[VHFcontesting] Re: Why we ... YADA YADA YADA

David Vondrasek n5ito at davidv.net
Mon Jul 28 15:39:10 EDT 2003


At 03:20 PM 7/28/2003 -0400, you wrote:
>Hey Guys,
>
>Welcome to the internet.   It IS a spoof.   Take a look at the 
>headers and notice the underlined sections:

Let's read the headers the correct way...  comments below.

>>Received: from contesting.com [216.1.128.73] by nt030203-107137 with ESMTP
>>  (SMTPD32-8.00) id A33DA910020; Mon, 28 Jul 2003 10:54:05 -0700
>>Received: from dayton.akorn.net (localhost [127.0.0.1])
>>        by contesting.com (8.12.9/8.12.9) with ESMTP id h6SHsCn5016804;
>>        Mon, 28 Jul 2003 13:54:16 -0400

Above is correct and not of any concern. It's the list's server.

>>Received: from spf13.us4.outblaze.com (205-158-62-67.outblaze.com
>>        [205.158.62.67])
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>And just who is Outblaze.com?  A whois search results:


Outblaze is a free email service and will NUKE this account
if complaints are filed. The abuse type God is  Suresh
and can be contacted via abuse at outblaze.com
They are NOT at fault.

>So, Kip is routing his email via a company in Hong Kong?  I don't think so.

Well yes he is.. It's a forwarding service.. And perfectly valid..
Keep going down..

>>        by contesting.com (8.12.9/8.12.9) with ESMTP id h6SHrxn4016564
>>        for <vhfcontesting at contesting.com>; Mon, 28 Jul 2003 13:53:59 -0400
>>Received: from 205-158-62-68.outblaze.com (205-158-62-68.outblaze.com
>>        [205.158.62.68])
>>        by spf13.us4.outblaze.com (Postfix) with QMQP id 82EC41800770
>>        for <vhfcontesting at contesting.com>;
>>        Mon, 28 Jul 2003 17:53:58 +0000 (GMT)
>>Received: (qmail 88944 invoked from network); 28 Jul 2003 17:53:54 -0000
>>Received: from unknown (HELO ws1-12.us4.outblaze.com) (205.158.62.81)
>>  by 205-158-62-153.outblaze.com with SMTP; 28 Jul 2003 17:53:54 -0000
>>Received: (qmail 94651 invoked by uid 1001); 28 Jul 2003 17:53:52 -0000
>>Message-ID: <20030728175352.94650.qmail at mail.com>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>Next, we see that the mail originated on another free email service,
>mail.com.

Mail.com *is* Outblaze. They own mail.com as well as several thousand
other free email redirectors. Still a valid path line..


>Using an anonymous mail account routed via Hong Kong is a typical footprint for
>an email spammer.

Not in this case.. But you're right...

>No problem, except the address used in the email is an address on usa.com. The
>mail should have come from an account on a usa.com server.

It did. usa.com = outblaze.com = mail.com

The part you DIDN't leave of the header is the TRUE sender's IP address.
That would be this part at the bottom.

X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [12.109.148.178] by ws1-12.us4.outblaze.com with http for
    n2xre at usa.com; Mon, 28 Jul 2003 12:53:51 -0500

The original person is using the IP of 12.109.148.178 and he gave it to
outblaze.com to be forwarded. This is the sender..

This belongs to these people

REGUS BUSINESS CENTRE CO REGUS-BU64-148-128 (NET-12-109-148-128-1)
                                  12.109.148.128 - 12.109.148.191

OrgName:    REGUS BUSINESS CENTRE CO
OrgID:      RBC-36
Address:    13800 COPPERMINE ROAD
City:       HERNDON
StateProv:  VA
PostalCode: 20171
Country:    US

NetRange:   12.109.148.128 - 12.109.148.191
CIDR:       12.109.148.128/26
NetName:    REGUS-BU64-148-128
NetHandle:  NET-12-109-148-128-1
Parent:     NET-12-0-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2002-05-19
Updated:    2002-05-19

TechHandle: JS971-ARIN
TechName:   SMITH, JIM
TechPhone:  +1-914-304-4147
TechEmail:  jsmith at regususa.com

Now.. let's see who comes out of the woodwork...

This also matches a previous post

X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [12.109.148.178] by ws1-12.us4.outblaze.com with http for
    n2xre at usa.com; Mon, 28 Jul 2003 12:53:51 -0500
From: "Kip K." <n2xre at usa.com>
To: vhfcontesting at contesting.com
Date: Mon, 28 Jul 2003 12:53:51 -0500
X-Originating-Ip: 12.109.148.178
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
X-Originating-Server: ws1-12.us4.outblaze.com
Subject: [VHFcontesting] Re: Why we ... YADA YADA YADA
X-BeenThere: vhfcontesting at contesting.com
X-Mailman-Version: 2.1


Dave
- I do this for a living folks....
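
Added example, not part of the original post: a Python sketch of the header walk described above, generalized to start at the newest Received line and stop at the first peer outside a set of trusted relay networks, because any line below that point was supplied by the sender. The headers are abridged from the ones quoted in the post; the TRUSTED list is an assumption made for this illustration.

```python
import email
import ipaddress
import re

# Abridged from the headers quoted in the post (newest hop first).
RAW = """\
Received: from contesting.com [216.1.128.73] by nt030203-107137 with ESMTP
  (SMTPD32-8.00) id A33DA910020; Mon, 28 Jul 2003 10:54:05 -0700
Received: from dayton.akorn.net (localhost [127.0.0.1])
        by contesting.com (8.12.9/8.12.9) with ESMTP id h6SHsCn5016804;
        Mon, 28 Jul 2003 13:54:16 -0400
Received: from spf13.us4.outblaze.com (205-158-62-67.outblaze.com
        [205.158.62.67])
        by contesting.com (8.12.9/8.12.9) with ESMTP id h6SHrxn4016564;
        Mon, 28 Jul 2003 13:53:59 -0400
Received: from unknown (HELO ws1-12.us4.outblaze.com) (205.158.62.81)
  by 205-158-62-153.outblaze.com with SMTP; 28 Jul 2003 17:53:54 -0000
Received: (qmail 94651 invoked by uid 1001); 28 Jul 2003 17:53:52 -0000
Received: from [12.109.148.178] by ws1-12.us4.outblaze.com with http;
    Mon, 28 Jul 2003 12:53:51 -0500
X-Originating-Ip: 12.109.148.178

"""
# Assumption: relay networks the reader trusts (list server, loopback, webmail).
TRUSTED = [ipaddress.ip_network(n) for n in
           ("216.1.128.73/32", "127.0.0.0/8", "205.158.62.0/24")]
HOP = re.compile(r"^from (.*?) by (\S+)")
ADDR = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def hops(raw):
    """Received hops, newest first, as (peer_ip, recording_host) or (None, None)."""
    out = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.match(" ".join(value.split()))      # unfold continuation lines
        ip = ADDR.search(m.group(1)) if m else None
        out.append((ip.group(1) if ip else None, m.group(2) if m else None))
    return out

def origin_ip(raw):
    """First peer outside TRUSTED, walking down from the newest hop.

    Everything below that hop was supplied by the sender and proves nothing."""
    for ip, _ in hops(raw):
        if ip and not any(ipaddress.ip_address(ip) in n for n in TRUSTED):
            return ip
    return None

def matches_x_originating_ip(raw):
    """True when the walked origin agrees with the webmail's X-Originating-Ip."""
    msg = email.message_from_string(raw)
    return origin_ip(raw) == (msg["X-Originating-Ip"] or "").strip()
```

A Received line forged underneath the real submission hop does not change the result, whereas simply taking the bottom-most line would return the forged address.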


