This one came directly into our server but from a dial-up account.
Received: from 22.214.171.124 by Your POP/SMTP Server's Address with SMTP (Eudora Internet Mail Server 1.2); Mon, 23 Feb 1998 23:15:21 -0500
From: email@example.com
To: new@Your POP/SMTP Server's Address
Subject: Run Your Own AUTO-PILOTED Business!
X-Reply-To: firstname.lastname@example.org
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Mon, 23 Feb 1998 23:15:21 -0500
Message-ID: <1323846775-648560@Your POP/SMTP Server's Address>

This one looks real hard and it is. They came directly into your mail server! Using Trace Route we find that 126.96.36.199 is a valid netcom.net dial-up address.
Looking further, mooncrater.net obtains its communications from alter.net, a legitimate communications company, but has no Web site of its own - obvious SPAM ISP. Looking at their domain servers at the NIC via whois, we find that they do their own DNS, so there is no further help there.
Next we look at online-success.com, because the body of the message contains a "remove me" clause. Via Trace Route, we find that online-success.com obtains its communications from netcom.net, a legitimate communications company, and, based upon its name, it is an obvious SPAM ISP. Looking at their domain servers at the NIC, we find that they get their DNS from linkus.com. Using our browser, linkus.com seems to be a legitimate ISP. linkus.com gets its DNS from netcom.net.
Now that we have decoded the SPAM, we can take action. We also forward it to the FTC, as the SPAM looks like a get-rich-quick scheme.
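
The header-reading steps above, as an added Python example (not part of the original page): it pulls the connecting IP from the Received line, flags direct delivery into our server, and lists the domains to look up with whois and Trace Route. The server name mail.example.net and the "remove me" body line are constructed stand-ins.

```python
import re
from email import message_from_string

# Constructed sample: the header from the page, with the receiving-server
# placeholder replaced by mail.example.net and a made-up "remove me" body line.
SAMPLE = """\
Received: from 22.214.171.124 by mail.example.net with SMTP (Eudora Internet Mail Server 1.2); Mon, 23 Feb 1998 23:15:21 -0500
From: email@example.com
To: new@mail.example.net
Subject: Run Your Own AUTO-PILOTED Business!
X-Reply-To: firstname.lastname@example.org
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Mon, 23 Feb 1998 23:15:21 -0500
Message-ID: <1323846775-648560@mail.example.net>

To be removed from our list, write to remove@online-success.com
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+)", re.I)
IPV4_RE = re.compile(r"^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")
ADDR_DOMAIN_RE = re.compile(r"[\w.+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def analyze(raw, our_server):
    """Summarise where a message entered our server and which domains it names."""
    msg = message_from_string(raw)
    hops = []
    for line in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(line.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2)))
    # Received lines are prepended, so the first one is the hop into our server.
    peer = hops[0][0] if hops else None
    ip = IPV4_RE.match(peer) if peer else None
    # A single hop, stamped by our own server, naming a bare IP: direct delivery.
    direct = len(hops) == 1 and hops[0][1].lower() == our_server.lower() and bool(ip)
    # From, X-Reply-To and the body are sender-supplied: treat them as leads only.
    text = "\n".join([msg.get("From", ""), msg.get("X-Reply-To", ""), msg.get_payload()])
    found = {d.lower() for d in ADDR_DOMAIN_RE.findall(text)}
    domains = sorted(found - {our_server.lower()})
    return {"peer_ip": ip.group(1) if ip else None, "direct": direct, "domains": domains}

if __name__ == "__main__":
    print(analyze(SAMPLE, "mail.example.net"))
```

Only the Received line written by our own server is trustworthy; every other field is set by the sender, which is why the domains are checked with whois and Trace Route rather than believed.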