
Thread: (Challenge) Tracing a spammer

#1 lund99 (Senior Member, Join Date Feb 2010, Posts 142)

    (Challenge) Tracing a spammer

    Hi, I'm not sure if this is the right place for such a topic or if it is at all possible but please take a minute to read this post and drop a reply if you can.

    I work as an IT / network consultant for a company. Recently one of our users has been receiving a LOT of e-mails of the sort you receive if you send an e-mail to an invalid e-mail address.

    I'm guessing that most of you know what types of messages I am talking about but here's an example:

    Code:

    a1aaa1azzzz1zaaaaa@dbtec.de on 03.04.2008 12:59
    The e-mail account does not exist at the organization this message was sent to.
    Check the e-mail address, or contact the recipient directly to find out the correct address.
    < mailfb.netuse.de #5.1.1 SMTP; 550 <a1aaa1azzzz1zaaaaa@dbtec.de>:
     Recipient address rejected: User unknown in local recipient table>

    This has become quite a problem, as my colleague has started to receive up to 100 of these mails a day.

    As far as I can understand, this is a result of a spammer sending e-mails to addresses over the world and spoofing the source e-mail so that it appears to originate from the e-mail address of my co-worker.

    I know it is probably a simple procedure to include some sort of rule in our spam filter to ensure that these types of system messages won't be sent to the person in question, but I am curious by nature and I want to see how far I can go in tracing this activity back to the original sender.

    The only information I have been able to gather about the source is the following lines from a failure notice mail sent to my co-worker (however, I suspect that this information will only lead to a system the spammer has been able to compromise and is using to send out messages):

    Return-Path: <XX@XXXX.no>
    Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500
    Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)
    by corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500

    (the XX@XXXXX.no address is the address of my co-worker which I have censored to ensure that he won't be the victim of even more e-mail terror )

    The purpose of the mail in which I found this information was to lead the receiver of the mail to the following URL:

    http://compservice.land.ru/video.exe

    The server hosting this file is probably compromised as well and I don't believe it will lead directly to the spammer.

    But if you have any suggestions for me about how I should proceed with this little project of mine please let me know!

    P.S. Just to make one thing clear, I have no intention of engaging in any illegal activities towards the different IP addresses or hostnames that I might come across in this investigation. However, I do understand that there is a risk that some of the readers on this forum might not feel the same way, but if you decide to help me with this project please let's keep the information gathering on a non-intrusive level so that I can continue to share information with you as I continue the investigation.
    I expect that the forum admins and mods here will shut this thread down immediately if it were to spark any illegal activities towards the innocent systems I might list here, and I do not want this to happen at all - I hope everyone can respect this but still contribute to the investigation if they wish to.

    Thank you.
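As an added example (not from the original post, and not from any tool the thread mentions), the Python below parses the Received lines quoted above and pulls out the one thing worth feeding to whois: the connecting IP. It also applies two quick tells for a zombie host (the HELO is a bare IP address, and the reverse DNS name looks like a dynamic DSL pool entry) and checks the connecting IP against a list of the organization's own outbound relays. The sample message is constructed from the headers in the post; the 192.0.2.0/24 relay range and the keyword list for dynamic hostnames are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the two Received lines quoted in the post, wrapped in a
# minimal message so the stdlib parser accepts it. Return-Path carries the
# forged envelope sender (the colleague's address, censored as in the post).
SAMPLE_BOUNCE = """\
Return-Path: <XX@XXXX.no>
Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500
Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)
  by corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500
Subject: failure notice

(body omitted)
"""

# Assumption: the organization's legitimate outbound relays (RFC 5737 range).
# Mail claiming to come from one of its users but handed over by any other
# IP has a forged envelope sender.
OUR_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

# qmail-style hop: "from <rdns> (HELO <helo>) (<ip>) by <host> ..."
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)"
)
BARE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Assumed keyword list; ISPs name consumer pools in many other ways too.
DYNAMIC_HINT_RE = re.compile(r"dsl|dyn|dial|pool|ppp|cable|dhcp", re.I)


def parse_hops(raw_message):
    """Return the parseable Received hops, earliest (closest to the sender) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Collapse folded header lines into one string before matching.
        m = HOP_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    hops.reverse()  # each MTA prepends its line, so the last one is the first hop
    return hops


def looks_dynamic(rdns, ip):
    """Heuristic: reverse DNS embeds the IP octets or an ISP pool keyword."""
    octets = ip.split(".")
    embedded = "-".join(octets) in rdns or ".".join(octets) in rdns
    return embedded or bool(DYNAMIC_HINT_RE.search(rdns))


def analyze_bounce(raw_message, our_relays=OUR_RELAYS):
    """Identify the host that injected the original mail and classify the bounce."""
    hops = parse_hops(raw_message)
    if not hops:
        return {"verdict": "no usable Received hop"}
    origin = hops[0]
    ip = ipaddress.ip_address(origin["ip"])
    from_us = any(ip in net for net in our_relays)
    return {
        "ip": str(ip),                       # the address to put into whois
        "rdns": origin["rdns"],
        "helo": origin["helo"],
        "first_mta": origin["by"],           # the server that accepted the mail
        "helo_is_bare_ip": BARE_IP_RE.fullmatch(origin["helo"]) is not None,
        "rdns_looks_dynamic": looks_dynamic(origin["rdns"], str(ip)),
        "sent_from_our_relay": from_us,
        "verdict": ("genuine bounce of our own mail" if from_us
                    else "backscatter: envelope sender forged"),
    }


if __name__ == "__main__":
    for key, value in analyze_bounce(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

Run against the sample, the result names 213.147.182.209 as the host to look up, with both zombie tells set and the verdict "backscatter", because that address is not one of the organization's relays, so the colleague's address was forged as the envelope sender. As the post already suspects, the IP identifies only the compromised machine; the abuse contact for its netblock is the most that can be reported to.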

#2 streaker69 (Senior Member, Join Date Jan 2010, Location Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts 3,535)

    I can guarantee this is an exercise in futility. All you're going to end up finding is the zombie machine that sent the mail. You'll never find the person in control of the zombie. Set up a good spam filter and move on; there are other things that are more important.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

#3 imported_spankdidly (Senior Member, Join Date Feb 2006, Posts 1,031)

    Quote Originally Posted by streaker69
    I can guarantee this is an exercise in futility. All you're going to end up finding is the zombie machine that sent the mail. You'll never find the person in control of the zombie. Set up a good spam filter and move on; there are other things that are more important.
    True. The guy would have to be a complete idiot to send it from his machine.
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!

#4 lund99 (Senior Member, Join Date Feb 2010, Posts 142)

    Like I stated in my first post, I am aware that both the server sending out the mails and the server hosting the virus or whatever is not his property at all.

    What I want to do here is gather as much information about the zombie network as possible and in the end inform whoever actually pays for these servers, and their ISPs.

    Tracking down the actual person behind this is as far-fetched as it gets and there is no way I would ever dream of trying to achieve something like that; however, I realize that I might have expressed myself in a way that gave the impression that I wanted to track the actual spammer down, and that was stupid of me.

#5 streaker69 (Senior Member, Join Date Jan 2010, Location Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts 3,535)

    Quote Originally Posted by cormega
    Like I stated in my first post, I am aware that both the server sending out the mails and the server hosting the virus or whatever is not his property at all.

    What I want to do here is gather as much information about the zombie network as possible and in the end inform whoever actually pays for these servers, and their ISPs.

    Tracking down the actual person behind this is as far-fetched as it gets and there is no way I would ever dream of trying to achieve something like that; however, I realize that I might have expressed myself in a way that gave the impression that I wanted to track the actual spammer down, and that was stupid of me.
    There are much larger groups that are tracking the zombies with much more resources available to them than you can imagine. You might be able to find one or two machines, but you have no idea if they belong to the same botnet, or different botnets. If you're really interested in pursuing this type of thing, then get a job with SANS or any of the other larger groups that have the resources to actually track them down.

#6 lund99 (Senior Member, Join Date Feb 2010, Posts 142)

    Quote Originally Posted by streaker69
    There are much larger groups that are tracking the zombies with much more resources available to them than you can imagine. You might be able to find one or two machines, but you have no idea if they belong to the same botnet, or different botnets. If you're really interested in pursuing this type of thing, then get a job with SANS or any of the other larger groups that have the resources to actually track them down.

    Point taken; however, I was not really planning to transform into the role of the internet's very own Dirty Harry here.

    All I really wanted was to get a few tips about how I can gather a little more information here (not planning to spend more time than a couple of nights on this, maybe even kill some dead-time at the office).


    For instance, what would be the best way to find out who is supplying the Internet Access to the two servers here?

#7 streaker69 (Senior Member, Join Date Jan 2010, Location Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts 3,535)

    Quote Originally Posted by cormega
    Point taken; however, I was not really planning to transform into the role of the internet's very own Dirty Harry here.

    All I really wanted was to get a few tips about how I can gather a little more information here (not planning to spend more time than a couple of nights on this, maybe even kill some dead-time at the office).


    For instance, what would be the best way to find out who is supplying the Internet Access to the two servers here?
    Nslookup/whois is always a start. Since the server is in Russia, you ain't gonna get a single bit of cooperation from the ISP.

    In Soviet Russia, servers spam you.

#8 imported_spankdidly (Senior Member, Join Date Feb 2006, Posts 1,031)

    Quote Originally Posted by streaker69
    In Soviet Russia, servers spam you.
    Dammit Streaker, That was my line.

#9 lund99 (Senior Member, Join Date Feb 2010, Posts 142)

    Quote Originally Posted by streaker69
    you ain't gonna get a single bit of cooperation from the ISP.
    I guess that's true. Actually, this is the second time that the user in question has experienced this with his e-mail account.

    The last time, a security consultant was here (no, we did not hire a security consultant for this - he was here on another matter :P) and traced the ISP to China, and as you can probably imagine, neither the e-mail to the ISP nor the one to the company that owned the server being used to send mail helped, not even a polite f*ck off.

#10 streaker69 (Senior Member, Join Date Jan 2010, Location Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts 3,535)

    Quote Originally Posted by cormega
    I guess that's true. Actually, this is the second time that the user in question has experienced this with his e-mail account.

    The last time, a security consultant was here (no, we did not hire a security consultant for this - he was here on another matter :P) and traced the ISP to China, and as you can probably imagine, neither the e-mail to the ISP nor the one to the company that owned the server being used to send mail helped, not even a polite f*ck off.
    I've been tracking and reporting abuses for several years now, and I know that you will never get any help from ISPs in Russia, China, most of the PacRim or anywhere in Africa.

    If you get attacks or abuses from Canada, the US or the UK, you'll get help from those ISPs. The other countries in Europe are spotty at best with helping out.

    If who you're working with is a smaller local company, chances are they'd have no reason to get anything legitimate from Russia or the PacRim, so it's best just to block those subnets from even getting through your router to your mail server. Where I'm at, I probably have close to 80 or so subnets that, in my opinion, don't exist.
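The subnet-blocking approach described above, as an added example that is not from the thread or from any particular product: a small Python policy that collapses a hand-maintained list of "subnets that don't exist for us" into the fewest CIDRs, lets an allow-list of known correspondents override it, and renders the equivalent iptables rules for port 25. All the netblocks are RFC 5737 documentation ranges chosen for illustration, not real allocations, and the allow-list entry is a hypothetical partner relay.

```python
import ipaddress

# Constructed, hypothetical "subnets that don't exist for us". Real country
# allocations change, so in practice this list is regenerated from the RIR
# delegation files rather than typed in once.
DENY_CIDRS = [
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the first: collapses into 203.0.113.0/24
    "198.51.100.0/24",
]
# Exceptions that must always reach port 25, e.g. a partner's relay (assumed).
ALLOW_CIDRS = ["198.51.100.10/32"]


def build_policy(deny, allow):
    """Collapse adjacent/overlapping deny nets; allow nets are kept as given."""
    deny_nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in deny))
    allow_nets = [ipaddress.ip_network(c) for c in allow]
    return deny_nets, allow_nets


def smtp_connection_allowed(src_ip, deny_nets, allow_nets):
    """Allow-list wins over deny-list; anything unlisted is allowed."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in n for n in allow_nets):
        return True
    return not any(ip in n for n in deny_nets)


def render_iptables(deny_nets, allow_nets, port=25):
    """Emit rules in evaluation order: ACCEPT exceptions first, then DROPs."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {n} -j ACCEPT"
             for n in allow_nets]
    rules += [f"iptables -A INPUT -p tcp --dport {port} -s {n} -j DROP"
              for n in deny_nets]
    return rules


if __name__ == "__main__":
    deny, allow = build_policy(DENY_CIDRS, ALLOW_CIDRS)
    for src in ("203.0.113.200", "198.51.100.10", "198.51.100.11", "192.0.2.5"):
        print(src, "allowed" if smtp_connection_allowed(src, deny, allow) else "dropped")
    print("\n".join(render_iptables(deny, allow)))
```

Order matters in the rendered rules: the ACCEPT exceptions go before the DROPs because iptables stops at the first match. A blocklist built by region is crude (netblocks get reassigned, and a compromised host inside the regions you do accept mail from still gets through), so it complements a spam filter rather than replacing it.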
