Will you be ready Monday morning?
By SpamBurner • Sep 23rd, 2007 • Category: Finance SPAM
While browsing around I received an interesting email. What is so interesting about it?
First, its subject:
- Will you be ready Monday morning?
It was Sunday evening when I received the email. The sender aims to attract my attention with an interesting subject, make me open it and take some action. How can I know that it is SPAM?
Well, most of you would ignore this message. I have to admit that the spammer did nothing special to hold my attention on the message. The only interesting thing was the subject.
Here is the whole message:
Watch Out For Big News Monday
SCORE ONE INC (SREA . OB)
Price: $0.1
We expect it to rocket again after news hits. Jump the news, grab SREA
before it hits the wires on Monday.
Let's look at the email headers. For my purpose I don't need all the headers, only part of them:
Return-path: <selarson@utthouston.com>
Received: from [193.253.202.77] (helo=LAubervilliers-153-51-31-77.w193-253.abo.wanadoo.fr)
by my-web-server-is-here with smtp (Exim 4.63)
(envelope-from <selarson@utthouston.com>)
Received: from spe ([96.76.44.59])
by LAubervilliers-153-51-31-77.w193-253.abo.wanadoo.fr (8.13.2/8.13.2) with SMTP
From: <selarson@utthouston.com>
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Now let's dig deeper into the message headers:
- If we visit the site under the domain utthouston.com, from which the email pretends to come, we will see a "Red Hat Enterprise Linux Test Page"
- The IP on which this web site is located is 72.16.158.82
- If we look in the mail headers we will not see this IP.
- The e-mail is sent using Microsoft Outlook Express.
If we check the location of the utthouston.com IP we will see that it is located in the US, but the email comes from France (wanadoo.fr, according to the headers). The domain wanadoo.fr redirects to orange.fr, which makes me think it is an Internet provider in France.
What have we got so far? The originator of the email is not part of the organization he is pretending to send the email from, utthouston.com.
He is sending the email from his computer (probably at home) or while using WiFi in some cafe.
The IP 96.76.44.59 ( Received: from spe ([96.76.44.59]) ) is probably an internal address.
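The header checks described above, as an added example written for this post (it is not the author's code): it parses the quoted headers with Python's standard email module, lists the Received hops in order with their bracketed IPs, reports whether each IP is an RFC 1918 private address, and flags a HELO name whose domain differs from the From: domain. The message text is the post's own headers with a constructed placeholder body; the "last two labels" domain extraction is a simplification assumed for this illustration, and the whois step is left to an external tool.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Sample input: the header lines quoted in the post, re-folded as RFC 5322
# continuation lines so that the email parser treats them as one field.
# The body is a constructed placeholder.
SAMPLE_MESSAGE = (
    "Return-path: <selarson@utthouston.com>\n"
    "Received: from [193.253.202.77] (helo=LAubervilliers-153-51-31-77.w193-253.abo.wanadoo.fr)\n"
    "\tby my-web-server-is-here with smtp (Exim 4.63)\n"
    "\t(envelope-from <selarson@utthouston.com>)\n"
    "Received: from spe ([96.76.44.59])\n"
    "\tby LAubervilliers-153-51-31-77.w193-253.abo.wanadoo.fr (8.13.2/8.13.2) with SMTP\n"
    "From: <selarson@utthouston.com>\n"
    "X-Mailer: Microsoft Outlook Express 5.50.4522.1200\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200\n"
    "\n"
    "(body omitted)\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Extract the bracketed IP, the HELO name (if recorded) and the 'by' host
    from one Received: header value. Missing pieces are None."""
    ip = IP_RE.search(value)
    helo = HELO_RE.search(value)
    by = BY_RE.search(value)
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": by.group(1) if by else None,
    }


def received_chain(raw_message):
    """Return the Received: hops in header order (first = the hop nearest to us)."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def claimed_domain(raw_message):
    """Domain of the From: address, i.e. the organisation the mail claims to come from."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def registrable_domain(hostname):
    """Crude 'last two labels' extraction (assumed simplification); enough for
    names like ...abo.wanadoo.fr -> wanadoo.fr."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def review(raw_message):
    """Apply the post's header checks and return human-readable findings."""
    findings = []
    domain = claimed_domain(raw_message)
    for n, hop in enumerate(received_chain(raw_message), 1):
        if hop["ip"]:
            private = ipaddress.ip_address(hop["ip"]).is_private
            kind = "private (RFC 1918)" if private else "public"
            findings.append(f"hop {n}: {hop['ip']} is a {kind} address")
        if hop["helo"] and registrable_domain(hop["helo"]) != domain:
            findings.append(
                f"hop {n}: HELO name {hop['helo']} belongs to "
                f"{registrable_domain(hop['helo'])}, not to the claimed "
                f"sender domain {domain}"
            )
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_MESSAGE):
        print(line)
```

Run against the sample, the review lists two public hop addresses and one mismatch: the first hop identifies itself with a wanadoo.fr hostname while the From: address claims utthouston.com, which is exactly the discrepancy the post uses to call the mail spam.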
If we check the whois for IP 193.253.202.77 (the first Received header) we get:
inetnum: 193.253.202.0 - 193.253.202.255
netname: IP2000-ADSL-BAS
descr: LNAUB153 Aubervilliers Bloc 1
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: Whois Privacy and Spam Prevention by DomainTools.com AND Whois Privacy and Spam Prevention by DomainTools.com
mnt-by: FT-BRX
source: RIPE # Filtered
role: Wanadoo France Technical Role
address: FRANCE TELECOM/SCR
address: 48 rue Camille Desmoulins
address: 92791 ISSY LES MOULINEAUX CEDEX 9
address: FR
This part is not so important, except that we can be sure the spammer used a local internet provider to send the message.
We do not need to go so deep to find out that this e-mail is spam. We check that there is no active web site under the domain utthouston.com and that the email was sent from a local internet provider in France (wanadoo.fr).
At this point we can simply delete the message, or mark it as SPAM so our spam filter will know in the future to put similar messages directly into the junk folder.
Hope you enjoy!