This spam report is at Anti-Spam Assistance Pages
Subject: Re: info
Date: 7/3/98 16:12
To: Scott Huffman, scooty2@webkorner.com
On 7/3/98 14:21, Scott Huffman sent the following ASCII stream:
>Hello Chris,
>
>Scott Huffman here from WebKorner.Com. I'm sure you remember me. Hey, I
>just got a spam from someone and they are using a mail server from the
>Netherlands - gate.prof.net. I just telneted over, got in, sent an
>e-mail from a bogus name, and it sent me the spam. They allow anonymous
>connections. Was wondering what you recommend to stop the folks at
>gate.prof.net from relaying mail.
Well, that's good news, sort of. First, I'd traceroute to find their upstream unless you can
figure out who owns the netblock.
>whois -h whois.arin.net 194.235.89.0
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C2)
These addresses have been further assigned to European users.
Their contact information can be found in the RIPE database.
See below how to use that database to obtain up-to-date information.
Netname: RIPE-CBLK2
Netblock: 194.0.0.0 - 194.255.255.0
Maintainer: RIPE
Coordinator:
RIPE Network Co-ordination Centre (RNC-ORG-ARIN) nicdb@RIPE.NET
+31 20 535 4444
Fax- +31 20 535 4445
Domain System inverse mapping provided by:
NS.RIPE.NET 193.0.0.193
NS.EU.NET 192.16.202.11
AUTH03.NS.UU.NET 198.6.1.83
NS2.NIC.FR 192.93.0.4
SUNIC.SUNET.SE 192.36.125.2 192.36.148.18
MUNNARI.OZ.AU 128.250.1.21
TECKLA.APNIC.NET 202.12.28.129
Well, that sucked. Too GLOBAL.
>traceroute gate.prof.net
traceroute to gate.prof.net (194.235.89.2), 30 hops max, 40 byte packets
1 grfge002 (205.216.172.1) 0.359 ms 0.294 ms 0.295 ms
2 bordercore2-hssi0-0-0.SanFrancisco.mci.net (166.48.15.249) 2.649 ms 2.306ms 2.248 ms
3 core4.SanFrancisco.mci.net (204.70.4.81) 229.946 ms 295.547 ms 10.721 ms
4 sl-stk-1-H9-0-T3.sprintlink.net (206.157.77.66) 4.575 ms 4.551 ms 4.640 ms
5 sl-bb22-stk-2-3.sprintlink.net (144.232.4.33) 4.100 ms 4.037 ms 4.252 ms
6 sl-bb10-pen-6-0.sprintlink.net (144.232.8.177) 64.347 ms 65.274 ms 66.568 ms
7 sl-bb1-pen-0-0-0.sprintlink.net (144.232.5.6) 69.338 ms 67.155 ms 67.473ms
8 gip-penn-2-fddi1-0.gip.net (204.59.136.194) 68.819 ms 82.660 ms 72.028 ms
9 gip-amsterdam-1-atm6-0-0.gip.net (204.59.137.110) 189.044 ms 190.106 ms 189.927 ms
10 lbu-ams-fe3-0.global-one.nl (194.235.110.5) 188.488 ms 189.731 ms 190.450 ms
11 car1-ams-atm1-0-0.global-one.nl (194.235.236.14) 189.159 ms 190.690 ms 189.858 ms
12 go1-ams-fe0.global-one.nl (194.235.110.66) 193.138 ms 194.221 ms 189.647ms
13 go12-ams-e1.global-one.nl (194.235.96.3) 191.086 ms 190.845 ms 190.666 ms
14 proficient.global-one.nl (194.235.74.134) 205.319 ms 209.308 ms 206.393 ms
15 gate.prof.net (194.235.89.2) 206.727 ms 241.678 ms 217.547 ms
Uh oh, bad news. Sprint is involved, which means they aren't going to do anything except
make sure they get paid on a regular basis.
Complain first to postmaster and abuse over at global-one.nl, and then if that doesn't
get you results (wait 24-48 hours, state what you are going to do), then complain to gip.net,
who I've had good experiences with in the past.
Hopefully this should get you some results.
What about the originating point? I know you told me they accept bogus connections. What I
typically do is send usually to "abuse@studio42.com" since I own that domain and the
account. I can watch the incoming session hit my mail server. I then analyze those headers.
That method usually helps me nail those idiots, especially when a reverse look-up fails and
when headers don't follow RFC standards. Sometimes even poorly configured servers still
reveal the spammer's true identity.
Unfortunately, my mail server, which doesn't allow anonymous connections, will relay. I'm
upgrading this week. Until that happens, outgoing SMTP is disabled, and when I do enable,
it is highly monitored, and with one outgoing connection. Once the mail is sent, I disable
sending again.
>
>How are things?
Still getting spam. Less than 20 away from breaking my grand total from all of 1997 and the
second half of 1996.
Hopefully CALVINENTERPRISES.COM has been leaving you alone. The trend from the larger spam
houses is to do their harvesting via their services, but spamming via stolen, ill-gotten
and considered disposable dial-ups. I'm still waiting for something to come in clearly
implicating them so I can nail them with extreme prejudice.
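The header analysis described in the reply above (watch the session hit your own server, then read the Received: chain), as an added example that is not part of the original e-mail: it walks a constructed sendmail-style Received: chain to find the hop where the message entered and the relay that accepted it, flagging hops whose HELO name disagrees with the recorded reverse lookup. All host names and addresses in the sample are constructed.

```python
"""Walk a message's Received: chain to locate the injection point of a spam.
Added example, not from the original e-mail; the sample headers are constructed
in the sendmail 'from HELO (rdns [ip]) by host' style and are not real hosts."""
import re
from email import message_from_string

# Constructed sample: the outer hop was recorded by the honeypot's own server,
# the inner one by an open relay that took the mail from a dial-up whose
# forged HELO name does not match its reverse lookup.
SAMPLE = """Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.honeypot.example (8.8.8/8.8.8) with ESMTP id AAA01; Fri, 3 Jul 1998 14:00:00 -0700
Received: from mail.bigisp.example (ppp-17.dialup.example [198.51.100.17])
\tby relay.example.net (8.8.5/8.8.5) with SMTP id BBB02; Fri, 3 Jul 1998 22:55:00 +0200
From: someone@forged.example
Subject: info

buy stuff
"""

# from <helo> (<rdns-if-any> [<ip>]) by <host>; rdns is optional because some
# MTAs write only the address when the reverse lookup fails.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+?)\s*)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return hops newest-first as dicts with helo, rdns, ip, by and flags."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if not m:
            continue
        helo, rdns, ip, by = m.groups()
        flags = []
        if not rdns or rdns.lower() == "unknown":
            flags.append("reverse lookup failed")
        elif helo.lower() != rdns.lower():
            flags.append("HELO does not match reverse lookup")
        hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by, "flags": flags})
    return hops

def injection_point(raw):
    """The oldest hop (last Received: header) is where the mail entered: its
    'by' host is the relay to complain to, its ip the likely spam source."""
    hops = parse_hops(raw)
    if not hops:
        return None
    oldest = hops[-1]
    return {"relay": oldest["by"], "source_ip": oldest["ip"], "flags": oldest["flags"]}
```

Headers below the relay's own Received: line are under the spammer's control, so only the hops added by servers you trust are evidence; the oldest trustworthy hop is the one to complain about.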