How do you trace no-name emails?

WAZ

Golden Member
Jan 17, 2001
I have been getting solicitation emails several times a day. When I look at the message properties, they all come from different FAKE email addresses and random combinations of servers (indiana.edu, yahoo.com, msn.com, aol, bigfoot.com, etc.) and end up at a weird address that's not even mine. I have tried replying to all addresses, and they're all bogus -- I can't send to any of them. They have fake "reply-to" addresses, fake "from" addresses, etc. And they're all different, so I can't block them. But all the messages are the "same", so I know they're all coming from the same person/people. If anyone could tell me how to trace these messages back to their origin (before they get filtered through all the bogus addresses and random servers), I'd love to find out where they're coming from.

Thanks!
WAZ

Russ

Lifer
Oct 9, 1999
Example SPAM header (one from the many in today's batch):

Received: (from russs@localhost)
by www35.web2010.com (8.9.3/8.9.0) id OAA20357
for russs2; Fri, 9 Feb 2001 14:20:37 -0500 (EST)
Received: from mail04.mygeek.com ([204.176.122.151])
by www35.web2010.com (8.9.3/8.9.0) with SMTP id OAA20354
for <russ@compucheap.com>; Fri, 9 Feb 2001 14:20:36 -0500 (EST)
Received: (qmail 1554 invoked by uid 3710); 9 Feb 2001 13:23:20 -0000
Date: 9 Feb 2001 13:23:20 -0000
Message-ID: <20010209132320.1553.qmail@mail04.mygeek.com>
To: russ@compucheap.com
From: intro@mygeek.com (myGeek.com)
Errors-To: bounces@mygeek.com
Subject: Welcome to myGeek!
Precedence: bulk
X-BID: 5073909
Mime-Version: 1.0
Content-type: multipart/alternative;
boundary="QXQXQXQXQXQ"


Note the IP address in bold. This actually traces to mygeek.com, which means this isn't the brightest bulb in the box. They have a subnet leased from UUNET, which is also listed in an arin search. Thus, I reported them to abuse@uunet.com.

Example two:

Received: (from russs@localhost)
by www35.web2010.com (8.9.3/8.9.0) id PAA07206
for russs2; Fri, 9 Feb 2001 15:14:33 -0500 (EST)
Received: from mail.globalvision.ca ([205.150.183.70])
by www35.web2010.com (8.9.3/8.9.0) with ESMTP id PAA07203
for <russ@compucheap.com>; Fri, 9 Feb 2001 15:14:33 -0500 (EST)
From: mD41zyue3@ntsidfmes1.supporter.fr
Received: from 2brvk5c21 [63.36.249.133] by mail.globalvision.ca
(SMTPD32-6.00) id A1077143026A; Fri, 09 Feb 2001 15:20:23 -0500
DATE: 09 Feb 01 1:15:45 PM
Message-ID: <o4DF90txoO0Ec>
SUBJECT: >>>>>Best Cell Phone Offer Ever<<<<< lkjj
X-UIDL: 9l:!!F^G"!37V!!$eK"!


The highlighted IP traces to jtcconnects.com. This outfit doesn't even have an abuse@ address (mail bounced) which is a good indication that they are either involved, or condone the activity.

BUT, their block is also leased from UUNET - of Canada. Same thing; I fired off an eMail to abuse@uunet.ca.

Russ, NCNE
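The procedure Russ is following is to read the Received: lines from the top down (the receiving server adds its line at the top) and stop at the first hop that was not added by a server you control, because every line below that one was written by the sender and can be forged. Here is an added example, not code from anyone in the thread, that parses the two headers Russ pasted above and picks out the first IP address observed by the recipient's own MTA (www35.web2010.com); the trusted host list is an assumption for this example.

```python
import re

# Received: lines copied from Russ's two examples above; the From: line in the
# second one sits between Received: lines exactly as it did in his paste.
EXAMPLE_1 = """Received: (from russs@localhost)
by www35.web2010.com (8.9.3/8.9.0) id OAA20357
for russs2; Fri, 9 Feb 2001 14:20:37 -0500 (EST)
Received: from mail04.mygeek.com ([204.176.122.151])
by www35.web2010.com (8.9.3/8.9.0) with SMTP id OAA20354
for <russ@compucheap.com>; Fri, 9 Feb 2001 14:20:36 -0500 (EST)
Received: (qmail 1554 invoked by uid 3710); 9 Feb 2001 13:23:20 -0000
"""
EXAMPLE_2 = """Received: (from russs@localhost)
by www35.web2010.com (8.9.3/8.9.0) id PAA07206
for russs2; Fri, 9 Feb 2001 15:14:33 -0500 (EST)
Received: from mail.globalvision.ca ([205.150.183.70])
by www35.web2010.com (8.9.3/8.9.0) with ESMTP id PAA07203
for <russ@compucheap.com>; Fri, 9 Feb 2001 15:14:33 -0500 (EST)
From: mD41zyue3@ntsidfmes1.supporter.fr
Received: from 2brvk5c21 [63.36.249.133] by mail.globalvision.ca
(SMTPD32-6.00) id A1077143026A; Fri, 09 Feb 2001 15:20:23 -0500
"""

HEADER_START = re.compile(r"^[A-Za-z][\w-]*:")
# "from <host the sender announced> [<IP the receiving MTA actually saw>] by <receiver>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>[^\s\[()]+)"
    r"(?:\s*\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?)?"
    r".*?\bby\s+(?P<by>[\w.-]+)", re.S)

def unfold(raw):
    """Join continuation lines onto their header (the paste lost the leading whitespace)."""
    headers = []
    for line in raw.splitlines():
        if HEADER_START.match(line) or not headers:
            headers.append(line)
        else:
            headers[-1] += " " + line.strip()
    return headers

def received_chain(raw):
    """Hops newest-first as (announced_host, observed_ip, receiving_host); None where absent."""
    hops = []
    for header in unfold(raw):
        name, _, value = header.partition(":")
        if name.lower() == "received":
            m = RECEIVED_RE.search(value)
            hops.append((m["host"], m["ip"], m["by"]) if m else (None, None, None))
    return hops

def first_external_ip(hops, trusted_by):
    """Walk down while the 'by' host is ours; the last IP seen there cannot be forged."""
    found = None
    for _host, ip, by in hops:
        if by not in trusted_by:
            break          # everything below this line was written by the sender
        found = ip or found
    return found
```

Only the IP returned here is worth a WHOIS/ARIN lookup with confidence; the hops below it (63.36.249.133 in the second example) are leads at best, since the sender's relay wrote them.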

WAZ

Golden Member
Jan 17, 2001
Yeah, they all have headers. This is the one consistent factor in all of them:

129.79.6.185 or 129.79.6.184, which are fins.uits.indiana.edu and mask.uits.indiana.edu, respectively.

Then, they all vary with different combinations of the following:

Name: HSE-Kitchener-ppp78656.sympatico.ca (from 0tug3j.compuserve.com)
Address: 216.208.52.67

Name: HSE-Kitchener-ppp78779.sympatico.ca
Address: 216.208.52.190

Name: mailer.netkom-sachsen.de
Address: 145.253.229.131

Name: localhost.rejent.poznan.pl (IDENT:root@rejent-gw.man.poznan.pl)
Address: 150.254.162.150

Name: Maxim_Server.MaximWeb.com
Address: 166.90.188.150

Name: Kitchener-ppp111662.sympatico.ca
Address: 216.209.123.53

Name: hpacq.kent.edu
Address: 131.123.1.165

Name: h209-50-67-111.mt.sfl.net
Address: 209.50.67.111

Name: rejent-gw.man.poznan.pl
Address: 150.254.162.150

So it looks like they are pretty thoroughly abusing A LOT of servers. They have their stuff filtering through a nice thick web of servers and aliases, and nothing can be replied to. I have been able to trace all of these IP addresses though. But that's all. I do see that they are all traced back to something.UITS.INDIANA.EDU.

How did you find that mail.globalvision.ca ([205.150.183.70]) traced back to jtcconnects.com and then to UUNET, and then that they did or did not have an abuse@ address? How can I go about this?

Thanks a lot again for your help.
-WAZ

perry

Diamond Member
Apr 7, 2000
Heheh.. I got that mygeek.com spam. They're pretty bright. They listed the place that sold them my address. Didn't bother going to the site to see if there is some opt-out thing, I just hit the delete key and moved on to the next spam.

shopbruin

Diamond Member
Jul 12, 2000
EWWWWWWWW!!!!! THIS IS GETTING OUT OF HAND!

I was looking through my hotmail seeing if I got any real mail or not (doubted it), but usually people type in the wrong address and I kindly tell them of their mistake. I usually don't do that until they've sent me at least two e-mails. So I see two e-mails that might be suspect to that. Stupid me didn't check their file size.

I started to open up the e-mail... and there are pictures of pron! Ewwwwwwwww, it's one thing to be asked to go to their sites, it's another to have it sent right to you!!!! Ugh!

All right, I gotta find out how to nuke these suckers. (Bad choice of words there...) But they're located in Malaysia.

WAZ

Golden Member
Jan 17, 2001
I was referred to a site called SpamCop. I think I'll give that a try. These emails are just annoying the hell out of me... I wanna take the bastards down! :)