Received: from is2.nyu.edu (128.122.253.135) by studio42.com with ESMTP (Eudora Internet Mail Server 1.2); Fri, 7 Aug 1998 19:56:27 -0800
Received: from gjj1 (mcsv45-p5.med.nyu.edu [128.122.6.105]) by is2.nyu.edu (8.8.8/8.8.7) with SMTP id WAA24733 for <spam-hater@studio42.com>; Fri, 7 Aug 1998 22:57:47 -0400 (EDT)
Message-ID: <000b01bdc278$db120fe0$69067a80@gjj1>
From: "Glenn Jakobsen" <glenn.jakobsen@nyu.edu>
To: "Spam Hater@Studio42" <spam-hater@studio42.com>
Subject: Re: spam I received
Date: Fri, 7 Aug 1998 23:01:34 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3

Wow, I'm suitably impressed. I never knew you could follow a trail like that. Thanks for the sleuthing. I'm going to try and emulate some of your commands on my next spam and see if I can find out a thing or two on my own.

Thanks again!

Glenn

-----Original Message-----
From: Spam Hater@Studio42 <spam-hater@studio42.com>
To: Glenn Jakobsen <glenn.jakobsen@nyu.edu>
Date: Tuesday, August 04, 1998 9:44 PM
Subject: Re: spam I received


>Be warned:
>I'm tired of Outlook Express, and Microsoft Outlook, two of the worst
>email clients, in my opinion. Then again, I've grown to accept crappy
>software from Microsoft. Fortunately you're one of the few people who
>have figured out that the web is not the internet. I would have preferred
>the spam to be in the body, but that's OK.
>
>Back at you with the COMPLETE spam:
>
>>From - Sat Jun 13 05:51:00 1998
>Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
> by is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
> for <jakobsng@is2.nyu.edu>; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)
>Received: from exchange.cityfoxes.com ([208.208.221.12]) by
>mx05.globecomm.net (8.8.8/8.8.0) with ESMTP id CAA13739 for
><jakobsen@earthling.net>; Sat, 13 Jun 1998 02:12:29 -0400 (EDT)
>Message-Id: <199806130612.CAA13739@mx05.globecomm.net>
>Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP
>(Microsoft Exchange Internet Mail Service Version 5.0.1457.7)
> id MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700
>Date: Fri, 12 Jun 98 17:53:29 EST
>From: "Cindy" <20892000@somewhere>
>To: Friend@public.com
>Subject: myfriends
>X-UIDL: 8db195b9afb43db3fc1b346b25ede3c8
>X-Mozilla-Status: 9001
>
>Warning This message intended for peolpe over 21. If you want to be
>removed from list please send
>message to removelist@cityfoxes.com
>
>Hi,
>
>See Me and My Friends at
>
>http://208.208.221.24/cindy.asp
>
>Cindy
>
>
>
>
>OK, now for the useful stuff. I'm going to do a tad bit of clean up on
>this so it's easier for me to read. The entire spam will be left intact
>again.
>
>>From - Sat Jun 13 05:51:00 1998
>Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
> by is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
> for <jakobsng@is2.nyu.edu>; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)
>
>Well, this was the step taken before it reached you. Let's resolve the IP
>address:
>
>>nslookup 207.51.48.28
>Server: ns.mediacity.com
>Address: 205.216.172.10
>
>*** ns.mediacity.com can't find 207.51.48.28: Server failed
>
>Let's try again:
>
>>nslookup mx05.globecomm.net
>Server: ns.mediacity.com
>Address: 205.216.172.10
>
>Name: mx05.globecomm.net
>Address: 206.253.129.28
>
>OK, the relaying server resolves. Globecomm.net is responsible for this,
>as they like to keep their servers wide open for abuse of this nature.
>
>Received: from exchange.cityfoxes.com ([208.208.221.12])
>by mx05.globecomm.net (8.8.8/8.8.0) with ESMTP id CAA13739 for
><jakobsen@earthling.net>;
>Sat, 13 Jun 1998 02:12:29 -0400 (EDT)
>
>Now we should see who the sender really is:
>
>>nslookup 208.208.221.12
>Server: ns.mediacity.com
>Address: 205.216.172.10
>
>*** No address (A) records available for 208.208.221.12
>
>>nslookup exchange.cityfoxes.com
>Server: ns.mediacity.com
>Address: 205.216.172.10
>
>Name: exchange.cityfoxes.com
>Address: 208.208.221.12
>
>Interesting. It too resolves. Hmm, is this an open mail server? Let's
>trace it first:
>
>>traceroute exchange.cityfoxes.com
>traceroute to exchange.cityfoxes.com (208.208.221.12), 30 hops max, 40 byte packets
> 1 grfge002 (205.216.172.1) 0.380 ms 0.303 ms 0.339 ms
> 2 bordercore2-hssi0-0-0.SanFrancisco.mci.net (166.48.15.249) 2.532 ms 2.347 ms 2.585 ms
> 3 core7.SanFrancisco.mci.net (204.70.4.93) 3.050 ms 2.544 ms 3.001 ms
> 4 Hssi5-1-0.BR1.SFO1.alter.net (206.157.77.78) 5.207 ms 4.552 ms 4.655 ms
> 5 114.ATM3-0.XR2.SCL1.ALTER.NET (146.188.145.210) 206.303 ms 200.933 ms 221.435 ms
> 6 194.ATM2-0-0.TR2.SCL1.ALTER.NET (146.188.146.18) 211.144 ms 215.902 ms 214.262 ms
> 7 107.ATM6-0.TR2.DCA1.ALTER.NET (146.188.136.225) 127.999 ms 105.191 ms 93.779 ms
> 8 198.ATM7-0.XR2.DCA1.ALTER.NET (146.188.161.149) 90.253 ms 82.629 ms 83.920 ms
> 9 194.ATM1-0-0.GW1.FFX1.ALTER.NET (146.188.160.197) 84.889 ms 86.506 ms 82.350 ms
>10 * * *
>
>This suggests the server is down. Let's confirm:
>
>>telnet exchange.cityfoxes.com 25
>Trying 208.208.221.12...
>telnet: Unable to connect to remote host: Operation timed out
>
>Darn, server not available. That doesn't mean I'm done:
>
>>whois -h whois.arin.net 208.208.221.0
>UUNET Technologies, Inc. (NETBLK-UUNET1996B) UUNET1996B
> 208.192.0.0 - 208.243.255.255
>Focus Interactive, Inc. (NETBLK-UU-208-208-221-D1) UU-208-208-221-D1
> 208.208.221.0 - 208.208.221.63
>
>>whois -h whois.arin.net NETBLK-UU-208-208-221-D1
>Focus Interactive, Inc. (NETBLK-UU-208-208-221-D1)
> 3100 Fifth Ave
> San Diego, CA 92103
> US
>
> Netname: UU-208-208-221-D1
> Netblock: 208.208.221.0 - 208.208.221.63
>
> Coordinator:
> Ferrel, Dave (DF3061-ARIN) daferrel@EARTHLINK.NET
> (619) 488-8244
>
> Record last updated on 14-Nov-97.
> Database last updated on 4-Aug-98 16:13:52 EDT.
>
>Upstream located. Complain to UU.Net as well, not that it will get you
>anywhere.
>
>
>Message-Id: <199806130612.CAA13739@mx05.globecomm.net>
>Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP
>(Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id
>MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700
>
>Oh, well this explains a lot. A complete forgery, with the server set up
>to allow protected spamming, then relay off the Globecomm.net server.
>
>Date: Fri, 12 Jun 98 17:53:29 EST
>From: "Cindy" <20892000@somewhere>
>To: Friend@public.com
>Subject: myfriends
>X-UIDL: 8db195b9afb43db3fc1b346b25ede3c8
>X-Mozilla-Status: 9001
>
>>Warning This message intended for peolpe over 21. If you want to be removed
>>from list please send
>>message to removelist@cityfoxes.com
>
>Let's investigate this domain:
>
>>whois cityfoxes.com
>
>Registrant:
>Focus Interactive, Inc. (CITYFOXES-DOM)
> 5694 Mission Center Rd., #334
> San Diego, CA 92108
> US
>
> Domain Name: CITYFOXES.COM
>
> Administrative Contact:
> Williams, Daniel (DW6428) danw@CITYFOXES.COM
> 619-260-0770 (FAX) 619-299-6087
> Technical Contact, Zone Contact:
> Hernandez, Carlos (CH5044) carlosh@CITYFOXES.COM
> 619-260-0770 (FAX) 619-299-6087
> Billing Contact:
> Williams, Daniel (DW6428) danw@CITYFOXES.COM
> 619-260-0770 (FAX) 619-299-6087
>
> Record last updated on 26-Jun-98.
> Record created on 16-Aug-97.
> Database last updated on 4-Aug-98 07:10:38 EDT.
>
> Domain servers in listed order:
>
> AUTH02.NS.UU.NET 198.6.1.82
> AUTH60.NS.UU.NET 198.6.1.181
>
>Seems Focus Interactive is a porno shop. Let's keep digging....
>
>
>>Hi,
>
>>See Me and My Friends at
>
>>http://208.208.221.24/cindy.asp
>
>>nslookup 208.208.221.24
>Server: ns.mediacity.com
>Address: 205.216.172.10
>
>*** No address (A) records available for 208.208.221.24
>
>Well, I've already proven who controls this netblock. Seen anything
>interesting?
>
>>Cindy
>
>Cindy needs to get off the internet.
>
>Hope this helps. That was an easy one, and it appears that the headers
>were intact.
>
>
>|Commercial and/or unsolicited email and/or spam will be processed for|
>| a $500 handling fee. Unsolicited sending constitutes acceptance. |
> spam-hater@studio42.com http://www.studio42.com/kill-the-spam/
>>>> We've upped our standards, so now UP YOURS! <<<<<<
> Phone Threat: http://www.studio42.com/kill-the-spam/pages/threat.html
>
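An added example, not part of either message in the thread above: a small Python script that does the first step of the analysis mechanically. It walks the spam's Received headers from the bottom up (oldest hop first), checks that each hop's receiving host reappears as the next hop's sending host (which is why the analyst could say the headers "were intact"), and flags the WEBWORKSTATION hop as unverifiable because no receiving server recorded a peer IP for it, leaving 208.208.221.12 as the earliest address anyone actually observed. The sample headers are copied from the quoted spam; HOP_RE, received_hops, chain_consistent, first_unverifiable and origin_ip are names I chose.

```python
import re

# Constructed sample input: the Received headers of the spam quoted above,
# in their original top-down order (the most recent hop comes first).
SPAM_HEADERS = """\
Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
 by is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
 for <jakobsng@is2.nyu.edu>; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)
Received: from exchange.cityfoxes.com ([208.208.221.12]) by
 mx05.globecomm.net (8.8.8/8.8.0) with ESMTP id CAA13739 for
 <jakobsen@earthling.net>; Sat, 13 Jun 1998 02:12:29 -0400 (EDT)
Message-Id: <199806130612.CAA13739@mx05.globecomm.net>
Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP
 (Microsoft Exchange Internet Mail Service Version 5.0.1457.7)
 id MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiver>": the HELO name is
# whatever the sender claimed; the bracketed IP is what the receiver saw.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<rdns>[\w.-]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def received_hops(raw):
    """Parse Received headers, returning hops in delivery order (oldest first)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # rejoin folded header lines
    lines = [ln for ln in unfolded.splitlines() if ln.lower().startswith("received:")]
    hops = []
    for line in reversed(lines):  # the bottom-most Received header is the first hop
        m = HOP_RE.search(line)
        if m:
            hop = m.groupdict()
            hop["verifiable"] = hop["ip"] is not None  # receiver logged a peer IP
            hops.append(hop)
    return hops

def chain_consistent(hops):
    """Each hop's receiving host should reappear as the next hop's sending host."""
    return all(a["by"] == b["claimed"] for a, b in zip(hops, hops[1:]))

def first_unverifiable(hops):
    """Index of the earliest hop carrying no peer IP; that hop is hearsay."""
    return next((i for i, h in enumerate(hops) if not h["verifiable"]), None)

def origin_ip(hops):
    """Earliest IP a receiving server actually recorded: the real injection point."""
    return next((h["ip"] for h in hops if h["verifiable"]), None)
```

Run against other messages, the same chain check exposes a hop whose "by" host never shows up as the next "from", which is the usual sign of a pasted-in forged header.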