Re: DANGEROUS PERSISTENT EMAIL SPAMMER HELP

From: Kevin Martin (cannon@nic.com)
Date: Mon, 7 Apr 1997 11:50:14 -0400 (EDT)

Please visit the newsgroup news.admin.net-abuse.email for more help. It's
noisy as hell, but the tools are there.

FWIW, "Extractor" is spam-ware, and its mere presence in the header is
enough reason to junk the message.

The From: header with a colon is essentially meaningless. (I could make
this message appear to be "From: dvader@deathstar.mil" with little or no
effort.) The SMTP envelope "From " that every message begins with (note
no colon) is a bit more difficult to forge, but the IP addresses inside
the header are still your best bet.

The sickening part is that this guy may not have an account at any
of the ISP's you can identify -- he may be finding an open port, injecting
his mail, and bouncing it off one or more sites before it gets to you.

See http://www.io.com/~johnbob/jmfilter for a Perl tool that does for
mail what trnkill does for news. Highly recommended if you have a shell,
as many Yarn users still do.

On Mon, 7 Apr 1997, Robert Keith Elias wrote:
> > Received: from mail1.bellatlantic.net (mail1.bellatlantic.net
> > [199.45.32.38]) by clic1.qbc.clic.net (8.7.6/8.7.3) with ESMTP
> > id GAA05587 for <kelias@clic.net>; Mon, 7 Apr 1997 06:50:47
> > -0400 (EDT)

Try "abuse@bellatlantic.net" or "postmaster@bellatlantic.net" - and
phrase it as "You have a security issue", which it is. They shouldn't
be relaying mail that didn't originate from their site or one of their
customers.

> > From: EXTRACTOR@NOREPLY.COM
> > Received: from MAIL1.BELLATLANTIC.NET (wil-de1-07.ix.netcom.com
> > [205.184.17.39]) by mail1.bellatlantic.net (8.7.5/8.7.3) with

Oh, goody. This guy is playing with fire; forging machine names this way
is the closest Sanford "SPIT!" Wallace ever came to going to *jail.* I
hope he continues to be this stupid.

Note that you DON'T put in the last block of digits when asking whois
about a block of addresses:

$ whois 205.184.17
NETCOM On-Line Communication Services, Inc (NETBLK-NETCOM-BLK)
3031 Tisch Way, Lobby Level
San Jose, CA 95128

Netname: NETCOM-BLK
[snip]
Coordinator:
NETCOM Hostmaster (NETCOM-HM) hostmaster@NOC.NETCOM.NET
(408) 551-2160

Yep, it's really Netcom. But I happen to know their abuse address is
"abuse@netcom.com".

Let's see, what else can we figure out?

> > SMTP id GAA12405; Mon, 7 Apr 1997 06:46:21 -0400 (EDT)

> > Received: from
> > mailhost.noreply.com(ppp3.noreply.com(204.78.5.102)) by
> > noreply.com (8.8.5/8.6.5) with SMTP id GAA09282 for
> > <you@yourdomain.com>; Mon, 07 Apr 1997 06:32:08 -0600 (EST)

This line looks like unadulterated BS, thrown in just to cloud the issue.
Note the IP address is in parentheses rather than square brackets, and
there's no space between "noreply.com" and the "(204". Fake, fake, fake.

But do a "whois 204.78.5" just in case, and a "traceroute 204.78.5.102"
to see who their upstream provider is. Mailspam is against the TOS at
MCI, ATT, and supposedly at Sprint (though they're slower than molasses to
act on complaints).

$ whois 204.78.5
Eastern College (NETBLK-EASTERNCOLL)
St. Davids, PA 19087

Netname: EASTERNCOLL
Netblock: 204.78.0.0 - 204.78.15.0

Coordinator:
Wily, Marjorie (MW100) mwily@EASTERN.EDU
(610) 341-5855

Looks like an innocent bystander to me, but you could drop her a note.
(Whenever contacting a postmaster, assume they're a victim unless their
reply makes it clear they're an unindicted co-conspirator. Yelling "Are
not!"/"Am too!" doesn't do any good -- move up the ladder to the next
distinct entity on the traceroute.) She should be quite upset that
someone is using *HER* IP address on mail spam -- and if you ever catch
the bastard, she definitely has standing to sue him.

And PLEASE don't quote the whole damn' thing; the verbose headers are
plenty. (23 friggin' kb.... mutter grumble kvetch)

-- 
I don't have to boil them in oil first, I don't need to gloat over them as
they scream in horror; just let me do the Mozambique drill and walk away 
quietly. "Two in chest, one in head, leave the bastard nice and dead."
   - from an unpublished novel.  That's my story and I'm sticking to it.
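The header checks the reply walks through by hand (IP in parentheses instead of square brackets, no space before the "(", a HELO name that claims to be the receiving server, and a "by" host that doesn't match what the next relay actually saw) can be mechanised. The following is an added example, not code from the post; its regex assumes the sendmail-style "from X (rdns [ip]) by Y" layout shown in the quoted headers.

```python
import re

# The three Received: values quoted in the post, kept as they appear there.
SAMPLE_RECEIVED = [
    "from mail1.bellatlantic.net (mail1.bellatlantic.net [199.45.32.38]) by clic1.qbc.clic.net (8.7.6/8.7.3) with ESMTP id GAA05587 for <kelias@clic.net>; Mon, 7 Apr 1997 06:50:47 -0400 (EDT)",
    "from MAIL1.BELLATLANTIC.NET (wil-de1-07.ix.netcom.com [205.184.17.39]) by mail1.bellatlantic.net (8.7.5/8.7.3) with SMTP id GAA12405; Mon, 7 Apr 1997 06:46:21 -0400 (EDT)",
    "from mailhost.noreply.com(ppp3.noreply.com(204.78.5.102)) by noreply.com (8.8.5/8.6.5) with SMTP id GAA09282 for <you@yourdomain.com>; Mon, 07 Apr 1997 06:32:08 -0600 (EST)",
]

# Assumed layout: "from HELO (RDNS [IP]) by HOST ...". The IP delimiter is
# captured so a forged "(ip)" can be told apart from sendmail's "[ip]".
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+?)\s*\((?P<rdns>[^\s\[\(]*)\s*"
    r"(?P<open>[\[\(])(?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\]\)]\)?\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hop(header):
    """Pull HELO name, reverse-DNS name, IP, receiving host and two format hints."""
    text = header.strip()
    m = HOP_RE.match(text)
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"],
            "bracketed": m["open"] == "[",          # sendmail writes [ip]
            "spaced": text[m.end("helo")] == " "}   # sendmail writes "host ("


def audit_received(headers):
    """Walk Received: lines newest to oldest; return a list of findings per hop."""
    hops = [parse_hop(h) for h in headers]
    findings = []
    for i, hop in enumerate(hops):
        if hop is None:
            findings.append(["unparseable Received: line"])
            continue
        notes = []
        if not hop["bracketed"]:
            notes.append("IP in parentheses, not [brackets]: not sendmail's format")
        if not hop["spaced"]:
            notes.append("no space between HELO name and '(': not sendmail's format")
        if hop["helo"].lower() == hop["by"].lower() != hop["rdns"].lower():
            notes.append("HELO name impersonates the receiving host itself")
        # The older hop's "by" host should be the machine this relay saw connecting.
        if i + 1 < len(hops) and hops[i + 1] is not None:
            older_by = hops[i + 1]["by"].lower()
            if older_by != hop["rdns"].lower():
                notes.append(f"chain break: older hop claims delivery via {older_by}, "
                             f"but this relay saw {hop['rdns']} [{hop['ip']}]")
        findings.append(notes)
    return findings
```

Run `audit_received(SAMPLE_RECEIVED)`: the top hop is clean, the Netcom hop is flagged for impersonating mail1.bellatlantic.net and for not matching the noreply.com line beneath it, and the noreply.com line is flagged on both format hints.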