This was written back in the dawn of the war against spammers, in 1996. Nowadays email spam is a much more serious problem, and spammers are much more sophisticated. For more up-to-date information, see The Happy Hacker book.

GUIDE TO (mostly) HARMLESS HACKING

Vol. 1 Number 5

It's vigilante phun day again! How to get email spammers kicked off their ISPs.
_______________________________________________________

So, have you been out on Usenet blasting spammers? It's phun, right?

But if you have ever done much posting to Usenet news groups, you will notice that soon after you post, you will often get spam email. This is mostly thanks to Lightning Bolt, a program written by Jeff Slayton to strip huge volumes of email addresses from Usenet posts.

Here's one I recently got:

Received:from mail.gnn.com (70.los-angeles-3.ca.dial-access.att.net
[165.238.38.70]) by mail-e2b-service.gnn.com (8.7.1/8.6.9) with SMTP id BAA14636; Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Date: Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Message-Id: <199608170555.BAA14636@mail-e2b-service.gnn.com>
To:
Subject: Forever
From: FREE@Heaven.com

                       "FREE"   House and lot in   "HEAVEN"

    Reserve yours now, do it today, do not wait. It is  FREE
just for the asking. You receive a Personalized Deed and detailed Map to your home in HEAVEN. Send your name and address along with a one time minimum donation of $1.98 cash, check, or money order to help cover s/h cost

       TO:  Saint Peter's Estates
          P.O. Box 9864
          Bakersfield,CA 93389-9864

This is a gated community and it is "FREE".

Total satisfaction for 2 thousand years to date.
 
>From the Gate Keeper.   9PS. See you at the Pearly Gates)
                     GOD will Bless you.

Now it is a pretty good guess that this spam has a forged header. To
identify the culprit, we employ the same command that we used with Usenet spam:

        whois heaven.com

We get the answer:

        Time Warner Cable Broadband Applications (HEAVEN-DOM)
           2210 W. Olive Avenue
           Burbank, CA 91506
 
           Domain Name: HEAVEN.COM
 
           Administrative Contact, Technical Contact, Zone Contact,        Billing Contact:
             Melo, Michael  (MM428)  michael@HEAVEN.COM
              (818) 295-6671
 
          Record last updated on 02-Apr-96.
          Record created on 17-Jun-93.
 
           Domain servers in listed order:

          CHEX.HEAVEN.COM              206.17.180.2
          NOC.CERF.NET                 192.153.156.22

From this we conclude that this is either genuine (fat chance) or a better forgery than most. So let's try to finger FREE@heaven.com.

First, let's check out the return email address:

        finger FREE@heaven.com

We get:

        [heaven.com]
        finger: heaven.com: Connection timed out

There are several possible reasons for this. One is that the systems
administrator for heaven.com has disabled the finger port. Another is that heaven.com is inactive. It could be on a host computer that is turned off, or maybe just an orphan.

*********************
Newbie note: You can register domain names without setting them up on a
computer anywhere. You just pay your money and Internic, which registers domain names, will put it aside for your use. However, if you don't get it hosted by a computer on the Internet within a few weeks, you may lose your registration.
*********************

We can test these hypotheses with the ping command. This command tells you whether a computer is currently hooked up to the Internet and how good its connection is.

Now ping, like most kewl hacker tools, can be used for either information or as a means of attack. But I am going to make you wait in dire suspense for a later Guide to (mostly) Harmless Hacking to tell you how some people use ping. Besides, yes, it would be *illegal* to use ping as a weapon.

Because of ping's potential for mayhem, your shell account may have disabled the use of ping for the casual user. For example, with my ISP I have to go to the right directory to use it. So I give the command:

        /usr/etc/ping heaven.com

The result is:

        heaven.com is alive

***********************
Technical Tip: On some versions of Unix, giving the command "ping" will start your computer pinging the target over and over again without stopping. To get out of the ping command, hold down the control key and type "c". And be patient, next Guide to (mostly) Harmless Hacking will tell you more about the serious hacking uses of ping.
***********************

Well, this answer means heaven.com is hooked up to the Internet right now. Does it allow logins? We test this with:

        telnet heaven.com

This should get us to a screen that would ask us to give user name and
password. The result is:

        Trying 198.182.200.1 ...
        telnet: connect: Connection timed out

OK, now we know that people can't remotely log in to heaven.com. So it sure looks as if it was an unlikely place for the author of this spam to have really sent this email.

How about chex.heaven.com? Maybe it is the place where spam originated? I type in:

        telnet  chex.heaven.com 79

This is the finger port. I get:

        Trying 206.17.180.2 ...
        telnet: connect: Connection timed out

I then try to get a screen that would ask me to login with user name, but once again get "Connection timed out."

This strongly suggests that neither heaven.com nor chex.heaven.com is being used by people to send email. So this is probably a forged link in the header.

Let's look at another link on the header:

        whois gnn.com

The answer is:

   America Online (GNN2-DOM)
   8619 Westwood Center Drive
   Vienna, VA 22182
   USA
 
   Domain Name: GNN.COM
 
   Administrative Contact:
      Colella, Richard  (RC1504)  colella@AOL.NET
      703-453-4427
   Technical Contact, Zone Contact:
      Runge, Michael  (MR1268)  runge@AOL.NET
      703-453-4420
   Billing Contact:
      Lyons, Marty  (ML45)  marty@AOL.COM
      703-453-4411
 
   Record last updated on 07-May-96.
   Record created on 22-Jun-93.
 
   Domain servers in listed order:
 
   DNS-01.GNN.COM               204.148.98.241
   DNS-AOL.ANS.NET              198.83.210.28

Whoa! GNN.com is owned by America Online. Now America Online, like Compuserve, is a computer network of its own that has gateways into the Internet. So it isn't real likely that heaven.com would be routing email through AOL, is it? It would be almost like finding a header that claims its email was routed through the wide area network of some Fortune 500 corporation. So this gives yet more evidence that the first link in the header, heaven.com, was forged.
 
In fact, it's starting to look like a good bet that our spammer is some
newbie who just graduated from AOL training wheels. Having decided there is money in forging spam, he or she may have gotten a shell account offered by the AOL subsidiary, GNN. Then with a shell account he or she could get seriously into forging email.

Sounds logical, huh? Ah, but let's not jump to conclusions. This is just a hypothesis and it may be wrong. So let's check out the remaining link in this header:

        whois att.net

The answer is:

   AT&T EasyLink Services (ATT2-DOM)
   400 Interpace Pkwy
   Room B3C25
   Parsippany, NJ 07054-1113
   US
 
   Domain Name: ATT.NET
 
   Administrative Contact, Technical Contact, Zone Contact:
      DNS Technical Support  (DTS-ORG)  hostmaster@ATTMAIL.COM
      314-519-5708
   Billing Contact:
      Gardner, Pat  (PG756)  pegardner@ATTMAIL.COM
      201-331-4453
 
   Record last updated on 27-Jun-96.
   Record created on 13-Dec-93.
 
   Domain servers in listed order:
 
   ORCU.OR.BR.NP.ELS-GMS.ATT.NET   199.191.129.139
   WYCU.WY.BR.NP.ELS-GMS.ATT.NET   199.191.128.43
   OHCU.OH.MT.NP.ELS-GMS.ATT.NET   199.191.144.75
   MACU.MA.MT.NP.ELS-GMS.ATT.NET   199.191.145.136

Another valid domain! So this is a reasonably ingenious forgery. The culprit could have sent email from any of heaven.com, gnn.com or att.net. We know heaven.com is highly unlikely because we can't get even the login port to work. But we still have gnn.com and att.net as suspected homes for this spammer.

The next step is to email a copy of this spam *including headers* to both postmaster@gnn.com (usually a good guess for the email address of the person who takes complaints) and runge@AOL.NET, who is listed by whois as the technical contact. We should also email either postmaster@att.net (the good guess) or hostmaster@ATTMAIL.COM (technical contact). Also email postmaster@heaven.com, abuse@heaven.com and root@heaven.com to let them know how their domain name is being used.

Presumably one of the people reading email sent to these addresses will use the email message id number to look up who forged this email. Once the culprit is discovered, he or she usually is kicked out of the ISP.

But here is a shortcut. If you have been spammed by this guy, lots of other people probably have been, too. There's a news group on the Usenet where people can exchange information on both email and Usenet spammers,
news.admin.net-abuse.misc. Let's pay it a visit and see what people may have dug up on FREE@heaven.com. Sure enough, I find a post on this heaven scam:

From: bartleym@helium.iecorp.com (Matt Bartley)
Newsgroups: news.admin.net-abuse.misc
Subject: junk email - Free B 4 U - FREE@Heaven.com
Supersedes: <4uvq4a$3ju@helium.iecorp.com>
Date: 15 Aug 1996 14:08:47 -0700
Organization: Interstate Electronics Corporation
Lines: 87
Message-ID: <4v03kv$73@helium.iecorp.com>
NNTP-Posting-Host: helium.iecorp.com

(snip)

No doubt a made-up From: header which happened to hit a real domain name.

Postmasters at att.net, gnn.com and heaven.com notified.  gnn.com has already stated that it came from att.net, forged to look like it came from gnn.  Clearly the first Received: header is inconsistent.

Now we know that if you want to complain about this spam, the best place to send a complaint is postmaster@att.net.
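
The inconsistency in the Received: line can also be checked mechanically. The Python below is an added example, not part of the original Guide. It assumes the sendmail-style layout of the header quoted above, where the name after "from" is whatever the sender claimed and the parenthesized host and bracketed IP were written by the receiving server; the function names and the last-two-labels domain shortcut are assumptions made for illustration.

```python
import re

# The Received: line from the spam quoted above, unfolded onto one line.
RECEIVED = (
    "from mail.gnn.com (70.los-angeles-3.ca.dial-access.att.net "
    "[165.238.38.70]) by mail-e2b-service.gnn.com (8.7.1/8.6.9) with SMTP "
    "id BAA14636; Sat, 17 Aug 1996 01:55:06 -0400 (EDT)"
)

# Sendmail-style layout: from <claimed name> (<reverse DNS> [<IP>]) by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def org_domain(host):
    """Naive registrable domain: last two labels (assumption, fine for .com/.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze_received(value):
    """Compare what the sender claimed with what the receiving server recorded."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # collapse folded whitespace
    if m is None:
        raise ValueError("unrecognized Received: layout")
    helo, rdns, ip, by = m.group("helo", "rdns", "ip", "by")
    # The claimed name is typed by the sender; the bracketed IP and its reverse
    # DNS are written by the receiving server, so they are the evidence to trust.
    observed = org_domain(rdns) if rdns else None
    return {
        "claimed_helo": helo,
        "observed_host": rdns,
        "observed_ip": ip,
        "recorded_by": by,
        "helo_mismatch": observed is not None and observed != org_domain(helo),
        "report_to": f"postmaster@{observed}" if observed else None,
    }

if __name__ == "__main__":
    for key, val in analyze_received(RECEIVED).items():
        print(f"{key:14} {val}")
```

Run on the header above, it reports a claimed name in gnn.com against a connecting host in att.net, which is the same conclusion the news group post reached.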

But how well does writing a letter of complaint actually work? I asked ISP owner Dale Amon. He replied, "From the small number of spam messages I have been seeing - given the number of generations of exponential net growth I have seen in 20 years - the system appears to be *strongly* self regulating. Government and legal systems don't work nearly so well.

"I applaud Carolyn's efforts in this area. She is absolutely right. Spammers are controlled by the market. If enough people are annoyed, they respond. If that action causes problems for an ISP it puts it in their economic interest to drop customers who cause such harm, ie the spammers. Economic interest is often a far stronger and much more effective incentive than legal requirement.

"And remember that I say this as the Technical Director of the largest ISP in Northern Ireland."

How about suing spammers? Perhaps a bunch of us could get together a class action suit and drive these guys into bankruptcy?

Systems administrator Terry McIntyre argues, "I am opposed to attempts to sue spammers. We already have a fairly decent self-policing mechanism in place.

"Considering that half of everybody on the internet are newbies (due to the 100% growth rate), I'd say that self-policing is marvelously effective.

"Invite the gov't to do our work for us, and some damn bureaucrats will write up Rules and Regulations and Penalties and all of that nonsense. We have enough of that in the world outside the 'net; let's not invite any of it to follow us onto the 'net."

So it looks like Internet professionals prefer to control spam by having net vigilantes like us track down spammers and report them to their ISPs. Sounds like phun to me! In fact, it would be fair to say that without us net vigilantes, the Internet would probably grind to a halt from the load these spammers would place on it.

OK, I'm signing off for this column. I look forward to your contributions to this list. Have some vigilante phun -- and don't get busted!
_______________________________________________________

Want to share some kewl stuph? Tell me I'm terrific? Flame me? For the first two, I'm at . Please direct flames to
dev/null@cmeinel.com. Happy hacking!
© 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end. To subscribe, email with message "subscribe hacker <joe.blow@boring.ISP.net>" substituting your real email address for Joe Blow's.



 © 2013 Happy Hacker All rights reserved.