Thread: Email tracking

    #1 funky munky

    Email tracking


    Does anyone know of a method for determining who owns an IP address given that the IP address won't resolve to a fully qualified domain name (ie like jo.blo.com) (*on linux btw!*).

    I keep getting these dodgy emails with bad 'from' headers about buying your own university diplomas or something. The headers are like this:
    Code:
    From diplomas@advanced_careers Tue, 06 Nov 2001 19:40:49 -0800
    Received: from [194.78.170.27] by hotmail.com (3.2) with ESMTP id MHotMailBDB1D370002F40043716C24EAA1B9C6F1487; Tue, 06 Nov 2001 19:39:56 -0800
    Message-ID: <1UJb1A7XXyK7Ps.uf4GMYY43LGKrSc@fLBa3cxPQ5qyh2.>
    From: diplomas@advanced_careers <diplomas@advanced_careers>
    Bcc:
    To:ockhams_razor@hotmail.com
    To:ockham99@hotmail.com
    To:ockham57@hotmail.com
    To:ockham182@hotmail.com
    To:ockham_razer@hotmail.com
    Subject: Get your Bachelors, Masters or PhD right now.
    Date: Fri, 16 Nov 2001 21:38:51 -0400 (EDT)
    MIME-Version: 1.0
    Content-Type: text/plain; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit

    as you can see the from header is spoofed up and whilst this address: 194.78.170.27 *does* resolve to a fqdn/canonical name, another mail they sent has this source:
    Code:
    From udp@degree_program Wed, 14 Nov 2001 08:33:18 -0800
    Received: from [196.40.61.34] by hotmail.com (3.2) with ESMTP id MHotMailBDBBE3940016400438DAC4283D2295EF130; Wed, 14 Nov 2001 08:31:51 -0800
    Message-ID: <POLlO9hr1SyzuuTCec84DaGQRLNLPj@WZx2Xw5E32lE_6z>
    From: udp@degree_program <udp@degree_program>
    Bcc:
    To:ockhams_razor@hotmail.com
    To:ockham99@hotmail.com
    To:ockham57@hotmail.com
    To:ockham182@hotmail.com
    To:ockham_razer@hotmail.com
    Subject: The University Degree Program
    Date: Sat, 24 Nov 2001 10:30:57 -0400 (EDT)
    MIME-Version: 1.0
    Content-Type: text/plain; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit
    
    U N I V E R S I T Y   D I P L O M A S
    
    Obtain a prosperous future, money earning power,
    and the admiration of all.
    
    Diplomas from prestigious non-accredited
    universities based on your present knowledge
    and life experience.
    
    No required tests, classes, books, or interviews.
    
    Bachelors, masters, MBA, and doctorate (PhD)
    diplomas available in the field of your choice.
    
    No one is turned down.
    
    Confidentiality assured.
    
    CALL NOW to receive your diploma
    within days!!!
    
    1 - 2 1 4 - 8 5 3 - 4 3 5 7
                or
    1 - 4 1 2 - 2 9 1 - 1 5 1 5
    
    Call 24 hours a day, 7 days a week, including
    Sundays and holidays.

    (message included in that one ;\) Trouble is that IP addy doesn't resolve to a name... just wondering if there's anything worth doing.

    Can anyone tell I'm bored?
    #2 Senior Member

    IP SPOOFING, NOT REALLY!!!


    Hi

    what do you mean it does not resolve............

    This is a report from my mail server's filtering system, this same (IP, mail daemon)
    has tried to attack my server almost 4,000 times in the last 30 days.....

    It is a known spam relaying server.....


    This is just me logging into my server to pull the real MX lookup for the IP you showed in your message........


    MAPS RBL+#report

    REQUEST+OK

    USER+OK

    PASS+OK

    VERIFY+OK

    CHECK SMTP#196.40.61.34

    WARNING

    IP RANGE 196.40.0.0 - 196.40.79.255

    Found in database

    Listing: Mail Server Spam Bot

    Server Software: delistmo ESMTP service MDaemon v2.8.5.0 R

    ROUTING RULE

    ACCESS DENIED

    IP RANGE 196.40.0.0 - 196.40.79.255


    LAST 30 DAYS

    sent 1,953 denied 1,953


    NET NAME: RACSA.DOM, racsa.com

    mail.racsa.net.

    pop.racsa.net.


    MAPS RBL+QUIT

    QUIT+OK

    connection closed

    F!
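Before chasing the owner of an address, it is worth being precise about which address the headers in post #1 actually point at, and whether it sits in the range the report in post #2 flags. The script below is an added example written for this thread, not code posted by anyone in it. It feeds the quoted headers (constructed here from post #1, bodies dropped) through Python's email parser, pulls the peer address out of the Received: line that hotmail.com wrote, measures how far the forged Date: header runs ahead of the real arrival time, and tests the address against the 196.40.0.0 - 196.40.79.255 range from post #2, also converting that range into the CIDR prefixes a firewall or MTA rule would need.

```python
"""Triage the spam headers quoted in post #1: find the IP hotmail.com actually
accepted the message from, compare the sender's Date: header with the Received:
timestamp, and check the IP against the range the RBL report in post #2 lists.
All sample data below is constructed from the headers quoted in the thread."""
import ipaddress
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed samples: the two header blocks from post #1 (bodies dropped, To: list trimmed).
SAMPLE_MESSAGES = [
    "From diplomas@advanced_careers Tue, 06 Nov 2001 19:40:49 -0800\n"
    "Received: from [194.78.170.27] by hotmail.com (3.2) with ESMTP id "
    "MHotMailBDB1D370002F40043716C24EAA1B9C6F1487; Tue, 06 Nov 2001 19:39:56 -0800\n"
    "From: diplomas@advanced_careers <diplomas@advanced_careers>\n"
    "To:ockhams_razor@hotmail.com\n"
    "Subject: Get your Bachelors, Masters or PhD right now.\n"
    "Date: Fri, 16 Nov 2001 21:38:51 -0400 (EDT)\n"
    "\n",
    "From udp@degree_program Wed, 14 Nov 2001 08:33:18 -0800\n"
    "Received: from [196.40.61.34] by hotmail.com (3.2) with ESMTP id "
    "MHotMailBDBBE3940016400438DAC4283D2295EF130; Wed, 14 Nov 2001 08:31:51 -0800\n"
    "From: udp@degree_program <udp@degree_program>\n"
    "To:ockhams_razor@hotmail.com\n"
    "Subject: The University Degree Program\n"
    "Date: Sat, 24 Nov 2001 10:30:57 -0400 (EDT)\n"
    "\n",
]

# The range the RBL report in post #2 flagged, as (first address, last address).
LISTED_RANGES: List[Tuple[str, str]] = [("196.40.0.0", "196.40.79.255")]

# Matches the bracketed peer address in a "Received: from [a.b.c.d] by ..." header.
RECEIVED_IP = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message: str) -> Optional[str]:
    """Return the peer address named in the topmost Received: header.

    Each relay prepends its own Received: line, so the top one was written by the
    final, trusted server (hotmail.com here) and records the host it accepted the
    message from. Any Received: line below it could have been forged by the sender,
    which is why only this first trusted hop is worth reporting."""
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received") or []:
        match = RECEIVED_IP.search(hop)
        if match:
            return match.group(1)
    return None


def date_skew(raw_message: str) -> timedelta:
    """How far the sender's Date: header runs ahead of the time the trusted server
    actually received the message. A skew of days is itself a forgery tell."""
    msg = message_from_string(raw_message)
    # The timestamp is the part of the Received: header after the last semicolon.
    arrived = parsedate_to_datetime(msg["Received"].rsplit(";", 1)[1].strip())
    claimed = parsedate_to_datetime(msg["Date"])
    return claimed - arrived


def in_listed_range(ip: str, ranges: List[Tuple[str, str]] = LISTED_RANGES) -> bool:
    """True if ip lies inside any (first, last) range on the block list."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def cidr_blocks(first: str, last: str) -> List[str]:
    """Turn a first-last range into the CIDR prefixes a firewall or MTA rule needs."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def triage(raw_message: str) -> Dict[str, object]:
    """One summary per message: reportable IP, listed or not, and Date: skew in days."""
    ip = originating_ip(raw_message)
    return {
        "ip": ip,
        "listed": ip is not None and in_listed_range(ip),
        "date_skew_days": date_skew(raw_message).days,
    }


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(triage(raw))
    print(cidr_blocks(*LISTED_RANGES[0]))
```

Run as-is it reports 194.78.170.27 (not in the listed range) and 196.40.61.34 (listed), and both messages carry a Date: header roughly ten days later than hotmail.com's own Received: stamp, so the Date: is no more trustworthy than the From:. The IP from the trusted Received: line is the only thing in these headers worth putting in an abuse report.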
    #3 Contributing User

    >> a method for determining who owns an IP address

    Just go to http://www.name-space.com/search/ and run a Smart Whois search anonymously.

    >> given that the IP address won't resolve to a fully qualified domain name

    At least 30% of IPs don't resolve to a hostname when doing a reverse DNS lookup. And like Fataqui said, that has nothing to do with IP spoofing. In fact, spammers just need to find out an open relay mail server (194.78.170.27 and 196.40.61.34 likely are open relay) to spam.

    BTW, you can safely deny connection to mail servers that are open relays.

    Go to http://www.abuse.net/relay.html and test out those IPs yourself. Or go here -> http://www.abuse.net/cgi-bin/relayte...1.34&ALIAS=YES
    #4 funky munky

    'IP spoofing'???


    oi oi saveloy, didn't say anything about IP spoofing in my post! Just that the from field was spoofed is all, perhaps a lax choice of wording.

    I'll be on later tonight, paying for online time atm so gotta be off for now!

    thanx freebsd, fataqui (very interesting, what you say, will comment later;\)
    #5 funky munky

    hi back on again...

    fataqui: what do you mean it does not resolve............

    I just meant that the IP address is not resolvable into a FQDN is all and so it isn't obvious exactly who owns the IP range (ie if it resolved to ppp213-1-2-3.bt.com, I'd have a better idea who to file an abuse complaint to).

    So you've had trouble from relay servers in that address range too... mmm, interesting... I'm about to check it out with the links freebsd posted and when I get a result I'll probably mail an abuse complaint (for what good it'll do;\).

    It's just a little annoying - not a major issue for me at all to be honest, I was more curious about how/what UNIX tools (dig?) to do the job of tracing an IP address down to the owner, given that it doesn't resolve to a FQDN - that's all! Not to worry, thanx for the posts anyway...
    #6 Junior Member

    little idea


    I have a little idea about investigation of IPs.
    Just use the following command (on UNIX):
    Code:
    whois 194.78.170.27@whois.ripe.net
    or via web interface:
    http://www.ripe.net/perl/whois
    (all above for European IPs)
    For US or Asian IPs go to www.internic.net
    #7 funky munky

    cheers romeo - sounds like a similar approach to the link freebsd gave above - I was more curious about how you'd go about doing it 'manually' ie with tools like nslookup or dig. Thanx for the reply anyway.
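Since the question in posts #5 and #7 is how to do this "manually", here is what `dig -x` and the `whois` command from post #6 are doing under the hood, as an added example written for this thread rather than code from any poster. It builds the in-addr.arpa name the resolver asks for, tries the PTR lookup, and speaks the whois protocol itself (RFC 3912: open TCP port 43, send the query followed by CRLF, read until the server closes) to a registry server, then picks the attributes an abuse report needs out of the reply. The registry server name is taken from post #6; the sample reply used to exercise the parser offline is constructed here with placeholder values and is not real registry output.

```python
"""Do by hand what `dig -x` and `whois` do: build the reverse (PTR) name for an
address, ask the resolver for it, and query a registry over the whois protocol
(RFC 3912). The reply parser is exercised on a constructed RIPE-style reply so it
can be checked offline; the server default and the sample reply are assumptions."""
import ipaddress
import socket
import sys
from typing import Dict, Optional

WHOIS_PORT = 43  # RFC 3912


def reverse_name(ip: str) -> str:
    """The in-addr.arpa (or ip6.arpa) name a resolver queries for a PTR record.
    This is the name `dig -x <ip>` constructs for you."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup(ip: str) -> Optional[str]:
    """Ask the system resolver for the PTR; None when no name exists, which is
    exactly the situation the thread is about."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def whois_query(query: str, server: str, timeout: float = 10.0) -> str:
    """Raw RFC 3912 exchange: one TCP connection, one line out, read to EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Attributes worth extracting for an abuse report (RIPE-style key names).
INTERESTING = ("inetnum", "netname", "descr", "country", "abuse-mailbox")


def parse_whois(text: str) -> Dict[str, str]:
    """Pick the interesting attributes out of a "key: value" style reply.
    Comment lines (% or #) are skipped; the first occurrence of each key wins,
    because the most specific object is listed first."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in INTERESTING and key not in found:
            found[key] = value.strip()
    return found


# Constructed sample reply in RIPE's attribute layout. Every value is a placeholder,
# not what the registry returns for the addresses discussed in the thread.
SAMPLE_REPLY = """\
% This is a constructed sample, not real registry output.
inetnum:        194.78.0.0 - 194.78.255.255
netname:        EXAMPLE-NET
descr:          Example ISP (placeholder)
country:        XX
admin-c:        EX1-RIPE
abuse-mailbox:  abuse@example.net
status:         ALLOCATED PA

inetnum:        194.0.0.0 - 194.255.255.255
netname:        EXAMPLE-PARENT-BLOCK
"""

if __name__ == "__main__":
    # Usage: python whois_by_hand.py <ip> [whois-server]; defaults are from the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "196.40.61.34"
    server = sys.argv[2] if len(sys.argv) > 2 else "whois.ripe.net"
    print("PTR name :", reverse_name(target))
    print("resolves :", reverse_lookup(target) or "(no PTR record)")
    print("whois    :", parse_whois(whois_query(target, server)))
```

With the stock command-line tools the same two steps are `dig -x 196.40.61.34` (which queries the PTR record at the name reverse_name() builds) and `whois -h whois.ripe.net 194.78.170.27` (the `-h` flag selecting the server, equivalent to the `address@server` form in post #6 on clients that accept it). A registry only holds objects for the blocks it administers, so when the reply carries none of the interesting attributes the address belongs to another registry and the query should be repeated against that one, which is the point post #6 makes about ripe.net versus internic.net.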
