Results 1 to 6 of 6

Thread: Spam Tracking

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    148

    Spam Tracking

    I have read quite a few of the Manuals and Tutorials that came with the SamSpade tool That I got from www.samspade.org

    I have also read RFC 821 regarding SMTP.

    Periodicaly I still recieve the odd spam in my inbox, as a result I decided that I would help reduce spam by traceing the ocasional spam I get in my inbox. I have set up my hotmail account to show the full email headers. From there I have all the information I need to trace down and report a spammer. What I do is fist identify the point of forgery, then use that information to further trace down the origin of the letter. I have been useing www.samspade.org www.internic.com and the Samspade tool that you can find at www.samspade.org

    Recently I have reposrted two spamm emails to the Federal Trades Commission and to what I believed to be the ISP of the senders. I recieved a reply from a few of recipitants basicaly stateing that the person in question is not related to them but rather a customer, and kindly they redirect me to the whois database where I can find more spasific information on that particular user.

    So here are my questions:

    If I have determined the ISP or IP block owner of a spam letter, are they responsible to further investigate their system logs to determine the user in question, or is it my responibility to futher find that particulat user given the whois server spesified in the e-mail.

    If i get some fake DNS responce from a tracerout done at www.samspade.org does that mean the "spammers" server is suplying a host name not belonging to them and is that illegal?

    How can I determine the real host name if supplyed with a fake DNS responce from a traceroute?
    In snatches, they learn something of the wisdom
    which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~

  2. #2
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Slightly off subject...I've quit worrying about tracing spammers. I downloaded Mail Washer ( www.mailwasher.net ), a nifty little tool that bounces and deletes all my SPAM. It's easy to use and easy to train, and it's made my inbox a lot less crowded.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I think you are somewhat missing the point. SMTP headers and conversations are quite easily forged and poorly configured servers / proxy servers can be tricked into relaying mail. I think this is what you are running into...

    If the ISP has a client running a server somewhere on their network that is poorly configured and blindly relays mail, the ISP isn't really responsible for the problem existing and as far as I know isn't at any risk of legal problems (although that is changing constantly as more governments are trying to stem the tide of spammers).

    One of the more recent things that I have seen is that the actual headers for the mail traffic are actually forged. As more people try to combat spam and setup email filters to eliminate it, some spammers are resorting to making the message appear that it came from somewhere else entirely in the hope of avoiding filters that block their addresses. Essentially what is done is that the first couple of hops in the relaying of the message are actually completely forged (and you can often time spot this by names != ip addresses when you check) and then somwhere in the middle of the relay stream, the person actually making the connection to mail server has their delivery header (look for a HELO <name> [ip]) show up, and then the rest of a normal SMTP message relaying takes place. This in effect makes some email filtering software think the email originated from the spoofed part of the header, rather than the middle part and can bypass the filters entirely.

    Here is a sanitized example of what I mean:
    Return path: <Main_Office75552b00@victimmail>
    Received from <anotherdomain.com> <192.168.1.1>
    by victimmailserver with SMTP id xxxxxxxxxxxxxx
    for <victimuserid@victimdomain>, Tue, 18 Jun 20002 :00:03:25 -0:400 EDT
    Received from unknown (HELO hd.fakedomain.net) (10.1.1.1) by mta95.spammer.net with SM TP, 17 Jun0102 17:04:21 +0400
    Received from [aaaa.bbb.ccc.ddd] by smtp4.somedomain.com with NNFM, 17 Jun 0102 20:54:27 +0100

    Hopefully I didn't typo that in sanitizing it

    If you notice, the HELO didn't happen until the middle of the conversation; however, when the victim domain mailserver gets the message, it will assume it came from aaaa.bbb.ccc.ddd, not the person in the middle of the conversation stream. In this particular case, the domain reported in the HELO didn't match the actual IP.

    Hope that made sense...probably not...if not just let me know, I will try to explain a little better...The jist of the story is, be a little careful with those headers, they sometimes lie.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    these's nothing that says an isp must dis-allow spam. Some isp's are notorious for allowing it, almost to the point of promoting it some are actually spamhauses, whos sole purpose is to spam the world.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    148
    10Q nebulus200 and all who responded.

    Most of the spam I get has only one headder, the forgery point with very little bounceing between servers. In which case I get something like:

    Received from [10.1.1.1] by blah.mail.hotmail.com with SMTP ID xxxxxxxxxxxxxx, 17 Jun0102 17:04:21 +0400

    In which case that was the only transaction and X-Mailer and X stuff would be apended. What you have explained makes sence, since their server is blacklisted they bounce to other servers that are not on a blacklist so the victim recieves the mail right?

    But since spam is prohibited is there a way that law enforcement or even the Federal Trades Commision can take legal action?

    oooh, ok I get it, they either are alowing spam on their network or have poorly configured mail servers , and someone found the mail server alows relay so they bounce from there. Sorry about that.
    In snatches, they learn something of the wisdom
    which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    There are ways, but really it isn't worth it (IMHO). There are sections of US Code that allow you to charge a reading fee of up to $500 dollars per email, but it costs you to pursue it and very often, the spammers are fly by night operations and you will never see a dime. Aside from reporting them to their ISP's or reporting it to organizations that are dedicated to fighting spam, there really isn't anything you can do unless the email is fradulent (pyramid schemes, nonexistant products, child porn) because law enforcement pretty much won't be interested.

    Good luck fighting the fight.

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •