Tracking Sourceless SPAM
Booker asks:
"Lately I've seen a disturbing trend in my spam - there seems to be no originating machine in the headers. They typically go through an insecure mail host, and list only a toll free number for a contact. How do I track these people down? I need the satisfaction, however fleeting, of helping to terminate a spammer's account!" There is an example header of this sourceless SPAM.
Here's the example:
Return-Path: jdekrpzsad@hotbot.com
Received: from ns.mobic.co.jp (ns.mobic.co.jp [210.162.104.178]) by deliverator.io.com (8.9.3/8.9.3) with ESMTP id XAA14862; Tue, 27 Jul 1999 23:51:58 -0500
From: jdekrpzsad@hotbot.com
Received: from default by ns.mobic.co.jp (2.5 Build 2630 (Berkeley 8.8.6)/8.8.4) with SMTP id NAA02786; Wed, 28 Jul 1999 13:58:25 +0900
Message-Id: <199907280458.NAA02786@ns.mobic.co.jp>
To:
Subject: $15,000 Monthly Guaranteed! No Work Required!
Date: Tue, 27 Jul 1999 21:08:01 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_4264_00005913.00007A3E"
X-Priority: 3
X-MSMail-Priority: Normal
X-UIDL: 29f083c057306b12c10f509e156f7a87
Status: U
I thought there were laws that prevented this sort of thing. How can we help prevent spam if the spammers are becoming more and more anonymous?
IT WOULD BE NICE IF THERE WAS A WAY THAT SPAMMERS could fund increasing the bandwidth on the net. This would keep the phone companies and ISPs happier. **I have found a free web-based e-mail company, Msgto.com, that intelligently stops spam -- great idea! Puts the e-mail sender back in school.
Below is a spam I received last week. Unfortunately I fell for the trick. At the end of the message is a link that says click here to remove or some other removal directive. Sending the mail only resulted in more spam from someone else matching the same format. What happened in reality is that I just verified my address as being an active account. I don't think I have received any since I sent an e-mail to the ISP of one of the messages requesting the user's information so that I could pursue legal action. I hope this helps somebody else.
Received: by mail.one.net for samus (with Cubic Circle's cucipop (v1.21 1997/08/10) Tue Jul 27 23:13:14 1999)
X-From_: jons@prontomail.com Tue Jul 27 23:12:36 1999
Received: from [210.9.54.13] ([210.9.54.13] EHLO quest.netrix.net.au ident: IDENT-NOT-QUERIED [port 5411]) by mail.one.net with ESMTP id convert rfc822-to-8bit; Tue, 27 Jul 1999 23:12:29 -0400
Received: from unniss (ts001d03.pro-ri.CONCENTRIC.NET [206.173.46.15]) by quest.netrix.net.au (8.9.3/8.8.3) with ESMTP id OAA27352; Wed, 28 Jul 1999 14:07:27 +1000
Message-ID:
From: "Roy"
Subject: Do you have a product or service to offer?
To: allnetbiz89h3@quest.netrix.net.au
X-Mailer: Microsoft Outlook Express 4.72.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V(null).1712.3
Mime-Version: 1.0
Date: Tue, 27 Jul 1999 22:13:44 -0500
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8BIT
X-Mozilla-Status: 8003
X-Mozilla-Status2: 00000000
X-UIDL: b49e5a103e070000
...spam text removed..
CALL (888) 264-9272 9AM - 6PM MST
//////////////////////////////////////////////
////////////Please remove at mailto:tmon34@yahoo.com?subject=remove
//////////////////////////////////////////////
In Republican America phones tap you.
inetnum: 210.162.104.176 - 210.162.104.191
netname: MOBIC-NET-JP
descr: Mobic Corporation
descr: 22,Obara,Tsuyama-city,
descr: Okayama 708-0001 Japan
country: JP
admin-c: MO821JP
tech-c: ST901JP
changed: apnic-ftp@nic.ad.jp 19990729
source: JPNIC
Hmmm... usually it's a bit more helpful and supplies an admin's name, phone number, and email address.
It often is not hard to convert from decimal to dotted quad form. Some of the tools which you mentioned will emit the dotted quad form when given a single decimal number.
I haven't had to deal with sourceless spam myself, but I think I can help anyway. The important thing to remember is that spam is for profit, and therefore they will give you some sort of contact info. If they give you an email address, use tools like dig, nslookup, and whois to find out what ISP hosts that email address. If they give a web address, find out what ISP owns the IP address given. (Sometimes they try to hide their address by putting it as a long decimal number, i.e. http://3213213213 ... convert this to base 256 (I know ... painful ...) and that'll be the dotted IP address.)
This may not help you find the source of the email, but you can attack the spammers in these other places.
BTW, spamcop.net is great at doing all of this automagically, although I don't know how good it would be with "sourceless" email.
--Wuzoe
I'm a nice person. People like me.
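The base-256 conversion described in the post above (and the reply noting that some tools emit the dotted quad form directly) is mechanical, so here is an added example of it, not code from any poster in this thread: the integer is split into four base-256 digits, the inverse is provided for checking, and a small URL helper applies the conversion to the host of a spammer's link. It goes beyond the thread in one respect: it also recognizes a 0x-prefixed hexadecimal host, another spelling of the same trick. The 3213213213 figure is the number used in the post; the other URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit


def decimal_to_dotted(n: int) -> str:
    """Split a 32-bit integer into four base-256 digits, most significant first."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{n} does not fit in an IPv4 address")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_to_decimal(addr: str) -> int:
    """Inverse of decimal_to_dotted: rebuild the single integer from a dotted quad."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"{addr!r} is not a dotted quad")
    n = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet {part} out of range in {addr!r}")
        n = (n << 8) | octet
    return n


def unobfuscate_host(url: str) -> str:
    """Return the host of a URL as a dotted quad when it is written as a bare
    decimal integer (http://3213213213) or as a 0x-prefixed hex integer (the
    hex case is an extension beyond the post); ordinary host names and dotted
    quads pass through unchanged."""
    host = urlsplit(url).hostname  # lower-cased, port and userinfo stripped
    if host is None:
        raise ValueError(f"no host in {url!r}")
    if re.fullmatch(r"\d+", host):
        return decimal_to_dotted(int(host))
    if re.fullmatch(r"0x[0-9a-f]+", host):
        return decimal_to_dotted(int(host, 16))
    return host


if __name__ == "__main__":
    # Constructed inputs: the post's decimal example and a hex spelling of it.
    for link in ("http://3213213213", "http://0xBF85BE1D/buy", "http://www.example.com/"):
        print(link, "->", unobfuscate_host(link))
```

Once the host is in dotted form, the whois lookup the post describes works on it as usual; the conversion only undoes the presentation trick and tells you nothing about who actually sent the message.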
I guess I read that question a little too fast.
... not very practical.
... it's not direct, but it would keep the spammers running.
If they ONLY give a phone number, then I can only think of two things:
1. Try to find a reverse look-up type of phone directory, and then hunt down the company
2. Try to identify which mail server was exploited to obscure the source, and have them fix their problem
--Wuzoe
I'm a nice person. People like me.
Subscribe to one of the DNS-based blocking services. There's a listing of them at www.crynwr.com/spam/. That particular host isn't on the RBL, but they are on RRSS, and no doubt ORBS.
-russ
Don't piss off The Angry Economist
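As an added illustration of how the DNS-based blocking services mentioned above are queried (this is not russ's code, and the zone name dnsbl.example is a placeholder standing in for whichever list you subscribe to): the relay's IPv4 octets are reversed and prefixed to the list's zone, a listed address answers with an A record inside 127.0.0.0/8, and an unlisted one gets NXDOMAIN. The relay address used in the test is the one from the headers in the question.

```python
import ipaddress
import socket
from typing import Optional

# Assumption: placeholder zone; replace with the zone of the list you use.
DNSBL_ZONE = "dnsbl.example"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the name a DNS-based block list is queried under: the IPv4
    octets in reverse order, followed by the list's zone
    (210.162.104.178 -> 178.104.162.210.<zone>)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_answer(answer: Optional[str]) -> bool:
    """Lists answer a listed address with an A record in 127.0.0.0/8 (many
    lists use the low octets as a reason code); no answer means not listed."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


def check_dnsbl(ip: str, zone: str = DNSBL_ZONE) -> bool:
    """Live lookup (needs network access): True if the relay is listed."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:  # NXDOMAIN: the address is not on the list
        return False
    return is_listed_answer(answer)


if __name__ == "__main__":
    relay = "210.162.104.178"  # the relay from the question's headers
    print(dnsbl_query_name(relay))
    print("listed" if check_dnsbl(relay) else "not listed (or zone unreachable)")
```

A mail server configured to use such a list performs exactly this lookup for every connecting peer before accepting mail, which is why subscribing stops messages from an open relay regardless of what the spammer put in the headers.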
Received: from default by ns.mobic.co.jp (2.5 Build 2630 (Berkeley 8.8.6)/8.8.4) with SMTP id NAA02786; Wed, 28 Jul 1999 13:58:25 +0900
The machine 'ns.mobic.co.jp' received the message from a machine that gave the HELO of 'default', and didn't put its IP address into the message.
My normal procedure for this? I send a simple little message to postmaster@ns.mobic.co.jp:
The following unsolicited commercial e-mail was received.
You are being informed for the following reason:
ns.mobic.co.jp : as the message was relayed through your system. Please see http://spam.abuse.net/ for information on securing your system.
And of course, attach a .sig, and the message with full headers.
Build it, and they will come^Hplain.
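The reading of the Received chain in the post above can be automated. The following is an added example, not the poster's code: it unfolds the headers, walks the Received lines from the origin end upward, and reports the first relay that accepted mail from a peer whose IP address it never logged, which is the host to send the complaint to. Both header sets posted in this thread are embedded as constructed samples (re-folded the way a raw message carries them); the first yields the sourceless hop at ns.mobic.co.jp, the second has a bracketed IP on every network hop.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples: the two header sets posted in the thread, folded as a
# raw message carries them (continuation lines begin with whitespace).
SOURCELESS_SAMPLE = """\
Return-Path: jdekrpzsad@hotbot.com
Received: from ns.mobic.co.jp (ns.mobic.co.jp [210.162.104.178])
    by deliverator.io.com (8.9.3/8.9.3) with ESMTP id XAA14862;
    Tue, 27 Jul 1999 23:51:58 -0500
From: jdekrpzsad@hotbot.com
Received: from default by ns.mobic.co.jp (2.5 Build 2630 (Berkeley 8.8.6)/8.8.4)
    with SMTP id NAA02786; Wed, 28 Jul 1999 13:58:25 +0900
Subject: $15,000 Monthly Guaranteed! No Work Required!
"""

RELAYED_SAMPLE = """\
Received: by mail.one.net for samus (with Cubic Circle's cucipop (v1.21 1997/08/10)
    Tue Jul 27 23:13:14 1999)
Received: from [210.9.54.13] ([210.9.54.13] EHLO quest.netrix.net.au ident:
    IDENT-NOT-QUERIED [port 5411]) by mail.one.net with ESMTP id
    convert rfc822-to-8bit; Tue, 27 Jul 1999 23:12:29 -0400
Received: from unniss (ts001d03.pro-ri.CONCENTRIC.NET [206.173.46.15]) by
    quest.netrix.net.au (8.9.3/8.8.3) with ESMTP id OAA27352; Wed, 28 Jul 1999
    14:07:27 +1000
From: "Roy"
Subject: Do you have a product or service to offer?
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines and split 'Name: value' pairs, in order."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Received hops top to bottom (most recent first). Each hop records the
    name the peer announced in HELO, the peer IP the receiving MTA wrote in
    brackets (None if it wrote none), and the receiving host after 'by'."""
    hops: List[Dict[str, Optional[str]]] = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        helo = re.match(r"from\s+(\S+)", value)
        ip = re.search(r"\[(" + IPV4 + r")\]", value)
        by = re.search(r"(?:^|\s)by\s+([\w.-]+)", value)
        hops.append({
            "helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def find_sourceless_hop(raw: str) -> Optional[Dict[str, Optional[str]]]:
    """Walk from the origin end (bottom of the headers) and return the first
    hop that accepted mail from a peer but logged no IP for it. Its 'by'
    host is the relay to complain to; the trail ends there."""
    for hop in reversed(received_hops(raw)):
        if hop["helo"] is not None and hop["ip"] is None:
            return hop
    return None


def apparent_origin(raw: str) -> Optional[str]:
    """Lowest bracketed IP in the chain: where the mail entered the visible trail."""
    for hop in reversed(received_hops(raw)):
        if hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for label, sample in (("sourceless", SOURCELESS_SAMPLE), ("relayed", RELAYED_SAMPLE)):
        print(label, "origin:", apparent_origin(sample), "sourceless hop:", find_sourceless_hop(sample))
```

One caveat when reading the result: only the Received lines written by servers you trust (your own, and whatever they took the mail from) are reliable. A spammer can prepend any number of plausible-looking Received lines before handing the message to the relay, so always start from your own MTA's line and work downward, and treat everything below the first untrusted hop as a claim rather than a record.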
*Sigh*
I've had to deal with this lately...as hard as I've tried to keep my email out of the hands of those who would use it to do me harm.
Fortunately I work for my ISP...so it makes for easy access to our mail logs and individuals of importance who can counteract such problems *if it becomes a pain to enough users we will filter the domain*.
I lodged complaints with the relay and used the contact information to make sure they knew I was unhappy about this *and of course to make it clear I would be causing them some grief*.
It's been a good week now and I haven't been spammed *as it had been occurring on a day-by-day basis previously*.
So...when I say get some help...lodge complaints with your ISP and the relay...make yourself heard...most likely you are not the only one *the definition of spam* and hopefully your cries will be heard and offending domains dealt with.
It's not a fun process, but if it becomes clear these actions will not be tolerated, all parties involved will shape up.
Hope this helps..
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra