SUMMARY: anti-spam tracing

From: Jeff Graham (demit@best.com)
Date: Fri Apr 10 1998 - 20:02:41 CDT


This is going to be short as it is very simple; the only reason I am posting
this at all is that a number of people asked how I tracked the people back.

I simply used the authoritative DNS servers for the machines in question,
then mailed abuse@<domain> for those domains.

For example (since we are talking about inexchange here), let's take the
inexchange spams.

A whois inexchange.net returns:

Internet Exchange (INEXCHANGE3-DOM)
   1609 W 32 ST
   Ft Lauderdale, FL 33309

   Domain Name: INEXCHANGE.NET

   Administrative Contact, Technical Contact, Zone Contact:
      Info Desk (ID97-ORG) info@INEXCHANGE.NET
      (954)242-6141
   Billing Contact:
      Info Desk (ID97-ORG) info@INEXCHANGE.NET
      (954)242-6141

   Record last updated on 17-Mar-98.
   Record created on 11-Dec-97.
   Database last updated on 10-Apr-98 03:56:45 EDT.

   Domain servers in listed order:

   NS1.LINKUS.COM 207.93.198.6
   NS2.LINKUS.COM 207.93.198.7

Before trying these, though, you should find out if it properly routes mail.

So a dig inexchange.net MX returns:

; <<>> DiG 8.1 <<>> inexchange.net MX
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUERY SECTION:
;; inexchange.net, type = MX, class = IN

;; ANSWER SECTION:
inexchange.net. 1D IN MX 5 mail.inexchange.net.

;; AUTHORITY SECTION:
inexchange.net. 1D IN NS NS1.LINKUS.COM.

;; ADDITIONAL SECTION:
mail.inexchange.net. 1D IN A 209.64.244.254
NS1.LINKUS.COM. 1D IN A 207.93.198.6

;; Total query time: 161 msec
;; FROM: alpine to SERVER: default -- 127.0.0.1
;; WHEN: Fri Apr 10 17:30:35 1998
;; MSG SIZE sent: 32 rcvd: 113

So we know that a mechanism for mail handling exists. An abuse user is
another matter. You can try telnet mail.inexchange.net 25, but most external
mail servers hide the user lists from you, so basically the only sure way
is to try to send mail there.

So I checked similarly for a mail server at the uplink. It is going to be
rare, if ever, that you find that a customer of an ISP has an MX record but
the ISP itself does not. But it does happen.

Noting that both of these had mail handling servers, I fired off an email
including the spam and a brief statement about the mailing list to both
abuse@inexchange.net and abuse@linkus.com. After giving them 48 hours to
answer (even automated), I figured that they were not going to answer and
escalated. The reason the original mail was to both abuse@inexchange AND
linkus.com was that sometimes when an abuser sees his uplink (be it
ISP or IAP or whatever) they clean up their act quicker.

So following the whois example, we find that netcom handles traffic for
linkus. I then reported the problem to abuse@netcom.com. I DID receive
an answer from abuse telling me they were looking into the problem. I have
the feeling that the account was not pulled but that someone told them to
stop spamming the lists with their ad. As this is an acceptable result,
I stopped here.

As a side note, spamming back a spammer to cause a DoS is not really right;
a DoS is a DoS (Denial of Service) in itself. I do not feel personally
that spamming back is the right answer, as I feel that ALL spam is bad.
Sending a copy back as part of a complaint is NOT spam, nor is blackholing
the spammer; those are two things that can be done that are correct.

As a user, you can use something like filtering reactively to get rid
of this repetitive spamming.

There is an alternate method of finding uplinks: follow a traceroute
from your host to the destination. Make sure you don't complain to YOUR
uplinks, though. :)

NOTE: I don't really think that I was the primary one who got this removed,
but from the mails I got, a few of us took one of the right paths to complain
and it got removed.

If anyone has anything to add to this, please email me separately, and if there
is sufficient interest we can have another summary or a FAQ/HOWTO on how
to track and complain about this. I would be willing to coordinate this.

Sorry for the time delay on the summary, but I wanted to make sure the
spamming was over and that I had all input from people that wanted to chip in.

Thanks to: James Hsieh (jhsieh@soe.ucsd.edu) [bell south end of things]
                Rob McCauley (robmccau@RadOnc.Duke.EDU) [fwd spam to netcom]
                Miquel Cabanas (miquel@proton.uab.es) [traceroute method]
                Jason Axley (jason.axley@attws.com) [linkus complaint]
                Don Lewis (Don.Lewis@tsc.tdk.com) [netcom 15 day disconnect
                                                   information]
                Jim Robetori (jimr@ltopskris.pr.lucent.com) [alternate method]
                Mark Luntzel (markl@babycenter.com) [http://www.cauce.org/
                                                     link]

All the responses I got were mostly uninteresting other than to say action
was being taken. So in hopes of brevity (too late :) ) I am leaving them
out.

-- 
Jeffrey Graham                      | Public key available for PGP-encryption
Senior Systems Administrator (UNIX) | by request. 
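
The procedure in the post (whois the spamming domain, confirm it has an MX
so abuse@ mail will route, take the authoritative nameservers as the uplink,
and complain to abuse@ at both) is easy to script once the tool output is in
hand. The following is an added example, not code from the original post or
from any of the sites mentioned: it parses raw whois and dig output of the
exact shape quoted above (the sample text below is the post's own output,
embedded so the script runs offline) into the list of abuse@ addresses to
write to. It assumes that the uplink's domain is the last two labels of each
nameserver hostname, which holds for .com/.net names like NS1.LINKUS.COM but
would need a public-suffix lookup for names under two-level TLDs.

```python
#!/usr/bin/env python3
"""Added example: derive abuse@ report targets from whois and dig output.

Not from the original post; assumes the 'last two labels' uplink heuristic
described in the lead-in.
"""
import re

# Constructed sample input: the whois and dig output quoted in the post,
# embedded verbatim so this runs without network access.
WHOIS_INEXCHANGE = """\
Internet Exchange (INEXCHANGE3-DOM)
   1609 W 32 ST
   Ft Lauderdale, FL 33309

   Domain Name: INEXCHANGE.NET

   Record last updated on 17-Mar-98.

   Domain servers in listed order:

   NS1.LINKUS.COM 207.93.198.6
   NS2.LINKUS.COM 207.93.198.7
"""

DIG_INEXCHANGE_MX = """\
; <<>> DiG 8.1 <<>> inexchange.net MX
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; QUERY SECTION:
;; inexchange.net, type = MX, class = IN

;; ANSWER SECTION:
inexchange.net. 1D IN MX 5 mail.inexchange.net.

;; AUTHORITY SECTION:
inexchange.net. 1D IN NS NS1.LINKUS.COM.

;; ADDITIONAL SECTION:
mail.inexchange.net. 1D IN A 209.64.244.254
NS1.LINKUS.COM. 1D IN A 207.93.198.6

;; Total query time: 161 msec
"""

# A nameserver line in the whois listing: hostname followed by a dotted-quad IP.
NS_LINE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s+\d{1,3}(?:\.\d{1,3}){3}\s*$")


def nameservers_from_whois(text):
    """Hostnames listed under 'Domain servers in listed order:'."""
    servers, in_list = [], False
    for line in text.splitlines():
        if "Domain servers in listed order" in line:
            in_list = True
            continue
        if not in_list:
            continue
        m = NS_LINE.match(line)
        if m:
            servers.append(m.group(1))
        elif line.strip() and servers:
            break  # first non-blank, non-matching line ends the list
    return servers


def dig_records(text, section, rtype):
    """rdata fields of every `rtype` record in one dig section.

    Record lines have the form: owner ttl class type rdata...
    Comment lines start with ';' and the ';; X SECTION:' ones switch section.
    """
    records, in_section = [], False
    for line in text.splitlines():
        if line.startswith(";"):
            in_section = line.strip() == f";; {section} SECTION:"
            continue
        fields = line.split()
        if in_section and len(fields) >= 5 and fields[2] == "IN" and fields[3] == rtype:
            records.append(fields[4:])
    return records


def registrable_domain(hostname):
    """Assumption: the uplink's domain is the last two labels of the hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mx_hosts(dig_text):
    """(preference, host) for each MX in the answer section, lowest first."""
    return sorted((int(r[0]), r[1].rstrip(".").lower())
                  for r in dig_records(dig_text, "ANSWER", "MX"))


def abuse_targets(domain, whois_text, dig_text):
    """abuse@ for the domain, then for each distinct uplink named as its
    authoritative nameserver (from whois and from dig's authority section)."""
    if not mx_hosts(dig_text):
        raise ValueError(f"{domain} has no MX record; mail to abuse@ would not route")
    targets = [f"abuse@{domain.lower()}"]
    uplinks = nameservers_from_whois(whois_text)
    uplinks += [r[0] for r in dig_records(dig_text, "AUTHORITY", "NS")]
    for ns in uplinks:
        addr = f"abuse@{registrable_domain(ns)}"
        if addr not in targets:
            targets.append(addr)
    return targets


if __name__ == "__main__":
    print(abuse_targets("inexchange.net", WHOIS_INEXCHANGE, DIG_INEXCHANGE_MX))
```

Feeding it the post's output yields abuse@inexchange.net followed by
abuse@linkus.com, the same two addresses the post mailed first; the check
that an MX exists before building the list is the "does it properly route
mail" step, and the ordering keeps the abuser's own address first so the
uplink is visibly copied.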



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:36 CDT