Date:      11 Apr 2002 12:31:23 -0700
From:      Ken McGlothlen <mcglk@artlogix.com>
To:        <freebsd-questions@freebsd.org>
Cc:        syborg@stny.rr.com
Subject:   Re: Forwarded mail....
Message-ID:  <87it6yhw1g.fsf@ralf.artlogix.com>
In-Reply-To: <047101c1e183$daf3a310$fd6e34c6@mlevy>
References:  <Pine.LNX.4.44.0204111356320.24094-100000@janeway.vonbek.dhs.org> <047101c1e183$daf3a310$fd6e34c6@mlevy>

"Moti" <moti@flncs.com> writes:

| it's called SPAM
| ----- Original Message -----
| From: "John Bleichert" <syborg@stny.rr.com>
| To: <freebsd-questions@freebsd.org>
| Sent: Thursday, April 11, 2002 1:57 PM
| Subject: Forwarded mail....
| 
| > What is this crap below? Spam from the BSD mailer daemon? [...]

Well, in a response which may actually prove to be more helpful than the last
one, it's not actually from the BSD mailer daemon.  Unfortunately, with the
current state of email exchange, you can forge any headers you want on a
message.  (I'm getting to the point where I'm hoping that enough people get
sick enough of spam that MTAs no longer permit forged headers.)

Looking at the headers (which you need to do anytime you look at spam
complaints) is the most direct way to determine the message's origin, and in
this case, it's not terribly obfuscated.  The Received headers tell the story.
After a few that show the final delivery and the internal routing at
freebsd.org, we find this:

        Received: from informesuteis.com.br (CE128188.user.veloxzone.com.br [200.164.128.188])
                by hub.freebsd.org (Postfix) with SMTP
                id CB59537B400; Thu, 11 Apr 2002 10:05:49 -0700 (PDT)

It appears that veloxzone.com.br is the ISP for the spammer, even though they
used their own host name in the SMTP HELO command.  Fortunately, postfix and
several other MTAs also record the actual IP address of the connection.  If we
do a traceroute on the website, we get this:

        $ traceroute www.informesuteis.com.br
        traceroute to informesuteis.com.br (216.29.207.22), [...]
         [...]
        13  DBS-COLO.Columbus.fnsi.net (216.29.188.126)  79.712 ms  
        14  216.29.165.78 (216.29.165.78)  86.598 ms  [...]
        15  216.29.207.22 (216.29.207.22)  92.081 ms  [...]
        $ _

which implies that fnsi.net is the ISP for the spammer's website.  Let's make
sure by checking who that IP number belongs to.

        $ whois -h whois.arin.net 216.29.207.22
        Fiber Network Solutions, Inc. (NETBLK-FNSI-CBLK5) FNSI-CBLK5
                                                    216.28.0.0 - 216.29.255.255
        DB Solutions (NETBLK-FNSI-CBLK5-129-207) FNSI-CBLK5-129-207
                                                  216.29.207.0 - 216.29.207.255
        [...]
        $ _

Well, apparently, a company named DB Solutions owns the Class C.  Let's look up
that netblock.

        $ whois -h whois.arin.net \!NETBLK-FNSI-CBLK5-129-207
        DB Solutions (NETBLK-FNSI-CBLK5-129-207)
           576 Charring Cross Dr. Suite B
           Westerville, OH 43081
           US

           Netname: FNSI-CBLK5-129-207
           Netblock: 216.29.207.0 - 216.29.207.255

           Coordinator:
              Fiber Network Solutions, Inc.  (IF29-ARIN)  hostmaster@fnsi.net
              (614) 895-6621

           Domain System inverse mapping provided by:

           NS1.FNSI.NET			206.183.224.7
           NS2.FNSI.NET			206.183.224.8
           NS3.FNSI.NET			206.183.226.10

        [...]
        $ _

So you'd send a complaint to veloxzone.com.br and to fnsi.net, with complete
headers for the message.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
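The header-reading procedure the post walks through (find the topmost Received: line stamped by one of your own MTAs whose sending side is outside your network, then trust the IP your MTA recorded rather than the HELO name) as an added Python example. This is not code from the post or from any FreeBSD tool. The sample message is constructed; it reuses the one Received: line quoted above and pads it with invented internal hops (hostnames mx2.freebsd.org / hub.freebsd.org and the 192.0.2.0/24 documentation range stand in for "our" infrastructure) plus a forged hop below the real entry point, to show why nothing beneath that point can be trusted. The short list of two-label public suffixes is also an assumption, enough to separate informesuteis.com.br from veloxzone.com.br.

```python
"""Locate where a message entered our MTAs and who to complain to.

Added example, not part of the mailing-list post. Hostnames, networks and
all Received: lines except the one quoted in the post are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption for this example: the MTAs and address space we control. Only a
# Received: line stamped "by" one of these hosts was written by us; everything
# below the first external hop was supplied by the sender and may be forged.
OUR_HOSTS = {"hub.freebsd.org", "mx2.freebsd.org"}
OUR_NETS = [ip_network("192.0.2.0/24")]

# Assumption: a few public two-label suffixes, so that the organisational
# domain of CE128188.user.veloxzone.com.br comes out as veloxzone.com.br.
KNOWN_2LD = {"com.br", "net.br", "org.br", "co.uk", "org.uk", "com.au"}

# Postfix/Sendmail shape: "from <helo> (<rdns> [<ip>]) by <host> ...".
# The parenthesised part is optional; rdns may be missing ("unknown" or none).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value: str) -> Optional[dict]:
    """Unfold a Received: header and pull out helo, rdns, ip and by."""
    value = " ".join(value.split())
    m = RECEIVED_RE.search(value)
    if m is None:
        return None
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


def org_domain(host: str) -> str:
    """Organisational domain: last two labels, or three under a known 2LD."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]).lower() in KNOWN_2LD:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_entry_hop(msg: Message, our_hosts=OUR_HOSTS, our_nets=OUR_NETS) -> Optional[dict]:
    """Walk Received: lines newest-first; return the hop where the message
    crossed from outside into one of our MTAs, judged by the recorded IP
    (the HELO name is whatever the sender chose to say)."""
    for raw in msg.get_all("Received", []):
        hop = parse_received(raw)
        if hop is None:
            continue  # e.g. a local "Received: by ..." line with no from clause
        if hop["by"] not in our_hosts:
            return None  # trail already left our MTAs; nothing below is ours
        ip = hop["ip"]
        sender_is_ours = ip is not None and any(ip_address(ip) in n for n in our_nets)
        if not sender_is_ours:
            return hop  # forged hops stamped "by" our hosts sit below this
    return None


def analyse_entry(msg: Message) -> Optional[dict]:
    """Summarise the entry hop: compare HELO to the MTA-recorded rDNS name and
    name the network whose abuse desk should get the full headers."""
    hop = find_entry_hop(msg)
    if hop is None:
        return None
    rdns_dom = org_domain(hop["rdns"]) if hop["rdns"] else None
    return {
        "ip": hop["ip"],
        "helo": hop["helo"],
        "rdns": hop["rdns"],
        "helo_matches_rdns": rdns_dom is not None and rdns_dom == org_domain(hop["helo"]),
        "network_domain": rdns_dom,  # complain here, not to the HELO domain
    }


# Constructed sample: two internal hops, the real entry hop from the post,
# and a forged hop claiming the mail came from a "freebsd.org" host.
SAMPLE_TEXT = (
    "Received: by mx2.freebsd.org (Postfix) id 1234ABCD;\n"
    "\tThu, 11 Apr 2002 10:06:01 -0700 (PDT)\n"
    "Received: from hub.freebsd.org (hub.freebsd.org [192.0.2.10])\n"
    "\tby mx2.freebsd.org (Postfix) with ESMTP id 5678EF01;\n"
    "\tThu, 11 Apr 2002 10:05:58 -0700 (PDT)\n"
    "Received: from informesuteis.com.br (CE128188.user.veloxzone.com.br [200.164.128.188])\n"
    "\tby hub.freebsd.org (Postfix) with SMTP\n"
    "\tid CB59537B400; Thu, 11 Apr 2002 10:05:49 -0700 (PDT)\n"
    "Received: from mail.freebsd.org (mail.freebsd.org [192.0.2.99])\n"
    "\tby informesuteis.com.br (8.11.6) with ESMTP id g3BH4xx;\n"
    "\tThu, 11 Apr 2002 14:04:00 -0300\n"
    "From: <nobody@example.invalid>\n"
    "To: <freebsd-questions@freebsd.org>\n"
    "Subject: Forwarded mail....\n"
    "\n"
    "body\n"
)
SAMPLE = message_from_string(SAMPLE_TEXT)

if __name__ == "__main__":
    print(analyse_entry(SAMPLE))
```

Running it on the sample reports the entry IP 200.164.128.188 with HELO informesuteis.com.br against rDNS under veloxzone.com.br, flags the mismatch, and names veloxzone.com.br as the network to complain to; the forged hop underneath is never consulted. The website's hosting provider, found in the post via traceroute and whois, is a separate lookup this block does not attempt, because it needs live DNS and ARIN queries.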




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87it6yhw1g.fsf>