[tutorial] About Spam/tracing E-mail & How To Avoid Spam

[tezza 0]

Using a case study of a e-mail I got, it's not really spam but its sort of.
The first rule is NEVER reply to spam, NEVER click the unsubscribe link and NEVER e-mail to the unsubscribe address.

These are simply underhand tactics to get 'active' e-mail addresses.

Some other tips to avoid getting spammed in the first place:

1) Never use your real e-mail address in newsgroups, this is the best place to get picked up by a spam bot. Use something like john-no-spam-at-i.hate.spam-btopenworld.com

Then in your signature put remove -no-spam and i.hate.spam- to reply.

2) Never put your e-mail address on a publically viewable web page as it will be spidered by Google and grabbed by spammers.

If you do need to put an e-mail address use the simple JavaScript below to protect it:

Code:

<!-- Begin Shaolin Tiger E-mail Saver

randomword = "john";
randomword2 = "btopenworld";
append = "?Subject=Enquiry&Body=Please%20Insert%20Your%20Message%20Here.";

document.write('<a href=\"mailto:' + randomword + '@' + randomword2 + append + '\">');
document.write(randomword + '@' + randomword2 + '</a>');
// End -->
</SCRIPT>



3) If you do put your e-mail address anywhere try and obscure it in some way.

4) Create a disposable e-mail address (hotmail or yahoo) that you rarely check for signing up to Web-sites. Most commercial sites will bombard you with spam after you've signed up for whatever services they are offering. Some also sell your address to list makers or other spammer so never give your *real* e-mail address to anyone except people you want to e-mail you.

If you follow all of these you wont get any spam. My yahoo account which I made when I was internet Naive gets about 20-30 spams a day, this is just from signing a few guestbooks with my real e-mail address and putting it on my first home page.

Now I follow the above rules, I don't get any

If you do get some, follow below:

In this example youremail-at-yourdomain.com = Your e-mail address.

Find the full headers of the message, headers can be found in the message source in Outlook Express.

Headers look like this:

Code:

Return-Path: <nobody-at-letters.ezinehub.com>
Delivered-To: securityforumsco-admin-at-127.0.0.1
Received: (qmail 94940 invoked by uid 1373); 2 May 2002 20:16:38 -0000
Delivered-To: youremail-at-yourdomain.com
Received: (qmail 94937 invoked from network); 2 May 2002 20:16:37 -0000
Received: from unknown (HELO letters.ezinehub.com) (64.23.12.74)
by ns1.dc-hosting.net with SMTP; 2 May 2002 20:16:37 -0000
Received: (from nobody-at-localhost)
by letters.ezinehub.com (8.11.6/8.9.3) id g42KKTr28012;
Thu, 2 May 2002 16:20:29 -0400
Date: Thu, 2 May 2002 16:20:29 -0400
Message-Id: <200205022020.g42KKTr28012-at-letters.ezinehub.com>
To: youremail-at-yourdomain.com
From: support-at-exactseek.com
Subject: Important ExactSeek site listing information.



The main things you want to look for are:

1) The e-mail address it originated from (Most likely spoofed)

From: support-at-exactseek.com

2) The server used to send it (Most likely an open relay)

by letters.ezinehub.com (8.11.6/8.9.3) id g42KKTr28012

3) The IP address it originated from (Usually unspoofed, often encoded or hidden)

(HELO letters.ezinehub.com) (64.23.12.74)

In this case as this resulted from a search engine submission the SMTP server and the senders IP are the same.

Generally they would be different.

The next stage is to find the upstream provider of the SMTP server and the originating IP. Also take note of the domain the e-mail appeared to come from.

For this we would use Sam Spade or something similar.

If you are using Win2k you can just use tracert (Trace Route) from the command line.

As Samspade is down for maintenance at the moment I will use tracert in this example.

Result of tracert on letters.ezinehub.com

1 160 ms 160 ms 161 ms 194.176.218.67
2 240 ms 181 ms 140 ms 194.176.218.242
3 161 ms 180 ms 160 ms 194.176.218.43
4 160 ms 160 ms 180 ms 194.176.220.189
5 160 ms 160 ms 160 ms sl-gw10-lon-8-0.sprintlink.net [213.206.130.9]
6 160 ms 160 ms 161 ms sl-bb21-lon-8-0.sprintlink.net [213.206.128.45]
7 220 ms 241 ms 240 ms sl-bb20-msq-10-0.sprintlink.net [144.232.19.69]
8 340 ms 240 ms 241 ms sl-bb20-rly-15-1.sprintlink.net [144.232.19.94]
9 240 ms 241 ms 240 ms sl-gw19-rly-9-0.sprintlink.net [144.232.14.26]
10 240 ms 241 ms 240 ms sl-affinity-11-0-0.sprintlink.net [160.81.221.150]
11 240 ms 240 ms 241 ms core2a.balt.skynetweb.com [208.231.4.4]
12 241 ms 240 ms 240 ms ezinehub.com [64.23.0.31]

As can be seen the upstream provider is sprintlink.net and the web host most likely skynetweb.com.

This should be repeated for the provider of both the originating IP address and the SMTP server used.

The next step is to e-mail all of these people using the e-mail I constructed below:

ShaolinTiger wrote:


The following COMMERCIAL UNSOLICITED E-MAIL was received by myself at the non-published, non-used address sent to youremail-at-yourdomain.com. Please educate your users that this spam and can clog people's mailboxes and subject them to criminal prosecution.

In some states, it falls under the definition of illegal faxing without the recipient's permission. (Device having a computer, modem, and printer and capable of printing images. USC 47.5.II.227. Fine: $500 per recipient.)

In some countries, notably England, it falls under the Criminal Statutes regarding unauthorized alteration of computer data or theft of computer resources. (Theft of access time and disk space.)

Anyone affiliated to this person and/or company can be held responsible as an ACCESSORY to these CRIMINAL ACTIONS!

EDUCATE your Users or cut them off at the phone line!




E-mail this to abuse@, spam@, postmaster@ all the ISP's/Web-hosts/Services providers you identified using traceroute or Samspade.

E.g. in this case abuse-at-sprintlink.net; spam-at-sprintlink.net etc.

Include the full e-mail with full headers, proof of traceroutes and so on.

Stop the spammer, they are wasting everyones bandwidth.

I will update this document whenever I think of something to add to it, or something new comes up.

Any comments/suggestions are welcome and if you don't understand any of it ask and I will clarify.

Notice from serverph:

COPIED CONTENT from http://forums.xisto.com/no_longer_exists/
QUOTE TAGS added.

[Zero Ziat 0]

http://gishpuppy.com/ beats you heavily to the floor with a big hammer. XD

It helps more than expected when signing up.