This spam report is at Anti-Spam Assistance Pages
Subject: Re: Fwd: Returned mail: User unknown
Date: 1/13/98 7:20 PM
To: Jae Jae, jae@hotmail.com
OK, you've presented me with quite a challenge.
On 1/13/98 3:25 PM, Jae Jae sent the following ASCII stream:
USELESS AOL HEADERS OMITTED.
Well, they aren't useless, it does show the message did in fact come from AOL and
was addressed specifically to you.
>>
>>The original message was received at Mon, 5 Jan 1998 20:00:25 -0500
>(EST)
>>from everest.pr.Sun.COM [210.138.200.3]
Hmm, seems that this is where the spam perhaps originated from, maybe relayed from.
I would NOT expect this behavior from SUN. Let me see...
>nslookup 210.138.200.3
Server: dns.mediacity.com
Address: 205.216.172.10
Name: everest.pr.Sun.COM
Address: 210.138.200.3
Interesting. AOL resolved the IP address.
>> NOTE: we cannot and will not divulge private information about
>>members. Please only use the search resource if you believe that you
>>may have misspelled a member's e-mail address.
>>
>> -AOL Postmaster
>>
>> ----- The following addresses had permanent fatal errors -----
>>
>>Return-Path: <jae@hotmail.com>
>>Received: from everest.pr.Sun.COM (everest.pr.Sun.COM [210.138.200.3])
>> by relay31.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0)
>> with SMTP id UAA13236;
>> Mon, 5 Jan 1998 20:00:25 -0500 (EST)
OK, I just resolved that one.
>>From: jae@hotmail.com
>>Received: from news.sun.co.jp (news.sun.co.jp [202.32.138.61]) by
The name just doesn't make sense. You would expect this to be usenet.
>nslookup 202.32.138.61
Server: dns.mediacity.com
Address: 205.216.172.10
Name: news.sun.co.jp
Address: 202.32.138.61
Wow, it resolves, showing the ORIGINATING server. Somehow I just don't expect the
folks in Japan to really be into spamming, especially since they don't have as many PCs
over there.
It could be some dolt telnetting to that machine and issuing raw SMTP commands and
forging a DNS entry. I don't know how to use this, but this could be a very efficient
way of getting around a LOT of stuff. I practice occasionally on my OWN mail server to
test accounts on my mail server.
>>everest.pr.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id KAA11257; Tue, 6 Jan 1998 10:00:10 +0900
>>Received: from badboys (user12179.theonramp.net) by news.sun.co.jp
I have a feeling this is the forged HELO entry "badboys", which was resolved to:
user12179.theonramp.net
which resolves to:
>nslookup user12179.theonramp.net
Server: dns.mediacity.com
Address: 205.216.172.10
Name: user12179.theonramp.net
Address: 208.136.12.179
Hmm, I think I've found the point of origination, but this could be forged.
>>(5.x/SMI-SVR4) id AA15703; Tue, 6 Jan 1998 10:05:27 +0900
>>Date: Tue, 6 Jan 1998 10:05:17 +0900
>>Errors-To: robinhood@hotmail.com
Yeah right.
>>To: jae@hotmail.com
Oh, there you are!
>>Comments: Authenticated sender is <jae@hotmail.com>
Not from my point of view it ain't.
>>Errors-To: robinhood@hotmail.com
How kind, abuse two accounts at once.
>>Subject: Do you love golf?
No, I hate golf.
>>Message-Id: <199801053107EAA15667@post.sun.co.jp>
>>MIME-Version: 1.0
>>Content-Type: text/plain; charset=3Dunknown-8bit
>>Content-Transfer-Encoding: 8bit
>>
SNIP of some lamer golf spam.
>>u for your time. =20
>></P><P ALIGN=3DLEFT>
>>Best Reguards,
>>B.Apple=20
>>
>>PS: Call 1-414-835-3142 now for the two minute overview and to
Well, we have the NUMBER of the people who are supporting this spam.
>receive =
>>your free comprehensive information package. =20
>>
>></FONT><FONT COLOR=3D"#ff0000" SIZE=3D2>
>>TO BE REMOVED TYPE REMOVE IN SUBJECT AND REPLY TO sowell@bizzy.net
>></FONT><FONT COLOR=3D"#000000" SIZE=3D3>
>><FONT COLOR=3D"#000000" SIZE=3D3></B>
>></PRE></HTML>
>>e=BD=02a
Hmm, we have ANOTHER account that appears to be responsible:
>whois bizzy.net
Triple Invest (BIZZY2-DOM)
2234 Main Street
Henderson, NV 90872
US
Domain Name: BIZZY.NET
Administrative Contact, Technical Contact, Zone Contact:
Wheeler, David (DW5035) ti@BIZZY.NET
913-342-8345
Billing Contact:
Wheeler, David (DW5035) ti@BIZZY.NET
913-342-8345
Record last updated on 06-Oct-97.
Record created on 06-Oct-97.
Database last updated on 13-Jan-98 04:06:07 EDT.
Domain servers in listed order:
NS1.ICSINC.NET 151.201.64.7
WWW.ICSINC.NET 151.201.64.2
MAIL.ICSINC.NET 151.201.64.8
I'm sure those folks would love to hear how their service is being abused.
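The header walk above (reading the Received: lines bottom-up, resolving each hop, and spotting the unqualified HELO name "badboys" next to its real reverse-DNS name) is the kind of check that can be automated. The following is an added example, not code from the report or from any of the sites named in it. It unfolds the three Received: headers quoted above (embedded here as constructed sample input), parses the HELO name, the receiving MTA's reverse-DNS/IP observation and the "by" host for each hop, checks that each hop's "by" matches the next hop's "from", and flags the origin hop the same way the report does. It does no live DNS lookups and makes no network calls.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the three Received: headers quoted in the report
# above, in header order (the top one is the last hop, added by AOL's relay).
SAMPLE_HEADERS = """\
Received: from everest.pr.Sun.COM (everest.pr.Sun.COM [210.138.200.3])
 by relay31.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0)
 with SMTP id UAA13236;
 Mon, 5 Jan 1998 20:00:25 -0500 (EST)
Received: from news.sun.co.jp (news.sun.co.jp [202.32.138.61]) by
 everest.pr.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id KAA11257; Tue, 6 Jan
 1998 10:00:10 +0900
Received: from badboys (user12179.theonramp.net) by news.sun.co.jp (5.x/SMI-SVR4)
 id AA15703; Tue, 6 Jan 1998 10:05:27 +0900
"""

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"   # name the client gave in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"        # what the receiving MTA observed
    r"\s+by\s+(?P<by>\S+)",                # the MTA that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto the header line above."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per Received: header, in header order (last hop first)."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        paren = m.group("paren") or ""
        ip_match = IP_RE.search(paren)
        # The first token inside the parentheses is the reverse-DNS name, if the
        # receiving MTA recorded one; "[ip]" alone means no PTR record was found.
        rdns = paren.split()[0] if paren and not paren.startswith("[") else None
        hops.append({
            "helo": m.group("helo"),
            "rdns": rdns,
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
        })
    return hops


def analyze_chain(hops: List[Dict[str, Optional[str]]]) -> List[List[str]]:
    """Flag each hop. Only the topmost hop was written by an MTA the reader can
    trust; every line below it came from an earlier relay and may be forged."""
    flags: List[List[str]] = []
    for i, hop in enumerate(hops):
        f: List[str] = []
        helo, rdns = hop["helo"], hop["rdns"]
        if "." not in helo:
            f.append("helo-unqualified")       # e.g. a bare "badboys"
        if rdns and helo.lower() != rdns.lower():
            f.append("helo-mismatch")          # HELO name differs from reverse DNS
        if hop["ip"] is None:
            f.append("no-ip-recorded")         # nothing to look up or block on
        # Continuity: this hop's "by" host should be the "from" of the hop above it
        if i > 0 and hops[i - 1]["helo"].lower() != hop["by"].lower():
            f.append("chain-break")
        flags.append(f)
    return flags


if __name__ == "__main__":
    parsed = parse_received(SAMPLE_HEADERS)
    for hop, hop_flags in zip(parsed, analyze_chain(parsed)):
        print(f"from {hop['helo']!r:28} rdns={hop['rdns']} ip={hop['ip']} "
              f"by={hop['by']} flags={hop_flags}")
    print("origin hop (least trustworthy):", parsed[-1])
```

On this input the two Sun hops come back clean and continuous, while the bottom hop is flagged three ways: the HELO name has no domain part, it does not match the reverse-DNS name the Japanese server recorded, and no IP address was logged, which is why the report has to resolve user12179.theonramp.net by hand. The trust note in analyze_chain matters for any real triage: the only Received: line you can rely on is the one your own provider's relay added, so a clean-looking lower chain should be read as "consistent", not "verified".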