Simple Relay

TRACING THROUGH A SIMPLE RELAY 
Original Header:

Received: from megahit.co.kr ([210.107.74.2]) by mtiwgwc04.worldnet.att.net
(InterMail v03.02.07 118 124) with SMTP
id <19990514053256.UMBX27324@megahit.co.kr> for <XXXXXX@xxx.xxx>;
Fri, 14 May 1999 05:32:56 +0000
Received: from 837GnFnxB (unverified [142.194.155.232]) by megahit.co.kr
(EMWAC SMTPRS 0.83) with SMTP id <B0000018141@megahit.co.kr>;
Fri, 14 May 1999 14:32:33 +0900
DATE: 14 May 99 1:38:35 AM
FROM:
Message-ID: <faq0NnsL1vY0zH3>
SUBJECT: ADV: Tremendous Payouts! Are YOU the Next Big Winner?

Relevant Parts of the Header:

To Determine the Sender:

Perform a reverse DNS (rDNS) lookup on the first IP address shown:

From the PC based Sam Spade:

nslookup 210.107.74.2
Canonical name: megahit.co.kr
Addresses:
210.107.74.2

This matches the named server in the first Received line.

But there is a slight twist:
From the web based Sam Spade:

Official name: ns.leeyangil.co.kr
Addresses: 210.107.74.2

The next step is to see if that server will act as a third-party relay. Using the web-based Sam Spade relay check:

X-Envelope-Sender: Read_www.blighty.com_slash_relay.html@[210.107.74.2]
X-Envelope-Recipient: read_www.blighty.com_slash_relay.html@blighty.com
Received: (qmail 26191 invoked from network); 16 May 1999 22:45:05 -0000
Received: from ns.leeyangil.co.kr (HELO megahit.co.kr) (210.107.74.2)
  by blighty.com with SMTP; 16 May 1999 22:45:05 -0000
Received: from [210.107.74.2] (unverified [206.117.161.80]) by megahit.co.kr
 (EMWAC SMTPRS 0.83) with SMTP id <B0000020013@megahit.co.kr>;
 Mon, 17 May 1999 07:44:37 +0900
Date: Mon, 17 May 1999 07:44:37 +0900
Message-ID: <B0000020013@megahit.co.kr>
To: bitbucket@blighty.com

Third party relay test - see http://www.blighty.com/relay/
User:  Server: 210.107.74.2


This tells us that the named server ns.leeyangil.co.kr actually identifies itself (HELOs) as megahit.co.kr:

Received: from ns.leeyangil.co.kr (HELO megahit.co.kr) (210.107.74.2)

The two lookups from Sam Spade listed both of these server names as being associated with IP address 210.107.74.2.

The machine is running qmail, so it may have trouble correctly identifying the sending server. The second Received: line says that megahit.co.kr received the mail from 210.107.74.2, which is its own IP address. But, looking closely at both headers, each also gives a second IP address, shown as "unverified":

Spam Header:

Received: from 837GnFnxB (unverified [142.194.155.232]) by megahit.co.kr

Relay Check Header:

Received: from [210.107.74.2] (unverified [206.117.161.80]) by megahit.co.kr


Do an IP lookup on the Relay Header "unverified" IP Address:

nslookup 206.117.161.80
Canonical name: blighty.com
Addresses:
206.117.161.80

The "unverified" IP Address shown correctly identified the server that sent the relay check. It would be fair to assume that the "unverified" IP Address in the spam header is also correct.

Do an IP lookup on the spam Header "unverified" IP Address:

nslookup 142.194.155.232
Canonical name: d232-sc101h1-stct-pdi.attcanada.net
Addresses:
142.194.155.232

The spam appears to have originated from attcanada.net.

Verify the reporting address:

whois -h whois.abuse.net attcanada.net ...
abuse@attcanada.net

In a case like this, be sure to state in your complaint how you arrived at attcanada.net, and acknowledge that the IP Address is unverified.

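As an added worked example (not code from the original page, from Sam Spade, or from the relay-check service), the tracing steps above can be automated. The script unfolds the Received: lines, records for each hop the name the sending host claimed, the IP the receiving MTA actually saw (preferring an "unverified" IP where EMWAC records one), and the HELO name that qmail writes in parentheses, then compares the claimed name against reverse DNS the way the relay check did. The header text and the reverse-DNS table are copied from this page so the example runs offline (the 210.107.74.2 entry uses the web-based Sam Spade answer); `live_rdns` is the drop-in replacement for a real lookup, and the domain extraction is a naive last-two-labels heuristic that is an assumption of this example, not something the page states.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# The two Received: lines of the spam header shown on the page, re-folded with the
# leading whitespace that RFC 822 continuation lines carry (the page's copy lost it).
SPAM_HEADER = """\
Received: from megahit.co.kr ([210.107.74.2]) by mtiwgwc04.worldnet.att.net
 (InterMail v03.02.07 118 124) with SMTP
 id <19990514053256.UMBX27324@megahit.co.kr> for <XXXXXX@xxx.xxx>;
 Fri, 14 May 1999 05:32:56 +0000
Received: from 837GnFnxB (unverified [142.194.155.232]) by megahit.co.kr
 (EMWAC SMTPRS 0.83) with SMTP id <B0000018141@megahit.co.kr>;
 Fri, 14 May 1999 14:32:33 +0900
"""

# The Received: lines from the page's relay-check result (qmail and EMWAC formats).
RELAY_HEADER = """\
Received: (qmail 26191 invoked from network); 16 May 1999 22:45:05 -0000
Received: from ns.leeyangil.co.kr (HELO megahit.co.kr) (210.107.74.2)
  by blighty.com with SMTP; 16 May 1999 22:45:05 -0000
Received: from [210.107.74.2] (unverified [206.117.161.80]) by megahit.co.kr
 (EMWAC SMTPRS 0.83) with SMTP id <B0000020013@megahit.co.kr>;
 Mon, 17 May 1999 07:44:37 +0900
"""

# Reverse-DNS answers copied from the page's nslookup output so the example runs
# offline; 210.107.74.2 uses the web-based Sam Spade answer (the PC tool said megahit.co.kr).
PAGE_LOOKUPS: Dict[str, str] = {
    "210.107.74.2": "ns.leeyangil.co.kr",
    "206.117.161.80": "blighty.com",
    "142.194.155.232": "d232-sc101h1-stct-pdi.attcanada.net",
}

IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"
Resolver = Callable[[str], Optional[str]]  # ip -> PTR name, or None when unknown


@dataclass
class Hop:
    claimed: str          # name in the "from" clause (HELO name, or the receiver's rDNS)
    helo: Optional[str]   # explicit "(HELO x)" when the receiver records both (qmail)
    ip: Optional[str]     # connecting IP the receiving MTA saw
    unverified: bool      # receiver flagged the IP as unverified (EMWAC style)
    by: str               # receiving MTA


def unfold(header_text: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header line."""
    lines: List[str] = []
    for raw in header_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_received(header_text: str) -> List[Hop]:
    """Return the Received: hops in header order (most recent first)."""
    hops: List[Hop] = []
    for line in unfold(header_text):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1]
        m_from = re.search(r"\bfrom\s+(\S+)", body)
        m_by = re.search(r"\bby\s+(\S+)", body)
        if not m_from or not m_by:
            continue  # qmail's "(qmail N invoked from network)" line names no peer
        m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", body, re.I)
        m_unv = re.search(r"unverified\s*\[" + IP_RE + r"\]", body, re.I)
        m_ip = m_unv or re.search(r"[\[(]" + IP_RE + r"[\])]", body)
        hops.append(Hop(claimed=m_from.group(1), helo=m_helo.group(1) if m_helo else None,
                        ip=m_ip.group(1) if m_ip else None, unverified=bool(m_unv),
                        by=m_by.group(1)))
    return hops


def live_rdns(ip: str) -> Optional[str]:
    """Real PTR lookup for use outside the offline demo; None when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_hop(hop: Hop, rdns: Resolver) -> dict:
    """Compare what the sending host claimed (HELO) with what its IP resolves to."""
    ptr = rdns(hop.ip) if hop.ip else None
    claimed = hop.helo or hop.claimed
    return {"ip": hop.ip, "claimed": claimed, "ptr": ptr, "unverified": hop.unverified,
            "helo_matches_ptr": ptr is not None and ptr.lower() == claimed.lower()}


def trace_origin(hops: List[Hop], rdns: Resolver) -> dict:
    """The last Received: line is the earliest hop; its recorded IP is the origin evidence."""
    origin = check_hop(hops[-1], rdns)
    origin["relay"] = hops[-1].by
    # Naive last-two-labels heuristic (assumption of this example; wrong for e.g. .co.kr).
    origin["domain"] = ".".join(origin["ptr"].split(".")[-2:]) if origin["ptr"] else None
    return origin


if __name__ == "__main__":
    for hop in parse_received(RELAY_HEADER):
        print(check_hop(hop, PAGE_LOOKUPS.get))
    print(trace_origin(parse_received(SPAM_HEADER), PAGE_LOOKUPS.get))
```

Run as a script it prints the per-hop check for the relay test (the first hop shows the HELO name megahit.co.kr disagreeing with the PTR name ns.leeyangil.co.kr) and the origin record for the spam, which carries `unverified: True` alongside the attcanada.net result; that flag is exactly the caveat the complaint should state. Swap `PAGE_LOOKUPS.get` for `live_rdns` to run the same checks against real DNS.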
Questions or problems regarding this web site should be directed to marjie1@att.net
Note: TINW
Copyright © 1999 All rights reserved. 
Last modified: Sunday September 12, 1999.