This was written
back in the dawn of the war against spammers, in 1996. Nowadays
email spam is a much more serious problem, and spammers are much
more sophisticated. For more up-to-date information, see The Happy
Hacker
book.
GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 5
It's vigilante phun day again! How get email spammers kicked off their ISPs.
_______________________________________________________
So, have you been out on Usenet blasting spammers? It's phun,
right?
But if you have ever done much posting to Usenet news groups,
you will notice that soon after you post, you will often get
spam email. This is mostly thanks to Lightning Bolt, a program
written by Jeff Slayton to strip huge volumes of email addresses
from Usenet posts.
Here's one I recently got:
Received:from mail.gnn.com (70.los-angeles-3.ca.dial-access.att.net
[165.238.38.70]) by mail-e2b-service.gnn.com (8.7.1/8.6.9) with
SMTP id BAA14636; Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Date: Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Message-Id: <199608170555.BAA14636@mail-e2b-service.gnn.com>
To:
Subject: Forever
From: FREE@Heaven.com
"FREE" House and lot in "HEAVEN"
Reserve yours now, do it today, do not
wait. It is FREE
just for the asking. You receive a Personalized Deed and detailed
Map to your home in HEAVEN. Send your name and address along
with a one time minimum donation of $1.98 cash, check, or money
order to help cover s/h cost
TO: Saint Peter's
Estates
P.O. Box
9864
Bakersfield,CA
93389-9864
This is a gated community and it is "FREE".
Total satisfaction for 2 thousand years to date.
>From the Gate Keeper. 9PS. See you at the Pearly
Gates)
GOD will Bless you.
Now it is a pretty good guess that this spam has a forged
header. To
identify the culprit, we employ the same command that we used
with Usenet spam:
whois heaven.com
We get the answer:
Time Warner Cable
Broadband Applications (HEAVEN-DOM)
2210 W. Olive Avenue
Burbank, CA 91506
Domain Name: HEAVEN.COM
Administrative Contact, Technical Contact, Zone Contact,
Billing Contact:
Melo, Michael (MM428) michael@HEAVEN.COM
(818) 295-6671
Record
last updated on 02-Apr-96.
Record
created on 17-Jun-93.
Domain servers in listed order:
CHEX.HEAVEN.COM
206.17.180.2
NOC.CERF.NET
192.153.156.22
>From this we conclude that this is either genuine (fat
chance) or a better forgery than most. So let's try to finger
FREE@heaven.com.
First, let's check out the return email address:
finger FREE@heaven.com
We get:
[heaven.com]
finger: heaven.com:
Connection timed out
There are several possible reasons for this. One is that the
systems
administrator for heaven.com has disabled the finger port. Another
is that heaven.com is inactive. It could be on a host computer
that is turned off, or maybe just an orphan.
*********************
Newbie note: You can register domain names without setting them
up on a
computer anywhere. You just pay your money and Internic, which
registers domain names, will put it aside for your use. However,
if you don't get it hosted by a computer on the Internet within
a few weeks, you may loose your registration.
*********************
We can test these hypotheses with the ping command. This command
tells you whether a computer is currently hooked up to the Internet
and how good its connection is.
Now ping, like most kewl hacker tools, can be used for either
information or as a means of attack. But I am going to make you
wait in dire suspense for a later Guide to (mostly) Harmless
Hacking to tell you how some people use ping. Besides, yes, it
would be *illegal* to use ping as a weapon.
Because of ping's potential for mayhem, your shell account
may have disabled the use of ping for the casual user. For example,
with my ISP I have to go to the right directory to use it. So
I give the command:
/usr/etc/ping heaven.com
The result is:
heaven.com is alive
***********************
Technical Tip: On some versions of Unix,giving the command "ping"
will start your computer pinging the target over and over again
without stopping. To get out of the ping command, hold down the
control key and type "c". And be patient, next Guide
to (mostly) Harmless Hacking will tell you more about the serious
hacking uses of ping.
***********************
Well, this answer means heaven.com is hooked up to the Internet
right now. Does it allow logins? We test this with:
telnet heaven.com
This should get us to a screen that would ask us to give user
name and
password. The result is:
Trying 198.182.200.1
...
telnet: connect: Connection
timed out
OK, now we know that people can't remotely log in to heaven.com.
So it sure looks as if it was an unlikely place for the author
of this spam to have really sent this email.
How about chex.heaven.com? Maybe it is the place where spam
originated? I type in:
telnet chex.heaven.com
79
This is the finger port. I get:
Trying 206.17.180.2
...
telnet: connect: Connection
timed out
I then try to get a screen that would ask me to login with
user name, but once again get "Connection timed out."
This suggests strongly that neither heaven.com or chex.heaven.com
are being used by people to send email. So this is probably a
forged link in the header.
Let's look at another link on the header:
whois gnn.com
The answer is:
America Online (GNN2-DOM)
8619 Westwood Center Drive
Vienna, VA 22182
USA
Domain Name: GNN.COM
Administrative Contact:
Colella, Richard (RC1504)
colella@AOL.NET
703-453-4427
Technical Contact, Zone Contact:
Runge, Michael (MR1268)
runge@AOL.NET
703-453-4420
Billing Contact:
Lyons, Marty (ML45)
marty@AOL.COM
703-453-4411
Record last updated on 07-May-96.
Record created on 22-Jun-93.
Domain servers in listed order:
DNS-01.GNN.COM
204.148.98.241
DNS-AOL.ANS.NET
198.83.210.28
Whoa! GNN.com is owned by America Online. Now America Online,
like Compuserve, is a computer network of its own that has gateways
into the Internet. So it isn't real likely that heaven.com would
be routing email through AOL, is it? It would be almost like
finding a header that claims its email was routed through the
wide area network of some Fortune 500 corporation. So this gives
yet more evidence that the first link in the header, heaven.com,
was forged.
In fact, it's starting to look like a good bet that our spammer
is some
newbie who just graduated from AOL training wheels. Having decided
there is money in forging spam, he or she may have gotten a shell
account offered by the AOL subsidiary, GNN. Then with a shell
account he or she could get seriously into forging email.
Sounds logical, huh? Ah, but let's not jump to conclusions.
This is just a hypothesis and it may be wrong. So let's check
out the remaining link in this header:
whois att.net
The answer is:
AT&T EasyLink Services (ATT2-DOM)
400 Interpace Pkwy
Room B3C25
Parsippany, NJ 07054-1113
US
Domain Name: ATT.NET
Administrative Contact, Technical Contact, Zone
Contact:
DNS Technical Support (DTS-ORG)
hostmaster@ATTMAIL.COM
314-519-5708
Billing Contact:
Gardner, Pat (PG756)
pegardner@ATTMAIL.COM
201-331-4453
Record last updated on 27-Jun-96.
Record created on 13-Dec-93.
Domain servers in listed order:
ORCU.OR.BR.NP.ELS-GMS.ATT.NET199.191.129.139
WYCU.WY.BR.NP.ELS-GMS.ATT.NET199.191.128.43
OHCU.OH.MT.NP.ELS-GMS.ATT.NET199.191.144.75
MACU.MA.MT.NP.ELS-GMS.ATT.NET199.191.145.136
Another valid domain! So this is a reasonably ingenious forgery.
The culprit could have sent email from any of heaven.com, gnn.com
or att.net. We know heaven.com is highly unlikely because we
can't get even the login port to work. But we still have gnn.com
and att.net as suspected homes for this spammer.
The next step is to email a copy of this spam *including headers*
to both postmaster@gnn.com (usually a good guess for the email
address of the person who takes complaints) and runge@AOL.NET,
who is listed by whois as the technical contact. We should also
email either postmaster@att.net (the good guess) or hostmaster@ATTMAIL.COM
(technical contact). Also email postmaster@heaven.com, abuse@heaven.com
and root@heaven.com to let them know how their domain name is
being used.
Presumably one of the people reading email sent to these addresses
will use the email message id number to look up who forged this
email. Once the culprit is discovered, he or she usually is kicked
out of the ISP.
But here is a shortcut. If you have been spammed by this guy,
lots of other people probably have been, too. There's a news
group on the Usenet where people can exchange information on
both email and Usenet spammers,
news.admin.net-abuse.misc. Let's pay it a visit and see what
people may have dug up on FREE@heaven.com. Sure enough, I find
a post on this heaven scam:
From: bartleym@helium.iecorp.com (Matt Bartley)
Newsgroups: news.admin.net-abuse.misc
Subject: junk email - Free B 4 U - FREE@Heaven.com
Supersedes: <4uvq4a$3ju@helium.iecorp.com>
Date: 15 Aug 1996 14:08:47 -0700
Organization: Interstate Electronics Corporation
Lines: 87
Message-ID: <4v03kv$73@helium.iecorp.com>
NNTP-Posting-Host: helium.iecorp.com
(snip)
No doubt a made-up From: header which happened to hit a real
domain name.
Postmasters at att.net, gnn.com and heaven.com notified.
gnn.com has already stated that it came from att.net, forged
to look like it came from gnn. Clearly the first Received:
header is inconsistent.
Now we know that if you want to complain about this spam,
the best place to send a complaint is postmaster@att.net.
But how well does writing a letter of complaint actually work?
I asked ISP owner Dale Amon. He replied, "From the small
number of spam messages I have been seeing - given the number
of generations of exponential net growth I have seen in 20 years
- the system appears to be *strongly* self regulating. Government
and legal systems don't work nearly so well.
"I applaud Carolyn's efforts in this area. She is absolutely
right. Spammers are controlled by the market. If enough people
are annoyed, they respond. If that action causes problems for
an ISP it puts it in their economic interest to drop customers
who cause such harm, ie the spammers. Economic interest is often
a far stronger and much more effective incentive than legal requirement.
"And remember that I say this as the Technical Director
of the largest ISP in Northern Ireland."
How about suing spammers? Perhaps a bunch of us could get
together a class action suit and drive these guys into bankruptcy?
Systems administrator Terry McIntyre argues, "I am opposed
to attempts to sue spammers. We already have a fairly decent
self-policing mechanism in place.
"Considering that half of everybody on the internet are
newbies (due to the 100% growth rate), I'd say that self-policing
is marvelously effective.
"Invite the gov't to do our work for us, and some damn
bureaucrats will write up Rules and Regulations and Penalties
and all of that nonsense. We have enough of that in the world
outside the 'net; let's not invite any of it to follow us onto
the 'net."
So it looks like Internet professionals prefer to control
spam by having net vigilantes like us track down spammers and
report them to their ISPs. Sounds like phun to me! In fact, it
would be fair to say that without us net vigilantes, the Internet
would probably grind to a halt from the load these spammers would
place on it.
OK, I'm signing off for this column. I look forward to your
contributions to this list. Have some vigilante phun -- and don't
get busted!
_______________________________________________________
Want to share some kewl stuph? Tell me I'm terrific? Flame
me? For the first two, I'm at . Please
direct flames to
dev/null@cmeinel.com. Happy hacking!
© 1996 Carolyn P. Meinel. You may forward the GUIDE TO
(mostly) HARMLESS HACKING as long as you leave this notice at
the end. To subscribe, email with message
"subscribe hacker <joe.blow@boring.ISP.net>"
substituting your real email address for Joe Blow's.
