It should be noted that just about everything in the email header can get forged except for the IP address in the Received line and the header timestamps (but NOT the "Date:" timestamp!!). The reason for this is that the Internet used to be used only by governments and academic institutions, and everyone was honest. Unfortunately, this has not been true since around 1995. Sendmail, SMTP, and TCP/IP in general were not designed with security or authentication in mind.
From the raw email spool (in /var/mail on Solaris machines):
From fredlans4@myrealbox.com Tue Mar 20 20:45:34 2001
    <-- the envelope "MAIL FROM:" address
X-UIDL: 73#"!iT8!!iLG!!fC:"!
Received: from local (1Cust247.tnt1.nashua.nh.da.uu.net [63.24.55.247])
        by mailserver.victim.com (8.11.2/8.11.2) with SMTP id f2L1iv523452
        for <victim@victim.com>; Tue, 20 Mar 2001 20:45:30 -0500 (EST)
    <-- There is only 1 Received line so this came directly from a UU.NET dial up account.
    <-- victim@victim.com is the "RCPT TO:" address from the envelope
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7BIT
Date: Tue, 20 Mar 2001 17:52:50 -0500
From: fredlans4@hotdeals.com
    <-- Could be forged, many people think that this is the actual From address, but it is not!
Subject: FREE Special Report: Search Engine Optimization
Message-Id: <oxsukej.enifjipetymrqkurdya@local host>
    <-- the Message-Id is mangled, obviously used a SPAM program
To: @victim.com
    <-- The To: is mangled, once again, a SPAM program
Content-Length: 2004
Status: RO
Spam message <snipped>
Now, to see what was really going on, we look at the mailserver log file:
Mar 20 20:44:56 mailserver sendmail[23451]: [ID 801593 mail.info] NOQUEUE: connect from 1Cust247.tnt1.nashua.nh.da.uu.net [63.24.55.247]
Mar 20 20:44:56 mailserver sendmail[23451]: [ID 702911 mail.info] SASL: available mech=LOGIN GSSAPI DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN DIGEST-MD5 CRAM-MD5
Mar 20 20:44:56 mailserver sendmail[23451]: [ID 801593 mail.info] f2L1it523451: --> 220 mailserver.victim.com ESMTP Sendmail 8.11.2/8.11.2; Tue, 20 Mar 2001 20:44:56 -0500 (EST)
Mar 20 20:44:56 mailserver sendmail[23451]: [ID 801593 mail.info] f2L1it523451: <-- HELO local host
Mar 20 20:44:56 mailserver sendmail[23451]: [ID 801593 mail.info] f2L1it523451: --> 250 mailserver.victim.com Hello 1Cust247.tnt1.nashua.nh.da.uu.net [63.24.55.247], pleased to meet you
Mar 20 20:44:57 mailserver sendmail[23451]: [ID 801593 mail.info] f2L1it523451: <-- MAIL FROM: <fredlans4@myrealbox.com>
Mar 20 20:45:29 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: --> 451 <fredlans4@myrealbox.com>... myrealbox.com: Name server timeout
Mar 20 20:45:29 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: --> 050 <fredlans4@myrealbox.com>... Transient parse error -- message queued for future delivery
Mar 20 20:45:29 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: --> 451 <fredlans4@myrealbox.com>... myrealbox.com: Name server timeout
    <-- Obviously, myrealbox.com is not a real domain name or their DNS is down
Mar 20 20:45:29 mailserver last message repeated 1 time
Mar 20 20:45:29 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: --> 250 2.1.0 <fredlans4@myrealbox.com>... Sender ok
Mar 20 20:45:30 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: <-- RCPT TO:<victim@victim.com>
Mar 20 20:45:30 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: --> 250 2.1.5 <victim@victim.com>... Recipient ok
Mar 20 20:45:31 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: <-- DATA
Mar 20 20:45:31 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: --> 354 Enter mail, end with "." on a line by itself
Mar 20 20:45:33 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: from=<fredlans4@myrealbox.com>, size=2279, class=0, nrcpts=1, msgid=<oxsukej.enifjipetymrqkurdya@local host>, proto=SMTP, daemon=MTA, relay=1Cust247.tnt1.nashua.nh.da.uu.net [63.24.55.247]
Mar 20 20:45:34 mailserver sendmail[23452]: [ID 801593 mail.info] f2L1iv523452: --> 250 2.0.0 f2L1iv523452 Message accepted for delivery
Mar 20 20:45:34 mailserver sendmail[23454]: [ID 801593 mail.info] f2L1iv523452: to=<victim@victim.com>, delay=00:00:04, xdelay=00:00:00, mailer=local, pri=32014, dsn=2.0.0, stat=Sent
Mar 20 20:45:34 mailserver sendmail[23454]: [ID 801593 mail.info] f2L1iv523452: done; delay=00:00:04, ntries=1
Mar 20 20:45:34 mailserver sendmail[23451]: [ID 801593 mail.info] f2L1it523451: <-- QUIT
Mar 20 20:45:34 mailserver sendmail[23451]: [ID 801593 mail.info] f2L1it523451: --> 221 2.0.0 mailserver.victim.com closing connection