...
FWIW Joe's getting jobbed:
Return-Path: bouteille@kinki-kids.com
Received: from dbzmail.com ([61.85.57.209]) by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677 for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92]) by dbzmail.com (Postfix) with ESMTP id E5A841602F for <x>; Sun, 24 Jul 2005 00:39:14 -0500
From: "Ambulance U. Descant" bouteille@kinki-kids.com
To: Info <x>
Subject: Hi dear
Date: Sun, 24 Jul 2005 00:39:14 -0500
Message-ID: 100101c59012$879febec$06412c2e@kinki-kids.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-GMX-Antivirus: 0 (no virus found)
X-UIDL: K,H!!c%?"!Fde!!XT9"!
Hi

Try jwSpamSpy, our spam filter for POP3 mailboxes. We use it to track spammers and scammers. Free full featured 30 day evaluation version available!
...
kinki-kids.com is actually a quite legitimate Outblaze customer. Every forgery of it I have seen is for CP or at least "std." pornography. So maybe Joe can guess at who he pissed off. The sender's IP 61.85.57.209 seems to be a compromised Windows box on DSL at Kornet - dynamic address too. The IP is only listed at five-ten, SORBS, NOMOREFUNN, and NJABL; in other words, not really listed or listable (except as dynamic or for full Korean blockage). If it is still the same machine connected at that IP, the entrance was probably the wide open UPnP port or the IIS running. Backdoor installed on port 123 (ntp) UDP - machine is "0wn3d". Also, the routing takes an "interesting" side trip by way of Kornet -> TONEK (China) then back -> Kornet. Maybe a very good hack at the router level (AS4766 to AS17431 back to AS4766) - not many people capable of that.
I doubt many people running any BLs would list Joe.
Paul Shupak track@plectere.com
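As an added illustration of the header reading in Paul's post (this is not code from the post, from jwSpamSpy or from any of the blocklists named), the Python script below walks the quoted Received: chain: only the hop stamped by the recipient's own MTA (smtp1.supranet.net) can be trusted, so it reports that hop's IP as the real injecting host and flags where the client-supplied hop and the envelope sender disagree with it. The trust boundary (topmost hop = our MTA) and the one-hour clock-skew threshold are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers of the forged message quoted in the post (Received: chain is newest hop first).
RAW_HEADERS = """\
Return-Path: bouteille@kinki-kids.com
Received: from dbzmail.com ([61.85.57.209]) by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677 for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92]) by dbzmail.com (Postfix) with ESMTP id E5A841602F for <x>; Sun, 24 Jul 2005 00:39:14 -0500
From: "Ambulance U. Descant" bouteille@kinki-kids.com
Subject: Hi dear
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+(?:\(([^)]*)\)\s*)?by\s+(\S+).*?;\s*(.+)$")

def parse_received(value):
    """Split one Received: header into HELO name, the [ip] the MTA saw, receiving host and timestamp."""
    m = HOP_RE.search(" ".join(value.split()))
    if not m:
        return None
    helo, info, by, date = m.groups()
    ip = re.search(r"\[(\d+(?:\.\d+){3})\]", info or "")
    return {"from": helo, "ip": ip.group(1) if ip else None, "by": by,
            "time": parsedate_to_datetime(date.strip())}

def analyse(raw):
    """Return (IP that actually connected to our MTA, list of findings)."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Assumption: hops[0] was stamped by our own MTA; every hop below it was supplied by the client.
    trusted, claimed = hops[0], hops[1:]
    findings = []
    rp_domain = msg["Return-Path"].strip("<> ").rpartition("@")[2]
    if not trusted["from"].endswith(rp_domain):
        findings.append(f"envelope domain {rp_domain} was injected by {trusted['from']} [{trusted['ip']}]")
    for hop in claimed:
        if hop["by"] != trusted["from"]:
            findings.append(f"hop claims delivery by {hop['by']} but injecting host called itself {trusted['from']}")
        gap_h = (trusted["time"] - hop["time"]).total_seconds() / 3600
        if abs(gap_h) > 1:  # assumed skew threshold; forged hops often carry unrelated timestamps
            findings.append(f"{gap_h:.0f}h between the client-supplied hop and actual receipt")
    return trusted["ip"], findings

if __name__ == "__main__":
    ip, findings = analyse(RAW_HEADERS)
    print("injecting host:", ip)
    for f in findings:
        print(" -", f)
```

A mismatch between the envelope domain and the injecting host is normal for mail relayed through an ISP, so treat it as a lead to verify (here against Outblaze's real outbound hosts), not as proof by itself.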