
Should I Be Concerned?

Katana

I hope it's ok if I post this in the computers sub-forum. It seemed like I would target the audience who might know the most about this.

I have a free AOL account through my dad which I almost never use. I drop in periodically to clean out all of the spam which I did recently. Much to my surprise, there was an e-mail supposedly from Barack Obama. As I'm from Illinois, and my parents still live there, I was intrigued. This is what it said:

Dear [my first name]:

Thank you for contacting me regarding S. 3742, the Freight Rail Infrastructure Capacity Expansion Act. You raise some important concerns.

I understand that the Department of Transportation projects a substantial increase in freight traffic over the next twenty years, and that a great deal of this new burden will be placed on our freight rail infrastructure. As you know, S. 3742 would create a tax credit for new infrastructure investment, and make all freight rail infrastructure capital expenditures eligible for expensing treatment. I see the policy needs for these solutions, and will keep a close eye on this bill as it proceeds through the Senate. And if S. 3742 comes to the Senate floor for a vote, I will certainly keep your concerns in mind.

Again, thank you for contacting me. Please stay in touch in the future, on this or any other issue.

Sincerely,

Barack Obama
United States Senator


P.S. Our system does not allow direct response to this email. However, if you would like to contact me again, please use the form on the website: http://obama.senate.gov/contact/

Stay up to date with Barack's work in the Senate and on issues of importance to Illinois. Subscribe to the weekly podcast here: http://obama.senate.gov/podcast/

I thought that was odd but was going to let it go until I saw an e-mail supposedly from Dick Durbin which said:
November 13, 2006

Mr. [my maiden name]
[my parents' address]

Dear Mr. [maiden name]:

Thank you for contacting me regarding the Freight Rail Infrastructure Capacity Expansion Act (S. 3742). I appreciate hearing your views on this matter.

I share your support for expanding freight rail capacity. Rail transportation provides numerous public benefits, including fuel conservation, pollution reduction, relief of traffic congestion, increased public safety on highways, and promotion of economic development. Rail expansion could greatly increase shipping efficiency given that one freight train can carry the load of 500 trucks. With truck traffic on our highways projected to rise nearly 80 percent by the year 2020, expanding freight rail infrastructure now is a valuable investment for the future.

The Freight Rail Infrastructure Capacity Expansion Act would provide a tax credit for 25% of the cost of new freight rail infrastructure and locomotive property and would allow taxpayers to deduct the cost of qualified freight rail infrastructure property. These tax benefits would encourage businesses to invest in new rail infrastructure and increase the capacity of the system.

S. 3742 has been referred to the Senate Finance Committee. I am not a member of this committee, but I will keep your views in mind in case this bill is brought to the Senate floor for a vote.

Thank you again for contacting me. Please feel free to keep in touch.

Sincerely,

Richard J. Durbin
United States Senator

RJD/ls

P.S. If you are ever visiting Washington, please feel free to join Senator Obama and me at our weekly constituent coffee. When the Senate is in session, we provide coffee and donuts every Thursday at 8:30 a.m. as we hear what is on the minds of Illinoisans and respond to your questions. We would welcome your participation. Please call my D.C. office for more details.

The "Mr." aside, this is weird.

Then I saw a third e-mail (sorry if this is getting boring):
We received your request to join Growth Options for the 21st Century
and send a letter to your Members of Congress in favor of improving
the nation's energy efficiency by supporting America's freight rail
system. The letter below will be sent to your legislators. If you
prefer not to send this letter to your Members of Congress, please
follow the instructions below. Thank you for participating. Your
voice counts!

---------------------------------------------------------------------


Please Support Fuel-Efficient Rail Transportation

I am writing to urge your support for legislation to increase the
hauling capacity of our nation's freight rail network. Such
legislation is desperately needed for a variety of reasons, not least
of which is the amount of fuel we would conserve through greater use
of rail.

Just a single gallon of diesel fuel can move a ton of freight over
410 miles. That is almost four times more fuel efficient than a truck
on the highway. One intermodal freight train can haul 280 truck
trailers. Particularly for shipments between cities, it makes sense
to use the long haul efficiency of the railroads.

We need to take steps to reduce our dependence on imported oil, and
policies to make better and wider use of the rail system seem a good
place to start.

I look forward to hearing from you.

______________________________________________________________________
You are receiving this email because you opted in for this offer with
one of our web site partners. You opted in from the IP address
xx.xx.xxx.xx on 11/8/2006.

What the hell? I have no idea what this is about, I have never heard of this legislation, and I certainly would never have opted in for any offer. All of that said, I hadn't used my aol address in well over a year, and I never would have used my maiden name or my parents' address. This stinks on many levels.

Is anyone familiar with this type of thing, and should I be worried that someone who knows my maiden name, my parents' address, my aol e-mail address, and may be signing up for things with that info? Now all of it would be tied to the e-mail since the account goes back before I was married and, again, is through my dad. Is this something coming from AOL itself?

Finally, any advice on what I should do? Is there a way to trace that IP address?

Whatever info anyone has to offer would be greatly appreciated. This is a first for me. Perhaps it's minor and nothing to worry about, but I was hoping to tap into the wonderful minds here at JREF before blowing this off.

Thanks.
 
It does seem odd.
Not knowing the AOL setup, you should be able to access the headers of the email (probably labeled something like "Show full headers"). This should give you full information on where the email came from.
Second, try contacting your local law enforcement. While it may be nothing, someone seems to have gotten access to information they shouldn't.
 
go http://www.dnsstuff.com/ <- there

enter the ip address into the "IP Information" form.

for me the reply is
IP address: 89.150.71.x
Reverse DNS: [No reverse DNS entry per ns-pri.ripe.net.]
Reverse DNS authenticity: [Unknown]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): DK [Denmark]
Country Currency: DKK [Denmark Kroner]
Country IP Range: 89.150.64.0 to 89.150.127.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): DK [Denmark]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 89.150.71.x
Depending on your location in the world you might get more specific information.

It should also show the ISP; I don't know why it didn't show mine. Kinda odd.


Or you can use this link http://www.dnsstuff.com/tools/ipall.ch?ip=89.150.71.x <- fill in the real ip address.
 
Thanks to both of you.

The_Fire: I tried the "View message source" on aol, and it was a lot of info which didn't help me. Is there something I should be looking for or do you want to see what it said? As for local law enforcement, who would I call? The police for the city where my parents live? Is it likely that they would be able to do anything since this is an internet issue?

Tobias: Thank you for the link. I did the part that you suggested, and here are the results:

IP address: 72.92.150.xx
Reverse DNS: pool-72-92-150-xx.burl.east.verizon.net.
Reverse DNS authenticity: [Verified]
ASN: 19262
ASN Name: VZGNI-TRANSIT
IP range connectivity: 0
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 72.64.0.0 to 72.127.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: BOGUS
Known Proxy? No
Link for WHOIS: 72.92.150.xx

Does that tell you anything?
 
These are the reverse DNS results (if it helps):

OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US

NetRange: 72.64.0.0 - 72.95.255.255
CIDR: 72.64.0.0/11
NetName: VIS-72-64
NetHandle: NET-72-64-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Comment:
RegDate: 2005-06-24
Updated: 2005-12-13

OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail: abuse@verizon.net

OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: +1-703-295-4583
OrgTechEmail: IPMGMT@verizon.com

# ARIN WHOIS database, last updated 2006-12-04 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Is this really something originating from Verizon?

We have Verizon DSL here in Vermont, but the first and only time I accessed the AOL account, again, in years was the day I discovered the e-mails, and that was at my parents' house. They use Comcast.
 
Ok, the lines you should look for are (ETA: in the email header, that is):

X-Originating-IP: [ip number]
Return-Path: (one or more email addresses)
Received: from [ip number]
Reply-to: "email address"

Mind, this is taken from a brief look at Yahoo's headers and may look different at AOL.....
The Return-Path one is most interesting, since that is the real address from which the email has been sent, whereas the Reply-To email can be faked.

As for the law, try your local first since it was your account. They will be able to help you further. If you are in the US, you'll probably be redirected to the local feds office.
 
Does that tell you anything?
Well, it tells me that either the emails, or the user that submitted you to the list (depending on whether or not you are using an IP address from the email headers, or the one from "You opted in from the IP address xxx.xx.xxx.xx on 11/8/2006.")

It also looks like the source is from, or near, the city of Reston.
 
So this is what it said.

Return-Path: <services@rsmdata.rsc02.com>
Received: from rly-yj06.mx.aol.com (rly-yj06.mail.aol.com [172.18.180.144]) by air-yj01.mail.aol.com (v113.6) with ESMTP id MAILINYJ14-8284551d30d35d; Wed, 08 Nov 2006 07:52:51 -0500
Received: from om-rsmdata.rsc02.com (om-rsmdata.rsc02.com [66.35.244.114]) by rly-yj06.mx.aol.com (v113.6) with ESMTP id MAILRELAYINYJ610-8284551d30d35d; Wed, 08 Nov 2006 07:52:29 -0500
DKIM-Signature: a=rsa-sha1; c=nowsp; q=dns; s=responsys; d=rsc02.com;
h=MIME-Version:Content-Type:Date:From:Subject:To:Message-Id;
b=DXc+nDfSwjvz44n02Wk6L3o5GlQLN0sh1an+H66IOwxjZiinuBqV7XKc+UO4z1UDjfhSiOFHE6aY
OOQogfaPBeREksDjj1KrqH0G6VpagVFUWb516l7/M4CC513VlMlWN7Zm9nDRl2VaiGfomLVoP91e
wJrtXmt55hyRNAQF0Z0=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=responsys; d=rsc02.com;
b=X5d/3Ib+dpv3SorgTpZdfWsJdPr9TbtvTPDi7kRQJXrkW+2VLoEHIseDVIc4OkPFwHhSEl9YVWCA
KvevYDLQh6g9HWBT3Ath0J/oaFhHN2NrZxZM9drns29LdaJKK6pxlvj9k5iW8P9Lxl4/WyCw/a4m
IKziaX3TYtRVdwZITsQ=;
Received: by om-rsmdata.rsc02.com id ha79gq066ish for <[my e-mail]@aol.com>; Wed, 8 Nov 2006 04:52:28 -0800 (envelope-from <services@rsmdata.rsc02.com>)
MIME-Version: 1.0
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 8 Nov 2006 04:52:28 -0800
From: "Admin" <services@rsmdata.rsc02.com>
Reply-To: "Admin" <services@rsmdata.com>

Does that help?

I found a link to RMS Data: http://www.rmsdata.net/

Then there's RMS Data Wizard: https://www.rms.com/DataWizard/

Last but not least, we have Real Marketing: http://www.rmsdata.com/

Ugh!

Thanks again for your help in this.
 
Have you asked your dad if he knows anything about it? Firstly you got the account through him, and secondly, well, isn't he Mr [yourmaidenname]?
 
That's what I was thinking as well.. It really looks like legitimate E-Mails were sent from that address.. And it looks like the E-Mail that was sent was contained in one of your replies:

Please Support Fuel-Efficient Rail Transportation

I am writing to urge your support for legislation to increase the
hauling capacity of our nation's freight rail network. Such
legislation is desperately needed for a variety of reasons, not least
of which is the amount of fuel we would conserve through greater use
of rail.

Just a single gallon of diesel fuel can move a ton of freight over
410 miles. That is almost four times more fuel efficient than a truck
on the highway. One intermodal freight train can haul 280 truck
trailers. Particularly for shipments between cities, it makes sense
to use the long haul efficiency of the railroads.

We need to take steps to reduce our dependence on imported oil, and
policies to make better and wider use of the rail system seem a good
place to start.

I look forward to hearing from you.
 
My dad was as mystified as I. The Mr. [my maiden name] contained my first and last names. Sorry for the confusion on that one.

Ripley Twenty-Nine, I wasn't sure what you meant by this:
That's what I was thinking as well.. It really looks like legitimate E-Mails were sent from that address.. And it looks like the E-Mail that was sent was contained in one of your replies:
Could you clarify that a bit further?
 
Why are you so concerned about something that is obviously spam? I have a junk email account that gets piles of this stuff. I'd just ignore it if I were you. And be more careful about submiting your full name on the internet. I only use my real name when it comes to ordering, as I must give out my correct credit card info.
 
I think these days you can assume that every field in a header can be faked and that most spam is sent through hijacked servers.

The addresses are "harvested" by Trojans that install themselves on peoples' MS (spit) computers and send the contents of their address books (and sometimes everything on the hard disk that is formated like an address) to the spammer. If your address was on such a machine, away you go.

Unless you are Homeland Security or the police, the actual originator of the message cannot be (easily) traced. I always look at the Reply Field and do a Whois on it. In this case "rsmdata.com" does not appear to be valid.

I don't know enough about USian politics to know who is on what side of the issue but it is unlikely (but not impossible) that the people named in the e-mails are actually responsible for them and that they are "joe jobs" intended to embarrass them.

IMHO YMMV.

I do remember a kinder, gentler Internet where it was not unknown to post to Usenet and include your address and phone number. Alas, those days are long past.
 
G_i_T is correct in that your Dad's m/c has been zombied. He should extract safe data & reinstall his operating system.
 
rmsdata has nothing to do with this. The first part of the domain name is just the name of the server at that domain (not to mention that in the headers it is rsmdata, not rmsdata).

The important part of the header is the domain name. The first received by header is:
Received: by om-rsmdata.rsc02.com id ha79gq066ish for <[my e-mail]@aol.com>; Wed, 8 Nov 2006 04:52:28 -0800 (envelope-from <services@rsmdata.rsc02.com>)

Using whois you can track rsc02.com back to Responsys.com. Googling them, it turns out they are a semi-legitimate e-mailing service, although I doubt senators are using them.

BTW, the IP lookup is probably a lookup of your own IP address. Do you use Verizon? The internet-facing server that delivered the message to AOL is at 66.35.244.114. This is obtained from the header showing the message moving from one domain to another. The IP is actually added by the receiving server, so it's usually correct.

Received: from om-rsmdata.rsc02.com (om-rsmdata.rsc02.com [66.35.244.114]) by rly-yj06.mx.aol.com (v113.6) with ESMTP id

If I had to guess, someone purchased an e-mail list of possible Democrats from somewhere and sent this. Are they trying to build support for the proposal, or are they playing dirty tricks to try and piss people off about it (similar tactic used with robo-calls in Ohio)?
 
I think these days you can assume that every field in a header can be faked and that most spam is sent through hijacked servers.

Actually no they can't. Additional headers can be added, but many headers are inserted by the receiving servers and those are usually accurate.

For example spammers will typically add additional received by: headers to make it look like an originating server was actually just in the chain of receiving e-mail servers. However they can't fake the real received by headers added afterwards by your own mail server. Tracing headers until you find a fake one is pretty easy. Not to mention in this case only 2 domains are ever involved, kind of hard to fake that. Especially since the IP listed for the receiving header really does resolve back to the server name listed in the headers. Fakers usually don't go that deep.
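As an added example (not code from the thread or from any of its posters), here is the header tracing kevin describes, and The_Fire's Return-Path versus Reply-To comparison, in Python, run over the Received chain Katana pasted: it walks the hops from the top, reports the first hop that does not line up with the one above it, pulls out the IP that AOL's own server recorded for the outside relay, and compares the sender domains. The placeholder recipient, the extra forged bottom line and the "last two labels" domain rule are my constructions and assumptions.

```python
import re

# Constructed sample built from the Received chain and sender fields pasted in
# the thread (recipient replaced with a placeholder). The top Received line is
# the one added last, by the recipient's own (AOL) server.
SAMPLE_HEADERS = """\
Return-Path: <services@rsmdata.rsc02.com>
Received: from rly-yj06.mx.aol.com (rly-yj06.mail.aol.com [172.18.180.144]) by air-yj01.mail.aol.com (v113.6) with ESMTP id MAILINYJ14-8284551d30d35d; Wed, 08 Nov 2006 07:52:51 -0500
Received: from om-rsmdata.rsc02.com (om-rsmdata.rsc02.com [66.35.244.114]) by rly-yj06.mx.aol.com (v113.6) with ESMTP id MAILRELAYINYJ610-8284551d30d35d; Wed, 08 Nov 2006 07:52:29 -0500
Received: by om-rsmdata.rsc02.com id ha79gq066ish for <victim@aol.com>; Wed, 8 Nov 2006 04:52:28 -0800 (envelope-from <services@rsmdata.rsc02.com>)
From: "Admin" <services@rsmdata.rsc02.com>
Reply-To: "Admin" <services@rsmdata.com>
"""

# Same message with a constructed forged Received line at the bottom, where a
# sender would put one to make an unrelated host look like the origin.
FORGED_HEADERS = SAMPLE_HEADERS + (
    "Received: from relay.example.net (relay.example.net [203.0.113.7]) "
    "by mx.example.org with ESMTP; Wed, 8 Nov 2006 03:00:00 -0800\n")

# from <HELO name> (<reverse DNS> [<IP>]) by <receiving server>: the part in
# parentheses is written by the receiving server, the HELO name by the sender.
RECEIVED_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?\s*)?"
    r"by\s+(?P<by>\S+)", re.I)


def parse_received(headers):
    """Received hops in header order, most recent (topmost) hop first."""
    return [m.groupdict() for m in map(RECEIVED_RE.match, headers.splitlines()) if m]


def find_chain_break(hops):
    """Index of the first hop inconsistent with the hop above it, else None.

    A genuine older hop was received 'by' the host the newer hop says it got
    the message 'from'; the first place that fails is where forgery begins.
    """
    for i in range(1, len(hops)):
        newer, older = hops[i - 1], hops[i]
        claimed = {(newer["helo"] or "").lower(), (newer["rdns"] or "").lower()}
        if older["by"].lower() not in claimed:
            return i
    return None


def first_external_ip(hops, our_domain):
    """IP of the outside server that handed the message to our_domain.

    That bracketed address was recorded by our own server, so the sender
    could not alter it; hops below our servers are sender-supplied and skipped.
    """
    for hop in hops:
        if not hop["by"].lower().endswith(our_domain):
            break
        sender = (hop["rdns"] or hop["helo"] or "").lower()
        if sender and not sender.endswith(our_domain):
            return hop["ip"]
    return None


def sender_domains(headers):
    """Registrable domain (assumed: last two labels) of Return-Path/From/Reply-To."""
    out = {}
    for name in ("Return-Path", "From", "Reply-To"):
        m = re.search(r"^%s:.*<[^@>]+@([^>]+)>" % name, headers, re.I | re.M)
        if m:
            out[name] = ".".join(m.group(1).lower().split(".")[-2:])
    return out
```

On the pasted headers the chain is consistent, the delivering server is 66.35.244.114, and the Reply-To domain (rsmdata.com) differs from the Return-Path domain (rsc02.com); the constructed forged line is reported as a break at hop index 3.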
 
I appreciate everyone's input. I think I understand most of it. ;)

There are a couple of reasons why I was concerned about this.

1) I hadn't used that e-mail in over a year, yet a website with access to my (maiden) name, e-mail, and my parents' address claims that I had contacted it. If nothing else, that's a bit disconcerting. Not being a computer expert (but not wanting to careen fully into conspiracy thinking), I wanted to know if there was anything else that could be done with that information.

2) This was information sent to two congressmen. What if it had been about a less benign issue? What if the e-mail had been threatening? That's not a pleasant thought. I'm trying not to imagine some Secret Service agents showing up at my parents' home.

As for the Verizon issue, kevin, my husband and I do use Verizon at home, but I haven't accessed the AOL account since we subscribed with them.

G_I_T and Macoy, thanks. I'll talk to my dad about this. Is it weird that he, being the primary AOL subscriber, hasn't received similar e-mails?
 
Who knows how your name gets on various lists. I used to be local Democratic committee chair, and wound up on lists for the Republican National Committee, the NRA, and several others. Since your spam sounds political, I'd nose around there, if you're really interested. Myself, I'd be inclined to shrug it off.
 
If you want to do something about it, send a complaint to the two senators mentioned. If they were responsible then they should feel shamed for using spam tactics. If they weren't, they'll probably want to find out why they're being given a black eye by someone.

Just because your AOL accounts are tied together doesn't mean your e-mail is. You ended up on a mailing list your father didn't, that isn't unusual. I run a mail server for several members of my family. They get no spam (currently) because I just set them up. Even after a really aggressive spam filtering I get quite a bit.
 
Just wanted to clarify this statement:

that most spam is sent through hijacked servers.

This is incorrect as well. Most spam is sent from hijacked CLIENTS not servers and is sent through legitimate servers. Although there aren't many left some servers are configured (accidentally or intentionally) to act as an open relay and relay mail from anyone to anyone. Mail from most of these servers is typically blocked by the use of realtime blackhole lists (RBL).

These days botnets (networks of compromised client computers) are much more frequently used to deliver spam directly to the recipient servers without going through open relays. This bypasses open relay RBL lists. To block some of this spam some mail administrators are using lists of IP addresses of cable/DSL providers and block e-mail that comes direct from those computers instead of going through their ISP's servers first.
 