  [Question]   fighting spam 31/08/2006 15:27:24 (+0700) | #1 | 19466
goldenmice
Member

Joined: 27/11/2005 14:09:48
Messages: 57
Offline
"Some of y'all might know this, and some of y'all don't. Some of y'all might be with this, and some of y'all won't."

Preface: This article will discuss spam. The first part of this article is dedicated to the basics of spam and the counter measures that can be taken. The second part will discuss how to track spammers (or anyone else for that matter) using the headers from an email message. Some basic knowledge about how the Internet works is required.

Spam, what's that?

It does not matter how many times you use the Internet, sooner or later you will be the victim of spam. Spam is unsolicited commercial email messages offering mostly worthless products. In general, spam is every email you did not ask for. Spam is usually sent to a large list of people, and mostly ends up in the electronic trash can. Victims of spam have to spend time and bandwidth on deleting this junk mail. Recently even a lot of Neworder users were victims of a spam-bot that took their email addresses from their profiles.

Now that we know what it is, let's have a look at what it looks like:

############################# Begin Spam #############################

From : aaa9440@edsamail.com.ph
To : Subscriber
Subject : Increase sexual energy - Reduce body fat - Look 10 years younger! (158973)
Date : Mon, 27 Mar 2000 16:02:54 -0400 (EDT)

[Doesn't something look wrong here]

What would you pay to look and feel 10 years younger? Would you be interested in increasing energy levels by 84%? How about Increasing Sexual Potency & Frequency by 75%? Would you like to increase your Muscle Strength by 88% While..... At the same time...... Reducing Body Fat by 82% and Wrinkles by 61%? Of Course you would!

Well we have the Amazing HGH Releasor product to help you achieve all of this and more! +++ PLUS - We have the scientific proof to back it up! Turn Back The Clock and Turn Up the Energy Now!

Click here NOW to find out more http://3519732236&@209.055.199.074%2F%7Ee%76e%726

You are receiving this email because you or someone on your behalf agreed to allow us to send you offers. If you wish to be removed from this mailing list, please click mailto:extbgd@yahoo.com?subject=unsubscribe (Please allow 2-4 days to be removed from our database)

############################# End Spam #############################

Does that sound familiar? Consider yourself lucky if it does not. This example of typical spam mail that was sent to me will stay with us throughout this article. We will analyse the headers of this email from top to bottom in the hope of tracing the spammer.

Spam, Why?

Why do companies send spam? Nobody likes to receive spam; it is a waste of time and slows down or crashes mail servers. But still a lot of companies keep sending spam. Why?

Because it is free advertisement of their product. All they need is an Internet account at their local ISP. Because they have no advertisement costs they have a profit as soon as 1 out of the 20,000 approached people buys their product.

Sending spam is also very easy; the Internet is filled with programs specially created for this purpose.

So the spammer has very little costs to send a huge amount of email. Every receiver, however, pays with money, time and bandwidth for something he or she never asked for and does not want. Additionally, ISPs have to transport all the junk mail and in the end the users have to pay for that service.

Spam, how?

As stated above, sending spam is very easy. All a spammer has to do is find enough email addresses to send his messages to and be able to hide his real identity. Spammers collect email addresses with programs specially designed for that purpose. These programs scan websites, newsgroups and address listings (like Bigfoot and Info Space). Spammers try to hide their identity using methods such as email relaying and the forging of headers. It is not possible to trace every spammer, for the smart ones use a Socks or Wingate proxy to connect to the Internet and keep switching ISPs. But fortunately most spammers are not very smart, nor do they need to be for their 'profession' :)

Spam, what now?

You have mail... Great! It is spam. Great. What should I do now? You have several options. Some more intelligent, some less.

Nothing

You can choose to simply delete the mail and forget about it. Simply deleting any spam you get is a good way to deal with it. If every spam email would find its way to the trash can, the spammers would have no profit and the 'spamming industry' would collapse. By doing so little you've done a lot: you have not contributed to spam being a marketing method that works and you have not wasted too much of your time. (Until the next mail).

The process of deleting spam can, of course, be automated (that's what we have computers for :) ). The best way to do that is discussed in many articles widely available all over the Internet.

Reply to that spammer and tell him what you think

This is the natural and understandable reaction, but almost exclusively the wrong thing to do. The 'From:' (or the 'Reply-to:') field in the header, which any email program will use to reply to the sender, is the easiest to forge. It is simply a line in what email programs call the header but actually belongs to the body of an email. To understand that, it is really helpful to have an understanding of how the SMTP protocol works. (Maybe a future article about that one)

The spammer will insert a random name or number with a random domain. Your replies will either go nowhere and be returned to you undelivered, or they will reach an innocent victim. Remember, your complaint would not be the only one. Complaints would mix with thousands of undeliverable emails returned to the (forged) "sender", eventually bringing the victim's system down. This can do a lot of damage, so please do not reply to spam, however justified it may seem to be. The chance that the return path is correct is very low.

Complain at the spammer's ISP

Every spammer needs an Internet Service Provider allowing them access to the Internet. Most ISPs have an 'Acceptable Use Policy' banning spamming through their system. Some haven't. Some simply get abused. In such a case you can complain to the ISP, explaining to them that and why spam is bad and what to do. Of all the things you can do with and about spam today, complaining to the spammer's ISP is the most effective. [Send your complaint to postmaster@spammer.isp, root@spammer.isp, admin@spammer.isp or the most common one, abuse@spammer.isp] If the complaint is justified, the account of the spammer is usually terminated.

Additionally, many sites will relay email. They will accept an email whose final destination is not their site and deliver it (possibly via another relay) to the recipient. This is one of the core concepts the Internet is based on. Unfortunately spammers abuse it. But it is possible to make relaying almost impossible; most hosts just don't know how. If you cannot identify the original sender of unsolicited email and it was obviously relayed by some host, you can tell them how to avoid being abused by spammers.

The Complaint

Now that you have the email addresses, you need to send every site from every received field the same email message. You are polite (or try to be). And you notify the ISP misused as a relay that this has happened and maybe what they can do about that. The ISP apparently hosting the spammer is asked to investigate that incident and disconnect the user according to their AUP. Of course you have to include the full headers of the spam. You will cut the contents of the actual spam as far as it is not relevant. You also may include any traceroute or Whois information that has helped you when you investigated the spam. In this case, you could include the Whois information for the spammer if you send the mail to one of the contacts mentioned there. However, this is not necessary.

Complain at the IRS

Another option is complaining at the Internal Revenue Service (IRS). Because a lot of spammers advertise strategies for becoming rich quickly, it is possible that he did not report all his income on his tax returns. They will check if the spammer has reported all his income to the IRS. This complaint should be in writing to make it official, and should include your research results. The IRS will contact the ISP of the spammer for a home address and start an investigation.

Track down the spammer and hack their system.

Yes, revenge is one of man's best friends. The first part of this approach is finding out where the spam originates. This is also very useful in tracking other people down using email headers.

NOTE: THIS IS NOT A HOW-TO HACK TUTORIAL! :)

Forging

Most of what you can see in an email header can be 'forged' (aka faked). The uttermost concern of spammers (apparently even more important than selling something) is to hide where they live. They are ready to forge just about everything that would reveal their whereabouts. Only the 'Received:' line cannot be altered (as it is prepended by the server later). But such lines can be manually inserted at the beginning of the headers. A spammer would do that to make it even more complicated to identify the source of their message.

Relaying

One of the basic concepts of the Internet is that there is no headquarters. This is due to its history as a military network, the ARPANET, which should allow communication under almost all circumstances. Had there been a single headquarters, vital for the functioning of the whole network, any attack on that central nerve that put it out of service would have brought the whole net down and communications would have been impossible.

For the network to still allow data transfer if parts of it are already down it is essential that the path the data packets take is not determined, only determinable. So if the direct path from A to B is blocked, but A has a working connection to C and C to B, the data can go from A to C and from C to B. Similarly, it is not sure which servers a message from you (A) to the recipient (B) will pass in order to reach its goal.

The SMTP protocol allows for this relaying since it seemed useful. But this feature is abused by spammers, who relay their messages through another server to cover their identity.


Received: from members2.uol.com.ar (members2.uol.com.ar [200.221.10.***])
    by uubin.uol.com.ar (8.8.6/8.8.6) with ESMTP id ********
    for ; Sun, 17 Feb 2002 16:05:04 GMT
Received: from mail.free.com ([208.236.11.**])
    by members2.uol.com.ar (8.8.4/8.8.4) with SMTP id ********
    for ; Sun, 17 Feb 2002 16:03:32 GMT
Received: from mail.chello.nl by mail.***free.com (AltaVista Mail V2.0/2.0 BL23 wwwector)
    id ****_****_****_****_**** for addmk3@uol.com.ar; Sun, 17 Feb 2002 17:05:04 +0100
Received: from [62.163.135.***] (HELO best.porn.in.the.world)
    by mail.chello.nl (AltaVista Mail V2.0/2.0 BL23 wwwector)
    id ****_****_****_****_**** Sun, 17 Feb 2002 17:05:04 +0100
Received: from porn.unlimited [127.0.0.1]
    by best.porn.in.the.world with smtp (Exim 1.70 #1)
    id ****_****_****; Sun, 27 Mar 2000 16:02:54 -0400 (EDT)
To: "BUY NOW" <buy.porn@lowest.prices>
From: best@porn.worldwide
Comments: Authenticated sender is <best@porn.worldwide>
Subject: About porn
Message-Id:
Date: Sun, 27 Mar 2000 16:02:54 -0400 (EDT)


Headers

In tracking down the real source of spam, headers are your best friends. But they can be forged. However if you learn what you should look at and how to read the received lines you should have no problem in tracking down the spammer.

Every email message consists of two parts, the body and the header. The header can be thought of as the envelope of the message, containing the address of the sender, the recipient, the subject and other information. The body contains the actual text (or whatever you are sending via email). Things are getting difficult and interesting here already since the recipient I mentioned above may not be what the servers transporting the mail to you use. Before we can commence you should make sure that you know how to display the header in your email program. [Look for an option reading "Show Headers" or "Display All Headers"]

From: best@porn.worldwide
The 'From:' line usually tells the sender of the message and it is what your email program uses to display the person who sent you this mail. This, naturally, is the first address you think about complaining to. Spammers know this and thus the 'From:' line is almost guaranteed to be set to something else than their real email address. The 'From:' line, however, is still very useful. You can see that we are indeed dealing with spam here. [.worldwide is not a legitimate country domain, and if you come across an email address like '5432@1287.com' you can draw the same conclusion]

There are two similar lines, 'Reply-to:' and 'Sender:', which have similar functions and may (if present) be similarly forged. Not even the 'From:' line has to be present.

To: "BUY NOW" <buy.porn@lowest.prices>
Due to the design of the SMTP protocol, the address in the 'To:' field of the header does not have to be the actual recipient's address. [This makes sense with carbon copies or with forwarding for example] But also this field is easily forged, not a big deal considering you could not do much with this field anyways.

Comments: Authenticated sender is <best@porn.worldwide>
This at least sounds nice. The only person (or program) having authenticated the sender may be the sender himself. If someone tells you that he is 31337, you may very well believe him but you'd better find some other, more reliable, source to authenticate this.

Received:
Finally we have come to the most interesting and useful part. On its way from you to the recipient an email message usually will pass through at least two SMTP servers (your ISP's SMTP server and the one of the recipient's ISP). These servers are the programs that do the actual 'sending' on the Internet. They receive a message from some server and pass it on to another until it reaches the SMTP server of the final recipient.

As an SMTP server passes the message on, it will stamp the message. It adds the 'Received:' line, stating from where it got the message and for whom it is. This is very helpful in tracking down the source of spam, as every mail has to be injected into that chain of mail servers somewhere.

The 'Received:' line is always added at the top of a message. This means that the stamps from the servers the message passed through pile up at the beginning of the header lines and must be read in reverse order. The first 'Received:' you see is the last added, by the mail server of your ISP. The last is the spammer himself (unless he added 'Received:' fields manually).

Received: from porn.unlimited [127.0.0.1]
by best.porn.in.the.world with smtp (Exim 1.70 #1)
id ****_****_****; Sun, 27 Mar 2000 16:02:54 -0400 (EDT)


The first server the message goes through is often the spammer's own machine and thus not too interesting. In this case it is absolutely useless. It shows us the usual pattern of a 'Received:' line, although the porn.unlimited part is usually forged. It is what the client stated as its domain name in the HELO or EHLO command. The IP address [127.0.0.1] is not forged. But 127.0.0.1 is the same as localhost, the spammer's own computer.

NOTE: Every host on the Internet is identified by a unique IP address. The domain name is assigned with the IP address and can be looked up at a domain name server (DNS).

best.porn.in.the.world is the name of the host that added the 'Received:' header, in this case a fancy name. smtp (Exim 1.70 #1) gives the program name and version of the Mail Transport Agent (aka MTA, the SMTP server). Different MTAs insert different 'Received:' lines, but they all follow a certain pattern.

Received: from [62.163.135.***]
(HELO best.porn.in.the.world)
by mail.chello.nl (AltaVista Mail V2.0/2.0 BL23 wwwector)
id ****_****_****_****_****

Now this is a more interesting 'Received:' field. It is most likely the point of injection. As you can clearly see, the HELO command has been forged again. But the server verified where it got the mail really from and inserted the IP address into the 'Received:' header: [62.163.135.***]. That's the host where the spam came from! Now we have got the IP address of the spammer. But what now?

Source Tracking Tools

In the section above we inspected the email headers and saw how they can help us to find out where the spam came from. What we got was a mere IP address: 62.163.135.***. Not bad, but not much either. Now let's see what tools can help us to turn that IP address into viable contact information; contact information where we can eventually send a letter of complaint.

Traceroute

Traceroute will not too surprisingly trace the route that something you send from your computer to the sender's computer takes. Even on the Internet, packets of data do not get beamed from one place to another but have to take a certain (though not exactly determined) path. Along their way, they will pass some or more machines (domains). The final domain "belongs" to the spammer, but before data reaches this machine it has to pass the ISP of the spammer and before that the ISP of the ISP (a so-called up-stream provider). So, traceroute lets you find the ISP of the spammer and if it is necessary their ISP and so on.


Traceroute is available to Windows 95 users as tracert at the DOS prompt; *nix users have their traceroute anyways, and those artists of life among us using a Macintosh can take a look at the IPNetMonitor Internet tools.

Traceroute will also do reverse DNS (Domain Name Service) lookups for us, that is it will find the domain name for a given IP address, should there be one. Now let's have a go with 62.163.135.***, the IP address we found before:


NeoTrace Version 3.25 Trace Results
Target: 62.163.135.***
Date: 17-2-2002 (Sunday), 19:33:12

Node  IP Address       Location            Node Name                                  Network
1     200.22*.**.*     5.***S, 37.***W     OpioN [127.0.0.1]                          ---
2     200.221.10.74    5.9**S, 37.8**W     200-221-10-74.portais-uolinc.uol.com.br    Comite Gestor da Internet no Brasil
3     200.221.30.33    5.98*S, 37.81*W     fr2-border4.ix.uol.com.br                  Comite Gestor da Internet no Brasil
4     200.228.240.50   Sao Caetano do Su   uol-a6-0-32-dist04.spo.embratel.net.br     Comite Gestor da Internet no Brasil
5     200.230.219.210  Sao Caetano do Su   ebt-g2-0-dist04.spo.embratel.net.br        Comite Gestor da Internet no Brasil
6     200.230.0.142    Sao Caetano do Su   ebt-p12-0-core01.spo.embratel.net.br       Comite Gestor da Internet no Brasil
7     200.230.3.1      Sao Caetano do Su   uunet-p2-0-intl01.spo.embratel.net.br      Comite Gestor da Internet no Brasil
8     152.63.98.5      Unknown             pos7-0.ih1.sat1.alter.net                  UUNET-BACKBONE
9     146.188.144.166  Unknown             184.at-1-0-0.xr2.sat1.alter.net            UUNET PIPEX
10    152.63.102.2     Dallas              0.so-7-0-0.xr2.dfw9.alter.net              UUNET-BACKBONE
11    152.63.98.134    Dallas              0.so-1-2-0.xl2.dfw9.alter.net              UUNET-BACKBONE
12    209.245.240.138  Unknown             unknown.level3.net                         Level 3 Communications, Inc.
13    209.247.10.102   Dallas              pos8-0.core2.dallas1.level3.net            Level 3 Communications, Inc.
14    209.247.9.102    Dallas              so-2-0-0.mp1.dallas1.level3.net            Level 3 Communications, Inc.
15    64.159.17.34     New York            ae0-52.mp2.newyork1.level3.net             Level 3 Communications, Inc.
16    63.209.170.101   Unknown             nygate-l3.ixpres.com                       Level 3 Communications, Inc.
17    213.46.160.254   Unknown             us-nyc-rd-01-pos-2-0.chellonetwork.com     CHELLO-BACKBONE
18    213.46.160.10    Unknown             uk-lon-rc-02-pos-0-0.chellonetwork.com     CHELLO-BACKBONE
19    213.46.160.5     Unknown             nl-ams-rc-01-pos-1-0.chellonetwork.com     CHELLO-BACKBONE
20    213.46.160.17    Unknown             nl-ams-rc-02-pos-2-0.chellonetwork.com     CHELLO-BACKBONE
21    213.46.161.49    Unknown             nl-ams-rd-02-pos-4-0.chellonetwork.com     LINKS-NETHERLANDS
22    212.142.32.43    Unknown             srp0-0.am00rt05.brain.upc.nl               UPC-BRAIN-0
23    212.142.32.1     Unknown             srp0-0.am00rt01.brain.upc.nl               UPC-BRAIN-0
24    212.142.32.49    Unknown             srp8-0.ah00rt01.brain.upc.nl               UPC-BRAIN-0
25    212.142.28.122   Unknown             gig6-0.ah00rt04.brain.upc.nl               TK-RTR-0
26    213.46.90.1      Unknown             ---                                        TK-ZTP-CABLE
27    62.163.135.***   52.**N, 6.**E       ---                                        ---


A lot of luck this time. The path to the spammer was traced back all the way to the Netherlands. UPC (chello) is the ISP of the spammer. Traceroute also allows you to view satellite photos and topographical charts of the area. The IP address at the end has been partially deleted, because the spammer's account has been closed and this IP address has been reassigned. It is very rare to get this much information, because spammers usually use dialup accounts with a dynamic IP address, but you will anyways find the provider, who can check their logs for a certain date and time and get the spammer's details.

Dig and NSLookup

Dig basically does the same as nslookup. But it provides you with a lot of unnecessary information. You can search for the name server (where the DNS lookups happen) for a given domain, host information and a mail exchanger.

We are interested in the network address for an IP address (A in the output) and possible mail exchangers (MX). Mail to the IP address will be handled by the mail exchanger, if there is one or it will go directly to the domain name given in A. If there is neither a domain name nor a mail exchange server things get a bit more difficult. There will be (in any case) a "zone of authority" record that states who is responsible for the given IP address. For IP addresses currently not allocated Internic takes responsibility.

To have an IP address resolved to its domain name you invoke dig like this: dig -x 62.163.135.*** any. The -x-prefix is to get the lookup done, any means get any information available (that may be too much); a is for the network address, mx for the mail exchanger. DynIP provides a DNS Lookup Service via the Web.

Whois

Whois tells you who the owner of a domain is. This information is provided by Internic.net for .com, .net, .org, .edu and .gov domains, Ripe.net does it for most European domains, and others do it for other parts of the world; Alldomains.com may help to find the proper database and in most cases a way to do the query on the Web. A query for antionline.com returns:



Registrant:
Pitt Students (ANTIONLINE2-DOM)
605 Third Street
Beaver, PA 15009
US

Domain Name: ANTIONLINE.COM

Administrative Contact, Technical Contact, Billing Contact:
Vranesevich, John (VJ288) jp@ANTIONLINE.COM
AntiOnline
605 Third Street
Beaver, PA 15009
US
724-773-0940 724-773-0941

Record last updated on 07-Sep-2001.
Record expires on 06-Sep-2002.
Record created on 05-Sep-1997.
Database last updated on 17-Feb-2002 01:13:00 EST.

Domain servers in listed order:
NS.ANTIONLINE.NET 63.108.181.242
NS2.ANTIONLINE.NET 63.108.181.243


Finally

You now have got all the information about the spammer you need to report him to his ISP or the IRS. The other option would be for you to hack his computer and annoy the guy. In my OpioN the first option is the most effective.

For more information about the tracking of spam click here.

Greetz, OpioN

hacker.cn 
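To make the bottom-up reading of 'Received:' lines described in the post concrete, here is an added Python example (not code from the original post or its author). It unfolds a header, walks the chain oldest-first, picks the first hop whose source IP was recorded by a relay and is routable, and flags a stamp that is days older than the next one, like the 2000 date under the 2002 dates above. The sample header is constructed after the article's own; since the post masks the real addresses, RFC 5737 documentation addresses stand in for them, and all function names are this example's own.

```python
"""Read a 'Received:' chain bottom-up, as the article does, to find the injection point."""
import ipaddress
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the article's header; the post masks the real
# addresses, so RFC 5737 documentation addresses stand in for them here.
SAMPLE_HEADER = """\
Received: from mail.free.com ([198.51.100.7])
    by members2.uol.com.ar (8.8.4/8.8.4) with SMTP id AAA2
    for <addmk3@uol.com.ar>; Sun, 17 Feb 2002 16:03:32 GMT
Received: from mail.chello.nl by mail.free.com (AltaVista Mail V2.0/2.0)
    id X1 for addmk3@uol.com.ar; Sun, 17 Feb 2002 17:05:04 +0100
Received: from [203.0.113.45] (HELO best.porn.in.the.world)
    by mail.chello.nl (AltaVista Mail V2.0/2.0)
    id X2; Sun, 17 Feb 2002 17:05:04 +0100
Received: from porn.unlimited [127.0.0.1]
    by best.porn.in.the.world with smtp (Exim 1.70 #1)
    id X3; Sun, 27 Mar 2000 16:02:54 -0400 (EDT)
From: best@porn.worldwide
"""
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def unfold_headers(raw):
    """Join continuation lines; returns [(name, value), ...] up to the first blank line."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def parse_received(value):
    """Claimed name, HELO, relay-recorded IP, stamping host and date of one line."""
    hop = {"src": None, "helo": None, "ip": None, "by": None, "date": None}
    m = re.match(r"from\s+(\S+)", value)
    if m and not m.group(1).startswith("["):
        hop["src"] = m.group(1)
    m = re.search(r"\(HELO\s+(\S+)\)", value)
    hop["helo"] = m.group(1) if m else hop["src"]  # many MTAs log HELO as the 'from' token
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    hop["ip"] = ipaddress.ip_address(m.group(1)) if m else None  # recorded, not claimed
    m = re.search(r"\bby\s+(\S+)", value)
    hop["by"] = m.group(1) if m else None
    try:
        hop["date"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    except (IndexError, TypeError, ValueError):
        pass
    return hop

def trace_chain(raw):
    """Hops oldest-first: the bottom 'Received:' line was the first stamp applied."""
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]
    hops.reverse()
    return hops

def find_injection_point(hops):
    """Earliest hop whose recorded source IP could have reached a relay over the Internet."""
    for index, hop in enumerate(hops):
        ip = hop["ip"]
        if ip is not None and not (ip.is_loopback or ip.is_link_local
                                   or any(ip in net for net in PRIVATE)):
            return index, hop  # hops below this one are unverifiable
    return None, None

def date_anomalies(hops, max_gap=timedelta(days=1)):
    """Hops stamped more than max_gap before the next one: most likely written by the sender."""
    return [i for i in range(len(hops) - 1)
            if hops[i]["date"] and hops[i + 1]["date"]
            and hops[i + 1]["date"] - hops[i]["date"] > max_gap]
```

Run `find_injection_point(trace_chain(SAMPLE_HEADER))` and it returns the hop stamped by mail.chello.nl with the recorded source 203.0.113.45, the counterpart of the [62.163.135.***] line in the article; everything below it is the sender's own unverifiable stamp.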
  [Question]   fighting spam 15/09/2006 05:04:47 (+0700) | #2 | 23441
kid_b0d
Member

Joined: 16/08/2006 00:49:55
Messages: 70
Location: Phan thiết, Bình thu
Offline
Huh! Why is it so all over the place? In the end, couldn't you sum up the main points?