gabriel rosenkoetter on Mon, 30 Sep 2002 11:13:07 -0400
Oh, wait, I take it back. Your bounces DO have a return path, Art!

On Sun, Sep 29, 2002 at 08:46:47PM -0400, Arthur S. Alexion wrote:
>    ----- Transcript of session follows -----
> 554 MX list for smkr.ru points back to semikar.donpac.ru
> 554 <and@smkr.ru>... Local configuration error

Well, getting back in touch with those folks is going to be complicated until they fix their DNS.

>    ----- Original message follows -----
>
> Return-Path: <arthur@alexion.com>
> Received: from silmaril.donpac.ru (silmaril.donpac.ru
>  [195.161.172.248]) by semikar.donpac.ru (8.9.3/8.9.3/-) with ESMTP id
>  FAA82770
>  for <and@smkr.ru>; Sat, 28 Sep 2002 05:33:03 +0400 (MSD)
>  (envelope-from arthur@alexion.com)
> From: arthur@alexion.com
> Received: from donpac.ru (alb-66-24-199-116.nycap.rr.com
>  [66.24.199.116]) by silmaril.donpac.ru (8.11.3/8.11.3/cae2.2.0.4) with
>  SMTP id g8S01PS40413 for <and@smkr.ru>; Sat, 28 Sep 2002 04:01:29
>  +0400 (MSD)
>  (envelope-from arthur@alexion.com)
> Date: Fri Sep 27 19:00:36 2002
> To: and@smkr.ru
> Subject: Äåëîâîå ïðåäëîæåíèå
> Mime-Version: 1.0
> Content-type: text/plain; charset="windows-1252"
> Message-ID: <1364@know.de>
> X-Logged: Logged by silmaril.donpac.ru as g8S01PS40413 at Sat Sep 28
>  04:01:29 2002

So silmaril.donpac.ru (the legitimate hostname of that machine, as near as I can tell) received the email at Sat, 28 Sep 2002 04:01:29 +0400 (MSD) (hope silmaril's clock is in sync!) from a host claiming to have silmaril's domain (uselessly; it's more likely that the author of this software doesn't understand what the argument to the SMTP EHLO command is supposed to do) but that was actually alb-66-24-199-116.nycap.rr.com [66.24.199.116].

That's RoadRunner, a US national ISP. You could report this to their abuse department. They definitely have logs of who was connected and using that IP address at that time (they need them for billing). I'm willing to wager that, though sending the spam is quasi-legal, it's against RR's service contract.
What you'll find, though, is that this is one of two things: a dialup account that has been hacked (and the dialer came in from abroad--plausibly Russia, but there's no good reason to assume that, really), or an RR cable modem account where someone has an open relay. In either case, letting the ISP know is a good-neighbor thing to do, and it'll either get the user to change their password or close their relay, but the spammer will just steal someone else's password or find another open mail relay, so it's not going to have an immediate effect on the volume of spam you get.

Chasing down just what Road Runner's acceptable use policy allows and what it does not is significantly harder than it really should be. This document:

http://www.scbusinessrr.com/acceptuse.pdf

might matter, or it might not. I can find abuse reporting programs on a variety of localized RR pages, but not on the main one (well, not in sixty seconds of clicking, anyway, which is too damn long). If you're persistent, especially if you start calling phone numbers and get to real people, I bet you can make a dent here.

> +7-861-37-5-53-11, +7-902-485-05-47

Ooo... neat. Not that I'd suggest calling them, but this tracks things directly to a business (or home?). Not that that helps much; spam's probably perfectly legal there (as, btw, it is in the US; opt-out, pshaw).

> Email:
>
> contact@kingarthurmail.com

That might be more helpful. Provided that this spammer is actually running some kind of business and, thus, actually wants responses, they might well have provided a moderately valid email address. Now, this could just be a free, throw-away address (you know, the kind *you* use in web forms to avoid scum like this ;^>), but I don't think that's the case this time. For starters, what are the chances that anyone'd get "contact" as the username portion of an email address at a free email account, especially if they were just going to throw the address away anyhow?
Second, neither http://www.kingarthurmail.com/ nor http://kingarthurmail.com is, as one might expect, a "set up your free email here!" web site. So maybe we can get somewhere with this. First off:

humbug:~% whois -h whois.enom.com kingarthurmail.com
Domain name: kingarthurmail.com

Registrant :
  N/A
  ANNA LORY (wugivefog@popstar.com)
  434 336 1156
  FAX: 434 336 1156
  406 mount holly drive
  PORTS MOUTH, VA 23707
  US

Administrative :
  N/A
  ANNA LORY (wugivefog@popstar.com)
  434 336 1156
  FAX: 434 336 1156
  406 mount holly drive
  PORTS MOUTH, VA 23707
  US

Billing :
  N/A
  ANNA LORY (wugivefog@popstar.com)
  434 336 1156
  FAX: 434 336 1156
  406 mount holly drive
  PORTS MOUTH, VA 23707
  US

Technical :
  N/A
  ANNA LORY (wugivefog@popstar.com)
  434 336 1156
  FAX: 434 336 1156
  406 mount holly drive
  PORTS MOUTH, VA 23707
  US

[...]

Created: 2002-09-09 00:47:02
Expires: 2003-09-09 00:47:46

Perhaps it's worth finding out more about Anna Lory? Of course, it's quite plausible that *all* the information there is completely faked, but if it is, a lot of unnecessary care was put into it (domain name registries regularly accept 800-555-1212 as the contact phone number).
Things get more interesting, though:

humbug:~% nslookup
Default Server:  x.z.com
Address:  p.q.r.s

> set q=ANY
> kingarthurmail.com
Server:  x.z.com
Address:  p.q.r.s

Non-authoritative answer:
kingarthurmail.com
        origin = dns1.name-services.com
        mail addr = info.name-services.com
        serial = 2002050701
        refresh = 3600 (1H)
        retry   = 120 (2M)
        expire  = 86400 (1D)
        minimum ttl = 3600 (1H)
kingarthurmail.com      nameserver = dns1.name-services.com
kingarthurmail.com      nameserver = dns2.name-services.com
kingarthurmail.com      nameserver = dns3.name-services.com
kingarthurmail.com      nameserver = dns4.name-services.com
kingarthurmail.com      nameserver = dns5.name-services.com
kingarthurmail.com      internet address = 216.168.60.84
kingarthurmail.com      preference = 10, mail exchanger = smtp.name-services.com

Authoritative answers can be found from:
[clip]
> www.kingarthurmail.com
Server:  x.z.com
Address:  p.q.r.s

Non-authoritative answer:
www.kingarthurmail.com  internet address = 66.150.5.22

Authoritative answers can be found from:
[clip]

I show most of that because it might be useful in other contacts. The part we care about right now is the mail exchanger, smtp.name-services.com. Here's where things start to get fun:

humbug:~% host smtp.name-services.com
smtp.name-services.com is a nickname for smtp.enom.com
smtp.enom.com has address 66.150.5.180

Oh, really. Who's enom.com? Remember the use of whois.enom.com before? They're a domain registrar. Apparently they'll also provide SMTP forwarding services. Perhaps they would be interested in an email address related to their mail system being attached to spam? Especially in light of http://www.enom.com/help/AbusePolicy.asp. Seems pretty cut and dry to me.

Art, does this explain the research tools you need to chase spam down?
It's a bit of a hassle, and almost definitely not worth it for every piece of spam out there, but for this little email-address hijacking escapade you're dealing with, where the sender has gone to such an extent to hide their identity, it might be worthwhile to smack them back a bit.

-- 
gabriel rosenkoetter
gr@eclipsed.net
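As an added example (not part of the message above or the list archive), here is a Python script that does the Received-header reading the message walks through by hand: it takes the headers quoted from the bounce, re-joined onto one line each as a constructed sample, walks the hops oldest-first, and separates what each receiving MTA observed (the reverse-DNS name and bracketed IP) from what the client merely claimed in HELO. The contiguity check and the `origin_ip` helper are my additions, not anything the poster described.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the headers quoted in the bounce above, with the
# folded Received lines re-joined so each header sits on one line.
SAMPLE_HEADERS = """\
Return-Path: <arthur@alexion.com>
Received: from silmaril.donpac.ru (silmaril.donpac.ru [195.161.172.248]) by semikar.donpac.ru (8.9.3/8.9.3/-) with ESMTP id FAA82770 for <and@smkr.ru>; Sat, 28 Sep 2002 05:33:03 +0400 (MSD) (envelope-from arthur@alexion.com)
From: arthur@alexion.com
Received: from donpac.ru (alb-66-24-199-116.nycap.rr.com [66.24.199.116]) by silmaril.donpac.ru (8.11.3/8.11.3/cae2.2.0.4) with SMTP id g8S01PS40413 for <and@smkr.ru>; Sat, 28 Sep 2002 04:01:29 +0400 (MSD) (envelope-from arthur@alexion.com)
Date: Fri Sep 27 19:00:36 2002
To: and@smkr.ru
"""

# sendmail-style clause: from HELO (rdns [ip]) by HOST ... ; date (zone)
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>[^(]+?)\s*(?:\(|$)", re.DOTALL)

def parse_received(value):
    """One Received header -> dict, or None if not in the form above."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    hop = m.groupdict()
    hop["date"] = parsedate_to_datetime(hop["date"].strip())
    # rdns and ip are what the receiving MTA saw on the socket; helo is
    # only what the client claimed, so a mismatch is worth flagging.
    hop["helo_matches"] = bool(hop["rdns"]) and hop["helo"].lower() == hop["rdns"].lower()
    return hop

def trace(raw_headers):
    """Hops oldest-first: MTAs prepend Received, so the bottom one is
    the first server to have seen the message."""
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h]

def chain_is_contiguous(hops):
    """Every hop's 'by' host must be the next hop's 'from' host; a break
    means the headers below it may be forged rather than MTA-written."""
    return all(a["by"].lower() in (b["helo"].lower(), (b["rdns"] or "").lower())
               for a, b in zip(hops, hops[1:]))

def origin_ip(hops):
    """Observed IP at the oldest hop of a contiguous chain: the one
    address no later relay could have invented, so the one to report."""
    return hops[0]["ip"] if hops and chain_is_contiguous(hops) else None
```

Run `trace(SAMPLE_HEADERS)` and the first hop comes back with HELO `donpac.ru` against an observed `alb-66-24-199-116.nycap.rr.com [66.24.199.116]`, which is exactly the mismatch the message points at; the gap between the two hop timestamps is 1h31m34s.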