More on how to fight Usenet spam...

Look at what Dale Amon has to say about the power of email protest:

“One doesn't have to call for a ‘mail bomb.’ It just happens. Whenever I see spam, I automatically send one copy of their message back to them. I figure that thousands of others are doing the same. If they (the spammers) hide their return address, I find it and post it if I have time. I have no compunctions and no guilt over it.”

Now Dale is also the founder and technical director of the largest and oldest ISP in Northern Ireland. So he knows some more ways to zap spammers. And we are about to learn one of them.

Our objective is to find out who connects this outfit to the Internet, and take out that connection! Believe me, when the people who run an ISP find out one of their customers is a spammer, they usually waste no time kicking him or her out.

Our first step will be to dissect the header of this post to see how it was forged and where.

Since my newsreader (tin) doesn’t have a way to show headers, I use the “m” command to email a copy of this post to my shell account.

It arrives a few minutes later. I open it in the email program “Pine” and get a richly detailed header:

Path: sloth.swcp.com!news.ironhorse.com!news.uoregon.edu!
vixen.cso.uiuc.edu!news.stealth.net!nntp04.primenet.com!
nntp.primenet.com!gatech!nntp0.mindspring.com!
news.mindspring.com!uunet!in2.uu.net!OzEmail!OzEmail-In!news
From: glennys e clarke <ppgc@ozemail.com.au>
NNTP-Posting-Host: 203.15.166.46
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.22 (Windows; I; 16bit)

The first item in this header is definitely genuine: sloth.swcp.com. It’s the computer my ISP uses to host the news groups. It was the last link in the chain of computers that have passed this spam around the world.

*******************
Newbie Note #2: Internet host computers all have names which double as their Net addresses. “Sloth” is the name of one of the computers owned by the company which has the “domain name” swcp.com. So “sloth” is kind of like the news server computer’s first name, and “swcp.com” the second name. “Sloth” is also kind of like the street address, and “swcp.com” kind of like the city, state and zip code. “Swcp.com” is the domain name owned by Southwest Cyberport. All host computers also have numerical versions of their names, e.g. 203.15.166.46.
*******************

Let’s next do the obvious. The header says this post was composed on the host 203.15.166.46. So we telnet to its nntp server (port 119):

telnet 203.15.166.46 119

We get back:

Trying 203.15.166.46 ...
telnet: connect: Connection refused

This looks a lot like a phony item. If this really was a computer that handles news groups, it should have an NNTP port that accepts visitors. It might only accept a visitor for the split second it takes to see that I am not authorized to use it. But in this case it refuses any connection whatever.

There is another explanation: there is a firewall on this computer that filters out packets from anyone but authorized users. But this is not common in a computer serving a spammer dating service.
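The header dissection above (reading the Path chain and NNTP-Posting-Host) and the telnet probe of port 119 can both be done with a short script. The following is an added example written for this page, not code from Happy Hacker or from tin or Pine. The sample header is the one printed above, with its wrapped Path line folded onto continuation lines; the cross-checks in `consistency_notes` are heuristics of my own, not a standard.

```python
"""Dissect a Usenet article header the way the article above does, then
classify what a TCP connection to the claimed posting host's NNTP port does.

Added example for this page; not the page's own code."""
import ipaddress
import socket
import sys

# Sample input: the header shown on the page. Continuation lines are
# indented, which is how folded header lines are marked in real articles.
SAMPLE_HEADER = """\
Path: sloth.swcp.com!news.ironhorse.com!news.uoregon.edu!
 vixen.cso.uiuc.edu!news.stealth.net!nntp04.primenet.com!
 nntp.primenet.com!gatech!nntp0.mindspring.com!
 news.mindspring.com!uunet!in2.uu.net!OzEmail!OzEmail-In!news
From: glennys e clarke <ppgc@ozemail.com.au>
NNTP-Posting-Host: 203.15.166.46
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.22 (Windows; I; 16bit)
"""


def parse_header(text):
    """Return header fields as {lowercased name: value}.

    A line starting with whitespace continues the previous field. Path
    never contains spaces, so its pieces are joined directly; other fields
    keep a single space where the fold was."""
    fields = {}
    name = None
    for line in text.splitlines():
        if not line.strip():
            break                                   # blank line ends the header
        if line[0] in " \t" and name is not None:
            sep = "" if name == "path" else " "
            fields[name] += sep + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        fields[name] = value.strip()
    return fields


def path_hops(fields):
    """Path as a list. Each relaying server prepends its own name, so index 0
    is the reader's server (sloth.swcp.com on the page) and the last entry
    is the name the injecting server recorded for the poster."""
    return [hop for hop in fields.get("path", "").split("!") if hop]


def posting_host(fields):
    """NNTP-Posting-Host as an IP address object, or None if the field is
    absent or holds a hostname rather than a numeric address."""
    try:
        return ipaddress.ip_address(fields.get("nntp-posting-host", ""))
    except ValueError:
        return None


def consistency_notes(fields):
    """Heuristic cross-checks between fields (assumptions of this example).
    Each note is a hint worth a closer look, not proof of forgery."""
    notes = []
    hops = path_hops(fields)
    host = posting_host(fields)
    if host is None:
        notes.append("NNTP-Posting-Host is missing or not a numeric address")
    elif host.is_private or host.is_loopback:
        notes.append(f"NNTP-Posting-Host {host} is not a public address")
    domain = fields.get("from", "").rsplit("@", 1)[-1].rstrip("> ").lower()
    org = domain.split(".")[0]
    if org and not any(org in hop.lower() for hop in hops):
        notes.append(f"From domain '{domain}' matches no Path hop")
    return notes


def probe_nntp(host, port=119, timeout=5.0):
    """Do what 'telnet host 119' does and classify the result.
    'refused' is the Connection refused case on the page; a firewall that
    silently drops the packets shows up as 'timeout' instead."""
    try:
        with socket.create_connection((str(host), port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


if __name__ == "__main__":
    fields = parse_header(SAMPLE_HEADER)
    hops = path_hops(fields)
    print("reader's server :", hops[0])
    print("injection point :", hops[-1], f"({len(hops)} hops)")
    print("posting host    :", posting_host(fields))
    print("notes           :", consistency_notes(fields) or "none")
    if len(sys.argv) > 1:                            # optional: probe a host
        print("port 119        :", probe_nntp(sys.argv[1]))
```

Run it with no arguments to see the header summary; pass a host name or address to also attempt the port 119 connection. Note that a refused connection and a dropped one are reported differently, which is exactly the distinction the two explanations above turn on.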

More how to fight Usenet spam --->>

 © 2013 Happy Hacker All rights reserved.