From: Ken McGlothlen
Cc: syborg@stny.rr.com
Subject: Re: Forwarded mail....
Date: 11 Apr 2002 12:31:23 -0700
References: <047101c1e183$daf3a310$fd6e34c6@mlevy>
In-Reply-To: <047101c1e183$daf3a310$fd6e34c6@mlevy>
Message-ID: <87it6yhw1g.fsf@ralf.artlogix.com>

"Moti" writes:

| it's called SPAM
| ----- Original Message -----
| From: "John Bleichert"
| To:
| Sent: Thursday, April 11, 2002 1:57 PM
| Subject: Forwarded mail....
|
| > What is this crap below? Spam from the BSD mailer daemon?

[...]

Well, in a response which may actually prove to be more helpful than the last
one, it's not actually from the BSD mailer daemon. Unfortunately, with the
current state of email exchange, you can forge any headers you want on a
message. (I'm getting to the point where I'm hoping that enough people get
sick enough of spam that MTAs no longer permit forged headers.)

Looking at the headers (which you need to do anytime you look at spam
complaints) is the most direct way to determine the message's origin, and in
this case, it's not terribly obfuscated. The Received headers tell the story.
After a few that show the final delivery and the internal routing at
freebsd.org, we find this:

   Received: from informesuteis.com.br (CE128188.user.veloxzone.com.br [200.164.128.188])
           by hub.freebsd.org (Postfix) with SMTP id CB59537B400;
           Thu, 11 Apr 2002 10:05:49 -0700 (PDT)

It appears that veloxzone.com.br is the ISP for the spammer, even though they
used their own host name in the SMTP HELO command. Fortunately, postfix and
several other MTAs also record the actual IP address of the connection.

If we do a traceroute on the website, we get this:

   $ traceroute www.informesuteis.com.br
   traceroute to informesuteis.com.br (216.29.207.22), [...]
   [...]
   13  DBS-COLO.Columbus.fnsi.net (216.29.188.126)  79.712 ms
   14  216.29.165.78 (216.29.165.78)  86.598 ms  [...]
   15  216.29.207.22 (216.29.207.22)  92.081 ms  [...]
   $ _

which implies that fnsi.net is the ISP for the spammer's website. Let's make
sure by checking who that IP number belongs to.

   $ whois -h whois.arin.net 216.29.207.22
   Fiber Network Solutions, Inc. (NETBLK-FNSI-CBLK5)
                                       FNSI-CBLK5          216.28.0.0 - 216.29.255.255
   DB Solutions (NETBLK-FNSI-CBLK5-129-207)
                                       FNSI-CBLK5-129-207  216.29.207.0 - 216.29.207.255
   [...]
   $ _

Well, apparently, a company named DB Solutions owns the Class C. Let's look
up that netblock.

   $ whois -h whois.arin.net \!NETBLK-FNSI-CBLK5-129-207
   DB Solutions (NETBLK-FNSI-CBLK5-129-207)
      576 Charring Cross Dr.
      Suite B
      Westerville, OH 43081
      US

      Netname: FNSI-CBLK5-129-207
      Netblock: 216.29.207.0 - 216.29.207.255

      Coordinator:
         Fiber Network Solutions, Inc.  (IF29-ARIN)  hostmaster@fnsi.net
         (614) 895-6621

      Domain System inverse mapping provided by:

      NS1.FNSI.NET                 206.183.224.7
      NS2.FNSI.NET                 206.183.224.8
      NS3.FNSI.NET                 206.183.226.10
   [...]
   $ _

So you'd send a complaint to veloxzone.com.br and to fnsi.net, with complete
headers for the message.
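To make the Received-header walk described in the message above concrete, here is an added Python example (not part of the post or of any FreeBSD code). It parses a Received chain in the Postfix "from HELO (reverse-dns [ip]) by HOST" form, stops at the last hop stamped by an MTA we control (so headers the sender wrote below it are ignored), and flags a HELO name that disagrees with the reverse DNS the MTA recorded. The sample headers are constructed around the one hop quoted in the post; the trusted-domain list and the surrounding hops are assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not from the post): the hop quoted in the post, a made-up
# final delivery above it, and a made-up forged hop below it (documentation IPs).
SAMPLE = """\
Received: from hub.freebsd.org (hub.freebsd.org [192.0.2.1])
    by mx1.example.net (Postfix) with ESMTP id 0000; Thu, 11 Apr 2002 10:06:10 -0700 (PDT)
Received: from informesuteis.com.br (CE128188.user.veloxzone.com.br [200.164.128.188])
    by hub.freebsd.org (Postfix) with SMTP id CB59537B400; Thu, 11 Apr 2002 10:05:49 -0700 (PDT)
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by informesuteis.com.br (Fake) with SMTP id 0000; Thu, 11 Apr 2002 09:00:00 -0700 (PDT)
Subject: constructed sample
"""

# Postfix-style clause: "from HELO (reverse-dns [ip]) by HOST ...".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def parse_received(raw):
    """Return the Received hops newest-first as dicts of helo/rdns/ip/by."""
    msg = message_from_string(raw)  # joins folded continuation lines
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops

def _trusted(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def origin_hop(hops, trusted_domains):
    """Last hop stamped by one of our own MTAs: the real connecting client.
    Everything below it was written by the sender and may be forged."""
    origin = None
    for hop in hops:
        if not _trusted(hop["by"], trusted_domains):
            break
        origin = hop
    return origin

def helo_mismatch(hop):
    """True when the HELO name differs from the reverse DNS the MTA recorded."""
    return hop["rdns"] is not None and hop["helo"].lower() != hop["rdns"].lower()
```

The IP in the origin hop (here 200.164.128.188) is the one to look up with whois, exactly as the post does; the forged hop below it never influences the result.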