This spam report is at Anti-Spam Assistance Pages
Subject: Re: Great page!!!
Date: 1/20/98 21:51
To: Kyle Boddy, bboddy@stratos.net
First, may I have your permission to post this private mail thread to my new third-party
area? If not, then oh well. Regardless, here's the assistance you request, no strings
attached.
>Received: from mail.t-1net.com [209.136.153.21] by home.stratos.net with
>ESMTP
> (SMTPD32-4.02) id A5202FAB0060; Sun, 18 Jan 1998 01:45:52 est
>Date: Fri, 16 Jan 1998 11:01:39 -0600
>Message-Id: <199801161701.LAA01104@mail.t-1net.com>
>From: MAILER-DAEMON@localhost
>Bcc:
>Subject: Accept Major Credit Cards Online For $39.95!
>X-UIDL: 881357630
>Status: U
>X-Mozilla-Status: 2001
Read what I say VERY carefully:
T-1net.com was disconnected by Spring on January 2.
See the problem?
Ok, now onto this one. It appears to have two problems, but I could be wrong.
The first is the invalid DNS entry for T-1net.com.
Using nslookup:
>nslookup 209.136.153.21
Server: dns.mediacity.com
Address: 205.216.172.10
*** dns.mediacity.com can't find 209.136.153.21: Non-existent host/domain
But never give up.
>nslookup mail.t-1net.com
Server: dns.mediacity.com
Address: 205.216.172.10
*** dns.mediacity.com can't find mail.t-1net.com: Non-existent host/domain
Hmm. OK, let me try this:
>traceroute 209.136.153.21
traceroute to 209.136.153.21 (209.136.153.21), 30 hops max, 40 byte packets
1 grfge002 (205.216.172.1) 0.456 ms 0.295 ms 0.265 ms
2 bordercore2-hssi0-0.SanFrancisco.mci.net (166.48.15.249) 2.842 ms 2.809 ms 2.896 ms
3 core3.SanFrancisco.mci.net (204.70.4.17) 5.454 ms 3.598 ms *
4 mae-west4-nap.SanFrancisco.mci.net (204.70.10.250) 4.976 ms 4.685 ms 4.894 ms
5 mae-west.acsi.net (198.32.136.79) 22.615 ms 16.302 ms 17.464 ms
6 tucson-az-1-a12-0.acsi.net (206.222.97.8) 47.642 ms 41.255 ms 42.327 ms
7 elpaso-tx-1-a11-0.acsi.net (206.222.97.7) 48.128 ms 46.941 ms 46.954 ms
8 * * fortwo-tx-1-a12-0.acsi.net (206.222.97.6) 55.385 ms
9 housto-tx-1-a12-0-6.acsi.net (206.222.100.130) 75.299 ms 82.263 ms 67.841 ms
10 206.222.105.114 (206.222.105.114) 82.482 ms 83.051 ms 79.143 ms
11 * * *
12 * * *
It just keeps dying. It does clearly show ACSI.Net's involvement. They are something of
a spam haven.
One more thing to do:
(wow, all three of your questions in the web board used here in a practical application!)
>whois t-1net.com
Taylor Made Communications (T-1NET-DOM)
3800 East 42nd Street
Odessa, TX 79767
Domain Name: T-1NET.COM
Administrative Contact, Technical Contact, Zone Contact:
David Taylor (DT86-ORG) postmaster@T-1NET.COM
915-550-3039
Billing Contact:
David Taylor (DT86-ORG) postmaster@T-1NET.COM
915-550-3039
Record last updated on 28-Aug-97.
Record created on 12-May-97.
Database last updated on 20-Jan-98 04:02:04 EDT.
Domain servers in listed order:
MAIL.T-1NET.COM 208.21.213.10
QUICK.WE-DELIVER.NET 208.211.205.66
Yeah, typical. That doesn't tell me anything other than the whois entry has not been updated.
Let's see who owns the netblock:
>whois 209.136.153.0
ACSI (NETBLK-ACSI-4) ACSI-4 209.136.0.0 - 209.136.255.255
Golfballs Unlimited USA (NETBLK-GOLFBALLS1) GOLFBALLS1
209.136.153.0 - 209.136.153.255
Two words: Oh shit!
Dana Jones of golf ball spam fame has moved to ACSI for the time being. BAD NEWS!!!!
Complaints have to go to ACSI: postmaster and abuse @acsi.net. Anything else is a
waste of time. Inform them this downstream customer is deliberately violating ACSI's
PUBLICLY posted AUP (acceptable usage policy). I doubt ACSI will do anything, but be
annoying.
>Received: from smtp2.mailsrvcs.net [207.115.153.31] by home.stratos.net
>with ESMTP
> (SMTPD32-4.02) id A07A24E9011E; Fri, 16 Jan 1998 07:20:10 est
>Received: from smtp2.gte.net (1Cust107.tnt1.everett2.wa.da.uu.net
>[153.35.253.107])
> by smtp2.mailsrvcs.net with SMTP id GAA26983;
> Fri, 16 Jan 1998 06:24:50 -0600 (CST)
>From: klpxse3@gte.net
>Message-Id: <199801161224.GAA26983@smtp2.mailsrvcs.net>
>To: userx43@ydt.ca
>Date: Fri, 16 Jan 98 03:25:03 EST
>Subject: Credit Information
>X-UIDL: 881357618
>Status: U
>X-Mozilla-Status: 2001
The previous one was a bad example mainly because if this was t-1net.com, they are now
getting better at masking the originating address. This one is better. Note the order of the
headers:
First, we'll look up the relaying server, which always appears BEFORE your local server.
Unfortunately, this is ANOTHER spam house that likes to abuse GTE.
>nslookup 207.115.153.31
Server: dns.mediacity.com
Address: 205.216.172.10
Name: smtp2.gte.net
Address: 207.115.153.31
OK, the IP address is what you need to be concerned about. Now onto the DNS entry:
>nslookup smtp2.mailsrvcs.net
Server: dns.mediacity.com
Address: 205.216.172.10
*** dns.mediacity.com can't find smtp2.mailsrvcs.net: Non-existent host/domain
How they got the mail server to return a bad DNS entry is beyond me unless the server
does multi-homing.
Complaints to GTE.Net for SMTP hijacking. Complain to abuse and postmaster@gte.net.
Let's get more info on the forged domain:
>whois mailsrvcs.net
GTE Internet Solutions (MAILSRVCS-DOM)
5525 MacArthur Ste. 320
Irving, TX 75038
US
Domain Name: MAILSRVCS.NET
Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
hostmaster (HOS180-ORG) hostmaster@GTE.NET
800-927-3000
Record last updated on 06-Aug-97.
Record created on 06-Aug-97.
Database last updated on 20-Jan-98 04:02:04 EDT.
Domain servers in listed order:
BIGGUY.GTE.NET 206.124.64.253
OTHERGUY.GTE.NET 206.124.65.253
I think I got this one the other day....
Now let's look CAREFULLY at where I go to next:
>nslookup 153.35.253.107
Server: dns.mediacity.com
Address: 205.216.172.10
Name: 1Cust107.tnt1.everett2.wa.da.uu.net
Address: 153.35.253.107
OK, we have the point of origination. Now it is possible that the spam was sent via SMTP
from this IP address with everything else being forged. Complaints go to:
fraud@uu.net
spam-complaint@uu.net
security@uu.net
Everything else is either forged, bogus or pointless as far as I'm concerned.
>Received: from webserv.timetrend.com [209.137.31.10] by home.stratos.net
>with ESMTP
> (SMTPD32-4.02) id A1C52A28013C; Sun, 18 Jan 1998 11:45:57 est
>Received: from timetrend.com ([199.174.253.221]) by webserv.timetrend.com
> (Post.Office MTA v3.1 release PO205e ID# 0-36782U110L100S0)
> with SMTP id AAC184; Sun, 18 Jan 1998 10:41:52 -0600
>Date: Sun, 18 Jan 98 11:39:03 EST
>From: 47768128@aol.com
>To: 589568934@aol.com
>Subject: DIRECT YOUR OWN XXX ADULT VIDEO RIGHT NOW!! XXX! OVER 18 ONLY!
>Message-ID: <>
>X-UIDL: 881357633
>Status: U
>X-Mozilla-Status: 2001
Oh boy, more spam house-style porno.
>nslookup 209.137.31.10
Server: dns.mediacity.com
Address: 205.216.172.10
*** dns.mediacity.com can't find 209.137.31.10: Server failed
That's interesting...
>nslookup webserv.timetrend.com
Server: dns.mediacity.com
Address: 205.216.172.10
Non-authoritative answer:
Name: webserv.timetrend.com
Address: 209.137.31.10
See what not giving up gets me? It gets me the relaying server.
Complain to postmaster and abuse at this domain, as well as these addresses:
>whois timetrend.com
Time Trend Computers, Inc. (TIMETREND-DOM)
3330 Jackson Street P.O. Box
12898
Alexandria, LA 71315-2898
Domain Name: TIMETREND.COM
Administrative Contact, Technical Contact, Zone Contact:
Carr, Maurice (MC473) carrmf@TIMETREND.COM
318-4738707
Billing Contact:
ICI Accounts Payable (IAP4-ORG) ldrussell@INTERMEDIA.COM
813 829-2447
Fax- 813 829-2508
Record last updated on 17-Dec-97.
Record created on 03-May-95.
Database last updated on 20-Jan-98 04:02:04 EDT.
Domain servers in listed order:
NS.TIMETREND.COM 209.137.31.10
NS0.ICIX.NET 206.72.128.34
Now onto the point of origination:
>nslookup 199.174.253.221
Server: dns.mediacity.com
Address: 205.216.172.10
Name: hd73-221.hil.compuserve.com
Address: 199.174.253.221
Notice I grabbed the IP address, which shows this originating from CompuServe, DESPITE
the forgery. AOL is also forged. Complain to abuse and postmaster at compuserve.com
and aol.com, but aol.com only for informational purposes.
There you go! Glad I could help you.
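The header-reading procedure used throughout this message (take the Received: line just before your own server's stamp, trust the bracketed IP rather than the name the sender announced, and treat the bottom stamp's IP as the point of origination) can be mechanised. The following Python is an added example, not part of the original message or of any tool it mentions: it parses the three Received: chains quoted above (copied from the page, with the `>` quoting removed and folded lines joined), identifies the relay and the origin, and flags hops where the announced HELO name disagrees with the reverse name the receiving host recorded. Function and constant names are my own; the local host name `home.stratos.net` comes from the headers. It runs offline, so the nslookup and whois steps that follow the IP extraction are left to the reader.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Received: lines quoted in the message above, with the '>' quoting removed and folded
# continuation lines joined. They are in delivery order: the first line is the local
# server's own stamp, the last line is the earliest hop any relay recorded.
SPAM1_RECEIVED = [
    "from mail.t-1net.com [209.136.153.21] by home.stratos.net with ESMTP "
    "(SMTPD32-4.02) id A5202FAB0060; Sun, 18 Jan 1998 01:45:52 est",
]
SPAM2_RECEIVED = [
    "from smtp2.mailsrvcs.net [207.115.153.31] by home.stratos.net with ESMTP "
    "(SMTPD32-4.02) id A07A24E9011E; Fri, 16 Jan 1998 07:20:10 est",
    "from smtp2.gte.net (1Cust107.tnt1.everett2.wa.da.uu.net [153.35.253.107]) "
    "by smtp2.mailsrvcs.net with SMTP id GAA26983; Fri, 16 Jan 1998 06:24:50 -0600 (CST)",
]
SPAM3_RECEIVED = [
    "from webserv.timetrend.com [209.137.31.10] by home.stratos.net with ESMTP "
    "(SMTPD32-4.02) id A1C52A28013C; Sun, 18 Jan 1998 11:45:57 est",
    "from timetrend.com ([199.174.253.221]) by webserv.timetrend.com "
    "(Post.Office MTA v3.1 release PO205e ID# 0-36782U110L100S0) with SMTP id AAC184; "
    "Sun, 18 Jan 1998 10:41:52 -0600",
]

# "from <HELO name> (<reverse name> [<ip>]) by <receiving host>": the parenthesised part
# and the bracketed IP are each optional, and the IP may sit inside the parentheses.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<paren>[^)]*)\))?\s*"
    r"(?:\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\])?\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str            # name the sending host announced in HELO (sender-controlled, forgeable)
    ip: Optional[str]    # address the receiving host actually saw the connection come from
    rdns: Optional[str]  # reverse-DNS name the receiving host recorded, if it recorded one
    by: str              # the host that wrote this stamp


def parse_received(line: str) -> Hop:
    """Split one Received: line into the fields that matter for tracing."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable Received line: {line!r}")
    ip = m.group("ip")
    rdns = None
    paren = m.group("paren")
    if paren:
        inner = IP_RE.search(paren)
        if inner and ip is None:
            ip = inner.group(1)          # IP recorded inside the parentheses
        first = paren.strip().split()[0] if paren.strip() else ""
        if first and not first.startswith("["):
            rdns = first                 # receiving host's reverse lookup of the peer
    return Hop(helo=m.group("helo"), ip=ip, rdns=rdns, by=m.group("by"))


def trace_chain(received_lines, local_host):
    """Return the relay (the host your own server accepted the mail from), the origin
    (the earliest recorded source IP) and warnings for hops whose announced name
    cannot be reconciled with what the receiving host saw."""
    hops = [parse_received(line) for line in received_lines]
    if not hops or hops[0].by.lower() != local_host.lower():
        raise ValueError("first Received line must be the local server's own stamp")
    warnings = []
    for h in hops:
        if h.rdns is None:
            warnings.append(f"{h.by} recorded no reverse name for {h.ip}; "
                            f"HELO {h.helo!r} is unverified")
        elif h.helo.lower() != h.rdns.lower():
            warnings.append(f"HELO {h.helo!r} does not match reverse name "
                            f"{h.rdns!r} at {h.by}")
    return {
        "relay": hops[0].ip,    # complain to the owner of this address's netblock
        "origin": hops[-1].ip,  # point of origination, if the lower stamps are genuine
        "hops": hops,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, chain in (("spam 1", SPAM1_RECEIVED), ("spam 2", SPAM2_RECEIVED),
                         ("spam 3", SPAM3_RECEIVED)):
        result = trace_chain(chain, "home.stratos.net")
        print(f"{label}: relay {result['relay']}, origin {result['origin']}")
        for w in result["warnings"]:
            print("  warning:", w)
```

Only the IP in square brackets is recorded by the receiving host itself; the name before it is whatever the sender said in HELO, which is why the second chain points at gte.net in the name but at a uu.net dial-up in the address. A HELO/reverse-name mismatch is a signal to look up the IP, not proof of forgery on its own, since some legitimate servers announce a name that differs from their reverse record.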