Ecoclimber Posted August 2, 2008

For the past 5 years, I've been tracking a spammer from one site to another. Every time I get him kicked off from one server, he hops onto another domain. He is starting to use FTP servers. His latest server domain gives a bogus address in ARIN. To the best of my knowledge, it is illegal to give a bogus registration address? He is sending illegal spam messages in violation of our State Laws which makes it a felony. Because it involves interstate traffic commerce laws, I will be reporting him to the FBI. However, I am stumped as to how he can register a server under a bogus address. Who do I contact in regard to this fraudulent registration?

I am a newbie so maybe this is somewhat out of the scope of this forum. I notice that spammers are becoming more sophisticated over the years making it more and more difficult to block their spam with the current software.

rconner Posted August 2, 2008

Sorry, but you're not giving us much to go on here. Which domains? Which servers? Do you have a sample spam you could submit to the parser in order to give us a tracking link? This info would help a great deal.

-- rick

Ecoclimber Posted August 2, 2008

> Sorry, but you're not giving us much to go on here. Which domains? Which servers? Do you have a sample spam you could submit to the parser in order to give us a tracking link? This info would help a great deal.

nslookup on notify.mysavertoday.info and Doing a trace route as his headers are forged takes me to 72.37.186.2. There is no address at that location that I could find. The 800 number gave me a pizza company but now gives me a voice mail

SBC Telecom Consulting, Inc. MZIMA03-CUST-SBCCONSULT01 (NET-72-37-186-0-1) 72.37.186.0 - 72.37.187.255

OrgName: SBC Telecom Consulting, Inc.
OrgID: STC-89
Address: 105 Serra Way
Address: #429
City: Milpitas
StateProv: CA
PostalCode: 95035
Country: US
ReferralServer: rwhois://rwhois.sbc.us.com:4321
NetRange: 72.37.186.0 - 72.37.187.255
CIDR: 72.37.186.0/23
NetName: MZIMA03-CUST-SBCCONSULT01
NetHandle: NET-72-37-186-0-1
Parent: NET-72-37-128-0-1
NetType: Reallocated
NameServer: NS1.SBC.US.COM
NameServer: NS2.SBC.US.COM
Comment:
RegDate: 2007-01-10
Updated: 2007-01-10
RTechHandle: NOC2087-ARIN
RTechName: Network Operations Center
RTechPhone: +1-800-370-5265
RTechEmail: ***[at]sbc.us.com
OrgAbuseHandle: ABUSE1158-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-800-370-5265
OrgAbuseEmail: *****[at]sbc.us.com
OrgNOCHandle: NOC2087-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-800-370-5265
OrgNOCEmail: ***[at]sbc.us.com
OrgTechHandle: ADMIN784-ARIN
OrgTechName: Administrator
OrgTechPhone: +1-800-370-5265
OrgTechEmail: *****[at]sbc.us.com
# ARIN WHOIS database, last updated 2008-08-01 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Miss Betsy Posted August 2, 2008

The 'oldies' on this forum will want to look at a Tracking URL - you don't have to report the spam, but they will want to see exactly what the headers look like. Not that they don't think you know what you are doing, but when one is troubleshooting, the original is what they want to start with. It never hurts to have more eyes look at it.

In the Software Forum, there is Complainerator which automates complaints about bogus registrations - at least that's the way I remember it. (I don't have the time or expertise to complain beyond a spamcop report - well, just barely, if the headers are really simple, I can do a manual report).

There is also a difference between the 'source' - the network the spam came from and the 'spamvertized website' - lots of people (including myself) don't think it is worth it to track down spamvertized websites. There are long discussions somewhere here. However, there are some who are very interested and have the time and expertise to do it and are successful.

Miss Betsy

Ecoclimber Posted August 3, 2008

It doesn't matter what you try to filter, subject, to, received from, this spammer has a program that regenerates from, to, ip addresses and subject lines as well as forged headers which included my own email address so anyone sending me email was blocked. This has been going on for some 6 years now and must be one of the most prolific spammers on line.

X-Message-Delivery: Vj0zLjQuMDt1cz0wO2w9MDthPTA=
X-Message-Status: n:0
X-SID-PRA: -PRINTER-INK-85%-OFF-MAXIMUM[at]notify.onlinesavingsnow.info
X-Message-Info: NDMZeIBu+spHm/sykKtzkSTDwzKu0ZorkzhwKk0ZhZ4BJMx0S9StX2Tm9CwBqpab2iHLk7Ub1SgJorqHMP2qXA==
Received: from notify.onlinesavingsnow.info ([129.47.224.176]) by bay0-mc5-f10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sat, 2 Aug 2008 11:35:18 -0700
Errors-To: undeliverable[at]onlinesavingsnow.info
X-DTK: 3-3044.4
X-AMS: 194023036.9571
Content-type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
In-Reply-To: None
References:
Message-ID: <1217701937.12431.0[at]notify.onlinesavingsnow.info>
To: PrinterOwnersOnline
Subject: SAVE - [bIG SUMMER SALE] - SAVE 08/02/2008 onlinesavingsnow.info
From: -PRINTER-INK-85%-OFF-MAXIMUM[at]notify.onlinesavingsnow.info
Date: Sat, 02 Aug 2008 11:32:17 -0700
Return-Path: -PRINTER-INK-85%-OFF-MAXIMUM[at]notify.onlinesavingsnow.info
X-OriginalArrivalTime: 02 Aug 2008 18:35:18.0928 (UTC) FILETIME=[83A75100:01C8F4CE]

Farelf Posted August 3, 2008

Tracking URL 'manufactured' from the above http://www.spamcop.net/sc?id=z2119548937z5...8d94c6ad802247z - I note

"whois 129.47.224.176[at]whois.arin.net" (Getting contact from whois.arin.net )
nothing found
No reporting addresses found for 129.47.224.176, using devnull for tracking.

From Tracking message source: 129.47.224.176: Display data: [refresh cache]

** $ whois 129.47.224.176[at]whois.arin.net
[whois.arin.net]
OrgName: Whittaker Corporation
OrgID: WHITTA
Address: 1955 North Surveyor Ave
City: Simi Valley
StateProv: CA
PostalCode: 93063-3386
Country: US
NetRange: 129.47.0.0 - 129.47.255.255
CIDR: 129.47.0.0/16
NetName: WCAIFHLS
NetHandle: NET-129-47-0-0-1
Parent: NET-129-0-0-0-0
NetType: Direct Assignment
Comment:
RegDate: 1987-07-31
Updated: 2007-05-22
# ARIN WHOIS database, last updated 2008-08-01 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
** refresh disabled
No traffic from 129.47.224.176 sampled by SenderBase

The "nothing found" result has been the topic of several discussions in the past, including http://forum.spamcop.net/forums/index.php?showtopic=9132 (feel free to search for others)

I don't really see a resolution for this one. It might help if you became a SC reporter and registered some hits against this character but that is not going to give you any relief unless he re-uses the same IP address or network and you can filter on that.

Your email address forged as a "From:" address should not get you blocked by major networks though most email clients probably provide address filtering for individuals. Automatically accepting "From:" addresses for filtering rules is quite clueless, as you know. Unfortunately many don't, hopefully those you correspond with know better. If your name comes up for forging frequently then either he is a very limited spammer (seems likely) or you have been selected for special treatment (a bit of a 'badge of honour' really).

Miss Betsy Posted August 3, 2008

> It doesn't matter what you try to filter, subject, to, received from, this spammer has a program that regenerates from, to, ip addresses and subject lines as well as forged headers which included my own email address so anyone sending me email was blocked. This has been going on for some 6 years now and must be one of the most prolific spammers on line.

From my perspective, the only way to filter for spammers is to use blocklists (IP Addresses of the source computer).

You might not be dealing with the same spammer since lists are bought and sold frequently. Also many spammers nowadays use 'zombie computers' - computers infected with a trojan that sends spam without the owner's knowledge. If you report the spam to the source IP abuse desk, some abuse desks will notify the owner to clean their machine.

You still have not identified why you think it is the same spammer.

(for the newbie - on this forum, it is not considered necessary to quote someone you are answering in your answer - only the part you are answering. Also, a Tracking URL is preferred to posting headers since there can be subtle changes to the headers in the copying and posting.)

Miss Betsy

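Added example, not part of any post in this thread: a Python sketch of filtering on the source IP rather than on forgeable headers, using the Received line and the two whois CIDR ranges quoted above. The trusted-host suffix, the second Received line and the From/Return-Path values are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: the first Received line is the one quoted in the thread;
# the second Received line and the From/Return-Path values are made up to
# stand in for sender-supplied (forgeable) headers.
RAW = """\
Received: from notify.onlinesavingsnow.info ([129.47.224.176]) by bay0-mc5-f10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sat, 2 Aug 2008 11:35:18 -0700
Received: from mail.example.net ([192.0.2.55]) by notify.onlinesavingsnow.info; Sat, 2 Aug 2008 11:32:00 -0700
From: recipient@example.org
Return-Path: recipient@example.org
Subject: SAVE

body
"""

TRUSTED_SUFFIX = ".hotmail.com"  # assumption: hosts run by the receiving provider
# Local blocklist built from the two CIDR ranges in the thread's whois output.
BLOCKED = [ipaddress.ip_network(n) for n in ("129.47.0.0/16", "72.37.186.0/23")]
HOP = re.compile(r"from\s+\S+\s+\(.*?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)", re.S)

def boundary_ip(raw):
    """IP recorded by the last consecutive trusted hop, reading top-down."""
    found = None
    for hdr in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(hdr)
        if not m or not m.group(2).rstrip(";").lower().endswith(TRUSTED_SUFFIX):
            break  # from here down, every header was written by the sender
        try:
            found = ipaddress.ip_address(m.group(1))
        except ValueError:
            break  # malformed address literal: stop rather than guess
    return found

def verdict(raw):
    """Decide on the connecting IP only; From and Return-Path are never read."""
    ip = boundary_ip(raw)
    if ip is None:
        return "no-trusted-hop"
    return ("block " if any(ip in net for net in BLOCKED) else "pass ") + str(ip)

if __name__ == "__main__":
    print(verdict(RAW))
```

The forged From address and the lower Received line have no effect on the result, which is why a changing sender, subject or domain does not defeat an IP-based rule while the sending network stays the same.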
Ecoclimber Posted August 3, 2008

> You still have not identified why you think it is the same spammer.

Because they come from the same forged header IP address with variations of [at]notify*saver*.info in the return and the same variations of subject matter and traced to the same IP address of 72.37.186.2. Whenever he changes servers, it's the same thing. When I notify the admin that they have a problem, he is then scrubbed from their system except this time, the ARIN address is bogus.

At any rate, I will be reporting him to the FTC, State Attorney General's Office and the FBI with the info I have. It impacts interstate commerce laws and the practice thereof. I have been reporting him to Spamcop for years apparently to no avail and will be looking at SpamAssassin to try and rid him from my address. There is a $2K fine for each instance of this unsolicited email and if I can find out who he is, I plan on bringing into my court of jurisdiction as a recent article on this forum has shown that a recent spam King was convicted and fined in one of the largest cases and is now serving time in a Federal Prison. It's the only message these creeps understand.

Thanks everyone for your help

Miss Betsy Posted August 3, 2008

You might try googling - onlinesavingsnow comes with several hits. That particular domain is now up for grabs, but CastleCops apparently has been aware of it for some time.

SpamAssassin may help you to filter it out since it seems to be well known, but your address is 'out there' and there is little likelihood that you will stop spammers from using it. If you have been reporting via spamcop, then it is unlikely that this particular spammer is a listwasher so I doubt there is any way to get him to stop using your email address.

Good luck in tracking him down and bringing him to trial. If it were an easy job, then there would be many more citizens involved.

Miss Betsy

Wazoo Posted August 3, 2008

> (for the newbie - on this forum, it is not considered necessary to quote someone you are answering in your answer - only the part you are answering. Also, a Tracking URL is preferred to posting headers since there can be subtle changes to the headers in the copying and posting.)

Much editing done within this Discussion to remove all the unnecessary and broken quoting. Note that the Forum FAQ includes content on editing out unneeded quoted content when Replying to a previous Post. Please see SECTION 6 - Troubleshooting & Quick Links/Shortcuts

The use of a Tracking URL simply shows up in too many places, so although the Topic starter still hasn't picked up on it, the continued 'suggestion' seems to be a bit of a lost cause. Too bad.

Archived
This topic is now archived and is closed to further replies.