[ale] Tracing spam (EMAIL MARKETING WORKS)

Alexander Barton alex at cad.gatech.edu
Thu Dec 4 09:04:48 EST 1997


I'm looking at the headers of the two "EMAIL MARKETING WORKS"
spams sent to the ALE mailing list Thursday morning.  I'd like
to try to figure out where the spam came from and ultimately do
something to make it stop.  (Yes, I really do need a hobby.)
If anyone has experience doing this, I'd appreciate feedback on
the correctness of my deductions.

Here goes.


1.  I'm sure the From, To, and Reply-To headers are bogus, intended
to direct spam complaints to innocent parties.  If this is true,
it would be worse than useless if we were to complain to
administrators at the purported source sites, worldnet.att.com
and ix.netcom.com.


2.  The two spams have a few identical "Received" headers:

	Received: from SMTP.XServer     (Smail4.1.19.1 #20) id
		m0wBzN7-009vdR; Thursday, December 4th, 1997
	Received: from mail.apache.net(really [164/187]) by
		relay.comanche.com Tuesday, December 2nd, 1997
	Received: from 32776.21445(really [80110/80111]) by
		relay.denmark.nl Sunday, November 30th, 1997
	Received: from local.nethost.org(really [24553/24554]) by
		relay.SS621.net Saturday, November 29th, 1997

I think it's impossible for two messages to have the same ID
numbers ("m0wBzN7-009vdR", etc.) on the same mail server.
Therefore these four headers are bogus.  Their purpose is to
distract our attention.


3.  If I trust the most recent headers on one message and go
backwards to burdell, it looks like burdell.cc.gatech.edu got
the message from smtp.alpha-soft.com:

	Received: from [207.217.4.56] by smtp.alpha-soft.com
		(SMTPD32-4.0) id AD6E4EE00BC; Thu, 04 Dec 1997
		02:36:14 -0500

If I trust alpha-soft, they got the message from 207.217.4.56, which
nslookup says is pool056-max4.la-ca-us.dialup.earthlink.net.
The other message seems to have passed through
pool046-max1.la-ca-us.dialup.earthlink.net.  The bogus
headers start immediately after the entry for earthlink.net.

earthlink.net is:
	$ whois earthlink.net
	   EarthLink Network, Inc. (EARTHLINK-DOM)
	   3100 New York Drive
	   Pasadena, CA 91107
	   US
	   [...]


4.  Now what?  Do I send a politely worded complaint to
postmaster at earthlink.net?  Has someone complained to them already?



-Alexander
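The two checks worked through by hand above (walk the Received chain from the most recent hop down until the chain of custody leaves hosts you trust, and look for queue ids that two different messages share) can be scripted. The following is an added example, not code from the original post or from the ALE list. The two sample messages are constructed to match the headers quoted in the post; the burdell hop, the sendmail-style queue ids CAA12345 and CAA12390, the second message's dial-up address (192.0.2.46, a documentation IP) and its alpha-soft queue id AD6E4EE00C1 are assumptions, while the alpha-soft, SMTP.XServer and mail.apache.net hops are as quoted.

```python
"""Walk the Received chain of a suspected spam, find the hop where the
message entered trusted infrastructure, and flag queue ids that two
different messages share (which a real MTA would never produce)."""
import re
import socket
from email import message_from_string

# Hosts whose Received headers we believe: the list server and the relay
# it accepted the message from, both named in the post above.
TRUSTED = {"burdell.cc.gatech.edu", "smtp.alpha-soft.com"}

# Constructed samples modeled on the headers quoted in the post.  The burdell
# hop, the CAA... queue ids, the second message's source 192.0.2.46 and its
# queue id AD6E4EE00C1 are assumptions; the other hops are as quoted.
SPAM_1 = """\
Received: from smtp.alpha-soft.com by burdell.cc.gatech.edu id CAA12345; Thu, 4 Dec 1997 02:37:01 -0500
Received: from [207.217.4.56] by smtp.alpha-soft.com (SMTPD32-4.0) id AD6E4EE00BC; Thu, 04 Dec 1997 02:36:14 -0500
Received: from SMTP.XServer     (Smail4.1.19.1 #20) id m0wBzN7-009vdR; Thursday, December 4th, 1997
Received: from mail.apache.net(really [164/187]) by relay.comanche.com Tuesday, December 2nd, 1997
Subject: EMAIL MARKETING WORKS

(body omitted)
"""
SPAM_2 = """\
Received: from smtp.alpha-soft.com by burdell.cc.gatech.edu id CAA12390; Thu, 4 Dec 1997 02:41:12 -0500
Received: from [192.0.2.46] by smtp.alpha-soft.com (SMTPD32-4.0) id AD6E4EE00C1; Thu, 04 Dec 1997 02:40:30 -0500
Received: from SMTP.XServer     (Smail4.1.19.1 #20) id m0wBzN7-009vdR; Thursday, December 4th, 1997
Received: from mail.apache.net(really [164/187]) by relay.comanche.com Tuesday, December 2nd, 1997
Subject: EMAIL MARKETING WORKS

(body omitted)
"""

RE_FROM = re.compile(r"^from\s+([^\s(]+)", re.I)   # "from host" or "from [ip]"
RE_BY = re.compile(r"\bby\s+([^\s(]+)", re.I)      # "by host"
RE_ID = re.compile(r"\bid\s+([^\s;]+)", re.I)      # queue id up to ';'


def parse_hop(header):
    """Pull the from/by/id fields out of one (possibly folded) Received header."""
    text = " ".join(header.split())
    m_from, m_by, m_id = RE_FROM.search(text), RE_BY.search(text), RE_ID.search(text)
    return {
        "from": m_from.group(1).strip("[]") if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "id": m_id.group(1) if m_id else None,
        "raw": text,
    }


def hops(raw_message):
    """Received headers in header order: index 0 is the most recent hop."""
    msg = message_from_string(raw_message)
    return [parse_hop(h) for h in msg.get_all("Received", [])]


def find_injection_point(hop_list, trusted):
    """Each hop says 'from X by Y'.  While Y is a host we trust, the hop is
    believable; the first believable hop whose X is not also trusted names the
    host that handed the message to our infrastructure.  Hops below that were
    written by the sender and cannot be verified.  Returns None if the chain
    of custody is broken before any source is found."""
    trusted = {h.lower() for h in trusted}
    for i, hop in enumerate(hop_list):
        if (hop["by"] or "").lower() not in trusted:
            return None
        if (hop["from"] or "").lower() not in trusted:
            return {"source": hop["from"], "hop_index": i,
                    "unverifiable": hop_list[i + 1:]}
    return None


def shared_queue_ids(raw_messages):
    """Queue ids an MTA assigns are unique per message, so an id that shows up
    in the Received headers of two different messages marks those headers as
    forged boilerplate the sender pasted in."""
    seen = {}
    for n, raw in enumerate(raw_messages):
        for hop in hops(raw):
            if hop["id"]:
                seen.setdefault(hop["id"], set()).add(n)
    return {qid for qid, msgs in seen.items() if len(msgs) > 1}


def reverse_lookup(ip):
    """PTR lookup for the injecting address; needs network, None offline."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    for raw in (SPAM_1, SPAM_2):
        src = find_injection_point(hops(raw), TRUSTED)
        print("injected from", src["source"], "rdns:", reverse_lookup(src["source"]))
    print("forged ids shared by both messages:", shared_queue_ids([SPAM_1, SPAM_2]))
```

Everything from the injection hop downward is untrusted data, so the script deliberately does not look up or act on the hostnames in those hops; the only address worth a complaint is the one the trusted relay itself recorded.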