Subject:      LESSON: Spam-tracking 101 (for newbies)
From:         bmattocks@comp-sol.com (Bill Mattocks)
Date:         1997/09/11
Message-Id:   <34174fc1.182438849@news.alpha.net>
Newsgroups:   news.admin.net-abuse.email

Are you sitting comfortably?  Good, then I'll begin.

Here is a spam I just received.  It is bad, because it is spam.  It is
bad, because it attempts to masquerade as being information I
requested to avoid detection as spam.  It is bad because it has
mangled headers to attempt to deflect complaints away from the true
perpetrators.  It is also quite funny.  Here it is, dissected for the
newer anti-spammers to watch and learn from:

First line:
>Received: from bullets.cybercon.com (bullets.cybercon.com [199.217.156.7])
>       by mail.comp-sol.com (EMWAC SMTPRS 0.83) with SMTP id ;
>       Wed, 10 Sep 1997 20:00:52 -0500

This is my mail server getting the spam from a mail server known as
bullets.cybercon.com.  Please note that the ISP listed here may well
have been innocently hijacked by the spammer; we really don't know
yet.

> Wed, 10 Sep 1997 21:02:53 -0500
>Received: from 
>From: 84903020@ix.netcom.com

This is all fake, inserted by the spammer's bulk mail software.  It
can be safely ignored.

>Received: from 199.217.156.7 (hd70-155.hil.compuserve.com [199.174.250.155])
>       by bullets.cybercon.com (8.8.5/8.8.5) with SMTP id UAA03117;
>       Wed, 10 Sep 1997 20:27:30 -0500

This line purports to show where bullets.cybercon.com actually GOT the
mail from that it relayed to me.  Please note that "199.217.156.7"
does NOT belong to "hd70-155.hil.compuserve.com."  How do we know
this?  Simple, we use a tool called nslookup (available for many
platforms).  Here is what we see:

[199.217.156.7]
Translated Name: bullets.cybercon.com
IP Address: 199.217.156.7

[hd70-155.hil.compuserve.com]
Translated Name: hd70-155.hil.compuserve.com
IP Address: 199.174.250.155

What does this all mean?  It means that the first part of the line is
bogus, but the second part is correct.  We know that because most mail
server software will report accurate information about where it got
the mail from in most cases (it has to be misconfigured or older
brain-dead software to be completely silent about where it got the
mail from).  It has been my observation that you can trust the IP
address found within the square brackets, i.e. "[199.174.250.155]".

So, we have a reasonable expectation that the spammer used a dialup
account on Compuserve to send this spam.  We still do not know if the
ISP it was sent through is innocent or guilty, though.  We will
complain to Compuserve at abuse@compuserve.com, for starters.

>Received: from usr15-dialup53.mx1.Willowsprings.mci.net [166.55.38.181] by Willowsprings.mci.net (8.8.5/8.6.5) with SMTP id GAA02664 for ; Wed, 10 Sep 1997 20:59:04 -0600 (EST)
>Date: Wed, 10 Sep 97 20:59:04 EST
>To: bullwinkle@rocky.com
>Subject: Here's  the info you requested
>Message-ID: <19970908182053.load2391.in@don>
>Reply-To: mrchicken@answerme.com
>X-UIDL: 12345678987456123012345698745612
>Comments: Authenticated sender is 

The above is all trash.  You can ignore any headers after the correct
ones are found.  That is because mailers put the headers onto the top
of the message when they pass it along, not somewhere inside the
message.  Thus, the very top message was from MY mailer, receiving the
mail.  The one right under that was from the ISP's mailer, sending it
to me and reporting where it got it from.  The rest is junk, designed
to confuse us.

Don't be fooled by "Authenticated sender" messages.  They are easily
faked, and mean nothing.  They don't "authenticate" anything.
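The top-down walk described above, as an added example that is not part of the original post: it unfolds the Received: headers, trusts only the bracketed IP of each hop, checks that each "by" host is the machine the hop above said it spoke to, and stops at the first break in the chain. The DNS table is a constructed stand-in for nslookup, filled from the answers quoted in the post; the sample headers are the spam's own, re-typed.

```python
import re

# Constructed stand-in for nslookup, from the answers quoted in the post (no live DNS).
FORWARD = {"bullets.cybercon.com": "199.217.156.7",
           "hd70-155.hil.compuserve.com": "199.174.250.155"}
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)"                  # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)\s*)?"     # optional reverse-DNS name
    r"\s*\[(?P<ip>[\d.]+)\]\)?"              # IP seen on the connection
    r"\s+by\s+(?P<by>\S+)", re.I)

# The headers dissected in the post, re-typed as sample input.
SPAM_HEADERS = """\
Received: from bullets.cybercon.com (bullets.cybercon.com [199.217.156.7])
  by mail.comp-sol.com (EMWAC SMTPRS 0.83) with SMTP id ; Wed, 10 Sep 1997 20:00:52 -0500
Received: from
Received: from 199.217.156.7 (hd70-155.hil.compuserve.com [199.174.250.155])
       by bullets.cybercon.com (8.8.5/8.8.5) with SMTP id UAA03117;
       Wed, 10 Sep 1997 20:27:30 -0500
Received: from usr15-dialup53.mx1.Willowsprings.mci.net [166.55.38.181] by Willowsprings.mci.net (8.8.5/8.6.5) with SMTP id GAA02664 for ; Wed, 10 Sep 1997 20:59:04 -0600 (EST)
"""

def received_values(raw):
    """Join continuation lines and return the Received: values, top first."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [l[9:].strip() for l in lines if l.lower().startswith("received:")]

def audit(raw):
    """Walk hops top-down; the last trusted hop's bracketed IP is the origin."""
    findings, origin, expect_by = [], None, None
    for value in received_values(raw):
        m = RECEIVED.search(value)
        if not m:   # e.g. the empty "Received: from" the bulk-mail software inserted
            findings.append("unparseable/forged: %r" % value)
            continue
        helo, rdns, ip, by = m.group("helo", "rdns", "ip", "by")
        # Each hop's 'by' host must be the machine the hop above said it spoke to.
        if expect_by and by.lower() not in expect_by:
            findings.append("chain breaks at 'by %s'; everything below is junk" % by)
            break
        if helo != ip and FORWARD.get(helo.lower()) != ip:
            findings.append("hop claims '%s' but connected from [%s] (%s)" % (helo, ip, rdns or "no reverse DNS"))
        origin, expect_by = ip, {ip, (rdns or "").lower()}
    return origin, findings
```

Running audit(SPAM_HEADERS) reports the origin as 199.174.250.155 (the Compuserve dialup), flags the forged "199.217.156.7" announcement, and stops at the mci.net hop because bullets.cybercon.com never said it received the message from Willowsprings.mci.net.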


>Everybody loves Mr. Chicken!

Ah, here's where it gets amusing!  So, let's just enjoy this spam for
a moment, shall we?

>Kids are going wild over Mr. Chicken.  Parents laugh hysterically at the sight of him.
>Why spend $50 on toys that your kids forget about the next day when for pennies
>they can have a Mr Chicken that they'll enjoy for months?
>For full details, Email MrChicken@answerme.com

Now, if we follow Rush Limbaugh's advice and "follow the money," it
would appear that the perpetrator of this spam has a mailbox at
answerme.com, and his handle is "MrChicken."  What do we know about
answerme.com?

Cyber Promotions (ANSWERME4-DOM)
   8001 Castor Avenue, Suite #127
   Philadelphia, PA 19152
   USA

Well, it happens that Cyberpromo is the owner of this particular
domain.  That kind of ends that trail for us, because Cyberpromo is a
spamhaus, and their upstream provider, AGIS, is well aware of it and
supports it.  AGIS is a "backbone" on the Internet, so there is no one
above them to complain to.  Still, since Cyberpromo CLAIMS to be
against illegal relaying, we can send a copy of the complaint to
relayabuse@cyberpromo.com and also to abuse@agis.net.  This won't do
anything, but what the heck.

>

So, that ends the spam.  Now, what about the original ISP who sent the
spam to me?  Innocent party or spamhaus?  Well, let's take a look at
their web page:  http://www.cybercon.com/aup.html

"Cybercon Acceptable User Policy

It is contrary to Cybercon policy for any user to effect or
participate in any of the following activities through a Cybercon
service:"

[snip]

"3.To send unsolicited mass emailings to more than twenty-five (25)
email users, if such unsolicited emailings provoke
     complaints from the recipients;

   4.To engage in any of the foregoing activities using the service of
another provider, but channeling such activities through a
     Cybercon account or remailer, or using a Cybercon account as a
maildrop for responses;"

Now, it would appear from looking at their homepage
(http://www.cybercon.com) and also by "reading between the lines" of
their AUP, that Cybercon is a spamhaus, however thinly disguised.
That does NOT mean that they authorized this spam, or that they were
NOT hijacked.  But the suspicion is definitely there.  In any case,
they get a copy of the complaint as well.  If they were hijacked, they
may wish to investigate further and perhaps initiate legal action.  If
they were not, they may remain silent on the matter.  In any case,
they also have an upstream provider, which can be determined by doing
a traceroute on "bullets.cybercon.com":

 1  156.46.104.254 (156.46.104.254)
 2  alpha-nomad.alpha.net (206.190.31.149)
 3  mke-1.alpha.net (156.46.1.1)
 4  chicago2-cr2.bbnplanet.net (204.167.132.9)
 5  chicago1-br1.bbnplanet.net (199.92.131.11)
 6  core5-hssi5-0.WillowSprings.mci.net (206.157.77.201)
 7  core1.NorthRoyalton.mci.net (204.70.4.205)
 8  core-hssi-2.Chicago.mci.net (204.70.1.93)
 9  border4-fddi-0.Chicago.mci.net (204.70.3.83)
10  startnet-llc.Chicago.mci.net (204.70.27.6)
11  router.cybercon.com (199.217.252.58)
12  bullets.cybercon.com (199.217.156.7)

So, we know they get their service from mci.net.  Therefore, a
complaint also goes to abuse@mci.net.

What else do we know about the elusive Cybercon?  Let's check their IP
range, to see who might own it.  We can use "whois":

 whois 199.217.156.0
[rs.internic.net]
STARNET, L.L.C. (NETBLK-STARNET-CBLK)
   P.O. Box 6286
   St. Louis, MO 63006-6286

   Netname: STARNET-CBLK
   Netblock: 199.217.128.0 - 199.217.255.0
   Maintainer: STLL

   Coordinator:
      Myers, Chris B. [President]  (CBM10)  chris@STARNET.NET
      (314) 227-3136 (FAX) (314) 716-6163

   Domain System inverse mapping provided by:

   ADMIN.STARNET.NET            199.217.253.10
   NEWS.STARNET.NET             199.217.253.11
   NS1.DRA.NET                  192.65.218.14

   Record last updated on 30-Aug-96.

So, it appears that Starnet owns their Class "C" license.  Now, let's
jump into DejaNews (the land of "all my sins remembered") and see what
we can find out:

For "cybercon.com," we find only this:

*************QUOTE*******************
2 Matches for search:  cybercon.com

1. 97/05/18 016 [email] Information /uu. news.admin.net-abus LINDSEY
JEAN NICE <
2. 97/03/01 016 [email]-BETTER THAN AOL  news.admin.net-abus LINDSEY
JEAN NICE <
***********ENDQUOTE******************

Upon reading the messages in question, it appears that they once
complained that they had been mischaracterized as "cybercoM.com" and
not "cybercon.com" and wanted a retraction printed.  OK, no spam
reports.  How about their class C ticket holder?

[nothing of consequence found]

What about doing a search for "mrchicken?"

Here is what we find:

****************QUOTE**********************

Subject:      Everyone loves Mr Chicken
From:         igynews@sprynet.com
Date:         1997/09/08
Message-Id:   <5uv7e4$qiv$1@juliana.sprynet.com>
Organization: Sprynet News Service
Newsgroups:   alt.activism.children

EVERYONE LOVES MR. CHICKEN!

Are you tired of paying hundreds of dollars for toys your kids break
or get bored of the next day?  How would you like a toy that can
provide countless hours of fun for literally pennies?  MR. CHICKEN is
the answer.  For full details, email MRCHICKEN@answerme.com

***************ENDQUOTE*********************

So, it appears that MrChicken posted an identical message a few
days ago on UseNet.  Just one, so not spam, although since it just
happened, the others may not have been picked up by DejaNews yet.
Still, we see that sprynet.com was used, not cybercon.com.  It begins
to look as though cybercon.com is NOT guilty, but either was hijacked
or has a bad actor on their hands.  So, we still complain to Cybercon,
but scratch abuse@mci.net (their upstream provider) from the list.

Now, it appears that we have done "due diligence" on our search to
find the source of the spam.  We believe that the guilty party is only
mrchicken@answerme.com.  So, here is our complaint e-mail:

To: mrchicken@answerme.com 

[NOTE - this will get me a response from their autoresponder, which
may give me more information on the identity of "Mr. Chicken."
However, it may also subject me to more spam.  I am willing to risk
it, for the sake of the exercise.  You probably do NOT want to do
this.]

From: bmattocks@comp-sol.com

Subject: SPAM REPORT ->Re: Here's  the info you requested

CC: staff@cybercon.com,support@cybercon.com,
abuse@agis.net,relayabuse@cyberpromo.com


NOTE TO CYBERCON.COM:  It would appear that your SMTP server was
either hijacked, or you have a "bad actor" on your hands.  Could you
please investigate and take action on this?

NOTE TO CYBERPROMO:  It would appear that a client of yours
(MrChicken@answerme.com) is failing to use your relay service, and may
have hijacked the SMTP server belonging to cybercon.com.  Please
investigate and take action!

NOTE TO AGIS.NET:  This spam was sent via what may well have been an
illegally hijacked SMTP server.  Please investigate and take action.

Thanks,

Bill Mattocks
Computer Solutions of Kenosha
2031 22nd Avenue
Kenosha, WI  53140
(414) 551-8088
http://www.comp-sol.com

******************************************************************************

>Received: from bullets.cybercon.com (bullets.cybercon.com [199.217.156.7])
>       by mail.comp-sol.com (EMWAC SMTPRS 0.83) with SMTP id ;
>       Wed, 10 Sep 1997 20:00:52 -0500
>From: 84903020@ix.netcom.com
>Received: from 199.217.156.7 (hd70-155.hil.compuserve.com [199.174.250.155])
>       by bullets.cybercon.com (8.8.5/8.8.5) with SMTP id UAA03117;
>       Wed, 10 Sep 1997 20:27:30 -0500
>Received: from usr15-dialup53.mx1.Willowsprings.mci.net [166.55.38.181] by Willowsprings.mci.net (8.8.5/8.6.5) with SMTP id GAA02664 for ; Wed, 10 Sep 1997 20:59:04 -0600 (EST)
>Date: Wed, 10 Sep 97 20:59:04 EST
>To: bullwinkle@rocky.com
>Subject: Here's  the info you requested
>Message-ID: <19970908182053.load2391.in@don>
>Reply-To: mrchicken@answerme.com
>X-UIDL: 12345678987456123012345698745612
>Comments: Authenticated sender is 

>
>Everybody loves Mr. Chicken!

>Kids are going wild over Mr. Chicken.  Parents laugh hysterically at the sight of him.
>Why spend $50 on toys that your kids forget about the next day when for pennies
>they can have a Mr Chicken that they'll enjoy for months?
>For full details, Email MrChicken@answerme.com


>

OK, folks, that's it for tonight.  Any questions?  If not, class is
dismissed.

Best Regards,

Bill Mattocks, CIIU


***************************************************************
*                                                             *
*  "My sense of personal integrity is none of your concern."  *
*                        -thus spake Walt "Pickle Jar" Rines  *
*                                                             *
* "I'm going to pound your balls flat with a wooden mallet."  *
*                        -thus respondeth Bill Mattocks       *
*                                                             *
***************************************************************