[Dshield] Spam Problem

Brad Spencer brad.madison at mail.tds.net
Mon Jan 12 15:41:52 GMT 2004


At 06:03 PM 1/11/2004 -0500, you wrote:

>I have been searching through with hopes of locating someone who has partook
>of spoofing my email with disturbing messages.  I am not exactly computer
>savvy, however, I have found whomever is responsible to have the IP address of
>172.20.83.104. Did you ever locate who was responsible for your troubles
>in May of last year and if so, how did you do it?


I think you'll find that the IP you list is a special one that the spammer 
has faked.  You may need to look more closely at the header.

I think you're asking _me_ about the spammer in May.  I traced the spammer 
somewhat.  I had three types of information: the source IP for the relay 
test, the dropbox address for the relay test, and the advertised domains in 
the spam sent (I forced delivery of one of the tests - normally I was 
simply accepting the tests and stopping there - no delivery.  When the 
spammer receives a test message back he typically concludes he's found 
another open relay.)  For each of these I could check the registration.  I 
don't think I ever got to where I had a single name - I did, as best I 
recall, find that the spam looked very much like it was one of the Florida 
spam gangs that had sent it (based on the IPs of the web pages in the spam.)

For one set of relay tests I was able to find the spammer's name.  The 
dropbox was mets17 at erols.com.  Google for "mets17 erols" leads to the name 
"Dave Patton," and "Dave Patton" is a ROKSO-listed spammer. 
(http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK1844)

The earlier tests for mets17 at erols.com were from the Washington, DC 
area.  Later ones were from the Los Angeles, California area.  Either he 
moved or he moved the source of his tests.
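The reply's first point is that 172.20.83.104 is an address the spammer could not actually have sent from: it sits in the 172.16.0.0/12 block reserved for private networks, so it is either forged or an internal hop, and the real source has to be read from the rest of the Received: chain. The following script is an added example, not code from the list or from Brad Spencer, that walks the Received: headers of a constructed message from the bottom (earliest hop) up and reports the first address that is routable on the public Internet. The sample hosts and timestamps are made up; the two "public" addresses use documentation ranges as stand-ins, which is why the routability check is an explicit list of non-routable blocks rather than a library "is global" test.

```python
"""Find the earliest publicly routable hop in a message's Received: headers.

Private, loopback and link-local addresses cannot be reached across the
Internet, so a Received: line claiming such an origin identifies a forged
or internal hop, not the real sender.  Only the Received: lines added by
servers you trust (your own MX and the hops above it) are reliable; a
spammer can insert any number of fake lines below them.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample message (hypothetical hosts, not from the mailing list).
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used here as
# stand-ins for public addresses; 172.20.83.104 is the private address the
# original poster asked about.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123;
\tMon, 12 Jan 2004 10:01:02 -0500
Received: from relay.example.net (relay.example.net [203.0.113.25])
\tby mx.example.net with SMTP;
\tMon, 12 Jan 2004 10:00:50 -0500
Received: from pc (pc [172.20.83.104])
\tby relay.example.net with SMTP;
\tMon, 12 Jan 2004 09:59:00 -0500
From: someone@example.com
Subject: test

body
"""

# Bracketed dotted-quad as written by most MTAs: "host (host [1.2.3.4])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Blocks that never appear as a genuine Internet source address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this net"
)]


def received_ips(raw):
    """Return the IPs named in Received: headers, topmost (newest hop) first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):   # folded continuation lines are joined
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def is_routable(ip):
    """True unless the address falls in a private/reserved block."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def originating_ip(raw):
    """Earliest Received: hop with a routable address, or None if all are bogus."""
    for ip in reversed(received_ips(raw)):    # walk from the oldest hop upward
        if is_routable(ip):
            return ip
    return None


if __name__ == "__main__":
    for ip in received_ips(SAMPLE):
        print(f"{ip:16} {'routable' if is_routable(ip) else 'NOT routable (private/reserved)'}")
    print("earliest routable hop:", originating_ip(SAMPLE))
```

On the sample the bottom hop 172.20.83.104 is flagged as non-routable and the script reports 203.0.113.25 as the earliest usable source, which is the address whose registration (and the registrations of the dropbox and advertised domains, as the reply describes) is worth looking up.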
