Spam

Discussion in 'Software' started by Lance Bombardier, Jan 26, 2004.

  1. Lance Bombardier

    Lance Bombardier Private First Class

    I've really had enough of this spam crap. Is there any active way of getting back at these buggers? Does anybody know of a way we can gang up on them? Surely the MG brains united can fix them up.
     
  2. mr_flea

    mr_flea First Sergeant

    It doesn't actually go to the spammers if you fight back. It goes to hijacked email addresses and slave machines, so the best thing to do is get a good spam filter and don't open any of the emails.
     
  3. Endi

    Endi Lt. Links

    Mr Flea is right, there is no way to fight them. I used to report them to their ISP, used to bounce their emails, used to ask them to stop emailing me. The last one was a real bad idea. There is no way for now to get them. The only way is to get a good anti-spam program

    http://www.majorgeeks.com/download.php?det=2295


    here's one that Major Attitude, Kodo me and other users of this site deemed to be pretty good.

    give it a try and you might decide to buy it.

    :)
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I'm with these guys all the way. Also, tell people you know to never open emails that are blatant spam and especially never click a link or buy from them. Someone's buying this crap or clicking these links or there would be no money for them. The program mentioned works very well, I paid to register it.

     
  5. Lance Bombardier

    Lance Bombardier Private First Class

    This is a bit passive "Mr Flea is right there is no way to fight them." This is supposed to be MAJOR GEEKS, not meek geeks. If these arseholes can attack us then surely we can attack them back.
     
  6. deyb

    deyb Private E-2

    Spam retaliation successful!

    I purchased a domain name and almost immediately, it was hijacked. False email addresses were created and bulk spam was sent using my domain name. I found out about it because the emails bounced and I have a forward for all non-registered email addresses to my own email address.

    When I tried to protect myself through legitimate channels, they all said there was nothing I or they could do, they wouldn't take information from bounced spam, to expect my domain name to get hijacked frequently because it was short, that since my domain sent the spam they would black-list my domain.
    I had _just_ purchased the darned thing and this made me _mad_.

    This is what I did about it (I'll provide details if anyone wants them):

    I found out where the emails originated from the headers.
    I also went to the site link in the spam and researched the site (this is not always safe). This was made difficult by the crackers because they made the links pop up in dialog boxes with no nav, addresses, back button or _anything_. They had also added javascript to prevent "right-click" and "control key" use. In addition, they had the link redirect from "legitimate" sites by using mile-long <HREF> tags that contained only one true working link, and a script on the "legitimate" site to forward to the actual host. But since browsers keep a temporary internet directory, I could just look up where the sites were hosted from the images and files stored there.
    I went directly to the host sites to see what other sites the crackers were operating and who owned them.
    I used DNS to query who owned the hosting machines. This led to additional sites used by the crackers.
    I took all this information and bundled it up into a nice little email that I sent to the admins of the machines that sent the emails, host the spam site, host the additional cracker sites, my domain name provider, the domain name provider for the cracker sites, and the "legitimate" hosting providers. I stated the damage that was being done to the servers by allowing themselves to be cracked, the damage to the registrar's reputations, the damage to legitimate hosts, etc and requested that the crackers be shut down.
    All but two of the sites were shut down and the domain name registrations were revoked. The crackers then went on a rampage sending my real email address (which they got from my domain registrar - public knowledge) tons of viruses. Fortunately, I'm behind a firewall and have virus software scanning all my mail *WHEW*

    My domain name got hijacked only one more time, by the same crackers no less. I did the same thing in retaliation. So far they've left me alone since then (knock on wood). I know that there's nothing short of cracking the cracker's servers that might have any lasting impact, but it sure felt good to do _something_ and even if I didn't put them out of business, I _did_ put a crimp in their operation and they _are_ leaving me alone now. :D

    deyb
    Be at peace with yourself and you grow
    Hate life and its trials and you'll go
    Into the abyss and you'll never be missed
    'cause you left of your own accord
     
  7. alanc

    alanc MajorGeek

    Good for you! Sounds like you pissed off those a$$holes a good one. :D
     
  8. deyb

    deyb Private E-2

    I sure hope so! I just hope there's no long-term mental damage from my brief visit to the world of cracking ;) .
     
  9. deyb

    deyb Private E-2

    Uhhh, I don't know what I did wrong with my signature...
     
  10. deyb

    deyb Private E-2

    signature test
     
  11. Lance Bombardier

    Lance Bombardier Private First Class

    DEYB you beauty. There IS one Major Geek. Could you rewrite in simple steps to suit the likes of me so that I too can bore it up the sods?
     
  12. Freddy

    Freddy Sergeant

    Good for you.

    You've touched on a good point there DEYB. Spammers exist by employing unknowing accomplices. Peel away the layers and they can be squashed like cockroaches.

    Good for you the other hosts were cooperative. It's getting to the point where something might have to be done with people who leave their systems compromised out on the internet. Some have talked about having ISPs validate computers before letting them connect to the net. It might get to that point someday soon.
     
  13. Kodo

    Kodo SNATCHSQUATCH

    it is a waste of time.. unless you're hijacked like deyb, then don't bother. For every spammer you cripple there are 1000's more knocking on your door. This is not being passive, this is being REALISTIC!
    There's no sense in stooping to their level, they'll beat you on experience.
     
  14. InYearsToCome

    InYearsToCome MajorGeek

    Very true. All we can hope is that more and more people start using spam blockers/filters and the problem gets solved somewhat that way (crackers losing money).... rather than MS coming in and introducing Palladium and TCPA as the new safety measure! Those scary possibilities of Palladium that arose so many months ago still linger in my head :(
     
  15. deyb

    deyb Private E-2

    I'm working on making a ppt for you so I can put in screen shots, etc. Then I'll zip it up and hope it's small enough to post ;)

    A few warnings:
    - Do NOT click on a link in a spam unless a) you have an updated anti-virus program b) you're behind a firewall c) you take note of what files (cookies, etc) are downloaded to your tempInternet folder when you access the site and remove them _immediately_ once you've gotten the info from them d) you run a spyware check after access
    - If you pi** these people off, you _will_ become a target. I received various forms of viruses for _months_ after I tangled with these crackers!
    - Don't expect help from sys admins. Most will try to brush you off (they're very busy people). If you remain polite, factual, and persistent, they'll probably help you in the end though
    - Keep all your investigation results in a file. Most of the info won't get sent to others, but info from the internet is here-today-gone-tomorrow so if you run into problems in future, you'll need these files to prove the validity of your info

    On a side note, I've come to the conclusion that the only real way to stop malevolent spammers is going to be from the people who _receive_ the spam, or the porn industry *SIGH*.

    Crackers go to great pains to hide their activities, so the first ones to find out about them are the people who actually get the spam. The machines used to send the spam are clueless because they've been cracked, the user names, email addresses, and domain names are clueless unless they get a bounce, the sites hosting the crackers are clueless because either they're being used as a referral site or they've been cracked or worse/better yet, it's a server set up by the crackers - worse because as soon as you let them know you know you're toast, better because in this case authorities can/will actually do something about it.

    I say the porn industry could have a stake in stopping them because most of the spam I've seen filters back to porn sites. Porn is legitimate to host, but it doesn't draw a lot of popular support - so the crackers can hide behind it. It makes the porn industry look very bad indeed though to be used as a screen for crackers...and since the porn industry fights continually for the first amendment, it seriously hurts their cause.
     
  16. Endi

    Endi Lt. Links


    it is a war, you can win 2 - 3 battles but you will lose the war
    there are too many combatants on their side.
     
  17. Lance Bombardier

    Lance Bombardier Private First Class

    Meek geeks all, you may be right. In fact I suspect that with your greater experience you ARE right, but this is how tyrannies start.

    I will give Deyb's system a run or two and if you never hear from me again you know the spam scum have got me.

    NO TRUCE WITH TYRANTS
     
  18. deyb

    deyb Private E-2

    Well you go Lance! I decided to make it a quick and dirty HTML page. Everyone is open to let me know if I've left anything out, gotten anything wrong or am totally misguided in any of this information ;)

    - except - crud! It's too big to upload at 495 KB :( . I could put it on here as a series of posts or I could email it to you...any other ideas?
     
  19. Lance Bombardier

    Lance Bombardier Private First Class

    Deyb - Post it, mate. There may be another diehard or two out there.
     
  20. offmdan

    offmdan Guest

  21. Kodo

    Kodo SNATCHSQUATCH

    you could ZIP It and post it .
     
  22. deyb

    deyb Private E-2

    That's the zipped size :(
     
  23. deyb

    deyb Private E-2

    Series of posts detailing how to identify malicious spammers/crackers

    I'm going to direct this as if the person reading it has no tech skills because I don't know the level of reader that will be looking at it - if you know the info already, just skip over it. I'll post tutorial pics as we go along. I've targeted the help to IE users, but will offer help for others on request. Everyone feel free to correct me where I'm wrong or fill in information that I've left out.

    Ok, so you get some spam and want to do something about it. First of all, I'd like to clarify that there is a difference between legitimate advertising and malicious spam. A bona fide advertiser has no need to falsify headers, obfuscate URLs, or in other ways hide their origins. Malicious spammers are cracking machines and otherwise using resources that they don't own for their own ends - those ends usually being to rip people off!
     
  24. deyb

    deyb Private E-2

    The first thing you have to do is look at the headers on the email. A valid header looks like this:

    Status: U
    Return-Path: <weekender@newsletters.digitalcity.com>
    Received: from imo-r06.mx.aol.com ([152.163.225.102])
    by tanager (EarthLink SMTP Server) with ESMTP id 1aRtxd57C3NZFmQ0
    Thu, 12 Feb 2004 18:58:30 -0800 (PST)
    Received: from dci-ds28.web.aol.com (dci-ds28.web.aol.com [205.188.218.109])
    by imo-r06.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
    with ESMTP id VAA19484;
    Thu, 12 Feb 2004 21:54:30 -0500 (EST)
    From: weekender@newsletters.digitalcity.com
    Received: from AOLserver (localhost [127.0.0.1])
    by dci-ds28.web.aol.com (8.11.6+Sun/8.9.1) with SMTP id i1D2sTn18492;
    Thu, 12 Feb 2004 21:54:29 -0500 (EST)

    Message-Id: <200402130254.i1D2sTn18492@dci-ds28.web.aol.com>
    To: weekender-members@digitalcity.com
    Reply-To: weekender@digitalcity.com

    Subject: Dallas-Ft. Worth Weekend: Cabaret in Addison, Valentine's Day Ideas...
    Date: Fri, 13 Feb 2004 02:54:29 GMT

    The green text is the main thing you want to be concerned with. This is generally, but not always, the last "Received:" line before the "From:" line. Only generally because "Received:" lines can be faked _after_ the real information. As each server forwards the email, it _pre-pends_ its info. This means that the closer to the top, the closer it is to getting to you. You can tell where the real info starts and false info begins by matching up these lines and making sure that they're mail servers with a DNS query (more on that later). You also need to make sure that the "Received:" line follows the proper format; generally, crackers leave off a line or two because they can't be bothered to come up with valid info. Another way to make sure you've come to the end of valid info is by checking the Server ID. Most mail servers insert their own line with an email identifier so that they can track down emails in their logs (not that I've ever gotten an admin to track one down). The server that creates this ID will be reflected in the last valid "Received:" line.
    Note: The red lines can be easily faked.
     

  25. deyb

    deyb Private E-2

    Ok, so you've verified that the email is malicious spam because the headers have been falsified. What next? Now comes the fun, time-consuming part. Here's the header from a malicious spam:

    Status: U
    Return-Path: <er@yahoo.com>
    Received: from 82.64.66.180 ([82.64.66.180])
    by tanager (EarthLink SMTP Server) with SMTP id 1aRNBB51J3NZFmQ0
    for <deyb1@earthlink.net>; Fri, 13 Feb 2004 16:24:21 -0800 (PST)
    Received: from unknown (HELO BCB) (192.168.78.24)
    by 82.64.66.180 with SMTP; Fri, 13 Feb 2004 16:18:08 -0800
    Message-ID: <00ee01c3f28f$fe779200$a38a50d5@BCB>
    From: "deyb1@earthlink.net" <er@yahoo.com>
    To: "earned@assmang.co.za" <deyb1@earthlink.net>
    Subject: REF: reqs
    Date: Fri, 13 Feb 2004 16:17:56 -0800
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_00EB_01C3F29E.4B3CE41C"
    X-Priority: 3

    The items in red are a dead giveaway that this spam/company is not on the up-and-up, I mean, according to them, I sent _myself_ the spam! The "unknown" leaves us not knowing where the email actually came from, and to compound the problem, the IP address is one inserted by the DNS server. I'm not sure why the authorities thought this was a good idea, but if the server can't do a reverse look-up, the new policy is to insert a DNS server so that the mail will go through. So we're stuck having to research the link from the spam. Don't worry, you're not going to be missing out on any info, the procedure is the same for IP and domain names you find in a header as it is for the spam links we're going to investigate.
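    As an added illustration of the checks in the two header posts above (this is example code, not deyb's tutorial or anything from MajorGeeks), the script below walks the "Received:" chain top to bottom, pulls out the sending host, its IP, the receiving server and the server ID from each line, and flags the signs the posts describe: a sender given as "unknown", a sender IP in one of the private ranges, no server ID that shows up in the Message-ID, and a "From:" display name that is really a different address (or the recipient's own). The two header samples are copied from the posts and trimmed; the regular expressions and the RFC 1918 range list are my assumptions about the common "Received:" layout, not a standard parser.

```python
"""Walk an e-mail's Received: chain and flag the forgery signs described
in the thread.  Added example; header samples are trimmed copies of the
two posted above, everything else is an assumption of this example."""
import email
import email.utils
import ipaddress
import re

# the three private ranges listed later in the thread (RFC 1918)
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Received: from <sender stuff> by <server> ... id <server id>; <date>
RECEIVED_RE = re.compile(r"from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ID_RE = re.compile(r"\bid\s+(?P<id>[^\s;]+)", re.I)

VALID = """Return-Path: <weekender@newsletters.digitalcity.com>
Received: from imo-r06.mx.aol.com ([152.163.225.102])
 by tanager (EarthLink SMTP Server) with ESMTP id 1aRtxd57C3NZFmQ0
 Thu, 12 Feb 2004 18:58:30 -0800 (PST)
Received: from dci-ds28.web.aol.com (dci-ds28.web.aol.com [205.188.218.109])
 by imo-r06.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id VAA19484;
 Thu, 12 Feb 2004 21:54:30 -0500 (EST)
From: weekender@newsletters.digitalcity.com
Received: from AOLserver (localhost [127.0.0.1])
 by dci-ds28.web.aol.com (8.11.6+Sun/8.9.1) with SMTP id i1D2sTn18492;
 Thu, 12 Feb 2004 21:54:29 -0500 (EST)
Message-Id: <200402130254.i1D2sTn18492@dci-ds28.web.aol.com>
To: weekender-members@digitalcity.com

"""

SPAM = """Return-Path: <er@yahoo.com>
Received: from 82.64.66.180 ([82.64.66.180])
 by tanager (EarthLink SMTP Server) with SMTP id 1aRNBB51J3NZFmQ0
 for <deyb1@earthlink.net>; Fri, 13 Feb 2004 16:24:21 -0800 (PST)
Received: from unknown (HELO BCB) (192.168.78.24)
 by 82.64.66.180 with SMTP; Fri, 13 Feb 2004 16:18:08 -0800
Message-ID: <00ee01c3f28f$fe779200$a38a50d5@BCB>
From: "deyb1@earthlink.net" <er@yahoo.com>
To: "earned@assmang.co.za" <deyb1@earthlink.net>

"""


def is_private(ip):
    """True if ip falls in one of the three private ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE)


def parse_received(value):
    """Split one Received: header into sender, IP, receiving server, id."""
    flat = " ".join(value.split())          # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        return {"raw": flat, "malformed": True}
    src = m.group("src")
    ips = IP_RE.findall(src)
    idm = ID_RE.search(flat)
    return {"helo": src.split()[0], "ip": ips[-1] if ips else None,
            "by": m.group("by"), "id": idm.group("id") if idm else None,
            "malformed": False}


def analyze(raw):
    """Return the hop list (top of header first) and a list of warnings."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    flags = []
    for i, hop in enumerate(hops):
        if hop["malformed"]:
            flags.append(f"hop {i}: Received: line lacks from/by form")
            continue
        if hop["helo"].lower() == "unknown":
            flags.append(f"hop {i}: sending host is 'unknown'")
        if hop["ip"] and is_private(hop["ip"]):
            flags.append(f"hop {i}: sender {hop['ip']} is a private address")
    # the server that generated the Message-ID should appear in the chain
    msgid = msg.get("Message-ID", "")
    ids = [h["id"] for h in hops if not h["malformed"] and h["id"]]
    if not any(i in msgid for i in ids):
        flags.append("no Received: id matches the Message-ID")
    from_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    _, to_addr = email.utils.parseaddr(msg.get("To", ""))
    if "@" in from_name and from_name.lower() != from_addr.lower():
        flags.append(f"From: shows {from_name!r} but is really {from_addr!r}")
    if from_name and from_name.lower() == to_addr.lower():
        flags.append("From: display name is the recipient's own address")
    return {"hops": hops, "flags": flags}


if __name__ == "__main__":
    for label, sample in (("valid", VALID), ("spam", SPAM)):
        print(label, analyze(sample)["flags"])
```

The "id matches Message-ID" check is only meaningful for servers that build the Message-ID from their queue id, as the AOL sample does; treat a mismatch as one more clue rather than proof.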
     
  26. deyb

    deyb Private E-2

    You can right-click on the email body (attached) and see how it was put together, all the secret messages that were passed in the spam (you'd be _amazed_ at all the secret messages that are passed with spam!), where the links direct you, the URLs of any included pics, etc.
    Note: I _highly_ recommend you check the HTML code _before_ you go clicking any links from spam!
    Things to note from the HTML:
    - Any additional URLs from inserted images
    - The "opt-out" URL - especially note if the link takes you to a program, form, or HTML page. If it links to a program do NOT go there! If it's a form or HTML page, there's more investigative fodder for you.
    - Any misc. URLs or IP addresses in the HTML code i.e. notes stating that this or that HTML code was transferred from such place, etc
    - The domain name for the main URL - sometimes this can be difficult. The main URL for this example is very straightforward, but serious crackers will take pains to obfuscate the URLs they use, if you have problems figuring out URLs, please let me know and I'll try to help you.
     

  27. deyb

    deyb Private E-2

    Before clicking on anything, trace the information you've uncovered.
    From the HTML code (or company name), do a search on the host/company, see what comes up! In this case, I didn't find much, just a warning that the company isn't legit and uses spam.
    My favorite site for checking URLs and IP addresses is: http://www.dnsstuff.com/. You can also check for this same info (in a more complex format) and if an IP address has been hijacked at http://www.completewhois.com/. Make sure to note the abuse@host.domain addresses for the clues you uncover.
    You can look up the domain name discountcanadarx.biz. A domain name is the two-part section of an address that starts with the host, and ends with .domain.
    - Doing a Reverse DNS lookup, tells you that the IP associated with this URL is 221.232.160.111.
    - Now you can do a WHOIS Lookup on the IP address to find out who hosts the site.
    A Reverse DNS lookup and WHOIS Lookup will also tell you, right at the top, where the host machine is located. In this case, China - which doesn't add legitimacy with the fact that the URL implies that it's a Canadian company.
    - Sometimes you can get lucky with a domain name and do an MX DNS lookup (on the top right of dnsstuff.com - MX means mailserver) and that will tell you what machine is their mail server. If you select "all" instead of "MX", this will also tell you the IP address.
    - You can do a WHOIS Lookup on the domain name and that will tell you who has registered that domain name and sometimes the company they registered it with.
    If desperate, you can do a Tracert. If this ends up at the final destination without timing out (***), it will tell you what the IP and country are.
    A lot of times, a tracert ends on the public server used as an interface for that domain. That will give you a good general idea of the host company owning the URL and the country. Without getting into IP addresses, the thing to remember about valid internet IP addresses is that they cannot be in the ranges:
    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
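    The HTML checklist in the post before last and the lookup advice in the last post can be combined into one pass over a spam's source. The script below is an added example (not deyb's page or anything from the thread): it collects every URL from `<a href>`, `<img src>`, `<form action>` and from comments or other loose text, flags an opt-out link and any link whose path ends in a program extension, and then turns each host into what to look up next: an IP in one of the three private ranges listed above (nothing to look up), a public IP (reverse DNS and WHOIS), or a domain name reduced to the two-part name the post describes (WHOIS and MX). The sample HTML is constructed; the two domains and the IP address in it are the ones mentioned in the thread, the paths and the private addresses are made up.

```python
"""Extract and classify the hosts a spam's HTML points at.  Added example;
the HTML below is constructed for the demonstration."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROGRAM_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs")
OPT_OUT_WORDS = ("opt", "unsubscribe", "remove")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)   # URLs in comments etc.

SAMPLE_HTML = """<html><body>
<!-- template copied from http://10.0.0.3/templates/ -->
<a href="http://www.discountcanadarx.biz/order.html"><img
 src="http://exteme-dm.com/img/pills.gif"></a>
<form action="http://221.232.160.111/cgi-bin/order"><input name="cc"></form>
<a href="http://192.168.5.5/remove.exe">Click here to opt out</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Gather hrefs (with their link text), image sources and form actions."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.forms = [], [], []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def host_of(url):
    """Host the browser would connect to (userinfo before '@' is dropped)."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def classify_host(host):
    """Decide what kind of lookup the host needs."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # naive two-label domain, as the post describes; co.uk-style
        # registries need one more label
        return {"kind": "domain", "lookup": ".".join(host.split(".")[-2:])}
    if any(addr in net for net in PRIVATE):
        return {"kind": "private-ip", "lookup": None}
    return {"kind": "ip", "lookup": str(addr)}


def inspect(html):
    p = LinkCollector()
    p.feed(html)
    p.close()
    report = {"opt_out": [], "program_links": [], "hosts": {}}
    for url, text in p.links:
        path = urlparse(url).path.lower()
        if path.endswith(PROGRAM_EXT):
            report["program_links"].append(url)
        if any(w in text.lower() or w in path for w in OPT_OUT_WORDS):
            report["opt_out"].append(url)
    every_url = [u for u, _ in p.links] + p.images + p.forms + URL_RE.findall(html)
    for url in every_url:
        host = host_of(url)
        if host:
            report["hosts"].setdefault(host, classify_host(host))
    return report


if __name__ == "__main__":
    for host, info in inspect(SAMPLE_HTML)["hosts"].items():
        print(host, info)
```

Anything that lands in `program_links` is a link the post says not to visit at all; the remaining hosts with `kind` other than `private-ip` are the ones to feed into the reverse DNS, WHOIS and MX lookups described above.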
     
  28. deyb

    deyb Private E-2

    Now that you've exhausted all the info you could glean from the HTML code and verified that you won't be clicking on any programs, it's time to go to the URL from the spam.
    To make it easy on yourself, close all browser windows except one.
    Clear out your cache (this image has been posted at http://www.majorgeeks.com/vb/showthread.php?t=28002).
    Now open your temporary internet file and sort on "Last Accessed".
    Now go to the URL from the spam. After the page comes up, you can highlight your temporary internet folder and hit F5 and it will refresh with the documents just downloaded from that site.
    Inspecting those documents, you'll see that, in many cases, there are files downloaded from other URLs or IP addresses. In this case, exteme-dm.com
    With your new information, repeat the DNS investigations. Soon you'll have a whole network of cracker-related sites!

    I have a few more pics for help, but since I can't upload them, let me know if you need more help.

    Next step - What on Earth do I _do_ with all this information?! If anyone needs more info, please let me know in this thread and I'll continue.
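    The cache step in the post above boils down to a timestamp comparison: note when you opened the page, then keep only the cached files accessed after that and group them by host, leaving out the spam site itself. The script below does that over a constructed cache listing (the entries mimic what the browser's temporary files folder would show; it is an added example, not part of the thread, and the file paths are made up while the two hosts are the ones named in the post).

```python
"""Find the third-party hosts a spam page pulled files from, by comparing
cache entries against the time the page was opened.  Added example with a
constructed cache listing."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# constructed listing of (url, last accessed), newest at the bottom
CACHE = [
    ("http://www.example.com/news.html", datetime(2004, 2, 14, 9, 58)),
    ("http://www.discountcanadarx.biz/index.html", datetime(2004, 2, 14, 10, 1)),
    ("http://www.discountcanadarx.biz/pills.jpg", datetime(2004, 2, 14, 10, 1)),
    ("http://exteme-dm.com/track.gif", datetime(2004, 2, 14, 10, 1)),
    ("http://221.232.160.111/cgi-bin/count.cgi", datetime(2004, 2, 14, 10, 2)),
]


def files_since(cache, visited_at):
    """Cache entries accessed at or after the moment the page was opened."""
    return [(url, t) for url, t in cache if t >= visited_at]


def third_party_hosts(cache, visited_at, spam_host):
    """Group the new files by host, dropping the spam site's own host.
    The keys are the next hosts to run DNS/WHOIS lookups on."""
    by_host = defaultdict(list)
    for url, _ in files_since(cache, visited_at):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host and host != spam_host.lower():
            by_host[host].append(parts.path)
    return dict(by_host)


if __name__ == "__main__":
    opened = datetime(2004, 2, 14, 10, 0)
    print(third_party_hosts(CACHE, opened, "www.discountcanadarx.biz"))
```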
     
  29. Lance Bombardier

    Lance Bombardier Private First Class

    Deyb, you beauty. I've been away working (spit, spit) I see you're still flying the flag. Please go on with the info.

    > Next step - What on Earth do I _do_ with all this information?! If anyone needs more info, please let me know in this thread and I'll continue.
     
  30. deyb

    deyb Private E-2

    Well hello again Lance!

    Actually, from when I first posted, to this reply, a lot of changes have been made that make tracking spam much more difficult. The entity registering a domain name can now use their registrar as the main point of contact – in effect, hiding behind their registrar, new security holes have been found in IE that eliminates the need for site redirection, etc. The main thing, is to get the information to someone that is in a position to do something about it…and cares to. So here are some ideas for you. Get creative, I’m sure you can come up with more on your own :) .

    A lot of these spam sites lead back to underground porn sites. The porn industry is one of your best allies in cracking down on spam. Right now, the porn industry is under a lot of pressure from government agencies cracking down on them, so they're taking extra measures to control what goes on in that industry. Sites containing bestiality, child porn, murder, ****, etc, are illegal in the US, so have gone underground or are being served from outside the country. Porn sites tend to gather on specific servers willing to take the flack for hosting porn. If a porn host finds that they are inadvertently hosting an underground site, they will halt it immediately to protect their precarious position. If you can prove (with all the info you've gathered...it's best to be as specific as possible when connecting the sites - I create a web site spelling everything out) that the owner of the underground porn site is also involved with spam sites hosted on their servers, they will shut those down as well.

    In addition, many of the spam sites lead back to dummy companies set up for the sole purpose of stealing credit card or identity information. Domain name registrars are also very keen to protect their reputations, so if your evidence shows that a domain name registered with ABC registrar is being used for these purposes, ABC will revoke that domain name.

    A lot of spam sites will use redirects on free web space to send users to the site host transparently. URL obfuscation is hard to describe, but if you know the basic HTML rules for href, you know all you need to know and can figure out what part of the URL will be read by the browser and which part is junk. If your info shows that free web space is being used for this purpose, and in most instances, when you can identify the URL, you can usually identify the user IDs, both the site and the user IDs will be shut down.
    Good luck in your spam hunts!
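    The post above says that knowing the basic rules for an href is enough to tell which part of an obfuscated URL the browser will actually use. As an added example (not from the thread), the script below applies those rules: anything before an "@" in the authority is user information and not the host, a host written as a bare decimal number is a 32-bit IPv4 address, and a redirect script on free web space usually carries the real destination in its query string, which can be decoded recursively. All URLs in it are constructed, and the decimal-host rule goes slightly beyond what the post spells out.

```python
"""Resolve which host an obfuscated href really points at, and follow a
redirect URL's query parameter to the final destination.  Added example
with constructed URLs."""
import ipaddress
from urllib.parse import parse_qs, unquote, urlparse


def real_host(url):
    """Host the browser connects to: userinfo before '@' is ignored and a
    bare decimal host is a dotted-quad IPv4 address in disguise."""
    host = urlparse(url).hostname or ""
    if host.isdigit():
        host = str(ipaddress.IPv4Address(int(host)))
    return host.lower()


def decode_url(url):
    """Chain of hosts: the one contacted first, then any destination passed
    as a full URL in a redirect script's query string, recursively."""
    chain = [real_host(url)]
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                chain.extend(decode_url(value))
    return chain


if __name__ == "__main__":
    for u in ("http://www.trusted-bank.example@3232235521/login",
              "http://free-pages.example/~user/go.cgi?u=http%3A%2F%2Fwww.pills.example%2F"):
        print(u, "->", decode_url(u))
```

In the first sample the browser never talks to trusted-bank.example; the authority ends at the first "/" and the host is whatever follows the "@", here 3232235521, which is 192.168.0.1 written as one number. The second sample shows why the post says a shut-down of the free web space account is possible: the free host's URL is the one in the spam, the real site only appears in the `u=` parameter.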
     
  31. pegg

    pegg MajorGeek

    Now I'm a Spammer?

    I have probably only received 3 spam messages in a few years (knock on wood). BUT now my e-mail address has been labelled as a spammer!



    OK -- I can't get what I want to copy over to this so see my attachment

    (I'm going to post this as a new thread since I'm desperate and this may get lost in the shuffle)
     
    Last edited: Apr 30, 2004
  32. pegg

    pegg MajorGeek

    I see programs for blocking spam -- and I just downloaded one. But what about this problem? Is there a way to fix it or blocking spammers from getting to YOU?
     
  33. deyb

    deyb Private E-2

    Pegg,

    Your email address isn't labeled as a spammer, your email provider, the email server op1.xlccorp.com has been labeled as a spammer because of all the complaints to SpamCop.

    The mail server at chapelhillchurch.org has been set up so that any email coming from xlccorp.com is blocked. If they have a high-tech system, they could make an exception to the rule to let your email address alone through from that provider. It isn't realistic to think that his company will change the rules so that your email will get through, on the other hand, all they can do is say no, so it doesn't hurt to ask.

    You may want to consider getting a hotmail account or some other free email account for getting messages to your husband - although there's no guarantee those won't be blocked either. You may want to consider changing email/ISP providers to a more reputable (but probably more expensive) one.

    I do find it curious that your email provider has a division devoted to servicing people concerned about spam: http://www.highstream.net/internetsecurity/content/aboutus.asp

    If you want to be active, you could forward the information you posted to their support email: support@highstream.net . I didn't find an abuse@ email on the site or in their DNS info, so hopefully your complaint will get to the proper person.

    Best of luck!
     
  34. pegg

    pegg MajorGeek

    I started a new thread "Now I'm a Spammer" where I replied to you and someone else had already responded too. Thanks for what you said. I'm still not sure what to do overall...but let's continue in that thread so we don't get confused.
     
