Thank you for taking the time to fight SPAM!
Rest assured the domain deuce.com did *not* send you SPAM.
Most likely the name "deuce" was forged on the email in
question with something like "mailserver.deuce.com".
In fact, deuce.com has no servers of its own; it is
simply a personal (vanity) nameplate.
If you are interested, please read on to find out how you
can easily determine where a SPAM email came from (or any
email for that matter). You will be much more effective if
you send a complaint to the correct place. Most ISPs today
are very good about dealing with SPAM.
Regards,
steve@deuce.com
-----------------------------------------------
How to Figure out where a SPAM email came from
This is something that I wrote myself.
At the end I have listed some good sites
about dealing with SPAM that I recommend.
-----------------------------------------------
Look at the headers of the original SPAM email
(here is an example of an actual SPAM):
Return-Path: <>
Received: from mailserver.deuce.com (2Cust55.tnt20.lax3.da.uu.net [208.255.121.55])
    by camel9.mindspring.com (8.8.5/8.8.5) with SMTP id LAA05079;
    Thu, 3 Dec 1998 11:11:28 -0500 (EST)
Message-ID: <24786.33507@mailserver.deuce.com>
From: <>
Subject: Dream Getaway -- Yours (64817)
Date: Thu, 03 Dec 1998 08:06:42 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
You are looking for the specific line:
Received: from mailserver.deuce.com (2Cust55.tnt20.lax3.da.uu.net [208.255.121.55])
Depending on your email program you might have to turn on an option
that shows you all the headers rather than just the basic ones.
In this example it looks like "mailserver.deuce.com" is the sender,
but this is actually forged, and usually a non-existent name is used
so that replies don't work. You want to look at the IP number rather
than the name, in this case [208.255.121.55]. This will tell you
which server sent the email. Hopefully the owner of that server
can track down the actual user who sent the SPAM.
Also, when there are two hostnames, the one in (parentheses) is
usually the correct one, and the IP address in [square-brackets] is almost
always correct. Look up the IP number in the [ ] not the hostname.
You can pretty much disregard any other addresses given in other headers,
or in the mail itself, as those are normally used for "cover."
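The same reading of the Received line can be done in code. This is an added
example, not part of the original write-up: a small Python parser that pulls
the claimed name, the name in (parentheses) and the IP in [square-brackets]
out of each Received header and flags a claimed name that does not match.
The regular expression assumes the header layout of the sample above; other
mail servers write the line differently.

```python
import re
from email import message_from_string

# Sample headers copied from the example on this page (body line is constructed).
SAMPLE = """\
Return-Path: <>
Received: from mailserver.deuce.com (2Cust55.tnt20.lax3.da.uu.net [208.255.121.55])
\tby camel9.mindspring.com (8.8.5/8.8.5) with SMTP id LAA05079;
\tThu, 3 Dec 1998 11:11:28 -0500 (EST)
Message-ID: <24786.33507@mailserver.deuce.com>
From: <>
Subject: Dream Getaway -- Yours (64817)

body
"""

# "from <claimed> (<rdns> [<ip>]) by <receiver>", as written by the receiving server.
# The rdns part is optional: some servers log only "([ip])" when no name resolves.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.I)

def parse_received(value):
    """Return claimed name, looked-up name, IP and receiving host, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    hop = m.groupdict()
    # The claimed name is whatever the sender typed; the name in parentheses
    # is what the receiving server looked up for the connecting IP.
    hop["claimed_matches"] = (hop["rdns"] or "").lower() == hop["claimed"].lower()
    return hop

def trace(raw_message):
    """Parse every Received header, in the order they appear (top first)."""
    msg = message_from_string(raw_message)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]

if __name__ == "__main__":
    for hop in trace(SAMPLE):
        print(hop)
```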
If you want to check the host name, to see if it exists, use nslookup.
This will confirm that the domain name is forged.
There are nslookup tools on the web (go to Yahoo and search for nslookup).
Here is a good one that I use: http://www.infobear.com/nslookup-form.cgi
Output of: nslookup mailserver.deuce.com
*** ns.digiweb.com can't find mailserver.deuce.com: Non-existent host/domain
Server: ns.digiweb.com
Address: 206.161.225.3
Note - nslookup first returns the name of the server that did the search,
and then what you were looking for. If a match is made it will follow
with specific information, like this (now plug in the IP number 208.255.121.55):
Output of: nslookup 208.255.121.55
Server: ns.digiweb.com
Address: 206.161.225.3
Name: 2Cust55.tnt20.lax3.da.uu.net
Address: 208.255.121.55
Now you have the actual server/IP and real name that the SPAM came from.
To find more information on that specific server/IP use whois.
I like to use this one: http://www.arin.net/whois/arinwhois.html
Note: if this fails you might check the Euro version of this,
just back up a page and there is a tool for this as well.
Here is the output of 208.255.121.55
UUNET Technologies, Inc. (NETBLK-UUNET97DU)
3060 Williams Drive, Suite 601
Fairfax, VA 22031
US
Netname: UUNET97DU
Netblock: 208.250.0.0 - 208.255.255.255
Maintainer: UUDA
Coordinator:
Uunet, AlterNet - Technical Support (OA12-ARIN) help@UUNET.UU.NET
+1 (800) 900-0241
Domain System inverse mapping provided by:
DIALDNS1.UU.NET 153.39.194.10
DIALDNS2.UU.NET 153.39.194.26
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 19-Nov-98.
Database last updated on 3-Dec-98 16:12:39 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.
Now send your complaints to that domain and hopefully they will
deal with the sender. Again, most ISPs are very good about
dealing with SPAM today.
---
Here are two very good sites about how to deal with and track SPAM:
----------------------------------------------------------------------
http://www.mcs.com/~jcr/junkemaildeal.html
http://www.netwizards.net/spam.html
www.deuce.com
webmaster@deuce.com