- Tracing spammer - please help
- Posted by Neil Hindry on March 20th, 2006
I wonder if you can help me.
I have been receiving spam of late and I want to report the sender to their
ISP but I have a problem. I have looked at the header of the email to see
who it is from but what I do not know is how to find out what ISP the
spammer is using to send the spam.
For example I have a message with the following header (I am pasting just
the relevant information):-
Return-path: <support@hindry.org>
Received: from [200.250.218.247] (helo=2F31F468)
by feynman.zen.co.uk with smtp (Exim 4.43)
id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
Received: from featherbrain.chocofan.com (elastomer.chocofan.com
[12.32.12.51])
by pgawtn.com with SMTP id T7NAUCQN5F
How do I find out which ISP is hosting the name chocofan.com for a customer?
As it is possible that the name could be forged I need to check out the IP
address. How do I find out who is hosting the IP address for the customer
(in this case is 200.250.218.247 the correct IP address)?
Is there any other information that you think will be useful to me in trying
to trace the spammer and complain to their ISP?
I apologise if I have used the incorrect terminology.
I hope you can help me.
I appreciate any help or information given.
Thanks
- Posted by Hans-Stefan Suhle on March 20th, 2006
Neil Hindry wrote:
hss@athlon:~> whois 200.250.218.247
% Copyright registro.br
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to domain name and IP number registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2006-03-20 14:25:23 (BRT -03:00)
inetnum: 200.250.218/24
aut-num: AS4230
abuse-c: GSE6
owner: Net Sul Comunicações Ltda.
ownerid: 073.676.512/0001-46
responsible: Lauro Fernando Costa Barbosa
address: Silveiro, 1111, 3º andar
address: 90850-000 - Porto Alegre - RS
phone: (51) 3218-7210 []
owner-c: LFB
tech-c: LFB
created: 20051114
changed: 20051114
inetnum-up: 200.250/16
nic-hdl-br: GSE6
person: Grupo de Segurança Internet da Embratel
e-mail: abuse@embratel.net.br
created: 20001005
changed: 20001005
nic-hdl-br: LFB
person: Lauro Fernando Costa Barbosa
e-mail: abuse@poa.virtua.com.br
created: 19971218
changed: 20040910
remarks: Security issues should also be addressed to
remarks: cert@cert.br, http://www.cert.br/
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse@cert.br
% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.
- Posted by Martin on March 20th, 2006
Neil Hindry wrote:
If you can't do lookups yourself, start with
http://www.samspade.org
Just put your IP address in and press "Do Stuff".
It's a good starting point. Pop over news.admin.net-abuse.email and they
will help as well
Good luck
- Posted by Don Taylor on March 20th, 2006
"Neil Hindry" <n_nospam_hindry@_nospam_hotmail.com> writes:
Top most Received ip address 200.250.218.247
(now I don't see a reverse confirmation so that can be forged,
but I don't think folks in that ip range even bother forging)
Most of the 200.x.x.x block is Latin America.
So hop over to
http://lacnic.net/en/index.html
pop ip address into the Whois box
and you get
inetnum: 200.250.218/24
aut-num: AS4230
abuse-c: GSE6
owner: Net Sul Comunicações Ltda.
ownerid: 073.676.512/0001-46
responsible: Lauro Fernando Costa Barbosa
address: Silveiro, 1111, 3º andar
address: 90850-000 - Porto Alegre - RS
phone: (51) 3218-7210 []
....
nic-hdl-br: GSE6
person: Grupo de Segurança Internet da Embratel
e-mail: abuse@embratel.net.br
created: 20001005
changed: 20001005
nic-hdl-br: LFB
person: Lauro Fernando Costa Barbosa
e-mail: abuse@poa.virtua.com.br
created: 19971218
changed: 20040910
remarks: Security issues should also be addressed to
remarks: cert@cert.br, http://www.cert.br/
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse@cert.br
So you can throw a complaint at embratel.net.br and cert.br
but in my years of experience you will probably have more
luck flapping your arms and flying.
lacnic.net/en/index.html for south america
www.afrinic.net for africa
www.ripe.net for europe/eastern europe
www.apnic.net for pacific/asia
www.arin.net/whois/index.html for north america
There are other ways to get this information, some will think
their way is the best way, I have no reason to argue with them.
I hope that some of what I've written here helps out.
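Once the whois answer is in hand, the part worth extracting is the abuse contact, which registro.br (and the RIPE-style registries) express as a handle (`abuse-c: GSE6`) that is only expanded into an e-mail address in a later object of the same answer. The script below is an added example, not code from any poster; it parses the record quoted above (embedded as a constructed sample trimmed to the fields it uses) and pulls out the network, its AS, and the addresses a complaint should go to. It assumes the `key: value` object layout used by registro.br and LACNIC and reads only a string, so it makes no network query itself.

```python
import re

# Constructed sample: the registro.br answer for 200.250.218.247 as quoted in
# the thread, trimmed to the fields this parser uses (not a live query).
SAMPLE_WHOIS = """\
% Copyright registro.br
% 2006-03-20 14:25:23 (BRT -03:00)
inetnum:     200.250.218/24
aut-num:     AS4230
abuse-c:     GSE6
owner:       Net Sul Comunicações Ltda.
responsible: Lauro Fernando Costa Barbosa
owner-c:     LFB
tech-c:      LFB
inetnum-up:  200.250/16

nic-hdl-br:  GSE6
person:      Grupo de Segurança Internet da Embratel
e-mail:      abuse@embratel.net.br

nic-hdl-br:  LFB
person:      Lauro Fernando Costa Barbosa
e-mail:      abuse@poa.virtua.com.br
remarks:     Security issues should also be addressed to
remarks:     cert@cert.br, http://www.cert.br/
remarks:     Mail abuse issues should also be addressed to
remarks:     mail-abuse@cert.br
"""

FIELD_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """Split RPSL-style output into objects: lists of (key, value) pairs.
    Blank lines separate objects; lines starting with '%' are server chatter.
    Keys such as 'remarks' repeat, so pairs are kept rather than a dict."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        m = FIELD_RE.match(line)
        if m:
            current.append((m.group(1).lower(), m.group(2).strip()))
    if current:
        objects.append(current)
    return objects


def abuse_contacts(text):
    """Find who to complain to.

    The network object names contacts by handle (abuse-c, owner-c, tech-c);
    each handle is expanded in a later object keyed by nic-hdl-br (registro.br)
    or nic-hdl (RIPE/APNIC style). E-mail addresses are taken from the
    contact's e-mail/abuse-mailbox fields and from addresses inside remarks,
    which is where registro.br puts the CERT addresses.
    """
    objects = parse_whois(text)
    net = next((dict(o) for o in objects if any(k == "inetnum" for k, _ in o)), None)
    if net is None:
        raise ValueError("no inetnum object in whois output")

    handles = {}
    for obj in objects:
        for key, value in obj:
            if key in ("nic-hdl-br", "nic-hdl"):
                handles[value] = obj

    def emails_of(handle):
        return [e for k, v in handles.get(handle, [])
                if k in ("e-mail", "abuse-mailbox", "remarks")
                for e in EMAIL_RE.findall(v)]

    abuse, other = [], []
    for role in ("abuse-c", "owner-c", "tech-c", "admin-c"):
        handle = net.get(role)
        if not handle:
            continue
        bucket = abuse if role == "abuse-c" else other
        for addr in emails_of(handle):
            if addr not in abuse and addr not in other:
                bucket.append(addr)

    return {"inetnum": net.get("inetnum"), "aut-num": net.get("aut-num"),
            "owner": net.get("owner"), "abuse": abuse, "other": other}


if __name__ == "__main__":
    info = abuse_contacts(SAMPLE_WHOIS)
    print(f"{info['inetnum']} ({info['aut-num']}) is assigned to {info['owner']}")
    print("report to:", ", ".join(info["abuse"]))
    print("also:", ", ".join(info["other"]))
```

Feed it the output of `whois 200.250.218.247` (or the web form of the RIR listed above for the address's region) and it separates the designated abuse mailbox from the other contacts, which is the address that should get the full headers.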
- Posted by MCheu on March 20th, 2006
On Mon, 20 Mar 2006 13:00:30 -0000, "Neil Hindry"
<n_nospam_hindry@_nospam_hotmail.com> wrote:
I find the ARIN domain registry (for North America) whois site to be a
good starting point.
http://www.arin.net/whois/
If the IP isn't registered in North America, you'll get a link or
message directing you to a similar whois search engine for another
region, where the suspect IP is registered.
Thanks.
MCheu
- Posted by George Orwell on March 20th, 2006
Neil Hindry wrote:
Assuming for a second that that "Received:" header is the correct one...
Your problem appears to be someone using a free webmail provider from an
IP in the NE United states belonging to AT&T Worldnet. I'd say the
webmail provider would be your best bet. AT&T gets so many complaints
you'd probably be pissing into a strong headwind. <sigh>
Now you can ping/whois/traceroute all day long and come up with a lot of
interesting information, but sometimes the laughably simple is the best
detective tool...
http://www.chocofan.com
:-)
- Posted by donnie on March 21st, 2006
On Tue, 21 Mar 2006 01:04:35 +0100 (CET), George Orwell
<nobody@mixmaster.it> wrote:
I'm answering two posts at the same time.
170 ms 180 ms 180 ms ctbdccmt01.ctb.virtua.com.br [200.250.77.3]
181 ms 260 ms 190 ms 200.250.218.247
That's the last two stops on a traceroute which takes us to Brazil.
Then I ran host -l virtua.com.br on a Unix box and had to stop the output
when it reached 5 megabytes. I cut it down to
host -l virtua.com.br | grep mail
I showed one SMTP server and 2 other machines w/ mail in the name. I
checked them for open relays and none of them had port 25 opened.
Then I ran ftp virtua.com.br and I got
Connected to virtua.com.br.net
mbox.argentina.com FTP server (Version 6.00LS) ready.
Argentina?? I thought I was in Brazil. It didn't allow anon logins,
so I stopped there. That's where the second quote comes in about
searching all day and finding interesting but not necessarily useful
things.
I would try an email to abuse@virtua.com.br and abuse@embratel.net.br
If that doesn't work, just block it in your email client.
- Posted by George Orwell on March 21st, 2006
MCheu wrote:
[...]
IP addresses aren't registered, they're leased. Domain names are
registered, and the location of the registrar has little or nothing to do
with the physical location of the machine whose IP address is referenced
by that domain in many, or even most cases. In this particular case the
domain name was "purchased" through an agency in one country, but it's
hosted on a machine that's apparently located in another.
- Posted by George Orwell on March 21st, 2006
donnie wrote:
<snip>
That IP isn't relevant because it's not the last entry in the Received:
header chain. Wrapping sort of munged the original quoted headers. Here
they are, reformatted for clarity...
Received: from [200.250.218.247] (helo=2F31F468) by feynman.zen.co.uk
with smtp (Exim 4.43) id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03
+0000
Received: from featherbrain.chocofan.com (elastomer.chocofan.com
[12.32.12.51]) by pgawtn.com with SMTP id T7NAUCQN5F
The message seems to have passed through a relay in the 200 block or
ended up there, but it originated from the 12.32.12.51 address. Assuming
that was the last Received: header of course, the IP inside the []
brackets would have been the sender's actual IP, and "elastomer" would
have been the server that person was connected to. The reference to
"featherbrain" would be the actual MTA machine at chocofan.
The IP 12.32.12.51 is from a pool of customer addresses owned by AT&T. My
guess would be a DSL subscriber. AT&T cares little or nothing about
individual SPAM complaints, they have bigger fish to fry. But the people
at chocofan.com might have something to say about someone abusing their
apparently free (from simply visiting the www URL for that domain) email
addresses for nefarious purposes.
I'd speculate and say that would be complaining to the OP's own email
provider.
Of course, that might not be a horrible idea either....
- Posted by Eli Coten on March 21st, 2006
Neil Hindry wrote:
You might find the information you need (along with an email address) there.
Hope you get somewhere
Eli
- Posted by mcheu on March 21st, 2006
George Orwell wrote:
Please read what I actually wrote. It is considered extremely rude to
comment on what was "written between the lines" (ie. stuff you imagined
was there, but I never wrote).
I never said that you actually have to be physically within a
particular region to register a domain or reserve IP blocks with a
particular region's registrar. You may have read that somewhere, but
it wasn't in my post.
Further, while the process of registering a domain name and leasing an
IP block are separate, that isn't what I was talking about. When you
register a domain name, you do two things, you reserve the name (so
cybersquatter#2 can't take it) and associate an IP address to it in the
registration entry. That is what I meant by registering an IP.
- Posted by Moe Trin on March 21st, 2006
On Mon, 20 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
<441ea779$0$8341$da0feed9@news.zen.co.uk>, Neil Hindry wrote:
The ONLY two pieces of information you have to trust are the Received:
header put on by your ISP, and the address of the website/mail forwarder
that the spammer is directing you to.
The mail was delivered from this IP - which the others have shown how to
locate in Porto Alegre, in the Brazilian state of Rio Grande do Sul (at
roughly 30S/50W, about 800 miles/1300 KM Southwest of Rio de Janeiro).
That one is an obvious forgery. The receiving host (pgawtn.com) is located
in the US - so how did the mail get received there, and sent to you from
Brazil. Where is the "Received:" header indicating such transfer? Further,
the supposed sender 12.32.12.51 is a host with AT&T, but it doesn't have an
IP to name record. Also, neither of the chocofan.com host names exist. This
is just the usual BS put on by the spammer to confuse things, and is pretty
much meaningless.
You ask a whois server - it's being hosted by XO.com - but what relevance
is that? Are they the ones who are being advertised? The domain is actually
registered in Hong Kong to a gaming company.
Complaining to 'Net Sul Comunicações Ltda' (the assignee of 200.250.218.247) or
Grupo de Segurança Internet da Embratel is a waste of time, effort, and
bandwidth on your part. If you are running a receiving mail server, you can
simply block 200.250.0.0/16 or even 200.0.0.0/7, and ignore this crap.
You can also post the complete mail to news.admin.net-abuse.sightings, but
the rest of the world pretty much knows that accepting unknown mail from
Brazil is a waste of bandwidth. The site that the spammer is advertising
is probably going to be more interesting to the Internet community.
Old guy
- Posted by Moe Trin on March 21st, 2006
On Tue, 21 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
<17d334f3d1c21673ca7c3af7a77483a8@mixmaster.it>, George Orwell wrote:
Guess again.
[compton ~]$ host 12.32.12.51
Host not found.
[compton ~]$
There is no PTR record for that host, so the *.chocofan.com BS is a
forgery. Also, there is no explanation of how the mail might have originated
at the AT&T address, and been sent to pgawtn.com which is also in the US and
has no connection to the Brazilian header.
Old guy
- Posted by donnie on March 22nd, 2006
12.32.12.51
12.x.x.x is usually a dialup IP. I used to be on AT&T and that's what
was given.
- Posted by Ant on March 22nd, 2006
"Neil Hindry" wrote:
If you're unclear about decoding headers, how do you know what is
relevant?
Based on the information you gave, the spam appears to have come
from a proxified machine in Brazil. There's no point in looking at
headers below this, since they are very likely to have been forged by
the spammer. This is almost always the case with spam these days; i.e.
you can only trust in the headers what your ISP says about from where
it received the mail.
I assume this header was added by your ISP (Zen) and is correctly
reporting that the host feynman.zen.co.uk received the mail from
200.250.218.247. If you go to http://www.dnsstuff.com and plug the
number into their spam database lookup tool you will see it appears
on a few blocklists as an open proxy. You can also find out to whom
the IP address is allocated by using their "whois" lookup tool.
See the links here for information about reading headers:
http://spamlinks.net/track-trace-headers.htm
- Posted by Moe Trin on March 22nd, 2006
On Wed, 22 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
<es91229igi48g2soh54u2a8jn7j86092nu@4ax.com>, donnie wrote:
12.x.x.x is 16.8 million addresses. They are sub-allocated to a huge
number of entities, such as cable services, businesses, and commercial
ISPs - everything from Argonet in Altoona, PA.us to Boeing, to Classicnet,
to Cox, Hilton Hotels, or ThePlanet.com. One of my ISPs has a /23 they
are leasing in the 12.22.x.x range as well as one in the 63.67.x.x range,
and they're certainly not AT&T or UU.net/MCI/what-ever they're calling
themselves at the moment. ARIN has over a hundred SWIP (Shared WhoIs
Project) listings within the 12.x.x.x block. _A_ problem is that AT&T
doesn't bother to provide a rwhois server, and in this particular case
doesn't have a PTR record in their DNS. Their DNS servers are indicating
that the address doesn't exist (NXDOMAIN), though packets do get routed to
the Arlington, Virginia area before going missing at a firewall.
Old guy
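The missing PTR record for 12.32.12.51 that Moe Trin shows with `host`, and the open-proxy blocklist listings for 200.250.218.247 that Ant mentions, are both plain DNS questions and can be asked from a script instead of a web form. The Python below is an added example and not part of any post. It builds the in-addr.arpa and DNSBL query names (octets reversed under the zone), interprets a blocklist answer (an A record inside 127.0.0.0/8 means listed; the exact value is defined by each list operator), and performs a forward-confirmed reverse DNS check: PTR for the address, then A for the returned name, which must contain the same address for the name to mean anything. The resolver functions are parameters, defaulting to the standard library's socket calls, so the logic can be exercised offline with constructed answers; `zen.spamhaus.org` appears only as an example zone name.

```python
import ipaddress
import socket


def _reversed_octets(ip):
    """Validate an IPv4 address and return its octets in reverse order."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split(".")))


def ptr_name(ip):
    """Name queried for a PTR record, e.g. 51.12.32.12.in-addr.arpa."""
    return _reversed_octets(ip) + ".in-addr.arpa"


def dnsbl_name(ip, zone):
    """Name queried when asking a DNS blocklist about an address.
    'zone' is the list's domain (zen.spamhaus.org is used below only as an
    example zone)."""
    return _reversed_octets(ip) + "." + zone.strip(".")


def dnsbl_listed(answer):
    """A blocklist answers a listed address with an A record inside
    127.0.0.0/8; the specific value is defined by the list operator.
    NXDOMAIN (no answer) means not listed. Only a 127.0.0.0/8 answer counts,
    so a misdirected zone returning a public address is not read as a listing."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def fcrdns(ip, gethostbyaddr=socket.gethostbyaddr, getaddrinfo=socket.getaddrinfo):
    """Forward-confirmed reverse DNS.

    Step 1: PTR lookup for the IP. No answer (what 'host 12.32.12.51' showed
            in the thread) -> 'no-ptr'.
    Step 2: A lookup for the PTR name must contain the same IP; otherwise the
            PTR is 'unconfirmed' and the name proves nothing.
    The resolver functions are parameters so the logic can be tested offline.
    """
    try:
        name = gethostbyaddr(ip)[0]
    except OSError:                      # socket.herror is an OSError subclass
        return ("no-ptr", None)
    try:
        forward = {entry[4][0] for entry in getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        forward = set()
    return ("confirmed" if ip in forward else "unconfirmed", name)


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Query one blocklist; returns (listed, raw_answer). 'resolve' is a
    parameter for the same offline-testing reason."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:                      # NXDOMAIN surfaces as socket.gaierror
        answer = None
    return (dnsbl_listed(answer), answer)


if __name__ == "__main__":
    # Live lookups against the two addresses from the thread (network needed;
    # without it both simply report no-ptr / not listed).
    for ip in ("200.250.218.247", "12.32.12.51"):
        print(ip, "PTR name:", ptr_name(ip), "->", fcrdns(ip))
        print(ip, "zen.spamhaus.org:", check_dnsbl(ip, "zen.spamhaus.org"))
```

A "no-ptr" or "unconfirmed" result for the bracketed address in a Received: header is exactly the red flag discussed above: the hostname next to it was typed by the sender, not looked up by the server.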
- Posted by Jim Michaels on April 7th, 2006
"Neil Hindry" <n_nospam_hindry@_nospam_hotmail.com> wrote in message
news:441ea779$0$8341$da0feed9@news.zen.co.uk...
Part of the problem with mail headers is, you can telnet to the SMTP box and
type in a hostname. Or do it with software. The return path is also a header
you can type in.
I don't know for sure, but I think you can still do that. They may not be
able to fake the IP address, but I *think* that is also something they can
type in, but the server may or may not verify that. Possibly not.
- Posted by Moe Trin on April 7th, 2006
On Thu, 6 Apr 2006, in the Usenet newsgroup alt.computer.security, in article
<qtOdnbxlU5FaV6jZnZ2dnUVZ_tednZ2d@comcast.com>, Jim Michaels wrote:
[back on 19 March 2006]
Yeah, telnet works, but you've got to know a little bit about the SMTP
protocol.
Actually the receiving SMTP application inserts that header using the
information from the "MAIL FROM" exchange.
See 'Practical Unix & Internet Security' 3rd edition, by Garfinkel,
Spafford & Schwartz, (O'Reilly, ISBN 0-586-00323-4), the appropriate RFCs
(RFC0821 and RFC2821), and http://www.stopspam.org/email/headers.html.
There are only two headers inserted by default by the receiving mail
server.
"Return-path:" comes from the "MAIL FROM" exchange during the SMTP dialog.
"Received:" is generated by the receiving mail server. Taking the line above
and breaking it into the component parts:
"[200.250.218.247]" is the IP address that the receiving mail server got
the mail from. This can not be faked. There _may_ be a hostname in
parentheses in front of this, such as
"(host.example.com [192.0.2.54])" and that means the receiving mail server
looked up the IP address and got that name. Different mail servers put the
"HELO" or "EHLO" name - the name that the sending mail server announced itself
as during the SMTP exchange - either before or after this mess. In the quoted
example, the sending host announced itself as "2F31F468" which is just
meaningless babble by the spammer.
The remaining stuff in the "Received:" header, here
identifies the receiving mail server (you can ONLY trust those under your
control - and perhaps those of your ISP), the application used (Exim is
one of a handful of mail server applications), a "transaction number" and
timestamp.
This line was obviously faked, because the "receiving server" (here
claimed to be "pgawtn.com") claims to have received the mail from IP
12.32.12.51 which it then claims to have looked up and found to be
"elastomer.chocofan.com". The big red flag waving in front of your eyes
is that first, the 12.32.12.51 doesn't resolve - you can't look it up
to get a name. Second, neither of the chocofan.com hostnames resolve
either. Thus, you have a classic demonstration of the first law of
spammers - "spammers lie".
Another clue is that "Received:" headers should track. If the mail really
did originate at chocofan.com, how did it get from pgawtn.com to the
unidentified Brazilian host 200.250.218.247? Where is the Received:
line for that transfer?
The final clue is if the mail really did originate in .us (the 12.32.12.51
address and pgawtn.com are both in the .us), why was it sent to the O/P in
England via some untrustworthy host in Brazil instead of direct? The answer
is again "spammers lie".
Old guy
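Moe Trin's rules can be mechanised: only the Received: header written by your own server (or your ISP's) is trustworthy, its bracketed IP is the real peer, and every hop beneath it must at least agree with the one above it (the lower hop's "by" host should be the host the upper hop says it received from). The Python below is an added example and not any poster's code. It re-parses the two headers from the original post (embedded as a constructed message, folded the way an MTA writes them) in both the Exim `from [ip] (helo=...)` layout and the sendmail `from helo (ptr [ip])` layout, then reports the origin IP, the hops below the trust boundary, and the missing link between pgawtn.com and feynman.zen.co.uk. The trusted-host list (`zen.co.uk`) is an assumption for the OP's case; substitute your own receiving hosts.

```python
import re
from email import message_from_string

# Constructed sample: the two Received: headers quoted in the original post,
# folded the way an MTA writes them, plus minimal other headers and a body.
SAMPLE_SPAM = """\
Return-path: <support@hindry.org>
Received: from [200.250.218.247] (helo=2F31F468)
    by feynman.zen.co.uk with smtp (Exim 4.43)
    id 1F9nPB-00024b-G2; Thu, 16 Feb 2006 17:59:03 +0000
Received: from featherbrain.chocofan.com (elastomer.chocofan.com
    [12.32.12.51])
    by pgawtn.com with SMTP id T7NAUCQN5F
From: support@hindry.org
To: victim@example.invalid
Subject: constructed sample

body text
"""

# "from <helo-or-[ip]> (<comment>) ... by <host>"; the comment holds either the
# Exim "helo=" tag or the sendmail "<ptr-name> [<ip>]" pair.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>[\w.-]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header):
    """Split one Received: header into the receiving MTA's observations.

    ip   - peer address as seen on the socket (trustworthy only if we trust 'by')
    helo - name the peer announced in HELO/EHLO (sender-controlled text)
    ptr  - reverse-DNS name the receiving MTA looked up, if it recorded one
    by   - the receiving MTA's own name
    """
    text = " ".join(header.split())  # unfold continuation lines
    m = RECEIVED_RE.match(text)
    if not m:
        return None
    frm, comment, by = m.group("from"), m.group("comment") or "", m.group("by")
    ip_m = IP_RE.search(frm) or IP_RE.search(comment)
    helo_m = re.search(r"helo=(\S+)", comment, re.IGNORECASE)
    if helo_m:  # Exim layout: "from [ip] (helo=x)" or "from ptr ([ip] helo=x)"
        helo = helo_m.group(1)
        ptr = None if frm.startswith("[") else frm
    else:       # sendmail layout: "from helo (ptr [ip])"
        helo = None if frm.startswith("[") else frm
        ptr_m = re.match(r"([\w.-]+)\s+\[", comment)
        ptr = ptr_m.group(1) if ptr_m else None
    return {"helo": helo, "ptr": ptr, "ip": ip_m.group(1) if ip_m else None, "by": by}


def analyse(raw_message, trusted_receivers):
    """Walk the Received: chain top-down (newest hop first).

    The origin IP comes from the last hop, counting from the top, whose 'by'
    host we trust. Every adjacent pair is then checked for the continuity a
    genuine chain has: the lower hop's 'by' must be the host the upper hop
    says it received from (by IP, PTR name or HELO name).
    """
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    trusted = [t.lower() for t in trusted_receivers]

    def is_trusted(host):
        host = host.lower()
        return any(host == t or host.endswith("." + t) for t in trusted)

    last_trusted = -1
    for i, hop in enumerate(hops):
        if i == last_trusted + 1 and is_trusted(hop["by"]):
            last_trusted = i

    breaks = []
    for upper, lower in zip(hops, hops[1:]):
        claimed = {x.lower() for x in (upper["ip"], upper["ptr"], upper["helo"]) if x}
        if lower["by"].lower() not in claimed:
            breaks.append((upper["by"], lower["by"]))

    return {
        "origin_ip": hops[last_trusted]["ip"] if last_trusted >= 0 else None,
        "breaks": breaks,
        "untrusted": [h["by"] for h in hops[last_trusted + 1:]],
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_SPAM, ["zen.co.uk"])  # assumption: the OP's ISP's hosts
    print("origin IP (from the trusted hop):", report["origin_ip"])
    for upper, lower in report["breaks"]:
        print(f"chain break: {upper} received the mail from a host that is not {lower}")
    print("hops below the trust boundary:", report["untrusted"])
```

Run against the sample it reports 200.250.218.247 as the only address worth acting on and flags the second header as disconnected from the first, which is the "Received: headers should track" test above expressed as code.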