Christmas spam from RESERVED IANA addressblock ?

Jon Lewis jlewis at lewis.org
Wed Dec 24 12:51:58 UTC 2008


Lots of networks use RFC1918 space _internally_, as iispp.com obviously 
does between their webmail server and their SMTP relay.  It's no more 
suspicious than your own ISP's use of 10.0.1 between their MX and the 
mailstore to which your message was delivered.  Recognizing this is pretty 
basic to reading SMTP headers.

On Wed, 24 Dec 2008, macbroadcast wrote:

> hello ladies and gentlepersons
>
>
> just out of curiosity I looked a bit closer into this spam mail header,
> because
> this company is really annoying and abusing a lot of internet citizens.
>
>
> Begin forwarded message:
>> From: mailling at ualadys.com
>> Date: 24 December 2008 12:30:18 CET
>> To: marc at let.de
>> Subject: E-Mail For You @ ualadys.com
>> Return-Path: <www-data at web1.iispp.com>
>> Received: from mx2.mail.vrmd.de ([10.0.1.21]) by vm42.mail.vrmd.de (Cyrus 
>> v2.2.12-Invoca-RPM-2.2.12-9.RHEL4) with LMTPA; Wed, 24 Dec 2008 12:30:25 
>> +0100
>> Received: from mx2.iispp.com ([76.74.250.247]) by mx2.mail.vrmd.de with 
>> esmtp (Exim 4.69) (envelope-from <www-data at web1.iispp.com>) id 
>> 1LFRwW-00011o-DY for marc at let.de; Wed, 24 Dec 2008 12:30:25 +0100
>> Received: from web1.iispp.com (w1 [172.16.21.244]) by mx2.iispp.com 
>> (Postfix) with ESMTP id B71CF3504DB for <marc at let.de>; Wed, 24 Dec 2008 
>> 11:30:18 +0000 (UTC)
>> Received: by web1.iispp.com (Postfix, from userid 33) id A5C7917A405C; Wed, 
>> 24 Dec 2008 06:30:18 -0500 (EST)
>
>
> Whois wurde gestartet &
>
>
> OrgName:    Internet Assigned Numbers Authority
> OrgID:      IANA
> Address:    4676 Admiralty Way, Suite 330
> City:       Marina del Rey
> StateProv:  CA
> PostalCode: 90292-6695
> Country:    US
>
> NetRange:   172.16.0.0 - 172.31.255.255
> CIDR:       172.16.0.0/12
> NetName:    IANA-BBLK-RESERVED
> NetHandle:  NET-172-16-0-0-1
> Parent:     NET-172-0-0-0-0
> NetType:    IANA Special Use
> NameServer: BLACKHOLE-1.IANA.ORG
> NameServer: BLACKHOLE-2.IANA.ORG
> Comment:    This block is reserved for special purposes.
> Comment:    Please see RFC 1918 for additional information.
> Comment:    http://www.arin.net/reference/rfc/rfc1918.txt
> RegDate:    1994-03-15
> Updated:    2007-11-27
>
> OrgAbuseHandle: IANA-IP-ARIN
> OrgAbuseName:   Internet Corporation for Assigned Names and Number
> OrgAbusePhone:  +1-310-301-5820
> OrgAbuseEmail:  abuse at iana.org
>
> OrgTechHandle: IANA-IP-ARIN
> OrgTechName:   Internet Corporation for Assigned Names and Number
> OrgTechPhone:  +1-310-301-5820
> OrgTechEmail:  abuse at iana.org
>
> # ARIN WHOIS database, last updated 2008-12-23 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
>
> so how is this possible ?
>
> merry christmas anyway
>
>
> Marc
>
>> X-Sieve: CMU Sieve 2.2
>> Envelope-To: marc at let.de
>> Delivery-Date: Wed, 24 Dec 2008 12:30:25 +0100
>> X-Id-From: 1000
>> X-Id-To: 238141
>> X-Mail-Id: 203714382
>> Mime-Version: 1.0
>> Content-Type: text/html
>> Message-Id: <20081224113018.A5C7917A405C at web1.iispp.com>
>> X-Spam-Suspicion: No
>> X-Purgate: Clean X-purgate-ID: 
>> 150741::081224123024-0FFB86C0-283E8BDE/0-0/0-1 X-purgate-Ad: For more 
>> information about eXpurgate please visit http://www.expurgate.net/
>> 
>> 
>> 
>> 
>> marc, You have new mail
>> This is to notify you that you have received an E-Mail from
>> 
>> View Photos
>> DetailsIrina O #1000
>> Subject: Destiny has linked us...
>> 
>> Date: 24 December 2008
>> 
>> To read the message go here:
>> 
>> PLEASE, DO NOT REPLY TO THIS E-MAIL - FOLLOW THE LINK
>> 
>> http://www.ualadys.com/view_mail.rpx?hash=a71d2600f032ece232a391296f5f071e&mid=203714382&uid=238141
>> 
>> Thank you,
>> ualadys.com Support Team
>> 
>> Favorites      ualadys.com
>> 
>> 24x7 Call center
>> 
>> United States
>> +1 (315) 849-5814
>> 
>> United Kigdom
>> +44 (315) 849-5814
>> 
>> Skype support : ualadys
>> 
>> 
>> 
>> For any question in english
>> about this site please call:
>> +1 (212) 226-8900
>> Mon-Fri 9:00-16:00 (EST)
>
>

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
