How to find where spam is really coming from

First off, use your e-mail program to look at the header. In Outlook
Express, you would click File, then Properties, then click on the tab
Details. This shows you the SMTP envelope.

The SMTP envelope determines where the message really came from. The
identity of the sending SMTP host is on the Received line that follows
the first line or two referring to the receiving SMTP host at Erols. So
the actual line revealing the originating SMTP host reads:
> Received: from orange.aci.net (orange.asatte.com [208.135.27.3] (may
> be forged))

The "(may be forged)" note refers to the headers in the _short headers_,
which follow in the next lines. The first few lines of the expanded
headers, covering Erols and orange.asatte.com, cannot be forged (to my
knowledge), although the mail can be relayed through multiple SMTP hosts
to confuse things.

> Date: Fri, 19 Jun 1998 05:54:23 -0400 (EDT)
> From: frankie@yahoo.com
<snip>
> To: frankie@yahoo.com
> Subject: Very Important
These lines, which will appear in the short headers, are forged and
total shit.

These lines, in the middle ("snip" section above):

> Message-Id: <199806190954.FAA09298@mx03.erols.com>
> Received: from yahoo.com (tc-1-82-rno.aci.net [208.136.114.82])
> by orange.aci.net (Post.Office MTA v3.5 release 215
> ID# 0-51640U1000L1000S0V35) with SMTP id net;
> Fri, 19 Jun 1998 01:03:32 -0700

confirm the originating IP. The stuff about yahoo.com is bullshit,
and just the program repeating the forged "from" header; but the stuff
that follows gives:
the log-on DNS name (dynamic),
the dynamic IP address of the sender at mo.aci.net, and
the time they were logged on, which will absolutely reveal their
identity to their SMTP host, which appears to be their actual ISP.

The ISP host is:
ACI.NET (ignore the subdomain, in case the root domain has something
in front of the base name).

Their dynamically assigned domain name and IP address on Fri, 19 Jun
1998 01:03:32 -0700 was:
tc-1-82-rno.aci.net [208.136.114.82]

The SMTP host is:
orange.aci.net (orange.asatte.com [208.135.27.3]) (see second
paragraph of this email).
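The header-walking described above, as an added example that is not part of the original post: it reads a constructed copy of the quoted headers, trusts only the line our own mail host wrote, follows the chain downward while each "by" host matches the host the line above says handed the message over, and reports the last credible hop's IP. The mx03.erols.com Received line is assumed (the post mentions that hop but does not quote it), and the HELO-or-reverse-DNS matching rule is a heuristic of this example, not something the post states.

```python
import email
import re

# Constructed sample modelled on the headers quoted in this post (newest Received
# line first, as a mail client shows them); the mx03.erols.com line is assumed.
SAMPLE_HEADERS = """\
Received: from orange.aci.net (orange.asatte.com [208.135.27.3] (may be forged))
\tby mx03.erols.com with SMTP id FAA09298; Fri, 19 Jun 1998 05:54:23 -0400 (EDT)
Received: from yahoo.com (tc-1-82-rno.aci.net [208.136.114.82])
\tby orange.aci.net (Post.Office MTA v3.5 release 215
\tID# 0-51640U1000L1000S0V35) with SMTP id net;
\tFri, 19 Jun 1998 01:03:32 -0700
From: frankie@yahoo.com
Subject: Very Important
"""

# "from <HELO name> (<reverse DNS> [<IP>] ...) ... by <receiving host>"
FROM_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[(\d+(?:\.\d+){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def parse_received(value):
    text = " ".join(value.split())              # unfold the continuation lines
    m_from, m_by = FROM_RE.search(text), BY_RE.search(text)
    if not (m_from and m_by):
        return None
    return {"helo": m_from.group(1),            # name the peer announced in HELO (untrusted)
            "rdns": m_from.group(2),            # reverse lookup made by the receiving MTA
            "ip": m_from.group(3),              # peer address the receiving MTA actually saw
            "by": m_by.group(1).rstrip(";,"),
            "may_be_forged": "may be forged" in text}

def trace_origin(raw_headers, my_domain):
    # Only the line our own MTA wrote is a hard fact. Each lower line is accepted
    # only if the host it claims to be written "by" is the host the line above says
    # handed over the message; everything below a break in the chain is ignored.
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin, trusted = None, 0
    for i, hop in enumerate(hops):
        if hop is None or (i == 0 and not hop["by"].endswith(my_domain)):
            break
        if i > 0 and hop["by"] not in (hops[i - 1]["helo"], hops[i - 1]["rdns"]):
            break
        origin, trusted = hop, i + 1
    return {"origin_ip": origin and origin["ip"],
            "origin_rdns": origin and origin["rdns"],
            "claimed_helo": origin and origin["helo"],
            "hops_trusted": trusted,
            "from_header": msg["From"]}         # shown only for contrast: trivially forged
```

Running `trace_origin(SAMPLE_HEADERS, "erols.com")` yields origin 208.136.114.82 (tc-1-82-rno.aci.net) with yahoo.com as the announced but unverified name, and the From: line plays no part in the result.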

A "whois" provides the following info:
http://rs.internic.net/cgi-bin/whois?aci.net

Arrow Crab Internet, Inc. ACI4-DOM
200 South Virginia Street
Suite 500
Reno, NV 89501
us

Domain Name: ACI.NET

Administrative Contact, Technical Contact, Zone Contact:
Radford, Fred FR18 fred@ACI.NET
7027865900 (FAX) 702.332.6559
Billing Contact:
Radford, Fred FR18 fred@ACI.NET
7027865900 (FAX) 702.332.6559
(whois can also be done through telnet with the "whois" command)

An "nslookup" on the dynamic IP address also confirms the actual
ISP, and the IP address of his dynamic connection on Fri, 19 Jun 1998
01:03:32 -0700:
http://www.infobear.com/nslookup-form.cgi

Name: tc-1-82-rno.aci.net
Address: 208.136.114.82
(nslookup can also be done through telnet with the "nslookup"
command)

Suggestions would be to send complaints to:
root@aci.net
spam@aci.net
postmaster@aci.net

If you get no response (you should, but note they are in Reno NV, and
may be selling low moral conduct [recent federal law does apply to
Nevada, regardless of local statutes]), send email to:
Administrative Contact, Technical Contact, Zone Contact:
Radford, Fred FR18 fred@ACI.NET
7027865900 (FAX) 702.332.6559
and
Billing Contact:
Radford, Fred FR18 fred@ACI.NET
7027865900 (FAX) 702.332.6559

You can also send "Fred" a fax if you want, since a fax number is
provided.

If this still gets no response, a "dig" (telnet only) provides info
on their apparent upstream provider:
dig aci.net

aci.net. 10800 A 208.136.112.7

;; AUTHORITY RECORDS:
aci.net. 10800 NS ns1.nameservice.net.
aci.net. 10800 NS ns2.nameservice.net.

;; ADDITIONAL RECORDS:
ns1.nameservice.net. 10800 A 209.151.204.5
ns2.nameservice.net. 10800 A 208.135.27.67

BTW, you can get the same info, in abbreviated form, in a "whois".

A "whois" on "nameservice.net" reveals the tech and billing
contact are still "fred@aci.net". It also seems to indicate that they
are providing their own DNS service, so the path ends there for the
moment.

A dig also indicates they are running their own DNS server, and
offhand they seem to have a direct backbone connection.

If no result comes from mailing "fred", after first mailing
postmaster, spam, and root at aci.net, you can still find
aci.net's (nameservice.net) actual upstream provider. Offhand, it
appears they have a direct connection to the backbone, and their
upstream backbone provider (MCI or UUNet or whatever) may or may not
have a proactive policy toward spammers.

At any rate, this is where you start, and usually deep enough to end.

And you always have "Fred's" voice, fax, and address at:
http://rs.internic.net/cgi-bin/whois?FR18

- Courtesy of Neil Alexander
http://www.conjuror.com