ID:194598
 
Another spammer down!

I'm at 3 kills, so far. =)

Remember, everyone, if you're having trouble with spam, don't just delete it. That won't help things, because they'll just send you another one tomorrow. Instead, save it, and turn on All File Headers in the options portion of your email and read them closely.

If you don't want to bother with any of this, you can try forwarding it (headers intact!) to abuse@[your ISP.com], and have them look it up for you. After all, that's what you pay them for!

Here's a sample of the headers from the spammer I shut down. I'll break it down for you:

Return-Path: [[email protected]]
Received: from smv196-mc.mail.com
by ida659-mc.mail.com (Version 1.11)
for [[email protected]]; Fri, 18 Aug 2000 03:09:31 -0400 (EDT)
Received: from nl-reg-01.adam.psi.com (dc-server-201.adam.psi.com
[195.81.253.201] (may be forged))
by smv196-mc.mail.com (8.9.3/8.9.1SMV070400) with ESMTP id DAA08125
for [[email protected]] sent by [[email protected]]; Fri, 18 Aug 2000
03:09:30 -0400 (EDT)
From: [email protected]
Received: from new2 [216.77.210.220] by nl-reg-01.adam.psi.com
(SMTPD32-5.05) id AEA41DA0360; Fri, 18 Aug 2000 10:07:00 +0200
To: [email protected]
Subject: Make $50,000 in 90 Days!!!
MIME-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Message-Id: <20000818100862.SM00278@new2>
Date: Fri, 18 Aug 2000 10:08:53 +0200
To: [email protected]
X-Delivery: Mail.com IDA 1.11


The first line,
Return-Path: [[email protected]]
is the first camouflage address. This is a false address, created simply for gathering flame responses. DO NOT EMAIL TO THIS ADDRESS! You will be immediately added to a variety of other spam lists, or have your email address sold to more spammers.

The next portion,
Received: from smv196-mc.mail.com
by ida659-mc.mail.com (Version 1.11)
for [[email protected]]; Fri, 18 Aug 2000 03:09:31 -0400 (EDT)

tells me when mail.com received the message from its central server and pathed it into my account. Because it isn't a POP3 server, there is much more precise data.

Now here's a goody.
Received: from nl-reg-01.adam.psi.com (dc-server-201.adam.psi.com
[195.81.253.201] (may be forged))
by smv196-mc.mail.com (8.9.3/8.9.1SMV070400) with ESMTP id DAA08125
for [[email protected]] sent by [[email protected]]; Fri, 18 Aug 2000
03:09:30 -0400 (EDT)

This spammer was smart enough to try to hide his IP address. Most aren't smart enough to accomplish this. Here's a more detailed breakdown:
Received: from nl-reg-01.adam.psi.com (dc-server-201.adam.psi.com
[195.81.253.201] (may be forged))

This is the forged IP address. Mail.com is fortunately advanced enough to detect possible forging by comparing the DNS of the server it received it from with the DNS of the message.
by smv196-mc.mail.com (8.9.3/8.9.1SMV070400) with ESMTP id DAA08125
This describes my server, the version it is, and... the protocol of the mail message sent by "seabud".

The next line, though, tells you EXACTLY how to shut him down.
From: [email protected]
Received: from new2 [216.77.210.220] by nl-reg-01.adam.psi.com
(SMTPD32-5.05) id AEA41DA0360; Fri, 18 Aug 2000 10:07:00 +0200

In almost every circumstance, the IP of the server that the person uses is the bottom-most IP address before the subject and return address of the message. This identifies the message precisely:
Received: from new2
We now know Seabud's account. He isn't named "seabud" on his server at all... he's named "new2".
[216.77.210.220] by nl-reg-01.adam.psi.com
This is the most important line of them all. The IP address in brackets shows the exact location of the server that "new2" is using, and the domain name shows the exact location of the server as it is recorded in InterNIC.

This is where most people quit. However, there is a lot more to go.

Go to Sam Spade the Spam Hunter and enter the domain name in the first field, checking off "whois", "IP block", and "traceroute". In this case, this is what we get:


Important - do not complain to ln.net on the grounds of anything you see here.

Address Digger Results
(Version 3.1beta)


--------------------------------------------------------------------------------

Let's go!

--------------------------------------------------------------------------------

Whois for nl-reg-01.adam.psi.com
.com is the global domain of USA & International Commercial

(Whois queries for .com domains can be performed at http://rs.internic.net/cgi-bin/whois)

whois -h whois.crsnic.net psi.com

Redirecting to NETWORK SOLUTIONS, INC.

The Data in Network Solutions' WHOIS database is provided by Network
Solutions for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Network Solutions does not guarantee its accuracy. By submitting a
WHOIS query, you agree that you will use this Data only for lawful
purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail
(spam); or (2) enable high volume, automated, electronic processes
that apply to Network Solutions (or its systems). Network Solutions
reserves the right to modify these terms at any time. By submitting
this query, you agree to abide by this policy.

Registrant:
PSINet, Inc (PSI-DOM)
510 Huntmar Park Drive
Herndon, VA 22070
US

Domain Name: PSI.COM

Administrative Contact:
Administration, PSINet Domain (PDA4) [email protected]
PSINet, Inc.
510 Huntmar Park Drive
Herndon, VA 22070
(703) 904-4100 (FAX) (703) 904-4200
Technical Contact, Zone Contact:
Network Information and Support Center (PSI-NISC) [email protected]
PSINet, Inc.
250 Jordan Road
Troy, NY 12180
US
(518) 283-8860
Billing Contact:
PSINet Internal Domain Bursar (PI179-ORG) [email protected]
PSINet, Inc.
510 Huntmar Park Drive
Herndon, VA 22070
US
(703) 904-4100

Record last updated on 27-Apr-2000.
Record expires on 08-Mar-2001.
Record created on 07-Mar-1989.
Database last updated on 22-Sep-2000 13:37:04 EDT.

Domain servers in listed order:

NS.PSI.NET 38.8.48.2
NS2.PSI.NET 38.8.50.2
NS5.PSI.NET 38.8.5.2


Perfect, no? Just forward the message to abuse@[domain.net] (keep all file headers intact!) and they'll check it themselves and shut them down. The company will contact you if they need additional information, or if you made a mistake somewhere.


"Saddle up. Lock and load." - Lt. Cmdr. Data, USS Enterprise

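As an added illustration (not part of the original post, and not Sam Spade's or mail.com's code), here is a small Python script that does mechanically what the post does by hand: it walks the Received: lines from the bottom up, pulls out the announced host name, the bracketed IP the relay actually saw, the relay that wrote the line, and the "(may be forged)" flag, and then separates the bottom-most IP (what the post calls the origin) from the last IP recorded by a relay belonging to your own provider. The sample message is constructed for this example, modelled on the headers quoted above: hostnames, IPs and timestamps are the post's, but the mailbox addresses (example.invalid, victim@mail.com) are placeholders, and the `my_provider_suffix` argument is an assumption naming the domain of the reader's own mail provider.

```python
import email
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the headers quoted in the post above.
# Hostnames, IPs and timestamps match the post; the mailbox addresses are placeholders.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@example.invalid>
Received: from smv196-mc.mail.com
 by ida659-mc.mail.com (Version 1.11)
 for <victim@mail.com>; Fri, 18 Aug 2000 03:09:31 -0400 (EDT)
Received: from nl-reg-01.adam.psi.com (dc-server-201.adam.psi.com
 [195.81.253.201] (may be forged))
 by smv196-mc.mail.com (8.9.3/8.9.1SMV070400) with ESMTP id DAA08125
 for <victim@mail.com> sent by <seabud@example.invalid>; Fri, 18 Aug 2000
 03:09:30 -0400 (EDT)
From: seabud@example.invalid
Received: from new2 [216.77.210.220] by nl-reg-01.adam.psi.com
 (SMTPD32-5.05) id AEA41DA0360; Fri, 18 Aug 2000 10:07:00 +0200
To: victim@mail.com
Subject: Make $50,000 in 90 Days!!!
Date: Fri, 18 Aug 2000 10:08:53 +0200

(body omitted)
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Dict[str, object]:
    """Pull out of one Received: header the pieces the post reads by hand."""
    flat = " ".join(value.split())  # unfold continuation lines
    # "from <host> (<comment>) by <relay> ...": the comment may nest parentheses,
    # so split on the first " by " instead of trying to match the parens.
    from_part, _, rest = flat.partition(" by ")
    if from_part.startswith("from "):
        from_part = from_part[len("from "):]
    ip_match = IPV4_IN_BRACKETS.search(from_part)
    id_match = re.search(r"\bid ([^\s;]+)", rest)
    return {
        "helo": from_part.split(" ", 1)[0],               # name the sender announced
        "ip": ip_match.group(1) if ip_match else None,    # address the relay actually saw
        "by": rest.split(" ", 1)[0] if rest else None,    # relay that wrote this line
        "id": id_match.group(1) if id_match else None,    # relay's queue id, for its abuse desk
        "forged": "may be forged" in from_part,           # relay's reverse-DNS check failed
    }


def trace_hops(raw_message: str) -> List[Dict[str, object]]:
    """Return the hops oldest-first: each relay prepends its own Received: line,
    so the bottom-most line is the first relay the message passed through."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def analyse(raw_message: str, my_provider_suffix: str) -> Dict[str, object]:
    """Separate what the post calls the origin from what your own provider verified.
    Lines below the first relay you do not control could have been written by the
    sender, so walk newest-to-oldest and stop at the first foreign relay."""
    hops = trace_hops(raw_message)
    verified_ip = None
    for hop in reversed(hops):  # newest hop first
        by = hop["by"]
        if not isinstance(by, str) or not by.endswith(my_provider_suffix):
            break
        if hop["ip"]:
            verified_ip = hop["ip"]
    return {
        "claimed_origin": hops[0]["ip"] if hops else None,      # bottom-most bracketed IP
        "claimed_origin_helo": hops[0]["helo"] if hops else None,
        "relay_to_report": hops[0]["by"] if hops else None,     # ISP whose abuse desk to write to
        "last_ip_my_provider_saw": verified_ip,
        "flagged_by": [h["by"] for h in hops if h["forged"]],   # relays that noted possible forging
    }


if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(SAMPLE_MESSAGE), 1):
        print(f"hop {n}: {hop}")
    print(analyse(SAMPLE_MESSAGE, "mail.com"))
```

Run on the sample, the script reports 216.77.210.220 (announced as "new2") as the bottom-most address and nl-reg-01.adam.psi.com as the relay that recorded it, which is the psi.com contact the post arrives at; it also shows that the only address mail.com itself verified is 195.81.253.201, and that the smv196 relay flagged that hop as possibly forged. That distinction is the caveat worth keeping in mind when forwarding to an abuse desk: the bottom line was written by someone else's server, and the abuse desk will match it against their own logs using the queue id.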
That's pretty neat. But it seems to me there are two flaws in this plan:

1) Email accounts are a dime a dozen.

2) Now you'll never know if you could have made $50,000 in 90 days.

What really irritates me is that a lot of people go to web sites that require registration and just type in a random email address to get past it, so I get all these newsletters addressed to [email protected], [email protected], [email protected], and so on...
In response to Guy T.
1) Email accounts are a dime a dozen.

Not so, imperious one. If you follow the steps correctly, it doesn't point you to the web address, it points you directly to their ISP. I haven't seen one ISP out there that doesn't have a no-spam policy, either.
In response to Spuzzum
Just so you know, the person at [email protected] had two aliases for email, and two user name aliases, respectively.

The emails:
[email protected]
[email protected]

The aliases:
new2
inyoura-- [censored]

Both were shut down. =)
In response to Spuzzum
1) Email accounts are a dime a dozen.

Not so, imperious one. If you follow the steps correctly, it doesn't point you to the web address, it points you directly to their ISP. I haven't seen one ISP out there that doesn't have a no-spam policy, either.

"Imperious one"... I like the sound of that! (Yes, I know it's not a compliment. :)

OK, ISP accounts != Email addresses. Still, why couldn't a spammer just sign up for a new ISP account? Granted, for a lot of ISP's you'd need to provide a valid credit card number and owner name to sign up, but the more unscrupulous spammers could probably come by that info with an evening's work rummaging through trash cans. Or am I being paranoid?
In response to Guy T.
"Imperious one"... I like the sound of that! (Yes, I know it's not a compliment. :)

Not sure whether it was or wasn't; I just figured you acted kind of like a Cylon, so... =)

OK, ISP accounts != Email addresses. Still, why couldn't a spammer just sign up for a new ISP account? Granted, for a lot of ISP's you'd need to provide a valid credit card number and owner name to sign up, but the more unscrupulous spammers could probably come by that info with an evening's work rummaging through trash cans. Or am I being paranoid?

You do have a point, but honestly, most people are too stupid to try. =)

Besides, don't underestimate the FBI... they even have a small office up here in Vancouver, now, which is astounding considering that they're a US national service.