Thread: Investigating MSN Spam Origins

  1. #1
    Just burned his ISO
    Join Date: Jan 2008
    Posts: 6

    Investigating MSN Spam Origins

    I'm a total noob, been slooowly learning bt for a few months. I've had Fedora installed a few times before, but I'm generally a total noob to Linux. I realize this post is thoroughly unimpressive, but I'm posting it anyway.

    I recently got some MSN Messenger spam on winblows live, and I figured instead of turning off messages from people not on my contact list, I'd allow them and try to sniff out the source.

    So the message is from fixyoxymag34@hotmail.com, and it reads:

    heya. lets chat but not here ok? I have a webcam setup in my room... just goto this website and signup i'll be waiting for you .. it's dubya dubya dubya period chatwithme4free period you know the rest.

    The first thing I noticed was the structure of the email address. Is it worth investigating? No. It's obvious that it's a generated name. So, the next step is to try to grab the IP of the spam bot. Sometimes they aren't bots, but Indian kids at their computers. So I tried changing my display pic, hopefully forcing that computer to connect with mine to get the new image. Nothing. I checked in the cmd console with netstat -a, carefully monitoring the connections. So now I'm sure it's a bot, since there's no one here still chatting with me. (I love to play with the A"I" of the automated chat bots.)

    Next step is to check out the domain, chatwithme4free. It redirects through a site called mnjump period commercial domain. Now I'm on my BackTrack machine, doing whois chatwithme4free. The registration info shows domainsbyproxy. Now it's time to scan. I do a reverse DNS lookup with dns-ptr, looking up the IPs surrounding the spammer IPs. I wasn't able to find any pattern, or any domain name that seemed relevant to chat or girlz, etc. So now I pull out nikto and start scanning through a proxy. Now, there's some pretty interesting stuff that comes up, not that I understand how to apply the remote command execution vulnerabilities found. I'm just looking around anyway, not going to break into anything this way.

    Next, I pull out nmap and give mnjump a thorough scan. mnjump was also purchased through domainsbyproxy, and mnjump does not come up in important search listings in Google, so it's safe to assume that it's not a commercial redirect site, and probably owned by the spammer(s). Lots of interesting services running on that system. See for yourself.

    Anyway, hopefully this post is entertaining to read if anything. :P
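The "dns-ptr" step above (reverse-resolving the addresses around a suspect IP and looking for a pattern in the names) is easy to script and, more usefully, to cluster. The following is an added example and not the poster's own tooling; the resolver is injectable so the clustering logic can be exercised offline against constructed PTR data, and the RFC 5737 addresses, hostnames and keyword list in it are all made up for illustration.

```python
"""Reverse-DNS sweep around a suspect IPv4 address, with the results grouped by
parent domain and screened for keywords of interest (chat, cam, ...).
Added example; the default resolver uses the system resolver, but any callable
ip -> hostname-or-None can be passed in, which is how the offline test works."""
import ipaddress
import socket
from collections import defaultdict


def default_resolver(ip):
    """Real PTR lookup through the OS resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def ptr_sweep(center_ip, radius=8, resolver=default_resolver):
    """Resolve PTR records for center_ip and `radius` neighbours on each side,
    clamped to the IPv4 address space. Returns {ip: hostname_or_None} in
    ascending address order."""
    center = int(ipaddress.IPv4Address(center_ip))
    lo = max(0, center - radius)
    hi = min(2**32 - 1, center + radius)
    sweep = {}
    for n in range(lo, hi + 1):
        ip = str(ipaddress.IPv4Address(n))
        sweep[ip] = resolver(ip)
    return sweep


def parent_domain(name, labels=2):
    """Crude registrable-domain guess: the last `labels` labels of the name.
    Assumption: single-label public suffixes only (co.uk etc. are not handled)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def cluster_by_domain(sweep):
    """Group the resolved addresses by parent domain; unresolved ones are dropped.
    A run of neighbouring IPs under one domain suggests one hosting customer."""
    groups = defaultdict(list)
    for ip, name in sweep.items():
        if name:
            groups[parent_domain(name)].append(ip)
    return dict(groups)


def flag_keywords(sweep, keywords=("chat", "cam", "girl", "date")):
    """Return {ip: name} for PTR names that contain any keyword of interest
    (constructed keyword list; tune it to the lure being investigated)."""
    return {ip: name for ip, name in sweep.items()
            if name and any(k in name.lower() for k in keywords)}


if __name__ == "__main__":
    import sys
    # 192.0.2.0/24 is reserved for documentation; substitute the IP from whois/dig.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = ptr_sweep(target, radius=16)
    for dom, ips in sorted(cluster_by_domain(result).items(),
                           key=lambda kv: -len(kv[1])):
        print(f"{dom:40s} {len(ips):3d} hosts  {ips[0]} .. {ips[-1]}")
    for ip, name in flag_keywords(result).items():
        print("keyword hit:", ip, name)
```

Run it with the address obtained from the whois or DNS lookup; the output lists each parent domain with the number of neighbouring hosts that resolve under it, which is the "pattern" the post was looking for, followed by any names that match the lure's vocabulary. Keep in mind that PTR records are set by whoever controls the reverse zone, usually the hosting provider, so an absence of suggestive names (as in the post) is common and proves nothing.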

  2. #2
    Jenkem Addict imported_wyze
    Join Date: Jul 2007
    Posts: 1,543

    Which OS and MSN version are you using?
    dd if=/dev/swc666 of=/dev/wyze

  3. #3
    Just burned his ISO
    Join Date: Jan 2008
    Posts: 6

    XP Pro SP2, Windows Live Version 2008 Build 8.5.1302.1018
    BT2 Laptop

  4. #4
    Junior Member kr0m3
    Join Date: Jan 2008
    Posts: 68

    Nice "look but don't touch" post!

    I can sense the mods perusing the thread like wolves on the hunt for a wounded pig....
    (nothing but love, guys...nothing but love)

    I'd never thought of changing the chat icon; you've given me something to play with.
    Nice presentation, thanks for the info!
    ~k
    "...you've picked up a bit of an attitude. Still curious and willing to learn, I hope. "

  5. #5
    Just burned his ISO
    Join Date: Jan 2008
    Posts: 6

    5/6/08 18:06 CST

    (tudenederuc26@hotmail.com) Diann says:
    Hey.. whats up? 22/Female. let's chat but not here ok? I have a webcam you can come join me at this website dubya dubya dubya period freehottycams period commercial domain.

    I haven't investigated further, but they started using a new domain today.

  6. #6
    Junior Member
    Join Date: Aug 2007
    Posts: 31

    Good job, you now know how spammers work. I usually just block spammers.
