Thread: Detecting spammer IP
-
06-15-2002, 06:38 PM #1 Junior Guru
- Join Date
- Mar 2002
- Posts
- 210
Detecting spammer IP
Hi,
I am getting many spam bounce mails today. Here is the header from one file. Can anyone tell me which IP is really sending the spam? I am a bit confused with the different IPs.
-------
Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
id MGJ0LX6P; Sat, 15 Jun 2002 04:36:05 +0200
Received: from pop.sunbeltengineering.com ([64.105.59.76])
by BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34882_108382178;
Fri, 14 Jun 2002 22:36:04 -0400 EST
Received: from chorus3.cern.ch ([206.104.54.4]) by pop.sunbeltengineering.com with Microsoft SMTPSVC(5.0.2195.2966);
Fri, 14 Jun 2002 22:36:02 -0400
Message-ID: <000072b103ab$000048e4$00001db9@cic.cl>
From: dancemc@hotmail.com
Reply-To: dancemc@hotmail.com
To: jeslie@buysellphones.com, psico@aircraftsys.com, ndahl@buyfonts.com,
lneiswanger@yahoo.com, ruder@industech.com, hb@beer.com
Cc: mccourry@startmarketing.com, usri@de-water.com,
mccourry@starsbasketball.com, lneiswender@yahoo.com,
lneiswender@hotmail.com, kda@gfainc.com
Subject: Lose Weight Without Dieting 1839
Date: Sat, 15 Jun 2002 16:46:18 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C21415.681B8D20"
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C21415.681B8D20
Content-Type: text/plain;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
-------
-
06-15-2002, 07:35 PM #2 Web Hosting Master
- Join Date
- Feb 2002
- Posts
- 956
64.15.239.140
http://www.samspade.org/t/lookat?a=64.15.239.140 may also be useful
-
06-16-2002, 12:47 AM #3 WHT Addict
- Join Date
- Oct 2001
- Location
- Canada
- Posts
- 157
Run it through spamcop.net for more details.
-
06-16-2002, 09:41 AM #4 Web Hosting Guru
- Join Date
- Jan 2002
- Posts
- 325
Originally posted by roly
64.15.239.140
http://www.samspade.org/t/lookat?a=64.15.239.140 may also be useful too
-
06-16-2002, 11:00 AM #5 Junior Guru
- Join Date
- Jun 2002
- Posts
- 186
The original sending IP was 206.104.54.4. That's in an IP block assigned to Sprint and sub-let to:
Ace Trucking,
1172 147TH AVENUE
MOLINE, MI 49335
US
64.15.239.140 is just the IP of mail.bigfoot.com which happened to be the last forwarding mail server. Please don't blacklist it!
Best wishes,
Simon
http://www.AQHost.com
Fast, reliable dual Intel Xeon servers
Excellent uptime record
Efficient and friendly support
-
06-16-2002, 01:08 PM #6 Web Hosting Master
- Join Date
- Dec 2001
- Location
- New Jersey
- Posts
- 1,152
I use bigfoot all the time. Personally I would like to see bigfoot blacklisted; maybe they would upgrade their spam prevention.
Mike
I am Mike From ADEHOST.Com, Multidomain Windows hosting with Cold Fusion and ASP and Dot.NET Also offering multi-domain Unix hosting. silently, each one should ask, Have I done my daily task. Have I kept my honor bright, can I sleep without guilt tonight. Have I done and have I did, everything, to be prepared. - our motto to maintain services.
-
06-16-2002, 01:28 PM #7 Junior Guru
- Join Date
- Mar 2002
- Posts
- 210
No, I just don't want to blacklist mail.bigfoot.com, but I am just wondering how these mails go through them, and for a long time.
Anyway, it is more worrying why this is landing at my server... I have nothing to do with these mail IDs or the IPs. I'm thinking someone is relaying through my server.
-
06-16-2002, 02:15 PM #8 Junior Guru
- Join Date
- Jun 2002
- Posts
- 186
Is 64.105.59.76 an IP that belongs to one of your servers?
Simon
http://www.AQHost.com
Fast, reliable dual Intel Xeon servers
Excellent uptime record
Efficient and friendly support
-
06-16-2002, 02:43 PM #9 Junior Guru
- Join Date
- Mar 2002
- Posts
- 210
No, that does not belong to our server at all.
-
06-16-2002, 02:55 PM #10 Junior Guru
- Join Date
- Mar 2002
- Posts
- 210
Here is another header:
Here is a complete bounced mail with headers.
Only the first line, showing the qmail at "myserver.com", is from our mail server.
Initially I thought someone was spamming one of our client mail addresses, but none of these mail IDs exist in our client base on the server, and I got suspicious with the bounced mails, since hundreds of them bounced to our server. The server is running with SMTP authentication. I also tried to scan the client log files to find out whether they are using any scripts for spamming, but found nothing.
Any suggestions?
----------------------------------------------------------
Hi. This is the qmail-send program at myserver.com.
I tried to deliver a bounce message to this address, but the bounce bounced!
<sexqjvppcsg@inmail.sk>:
62.168.63.132 does not like recipient.
Remote host said: 550 unknown user <sexqjvppcsg@inmail.sk>
Giving up on 62.168.63.132.
--- Below this line is the original bounce.
Return-Path: <>
Received: (qmail 30792 invoked from network); 14 Jun 2002 23:44:02 -0000
Received: from zwl1-p27.worldonline.nl (HELO gorillapark.com) (195.241.133.27)
by dp.aekea.com with SMTP; 14 Jun 2002 23:44:02 -0000
Date: Sat, 15 Jun 2002 01:40:25 +0100
From: Mail Delivery Subsystem <MAILER-DAEMON@gorillapark.com>
Message-Id: <200206150140.ZVW17212@mx1.gorillapark.com>
To: <sexqjvppcsg@inmail.sk>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="ZVW17212.1024099200/mx1.gorillapark.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
This is a MIME-encapsulated message
--ZVW17212.1024099200/mx1.gorillapark.com
The original message was received at Sat, 15 Jun 2002 01:40:25 +0100
from mail.bigfoot.com [64.15.239.140]
----- The following addresses had permanent fatal errors -----
<henrik@gorillapark.com>
(expanded from: <henrik@gorillapark.com>)
----- Transcript of session follows -----
mail.local: unknown name: henrik
550 <henrik@gorillapark.com>... User unknown
--ZVW17212.1024099200/mx1.gorillapark.com
Content-Type: message/delivery-status
Reporting-MTA: dns; mx1.gorillapark.com
Received-From-MTA: DNS; mail.bigfoot.com
Arrival-Date: Sat, 15 Jun 2002 01:40:25 +0100
Final-Recipient: RFC822; <henrik@gorillapark.com>
X-Actual-Recipient: RFC822; henrik@gorillapark.com
Action: failed
Status: 5.1.1
Last-Attempt-Date: Sat, 15 Jun 2002 01:40:25 +0100
--ZVW17212.1024099200/mx1.gorillapark.com
Content-Type: message/rfc822
Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
id MGJ0LXXD; Sat, 15 Jun 2002 01:33:43 +0200
Received: from localhost.localdomain ([4.21.134.55])
by BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34874_131609920;
Fri, 14 Jun 2002 19:33:40 -0400 EST
Message-ID: <1024090283.3161@localhost.localdomain>
From: sexqjvppcsg@inmail.sk
Reply-To: sexpgmsqqyy@inmail.sk
To: hb@bigfoot.com
Subject: DO YOU LIKE FREE PORN!!
Date: Sat, 15 Jun 2002 00:31:23 +0200
hb@bigfoot.com
DO ME NOW!!
FREE PORN ACCESS ALL THE PORN YOU CAN HANDLE!!
DO ME NOW I WANT YOU TO CUM!!!
http://www.freewebland.com/nh57/cc
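Post #5 reads the Received: chain from the bottom up to find the originating address, and post #10 asks what hundreds of bounced bounces landing on a server mean. The script below is an added example, not code from this thread or from any tool the posters mention. It unfolds the headers, lists each hop with the address the receiving MTA actually recorded (the one field the sending side cannot choose), reports the bottom-most address as the candidate origin, and checks whether the original message inside a bounce ever passed through the MTAs you name. The sample headers are constructed from the ones quoted in posts #1 and #10; mail.example.net is a placeholder standing in for your own mail server's name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Received: chain quoted in post #1, cut down to the headers this
# script needs. Folded continuation lines keep their leading whitespace, as in real mail.
SPAM_HEADERS = (
    "Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com"
    " with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)\n"
    "\tid MGJ0LX6P; Sat, 15 Jun 2002 04:36:05 +0200\n"
    "Received: from pop.sunbeltengineering.com ([64.105.59.76])\n"
    "\tby BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34882_108382178;\n"
    "\tFri, 14 Jun 2002 22:36:04 -0400 EST\n"
    "Received: from chorus3.cern.ch ([206.104.54.4]) by pop.sunbeltengineering.com with Microsoft SMTPSVC(5.0.2195.2966);\n"
    "\tFri, 14 Jun 2002 22:36:02 -0400\n"
)
# Constructed sample: the outer bounce from post #10 and the original message it carried.
BOUNCE_HEADERS = (
    "Return-Path: <>\n"
    "Received: (qmail 30792 invoked from network); 14 Jun 2002 23:44:02 -0000\n"
    "Received: from zwl1-p27.worldonline.nl (HELO gorillapark.com) (195.241.133.27)\n"
    "  by dp.aekea.com with SMTP; 14 Jun 2002 23:44:02 -0000\n"
    "From: Mail Delivery Subsystem <MAILER-DAEMON@gorillapark.com>\n"
    "Auto-Submitted: auto-generated (failure)\n"
)
ORIGINAL_HEADERS = (
    "Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com"
    " with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)\n"
    "\tid MGJ0LXXD; Sat, 15 Jun 2002 01:33:43 +0200\n"
    "Received: from localhost.localdomain ([4.21.134.55])\n"
    "\tby BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34874_131609920;\n"
    "\tFri, 14 Jun 2002 19:33:40 -0400 EST\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <peer> <peer details> by <receiver> ..." covers the sendmail, Exchange, LiteMail and qmail forms above.
HOP = re.compile(r"^from\s+(?P<name>\S+)\s*(?P<info>.*?)\s+by\s+(?P<by>\S+)", re.I)

@dataclass
class Hop:
    name: str          # HELO name or reverse DNS of the peer, depending on the MTA: sender-controlled
    ip: Optional[str]  # address the receiving MTA saw on the wire: the one field the sender cannot pick
    by: str            # the MTA that wrote this header

def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines; stop at the blank line that ends the header block."""
    headers: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.strip())
    return headers

def header(raw: str, name: str) -> str:
    """Value of the first header called `name`, or "" when absent."""
    prefix = name.lower() + ":"
    for h in unfold_headers(raw):
        if h.lower().startswith(prefix):
            return h[len(prefix):].strip()
    return ""

def received_chain(raw: str) -> List[Hop]:
    """Hops top to bottom: first entry is the last MTA, last entry the first MTA that logged the message."""
    hops: List[Hop] = []
    for h in unfold_headers(raw):
        if not h.lower().startswith("received:"):
            continue
        m = HOP.match(h[len("received:"):].strip())
        if not m:  # e.g. "(qmail ... invoked from network)": a local handoff with no remote peer
            continue
        ip = IPV4.search(m["name"] + " " + m["info"])
        hops.append(Hop(m["name"], ip.group(1) if ip else None, m["by"]))
    return hops

def origin_ip(raw: str) -> Optional[str]:
    """Address recorded by the bottom-most hop: the candidate sender (reliable only below a trusted MTA)."""
    hops = received_chain(raw)
    return hops[-1].ip if hops else None

def is_backscatter(bounce_raw: str, original_raw: str, our_mtas) -> bool:
    """True when a failure report concerns a message none of our MTAs handled: a forged sender, not a relay."""
    is_bounce = (header(bounce_raw, "Return-Path") == "<>"
                 or header(bounce_raw, "Auto-Submitted").lower().startswith("auto-generated")
                 or "mailer-daemon" in header(bounce_raw, "From").lower())
    if not is_bounce:
        return False
    ours = {m.lower() for m in our_mtas}
    return not any(h.by.lower() in ours or h.ip in ours for h in received_chain(original_raw))

if __name__ == "__main__":
    for hop in received_chain(SPAM_HEADERS):
        print(f"{hop.by:30} received it from {hop.ip} (peer called itself {hop.name})")
    print("candidate origin:", origin_ip(SPAM_HEADERS))
    print("backscatter:", is_backscatter(BOUNCE_HEADERS, ORIGINAL_HEADERS, {"mail.example.net"}))
```

On the post #1 chain this reports 206.104.54.4 as the origin, the answer post #5 gives, and shows 64.15.239.140 only as the last relay that handed the message to gorillapark.com. The backscatter check returns True for a server that appears in none of the embedded original's Received: lines, which is the pattern where some other site bounced a forged-sender message to you, and False when you name amsmsx02.gorillapark.com, which did handle the original. Only hops written by MTAs you trust are reliable; everything below the first trusted hop was supplied by the sender and can be forged, so treat the bottom address as a lead to verify against your own logs, not as proof.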
-
06-16-2002, 03:19 PM #11 Junior Guru
- Join Date
- Jun 2002
- Posts
- 186
It would really help if we knew what IP(s) belong to your server and/or what the server is named.
Simon
http://www.AQHost.com
Fast, reliable dual Intel Xeon servers
Excellent uptime record
Efficient and friendly support