Forgot I had this nice little tutorial lying around. Somebody from one of the anti-spam newsgroups lent me quite an explanation when I asked. So here it is, in all its wonderfulness:
----------------------------------------------------------
OK, Tim. Here's what I do. Do you run Windows? In which case, here's a small tutorial:
The standard programs we (tinw*) use are Sam Spade Personal <http://www.samspade.org/ssw/> and NetDemon <http://www.netdemon.net/>. I use Sam Spade more, so the tutorial follows.
Firstly, you copy the full message into your clipboard, then boot Spade. Once that is done, select Tools > Parse Email Headers, click Paste, and click Parse. What follows is a processed list from a recent ZZN (Find Out About...) spam.
---BEGIN CHECK---
From [email protected] Mon Sep 25 08:31:06 2000
Hmmm from isn't a header I recognise
Received: from [210.97.17.6] (helo=dove.kyungin-c.ac.kr) by
carbon.btinternet.com with smtp (Exim 3.03 #83) id
13dSj8-0002Cz-00; Mon, 25 Sep 2000 08:31:04 +0100
This received header was added by your mailserver
carbon.btinternet.com received this from someone claiming
to be [210.97.17.6]
(carbon.btinternet.com doesn't record the senders IP
address in any way I recognise, so it's impossible to be
sure. All received headers after this one should be
treated with suspicion)
Received: from hill.zzn.com by dove.kyungin-c.ac.kr
(SMI-8.6/SMI-SVR4) id QAA10436; Mon, 25 Sep 2000 16:28:03
+0900
dove.kyungin-c.ac.kr received this from someone claiming
to be hill.zzn.com
(dove.kyungin-c.ac.kr doesn't record the senders IP
address in any way I recognise, so it's impossible to be
sure. All received headers after this one should be
treated with suspicion)
Date: Mon, 25 Sep 2000 16:28:03 +0900
From: [email protected]
Message-Id: <[email protected]>
To: [email protected]
Subject: Free Satellite and Cell Vacation Gi
---END PROCESS---
The FROM: and TO: headers can be easily forged, and as you can see two "From" headers are a constant hallmark of the spamware that this b*stard uses. As you can see from the Received headers, my mailserver (carbon.btinternet.com) got it from a machine [210.97.17.6], which is an "open relay" - i.e. a place on the Net where people can just insert mail, without permission. It is listed on RSS - if you enter this number into the box at the top of Spade, say by clicking on it in the header, and clicking the "RBL" toolbar button, it will find the number on the "Radparker relayed spam system".
You have hit a dead end here, though. The "Find Out" spammer targets relays running SMI-8.6/SMI-SVR4, a version of Sendmail supplied with Sun workstations that allows *anonymous* open relaying by default - the machine, in the second header it prints, simply prints the message it gets from a HELO. A mail server conversation goes something like this:
Contacting [ip address removed]
220 insecure.mailserver.in.korea (SMI-8.6/SMI-SVR4)
HELO insecure.mailserver.com
250 insecure.mailserver.in.korea Hello [ip address removed], pleased to meet you
MAIL FROM:<[email protected]>
250 <[email protected]>... sender OK
RCPT TO:<[email protected]>
250 <[email protected]>... sender OK
DATA
[insert test mail message here]
And when I receive it, the headers look like this:
Received from insecure.mailserver.com by insecure.mailserver.in.korea (SMI-8.6/SMI-SVR4)
From: [email protected]
...and so on.
So what you have to do here is to send a LART - "luser attitude readjustment tool", a heads up - to postmaster@ the insecure mailserver, and so on. Do a reverse DNS and an abuse.net check on the IP, using Spade (its help files are good) and you will find.
Now we get on to the spam's body.
---SPAM---
Free Satellite and Cell Phone - Vacation Giveaways
Hi:
I am assoc # 2431. Giveawayvacations is my specialty. You can
register
for one and get a Free Satellite and a Free Cell Phone just for
registering. If you
would like one of our giveawayvacations register today. Go to my introductory
site below. If you go to the main site where we giveawayvacations Please
use associate # 2431
For More Information Go To:
http://hanklin529.tripod.com/index.html
To be removed from our list hit Reply
and put Remove in the Subject
---END SPAM---
Ah, what's this? I click on the address, and am regaled by a Tripod homepage. (I doubt it's there now, but you could check.) When I click on the link inside, I get a new page inviting me to go to
http://www.giveawayvacations.com. When I go there, I find this site has locked me out of clicking the right button - doesn't stop me from clicking "View/Source" in Internet Explorer, though. I look for the "recipient" field in the HTML, which sends the details in the form to
[email protected]. Trying to verify this address using Spade SMTP verify gives me an expand (EXPN) response of
250 Guy TE <[email protected]>
who is the spammer in question. Just to confirm this, I make a whois lookup on giveawayvacations.com, which gives me:
whois -h whois.opensrs.net giveawayvacations.com ...
Registrant:
none
c/o 1167 rt 52
tel, olives 99999
IL
Domain Name: GIVEAWAYVACATIONS.COM
Administrative Contact:
T, Gi
[email protected] [who is this???]
c/o 1167 rt 52
tel, olives 99999
IL
7098859774
[cut billing and tech etc.]
The registrant is the "Find Out About Anyone Else Now" spammer. The name "Gi T" and the Bigfoot email box have previously been used as a registrant on general-delivery.net, the previous "Find Out" spambox (now dead and gone). The Italy address and phone number are a hoax, and the Bigfoot box is dead. And doesn't "Guy TE" sound a lot like "Gi T"? Thought so.
This is a spam from "Loree and Lord", working from Fishkill, NY - their address can be found in a Deja search.
Some of the best examples of spam-tracing work can be seen from [email protected] (search on Deja), who mostly traces back spam from Empire Towers (aka "AMZ Internet Specialties", "ET Corp" and so on), a prolific spamhaus that continually spams long, obfuscated and generally cruddy messages. His traces are masterpieces of the art of LARTing.
Thank you so much for listening,
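The Received-header walk the tutorial describes, as an added example in Python (not part of the quoted message and not Sam Spade's own code): it unfolds the headers, trusts a hop only while the server that wrote it is one of your own, and reports the IP that last trusted server actually saw connecting. The sample message is constructed from the chain shown above; its From/To addresses are placeholders.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header chain in the tutorial above;
# the From/To addresses are placeholders, not the original message's values.
SAMPLE = """\
Received: from [210.97.17.6] (helo=dove.kyungin-c.ac.kr) by
 carbon.btinternet.com with smtp (Exim 3.03 #83) id
 13dSj8-0002Cz-00; Mon, 25 Sep 2000 08:31:04 +0100
Received: from hill.zzn.com by dove.kyungin-c.ac.kr
 (SMI-8.6/SMI-SVR4) id QAA10436; Mon, 25 Sep 2000 16:28:03
 +0900
From: sender@example.invalid
To: recipient@example.invalid
"""

# "from <host-or-[ip]> (<optional comment>) by <server>": Exim puts the
# HELO name in the comment, so it stays separate from the connecting address.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_hops(raw_message, my_servers):
    """Walk Received headers newest-first (the order they appear in the message).

    A hop is trusted only while its 'by' host is one of our own servers and every
    hop above it was trusted; after the first failure everything below is suspect."""
    hops, trusted = [], True
    for value in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(value.split())      # unfold continuation lines
        m = HOP_RE.search(text)
        if m is None:                       # unparsable hop: nothing below is trustworthy
            trusted = False
            hops.append({"from": None, "by": None, "ip": None, "trusted": False})
            continue
        trusted = trusted and m.group("by").lower() in my_servers
        ip = IP_RE.search(m.group("from"))  # only a bracketed IP is an observed address
        hops.append({"from": m.group("from"), "by": m.group("by").lower(),
                     "ip": ip.group(1) if ip else None, "trusted": trusted})
    return hops


def injection_point(hops):
    """IP recorded by the last trusted hop: the host that actually handed us the mail."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1]["ip"] if trusted else None
```

Calling `injection_point(trace_hops(SAMPLE, {"carbon.btinternet.com"}))` returns the relay address to report; the `hill.zzn.com` hop is marked untrusted because the Sun box, not your server, wrote it.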