Spam - Email Headers
'Tis me again. Lately I've been on a really big stomp out spam kick, because it seems to be increasing so much.
I'm trying to understand the email headers of this one. I think maybe it was "spoofed," if that's what you call it.
I'm just posting the parts in question:
From shopsite@angelfire.six.futurequest.net Tue Jun 08 10:14:54 1999
Return-Path: <shopsite@angelfire.six.futurequest.net>
Received: from xcom-79-128.mdc.net (HELO Shopsite) (209.251.79.128)
  by six.futurequest.net with SMTP; 8 Jun 1999 10:14:52 -0000
From: Shopsite <shopsite@angelfire.six.futurequest.net>
Message-Id: <419.436319.26121898shopsite@angelfire>
So, it appears this actually came from mdc.net. Is that correct? I've been trying to read up on this but am not sure if I understand correctly.
Justin
06-08-1999, 05:12 PM
It looks to me like it comes from shopsite@angelfire.com, but because they left off the .com part, the server adds the six.futurequest.net part - eg, it adds the local server name.
This is either a mistake or a cheesy attempt to spoof the headers IMO...
------------------
Justin Nelson
FutureQuest Support
My guess would in fact be that it did come from MDC.net
Via a whois on arin.net I looked up the IP number it came from (209.251.79.128)
MDC, Inc. dba NetWay Internet (NETBLK-MDCINC-BLK-1)
   11 Hodges Street
   North Andover, MA 01845
   Netname: MDCINC-BLK-1
   Netblock: 209.251.64.0 - 209.251.79.255
   Maintainer: MDCN
   Coordinator:
      Smith, Douglas  (DS1368-ARIN)  systemdls@NETWAY.COM
      (978) 557-0097
   Domain System inverse mapping provided by:
   NAMESRV.MDC.NET          206.66.240.254
   NAMESRV2.MDC.NET         206.66.240.253
   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
   Record last updated on 17-Jul-98.
   Database last updated on 8-Jun-99 16:15:54 EDT.
From this I would feel pretty confident that it originated from MDC.net realm. They probably tried to spoof an angelfire address and seem to have failed at that attempt for the reasons Justin has already explained.
Deb
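The reading given in the two replies above can be checked mechanically. The following is an added example, not part of the original thread: it parses the Received line stamped by the receiving server, takes the peer IP (the one field the sender does not control), and tests it against the netblock from the ARIN output. The function name trace and the "last two labels" domain comparison are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as posted in the thread (the mbox "From " line is left out).
RAW = """\
Return-Path: <shopsite@angelfire.six.futurequest.net>
Received: from xcom-79-128.mdc.net (HELO Shopsite) (209.251.79.128)
  by six.futurequest.net with SMTP; 8 Jun 1999 10:14:52 -0000
From: Shopsite <shopsite@angelfire.six.futurequest.net>
Message-Id: <419.436319.26121898shopsite@angelfire>

"""

# qmail-style trace: from <reverse DNS> (HELO <sender's claim>) (<peer IP>) by <receiver>
QMAIL_RECEIVED = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[0-9.]+)\)"
    r"\s+by\s+(?P<by>\S+)")

# Netblock 209.251.64.0 - 209.251.79.255 from the ARIN record quoted in the thread.
MDC_BLOCK = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("209.251.64.0"), ipaddress.ip_address("209.251.79.255")))


def org(domain):
    # Crude comparison key (assumption): last two labels; wrong for e.g. co.uk.
    return ".".join(domain.lower().split(".")[-2:])


def trace(raw, trusted_receiver):
    """Return facts from the hop recorded by our own server, or None if absent."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for value in msg.get_all("Received", []):
        m = QMAIL_RECEIVED.search(" ".join(value.split()))  # unfold continuation lines
        if not m or m.group("by") != trusted_receiver:
            continue  # hops stamped by other hosts can be forged by the sender
        hop = m.groupdict()
        ip = ipaddress.ip_address(hop["ip"])
        hop["in_mdc_block"] = any(ip in net for net in MDC_BLOCK)
        # Justin's point: an unqualified domain gets the local server name appended.
        hop["local_name_appended"] = from_domain.endswith("." + trusted_receiver)
        hop["same_org_domain"] = org(hop["rdns"]) == org(from_domain)
        return hop
    return None


if __name__ == "__main__":
    print(trace(RAW, "six.futurequest.net"))
```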
Thanks!
I did an ARIN search also on the IP. That's why I thought it was MDC.net. Boy, it's a lot of trouble just to report these people. But lately, the amount of spam in my mail has increased dramatically, so I'm ready to try and do something about it. I think the nut who is harassing me is making me want to put an end to ALL types of email abuse.
Thank you both for your help! Now, I'll report this spammer.
heh the spam we're getting that bothers me most is from a guy that we actually kicked off of our servers for spamming.. yet he still has some of my addresses in his lists.. I find myself reporting him to various ISPs and hosts every month as he works his way around the net abusing server after server :(
Spam is proving to be a very difficult issue to say the least:(
Then being totally silly -- while house hunting I inquired with a few realty companies on the net using my personal email account -- yep - now I'm constantly receiving emails telling me how I can 'get rich' via repo homes, receive loans, sell my house, and from those who want to buy my mortgage blah blah blah (gee I was only renting)... *sigh*
Deb
Spam by any other name would still be ... Spam.
AN ODE TO SPAM(tm)
Oh SPAM(tm)! Oh SPAM(tm)! Gourmet delight!
My food by day, my dreams by night.
To carve, to slice, to dice you up -
pureed in a blender and sipped from a cup.
What shining deity from Olympus knelt
down to the earth and hog butt smelt?
Creating then man's eternal desire
for swine entrails congealed by fire.
On some corporate farm, a pig has died.
Eyes, tongue, and snout end up inside
that cube of SPAM(tm) hidden in the can
I now hold in my trembling hand.
More than mere food, SPAM(tm) is for me
a hedonistic expression of gluttonous glee.
Mottled with pork fat, the pink cube engrosses.
My mouth takes it in, my intestine disposes.
Long have my arteries clogged to the sound
of sizzling SPAM(tm) when there's no one around -
furtively chewing or swallowing whole.
Triple bypass by forty, my medical goal.
Other processed meat products I've tried or declined
Vienna Sausages, Treet, even pig's feet in brine.
Though each may be tasty in different ways,
none matches SPAM(tm) for gelatinous glaze.
That glistening pinkness beckons me
with gristle, fat, and BHT.
Oh SPAM(tm), my SPAM(tm) - the taste, the smell!
The sacred meat product, from Hormel.
:)
*edit* Sorry, but I couldn't resist!
[This message has been edited by pc (edited 06-09-99)]
zeegraf
06-09-1999, 09:16 PM
Heh heh.... I was really into spam-busting not too long ago. Even had my pic posted in the spam fighter's gallery on www.netscum.org (http://www.netscum.org). Browse the news.admin.net-abuse.email newsgroup for antispam info and helpful techniques. The guys and gals there are a great bunch (and still chortle about taking down spam king Sanford aka Spamford Wallace)...
------------------
Don Z.
www.zeegraf.com (http://www.zeegraf.com)
"To poldly mow air moebius
gumby four" --Kirk on Novacaine
I am spam busting again. Here is another set of headers with only the important info included:
From sales@marcap.com Sat Jun 12 17:06:10 1999
Return-Path: <sales@marcap.com>
Received: (qmail 28765 invoked by uid 85); 12 Jun 1999 17:06:10 -0000
Received: from unknown (HELO sub2.submit-it.com) (206.25.90.164)
Received: from ftpdesktop.submit-it.com (ftpdesktop.submit-it.com [206.25.90.22]) by sub2.submit-it.com (NTMail 3.03.0017/1.abcg) with ESMTP id na485849 for ; Sat, 12 Jun 1999 13:07:11 -0400
Date: Sat, 12 Jun 99 13:08:23 Eastern Daylight Time
From: sales@marcap.com
Subject: Exposure! Exposure! Exposure!
X-Mailer: <WC Mail>
Message-Id: <17071144712013@submit-it.com>
When I do an Arin lookup for the IP shown, here is what it shows for 206.25.90.164 and 206.25.90.22, which is not much:
Cable & Wireless USA (NETBLK-CW-05BLK) CW-05BLK    206.24.0.0 - 206.31.255.255
NAVISITE (NETBLK-CW-206-25-86-A) CW-206-25-86-A    206.25.86.0 - 206.25.94.255
The guy from marcap.com is really getting testy with me about this when I requested that I receive no more of these spam mailings. Should I report this to Virtualisys, who hosts marcap.com or Cable and Wireless?
I promise I won't ask anymore spam questions after this one!! :)
Anyone want to recommend a spam filtering program?
[This message has been edited by pc (edited 06-12-99)]
I would go Cable and Wireless ...