FlyerTalk Forums - View Single Post - Verizon is blocking all incoming e-mail from outside the USA!!!
Old Jan 24, 2005, 4:55 am
  #54  
SarahWest
 
Join Date: Dec 2001
Posts: 1,034
<long boring geeky post>
Nice try Stimpy but you've fallen at the first hurdle with both emails you've posted. Let's start by looking at the one you claim came to you from NTL.

The email originated from a PC (possibly an IBM) with an IP address of 80.168.243.66. We can tell this from the line in the headers;

Received: from IBMCA8D325E423 [80.168.243.66] by visiongaingroup.com with SMTP
(SMTPD32-8.05) id A97622401A6; Thu, 18 Nov 2004 19:23:58 +0530


We can perform a WHOIS query on the IP address to find out where it belongs;

espresso:~$ whois -h whois.ripe.net 80.168.243.66
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 80.168.243.64 - 80.168.243.71
netname: VISIONGAIN
descr: Routed Connection
country: GB
admin-c: SAM80-RIPE
tech-c: CH309-RIPE
rev-srv: ns0.clara.net
rev-srv: ns1.clara.net
status: ASSIGNED PA
notify: [email protected]
mnt-by: AS8426-MNT
source: RIPE
changed: [email protected] 20041102

route: 80.168.0.0/16
descr: CLARA-AGG4
origin: AS8426
mnt-by: AS8426-MNT
changed: [email protected] 20030408
source: RIPE

role: Claranet Hostmaster
address: Claranet Ltd
address: 21 Southampton Row
address: London WC1B 5HA
address: United Kingdom
phone: +44 (0) 20 7685 8000
fax-no: +44 (0) 20 7685 8001
e-mail: [email protected]


This tells us that the ISP is not NTL but Claranet and the IP address belongs to a subnet that is allocated to Visiongain for a routed connection, which means it's probably a leased line rather than ADSL (although that's not always the case).

So where did the email go from here? Well, looking further up the headers we see it was received by visiongaingroup.com (202.70.193.69) which is the Visiongain corporate email server. This is confirmed by doing an MX query (this asks which mailserver handles email for a particular domain) against the nameservers which gives;

espresso:~$ dig visiongaingroup.com mx
; <<>> DiG 8.4 <<>> visiongaingroup.com mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;; visiongaingroup.com, type = MX, class = IN

;; ANSWER SECTION:
visiongaingroup.com. 1H IN MX 10 mail.visiongaingroup.com.
visiongaingroup.com. 1H IN MX 10 202.70.193.69.


OK, this mail server then passes the email onto the first of two Verizon mail servers. The question you now have to ask is whether the mailserver for Visiongain.com is in the UK.

We check this by doing a WHOIS query of the IP address and even before I do this just by looking at the number I can tell it's an Asia Pacific address. It actually turns out to be in India (belonging to India Online in fact);

espresso:~$ whois -h whois.apnic.net 202.70.193.69
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 202.70.192.0 - 202.70.207.255
netname: IOLNET
descr: India Online Network Ltd.
descr: Broadband ISP
descr: Mumbai
country: IN
admin-c: DT136-AP
tech-c: DT136-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-IOL
changed: [email protected] 20010130
changed: [email protected] 20021007
changed: [email protected] 20021010
status: ALLOCATED PORTABLE
source: APNIC

route: 202.70.192.0/20
descr: Broadband - ISP
origin: AS9910
notify: [email protected]
mnt-by: APNIC-HM
changed: [email protected] 19991123
source: APNIC

person: Dhananjay Singh Thakur
nic-hdl: DT136-AP
e-mail: [email protected]
address: IOL Broadband Limited,
address: AB-01, Neelam Centre,
address: Hind Cycle Road, WORLI,
address: MUMBAI--400025, INDIA
phone: +91-22-56319400
fax-no: +91-22-56319401
country: IN
changed: [email protected] 20031212
mnt-by: MAINT-IN-IOL
source: APNIC


So, we now know that although the email originated in the UK, it wasn't from an NTL subscriber and it wasn't received by Verizon.net from a UK mailserver but one based in India. If Verizon.net was blocking UK emails this one would get round the block by using a mailserver in India which appears not to be locked.

Now we've cleared that up, let's look at the spam you think you received from the UK.

Again we need to look at headers carefully and understand how folks can try to make them mislead us.

The first IP address we see in the headers is 200.30.245.221. This IP address claims to be runshaw-stud.co.uk but that's a bit strange as the IP address originates in South America. We can do two things to confirm that something is amiss here. The first is simply do a WHOIS lookup of the IP address which gives;

espresso:~$ whois -h whois.lacnic.net 200.30.245.221

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2005-01-24 09:24:31 (BRST -02:00)

inetnum: 200.30.240/20
status: reassigned
owner: Metropolis Intercom
ownerid: CL-MEIN-LACNIC
responsible: Eulogio Robles Perez
address: Avenida Jose Pedro Alessandri, 3082, Macul
address: -- - Santiago - RM
country: CL
phone: +56 2 8105442 []
owner-c: ERP
tech-c: ERP
inetrev: 200.30.240/20
nserver: NS-1.METROPOLIS-INTER.COM
nsstat: 20050120 AA
nslastaa: 20050120
nserver: NS-2.METROPOLIS-INTER.COM
nsstat: 20050120 AA
nslastaa: 20050120
created: 20011019
changed: 20011019
inetnum-up: 200.30.192/18


So the IP address is actually in Santiago, Chile. So where does the runshaw-stud.co.uk bit come from? It is conceivable that it could be a British company operating in Chile but let's find out what the WHOIS records for runshaw-stud.co.uk show;

espresso:~$ whois -h whois.nic.uk runshaw-stud.co.uk

Domain Name:
runshaw-stud.co.uk

Registrant:
Helen Tattersall

Administrative Contact's Address:
Unit 22 Walworth Enterprise Centre
Duke Close
West Way
Walworth Industrial Estate
Andover
Hampshire
SP10 5AP
UK

Registrant's Agent:
Namesco Limited [Tag = NAMESCO]
URL: http://www.names.co.uk

Relevant Dates:
Registered on: 09-Aug-2000
Renewal Date: 09-Aug-2006
Last updated: 10-Aug-2004

Registration Status:
Registered until renewal date.

Name servers listed in order:
ns0.phase8.net 212.84.175.69
ns1.phase8.net 212.84.175.68
ns2.phase8.net 80.253.126.16

WHOIS database last updated at 11:25:01 24-Jan-2005

--
(c) Nominet UK 1996 - 2005

For further information and terms of use please see http://www.nic.uk/whois
Nominet reserves the right to withhold access to this service at any time.


Now that doesn't look very Chilean to me so let's see if there is a slight chance that the email server for runshaw-stud.co.uk is based in Chile. Again, it's back to our old friend Dig to query the nameservers;

espresso:richard/etc/mail$ dig runshaw-stud.co.uk mx

; <<>> DiG 8.4 <<>> runshaw-stud.co.uk mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28023
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;; runshaw-stud.co.uk, type = MX, class = IN

;; ANSWER SECTION:
runshaw-stud.co.uk. 1D IN MX 30 fwd2.hosts.co.uk.
runshaw-stud.co.uk. 1D IN MX 30 fwd1.hosts.co.uk.

;; AUTHORITY SECTION:
runshaw-stud.co.uk. 1D IN NS ns0.phase8.net.
runshaw-stud.co.uk. 1D IN NS ns1.phase8.net.
runshaw-stud.co.uk. 1D IN NS ns2.phase8.net.

;; ADDITIONAL SECTION:
ns0.phase8.net. 1d23h59m55s IN A 212.84.175.69
ns1.phase8.net. 1d23h59m55s IN A 212.84.175.68
ns2.phase8.net. 1d23h59m55s IN A 80.253.126.16

;; Total query time: 5086 msec
;; FROM: espresso to SERVER: 192.168.0.10
;; WHEN: Mon Jan 24 11:31:05 2005
;; MSG SIZE sent: 36 rcvd: 214


We need to do a bit more work here to work out the IP addresses of the two mailservers which handle email for runshaw-stud.co.uk. Their hostnames are listed as fwd1.hosts.co.uk and fwd2.hosts.co.uk

Using Dig to look up the IP addresses for these two hostnames we find that fwd1.hosts.co.uk is 212.84.175.148 and fwd2.hosts.co.uk is 212.84.175.146. Now there are reasons that this worries me but it has nothing to do with the legitimacy of the servers. We can immediately see that 212.84.175.148 and 212.84.175.146 are nowhere near the address in the email header of 200.30.245.221 so what is that IP address?

Back to the DNS tools and we do a host lookup which shows that the IP address has a hostname of pc-30-245-221.la-reina.pc.metropolis-inter.com. La Reina is a town in Chile and the fact that the hostname includes the word "PC" suggests strongly that it's a dial-up connection.

So the email came from a dial-up pc in La Reina, Chile. Not exactly from the UK. We still have to work out how the runshaw-stud.co.uk bit got there.

To do that you have to understand how email servers work. It's often a wise precaution to set your email server to reject incoming email that claims to be from a non-existent domain. Spammers therefore use legitimate domains belonging to other people to trick email servers into accepting their spams. The domain works its way into the headers because of another thing that mail exchange systems do. If your PC is networked (and it needs to be to send email) it will have a network name. This network name may only be relevant locally as far as you are concerned, but when you send an email from your PC that network name is sent in the headers of the email. If you tweak your network name to be runshaw-stud.co.uk then you can appear to send email from runshaw-stud.co.uk. Often this trick is foiled because the receiving mail server tries to look for the public registered hostname for the IP address of the remote machine and, if it finds it, it includes that in the headers. Had Verizon's mail server done this the header you would have seen would have said;

Received: from runshaw-stud.co.uk (pc-30-245-221.la-reina.pc.metropolis-inter.com [206.46.170.121]) by sc008pub.verizon.net

That might have given you some warning that the address was faked. Basically ignore any hostname or domain outside the () brackets.

So you can get email from France but us Brits are still out in the cold (and not responsible for your spam either!)

If you want to go poking around to find out where an email really came from you can check IP addresses at http://www.samspade.org

</long boring geeky post>

Last edited by SarahWest; Jan 24, 2005 at 5:14 am
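As an added illustration of the header-reading method in the post above (example code, not SarahWest's), the Python below parses the two `Received:` shapes quoted there, treats only the bracketed IP as trustworthy, and flags a claimed HELO name whose domain disagrees with the reverse-DNS name of the connecting address. The sample header lines and the `RDNS_TABLE` stand-in for `host` lookups are constructed so it runs offline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field patterns for the two Received: shapes quoted in the post:
#   from HELO [ip] by server          (receiver recorded no reverse-DNS name)
#   from HELO (rdns [ip]) by server   (receiver looked up and recorded the rDNS name)
HELO_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_RE = re.compile(r"\(\s*([A-Za-z0-9.-]+)\s+\[")
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

# Constructed stand-in for a live `host <ip>` reverse lookup (offline example).
RDNS_TABLE = {"200.30.245.221": "pc-30-245-221.la-reina.pc.metropolis-inter.com"}

# Constructed header lines modelled on the shapes shown in the post.
SAMPLE_HEADERS = [
    "Received: from IBMCA8D325E423 [80.168.243.66] by visiongaingroup.com with SMTP",
    "Received: from runshaw-stud.co.uk (pc-30-245-221.la-reina.pc.metropolis-inter.com "
    "[200.30.245.221]) by sc008pub.verizon.net",
    "Received: from runshaw-stud.co.uk [200.30.245.221] by sc008pub.verizon.net",
]

@dataclass
class Hop:
    helo: str            # name the sending machine claimed for itself (untrusted)
    ip: str              # connecting address as logged by the receiver (trusted)
    rdns: Optional[str]  # reverse-DNS name, from the header or from RDNS_TABLE
    by: str              # the server that wrote this Received: line

def parse_received(line: str) -> Hop:
    helo, ip, by = HELO_RE.search(line), IP_RE.search(line), BY_RE.search(line)
    if not (helo and ip and by):
        raise ValueError(f"unparsable Received: line: {line!r}")
    rdns = RDNS_RE.search(line)
    rdns_name = rdns.group(1).lower() if rdns else RDNS_TABLE.get(ip.group(1))
    return Hop(helo.group(1), ip.group(1), rdns_name, by.group(1).lower())

def registrable_domain(host: str) -> str:
    """Last two labels, or three under second-level ccTLD registries such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    second_level = len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "ac", "org", "net", "gov"}
    return ".".join(labels[-3:] if second_level else labels[-2:])

def helo_contradicts_rdns(hop: Hop) -> Optional[bool]:
    """True if the claimed name sits in another domain than the IP's rDNS name; None if undetermined."""
    if hop.rdns is None or "." not in hop.helo:  # bare names like IBMCA8D325E423 claim no domain
        return None
    return registrable_domain(hop.helo) != registrable_domain(hop.rdns)

def triage(lines):
    """(claimed name, trusted IP, verdict) for each hop: the IP is what you actually chase."""
    return [(h.helo, h.ip, helo_contradicts_rdns(h)) for h in map(parse_received, lines)]
```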