Anti-Spam The Deadbeats Hall of Lame

Subject:     Re: spam I received
Date:        8/4/98 18:39
To:          Glenn Jakobsen, glenn.jakobsen@nyu.edu

Be warned:
I'm tired of Outlook Express, and Microsoft Outlook, two of the worst email clients, in my 
opinion. Then again, I've grown to accept crappy software from Microsoft. Fortunately you're 
one of the few people who have figured out that the web is not the internet. I would have 
preferred the spam to be in the body, but that's OK.

Back at you with the COMPLETE spam:

From - Sat Jun 13 05:51:00 1998
Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
	by is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
	for ; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)
Received: from exchange.cityfoxes.com ([208.208.221.12]) by mx05.globecomm.net (8.8.8/8.8.0) 
with ESMTP id CAA13739 for ; Sat, 13 Jun 1998 02:12:29 -0400 (EDT)
Message-Id: <199806130612.CAA13739@mx05.globecomm.net>
Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP (Microsoft Exchange 
Internet Mail Service Version 5.0.1457.7)
	id MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700
Date: Fri, 12 Jun 98 17:53:29 EST
From: "Cindy" <20892000@somewhere>
To: Friend@public.com
Subject: myfriends
X-UIDL: 8db195b9afb43db3fc1b346b25ede3c8
X-Mozilla-Status: 9001

Warning This message intended for peolpe over 21. If you want to be removed from list please 
send 
message to removelist@cityfoxes.com

Hi,

See Me and My Friends at

http://208.208.221.24/cindy.asp

Cindy
OK, now for the useful stuff. I'm going to do a tad bit of clean up on this so it's easier for me to 
read. The entire spam will be left intact again.

From - Sat Jun 13 05:51:00 1998
Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
	by is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
	for ; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)

Well, this was the step taken before it reached you. Let's resolve the IP address:
>nslookup 207.51.48.28
Server:  ns.mediacity.com
Address:  205.216.172.10

*** ns.mediacity.com can't find 207.51.48.28: Server failed
Let's try again:

>nslookup mx05.globecomm.net
Server:  ns.mediacity.com
Address:  205.216.172.10

Name:    mx05.globecomm.net
Address:  206.253.129.28

OK, the relaying server resolves. Globecomm.net is responsible for this, as they like to keep 
their servers wide open for abuse of this nature.

Received: from exchange.cityfoxes.com ([208.208.221.12]) 
by mx05.globecomm.net (8.8.8/8.8.0) with ESMTP id CAA13739 for ; 
Sat, 13 Jun 1998 02:12:29 -0400 (EDT)

Now we should see who the sender really is:
>nslookup 208.208.221.12
Server:  ns.mediacity.com
Address:  205.216.172.10

*** No address (A) records available for 208.208.221.12
>nslookup exchange.cityfoxes.com
Server:  ns.mediacity.com
Address:  205.216.172.10

Name:    exchange.cityfoxes.com
Address:  208.208.221.12

Interesting. It too resolves. Hmm, is this an open mail server? Let's trace it first:

>traceroute exchange.cityfoxes.com
traceroute to exchange.cityfoxes.com (208.208.221.12), 30 hops max, 40 byte packets
 1  grfge002 (205.216.172.1)  0.380 ms  0.303 ms  0.339 ms
 2  bordercore2-hssi0-0-0.SanFrancisco.mci.net (166.48.15.249)  2.532 ms  2.347ms  2.585 ms
 3  core7.SanFrancisco.mci.net (204.70.4.93)  3.050 ms  2.544 ms  3.001 ms
 4  Hssi5-1-0.BR1.SFO1.alter.net (206.157.77.78)  5.207 ms  4.552 ms  4.655 ms
 5  114.ATM3-0.XR2.SCL1.ALTER.NET (146.188.145.210)  206.303 ms  200.933 ms  221.435 ms
 6  194.ATM2-0-0.TR2.SCL1.ALTER.NET (146.188.146.18)  211.144 ms  215.902 ms  214.262 ms
 7  107.ATM6-0.TR2.DCA1.ALTER.NET (146.188.136.225)  127.999 ms  105.191 ms  93.779 ms
 8  198.ATM7-0.XR2.DCA1.ALTER.NET (146.188.161.149)  90.253 ms  82.629 ms  83.920 ms
 9  194.ATM1-0-0.GW1.FFX1.ALTER.NET (146.188.160.197)  84.889 ms  86.506 ms  82.350 ms
10  * * *

This suggests the server is down. Let's confirm:

>telnet exchange.cityfoxes.com 25
Trying 208.208.221.12...
telnet: Unable to connect to remote host: Operation timed out

Darn, server not available. That doesn't mean I'm done:

>whois -h whois.arin.net 208.208.221.0
UUNET Technologies, Inc. (NETBLK-UUNET1996B) UUNET1996B
                                                 208.192.0.0 - 208.243.255.255
Focus Interactive, Inc. (NETBLK-UU-208-208-221-D1) UU-208-208-221-D1
                                                208.208.221.0 - 208.208.221.63

>whois -h whois.arin.net NETBLK-UU-208-208-221-D1
Focus Interactive, Inc. (NETBLK-UU-208-208-221-D1)
   3100 Fifth Ave
   San Diego, CA 92103
   US

   Netname: UU-208-208-221-D1
   Netblock: 208.208.221.0 - 208.208.221.63

   Coordinator:
      Ferrel, Dave  (DF3061-ARIN)  daferrel@EARTHLINK.NET
      (619) 488-8244

   Record last updated on 14-Nov-97.
   Database last updated on 4-Aug-98 16:13:52 EDT.

Upstream located. Complain to UU.Net as well, not that it will get you anywhere.


Message-Id: <199806130612.CAA13739@mx05.globecomm.net>
Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP (Microsoft Exchange Internet 
Mail Service Version 5.0.1457.7)	id MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700

Oh, well this explains a lot. A complete forgery, with the server set up to allow protected spamming, 
then relay of the Globecomm.net server.

Date: Fri, 12 Jun 98 17:53:29 EST
From: "Cindy" <20892000@somewhere>
To: Friend@public.com
Subject: myfriends
X-UIDL: 8db195b9afb43db3fc1b346b25ede3c8
X-Mozilla-Status: 9001

>Warning This message intended for peolpe over 21. If you want to be removed from list please 
>send 
>message to removelist@cityfoxes.com

Let's investigate this domain:

>whois cityfoxes.com

Registrant:
Focus Interactive, Inc. (CITYFOXES-DOM)
   5694 Mission Center Rd., #334
   San Diego, CA 92108
   US

   Domain Name: CITYFOXES.COM

   Administrative Contact:
      Williams, Daniel  (DW6428)  danw@CITYFOXES.COM
      619-260-0770 (FAX) 619-299-6087
   Technical Contact, Zone Contact:
      Hernandez, Carlos  (CH5044)  carlosh@CITYFOXES.COM
      619-260-0770 (FAX) 619-299-6087
   Billing Contact:
      Williams, Daniel  (DW6428)  danw@CITYFOXES.COM
      619-260-0770 (FAX) 619-299-6087

   Record last updated on 26-Jun-98.
   Record created on 16-Aug-97.
   Database last updated on 4-Aug-98 07:10:38 EDT.

   Domain servers in listed order:

   AUTH02.NS.UU.NET             198.6.1.82
   AUTH60.NS.UU.NET             198.6.1.181

Seems Focus Interactive is a porno shop. Let's keep digging....


>Hi,

>See Me and My Friends at

>http://208.208.221.24/cindy.asp

>nslookup 208.208.221.24
Server:  ns.mediacity.com
Address:  205.216.172.10

*** No address (A) records available for 208.208.221.24

Well, I've already proven who controls this netblock. Seen anything interesting?

>Cindy

Cindy needs to get off the internet.

Hope this helps. That was an easy one, and it appears that the headers were intact.
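The following is an added example, not part of the message above and not the site's own tooling. It does the Received-header half of the analysis offline: it re-folds the headers quoted above with RFC 822 continuation whitespace (a constructed sample, since the mail client wrapped them without it), parses the sendmail 8.8 style `from HELO (rdns [ip]) by HOST ... for RCPT; DATE` lines, reverses them into transit order, and flags what the manual reading looked for. It assumes is2.nyu.edu is the recipient's own MTA and therefore the only host whose Received line can be trusted; every hostname and IP comes from the headers on the page, and no DNS or whois lookups are made.

```python
"""Walk the Received: chain of a spam the way the header analysis above does.

Added example, not from the original message. Flags: hops written by MTAs we
do not control, senders recorded without an IP, IPs without reverse DNS, HELO
names that disagree with reverse DNS, stripped 'for' clauses, breaks in the
relay chain, and timestamps that run backwards. Works entirely offline.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional, Set

# Constructed sample: the headers quoted in the message above, re-folded with
# RFC 822 continuation whitespace (the page shows them as the client wrapped them).
SAMPLE_HEADERS = """\
Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
\tby is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
\tfor ; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)
Received: from exchange.cityfoxes.com ([208.208.221.12]) by mx05.globecomm.net (8.8.8/8.8.0)
\twith ESMTP id CAA13739 for ; Sat, 13 Jun 1998 02:12:29 -0400 (EDT)
Message-Id: <199806130612.CAA13739@mx05.globecomm.net>
Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP (Microsoft Exchange
\tInternet Mail Service Version 5.0.1457.7)
\tid MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700
Date: Fri, 12 Jun 98 17:53:29 EST
From: "Cindy" <20892000@somewhere>
To: Friend@public.com
Subject: myfriends
"""

# Assumption: is2.nyu.edu is the recipient's own MTA, the only host whose
# Received: line we know was not forged.
TRUSTED_MTAS: Set[str] = {"is2.nyu.edu"}

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<claimed>\S+)"                      # name given in HELO
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"  # (rdns [ip]) or ([ip])
    r"\s+by\s+(?P<by>\S+)",                                       # MTA that wrote the line
    re.IGNORECASE,
)


@dataclass
class Hop:
    claimed: str             # host name the sender announced
    rdns: Optional[str]      # reverse-DNS name the receiving MTA recorded, if any
    ip: Optional[str]        # IP literal the receiving MTA recorded, if any
    by: str                  # MTA that added this line
    for_addr: Optional[str]  # envelope recipient; "" when the clause is present but empty
    when: datetime


def unfold(raw: str) -> List[str]:
    """Join RFC 822 folded header lines; continuations start with whitespace."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(line: str) -> Hop:
    head, _, date = line.rpartition(";")  # the date always follows the last ';'
    m = RECEIVED_RE.match(head)
    if not m:
        raise ValueError(f"unrecognised Received: line: {line!r}")
    for_m = re.search(r"\bfor\s+(\S*)\s*$", head)
    return Hop(claimed=m["claimed"], rdns=m["rdns"], ip=m["ip"], by=m["by"],
               for_addr=for_m.group(1) if for_m else None,
               when=parsedate_to_datetime(date.strip()))


def relay_chain(raw: str) -> List[Hop]:
    """Each MTA prepends its own line, so reverse them to follow the mail in transit order."""
    hops = [parse_received(l) for l in unfold(raw) if l.lower().startswith("received:")]
    hops.reverse()
    return hops


def audit(hops: List[Hop], trusted: Set[str]) -> List[str]:
    findings: List[str] = []
    for i, h in enumerate(hops, 1):
        tag = f"hop {i} ({h.claimed} -> {h.by})"
        if h.by not in trusted:
            findings.append(f"{tag}: written by an MTA we do not control; may be forged")
        if h.ip is None:
            findings.append(f"{tag}: no IP recorded for the sender; origin unverifiable")
        elif h.rdns is None:
            findings.append(f"{tag}: {h.ip} has no reverse DNS; HELO name is unverified")
        elif h.rdns.lower() != h.claimed.lower():
            findings.append(f"{tag}: HELO {h.claimed} disagrees with reverse DNS {h.rdns}")
        if h.for_addr == "":
            findings.append(f"{tag}: empty 'for' clause; envelope recipient was stripped")
        if i > 1:
            prev = hops[i - 2]
            if prev.by.lower() != h.claimed.lower():
                findings.append(f"{tag}: chain break; previous hop ended at {prev.by}")
            if h.when < prev.when:
                findings.append(f"{tag}: timestamp earlier than previous hop")
    return findings


def last_verifiable_sender(hops: List[Hop], trusted: Set[str]) -> Optional[str]:
    """IP of the host that handed the mail to our own MTA: the one fact we can rely on."""
    for h in reversed(hops):
        if h.by in trusted:
            return h.ip
    return None


if __name__ == "__main__":
    chain = relay_chain(SAMPLE_HEADERS)
    for n, hop in enumerate(chain, 1):
        print(f"{n}: {hop.claimed} [{hop.ip or 'no IP'}] -> {hop.by} at {hop.when.isoformat()}")
    for finding in audit(chain, TRUSTED_MTAS):
        print("!", finding)
    print("reliable last relay:", last_verifiable_sender(chain, TRUSTED_MTAS))
```

Run against the sample, the chain comes out WEBWORKSTATION -> exchange.cityfoxes.com -> mx05.globecomm.net -> is2.nyu.edu, and the audit reports the same things the walk-through did: the first hop was an SMTP submission with no IP recorded, the cityfoxes host reached globecomm with no reverse DNS, both relay lines carry an empty `for` clause, and the only address that can be relied on is 207.51.48.28, the relay that delivered to the recipient's own server. Lines written by hosts outside TRUSTED_MTAS are reported as unverifiable rather than false, which is the right posture: they happened to be consistent here, but nothing in the headers proves it.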