Bogus Email- Need help to do detective work

John Thompson JohnThompson at new.rr.com
Sun Mar 28 16:37:20 UTC 2004


On Sun, 28 Mar 2004 10:01:35 -0500
jim tate <mickeyboa at comcast.net> wrote:

> I have been receiving bogus emails asking me to sign on to my bank account,
> so someone can get my userid and password.
> My bank says these are bogus emails and not to respond to them.
> I have been receiving them in Mozilla mail.
> How can I tell where these emails will return to, and should I reply or
> respond to the info requested?

Look at the headers (go to "View...Headers...All" in Mozilla).  The last "Received:" header will tell you the originating system.  Here's a typical spam on my system:

Received: from ms-smtp-03.rdc-kc.rr.com (ms-smtp-03.rdc-kc.rr.com [24.94.166.129])
	by amayatra.os2.dhs.org (8.12.11/8.12.8) with ESMTP id i2PFLA1s030205
	for <john at os2.dhs.org>; Thu, 25 Mar 2004 09:21:10 -0600 (CST)
	(envelope-from vxxcek at jcpenney.com)
Received: from ms-mss-01 ([10.15.8.21])
	by ms-smtp-03.rdc-kc.rr.com (8.12.10/8.12.7) with ESMTP id i2OB7dtq019845
	for <john at os2.dhs.org>; Wed, 24 Mar 2004 05:07:39 -0600 (CST)
Received: from ms-mta-01 (ms-mta-01-smtp [10.15.8.71])
 by ms-mss-01.rdc-kc.rr.com
 (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8 2003))
 with ESMTP id <0HV2007VRUWRZB at ms-mss-01.rdc-kc.rr.com> for john at os2.dhs.org
 (ORCPT johnthompson at new.rr.com); Wed, 24 Mar 2004 05:07:39 -0600 (CST)
Received: from kcmx03.mgw.rr.com (kcmx03.mgw.rr.com [24.94.165.192])
 by ms-mta-01.rdc-kc.rr.com
 (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8 2003))
 with ESMTP id <0HV2002HAUWRCP at ms-mta-01.rdc-kc.rr.com> for
 johnthompson at new.rr.com (ORCPT johnthompson at new.rr.com); Wed,
 24 Mar 2004 05:07:39 -0600 (CST)
Received: from 218-162-16-57.HINET-IP.hinet.net
 ([218.162.16.57])
	by kcmx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id i2OB7XUp029336	for
 <johnthompson at new.rr.com>; Wed, 24 Mar 2004 06:07:35 -0500 (EST)
Date: Wed, 24 Mar 2004 16:06:56 +0500
From: Jeffry Price <vxxcek at jcpenney.com>
Subject: Fwd: Get Any Pills. Our Doctors Write Prescriptions. Overnight FedEx. Secure. Discreet
To: johnthompson at new.rr.com

The last Received: header shows that the email came from "218-162-16-57.HINET-IP.hinet.net" (IP address 218.162.16.57).  Feed this IP address into "whois" to find out who is responsible for this spam:

[john at starfleet john]$ whois 218.162.16.57
[Querying whois.apnic.net]
[Redirected to whois.twnic.net]
[Querying whois.twnic.net]
[whois.twnic.net]
Chunghwa Telecom Data communication Business Group
   No.21, Hsin-Yi Rd., sec. 1
   Taipei
   TW

   Netname: HINET-NET
   Netblock: 218.162.0.0/15

   Administrator contact:
      Chung Yung Kang (CYK-TW) cykang at ms1.hinet.net
      +886-2-2322-3442

   Technical contact:
      Chung Yung Kang (CYK-TW) cykang at ms1.hinet.net
      +886-2-2322-3442

You can complain to the contacts listed, but I don't recommend trusting them.  In many cases this will simply confirm your address as "live" and put you on more spam lists.  Alternatively, you can forward the entire spam (all headers included) to your ISP, your bank, and the federal government's spam report address: uce at ftc.gov 

Unless there's obvious fraud involved, I just use the information to feed my spam filter so the next one gets dumped before it hits my Inbox.


-- 

-John (JohnThompson at new.rr.com)
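
The header-reading procedure above, as an added example that is not part of the original post: a small Python parser that unfolds the Received: chain, reports the bottom hop the way the post does (`received_chain(...)[-1]`), and adds the check a defender wants, which is to count only hops stamped by relays you know, since a sender can pre-write fake Received: lines beneath the real ones. The sample headers are constructed from the chain quoted above, and the trusted-suffix sets are assumptions about whose relays you recognise.

```python
import re

# Sample constructed from the Received: chain quoted above (addresses un-munged, trimmed).
SAMPLE_HEADERS = """\
Received: from ms-smtp-03.rdc-kc.rr.com (ms-smtp-03.rdc-kc.rr.com [24.94.166.129])
  by amayatra.os2.dhs.org (8.12.11/8.12.8) with ESMTP id i2PFLA1s030205
Received: from kcmx03.mgw.rr.com (kcmx03.mgw.rr.com [24.94.165.192])
  by ms-mta-01.rdc-kc.rr.com with ESMTP id <0HV2002HAUWRCP@ms-mta-01.rdc-kc.rr.com>
Received: from 218-162-16-57.HINET-IP.hinet.net
  ([218.162.16.57])
  by kcmx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id i2OB7XUp029336
From: Jeffry Price <vxxcek@jcpenney.com>
"""

def unfold_headers(raw):
    # Join folded continuation lines (leading whitespace) into (name, value) pairs.
    fields = []
    for line in raw.splitlines():
        if line[:1].isspace() and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            fields.append(tuple(p.strip() for p in line.split(":", 1)))
    return fields

def received_chain(raw):
    # One (claimed 'from' host, bracketed IP or None, 'by' host) per Received: header,
    # top-down: the top hop was stamped by our own MTA, the bottom one by the sender's.
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        parts = re.split(r"\s+by\s+", value, maxsplit=1)
        from_m = re.match(r"from\s+(\S+)", parts[0])
        ip_m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", parts[0])
        by_host = parts[1].split()[0] if len(parts) > 1 else "?"
        hops.append((from_m.group(1) if from_m else "?",
                     ip_m.group(1) if ip_m else None, by_host))
    return hops

def trusted_origin(raw, trusted_suffixes):
    # Walk down only while the 'by' host belongs to a relay we trust (our own or our
    # ISP's); the last such hop's 'from' host is the origin the headers actually support.
    origin = None
    for hop in received_chain(raw):
        if not any(hop[2] == s or hop[2].endswith("." + s) for s in trusted_suffixes):
            break
        origin = hop
    if origin is None:
        raise ValueError("no Received: header was stamped by a trusted relay")
    return origin
```

With only your own host trusted the answer is your ISP's relay, which is who you would ask next; trusting the ISP's relays as well carries the trace through to the hinet.net address the post feeds into whois.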