Case 9

This one came directly into our server but from a dial-up account.

Received: from 207.223.188.108 by Your POP/SMTP Server's Address
 with SMTP (Eudora Internet Mail Server 1.2); Mon, 23 Feb 1998 23:15:21 -0500
From:     osg@eagle.mooncrater.net
To:       new@Your POP/SMTP Server's Address
Subject:  Run Your Own AUTO-PILOTED Business!
X-Reply-To:  opt1@online-success.com
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Mon, 23 Feb 1998 23:15:21 -0500
Message-ID: <1323846775-648560@Your POP/SMTP Server's Address>

This one looks really hard, and it is: the message came directly into your mail server! Using Trace Route, we find that 207.223.188.108 is a valid netcom.net dial-up address.

Looking further, mooncrater.net has no Web site and obtains its communications from alter.net, a legitimate communications company. A mail domain with no Web site is an obvious SPAM ISP. Looking at its domain servers at the NIC via whois, we see that it runs its own DNS, so there is no further help there.

We look at online-success.com because the body of the message contains a "remove me" clause. Via Trace Route, online-success.com obtains its communications from netcom.net, a legitimate communications company, and, based upon its name, it is an obvious SPAM ISP. Looking at its domain servers at the NIC, we find that it gets its DNS from linkus.com. Viewed in our browser, linkus.com seems to be a legitimate ISP. linkus.com gets its DNS from netcom.net.

Now that we have decoded the SPAM, we can take action. We also forward it to the FTC, as the SPAM looks like a get-rich-quick scheme.

  1. We forward the original SPAM with all the headers displayed to abuse@netcom.net, abuse@alter.net, abuse@linkus.com, uce@ftc.gov
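
The decoding steps above can be scripted. The following is an added example, not part of the original page: it parses the Case 9 headers, pulls the connecting address from the one Received line our own server wrote, collects the domains named in From and X-Reply-To, and builds the report list. The function names are hypothetical, and the UPSTREAMS table simply records the Trace Route and whois findings stated above instead of performing live lookups.

```python
import email
import ipaddress
import re

# Headers as shown in Case 9 (the receiving host name is the page's own placeholder).
RAW = """\
Received: from 207.223.188.108 by Your POP/SMTP Server's Address
 with SMTP (Eudora Internet Mail Server 1.2); Mon, 23 Feb 1998 23:15:21 -0500
From:     osg@eagle.mooncrater.net
Subject:  Run Your Own AUTO-PILOTED Business!
X-Reply-To:  opt1@online-success.com

"""

# Assumption: upstream providers copied from the manual findings in the text.
UPSTREAMS = {
    "207.223.188.108": ["netcom.net"],
    "mooncrater.net": ["alter.net"],
    "online-success.com": ["linkus.com", "netcom.net"],
}

def registered_domain(addr):
    """Last two labels of the address's domain (enough for these .net/.com names)."""
    host = addr.rsplit("@", 1)[-1].strip().strip("<>").lower()
    return ".".join(host.split(".")[-2:])

def analyze(raw):
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    # Only the top Received line was written by our own server, so only it is trusted.
    m = re.match(r"\s*from\s+(\S+)\s+by\s", received[0]) if received else None
    peer = m.group(1) if m else None
    try:
        ipaddress.ip_address(peer)
        bare_ip = True   # client recorded as a bare address, as in this case
    except (ValueError, TypeError):
        bare_ip = False
    domains = [registered_domain(msg[h]) for h in ("From", "X-Reply-To") if msg[h]]
    return {"peer": peer, "bare_ip": bare_ip, "hops": len(received), "domains": domains}

def abuse_recipients(info, extra=("uce@ftc.gov",)):
    seen, out = set(), []
    for key in [info["peer"], *info["domains"]]:
        for provider in UPSTREAMS.get(key, []):
            if provider not in seen:   # netcom.net appears twice; report it once
                seen.add(provider)
                out.append("abuse@" + provider)
    return out + list(extra)
```

A single Received hop with a bare address as the sending host is what marks this message as delivered straight to the server, so there are no relay hops to check for forgery.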

Web page ©1998 by OITC. All rights reserved, USA and Worldwide