Email spam tracking

Home
Quick Tour
Product Info

Freeware eMail CRM Maximize the life-time value of your clients and getting them to smile at you

Art of eMail CRM Applying minimum efforts for maximum result, at the shortest time?

eMail Bolts & Nuts Interesting emails stuff that you should know eMail Broadcast FAQ's

eMail Marketing Tips
Great email strategies to help you increase sales

Email Spam tracking 102 - The many uses of DejaNews

Email Spam tracking 103 - The WHOIS database

Email Spam tracking 104 - A spammer unmasked

Thinking of bulk emailing - Consequences of spamming?

Figuring out fake eMail - Deciphering fake email or posting?

Email Spam tracking 101 by Bill Mattocks

Here's where it gets amusing!
So, let's just enjoy this spam for a moment, shall we?
Are you sitting comfortably?
Good, then I'll begin.

Here is a spam I just received. It is bad, because it is
spam. It is bad, because it attempts to masquerade as being information I requested to avoid detection as spam.

It is bad because it has mangled headers to attempt to
deflect complaints away from the true perpetrators. It is
also quite funny. Here it is, dissected for the newer anti-spammers to watch and learn from.

First line:

>Received: from bullets.cybercon.com (bullets.cybercon.com [199.217.156.7])
>by mail.comp-sol.com (EMWAC SMTPRS 0.83) with SMTP id
>B0000036788@mail.comp-sol.com>; Wed, 10 Sep 1997 20:00:52 -0500

eMail Bolts & Nuts FAQ's

How to manage and clean bounced or undelivered emails? Understand why emails get bounced

How to use your desktop PCs as an email server and bypass your ISP email server, a simple process using a free mail server program

How to test your message and see if it gets deleted by broad based anti-spam filters?

A one page email course. Everything you wanted to know about emailing in a "nut shell"

Quick guide to: dig finger traceroute ping whois nslookup IP block FTP SMTP relay TCP/IP Port

How to embed email tracking code into your email? Invisible counters, codes, scripts to track viewer

Send HTML or TEXT email using formatted HTML email, you can send an entire webpage

How to embed images into HTML email for faster emailing? Prevent displaying linked-site in recipient email client status bar

RFC defined ESMTP, SMTP Status Email Error Codes? These codes are used to provide informative explanations of error conditions

How email works? Delivery of each email is done
by your ISP mail server, first establishing a conversation through your recipient port 25

Some spiders visit site after site, collecting email addresses and controlling these rogue spiders spam bots or email harvesters with robot.txt

This is my mail server getting the spam from a mail server known as bullets.cybercon.com Please note that the ISP listed here may well have been innocently hijacked by the spammer, we really don't know yet.

>Wed, 10 Sep 1997 21:02:53 -0500
>Received: from
>From: 84903020@ix.netcom.com

This is all fake...inserted by the spammer's bulk mail software. It can be safely ignored.

>Received: from 199.217.156.7 (hd70-155.hil.compuserve.com [199.174.250.155])
>by bullets.cybercon.com (8.8.5/8.8.5) with SMTP id UAA03117;
>Wed, 10 Sep 1997 20:27:30 -0500

This line purports to show where bullets.cybercon.com actually got the mail from that it relayed to me. Please note that 199.217.156.7 does not belong to
hd70-155.hil.compuserve.com How do we know this? Simple, we use a tool called nslookup (available for many platforms).

Here is what we see:

[199.217.156.7]
Translated Name: bullets.cybercon.com
IP Address: 199.217.156.7

[hd70-155.hil.compuserve.com]
Translated Name: hd70-155.hil.compuserve.com
IP Address: 199.174.250.155

What does this all mean? It means that the first part of the line is bogus, but the second part is correct. We know that because most mail server software will report accurate information about where it got the mail from in most cases
(it has to be misconfigured or older brain-dead software to be completely silent about where it got the mail from).

eMail Bolts & Nuts FAQ's

About TCP/IP and mail server port numbers? It is a number between 1 and 65535 which identifies to the receiving computer what function you want to perform

The function of URL or Uniform Resource Locator?
A command for your email address, some mail clients may not be able to translate it into an email address

A standard client server protocol for receiving email. POP3 is use for retrieving Internet email from ISPs mail server...

Collections of important useful emails related sites? Free email stuff, real cool, give it a try

Advanced DNS (dig) for the DNS records of a host or domain showing all the DNS records

All about IP Addresses, DNS, Internet addressing. Serious stuff, perfect remedy if you can't sleep

Email history, email netiquette, improving email presentation, email with sound, pictures--give it a try

101 Email spam tracking and meaning of message header? 102 DejaNews the most powerful dedicated spam-tracker's tool 103 The spam tracker tools: Whois, nslookup, traceroute, dig 104 Spam tracking

Never use ISPs that hosts your web site to send out newsletter. If they cancel your account, you will lose all your web pages

Warning: If you publish an online newsletter or email to any opt-in list (including your own list), it is critical that you read this

The history of Spam starts with Monty Python's Flying Circus and Vikings singing Spam

A list of return error codes by Windows Sockets API returned by WSAGetLastErrorcall with descriptions

Meet The Kings of SPAM - You don't need rocket science to figure out how to send spam emails

It has been my observation that you can trust the IP address found within the square brackets, i.e. [199.217.156.7]

So, we have a reasonable expectation that the spammer used a dialup account on Compuserve to send this spam.
We still do not know if the ISP it was sent through is innocent or guilty, though. We will complain to Compuserve at abuse@compuserve.com, for starters.

>Received: from usr15-dialup53.mx1.Willowsprings.mci.net [166.55.38.181]
>by Willowsprings.mci.net (8.8.5/8.6.5) with SMTP id GAA02664
>for <bullwinkle@rocky.com>; Wed, 10 Sep 1997 20:59:04 -0600 (EST)
>Date: Wed, 10 Sep 97 20:59:04 EST
>To: bullwinkle@rocky.com
>Subject: Here's the info you requested
>Message-ID: <19970908182053.load2391.in@don>
>Reply-To: mrchicken@answerme.com
>X-UIDL: 12345678987456123012345698745612
>Comments: Authenticated sender is <don@Willowsprings.mci.net>

The above is all trash.
You can ignore any headers after the correct ones are found. That is because mailers put the headers onto the top of the message when they pass it along, not somewhere inside the message.

Thus, the very top message was from my mailer, receiving the mail. The one right under that was from the ISP's mailer, sending it to me and reporting where it got it from.

The rest is junk, designed to confuse us. Don't be fooled by Authenticated sender messages. They are easily faked, and mean nothing. They don't authenticate anything.

Spam-tracking 103 WHOIS tool nslookup and traceroute freeware download

whois.internic.net or network solutions are network registries to find out contact info for current domain or IP address

nslookup a DNS tool that Perform forward and reverse DNS queries for the current address (this will usually give you the IP address of a hostname)

traceroute finds the route packets take between you and the selected address

Email in a "nut shell" a one page course about emailing. Everything you wanted to know about emailing.

How email works? Delivery of each email is done by your ISP mailserver establishing a conversation through (port 25) of your recipient mail server

Free2-Try 100% effective. The easiest way to Stop Spam getting into your PC. I recommend it.

Free eBook Sun Tzu Art of War Commanders without thoughtful strategy invite defeat.

Sun Tzu

Free eBook Great online Stealth Marketing strategies to help you increase sales

><HTML><PRE><BODY BGCOLOR="#000000">COLOR="#00FFFF" SIZE=3>
>Everybody loves Mr. Chicken!

Ah, here's where it gets amusing!
So, let's just enjoy this spam for a moment, shall we?

>Kids are going wild over Mr.Chicken. Parents laugh hysterically at the >sight of him Why spend $50 on toys that your kids forget about the
>next day when for pennies they can have a Mr Chicken that they'll
>enjoy for months?
>For full details, Email MrChicken@answerme.com

Now, if we follow Rush Limbaugh's advice and "follow the money," it would appear that the perpetrator of this spam has a mailbox at answerme.com and his handle is MrChicken What do we know about answerme.com?

Cyber Promotions (ANSWERME4-DOM)
8001 Castor Avenue, Suite #127
Philadelphia, PA 19152 USA

Well, it happens that Cyberpromo is the owner of this particular domain. That kind of ends that trail for us, because Cyberpromo is a spamhaus, and their upstream provider, AGIS, is well aware of it and supports it. AGIS is a "backbone" on the Internet, so there is no one above them to complain to.

Still, since Cyberpromo CLAIMS to be against illegal relaying, we can send a copy of the complaint to relayabuse@cyberpromo.com and also to abuse@agis.net This won't do anything, but what the heck.

>

So, that ends the spam. Now, what about the original ISP who sent the spam to me? Innocent party or spamhaus? Well, let's take a look at their web page: http://www.cybercon.com/aup.html

Cybercon Acceptable User Policy
It is contrary to Cybercon policy for any user to effect or participate in any of the following activities through a Cybercon service:
[snip]
3. To send unsolicited mass emailings to more than twenty-five (25) email users, if such unsolicited emailings provoke complaints from the recipients;

4. To engage in any of the foregoing activities using the service of another provider, but channeling such activities through a Cybercon account or remailer, or using a Cybercon account as a maildrop for responses;

Now, it would appear from looking at their homepage (http://www.cybercon.com/) and also by "reading between the lines" of their AUP, that Cybercon is a spamhaus, however thinly disguised. That does not mean that they authorized this spam, or that they were not hijacked.

But the suspicion is definitely there. In any case, they get a copy of the complaint as well. If they were hijacked, they may wish to investigate further and perhaps initiate legal action.

If they were not, they may remain silent on the matter. In any case, they also have an upstream provider, which can be determined by doing a traceroute on bullets.cybercon.com

1 156.46.104.254 (156.46.104.254)
2 alpha-nomad.alpha.net (206.190.31.149)
3 mke-1.alpha.net (156.46.1.1)
4 chicago2-cr2.bbnplanet.net (204.167.132.9)
5 chicago1-br1.bbnplanet.net (199.92.131.11)
6 core5-hssi5-0.WillowSprings.mci.net (206.157.77.201)
7 core1.NorthRoyalton.mci.net (204.70.4.205)
8 core-hssi-2.Chicago.mci.net (204.70.1.93)
9 border4-fddi-0.Chicago.mci.net (204.70.3.83)
10 startnet-llc.Chicago.mci.net (204.70.27.6)
11 router.cybercon.com (199.217.252.58)
12 bullets.cybercon.com (199.217.156.7)

So, we know they get their service from mci.net
Therefore, a complaint also goes to abuse@mci.net

What else do we know about the elusive Cybercon? Let's check their IP range, to see who might own it. We can use whois.internic.net

whois 199.217.156.0
[rs.internic.net]
STARNET, L.L.C. (NETBLK-STARNET-CBLK)
P.O. Box 6286
St. Louis, MO 63006-6286

Netname: STARNET-CBLK
Netblock: 199.217.128.0 - 199.217.255.0
Maintainer: STLL

Coordinator:
Myers, Chris B. [President] (CBM10) chris@STARNET.NET
(314) 227-3136 (FAX) (314) 716-6163

Domain System inverse mapping provided by:

ADMIN.STARNET.NET 199.217.253.10
NEWS.STARNET.NET 199.217.253.11
NS1.DRA.NET 192.65.218.14

Record last updated on 30-Aug-96.

So, it appears that Starnet owns their Class "C" license. Now, let's jump into see 102--DejaNews (the land of "all my sins remembered") and see what we can find out:

For " cybercon.com ," we find only this:

*******************QUOTE*******************
2 Matches for search: cybercon.com

1. 97/05/18 016 [email] Information /uu. news.admin.net-abus LINDSEY JEAN NICE <
2. 97/03/01 016 [email]-BETTER THAN AOL news.admin.net-abus LINDSEY JEAN NICE <
******************ENDQUOTE*****************

Upon reading the messages in question, it appears that they once complained that they had been mischaracterized as "cybercoM.com" and not "cybercon.com" and wanted a retraction printed. OK, no spam reports. How about their class C ticket holder?

[nothing of consequence found]

What about doing a search for mrchicken?

Here is what we find:

**********************QUOTE**********************

Subject: Everyone loves Mr Chicken
From: igynews@sprynet.com
Date: 1997/09/08
Message-Id: <5uv7e4$qiv$1@juliana.sprynet.com>
Organization: Sprynet News Service
Newsgroups: alt.activism.children
[Fewer Headers]

EVERYONE LOVES MR. CHICKEN!

Are you tired of paying hundreds of dollars for toys your kids break
or get bored of the next day? How would you like a toy that can
provide countless hours of fun for literally pennies? MR. CHICKEN is
the answer. For full details, email MRCHICKEN@answerme.com

**********************ENDQUOTE**********************

So, it appears that MrChicken has posted an identical message a few days ago in UseNet. Just one, so not spam, although since it just happened, the others may not have been picked up by dejanews yet. www.dejanews.com

Still, we see that sprynet.net was used, not cybercon.com. It begins to look as though cybercon.com is not guilty, but either was hijacked or has a bad actor on their hands. So, we still complain to Cybercon, but scratch abuse@mci.net (their upstream provider) from the list.

Now, it appears that we have done "due diligence" on our search to find the source of the spam. We believe that the guilty party is only mrchicken@answerme.com So, here is our complaint e-mail:

Note - this will get me a response from their autoresponder, which may give me more information on the identity of "Mr. Chicken." However, it may also subject me to more spam. I am willing to risk it, for the sake of the exercise.
You probably do not want to do this.

To: mrchicken@answerme.com

From: bmattocks@comp-sol.com

Subject: SPAM REPORT ->Re: Here's the info you requested

CC: staff@cybercon.com,support@cybercon.com, abuse@agis.net,relayabuse@cyberpromo.com

NOTE TO CYBERCON.COM: It would appear that your SMTP server was either hijacked, or you have a "bad actor" on your hands. Could you please investigate and take action on this?

NOTE TO CYBERPROMO: It would appear that a client of yours (MrChicken@answerme.com) is failing to use your relay service, and may have hijacked the SMTP server belonging to cybercon.com. Please investigate and take action!

NOTE TO AGIS.NET: This spam was sent via what may well have been an illegally hijacked SMTP server. Please investigate and take action.

Thanks,

Bill Mattocks
Computer Solutions of Kenosha
http://www.comp-sol.com

>Received: from bullets.cybercon.com (bullets.cybercon.com [199.217.156.7])
>by mail.comp-sol.com (EMWAC SMTPRS 0.83) with SMTP id ><B0000036788@mail.comp-sol.com>; Wed, 10 Sep 1997 20:00:52 -0500
>From: 84903020@ix.netcom.com

>Received: from 199.217.156.7 (hd70-155.hil.compuserve.com [199.174.250.155])
>by bullets.cybercon.com (8.8.5/8.8.5) with SMTP id UAA03117;
>Wed, 10 Sep 1997 20:27:30 -0500

>Received: from usr15-dialup53.mx1.Willowsprings.mci.net [166.55.38.181]
>by Willowsprings.mci.net (8.8.5/8.6.5) with SMTP id GAA02664 for <bullwinkle@rocky.com>; Wed, 10 Sep 1997 20:59:04 -0600 (EST)
>Date: Wed, 10 Sep 97 20:59:04 EST
>To: bullwinkle@rocky.com
>Subject: Here's the info you requested
>Message-ID: <19970908182053.load2391.in@don>
>Reply-To: mrchicken@answerme.com
>X-UIDL: 12345678987456123012345698745612
>Comments: Authenticated sender is <don@Willowsprings.mci.net>

><HTML><PRE><BODY BGCOLOR="#000000">
>Everybody loves Mr. Chicken!

>Kids are going wild over Mr. Chicken.
>Parents laugh hysterically at the sight of him.
>Why spend $50 on toys that your kids forget about the next day
>when for pennies
>they can have a Mr Chicken that they'll enjoy for months?
>For full details, Email MrChicken@answerme.com

>

OK, folks, that's it for tonight.
Any questions? If not, class is dismissed.

Best Regards,

Bill Mattocks, CIIU

Derived from an HTML translation by Marek Jedlinski www.lodz.pdi.net/~eristic of a usenet post by Bill Mattocks

Email Spam tracking 101 - Meaning of email headers

Email Spam tracking 102 - The many uses of DejaNews

Email Spam tracking 103 - The WHOIS database

Email Spam tracking 104 - A spammer unmasked

Thinking of bulk emailing - Consequences of spamming?

Figuring out fake E-Mail - Deciphering fake email or posting?

Dolly Kee Managing Director
Image Power

eMail CRM maximize
the life-time value of my customers, I recommend it.

Freeware for home, office PC

Bounce eMail
Manager Freeware

"A valued contribution that
I and the rest of my team sincerely appreciate it. We have checked your software twice and it is good." Alex webmaster@softpicks.net

100% effective.
I recommend it.

The easies way to stop email spam, virus getting
into your PC
Free2-Try

Sun Tzu Art of War "Leaders who takes on the role of the commander without understanding the strategy of warfare, invite defeat." Free eBook