-97.
Record created on 22-Jan-97.
Database last updated on 17-Jan-98 04:13:10 EDT.
Domain servers in listed order:
DNS-X.WHOWHERE.COM 209.1.236.42
RIGEL.WHOWHERE.COM 205.230.7.21
And because I know you're curious about this:
>whois successconcepts.com
Success Concepts (SUCCESSCONCEPTS-DOM)
88 Trottingham CT
Saratoga Springs, NY 12866
US
Domain Name: SUCCESSCONCEPTS.COM
Administrative Contact:
Shannon W Brown, Charles D Wiggins or (CDS26) swbrown@SUCCESSCONCEPTS.COM
518-587-1806 (FAX) 518-587-1806
Technical Contact, Zone Contact:
Hostmaster DNSCENTRAL (HD125-ORG) hostmaster@DNSCENTRAL.NET
Serving the World 24 hours a day
Fax
Billing Contact:
Shannon W Brown, Charles D Wiggins or (CDS26) swbrown@SUCCESSCONCEPTS.COM
518-587-1806 (FAX) 518-587-1806
Record last updated on 25-Jun-97.
Record created on 27-Mar-97.
Database last updated on 17-Jan-98 04:13:10 EDT.
Domain servers in listed order:
NS1.DNSCENTRAL.NET 192.41.1.24
NS2.DNSCENTRAL.NET 192.41.2.24
Seems FIA was the victim site of the day, either that or the spam software inserted BOGUS
information based on real information, and then it came directly from UU.Net to FIA.com. It's
not quite clear to me, but it is obvious it did originate from UU.Net and a server at FIA.com
was relay-raped to send the spam to other people.
All the people listed in the BODY of this spam are guilty of postal fraud and a make money
fast scam.
BTW: The copyright is invalid. You can't copyright scams. This only means that this person's
threat is invalid, so don't give it a second thought.
Question:
Do you think I should make a section for "outsider" spams? This would mean folks such as you
could have spams listed here. I have to give this some thought myself, especially how I would
put it together and organize it.
Do you have shell or telnet access? If so, you might have tools such as traceroute, nslookup
and whois available to you.
Once again, glad to help.
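
Added example, not part of the original message: the check done by hand above with nslookup (does the name a sender claimed actually belong to the IP the receiving server saw?), automated in Python over the same Received: lines. The function names and the `KNOWN_A` table are assumptions made for this example; the table is filled from the nslookup output quoted in the message so the code runs offline.

```python
import re

# Received: lines from the message above, re-folded with leading whitespace
# (header continuation lines) so the parser can unfold them.
HEADERS = """\
Received: from kinsey.fia.net (root@mail.fia.net [206.171.100.7])
    by ns2.fda.net (8.8.5/8.7.3) with ESMTP id QAA03416 for <cheron@fda.net>;
    Sat, 17 Jan 1998 16:33:30 -0800 (PST)
From: webnet123@mailcity.com
Received: from successconcepts.com (successconcepts.com [192.41.13.115])
    by kinsey.fia.net (8.8.5/8.7.3) with ESMTP id QAA11104 for <cheron@fia.net>;
    Sat, 17 Jan 1998 16:32:07 -0800 (PST)
Received: from successconcepts.com (1Cust112.max3.las-vegas.nv.ms.uu.net [153.34.59.240])
    by successconcepts.com (8.8.5) id RAA15967; Sat, 17 Jan 1998 17:26:22 -0700 (MST)
"""

# Assumption: name -> address table taken from the nslookup output above,
# standing in for live forward lookups so the example runs offline.
KNOWN_A = {"kinsey.fia.net": {"206.171.100.7"},
           "successconcepts.com": {"192.41.13.115"}}

# "from <HELO name> ([user@]<name the receiver looked up> [<peer IP>]) by <receiver>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:[^@\s]+@)?(\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Unfold continuation lines and return one dict per Received: header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        m = HOP.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def check_hop(hop, resolve):
    """Compare the name the sender claimed with what the receiver recorded."""
    helo, rdns = hop["helo"].lower(), hop["rdns"].lower()
    if helo == rdns:
        return "ok"            # claimed name equals the reverse-DNS name
    if hop["ip"] in resolve(helo):
        return "alias"         # different name, but it resolves to the peer IP
    return "forged-helo"       # claimed name does not belong to the peer IP

def audit(raw, resolve=lambda name: KNOWN_A.get(name, set())):
    """Return (peer IP, receiving host, verdict) for each hop, newest first."""
    return [(h["ip"], h["by"], check_hop(h, resolve)) for h in parse_hops(raw)]

if __name__ == "__main__":
    for row in audit(HEADERS):
        print(row)
```

On the sample the verdicts are `alias`, `ok` and `forged-helo`, the last one matching the X-Authentication-Warning on the UU.Net dial-up hop. For live mail, pass a `resolve` function built on `socket.gethostbyname_ex` instead of the table.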