Path: news1.icaen!news.uiowa.edu!news.physics.uiowa.edu!hammer.uoregon.edu!newshub.northeast.verio.net!news.idt.net!nntp.farm.idt.net!news
From: Tom Greene
Newsgroups: comp.sys.apple2,comp.sys.apple2.comm,comp.sys.apple2.gno
Subject: Re: More on SPAMing
Date: Sun, 07 Nov 1999 01:36:53 -0500
Organization: IDT (Best News In The World)
Lines: 135
Message-ID: <38251E05.CBDE9070@idt.net>
References: <3823D4E0.C71B36D9@Concentric.net> <3823F6E0.E4721DD7@swbell.net>
NNTP-Posting-Host: ppp-38.ts-1.tf.idt.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 4.51 [en] (Win95; I)
X-Accept-Language: en
Xref: news1.icaen comp.sys.apple2:154243 comp.sys.apple2.comm:5515 comp.sys.apple2.gno:6834

Rubywand wrote:
>
> The recent posting --> EARN $1000 TO $5000 WEEKLY!!! 7774
> is a good example of newsgroup spamming.
>
> Below is the full header for the message. Perhaps someone with real savvy
> about this sort of thing could explain how to figure out where to email an
> abuse complaint.

Here's what I know about reading usenet headers. I can't guarantee that this
info is 100% correct, but it has served me well. :)

> Path: typhoon01.swbell.net!cyclone.swbell.net!bos-service1.ext.raytheon.com!cambridge1-snf1.gtei.net!cam-news-hub1.bbnplanet.com!news.gtei.net!newsfeed.mathworks.com!wn3feed!worldnet.att.net!wnmaster1!not-for-mail

The Path: line above is one place to look to see where the message came from.
It shows all the news servers that the message went through to get from the
spammer to you. The last server in the line should be the news server the
spammer posted to. In this case, it seems to have been posted via
worldnet.att.net.

Note that this line can have spoofed entries on it, usually at the end.
However, spammers are not usually very imaginative about what they insert.
I usually see aol.com or hotmail.com. Entries such as these are clearly
spoofed, since those machines are not news servers.

You can check if the machine is a news server by telnetting to port 119 on
that machine. This can be done using any telnet client. Under a shell
account, you can issue the command:

    telnet worldnet.att.net 119

The same command can be used under Windows 9x by clicking the Start button,
choosing Run, and typing the command there. If the server allows you to
connect, you should see something like this:

    200 nnrp2.farm.idt.net InterNetNews NNRP server INN 1.4unoff4 05-Mar-96 ready (posting ok).

If you can't connect to it, or you don't see something like the above line,
it's probably not a news server and that entry has been spoofed. Then I would
try the next server in the list, working from right to left.

> Organization: AT&T WorldNet Services

Many times the Organization: line is added by the news server the message was
posted to. I know the server for my provider adds the following line:
'Organization: IDT (Best News In The World)'

> Message-ID: <800pqi$5i6$551@bgtnsc01.worldnet.att.net>

Again, this shows that the message was posted to an att.net news server. I'm
almost certain this line cannot be faked.

> NNTP-Posting-Host: 63.20.23.98

The NNTP-Posting-Host: line shows the IP address of the machine the message
was posted from. If you have access to a shell account, you can use the
nslookup command to see what provider this belongs to:

    12:45am cowgod@idt.net (~) nslookup 63.20.23.98
    Server:  localhost.idt.net
    Address:  127.0.0.1

    Name:    1Cust98.tnt9.atl2.da.uu.net
    Address:  63.20.23.98

So this message was posted by someone connected through UUNet.

Another way to see what provider this IP belongs to is to use the ARIN whois
database. This is particularly useful when the nslookup command can't resolve
the IP. You can do so either by going to
http://www.arin.net/whois/index.html and using the web interface, or by using
this command in a shell account:

    whois -h whois.arin.net 63.20.23.98

Which will return something like this:

    12:50am cowgod@idt.net (~) whois -h whois.arin.net 63.20.23.98
    UUNET Technologies, Inc. (NETBLK-NETBLK-UUNET97DU)
       3060 Williams Drive, Suite 601
       Fairfax, va 22031
       US

Again, this shows that it was posted from a UUNet connection.

> X-Complaints-To: abuse@worldnet.att.net
> The header claims complaints should go to abuse@worldnet.att.net but, I
> distrust this claim. (Normally, how reliable is this information?)

Usually the abuse address given (on the X-Complaints-To: line) in the headers
is reliable. It's added by the news server when the message is posted. I have
never seen one that was spoofed.

> Of course, we do have the URL in the message itself ...
>
> ....
>
> > A SIMPLE ONLINE SYSTEM FOR MAKING FAST, EASY, MONEY THAT LASTS !!!
> >
> > A TOTAL NO-BRAINER THAT ANYONE IN THE WORLD CAN DO !!!
> >
> > Go to: http://opportunity.valuenetusa.com/JL2836/
> >
>
> So, however the message was sent, since opportunity.valuenetusa.com is hosting
> this business, that seems like a good place to email an abuse complaint (e.g.
> to abuse@opportunity.valuenetusa.com).

I wouldn't trust any addresses found in the body of the message too much.
They can be somewhat spammer friendly. In this case I would send an e-mail to
both abuse@worldnet.att.net and abuse@uu.net.

If you are unsure of the abuse address for a particular provider you can try
the abuse.net lookup at http://www.abuse.net/lookup.phtml, or use a command
like 'whois -h whois.abuse.net uu.net' in a shell. It should return an email
address. Most - but not all - respectable providers are registered in
abuse.net's database.

When e-mailing an abuse address, I'd recommend putting the subject line of
the spam into the subject of the email, and be sure to send the entire
message, including headers.

Hope this helps. I've used these methods to seek and destroy many a spammer. :)
If I left anything out (or screwed something up) please let me know.

Tom Greene
cowgod@idt.net
http://idt.net/~cowgod/
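The header-reading procedure above (Path: read right to left, skipping obviously non-news hosts; Message-ID host; NNTP-Posting-Host; X-Complaints-To) as an added Python example; this is not code from the original post, and the sample header, its hosts and its message-id are constructed.

```python
"""Pull the fields used to trace a spam post out of a Usenet article header."""
import re

# Constructed sample header (not the one quoted in the thread).
SAMPLE_HEADER = """\
Path: news.example.net!feed.example.org!news.isp.example!not-for-mail
From: someone@example.com
Newsgroups: comp.sys.apple2
Subject: EARN MONEY FAST
Message-ID: <abc123$xyz@news.isp.example>
Organization: Example ISP News
NNTP-Posting-Host: 192.0.2.45
X-Complaints-To: abuse@isp.example
"""

# Hosts the post names as typical spoofed Path: entries (not news servers).
NOT_NEWS_SERVERS = {"aol.com", "hotmail.com"}


def parse_header(text):
    """Return a dict of header name -> value (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip() not in fields:
            fields[name.strip()] = value.strip()
    return fields


def path_servers(path_value):
    """Path: hops, right to left; pseudo-entries like 'not-for-mail' are dropped."""
    hops = [h for h in path_value.split("!") if "." in h]
    return list(reversed(hops))


def injection_server(path_value):
    """First plausible news server working from the right end of Path:."""
    for host in path_servers(path_value):
        if host not in NOT_NEWS_SERVERS:
            return host
    return None


def trace(text):
    """Summarise where a post was injected and whom to report it to."""
    f = parse_header(text)
    msgid_host = re.search(r"@([^>]+)>", f.get("Message-ID", ""))
    return {"injection_server": injection_server(f.get("Path", "")),
            "message_id_host": msgid_host.group(1) if msgid_host else None,
            "posting_host": f.get("NNTP-Posting-Host"),
            "complaints_to": f.get("X-Complaints-To")}
```

The injection server and the Message-ID host should agree; the posting host is what you then feed to nslookup or the ARIN whois lookup described above.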