Re: Spam tracking


From: Gregory Alan Bolcer (gbolcer@endtech.com)
Date: Sat Jan 20 2001 - 10:19:07 PST


Hey Marco,

I am assuming from the email that you read the message
in the FoRK archive: http://xent.ics.uci.edu/FoRK-archive/july98/0106.html

You may have also seen the Beer Broiled Spam message at:
http://xent.ics.uci.edu/FoRK-archive/july98/0302.html

In reference to machine: 1Cust237.tnt9.jacksonville.fl.da.uu.net

These are probably dialup machines set up by
UUNet. Even though it mentions Jacksonville, you
can't always assume that's where the dialup or machine
is located as some big dialup companies regionalize their
servers or even just use alphabetical naming conventions.
It's almost certain that the spammer has a non-fixed
IP, so even if you can find the traceroute to the machine,
that machine may be some other innocent dialup user who
was round-robin allocated the IP number.

If you use altavista or google, you can do a search
on +1Cust237.tnt9.jacksonville.fl.da.uu.net or just +da.uu.net
and it will show you all the various people that use uunet
as their ISP. Other than that, there's not much you can
determine without enlisting the help of the network provider.

Send the full headers to abuse@uu.net; I seem to get
a lot of spam over their lines nowadays too, but they
tend to take spamming seriously. The very least they can do
is cancel the offending account; if enough accounts are registered
and re-registered, sometimes they can determine the actual registered
user or group of users and ban them. Typically the ISP is
an unwilling participant.

If you're a little more daring, you might try collecting a little
more information through ping, traceroute, last, finger, telnet, telnet port 80,
portscan, and a whole variety of other network admin tools.

Another trick is to use the networksolutions WhoIs lookup on
some of the mail headers and send the same spam complaint to the
appropriate abuse addresses for each network provider. All network
providers don't like being identified by other network providers and
spammers, so typically, if they get a spam complaint from another,
they'll handle it very quickly.

Hope this helps,

Greg

Marco Franse wrote:
>
> Hi,
>
> I noticed your name on a forum about spam tracking and I was just
> interested to know. I've recently noticed that quite a lot
> of spam originates from the IP address 63.29.57.237. Looking this up, I came
> up with the hostname
> 1Cust237.tnt9.jacksonville.fl.da.uu.net
>
> There are of course many variations of this like:
> 1Cust51.tnt26.chi5.da.uu.net
> 1cust165.tnt1.smyrna.ga.da.uu.net
> And many others. The common denominator being the da.uu.net
>
> Being a novice at this, I have been unable to trace it to an ISP. How do I
> go about doing this from the IP and hostname?
>
> Any suggestions would be appreciated.
>
> Thanks
> Marco
>
> ICQ: 20253245
> Yahoo Messenger: ozbro
> AOL IM: ozbro2536
> http://www.angelfire.com/me2/aboutmarco

-- 
Gregory Alan Bolcer        | gbolcer@endtech.com    | work: 949.833.2800
Chief Technology Officer   | http://www.endtech.com | cell: 714.928.5476
Endeavors Technology, Inc. | efax: 603.994.0516     | wap:  949.278.2805
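
Added example (not part of the original message): a Python sketch of the "send the full headers to each provider's abuse address" step described in the reply above. The sample message is constructed, the function names are hypothetical, and treating the last two hostname labels as the provider domain is a simplifying assumption.

```python
import re
from email import message_from_string

# Constructed sample; only the uu.net hostname and its IP come from the post.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP; Sat, 20 Jan 2001 09:00:02 -0800
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with SMTP; Sat, 20 Jan 2001 09:00:01 -0800
Received: from foo (1Cust237.tnt9.jacksonville.fl.da.uu.net [63.29.57.237])
\tby relay.example.net with SMTP; Sat, 20 Jan 2001 09:00:00 -0800
From: someone@example.com
Subject: constructed sample

body
"""

# "from HELO (rdns [ip])": the parenthesised part is recorded by the
# receiving server, so it is more reliable than the HELO name. Hops below
# the first server you trust can still be forged by the sender.
HOP = re.compile(r"from\s+\S+\s+\((?P<rdns>[\w.-]+)\s+\[(?P<ip>[\d.]+)\]\)")

def relay_hops(raw):
    """Return (reverse-DNS name, IP) per Received header, newest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group("rdns").lower(), m.group("ip")))
    return hops

def abuse_contacts(raw, own_domains=()):
    """Map abuse@<provider domain> to the IPs seen for that provider."""
    contacts = {}
    for rdns, ip in relay_hops(raw):
        # Assumption: provider domain = last two labels (wrong for co.uk etc.)
        domain = ".".join(rdns.split(".")[-2:])
        if domain in own_domains:
            continue  # skip your own mail servers
        contacts.setdefault("abuse@" + domain, []).append(ip)
    return contacts

if __name__ == "__main__":
    for addr, ips in abuse_contacts(SAMPLE, own_domains=("example.org",)).items():
        print(addr, ips)
```
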



This archive was generated by hypermail 2b29 : Sun Jan 21 2001 - 04:07:18 PST