Security Incidents mailing list archives
Re: properties in e-mail from sexyfun
From: Guillaume Filion <gfk () LOGIDAC COM>
Date: Mon, 15 Jan 2001 12:41:41 -0500
Hi Kelly,

An easy way to find this is to use Spamcop's automatic parsing service available at:
http://spamcop.net/nosend.shtml

Here's what it said on your spam:

------------------------
Parsing header:

Received: from mx8-w.mail.home.com (mx8-w.mail.home.com [24.0.95.73]) by h14.mail.home.com (8.9.3/8.9.0) with ESMTP id VAA09676 for <Kelly-Reid () home com>; Thu, 11 Jan 2001 21:43:57 -0800 (PST)
Possible spammer: 24.0.95.73
"nslookup 73.95.0.24.dul.maps.vix.com." (checking ip) ip [show] not found
"nslookup mx8-w.mail.home.com" (checking ip) ip [show] ip = 24.0.95.73
"nslookup 73.95.0.24.rbl.maps.vix.com." (checking ip) ip [show] not found
"nslookup 73.95.0.24.inputs.orbs.org." (checking ip) ip [show] not found
"nslookup 73.95.0.24.dul.maps.vix.com." (checking ip) ip [show] not found
24.0.95.73 has already been sent to ORBS
Received line accepted

Received: from smtp02.mail.onemain.com (SMTP-OUT003.ONEMAIN.COM [63.208.208.73]) by mx8-w.mail.home.com (8.11.1/8.11.1) with SMTP id f0C5huk01495 for <Kelly-Reid () home com>; Thu, 11 Jan 2001 21:43:56 -0800 (PST)
"nslookup 73.95.0.24.dul.maps.vix.com." (checking ip) ip [show] not found
Possible spammer: 63.208.208.73
"nslookup SMTP-OUT003.ONEMAIN.COM" (checking ip) ip [show] ip = 63.208.208.73
"nslookup smtp02.mail.onemain.com" (checking ip) ip [show] ip = 63.208.208.73
"nslookup 73.208.208.63.rbl.maps.vix.com." (checking ip) ip [show] not found
"nslookup 73.208.208.63.inputs.orbs.org." (checking ip) ip [show] not found
Chain test:mx8-w.mail.home.com =? mx8-w.mail.home.com
Chain verified mx8-w.mail.home.com = mx8-w.mail.home.com
"nslookup 73.208.208.63.dul.maps.vix.com." (checking ip) ip [show] not found
63.208.208.73 has already been sent to ORBS
Received line accepted

Received: (qmail 4354 invoked from network); 12 Jan 2001 04:25:11 -0000
no ip found in received line
Ignored

Received: from moperr01-98.midwest.net (HELO computer) ([208.235.39.108]) (envelope-sender <>) by 10.209.20.32 (qmail-ldap-1.03) with SMTP for <Kelly-Reid () home com>; 12 Jan 2001 04:25:11 -0000
"nslookup 73.208.208.63.dul.maps.vix.com." (checking ip) ip [show] not found
Possible spammer: 208.235.39.108
"nslookup moperr01-98.midwest.net" (checking ip) ip [show] ip = 208.235.39.108
Taking name from IP...
"nslookup 208.235.39.108" (getting name) [show] 208.235.39.108 = moperr01-98.midwest.net
"nslookup moperr01-98.midwest.net" (checking ip) ip [show] ip = 208.235.39.108
"nslookup 108.39.235.208.rbl.maps.vix.com." (checking ip) ip [show] not found
"nslookup 108.39.235.208.inputs.orbs.org." (checking ip) ip [show] not found
Chain error; '10.209.20.32' != 'SMTP-OUT003.ONEMAIN.COM' or 'smtp02.mail.onemain.com'; received line discarded

Tracking ip 63.208.208.73:
"nslookup 63.208.208.73" (getting name) [show] 63.208.208.73 = SMTP-OUT003.ONEMAIN.COM
"nslookup SMTP-OUT003.ONEMAIN.COM" (checking ip) ip [show] ip = 63.208.208.73
abuse.net smtp-out003.onemain.com=abuse () earthlink net, abuse () onemain com
Statistics: ISP (abuse () onemain com, abuse () earthlink net) score:3917
Right now, this email would be detained by SpamCop Filters
Would send complaint to abuse () onemain com, abuse () earthlink net
------------------------
[REF: http://spamcop.net/sc?id=15426746&crc=77734 ]

Hope this helps,
GFK's

Following is the properties from the email from sexyfun. I'm interested in knowing who this came from so that they can get their machine scanned. Any help would be appreciated

Thu, 11 Jan 2001 21:43:57 -0800
Received: from mx8-w.mail.home.com (mx8-w.mail.home.com [24.0.95.73]) by h14.mail.home.com (8.9.3/8.9.0) with ESMTP id VAA09676 for <Kelly-Reid () home com>; Thu, 11 Jan 2001 21:43:57 -0800 (PST)
Received: from smtp02.mail.onemain.com (SMTP-OUT003.ONEMAIN.COM [63.208.208.73]) by mx8-w.mail.home.com (8.11.1/8.11.1) with SMTP id f0C5huk01495 for <Kelly-Reid () home com>; Thu, 11 Jan 2001 21:43:56 -0800 (PST)
Date: Thu, 11 Jan 2001 21:43:56 -0800 (PST)
Message-Id: <200101120543.f0C5huk01495 () mx8-w mail home com>
Received: (qmail 4354 invoked from network); 12 Jan 2001 04:25:11 -0000
Received: from moperr01-98.midwest.net (HELO computer) ([208.235.39.108]) (envelope-sender <>) by 10.209.20.32 (qmail-ldap-1.03) with SMTP for <Kelly-Reid () home com>; 12 Jan 2001 04:25:11 -0000
From: Hahaha <hahaha () sexyfun net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEJOXIFS9IZC1IZ4DAR0DIVOTAJ05AJ"
Apparently-To: <Kelly-Reid () home com>
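
The chain test that the SpamCop output in this thread reports, as an added example that is not part of the original post and is not SpamCop's code: each Received line is accepted only if its "by" host is one of the names the previously accepted line gave for its sender. The function names and regular expressions are illustrative, and the walk assumes the topmost line was written by the recipient's own server.

```python
import re

# Received lines quoted in this thread, newest first; the "for <...>; date"
# tails are trimmed because the chain test does not use them.
RECEIVED = [
    "from mx8-w.mail.home.com (mx8-w.mail.home.com [24.0.95.73]) "
    "by h14.mail.home.com (8.9.3/8.9.0) with ESMTP id VAA09676",
    "from smtp02.mail.onemain.com (SMTP-OUT003.ONEMAIN.COM [63.208.208.73]) "
    "by mx8-w.mail.home.com (8.11.1/8.11.1) with SMTP id f0C5huk01495",
    "(qmail 4354 invoked from network); 12 Jan 2001 04:25:11 -0000",
    "from moperr01-98.midwest.net (HELO computer) ([208.235.39.108]) "
    "(envelope-sender <>) by 10.209.20.32 (qmail-ldap-1.03) with SMTP",
]

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+(?P<notes>(?:\([^)]*\)\s*)+)by\s+(?P<by>\S+)", re.I)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS = re.compile(r"\((\S+)\s+\[")   # "(name [ip])" form only

def parse_hop(line):
    """Return names claimed for the sender, its IP and the recording host, or None."""
    m = HOP.match(line.strip())
    ip = IPV4.search(m["notes"]) if m else None
    if ip is None:
        return None                      # e.g. qmail's local "invoked from network" line
    names = {m["helo"].lower()}
    rdns = RDNS.match(m["notes"])
    if rdns:
        names.add(rdns.group(1).lower())
    return {"names": names, "ip": ip.group(1), "by": m["by"].lower()}

def trace(received):
    """Walk newest to oldest; stop at the first hop the previous one does not vouch for."""
    trusted, log = None, []
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            log.append("ignored: no relay IP")
        elif trusted and hop["by"] not in trusted["names"]:
            log.append(f"chain error: {hop['by']} not in {sorted(trusted['names'])}")
            break
        else:
            trusted = hop                # assumption: the topmost line is our own server's
            log.append(f"accepted: {hop['ip']}")
    return trusted, log

if __name__ == "__main__":
    hop, log = trace(RECEIVED)
    print("\n".join(log))
    print("report to the operator of", hop["ip"])
```

A chain error only means the hop cannot be corroborated from the headers themselves. Here the unmatched "by" host, 10.209.20.32, is a private (RFC 1918) address, so the discarded line may still be genuine and is worth passing along to the relay's operator with the full headers.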