Re: About the Unsolicited Use of Our Legal IP Addresses
- Date: Mon, 29 Jul 2002 15:28:20 +0100
At 29/07/2002 12:17 +0300, Muharrem Ay wrote:
> We don't want to be put in the blacklists or shitlists of
> organizations. We would like to get help from you to do this.
> Also, we would be glad if you can tell us what exactly is
> being happening, and what can we be done to get rid.
First, what has happened. Your analysis was right and I've
just written it out in more detail here.
The top Received: line is internal to MSN. Not interesting.
The next line says that the MSN mailer had the message from
188.8.131.52, somewhere in China. I have to guess that the
person who complained to you did not change that IP address.
In this line, '184.108.40.206' is a meaningless forgery. The
bulk mailer connected from the Chinese system with
'HELO 220.127.116.11' to confuse anyone reading the header.
There is no connection between that line and the other
Received: lines, so you have to assume they are fictional
and included by the bulk mailing program to confuse anyone
reading the header. _None_ of these addresses:
or these domain names:
had any part in the origination or transmission of the message.
The message passed by the bulk mailer in the DATA phase already
included all the false Received: lines.
So who has done anything wrong here?
The managers of 18.104.22.168, who left it insecure either
as an open mail relay (not to my casual test), an open proxy
server of some kind (it is listening on port 1080), or a system
vulnerable to root compromise.
The person who sent the bulk mail. That could be a manager or
user of 22.214.171.124 but it probably wasn't. The managers
might in principle be able to partly trace the misuse but they
The person operating the advertised Web site. Unfortunately the
URL in the mail is a free Tripod page for which the only
responsibility Tripod will accept is to remove it. Perhaps
nobody has asked them, because it's still there at present.
The person operating the site that the downloaded program
FreeAccess.exe connects to. I haven't dared to try that :-)
I believe you should complain to Tripod (in VE and US), to
Chinanet and perhaps to CN-CERT. There is no guarantee that any
of them will help you but they may close an account and the
bulk mailer may move on to some different forged Received:
Other people may take a more optimistic view?
Rodney Tillotson, JANET-CERT
+44 1235 822 255.
Received: from cpimssmtpa48.msn.com ([10.48.181.222])
with Microsoft SMTPSVC(5.0.2195.4905);
Sun, 28 Jul 2002 00:31:59 -0700
Received: from 126.96.36.199 ([188.8.131.52])
by cpimssmtpa48.msn.com with Microsoft SMTPSVC(5.0.2195.4905);
Sun, 28 Jul 2002 00:31:52 -0700
Received: from [184.108.40.206] by n7.groups.yahoo.com with SMTP;
Jul, 28 2002 12:19:32 AM +0300
Received: from [220.127.116.11] by f64.law4.hotmail.com with QMQP;
Jul, 27 2002 11:05:48 PM -0200
Received: from anther.webhostingtalk.com ([18.104.22.168])
by da001d2020.lax-ca.osd.concentric.net with QMQP;
Jul, 27 2002 10:28:43 PM +0300
Received: from unknown (HELO da001d2020.lax-ca.osd.concentric.net)
(22.214.171.124) by f64.law4.hotmail.com with QMQP;
Jul, 27 2002 9:14:49 PM -0200
From: Vim hing@localhost <>>
Subject: School Girl Teens Caught Fuck'n In Showers !!!!! dmlwt
Sender: Vim hing@localhost
Content-Type: text/html; charset="iso-8859-1"
Date: Sun, 28 Jul 2002 00:32:48 -0700
X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-OriginalArrivalTime: 28 Jul 2002 07:31:59.0606 (UTC) FILETIME=[DBDBF960:01C23608]
HOT FREE MORPHEUS XXX MILLIONS OF MOVIES AND PICS TO DOWNLOAD FOR FREE!!!
Click Here <http://members.tripod.com.ve/alladian828r>To Download Free Software!
P.S DOWNLOAD IT NOW BEFORE IT'S GONE!