Fighting email spam (How to fight spam)

Problem: Most spam emails (and virtually all current viruses) arrive with fake sender addresses, making it difficult to notify the service provider of the person really responsible for this nuisance.



Explanation: Most spam these days is sent with a fake return address. In these cases, complaining to the administrator of the sender domain is a waste of time. You first need to figure out where the spam really came from before you can complain to the administrators of the servers involved in sending the spam to get the offenders kicked off.


Solution: The following link lets you find out which provider an IP address is assigned to.


How to use this form:

1. Display the mail header in the spam e-mail. How to do this depends on your email client:

   o Outlook Express: File / Properties / Details / Message Source.
   o Microsoft Outlook 98 and 2000 for Windows: Right click on the message and select Options
   o Netscape Messenger 4.7 - 6: Open the email; View / Headers / All
   o Netscape Messenger 6.2 and higher: Go to Netscape Messenger Inbox; View / Headers / All
   o Other mail programs: See here


You'll see something similar to the following (not all fields will be present):

    Return-path:
    Envelope-to: mail@recipient.com
    Delivery-date: Thu, 05 Jun 2003 14:06:15 +0200
    Received: from [213.165.64.100] (helo=mx0.gmx.net)
        by mxng15.myprovider.com with smtp (Exim 3.35 #1)
        id 19NtVS-00089g-00
        for mail@recipient.com; Thu, 05 Jun 2003 14:06:10 +0200
    Received: (qmail 30356 invoked by alias); 5 Jun 2003 12:06:10 -0000
    Delivered-To: GMX delivery to recipient@gmx.net
    Received: (qmail 30132 invoked by uid 65534); 5 Jun 2003 12:06:08 -0000
    Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
        by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200
    From: "Dieter Wroblewski "
    Reply-To: "Dieter Wroblewski "
    To: joevicki2000@yahoo.com
    Date: Fri, 21 Feb 2003 07:55:25 -0800
    Subject: SilkSnake.com - Porn, Games, Movies and Much More
    MIME-Version: 1.0
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Message-ID: <20030605120609.30223gmx1@mx010-rz3.gmx.net>
    X-Resent-By: Forwarder
    X-Resent-For: recipient@gmx.net
    X-Resent-To: mail@recipient.com


2. Find out from where the mail reached your mailserver. In this case the mail claims to be from a yahoo.com customer, but it never passed through a yahoo.com mailserver. It's fake. Look at the Received: lines; they have all the information you need. Generally you want the very first line starting with Received: from, but if your mail is automatically resent through a mail forwarder such as GMX or POBOX (indicated by the Delivered-To: lines in this example), then look for the first Received: from line after the last Delivered-To: line. In this case that is:

    Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
        by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200

Make sure the server named in that Received: from line is an outside server, not one belonging to your own provider. Sometimes mail gets internally forwarded at your mail provider, which produces additional Received: lines you should skip.


The sender's computer claimed to be a server called fw.muan.chonnam.kr (in Korea), but you can't trust HELO values - they can be faked. More significant is the IP address that follows (in other cases the IP address may precede the server name or may be enclosed in square brackets such as [211.34.18.231]). It's always a sequence of four numbers from 0 to 255, separated by dots. The string "unknown" in that same line indicates that the receiving mailserver tried to do a reverse lookup to get a name for the number and couldn't find one. Well-administered networks provide name lookups for all their IP addresses. Paste the IP address into the above Domain or IP field and click the Go button.


The form queries the NIC of the country or region (for example, ARIN for USA and Canada, RIPE for Europe, APNIC for addresses in Japan, Australia, Singapore, Korea and China, LACNIC for Brazil and Argentina, AfriNIC for South Africa or Nigeria). Here is what we get:


    [ ISP Network Abuse Contact Information ]
    Name : Pubnet Abuse Manger
    Phone : +82-2-710-1457
    Fax : +82-2-710-1411
    E-Mail : abuse@pubnet.ne.kr


3. For webmailers such as Yahoo, find the IP address from which the mail was posted. This applies to advance fee fraud spam ("Nigeria scam") that usually involves real sender addresses and free webmailers:

Yahoo:

    Received: from [196.201.83.243] by web37806.mail.mud.yahoo.com via HTTP; Sun, 05 Mar 2006 11:32:44 PST
    Date: Sun, 5 Mar 2006 11:32:44 -0800 (PST)
    From: jane robert
    Subject: FROM: MRS JANE ROBERT.
    To: mrs_janerobert2002@yahoo.com

Hotmail:

    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
        Sun, 5 Mar 2006 21:36:55 -0800
    Message-ID:
    Received: from 81.91.238.45 by by19fd.bay19.hotmail.msn.com with HTTP;
        Mon, 06 Mar 2006 05:36:51 GMT
    X-Originating-IP: [81.91.238.45]
    X-Originating-Email: [henryunnachukwu@hotmail.com]
    X-Sender: henryunnachukwu@hotmail.com
    From: "chigozie unnachukwu"

Web.de:

    Received: from [84.254.131.218] by freemailng2302.web.de with HTTP;
        Sun, 05 Mar 2006 20:23:06 +0100
    Date: Sun, 05 Mar 2006 20:23:06 +0100
    Message-Id: <9273898@web.de>
    MIME-Version: 1.0
    From: MRS LARISA SOSNITSKAYA


Webmailers often log the IP address of the machine from which the email was posted via a browser, using a "Received:" line such as the ones above. Look for "via HTTP" or "with HTTP", usually in the last "Received:" line. Alternatively look for an "X-Originating-IP:" line or something similar. Use this IP address to locate the provider. Send complaints to both the webmail provider and the ISP used for the posting.
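The two lookups described in step 2 and in the webmail section, as an added example in Python that is not part of the original post: it unfolds the header block, applies the Delivered-To: forwarder rule, skips hops that are internal to your own provider or not globally routable, and for webmail posts prefers the X-Originating-IP: header or the "via HTTP" / "with HTTP" Received: line. The header samples are trimmed from the article's own examples; the function names and the own_domains parameter are my own.

```python
"""Trace the host that handed a spam message in, from its Received: headers.

Added example, not code from the original post. Rules implemented: use the
first "Received: from" line after the last "Delivered-To:" line (forwarders
such as GMX), skip hops that are not from an outside server, and for webmail
prefer X-Originating-IP: or the "via HTTP" / "with HTTP" Received: line.
Samples are trimmed from the article's own header examples.
"""
import ipaddress
import re
from email.parser import HeaderParser

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
WEBMAIL_HOP = re.compile(r"\b(?:via|with) HTTP\b", re.IGNORECASE)


def public_ips(text):
    """Valid, globally routable IPv4 addresses found in text, in order."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:      # an octet above 255 is not an address
            continue
        if ip.is_global:        # drops 10/8, 192.168/16, 127/8 and similar
            found.append(str(ip))
    return found


def parse_headers(raw):
    """Unfold the header block into an ordered list of (name, value) pairs."""
    msg = HeaderParser().parsestr(raw)
    return [(n, re.sub(r"\s+", " ", v).strip()) for n, v in msg.items()]


def origin_ip(raw, own_domains=(), honor_forwarders=True):
    """Return (ip, rule) for the handing-in host, or (None, None).

    own_domains: your own provider's server names (internal hops are skipped).
    honor_forwarders=False shows the naive, wrong answer for forwarded mail.
    """
    headers = parse_headers(raw)
    # Webmail providers often record the posting browser's address explicitly.
    for name, value in headers:
        if name.lower() == "x-originating-ip" and public_ips(value):
            return public_ips(value)[0], "X-Originating-IP"
    # Otherwise the webmail posting hop is usually the last Received: line.
    for name, value in reversed(headers):
        if name.lower() == "received" and WEBMAIL_HOP.search(value):
            sender = public_ips(value.split(" by ")[0])
            if sender:
                return sender[0], "webmail"
    # Forwarder rule: only Received: lines after the last Delivered-To: count.
    start = 0
    if honor_forwarders:
        for i, (name, _) in enumerate(headers):
            if name.lower() == "delivered-to":
                start = i + 1
    for name, value in headers[start:]:
        if name.lower() != "received":
            continue
        from_part = value.split(" by ")[0].lower()
        if not from_part.startswith("from "):
            continue            # e.g. "(qmail 30132 invoked by uid 65534)"
        if any(d.lower() in from_part for d in own_domains):
            continue            # internal hop at your own provider
        sender = public_ips(from_part)
        if sender:
            return sender[0], "received"
    return None, None


# Sample 1: the article's GMX-forwarded message (trimmed).
FORWARDED = """\
Received: from [213.165.64.100] (helo=mx0.gmx.net)
    by mxng15.myprovider.com with smtp (Exim 3.35 #1)
    id 19NtVS-00089g-00
    for mail@recipient.com; Thu, 05 Jun 2003 14:06:10 +0200
Received: (qmail 30356 invoked by alias); 5 Jun 2003 12:06:10 -0000
Delivered-To: GMX delivery to recipient@gmx.net
Received: (qmail 30132 invoked by uid 65534); 5 Jun 2003 12:06:08 -0000
Received: from unknown (HELO fw.muan.chonnam.kr) (211.34.18.231)
    by mx0.gmx.net (mx010-rz3) with SMTP; 05 Jun 2003 14:06:08 +0200
To: joevicki2000@yahoo.com
"""

# Sample 2: the article's Yahoo webmail example (trimmed).
WEBMAIL = """\
Received: from [196.201.83.243] by web37806.mail.mud.yahoo.com via HTTP; Sun, 05 Mar 2006 11:32:44 PST
To: mrs_janerobert2002@yahoo.com
"""

# Sample 3: the article's Hotmail example (trimmed), with X-Originating-IP.
HOTMAIL = """\
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Sun, 5 Mar 2006 21:36:55 -0800
Received: from 81.91.238.45 by by19fd.bay19.hotmail.msn.com with HTTP;
    Mon, 06 Mar 2006 05:36:51 GMT
X-Originating-IP: [81.91.238.45]
"""
```

Run `origin_ip` on the full message source you extracted in step 1; the address it returns is the one to paste into the lookup form. The second element names the rule that matched, which is worth a glance when a message has passed through both a forwarder and a webmail hop, and `honor_forwarders=False` on the GMX sample reproduces the mistake of stopping at the first Received: line (the forwarder's own server).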


Soon you'll know who to complain to. You should paste the complete message source (with full headers, see above) into your email and leave the subject line unchanged from the spam. Most domains have an abuse contact such as abuse@domainname. If mails to that address bounce, write to postmaster@domainname instead. Write a short and polite complaint, followed by the unmodified spam message.
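One way to put together the complaint described above without touching the spam itself, as an added example in Python that is not part of the original post: the subject is copied unchanged and the unmodified message source, all headers included, is attached as a message/rfc822 part so that quoting or line wrapping cannot alter it. The sample spam, host names and addresses are constructed placeholders; the function names are my own.

```python
"""Build an abuse complaint that keeps the spam's subject and full source intact.

Added example, not code from the original post. The body is the short note the
article recommends; the unmodified spam rides along as a message/rfc822
attachment. The spam sample and addresses below are constructed placeholders.
"""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed sample spam (placeholder host names, documentation-range IP).
SPAM_SOURCE = """\
Received: from unknown (HELO mail.example.invalid) (203.0.113.45)
    by mx.example.net with SMTP; Thu, 05 Jun 2003 14:06:08 +0200
From: "Someone" <nobody@example.invalid>
To: victim@example.net
Subject: Cheap offer, act now

Buy now.
"""


def build_complaint(raw_spam, abuse_addr, from_addr, note):
    """Return an EmailMessage to abuse_addr carrying note plus the attached spam."""
    spam = message_from_string(raw_spam, policy=default)
    complaint = EmailMessage(policy=default)
    complaint["From"] = from_addr
    complaint["To"] = abuse_addr
    # Subject stays exactly as in the spam so the abuse desk can match their logs;
    # the fallback for a missing subject is my own choice.
    subject = spam["Subject"]
    complaint["Subject"] = str(subject) if subject is not None else "(no subject)"
    complaint.set_content(note)
    complaint.add_attachment(spam)  # serialised as message/rfc822, headers untouched
    return complaint


def attached_original(complaint):
    """Return the original message attached by build_complaint, or None."""
    for part in complaint.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


if __name__ == "__main__":
    msg = build_complaint(SPAM_SOURCE, "abuse@isp.example", "me@example.org",
                          "This unsolicited message was sent from your network; "
                          "the full source with headers is attached.")
    print(msg.as_string())
```

Because the original is carried as a message/rfc822 part rather than pasted into the body, the abuse desk can open it with its headers exactly as received, and a mail client will not re-wrap long Received: lines.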


By the way, you should never try to use any of the unsubscribe addresses provided by spammers. Writing to these addresses only confirms that the spam has reached a recipient and has been read. More often than not trying to unsubscribe will "reward" you with even more spam!

