Tracking and reporting a mail spammer

Here’s what I received in my mailbox today:

Delivered-To: [[email protected] removed]
Received: by 10.68.204.234 with SMTP id lb10csp6940pbc;
        Sat, 10 Aug 2013 01:39:05 -0700 (PDT)
X-Received: by 10.60.131.69 with SMTP id ok5mr3471132oeb.70.1376123944596;
        Sat, 10 Aug 2013 01:39:04 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail-oa0-f46.google.com (mail-oa0-f46.google.com [209.85.219.46])
        by mx.google.com with ESMTPS id sp4si11350425oeb.124.2013.08.10.01.39.04
        for <[[email protected] removed]>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Sat, 10 Aug 2013 01:39:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.219.46 as permitted sender) client-ip=209.85.219.46;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 209.85.219.46 as permitted sender) [email protected]
Received: by mail-oa0-f46.google.com with SMTP id l10so7944474oag.33
        for <[[email protected] removed]>; Sat, 10 Aug 2013 01:39:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=x-original-authentication-results:delivered-to:to:subject:from
         :reply-to:message-id:date;
        bh=zSMRbrl//PMEzHQ6OysHgk48CTaa8Hx+QU92JI9AcuE=;
        b=V0jDd5g44xp/IflBQFEPP/A7WMhSgycsjaYSstyMPUC2DZtHGa3m2kexZR5cYbWZW0
         +kgwdapOCTRshF9sHdP9SJ5IfIhwyyd3TExyjzMun0nVaY0Eb8qBkq+ZyjRCXw6Sq4jL
         oguysxDZlQkd9AKLYz5BEFOOJJW4AMMYRu0UikldCbP5xXXdmQE2meXZJoadY9oE9WXA
         qhPhacLCZXEftv6FUWya9oygDEAUDwOnjgo09GB/R4kc+gMx7Nv4K9j+YDFJTK3n7PYQ
         zjppUh9eP6ONxuNrCqzQDAhQP8iSzygLBhvc49vjnZpMFOxsOR4yD4KlpmzrBGvnOaTO
         UEIg==
X-Original-Authentication-Results: mx.google.com;       spf=neutral (google.com: 198.23.248.156 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
X-Received: by 10.182.119.229 with SMTP id kx5mr6412591obb.23.1376123944234;
        Sat, 10 Aug 2013 01:39:04 -0700 (PDT)
X-Forwarded-To: [[email protected] removed]
X-Forwarded-For: [[email protected] removed] [[email protected] removed]
Delivered-To: [[email protected] removed]
Received: by 10.182.128.229 with SMTP id nr5csp8850obb;
        Sat, 10 Aug 2013 01:39:03 -0700 (PDT)
X-Received: by 10.68.189.194 with SMTP id gk2mr1027310pbc.194.1376123943050;
        Sat, 10 Aug 2013 01:39:03 -0700 (PDT)
Return-Path: <[email protected]>
Received: from us4.networkpanda.com ([198.23.248.156])
        by mx.google.com with ESMTPS id ie10si14857047pbc.251.2013.08.10.01.39.02
        for <[[email protected] removed]>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Sat, 10 Aug 2013 01:39:03 -0700 (PDT)
Received-SPF: neutral (google.com: 198.23.248.156 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=198.23.248.156;
Received: from topseo80 by us4.networkpanda.com with local (Exim 4.80.1)
	(envelope-from <[email protected]>)
	id 1V84hR-000004-MM
	for [[email protected] removed]; Sat, 10 Aug 2013 08:39:01 +0000
To: [[email protected] removed]
Subject: VPS Hosting Services Providers
From: [email protected]
Reply-To: [email protected]
X-Mailer: NotOneBit.com Simple Mailer
Message-Id: <[email protected]>
Date: Sat, 10 Aug 2013 08:39:01 +0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - us4.networkpanda.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [764 765] / [47 12]
X-AntiAbuse: Sender Address Domain - us4.networkpanda.com
X-Get-Message-Sender-Via: us4.networkpanda.com: authenticated_id: topseo80/only user confirmed/virtual account not confirmed

Dear Sir,

I am Hemant Bansal, Business development executive. We are providing quality VPS hosting for websites.

If your website is grown up or not running smoothly, we can provide you quality Virtual private server (VPS) hosting for Rs 800/- only.

In VPS you will get all the features of a dedicated server for fraction of a dedicated server cost. You will get full root access, can host unlimited domains, unlimited email ids. You can install any software which need root access and can set any configuration setting as per your need.

If you are suffering in shared hosting because other sites in shared server are using too much resources or facing problem in email due to your neighbour site is spamming. We recommend you to switch to VPS hosting. A VPS will give you complete independence and lots of room to grow your site.

I will really appreciate if you please let me know your VPS requirement.

We are also providing Reseller and shared hosting.


Warm Regards

Hemant Bansal


P.S. To stop receiving further mail please reply with "Remove" in the subject line.

I went on the trail of this spammer.

Looking at the Original Message text in Gmail gives me:

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - us4.networkpanda.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [764 765] / [47 12]
X-AntiAbuse: Sender Address Domain - us4.networkpanda.com
X-Get-Message-Sender-Via: us4.networkpanda.com: authenticated_id: topseo80/only user confirmed/virtual account not confirmed

Accordingly, I trace the mail server, us4.networkpanda.com:

#ping us4.networkpanda.com
PING us4.networkpanda.com (192.227.129.118) 56(84) bytes of data.
64 bytes from host.colocrossing.com (192.227.129.118): icmp_req=1 ttl=48 time=82.4 ms
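As an added example (my code, not the post's), the header walk above done programmatically: it parses the Received: chain of a constructed excerpt of these headers, keeps the hop stamped by the recipient's own MX, and pulls out the SPF verdict and the authenticated Exim user, because the address mx.google.com recorded for the connecting host (198.23.248.156) is the one to report, not what a later DNS lookup of us4.networkpanda.com returns (the ping above resolved it to 192.227.129.118). The placeholder addresses and the ARIN RDAP URL are my assumptions.

```python
import re
from email import message_from_string

# Constructed excerpt of the spam's headers as quoted in the post; recipient
# and sender addresses are placeholders because the post redacts them.
RAW_HEADERS = """\
Received: from mail-oa0-f46.google.com (mail-oa0-f46.google.com [209.85.219.46])
        by mx.google.com with ESMTPS id sp4si11350425oeb.124.2013.08.10.01.39.04
        for <victim@example.invalid>; Sat, 10 Aug 2013 01:39:04 -0700 (PDT)
Received: from us4.networkpanda.com ([198.23.248.156])
        by mx.google.com with ESMTPS id ie10si14857047pbc.251.2013.08.10.01.39.02
        for <victim@example.invalid>; Sat, 10 Aug 2013 01:39:03 -0700 (PDT)
Received-SPF: neutral (google.com: 198.23.248.156 is neither permitted nor denied) client-ip=198.23.248.156;
Received: from topseo80 by us4.networkpanda.com with local (Exim 4.80.1)
        id 1V84hR-000004-MM; Sat, 10 Aug 2013 08:39:01 +0000
X-Get-Message-Sender-Via: us4.networkpanda.com: authenticated_id: topseo80/only user confirmed/virtual account not confirmed

"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def received_hops(raw):
    """Return (from, ip, by) for each Received: header, earliest hop first.
    Relays prepend Received:, so the last header in the message is the origin."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received") or []):
        flat = " ".join(value.split())          # unfold continuation lines
        frm = re.match(r"from\s+(\S+)", flat)
        ip = re.search(r"\[(" + IPV4 + r")\]", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({"from": frm and frm.group(1), "ip": ip and ip.group(1),
                     "by": by and by.group(1)})
    return hops

def triage(raw, trusted_mx):
    """Facts for an abuse report. Trust only the Received: line stamped by our
    own MX (earlier ones can be forged) and the IP it recorded, not a DNS lookup."""
    msg = message_from_string(raw)
    first_trusted = next(h for h in received_hops(raw) if h["by"] == trusted_mx)
    spf = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    auth = re.search(r"authenticated_id:\s*([^/\s]+)", msg.get("X-Get-Message-Sender-Via", ""))
    return {
        "origin_host": first_trusted["from"],
        "origin_ip": first_trusted["ip"],
        "spf": spf and spf.group(1),
        "authenticated_id": auth and auth.group(1),
        # ARIN's RDAP endpoint (my addition; the post used Whois-RWS by hand)
        "rdap_url": "https://rdap.arin.net/registry/ip/" + (first_trusted["ip"] or "unknown"),
    }

print(triage(RAW_HEADERS, "mx.google.com"))
```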

Now I need to locate the company to whom this IP block has been delegated.

I visit http://whois.arin.net/rest/net/NET-192-227-129-112-1/pft

It gives me the following details:

WHOIS-RWS

Network
NetRange	192.227.129.112 - 192.227.129.127
CIDR	192.227.129.112/28
Name	CC-192-227-129-112-28
Handle	NET-192-227-129-112-1
Parent	CC-12 (NET-192-227-128-0-1)
Net Type	Reallocated
Origin AS	AS36352
Organization	Green Value Hosting, Inc. (GVH-7)
Registration Date	2013-07-28
Last Updated	2013-07-28
Comments	
RESTful Link	http://whois.arin.net/rest/net/NET-192-227-129-112-1
See Also	Related organization's POC records.
See Also	Related delegations.


Organization
Name	Green Value Hosting, Inc.
Handle	GVH-7
Street	1600 Ironwood Dr
City	Normal
State/Province	IL
Postal Code	61761
Country	US
Registration Date	2013-07-15
Last Updated	2013-07-15
Comments	
RESTful Link	http://whois.arin.net/rest/org/GVH-7
Function	Point of Contact
NOC	JONAT8-ARIN (JONAT8-ARIN)
Admin	JONAT8-ARIN (JONAT8-ARIN)
Tech	JONAT8-ARIN (JONAT8-ARIN)
Abuse	JONAT8-ARIN (JONAT8-ARIN)


Point of Contact
Name	Jonathan , Nguyen
Handle	JONAT8-ARIN
Company	Green Value Hositng, Inc.
Street	6 Copps Hill Road
City	Windham
State/Province	NH
Postal Code	03087
Country	US
Registration Date	2013-07-13
Last Updated	2013-07-20
Comments	
Phone	+1-603-339-2886 (Office)
Email	[email protected]
[email protected]
RESTful Link	http://whois.arin.net/rest/poc/JONAT8-ARIN

From this I have the following details: the block was delegated to Greenvalue Hosts, which is a known provider in Webhostingtalk circles, and I also have the e-mail address of their abuse department.

Another detail that I got from the mail itself is the mailserver name: us4.networkpanda.com

networkpanda.com appears to be a hosting company that probably rents a dedicated server from Greenvalue Hosts. I reported the spam mail to both companies.

If they don’t take action, the next step is to report it to Colocrossing, the colocation/dedicated server provider, and also to ARIN, the registry that delegated the IP block.

Thanks to @INIZ on Lowendtalk.com for help regarding RIPE databases.

Note: If you do a search on ARIN, by default they take you to this page: http://whois.arin.net/rest/net/NET-192-227-129-112-1, which does not provide full details. You need to append ‘/pft’ to the resulting URL to get full details, e.g. http://whois.arin.net/rest/net/NET-192-227-129-112-1/pft

As per ARIN’s post:

The next enhancement is a change to the default output on a query initiated by the search box on the web page for IP addresses, organizations, and ASNs. The query for an IP address or network will return the network as well as the full output of related Organization and Point of Contact (POC) data for the network. Likewise, the query result for an AS number will output the associated organization and related POCs along with the AS number. The query result for an organization, will list all related networks and ASNs, and give full output of associated POCs. This will allow you to view all information on a single web page. This “pft” option is an enhancement to the RESTful web interface, and it is not available on port 43. To use it, append “/pft” to the URL, for example:

http://whois.arin.net/rest/org/ARIN/pft
http://whois.arin.net/rest/net/NET-192-136-136-0-1/pft
Note again that web search forms will default to using the “pft” option.

Response from the Provider

I had contacted the abuse department of networkpanda.com, whose mail server us4.networkpanda.com was used to send the spam. They responded by blocking the user:

Hello Joel,

Just as a follow-up, the user who was authenticating to this Gmail account to send the messages has now been permanently suspended from our servers. But you will also need to report the account [email protected] to Google, as he will also be using other providers to send spam.

Thank you for reporting this issue.