[lug] email mystery

Kirk Rafferty kirk at fpcc.net
Tue Feb 20 18:22:32 MST 2001


The message originated from dns2.kokushikan.ac.jp [202.253.226.22].
It gets a little tricky sometimes, but most spam originates from
the site that last connected to your mail server.  So, working
backwards in the envelope headers, you see the line

Received: from dns2.kokushikan.ac.jp (dns2.kokushikan.ac.jp
[202.253.226.22]) by totalrecall.idcomm.com (8.9.3/8.9.3)
with ESMTP id GAA19192; Tue, 20 Feb 2001 06:18:31 -0700

The other thing that gives this particular spam away is the
"From: crdserv at yahoo.com" header, embedded between two
"Received:" headers.  You won't ever see "From:" headers in
the envelope section (the "Received:" headers) of an email.

I did an RSS lookup on this IP, and it is in the RSS database.
You'll stop a lot of spam at the source if you can convince the
powers that be at idcomm.com to implement RSS.  You can find
more info at http://mail-abuse.org/rss/.

Good luck, and hope this helps!

-k


On Tue, Feb 20, 2001 at 02:03:17PM -0700, D. Stimits wrote:
> I'm trying to figure out how some of the spam email gets to me. The full
> headers don't show me anywhere in the path, although it does show the
> email servers from my ISP. The ISP uses a mix of Linux and NT boxes. Is
> there some sort of mass email feature to allow sending to everyone at
> some domain? Here is a sample full header I got:
> 
> Return-Path: <crdserv at yahoo.com>
> Received: from totalrecall.idcomm.com (totalrecall.idcomm.com [207.40.196.5])
>     by mailhost.idcomm.com (8.10.0/8.10.0) with ESMTP id f1KDK4p16394;
>     Tue, 20 Feb 2001 06:20:04 -0700
> Received: from dns2.kokushikan.ac.jp (dns2.kokushikan.ac.jp [202.253.226.22])
>     by totalrecall.idcomm.com (8.9.3/8.9.3) with ESMTP id GAA19192;
>     Tue, 20 Feb 2001 06:18:31 -0700
> From: crdserv at yahoo.com
> Received: from yahoo.com (localhost [127.0.0.1]) by dns2.kokushikan.ac.jp
>     (8.9.3+3.2W/3.7Wpl2/02/06/01) with SMTP id WAA03068;
>     Tue, 20 Feb 2001 22:16:19 +0900 (JST)
> Date: Tue, 20 Feb 2001 22:16:19 +0900 (JST)
> Message-ID: <200102201316.WAA03068 at dns2.kokushikan.ac.jp>
> Reply-To: crdserv at yahoo.com
> To: crdserv at yahoo.com
> Subject: Clear Up Bad Credit Today! Get approved for loans and more...
> X-Mozilla-Status: 8001
> X-Mozilla-Status2: 00000000
> X-UIDL: _RAE.H8mk6.mailhost
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
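A worked version of the trace Kirk describes, added here as an example and not part of the original thread: it unfolds the header block, walks the Received: lines from the top (the recipient's own servers) downward, stops at the first sending host outside the recipient's domain, and flags a From: header sitting between Received: lines. The sample block is constructed from the headers quoted above; treating `idcomm.com` as the trusted domain suffix is an assumption.

```python
import re

# Constructed sample: the headers quoted in this thread, unfolded to one
# line per header; addresses use "@" where the list archive shows " at ".
SAMPLE = """\
Return-Path: <crdserv@yahoo.com>
Received: from totalrecall.idcomm.com (totalrecall.idcomm.com [207.40.196.5])
  by mailhost.idcomm.com (8.10.0/8.10.0) with ESMTP id f1KDK4p16394; Tue, 20 Feb 2001 06:20:04 -0700
Received: from dns2.kokushikan.ac.jp (dns2.kokushikan.ac.jp [202.253.226.22])
  by totalrecall.idcomm.com (8.9.3/8.9.3) with ESMTP id GAA19192; Tue, 20 Feb 2001 06:18:31 -0700
From: crdserv@yahoo.com
Received: from yahoo.com (localhost [127.0.0.1]) by dns2.kokushikan.ac.jp
  (8.9.3+3.2W/3.7Wpl2/02/06/01) with SMTP id WAA03068; Tue, 20 Feb 2001 22:16:19 +0900 (JST)
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiving host>", as sendmail writes it
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_headers(raw):
    """Unfold continuation lines; return (name, value) pairs in original order."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def find_origin(headers, trusted_suffix):
    """Walk Received: lines newest-first. Hops written by our own servers are
    trusted; the first sending host outside our domain is the one that connected
    to us, and every hop below it was written by that host and may be forged."""
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if not m or not m.group(4).endswith(trusted_suffix):
            return None                  # chain left our servers without an answer
        rdns, ip = m.group(2), m.group(3)
        if not rdns.endswith(trusted_suffix):
            return rdns, ip              # last external host to hand us the mail
    return None

def from_between_received(headers):
    """True if a From: header sits between two Received: headers, which a clean
    trace never shows: it marks where the sender's own headers begin."""
    names = [n.lower() for n, _ in headers]
    rcvd = [i for i, n in enumerate(names) if n == "received"]
    return len(rcvd) > 1 and "from" in names[rcvd[0]:rcvd[-1]]
```

Running `find_origin(parse_headers(SAMPLE), "idcomm.com")` returns the dns2.kokushikan.ac.jp hop, and `from_between_received` reports the out-of-place From: line.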
