[lug] spam decoding
Bill Thoen
bthoen at gisnet.com
Sun Mar 13 08:43:06 MST 2005
I think your most reliable information is the IP address in the square
brackets in the top Received header. Using this, I Googled on the domain
name and the word "spam," and came up with several hundred hits.
According to blogger "Ann Elizabeth"
(http://www.annelisabeth.com/blog/archives/000248.html) this spam is the
work of the notorious Alexander Morozov.
On Sat, 12 Mar 2005, D. Stimits wrote:
> I'm receiving a huge amount of spam advertising http://yrt009il.com/
> (dozens or more in a couple of hours), and have already sent information
> to the domain registrars involved (none of these have any removal means
> either). However, I'm also interested in making sure I can squeak every
> last bit of information possible out of every header involved, this has
> just irked me to where I plan to pursue every last one of these. All
> headers appear to have at least some forgery involved, but all messages
> are themselves exact copies. I'd be interested in any comments anyone
> can send me regarding one of the headers (they all vary only slightly)
> in what to pursue. Normally I would go for dotted decimal addresses, but
> I'd like to know if there is something more I can dig out of these
> headers. One is pasted below.
>
> D. Stimits, stimits AT comcast DOT net
>
> X-UIDL: 20050313022839s220089k5ge02t2kp
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Received: from mail.mitti.se
> (196.red-62-101-184.user.auna.net[62.101.184.196](untrusted sender))
> by sccrmxc22.comcast.net (sccrmxc22) with SMTP
> id <20050313022838s2200gt60re>; Sun, 13 Mar 2005 02:28:38 +0000
> X-Originating-IP: [62.101.184.196]
> from: "Sheila" <yszvst at mobilpesca.it>
> To: <patter at comcast.net>
> Subject: Better prices this week only
> Date: Sat, 12 Mar 2005 20:28:42 -0500
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----163306132301331"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> Thread-Index: AcUnV57qQvDayPJbRV60VQJVqrTQugAAEKAQ
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>
> This is a multi-part message in MIME format.
>
> ------163306132301331
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: 7bit
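
The check described in the reply above, as an added example that is not part of the original thread: it parses the top Received header from the quoted message, pulls out the bracketed IP recorded by the receiving server, and compares the HELO name and X-Originating-IP against it. The names top_hop, base and trusted_domain are hypothetical, and treating comcast.net as the reader's own provider is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Headers copied from the message quoted above; folded lines re-indented.
SAMPLE = """\
Received: from mail.mitti.se
 (196.red-62-101-184.user.auna.net[62.101.184.196](untrusted sender))
 by sccrmxc22.comcast.net (sccrmxc22) with SMTP
 id <20050313022838s2200gt60re>; Sun, 13 Mar 2005 02:28:38 +0000
X-Originating-IP: [62.101.184.196]
Subject: Better prices this week only

"""

# "from <HELO name> (<reverse DNS>[<peer IP>]...) by <receiving host>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]()]*)\s*"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>\S+)", re.S)

def base(name):
    # Crude heuristic (assumption): last two labels, not public-suffix aware.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def top_hop(raw, trusted_domain):
    """Parse the topmost Received header, the one added last.

    Returns None unless it was stamped by a host under trusted_domain
    (the reader's own mail provider); lower headers can be forged.
    """
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    m = HOP.search(received[0]) if received else None
    if not m or not m["by"].lower().endswith("." + trusted_domain):
        return None
    ip = ipaddress.ip_address(m["ip"])  # raises ValueError on garbage
    xoip = msg.get("X-Originating-IP", "").strip("[] ")
    return {
        "ip": str(ip),
        "helo": m["helo"],            # sender-supplied, unverified
        "rdns": m["rdns"],            # looked up by the receiving host
        "by": m["by"],
        "helo_matches_rdns": base(m["helo"]) == base(m["rdns"]),
        "xoip_agrees": xoip == str(ip),
    }

if __name__ == "__main__":
    print(top_hop(SAMPLE, "comcast.net"))
```

For this message the HELO name (mail.mitti.se) and the reverse DNS name (under auna.net) do not share a domain, while the bracketed IP and X-Originating-IP agree.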