Spammer hunting for fun and profit
Published Apr 12 2004 12:35 PM 2,710 Views

So I get another spam message from a #&%$@ spammer, though this time it evaded my normal filters as the main content was an image. They're getting smarter... but they remain predictable. Here is the first installment in a series to track down spammers, for fun, for education, and sometimes for just plain stress relief :-).

Step 1: Gather the information.

Unless your spammer is spamming just to annoy people, or is incredibly dumb (not out of the question), the email you receive will contain some piece of information that lets an actual respondent or unsuspecting clicker reply or return some data. This is how their business model works: they send out mass-generated emails, each with some URL or return address that will be used to accomplish a "hit". Out of a million messages sent in a day, even if 1% reply, that is still significant to a spammer for a day's worth of work! You, however, are not going to reply; instead you will use that reply-back information against them.

So how do you get this information? Chances are that your email client already displays most of the information you need. Look for the following information and cut and paste it into a scratch pad somewhere:

Email addresses: These are of the form something@somedomain.foo. The left of the '@' is the username; the right hand side is the 'domain'.

Domain name: We got one of these through the email address; you can extract more by looking for similar patterns throughout the text of the email.

"Click here" web addresses: These will be of the form http://lame.spammerdoofus.com/foo/blas?asdasdyaddayaddd. Again, the important information is the domain part, which is spammerdoofus.com, and the sub-domain, which is the "lame" part.

Cross linked content: These are references to images or other files that are not actually part of the email; when the email is opened in a client, the client follows these links and displays the appropriate files. Images are usually referenced through IMG tags. Keep in mind that fetching such an image is itself a "hit": it tells the spammer's web server that somebody opened the message.

IP (Internet Protocol) addresses: These are numerical values of the form 127.0.0.1 (four numbers separated by dots). Some spam substitutes one of these for the domain portion of an email or web address.

The best way to get all this information is probably to save the email using your client to somewhere accessible (Outlook Express on Windows XP lets you save a message anywhere as a ".eml" file). Usually these are saved as plain text. Some clients save email in a proprietary format, in which case you may get some of the information listed above just by investigating the message in the client; you may also have to use "Message properties" or "View message source" to get at the original form of the message. Try opening the saved file in a regular text editor, Notepad for instance. Here is what I get when I open the spam in Notepad:

Return-Path: 
Delivered-To: virtual-viveksharma_com-vivek@viveksharma.com
Received: (qmail 14031 invoked from network); 29 Dec 2003 03:45:11 -0000
Received: from unknown (HELO jpbwdic.devertansparta.com) (65.208.147.70) by xxxx.xxxxxxxxxxx.com with SMTP; 29 Dec 2003 03:45:11 -0000
Received: from mail.viveksharma.com (xxx.xxx.xxx.xxx) by jpbwdic.devertansparta.com with SMTP id 3UR1E2IMOVE; Sun, 28 Dec 2003 19:52:12 -0400
Received: from tvwgn.devertansparta.com (HELO tvwgn) (169.254.43.210) by mail.viveksharma.com with SMTP; Sun, 28 Dec 2003 19:52:12 -0400
Reply-To:
From: "Rlgu Dt"
To: "Vivek Uowep"
References:
Subject: Vivek, =?ISO-8859-1?B?cmVhY2hpbmcgeW91ciBpbnRlcm5ldCBtYXJrZXQ=?=
Date: Sun, 28 Dec 2003 19:52:12 -0700
Message-ID: NGBBKGHMANKNGCMIMKBLKEIOLMAA.UCDUYDYLUTQZ@AITFogakt.devertansparta.com
MIME-Version: 1.0
Content-Type: text/html; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-BBounce: geb099
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400

<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 10 (filtered)">
</head>
<body lang=EN-US link=blue vlink=purple>
<a href="http://vnupsmwfjd.devertansparta.com/optin/index.html"><img src="http://avwhhwna.devertansparta.com/optin/logo.gif" border="0"></a>
<br><br>
<br><br>
<a href="http://jxbhwyuky.mzmvbjyridrtfd-mzmvb.devertansparta.com/u.cgi?e=vivek!viveksharma.com&l=geb099">
<img src="http://jxbhwyuky.mzmvbjyridrtfd-mzmvb.devertansparta.com/logo.gif?vivek-viveksharma.com-avwhhwnafjzdkezre" border="0"></a><br><br><br><br>
quyflrtt vdjmtwecipfi cufhzbysy xnnekxcmnhlm bnljrdgv esspvwmdkvj dmguffev<br>
cketqxkxs zolyzaxw qaomxmhjhhte ybefeury tnkqfrygmg xmccwglifruc jcopvusrhl<br>
wlwnocurksc dviaynru gywoqvhd qtndpcqx hirrmpednko ythqvozjxbpr nwiewnbwmcf<br>
vkxpwgy tohjnirvy njjufcgwvuj tnaapkus<br><br>
</body>
</html>

From my example email, I extracted the following:

        jpbwdic.devertansparta.com
        tvwgn.devertansparta.com
        169.254.43.210
        vnupsmwfjd.devertansparta.com
        jxbhwyuky.mzmvbjyridrtfd-mzmvb.devertansparta.com

The common thread is the domain devertansparta.com, which we will follow up on in the next section. Two caveats before moving on. Of the Received lines, only the one written by my own server (the one recording 65.208.147.70) is trustworthy; the lines below it arrived already written by the sender, and 169.254.43.210 is a link-local address that could never have reached me across the Internet, so that entry is decoration rather than evidence. Also note that the image and "click here" URLs carry my address and the X-BBounce token (geb099): merely displaying the message in an HTML-capable client would confirm to the spammer that the address is live, which is a good reason to read spam as source rather than render it.
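Doing Step 1 by hand is fine for one message; the following script does the same extraction from the raw .eml and also walks the Received chain so that what your own server recorded is kept apart from what the sender merely claims. It is an added example, not code from the original post. The sample message is the one quoted above with the headers abridged to those used here; the author's mail server stays redacted as xxxx.xxxxxxxxxxx.com, and the MY_HOSTS set holding it is an assumption about which machines you control. The registrable() helper is a deliberate two-label simplification; real tooling should consult the Public Suffix List.

```python
"""Extract Step 1 indicators from a raw .eml and walk its Received chain.

Added example, not from the original post.  The message is the spam quoted
above (headers abridged); the author's server is redacted as on the page.
"""
import email
import ipaddress
import re
from collections import Counter
from email.header import decode_header, make_header
from urllib.parse import urlsplit

# Constructed from the spam shown above (only the headers this script reads).
RAW_SPAM = """\
Delivered-To: virtual-viveksharma_com-vivek@viveksharma.com
Received: (qmail 14031 invoked from network); 29 Dec 2003 03:45:11 -0000
Received: from unknown (HELO jpbwdic.devertansparta.com) (65.208.147.70) by xxxx.xxxxxxxxxxx.com with SMTP; 29 Dec 2003 03:45:11 -0000
Received: from mail.viveksharma.com (xxx.xxx.xxx.xxx) by jpbwdic.devertansparta.com with SMTP id 3UR1E2IMOVE; Sun, 28 Dec 2003 19:52:12 -0400
Received: from tvwgn.devertansparta.com (HELO tvwgn) (169.254.43.210) by mail.viveksharma.com with SMTP; Sun, 28 Dec 2003 19:52:12 -0400
From: "Rlgu Dt"
To: "Vivek Uowep"
Subject: Vivek, =?ISO-8859-1?B?cmVhY2hpbmcgeW91ciBpbnRlcm5ldCBtYXJrZXQ=?=
Message-ID: NGBBKGHMANKNGCMIMKBLKEIOLMAA.UCDUYDYLUTQZ@AITFogakt.devertansparta.com
Content-Type: text/html; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-BBounce: geb099

<html><body>
<a href="http://vnupsmwfjd.devertansparta.com/optin/index.html"><img src="http://avwhhwna.devertansparta.com/optin/logo.gif" border="0"></a>
<a href="http://jxbhwyuky.mzmvbjyridrtfd-mzmvb.devertansparta.com/u.cgi?e=vivek!viveksharma.com&l=geb099">
<img src="http://jxbhwyuky.mzmvbjyridrtfd-mzmvb.devertansparta.com/logo.gif?vivek-viveksharma.com-avwhhwnafjzdkezre" border="0"></a>
</body></html>
"""

# Assumption: the (redacted) hosts whose Received lines you yourself wrote.
MY_HOSTS = {"xxxx.xxxxxxxxxxx.com"}

RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s+\((?P<ip>[^)]+)\)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def parse_received(msg):
    """One dict per Received header, newest first.  An IP slot that does not
    parse (the redacted xxx.xxx.xxx.xxx) is recorded as None."""
    hops = []
    for raw in msg.get_all("Received") or []:
        raw = " ".join(raw.split())  # unfold continuation lines
        hop = {"from": None, "helo": None, "ip": None, "by": None, "raw": raw}
        m = RECEIVED_RE.match(raw)
        if m:
            hop.update({k: v.lower() for k, v in m.groupdict().items() if v})
            try:
                ipaddress.ip_address(hop["ip"])
            except ValueError:
                hop["ip"] = None
        hops.append(hop)
    return hops


def sender_ip(hops, my_hosts):
    """The only believable IP is the one stamped by your own server.  Returns
    it plus the hops beneath it, which the sender wrote itself."""
    for i, hop in enumerate(hops):
        if hop["by"] in my_hosts and hop["ip"]:
            return hop["ip"], hops[i + 1:]
    return None, hops


def bogus_ips(hops):
    """Claimed hop addresses that cannot be Internet senders (private,
    link-local, loopback): proof the hop was forged."""
    return [h["ip"] for h in hops
            if h["ip"] and not ipaddress.ip_address(h["ip"]).is_global]


def registrable(host):
    # Assumption: last two labels.  Use the Public Suffix List for real work.
    return ".".join(host.lower().split(".")[-2:])


def extract_indicators(raw, my_hosts=MY_HOSTS):
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode(
        msg.get_content_charset() or "ascii", "replace")
    urls = sorted(set(URL_RE.findall(body)))
    hops = parse_received(msg)

    hosts = {urlsplit(u).hostname.lower() for u in urls}
    for hop in hops:
        hosts.update(hop[k] for k in ("from", "helo", "by")
                     if hop[k] and "." in hop[k])
    hosts.add(msg["Message-ID"].rsplit("@", 1)[-1].strip("<> ").lower())
    hosts -= set(my_hosts)

    ip, claimed = sender_ip(hops, my_hosts)
    # URLs carrying the recipient's own domain are web bugs: rendering the
    # mail confirms to the spammer that the address is live.
    rcpt_domain = msg["Delivered-To"].rsplit("@", 1)[-1].lower()
    return {
        "subject": str(make_header(decode_header(msg["Subject"]))),
        "urls": urls,
        "hosts": sorted(hosts),
        "domains": Counter(registrable(h) for h in hosts),
        "sender_ip": ip,
        "bogus_ips": bogus_ips(claimed),
        "tracking_urls": [u for u in urls if rcpt_domain in u.lower()],
    }


if __name__ == "__main__":
    for key, value in extract_indicators(RAW_SPAM).items():
        print(f"{key}: {value}")
```

Run against the message above it reports 65.208.147.70 as the only sender address worth anything, flags 169.254.43.210 as forged, decodes the base64 subject, and counts six distinct hosts under devertansparta.com against one under the recipient's own domain, which is the "common thread" the text arrives at by eye.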

Step 2: Verify "live" domains

There's lots of junk information in spam messages, designed to throw off the casual user. If you remember the spam economics, however, you will realize that there's something valid somewhere in the message. This step helps you figure out how to get to that primary information. The main tool we will use to verify the domain is 'ping', which sends ICMP echo requests to the computer registered to answer for the given domain and reports whether it replied. Rather than focus on how to get ping working on your computer, I'll refer you to some internet resources that expose a web interface to ping. Do a google or internet search for "ping looking glass" [result here]. You'll get back some sites that offer to do "bgp, ping, traceroute, domain lookup..." etc. Pick one and you'll find a text field or two to fill in. This is where you paste in the domain(s) you found in step 1. Pick 'ping' as the type of query you want to try and hit submit. If the domain is live, you'll get back a result like this:

Translating "DEVERTANSPARTA.COM"...domain server (207.99.0.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 65.208.146.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/82/96 ms

Btw, the "domain server (207.99.0.1)" bit above is not the spammer's name server: it is the DNS resolver that the looking-glass router itself used to translate the name. The servers that actually answer for the spammer's domain come out of whois in step 3. It is an easy mistake to make, and reporting that address as the spammer's infrastructure would send your complaint to the wrong people.

Advanced note: If ping does not seem to work, the remote destination may be filtering the protocol ping uses (ICMP), which says nothing about whether the web server is up. In that case use the telnet tool (available from the command line on most OSes) to connect to individual ports: try HTTP (port 80) and SMTP (port 25) for starters; if the connection opens, the host is live. You can also use nslookup to see what the domain resolves to, and to check whether a reverse lookup of the IP address points back at the spammer's domain [Tip from Alex Wetmore].

Step 3: Drilling further...

Your operating system probably includes many useful tools such as traceroute, ping (which we used previously), nslookup, dig, and whois. We'll abstract from the differences between OSes and stick with the many web interfaces instead. The most useful one to try first is a whois interface (try a search engine again, or use a registrar like Internic). Here is what I found by entering the sample domain (be sure to check "domain" as the type of query):

   Domain Name: DEVERTANSPARTA.COM
   Registrar: BULKREGISTER, LLC.
   Whois Server: whois.bulkregister.com
   Referral URL: http://www.bulkregister.com
   Name Server: NS3.DICEWEBHOSTING.COM
   Name Server: NS4.DICEWEBHOSTING.COM
   Status: ACTIVE
   Updated Date: 21-nov-2003
   Creation Date: 21-nov-2003
   Expiration Date: 21-nov-2004

I also looked up 207.99.0.1, the "domain server" address that came back with the ping in step 2, to see whose machine it is. Here is that result:

   WHITESQUIRREL.COM
   NS2.CANAANTECHS.COM
   NS1.NAC.NET
   207.99.0.1

That address is the resolver the looking-glass router uses (the lookup returns names at nac.net and a couple of small hosting outfits), not anything the spammer runs, so there is no big conspiracy here. The lesson is to check what an address actually is before you report it. Now back to the first set of results. Whois tells us who registered this domain and, through the name servers, who is probably hosting this spammer: the registrar is bulkregister.com and the hoster seems to be dicewebhosting.com. Note also that the domain was created on 21-nov-2003, about five weeks before the message arrived, which is typical of a throwaway spam domain. But how do we actually get the spammer's information? 1) you could ask by replying to the original email (don't: remember the spam economics), or 2) you could try to get it from the registrar. Opting (btw: "opt" is a word spammers grossly misuse!) for the latter, after going to bulkregister.com and trying a whois search on their database of clients, lo-and-behold:

XXXXXXX XXXXXXX 
   XXX XXX. XXX XXXXX
   Kuala Lumpur,  XXXXX
   MY

   Domain Name: DEVERTANSPARTA.COM

   Administrative Contact:

        XXXXXX XXXXX XXXXX XXXXXX@XXXXXX.com
        XXXXXXX XXXXXXX
        XXX XXX. XXX XXXXX
        Kuala Lumpur,  XXXXX
        MY

        Phone: +XX X XXXX XXXX 
        Fax:

   Technical Contact:

        XXXXXXXX XXXXXXXXXX XXXXXXX@XXXXXXXXXX.com
        XXX XXX XXXXXX XXX.
        XXX XXXXXXX XX

        Makati City, XXXXXX XX NA
        PH

        Phone: +XX X XXX-XXXX 

        Fax: 

   Record updated on 2003-11-21 02:14:59
   Record created on 2003-11-21
   Record expires on 2004-11-21
   Database last updated on 2003-12-29 16:08:52 EST

Of course it is no surprise that this spammer is from outside the US :). Note: I X'd out the details because it would be silly for me to stoop to the same level as a spammer... plus it's an exercise for the reader. Bear in mind, too, that nothing forces a spammer to put true details into a registration record, so treat these as leads rather than facts.
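Steps 2 and 3 both produce free-form text that you end up reading by eye. The script below, an added example that is not code from the original post, treats the looking-glass and whois output quoted above as data: it separates the looking glass's own resolver from the IP the domain actually resolves to, pulls the registrar and name servers out of the whois record, and turns the creation date into a domain age relative to the time the spam arrived. RECEIVED_AT and SENDER_IP are taken from the top Received header in Step 1. The same_block() check and the tcp_probe() fallback (the "telnet to port 80/25" trick from the advanced note, which needs network access and so is not called by the demo) are additions beyond what the text shows.

```python
"""Parse Step 2/3 output and put a number on how new the spam domain is.

Added example, not from the original post.  The two text blobs are the
looking-glass and whois results quoted above; the redacted registrant
record is not used.
"""
import ipaddress
import re
import socket
from datetime import datetime, timezone

LOOKING_GLASS = """\
Translating "DEVERTANSPARTA.COM"...domain server (207.99.0.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 65.208.146.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/82/96 ms
"""

WHOIS = """\
   Domain Name: DEVERTANSPARTA.COM
   Registrar: BULKREGISTER, LLC.
   Whois Server: whois.bulkregister.com
   Referral URL: http://www.bulkregister.com
   Name Server: NS3.DICEWEBHOSTING.COM
   Name Server: NS4.DICEWEBHOSTING.COM
   Status: ACTIVE
   Updated Date: 21-nov-2003
   Creation Date: 21-nov-2003
   Expiration Date: 21-nov-2004
"""

# From the top Received header in Step 1: when the mail hit the author's
# server, and the sending IP that server recorded.
RECEIVED_AT = datetime(2003, 12, 29, 3, 45, 11, tzinfo=timezone.utc)
SENDER_IP = "65.208.147.70"


def parse_looking_glass(text):
    """Return (resolver_ip, target_ip, success_percent).  The "domain server"
    is the looking-glass router's own DNS resolver, not a server of the
    domain being looked up; only the target IP belongs to the spammer."""
    resolver = re.search(r"domain server \(([\d.]+)\)", text)
    target = re.search(r"ICMP Echos to ([\d.]+)", text)
    rate = re.search(r"Success rate is (\d+) percent", text)
    return (resolver.group(1) if resolver else None,
            target.group(1) if target else None,
            int(rate.group(1)) if rate else None)


def parse_whois(text):
    """'Key: value' lines into a dict; repeated keys (Name Server) become lists."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not value:
            continue
        key = key.lower().replace(" ", "_")
        if key in out:
            prev = out[key] if isinstance(out[key], list) else [out[key]]
            out[key] = prev + [value]
        else:
            out[key] = value
    return out


def parse_whois_date(text):
    """Registrars print dates in several styles; try the common ones."""
    for fmt in ("%d-%b-%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(text.split()[0], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised whois date {text!r}")


def domain_age_days(whois, when):
    """Days between registration and the spam arriving; throwaway domains
    are typically days or weeks old."""
    return (when - parse_whois_date(whois["creation_date"])).days


def same_block(ip_a, ip_b, prefixlen):
    """True if both addresses sit in one /prefixlen: a hint, not proof, that
    the mail sender and the web host share a provider."""
    def net(ip):
        return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return net(ip_a) == net(ip_b)


def tcp_probe(host, ports=(80, 25), timeout=3.0):
    """The 'telnet to a port' fallback when ICMP is filtered.  Needs network
    access (not called by the demo); many residential ISPs block outbound 25."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


def analyse(lg_text=LOOKING_GLASS, whois_text=WHOIS, when=RECEIVED_AT):
    resolver, target, rate = parse_looking_glass(lg_text)
    w = parse_whois(whois_text)
    return {
        "looking_glass_resolver": resolver,  # not the spammer's machine
        "web_host_ip": target,
        "ping_success_pct": rate,
        "registrar": w["registrar"],
        "name_servers": w["name_server"],
        "domain_age_days": domain_age_days(w, when),
        "sender_web_same_slash23": same_block(SENDER_IP, target, 23),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

On the page's data this yields a 38-day-old domain whose mail sender (65.208.147.70) and web host (65.208.146.17) sit in the same /23, which is worth mentioning in a complaint to the hoster but is not by itself evidence that one party runs both.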

Steps you can take

This is the tricky part... There are no magic bullets for spam prevention! So what can you do now with this information?

Report the spam: Here you are largely helping others, but your karma index will increase and you will be loved by all. Report to spam reporting services like spamcop.net, or to the FTC (ftc.gov). There are good follow-ups at spam.abuse.net and spamcon.org.

Report to the web hoster: Chances are the web hoster is in cahoots, but it might be worth a try. Worst case, you can report the web hoster too!

Report to the name server operator: The name servers whois lists for the domain (dicewebhosting.com in our case) are what point the rest of the world at the spammer, and a small DNS or hosting shop may have no idea what its customer is really doing. Especially if the company is in the US, feel free to submit a complaint saying they are serving DNS for unsolicited mail. In some rare cases the spammer may even be exploiting the hoster or the name server illegally. Make sure you are reporting the right party, though: the resolver address that came back from the looking glass in step 2 is not the spammer's name server.

Report it to your ISP: Your mail service provider (like yahoo.com, hotmail.com) may have a reporting mechanism for you to send in the spam for future blocking.

Block the domain/IP in your mail client: This is a stopgap measure but will work for some number of spammers until they switch domains again.

Block keywords and other characteristics: Your mail client may permit you to set up rules to block mail containing keywords... naughty words are a good indicator, as well as garbled characters and foreign characters. So are ridiculous offers to enlarge mortgages etc. Some client and server pieces also allow you to block malformed messages, images, URLs and other tell-tale signs of spam.

Buy specialty software: This is good if you are willing to drop a few bills to lessen the problem. Outlook 2003 has a new learning filter built in, as does Exchange 2003 (server side). Unix-y people may want to use a combination of procmail and SpamAssassin.

Stop advertising your mail: This is a case of me not following my own advice, but my address has been public for so long that it really no longer matters. I did take steps, however, to remove my address from key sites and substitute it with a mail-to form on my website. This may work for you as well.

Bear it with some humor: This is probably the hardest to do. Yes spam can be annoying, but if you're only mildly annoyed, try simply hitting the delete button... in other words, you are probably the best spam filter that will ever exist, so get rid of that spam manually and don't give the spammer the satisfaction of annoying you!

There you have it. Some simple techniques to help get more information out of that spam email. Send feedback on what you'd like to see next time!

- Vivek Sharma

9 Comments
Not applicable
I hope you realize that those headers are so easily spoofed that they're meaningless. If some ignorant postmasters actually listen to you we can just send them few million e-mails claiming to be from microsoft.com and voila - no more microsoft.com e-mail for them. Hunting down spammers is not as easy as it seems and thanks to Microsoft Windows being so open it's almost impossible (since the originating machine's owner will have no clue that his box is used to send spam).
Not applicable
StickyC.com :: Spammer hunting for fun and profit
Not applicable
Thanks for the feedback -- Microsoft is spending a lot of effort and time on addressing any vulnerabilities that might be leveraged by malicious users. As it is a pretty hard process, it can take time... :).

On your spoofing concerns, yes, it is likely that many items are spoofed. That is why I include this:

"...he/she will have some information in the email that you receive that will allow an actual respondent or unsuspecting clicker to reply or return some data."

The focus of this article is to find one of these "live" return paths, either a non-spoofed email address or domain name, and use that to block spam. In fact, there was another tool announced today which relies on this to work properly (surbl.org), by scanning the body of a message and finding/blocking web addresses used by spammers.

I will note your caveat, however, in that Administrators should not assume that the "from" address is the spammers.

Thanks again!
Not applicable
Take Outs for 12 April 2004
Not applicable
There is some odd "bug/feature" in Outlook 2003 even with the latest filters. Very often a couple of the spams get through to the inbox, but that's not so surprising as this: There is no text, images, links, anything. The whole post is empty. I am not sure if this is caused by the filter or what, but I get a couple of these a day. Either way, why would I want to receive empty mails anyway, and second, if the filter cleans it up and makes it empty, why not just get rid of the whole thing.

It may be caused by some combination of settings. I have setup my Outlook 2003 to show the messages as plain text, no images etc.

Other thing is, very obvious fraud emails get through, i got a ton of Citibank fraud mails just recently. The filters should look if there's obvious spoof going on like: http www.citibank.com <realurl:http some.fraud.com>

I would just filter all mails with such blatantly obvious spoof attempts.
Not applicable
Not sure if the blank messages are anything to do with Outlook, or if everyone suffers, but I get a few of them a week. As the whole thing is blank (including most of the header) I suspect it's possibly a bug in a mass mailer, or a result of someone partially uninstalling a worm or somesuch, but I can't be certain.

I've created a rule in Outlook that deletes messages with no content so they don't cause me any problem, but they are a bit of an oddity...
Not applicable
David L. was kind enough to point me to this blog :)
Just a few thoughts on this.

Advertising your email address? You don't have to.. having a domain and a server receiving mail for it is more than enough.
Consider postmaster, info, webmaster and all standard addresses. Even without advertising them on public places they will get bombed with spam.
Not to mention the fact that some spammers will try about any possible combination that could make a valid user@your domain. They don't mind sending you 400 messages; you'll start to lose your sense of humor.
Now.. if you're 'lucky' enough to have a spammer send from fake FROMs, pulling a Joe job on your domain, then brace for impact. Other spammers will be more than happy to pick up the spoofed from and send spam to it.

Fully qualified spammers are running their operation from China, Russia, India or any other country where you'll rather not want to go after someone and sue them.
They will also be more then happy to provide false information when registering their domain.

Spam is a serious problem, while at least a part of the solution could be provided by dialup/access ISPs. All they would have to do is block all outgoing traffic to remote port 25 except for the traffic that goes via their SMTP servers.
Right now most spam I get is being sent either via open proxies, open relays or otherwise misconfigured computers.

Blocking keywords is a good idea.. if spammers would be nice enough to play with you..
I'm afraid they don't :( how many ways to spell some drugs to enlarge your private parts do you want to see :-)
So basically you can forget about filtering on keywords.

After the last few Joe jobs I've lost my sense of humor when it comes to spam.
Not applicable
Re: Joku and Mat Hall:

Yes, Outlook does not actually delete content from Junk mail; the empty mails are either caused by a crappy mass mailer as Mat says, or by a server-side filter running at your ISP. It is also possible that this may be the reason why the mails get through the filter. I forwarded your mail to someone who has worked closely with Outlook on this feature.
Not applicable
Re: Blank emails...

Yet another follow-up. I talked with another Exchange PM, Simon Attwell, who has worked closely with Outlook on the spam filter.

Loosely quoted: "If there is nothing in the mail, the filter has nothing to draw conclusions from, so the spam probability is indeed low. However, combined with filtering at the gateway (something we are working on), this should get better. The key is to combine multiple sources of information to make a better guess at whether a piece of mail is spam or not."