How to Handle Newsgroup Spam

E-mail and Web site

Example 1
  1. These are much harder to cloak than E-mail spams, which is why there are far fewer of them nowadays.
  2. The "Path" header shown below is very important. It will be a single line when you see it.
Pay attention to the comments in square brackets; they mark the items I have highlighted in the headers below.


[YOU are at this end of the path, e.g. I am at Earthlink.net]
Path: opinion.news.pas.earthlink.net!stamper.news.pas.earthlink.net!
 newsfeed1.earthlink.net!newsfeed.earthlink.net!news.maxwell.syr.edu!
 newsfeed.media.kyoto-u.ac.jp!spring.edu.tw!news.nctu.edu.tw!
 feeder.seed.net.tw!news.ethome.net.tw!not-for-mail
[The SPAMMER is at this end of the path, ethome.net.tw. Every server that handles an article prepends its own name to the Path, so the server that injected the spam is always somewhere in it; but some newsgroup spammers forge one or more elements at the right-hand end, in which case the real "injection point" is somewhere to their left.]
 From:  xkdwaxfj@tzpjpjckr.com
 Newsgroups:  alt.animals.dolphins
 Subject:  Clean your PC properly - 2fviqjrk4g50vpc dq3 8j9 f
 Date:  Mon, 16 Dec 2002 01:59:23 +0000 (UTC)
 Organization:  ETHOME InterNetNews site
 Lines:  46
 Message-ID:  <atjc1p$io3$1@news.ethome.net.tw>
 NNTP-Posting-Host:  200.215.97.82 [SHOULD match the path]
 X-Trace:  news.ethome.net.tw 1040003963 19203 200.215.97.82 (16 Dec 
 2002 01:59:23 GMT)
 X-Complaints-To:  usenet@news.ethome.net.tw
 NNTP-Posting-Date:  Mon, 16 Dec 2002 01:59:23 +0000 (UTC)
 Xref:  stamper.news.pas.earthlink.net alt.animals.dolphins:69100
 X-Received-Date:  Sun, 15 Dec 2002 18:04:51 PST (opinion.news.pas.earthlink.net)

 You're in Serious Trouble - It's a Proven Fact!
[No, the SPAMMER is in serious trouble.]

 http://157.237.254.7/eenws/

 Deleting "Internet Cache and History" will NOT protect you because any of the Web Pages, Pictures, Movies, Videos, Sounds, E-mail, Chat Logs and 
 Everything Else you see or do could easily be recovered to Haunt you forever! How would you feel if a snoop made this information public to your Spouse, Mother & Father, Neighbors, Children, Boss or the Media? It could easily Ruin Your Life! Solve all your problems and enjoy all the benefits of an "As New PC", Evidence Eliminator can Speed-Up your PC/Internet Browser, reclaim Hard Disk space and Professionally Clean your PC in one easy mouse click!

 Visit this URL to get protected:
 http://157.237.254.7/eenws/



Let's start with the posting information. The injection point in the Path is news.ethome.net.tw, so the poster should be at ethome.net.tw. Does the NNTP-Posting-Host match? 200.215.97.82 ought to be Taiwanese, so we try APNIC (the Asia-Pacific registry of IP addresses). APNIC denies owning it. ARIN (the North American registry) refers us to LACNIC (Latin America).
So the posting host and the Path disagree. Either the NNTP-Posting-Host is forged, or (since the server's own X-Trace line repeats the same address) the spammer reached ethome's news server from a Latin American address. Either way the rule is the same: when the path headers and the NNTP posting host don't match, go by the path headers, because the injecting server is the one that can stop the spammer. (You can look up the Latin American ISP anyway and report it to them just to make sure.) Complain to abuse "at" seed.net.tw and abuse "at" ethome.net.tw.

Now for the spammer's Web site. This is easy. Going to http://157.237.254.7/ yields "directory listing denied." That proves nothing by itself (any Web server with directory listings switched off says the same), but a bare IP address with no front page is typical of a throwaway spam host. ARIN does have this IP address (UXN Spam Combat is a convenient Web front end for ARIN's whois):

Search results for: 157.237.254.7 
     NetRange:   157.237.0.0 - 157.237.255.255
     CIDR:       157.237.0.0/16
     NetName:    NETVIKINGS
     NetHandle:  NET-157-237-0-0-1
     Parent:     NET-157-0-0-0-0
     NetType:    Direct Allocation
     NameServer: ns1.netvikings.net
     NameServer: ns2.netvikings.net
     Comment:
     RegDate:    1992-02-03
     Updated:    2002-11-05

     TechHandle: ZS252-ARIN
     TechName:   Administrative
     TechPhone:  +1-919-932-1670
     TechEmail:  Massiveisp "at" hotmail.com <====== Complain here

     OrgTechHandle: NETWO85-ARIN
     OrgTechName:   Network Administrator
     OrgTechPhone:  +1-919-672-2365
     OrgTechEmail:  joharris19 "at" sprintpcs.com <====== Complain here
You can also do a traceroute:

YOU are at this end of the traceroute. Don't complain to Opus1.net or twtelecom.net
traceroute to 157.237.254.7 (157.237.254.7), 30 hops max, 40 byte packets
 1  manny.Firewall.Opus1.COM (192.245.12.95)  4.883 ms
 2  Opus-GW (207.182.35.49)  16.601 ms
 3  Login-Opus-T1-1.Opus1.NET (207.182.63.102)  21.483 ms
 4  opus1-gw.login.COM (165.64.254.49)  18.554 ms
 5  F10.tus1.login.COM (165.64.254.77)  22.459 ms
 6  66-162-41-17.gen.twtelecom.net (66.162.41.17)  20.506 ms
 7  66-162-41-1.gen.twtelecom.net (66.162.41.1)  21.483 ms
 8  216-136-127-9.gen.twtelecom.net (216.136.127.9)  23.436 ms
 9  dist-01-so-0-0-0-0.sttl.twtelecom.net (168.215.53.197)  58.590 ms
10  tran-02-ge-0-2-0-0.sttl.twtelecom.net (168.215.54.114)  59.567 ms
11  64.132.69.6 (64.132.69.6)  111.321 ms
12  core1-seattle-pos15-0.in.bellnexxia.net (206.108.102.177)  111.321 ms
13  core1-vancouver-pos10-1.in.bellnexxia.net (206.108.102.194)  113.274 ms
14  core1-calgary-pos6-0.in.bellnexxia.net (206.108.101.74)  112.297 ms
15  * * *
16  64.230.231.162 (64.230.231.162)  117.180 ms
17  157.237.254.7 (157.237.254.7)  118.156 ms
The SPAMMER is at this end of the traceroute. It might be worth copying abuse "at" bellnexxia.net, although it's more clearcut when an ISP's domain name appears right above the last IP address.
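The "who is right above the last hop" judgement, as an added script. This is example code written for this page, not a tool the page used; it parses the tails of the two traceroutes quoted here (Example 1 above and Example 2 below, early hops omitted because they belong to the person tracing, not the spammer) and reports the nearest named hop above the target. The registrable_domain() heuristic and the abuse@ address it suggests are assumptions, and it does not talk to the network.

```python
import re

# Tails of the two traceroutes quoted on the page; the early hops (Opus1, twtelecom)
# belong to the person tracing and are left out on purpose.
TRACE_1 = """\
traceroute to 157.237.254.7 (157.237.254.7), 30 hops max, 40 byte packets
11  64.132.69.6 (64.132.69.6)  111.321 ms
12  core1-seattle-pos15-0.in.bellnexxia.net (206.108.102.177)  111.321 ms
13  core1-vancouver-pos10-1.in.bellnexxia.net (206.108.102.194)  113.274 ms
14  core1-calgary-pos6-0.in.bellnexxia.net (206.108.101.74)  112.297 ms
15  * * *
16  64.230.231.162 (64.230.231.162)  117.180 ms
17  157.237.254.7 (157.237.254.7)  118.156 ms
"""

TRACE_2 = """\
traceroute to 157.237.254.7 (157.237.254.7), 30 hops max, 40 byte packets
12  pos6-2.core1-tor.bb.attcanada.ca (216.191.65.97)  71.285 ms
13  srp2-0.gwy1-tor.bb.attcanada.ca (216.191.65.243)  71.284 ms
14  pos1-0.colo5-tor.bb.attcanada.ca (216.191.65.206)  72.261 ms
15  core1.c1b1.core.55cc.tor.boaw.net (216.94.86.66)  74.214 ms
16  p001.core1.core.55cc.tor.boaw.net (216.94.86.194)  75.191 ms
17  157.237.254.7 (157.237.254.7)  76.167 ms
"""

TARGET_RE = re.compile(r"traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_traceroute(text):
    """Return (target ip, [(hop number, hostname or None, ip or None), ...])."""
    lines = text.strip().splitlines()
    target = TARGET_RE.search(lines[0]).group(1)
    hops = []
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if m:
            num, name, ip = int(m.group(1)), m.group(2), m.group(3)
            # traceroute prints the bare IP twice when there is no reverse DNS
            hops.append((num, None if name == ip else name, ip))
        elif TIMEOUT_RE.match(line):
            hops.append((int(TIMEOUT_RE.match(line).group(1)), None, None))
    return target, hops


def registrable_domain(host):
    """Heuristic (an assumption): keep three labels for second-level registries like net.tw."""
    labels = host.lower().split(".")
    second_level = {"net", "com", "co", "org", "edu", "ac", "gov"}
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in second_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def upstream_of_target(text):
    """Nearest hop above the target that has a hostname, and how clearcut it is."""
    target, hops = parse_traceroute(text)
    if not hops or hops[-1][2] != target:
        return None  # the trace never reached the spammer; nothing to attribute
    unnamed_between = 0
    for num, name, ip in reversed(hops[:-1]):
        if name:
            domain = registrable_domain(name)
            return {
                "hop": num,
                "host": name,
                "domain": domain,
                "unnamed_hops_between": unnamed_between,
                # A named ISP hop directly above the target is a strong sign the
                # target is that ISP's customer; timeouts or bare IPs in between
                # mean some other network may sit in the gap, so only cc them.
                "clearcut": unnamed_between == 0,
                "suggested_cc": f"abuse@{domain}",
            }
        unnamed_between += 1
    return None


if __name__ == "__main__":
    for trace in (TRACE_1, TRACE_2):
        print(upstream_of_target(trace))
```

For the first trace the script finds bellnexxia.net at hop 14 with a timeout and a bare IP between it and the target, so it flags the attribution as not clearcut; for the second it finds boaw.net directly above the target.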

 

Example 2 (which spammer wants to be next?) I guess this guy did:

@s deleted to prevent harvesting

  To:    mtd nilenet.com, abuse nilenet.com, hostmaster coop.net, abuse coop.net,  adamsprecision yahoo.com, admin jnztech.com, joharris19 sprintpcs.com,  postmaster netvikings.net, abuse boaw.net
   Subject:   [Fwd: Delete that porn before the wife finds out ( xp8x)]
      Content-Type:                    multipart/mixed; boundary="------------FFA5D6F11DC86DEC982D9942"

From:      xcd@zxt.com
        Newsgroups:    alt.animals.dolphins
            Subject:  Delete that porn before the wife finds out ( xp8x)
              Date:  Mon, 6 Jan 2003 23:00:34 -0700
       Message-ID:    <2eqdva.1hh.ln@thoth.nilenet.com>
 NNTP-Posting-Host:  207.174.251.62 [Pay attention here, we are going to cross-reference this with the path headers]
   X-Trace:   7 Jan 2003 09:04:39 -0700, 207.174.251.62
   Lines:   27
     Path: mindspring!stamper.news.atl.earthlink.net!stamper.news.pas.earthlink.net!
 newsfeed2.earthlink.net!newsfeed.earthlink.net!newsfeed.news2me.com!
 cyclone1.gnilink.net!wn11feed!wn14feed!worldnet.att.net!4.24.21.153!
 chcgil2-snh1.gtei.net!paloalto-snf1.gtei.net!news.gtei.net!dimensional.com!
 pulsar.dimensional.com!coop.net!news.coop.net!thoth.nilenet.com!nobody
              Xref:    mindspring alt.animals.dolphins:66253

http://ws.arin.net/cgi-bin/whois.pl?queryinput=207.174.251.62
verifies nilenet as the actual source when cross-referenced with the
path headers:
Colorado Internet Cooperative Association NETBLK4-COOP-NET
(NET-207-174-0-0-1)  207.174.0.0 - 207.174.255.255
     Blastsite Hosting/NileNET, Ltd. BLAST-248-255-NET
(NET-207-174-248-0-1) 207.174.248.0 - 207.174.255.255
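The Path versus NNTP-Posting-Host cross-check done by hand in Example 1 and again here in Example 2, as an added script. This is example code written for this page, not a tool the page used. It takes the two header sets copied from the examples (annotations removed) and a small hand-built table standing in for the ARIN/LACNIC answers the page quotes; that table, the registrable_domain() heuristic and the abuse@ addresses it proposes are assumptions, not registry data, and nothing here goes on the network.

```python
import ipaddress

# Header sets copied from the page's Example 1 and Example 2 (annotations removed).
EXAMPLE_1 = """\
Path: opinion.news.pas.earthlink.net!stamper.news.pas.earthlink.net!newsfeed1.earthlink.net!newsfeed.earthlink.net!news.maxwell.syr.edu!newsfeed.media.kyoto-u.ac.jp!spring.edu.tw!news.nctu.edu.tw!feeder.seed.net.tw!news.ethome.net.tw!not-for-mail
From: xkdwaxfj@tzpjpjckr.com
Message-ID: <atjc1p$io3$1@news.ethome.net.tw>
NNTP-Posting-Host: 200.215.97.82
X-Trace: news.ethome.net.tw 1040003963 19203 200.215.97.82 (16 Dec 2002 01:59:23 GMT)
"""

EXAMPLE_2 = """\
From: xcd@zxt.com
Message-ID: <2eqdva.1hh.ln@thoth.nilenet.com>
NNTP-Posting-Host: 207.174.251.62
X-Trace: 7 Jan 2003 09:04:39 -0700, 207.174.251.62
Path: mindspring!stamper.news.atl.earthlink.net!stamper.news.pas.earthlink.net!newsfeed2.earthlink.net!newsfeed.earthlink.net!newsfeed.news2me.com!cyclone1.gnilink.net!wn11feed!wn14feed!worldnet.att.net!4.24.21.153!chcgil2-snh1.gtei.net!paloalto-snf1.gtei.net!news.gtei.net!dimensional.com!pulsar.dimensional.com!coop.net!news.coop.net!thoth.nilenet.com!nobody
"""

# Constructed stand-in for the registry lookups the page did by hand:
# netblock -> (organisation, domain to complain to). An assumption, not live whois.
WHOIS = {
    ipaddress.ip_network("207.174.0.0/16"): ("Colorado Internet Cooperative Association", "coop.net"),
    ipaddress.ip_network("207.174.248.0/21"): ("Blastsite Hosting/NileNET, Ltd.", "nilenet.com"),
    ipaddress.ip_network("157.237.254.0/24"): ("JNZ Technologies Inc", "jnztech.com"),
    ipaddress.ip_network("200.0.0.0/8"): ("LACNIC (Latin America); not APNIC, not ARIN", None),
}


def parse_headers(raw):
    """Header name (lower-cased) -> value; split on the first colon only."""
    headers = {}
    for line in raw.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def registrable_domain(host):
    """Heuristic (an assumption): keep three labels for second-level registries like net.tw."""
    labels = host.lower().split(".")
    second_level = {"net", "com", "co", "org", "edu", "ac", "gov"}
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in second_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def injection_point(path):
    """Return (injecting server, its upstream feed) from a Path header.

    Each relaying server prepends its own name, so the reader's server is on the
    left and the injecting server is the rightmost element that is a hostname;
    the trailing 'not-for-mail' or 'nobody' token is a placeholder, not a relay.
    """
    hops = path.split("!")
    for i in range(len(hops) - 1, -1, -1):
        if "." in hops[i]:
            return hops[i], (hops[i - 1] if i > 0 else None)
    raise ValueError("no hostname in Path")


def whois_lookup(ip):
    """Longest-prefix match against the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, entry in sorted(WHOIS.items(), key=lambda kv: -kv[0].prefixlen):
        if addr in net:
            return entry
    return (None, None)


def analyse(raw):
    h = parse_headers(raw)
    inject, upstream = injection_point(h["path"])
    inject_domain = registrable_domain(inject)
    posting_host = h.get("nntp-posting-host")
    org, org_domain = whois_lookup(posting_host) if posting_host else (None, None)
    msgid_host = h.get("message-id", "").strip("<>").rpartition("@")[2]

    # Injecting site first, its feed second; the posting host's own network is
    # worth a copy only when it is somebody else's.
    complain_to = [f"abuse@{inject_domain}"]
    if upstream:
        complain_to.append(f"abuse@{registrable_domain(upstream)}")
    if org_domain and org_domain != inject_domain:
        complain_to.append(f"abuse@{org_domain}")

    return {
        "injection_host": inject,
        "upstream": upstream,
        "posting_host": posting_host,
        "posting_host_org": org,
        # Consistency checks: the server that claims to have injected the article
        # should also appear in Message-ID and X-Trace, and the posting host should
        # sit inside that site's own address space. A mismatch means go by the Path.
        "msgid_matches_injection": msgid_host == inject,
        "xtrace_names_posting_host": bool(posting_host) and posting_host in h.get("x-trace", ""),
        "posting_host_matches_path": org_domain == inject_domain,
        "complain_to": complain_to,
    }


if __name__ == "__main__":
    import json
    for raw in (EXAMPLE_1, EXAMPLE_2):
        print(json.dumps(analyse(raw), indent=2))
```

On Example 1 the posting host lands in LACNIC space while the Path ends at ethome.net.tw, so the script reports a mismatch and proposes abuse at ethome.net.tw and seed.net.tw; on Example 2 the posting host falls inside the NileNET block that the Path also ends at, which is the cross-reference the ARIN listing above confirms.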
    
From Sam Spade antispam tools:
opt-in-adult.com resolves to 157.237.254.7
 www.opt-in-adult.com resolves to 157.237.254.7
 Mail for opt-in-adult.com is handled by opt-in-adult.com (10)
157.237.254.7

  whois -h magic opt-in-adult.com

     opt-in-adult.com is registered with PRIMUS TELCO PTY LTD DBA
PRIMUSDOMAIN/PLANETDOMAIN - redirecting to whois.planetdomain.com

     whois -h whois.planetdomain.com opt-in-adult.com

        Domain Name: OPT-IN-ADULT.COM

           Registered Through....: 1cheapdomains
           Created on............: Oct 18, 2002 4:00:16 AM
           Expires on............: Oct 17, 2003 1:52:48 PM
           Record last updated on: Oct 18, 2002 4:00:16 AM

Owner, Administrative Contact, Technical Contact, Billing Contact:
           amond
           amond amond (ID00026733)
           5789 commerce drive
           #34
           orlando, fl 32809
           us
           Phone: +1.4074979717
           Email: adamsprecision yahoo.com

        Domain servers in listed order:

        NS1.JNZTECH.COM
        NS2.JNZTECH.COM
        NS3.JNZTECH.COM

ARIN lookup: Search results for: 157.237.254.7

     SIMRAD NETVIKINGS (NET-157-237-0-0-1)
                                       157.237.0.0 - 157.237.255.255
     JNZ Technologies Inc MRT-103 (NET-157-237-254-0-1)
                                       157.237.254.0 - 157.237.254.255

     # ARIN Whois database, last updated 2003-01-07 20:00
     # Enter ? for additional hints on searching ARIN's Whois database.

traceroute to 157.237.254.7 (157.237.254.7), 30 hops max, 40 byte packets
 1  manny.Firewall.Opus1.COM (192.245.12.95)  4.882 ms
 2  Opus-GW (207.182.35.49)  17.577 ms
 3  Login-Opus-T1-1.Opus1.NET (207.182.63.102)  19.530 ms
 4  opus1-gw.login.COM (165.64.254.49)  17.577 ms
 5  F10.TUS1.login.COM (165.64.254.77)  21.483 ms
 6  66-162-41-17.gen.twtelecom.net (66.162.41.17)  24.412 ms
 7  66-162-41-1.gen.twtelecom.net (66.162.41.1)  24.412 ms
 8  216-136-127-13.gen.twtelecom.net (216.136.127.13)  18.554 ms
 9  core-02-so-1-3-0-0.chcg.twtelecom.net (168.215.53.45)  56.637 ms
10  peer-01-ge-0-3-0-0.chcg.twtelecom.net (168.215.53.194)  58.590 ms
11  206.220.243.188 (206.220.243.188)  59.567 ms
12  pos6-2.core1-tor.bb.attcanada.ca (216.191.65.97)  71.285 ms
13  srp2-0.gwy1-tor.bb.attcanada.ca (216.191.65.243)  71.284 ms
14  pos1-0.colo5-tor.bb.attcanada.ca (216.191.65.206)  72.261 ms
15  core1.c1b1.core.55cc.tor.boaw.net (216.94.86.66)  74.214 ms
16  p001.core1.core.55cc.tor.boaw.net (216.94.86.194)  75.191 ms
17  157.237.254.7 (157.237.254.7)  76.167 ms

So I think I've nailed this guy pretty good. Complaints were sent to mtd nilenet.com, abuse nilenet.com, hostmaster coop.net, abuse coop.net,  adamsprecision yahoo.com, admin jnztech.com, joharris19 sprintpcs.com,  postmaster netvikings.net, abuse boaw.net (@s deleted to prevent harvesting)
 

"Spam Delenda Est" antispam home page
