analysis of the header starts from top to bottom. The first Received: line you get is the "trusted" line
from your provider. You can almost
*always* trust this line. The further
you get down the Received: lines the less you can trust the information.
>Received: from cpimssmtpc05.msn.com - 220.127.116.11 by email.msn.com with
> Sat, 19 May 2001 12:22:21 -0700
Received at your provider from email.msn.com. Essentially you can "trust" these machines because they are from your provider.
>Received: from mta1.tm.net.my ([18.104.22.168]) by cpimssmtpc05.msn.com
>with Microsoft SMTPSVC(5.0.2195.3225);
> Sat, 19 May 2001 12:22:18 -0700
Received at cpimssmtpc05.msn.com from 22.214.171.124. You cannot trust the "mta1.tm.net.my" because it is outside the parenthesis that has the IP addresses. Now we go to Sam Spade ( http://samspade.org/t/ ), put in the IP address 126.96.36.199 into the top slot, click on ipblock and traceroute and click on "Do Stuff". This tells us where the real address is:
Official name: mta1.tm.net.my
If the "contact" information is in the United States or the spam is in English then the fact that this address is outside the United States typically means that the spammer is abusing an open SMTP (mail) server. Specifically this one is in Malaysia (the .my part of the address). This spammer knows some tricks apparently. So I complain to email@example.com and tell them that they should close their open SMTP server. That is a start to killing off your spammer.
>Received: from trooper.tm.net.my ([188.8.131.52]) by mta1.tm.net.my
> (InterMail v03.02.05 118 121 101) with ESMTP
> id <20010510183454.HBRJ16950@trooper.tm.net.my>;
> Fri, 11 May 2001 02:34:54 +0800
Next we see that the message *actually* came from trooper.tm.net.my to the server mta1.tm.net.my. These mail messages are handed along in a fire bucket brigade fashion, the link from machine to machine should never break. So I would tell firstname.lastname@example.org that the open SMTP server that they have is specifically trooper.tm.net.my, and that it should be secured. Like so:
email@example.com - Your SMTP mail server trooper.tm.net.my ([184.108.40.206]) was used as a mule to pass (and waste your system resources) this e-mail on to me. You can stop your SMTP port from allowing rerouting of e-mail back outside of your domain if you wish to. FYI only. Info on how to block your server, see:
http://www.abuse.net/relay.html - Test for server vulnerability
>Received: from arauco.bomberos.cl (ip161.chicago31.il.pub-ip.psi.net
> by trooper.tm.net.my (8.8.8+Sun/8.8.8) with SMTP id CAA05488;
> Fri, 11 May 2001 02:15:42 +0800 (SGT)
O.K... *Now* we have the spammer in our clutches. Note that we have in the received: line:
arauco.bomberos.cl (ip161.chicago31.il.pub-ip.psi.net [220.127.116.11])
The spammer "named" their machine "arauco.bomberos.cl", but notice that this portion is outside the parenthesis. Inside the parenthesis we find ip161.chicago31.il.pub-ip.psi.net [18.104.22.168]. This is where the spammer actually resides. So complain to psi.net. We can also assume that the spammer lives somewhere in the Chicago area.
>Subject: Spam: Rates DROPPED! Free Mortgage Loan Analysis. No obligation!
>Date: Fri, 11 May 2001 13:01:31 -0500
>X-OriginalArrivalTime: 19 May 2001 19:22:19.0278 (UTC)
All the above can be easily faked. Now onto the HTML. Lets see if we can get the spammers e-mail or web site shut down.
><META content=3D"Microsoft FrontPage 4.0" name=3DGENERATOR>
><META content=3D"Cheryl N Knowles" name=3DAuthor>
Look. They were kind enough to leave us their name. So maybe you want to look up Cheryl N Knowles in the Chicago area and give them a call :-) ...
><!-- CHANGE EMAIL ADDRESS IN ACTION OF FORM --><FORM name=3D"form" method=3D=
O.K... They have attempted to "encrypt" their e-mail return address here, but Sam Spade is your buddy. Paste this into the "Obfuscated URL" portion and it will magically turn it into plain text for you to see. I paste the following portion (take the "=" signs off the end of the lines, they are put in by the software that mailed this to me) in:
Sam Spade comes back with mailto:firstname.lastname@example.org?subject=Mort-Loan ... Now we have a somewhere to complain to. First go to www.uole.com and see if the web site "looks" like the spammer. It looks like www.uole.com is a provider of some sort, so send a complaint to email@example.com (the "standard" complaint address) and see what comes back. if you get back a message confirming receipt of your complaint, or no message back at all them the complaint probably went thru OK. There is also an address firstname.lastname@example.org (bottom of the page). You might want to send the complaint to them also.
Obviously this spammer is experienced (but not too bright if they leave their name in the HTML code of the message) and is using throw away accounts for their spam.
></b>Click on the below link to be exclude from further communication.</fon=
><b><a href=3D"mailto:email@example.com?subject=3DDelete-Mort">Click Here</a>=
NEVER never never reply to a "Remove Me" link. That only confirms that your e-mail address is "live" and it will then get passed along to other spammers.
You can, however, complain to uole.com about this address also to get it canceled.