View Full Version : How to stop kiddy porn e-mails, wanna-be stalkers, and attacks from mutants


heqdvd
01-16-2003, 10:21 AM
Sure, we all get tons of Klez-H type auto-generated e-mail viruses.
But say you have some stalker that is so frustrated by their lack of importance, creative impotence and total rejection by society that they won’t quit. There is an answer.

Trace the e-mail. Contact the e-mail SOURCE, repeatedly and as doggedly as the malformed Internet “user” does to you. Then set up filters to simply erase the next similar type of e-mail from coming in.

Here’s a very silly, juvenile and jealous repeated e-mail I kept getting (though the From: line changed).
-----------------------------------------------------------------------
From: dillonthomas77 [dillonthomas77@yahoo.com]
Sent: Wed 1/15/03 8:06 PM
To: greggdilorenzo@greggdilorenzo.com

Hi,greggdilorenzo,some questions
---------------------------------------------------------------------

The e-mail has no text in it, of course, but my firewall stripped the malicious attachment immediately and warned me…

RULE ONE – Set your firewall or e-mail client to “quarantine” all attachments to a closed area of your hard disk. This is not hard at all; depending on the actual program or client, it should take 2-3 steps.

RULE TWO – Right click the actual e-mail in your e-mail (using Outlook) and choose “options”. Copy all the text to a text processor:

Return-Path: <klacey@au00.com>
Received: from au00.com ([210.18.218.2])
    by lsh100.siteprotect.com (8.9.3/8.9.3) with SMTP id TAA27859
    for <greggdilorenzo@greggdilorenzo.com>; Wed, 15 Jan 2003 19:05:35 -0600
Date: Wed, 15 Jan 2003 19:05:35 -0600
Message-Id: <200301160105.TAA27859@lsh100.siteprotect.com>
Received: (qmail 26490 invoked from network); 16 Jan 2003 01:01:15 -0000
Received: from tory-177.gateway.to.the.fraser.coast.au00.com (HELO Iamoozahd) (210.18.218.177)
    by sarah.maryboroughqld.com with SMTP; 16 Jan 2003 01:01:15 -0000
From: dillonthomas77 <dillonthomas77@yahoo.com>
To: greggdilorenzo@greggdilorenzo.com
Subject: Hi,greggdilorenzo,some questions
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=E9MZ80N4f3832z9RP

Ah yes, this “klacey@au00.com” has been stupidly diligent lately, like a “VILLAGE” idiot… I recognized this name.

RULE THREE – Right click in the message body and do “view source”. Copy this text as well…
HTML><HEAD></HEAD><BODY
iframe src=cid:RC9YL7j5U4H5MUjY50 height=0 width=0>
/iframe>
FONT></FONT></BODY></HTML

[altered this so it displays here]

Ah… I won’t get into hex codes here, but this type of approach betrays the ignorance of the sender very clearly. The fact of the matter is that if step one isn’t followed, problems arise from the attachment here.


RULE FOUR - Go to an e-mail tracking service, such as http://spamcop.net, sign up for a free account and then paste all of the above info into the submit box. Press enter, and wait for the program to work.

Possible spammer: 210.18.218.2
210.18.218.2 is not an MX for au00.com
host au00.com (checking ip) = 210.18.218.12
210.18.218.2 is not an MX for au00.com
ips are close enough
Taking name from IP...
host 210.18.218.2 (getting name) no name
Received line accepted

Received: (qmail 26490 invoked from network); 16 Jan 2003 01:01:15 -0000
no ip found in received line
Ignored

Received: from tory-177.gateway.to.the.fraser.coast.au00.com (HELO Iamoozahd) (210.18.218.177) by sarah.maryboroughqld.com with SMTP; 16 Jan 2003 01:01:15 -0000
host 210.18.218.2 (getting name) no name
210.18.218.2 not listed in opm.blitzed.org
Possible spammer: 210.18.218.177
210.18.218.177 is not an MX for tory-177.gateway.to.the.fraser.coast.au00.com
host tory-177.gateway.to.the.fraser.coast.au00.com (checking ip) = 210.18.218.177
Taking name from IP...
host 210.18.218.177 (getting name) no name
Chain test:sarah.maryboroughqld.com =? au00.com
host au00.com (checking ip) = 210.18.218.12
210.18.218.12 is an MX for maryboroughqld.com
210.18.218.12 is mx
sarah.maryboroughqld.com and au00.com have close IP addresses - chain verified
Possible relay: 210.18.218.2
210.18.218.2 not listed in relays.ordb.org.
210.18.218.2 has already been sent to relay testers
Received line accepted
Tracking message source: 210.18.218.177:
Routing details for 210.18.218.177
[refresh/show] Cached whois for 210.18.218.177 : benc@iexec.com.au
Using last resort contacts benc@iexec.com.au
Whois found benc@iexec.com.au
ISP has already cancelled the account used to send this spam. ISP resolved this issue sometime after Thu Jan 16 01:01:15 2003 GMT Wednesday, January 15, 2003 8:01:15 PM -0500
210.18.218.177 not listed in formmail.relays.monkeys.com
210.18.218.177 not listed in opm.blitzed.org
210.18.218.177 not listed in relays.ordb.org.
210.18.218.177 not listed in query.bondedsender.org
Finding IP block owner:
Routing details for 210.18.218.177
[refresh/show] Cached whois for 210.18.218.177 : benc@iexec.com.au
Using last resort contacts benc@iexec.com.au

RULE FIVE: Make sure it IS SPAM, and then take the appropriate actions, like contacting the administrator.
If you are polite, they usually respond, though it might take a few tries!

You can see they cancelled that user’s account. It worked. This doesn’t mean the mutant won’t just jump to another server or mailer system. But he/she had to actually “work” for a second, thus our mission is successful.

I feel 1,000,000 issues would be resolved if people simply stated their real names and addressed REAL issues they have with members of this planet earth. But this is an idealist dream that never will be realized.


In the meantime – TURN OFF THE SPAMMERS’ E-MAIL ACCOUNTS…. Contact the administrators!


Peace and love from NYC.
http://heqdvd.com
(newly updated)
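
The header trace that RULE TWO and RULE FOUR hand to SpamCop can be reproduced offline. This is an added example, not part of the original post and not SpamCop's code: the names `parse_hops` and `trace_source`, the `FORGED` sample, and the same-/24 check (a stand-in for SpamCop's DNS-based chain test) are assumptions made here. Only the top `Received` line is written by the recipient's own server; every line below it is supplied by the sender's side and is followed only while it chains.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Headers from the post, with continuation lines re-indented so they fold.
RAW = """\
Return-Path: <klacey@au00.com>
Received: from au00.com ([210.18.218.2])
\tby lsh100.siteprotect.com (8.9.3/8.9.3) with SMTP id TAA27859
\tfor <greggdilorenzo@greggdilorenzo.com>; Wed, 15 Jan 2003 19:05:35 -0600
Received: (qmail 26490 invoked from network); 16 Jan 2003 01:01:15 -0000
Received: from tory-177.gateway.to.the.fraser.coast.au00.com (HELO Iamoozahd) (210.18.218.177)
\tby sarah.maryboroughqld.com with SMTP; 16 Jan 2003 01:01:15 -0000
From: dillonthomas77 <dillonthomas77@yahoo.com>
Subject: Hi,greggdilorenzo,some questions

"""
# Constructed: the same message with a forged bottom hop (documentation IP).
FORGED = RAW.replace("From:", "Received: from mail.example (192.0.2.9)\n"
                     "\tby relay.example with SMTP\nFrom:", 1)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def parse_hops(raw):
    """Return (from_host, ip, by_host) per Received line, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())          # undo header folding
        ip = IP_RE.search(line)
        if not ip:                              # e.g. the qmail bookkeeping line
            continue
        frm = re.match(r"from\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        hops.append((frm.group(1) if frm else None, ip.group(1),
                     by.group(1) if by else None))
    return hops

def trace_source(raw, my_mx):
    """Walk down from the hop our own server wrote; stop where the chain breaks."""
    hops = parse_hops(raw)
    if not hops or hops[0][2] != my_mx:
        return None                             # nothing here was written by us
    source = hops[0][1]                         # peer IP our server saw itself
    for _, ip, _ in hops[1:]:
        # Assumed heuristic: a lower hop chains only if it shares the /24.
        if ip_address(ip) not in ip_network(source + "/24", strict=False):
            break                               # unverifiable, possibly forged
        source = ip
    return source
```

Run against the post's headers with `lsh100.siteprotect.com` as the receiving server, `trace_source` lands on the same address SpamCop reports as the message source, and the forged hop in `FORGED` is not followed.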