To display the full headers in Netscape Communicator, go to the menu bar and select View, then Headers, then Full. "View Page Source" also works.
Status: U
[The body is a Big5-encoded Chinese advertisement that has been rendered as Latin-1; the recoverable text, translated:] Viagra, 30 tablets per bottle, special price only US$149, which averages under $5 a tablet, a price that absolutely cannot be matched anywhere in the world. Viagra, the men's wonder drug that has taken the world by storm, is an enormous help to sufferers of impotence or [...]; a man who cannot have a sex life need only take one pill, and within half an hour [...], with lasting vigour.
http://www.happytime2000.com
See also the Web site analysis for this spam.
This is an easy spam because there is only one IP address in the header. Many spammers put fake addresses and fake IP addresses in the headers to confuse you. The domain (happytime2000.com) may or may not be valid, but the spammer cannot hide the IP address that actually connected to your mail server, even if he adds fake ones: that address is recorded by the receiving server itself, not supplied by the sender. Strictly, it is the address of the last machine that handed the message to your server, which may be a relay the spammer abused rather than his own machine, but it is still the right place to start.
I don't know where 200.60.136.236 is, but since the spam is in Chinese (this shows how stupid spammers really are, sending advertisements that the recipients can't even read) I'll try APNIC, the Asia Pacific registry of Internet addresses. However, it turns out that I'm wrong; APNIC only returns the whole block:

inetnum: 200.0.0.0 - 200.255.255.255

(You could formerly look up any IP address through one service, but this is no longer true.) A query to ARIN (North America) yields:

Search results for: 200.60.136.236

In other words, ARIN doesn't know exactly where it is, but it does tell you that it belongs to LACNIC (Latin America). See below for how to use LACNIC's lookup feature. LACNIC's answer is:

inetnum: 200.60.136/24
nic-hdl: UA1-ARIN
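The registry hunt above (APNIC, then ARIN, then LACNIC) is exactly what a whois referral chain automates. The following is an added example, not code from this page: it speaks the plain port-43 whois protocol, asks IANA first, and follows the refer: / ReferralServer: line each registry returns until one answers without a referral. The registry responses embedded in the block are constructed stand-ins modelled on the output quoted above (the inetnum and nic-hdl values are the page's; the other fields and the exact layout are assumed), so the chain can be exercised offline; whois_query does real network I/O if you pass it in as the lookup instead.

```python
"""Follow whois referrals from IANA down to the registry that holds an address block."""
import ipaddress
import re
import socket

# Constructed stand-ins for registry answers, modelled on the output quoted on the page.
# The inetnum and nic-hdl values are the page's own; the other fields are assumed and the
# text is not a capture from any real server.
SAMPLE_RESPONSES = {
    "whois.iana.org": (
        "refer:        whois.lacnic.net\n"
        "\n"
        "inetnum:      200.0.0.0 - 200.255.255.255\n"
        "organisation: LACNIC\n"
    ),
    "whois.arin.net": (
        "NetRange:       200.0.0.0 - 200.255.255.255\n"
        "NetName:        LACNIC-200\n"
        "ReferralServer: whois://whois.lacnic.net\n"
    ),
    "whois.lacnic.net": (
        "inetnum:     200.60.136/24\n"
        "status:      allocated\n"
        "nic-hdl:     UA1-ARIN\n"
    ),
}

# A referral is spelled "refer:" by IANA (and RIPE-style servers) and "ReferralServer:"
# by ARIN; the whois:// scheme and an optional port are stripped.
_REFERRAL = re.compile(r"^(?:refer|ReferralServer):\s*(?:whois://)?([\w.-]+)(?::\d+)?\s*$", re.M | re.I)
_RANGE = re.compile(r"^(?:inetnum|NetRange):\s*(.+?)\s*$", re.M | re.I)


def referral_server(response):
    """Host the registry tells us to ask next, or None when its answer is authoritative."""
    m = _REFERRAL.search(response)
    return m.group(1).lower() if m else None


def address_range(response):
    """The inetnum/NetRange value: the block the answer actually covers, which is how you
    see that a /8-sized answer (200.0.0.0 - 200.255.255.255) is only a pointer, not a hit."""
    m = _RANGE.search(response)
    return m.group(1) if m else None


def whois_query(server, query, timeout=10.0):
    """Raw RFC 3912 exchange: connect to port 43, send the query plus CRLF, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def sample_lookup(server, query):
    """Offline stand-in for whois_query that serves the constructed responses above."""
    return SAMPLE_RESPONSES[server]


def trace_ip(ip, lookup=whois_query, start="whois.iana.org", max_hops=4):
    """Ask IANA, then follow referrals until a registry answers without one.

    Returns the (server, response) pairs in the order consulted. The loop is bounded and
    refuses to revisit a server, so two registries pointing at each other cannot spin it."""
    ipaddress.ip_address(ip)            # reject syntactically impossible addresses before querying
    seen, hops, server = set(), [], start
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        response = lookup(server, ip)
        hops.append((server, response))
        server = referral_server(response)
    return hops


if __name__ == "__main__":
    for server, response in trace_ip("200.60.136.236", lookup=sample_lookup):
        print(f"{server}: {address_range(response)}")
```

Starting at IANA rather than guessing a regional registry is the point: IANA's answer names the registry that actually holds the block, so the "wrong registry" detour above never happens. The address_range of each hop shows how much of the address space that answer covers, and the last hop's range (200.60.136/24 here) is the allocation whose contact you want.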
Tutorial, Netcom Abuse Department
(October 1997)
Below are some sample headers. The first set of headers are the easiest to read. Unfortunately, they are often very rare in unsolicited email, so I have included some nasties to look at as well.
---> These are headers from a NETCOM domain. If you receive email that is not forged, and it originated from NETCOM, it should look very similar to the below.
From usa21@ix.netcom.com Tue Sep 16 22:30:48 1997
Return-Path: <usa@ix.netcom.com>
Received: from dfw-ix9.ix.netcom.com (dfw-ix9.ix.netcom.com [206.214.98.9])
        by mrin55.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0) with ESMTP
        id WAA06345; Tue, 16 Sep 1997 22:30:43 -0400 (EDT)
Received: (from smap@localhost)
        by dfw-ix9.ix.netcom.com (8.8.4/8.8.4)
        id VAA20635; Tue, 16 Sep 1997 21:30:36 -0500 (CDT)
Received: from lap-ca7-52.ix.netcom.com(207.93.146.116)    <===== Look at this first, go by the IP address
        by dfw-ix9.ix.netcom.com via smap (V1.3)
        id rma015899; Tue Sep 16 21:28:45 1997
Message-Id: <3.0.1.32.19970916182327.00e02584@popd.ix.netcom.com>
X-Sender: usa21@popd.ix.netcom.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Tue, 16 Sep 1997 18:23:27 -0700
To: whynotyou?@ix.netcom.com
From: Business USA <usa21@ix.netcom.com>
Subject: Do you know how much money you can make?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
<---
The first thing I would look at is the bottom Received: line. As you can see, lap-ca7-52.ix.netcom.com has an IP immediately after it. If you do a lookup on this IP, you should also get this address. If you don't, GO BY THE IP... it is *always* accurate. The domain ends with Netcom.com, therefore, it is a NETCOM customer.
All mail from a dialin user goes through a dialin POP server. Any message sent from a user logged into this POP will have lap-ca7-52.ix.netcom.com or something similar depending on what state it originated from. If you cannot locate an address like this, or an IP that translates to an address like this, then it is most probably not from NETCOM. Mail is often routed through a central hub, so pay no attention to the above address: dfw-ix9.ix.netcom.com.
Now for a real nasty header that has been forged professionally, making it very hard to track to the original ISP.
--->
From youdontneedtoknow@notnow.com Sat Sep 20 10:16:40 1997
Return-Path: <youdontneedtoknow@notnow.com>
Received: from tauceti.vec.net (tauceti.vec.net [208.133.32.6])    <========= (2) Work your way up: this is the true origin of the mail
        by mail.wellserv.com (8.8.7/8.8.7) with ESMTP id KAA24492
        for <notus@net.com>; Sat, 20 Sep 1997 10:16:34 -0400 (EDT)
Message-Id: <199709201416.KAA24492@mail.wellserv.com>
Received: from wherefake (0.199.299.399) by whirfak4u.net (MX E5.0)    <======== (1) look here first, but it's phony
        with ESMTP; Sat, 20 Sep 1997 07:20:30 -1300 EST
X-Advertisement: Visit http://www.free.speech To get a life.
From: Like we'd tell <nicetry@havefun.com>
Date: Sat, 20 Sep 1997 05:13:53
Subject: More Kewl Stuph 4 U!
<---
The first thing I would look at is the bottom Received line. It's obvious it's fake, but sometimes it can be hard to tell. The EST gives it away, since it should be EDT (Eastern Daylight Savings Time). Also, EST is -4 hours from GMT, so the number before it should be -400. The IP address has numbers in it which exceed 255, so IP address 0.199.299.399 cannot exist. The received line is also below the Message-Id: line, which is very common when fake headers are injected into the message.
The *last* thing I would ever look at in a message is the actual From: line, the Return-Path: line, and the bottom Date: line. Those are all most often faked and forged, so you cannot send back to the original person who sent you the mail.
Let's look at the next Received line up, working our way from the bottom always. It has tauceti.vec.net in it. The IP in brackets translates to this. Take the last two parts, vec.net. That would be who you would contact for this particular header.
Hope this helps!
Keman
NETCOM Policy Management
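As an added example, not part of Keman's tutorial or any Netcom tool: the Python below walks a Received: chain the way the tutorial does, but from the top down, because trace headers are prepended and only the line written by your own server is known to be honest (the code assumes the top Received: is that line). It stops at the first hop whose "by" host is not the one the line above says it received from; the connection IP of the last linked hop is the origin worth looking up, which gives 207.93.146.116 for the Netcom example and 208.133.32.6 for the forged one. It also applies the three tells from the forged example: octets above 255, a zone name that disagrees with its numeric offset (the table maps EST to -0500 and EDT to -0400, the offsets those abbreviations denote, and -1300 is outside the range any real zone uses), and a Received: line sitting below non-trace headers such as Message-Id. The two header blocks are the tutorial's own examples, re-folded with leading whitespace on continuation lines and trimmed to the fields the checks need; the set of trace fields is an assumption.

```python
import re
from types import SimpleNamespace

# Constructed samples: the tutorial's two header blocks, re-folded (leading whitespace on
# continuation lines) and trimmed to the fields the checks below need.
NETCOM_HEADERS = """\
Received: from dfw-ix9.ix.netcom.com (dfw-ix9.ix.netcom.com [206.214.98.9])
 by mrin55.mail.aol.com (8.8.5/8.8.5/AOL-4.0.0) with ESMTP id WAA06345;
 Tue, 16 Sep 1997 22:30:43 -0400 (EDT)
Received: (from smap@localhost) by dfw-ix9.ix.netcom.com (8.8.4/8.8.4)
 id VAA20635; Tue, 16 Sep 1997 21:30:36 -0500 (CDT)
Received: from lap-ca7-52.ix.netcom.com(207.93.146.116) by dfw-ix9.ix.netcom.com
 via smap (V1.3) id rma015899; Tue Sep 16 21:28:45 1997
"""
FORGED_HEADERS = """\
Return-Path: <youdontneedtoknow@notnow.com>
Received: from tauceti.vec.net (tauceti.vec.net [208.133.32.6])
 by mail.wellserv.com (8.8.7/8.8.7) with ESMTP id KAA24492
 for <notus@net.com>; Sat, 20 Sep 1997 10:16:34 -0400 (EDT)
Message-Id: <199709201416.KAA24492@mail.wellserv.com>
Received: from wherefake (0.199.299.399) by whirfak4u.net (MX E5.0)
 with ESMTP; Sat, 20 Sep 1997 07:20:30 -1300 EST
"""
# Offsets the common zone abbreviations denote; the numeric offset is the authoritative part.
ZONE_OFFSETS = {"EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500", "MST": "-0700",
                "MDT": "-0600", "PST": "-0800", "PDT": "-0700", "GMT": "+0000", "UT": "+0000"}
TRACE_FIELDS = {"received", "return-path", "delivered-to"}  # assumed set of fields relays prepend

def unfold_headers(raw):
    """Return [(name, value)] in wire order, joining folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def parse_received(value):
    """One hop: names claimed/resolved for the sending host, the IP the receiving server saw
    on the TCP connection, the 'by' host that wrote the line, and its timestamp."""
    clauses, semi, date = value.rpartition(";")     # RFC 822: the timestamp follows the last ';'
    head = clauses if semi else value
    hop = SimpleNamespace(from_names=set(), ip=None, by_host=None, date=date.strip() if semi else "", problems=[])
    m = re.match(r"from\s+([^\s(]+)\s*(\([^)]*\))?", head)
    if m:                                           # no match for a local hop: "(from user@localhost)"
        hop.from_names.add(m.group(1).lower())
        comment = m.group(2) or ""
        hop.from_names.update(h.lower() for h in re.findall(r"[A-Za-z][\w-]*(?:\.[\w-]+)+", comment))
        ipm = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", comment)
        hop.ip = ipm.group(0) if ipm else None
    m = re.search(r"\bby\s+([^\s(;]+)", head)
    hop.by_host = m.group(1).lower() if m else None
    return hop

def check_hop(hop):
    """Tells from the forged example: impossible octets, an offset no zone uses, and a zone
    name that contradicts its numeric offset."""
    if hop.ip and (any(int(o) > 255 for o in hop.ip.split(".")) or hop.ip.startswith("0.")):
        hop.problems.append(f"impossible IPv4 address {hop.ip}")
    m = re.search(r"([+-])(\d{2})(\d{2})(?:\s+\(?([A-Z]{2,4})\)?)?\s*$", hop.date)
    if not m:
        return                                      # no numeric offset, nothing to compare
    sign, hh, mm, zone = m.groups()
    offset, minutes = sign + hh + mm, int(hh) * 60 + int(mm)
    if int(mm) >= 60 or minutes > (14 * 60 if sign == "+" else 12 * 60):
        hop.problems.append(f"offset {offset} is outside the real range -1200..+1400")
    if zone in ZONE_OFFSETS and ZONE_OFFSETS[zone] != offset:
        hop.problems.append(f"zone {zone} means {ZONE_OFFSETS[zone]}, not {offset}")

def analyze(raw):
    """Trace fields are prepended, so the top Received: was written by the server nearest you
    (assumed honest). Walk down while each 'by' host is the one the line above received from;
    the connection IP of the last linked hop is the origin to look up. Below the break the
    sender wrote the lines, so none of it can be trusted."""
    hops, below_trace = [], False
    for name, value in unfold_headers(raw):
        if name == "received":
            hop = parse_received(value)
            if below_trace:
                hop.problems.append("Received: sits below non-trace headers (injected by the sender?)")
            check_hop(hop)
            hops.append(hop)
        elif name not in TRACE_FIELDS:
            below_trace = True
    origin, trusted, expected_by = None, 0, None
    for hop in hops:
        if expected_by is not None and hop.by_host not in expected_by:
            hop.problems.append(f"'by {hop.by_host}' is not the host the hop above received from "
                                f"({', '.join(sorted(expected_by))}); the chain breaks here")
            break
        trusted += 1
        origin = hop.ip or origin
        expected_by = hop.from_names or {hop.by_host}   # a local hop hands off to itself
    return {"hops": hops, "trusted_hops": trusted, "origin_ip": origin}
```

Run analyze(FORGED_HEADERS) and the second hop collects five problems while the first is clean, which is the tutorial's conclusion with the reasoning made explicit. Two practical caveats: matching "by" to the previous "from" by exact hostname is strict, and real chains often need comparison at the registrable-domain level; and a header block pasted without its top line would make the sender's first forged line the "trusted" one, so in a real tool seed expected_by with your own server's name instead of trusting the top line unconditionally.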
"Spam Delenda Est" antispam home page