
Thread: (Challenge) Tracing a spammer

  1. #11
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Default

    The company I work for is a financial institution of medium size (on a Norwegian scale). But I doubt we will be able to get any help on account of our name from any Russian company.

    However, as far as I can see only the server hosting the video.exe file resides in Russia - I followed your tip and tried some nslookup and whois attempts at the source IP listed in the mail and it turned out to be hosted by an Austrian ISP, so I will try to contact them to see if they can be helpful in any way.

    I'm not even sure if the source IP is legit in any way but since it resolved to an Austrian ISP I thought it might be worth a shot.

  2. #12
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Default SMTP mail bounce

    I don't believe this is "spam" in the true sense of the word "spam".

    At first glance, it appears to me to be a type of SMTP (Simple Mail Transfer Protocol) mail bounce attack.


    a1aaa1azzzz1zaaaaa@dbtec.de den 03.04.2008 12:59
    The e-mail account does not exist at the organization this message was sent to.
    Check the e-mail address, or contact the recipient directly to find out the correct address.
    < mailfb.netuse.de #5.1.1 SMTP; 550 <a1aaa1azzzz1zaaaaa@dbtec.de>:
    Recipient address rejected: User unknown in local recipient table>

    And it would appear that now they have your mail server's address as well.

    Code:
    mailfb.netuse.de

    What the attacker is doing is "Reconnaissance". They're hoping that by sending this email to an address that doesn't exist, it will "bounce" back an error message to the attacker's email with your true email server's address, and it will send a list of host names and IP addresses back to them. The attacker can learn much about your company's IT and networking structure and plan out attacks by running whois and Nmap...along with other various methodologies of enumerating and fingerprinting / footprinting your company's network.

    Be careful in how you deal with this. But on the brighter side, this method also exposes the attackers IP address assuming that they aren't using anonymous proxy chains and etc.

    In that email...there should be an originating IP address if you look at its headers.

    Hope this info helps.
    --=Xploitz=-- ®
    Remote-Exploit.orgs Master Tutorialist.™
    VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial" (http://forums.remote-exploit.org/showthread.php?t=9063)
    VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial" (http://forums.remote-exploit.org/showthread.php?t=7872)
    VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial" (http://forums.remote-exploit.org/showthread.php?t=8230)
    VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases" (http://forums.remote-exploit.org/showthread.php?t=8041)

  3. #13
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Default

    Thanks for your reply -=Xploitz=-

    I have been on a little vacation so I have not been focusing too much on this case for the last couple of weeks, but I do find it interesting though.

    But the server address you posted does not belong to my company at all; I thought this might be a reply from a mail server to which the spammer/hacker sent an e-mail addressed to a bogus address.

    In the particular mail you are referring to here, there is no source IP anywhere, but in another mail I found the following:


    Return-Path: <XX@XXXX.no>
    Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500
    Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)
    by corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500
    Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>
    From: "adolph imsl" <XX@XXXX.no>
    To: <eldridge@filethirteen.com>
    Subject: Hot nude Rihanna video
    Date: Thu, 03 Apr 2008 06:42:44 +0000
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0004_01C89564.011088F2"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

    This is a multi-part message in MIME format.

    I think the IP in this mail belongs to an Austrian ISP named eTel and I thought this IP might belong to a server used to forward the mails to make them appear to originate from this source, or that the IP belongs to a server which the hacker/spammer/whatever has managed to take control of and is using as a mail server for these types of mails... what do you think?

  4. #14
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Here is a nice little tutorial on tracking the source IP of an email (this only works when the source of the email was Microsoft Outlook/Outlook Express, as they encode the IP in the Message-ID field).

    Based on the header data:

    Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>

    Break out the important portion (between the last $ and the @):

    cc 4f b2 bc

    Reverse by octet and convert from hex:

    bc = 188
    b2 = 178
    4f = 79
    cc = 204

    Source IP address is 188.178.79.204

    Unless the message ID or original IP was spoofed (possible), this is the IP of the computer that originally sent the email.
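The two origin clues discussed in posts #12 to #14, the oldest hop in the Received chain and the IPv4 address that Outlook Express stores little-endian in its Message-ID, can be pulled out and cross-checked automatically. The script below is an added example and not code from any poster in this thread; the header block it parses is the one quoted above, with the sender address obfuscated as the poster left it, and the "agree" flag is my own consistency check, not something the headers themselves assert.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Constructed sample: the header block quoted earlier in this thread, with the
# sender address obfuscated exactly as the poster left it. The folded
# "Received:" line is indented so the stdlib parser treats it as one header.
SAMPLE_HEADERS = """\
Return-Path: <XX@XXXX.no>
Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500
Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)
  by corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500
Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>
From: "adolph imsl" <XX@XXXX.no>
To: <eldridge@filethirteen.com>
Date: Thu, 03 Apr 2008 06:42:44 +0000
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

(body omitted)
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Outlook/Outlook Express Message-IDs end in "$<8 hex digits>@host"; the hex is
# the sender's IPv4 address stored least-significant byte first.
OE_MSGID_RE = re.compile(r"\$([0-9a-fA-F]{8})@[^>\s]*>?\s*$")


def decode_outlook_message_id(message_id: str) -> Optional[str]:
    """Recover the IPv4 address embedded in an Outlook Express Message-ID.

    Returns None when the Message-ID does not follow that layout, which is
    the normal case for every other mail client.
    """
    match = OE_MSGID_RE.search(message_id.strip())
    if not match:
        return None
    octets = bytes.fromhex(match.group(1))[::-1]   # reverse byte order
    return ".".join(str(b) for b in octets)


def _ips_in(text: str) -> List[str]:
    """Return every syntactically valid dotted quad found in text."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
        found.append(candidate)
    return found


def originating_ip_from_received(raw_headers: str) -> Optional[str]:
    """Walk the Received chain oldest-first and return the first global IP.

    Each relay prepends its own Received line, so the last one in the
    message is the earliest hop we can see. Private and loopback addresses
    are skipped because they only describe the receiving site's own relays.
    """
    msg = message_from_string(raw_headers)
    for line in reversed(msg.get_all("Received", [])):
        for ip in _ips_in(line):
            if ipaddress.IPv4Address(ip).is_global:
                return ip
    return None


def analyze_headers(raw_headers: str) -> dict:
    """Cross-check the two independent origin clues a header block carries."""
    msg = message_from_string(raw_headers)
    received_ip = originating_ip_from_received(raw_headers)
    msgid_ip = decode_outlook_message_id(msg.get("Message-ID", ""))
    return {
        "received_ip": received_ip,
        "message_id_ip": msgid_ip,
        # Disagreement does not prove forgery, but it is the first thing to
        # explain before trusting either address enough to contact an ISP.
        "agree": received_ip is not None and received_ip == msgid_ip,
    }


if __name__ == "__main__":
    print(analyze_headers(SAMPLE_HEADERS))
```

On the thread's own sample the two clues disagree: the Received chain names 213.147.182.209 as the host that handed the message to corp.hovanic.com, while the Message-ID decodes to 188.178.79.204. That is consistent with the relay theory raised in post #13 (a different machine composed the message than the one that delivered it), but either value can be forged, so treat the pair as leads to reconcile rather than as a verdict.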

  5. #15
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Anyone interested in this might also wanna look into fast-flux, one of the newer techniques used when rogues (rouges) are hiding their locations:
    http://spamtrackers.eu/wiki/index.ph..._using_this.3F

    Quickly: Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
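The fast-flux behaviour described in the post above (short TTLs, answers spread over many unrelated networks, constant rotation) can be scored from nothing more than a series of DNS lookups. The following is an added example, not code from the post or from the linked wiki; the lookup data is constructed from RFC 5737 documentation addresses, and the thresholds and the use of /16 prefixes as a stand-in for ASN diversity are assumptions of mine chosen to keep the script offline.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed observations: (domain, TTL in seconds, A-record answers) for a
# series of lookups spaced a few minutes apart. The addresses come from the
# RFC 5737 documentation ranges, so they resolve to nothing real.
CONSTRUCTED_LOOKUPS: List[Tuple[str, int, List[str]]] = [
    ("static.example.test", 86400, ["203.0.113.10"]),
    ("static.example.test", 86400, ["203.0.113.10"]),
    ("static.example.test", 86400, ["203.0.113.10"]),
    ("flux.example.test", 180, ["198.51.100.7", "192.0.2.44", "203.0.113.91"]),
    ("flux.example.test", 180, ["198.51.100.120", "192.0.2.9", "203.0.113.15"]),
    ("flux.example.test", 180, ["198.51.100.33", "192.0.2.200", "203.0.113.7"]),
]

# Illustrative thresholds (assumed, not from any standard): a domain whose
# answers expire within minutes, spread over several networks, and keep
# rotating looks like a proxy layer in front of the real server.
MAX_TTL = 300          # seconds
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 2  # counted at /16 granularity as a stand-in for ASNs


def summarize(lookups: List[Tuple[str, int, List[str]]]) -> Dict[str, dict]:
    """Aggregate per-domain fast-flux metrics from (domain, ttl, answers)."""
    per_domain = defaultdict(lambda: {"ttls": [], "answers": []})
    for domain, ttl, answers in lookups:
        per_domain[domain]["ttls"].append(ttl)
        per_domain[domain]["answers"].append(set(answers))

    report = {}
    for domain, data in per_domain.items():
        all_ips = set().union(*data["answers"])
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
        # churn: share of each answer set that was absent from the previous lookup
        churn_samples = []
        for prev, cur in zip(data["answers"], data["answers"][1:]):
            churn_samples.append(len(cur - prev) / len(cur))
        churn = sum(churn_samples) / len(churn_samples) if churn_samples else 0.0
        metrics = {
            "min_ttl": min(data["ttls"]),
            "distinct_ips": len(all_ips),
            "distinct_networks": len(nets),
            "churn": round(churn, 2),
        }
        metrics["suspected_fast_flux"] = (
            metrics["min_ttl"] <= MAX_TTL
            and metrics["distinct_ips"] >= MIN_DISTINCT_IPS
            and metrics["distinct_networks"] >= MIN_DISTINCT_NETS
        )
        report[domain] = metrics
    return report


if __name__ == "__main__":
    for domain, metrics in summarize(CONSTRUCTED_LOOKUPS).items():
        print(domain, metrics)
```

In practice the lookups would come from a resolver log or passive DNS rather than a hard-coded list, and the /16 count would be replaced by an ASN lookup; the scoring logic stays the same. A legitimate CDN can also show low TTLs and many addresses, so the flag is a triage signal to be combined with the other evidence in this thread, not a block decision on its own.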

  6. #16
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Set up a good SPF record for the domain.
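Since the spam in this thread forges a sender in the OP's .no domain, the SPF advice above is the one control that lets receiving servers reject such mail outright. The checker below is an added example, not code from the poster or from any SPF library: it evaluates a record's ip4, ip6 and all mechanisms against a connecting IP, deliberately refusing the DNS-dependent mechanisms so it runs offline. The two records are constructed for a hypothetical domain whose only relay sits in 192.0.2.0/24; the IP it is tested against is the relay address seen in the headers earlier in the thread.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for a hypothetical domain whose only outbound mail
# relay lives in 192.0.2.0/24. The first one lets anyone send as the domain;
# the second names the relay and rejects everything else.
WEAK_RECORD = "v=spf1 +all"
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the connecting client's IP.

    Only the ip4, ip6 and all mechanisms are implemented so the check runs
    offline; mechanisms that need DNS (a, mx, include, exists, redirect=)
    make it raise instead of guessing.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"           # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"         # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:         # modifier such as exp= or redirect=
            if term.lower().startswith("redirect="):
                raise NotImplementedError("redirect= needs a DNS lookup")
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # malformed network in the record
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism '{name}' needs a DNS lookup")
    return "neutral"            # nothing matched and no 'all' term


def compare(client_ip: str) -> dict:
    """Show what the weak and the strict record each say about a sending host."""
    return {"weak": evaluate_spf(WEAK_RECORD, client_ip),
            "strict": evaluate_spf(STRICT_RECORD, client_ip)}


if __name__ == "__main__":
    # The relay seen in the headers earlier in this thread, standing in for
    # "someone else's host sending as our domain".
    print("outside host:", compare("213.147.182.209"))
    print("our relay:   ", compare("192.0.2.25"))
```

The point of the comparison is that "having an SPF record" is not enough: a record ending in +all (or one that lists every mechanism under the sun) passes the forged mail just as readily as having no record, while a record that enumerates the real relays and ends in -all gives receivers a reason to reject the forgery and the bounce traffic that follows it.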

  7. #17
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Default

    Thanks for the replies, I'm learning a lot from this thread already and I especially liked that trick theprez98 came up with - really sweet!

    Just came to work, so if I get some time during the day I will see what more I can come up with and if I can resolve the same IP from more of these e-mails.

  8. #18
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Default

    Quote Originally Posted by theprez98 View Post
    Here is nice little tutorial on tracking the source IP of an email (this only works when the source of the email was Microsoft Outlook/Outlook Express as they encode the IP in the Message ID field).
    Also, if you have a 30gigs.com account...all emails come with the original sender's IP address and a cool little Google map of their exact location.

    Like I said earlier..look at the headers, and thanks prez for expanding on what I suggested. Saved me some time.

  9. #19
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Sometimes the replies you'll receive will be less than helpful.

    Quote Originally Posted by Recent report of Activity
    Thank you for contacting Ford Motor Company.

    We have received a number of messages recently regarding IP xxx.xxx.xxx.xxx, specifically related to the SQL Slammer worm.

    Our investigation into this matter has determined that the recent onset of attacks from this IP is the result of the IP being forged by an external party. External parties will commonly use IP addresses that belong to large organizations to mask network traffic.

    Unfortunately, forging IP addresses is a common practice among spammers and it is very difficult to prevent such unethical behavior.

    We appreciate your assistance. If we have any further questions or concerns regarding your message/notification, we may attempt to contact you at this e-mail address.

    Best regards,

    Ford Motor Company
    --------------------------------------------------------------------------------
    From: xxxxxx xxxxxxxxx [mailto:xxxxxx@xxxxxxx.xxxxx]
    Sent: Monday, April 14, 2008 11:37 AM
    To: Nsadmin, DNS (D.)
    Subject: Attack from Your Network

    I have received the following two alerts from my Snort box indicating that a machine on your network is probably compromised with the Slammer WORM. I just wanted to let you know so that this machine can be properly sanitized and stop attacking other networks.

    "29", "647", "2008-04-11 13:28:43", "xxx.xxx.xxx.xxx", "4405", "xx.xxx.xx.xxx", "1434", "[url/vil.nai.com/vil/content/v_99992.htm] [nessus/11214] [cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [local/2003] [snort/1:2003] MS-SQL Worm propagation attempt"

    "29", "1202", "2008-04-13 06:01:11", "xxx.xxx.xxx.xxx", "4405", "xx.xxx.xxx.xxx", "1434", "[url/vil.nai.com/vil/content/v_99992.htm] [nessus/11214] [cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [local/2003] [snort/1:2003] MS-SQL Worm propagation attempt"

    Attacker WhoIS: http://whois.domaintools.com/xxx.xxx.xxx.xxx

    Snort Rule: http://www.snort.org/pub-bin/sigs.cgi?sid=1:2003

    Thank you
    Since the attack came from Ford Motor Company, I didn't send them my normal email, but sent them a rather nice one to let them know they have a problem. Of course, they don't want to get caught with their pants down so they send me back complete bullshit. The Slammer Worm is not able to forge its source IP according to the information I found about the Slammer Worm. I think they just don't want to own up to getting caught with a server that was compromised.

  10. #20
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by streaker69 View Post
    I think they just don't want to own up to getting caught with a server that was compromised.
    Well it is Ford after all... they're probably too busy with R&D in making a damn vehicle that will run over 100K miles
