Re: How can I trace the source of this email?
From: Vanguard (no-email_at_post-reply-in-newsgroup.nix)
Date: 11/05/03
- Previous message: Kevin: "Re: How can I trace the source of this email?"
- In reply to: Randell D.: "How can I trace the source of this email?"
- Next in thread: Don Kelloway: "Re: How can I trace the source of this email?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 05 Nov 2003 04:43:20 GMT
Randell D. wrote:
> Can someone tell me how I received the following email?
>
> It's junk email - I used to have several pop3 boxes, but now I have
> one and have all my previous emails forwarded to the one pop3 box. I
> know it came from one of my alias or mail forwarding accounts, and
> not directly to my pop3 account because I use zoneedit.com for my
> mail forwarding and they are mentioned in the email path. I have
> replaced my real pop3 account with me@myPop3.account in the path...
> If I can find out the original address it was sent to, then I can figure
> out who has sold my email address without my permission...
>
> Cheers
> Randell D.
>
>
> 04 Nov 2003 16:09:57 -0700 (MST)
> Received: from pd8mi1no.prod.shaw.ca
> (pd8mi1no-qfe2.prod.shaw.ca [10.0.149.144]) by l-daemon
> (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
> with ESMTP id <0HNU00K24OCLB2@l-daemon> for me@myPop3.account
> (ORCPT me@myPop3.account); Tue, 04 Nov 2003 16:09:57 -0700 (MST)
> Received: from mail.zoneedit.com (mail.zoneedit.com [67.29.152.143])
> by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14
> 2003)) with ESMTP id <0HNU009DIOCLE1@l-daemon> for
> me@myPop3.account; Tue, 04 Nov 2003 16:09:57 -0700 (MST)
> Received: from maxio3.uk2net.com (maxlb1ip.uk2net.com [213.239.57.81])
> by mail.zoneedit.com (Postfix) with ESMTP id 91A7E625978; Tue,
> 04 Nov 2003 18:09:56 -0500 (EST)
> Received: from [10.0.1.221] (helo=mail.uk2.net) by maxio3.uk2net.com
> with smtp
> (Exim 4.24) id 1AHAHp-00038p-Ea; Tue, 04 Nov 2003 23:08:33 +0000
> Received: from 81.199.84.12 (SquirrelMail authenticated user
> complotto) by maxproxy2.uk2net.com with HTTP; Tue, 04 Nov 2003
> 23:08:19 +0000 (GMT) Date: Tue, 04 Nov 2003 23:08:19 +0000 (GMT)
> From: manager lotto <complotto@uk2.net>
> Subject: CONGRATULATIONS
> To: undisclosed-recipients: ;
> Message-id:
> <1305.81.199.84.12.1067987299.squirrel@maxproxy2.uk2net.com>
> MIME-version: 1.0
> Content-type: text/plain; charset=iso-8859-1
> Content-transfer-encoding: 8BIT
> Importance: Normal
> X-Priority: 3
> User-Agent: SquirrelMail/1.4.1
> X-SA-Exim-Mail-From: complotto@uk2.net
> X-Spam-Checker-Version: SpamAssassin 2.60-rc6 (1.208-2003-09-19-exp)
> on maxio3.uk2net.com
> X-Spam-Status: No, hits=4.0 required=5.0 tests=LINES_OF_YELLING,
> MAILTO_TO_SPAM_ADDR,PRIORITY_NO_NAME,SELECTED_YOU autolearn=no
> version=2.60-rc6
> X-Spam-Level: ***
> X-SA-Exim-Version: 3.0 (built Tue May 27 21:41:10 CEST 2003)
> Original-recipient: rfc822;me@myPop3.account
>
> For the hell of it, I include everything I have managed to find out
> about it below:
>
>
> Domain Name: LINKFINANCEANDTRUSTLTD.NET
> Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
> Whois Server: whois.melbourneit.com
> Referral URL: http://www.melbourneit.com
> Name Server: YNS1.YAHOO.COM
> Name Server: YNS2.YAHOO.COM
> Status: ACTIVE
> Updated Date: 15-oct-2003
> Creation Date: 15-oct-2003
> Expiration Date: 15-oct-2004
>
>
> [whois.melbourneit.com]
>
> Domain Name.......... linkfinanceandtrustltd.net
> Creation Date........ 2003-10-16
> Registration Date.... 2003-10-16
> Expiry Date.......... 2004-10-16
> Organisation Name.... Richard Forbes
> Organisation Address. 105 B North Milledge Ave.
> Organisation Address.
> Organisation Address. athens
> Organisation Address. 30612
> Organisation Address. GA
> Organisation Address. UNITED STATES
>
> Admin Name........... Richard Forbes
> Admin Address........ 105 B North Milledge Ave.
> Admin Address........
> Admin Address........ athens
> Admin Address........ 30612
> Admin Address........ GA
> Admin Address........ UNITED STATES
> Admin Email.......... richforbes27613@yahoo.com
> Admin Phone.......... +1.7065468122 <==== ## Holiday Inn Express ##
>
>
> Tech Name............ YahooDomains TechContact
> Tech Address......... 701 First Ave.
> Tech Address.........
> Tech Address......... Sunnyvale
> Tech Address......... 94089
> Tech Address......... CA
> Tech Address......... UNITED STATES
> Tech Email........... domain.tech@YAHOO-INC.COM
> Tech Phone........... +1.6198813096
> Tech Fax............. +1.6198813010
> Name Server.......... yns1.yahoo.com
> Name Server.......... yns2.yahoo.com
>
>
> -----Original Message-----
> FROM: THE PRIZE AWARD DEPARTMENT
> WORLDWIDE PREMIER LOTTO, UK
>
>
> Congratulations Category A prize winner! You have been
> selected as one of two winners of the Worldwide Premier Lotto
> UK computer ballot draws and thus will be a privileged recipient
> of the grand draw prize of £ 7,500,000 (Seven million five
> hundred thousand Great Britain Pounds only). Winning File
> Reference number for your prize is WWPL/UK/ 61-812087; ticket
> number 003-214-39/A.
>
> We in the Worldwide Premier Lotto UK is by this
> program, launching our model computer balloting lottery draws,
> developed and designed to satisfy the cravings of the ever
> growing number of participants in our various lottery programs. With
> funds accrued exclusively from previous draws, payouts to
> all winners are guaranteed and will be transferred in record time.
>
> After randomly selecting 15,000 participants from an
> initial database of 300,000 emails and zoning all
> participants by their respective continents from across the
> globe, we produced an extensive list from which you have emerged as
> one of the winners of the Grand Draw prize.
>
> To ensure a smooth collection of your winnings, the
> transfer of your prize is to be handled by our Prize
> Transfer agents. You are to contact our agents by email
> and/or fax within a week of receiving this notice.
> Please find full contact details below:
>
> Mr. Simon Perchard
> Finance Director
> Link Finance and Trust Ltd.
> 20 - 24 St. Leonard's Road
> Windsor SL4 3BB, United Kingdom
> Great Britain
> Tel: (+44) 709 204 1843
> Fax: (+44) 709 203 9288
>
> Email:sperchard24@linkfinanceandtrustltd.net
>
> Also find all other relevant winning lottery
> information
> below:
> Draw Serial No: 35/751346
> Batch No: 06-A852
> Zonal Draw No: A2-003
> Grand Draw No: 12099
>
> You are seriously advised to keep all winning lottery
> information and numbers from the public in line with
> our companysecurity protocol to avoid double claiming
> and unwarranted abuse of this program by unscrupulous individuals.
>
> Please direct all further correspondences and queries
> to your respective category Prize Transfer handlers.
> Congratulations once again from the Worldwide Premier Lotto family.
>
>
> Sincerely,
>
>
> Joseph Finn
> International Promotions Manager
> WORLDWIDE PREMIER LOTTO, UK
Received:
from <untrusted_helo_string> (pd8mi1no-qfe2.prod.shaw.ca
[10.0.149.144])
by l-daemon ...; Tue, 04 Nov 2003 16:09:57 -0700 (MST)
Received:
from <untrusted_helo_string> (mail.zoneedit.com [67.29.152.143])
by l-daemon ...; Tue, 04 Nov 2003 16:09:57 -0700 (MST)
Received:
from maxio3.uk2net.com (maxlb1ip.uk2net.com [213.239.57.81])
by mail.zoneedit.com ...; Tue, 04 Nov 2003 18:09:56 -0500 (EST)
Received:
from [10.0.1.221] (helo=<untrusted_helo_string>)
by maxio3.uk2net.com ...; Tue, 04 Nov 2003 23:08:33 +0000
Received:
from 81.199.84.12 (...)
by maxproxy2.uk2net.com with HTTP; Tue, 04 Nov 2003 23:08:19 +0000
(GMT)
You can't go by the HELO/EHLO string that the sender ("from" host)
claimed that identifies them. The first 2 Received headers seem to be
used by whatever e-mail forwarding provider that you are using to bounce
your e-mail around inside their service. The 3rd Received header with a
uk2net.com looks to have the first step outside your provider's domain,
reinforced by the distinct change in the timezone. Also note that the
"by" host in the 3rd Received header says the sender is at IP address
213.239.57.81 but the "from" host reported by that same server shows an
internal host at 10.0.1.221 (so now you're inside the spam source
domain). I wouldn't trust any Received headers after that (but then
uk2net.com is also listed).
It looks like uk2net.com is running an open proxy or has otherwise been
compromised by spammers. If the open (abused) proxy at uk2net.com is
actually reporting a valid IP address of whomever connected to it, then
the IP address 81.199.84.12 belongs to CIDR-COMMUNICATION-01 in Nigeria
(another Nigerian scam?), according to RIPE's WhoIs. However, bitch to
uk2net.com for operating an open relay. Bitching to the spammer won't
help and can only hurt you more.
You might want to use e-mail aliases instead of forwarding accounts. I
think the paid-for Yahoo accounts have e-mail aliases. Otherwise, you
can use Sneakemail.com to create aliases to your e-mail account. When
registering for a web site or software or when having to divulge a valid
e-mail account, you can create a Sneakemail alias on the fly. Just
create a unique alias that only that recipient will ever get. If you
ever get spammed through that alias then you know who screwed you.
E-mails delivered through the alias account will have a comment in the
To header from Sneakemail telling you the alias account through which
the e-mail was delivered. SpamMotel also provides e-mail aliases but I
dislike them inserting a statistics table at the start of my e-mails.
SpamEx, I think, also provides e-mail aliases but costs money.
Sneakemail is free for a basic account (i.e., daily and monthly quota
restrictions on bandwidth and quota restriction on max message size) but
for whom I am dispensing e-mail aliases this is more than sufficient for
me, but you can get their paid account with larger quotas.
--
*** Post replies to newsgroup. E-mail is not accepted. ***
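Vanguard's top-down reading of the Received chain, as an added Python example (not code from the post or from any provider named in it): each hop is parsed, only the address the receiving "by" server recorded is kept as a lead rather than the sender's HELO claim, private addresses are flagged, and the first hop at which a trusted server accepted mail from an outside host is picked out. The one-line sample headers are taken from the quoted message, and the list of trusted domains is an assumption based on the forwarding setup described in the post.

```python
import ipaddress
import re

# Constructed sample input: the five Received headers quoted in the post,
# unfolded onto one line each with ids and timestamps trimmed.
RECEIVED = [
    "from pd8mi1no.prod.shaw.ca (pd8mi1no-qfe2.prod.shaw.ca [10.0.149.144]) by l-daemon with ESMTP",
    "from mail.zoneedit.com (mail.zoneedit.com [67.29.152.143]) by l-daemon with ESMTP",
    "from maxio3.uk2net.com (maxlb1ip.uk2net.com [213.239.57.81]) by mail.zoneedit.com (Postfix) with ESMTP",
    "from [10.0.1.221] (helo=mail.uk2.net) by maxio3.uk2net.com with smtp",
    "from 81.199.84.12 (SquirrelMail authenticated user complotto) by maxproxy2.uk2net.com with HTTP",
]
# Assumption: hosts on the recipient's side of the chain (the POP3 provider
# and the forwarding service mentioned in the post).
TRUSTED = ("shaw.ca", "l-daemon", "zoneedit.com")

FROM_RE = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def in_domains(host, domains):
    return host is not None and any(host == d or host.endswith("." + d) for d in domains)

def parse_received(header):
    """Split one Received header into the sender-supplied HELO name, the
    reverse-DNS name and IP the receiving server recorded, and that server."""
    m = FROM_RE.match(header.strip())
    if not m:
        raise ValueError("not a Received header: " + header)
    by = BY_RE.search(header)
    helo, paren = m.group("helo"), (m.group("paren") or "")
    # Reverse-DNS name: a dotted token in the parentheses that is neither a
    # bracketed IP nor a 'helo=' claim (the latter is still sender-supplied).
    rdns = next((t for t in paren.split() if "." in t and "=" not in t
                 and not t.startswith("[") and not IP_RE.fullmatch(t)), None)
    # Recorded IP from the parentheses; a bare-IP 'from' is the only fallback.
    ip_m = IP_RE.search(paren) or IP_RE.search(helo)
    ip = ip_m.group(1) if ip_m else None
    return {"helo": helo.strip("[]"), "rdns": rdns, "ip": ip,
            "by": by.group("by") if by else None,
            "private": ip is not None and ipaddress.ip_address(ip).is_private}

def border_hop(headers, trusted=TRUSTED):
    """Walk top-down (nearest hop first) and return the index and details of
    the first hop a trusted server accepted from an outside host; its recorded
    IP is the last reliable lead, since every hop below was written by the
    outside organisation's own servers."""
    for idx, hop in enumerate(parse_received(h) for h in headers):
        if in_domains(hop["by"], trusted) and not in_domains(hop["rdns"], trusted):
            return idx, hop
    return None, None
```

On the sample above the border hop is the third header, recorded by mail.zoneedit.com with source 213.239.57.81, and the fourth hop's "from" address 10.0.1.221 is flagged private, matching the point that the chain has entered the sender's internal network there.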