  1. #1

    Detecting spammer IP

    Hi,
    I am getting many spam bounce mails today. Here is the header from one file. Can anyone tell me which IP is really sending the spam? I am a bit confused with the different IPs.
    -------
    Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
    id MGJ0LX6P; Sat, 15 Jun 2002 04:36:05 +0200
    Received: from pop.sunbeltengineering.com ([64.105.59.76])
    by BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34882_108382178;
    Fri, 14 Jun 2002 22:36:04 -0400 EST
    Received: from chorus3.cern.ch ([206.104.54.4]) by pop.sunbeltengineering.com with Microsoft SMTPSVC(5.0.2195.2966);
    Fri, 14 Jun 2002 22:36:02 -0400
    Message-ID: <000072b103ab$000048e4$00001db9@cic.cl>
    From: dancemc@hotmail.com
    Reply-To: dancemc@hotmail.com
    To: jeslie@buysellphones.com, psico@aircraftsys.com, ndahl@buyfonts.com,
    lneiswanger@yahoo.com, ruder@industech.com, hb@beer.com
    Cc: mccourry@startmarketing.com, usri@de-water.com,
    mccourry@starsbasketball.com, lneiswender@yahoo.com,
    lneiswender@hotmail.com, kda@gfainc.com
    Subject: Lose Weight Without Dieting 1839
    Date: Sat, 15 Jun 2002 16:46:18 +0200
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----_=_NextPart_001_01C21415.681B8D20"
    This message is in MIME format. Since your mail reader does not understand
    this format, some or all of this message may not be legible.

    ------_=_NextPart_001_01C21415.681B8D20
    Content-Type: text/plain;
    charset="windows-1252"
    Content-Transfer-Encoding: quoted-printable

    -------

  2. #2
    64.15.239.140
    http://www.samspade.org/t/lookat?a=64.15.239.140 may also be useful too

  3. #3
    run it through spamcop.net for more details

  4. #4
    Originally posted by roly
    64.15.239.140
    http://www.samspade.org/t/lookat?a=64.15.239.140 may also be useful too
    /me thinks you're reading the headers totally wrong

  5. #5
    The original sending IP was 206.104.54.4. That's in an IP block assigned to Sprint and sub-let to:

    Ace Trucking,
    1172 147TH AVENUE
    MOLINE, MI 49335
    US

    64.15.239.140 is just the IP of mail.bigfoot.com which happened to be the last forwarding mail server. Please don't blacklist it!

    Best wishes,
    Simon
    http://www.AQHost.com
    Fast, reliable dual Intel Xeon servers
    Excellent uptime record
    Efficient and friendly support
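    Reading the chain the way Simon describes, as an added example (not code from this thread): parse the Received: lines of the first header, list the hops oldest first, and pick the originating IP. The trusted_suffixes parameter is my own assumption: a sender can forge any Received: line below the ones your own relays add, so the only reliable "origin" is the peer IP recorded by a server you trust.

```python
import re

# Constructed sample: the Received: lines from the first header posted in this
# thread, with continuation lines re-indented the way a mail server writes them.
SAMPLE_HEADERS = """\
Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
 id MGJ0LX6P; Sat, 15 Jun 2002 04:36:05 +0200
Received: from pop.sunbeltengineering.com ([64.105.59.76])
 by BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34882_108382178;
 Fri, 14 Jun 2002 22:36:04 -0400 EST
Received: from chorus3.cern.ch ([206.104.54.4]) by pop.sunbeltengineering.com with Microsoft SMTPSVC(5.0.2195.2966);
 Fri, 14 Jun 2002 22:36:02 -0400
Message-ID: <000072b103ab$000048e4$00001db9@cic.cl>
"""

# Sendmail/Exchange put the peer IP in [..]; qmail puts it in (..) as in post #10.
IPV4 = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
RECV = re.compile(r"^Received:\s+from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def unfold(raw):
    """Join RFC 2822 continuation lines (those starting with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return (helo_name, peer_ip, receiving_host) per hop, oldest first.
    Each relay prepends its own Received: line, so the top one is the
    newest; reversing gives the path the message actually travelled."""
    hops = []
    for line in unfold(raw):
        m = RECV.match(line)
        if m:
            ip = IPV4.search(line)
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(2)))
    return hops[::-1]


def origin_ip(raw, trusted_suffixes=()):
    """IP of the earliest hop. Anything below the lines your own trusted
    relays wrote can be forged by the sender, so when trusted_suffixes is
    given, return the peer IP seen by the first trusted receiving host."""
    for helo, ip, by in received_hops(raw):
        if not trusted_suffixes or by.lower().endswith(tuple(trusted_suffixes)):
            return ip
    return None
```

With no trusted suffixes this returns 206.104.54.4 (Simon's answer); trusting only gorillapark.com returns 64.15.239.140, which is why the last relay must not be blacklisted on the strength of this header alone.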

  6. #6
    I use bigfoot all the time. Personally, I would like to see bigfoot blacklisted; maybe they would upgrade their spam prevention.

    Mike
    I am Mike From ADEHOST.Com, Multidomain Windows hosting with Cold Fusion and ASP and Dot.NET Also offering multi-domain Unix hosting. silently, each one should ask, Have I done my daily task. Have I kept my honor bright, can I sleep without guilt tonight. Have I done and have I did, everything, to be prepared. - our motto to maintain services.

  7. #7
    No, I just don't want to blacklist mail.bigfoot.com, but I'm just wondering how these mails go through them, for a long time.

    Anyway, it is more worrying why this is landing at my server... I have nothing to do with these mail IDs or the IPs. I'm thinking someone is relaying on my server.

  8. #8
    Is 64.105.59.76 an IP that belongs to one of your servers?

    Simon
    http://www.AQHost.com
    Fast, reliable dual Intel Xeon servers
    Excellent uptime record
    Efficient and friendly support

  9. #9
    No, that does not belong to our server at all.

  10. #10
    Here is another header:

    Here is a complete bounced mail with headers.
    Only the first line, showing the qmail at "myserver.com", is from our mail server.

    Initially I thought someone was spamming one of our client mails, but none of these mail IDs exist in our client base on the server. I got suspicious with the bounced mails, since hundreds of them bounced to our server. The server is running with SMTP authentication. I also tried to scan the client log files to find out whether they are using any scripts for spamming, but found nothing.

    Any suggestions?
    ----------------------------------------------------------

    Hi. This is the qmail-send program at myserver.com.
    I tried to deliver a bounce message to this address, but the bounce bounced!

    <sexqjvppcsg@inmail.sk>:
    62.168.63.132 does not like recipient.
    Remote host said: 550 unknown user <sexqjvppcsg@inmail.sk>
    Giving up on 62.168.63.132.

    --- Below this line is the original bounce.

    Return-Path: <>
    Received: (qmail 30792 invoked from network); 14 Jun 2002 23:44:02 -0000
    Received: from zwl1-p27.worldonline.nl (HELO gorillapark.com) (195.241.133.27)
    by dp.aekea.com with SMTP; 14 Jun 2002 23:44:02 -0000
    Date: Sat, 15 Jun 2002 01:40:25 +0100
    From: Mail Delivery Subsystem <MAILER-DAEMON@gorillapark.com>
    Message-Id: <200206150140.ZVW17212@mx1.gorillapark.com>
    To: <sexqjvppcsg@inmail.sk>
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    boundary="ZVW17212.1024099200/mx1.gorillapark.com"
    Subject: Returned mail: User unknown
    Auto-Submitted: auto-generated (failure)

    This is a MIME-encapsulated message

    --ZVW17212.1024099200/mx1.gorillapark.com

    The original message was received at Sat, 15 Jun 2002 01:40:25 +0100
    from mail.bigfoot.com [64.15.239.140]

    ----- The following addresses had permanent fatal errors -----
    <henrik@gorillapark.com>
    (expanded from: <henrik@gorillapark.com>)

    ----- Transcript of session follows -----
    mail.local: unknown name: henrik
    550 <henrik@gorillapark.com>... User unknown

    --ZVW17212.1024099200/mx1.gorillapark.com
    Content-Type: message/delivery-status

    Reporting-MTA: dns; mx1.gorillapark.com
    Received-From-MTA: DNS; mail.bigfoot.com
    Arrival-Date: Sat, 15 Jun 2002 01:40:25 +0100

    Final-Recipient: RFC822; <henrik@gorillapark.com>
    X-Actual-Recipient: RFC822; henrik@gorillapark.com
    Action: failed
    Status: 5.1.1
    Last-Attempt-Date: Sat, 15 Jun 2002 01:40:25 +0100

    --ZVW17212.1024099200/mx1.gorillapark.com
    Content-Type: message/rfc822

    Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
    id MGJ0LXXD; Sat, 15 Jun 2002 01:33:43 +0200
    Received: from localhost.localdomain ([4.21.134.55])
    by BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34874_131609920;
    Fri, 14 Jun 2002 19:33:40 -0400 EST
    Message-ID: <1024090283.3161@localhost.localdomain>
    From: sexqjvppcsg@inmail.sk
    Reply-To: sexpgmsqqyy@inmail.sk
    To: hb@bigfoot.com
    Subject: DO YOU LIKE FREE PORN!!
    Date: Sat, 15 Jun 2002 00:31:23 +0200
    hb@bigfoot.com

    DO ME NOW!!


    FREE PORN ACCESS ALL THE PORN YOU CAN HANDLE!!

    DO ME NOW I WANT YOU TO CUM!!!

    http://www.freewebland.com/nh57/cc

  11. #11
    It would really help if we knew what IP(s) belong to your server and/or what the server is named.

    Simon
    http://www.AQHost.com
    Fast, reliable dual Intel Xeon servers
    Excellent uptime record
    Efficient and friendly support
