identifying spam senders

UKworkshop.co.uk


RogerS

Been getting a lot of bounced back emails as a result of my email address being spoofed. One header is shown below...

From [email protected] Wed Feb 20 06:36:25 2008
Received: from host52-37-static.28-79-b.business.telecomitalia.it ([79.28.37.52]) by webnetvps.railsplayground.net with esmtp (Exim 4.68) (envelope-from <_ukisin>) id 1JRp7Y-0004U4-Dm for [email protected]; Wed, 20 Feb 2008 06:36:25 -0700
Message-ID: <000801c873c5_978fbbb0_34251c4f_at_AlpidueBANCONE>
From: "Zsolt Kemish" <_ukisin>
To: [email protected]
Subject: ukoyuias
Date: Wed, 20 Feb 2008 14:36:26 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--------=_NextPart_000_0004_01C873CD.F95423B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198


My (limited) understanding is that if you go high enough through the header you come to the site that originally sent the email, which in this case is alpiduebancone. But I can find no Google reference to any company such as this. Am I missing something here?

Pls note I had to fudge the message header to display alpiduebancone
 
Depends, generally mails will be sent by bots lurking on a dummy PC - so-called slave networks that have been in the news recently. For example, if your PC was infected it could send out spam without your knowledge with your PC as the original sender.

Steve.
 
I've always sent spam reports to the host IP, in this case 79.28.37.52

Result:
--------------------------------------------------------
Information related to '79.0.0.0 - 79.63.255.255'

inetnum: 79.0.0.0 - 79.63.255.255
org: ORG-TIN1-RIPE
netname: IT-TIN-20070221
descr: Telecom Italia Net
descr: Provider Local Registry
country: IT
admin-c: LV357-RIPE
tech-c: ES785-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: TIWS-MNT
mnt-routes: INTERB-MNT
source: RIPE # Filtered

organisation: ORG-TIN1-RIPE
org-name: Telecom Italia Net
org-type: LIR
address: Telecom Italia S.p.A.
Thomas Tozzi
VIA DI VAL CANNUTA 250
00166 ROME
IT
phone: +39 06 36881
fax-no: +39 06 36885566
admin-c: GP1340-RIPE
admin-c: TT616-RIPE
mnt-ref: TIWS-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: EASYIP STAFF
address: Via Val Cannuta, 250
address: I-00100 Roma
address: Italy
phone: +39 06 36881
fax-no: +39 06 36885661
remarks: trouble: Please report spam/abuse notification to
remarks: trouble: [email protected]

admin-c: LV357-RIPE
tech-c: CC297-RIPE
tech-c: VS4572-RIPE
nic-hdl: ES785-RIPE
source: RIPE # Filtered
abuse-mailbox: [email protected]

person: Luigi Vassallo
address: Telecom Italia
address: 00100 Roma
address: Italy
phone: +39-6-3688
fax-no: +39-6-3688
nic-hdl: LV357-RIPE
source: RIPE # Filtered
mnt-by: TIWS-MNT

% Information related to '79.28.0.0/16AS3269'

route: 79.28.0.0/16
descr: INTERBUSINESS
origin: AS3269
mnt-by: TIWS-MNT
mnt-routes: INTERB-MNT
source: RIPE # Filtered
---------------------------------
and let them deal with it. Mostly seems to work.

Ray.
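
As an added illustration (not part of any post in this thread): the 79.28.37.52 address used above comes from the Received line stamped by the recipient's own mail server, which is the one part of the header the sender does not write. This Python sketch assumes the Exim layout of the quoted header; the function names, the example.org addresses and the second, forged Received line are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the header quoted in the thread. Redacted
# addresses are example.org placeholders; the second Received line is an
# invented forgery of the kind a sender can prepend before delivery.
SAMPLE = """\
Received: from host52-37-static.28-79-b.business.telecomitalia.it ([79.28.37.52])
\tby webnetvps.railsplayground.net with esmtp (Exim 4.68)
\t(envelope-from <spoofed@example.org>) id 1JRp7Y-0004U4-Dm
\tfor victim@example.org; Wed, 20 Feb 2008 06:36:25 -0700
Received: from mail.bank.example ([192.0.2.10])
\tby relay.bank.example; Wed, 20 Feb 2008 14:36:20 +0100
Message-ID: <000801c873c5_978fbbb0_34251c4f_at_AlpidueBANCONE>
From: "Zsolt Kemish" <spoofed@example.org>
Subject: ukoyuias

body
"""

# Matches the "from <name> ([ip]) by <host>" layout of the quoted header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>[^\s;]+)")


def trusted_hops(raw, our_mtas):
    """Return (ip, claimed_name, recorded_by) for Received lines stamped by
    servers in our_mtas. Lines stamped by anyone else are sender-controlled,
    as are From, Message-ID and X-Mailer, so they are ignored."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m.group("by").lower() not in our_mtas:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address literal
        hops.append((str(ip), m.group("name"), m.group("by")))
    return hops


def report_ip(raw, our_mtas):
    """First public address that connected to one of our servers, or None."""
    for ip, _name, _by in trusted_hops(raw, our_mtas):
        if not ipaddress.ip_address(ip).is_private:
            return ip
    return None
```

Calling `report_ip(SAMPLE, {"webnetvps.railsplayground.net"})` yields the address to look up in whois; the forged relay line and the Message-ID text play no part in the result.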
 
Roger,

I've always found Demon to be the worst for spam. Years back I used to use them a lot and got hundreds of spam emails. I thought they might have improved but recently my company moved ISP to them. Since that move I've received loads more spam.

Dave
 
I am on Plusnet and since their new spam trap at the start of the year I have only had 1 spam message; I was getting 20-30 a day.
 
Post the emails you get to www.spamcop.net

They automatically find and send a report to the ISPs the email originated from and who host websites advertised in a mail, if any. It's very effective and free of cost.
 
Interesting comments re Demon and Plusnet...

I get about the same number from each...at around 10-20 a day.

I was in the local pub tonight and the barman had his laptop out. Flashing away was a sign saying Critical Error - blah de blah. I asked him if he'd seen it and he said Yes but he didn't understand computers and it was his girlfriend's computer anyway. I saw he had Norton - spit - and offered to check it out for him.

Turned out that they'd never updated Norton in the year they'd had it and the subscription had expired.

This is why the spam botnets can work....because there are enough thick dozy sods like him around. Well, that's what I told him.
 
RogerS said:
This is why the spam botnets can work....because there are enough thick dozy sods like him around. Well, that's what I told him.

Are you now barred?
 
