Re: 10.0.1.* alias blackhole-1.iana.org alias 192.175.48.6 ???

From: DaveK (no.spam_at_my.mailbox.invalid)
Date: 05/29/03


Date: Thu, 29 May 2003 20:50:57 +0100


"jx" <jx@noplace.com> wrote in message
news:banjb3$1k2pp$1@ID-32226.news.dfncis.de...
> >>It's not clear (to me, anyway) whether the original poster was trying
> >>to trace to an address on network 10.0.0.0, or to this 192.175.48.6
> >>address that he mentioned. Certainly from any network that I'm
> >>familiar with, trying to trace to a 10.0.0.0 address would not get
> >>very far at all
>
> actually, what I was trying to do was identify the original
> common source so I could filter it out. This would also, I
> hope, provide a starting point to report to my ISP. It appears to me
> that the 10.0.* IPs are the original senders, but I
> could be wrong. I'm no expert in header interpretation. I'm
> trying to pick this stuff up as I go along.
>
> All the 10.0.* ip's traced to blackhole which traced to
> 192.175.48.6

  They are either

1) completely bogus Received: lines inserted by the spammer's software
2) genuine internal intermediate mail hops on the local network of whatever
business or organization the spammer found an open proxy on
3) genuine Received: lines from a misconfigured multihomed mail relay.

[ You can occasionally see packets in the wild with these addresses in
their source IP fields, but not in their dest IP fields. These will
generally be icmp or udp datagrams. ]

> A full set of headers follows. lifesaversdirect.com is frequently
> replaced by:
> bstnt.com (10.0.1.12)
> amazdir.com (10.0.0.11)
>
> Should the 10.0.* ip be filtered?

  Not necessarily, because it will once in a while produce a false positive.
Suppose you do some shopping on the web: the large corporation that you buy
from will try and send you an acknowledgement of your order, but because
they're using an internal office LAN based on 10.* numbers, there's a
Received: header in it with that IP and you miss a genuine email.

> or the lifesavers/bstnt/amazdir?

  Now that seems like a much more fruitful idea. :)

Quick analysis of your headers:

> Received:
> from mtiwgwc20.worldnet.att.net ([127.0.0.1]) by
> mtiwgwc20.worldnet.att.net (InterMail
> vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id

Genuine, internal routing at your own machine by the InterMail software

> Received:
> from l185.lifesaversdirect.com (unknown[63.215.88.185])
> by
> mtiwgwc20.worldnet.att.net
> (mtiwgwc20) with SMTP id <2003052309363802000g22r8e>;
> Fri, 23

  The actual spammer's machine that sent the spam DIRECTLY to your own
machine.

> Received:
> from lifesaversdirect.com (10.0.1.161) by
> l185.lifesaversdirect.com with QMQP; 23 May 2003

  The spammer has a small internal office network using 10.* addresses and
runs their spamware from an internal machine 10.0.1.161, which sends it
through an outgoing mail server at 63.215.88.185 [which I'll bet 50 qatloos
is a dynamic dialup line in some ISP's modem pool].

  OR

  The spammer used an open proxy / relay at 63.215.88.185 which doesn't add
a Received: header of its own, so they added a forged one of their own.

  For more info on spam tracking, consult news.admin.net-abuse.email.

       DaveK

--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7 D2BD
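Worked example of the header walk DaveK describes above. This is added here and is not code from the post or from either poster; it reassembles the three quoted Received: lines into a constructed sample message (the ESMTP id cut off in the first line and the time cut off in the second are replaced by labelled placeholders), then walks the lines newest-first with Python's standard email and ipaddress modules. The rule it applies is the one in the post: lines written by your own MTA are reliable, the first of them that names a public peer is the machine that actually connected to you (the one to report to its ISP), and everything below that was carried inside the message by that peer and may be forged, so a 10.* address found there is not a safe filter key.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the three Received: lines quoted in the post, re-folded
# the way an MTA writes them. The ESMTP id of the first line and the time in
# the second are cut off in the post, so placeholders stand in for them.
SAMPLE_MESSAGE = """\
Received: from mtiwgwc20.worldnet.att.net ([127.0.0.1]) by
 mtiwgwc20.worldnet.att.net (InterMail
 vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id
 <ID-ELIDED-IN-POST>
Received: from l185.lifesaversdirect.com (unknown[63.215.88.185])
 by mtiwgwc20.worldnet.att.net
 (mtiwgwc20) with SMTP id <2003052309363802000g22r8e>;
 Fri, 23 May 2003 [time elided in post]
Received: from lifesaversdirect.com (10.0.1.161) by
 l185.lifesaversdirect.com with QMQP; 23 May 2003
Subject: constructed sample

(body omitted)
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def source_ip(received):
    """IPv4 address in the 'from' clause of one Received: value, or None."""
    # Only the text before ' by ' describes the sending peer; the rest names
    # the receiving host, its software and the id/date.
    head = re.split(r"\s+by\s+", received, maxsplit=1, flags=re.IGNORECASE)[0]
    m = IPV4_RE.search(head)
    return ipaddress.ip_address(m.group(0)) if m else None


def classify(ip):
    """Label an address the way the post does: loopback, RFC1918 private, public."""
    if ip is None:
        return "no-ip"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "rfc1918"
    if ip.is_global:
        return "public"
    return "other"


def analyse(raw_message):
    """Walk Received: lines newest-first and find the host that delivered the mail.

    Lines added by our own MTA are reliable; the first one naming a public
    peer identifies the machine that connected to us. Every line below it was
    carried inside the message by that peer and may be forged.
    """
    msg = message_from_string(raw_message)
    hops = []
    delivering_ip = None
    reliable = True
    for value in msg.get_all("Received", []):  # top of the header block = newest hop
        ip = source_ip(value)
        kind = classify(ip)
        hops.append({"ip": str(ip) if ip else None, "kind": kind, "reliable": reliable})
        if reliable and kind == "public":
            delivering_ip = str(ip)
            reliable = False  # everything after this came from the remote peer
    return {"delivering_ip": delivering_ip, "hops": hops}


def filter_advice(result):
    """Which addresses are sensible report/filter keys, following the post's reasoning."""
    advice = []
    for hop in result["hops"]:
        if hop["kind"] == "rfc1918":
            advice.append((hop["ip"], "do not filter: private address, legitimate "
                                      "internal relays produce the same header"))
        elif hop["kind"] == "public" and hop["reliable"]:
            advice.append((hop["ip"], "report to its ISP / filter: the peer that "
                                      "actually delivered the mail to you"))
        elif hop["kind"] == "public":
            advice.append((hop["ip"], "unverified: recorded by an untrusted host"))
    return advice


if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE)
    for hop in result["hops"]:
        print(hop)
    for ip, note in filter_advice(result):
        print(ip, "->", note)
```

Run against the sample, the loopback hop and the 63.215.88.185 hop come out as reliable, the 10.0.1.161 hop as unreliable, and the delivering host is 63.215.88.185; the advice list says to report that address and not to filter on the 10.* one, which is the conclusion the post reaches by hand.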

