Re: How to trace email sender's domain ?

From: John Thompson (john_at_vector.os2.dhs.org)
Date: 03/15/05


Date: Mon, 14 Mar 2005 19:31:25 -0600

On 2005-03-14, news@absamail.co.za <news@absamail.co.za> wrote:
> Please list the steps to determine an email sender's domain.
> Or perhaps point to a tut.
> Can this be traced also to the town ?
>
> This is the one which interests me now:--
>
> Return-Path: <nospam@isp.com>
> Received: from smtp10.atl.mindspring.net not authenticated
> [207.69.200.246]
> Received: from h-67-101-134-168.nycmny83.dynamic.covad.net
> ([67.101.134.168] helo=Anon)
> by smtp10.atl.mindspring.net with smtp (Exim 3.33 #1)
> id 1DAWVn-0002Dq-00; Sun, 13 Mar 2005 12:04:19 -0500
> From: nospam@isp.com

As an email message is transported across the internet, each mail server
that handles the message adds a "Received:" line to the top of the list of
headers. The bottom "Received:" line is therefore the first mail server to
handle the message; in this case "smtp10.atl.mindspring.net" received it
from "h-67-101-134-168.nycmny83.dynamic.covad.net" which is a dynamically
assigned IP. Running a whois against the IP address 67.101.134.168
associated with this address, you find it is registered to "Covad
Communications" in San Jose CA and the abuse reporting address is
"abuse-isp@covad.com".

This is most likely some household Windows machine that has been
compromised by a spam-bot. If you report it to the abuse address above,
they can contact the owner of the machine to have them take it off line
and clean it up. It is unlikely that it could be traced back to its
ultimate spammer origin, though, as the current spam practice is to relay
through a number of dynamically changing proxies before attempting to
inject the mail into the mail delivery system. The body of the message
likely contains an address (probably overseas someplace) intended to
direct the recipient to a site where they can be exploited. You may be
able to find an abuse address for the owner of that IP, but responding in
that way may not be effective and in fact may expose you to further spam.
I've had the best luck with European and North American sites; Asian
sites, particularly in China and Korea, don't seem to give a rip.

Your best bet is to put a good spam filter, e.g. spamassassin, in front
of your mail system.

-- 
John (john@os2.dhs.org)
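An added example, not part of John's post, that mechanises the reading he describes: it unfolds the quoted headers, walks the "Received:" chain from the bottom up, and pulls out the injecting host's reverse-DNS name, IP and HELO string, flagging the case where the HELO name does not match the reverse-DNS name (here "Anon" versus the covad.net hostname). The header block is constructed from the message quoted above; the function names are my own.

```python
import re

# Constructed sample: the header block quoted above, with continuation
# lines indented as an MTA would emit them.
SAMPLE_HEADERS = """\
Return-Path: <nospam@isp.com>
Received: from smtp10.atl.mindspring.net not authenticated
\t[207.69.200.246]
Received: from h-67-101-134-168.nycmny83.dynamic.covad.net
\t([67.101.134.168] helo=Anon)
\tby smtp10.atl.mindspring.net with smtp (Exim 3.33 #1)
\tid 1DAWVn-0002Dq-00; Sun, 13 Mar 2005 12:04:19 -0500
From: nospam@isp.com
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
HELO_RE = re.compile(r"\bhelo=([^\s)]+)")             # Exim-style helo=NAME
FROM_RE = re.compile(r"^from\s+(\S+)")                # rDNS / claimed host name
BY_RE = re.compile(r"\bby\s+(\S+)")                   # receiving MTA

def unfold_headers(raw):
    """Join continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Received: hops oldest-first: the bottom header was added by the first
    MTA to handle the message, so header order is reversed."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        found = {k: rx.search(body) for k, rx in
                 (("from", FROM_RE), ("ip", IP_RE), ("helo", HELO_RE), ("by", BY_RE))}
        hops.append({k: m.group(1) if m else None for k, m in found.items()})
    hops.reverse()
    return hops

def origin_hop(raw):
    """Earliest hop, flagging a HELO name that differs from the rDNS name
    (a common sign of a forged or bot-originated submission)."""
    hop = parse_received(raw)[0]
    hop["helo_mismatch"] = bool(hop["helo"]) and hop["helo"] != hop["from"]
    return hop
```

The IP returned for the origin hop is the one to look up in whois, as the post does; the "from" name is what the receiving MTA resolved, while "helo" is what the sending host claimed.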

