On Wed, 24 Aug 2005, Steve Phillips wrote:

> Jessica Zhu wrote:
> > Hi Steve,
> >
> > Below is one. It is from mx.maria.choppy.com.cl, right? I guess I have to
> > scan all the bounces. It will be really time consuming.
> >
> > Date: Wed, 24 Aug 2005 03:43:57 +0800 (CST)
> > From: Mail Delivery Subsystem <MAILER-DAEMON@xxxxxxxxxxxxxx>
> > To: Jessica@xxxxxxxxxxxxx
> > Subject: Returned mail: Service unavailable
> >
> > The original message was received at Wed, 24 Aug 2005 03:43:52 +0800 (CST)
> > from [211.106.177.167]
> >
> > ----- The following addresses had permanent fatal errors -----
> > <chingyu7@xxxxxxxxxxxxxx>
> >
> > ----- Transcript of session follows -----
> > mail.local: /var/mail/c/chingyu7: Disc quota exceeded
> > 554 <chingyu7@xxxxxxxxxxxxxx>... Service unavailable
> >
> > ----- Original message follows -----
> >
> > Return-Path: <Jessica@xxxxxxxxxxxxx>
> > Received: from 168.95.5.28 ([211.106.177.167])
> >     by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
> >     Wed, 24 Aug 2005 03:43:52 +0800 (CST)
> > Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
> >     by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
> >     for <Jessica@xxxxxxxxxxxxx>; Wed, 24 Aug 2005 01:38:50 +0500
>
> These are the important lines.
>
> It should also be noted that as spammers forge these lines the first one
> is generally the only one that can be trusted, but let's follow them all
> as an example.
>
> The above says
>
> "Mail originated from a machine that thought it was called
> 24-138.F.dial.o-tel-o.net but was mx.maria.choppy.com.cl and was received
> by mx.maria.munich.com.cl"
>
> The next line reads
>
> "Mail originated from a machine that called itself 168.95.5.28 but was
> in fact 211.106.177.167 and was received by ms28.hinet.net"
>
> From this we can tell that either the first received line is bogus or
> somehow the message magically jumped from Chile to the USA (which is
> unlikely)
>
> As a result, the only _real_ information we have is that the spam
> originated from 211.106.177.167, which was also trying to lie about its
> identity by calling itself 168.95.5.28 (which is actually the IP of
> ms28.hinet.net)
>
> 211.106.177.167 is a Korean network block, and looking up via APNIC
>
> whois 211.106.177.167@xxxxxxxxxxxxxxx
>
> produces..
>
> # ENGLISH
>
> KRNIC is not a ISP but a National Internet Registry similar to APNIC.
> The followings are information of the organization that is using the
> IPv4 address.
>
> IPv4 Address : 211.106.177.0-211.106.177.255
> Network Name : KORNET-INFRA000001
> Connect ISP Name : KORNET
> Connect Date : 20031129
> Registration Date : 20031209
>
> [ Organization Information ]
> Organization ID : ORG1600
> Org Name : Korea Telecom
> State : GYUNGGI
> Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code : 463-711
>
> [ Admin Contact Information]
> Name : IP Administrator
> Org Name : Korea Telecom
> State : GYUNGGI
> Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code : 463-711
> Phone : +82-2-3674-5708
> Fax : +82-2-747-8701
> E-Mail : ip@xxxxxxxxxxxxx
>
> [ Technical Contact Information ]
> Name : IP Manager
> Org Name : Korea Telecom
> State : GYUNGGI
> Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code : 463-711
> Phone : +82-2-3674-5708
> Fax : +82-2-747-8701
> E-Mail : ip@xxxxxxxxxxxxx
>
> This could potentially create problems for you unless you are versed in
> Korean. I would try to send an e-mail to them and hope that someone
> there understands the language you compose your e-mail in. Failing this,
> you may want to redirect a bunch of these messages to the admin and
> technical contacts (which happen to be the same address) and hope there
> is someone there that understands e-mail headers.
>
> You should also examine the other messages however as you may find that
> this box (211.106.177.167) is a compromised machine that is being used
> to relay spam and hide the real person.
>
> In this case you are going to have a major job tracking these people
> down - if this is the case try to find an address range used that
> originated in a country that you speak the language of fluently and try
> calling them - they may be able to help you track down the actual
> originator of these messages and you can then either pursue legal
> proceedings or request their real ISP to shut them down.
>
> However, the problem can get worse, if the spam is originating from a
> "spam gang" then you are pretty much out of luck and will either have to
> shut down the domain or buy a bigger box to cope with the attack.
> Eventually the spam will stop..

Appreciate it, Steve. I will try to contact them and will also consider
getting another big box if our current one cannot cope with the situation.
If I get another one, I'd like to set up multiple layers on it to scan for
viruses and spam and to prevent forgery. Do you guys have any structure
suggestions for this?

Jessica

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
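Steve's procedure above, reading the Received lines from the top, comparing what each host claimed with what the receiving server actually saw, and trusting only the first line once the chain no longer fits together, as an added Python example that is not part of the original thread. The sample headers are the two quoted in the bounce; `KNOWN_ADDRESSES`, `Hop`, `parse_received` and `trace` are names chosen here, and the address table stands in for a DNS lookup, holding only the one fact Steve gives (168.95.5.28 is ms28.hinet.net).

```python
import re
from collections import namedtuple
# Constructed sample: the two Received headers quoted in the bounce above (masking kept).
SAMPLE_HEADERS = """\
Received: from 168.95.5.28 ([211.106.177.167])
    by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
    Wed, 24 Aug 2005 03:43:52 +0800 (CST)
Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
    by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
    for <Jessica@xxxxxxxxxxxxx>; Wed, 24 Aug 2005 01:38:50 +0500
"""
# Stand-in for a DNS lookup; holds only the fact Steve states: 168.95.5.28 is ms28.hinet.net.
KNOWN_ADDRESSES = {"ms28.hinet.net": "168.95.5.28"}
# helo: name the sender claimed (forgeable); observed: what the receiver saw; by: who wrote it.
Hop = namedtuple("Hop", "helo observed by")

# Covers the sendmail form "from <helo> ([ip])" and the Estfix form "from <observed> (HELO <helo>)".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<first>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r".*?\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def parse_received(raw: str) -> list:
    """Unfold continuation lines, then turn each Received header into a Hop."""
    unfolded = re.sub(r"\n[ \t]+", " ", raw).splitlines()
    hops = []
    for m in filter(None, map(RECEIVED_RE.match, unfolded)):
        if m.group("helo"):  # "(HELO x)" form: first token is what was observed
            hops.append(Hop(m.group("helo"), m.group("first"), m.group("by")))
        else:                # sendmail form: first token is the claim, IP in brackets
            hops.append(Hop(m.group("first"), m.group("ip") or m.group("first"), m.group("by")))
    return hops

def same_host(a: str, b: str) -> bool:
    return a == b or KNOWN_ADDRESSES.get(a) == b or KNOWN_ADDRESSES.get(b) == a

def trace(raw: str) -> dict:
    """Walk hops newest-first: the sender one hop observed must be the host that
    wrote the next header down; at the first mismatch the rest is untrusted."""
    hops = parse_received(raw)
    if not hops:
        raise ValueError("no Received headers found")
    kept = 1  # the topmost header was written by the receiving side, so it is trusted
    while kept < len(hops) and same_host(hops[kept - 1].observed, hops[kept].by):
        kept += 1
    origin = hops[kept - 1]  # last hop we can still rely on
    return {"origin_ip": origin.observed, "claimed_name": origin.helo,
            "helo_is_receiver": same_host(origin.helo, origin.by),
            "untrusted_hops": len(hops) - kept}
```

On the sample this reports 211.106.177.167 as the origin, flags its HELO name as the receiving server's own address, and marks the Chilean hop below it as untrusted.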