/Culture/ Fight the good fight
28/09/2006 | Filed under Discover > Culture

Tired of being pelted with spam emails, Mike Williams decided to expose the scammers and make them stop. Read this account of one man’s mission to make a difference to the rising tide of spam.
(words: Mike Williams - A .net stalwart, Mike is our resident security expert)
It started so simply, with a single email to info@nuetools.co.uk. The company claimed that it would market my business to global subscribers: “Our members have expressly accepted to receive commercial material from our clients. So, your ad will be welcome”. Which would have been great, except I hadn’t heard of the company, and the info@nuetools.co.uk address that received this message had never been used. Ever.
The sender was actually sending spam to advertise their opt-in mailing service, which puts them amongst the stupidest spammers of all time.
You’ve probably come across similar junk emails on a regular basis, and there’s no shortage of ways to try to deal with them. Obviously installing a spam blocker is a good way to start the ball rolling: Mailwasher (www.mailwasher.net), SpamExperts (www.spamexperts.com) and Spamihilator (www.spamihilator.com) all have free software, while SpamAssassin (www.spamassassin.apache.org) is effective, though more difficult to set up.
Of course, none of these tools offer 100 percent protection, which is why the ludicrous spam marketing offer reached my personal email inbox. So I just deleted it. But then another copy arrived, then another, then three more, and something inside me snapped. Suddenly I’d had enough passively reacting to everything these relentless time-wasting spammers might do. It was finally time to fight back.
Header analysis
Most spammers – even the really, really stupid ones – realise that their activities may annoy people from time to time, so they go to great pains to ensure that you can’t track them down very easily. The ‘from’ name and email address will almost certainly be forged, meaning that there’s no point at all in complaining to the ISP of whoever appears in the ‘from’ line.
You could try checking the header of the offending email, though (simply right-click it in Outlook Express, select Properties > Details > Message Source). Every mail server that handles a message adds its own ‘Received:’ line at the top, so the chain reads newest-first. Start with the line added by your own provider’s server and work downwards: the first ‘Received: from’ line your provider added names the host that connected to it, with its IP address in square brackets, and that is your spam source. Don’t go any further down than that. The lines below it were supplied by the sending machine, and can be forged just as easily as the ‘from’ address.
Of course, you still don’t know who they are, but the ISP who owns that address, in theory, should. Locate them by entering the address in the Abuse Lookup box at DNSStuff (www.dnsstuff.com), or the Abusive Hosts Blocking List (www.ahbl.org/tools/lookup.php), and look for the abuse contact. A plain WHOIS query on the IP address gives the same answer, because the address allocation record lists the network owner and usually an abuse mailbox.
This usually comes in the form of abuse@something; mine was abuse@verizon.net. I prepared an email complaining about the spam, then copied and pasted in three examples of the offending messages (using Message Source again to include the headers) to back up my rant, and sent it.
It didn’t have much effect. An email apology arrived but that was about it, and the same marketing spam kept coming. To be fair, there’s a limit to what ISPs can do, especially as spam is often sent from zombie PCs. Detecting one of those won’t reveal the spammer – I needed another technique to do that.
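The Received-line walk described above, as an added worked example in Python (my own illustration for this piece, not code from the original article). The provider hostnames, IP addresses and the sample message are all constructed; substitute the names of your own provider’s mail servers in TRUSTED_RELAYS. The point it demonstrates is the one that matters: only the lines your own provider wrote are evidence, and the walk stops at the first handoff rather than reading the spammer-supplied lines beneath it.

```python
"""Walk a message's Received: chain to find the IP that handed it to your provider.

Added example for this article, not code from the original page. The
provider hostnames, addresses and the sample message are all constructed.
"""
import email
import ipaddress
import re
from email import policy

# Constructed: the mail servers belonging to "our" provider. Only Received:
# lines written by these hosts can be trusted; anything below them is text
# the sender controls.
TRUSTED_RELAYS = {"mx.example-isp.net", "imap.example-isp.net"}
TRUSTED_IPS = {ipaddress.ip_address("198.51.100.10")}

# Hops inside a provider's own network (RFC 1918, loopback) are not the origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: spam injected from a broadband address, relayed by our
# provider. The lowest Received: line was forged by the sender to suggest an
# innocent-looking upstream host.
RAW_MESSAGE = b"""Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.10])
\tby imap.example-isp.net with ESMTP id abc123
\tfor <info@nuetools.co.uk>; Thu, 28 Sep 2006 10:00:00 +0100
Received: from mail.planet-target.com (dsl-pool-77.example.net [203.0.113.77])
\tby mx.example-isp.net with SMTP id xyz789
\tfor <info@nuetools.co.uk>; Thu, 28 Sep 2006 09:59:58 +0100
Received: from trusted-bank.example (trusted-bank.example [10.0.0.5])
\tby mail.planet-target.com; Thu, 28 Sep 2006 09:59:50 +0100
From: "Marketing" <marketing@nuetools.co.uk>
To: info@nuetools.co.uk
Subject: Your ad will be welcome

Our members have expressly accepted to receive commercial material.
"""

_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return (relay that wrote this line, IP it received from); either may be None."""
    flat = " ".join(str(value).split())          # unfold the header
    by = _BY_RE.search(flat)
    ip = _IP_RE.search(flat)
    try:
        addr = ipaddress.ip_address(ip.group(1)) if ip else None
    except ValueError:                            # malformed bracketed address
        addr = None
    return (by.group(1).lower() if by else None, addr)


def received_chain(raw):
    """Received: lines newest-first, exactly as the message presents them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def origin_ip(raw, trusted_relays=TRUSTED_RELAYS, trusted_ips=TRUSTED_IPS):
    """First untrusted IP seen by a trusted relay, walking top-down; None if inconclusive."""
    for by, ip in received_chain(raw):
        if by not in trusted_relays:
            return None       # left our provider's servers without finding a handoff
        if ip is None or ip in trusted_ips or any(ip in n for n in INTERNAL_NETS):
            continue          # internal hop between our provider's own machines
        return ip
    return None


def untrusted_lines(raw, trusted_relays=TRUSTED_RELAYS):
    """Received: lines our provider did not write -- the part the sender controls."""
    return [(by, ip) for by, ip in received_chain(raw) if by not in trusted_relays]


if __name__ == "__main__":
    print("origin:", origin_ip(RAW_MESSAGE))
    print("sender-controlled lines:", untrusted_lines(RAW_MESSAGE))
```

Run against the constructed message it reports 203.0.113.77 as the origin and lists the bottom line (supposedly from ‘trusted-bank.example’) as untrusted. That IP is what goes into the abuse lookup or a WHOIS query; the hostnames in the forged line are worthless.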
Trace the host
If you can’t locate the source of a particular junk email, then the next best approach is to look at whatever they’re trying to sell. With any luck there’ll be a link to a web page that will offer further opportunities to find out more about the sender.
I want to emphasise here that it’s vital you don’t click on email links in spam. Don’t do it. Not ever. These links often lead to malware-infested sites, ready to use the latest browser exploits to infect your PC with something unpleasant. Read the link’s real destination from the message source instead; the text you see on screen and the address it actually points to are often not the same thing.
Unfortunately, the alternatives to this are quite weak. You could try entering the domain name into the DNSStuff (www.dnsstuff.com) WHOIS Lookup box, for instance. In theory this might give you the contact details for whoever registered the domain, but in practice the information is often faked, or registered through a proxy service, which means the real owner isn’t listed.
Still, this report should also include the name servers, which will look similar to ns1.webhost.com and ns2.webhost.com. The webhost.com part may point you to the company that’s hosting the site, in which case you can try contacting them and complaining that one of their customers is spamming you. It’s not necessarily as simple as that, though: the name servers only tell you who runs the domain’s DNS, and the web pages themselves may be hosted elsewhere. The spam emails I got were promoting a site called planet-target.com. While they made use of Yahoo!’s DNS servers, and appeared to use its other services, when I complained to them, Yahoo!’s response was that it had no involvement with them. All this really wasn’t getting me very far. It was time to take a risk.
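Reading link destinations out of the message source, rather than clicking, is easy to do by hand for one message and tedious for a folder full of them. The following is an added worked example in Python (my own, not code from the original article) that pulls every link out of an HTML spam body, compares the address shown to the reader with the host the link really goes to, and lists the hosts you would then put into a WHOIS lookup. The HTML body and all hostnames in it are constructed for illustration.

```python
"""Read where a spam message's links really point without opening any of them.

Added example for this article, not code from the original page. The HTML
body below is constructed; the hostnames in it are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body. The second link shows a PayPal address as its text
# but points somewhere else entirely, which is exactly the kind of thing you
# only notice by reading the source rather than clicking.
HTML_BODY = """
<p>Reach millions of opted-in subscribers at
<a href="http://www.planet-target.com/order?id=42">www.planet-target.com</a></p>
<p>Pay securely via <a href="http://203.0.113.9/paypal/login">https://www.paypal.com/</a></p>
<p><a href="mailto:sales@planet-target.com">Contact sales</a></p>
"""

_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname part of a URL, lower-cased, or '' if it has none (e.g. mailto:)."""
    return (urlsplit(url).hostname or "").lower()


def shown_host(text):
    """Hostname the link *appears* to go to, judged only from its visible text."""
    if text.lower().startswith(("http://", "https://")):
        return host_of(text)
    m = _DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def link_report(html_body):
    """One entry per link: scheme, real target host, displayed host, mismatch flag."""
    parser = _LinkCollector()
    parser.feed(html_body)
    report = []
    for href, text in parser.links:
        scheme = urlsplit(href).scheme.lower()
        target = host_of(href)
        shown = shown_host(text)
        report.append({
            "href": href,
            "scheme": scheme,
            "target_host": target,
            "shown_host": shown,
            # Text claims one site while the link goes to another: a classic lure.
            "mismatch": scheme in ("http", "https") and shown is not None and shown != target,
        })
    return report


def hosts_to_lookup(html_body):
    """Web hosts worth a WHOIS or abuse lookup, sorted, without visiting any of them."""
    return sorted({r["target_host"] for r in link_report(html_body)
                   if r["scheme"] in ("http", "https") and r["target_host"]})


if __name__ == "__main__":
    for r in link_report(HTML_BODY):
        flag = "  <-- text and target disagree" if r["mismatch"] else ""
        print(f"{r['href']}\n    shows {r['shown_host']!r}, goes to {r['target_host']!r}{flag}")
    print("look up:", hosts_to_lookup(HTML_BODY))
```

On the constructed body this flags the ‘PayPal’ link, whose text says www.paypal.com but whose target is a bare IP address, and leaves two hosts to research: the domain (a WHOIS on the name) and the IP address (a WHOIS on the address block, which is where the abuse contact lives).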
Follow the money
As I mentioned earlier, visiting spam sites isn’t a good idea, but in this case there was no alternative. So I manually visited windowsupdate.com to check XP and Internet Explorer were up to date, and nervously entered the URL planet-target.com. A pop-up immediately said it was capturing my IP address, for some reason. I cleared it and continued. There was no phone number for the company on the site, only an address, and a picture of a huge office building. According to Google Earth, though, it didn’t match the location, suggesting it was probably a fake.
There was an opportunity to place an order, though. Where would that take me? I filled in the forms with fake information about a marketing campaign, clicked the sign-up button, and was taken to… PayPal. Yes, they may claim to be a worldwide organisation, but Planet Target didn’t accept credit cards. It was PayPal or nothing.
The next step was to sign in at PayPal. I did so but be wary if you try the same thing. This might not have been the real PayPal site and, if you’d fallen for a scam, your password might have been stolen. Before typing a password, make sure the address bar really shows paypal.com over https, not a look-alike name or a bare IP address.
Once I had signed in PayPal provided some interesting details. The Pay To field told me that Planet Target money goes to Only PCTools, and clicking the User Status button gave me even more information: a URL (onlypctools.com), email address and phone number. I was closing in on the enemy.
Revenge or justice
Discovering the apparent contact details of a spammer leaves you with all kinds of appealing (and vengeful) options. I’d stored all the Planet Target messages in an Outlook Express folder and it would have been very easy to fire them off to the Only PCTools email address. Several hundred times.
This might seem like poetic justice, but it could just have got me into more trouble than it was worth. There’s no direct proof that the owner of Only PCTools knew about the spamming, however suspicious it seems. If I’d taken significant action, they could have complained that I’d been spamming or harassing them. Ironic, really.
That doesn’t mean you can’t try something similar, as long as you’re polite. So for the next week or so, every time I received a Planet Target email, I forwarded it to Only PCTools, along with a restrained message asking if this was anything to do with them. There was no reply at any point, but guess what? Eventually, the emails stopped. I was free of junk (well, from this source at least).
Direct action can produce some results, then. Of course this is all a considerable amount of hassle. And time consuming. And there’s no guarantee you’ll get anywhere at all, which is why most people don’t bother. But maybe, if everyone with an email account pursued just one spammer a year, it might be enough to make a difference. Because that has to be better than simply putting up with a tide of spam that increases every year, doesn’t it?
Comments
Mr. Brian Bevan / 29/09/2006 / 02:15
Hi
I would like to join you. I have done some similar tracking, and I have been able to identify two sites in the UK that were stopped by the fraud squad.
But it is hard work and, as you rightly say, dangerous. I have been wiped out twice because of my error. But that just made me even more determined. I am trying to develop software that, when activated, will follow a routine checklist to give any possible actual traceable address. This would also trigger information to a web-based national body that is able to take legal action, the fines to be allotted to these trouble catchers.
I would like to hear or see your reaction to my thoughts. More of us, then perhaps we can join forces and create a spam removals force and not just blocking.
Regards
Brian Bevan
tachyon / 11/10/2006 / 14:41
If you are worried about visiting a site that you can't trust, because you are concerned with malware & spyware, why don't you find a friend with a Mac and visit the site on that? None of that stuff has any effect on the Mac. I'm sure you know this already. Or use Linux.
jimmee ruckus / 17/10/2006 / 22:23
Why bother wasting your time? Check out www.linxter.com. IIRC they should have their beta released.