Super AntiSpam Man!

Time has marched on since this page was first written in about 1998. Tracing spammers is proving less and less useful since much of the information you might glean from spam is pretty useless: complaining to ISPs is becoming an act of supreme optimism because the spammers rarely care if their internet connection is cut. They just pop up in another location five minutes later and continue their useless activity. They don't even really care if you click their links or not - most of the links fail anyway. They don't particularly care if 10 million spams lead to 6 sales. Spam is cheap.

Until the governments of the world get off their fat hairy arses and legislate against spam - and make it uneconomical for the spammers to continue it - the only way to reduce spam is to block it.

I use Spam Assassin on my email server. It checks incoming email against qualities of typical spam and assigns each email a score. You specify what score you are comfortable with, and when an email exceeds the score it is flagged as spam and can be trapped on the server. You do not need to download it and can delete it from the server.

It catches 99% of incoming crap. Saves a lot of time having to scan emails by eye before trashing them. Highly recommended.

And now, only for historical interest, I present the original antispam page...

You're sitting quietly at home, drinking Bonox and chatting to Granny when *bing* you've got mail.  Excited by the thought that you have received your weekly "Little House on the Prairie Fan Club News Letter", you open the mail and read...

Dear Sir,

let me introduce a website for you to travell " GreenBeauty " so much free picture a day & to be a free members!!

http://pickup01.areCool.net/ 

All models are at least 18 years of age!
 

If you don't want to received this message pls email to clear@hutchcity.com, I will
delete your email account form the email list.

Thanks.....


 
"Bastard spammers!" you cry as you console Granny (who now believes you are the devil incarnate and is hastily scratching you out of her will even as you reach for the DELETE key.)

Hold that trembling deletion finger!  Fight back against the dreaded spammers.  Put on your deerstalker and grab your pipe.  Get ready for spam detective time.

No, don't fall for the invitation to respond and "remove" your name from the mailing list.  It will only confirm to the spammer that the address has a sucker at the other end and the spammer will sell your address to other people as a "dead certainty".

No, don't try clicking the "reply" button to complain.  Ninety-nine percent of the time you will receive a bounced message back in a minute saying the message was undeliverable.  Most return addresses are bogus.  Spammers know we hate them.  They just count on us being too dumb and lazy to chase them and nail their testicles to the floor.


 
They love to find people who are suckers.

 

BONUS REVENGE

Is the spam a "Make Money Fast!" scheme? Is the source American?

If both are true, you're in luck!  The US tax investigators want to know about such schemers and have provided a dedicated email address for reporting probable tax evaders.

Forward the spam to net-abuse@nocs.insp.irs.gov. Sit back and enjoy the feeling that the IRS is now investigating the sucker.

First, you need to reveal the hidden secrets of email.  Whichever email program you are using, there is an option to show all the headers in the message.  In Netscape, go to the VIEW menu, select HEADERS and ALL.

You will see something like this: (Note: my domain name has been munged to avoid even more spam)


Received: from itok_nts1.itok.com ([202.85.44.3]) by aumcom.com
(8.8.8/8.8.8) with ESMTP id JAA10540 for <mark@nnnylon.net>; Fri, 26 Feb 1999 09:23:40 -0800 (PST)
Received: from pomcm006032.netvigator.com by itok_nts1.itok.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id FVSK68Q7; Fri, 26 Feb 1999 23:51:11 +0800
Received: from fgym.mbouj.ujcw.com [21.22.23.24] by bag.com (FTGate 2,
1, 1, 0);Fri, 26 Feb 99 19:02:39 +0800
Message-Id: <199902261901.TUH5554@fgym.mbouj.ujcw.com>
Date: Fri, 26 Feb 1999 07:01:02 PM
Subject: let me introduce a website for you to travell
From: rxpugs@pjjf.flkgx.gxsb.com
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 870484073.166

Dear Sir,

let me introduce a website for you to travell " GreenBeauty " so much free picture a day & to be a free members!!

http://pickup01.areCool.net/ 

All models are at least 18 years of age!

If you don't want to received this message  pls email to clear@hutchcity.com, I will
delete your email account form the email list.

Thanks.....



Yes, it looks like a load of gobbledygook, but it's really not hard to wade through the crap to find that nugget you're looking for.  Let's break it down.

Received: from itok_nts1.itok.com ([202.85.44.3]) by aumcom.com (8.8.8/8.8.8)
with ESMTP id JAA10540 for <mark@nnnylonspam.net>; Fri, 26 Feb 1999 09:23:40 -0800 (PST)

aumcom.com are good guys to me.  They supply my mail.  Look at a few genuine message headers sent to you and become familiar with the "good guys".  The message passed through itok_nts1.itok.com ([202.85.44.3]) who may be unwitting couriers with slack email security.  Note how the numeric IP address appears in brackets.  You can use it to verify itok_nts1.itok.com. I checked www.itok.com and it seems to be a reputable software house.  It's hard to say - if they don't know about this spam being passed through their mail server, they may appreciate being told.

Let's look for the next link in the chain to my mailbox...

Received: from pomcm006032.netvigator.com by itok_nts1.itok.com with
SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7)id
FVSK68Q7; Fri, 26 Feb 1999 23:51:11 +0800

This tells us that itok_nts1.itok.com received the mail from pomcm006032.netvigator.com. Let's keep tracking...

Received: from fgym.mbouj.ujcw.com [21.22.23.24] by bag.com (FTGate 2, 1, 1, 0);Fri, 26 Feb 99 19:02:39 +0800

This is where it starts getting harder.  Looking at the IP address for fgym.mbouj.ujcw.com [21.22.23.24] suggests it's bogus.  The named address (fgym.mbouj.ujcw.com) also looks like a drunk chimp was typing crap.  If you want to find out for sure, try entering the named address into the address bar of your browser.  No site exists?  It's probably bogus.

A clever tool to help you dig into such things is provided by the Sam Spade Site http://www.blighty.com/spam/spade.html

Download the mighty useful and free Sam Spade software and it lets you enter named addresses to find the IP address (or vice versa), do a traceroute to find the path to the spammer, and even find the email abuse address to write to.  VERY useful stuff!

I tried using Sam Spade to trace the fgym... address and it failed.  No such site exists.  I tried using Sam Spade's PING feature on "bag.com" and it found a site!  Next step was to use Sam Spade to do a "WHOIS" on the "bag.com" site.  It reported:

whois -h whois.internic.net bag.com ...

Registrant:
Distinctive Domains (BAG6-DOM)
   1971 W. Lumsden Rd. #110
   Brandon, FL 33511
   US

   Domain Name: BAG.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Administrator, Internet  (EG997)  admin@REFLEX.COM
      813-205-7090
   Billing Contact:
      Administrator, Internet  (EG997)  admin@REFLEX.COM
      813-205-7090

   Record last updated on 27-Jul-97.
   Database last updated on 27-Feb-99 06:42:56 EST.

   Domain servers in listed order:

   NS.OKDIRECT.COM  209.54.94.5
   NS2.OKDIRECT.COM  209.54.94.4

Now we have a lead to the company supporting the "bag.com" domain!  Since my patience is low and my time is short, I tend to apply a scattergun approach to complaining: I find the "respectable" looking companies in the chain and add them to my list to notify.  In the above WHOIS, I pulled out REFLEX.COM and OKDIRECT.COM.  They probably host the bag.com domain.  Since it's probably a waste of time complaining to the spammer, complain to their domain hosts and email hosts, who will probably get really pissed off with the spammer abusing their services.

What else can we try?  TRACEROUTE!  Again, it's built into Sam Spade.

Trace bag.com (209.54.94.168) ...
 1 203.12.163.9    151ms  138ms  130ms  TTL:  0  (mel-ts2-2500.tpgi.com.au ok)
 2 203.12.163.20   127ms  125ms  122ms  TTL:  0  (mel-gw.tpgi.com.au ok)
 3 203.12.163.22   130ms  126ms  151ms  TTL:  0  (mel-4700.tpgi.com.au ok)
 4 139.130.49.97   541ms  556ms  598ms  TTL:  0  (Serial4-6.lon11.melbourne.telstra.net ok)
 5 139.130.239.231 556ms  604ms  672ms  TTL:  0  (Fddi0-0.lon5.Melbourne.telstra.net ok)
 6 204.70.208.121  588ms  599ms  650ms  TTL:  0  (borderx2-hssi3-0.Bloomington.cw.net ok)
 7 204.70.208.65   580ms 1011ms  682ms  TTL:  0  (core2-fddi-1.Bloomington.cw.net ok)
 8 204.70.4.201    605ms  623ms  688ms  TTL:  0  (core2.SanFrancisco.cw.net ok)
 9 204.70.10.254   590ms  558ms    *    TTL:  0  (mae-west2-nap.SanFrancisco.cw.net ok)
10 198.32.136.37   689ms  568ms  657ms  TTL:  0  (mae-west.good.net ok)
11 209.54.101.226  738ms  622ms  698ms  TTL:  0  (okcity.good.net ok)
12 209.140.161.38  738ms  629ms  732ms  TTL:  0  (okdirect1.okcity.good.net ok)
13 209.54.94.168   716ms  636ms  724ms  TTL:241  (bag.com ok)

Ah!  A treasure trove of information for the junior antispammer.  From the top:

Trace bag.com (209.54.94.168) ...
 1 203.12.163.9    151ms  138ms  130ms  TTL:  0  (mel-ts2-2500.tpgi.com.au ok)
 2 203.12.163.20   127ms  125ms  122ms  TTL:  0  (mel-gw.tpgi.com.au ok)
 3 203.12.163.22   130ms  126ms  151ms  TTL:  0  (mel-4700.tpgi.com.au ok)

Steps 1 to 3 are my ISP.  I can identify their name in the addresses.

 4 139.130.49.97   541ms  556ms  598ms  TTL:  0  (Serial4-6.lon11.melbourne.telstra.net ok)
 5 139.130.239.231 556ms  604ms  672ms  TTL:  0  (Fddi0-0.lon5.Melbourne.telstra.net ok)

These are also friendlies.  They are the backbone suppliers getting over the big water...

 6 204.70.208.121  588ms  599ms  650ms  TTL:  0  (borderx2-hssi3-0.Bloomington.cw.net ok)
 7 204.70.208.65   580ms 1011ms  682ms  TTL:  0  (core2-fddi-1.Bloomington.cw.net ok)
 8 204.70.4.201    605ms  623ms  688ms  TTL:  0  (core2.SanFrancisco.cw.net ok)
 9 204.70.10.254   590ms  558ms    *    TTL:  0  (mae-west2-nap.SanFrancisco.cw.net ok)

Hello Cable and Wireless, USA!  I assume they're friendly.  If in doubt, it's not hard to find the juicy bit of the domain name (near the final "dot") - cw.net - and add a "www." at the front and type it into your browser.  Their site suggests they are a big backbone internet supplier.

10 198.32.136.37   689ms  568ms  657ms  TTL:  0  (mae-west.good.net ok)
11 209.54.101.226  738ms  622ms  698ms  TTL:  0  (okcity.good.net ok)

The message has diverted from the Cable & Wireless network to another network - good.net.  A quick browser check confirms they are a broadband internet service supplier.

12 209.140.161.38  738ms  629ms  732ms  TTL:  0  (okdirect1.okcity.good.net ok)

It seems that okdirect1 is an ISP feeding from good.net (a bigger ISP) who feed from cw.net (the chief ISP).  The end of the food chain is...

13 209.54.94.168   716ms  636ms  724ms  TTL:241  (bag.com ok)

Bag.com!  Probably the source of the message.  They do not have a web site - not a legitimate sign!  Their domain is provided via REFLEX.COM and OKDIRECT.COM.
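The grouping done by hand above (hops 1 to 3 are my ISP, 4 to 5 the backbone, and so on), as an added example that is not part of the original page: it parses the Sam Spade trace quoted above and collapses consecutive hops that belong to the same operator, using the "juicy bit near the final dot" as the operator name. The two-label suffix set is an assumption good enough for this trace; a real tool would use the full Public Suffix List.

```python
import re

# Sam Spade traceroute output quoted on this page, pasted verbatim.
TRACE = """\
 1 203.12.163.9    151ms  138ms  130ms  TTL:  0  (mel-ts2-2500.tpgi.com.au ok)
 2 203.12.163.20   127ms  125ms  122ms  TTL:  0  (mel-gw.tpgi.com.au ok)
 3 203.12.163.22   130ms  126ms  151ms  TTL:  0  (mel-4700.tpgi.com.au ok)
 4 139.130.49.97   541ms  556ms  598ms  TTL:  0  (Serial4-6.lon11.melbourne.telstra.net ok)
 5 139.130.239.231 556ms  604ms  672ms  TTL:  0  (Fddi0-0.lon5.Melbourne.telstra.net ok)
 6 204.70.208.121  588ms  599ms  650ms  TTL:  0  (borderx2-hssi3-0.Bloomington.cw.net ok)
 7 204.70.208.65   580ms 1011ms  682ms  TTL:  0  (core2-fddi-1.Bloomington.cw.net ok)
 8 204.70.4.201    605ms  623ms  688ms  TTL:  0  (core2.SanFrancisco.cw.net ok)
 9 204.70.10.254   590ms  558ms    *    TTL:  0  (mae-west2-nap.SanFrancisco.cw.net ok)
10 198.32.136.37   689ms  568ms  657ms  TTL:  0  (mae-west.good.net ok)
11 209.54.101.226  738ms  622ms  698ms  TTL:  0  (okcity.good.net ok)
12 209.140.161.38  738ms  629ms  732ms  TTL:  0  (okdirect1.okcity.good.net ok)
13 209.54.94.168   716ms  636ms  724ms  TTL:241  (bag.com ok)
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+.*\((\S+)\s+ok\)")
# Assumed two-label public suffixes seen on this path; a real tool would use
# the full Public Suffix List so that "tpgi.com.au" is not read as "com.au".
TWO_LABEL_SUFFIXES = {"com.au", "net.au"}

def operator_of(host):
    """The 'juicy bit near the final dot': the registrable domain of a host."""
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def networks(trace):
    """Collapse consecutive hops run by one operator into
    (operator, first_hop, last_hop) so the path reads as a chain of ISPs."""
    groups = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, org = int(m.group(1)), operator_of(m.group(3))
        if groups and groups[-1][0] == org:
            groups[-1] = (org, groups[-1][1], hop)
        else:
            groups.append((org, hop, hop))
    return groups
```

The last group is the end of the food chain; the ones before it are the upstream providers you may want on the notification list.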

This is where you can build your hit list.  Your complaints should be addressed to abuse@xxxx.yyy or, if that bounces back, to postmaster@xxxx.yyy.
 

So you fire up your email program and send the following message to:

abuse@reflex.com
abuse@okdirect.com

Forget about adding fgym.mbouj.ujcw.com to the list.  It's bound to bounce back, but it won't hurt if you do add it.
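Walking the Received: chain and building the hit list, as an added example in Python that is not from the original page: it unfolds the headers quoted earlier, lists the hops origin-first, and derives an abuse@ address for every domain in the chain except the ones you trust. The DNS, WHOIS and traceroute checks the page does with Sam Spade are outside it; the "last two labels" rule for the domain is an assumption that fits this spam's .com hosts.

```python
import re
from collections import namedtuple

# The spam's headers as shown on this page (recipient munged as on the page),
# folded the way a mail client stores them.
RAW_HEADERS = """\
Received: from itok_nts1.itok.com ([202.85.44.3]) by aumcom.com
  (8.8.8/8.8.8) with ESMTP id JAA10540 for <mark@nnnylon.net>;
  Fri, 26 Feb 1999 09:23:40 -0800 (PST)
Received: from pomcm006032.netvigator.com by itok_nts1.itok.com with SMTP
  (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id FVSK68Q7;
  Fri, 26 Feb 1999 23:51:11 +0800
Received: from fgym.mbouj.ujcw.com [21.22.23.24] by bag.com (FTGate 2, 1, 1, 0); Fri, 26 Feb 99 19:02:39 +0800
"""

Hop = namedtuple("Hop", "sender ip receiver when")
# "from <name> [(<ip>)] by <host> ...; <date>": the bracketed IP was recorded
# by the receiving server; the name before it is only what the sender claimed.
HOP_RE = re.compile(r"from\s+(?P<sender>\S+)(?:\s+\(?\[(?P<ip>[\d.]+)\]\)?)?"
                    r".*?\s+by\s+(?P<receiver>\S+).*?;\s*(?P<when>.+)$", re.S)

def unfold(raw):
    """Join RFC 822 continuation lines and yield (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    for field in fields:
        name, _, value = field.partition(":")
        yield name.strip().lower(), value.strip()

def received_chain(raw):
    """Hops in delivery order, origin first. Each relay prepends its own line, so
    the top one (written by your own mail host) is the trustworthy end."""
    hops = [Hop(m["sender"], m["ip"], m["receiver"], m["when"].strip())
            for name, value in unfold(raw)
            if name == "received" and (m := HOP_RE.match(value))]
    return hops[::-1]

def complaint_targets(hops, trusted=()):
    """abuse@ for every domain in the chain bar the ones you trust. Takes the
    last two labels, right for .com/.net but not for ccTLDs such as .com.au."""
    targets = []
    for hop in hops:
        for host in (hop.sender, hop.receiver):
            domain = ".".join(host.lower().split(".")[-2:])
            if domain not in trusted and "abuse@" + domain not in targets:
                targets.append("abuse@" + domain)
    return targets
```

Pass your own mail host as trusted (here aumcom.com) and the bottom hop's sender domain will be the one most likely to bounce, exactly as the page warns for fgym.mbouj.ujcw.com.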

The message must be polite and informative.  The guys you're writing to are good guys, not spammers.

Dear folks,
The following message was received as unsolicited email.  I believe you are part of the chain servicing this spammer.  Please investigate and take appropriate action.  All links in the chain from the spammer to my mailbox have been notified.

It is important that you include a copy of the complete message with all the headers visible.  They need this to do their own traces.  You can highlight the entire message, press CONTROL+C to copy it and then CONTROL+V to paste it into your message.

Don't forget to add your own signature with name, email address etc at the end of the message.  (I clearly separate the copy of the spam from my sig just to avoid unfortunate misunderstandings from the net cops!)

Oh, one more thing of interest.  In this spam, the slug has actually given an "unsubscribe" email address, clear@hutchcity.com.  This is a bonus.  Perhaps we can get his domain destroyed by his ISP *and* his email account yanked by his email host.  A quick check of hutchcity.com shows it to be Asian (the site is all in Japanese or Chinese script so I can't tell).  Sam Spade tells me that hutchcity.com is:

whois -h whois.internic.net hutchcity.com ...

Registrant:
Hutchison Telecommunication (HK) Ltd (HUTCHCITY-DOM)
   12/F Two Harbourfront 22 Tak Fung
   Street Hunghom
   HongKong,
   HK

   Domain Name: HUTCHCITY.COM

   Administrative Contact:
      Yip, Philip  (PY271)  philipy@HTHK.COM
      852 2128 5735 (FAX) 852 2621 5108
   Technical Contact, Zone Contact:
      DNS Administrator  (DA7018-ORG)  dns@HUTCHCITY.COM
      852 21285691
   Billing Contact:
      Yip, Philip  (PY271)  philipy@HTHK.COM
      852 2128 5735 (FAX) 852 2621 5108

   Record last updated on 14-Jul-98.
   Database last updated on 27-Feb-99 06:42:56 EST.

   Domain servers in listed order:

   BROWN.HUTCHCITY.COM  202.45.84.67
   RED.HUTCHCITY.COM  202.45.84.68

Hong Kong!  So... add abuse@hutchcity.com to your list of complaint recipients.  Send off your message and wait for either automatic replies saying "We don't tolerate spammers.  We're looking into it" or failed messages bouncing back from bogus sites.

Sometimes - o! sweet sometimes! - a week or so later you will receive a message from one of your addressees saying they have killed the spammer's account.  Sit back, have a celebratory glass of Bonox and savour the moment.  Another kill to your account!

Please note that some professional spammers don't make your life as easy as this real example did.  Some spammers are heavy-duty address spoofers who can make tracing addresses quite difficult.  Some addresses seem genuine but are faked, and it takes an ISP to correlate dates and times with other ISPs to determine where a message was actually sneaked into a complicated and faked path.  This little tutorial will not attempt to handle such cases.  I think most spam can be reported to responsible ISPs by the methods listed above.  If the case is complicated, just sending them the complaint and the message with its original headers can let them do the real detective work at their end.

Remember that Sam Spade address: http://www.blighty.com/spam/spade.html



Last updated: June 28, 2009 11:41 AM