Wednesday, March 29, 2006

The first mail was from mail-cosymed.cosymed.de

The first IP address I was sent this scam from was 62.157.142.135. That resolves to mail-cosymed.cosymed.de.
Asking i.root-servers.net for 135.142.157.62.in-addr.arpa PTR record:
i.root-servers.net says to go to tinnie.arin.net. (zone: 62.in-addr.arpa.)
Asking tinnie.arin.net. for 135.142.157.62.in-addr.arpa PTR record:
tinnie.arin.net [69.25.34.195] says to go to secondary007.dtag.net. (zone: 157.62.in-addr.arpa.)
Asking secondary007.dtag.net. for 135.142.157.62.in-addr.arpa PTR record: Reports mail-cosymed.cosymed.de. [from 195.244.245.24]

Answer:
62.157.142.135 PTR record: mail-cosymed.cosymed.de. [TTL 172800s] [A=62.157.142.135]
So this is a German server, probably an open relay SMTP mail server.

Whois comes back with:

% This is the RIPE Whois query server #2.

% Information related to '62.157.142.128 - 62.157.142.191'

inetnum: 62.157.142.128 - 62.157.142.191
netname: COSYMED-AG
descr: cosymed AG
country: DE
admin-c: AH4498-RIPE
tech-c: AH4498-RIPE
status: ASSIGNED PA
mnt-by: DTAG-NIC
notify: *******@nic.telekom.de
changed: *******@nic.telekom.de 20021008
source: RIPE

person: Anton Hoffmann
address: Cosymed GmbH
address: Hopfenstr. 10
address: 85098 Grossmehring
address: Germany
phone: +49 8407 8041
e-mail: **********@cosymed.via.t-online.de
nic-hdl: AH4498-RIPE
notify: ***********@t-domain.de
notify: ***@nic.dtag.de
mnt-by: DTAG-NIC
changed: ************@telekom.de 19990719
source: RIPE

% Information related to '62.156.0.0/15AS3320'

route: 62.156.0.0/15
descr: Deutsche Telekom AG, Internet service provider
origin: AS3320
mnt-by: DTAG-RR
changed: **@NIC.DTAG.DE 19980825

Deutsche Telekom
Resource: RIPE
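The two lookups the post walks through, automated as an added example (this is not code from the original post): build the PTR query name and the delegation chain for an address, then parse RIPE-style whois text into objects so netname, country and origin AS can be pulled out, with a check that the address really falls inside the returned inetnum. The sample whois text is a constructed, trimmed copy of the answer quoted above.

```python
import ipaddress
from collections import defaultdict
# Constructed sample: the RIPE answer quoted in the post, trimmed to the network and route objects.
SAMPLE_WHOIS = """\
% Information related to '62.157.142.128 - 62.157.142.191'

inetnum: 62.157.142.128 - 62.157.142.191
netname: COSYMED-AG
country: DE

% Information related to '62.156.0.0/15AS3320'

route: 62.156.0.0/15
origin: AS3320
"""
def reverse_name(ip):
    """in-addr.arpa (or ip6.arpa) owner name queried for the PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer

def delegation_path(ip):
    """Zones a resolver can be referred through, root first, matching the trace above."""
    labels = reverse_name(ip).split(".")
    suffix, parts = ".".join(labels[-2:]), labels[:-2]
    return ["."] + [".".join(parts[-i:]) + "." + suffix + "." for i in range(1, len(parts) + 1)]

def parse_whois(text):
    """One dict per blank-line-separated object. '%' lines are server comments and are
    skipped; repeated keys (descr, address, notify) are kept as lists."""
    objects, current = [], defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.startswith("%"):
            key, _, value = line.partition(":")
            current[key.strip()].append(value.strip())
        elif current:
            objects.append(dict(current))
            current = defaultdict(list)
    if current:
        objects.append(dict(current))
    return objects

def summarize(ip, whois_text):
    """Netname, country and origin AS, plus a check that the IP really lies inside the inetnum."""
    addr, out = ipaddress.ip_address(ip), {"ip": ip, "ptr_query": reverse_name(ip)}
    for obj in parse_whois(whois_text):
        if "inetnum" in obj:
            lo, hi = (ipaddress.ip_address(s.strip()) for s in obj["inetnum"][0].split("-"))
            out.update(in_range=lo <= addr <= hi, netname=obj["netname"][0], country=obj["country"][0])
        if "route" in obj:
            out.update(route=obj["route"][0], origin_as=obj["origin"][0])
    return out
```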
