balug-sssh_I_am_twacking_spammers

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 16:22:19 -0700

Quoting Robert Gilman (rbob@dnai.com):

> Just recently I received a piece of spam showing my own email address
> as sender. 

Welcome to the Internet.  ;->

Those of us who hunt down spammers know that _every_ header in a
spam-o-gram can be and usually is forged, with the exception of at least
some contents of some of the Received headers.

Spammers do everything possible to shift both costs and consequences
onto other people -- but mostly using automated, dumbed-down Win32 spam
generation programs and lists of names they've bought from somewhat more
competent but equally scummy people.  Thus, Caveman Og's rules:

1.  Spammers lie.
2.  Spammers are stupid.

Some choice quotations from Chairman Og:
http://linuxmafia.com/pub/humour/caveman-og

> I contacted my ISP and had them reset my password.

That put you and the ISP through some trouble for no benefit, I'm sorry
to say.


===

From: Joseph Zitt <jzitt@metatronpress.com>
To: "Brian Sroufek" <brian_sroufek@msdesigninc.com>
Cc: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 18:22:49 -0700

On Fri, 16 Aug 2002 20:17:42 -0400
"Brian Sroufek" <brian_sroufek@msdesigninc.com> wrote:

> Since most of my spam comes from a limited (?)
> set of ISPs, typically some non-US ISPs willing,
> perhaps, to host anything for $$, a good spam
> filter would black list the ISP, and
> 
> ==>
> return
> an email indicating to the poor opportunist that
> their ISP has been black listed.
> <==
> 
> Wonder how fast the proliferation of that technique
> would quell the traffickers?

How fast is a dead snail? 

Most of what it would do is block you from getting mail from innocent
people whose addresses were forged into the email, including
(especially?) friends whose addresses happened to reside with yours in
some poor fool's Outlook address book, and who might be confused and
insulted by receiving email from you accusing them of wrongdoing.


===

To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 18:35:09 -0700

Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):

> Since most of my spam comes from a limited (?)
> set of ISPs, typically some non-US ISPs willing,
> perhaps, to host anything for $$, a good spam
> filter would black list the ISP, and
> 
> ==>
> return
> an email indicating to the poor opportunist that
> their ISP has been black listed.
> <==

Out of curiosity, how are you identifying originating ISPs?  
A lot of people seem to try to do this by taking some of the spam
headers at face value.  In my experience, nailing down the originating
host sometimes takes some detective work.

===

From: "Brian Sroufek" <brian_sroufek@msdesigninc.com>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:11:42 -0400


> Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):
> 
> > Since most of my spam comes from a limited (?)
> > set of ISPs, typically some non-US ISPs willing,
> > perhaps, to host anything for $$, a good spam
> > filter would black list the ISP, and
> > 
> > ==>
> > return
> > an email indicating to the poor opportunist that
> > their ISP has been black listed.
> > <==
> 
> Out of curiosity, how are you identifying originating ISPs?  
> A lot of people seem to try to do this by taking some of the spam
> headers at face value.  In my experience, nailing down the originating
> host sometimes takes some detective work.

From having wasted a lot of time chasing down
and reporting spammers to major free-email ISPs:
they got tired of me and gave me instructions on
how to identify the first received: header
(lowest in view).

This header cannot be forged, I'm to understand and,
sure enough, go chase it down (arin.net - least likely,
usually european, asian, ...) and you find joe blow
ISP on some small island - sometimes, this is not
exaggeration.

So, having recently written an N-tier servlet with
header analysis stuff, I can easily see an automation
method that suggests...the ISP for an "Add" to the 
"black-list" mentioned earlier.

Only trouble is that most of those foreign ones that
do this conveniently have no "abuse","spam","postmaster"
type of addresses: so, the offending ISP isn't always
notifiable (easily).



===

From: "Brian Sroufek" <brian_sroufek@msdesigninc.com>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:25:08 -0400

How about a pre-recorded message
sent via (free?) internet telephone
to the phone number snatched from the
Registry for the offending ISP?

Too big brot-hery, even Sea Eye A scarey,
but as long as the ISPs are hand-added,
and they have no way of hi-tting your
residence with an over-the-sea mis-sile....

Anyway, as long as the spam stops, they don't
*have* to know.


===

To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 21:33:12 -0700

Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):

> From having wasted a lot of time chasing down and reporting spammers
> to major free-email ISPs: they got tired of me and gave me
> instructions on how to identify the first received: header (lowest in
> view).
> 
> This header cannot be forged, I'm to understand and, sure enough, go
> chase it down (arin.net - least likely, usually european, asian, ...)
> and you find joe blow ISP on some small island - sometimes, this is
> not exaggeration.

If you are merely electing to believe the bottom-most Received header
("lowest in view"), and are believing any information whatsoever in any
such header other than that generated by SMTP servers you have reason to
trust, then you're setting yourself up to be fooled.

Alas, I've seen many, many people go bother innocent parties because
they relied on bogus header data.  And misdirected complaints from the
inexperienced are among the major reasons why "postmaster" and "abuse"
mailboxes have been overwhelmed and rendered effectively unusable.

Having been given "instructions" by an ISP is just not sufficient
preparation, I'm afraid.  I seriously recommend studying how SMTP works
and how header forgery works.  There's good information on-line.


===

To: balug-talk@balug.org
From: Robert Gilman <rbob@dnai.com>
Subject: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:15:39 -0700

The following is the message header from my spam:

X-Authentication-Warning: moe.sfrn.dnai.com: 62-37-182-26.dialup.uni2.es
[62.37.182.26] didn't use HELO protocol
From: rbob@dnai.com
Subject: You're Paying Too Much
X-Sender: rbob@dnai.com
To: rbob@dnai.com
Reply-To: rbob@dnai.com
Importance: Normal
MIME-Version: 1.0
X-Encoding: MIME
Date: Wed, 14 Aug 2002 17:40:57 -0500
Status:  U

The gist of what I'm picking up is that I should not worry too much and
pick up some mail filtering software.

Thx for the replies.



===

From: Nick Moffitt <nick@zork.net>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:07:32 -0700

begin  Brian Sroufek  quotation:
> they got tired of me and gave me instructions on how to identify the
> first received: header (lowest in view).
> 
> This header cannot be forged, I'm to understand and,

	Your understanding needs a real good fixin'.



===

From: Nick Moffitt <nick@zork.net>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:08:50 -0700

begin  Robert Gilman  quotation:
> The following is the message header from my spam:
> 
> X-Authentication-Warning: moe.sfrn.dnai.com: 62-37-182-26.dialup.uni2.es
> [62.37.182.26] didn't use HELO protocol
> From: rbob@dnai.com
> Subject: You're Paying Too Much
> X-Sender: rbob@dnai.com
> To: rbob@dnai.com
> Reply-To: rbob@dnai.com
> Importance: Normal
> MIME-Version: 1.0
> X-Encoding: MIME
> Date: Wed, 14 Aug 2002 17:40:57 -0500
> Status:  U

	Woefully incomplete, at best.  Lots more bogus information
will likely be available for your perusal and entertainment if you
bring up FULL headers for that message.


===

To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 22:20:07 -0700

Quoting Robert Gilman (rbob@dnai.com):

> The following is the message header from my spam:
                      ^ highly incomplete

news.admin.net-abuse.email is probably where you want to be.

===

Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Rick Moen <rick@linuxmafia.com>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 22:37:04 -0700

Rick and Brian,

There is one line in an email header that you can (reasonably) trust -
the first Received: header.  The reason for this is because it is YOUR
email MTA that creates this header.  

If I used Rick's email as an example:

Return-Path: <balug-talk-admin@balug.org>
Received: from colo1.sifry.com (root@colo1.sifry.com [198.186.203.94])
by inferno.sifry.com (8.12.2/8.12.2/Debian -5) with ESMTP id
g7H4YlcC021274 for <david@sifry.com>; Fri, 16 Aug 2002 21:35:07 -0700
Received: from colo1.sifry.com (mailman@colo1 [127.0.0.1]) by
colo1.sifry.com (8.12.3/8.12.3/Debian -4) with ESMTP id g7H4XAaG025230;
Fri, 16 Aug 2002 21:33:10 -0700
Received: from linuxmafia.com (linuxmafia.COM [198.144.195.186]) by
colo1.sifry.com (8.12.3/8.12.3/Debian -4) with ESMTP id g7H4WmaG025208
for <balug-talk@balug.org>; Fri, 16 Aug 2002 21:32:48 -0700
Received: from rick by linuxmafia.com with local (Exim 3.35 #1 (Debian))
id 17fvGy-0005vB-00 for <balug-talk@balug.org>; Fri, 16 Aug 2002
21:33:12 -0700
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Message-ID: <20020817043312.GQ9654@linuxmafia.com>
References: <E17ft42-0003Xj-00@hydrogen.liquidweb.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E17ft42-0003Xj-00@hydrogen.liquidweb.com>
User-Agent: Mutt/1.4i
From: Rick Moen <rick@linuxmafia.com>
Date: 16 Aug 2002 21:33:12 -0700

The first Received line is something I can trust, because I am
reasonably sure that my mail server (inferno.sifry.com) hasn't been
hacked:

Received: from colo1.sifry.com (root@colo1.sifry.com [198.186.203.94])
by inferno.sifry.com (8.12.2/8.12.2/Debian -5) with ESMTP id
g7H4YlcC021274 for <david@sifry.com>; Fri, 16 Aug 2002 21:35:07 -0700

This tells me that the MTA that connected to my mail server was located
at 198.186.203.94 and that it called itself colo1.sifry.com.

When you check most spam email, its headers look something like this:

Return-Path: <errors@buyingfrenzy.com>
Received: from localhost.localdomain (mail2.nexplore.com
[157.238.138.36] (may be forged)) by inferno.sifry.com
(8.12.2/8.12.2/Debian -5) with ESMTP id g772PEcC024271 for
<david@sifry.com>; Tue, 6 Aug 2002 19:25:15 -0700
To: david@sifry.com
X-FP: 64617669644073696672792e636f6d
Received: from 127.0.0.1 ([127.0.0.1]) by nexdeals.com (8.11.2/8.11.2)
with SMTP id 2345911028685998 for to; Tue Aug 6 22:02:33 2002
Date: 06 Aug 2002 22:02:33 +0000
Message-Id: <2002822233.2345911028685998@mail2.nexdeals.com>
X-Form: 1649
From: FREE Quote! <GreatDeals@nexdeals.com>
Reply-To: nexdeals <errors@nexdeals.com>
Subject: *****SPAM***** You Need Auto Insurance, Not a Big Bill!
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Note the first (and in this case, only) Received: header.  It tells me:

Received: from localhost.localdomain (mail2.nexplore.com
[157.238.138.36] (may be forged)) by inferno.sifry.com
(8.12.2/8.12.2/Debian -5) with ESMTP id g772PEcC024271 for
<david@sifry.com>; Tue, 6 Aug 2002 19:25:15 -0700

Someone from 157.238.138.36, which called itself
"localhost.localdomain", but whose reverse DNS lookup shows
"mail2.nexplore.com" connected to my mail server and delivered the spam.

All that means is that I can trust the last hop; it might be that that
machine is a cracked or trojaned mail server of a perfectly legitimate
ISP or company, or it could be a dynamic dialup account, but at least I
can then go to ARIN with the IP address block and find out who the
upstream ISP is.  I can also do a traceroute on the IP address to get
some good info, here's an excerpt:

$ traceroute 157.238.138.36

....

11  so-7-0-0.gar2.SanJose1.Level3.net (64.159.1.78)  16.499 ms  14.918
ms  16.606 ms
12  so-7-0-0.edge1.SanJose1.level3.net (209.244.3.142)  18.630 ms 
19.717 ms  18.126 ms
13  unknown.ix.singtel.com (209.245.146.154)  18.732 ms  19.554 ms 
18.327 ms
14  p16-0-1-0.r20.snjsca04.us.bb.verio.net (129.250.3.86)  21.520 ms 
19.067 ms  18.711 ms
15  p16-3-0-0.r00.mlpsca01.us.bb.verio.net (129.250.5.8)  23.594 ms 
19.263 ms  22.193 ms
16  p16-5-0-0.r00.nwrknj01.us.bb.verio.net (129.250.5.113)  88.631 ms 
92.251 ms  96.791 ms
17  p1-1-0-0.r01.rochny01.us.bb.verio.net (129.250.2.148)  100.158 ms 
99.188 ms  99.093 ms
18  ge-1-2.a00.rochny01.us.da.verio.net (129.250.29.217)  98.052 ms 
99.486 ms  99.202 ms
19  157.238.140.34 (157.238.140.34)  99.576 ms  105.270 ms  100.056 ms
20  mail2.nexplore.com (157.238.138.36)  100.796 ms  98.150 ms *

So this tells me that I can feel comfortable sending abuse emails to
nexplore.com and to its upstream provider, verio.net.  In fact, I have a
pretty good idea which jurisdiction the spammer is in - Rochester, NY. 
See line 18 for where I get that hint.

Of course, I could have just gone to http://www.nexplore.com/ and found
out that they are:

an online media placement company founded in 2000. We deliver marketing
solutions by working closely with publishers, agencies, and fresh opt-in
list owners. We identify and plan media for all industry segments.
Nexplore will find the right medium for your next banner, email, or lead
generation campaign.

Yikes!  Professional spammers!

A check of their whois record shows:

Registrant:
Nexplore Ltd. (NEXPLORE5-DOM)
   null
   null
   null

   Domain Name: NEXPLORE.COM

   Administrative Contact:
      Nexplore, Ltd  (PYVCYSDRLI)               support@NEXPLORE.COM
      Nexplore, Ltd.
      29B Commodore Street
      Albany, NY  12205
      US
      518-446-1153 518-446-1105
   Technical Contact:
      VeriSign, Inc.  (HOST-ORG)                namehost@WORLDNIC.NET
      VeriSign, Inc.
      21355 Ridgetop Circle
      Dulles, VA 20166
      US
      1-888-642-9675 fax: - namehost@worldnic.net

Ah ha!  So they are located in Albany, NY, not far from Rochester.  At
this point, I could contact them via their phone number, or I could call
the NY State Attorney General's office, have a lawyer send a
cease-and-desist, instigate civil procedures against them, etc.

Enjoy spam hunting.  I installed SpamAssassin and 99% of my spam has
been tagged; it makes email a much more pleasant experience nowadays.

Dave

On Fri, 2002-08-16 at 21:33, Rick Moen wrote:
> Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):
> 
> > From having wasted a lot of time chasing down and reporting spammers
> > to major free-email ISPs: they got tired of me and gave me
> > instructions on how to identify the first received: header (lowest in
> > view).
> > 
> > This header cannot be forged, I'm to understand and, sure enough, go
> > chase it down (arin.net - least likely, usually european, asian, ...)
> > and you find joe blow ISP on some small island - sometimes, this is
> > not exaggeration.
> 
> If you are merely electing to believe the bottom-most Received header
> ("lowest in view"), and are believing any information whatsoever in any
> such header other than that generated by SMTP servers you have reason to
> trust, then you're setting yourself up to be fooled.
> 
> Alas, I've seen many, many people go bother innocent parties because
> they relied on bogus header data.  And misdirected complaints from the
> inexperienced are among the major reasons why "postmaster" and "abuse"
> mailboxes have been overwhelmed and rendered effectively unusable.
> 
> Having been given "instructions" by an ISP is just not sufficient
> preparation, I'm afraid.  I seriously recommend studying how SMTP works
> and how header forgery works.  There's good information on-line.
> 


===

To: "David L. Sifry" <david@sifry.com>
From: Deirdre Saoirse Moen <deirdre@deirdre.net>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Cc: Balug <balug-talk@balug.org>
Date: Fri, 16 Aug 2002 22:46:50 -0700

At 10:37 PM -0700 8/16/02, David L. Sifry wrote:
>Rick and Brian,
>
>There is one line in an email header that you can (reasonably) trust -
>the first Received: header.  The reason for this is because it is YOUR
>email MTA that creates this header.

Wrong. You can forge that too! You just simply add a line and pretend 
it's not your MUA.

http://www.rahul.net/falk/mailtrack.html

You're using unforged mail to explain how forgeries work. Not smart.

This reminds me of a usenet discussion I had about forgeries in 1995. 
Same kind of problem.


===

From: Rick Moen <rick@linuxmafia.com>
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:49:22 -0700

Quoting David L. Sifry (david@sifry.com):

> There is one line in an email header that you can (reasonably) trust -
> the first Received: header.

Dave, sorry, no.

All the spammer has to do is inject mail that already has forged
Received headers in it.

Again:  news.admin.net-abuse.email 

===

Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Deirdre Saoirse Moen <deirdre@deirdre.net>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 22:55:34 -0700

Um, I'm sorry Dierdre, but either you misread my email or you didn't
read the URL you referenced:

To wit:

>From <http://www.rahul.net/falk/mailtrack.html>:

Received:
    These are the most reliable lines in the header. They form a list of
all sites through which the message traveled in order to reach you. They
are completely unforgeable after the point where it was injected. Up to
that point, they may be forgeries.

I trust my last-hop MTA, and unless it has been hacked, the first
Received header is reliable.

If I'm wrong and you know of a way to forge that header outside of
something exotic like IP spoofing, please correct me.

Dave

On Fri, 2002-08-16 at 22:46, Deirdre Saoirse Moen wrote:
> At 10:37 PM -0700 8/16/02, David L. Sifry wrote:
> >Rick and Brian,
> >
> >There is one line in an email header that you can (reasonably) trust -
> >the first Received: header.  The reason for this is because it is YOUR
> >email MTA that creates this header.
> 
> Wrong. You can forge that too! You just simply add a line and pretend 
> it's not your MUA.
> 
> http://www.rahul.net/falk/mailtrack.html
> 
> You're using unforged mail to explain how forgeries work. Not smart.
> 
> This reminds me of a usenet discussion I had about forgeries in 1995. 
> Same kind of problem.


===

To: Balug <balug-talk@balug.org>
From: Bill Moseley <moseley@hank.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:55:44 -0700

At 10:49 PM 08/16/02 -0700, Rick Moen wrote:
>Quoting David L. Sifry (david@sifry.com):
>
>> There is one line in an email header that you can (reasonably) trust -
>> the first Received: header.
>
>Dave, sorry, no.
>
>All the spammer has to do is inject mail that already has forged
>Received headers in it.

Dave was talking about the top header, inserted locally upon receipt from a
remote machine.  How is that forged if delivered to your system via SMTP?



===

Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Rick Moen <rick@linuxmafia.com>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 22:57:25 -0700


On Fri, 2002-08-16 at 22:49, Rick Moen wrote:
> Quoting David L. Sifry (david@sifry.com):
> 
> > There is one line in an email header that you can (reasonably) trust -
> > the first Received: header.
> 
> Dave, sorry, no.
> 
> All the spammer has to do is inject mail that already has forged
> Received headers in it.
> 
> Again:  news.admin.net-abuse.email 

Yes, but those forged headers appear BELOW the first Received: header. 
I can still trust the first Received: header, even if I can't trust all
the ones after it.

In most cases, it points me straight to the spammer, if others, it
points me to an open relay or a trojaned box that is acting as a relay.

===

From: Rick Moen <rick@linuxmafia.com>
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 23:05:44 -0700

Quoting David L. Sifry (david@sifry.com):

> Yes, but those forged headers appear BELOW the first Received: header. 
> I can still trust the first Received: header, even if I can't trust all
> the ones after it.

The bottom-most Received header _is_ the one that purports to be first.

What you seem to be aiming at is the key problem of determining where
the spam injection point was.  _If_ you can do that, then you know where
it came from.  The problem is that many people assume they know what
information is forged, when they really have no idea.



===

To: "David L. Sifry" <david@sifry.com>
From: Deirdre Saoirse Moen <deirdre@deirdre.net>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Cc: Balug <balug-talk@balug.org>
Date: Fri, 16 Aug 2002 23:09:36 -0700

At 10:55 PM -0700 8/16/02, David L. Sifry wrote:
>Um, I'm sorry Dierdre, but either you misread my email or you didn't
>read the URL you referenced:

You've known me for three years and you still can't spell my name.

>To wit:
>
>  >From <http://www.rahul.net/falk/mailtrack.html>:
>
>Received:
>     These are the most reliable lines in the header. They form a list of
>all sites through which the message traveled in order to reach you. They
>are completely unforgeable after the point where it was injected. Up to
>that point, they may be forgeries.

Right. So, say you've got 5 received headers on a piece of spam. You 
know #5 is accurate. I think the problem is that you say "first 
received header" which I understood as earliest in time -- you are 
apparently calling it the LAST in time, which I call #5.

You know that somewhere between 1 and 4, the spam was injected. You 
don't know WHICH host it was without further examination, which that 
URL will tell you how to do.

>If I'm wrong and you know of a way to forge that header outside of
>something exotic like IP spoofing, please correct me.

Yes, you insert fake Received headers *BELOW* where your header will 
be injected.

And that kind of IP spoofing *isn't* exotic.

They've been doing it for at least 7 years now.


===

To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 23:12:09 -0700

Quoting Bill Moseley (moseley@hank.org):

> Dave was talking about the top header, inserted locally upon receipt from a
> remote machine.  How is that forged if delivered to your system via SMTP?

Oh, _that_ Received header is guaranteed to record (at least) a valid
IP, since it was appended by one's own system using information taken
directly from the socket.  If that's what he meant, then yeah.

But that may not tell you where the spam originated, just what IP
address it transited immediately before yours.  You may end up trying to
get an open relay closed -- or pressure for an end to SMTP acceptance
from a dial-up host.  Not that that's a bad thing.
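
The procedure the thread converges on, as an added example in Python (this is not code from the thread or from any of its participants): David Sifry's reading of the topmost Received: line above, and Rick Moen's and Deirdre Saoirse Moen's point that only the lines written by MTAs you operate are verifiable, that the one fact the top line vouches for is the IP address that connected to you, and that the injection point below has to be found by checking whether each line was really written by the host the line above names.  Every host name and address in the two sample messages is constructed (RFC 5737 ranges and .example names), shaped like the headers quoted earlier in the thread; the only assumed inputs are the raw message and the set of MTA host names that are your own.

```python
"""Find the verifiable part of a Received: chain and the first suspect hop.

Added example, not code from the thread.  Sample hosts and addresses are
constructed; assumed input: the raw message and the names of our own MTAs.
"""
import re
from email import message_from_string

# sendmail, Postfix and Exim all write some variation of
#   from <helo> (<reverse-dns> [<ip>] ...) by <host> ...
_RECEIVED = re.compile(
    r"(?:from\s+(?P<helo>\S+)\s+(?:\((?P<paren>.*?)\)\s+)?)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_received(value):
    """Split one Received: value into helo / rdns / ip / by / forged flag."""
    text = " ".join(value.split())  # unfold continuation lines
    m = _RECEIVED.match(text)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = _IP.search(paren)
    rdns = None
    if paren and paren[0] not in "[(":
        rdns = paren.split()[0].split("@")[-1]  # drop any ident "user@" prefix
    return {
        "helo": m.group("helo"),
        "rdns": rdns,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        # sendmail appends this when the PTR name does not resolve back to the IP
        "forged": "may be forged" in paren.lower(),
    }


def trace(raw_message, trusted_mtas):
    """hops[0] was written by our own MTA, so it is the only certainly genuine
    line; lines below it are trusted only while their "by" host is one of our
    relays.  The "from" side of the last trusted line is the peer that really
    connected.  Below that, each line should have been written by the host the
    line above names; the first line that breaks the chain is the likely
    injection point (None if the chain holds all the way down).
    """
    trusted = {h.lower() for h in trusted_mtas}
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops or hops[0]["by"].lower() not in trusted:
        raise ValueError("topmost Received: line was not written by one of our MTAs")

    last = 0
    while last + 1 < len(hops) and hops[last + 1]["by"].lower() in trusted:
        last += 1
    peer = hops[last]

    suspect = None
    for i in range(last + 1, len(hops)):
        above = hops[i - 1]
        claimed = {n.lower() for n in (above["rdns"], above["helo"]) if n}
        if hops[i]["by"].lower() not in claimed:
            suspect = i
            break

    return {
        "hops": hops,
        "connecting_ip": peer["ip"],  # the one fact the TCP socket vouches for
        "connecting_helo": peer["helo"],
        "connecting_rdns": peer["rdns"],
        "rdns_may_be_forged": peer["forged"],
        "first_suspect_hop": suspect,
    }


# Constructed spam: only the top line is ours; the lines below came with the
# message, and the first of them already contradicts what our line recorded.
SPAM = """\
Received: from localhost.localdomain (mail2.relay.example [192.0.2.36] (may be forged))
    by mx.recipient.example (8.12.2/8.12.2/Debian -5) with ESMTP id abc001
    for <user@recipient.example>; Tue, 6 Aug 2002 19:25:15 -0700
Received: from 127.0.0.1 ([127.0.0.1]) by nexdeals.example (8.11.2/8.11.2)
    with SMTP id 2345911028685998 for to; Tue Aug 6 22:02:33 2002
Received: from mail.innocent.example (mail.innocent.example [198.51.100.7])
    by relay.innocent.example (8.11.6/8.11.6) with ESMTP id abc002; Tue, 6 Aug 2002 21:55:00 +0000
From: FREE Quote! <deals@nexdeals.example>
"""

# Constructed legitimate mail that crossed two of our own relays first.
LEGIT = """\
Received: from relay.recipient.example (relay.recipient.example [203.0.113.9])
    by mx.recipient.example (8.12.2/8.12.2/Debian -5) with ESMTP id abc003
    for <user@recipient.example>; Fri, 16 Aug 2002 21:35:07 -0700
Received: from sender.example (sender.example [198.51.100.186])
    by relay.recipient.example (8.12.3/8.12.3/Debian -4) with ESMTP id abc004
    for <list@recipient.example>; Fri, 16 Aug 2002 21:32:48 -0700
Received: from alice by sender.example with local (Exim 3.35 #1 (Debian))
    id abc005 for <list@recipient.example>; Fri, 16 Aug 2002 21:33:12 -0700
From: alice@sender.example
"""

if __name__ == "__main__":
    for raw, ours in ((SPAM, {"mx.recipient.example"}),
                      (LEGIT, {"mx.recipient.example", "relay.recipient.example"})):
        print({k: v for k, v in trace(raw, ours).items() if k != "hops"})
```

For the spam sample the result is the connecting address 192.0.2.36, a HELO of localhost.localdomain, a reverse name the MTA itself flagged as possibly forged, and a chain that breaks at hop 1: the line directly below ours claims to have been written by a host our line never saw.  That break is the spammer's injection point, and everything below it (including the line blaming relay.innocent.example) is the kind of data that gets innocent parties complained about.  For the legitimate sample both of our relays are trusted, the connecting peer is sender.example, and the chain holds all the way down.  As Rick notes, a verified connecting address still may be an open relay or a dial-up host rather than the spammer; the code tells you where the evidence stops, not who to blame.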



===

Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Rick Moen <rick@linuxmafia.com>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 23:12:27 -0700

Rick Moen wrote:
> Quoting David L. Sifry (david@sifry.com):
> 
> > Yes, but those forged headers appear BELOW the first Received: header. 
> > I can still trust the first Received: header, even if I can't trust all
> > the ones after it.
> 
> The bottom-most Received header _is_ the one that purports to be first.
> 
> What you seem to be aiming at is the key problem of determining where
> the spam injection point was.  _If_ you can do that, then you know where
> it came from.  The problem is that many people assume they know what
> information is forged, when they really have no idea.

OK so it sounds like there was a bit of confusion over what the "first"
header was - I always look at email from the perspective of the
receiver, and in my example, I use "first" to mean the Header that
appeared topmost in the email.

I think the confusion came from the reading of "first" as being the
header that is bottommost in the email, purporting to be the Header that
was attached first.  Of course, as you and Dierdre point out, that
header can easily be forged.

===

Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Deirdre Saoirse Moen <deirdre@deirdre.net>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 23:16:11 -0700

Deirdre,

My apologies on the misspelling of your name, it was unintentional.

On Fri, 2002-08-16 at 23:09, Deirdre Saoirse Moen wrote:
> At 10:55 PM -0700 8/16/02, David L. Sifry wrote:
> >Um, I'm sorry Dierdre, but either you misread my email or you didn't
> >read the URL you referenced:
> 
> You've known me for three years and you still can't spell my name.
> 
> >To wit:
> >
> >  >From <http://www.rahul.net/falk/mailtrack.html>:
> >
> >Received:
> >     These are the most reliable lines in the header. They form a list of
> >all sites through which the message traveled in order to reach you. They
> >are completely unforgeable after the point where it was injected. Up to
> >that point, they may be forgeries.
> 
> Right. So, say you've got 5 received headers on a piece of spam. You 
> know #5 is accurate. I think the problem is that you say "first 
> received header" which I understood as earliest in time -- you are 
> apparently calling it the LAST in time, which I call #5.

Yup, it appears that's where the confusion started.

> 
> You know that somewhere between 1 and 4, the spam was injected. You 
> don't know WHICH host it was without further examination, which that 
> URL will tell you how to do.
>

Right.

 
> >If I'm wrong and you know of a way to forge that header outside of
> >something exotic like IP spoofing, please correct me.
> 
> Yes, you insert fake Received headers *BELOW* where your header will 
> be injected.
> 
> And that kind of IP spoofing *isn't* exotic.

Well, that isn't IP spoofing.  You still know that that last hop was
either that originator of the spam, an open relay, or a cracked box,
which at least gives you some cause of action.

> 
> They've been doing it for at least 7 years now.
> -- 
> _Deirdre                                             http://deirdre.net
> "It is lots easier to build a house from plans than from dumping a pile of
> 2x4s into a vacant lot then moving them around until they look like a
> house." -- James D. MacDonald


===

To: "David L. Sifry" <david@sifry.com>
From: Deirdre Saoirse Moen <deirdre@deirdre.net>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Cc: Balug <balug-talk@balug.org>
Date: Fri, 16 Aug 2002 23:20:08 -0700

At 11:12 PM -0700 8/16/02, David L. Sifry wrote:
>OK so it sounds like there was a bit of confusion over what the "first"
>header was - I always look at email from the perspective of the
>receiver, and in my example, I use "first" to mean the Header that
>appeared topmost in the email.

That's the way Rahul does it too. And yes, it's the first header come across.

Being contrary, I tend to think chronologically rather than linearly.

Usenet spam has everything bang-separated on one line in the Path 
header. Bonus points to the old hands (except Nick or Rick) who can 
explain why.

>I think the confusion came from the reading of "first" as being the
>header that is bottommost in the email, purporting to be the Header that
>was attached first.  Of course, as you and Deirdre point out, that
>header can easily be forged.

Yes. As long as we agree that the earliest isn't reliable.

On my name, I just tell people: spelled as in DEITY, not as in DIET. ;)

===

From: Dan Lyke <danlyke@flutterby.com>
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Sat, 17 Aug 2002 08:01:11 -0700

Rick Moen writes:
> Quoting David L. Sifry (david@sifry.com):
> 
> > There is one line in an email header that you can (reasonably) trust -
> > the first Received: header.
> 
> Dave, sorry, no.

Ummmm... Sendmail as I've always had it configured inserts its
"Received" header above all the other "Received" headers. Thus the
first line is trustable to the extent that I trust the MTA on the box
which got the message. Forged "Received" lines get pushed further down
in the stack.

What MTA are you and Dierdre running?

Dan

_______________________________________________
Balug-talk mailing list
Balug-talk@balug.org
http://www.balug.org/mailman/listinfo/balug-talk


===

To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Sat, 17 Aug 2002 09:07:33 -0700

Quoting Dan Lyke (danlyke@flutterby.com):

> Ummmm... Sendmail as I've always had it configured inserts its
> "Received" header above all the other "Received" headers. Thus the
> first line is trustable to the extent that I trust the MTA on the box
> which got the message. Forged "Received" lines get pushed further down
> in the stack.
> 
> What MTA are you and Dierdre running?

Let me know if you still have questions after catching up on the message
thread (and learning how to spell Deirdre ;-> ).



===

To: balug-talk@balug.org
From: Bill Moseley <moseley@hank.org>
Subject: [Balug-talk] Routing table question
Date: Sat, 17 Aug 2002 10:14:30 -0700

Good Morning,

I was looking at my routing tables for my home lan.  It all works fine, so
I don't think I'm trying to fix anything, but on the other hand it doesn't
completely make sense.  Might be a lack of Peets this morning.  Anyway, my
goal with linux is to have things make sense, even if I have to ask basic
questions ;).  Hope you don't mind.

I have a simple setup: /29 subnet with a DSL modem hooked to a switch, with
a few machines on the internet side, and one acts as a router (really NAT)
for my internal 192.168 segment.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
63.205.225.168  *               255.255.255.248 U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         gateway.hank.or 0.0.0.0         UG    0      0        0 eth1

"gateway" is PacBell's machine.


Here's where I'm a bit confused.  Here's one of my internal machine's table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

I'm wondering why I don't have (or seem to need) an entry of:

192.168.0.0     *               255.255.255.0   U     0      0        0 eth0

That is, if 192.168.0.10 wants to talk to 192.168.0.20 it looks like the
only defined route is "default".

The page at:

  http://www.debian.org/doc/manuals/network-administrator/ch-tcpip.html#s3.4

makes me think I should have a route to the local net.

So, why don't I need that route in the table?

Thanks,




===

From: Dan Lyke <danlyke@flutterby.com>
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Sat, 17 Aug 2002 10:03:15 -0700

Rick Moen writes:
> Let me know if you still have questions after catching up on the message
> thread

Got it now from the web, most of those messages hadn't arrived at my
address as of my writing the previous message. There's a puzzle for
the "Received" lines, but given that I switched email addresses for my
subscription this morning, probably a moot one.

> (and learning how to spell Deirdre ;-> ).

Yeesh. Yep, or just learning how to read without transposition, given
that there seem to be a good number of "Dierdre"s in the world too, I
must've only known the "diet" sort previously.

And on Deirdre's question about bang-path addressing, I stopped
adminning professionally 7 years ago, and I did *not* need the NNTP
memories dredged up again. shudder.

Time to spend some time with eliza...

  > What would it mean to you if you got to discuss your nightmares
  > about adminning usenet feeds?


===

From: Ramin Keyvan <keyvan@rhinonetworksolutions.com>
To: balug-talk@balug.org
Subject: [Balug-talk] Newbie question..Print queue configuration on home LAN...
Date: Sat, 17 Aug 2002 12:06:06 -0700

Group,

I have a LINUX (SuSe 8.0 Pro) box and a WIN2K box running on my LAN and I 
would like to configure my LINUX box to be able to use my WIN2K box as a 
"print server" and route print jobs to the Epson printer I have connected to 
the WIN2K box. I am having a devil of a time configuring this to work. 

What files do I need to edit in order to make this happen? What entries should 
I look for/add, etc.?

Any insight you might be able to provide would be greatly appreciated.

Cheers,
Rain



===

From: Kent Howard <balug@thisway.net>
To: Bill Moseley <moseley@hank.org>
Cc: balug-talk@balug.org
Subject: Re: [Balug-talk] Routing table question
Date: Sat, 17 Aug 2002 14:06:58 -0700

On Sat, Aug 17, 2002 at 10:14:30AM -0700, Bill Moseley wrote:
> Here's where I'm a bit confused.  Here's one of my internal machine's table:
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> localnet        *               255.255.255.0   U     0      0        0 eth0
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
> 
> I'm wondering why I don't have (or seem to need) an entry of:
> 
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> 
> That is, if 192.168.0.10 wants to talk to 192.168.0.20 it looks like the
> only defined route is "default".
> 
> The page at:
> 
>   http://www.debian.org/doc/manuals/network-administrator/ch-tcpip.html#s3.4
> 
> makes me think I should have a route to the local net.
> 
> So, why don't I need that route in the table?

You probably do have it.
Turn off name lookup for your routing table output by using the -n
option to either route or netstat. (i.e. "route -n" or "netstat -r -n")

I suspect "localnet" may actually be your LAN route 192.168.0.0.
On a basic system (not using NIS, or LDAP, etc for this) /etc/networks
defines the symbolic names for networks and that's where "localnet"
is likely defined on your system.

It looks to me like you are actually missing your loopback route
which looks like this.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

- Kent

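Kent's answer rests on two things: "localnet" is just a symbolic name from /etc/networks standing in for 192.168.0.0, and the kernel picks the most specific matching route, so the /24 entry beats "default" for any 192.168.0.x destination. The following added Python example (not from the thread or from any tool mentioned in it) parses a `route` table as printed, resolves the symbolic name from a constructed /etc/networks, and does the longest-prefix match; the /etc/networks contents are an assumption about Bill's box, and the table is modelled on the one he posted.

```python
import ipaddress

# Constructed /etc/networks, an assumption about Bill's internal box; this
# mapping is what makes `route` print "localnet" instead of 192.168.0.0.
ETC_NETWORKS = """\
default  0.0.0.0
loopback 127.0.0.0
localnet 192.168.0.0
"""

# Constructed `route` output mirroring the internal machine's table in the thread.
ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_networks(text):
    """Map symbolic network names to addresses, as /etc/networks does."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, addr = line.split()[:2]
            names[name] = addr
    return names


def parse_routes(text, names):
    """Turn `route` output into (network, gateway, iface) tuples, resolving
    the symbolic destinations that `route` without -n prints."""
    routes = []
    for line in text.splitlines()[1:]:           # skip the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network((names.get(dest, dest), mask))
        gateway = None if gw == "*" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific network containing dest wins.
    The 0.0.0.0/0 default only applies when nothing narrower matches."""
    dst = ipaddress.IPv4Address(dest)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def describe(routes, dest):
    match = lookup(routes, dest)
    if match is None:
        return "unreachable"
    net, gw, iface = match
    via = "direct" if gw is None else f"via {gw}"
    return f"{dest} -> {net} {via} on {iface}"


if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT, parse_networks(ETC_NETWORKS))
    for host in ("192.168.0.20", "63.205.225.170", "127.0.0.1"):
        print(describe(table, host))
```

Run it and 192.168.0.20 comes out as "direct on eth0" through the 192.168.0.0/24 route, while an outside address falls through to the default via 192.168.0.1. With only these two entries, 127.0.0.1 also falls through to the default, which is the gap Kent points out; `route -n` is the right first move because it removes the name resolution (and the trust in /etc/networks) from the picture.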

===

From: Samantha Atkins <samantha@objectent.com>
To: balug <balug-talk@balug.org>
Subject: [Balug-talk] DNS question
Date: Sat, 17 Aug 2002 17:27:24 -0700

I tend to have several domains running against my local set of
machines with fixed IP addresses.  So far I have had my DSL ISP
provider handle mapping domain MX, www, ftp records to one of my
IP addrs.  But it gets old and annoying to call them up and map
new ones or move them about.  So I am thinking of doing my own
DNS stuff also.  But the DNS literature looks a bit daunting.
Can someone put me onto the minimum I need to know to map a few
domain name records to a handful of IP addresses?  I am drowning
a bit in too much information without a clear idea how much of
it is relevant to my specific needs.

One question is whether I will need to handle the entire
household (block of 32 contiguous IP addresses) if I only really
want to map my own domains to my set of 7 addrs.

Thanks for any clues.


===

To: Robert Gilman <rbob@dnai.com>
Cc: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: davidw@dedasys.com (David N. Welton)
Date: 16 Aug 2002 13:05:15 -0700


Do you still have that piece of spam?  Did it really come from your
box, or did someone just use that as a 'from' address?  You could post
the headers here and I'm sure we could figure it out from that.

If it's just a forgery, you don't have to worry.  If it's coming from
your box, then you may have been hacked, or simply allow mail
relaying, and you have problems.


===

From: Mark Cohen <markc@binaryfaith.com>
To: <balug-talk@balug.org>
Subject: [Balug-talk] PIM help
Date: Fri, 16 Aug 2002 15:34:10 -0700 (PDT)


I have an interesting problem. I've got all of my contacts in (ahem)
Outlook and I'd like to get them into one of the many linux contact
management tools. Is there an easy way to convert them?

-Mark

===

To: <bear@pagansexcult.org>
Cc: Byron <snail945@yahoo.com>, <balug-talk@balug.org>,
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: davidw@dedasys.com (David N. Welton)
Date: 16 Aug 2002 17:01:35 -0700


On the topic of spam, this is pretty interesting:

http://www.paulgraham.com/spam.html



===

From: Brian.Sroufek@WellsFargo.COM
To: balug-talk@balug.org
Subject: RE: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 17:13:42 -0700



josv@osp.nl [mailto:josv@osp.nl] wrote: 

> Robert Gilman wrote:
> 
> > I'm looking for advice.
> 
> > Just recently I received a piece of spam showing my own
> > email address as sender. I contacted my ISP and had them
> > reset my password. I have a dial-up ISDN connection. Now
> > I'm wondering whether there's any danger that whoever took
> > my email address would also be able to steal my on-line
> > accounts information; for example, with my bank; and steal
> > from me that way. My ISP says "unlikely" but I'd be
> > grateful for opinions.
> 
> It happened to me a couple of times as well. And, surprisingly, I never
> got any mail from people saying that they did not want their penis
> enlarged, that they were fine with the natural breasts they had or that
> they did not need any Viagra thank-you-very-much... :-)

Since most of my spam comes from a limited (?)
set of ISPs, typically some non-US ISPs willing,
perhaps, to host anything for $$, a good spam
filter would black list the ISP, and

==>
return
an email indicating to the poor opportunist that
their ISP has been black listed.
<==

Wonder how fast the proliferation of that technique
would quell the traffickers?

===

From: Brian.Sroufek@WellsFargo.COM
To: balug-talk@balug.org
Subject: RE: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 18:37:09 -0700

Joseph Zitt [mailto:jzitt@metatronpress.com] wrote: 

> "Brian Sroufek" <brian_sroufek@msdesigninc.com> wrote:
> 
> > Since most of my spam comes from a limited (?)
> > set of ISPs, typically some non-US ISPs willing,
> > perhaps, to host anything for $$, a good spam
> > filter would black list the ISP, and
> > 
> > ==>
> > return
> > an email indicating to the poor opportunist that
> > their ISP has been black listed.
> > <==
> > 
> > Wonder how fast the proliferation of that technique
> > would quell the traffickers?
> 
> How fast is a dead snail? 
> 
> Most of what it would do is block you from getting mail from innocent
> people whose addresses were forged into the email, including
> (especially?) friends whose addresses happened to reside with yours in
> some poor fool's Outlook address book, and who might be confused and
> insulted by receiving email from you accusing them of wrongdoing.

No worries, I'm sure, because my acquaintances
would probably not be using the specific,
small-island hideout ISPs as their originators.

===

From: Joseph Zitt <jzitt@metatronpress.com>
To: Brian.Sroufek@wellsfargo.com
Cc: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Sat, 17 Aug 2002 21:19:35 -0500

Brian.Sroufek@wellsfargo.com wrote:
> No worries, I'm sure, because my acquaintances
> would probably not be using the specific,
> small-island hideout ISPs as their originators.

But again: it can be extremely difficult to tell that they
came from them. See, again, the references on spam forgery.

===

From: "Karsten M. Self" <kmself@ix.netcom.com>
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Multiple rows in Mozilla Personal Toolbar?
Date: Sun, 18 Aug 2002 13:59:54 -0700

David L. Sifry (david@sifry.com) wrote:
> Has anyone found a way to get multiple rows available in the Mozilla
> personal toolbar?  It really sucks because I love the personal toolbar
> to save well-used bookmarks - but as soon as I shrink a window, all my
> rightmost bookmarks scroll off the edge.  I've been looking through
> Google and mozilla.org, but haven't been able to find anything so far.
>
> Any Mozilla experts out there that know the magic incantation to get a
> multiline personal toolbar working?

A.  Move bookmarks from the top of your screen to the right/left side.
    The bar becomes vertical.  Downside:  sucks more real estate.  For a
    sufficiently large display, not a problem.  Note:  I may be
    confusing Moz with Galeon, which I *know* has this feature.

B.  Switch to Galeon.  Smaller widgets ;-)  There's also a ***VERY***
    handy "Open whole folder in (tabs|windows)" option which lets you
    open a slew of bookmarks in one swell foop.  I find this convenient
    for, e.g.:  my morning newsfeeds.  One click:  17 sites open.  This
    in turn makes bookmark folders the *logical* way for organizing
    sites.

Galeon wins massively on a number of UI points -- it's far more designed
for use than Mozilla.  Small differences matter much -- open tab behind
current tab (rather than at the end of the tab stack) is just _so_ way
the Right Way To Do It.

Numerous other controls at your fingertips.  Mozilla wins slightly with
its security panel (for SSL sites, missing in Galeon) and actually has a
few content controls built in that Galeon doesn't have -- but they're
stuck multiple levels deep in nested menus/controls.  Galeon's awfully
good making similar features immediately available.

More browser review / work in progress at:

    http://twiki.iwethey.org/twiki/bin/view/Main/NixBrowsers

===

From: "Karsten M. Self" <kmself@ix.netcom.com>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Sun, 18 Aug 2002 14:03:58 -0700


on Fri, Aug 16, 2002, Robert Gilman (rbob@dnai.com) wrote:
> I'm looking for advice.

    http://www.google.com/search?hl=en&ie=ISO-8859-1&q=klez

At work, our virus intercepts went from 6-24/day January - mid-April.
They've stairstepped first to 80-90, 120-150, and now ~200-250 daily,
persistently.  The vast majority are Klez, though Sircam's made
something of a resurgence.

Klez (if you haven't read any of the above links) forges the 'from'
header, making identification of the infected party somewhat difficult.
From a virus's perspective, it's been phenomenally successful.

If you can't get the message itself, the subject line is often a strong
giveaway.  Again, research the Google links above.

===

From: "Karsten M. Self" <kmself@ix.netcom.com>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Sun, 18 Aug 2002 14:43:01 -0700

Rick Moen (rick@linuxmafia.com) wrote:
> Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):

> > Since most of my spam comes from a limited (?)
> > set of ISPs, typically some non-US ISPs willing,
> > perhaps, to host anything for $$, a good spam
> > filter would black list the ISP, and
> >
> >
> > return
> > an email indicating to the poor opportunist that
> > their ISP has been black listed.
> >
>
> Out of curiosity, how are you identifying originating ISPs?  A lot of
> people seem to try to do this by taking some of the spam headers at
> face value.  In my experience, nailing down the originating host
> sometimes takes some detective work.

I use the expedient (appreciated by some, scorned by others) of using an
automated tool to report to *all* receiveds that spam which did, or
wants to look like it did, come from/through them, was received.  The
specific tool is ricochet, an earlier work from Vipul of Vipul's Razor.

I hook this in to my spamassassin scripts, triggering the mail
automatically on all scores 10+, and manually on most of what falls in
below that level.

This is somewhat shotgun in its effects, but it's pretty effective at:

   - Ferreting out frustrated GNU/Linux admins at sf.net.
   - Identifying borderline sociopaths who make threatening calls to
     your workplace (one in seven months).
   - Identifying candidates for submission to rfc-ignorant
     (http://www.rfc-ignorant.org/) for failing to properly
     receive/respond to mail to postmaster and/or abuse accounts, and/or
     have invalid WHOIS contacts.  Several per week.
   - Identify just how much Yahoo, Hotmail, and Lycos mail is forged,
     among the larger shops, and other smaller ones (lots).
   - And, several times a week, prompt a response from a sysadmin
     somewhere who's discovered, courtesy the report, that they are in
     fact running an open relay or otherwise hosting a spammer.

I've even found that folks getting spoofed appreciate my reports as I
send ***FULL HEADERS***, which apparently five nines of their
complainants *don't* do, and which makes proper forensics of an issue
difficult.

In related news, spam intercepts at work have actually *fallen* about
20% since May, peaking at ~55/day, now in the 42-45/day range (this
being my own and a bunch of catch-all accounts -- trend matters more
than quantity).  Home numbers differ somewhat, but appear to be holding
relatively steady:

    http://twiki.iwethey.org/twiki/bin/view/Main/SpamEmailTrends
    (Spam report and graphics)

My philosophy:  rapid response and reaction to spam raises costs of
doing business.  Spam is an economic activity (and a low-margin one at
that), so any actions which increase its costs _should_ reduce its
prevalence.  Both filtering (passive response) and reporting (active
response) have strong impacts.  Seems we may be winning somewhat at
present.

===

From: "Vipul Jain" <vjainfvc@hotmail.com>
To: balug-talk@balug.org
Subject: [Balug-talk] PCMCIA card not working
Date: Sun, 18 Aug 2002 14:48:44 -0700

I am a newbie to Linux OS. I installed my Red Hat Linux (7.0) on my Toshiba 
Laptop. Everything runs fine except the 3Com's PCMCIA network card 
(3CXFE575BT). The problem is that as soon as I put the card in the system, 
the complete system hangs.

I have no idea how to debug/solve it. I had tried putting the PCMCIA patches 
but with no results.

Any help would be highly appreciated.

===

To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Sun, 18 Aug 2002 15:06:24 -0700

Quoting Karsten M. Self (kmself@ix.netcom.com):

> I use the expedient (appreciated by some, scorned by others) of using an
> automated tool to report to *all* receiveds that spam which did, or
> wants to look like it did, come from/through them, was received.

I'll withhold comment on the automation, about which I'm skeptical.
However, I can recommend one nice little tool, a perl script called
"hinfo" (not to be confused with the DNS datum of the same name).
Description and tarball available here:  http://www.blars.org/hinfo.html 

Excerpt:  

hinfo is a utility that will display information about a host. It is
primarily designed to find the owner of an IP block in order to direct
spam complaints to where they may do some good.

The first function is to decrypt obfuscated IPs and URLs. You can feed
it most forms of obfuscated addresses that I've seen and have it extract
the IP or hostname.

The second function is to do DNS lookups and check if the forward and
reverse DNS match.

If hinfo is given a hostname, domain based blacklist checks are done if
the -d option is not specified. If the rDNS isn't forged, domain based
lookups are done on it as well. These hostnames are also checked on
whois.abuse.net's database if the -a option is not specified.

The IP is then checked with a number of IP based blackhole lists if the
-b option is not specified. If the hostname has multiple IPs, all are
checked.

Unless the -w option is specified, the whois database is then queried
for the owner of the IP block containing this address. This is done with
a modified code from the geektools whois proxy, querying ARIN and other
whois and rwhois databases. Unfortunately, this output is non-uniformly
formatted and can be difficult to read. 

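The first hinfo function Rick quotes, turning obfuscated IPs and URLs back into a plain address, is worth seeing in code, because the blocklist and whois lookups that follow are only as good as the address you feed them. The block below is an added Python example, not hinfo itself (which is a Perl script) and not anything from the thread; it implements the inet_aton(3) address forms that this kind of obfuscation relies on (a single 32-bit decimal, hex or octal components, and fewer than four components), plus the "user@host" URL trick, and the sample inputs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def _component(s):
    """Parse one dotted component the way inet_aton(3) does: 0x.. is hex,
    a leading 0 means octal, otherwise decimal."""
    if s[:2].lower() == "0x":
        return int(s[2:], 16)
    if len(s) > 1 and s[0] == "0" and s.isdigit():
        return int(s, 8)
    if s.isdigit():
        return int(s, 10)
    raise ValueError(f"not a numeric component: {s!r}")


def decode_host(host):
    """Normalise any inet_aton-style spelling of an IPv4 address to dotted
    quad. Raises ValueError if `host` is not such a spelling."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"too many components: {host!r}")
    values = [_component(p) for p in parts]
    width = 5 - len(parts)              # octets covered by the last component
    for v in values[:-1]:
        if not 0 <= v <= 255:
            raise ValueError(f"component out of range: {host!r}")
    if not 0 <= values[-1] < (1 << (8 * width)):
        raise ValueError(f"trailing component out of range: {host!r}")
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * width)) | values[-1]
    return str(ipaddress.IPv4Address(n))


def host_from_url(url):
    """Extract the real host from a URL. urlsplit() already discards the
    'user@' decoy that is often put in front of the numeric host; if the host
    is an obfuscated address it is returned as dotted quad, otherwise the
    lowercased hostname is returned for later DNS/whois lookup."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    try:
        return decode_host(host)
    except ValueError:
        return host.lower()


if __name__ == "__main__":
    # Constructed samples; 192.168.0.1 is used only because its hex/octal
    # forms are easy to check by hand.
    for sample in ("3232235521", "0xC0A80001", "0300.0250.0.01", "192.168.1"):
        print(sample, "->", decode_host(sample))
    print(host_from_url("http://www.example.com@0xC0.0xA8.0.1/login"))
```

Every one of those spellings resolves to 192.168.0.1, and the URL with a host name in front of the @ yields the numeric host behind it. Normalising first, then doing the forward/reverse DNS, blocklist and whois steps hinfo describes, keeps a complaint from being sent about a decoy name instead of the address that actually served the content.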
===
