An e-mail to OJAS. Hello, how are you? I'm JJ from Spain. How goes the anti-scam crusade? I know you are an expert in headers, so I post this one from a scammer 'lady' I am writing with now. If you would be so kind as to explain to me what it means: I never got one like this, with that AntiAbuse.
One IP is from Houston, Texas, another from Yoshkar-Ola as usual, and the other from Marina del Rey, CA, but the e-mail is not Google or Yahoo. And then the times: between Spain and California you go 7 hrs. in advance, and with Yoshkar-Ola we go 2 hrs. in advance.
Received: from s52.avahost.net ([126.96.36.199])
Sun, 19 Jul 2009 03:04:28 +0200
Received: from [188.8.131.52] (helo=[10.81.0.138])
by s52.avahost.net with esmtpa (Exim 4.69)
Sat, 18 Jul 2009 11:43:31 -0500
Date: Sat, 18 Jul 2009 20:37:47 +0400
X-Mailer: The Bat! (v184.108.40.206) Professional
X-Priority: 3 (Normal)
Subject: Re: Fw: Hello dear Elena
Content-Type: text/plain; charset=us-ascii
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - s52.avahost.net
X-AntiAbuse: Original Domain
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - lvmail.ru
X-OriginalArrivalTime: 19 Jul 2009 01:04:29.0281 (UTC) FILETIME=[DE20ED10:01CA080C].
Thanks for your help, JJ
Dirk from Heerlen, Netherlands
IP address: 220.127.116.11
Reverse DNS: s52.avahost.net.
Reverse DNS authenticity: [Verified]
ASN Name: THEPLANET-AS
IP range connectivity: 0
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 18.104.22.168 to 22.214.171.124
Country fraud profile: Normal
City (per outside source): Dallas, Texas
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
All right, Dirk, thank you, but I already know where all those IPs are coming from; I already checked 'dnsstuff'. My question is whether it would be possible to explain what all those X-AntiAbuse: lines mean, as it is the first time I've seen them in a header. Thank you and bye, JJ.
@ JJ from Spain
If I may help, even though I know you have asked OJAS, he gets very busy, as do we all!
I've been doing this for more than 1 year, and helping out here for nearly the same time.
I've just seen your main question, 'X-AntiAbuse: means??' The email is being tracked. As you can see, it's known to be a mail server and dictionary attacker.
I can see your confusion regarding the originating IP 126.96.36.199 (United States).
Many spam emails are re-routed through many servers to disguise their origin. This is what I believe has happened here. The original IP is most probably 188.8.131.52, Russian Federation (Yoshkar-Ola).
WHOIS - 184.108.40.206
Location: Russian Federation (high) [City: Yoshkar-Ola, Mariy-El]
Information related to '220.127.116.11 - 18.104.22.168'
inetnum: 22.214.171.124 - 126.96.36.199
descr: ZAO 'Company 'ER-Telecom' Yoshkar-Ola
descr: Enterprise customers (PPPoE)
IP 188.8.131.52 [Spam Server] [Dictionary Attacker]
The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker.
Very definitely the originating IP. Each scammer in Russia sends up to 300 emails each day using the The Bat! (v184.108.40.206) Professional email program, ensuring the IP is identified as a mail server through 'The Project Honey Pot'.
Emails have been re-routed through IP 220.127.116.11
WHOIS - 18.104.22.168
Location: United States [City: Monroe, New York]
OrgName: General Electric Company
Address: Internet Registrations
Address: 3135 Easton Turnpike
The Houston, Texas IP is the server before it got to you (I suppose you already know that) and has no significance in your search.
One of the main things in the header is the X-Mailer: The Bat! (v22.214.171.124) Professional.
That leads me to believe you have a scammer in tow.
Dirk from Heerlen, Netherlands
Sorry, I seem to have misunderstood your question.
About adding the X-AntiAbuse message in the headers:
These days all mail servers add these headers. They help to determine who/where/when the mail originated, so that one can be tracked when the server is mis-used/abused.
Usually there is an email address added to this message. You can report the abuse (spam mail) there.
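The two replies above describe the method: each relay prepends its own Received: line, so the bottom one is the connection closest to the sender, and the X-AntiAbuse lines record which account on the shared host handed the mail to the server. The script below is an added example, not code from the thread or from any tool it names. It reassembles the header excerpt JJ quoted (the timestamp joined to each Received: line after the RFC 5322 semicolon; the first Received: kept as truncated on the page, without a 'by' clause) and walks it with Python's standard email module: the hops in transit order with their stamps normalised to UTC, the X-AntiAbuse lines as a name-to-value mapping, and a comparison of the sender's Date: clock with each relay's receipt time. Hostnames, addresses and values are exactly those shown in the thread; the clock-gap check and the keys of the returned dicts are my own.

```python
import re
from datetime import timezone
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed input: the header excerpt quoted in the thread, reassembled so each
# Received: line carries its timestamp after the RFC 5322 ';' separator. Values
# are copied as the thread shows them; the first Received: has no 'by' clause
# because the page shows none.
RAW_HEADERS = """\
Received: from s52.avahost.net ([126.96.36.199]); Sun, 19 Jul 2009 03:04:28 +0200
Received: from [188.8.131.52] (helo=[10.81.0.138]) by s52.avahost.net with esmtpa (Exim 4.69); Sat, 18 Jul 2009 11:43:31 -0500
Date: Sat, 18 Jul 2009 20:37:47 +0400
X-Mailer: The Bat! (v184.108.40.206) Professional
X-Priority: 3 (Normal)
Subject: Re: Fw: Hello dear Elena
Content-Type: text/plain; charset=us-ascii
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - s52.avahost.net
X-AntiAbuse: Original Domain
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - lvmail.ru
X-OriginalArrivalTime: 19 Jul 2009 01:04:29.0281 (UTC) FILETIME=[DE20ED10:01CA080C]

"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_received(value):
    """Split one Received: value into the fields a header investigation needs.

    The stamp is normalised to UTC so hops in different zones compare directly;
    the relay's own UTC offset is kept for the clock check.
    """
    value = " ".join(value.split())              # unfold continuation lines
    head, _, date_part = value.rpartition(";")   # RFC 5322: the date follows the last ';'
    m_from = re.search(r"\bfrom\s+(\S+)", head)
    m_by = re.search(r"\bby\s+(\S+)", head)
    m_helo = re.search(r"helo=\[?([^\]\s)]+)", head)
    ips = re.findall(IPV4, head)
    stamp = parsedate_to_datetime(date_part.strip()) if date_part.strip() else None
    return {
        "from_host": m_from.group(1).strip("[]") if m_from else None,
        "from_ip": ips[0] if ips else None,          # peer address as seen by the receiving MTA
        "helo": m_helo.group(1) if m_helo else None,   # name the peer claimed; often private or bogus
        "by": m_by.group(1) if m_by else None,
        "utc": stamp.astimezone(timezone.utc) if stamp else None,
        "offset_hours": stamp.utcoffset().total_seconds() / 3600 if stamp else None,
    }


def hop_chain(raw_headers):
    """Received: hops in transit order, origin first.

    Each MTA prepends its line, so the block reads newest-first; reversing it
    recovers the path. Only lines added by relays you trust are reliable:
    anything below the first trusted relay could have been written by the sender.
    """
    msg = HeaderParser().parsestr(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_hop(raw_headers):
    """The earliest hop: the connection the first relay accepted from the sender."""
    return hop_chain(raw_headers)[0]


def anti_abuse_fields(raw_headers):
    """Collect X-AntiAbuse: lines into a name -> value mapping.

    On a shared host these record which account submitted the mail (UID/GID,
    sender domain), which is what the provider needs for an abuse report. The
    explanatory first line is kept as 'note'; a name with no ' - value' part
    (as 'Original Domain' here) maps to an empty string.
    """
    fields = {}
    for line in HeaderParser().parsestr(raw_headers).get_all("X-AntiAbuse", []):
        line = " ".join(line.split())
        name, sep, value = line.partition(" - ")
        if not sep and line.lower().startswith("this header was added"):
            fields["note"] = line
        else:
            fields[name.strip()] = value.strip()
    return fields


def clock_check(raw_headers):
    """Compare the sender's Date: clock with each relay's receipt time.

    gap_seconds lists, per hop in transit order, how long after the Date: stamp
    that relay logged the message. A small positive gap at the first hop means
    the sending machine's clock agrees with the relay; a negative or implausibly
    large gap points at a forged Date: or Received: line.
    """
    sent = parsedate_to_datetime(HeaderParser().parsestr(raw_headers)["Date"])
    sent_utc = sent.astimezone(timezone.utc)
    return {
        "sender_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "sent_utc": sent_utc.isoformat(),
        "gap_seconds": [int((h["utc"] - sent_utc).total_seconds()) for h in hop_chain(raw_headers)],
    }


if __name__ == "__main__":
    for i, hop in enumerate(hop_chain(RAW_HEADERS), 1):
        print(f"hop {i}: {hop['from_ip']} ({hop['from_host']}, helo={hop['helo']}) -> {hop['by']} "
              f"at {hop['utc']:%Y-%m-%d %H:%M:%S} UTC, relay clock UTC{hop['offset_hours']:+.0f}")
    print("X-AntiAbuse:", anti_abuse_fields(RAW_HEADERS))
    print("clock check:", clock_check(RAW_HEADERS))
```

Run on the thread's headers, the origin hop is the 188.8.131.52 connection accepted by s52.avahost.net, whose clock runs at UTC-5 (Texas), while the final relay stamps at UTC+2 (Spain). The sender's Date: is +0400, consistent with Moscow summer time in 2009, and it sits only 344 seconds before the first relay's receipt, so the sending clock and the first hop agree; the 8.4-hour gap to the last hop is the delivery delay that X-OriginalArrivalTime also records.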
OJAS from United States
I was late to see this thread. Dirk & Steve have covered your question. I thought you were asking how scammers keep track of their 'job' and answered you in the Osinniki thread. It is one of the most active threads, and you can reach most Delphians on that or other most active threads from the top left of this page.
anonymous from Russian Federation
www.elenasmodels.com elenasmodelscom elenasmodels site scammer All scammer website..
anonymous from United States
www.russian-women.net russian-women.net russian women net scammer All scammer website..
russian-women.net scammers all scammers