
Received: from is2.nyu.edu (128.122.253.135) by studio42.com with ESMTP (Eudora Internet
 Mail Server 1.2); Fri, 7 Aug 1998 19:56:27 -0800
Received: from gjj1 (mcsv45-p5.med.nyu.edu [128.122.6.105]) by is2.nyu.edu (8.8.8/8.8.7)
 with SMTP id WAA24733 for <spam-hater@studio42.com>; Fri, 7 Aug 1998 22:57:47 -0400 (EDT)
Message-ID: <000b01bdc278$db120fe0$69067a80@gjj1>
From: "Glenn Jakobsen" <glenn.jakobsen@nyu.edu>
To: "Spam Hater@Studio42" <spam-hater@studio42.com>
Subject: Re: spam I received
Date: Fri, 7 Aug 1998 23:01:34 -0400
MIME-Version: 1.0
Content-Type: text/plain;	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3

Wow, I'm suitably impressed. I never knew you could follow a trail like
that. Thanks for the sleuthing. I'm going to try and emulate some of your
commands on my next spam and see if I can find out a thing or two on my own.
Thanks again!

Glenn

-----Original Message-----
From: Spam Hater@Studio42 <spam-hater@studio42.com>
To: Glenn Jakobsen <glenn.jakobsen@nyu.edu>
Date: Tuesday, August 04, 1998 9:44 PM
Subject: Re: spam I received


>Be warned:
>I'm tired of Outlook Express, and Microsoft Outlook, two of the worst
>email clients, in my opinion. Then again, I've grown to accept crappy
>software from Microsoft. Fortunately you're one of the few people who
>have figured out that the web is not the internet. I would have preferred
>the spam to be in the body, but that's OK.
>
>Back at you with the COMPLETE spam:
>
>>From - Sat Jun 13 05:51:00 1998
>Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
> by is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
> for <jakobsng@is2.nyu.edu>; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)
>Received: from exchange.cityfoxes.com ([208.208.221.12]) by
>mx05.globecomm.net (8.8.8/8.8.0) with ESMTP id CAA13739 for
><jakobsen@earthling.net>; Sat, 13 Jun 1998 02:12:29 -0400 (EDT)
>Message-Id: <199806130612.CAA13739@mx05.globecomm.net>
>Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP
>(Microsoft Exchange Internet Mail Service Version 5.0.1457.7)
> id MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700
>Date: Fri, 12 Jun 98 17:53:29 EST
>From: "Cindy" <20892000@somewhere>
>To: Friend@public.com
>Subject: myfriends
>X-UIDL: 8db195b9afb43db3fc1b346b25ede3c8
>X-Mozilla-Status: 9001
>
>Warning This message intended for peolpe over 21. If you want to be
>removed from list please send
>message to removelist@cityfoxes.com
>
>Hi,
>
>See Me and My Friends at
>
>http://208.208.221.24/cindy.asp
>
>Cindy
>
>
>
>
>OK, now for the useful stuff. I'm going to do a tad bit of clean up on
>this so it's easier for me to read. The entire spam will be left intact
>again.
>
>>From - Sat Jun 13 05:51:00 1998
>Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
> by is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
> for <jakobsng@is2.nyu.edu>; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)
>
>Well, this was the step taken before it reached you. Let's resolve the IP
>address:
>>nslookup 207.51.48.28
>Server:  ns.mediacity.com
>Address:  205.216.172.10
>
>*** ns.mediacity.com can't find 207.51.48.28: Server failed
>Let's try again:
>
>>nslookup mx05.globecomm.net
>Server:  ns.mediacity.com
>Address:  205.216.172.10
>
>Name:    mx05.globecomm.net
>Address:  206.253.129.28
>
>OK, the relaying server resolves. Globecomm.net is responsible for this,
>as they like to keep their servers wide open for abuse of this nature.
>
>Received: from exchange.cityfoxes.com ([208.208.221.12])
>by mx05.globecomm.net (8.8.8/8.8.0) with ESMTP id CAA13739 for
><jakobsen@earthling.net>;
>Sat, 13 Jun 1998 02:12:29 -0400 (EDT)
>
>Now we should see who the sender really is:
>>nslookup 208.208.221.12
>Server:  ns.mediacity.com
>Address:  205.216.172.10
>
>*** No address (A) records available for 208.208.221.12
>>nslookup exchange.cityfoxes.com
>Server:  ns.mediacity.com
>Address:  205.216.172.10
>
>Name:    exchange.cityfoxes.com
>Address:  208.208.221.12
>
>Interesting. It too resolves. Hmm, is this an open mail server? Let's
>trace it first:
>
>>traceroute exchange.cityfoxes.com
>traceroute to exchange.cityfoxes.com (208.208.221.12), 30 hops max, 40 byte packets
> 1  grfge002 (205.216.172.1)  0.380 ms  0.303 ms  0.339 ms
> 2  bordercore2-hssi0-0-0.SanFrancisco.mci.net (166.48.15.249)  2.532 ms  2.347ms  2.585 ms
> 3  core7.SanFrancisco.mci.net (204.70.4.93)  3.050 ms  2.544 ms  3.001 ms
> 4  Hssi5-1-0.BR1.SFO1.alter.net (206.157.77.78)  5.207 ms  4.552 ms  4.655 ms
> 5  114.ATM3-0.XR2.SCL1.ALTER.NET (146.188.145.210)  206.303 ms  200.933 ms  221.435 ms
> 6  194.ATM2-0-0.TR2.SCL1.ALTER.NET (146.188.146.18)  211.144 ms  215.902 ms  214.262 ms
> 7  107.ATM6-0.TR2.DCA1.ALTER.NET (146.188.136.225)  127.999 ms  105.191 ms  93.779 ms
> 8  198.ATM7-0.XR2.DCA1.ALTER.NET (146.188.161.149)  90.253 ms  82.629 ms  83.920 ms
> 9  194.ATM1-0-0.GW1.FFX1.ALTER.NET (146.188.160.197)  84.889 ms  86.506 ms  82.350 ms
>10  * * *
>
>This suggests the server is down. Let's confirm:
>
>>telnet exchange.cityfoxes.com 25
>Trying 208.208.221.12...
>telnet: Unable to connect to remote host: Operation timed out
>
>Darn, server not available. That doesn't mean I'm done:
>
>>whois -h whois.arin.net 208.208.221.0
>UUNET Technologies, Inc. (NETBLK-UUNET1996B) UUNET1996B  208.192.0.0 - 208.243.255.255
>Focus Interactive, Inc. (NETBLK-UU-208-208-221-D1) UU-208-208-221-D1  208.208.221.0 - 208.208.221.63
>
>>whois -h whois.arin.net NETBLK-UU-208-208-221-D1
>Focus Interactive, Inc. (NETBLK-UU-208-208-221-D1)
>   3100 Fifth Ave
>   San Diego, CA 92103
>   US
>
>   Netname: UU-208-208-221-D1
>   Netblock: 208.208.221.0 - 208.208.221.63
>
>   Coordinator:
>      Ferrel, Dave  (DF3061-ARIN)  daferrel@EARTHLINK.NET
>      (619) 488-8244
>
>   Record last updated on 14-Nov-97.
>   Database last updated on 4-Aug-98 16:13:52 EDT.
>
>Upstream located. Complain to UU.Net as well, not that it will get you
>anywhere.
>
>
>Message-Id: <199806130612.CAA13739@mx05.globecomm.net>
>Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP
>(Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id
>MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700
>
>Oh, well this explains a lot. A complete forgery, with the server set up
>to allow protected spamming, then relay of the Globecomm.net server.
>
>Date: Fri, 12 Jun 98 17:53:29 EST
>From: "Cindy" <20892000@somewhere>
>To: Friend@public.com
>Subject: myfriends
>X-UIDL: 8db195b9afb43db3fc1b346b25ede3c8
>X-Mozilla-Status: 9001
>
>>Warning This message intended for peolpe over 21. If you want to be
>>removed from list please send
>>message to removelist@cityfoxes.com
>
>Let's investigate this domain:
>
>>whois cityfoxes.com
>
>Registrant:
>Focus Interactive, Inc. (CITYFOXES-DOM)
>   5694 Mission Center Rd., #334
>   San Diego, CA 92108
>   US
>
>   Domain Name: CITYFOXES.COM
>
>   Administrative Contact:
>      Williams, Daniel  (DW6428)  danw@CITYFOXES.COM
>      619-260-0770 (FAX) 619-299-6087
>   Technical Contact, Zone Contact:
>      Hernandez, Carlos  (CH5044)  carlosh@CITYFOXES.COM
>      619-260-0770 (FAX) 619-299-6087
>   Billing Contact:
>      Williams, Daniel  (DW6428)  danw@CITYFOXES.COM
>      619-260-0770 (FAX) 619-299-6087
>
>   Record last updated on 26-Jun-98.
>   Record created on 16-Aug-97.
>   Database last updated on 4-Aug-98 07:10:38 EDT.
>
>   Domain servers in listed order:
>
>   AUTH02.NS.UU.NET             198.6.1.82
>   AUTH60.NS.UU.NET             198.6.1.181
>
>Seems Focus Interactive is a porno shop. Let's keep digging....
>
>
>>Hi,
>
>>See Me and My Friends at
>
>>http://208.208.221.24/cindy.asp
>
>>nslookup 208.208.221.24
>Server:  ns.mediacity.com
>Address:  205.216.172.10
>
>*** No address (A) records available for 208.208.221.24
>
>Well, I've already proven who controls this netblock. Seen anything
>interesting?
>
>>Cindy
>
>Cindy needs to get off the internet.
>
>Hope this helps. That was an easy one, and it appears that the headers
>were intact.
>
>
>|Commercial and/or unsolicited email and/or spam will be processed for|
>|   a $500 handling fee. Unsolicited sending constitutes acceptance.  |
>     spam-hater@studio42.com http://www.studio42.com/kill-the-spam/
>     >>>>    We've upped our standards, so now UP YOURS!    <<<<<<
> Phone Threat: http://www.studio42.com/kill-the-spam/pages/threat.html
>
>
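
The header walk in the quoted analysis above, as an added example that is not part of the original thread: it parses the spam's `Received:` chain and marks the hops worth a manual lookup. The `FORWARD` table holds the forward lookups recorded in the thread's nslookup output, and the flag names are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Received chain copied from the spam quoted on this page.
RAW = """\
Received: from mx05.globecomm.net (mx05.globecomm.net [207.51.48.28])
 by is2.nyu.edu (8.8.8/8.8.7) with ESMTP id CAA32330
 for <jakobsng@is2.nyu.edu>; Sat, 13 Jun 1998 02:17:14 -0400 (EDT)
Received: from exchange.cityfoxes.com ([208.208.221.12]) by
 mx05.globecomm.net (8.8.8/8.8.0) with ESMTP id CAA13739 for
 <jakobsen@earthling.net>; Sat, 13 Jun 1998 02:12:29 -0400 (EDT)
Received: from WEBWORKSTATION by exchange.cityfoxes.com with SMTP
 (Microsoft Exchange Internet Mail Service Version 5.0.1457.7)
 id MZ6YTVYF; Fri, 12 Jun 1998 18:05:24 -0700
"""

# Forward lookups as recorded in the page's nslookup output (no live DNS here).
FORWARD = {"mx05.globecomm.net": "206.253.129.28", "exchange.cityfoxes.com": "208.208.221.12"}

HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return hops newest-first, the order they appear in the header block."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP.search(flat)
        if not m: continue
        ip = IP.search(m.group("paren") or "")  # peer address logged by the receiver
        hops.append({"helo": m.group("helo"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops

def flags(hop):
    """Points worth a manual lookup; none of them is proof of forgery by itself."""
    out = []
    if hop["ip"] is None:
        out.append("no-peer-ip")        # only the client's claimed name was logged
    if "." not in hop["helo"]:
        out.append("unqualified-helo")  # not a resolvable host name
    known = FORWARD.get(hop["helo"])
    if known and hop["ip"] and known != hop["ip"]:
        out.append("forward-mismatch")  # may be a multi-homed pool; check whois
    return out

if __name__ == "__main__":
    for h in parse_hops(RAW):
        print(h["by"], "<-", h["helo"], h["ip"], flags(h))
```

Only the topmost line was written by the recipient's own server; every line below it was supplied by an upstream system and should be read as a claim until a lookup supports it.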