Pelican Parts Forums

Joeaksa 01-18-2007 08:06 AM

IP address question
 
Anyone know how to track this IP address?

I have gotten it this far but haven't the slightest idea what it says in line 17.

Joe A

TraceRoute to 71.226.82.73 [c-71-226-82-73.hsd1.fl.comcast.net]
Hop (ms) (ms) (ms) IP Address Host name
1 0 0 0 66.98.244.1 gphou-66-98-244-1.ev1servers.net
2 0 0 0 66.98.241.16 gphou-66-98-241-16.ev1servers.net
3 1 0 0 38.99.206.173 -
4 1 1 2 38.112.35.237 g4-0-0.core01.iah01.atlas.cogentco.com
5 1 3 1 154.54.2.202 t4-1.mpd01.iah01.atlas.cogentco.com
6 43 43 44 154.54.2.165 te2-4.mpd01.dca01.atlas.cogentco.com
7 45 44 44 154.54.2.182 v3491.mpd01.dca02.atlas.cogentco.com
8 45 45 46 154.54.5.46 v3496.mpd01.iad01.atlas.cogentco.com
9 45 46 44 154.54.3.221 g9-0-0-3492.core01.iad01.atlas.cogentco.com
10 40 41 41 192.205.33.201 gr1-a3110s1.attga.ip.att.net
11 38 38 37 12.123.8.190 tbr2033001.wswdc.ip.att.net
12 38 37 39 12.122.10.70 tbr1-cl17.attga.ip.att.net
13 39 37 37 12.123.20.9 gar2-p360.attga.ip.att.net
14 49 48 47 12.124.58.166 -
15 47 47 47 68.86.166.53 -
16 47 48 50 68.86.166.34 ubr01.fruitlandpr.fl.lakecnty.comcast.net
17 57 Timed out 52 71.226.82.73 c-71-226-82-73.hsd1.fl.comcast.net

id10t 01-18-2007 08:20 AM

Filtering ICMP traffic on that hop, probably a home router dropping the packets, etc.

Edit - or the computer/router/whatever that has that IP leased isn't turned on at the moment.

HardDrive 01-18-2007 08:24 AM

IP address: 71.226.82.73
Reverse DNS: c-71-226-82-73.hsd1.fl.comcast.net.
Reverse DNS authenticity: [Unknown]
ASN: 22909
ASN Name: DNEO-OSP1
IP range connectivity: 4
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 71.192.0.0 to 71.255.255.255
Country fraud profile: Normal
City (per outside source): Lady Lake, Florida
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: BOGUS
Known Proxy? No

HardDrive 01-18-2007 08:37 AM

Port 25 and 110 are open (SMTP and POP).

Joeaksa 01-18-2007 08:40 AM

HD,

So the IP address is no good or fake?

This is coming from someone trying to scam me. Caught them and have not paid a penny but trying to find out where it's coming from. It was supposed to be a Yahoo email address but keep seeing other IP addresses. It's being sent out of an email program called "The Bat!"

Thx,

Joe A

id10t 01-18-2007 09:07 AM

The Bat is a Windows email client...

Address is in a pool of dynamic addresses. I just ran nmap on it (port scanner), looks like it is hooked up directly to a windows box with no router/firewall/etc. running.
Code:

root@host:~# nmap -sS -O -PI -PT  71.226.82.73

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-01-18 13:04 EST
Interesting ports on c-71-226-82-73.hsd1.fl.comcast.net (71.226.82.73):
(The 1653 ports scanned but not shown below are in state: closed)
PORT    STATE    SERVICE
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1025/tcp open    NFS-or-IIS
1026/tcp open    LSA-or-nterm
1080/tcp filtered socks
5000/tcp open    UPnP
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Pro or Advanced Server, or Windows XP

Nmap finished: 1 IP address (1 host up) scanned in 6.454 seconds


HardDrive 01-18-2007 09:32 AM

Joe, it's a real address.

Joe, there are certain *ahem* actions that could be taken, but seeing as that they are on Comcast, we may have the wrong IP. In other words, they use dynamic addresses, and we may end up targeting the wrong person.

What is this joker trying to do?

Joeaksa 01-18-2007 09:53 AM

Will email you directly.

Icemaster 01-18-2007 09:59 AM

Quote:

Originally posted by id10t
Address is in a pool of dynamic addresses. I just ran nmap on it (port scanner), looks like it is hooked up directly to a windows box with no router/firewall/etc. running.

Oh really.....?????

This could be fun. How pissed are you at these folks Joe?

id10t 01-18-2007 10:03 AM

Icemaster - note that the address is in a dhcp pool, and my scan didn't show 25 or 110 open like harddrive's did... different computer now. No need to mess up some poor granny's collection of pix of her grandkids...

Joeaksa 01-18-2007 10:08 AM

Quote:

Originally posted by Icemaster
Oh really.....?????

This could be fun. How pissed are you at these folks Joe?

Quite a bit!

Trying to scam me out of $3000. I figured it out early but would love to turn these jerks in to the law.

Icemaster 01-18-2007 10:21 AM

Quote:

Originally posted by id10t
Icemaster - note that the address is in a dhcp pool, and my scan didn't show 25 or 110 open like harddrive's did... different computer now. No need to mess up some poor granny's collection of pix of her grandkids...

Yeah, you're right. Just did a line by line read on it. If "something" was gonna happen, we probably missed our window of opportunity.

Best thing at this point would be to make Comcast aware of it.

Not that that would do much...

jriera 01-18-2007 02:00 PM

Joe that bad finally??

jriera 01-18-2007 02:30 PM

My latest nmap scan also shows a port 25 .... I doubt that grandma has an SMTP server setup .... doing a -p- also

Joeaksa 01-18-2007 02:49 PM

Jordi,

Nothing new but the request to help by sending $3k came through a few days ago. I have not responded to it but would love to send them to jail or at least get them stopped from trying to screw people on the internet.

jriera 01-18-2007 03:04 PM

You told me the story on Monday over dinner ... sad, very sad ...

I think that the IP address is still good, based in Florida (Lady Lake ?)

HardDrive 01-18-2007 04:57 PM

Quote:

Originally posted by jriera
...

I think that the IP address still good, based in Florida (Lady Lake ?)

That's the city, but that does not say much. The subnet is probably only handed out locally. Of course the only real way to tell is to get in and do some snooping....which I am not doing from my home IP address this evening thank you :D.

Let me do some.....adventuring, tomorrow.

Joeaksa 01-18-2007 05:21 PM

Thanks guys.

jriera 01-18-2007 06:41 PM

HardDrive .... Cain & Abel ARP functions??

slodave 01-18-2007 11:44 PM

Here is a more recent nmap version scan:

Starting Nmap 4.20 ( http://insecure.org ) at 2007-01-19 00:40 PST
Interesting ports on c-71-226-82-73.hsd1.fl.comcast.net (71.226.82.73):
Not shown: 1687 closed ports
PORT STATE SERVICE
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1080/tcp filtered socks
5000/tcp open UPnP
Device type: general purpose|specialized
Running (JUST GUESSING) : Microsoft Windows 2000|2003 (91%), Symbol Windows PocketPC/CE (86%)
Aggressive OS guesses: Microsoft Windows 2000, SP0, SP1, or SP2 (91%), Microsoft Windows 2000 Server SP4 (90%), Microsoft Windows 2000 SP3 (89%), Microsoft Windows 2000 SP4 (89%), Microsoft Windows 2003 Server SP1 (88%), Symbol MC9060-G mobile computer (runs Microsoft Windows CE .NET 4.20) (86%), Microsoft Windows 2000 Server SP4 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 21.820 seconds

Joeaksa 01-22-2007 05:01 PM

Hey guys, have a new email and more info.

X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
Received: from smtp102.plus.mail.re2.yahoo.com ([206.190.53.27])
by prserv.net (kcin01) with SMTP
id <2007012222360210100ddsk9e>; Mon, 22 Jan 2007 22:36:03 +0000
X-Originating-IP: [206.190.53.27]
Received: (qmail 10580 invoked from network); 22 Jan 2007 22:36:02 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Received:X-YMail-OSG:Date:From:X-Mailer:Reply-To:X-Priority:Message-ID:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding;
b=x4u07bHaFgHUEL+JDhQ9mxFwnpVPmoeLk7pX1tey7g+OuvuW 1dIOuH7re+OAQ+Brkz/kca+BU6o4JXlAbXxK8Gu1VuOjkcG+/RkuDcUzXTwmhNfZX/aK3bqJFAXtameTXuURA2ebhxNSKT2WE+BXcJGRakBekHEpBpHz v8aDFtA= ;
Received: from unknown (HELO yahoo.com) (ohrosha@68.80.139.5 with plain)
by smtp102.plus.mail.re2.yahoo.com with SMTP; 22 Jan 2007 22:35:59 -0000
X-YMail-OSG: 8LxSbnwVM1lv3rW5gILnuCxPhQj3dD1XShqF4uHMW35g_G2bX9 bcJVDEso7e.69SuxcjhfM7MIBl9PqYMz7VSs6.Nm7A0N7CGiRB Mor0XR1375SDjEnYpw--
Date: Tue, 23 Jan 2007 01:27:09 +0300
From: XXX <xxxxxxxxx@yahoo.com>
X-Mailer: The Bat! (v3.95.6) Professional
Reply-To: xxxxxxx <xxxxxx@yahoo.com>
X-Priority: 3 (Normal)
Message-ID: <8711187.20070123012709@yahoo.com>
To: Joe Abrahamson <joeaksa@yahoo.com>,
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-PMFLAGS: 37224576 0 1 P9VFHB02.CNM

Anything you guys can find in this header? She is now down to asking for only $2000!

stomachmonkey 01-22-2007 06:25 PM

Joe,

This is a professional spammer.

You are not going to catch this person.

Scott

slodave 01-22-2007 07:39 PM

Scott is right. The Bat! is used by spammers. Here's the info about the I.P. it supposedly came from:

IP: 68.80.139.5
OrgName: Comcast Cable Communications Inc.
OrgID: CMCS
Address: 1800 Bishops Gate Blvd
City: Mt Laurel
StateProv: NJ
PostalCode: 08054
Country: US
NetRange: 68.80.0.0 - 68.87.255.255
CIDR: 68.80.0.0/13
NetName: JUMPSTART-2
NetHandle: NET-68-80-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: DNS.INFLOW.PA.BO.COMCAST.NET
NameServer: DNS.CMC.CO.DENVER.COMCAST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-28
Updated: 2006-01-26
RTechHandle: IC161-ARIN
RTechName: Comcast Cable Communications Inc
RTechPhone: 1-856-317-7200
RTechEmail: CNIPEO-Ip-registration@cable.comcast.com

Dave
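Added example, not part of any post in this thread: one way to read the `Received:` chain from the header Joe posted. It walks the relays newest to oldest and reports the client IP logged by the last relay in an unbroken trusted chain. The `TRUSTED` list and the extra forged hop are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Header excerpt from the message quoted in the thread (folded lines tab-indented).
RAW = """\
Received: from smtp102.plus.mail.re2.yahoo.com ([206.190.53.27])
\tby prserv.net (kcin01) with SMTP
\tid <2007012222360210100ddsk9e>; Mon, 22 Jan 2007 22:36:03 +0000
X-Originating-IP: [206.190.53.27]
Received: (qmail 10580 invoked from network); 22 Jan 2007 22:36:02 -0000
Received: from unknown (HELO yahoo.com) (ohrosha@68.80.139.5 with plain)
\tby smtp102.plus.mail.re2.yahoo.com with SMTP; 22 Jan 2007 22:35:59 -0000
Date: Tue, 23 Jan 2007 01:27:09 +0300
X-Mailer: The Bat! (v3.95.6) Professional

"""
# Constructed: the same headers with a sender-supplied (forgeable) Received line below.
FORGED = RAW.replace("Date:", "Received: from mail.example.org ([192.0.2.10])\n"
                     "\tby relay.example.net with SMTP; 22 Jan 2007 22:30:00 -0000\nDate:", 1)

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def received_hops(raw):
    """Received headers, newest first, as (by_host, [client IPs in the 'from' part])."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())              # undo header folding
        by = re.search(r"\bby (\S+)", flat)
        from_part = flat.split(" by ")[0] if flat.startswith("from ") else ""
        hops.append((by.group(1).rstrip(";") if by else None, IPV4.findall(from_part)))
    return hops

def submitting_ip(raw, trusted):
    """Client IP recorded by the oldest relay in an unbroken chain of trusted relays."""
    found = None
    for by_host, ips in received_hops(raw):
        if by_host is None:                         # local note (the qmail line): no hop
            continue
        if not any(by_host == t or by_host.endswith("." + t) for t in trusted):
            break                                   # written outside trusted relays
        if ips:
            found = ips[-1]
    return found

TRUSTED = ("prserv.net", "yahoo.com")               # assumption: recipient ISP + Yahoo
print(submitting_ip(RAW, TRUSTED), submitting_ip(FORGED, TRUSTED))
```

The result identifies only the machine that connected to Yahoo's SMTP server, which, as a later post in the thread notes, may be a hijacked home computer rather than the sender's own.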

Joeaksa 01-22-2007 08:30 PM

Quote:

Originally posted by stomachmonkey
Joe,

This is a professional spammer.

You are not going to catch this person.

Scott

Any way to pin it down to a state and city?

Looks like it went from Florida to New Jersey now.

beepbeep 01-23-2007 12:47 AM

Problem with pro spammers is that they often use hijacked home computers to send spam. So even if you track this IP down to the very house where it's situated, chances are you'll just find a computer savvy person who has nothing to do with spam but just had a bad habit of not using firewall and leaving their computer unprotected.

A typical spammer will have hundreds of such drones, churning away mail on command.


All times are GMT -8. The time now is 10:09 AM.
