Paging the net detectives.

Discussion in 'UK Motorcycles' started by Krusty, Oct 27, 2005.

  1. Krusty

    Krusty Guest

    Someone advertising on muddystuff has been emailed by a scammer, & as
    far as I can tell said scammer has been emailing from Southwark. Can
    anyone who's better at tracing these things than me come up with any
    more info? The headers (with the recipient's email addy deleted) are:


    Return-Path: <>
    Received: from aamta05-winn.ispmail.ntl.com ([81.103.221.35])
    by mta02-winn.ispmail.ntl.com with ESMTP
    id
    <
    l.ntl.com>
    for <deleted>; Thu, 27 Oct 2005 20:25:40 +0100
    Received: from web26707.mail.ukl.yahoo.com ([217.146.176.70])
    by aamta05-winn.ispmail.ntl.com with SMTP
    id
    <
    ..yahoo.com>
    for <deleted>; Thu, 27 Oct 2005 20:25:40 +0100
    Received: (qmail 68507 invoked by uid 60001); 27 Oct 2005 19:25:38 -0000
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.co.uk;

    h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Cont
    ent-Type:Content-Transfer-Encoding;

    b=42/3HtbnB05CYd3hbIAsK6if+VyQ2aX4QAx1skZRPrelHJ4XgLb4It8Gl4Iski9gFxF+3g
    6fDrnWChdh7Ei/5r325kp8kYt7sQ5hgPxtuwgArZ+E8nmuP/htXBDRj0RmkWYpslo3BzifsK
    DGzrFs3Nxp4qOzPa/hMHHPIEzZv7Q= ;
    Message-ID: <>
    Received: from [213.185.125.172] by web26707.mail.ukl.yahoo.com via
    HTTP; Thu, 27 Oct 2005 20:25:38 BST
    Date: Thu, 27 Oct 2005 20:25:38 +0100 (BST)
    From: marry sim <>
    Subject: PAYMENT AND PICK UP DETAILS............................
    To: James <deleted>
    In-Reply-To: <000d01c5db83$16dba7e0$72ea0750@OLDSKOOLMACHINE>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="0-823392504-1130441138=:66688"
    Content-Transfer-Encoding: 8bit
     
    Krusty, Oct 27, 2005
    #1

  2. Krusty

    Krusty Guest

    I passed Go & collected 200 pounds.

    Actually that's what NeoTrace Pro came up with.
     
    Krusty, Oct 28, 2005
    #2

  3. Krusty

    ogden Guest

    That's a /19 PA block, not an assigned network. So bugger all use
    really.

    A quick bit of digging shows that...

    - no reverse DNS delegation exists for 125.185.213.in-addr.arpa
    - no such route, aggregate or otherwise, appears in the global table
    - no relevant inetnum object exists in the RIPE db

    ...suggesting that the IP in question isn't in use by Intelsat at all,
    even though it's allocated to their LIR.

    I'd happily bet a quid that an iffy ISP, probably in the Far East,
    identified the prefix as unused, announced it from their AS and used
    it to spew spam out for a while before sneakily withdrawing the
    announcement. Which would make the spam all but untraceable.

    Any fool can scrape a whois record from a web site. Being able to
    usefully interpret that information is what sets IT professionals
    apart from self-employed computer consultants.
     
    ogden, Nov 1, 2005
    #3
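
An added example, not part of any post in the thread: one way to walk the Received chain from the headers in #1, pick out the address the webmail front end logged for the browser session, and derive the reverse DNS zone that #3 checked for a delegation. The function names are hypothetical, and the sample is constructed from the posted headers with the redacted `id` and `for` parts left out.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received lines posted in #1, minus the
# redacted "id <...>" and "for <deleted>" parts.
SAMPLE = """\
Received: from aamta05-winn.ispmail.ntl.com ([81.103.221.35])
\tby mta02-winn.ispmail.ntl.com with ESMTP; Thu, 27 Oct 2005 20:25:40 +0100
Received: from web26707.mail.ukl.yahoo.com ([217.146.176.70])
\tby aamta05-winn.ispmail.ntl.com with SMTP; Thu, 27 Oct 2005 20:25:40 +0100
Received: (qmail 68507 invoked by uid 60001); 27 Oct 2005 19:25:38 -0000
Received: from [213.185.125.172] by web26707.mail.ukl.yahoo.com via
\tHTTP; Thu, 27 Oct 2005 20:25:38 BST
"""

# Matches both "from host ([ip]) by host with PROTO" and
# "from [ip] by host via PROTO".
HOP = re.compile(
    r"from\s+(?:(?P<helo>\S+)\s+\()?\[(?P<ip>[0-9.]+)\]\)?"
    r"\s+by\s+(?P<by>\S+)\s+(?:with|via)\s+(?P<proto>\w+)"
)

def received_hops(raw):
    """Return the network hops, newest first, skipping local hand-offs."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.match(" ".join(value.split()))  # unfold continuation lines
        if m:  # the "(qmail ... invoked by uid ...)" line has no peer address
            hops.append(m.groupdict())
    return hops

def webmail_origin(hops):
    """IP that a webmail server recorded for the HTTP client, if any."""
    for hop in hops:
        if hop["proto"].upper() == "HTTP":
            return hop["ip"]
    return None

def reverse_zone(ip):
    """The /24 in-addr.arpa zone whose delegation would be queried."""
    return ipaddress.ip_address(ip).reverse_pointer.split(".", 1)[1]

if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    for h in hops:
        print(f'{h["ip"]:>16} -> {h["by"]} ({h["proto"]})')
    origin = webmail_origin(hops)
    print("origin:", origin, "reverse zone:", reverse_zone(origin))
```

A Received line is only as reliable as the server that wrote it; here the HTTP hop was recorded by the Yahoo web server that then handed the message to ntl.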