Apologies for spamming the lists with this, but I hope it helps someone,
somewhere. If, like me, you're on multiple mailing lists on a variety of
topics, you've likely been the victim of a spam. Here's how to track it
down and put a stop to it.
For more than you ever wanted to know, read the newsgroup
news.admin.net-abuse.misc.
On Tue, 13 Feb 1996, Michael Chaffee wrote:
> I wholeheartedly agree. But first, I suggest we all (each and every one
> of us who still has that piece of garbage in his/her mailbox) reply to
> that address. Include the original message. More than once. Include
> other things, just for laughs.
Nah. Mailbombing spammers makes us as bad as they are. The thing to do
is to get their feed cut... either by getting their account at their
provider revoked, or by getting their site's feed cut.
Under some circumstances, the victim of your mailbomb can also pursue you
civilly and criminally for harassment.
First, send a copy of the email *back* to the poster, with firm but
polite language that you don't want to hear from him anymore.
Next, to find a spammer, and maybe get him or her removed from the 'Net,
start with doing a whois on the site name. (gaffa is my local machine's
name... I'm running Linux, for anybody who cares.) What we want to do is
send copies of the spam to root@goodprice.com, admin@goodprice.com, and
postmaster@goodprice.com. If this guy is an ordinary yutz like you and me
with a shell or PPP account via a commercial Internet Service Provider, or
through work, he will get a warning from his admin, and maybe get kicked.
If he's on through a work account, maybe he'll get in trouble with his
employers.
--- begin included Unix trivia ---
gaffa~/: whois goodprice.com
[rs.internic.net]
[No name] (GOODP-HST) GOODPRICE.COM 204.52.251.194
FWIW Distributing (GOODPRICE-DOM) GOODPRICE.COM
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
--- end included Unix trivia ---
This is obviously bogus. In cases where the whois returns bogus
information, root@goodprice.com, postmaster@goodprice.com, and
admin@goodprice.com are unlikely to be of help... the spammer is most
likely the admin of the site where the spam originates.
Time to go one link up the chain.
The next weapon in our Unix arsenal is the traceroute command, which
details the route that IP packets (and therefore mail messages) take to
get from point A (goodprice.com) to your machine (wherever that is).
A traceroute to goodprice.com reveals:
1 poe.doa.net (204.183.85.10) 165.653 ms 161.045 ms 149.459 ms
2 whitman.doa.net (204.183.85.1) 229.134 ms 168.94 ms 179.368 ms
3 cdi-doa-64k-isdn-0.dca.net (204.183.95.25) 209.174 ms 218.895 ms 309.516 ms
4 router0.dca.net (204.183.80.1) 219.123 ms 198.93 ms 209.422 ms
5 sl-dc-10-S3/5-T1.sprintlink.net (144.228.120.49) 289.096 ms 238.828 ms 229.374 ms
6 sl-dc-8-F0/0.sprintlink.net (144.228.20.8) 299.21 ms 539.026 ms 609.345 ms
7 sl-fw-5-H4/0-T3.sprintlink.net (144.228.10.18) 609.108 ms 248.849 ms 259.461 ms
8 sl-fw-3-F0/0.sprintlink.net (144.228.30.3) 289.135 ms 248.936 ms 339.401 ms
9 sl-ixa-1-S0-T1.sprintlink.net (144.228.33.22) 309.267 ms 428.991 ms 319.309 ms
10 seattle/N1-0.ixa.net (199.242.16.128) 399.482 ms 319.088 ms 299.329 ms
11 gw-f-jazzie.ixa.com (199.242.18.9) 309.264 ms 448.986 ms 309.491 ms
12 p4-e1.jazzie.com (204.52.251.34) 329.008 ms 318.902 ms 299.471 ms
13 goodprice.com (204.52.251.194) 319.244 ms 409.069 ms 309.404 ms
We're in luck. goodprice.com is a valid site, with a live feed from
jazzie.com. Time to talk to appropriate-parties@jazzie.com to inform them
of what one of their customers is doing with the net feed they've
purchased.
I have sent mail to admin@jazzie.com, postmaster@jazzie.com, and
root@jazzie.com in hopes of getting this joker's feed cut.
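As an added example (my own, not part of Bill's post), here is a small Python script that mechanises the last two steps above: it parses a traceroute listing like the one in the post (re-joining the lines a mailer has wrapped), checks that the trace really ended at the address whois reported for the site, names the provider one hop up the chain, and produces the root/admin/postmaster addresses to write to. The sample traceroute is constructed from the post's own output, abridged to a few hops.

```python
import re

# Constructed sample, abridged from the traceroute in the post above; hop 5 keeps the
# line wrap the mailer introduced, so the parser has to re-join it.
SAMPLE_TRACEROUTE = """\
 1 poe.doa.net (204.183.85.10) 165.653 ms 161.045 ms 149.459 ms
 5 sl-dc-10-S3/5-T1.sprintlink.net (144.228.120.49) 289.096 ms 238.828 ms
229.374 ms
11 gw-f-jazzie.ixa.com (199.242.18.9) 309.264 ms 448.986 ms 309.491 ms
12 p4-e1.jazzie.com (204.52.251.34) 329.008 ms 318.902 ms 299.471 ms
13 goodprice.com (204.52.251.194) 319.244 ms 409.069 ms 309.404 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")

def parse_hops(text):
    """Return [(hop_number, hostname, ip)], re-joining wrapped continuation lines."""
    joined = []
    for raw in text.splitlines():
        if re.match(r"^\s*\d+\s", raw):      # a new hop line starts with its number
            joined.append(raw)
        elif joined:                          # otherwise it is the tail of the previous hop
            joined[-1] += " " + raw.strip()
    hops = []
    for line in joined:
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    return hops

def registrable_domain(host):
    """Last two labels of a hostname; adequate for the .com/.net hosts in the post."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def final_hop_matches(hops, whois_ip):
    """True when the trace actually ended at the address whois gave for the site."""
    return bool(hops) and hops[-1][2] == whois_ip

def upstream_provider(hops, target):
    """Domain of the nearest hop before the target that belongs to a different domain."""
    target_dom = registrable_domain(target)
    for _, host, _ in reversed(hops):
        dom = registrable_domain(host)
        if dom != target_dom:
            return dom
    return None

def complaint_addresses(domain):
    """The three role addresses the post recommends writing to at a site."""
    return [f"{role}@{domain}" for role in ("root", "admin", "postmaster")]
```

Run it on a real traceroute you captured yourself; if `final_hop_matches` is false, the trace died short of the site and the "upstream" it names is just the last router that answered.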
You can also pursue these methods with any web sites, forwarding
addresses, maildrops, etc. given in the offending post.
Where you run into trouble is if the person is posting from a forged
user@host, like the Crusader@national-alliance racist spew that hit last
October. *THEN* it's time to look for a forwarding address or some such
in the post. FWIW, a From: user@host is depressingly easy to forge:
SMTP and sendmail do virtually no authentication.
"Those who would slay monsters must be careful that in so doing, they do
not become monsters themselves. For by gazing into the abyss, the abyss
also gazes into you."
(with apologies to Friedrich Nietzsche)
Bill
--
billd@doa.net billd@voicenet.com (Bill Duetschler)