Arthur S. Alexion on Mon, 30 Sep 2002 21:59:11 -0400

Sorry to all for quoting the entire thing, but this is incredibly helpful. Do you think a threatening fax to Anna Lorry regarding "identity theft" with a copy to the Attorney General Consumer Protection Divisions of PA and VA might do the trick? I just want it to stop. Thanks again.

On Monday 30 September 2002 11:12 am, gabriel rosenkoetter wrote:
> Oh, wait, I take it back. Your bounces DO have a return path, Art!
>
> On Sun, Sep 29, 2002 at 08:46:47PM -0400, Arthur S. Alexion wrote:
> > ----- Transcript of session follows -----
> > 554 MX list for smkr.ru points back to semikar.donpac.ru
> > 554 <and@smkr.ru>... Local configuration error
>
> Well, getting back in touch with those folks is going to be
> complicated until they fix their DNS.
>
> > ----- Original message follows -----
> >
> > Return-Path: <arthur@alexion.com>
> > Received: from silmaril.donpac.ru (silmaril.donpac.ru
> > [195.161.172.248]) by semikar.donpac.ru (8.9.3/8.9.3/-) with ESMTP
> > id FAA82770
> > for <and@smkr.ru>; Sat, 28 Sep 2002 05:33:03 +0400 (MSD)
> > (envelope-from arthur@alexion.com)
> > From: arthur@alexion.com
> > Received: from donpac.ru (alb-66-24-199-116.nycap.rr.com
> > [66.24.199.116]) by silmaril.donpac.ru (8.11.3/8.11.3/cae2.2.0.4)
> > with SMTP id g8S01PS40413 for <and@smkr.ru>; Sat, 28 Sep 2002
> > 04:01:29 +0400 (MSD)
> > (envelope-from arthur@alexion.com)
> > Date: Fri Sep 27 19:00:36 2002
> > To: and@smkr.ru
> > Subject: Деловое предложение [Russian: "Business proposal"]
> > Mime-Version: 1.0
> > Content-type: text/plain; charset="windows-1252"
> > Message-ID: <1364@know.de>
> > X-Logged: Logged by silmaril.donpac.ru as g8S01PS40413 at Sat Sep
> > 28 04:01:29 2002
>
> So silmaril.donpac.ru (the legitimate hostname of that machine, as
> near as I can tell) received the email at Sat, 28 Sep 2002 04:01:29
> +0400 (MSD) (hope silmaril's clock is in sync!) from a host claiming
> to have silmaril's domain (uselessly; it's more likely that the
> author of this software doesn't understand what the argument to
> the SMTP EHLO command is supposed to do) but that was actually
> alb-66-24-199-116.nycap.rr.com [66.24.199.116]. That's RoadRunner,
> a US national ISP. You could report this to their abuse department.
> They definitely have logs of who was connected and using that IP
> address at that time (they need them for billing).
>
> I'm willing to wager that, though sending the spam is quasi-legal,
> it's against RR's service contract. What you'll find, though, is
> that this is one of two things: a dialup account that has been
> hacked (and the dialer came in from abroad--plausibly Russia, but
> there's no good reason to assume that, really), or an RR cable
> modem account where someone has an open relay. In either case,
> letting the ISP know is a good-neighbor thing to do, and it'll
> either get the user to change their password or close their relay,
> but the spammer will just steal someone else's password or find
> another open mail relay, so it's not going to have an immediate
> effect on the volume of spam you get.
>
> Chasing down just what Road Runner's acceptable use policy allows
> and what it does not is significantly harder than it really should
> be. This document: http://www.scbusinessrr.com/acceptuse.pdf might
> matter, or it might not. I can find abuse reporting programs on a
> variety of localized RR pages, but not on the main one (well, not in
> sixty seconds of clicking, anyway, which is too damn long). If
> you're persistent, especially if you start calling phone numbers and
> get to real people, I bet you can make a dent here.
>
> > +7-861-37-5-53-11, +7-902-485-05-47
>
> Ooo... neat. Not that I'd suggest calling them, but this tracks
> things directly to a business (or home?). Not that that helps much;
> spam's probably perfectly legal there (as, btw, it is in the US;
> opt-out, pshaw).
>
> > Email:
> >
> > contact@kingarthurmail.com
>
> That might be more helpful.
>
> Provided that this spammer is actually running some kind of business
> and, thus, actually wants responses, they might well have provided a
> moderately valid email address.
>
> Now, this could just be a free, throw-away address (you know, the
> kind *you* use in web forms to avoid scum like this ;^>), but I
> don't think that's the case this time.
>
> For starters, what are the chances that anyone'd get "contact" as
> the username portion of an email address at a free email account,
> especially if they were just going to throw the address away anyhow?
>
> Second, neither http://www.kingarthurmail.com/ nor
> http://kingarthurmail.com is, as one might expect, a "set up your
> free email here!" web site. So maybe we can get somewhere with this.
>
> First off:
>
> humbug:~% whois -h whois.enom.com kingarthurmail.com
> Domain name: kingarthurmail.com
>
> Registrant :
> N/A
> ANNA LORY (wugivefog@popstar.com)
> 434 336 1156
> FAX: 434 336 1156
> 406 mount holly drive
> PORTS MOUTH, VA 23707
> US
>
>
> Administrative :
> N/A
> ANNA LORY (wugivefog@popstar.com)
> 434 336 1156
> FAX: 434 336 1156
> 406 mount holly drive
> PORTS MOUTH, VA 23707
> US
>
>
> Billing :
> N/A
> ANNA LORY (wugivefog@popstar.com)
> 434 336 1156
> FAX: 434 336 1156
> 406 mount holly drive
> PORTS MOUTH, VA 23707
> US
>
>
> Technical :
> N/A
> ANNA LORY (wugivefog@popstar.com)
> 434 336 1156
> FAX: 434 336 1156
> 406 mount holly drive
> PORTS MOUTH, VA 23707
> US
> [...]
> Created: 2002-09-09 00:47:02
> Expires: 2003-09-09 00:47:46
>
> Perhaps it's worth finding out more about Anna Lory? Of course, it's
> quite plausible that *all* the information there is completely
> faked, but if it is, a lot of unnecessary care was put into it
> (domain name registries regularly accept 800-555-1212 as the contact
> phone number).
>
> Things get more interesting, though:
>
> humbug:~% nslookup
> Default Server: x.z.com
> Address: p.q.r.s
>
> > set q=ANY
> > kingarthurmail.com
> Server: x.z.com
> Address: p.q.r.s
>
> Non-authoritative answer:
> kingarthurmail.com
> origin = dns1.name-services.com
> mail addr = info.name-services.com
> serial = 2002050701
> refresh = 3600 (1H)
> retry = 120 (2M)
> expire = 86400 (1D)
> minimum ttl = 3600 (1H)
> kingarthurmail.com nameserver = dns1.name-services.com
> kingarthurmail.com nameserver = dns2.name-services.com
> kingarthurmail.com nameserver = dns3.name-services.com
> kingarthurmail.com nameserver = dns4.name-services.com
> kingarthurmail.com nameserver = dns5.name-services.com
> kingarthurmail.com internet address = 216.168.60.84
> kingarthurmail.com preference = 10, mail exchanger =
> smtp.name-services.com
>
> Authoritative answers can be found from:
> [clip]
>
> > www.kingarthurmail.com
> Server: x.z.com
> Address: p.q.r.s
>
> Non-authoritative answer:
> www.kingarthurmail.com internet address = 66.150.5.22
>
> Authoritative answers can be found from:
> [clip]
>
> I show most of that because it might be useful in other contacts.
> The part we care about right now is the mail exchanger,
> smtp.name-services.com. Here's where things start to get fun:
>
> humbug:~% host smtp.name-services.com
> smtp.name-services.com is a nickname for smtp.enom.com
> smtp.enom.com has address 66.150.5.180
>
> Oh, really. Who's enom.com? Remember the use of whois.enom.com
> before? They're a domain registrar. Apparently they'll also provide
> SMTP forwarding services. Perhaps they would be interested in an
> email address related to their mail system being attached to spam?
> Especially in light of http://www.enom.com/help/AbusePolicy.asp.
> Seems pretty cut and dried to me.
>
> Art, does this explain the research tools you need to chase spam
> down? It's a bit of a hassle, and almost definitely not worth it for
> every piece of spam out there, but for this little email-address
> hijacking escapade you're dealing with, where the sender has gone to
> such an extent to hide their identity, it might be worthwhile to
> smack them back a bit.

--
_______________________________
Art Alexion
Arthur S. Alexion LLC
mailto:arthur@alexion.com
http://www.alexion.com

_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
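The header reading gabriel walks through above, as an added example that is not part of the original thread: a Python script that parses the quoted Received: chain newest-to-oldest, finds the hop where the mail crossed into donpac.ru's servers, and flags the tells he points at (a HELO name that does not match the reverse DNS and borrows the receiver's own domain, an envelope sender whose domain never appears anywhere in the chain, and the gap between hop timestamps that only means something if the clocks are in sync). The raw message is reconstructed from the headers quoted above with the body and a few headers dropped; the trusted-domain list and the specific checks are assumptions of this example, not anything the thread prescribes.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from typing import List, Optional, Sequence

# Constructed sample: the headers quoted in the thread above, reassembled into a
# raw message (Subject translated, body and a few headers omitted) for parsing.
RAW_MESSAGE = """\
Return-Path: <arthur@alexion.com>
Received: from silmaril.donpac.ru (silmaril.donpac.ru [195.161.172.248])
\tby semikar.donpac.ru (8.9.3/8.9.3/-) with ESMTP id FAA82770
\tfor <and@smkr.ru>; Sat, 28 Sep 2002 05:33:03 +0400 (MSD)
\t(envelope-from arthur@alexion.com)
From: arthur@alexion.com
Received: from donpac.ru (alb-66-24-199-116.nycap.rr.com [66.24.199.116])
\tby silmaril.donpac.ru (8.11.3/8.11.3/cae2.2.0.4) with SMTP id g8S01PS40413
\tfor <and@smkr.ru>; Sat, 28 Sep 2002 04:01:29 +0400 (MSD)
\t(envelope-from arthur@alexion.com)
To: and@smkr.ru
Subject: Business proposal
Message-ID: <1364@know.de>

(body omitted)
"""

# sendmail-style clause order: from HELO (rDNS [ip]) by HOST ... id ID ...; DATE (tz)
# A header that does not fit this shape is skipped rather than guessed at.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
    r"(?:.*?\bid\s+(?P<id>\S+))?"
    r".*?;\s*(?P<date>.+?)\s*(?:\(|$)"
)

@dataclass
class Hop:
    helo: str            # name the client announced in HELO/EHLO: client-chosen, unverified
    rdns: Optional[str]  # reverse DNS of the connecting IP, as the receiving server saw it
    ip: str              # connecting IP logged by the receiving server
    by: str              # server that wrote this header
    msg_id: Optional[str]
    when: Optional[datetime]

def parse_received(raw: str) -> List[Hop]:
    """Return hops in header order, i.e. newest (final delivery) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        try:
            when = parsedate_to_datetime(m.group("date"))
        except (TypeError, ValueError):
            when = None
        hops.append(Hop(m.group("helo"), m.group("rdns"), m.group("ip"),
                        m.group("by"), m.group("id"), when))
    return hops

def _under(name: str, suffixes: Sequence[str]) -> bool:
    name = name.lower()
    return any(name == s.lower() or name.endswith("." + s.lower()) for s in suffixes)

def find_origin(hops: Sequence[Hop], trusted_suffixes: Sequence[str]) -> Optional[Hop]:
    """Walk newest-first while the header was written by a host we trust; the last
    such hop is where the mail came in from outside. Older headers were handed to
    us by the sender and may be fabricated."""
    origin = None
    for hop in hops:
        if not _under(hop.by, trusted_suffixes):
            break
        origin = hop
    return origin

def helo_problems(hop: Hop) -> List[str]:
    """The HELO argument is client-supplied; the rDNS and IP beside it are not."""
    problems = []
    if hop.rdns is None:
        problems.append("no reverse DNS for connecting IP")
    elif hop.helo.lower() != hop.rdns.lower():
        problems.append("HELO name does not match reverse DNS")
    if _under(hop.by, [hop.helo]):
        problems.append("HELO name is the receiving server's own domain")
    return problems

def return_path_domain_seen(raw: str, hops: Sequence[Hop]) -> bool:
    """Does the envelope sender's domain appear anywhere in the relay chain?
    'No' is what a forged Return-Path (Art's address here) looks like."""
    _, addr = parseaddr(message_from_string(raw).get("Return-Path", ""))
    domain = addr.rpartition("@")[2]
    if not domain:
        return False
    return any(_under(n, [domain]) for h in hops for n in (h.helo, h.rdns or "", h.by))

def hop_delays_seconds(hops: Sequence[Hop]) -> List[int]:
    """Seconds each hop held the mail before the next one took it; negative or
    absurd values mean a forged header or an unsynchronised clock."""
    return [int((newer.when - older.when).total_seconds())
            for newer, older in zip(hops, hops[1:]) if newer.when and older.when]

if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    origin = find_origin(hops, ["donpac.ru"])  # trusted domain is an assumption here
    print("origin:", origin.ip, origin.rdns, helo_problems(origin))
    print("Return-Path domain seen:", return_path_domain_seen(RAW_MESSAGE, hops))
    print("hop delays (s):", hop_delays_seconds(hops))
```

On the sample above the origin hop is the one silmaril.donpac.ru wrote: 66.24.199.116 with reverse DNS alb-66-24-199-116.nycap.rr.com, announcing itself as donpac.ru, which is exactly the RoadRunner address gabriel singles out for the abuse report. The rule that makes this safe is the trusted-suffix walk: only headers written by servers you control (or whose operator you trust) count, because everything older arrived inside the sender's data and can say anything.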