How do you like it when your sober news groups get hit with 900 number sex ads and Make Money Fast
pyramid schemes? If no one ever made those guys pay for their effrontery, soon Usenet would be inundated
with crud.
It’s really tempting, isn’t it, to use our hacking knowledge to blow these guys to kingdom come. But many
times that’s like using an atomic bomb to kill an ant. Why risk going to jail when there are legal ways to keep
these vermin of the Internet on the run?
This issue of Happy hacker will show you some ways to fight Usenet spam.
Spammers rely on forged email and Usenet posts. As we learned in the second Guide to (mostly) Harmless
Hacking, it is easy to fake email. Well, it’s also easy to fake Usenet posts.
*****************
Newbie Note #1: Usenet is a part of the Internet consisting of the system of on-line discussion groups
called "news groups." Examples of news groups are rec.humor, comp.misc, news.announce.newusers,
sci.space.policy, and alt.sex. There are well over 10,000 news groups. Usenet started out in 1980 as a Unix
network linking people who wanted -- you guessed it -- to talk about Unix. Then some of the people wanted
to talk about stuff like physics, space flight, barroom humor, and sex. The rest is history.
*****************
Here’s a quick summary of how to forge Usenet posts. Once again, we use the technique of telnetting to a
specific port. The Usenet port usually is open only to those with accounts on that system. So you will need
to telnet from your ISP shell account back into your own ISP as follows:
telnet news.myISP.com nntp
where you substitute the part of your email address that follows the @ for “myISP.com.” You also have the
choice of using “119” instead of “nntp.”
With my ISP I get this result:
Trying 198.59.115.25 ...
Connected to sloth.swcp.com.
Escape character is '^]'.
200 sloth.swcp.com InterNetNews NNRP server INN 1.4unoff4 05- Mar-96 ready (posting)
Now when we are suddenly in a program that we don’t know too well, we ask for:
help
And we get:
100 Legal commands
authinfo user Name|pass Password|generic <prog> <args>
article [MessageID|Number]
body [MessageID|Number]
date
group newsgroup
head [MessageID|Number]
help
ihave
last
list [active|newsgroups|distributions|schema]
listgroup newsgroup
mode reader
newgroups yymmdd hhmmss ["GMT"] [<distributions>]
newnews newsgroups yymmdd hhmmss ["GMT"] [<distributions>]
next
post
slave
stat [MessageID|Number]
xgtitle [group_pattern]
xhdr header [range|MessageID]
xover [range]
xpat header range|MessageID pat [morepat...]
xpath MessageID
Report problems to <usenet@swcp.com>
Use your imagination with these commands. Also, if you want to forge posts from an ISP other than your
own, keep in mind that some Internet host computers have an nntp port that requires either no password or
an easily guessed password such as “post.” But-- it can be quite an effort to find an undefended nntp port.
So, because you usually have to do this on your own ISP, this is much harder than email forging.
Just remember when forging Usenet posts that both faked email and Usenet posts can be easily detected --
if you know what to look for. And it is possible to tell where they were forged. Once you identify where
spam really comes from, you can use the message ID to show the sysadmin who to kick out.
Normally you won’t be able to learn the identity of the culprit yourself. But you can get their ISPs to cancel
their accounts!
Sure, these Spam King types often resurface with yet another gullible ISP. But they are always on the run.
And, hey, when was the last time you got a Crazy Kevin “Amazing Free Offer?” If it weren’t for us Net
vigilantes, your email boxes and news groups would be constantly spambombed to kingdom come.
And -- the spam attack I am about to teach you is perfectly legal! Do it and you are a certifiable Good Guy.
Do it at a party and teach your friends to do it, too. We can’t get too many spam vigilantes out there!
The first thing we have to do is review how to read headers of Usenet posts and email.
The header is something that shows the route that email or Usenet post took to get into your computer. It
gives the names of Internet host computers that have been used in the creation and transmission of a
message. When something has been forged, however, the computer names may be fake. Alternatively, the
skilled forger may use the names of real hosts. But the skilled hacker can tell whether a host listed in the
header was really used.
First we’ll try an example of forged Usenet spam. A really good place to spot spam is in alt.personals. It is
not nearly as well policed by anti-spam vigilantes as, say, rec.aviation.military. (People spam fighter pilots at
their own risk!)
So here is a ripe example of scam spam, as shown with the Unix-based Usenet reader, “tin.”
Thu, 22 Aug 1996 23:01:56 alt.personals Thread 134 of 450
Lines 110 >>>>FREE INSTANT COMPATIBILITY CHECK FOR SEL No responses
ppgc@ozemail.com.au glennys e clarke at OzEmail Pty Ltd - Australia
CLICK HERE FOR YOUR FREE INSTANT COMPATIBILITY CHECK!
http://www.perfect-partners.com.au
WHY SELECTIVE SINGLES CHOOSE US
At Perfect Partners (Newcastle) International we are private and
confidential. We introduce ladies and gentlemen for friendship
and marriage. With over 15 years experience, Perfect Partners is one
of the Internet's largest, most successful relationship consultants.
Of course the first thing that jumps out is their return email address. Us net vigilantes used to always send a
copy back to the spammer’s email address.
On a well-read group like alt.personals, if only one in a hundred readers throws the spam back into the
poster’s face, that’s an avalanche of mail bombing. This avalanche immediately alerts the sysadmins of the
ISP to the presence of a spammer, and good-bye spam account.
So in order to delay the inevitable vigilante response, today most spammers use fake email addresses.
But just to be sure the email address is phony, I exit tin and at the Unix prompt give the command:
whois ozemail.com.au
We get the answer:
No match for "OZEMAIL.COM.AU"
That doesn’t prove anything, however, because the “au” at the end of the email address means it is an
Australian address. Unfortunately “whois” does not work in much of the Internet outside the US.
The next step is to email something annoying to this address. A copy of the offending spam is usually
annoying enough. But of course it bounces back with a no such address message.
Next I go to the advertised Web page. Lo and behold, it has an email address for this outfit,
perfect.partners@hunterlink.net.au. Why am I not surprised that it is different from the address in the
alt.personals spam?
We could stop right here and spend an hour or two emailing stuff with 5 MB attachments to
perfect.partners@hunterlink.net.au. Hmmm, maybe gifs of mating hippopotami?
***************************
You can go to jail note! Mailbombing is a way to get into big trouble. According to computer security expert
Ira Winkler, “It is illegal to mail bomb a spam. If it can be shown that you maliciously caused a financial
loss, which would include causing hours of work to recover from a spamming, you are criminally liable. If a
system is not configured properly, and has the mail directory on the system drive, you can take out the
whole system. That makes it even more criminal.”
***************************
Sigh. Since intentional mailbombing is illegal, I can’t send that gif of mating hippopotami. So what I did was
email one copy of that spam back to perfect.partners. Now this might seem like a wimpy retaliation. And we
will shortly learn how to do much more. But even just sending one email message to these guys may become
part of a tidal wave of protest that knocks them off the Internet. If only one in a thousand people who see
their spam go to their Web site and email a protest, they still may get thousands of protests from every post.
This high volume of email may be enough to alert their ISP’s sysadmin to spamming, and good-bye spam
account.
Look at what ISP owner/operator Dale Amon has to say about the power of email protest:
“One doesn't have to call for a ‘mail bomb.’ It just happens. Whenever I see spam, I automatically send one
copy of their message back to them. I figure that thousands of others are doing the same. If they (the
spammers) hide their return address, I find it and post it if I have time. I have no compunctions and no guilt
over it.”
Now Dale is also the owner and technical director of the largest and oldest ISP in Northern Ireland, so he
knows some good ways to ferret out what ISP is harboring a spammer. And we are about learn one of them.
Our objective is to find out who connects this outfit to the Internet, and take out that connection! Believe
me, when the people who run an ISP find out one of their customers is a spammer, they usually waste no
time kicking him or her out.
Our first step will be to dissect the header of this post to see how it was forged and where.
Since my newsreader (tin) doesn’t have a way to show headers, I use the “m” command to email a copy of
this post to my shell account.
It arrives a few minutes later. I open it in the email program “Pine” and get a richly detailed header:
Path:
sloth.swcp.com!news.ironhorse.com!news.uoregon.edu!vixen.cso.uiuc.edu!news.stealth.net!nntp04.primen
et.com!nntp.primenet.com!gatech!nntp0.mindspring.com!news.mindspring.com!uunet!in2.uu.net!OzEmail!O
zEmail-In!news
From: glennys e clarke <ppgc@ozemail.com.au>
NNTP-Posting-Host: 203.15.166.46
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.22 (Windows; I; 16bit)
The first item in this header is definitely genuine: sloth.swcp.com. It’s the computer my ISP uses to host the
news groups. It was the last link in the chain of computers that have passed this spam around the world.
*******************
Newbie Note #2: Internet host computers all have names which double as their Net addresses. “Sloth” is the
name of one of the computers owned by the company which has the “domain name” swcp.com. So “sloth”
is kind of like the news server computer’s first name, and “swcp.com” the second name. “Sloth” is also kind
of like the street address, and “swcp.com” kind of like the city, state and zip code. “Swcp.com” is the domain
name owned by Southwest Cyberport. All host computers also have numerical versions of their names, e.g.
203.15.166.46.
*******************
Let’s next do the obvious. The header says this post was composed on the host 203.15.166.46. So we telnet
to its nntp server (port 119):
telnet 203.15.166.46 119
We get back:
Trying 203.15.166.46 ...
telnet: connect: Connection refused
This looks a lot like a phony item in the header. If this really was a computer that handles news groups, it
should have a nntp port that accepts visitors. It might only accept a visitor for the split second it takes to
see that I am not authorized to use it. But in this case it refuses any connection whatever.
There is another explanation: there is a firewall on this computer that filters out packets from anyone but
authorized users. But this is not common in an ISP that would be serving a spammer dating service. This
kind of firewall is more commonly used to connect an internal company computer network with the Internet.
Next I try to email postmaster@203.15.166.46 with a copy of the spam. But I get back:
Date: Wed, 28 Aug 1996 21:58:13 -0600
From: Mail Delivery Subsystem <MAILER-DAEMON@techbroker.com>
To: cmeinel@techbroker.com
Subject: Returned mail: Host unknown (Name server: 203.15.166.46: host not
found)
The original message was received at Wed, 28 Aug 1996 21:58:06 -0600
from cmeinel@localhost
----- The following addresses had delivery problems -----
postmaster@203.15.166.46 (unrecoverable error)
----- Transcript of session follows -----
501 postmaster@203.15.166.46... 550 Host unknown (Name server: 203.15.166.46:
host not found)
----- Original message follows -----
Return-Path: cmeinel
Received: (from cmeinel@localhost) by kitsune.swcp.com (8.6.9/8.6.9) id
OK, it looks like the nntp server info was forged, too.
Next we check the second from the top item on the header. Because it starts with the word “news,” I figure it
must be a computer that hosts news groups, too. So I check out its nntp port:
telnet news.ironhorse.com nntp
And the result is:
Trying 204.145.167.4 ...
Connected to boxcar.ironhorse.com.
Escape character is '^]'.
502 You have no permission to talk. Goodbye.
Connection closed by foreign host
OK, we now know that this part of the header references a real news server. Oh, yes, we have also just
learned the name/address of the computer ironhorse.com uses to handle the news groups: “boxcar.”
I try the next item in the path:
telnet news.uoregon.edu nntp
And get:
Trying 128.223.220.25 ...
Connected to pith.uoregon.edu.
Escape character is '^]'.
502 You have no permission to talk. Goodbye.
Connection closed by foreign host.
OK, this one is a valid news server, too. Now let’s jump to the last item in the header: in2.uu.net:
telnet in2.uu.net nntp
We get the answer:
in2.uu.net: unknown host
There is something fishy here. This host computer in the header isn’t currently connected to the Internet. It
probably is forged. Let’s check the domain name next:
whois uu.net
The result is:
UUNET Technologies, Inc. (UU-DOM)
3060 Williams Drive Ste 601
Fairfax, VA 22031
USA
Domain Name: UU.NET
Administrative Contact, Technical Contact, Zone Contact:
UUNET, AlterNet [Technical Support] (OA12) help@UUNET.UU.NET
+1 (800) 900-0241
Billing Contact:
Payable, Accounts (PA10-ORG) ap@UU.NET
(703) 206-5600
Fax: (703) 641-7702
Record last updated on 23-Jul-96.
Record created on 20-May-87.
Domain servers in listed order:
NS.UU.NET 137.39.1.3
UUCP-GW-1.PA.DEC.COM 16.1.0.18 204.123.2.18
UUCP-GW-2.PA.DEC.COM 16.1.0.19
NS.EU.NET 192.16.202.11
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
So uu.net is a real domain. But since the host computer in2.uu.net listed in the header isn’t currently
connected to the Internet, this part of the header may be forged. (However, there may be other explanations
for this, too.)
Working back up the header, then, we next try:
telnet news.mindspring.com nntp
I get:
Trying 204.180.128.185 ...
Connected to news.mindspring.com.
Escape character is '^]'.
502 You are not in my access file. Goodbye.
Connection closed by foreign host.
Interesting. I don’t get a specific host name for the nntp port. What does this mean? Well, there’s a way to
try. Let’s telnet to the port that gives the login sequence. That’s port 23, but telnet automatically goes to 23
unless we tell it otherwise:
telnet news.mindspring.com
Now this is phun!
Trying 204.180.128.166 ...
telnet: connect to address 204.180.128.166: Connection refused
Trying 204.180.128.167 ...
telnet: connect to address 204.180.128.167: Connection refused
Trying 204.180.128.168 ...
telnet: connect to address 204.180.128.168: Connection refused
Trying 204.180.128.182 ...
telnet: connect to address 204.180.128.182: Connection refused
Trying 204.180.128.185 ...
telnet: connect: Connection refused
Notice how many host computers are tried out by telnet on this command! They must all specialize in being
news servers, since none of them handles logins.
This looks like a good candidate for the origin of the spam. There are 5 news server hosts. Let’s do a whois
command on the domain name next:
whois mindspring.com
We get:
MindSpring Enterprises, Inc. (MINDSPRING-DOM)
1430 West Peachtree Street NE
Suite 400
Atlanta, GA 30309
USA
Domain Name: MINDSPRING.COM
Administrative Contact:
Nixon, J. Fred (JFN) jnixon@MINDSPRING.COM
404-815-0770
Technical Contact, Zone Contact:
Ahola, Esa (EA55) hostmaster@MINDSPRING.COM
(404)815-0770
Billing Contact:
Peavler, K. Anne (KAP4) peavler@MINDSPRING.COM
404-815-0770 (FAX) 404-815-8805
Record last updated on 27-Mar-96.
Record created on 21-Apr-94.
Domain servers in listed order:
CARNAC.MINDSPRING.COM 204.180.128.95
HENRI.MINDSPRING.COM 204.180.128.3
*********************
Newbie Note #3: The whois command can tell you who owns a domain name. The domain name is the last
two parts separated by a period that comes after the “@” in an email address, or the last two parts separated
by a period in a computer’s name.
*********************
I’d say that Mindspring is the ISP from which this post was most likely forged. The reason is that this part
of the header looks genuine, and offers lots of computers on which to forge a post. A letter to the technical
contact at hostmaster@mindspring.com with a copy of this post may get a result.
But personally, I would simply go to their Web site and email them a protest from there. Hmmm, maybe a 5
MB gif of mating hippos? Even if it is illegal?
But systems administrator Terry McIntyre cautions me:
“One needn't toss megabyte files back ( unless, of course, one is helpfully mailing a copy of the offending
piece back, just so that the poster knows what the trouble was. )
“The Law of Large Numbers of Offendees works to your advantage. Spammer sends one post to ‘reach out
and touch’ thousands of potential customers.
“Thousands of Spammees send back oh-so-polite notes about the improper behavior of the Spammer. Most
Spammers get the point fairly quickly.
“One note - one _wrong_ thing to do is to post to the newsgroup or list about the inappropriateness of any
previous post. Always, always, use private email to make such complaints. Otherwise, the newbie
inadvertently amplifies the noise level for the readers of the newsgroup or email list.”
Well, the bottom line is that if I really want to pull the plug on this spammer, I would send a polite note
including the Usenet post with headers intact to the technical contact and/or postmaster at each of the valid
links I found in this spam header. Chances are that they will thank you for your sleuthing.
Here’s an example of an email I got from Netcom about a spammer I helped them to track down.
From: Netcom Abuse Department <abuse@netcom.com>
Reply-To: <abuse@netcom.com>
Subject: Thank you for your report
Thank you for your report. We have informed this user of our policies, and have taken appropriate action,
up to, and including cancellation of the account, depending on the particular incident. If they continue to
break Netcom policies we will take further action.
The following issues have been dealt with:
santigo@ix.netcom.com
date-net@ix.netcom.com
jhatem@ix.netcom.com
kkooim@ix.netcom.com
duffster@ix.netcom.com
spilamus@ix.netcom.com
slatham@ix.netcom.com
jwalker5@ix.netcom.com
binary@ix.netcom.com
clau@ix.netcom.com
frugal@ix.netcom.com
magnets@ix.netcom.com
sliston@ix.netcom.com
aessedai@ix.netcom.com
ajb1968@ix.netcom.com
readme@readme.net
captainx@ix.netcom.com
carrielf@ix.netcom.com
charlene@ix.netcom.com
fonedude@ix.netcom.com
nickshnn@netcom.com
prospnet@ix.netcom.com
alluvial@ix.netcom.com
hiwaygo@ix.netcom.com
falcon47@ix.netcom.com
iggyboo@ix.netcom.com
joyful3@ix.netcom.com
kncd@ix.netcom.com
mailing1@ix.netcom.com
niterain@ix.netcom.com
mattyjo@ix.netcom.com
noon@ix.netcom.com
rmerch@ix.netcom.com
rthomas3@ix.netcom.com
rvaldes1@ix.netcom.com
sia1@ix.netcom.com
thy@ix.netcom.com
vhs1@ix.netcom.com
Sorry for the length of the list.
Spencer
Abuse Investigator
___________________________________________________________________
NETCOM Online Communication Services Abuse Issues
24-hour Support Line: 408-983-5970 abuse@netcom.com
**************
No comments:
Post a Comment