Security Forums
[Tutorial] About spam/tracing e-mail & How to avoid spam

ShaolinTiger, Forum Fanatic (joined 18 Apr 2002, 16777215 posts, Kuala Lumpur, Malaysia)
Posted: Sat May 11, 2002 4:33 am    Post subject: [Tutorial] About spam/tracing e-mail & How to avoid spam

Using a case study of an e-mail I got; it's not really spam, but it's sort of.

The first rule is NEVER reply to spam, NEVER click the unsubscribe link and NEVER e-mail to the unsubscribe address.

These are simply underhand tactics to get 'active' e-mail addresses.

Some other tips to avoid getting spammed in the first place:

1) Never use your real e-mail address in newsgroups; this is the best place to get picked up by a spam bot. Use something like john-no-spam@i.hate.spam-btopenworld.com

Then in your signature put remove -no-spam and i.hate.spam- to reply.

2) Never put your e-mail address on a publicly viewable web page, as it will be spidered by Google and grabbed by spammers.

If you do need to put an e-mail address use the simple JavaScript below to protect it:

Code:

<SCRIPT LANGUAGE="JavaScript">
<!-- Begin Shaolin Tiger E-mail Saver

// The address is kept as two separate words so that no complete
// "user@domain" string ever appears in the page source for a spider to grab.
randomword = "john";
randomword2 = "btopenworld";
append = "?Subject=Enquiry&Body=Please%20Insert%20Your%20Message%20Here.";

// The browser assembles the mailto: link only when the page is rendered.
document.write('<a href=\"mailto:' + randomword + '@' + randomword2 + append + '\">');
document.write(randomword + '@' + randomword2 + '</a>');
// End -->
</SCRIPT>


3) If you do put your e-mail address anywhere try and obscure it in some way.

4) Create a disposable e-mail address (Hotmail or Yahoo) that you rarely check for signing up to web sites. Most commercial sites will bombard you with spam after you've signed up for whatever services they are offering. Some also sell your address to list makers or other spammers, so never give your *real* e-mail address to anyone except people you want to e-mail you.

If you follow all of these you won't get any spam. My Yahoo account, which I made when I was internet naive, gets about 20-30 spams a day; this is just from signing a few guestbooks with my real e-mail address and putting it on my first home page.

Now that I follow the above rules, I don't get any.

If you do get some, follow below:

In this example youremail@yourdomain.com = Your e-mail address.

Find the full headers of the message, headers can be found in the message source in Outlook Express.

Headers look like this:

Code:

Return-Path: <nobody@letters.ezinehub.com>
Delivered-To: securityforumsco-admin@127.0.0.1
Received: (qmail 94940 invoked by uid 1373); 2 May 2002 20:16:38 -0000
Delivered-To: youremail@yourdomain.com
Received: (qmail 94937 invoked from network); 2 May 2002 20:16:37 -0000
Received: from unknown (HELO letters.ezinehub.com) (64.23.12.74)
  by ns1.dc-hosting.net with SMTP; 2 May 2002 20:16:37 -0000
Received: (from nobody@localhost)
   by letters.ezinehub.com (8.11.6/8.9.3) id g42KKTr28012;
   Thu, 2 May 2002 16:20:29 -0400
Date: Thu, 2 May 2002 16:20:29 -0400
Message-Id: <200205022020.g42KKTr28012@letters.ezinehub.com>
To: youremail@yourdomain.com
From: support@exactseek.com
Subject: Important ExactSeek site listing information.


The main things you want to look for are:

1) The e-mail address it originated from (Most likely spoofed)

From: support@exactseek.com

2) The server used to send it (Most likely an open relay)

by letters.ezinehub.com (8.11.6/8.9.3) id g42KKTr28012

3) The IP address it originated from (Usually unspoofed, often encoded or hidden)

(HELO letters.ezinehub.com) (64.23.12.74)

In this case, as this resulted from a search engine submission, the SMTP server and the sender's IP are the same.

Generally they would be different.

The next stage is to find the upstream provider of the SMTP server and the originating IP. Also take note of the domain the e-mail appeared to come from.

For this we would use Sam Spade or something similar.

If you are using Win2k you can just use tracert (Trace Route) from the command line.

As Samspade is down for maintenance at the moment I will use tracert in this example.

Result of tracert on letters.ezinehub.com

1 160 ms 160 ms 161 ms 194.176.218.67
2 240 ms 181 ms 140 ms 194.176.218.242
3 161 ms 180 ms 160 ms 194.176.218.43
4 160 ms 160 ms 180 ms 194.176.220.189
5 160 ms 160 ms 160 ms sl-gw10-lon-8-0.sprintlink.net [213.206.130.9]
6 160 ms 160 ms 161 ms sl-bb21-lon-8-0.sprintlink.net [213.206.128.45]
7 220 ms 241 ms 240 ms sl-bb20-msq-10-0.sprintlink.net [144.232.19.69]
8 340 ms 240 ms 241 ms sl-bb20-rly-15-1.sprintlink.net [144.232.19.94]
9 240 ms 241 ms 240 ms sl-gw19-rly-9-0.sprintlink.net [144.232.14.26]
10 240 ms 241 ms 240 ms sl-affinity-11-0-0.sprintlink.net [160.81.221.150]
11 240 ms 240 ms 241 ms core2a.balt.skynetweb.com [208.231.4.4]
12 241 ms 240 ms 240 ms ezinehub.com [64.23.0.31]

As can be seen the upstream provider is sprintlink.net and the web host most likely skynetweb.com.

This should be repeated for the provider of both the originating IP address and the SMTP server used.

The next step is to e-mail all of these people using the e-mail I constructed below:

ShaolinTiger wrote:


The following COMMERCIAL UNSOLICITED E-MAIL was received by myself at the non-published, non-used address youremail@yourdomain.com. Please educate your users that this is spam and can clog people's mailboxes and subject them to criminal prosecution.

In some states, it falls under the definition of illegal faxing without the recipient's permission. (Device having a computer, modem, and printer and capable of printing images. USC 47.5.II.227. Fine: $500 per recipient.)

In some countries, notably England, it falls under the Criminal Statutes regarding unauthorized alteration of computer data or theft of computer resources. (Theft of access time and disk space.)

Anyone affiliated to this person and/or company can be held responsible as an ACCESSORY to these CRIMINAL ACTIONS!

EDUCATE your Users or cut them off at the phone line!



E-mail this to abuse@, spam@ and postmaster@ at all the ISPs/web hosts/service providers you identified using traceroute or Samspade.

E.g. in this case abuse@sprintlink.net; spam@sprintlink.net etc.

Include the full e-mail with full headers, proof of traceroutes and so on.

Stop the spammer; they are wasting everyone's bandwidth.

I will update this document whenever I think of something to add to it, or something new comes up.

Any comments/suggestions are welcome and if you don't understand any of it ask and I will clarify.

© ShaolinTiger 2002


Last edited by ShaolinTiger on Tue May 14, 2002 8:24 pm; edited 4 times in total
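A small parser for the Received: chain described in the tutorial above, added here as an example and not part of the original post. It walks the headers oldest-first and pulls out, for each hop, the name the sender announced, the reverse DNS the relay saw, the sender IP and the relay that stamped the line (the three things the post says to look for), and it flags an announced name that disagrees with reverse DNS. The two samples are constructed from the header blocks quoted in this post and in ZCorker's post later in the thread.

```python
import re
from email import message_from_string
# Constructed samples: the Received: lines quoted in this thread (the tutorial's
# ezinehub mail, then ZCorker's Viagra spam), newest line first as in a real header.
SAMPLE_TUTORIAL = """Received: (qmail 94940 invoked by uid 1373); 2 May 2002 20:16:38 -0000
Received: (qmail 94937 invoked from network); 2 May 2002 20:16:37 -0000
Received: from unknown (HELO letters.ezinehub.com) (64.23.12.74)
  by ns1.dc-hosting.net with SMTP; 2 May 2002 20:16:37 -0000
Received: (from nobody@localhost)
   by letters.ezinehub.com (8.11.6/8.9.3) id g42KKTr28012;
   Thu, 2 May 2002 16:20:29 -0400
"""
SAMPLE_SPAM = """Received: from mx05.nyc.untd.com (mx05.nyc.untd.com [10.140.24.65])
 by maildeliver19.lax.untd.com with SMTP id AABAEYT7XAABYXA2
 for <x> (sender <kelliej.drummondbe@aol.com>); Sun, 7 Mar 2004 08:03:01 -0800 (PST)
Received: from c-g-s.demon.co.uk (186-190-89-200.fibertel.com.ar [200.89.190.186])
 by mx05.nyc.untd.com with SMTP id AABAEYT7WAFD94XJ
 (sender <kelliej.drummondbe@aol.com>); Sun, 7 Mar 2004 08:03:00 -0800 (PST)
"""
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

def parse_received(value):
    """One Received: line -> announced name, reverse-DNS name, sender IP, stamping relay."""
    text = ' '.join(value.split())                       # unfold continuation lines
    hop = {'claimed': None, 'rdns': None, 'ip': None, 'by': None,
           'local': not text.startswith('from ')}        # e.g. qmail "invoked by uid"
    from_part, sep, rest = text.partition(' by ')
    by = re.match(r'[A-Za-z0-9.-]+', rest) if sep else None
    if by and '.' in by.group(0):                        # skip "invoked by uid 1373"
        hop['by'] = by.group(0)
    if hop['local']:
        return hop
    hop['claimed'] = from_part.split()[1]
    ip = IP_RE.search(from_part)
    hop['ip'] = ip.group(1) if ip else None
    helo = re.search(r'\(HELO\s+([^)\s]+)\)', from_part, re.I)
    if helo:                                # "from unknown (HELO name) (ip)": rDNS failed
        hop['rdns'], hop['claimed'] = hop['claimed'], helo.group(1)
    else:                                   # "from name (rdns [ip])"
        rdns = re.search(r'\(([^\s\[\]()]+)\s*\[', from_part)
        hop['rdns'] = rdns.group(1) if rdns else None
    return hop

def helo_matches_rdns(hop):
    """None if the relay got no reverse DNS, else whether the announced name agrees with it."""
    if not hop['rdns'] or hop['rdns'].lower() == 'unknown':
        return None
    return hop['claimed'].lower() == hop['rdns'].lower()

def trace_origin(raw_message):
    """Walk the Received: chain oldest-first and return (hops, origin): origin is the first
    hop recording a sender IP. Trust only lines stamped by relays you know; lower ones may be forged."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in reversed(msg.get_all('Received', []))]
    return hops, next((h for h in hops if h['ip']), None)
```

On the spam sample the origin hop announces itself as c-g-s.demon.co.uk while reverse DNS says fibertel.com.ar, which is exactly the mismatch Spamcop flagged.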

TinTin, Forum Fanatic (joined 25 Apr 2002, 16777199 posts)
Posted: Sun May 12, 2002 2:00 am    Post subject: Spam

Thanks Shaolin. I hate spammers!

ciel, Just Arrived (joined 30 Apr 2002, 6 posts, Lyon, France)
Posted: Sun May 12, 2002 7:15 pm    Post subject: Thanks

Hi,

Thanks for this help. I added a link in my own forums to your post, as I think it would be helpful for other people.

ciel


Last edited by ciel on Fri Sep 16, 2005 12:59 am; edited 1 time in total

TinTin, Forum Fanatic (joined 25 Apr 2002, 16777199 posts)
Posted: Sun May 19, 2002 6:59 pm    Post subject: Hate Mail

Just been reading BC; it seems that Cab is the latest target.

Have posted a response to him, to tell him to log onto here and read this!!

LexyLou, Just Arrived (joined 18 Aug 2002, 0 posts, On Top)
Posted: Sun Sep 15, 2002 3:31 am    Post subject: topic

How do you trace an e-mail when certain information has been removed or cleverly hidden?

ShaolinTiger, Forum Fanatic (joined 18 Apr 2002, 16777215 posts, Kuala Lumpur, Malaysia)
Posted: Mon Feb 24, 2003 7:51 pm

Found a site about e-mail, the ultimate e-mail site.

Got plenty of info about tracing here:

http://www.expita.com/header1.html
http://www.expita.com/header2.html

It's a great site with everything about e-mail.

http://www.expita.com/

catwoman, Just Arrived (joined 28 Feb 2003, 0 posts, Edinburgh, Scotland)
Posted: Sat Mar 01, 2003 12:50 pm

I think I need to learn a lot more about computers before I put this into action!

Catwoman...........woefully ignorant

Ipsec Espah, Just Arrived (joined 16 Mar 2003, 4 posts)
Posted: Wed Mar 03, 2004 2:00 am

Some spammers now use web bugs by including HTML code like this:

<p><img border="0" src="http://www.spammer.com/open_email.asp?reference=######"
width="275" height="63"></p>

which uses ASP to gather info about you and finally redirects to an image. Not only does it get info about you, but it also verifies your email address, which results in more spam.

My usenet email addy is bounce@127.0.0.1 which supposedly screws up the bots. The more people that use it the better.
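A detector for the web-bug pattern described above, added as an example and not part of the original post: it scans an HTML mail body for images that would be fetched from a remote host and reports why each one looks like a tracking beacon (a query string carrying a recipient reference, or a 1x1 pixel). The sample body is constructed around the tag quoted in the post; the host cdn.example.test is made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the tracking image quoted above, an inline (cid:) image that
# is never fetched, and a made-up 1x1 spacer from an invented host.
SAMPLE_HTML = """<p>Dear customer,</p>
<p><img border="0" src="http://www.spammer.com/open_email.asp?reference=123456"
width="275" height="63"></p>
<p><img src="cid:logo@local" alt="logo"></p>
<p><img src="http://cdn.example.test/spacer.gif" width="1" height="1"></p>"""

class WebBugFinder(HTMLParser):
    """Collect <img> tags that fetch from a remote host. Loading such an image tells
    the sender the mail was opened, and a query string or 1x1 size ties the fetch
    to one recipient; clients that block remote images defeat the whole scheme."""
    def __init__(self):
        super().__init__()
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != 'img':
            return
        a = dict(attrs)
        src = a.get('src', '')
        parts = urlsplit(src)
        if parts.scheme not in ('http', 'https'):   # cid:/data: images are not fetched
            return
        reasons = []
        if parse_qs(parts.query):
            reasons.append('per-recipient query string')
        if a.get('width') == '1' and a.get('height') == '1':
            reasons.append('1x1 pixel')
        self.bugs.append({'host': parts.netloc, 'src': src, 'reasons': reasons})

def find_web_bugs(html):
    """Return one record per remote image in the body, with the reasons it looks like a beacon."""
    finder = WebBugFinder()
    finder.feed(html)
    return finder.bugs
```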

ZCorker, Just Arrived (joined 07 Nov 2003, 0 posts)
Posted: Sun Mar 07, 2004 8:46 pm    Post subject: Tracing the real McCoy vs spoofed e-mail

Below is a partial header (lowest link in heading) from a spammer that sends out info on Viagra. Would you please advise me how to trace the "real e-mail" of the spammer.

I am not planning on reporting the spammer to his IP or anyone else. I have not had much success with this technique and instead have a special surprise for the spammer.

Spammer's address appears to be spoofed.

Received: from c-g-s.demon.co.uk (186-190-89-200.fibertel.com.ar [200.89.190.186])
by mx05.nyc.untd.com with SMTP id AABAEYT7WAFD94XJ
(sender <kelliej.drummondbe@aol.com>);
Sun, 7 Mar 2004 08:03:00 -0800 (PST)

What is the real e-mail address of the spammer? Spamcop report alleges the following:

From: "Kellie J. Drummond" <kelliej.drummondbe@aol.com>
To: x, x, x,
x
Date: Sun, 07 Mar 2004 12:18:45 +0000
Subject: You will never know if don't try it!
Message-ID: <GNAD_______________________________________ndbe@aol.com>
Received: from mx05.nyc.untd.com (mx05.nyc.untd.com [10.140.24.65])
by maildeliver19.lax.untd.com with SMTP id AABAEYT7XAABYXA2
for <x> (sender <kelliej.drummondbe@aol.com>);
Sun, 7 Mar 2004 08:03:01 -0800 (PST)
Received: from c-g-s.demon.co.uk (186-190-89-200.fibertel.com.ar [200.89.190.186])
by mx05.nyc.untd.com with SMTP id AABAEYT7WAFD94XJ
(sender <kelliej.drummondbe@aol.com>);
Sun, 7 Mar 2004 08:03:00 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-ContentStamp: 1:1:1980731145
Return-Path: <kelliej.drummondbe@aol.com>

Parsing header:

Received: from mx05.nyc.untd.com (mx05.nyc.untd.com [10.140.24.65]) by maildeliver19.lax.untd.com with SMTP id AABAEYT7XAABYXA2 for <x> (sender <kelliej.drummondbe@aol.com>); Sun, 7 Mar 2004 08:03:01 -0800 (PST)
10.140.24.65 found
host 10.140.24.65 (getting name) no name
10.140.24.65 discarded

Received: from c-g-s.demon.co.uk (186-190-89-200.fibertel.com.ar [200.89.190.186]) by mx05.nyc.untd.com with SMTP id AABAEYT7WAFD94XJ (sender <kelliej.drummondbe@aol.com>); Sun, 7 Mar 2004 08:03:00 -0800 (PST)
200.89.190.186 found
host 200.89.190.186 (getting name) = 186-190-89-200.fibertel.com.ar.
host 186-190-89-200.fibertel.com.ar (checking ip) = 200.89.190.186
Possible spammer: 200.89.190.186
200.89.190.186 is not an MX for 186-190-89-200.fibertel.com.ar
host 186-190-89-200.fibertel.com.ar (checking ip) = 200.89.190.186
Received line accepted

Tracking message source: 200.89.190.186:
Routing details for 200.89.190.186
Cached whois for 200.89.190.186 : noc@fibertel.com.ar
Using abuse net on noc@fibertel.com.ar
abuse net fibertel.com.ar = spamming@fibertel.com.ar
Using best contacts spamming@fibertel.com.ar
Yum, this spam is fresh!
200.89.190.186 listed in dnsbl.njabl.org ( 127.0.0.9 )
200.89.190.186 is an open proxy
200.89.190.186 not listed in plus.bondedsender.org
200.89.190.186 not listed in query.bondedsender.org

Finding links in message body
Parsing text part
no links found

Please make sure this email IS spam:
From: "Kellie J. Drummond" <kelliej.drummondbe@aol.com> (You will never know if don't try it!)
Buy Viagra and Cialas Aka "Super Viagra"..The Viagra that last all weekend!..
and other good prescriptions... Next-Day Fedex ...

Report Spam to:

Re: 200.89.190.186 (Administrator of network where email originates)
To: spamming@fibertel.com.ar

Re: 200.89.190.186 (Third party interested in email source)
To: Cyveillance spam collection

PhiBer, SF Mod (joined 11 Mar 2003, 20 posts, Your MBR)
Posted: Mon Mar 15, 2004 10:07 pm

We are currently adding a Spam Filter box to our organization.

Last edited by PhiBer on Tue Mar 16, 2004 10:12 pm; edited 2 times in total

cisco student, Just Arrived (joined 07 Sep 2003, 8 posts, SFDC USA: Chico, California)
Posted: Tue Mar 16, 2004 1:20 am

I personally like the idea of having a network spam/virus email filter hardware box at my border; this uses blacklists to block spam from the end user receiving it. Thanks ST for another great post. I would like to add something to the part about never clicking the unsubscribe link: if you click that, they will know that it is a valid email account and will send you more crap. Most spammers just use random addresses to send their spam to.

ChrisM, Just Arrived (joined 13 Apr 2004, 0 posts)
Posted: Tue Apr 20, 2004 5:11 am

Well, I happened to put my email on a publicly viewed site, so what do I do to rid myself of the spam?

Fool, Just Arrived (joined 23 Aug 2004, 0 posts, SC, USA)
Posted: Tue Aug 24, 2004 12:09 am

Just read the document... looks pretty nice and informative. Thanks for the great read, mate.

Security Hobbit, Just Arrived (joined 14 Jul 2004, 0 posts)
Posted: Tue Aug 24, 2004 10:53 am

A presentation at BlackHat 2004 you might find interesting. I really wish they had the audio too.

Curtis Kret
Nobody’s Anonymous—Tracking Spam and Covert Channels
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kret.pdf

It is more about recognizing spam emails, spam motivations and general forensics, _not_ prevention. Also covers spam as covert channels, criminal scams, etc...

N.

vjy, Just Arrived (joined 05 May 2004, 0 posts)
Posted: Tue Aug 24, 2004 1:45 pm

Hi guys,
The tutorial and the follow-ups were excellent. I have a problem; I am not sure if it's relevant here, but I am not sure where to post it.
I receive many junk mails in my Yahoo account, like undeliverable messages with attachments, but I haven't opened the attachments or the mails even once. I am not sure how I am getting the emails, since I have not sent the mails at all.
Kindly let me know what to do. It's very annoying.

Ex0dus, Just Arrived (joined 18 Nov 2005, 0 posts, Down Under)
Posted: Fri Nov 18, 2005 3:02 am

Those would be just viruses. It is common for virus attachments to be sent with emails saying "your password has been changed" and "undeliverable messages", all of which try to entice you into opening the attachment.

True bounce-back emails will never have attachments; they instead will just insert text in the bounce-back email.