How to find origin of spam email from header.

Volitics

Below are headers from two spam emails. I received one this morning. I received the other one this evening. Both spams have the same content.

I'm not very good at deciphering email headers. Can anybody tell me is it possible to find the origin of these two emails?

//------- This one was received this morning.

Received: (qmail 30237 invoked from network); 26 Apr 2006 00:15:23 -0000
Received: from unknown (HELO pre-smtp09-01.prod.mesa1.secureserver.net) ([64.202.166.54])
(envelope-sender <jzlqn@worldlinkfutures.com>)
by smtp13-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <my.name@mydomain.com>; 26 Apr 2006 00:15:23 -0000
Received: (qmail 21023 invoked from network); 26 Apr 2006 00:15:23 -0000
Received: from unknown (HELO leaselinedsl.claranet.co.uk) ([80.168.160.94])
(envelope-sender <jzlqn@worldlinkfutures.com>)
by pre-smtp09-01.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <my.name@mydomain.com>; 26 Apr 2006 00:15:21 -0000
Received: from pfoz.nccn ([80.168.237.120])
by leaselinedsl.claranet.co.uk (8.13.5/8.13.5) with SMTP id k3Q0HfI5055960;
Wed, 26 Apr 2006 01:17:41 +0100
Message-ID: <002201c668c6$c1ba40c4$78eda850@pfoz.nccn>
From: "Robbie Mcgrath" <jzlqn@worldlinkfutures.com>
To: <my.name@mydomain.com>
Subject: tap-dance
Date: Wed, 26 Apr 2006 01:15:04 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001E_01C668CF.237EA874"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Nonspam: None
//----- end ---------

//----- This one was received this evening.

Received: (qmail 26117 invoked from network); 27 Apr 2006 02:15:54 -0000
Received: from unknown (HELO pre-smtp02-01.prod.mesa1.secureserver.net) ([64.202.166.25])
(envelope-sender <ukds@guidaa.com>)
by smtp11-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <my.name@mydomain.com>; 27 Apr 2006 02:15:54 -0000
Received: (qmail 27975 invoked from network); 27 Apr 2006 02:15:54 -0000
Received: from wsip-70-184-12-177.ri.ri.cox.net ([70.184.12.177])
(envelope-sender <ukds@guidaa.com>)
by pre-smtp02-01.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <my.name@mydomain.com>; 27 Apr 2006 02:15:54 -0000
Received: from [70.184.150.49] (helo=po.nepd)
by wsip-70-184-12-177.ri.ri.cox.net with smtp (Exim 4.43)
id 1FYw3O-0002Rb-Mx; Wed, 26 Apr 2006 22:16:26 -0400
Message-ID: <001201c669a0$83df96b1$3196b846@po.nepd>
From: "Clara Stokes" <ukds@guidaa.com>
To: <my.name@mydomain.com>
Subject: irrelevant
Date: Wed, 26 Apr 2006 22:14:12 -0400
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_000E_01C6697E.FCCDF67D"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158
X-Nonspam: None

//------- end ----------

Thanks.

dalecosp

The last "Received:" header is the closest you can get to the source.

Interestingly enough, both of those machines have reverse DNS:

[304] Thu 27.Apr.2006 19:42:01
[kadmin@archangel][~]  host 70.184.150.49
49.150.184.70.in-addr.arpa domain name pointer wsip-70-184-150-49.rn.hr.cox.net.

[305] Thu 27.Apr.2006 19:56:52
[kadmin@archangel][~]  host 80.168.237.120
120.237.168.80.in-addr.arpa domain name pointer dsl-2-solo-237-120.claranet.co.uk.

So, you might contact those companies, but it is possible to forge this; at least, I can bet that there's a chance they are just infected Windows machines ("zombies"). But, maybe not. OTOH, no self-respecting spammer would use their own connection....

Volitics

dalecosp;

Thanks for responding.

My email providers' tech support said that the spammer could be seeking revenge against an ISP that had reported him. In other words, the cox.net and the claranet.co.uk DNS's could be companies that tried to get the spammer in trouble.

There's another possibility. The subject of the emails (I've received 4 of them total) is a company called iKarma dot com. From just briefly looking over their web site it looks like a business rating service. Someone (the spammer) could have received a poor rating and is trying to punish the iKarma dot com web site owners by putting their name in the spam.

One other possibility is that iKarma is sending the spam to promote their web site. That is probably the least likely among the possibilities since they would be exposing themselves to possible legal difficulties.

Click here to see the image in the spam:

khendar

May I ask why the concern ? Its spam. Read it or trash it.

dalecosp

It's what, 45 percent of SMTP traffic on the 'Net? Bandwidth suckers, they are....

It'd be nice if we could round 'em all up, tie rocks to their legs, and drop 'em off a barge in Lake Erie.

Yeah; probably not going to account for anything. But, I like the attitude, even if I think it's probably fruitless.

Volitics

It'd be nice if we could round 'em all up, tie rocks to their legs, and drop 'em off a barge in Lake Erie.

My thoughts exactly.