Spam-tracking 104:
A spammer unmasked
by Bill Mattocks

This is an actual case study of a spam that I received today and tracked to the source. It is intended as a lesson for the uninitiated or the beginner in spam-tracking. It shows that with patience, all things are possible.


Are you sitting comfortably? Good, then I'll begin.

Today I got spam. That's nothing new, I get spam everyday. But this spam was from Wisconsin, and I happen to live in Wisconsin. I feel a powerful need to get rid of spam in Wisconsin. So, here is what happened and what I did about it.
 

This is the spam I got:

>Received: from mail.tds.net (unverified [204.246.1.2]) by mail.comp-sol.com
>(EMWAC SMTPRS 0.83) with SMTP id <B0000040843@mail.comp-sol.com>;
> Mon, 06 Oct 1997 15:55:11 -0500
>Received: from Comp1 (mewi0-a10.midway.tds.net [204.246.12.107])
>by mail.tds.net (8.8.5/8.8.5) with SMTP id PAA03860;
>Mon, 6 Oct 1997 15:19:42 -0500 (CDT)
>Date: Mon, 6 Oct 1997 15:19:42 -0500 (CDT)
>Message-Id: <199710062019.PAA03860@mail.tds.net>
>From: webbs@tds.net
>Subject: Your Home And Family

>YOUR HOME AND FAMILY

>Now available, (Your Home and Family), the consumer guide everyone
>has been asking for.

>This guide is filled with information every household should be
>aware of. Protect yourself and your family, be informed of the
>real life events that can happen to you and your household.

>Read about wills and trusts (don’t let the government take
>everything)!

>Parents worst fears- (Drug Abuse, maybe its already there)! Be
>informed!

>Dealing with divorce “Get It Together” “Not The End”.

>Safeguards against rape....Don’t let it happen to you, worse yet
>a member of your family!

>Household: Don’t let your house get the better of you, TAKE
>CONTROL!

>This guide is packed full of important information that you will
>want to share with friends and other family members.

>This is “MUST HAVE INFORMATION”. Get this NOW!

>Send for your copy today! Here is how to order: Send check or
>money order for $29.95 (shipping and handling included in price)
>to:

>Affordable Services
>PO Box 352
>Medford, WI 54451

>PS: You won’t believe the startling information in the guide!
>Order an extra report for your friends and neighbors! Give
>yourself a little piece of mind.


Normally, this is the most innocuous type of spam. It purports to sell a report, but it is not MLM, a pyramid scheme, or a chain letter. The sender appears not to have hijacked a mail server to send the spam. The return address could even be legitimate, for all I know.
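The conclusion that no mail server was hijacked comes from reading the two Received: lines in the quoted headers from the bottom up. As an added example (not part of Bill Mattocks' post or of this site's own material), the following Python walks that chain programmatically; the sample message is constructed from the headers quoted above with the ">" quote marks removed, and the dictionary field names and function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header block quoted in the case study, with the
# '>' quote marks removed so the standard library parser can read it.
SAMPLE = """\
Received: from mail.tds.net (unverified [204.246.1.2]) by mail.comp-sol.com
 (EMWAC SMTPRS 0.83) with SMTP id <B0000040843@mail.comp-sol.com>;
 Mon, 06 Oct 1997 15:55:11 -0500
Received: from Comp1 (mewi0-a10.midway.tds.net [204.246.12.107])
 by mail.tds.net (8.8.5/8.8.5) with SMTP id PAA03860;
 Mon, 6 Oct 1997 15:19:42 -0500 (CDT)
Date: Mon, 6 Oct 1997 15:19:42 -0500 (CDT)
Message-Id: <199710062019.PAA03860@mail.tds.net>
From: webbs@tds.net
Subject: Your Home And Family

YOUR HOME AND FAMILY
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Split one Received: value into the fields a spam tracker cares about.

    Only what the receiving server wrote inside the parentheses (the reverse-DNS
    name and the bracketed IP) comes from the server itself; the name right
    after 'from' is whatever the sending client announced in HELO.
    """
    value = re.sub(r"\s+", " ", value).strip()
    hop = {"helo": None, "rdns": None, "ip": None, "by": None,
           "id": None, "time": None, "raw": value}
    m = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", value)
    if m:
        hop["helo"] = m.group(1)
        note = m.group(2) or ""
        ip = IP_RE.search(note)
        hop["ip"] = ip.group(1) if ip else None
        # a dotted token outside the brackets is the reverse-DNS name the server saw
        names = [t for t in note.split() if "." in t and not t.startswith("[")]
        hop["rdns"] = names[0] if names else None
    m = re.search(r"\bby\s+(\S+)", value)
    if m:
        hop["by"] = m.group(1)
    m = re.search(r"\bid\s+([^;\s]+)", value)
    if m:
        hop["id"] = m.group(1)
    if ";" in value:
        try:
            hop["time"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            hop["time"] = None
    return hop


def parse_received(raw_message):
    """Return the Received: hops in header order (top of the header first)."""
    msg = message_from_string(raw_message)
    return [parse_hop(v) for v in msg.get_all("Received", [])]


def origin(hops):
    """Servers prepend their Received: line, so the bottom one is the first
    hop: the host from which the message entered the mail system."""
    return hops[-1] if hops else None


def handoff_breaks(hops):
    """Each server's 'by' name should reappear as the next server's 'from'
    name. A mismatch means a hop was forged or a relay lied about itself."""
    breaks = []
    for upper, lower in zip(hops, hops[1:]):
        if lower["by"] != upper["helo"]:
            breaks.append((lower["by"], upper["helo"]))
    return breaks


def transit_seconds(hops):
    """Seconds between the first hop's timestamp and the last server's."""
    times = [h["time"] for h in hops if h["time"] is not None]
    if len(times) < 2:
        return None
    return int((times[0] - times[-1]).total_seconds())


if __name__ == "__main__":
    hops = parse_received(SAMPLE)
    first = origin(hops)
    print("message entered at", first["ip"], "(", first["rdns"], ")",
          "announcing itself as", first["helo"], "to", first["by"])
    print("hand-off mismatches:", handoff_breaks(hops) or "none")
    print("transit time:", transit_seconds(hops), "seconds")
```

On the sample, the origin is the dial-up host 204.246.12.107 (reverse DNS mewi0-a10.midway.tds.net) calling itself "Comp1", handed to mail.tds.net, which then hands to mail.comp-sol.com with the names lining up, which is why the spammer's own ISP rather than a hijacked relay is the right place to complain. handoff_breaks compares names only, so a server that writes its canonical name in 'by' while the next hop records an alias for the same machine will show as a false positive; the bracketed IPs are the reliable join key when that happens.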

Therefore, it is not illegal on its face. Sending spam itself is legal, so it would appear that no laws were broken, except that I was unhappy over having gotten the spam in the first place.

So, I sent a letter of complaint to the postmaster at TDS.NET, letting them know that they are harboring a spammer. If they don't permit spamming, they may well terminate the begger. If I never get spam from him again, that should be the end of it, right?

Wrong.

I also did a little checking. Curious sort, am I. I used DejaNews to check out the city of Medford, WI (that's where I'm supposed to send the money for the report to, right?). Here is what I got back:

>1. 97/10/05 028 [email] (UCE) Your Home news.admin.net-abus "Nasty Mama"

Ok, so it appears that Nasty Mama has also gotten this spam and has taken some action. But wait, there's more:

>10. 97/09/23 026 [email] Pyramid Sche#1/2 news.admin.net-abus Todd C. Lawson

Oh-ho! Pyramid scheme, eh? Well, let's just take a look!

>Subject: [email] Pyramid Scheme from newnorth.net (Your Free Report)
>From: Todd C. Lawson <tlawson@amug.org>
>Date: 1997/09/23
>Message-Id: <v03110703b04d9662ef4b@[204.62.193.226]>
>Newsgroups: news.admin.net-abuse.sightings
>[More Headers]

>X-Reply-to: news.admin.net-abuse.email
>Abuse-spotted-in: mailbox tlawson@amug.org
>Abuse-Subject: Your Free Report
>Type-of-abuse: Unsolicited Email, Pyramid Scheme
>Description: Pyramid Scheme

[snip - VERY excellent information from Todd Lawson on what a pyramid scheme is, and why it is illegal. For a copy of his report, use DejaNews and search for Todd Lawson.]

>Return-Path: webbs321@newnorth.net

Whups, not from TDS.NET, but from NEWNORTH.NET, which is another local ISP in rural Wisconsin. Ok, so maybe this guy got bounced based on Todd's complaint. Notice the similarity in user names, though (webbs vs. webbs321).

[snip rest of headers]

>Free Report

>Students! Professionals! Unemployed! Absolutely anyone can use this
>information to
>make cash anytime they want. Read and save this report to use time and >time again

[snip much pyramid stuff, we've all seen it.]

>This program has remained successful
>because of the
>HONESTY Integrity the participants.

[Well, not only does our unknown spammer send illegal pyramid schemes, but he is also a liar, as I will also show!]

[snip - more pyramid stuff]

>HERE IS THE LIST OF NAMES TO SEND TO:

>1. R.D.Haar, 1628 Hillcrest St. Mesquite, TX 75149 Fargo, USA

>2. James Shanahan, 2/16 Myola St., Mayfield 2304, Australia

>3. Diane Wicke, PO box 32, Jump River, WI 54434, USA

>4. Affordable Services, PO Box 352, Medford, WI 54451, USA

[But wait - here is the man who sent me the UCE! ^^^^^^^ ]

>5. Scott Webster, 939 High Street #102, Rib Lake, WI 54470, USA

[And who could this be???]

>Mail $1.00 to each of the 5 names listed above. SEND CASH ONLY
>(Total investment:

[snip - more pyramid scheme]

>REMEMBER - THIS PROGRAM FAILS ONLY IF YOU ARE NOT HONEST
>-PLEASE!! PLEASE BE HONORABLE...IT DOES WORK! THANK YOU


[yet another exhortation to BE HONEST!!!]

Ok, so now we know that webbs@TDS.NET sends UCE and pyramid scheme UCE. We could stop there and just mail a copy of this pyramid scheme to:

POSTMASTER
MEDFORD, WI 54451
 

And we'd be done with it. But I'm just a curious guy, so I took the very last step in identifying this spammer. I called the US Post Office in Medford, WI at (715) 748-3981. Remember, if the holder of a US Post Office Box lists their PO Box as being used for business, the information is open to the public.

If they check off the little box that says that they are NOT doing business with the public, then you can't get the info, but then they are committing perjury (PO Box applications are legal documents). It seems our spammer DID want to be just a little bit honest though, because the post office told me who he is (drum roll, please):

Scott's Affordable Services
939 High Street
# 102
Rib Lake, WI 54470

Oh gee. Seems like Mister Scott Webster from our pyramid scheme above and Affordable Services from the same list are indeed the same person. On top of that, I would venture a guess to say that webbs and webbs321 both mean Scott Webster, huh?

So, same person all the way around. He just could not restrain himself from cheating on his very own pyramid scheme, the one he warns people NOT to cheat on. Shame, shame, Mr. Webster.

Now, I complain to his ISP. I print a copy of the pyramid scheme that was previously posted to news.admin.net-abuse.sightings by Todd Lawson, and I send it to the postmaster at Rib Lake, WI, and Medford, WI.


Our nasty little spammer is going to stop bouncing from ISP to ISP, because he is going to jail.

Thus endeth the lesson.

Best Regards, Bill Mattocks, CIIU

Derived from an HTML translation by Marek Jedlinski www.lodz.pdi.net/~eristic of a usenet post by Bill Mattocks

Notes:
Good info available on deciphering forged email headers at:
The alt.spam FAQ http://ddi.digital.net/~gandalf/spamfaq.html


whois
Queries the network registries (whois.internic.net, Network Solutions) to find contact information for the current domain or IP address.

nslookup
A DNS tool that performs forward and reverse DNS queries for the current address (this will usually give you the IP address of a hostname, or the hostname of an IP address)... see Advance dig

traceroute
Finds the route packets take between you and the selected address... see Advance dig
