Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: I fought the scammer... and I won

  1. #1
    Senior Member
    Join Date
    Feb 2002

    I fought the scammer... and I won

    Here's the story of how Steffen Higel, a sysadmin for a Dublin internet cafe managed to help catch a spammer/scammer. To me, a most amusing read.. so I thought you folks would enjoy it too. The original source for this, is to be found here.

    Fri, 02 Apr 2004

    I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email from a sysadmin in a large U.S. University. Spamcop had blacklisted our server's external IP address. Abuse mail for the server in question gets sent to my college account (bad practice, I know, but it's a part time job). My college uses Spamcop as a blacklist source. You can probably tell what happened...

    Anyway, said email included the full headers of an email which was natted by our server pretending to be from the widow of Mr. Jonas Savimbi, offering the recipient a share of an unspecified large sum of money. The usual panicked thoughts kick in... "Have I fiddled with something which has left us as an open relay?", "Has our server been cracked?", "Have I been sleep-spamming again?". A more reasoned examination of the headers showed that the mail had originated from one of the IP addresses that we assign dynamically to people who bring laptops into the cafe.

    This is something of a nightmare for cafe operators, we can hardly block outbound smtp but then again it isn't possible for us to manually check very single mail either. Maybe rate limiting is a valid technical solution. Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.

    A peek through the logs revealed:

    Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7
    via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on to
    00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for from
    00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on to
    00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for from
    00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on to
    00:40:f4:5d:aa:f7 via eth1

    Bingo. I had something to work with. The network card is one based on a Cameo 32bit chipset. Matches up quite nicely with these:

    Return-Path: <mjsavimbi2000 at>
    Received: from (server.XXXXXX [XXXXXXX.29])
    byXXXXXXXXXXXXXXXXXX) with SMTP id i2QFrgi0002755
    for <XXXXXXXXXXXXXX>; Fri, 26 Mar 2004 10:53:44 -0500 (EST)
    Reply-To: "michelle savimbi" <mjsavimbi2000 at>
    From: "michelle savimbi" <mjsavimbi2000 at>
    Subject: urgent response
    Date: Fri, 26 Mar 2004 15:53:26 +0000
    Mime-Version: 1.0
    Content-Type: multipart/alternative;
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000ams
    X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2800.1165

    I asked around, and a man, described as being black (or is the word African-American these days?), roughly 30, with an accent which seemed half London and half African had been in the cafe with a laptop and had a number of visitors call into his booth and had been there at the given time.

    I hate spam more than I hate crackers. I hate spam more than I hate virus writers. I wanted to catch this guy in the act and I wanted to see him hauled off in a paddywagon. We contacted the police, who unfortunately didn't seem willing to do anything about it unless we caught someone in the act of doing something illegal. The daily staff in the cafe were instructed to let me know if said individual turned up again, though honestly, who could be that stupid? My hopes weren't high.

    Evidently, a 419er is that stupid. The very next Friday (2nd of April 2004) he turned up again. I was on the bus at the time, just about to go in for another day of world altering research. I ran down as fast as I could and was told that he was on the second floor and hadn't plugged in yet because he wanted one particular booth which is somewhat secluded and was willing to wait.

    I sat myself down at a computer in another room, started tailing the daemon.log and waited for the telltale entries. I took a quick flick through the tcpdump manpage, just to make sure I didn't screw up. 20 minutes later, it started to happen. He plugged in, and his Windows XP laptop started to blabber away. WindowsUpdate, Netbios, passport logins. Nothing much happened for a while. The odd DNS request here, the occasional search:

    GET /search.php?Keywords=male%20erection&p (I'm not messing!)

    on, which seems to belong to some direct marketing whorehouse.

    He logged into this as well:, which seems to be some sort of mail harvesting database. The login is done over SSL, so I can't find out more. If any militant anti-spam vigilantes want to get a good look at how these people organize themselves, that's probably a good place to start. Then, he spent a bit of time on Don't you just love the fake google-textads? He logged into next, using the email address kendoda at Whatever hash they use for passwords was aaka7zxkcNo. Then, he logged into his yahoo mail account. This was probably to check the account that in which he receives those mails. It looks like the rest happened over SSL.

    Then it started. The screen started showing an awful lot of smtp traffic heading out onto the net. I knew that I had to let it go, even if it meant another 48 hours of being blacklisted. If it meant he could be convicted of committing a crime, then I figured it was worth the price. I hope those who received the mail also feel that way. (sorry :-/)

    Before I phoned my contact in the Gardai, I had to make sure that he was actually sending out his vile wares. I scped the partial dumpfile onto my laptop, and opened it up in ethereal. Guess what?

    220 serverXXXXXXXXXX ESMTP Postfix
    250 serverXXXXXXXXXX
    MAIL FROM:<mjsavimbi2000 at>
    250 Ok
    RCPT TO:<>
    250 Ok
    354 End data with <CR><LF>.<CR><LF>
    Reply-To: "michelle savimbi" <mjsavimbi200From: "michelle savimbi"
    <mjsavimbi2000 at yaSubject: urgent response
    Date: Fri, 2 Apr 2004 10:48:20 +0100
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundX-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2X-MimeOLE: Produced by
    Microsoft MimeOLE V
    ------=_NextPart_000_0034_01C221EC.6C64F7BContent-Type: text/plain;

    Dear Sir,

    I would like to introduce myself to you [....]

    [I've noticed that some characters are missing. This seems to be due to our server not being able to keep up]

    And on it went. To lots of people. 1178 of them. By that time, two Gardai had called in and wanted to wait until he had sent as many as he was going to. They seemed fairly convinced at that point that our friend was engaged in something less than honest. These weren't computer specialists, but they walked up, knocked on the window of the booth and introduced themselves.

    He asks them what the problem is and is told to step away from the computer. He doesn't seem too happy about this, but does so. He's asked his name and is told that he might like to come down for a chat in the local station. He says his wallet and ID are in the booth, so he walks in, rips a USB memory stick from the side of his laptop, tries to swallow it and makes a run for it. Detective number 1 grabs and tries to cuff him, detective 2 starts to do the same. A struggle ensues and goes on for a full 10 minutes, basically trying to pin him on the floor and then getting his arms behind so he can be handcuffed. Michelle agrees to co-operate on numerous occasions and each time tries to run to the booth to destroy whatever is on that machine.

    Eventually, 2 more gardai arrive and he's cuffed and brought out, crying like a little girl claiming police brutality (which is untrue, they would probably never have even formally arrested him if he hadn't attempted to run). Detective 1 was explaining to me how it's extremely difficult to restrain someone without hurting them. They could have had him subdued in about 10 seconds flat, but there have been instances in the past where a few gardai in this country have caused quite a bit of controversy with their liberal application of force. So this eyewitness applauds the superb work done by these gardai in a very difficult situation. 10 minutes of struggling with someone is pretty tough work.

    So he's carted off in a car back to the local station., where he'll get a cozy cell. Myself and detective 1 take a look at the equipment he had... A "mentor" network card (based on the cameo chipset), a badly chewed (but fairly undamaged looking) USB memory stick and a bulky laptop running Windows XP. Open on the screen is MS Word with the exact text of our beloved email and some bulk email program (the icon had a yellow background with a black @ symbol). His phone is ringing in his coat constantly. One of his many guests from his previous visit must want to talk to him.

    At one point, 3 guys who would appear to be of similar ethnic background want to come into the room where Michelle was working. They are told we are closed due to a technical problem. They were friendly and understood the situation and departed quickly enough.

    Some guys from the computer crime unit turn up, 3 of them. We have a good chat about what evidence I have on the guy. We look through my tcp trace, they same happy enough with what's there. They ask if I managed to sniff any other traffic, http and so forth. They're really hoping that they can get his email password, so with appropriate judicial permission (I assume) they can take a look at who has been mailing him. Yahoo are apparantly extremely uncooperative in this area. He seemed to be using a address as well. Proof that he is intending on scamming people out of money is what the gardai need. I'm not sure if it's illegal to pretend to be someone you aren't and offer a stranger money that you don't have. I'm guessing that with the tcpdump I gave them, their technicians will be able to get something out of it. I'm more interested in the contents of that USB stick.

    So anyway, that's my tale. Michelle has been charged with assault (he tore off detective 1's wrist watch) and is claiming that he can't speak any English. Given the potential scale of the scamming operation, detective 1 reckoned that they'd probably end up handing the evidence over to interpol or whoever works in Quantico (that's the FBI, right?).

    What have I learned? Firstly, digging up evidence on criminals is an exciting activity. Secondly, if you're an absentee sysadmin for an Internet cafe, transperantly proxy as much traffic as you can. The logs will prove useful if you are trying to track an abuser's traffic 24 hours after they have left. I was lucky in this respect, I was proxying smtp and http to postfix and squid. The added headers in the mails makes things easier to track. Thirdly, there doesn't seem to be sufficient clarity among those employed in law enforcement concerning the legalities of spam. Hell, I don't know what the laws regarding this sort of thing are. I just know it sucks. Finally, it's a bit out there, but the gardai should forge closer links with the research community Among us, we have a whole lot of knowledge of just about every issue under the sun. We're mostly idealists, and those ideals include a spam-free Internet. And heck, we're cheap!

    Hope that provided some amusement. Forward it on to anyone who is interested. Really. I want to see it on the front page of slashdot and el reg within a week. And yes it really happened.

    Now curious me, I had to google on "emailspidereasy.+com" to find out more about this spam program and possibly more about how these guys operate. There's a lot of info/spam about the program itself and the places that offer it but while sifting through it, I found what most likely was the content of that letter that this Michelle guy was sending out. Really just another one of the Nigerian letters most of us have seen before. If you're interested, you can read that here.

    good story, huh ? it'd made a nice chapter in a book on scammers..

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Yeah, I just read that a few hours ago... Must have been an exciting couple of days for that guy!

    Credit travels up, blame travels down -- The Boss

  3. #3
    Senior Member
    Join Date
    Jul 2003
    I am all out for the bringing down of spam servers [and anything in contact with it] by legal or illegal methods. Not D[x]oS but serious corruption of the servers, possibly physical damage incurred. I know it sounds harsh, but as the guy in this article says, I hate spammers more than any other breed of Internet animal. Even more than the skids, I think.

  4. #4
    Ah i wonder if that dude is enjoying he's Government paid Holiday at one of there fine 5 stars Holiday camps..
    Wondering if he's got soap on the rope?
    Cause if he don't then Bubba and the welcoming committee will soon give him a suprise he'll never forget..
    So anyhow this was a very very interesting read, it's amazing how stupid people can be. Why the heck this guy continually used the same booth, or even went back to the same Internet Cafe is just asking for trouble, if yah gonna do that kinda stuff you don't return to the scene of the crime (so to speak)..


  5. #5
    Senior Member
    Join Date
    Jul 2003
    Well I guess he assumed that being at an e-Cafe the traffic would hide his doing... but initiating SMTP connections 100 times a second does trigger an alarm no matter what. Maybe he thought nothing would happen to the server of the e-Cafe or something. Regardless, he got caught and outsmarted.

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Stupid scammer...

    Why go to an internet cafe when you can find dozens of unprotected WAPs in a matter of hours... maybe minutes depending where you live.

    He's just a dumb one. He deserved to get caught.

    You gotta love stupid criminals.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Senior Member
    Join Date
    Jul 2003
    On a WAP he would need a powerful card to send and receive e-mails fast enough, at least closely comparable to a landline. I would not know how experienced these people are, but he seems to be like some guy that learned how to do this and got some money or something out of it. Once you get through a 'training' I guess you don't need an IT certification to do it.

  8. #8
    Senior Member
    Join Date
    Nov 2001

    Re: I fought the scammer... and I won

    Originally posted here by sumdumguy
    Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.
    Lol, too much time spent watching Bugs Bunny cartoons as a child makes this even funnier.

    good story, huh ? it'd made a nice chapter in a book on scammers..
    I actually recall reading one of a guy who was fooling with one of the Nigerian 419(?) scammers from across the world, unfortunately I couldn't google up a link.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  9. #9

    Re: Re: I fought the scammer... and I won

    Originally posted here by chsh
    I actually recall reading one of a guy who was fooling with one of the Nigerian 419(?) scammers from across the world, unfortunately I couldn't google up a link.

    I think you might be referring to this:

    And here's another:

    I'm pretty sure these links were mentioned a while back here on AO, so I bookmarked them cause I was LMAO while reading them... Funny stuff...
    - Maverick

  10. #10
    Senior Member
    Join Date
    Jan 2003
    1,499 is another nigerian thing.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts