
tomhudson's Journal: Today's spam is out of Africa via GoDaddy
Today's spam included an email with the following headers:
Received: from unknown (41.129.6.187) by p3pismtpa01-07.prod.phx3.secureserver.net (72.167.82.87)
So, where did it come from?
whois 41.129.6.187
% This is the AfriNIC Whois server.
% Note: this output has been filtered.
% Information related to '41.129.0.0 - 41.131.255.255'
inetnum: 41.129.0.0 - 41.131.255.255
netname: EG-LINK-20090209
descr: Link Egypt
country: EG
admin-c: AIA1-AFRINIC
tech-c: AK7379-AFRINIC
org: ORG-LE1-AFRINIC
status: ASSIGNED PA
mnt-by: MAINT-LINK
source: AFRINIC # Filtered
parent: 41.128.0.0 - 41.131.255.255
And the parent is?
whois 41.128.0.0
% This is the AfriNIC Whois server.
% Note: this output has been filtered.
% Information related to '41.128.0.0 - 41.128.255.255'
inetnum: 41.128.0.0 - 41.128.255.255
netname: EG-LINK-20090209
descr: Link Egypt
country: EG
admin-c: AIA1-AFRINIC
tech-c: AK7379-AFRINIC
org: ORG-LE1-AFRINIC
status: ASSIGNED PA
mnt-by: MAINT-LINK
source: AFRINIC # Filtered
parent: 41.128.0.0 - 41.131.255.255
organisation: ORG-LE1-AFRINIC
org-name: Link Egypt (Link.NET)
org-type: LIR
country: EG
address: 3, Mosaddak St.,
address: Giza
e-mail: mhaddad@link.net
phone: +202 336 7711
fax-no: +202 336 4910
admin-c: AIA1-afrinic
tech-c: MG7699
mnt-ref: AFRINIC-HM-MNT
mnt-ref: MAINT-LINK
mnt-by: AFRINIC-HM-MNT
remarks: data has been transferred from RIPE Whois Database 20050221
source: AFRINIC # Filtered
person: Ahmed Ibrahim Ali
address: 3, Mosaddak St., Dokki
phone: +202 2 768 65 00
fax-no: +202 2 768 65 55
e-mail: ahmed.iali@mail.link.net
nic-hdl: AIA1-afrinic
source: afrinic # Filtered
person: Ahmed Khalaf
address: 3 musaddak St., Dokki
address: Giza
address: Egypt
phone: +202 336 7711
fax-no: +202 336 4910
nic-hdl: AK7379-AFRINIC
e-mail: ahmed.iali@mail.link.net
mnt-by: MAINT-LINK
source: AFRINIC # Filtered
And the server which then forwarded the spam (secureserver.net)?
whois 72.167.82.87
OrgName: GoDaddy.com, Inc.
OrgID: GODAD
Address: 14455 N Hayden Road
Address: Suite 226
City: Scottsdale
StateProv: AZ
PostalCode: 85260
Country: US
NetRange: 72.167.0.0 - 72.167.255.255
CIDR: 72.167.0.0/16
OriginAS: AS26496
NetName: GO-DADDY-SOFTWARE-INC
NetHandle: NET-72-167-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: CNS1.SECURESERVER.NET
NameServer: CNS2.SECURESERVER.NET
NameServer: CNS3.SECURESERVER.NET
Comment:
RegDate: 2007-07-05
Updated: 2008-01-18
RAbuseHandle: ABUSE51-ARIN
RAbuseName: Abuse Department
RAbusePhone: +1-480-624-2505
RAbuseEmail: abuse@godaddy.com
RNOCHandle: NOC124-ARIN
RNOCName: Network Operations Center
RNOCPhone: +1-480-505-8809
RNOCEmail: noc@godaddy.com
RTechHandle: NOC124-ARIN
RTechName: Network Operations Center
RTechPhone: +1-480-505-8809
RTechEmail: noc@godaddy.com
OrgAbuseHandle: ABUSE51-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-480-624-2505
OrgAbuseEmail: abuse@godaddy.com
OrgNOCHandle: NOC124-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-480-505-8809
OrgNOCEmail: noc@godaddy.com
OrgTechHandle: NOC124-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-480-505-8809
OrgTechEmail: noc@godaddy.com
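The same trace done programmatically, as an added example that is not part of the original journal entry: it splits the Received hop into the peer address and the recording server, checks that a whois record really covers the address, and picks a contact for the report. The function names and the order in which contact fields are preferred are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample input: the Received line and whois lines abridged from this page.
RECEIVED = ("Received: from unknown (41.129.6.187) by "
            "p3pismtpa01-07.prod.phx3.secureserver.net (72.167.82.87)")
WHOIS = {
    "41.129.6.187": """% This is the AfriNIC Whois server.
inetnum: 41.129.0.0 - 41.131.255.255
country: EG
source: AFRINIC # Filtered
e-mail: mhaddad@link.net
""",
    "72.167.82.87": """OrgName: GoDaddy.com, Inc.
Country: US
NetRange: 72.167.0.0 - 72.167.255.255
OrgAbuseEmail: abuse@godaddy.com
""",
}
HOP = re.compile(r"from\s+(\S+)\s+\(([\d.]+)\)\s+by\s+(\S+)\s+\(([\d.]+)\)")

def parse_received(line):
    """Split one hop; peer_ip is the address the recording server (by_host) noted."""
    m = HOP.search(line)
    if not m:
        raise ValueError("unrecognised Received format")
    return dict(zip(("from_name", "peer_ip", "by_host", "by_ip"), m.groups()))

def parse_whois(text):
    """Collect 'key: value' pairs from RPSL (AfriNIC) or ARIN style output."""
    rec = {}
    for raw in text.splitlines():
        if raw.startswith("%") or ":" not in raw:
            continue  # server banner or blank line
        key, value = raw.split(":", 1)
        value = value.split("#", 1)[0].strip()  # drop trailing '# Filtered'
        if value:
            rec.setdefault(key.strip().lower(), []).append(value)
    return rec

def report_target(ip, text):
    """Confirm the record covers ip, then pick the most specific contact address."""
    rec = parse_whois(text)
    first, last = (ipaddress.ip_address(p.strip())
                   for p in (rec.get("inetnum") or rec["netrange"])[0].split("-"))
    if not first <= ipaddress.ip_address(ip) <= last:
        raise ValueError(f"{ip} is outside {first} - {last}")
    keys = ("orgabuseemail", "rabuseemail", "abuse-mailbox", "e-mail")
    contact = next((rec[k][0] for k in keys if k in rec), None)
    return {"range": f"{first} - {last}", "country": rec["country"][0], "contact": contact}
```

The range check matters because a whois query can return the record for a neighbouring or parent block rather than the one that contains the address being reported.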
Blue Frog (Score:2)
Re: (Score:2)
Thanks. I'm going to try to do one a day and post them under the daily spam report [slushdot.com] so I have a record.
The problem is that nobody believes it will make a difference, so nobody does anything. We leave it to spam filters, which will never be enough. The people at the various abuse@$WHATEVER_DOMAIN want spam reported to them - it costs them money.
So if I do a couple dozen a month, it won't have much of an impact - but it will have *some* impact, and that's good enough. And maybe someone else will decide to