This spam report is at Anti-Spam Assistance Pages
Subject: Re: FW: Email 57 Million People for $99
Date: 7/4/98 18:57
To: Scott Huffman, scooty2@webkorner.com
On 7/4/98 15:55, Scott Huffman sent the following ASCII stream:
>Chris,
>
>I'm trying to trace this spam I got today. What techniques, software do
>you use to trace down the information? I haven't been able to find an
>e-mail address for the mail server located at ccshst09.cs.uoguelph.ca
>[131.104.96.18].
>
>Any suggestions?
>
>Scott
You too? Damn. I just created a new page just for these jerks, but I'm also going to help
you out. They are apparently roaming around from free disposable account to disposable
account. Thanks for including the full headers.
http://www.studio42.com/kill-the-spam/1998/reports/firepower.html
OH:
Do you mind if I use this in one of my "assistance" sections? It has zero bearing on
anything else, you get the same level of service regardless.
OK, onto your goodies:
>From doedea44@prodigy.com Sat Jul 04 16:56:57 1998
Received: by mail.webkorner.com from localhost
(router,SLMail V3.0); Sat, 04 Jul 1998 16:56:56 -0400
Seems this is your local exchange. OK, I'll ignore.
Received: by mail.webkorner.com from ccshst09.cs.uoguelph.ca [131.104.96.18]
(SLmail 3.0.2421 ()); Sat, 04 Jul 1998 16:56:55 -0400
>nslookup 131.104.96.18
Server: ns.mediacity.com
Address: 205.216.172.10
Name: ccshst09.cs.uoguelph.ca
Address: 131.104.96.18
OK, this confirms, but seems to be a rather odd name for a server, don't you agree? It almost
sounds like a dial-up. Headers prove otherwise. Key here is that this is the relaying server.
This is a spam that I've noticed is following a new trend. You'll see.
This reminds me: get off my ass and find a "nslookup" cgi and install it on the web site...
Received: from ornet.nw.uoguelph.ca (ornet.nw.uoguelph.ca [131.104.56.2])
by ccshst09.cs.uoguelph.ca (8.8.6/8.8.6) with ESMTP id QAA15727;
Sat, 4 Jul 1998 16:51:27 -0400 (EDT)
>nslookup 131.104.56.2
Server: ns.mediacity.com
Address: 205.216.172.10
Name: ornet.nw.uoguelph.ca
Address: 131.104.56.2
Again, this resolves. This is the HIJACKED server. Most likely this was intended for internal
use only. Most likely the idiots behind this telnetted on port 25 until they found something
other than the MX A record server.
Date: Sat, 4 Jul 1998 16:51:27 -0400 (EDT)
From: doedea44@prodigy.com
Received: from ORNET/MAILQ by ornet.nw.uoguelph.ca (Mercury 1.21);
4 Jul 98 15:57:00 GMT-5
Oh crap, it accepts bogus HELO statements. Typical of this version of Mercury. Then again,
this server wasn't intended for use by OUTSIDERS.
Received: from MAILQ by ORNET (Mercury 1.21); 4 Jul 98 15:53:23 GMT-5
Received: from IBM by ornet.nw.uoguelph.ca (Mercury 1.21);
4 Jul 98 15:52:57 GMT-5
Don't know what these lines are, but they are definitely WORTHLESS as the spammer is not
located.
To: doedea44@prodigy.com
Comments: Authenticated sender is <doedea44@prodigy.com>
Forgery. Duh. Don't expect Prodigy to care.
Subject: Email 57 Million People for $99
Message-Id: <199807043210XAA32898@pimaia2y.nw.uoguelph.ca>
My guess: came out of CompuServe, based on what I got earlier today. CompuServe doesn't care.
Does this help any? I've already gotten 5 spams today, one being by the above idiots.
Anyhow, I've got to leave. I am de-emailing my lame personal site. Some idiot I don't know
seems to think he knows me and is pouring his guts out to me. I'm debating on posting these
messages. I've refused to reply to any of these messages. Sometimes I just hate the internet.
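
The header walk in the message above, as an added example that is not part of the original e-mail: it parses the Received lines quoted on this page (folding whitespace restored, which is an assumption) and finds the deepest hop where a receiving server recorded the peer's IP address, below which only self-reported names remain. The function names are hypothetical.

```python
import re
from email import message_from_string

# Headers as quoted on this page; continuation-line indentation restored (assumption).
RAW = """\
Received: by mail.webkorner.com from localhost
 (router,SLMail V3.0); Sat, 04 Jul 1998 16:56:56 -0400
Received: by mail.webkorner.com from ccshst09.cs.uoguelph.ca [131.104.96.18]
 (SLmail 3.0.2421 ()); Sat, 04 Jul 1998 16:56:55 -0400
Received: from ornet.nw.uoguelph.ca (ornet.nw.uoguelph.ca [131.104.56.2])
 by ccshst09.cs.uoguelph.ca (8.8.6/8.8.6) with ESMTP id QAA15727;
 Sat, 4 Jul 1998 16:51:27 -0400 (EDT)
Received: from ORNET/MAILQ by ornet.nw.uoguelph.ca (Mercury 1.21);
 4 Jul 98 15:57:00 GMT-5
Received: from MAILQ by ORNET (Mercury 1.21); 4 Jul 98 15:53:23 GMT-5
Received: from IBM by ornet.nw.uoguelph.ca (Mercury 1.21);
 4 Jul 98 15:52:57 GMT-5
Subject: Email 57 Million People for $99

"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace(raw):
    """Return one dict per Received header, newest (top) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        pick = lambda rx: (rx.search(value) or [None, None])[1]
        hops.append({"from": pick(FROM_RE), "by": pick(BY_RE), "ip": pick(IP_RE)})
    return hops

def deepest_recorded_peer(hops):
    """Walk down from the recipient's server; stop where peer IPs stop being logged."""
    found = None
    for hop in hops:
        if hop["ip"]:
            found = hop          # the receiving server logged the peer address itself
        elif found:
            break                # below this, "from" is only a name the sender claimed
    return found

if __name__ == "__main__":
    for n, hop in enumerate(trace(RAW)):
        print(n, hop)
    print("report to the operator of:", deepest_recorded_peer(trace(RAW)))
```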