- Home
- Exchange
- Exchange Team Blog
- Spammer hunting for fun and profit
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
So I get another spam message from a #&%$@ spammer, though this time it evaded my normal filters as the main content was an image. They're getting smarter... but they remain predictable. Here is the first installment in a series to track down spammers, for fun, for education, and sometimes for just plain stress relief :-).
Step 1: Gather the information.
Unless your spammer is spamming just to annoy people, or is incredibly dumb (not out of the question), he/she will have some information in the email that you receive that will allow an actual respondent or unsuspecting clicker to reply or return some data. This is how their business model works: they send out mass generated emails, each with some URL or return address that will be used to accomplish a "hit". Out of a million messages sent in a day, even if 1% reply, that is still significant to a spammer for a day's worth of work! You, however, do not care to really reply, and instead will leverage the reply back information.
So how do you get this information? Chances are that your email client already displays most of the information you need. Look for the following information and cut and paste it into a scratch pad somewhere:
Email addresses: These are of the form something@somedomain.foo. The left of the '@' is the username; the right hand side is the 'domain'.
Domain name: We got one of these through the email address; you can extract more by looking for similar patters throughout the text of the email.
"Click here" web addresses: These will be of the form http://lame.spammerdoofus.com/foo/blas?asdasdyaddayaddd. Again, the important information is the domain part, which is spammerdoofus.com and the sub-domain, which is the "lame" part.
Cross linked content: These are references to images or other files that are not actually part of the email, but when the email is opened in a client, the client will follow these links and display the appropriate files. Images are often referenced through IMG tags.
IP (Internet Protocol) addresses: These are numerical values of the form 127.0.0.0. These might be substituted for the domain portion of email and web addresses in some spam emails.
The best way to get all this information is probably to save the email using your client to somewhere accessible (OE on Windows XP allows you to save emails anywhere as ".eml") files. Usually these are saved as plain text files (some clients may save emails in a proprietary format, in which case you may get some of the information listed above just be investigating the message in the client. You may also have to look at "Message properties" or "View message source" to get to the original format of the message). Try opening this file in a regular text editor, notepad for instance. Here is what I get when I opened the spam in notepad:
Return-Path:
Delivered-To: virtual-viveksharma_com-vivek@viveksharma.com
Received: (qmail 14031 invoked from network); 29 Dec 2003 03:45:11 -0000
Received: from unknown (HELO jpbwdic.devertansparta.com) (65.208.147.70) by xxxx.xxxxxxxxxxx.com with SMTP; 29 Dec 2003 03:45:11 -0000
Received: from mail.viveksharma.com (xxx.xxx.xxx.xxx) by jpbwdic.devertansparta.com with SMTP id 3UR1E2IMOVE; Sun, 28 Dec 2003 19:52:12 -0400
Received: from tvwgn.devertansparta.com (HELO tvwgn) (169.254.43.210) by mail.viveksharma.com with SMTP; Sun, 28 Dec 2003 19:52:12 -0400
Reply-To:
From: "Rlgu Dt"
To: "Vivek Uowep"
References:
Subject: Vivek, =?ISO-8859-1?B?cmVhY2hpbmcgeW91ciBpbnRlcm5ldCBtYXJrZXQ=?=
Date: Sun, 28 Dec 2003 19:52:12 -0700
Message-ID: NGBBKGHMANKNGCMIMKBLKEIOLMAA.UCDUYDYLUTQZ@AITFogakt.devertansparta.com
MIME-Version: 1.0
Content-Type: text/html; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-BBounce: geb099
X-Priority: 3 () Normal
X-MSMail-Priority:X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Normal
Importance:X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Normal
<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 10 (filtered)">
</head>
<body lang=EN-US link=blue vlink=purple>
<a href="http://vnupsmwfjd.devertansparta.com/optin/index.html"><img src="http://avwhhwna.devertansparta.com/optin/logo.gif" border="0"></a>
<br><br>
<br><br>
<a href="http://jxbhwyuky.mzmvbjyridrtfd-mzmvb.devertansparta.com/u.cgi?e=vivek!viveksharma.com&l=geb099">
<img src="http://jxbhwyuky.mzmvbjyridrtfd-mzmvb.devertansparta.com/logo.gif?vivek-viveksharma.com-avwhhwnafjzdkezre" border="0"></a><br><br><br><br>
quyflrtt vdjmtwecipfi cufhzbysy xnnekxcmnhlm bnljrdgv esspvwmdkvj dmguffev<br>
cketqxkxs zolyzaxw qaomxmhjhhte ybefeury tnkqfrygmg xmccwglifruc jcopvusrhl<br>
wlwnocurksc dviaynru gywoqvhd qtndpcqx hirrmpednko ythqvozjxbpr nwiewnbwmcf<br>
vkxpwgy tohjnirvy njjufcgwvuj tnaapkus<br><br>
</body>
</html>
From my example email, I extracted the following:
jpbwdic.devertansparta.com
tvwgn.devertansparta.com
169.254.43.210
vnupsmwfjd.devertansparta.com
jxbhwyuky.mzmvbjyridrtfd-mzmvb.devertansparta.com
The common thread is the domain devertansparta.com, which we will follow up on in the next section.
Step 2: Verify "live" domains
There's lots of crappy information in spam messages, designed to throw the casual user. If you remember the spam economics, however, you will realize that there's something valid somewhere in the message. This step helps you figure out how to get to the primary information. The main tool we will use to verify the domain is 'ping', basically sends geekynerdycomputery messages to the computer registered to answer for the given domain. Rather than focus on how to get ping working on your computer, I'll refer you to some internet resources that can expose a web interface to ping. Do a google or internet search for "ping looking glass" [result here]. You'll get back some sites that offer to do "bgp, ping, traceroute, domain lookup..." etc. Pick one and you'll find a text field or two to to fill in. This is where you will paste in the domain(s) you found in step 1. Pick 'ping' as the type of query you want to try and hit submit. If the domain is live, you'll get back a result like this:
Translating "DEVERTANSPARTA.COM"...domain server (207.99.0.1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 65.208.146.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/82/96 ms
Btw, the domain server bit above (207.99.0.1) also gives us the IP address of the computer which is responsible for pointing other servers to the given domain. We can use this to see who the spammer uses to register their domain name to the rest of the world.
Advanced note: In case ping does not seem to work, it might be the case that the remote destination has firewalled the protocol that ping uses. In this case you can resolve addresses by using the telnet tool (usually available through command line on most OSes) to telnet to different ports. Try HTTP (port 80), SMTP (port 25) for starters. You can also use the tool nslookup to match the IP address to the spammers domain [Tip from Alex Wetmore].
Step 3: Drilling further...
There are probably many useful tools in your operating system such as traceroute, ping (which we used previously), nslookup, dig, and whois. We'll abstract from the different OS'es and stick with using the many web interfaces instead. The most useful one to try first is a whois interface (try a search engine again or use a registrar like Internic). Here is what I found out by entering the sample domain (be sure to check "domain" as the type of query):
Domain Name: DEVERTANSPARTA.COM
Registrar: BULKREGISTER, LLC.
Whois Server: whois.bulkregister.com
Referral URL: http://www.bulkregister.com
Name Server: NS3.DICEWEBHOSTING.COM
Name Server: NS4.DICEWEBHOSTING.COM
Status: ACTIVE
Updated Date: 21-nov-2003
Creation Date: 21-nov-2003
Expiration Date: 21-nov-2004
And at the same time, I tried the name server address we got back through pink in step 2 to see who is responsible for pointing other computers to the spammer's domain. Here is that result:
WHITESQUIRREL.COM
NS2.CANAANTECHS.COM
NS1.NAC.NET
207.99.0.1
This nameserver seems to be a mom and pop shop, supplying services to most anyone, its probably no big spammer conspiracy here. Later on, we'll make good use of this information. For now, let's look at the first set of results. Whois tells us who registered this domain, and who is probably hosting this spammer. The registrar is bulkregister.com and the hoster seems to be dicewebhosting.com. But how do we actually get the spammer's information? 1) you could ask by replying to the original email or 2) you could try and get it from the registrar. Opting (btw: "opt"=a word spammers grossly misuse!) for the latter, after going to bulkregister.com and trying a whois search on their database of clients, and lo-and-behold:
XXXXXXX XXXXXXX
XXX XXX. XXX XXXXX
, XXXXX Kuala Lumpur
MY
Domain Name: DEVERTANSPARTA.COM
Administrative Contact:XXXXXX XXXXX XXXXX XXXXXX@XXXXXX.com
XXXXXXX XXXXXXX
XXX XXX. XXX XXXXX
, XXXXX Kuala Lumpur
MY
Phone: +XX X XXXX XXXX
Fax:
Technical Contact:XXXXXXXX XXXXXXXXXX XXXXXXX@XXXXXXXXXX.com
XXX XXX XXXXXX XXX.
XXX XXXXXXX XX
, XXXXXX XX NA Makati City
PH
Phone: +XX X XXX-XXXX Fax:
Record updated on 2003-11-21 02:14:59
Record created on 2003-11-21
Record expires on 2004-11-21
Database last updated on 2003-12-29 16:08:52 EST
Of course it is no surprise that this spammer is from outside the
Steps you can take
This is the tricky part... There are no magic bullets for spam prevention! So what can you do now with this information?
Report the spam: Here you are largely helping others, but your karma index will increase and you will be loved by all. Report to spam companies like spamcop.net, or industry watchers like ftc.org. There are good follow-ups here at spam.abuse.net and spamcon.org.
Report to the web hoster: Chances are the web hoster is in cahoots, but it might be worth a try. Worst case, you can report the web hoster too!
Report to the name server: Even though mom and pop shops may be pointing spammers to the rest of the world, chances are they are not aware of the real intentions of the spammer. Especially if a company is in the
Report it to your ISP: Your mail service provider (like yahoo.com, hotmail.com) may have a reporting mechanism for you to send in the spam for future blocking.
Block the domain/IP in your mail client: This is a stop gap measure but will work for some number of spammers until they switch domains again.
Block keywords and other characteristics: Your mail client may permit you to set up rules to block mail containing keywords... naughty words are a good indicator, as well as garbled characters and foreign characters. So are ridiculous offers to enlarge mortgages etc. Some client and server pieces also allow you to block malformed messages, images, URLs and other tell-tale signs of spam.
Buy specialty software: This is good if you are willing to drop a few bills to lessen the problem. Outlook 2003 has a new learning filter incorporated as well as Exchange 2003 (server side). Unix-y people may want to use a combination of procmail and spamassasin.
Stop advertising your mail: This is a case of me not following my own advice, but my address has been public for so long that it really no longer matters. I did take steps, however, to remove my address from key sites and substitute it with a mail-to form on my website. This may work for you as well.
Bear it with some humor: This is probably the hardest to do. Yes spam can be annoying, but if you're only mildly annoyed, try simply hitting the delete button... in other words, you are probably the best spam filter that will ever exist, so get rid of that spam manually and don't give the spammer the satisfaction of annoying you!
There you have it. Some simple techniques to help get more information out of that spam email. Send feedback on what you'd like to see next time!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.