This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Date: Fri, 5 Jan 2001 17:40:44 -0800
To: svlug@svlug.org
Subject: Re: [svlug] Spammer impersonating me
From: Rick Moen <rick@linuxmafia.com>

begin Matt Ettus quotation:

> Apparently a spammer has decided to use MY email address as the From: on
> his/her spam (my earthlink account). [...] Is there anything I can do?

Welcome to the wonderful world of spam-hunting. You're going to become
really good at analysing SMTP headers, I can tell!

SPAM-L FAQ:   http://oasis.ot.com/~dmuth/spam-l/
alt.spam FAQ: http://ddi.digital.net/~gandalf/spamfaq.html

> I have notified earthlink....

You're a very funny man, Matt.

===

Date: Fri, 5 Jan 2001 18:03:53 -0800
From: Aaron Lehmann <aaronl@vitelus.com>
To: Matt Ettus <matt@ettus.COM>
Cc: svlug@lists.svlug.org
Subject: Re: [svlug] Spammer impersonating me

On Fri, Jan 05, 2001 at 04:02:56PM -0800, Dan Beimborn wrote:
> >Apparently a spammer has decided to use MY email address as the From: on
> >his/her spam (my earthlink account). Every couple of weeks, they send out
> >their messages, and 3 things happen:
>
> Maybe you could send the mail headers to us, have you had any luck
> parsing out who it comes from?

After you find that information, you could try taking the course of action
described at http://belps.freewebsites.com/index2.htm. However, I would
hesitate to recommend it.

===

Date: Fri, 5 Jan 2001 18:22:02 -0800 (PST)
From: Rafael <raffi@linwin.com>
To: Matt Ettus <matt@ettus.COM>
Subject: Re: [svlug] Spammer impersonating me

On Fri, 5 Jan 2001, Matt Ettus wrote:
> Apparently a spammer has decided to use MY email address as the From: on
> his/her spam (my earthlink account). Every couple of weeks, they send out
> their messages, and 3 things happen:
>
> - I get dozens of bounced mails from bad addresses
> - I get dozens of "remove me" mails
> - I get several nastygrams from [understandably] annoyed people
>
> Is there anything I can do? I have notified earthlink, but they can't or
> (more likely) won't do anything.
Go after the benefactor of the SPAM, i.e. the company or product or
whatever service the spammer was peddling. Sue them for damages to your
reputation, time spent cleaning the mess, stealing your resources, etc.
That company is somewhat responsible for their business practice and
should pay for it IMO.

According to a radio report this week, two guys ended up in jail for 4
years because they sent over 50 million "selling addresses" messages. I
don't understand how the US could come up with 12,000 stupid people
sending them money, but then we are not metric yet either...

>
> I can't just kill the account b/c I published several papers listing that
> address, and get responses every now and then to that account. Mostly,
> though, it just receives spam.
>
> Thanks
> Matt

I use Exim and it's so tight that I haven't got any spam for weeks, but I
don't get email from poorly setup networks either. Take a chance.

Good luck,

===

Date: Fri, 5 Jan 2001 19:03:16 -0800
To: svlug@svlug.org
Subject: Re: [svlug] Spammer impersonating me
From: Rick Moen <rick@linuxmafia.com>

begin Rafael quotation:

> Go after the benefactor of the SPAM, i.e. the company or product or
> whatever service the spammer was peddling.

_Boy_ can that approach backfire! Please don't do that.

http://www.MarkWelch.com/yuri.htm

===

Date: Sun, 7 Jan 2001 13:09:42 -0800
From: Rick Moen <rick@linuxmafia.com>
To: World Domination <svlug@svlug.org>
Subject: Re: [svlug] Spammer impersonating me

begin F. E. Glover quotation:

> Can we go back to the original topic? As someone with very limited
> knowledge of mail servers, and virtually unlimited ignorance of
> networks in general, I'm very curious about how headers are forged,
> what can be done about it, and if there is any way to tell if someone
> is targeting you this way?

First of all, SMTP is an ASCII-format conversation carried out between
two mail servers.
You can pretend to be one such SMTP server, typing such an SMTP
conversation at a destination machine, and telling it all manner of lies
as you draft a message to be dropped off there, on the fly, manually.
(More about that below.)

We'll do a sample forged message delivered to your address at
webstress.com -- but first we have to find out which messages handle
your incoming mail. That requires querying the DNS, as follows. (I'll
insert explanatory comments on the right.)

[rick@uncle-enzo]
~ $ nslookup                      # nslookup (nameservice lookup) is a tool
                                  # for directly querying nameservers
Default Server:  localhost        # Since I didn't specify a particular
Address:  127.0.0.1               # nameserver I want to pester, nslookup
                                  # will query the local nameserver, which
                                  # is listed first in /etc/resolv.conf
> set querytype=mx                # I specify that I'm only interested in
                                  # DNS information of type MX = mail
                                  # exchanger, i.e., what machines are
                                  # designated for handling incoming mail
                                  # for your host.
> webstress.com                   # Here, I tell nslookup what host I want
                                  # the information concerning.
Server:  localhost                # nslookup reminds me whose DNS I'm
Address:  127.0.0.1               # querying

webstress.com   preference = 5, mail exchanger = svn2.svn.net
webstress.com   preference = 0, mail exchanger = svn.net
                                  # Those are the two data of interest.
webstress.com   nameserver = ns1.svn.net
webstress.com   nameserver = ns2.svn.net
svn2.svn.net    internet address = 216.174.228.10
svn.net         internet address = 167.160.200.10
ns1.svn.net     internet address = 167.160.200.10
ns2.svn.net     internet address = 64.40.160.15
> exit                            # How one leaves nslookup.

And we're done with nslookup. Next, I proceed to playing forgery games
with your mail exchanger:

[rick@uncle-enzo]
~ $ telnet svn2.svn.net smtp      # Here, I use my telnet client to
                                  # initiate an SMTP conversation (TCP
                                  # port 25) with one of your mail
                                  # exchangers.
Trying 216.174.228.10...
Connected to svn2.svn.net.
Escape character is '^]'.
220 SVN.NET ESMTP secure sendmail daemon
                                  # Your mail exchanger says hi.
HELO linuxmafia.com               # I say hi back. A spammer would not
                                  # give a real hostname, here, and
                                  # usually would be connecting via
                                  # someone else's PPP dialup line, or a
                                  # very spam-friendly provider.
250 svn.net Hello rick@[209.81.22.250], pleased to meet you
        # Your mail exchanger's copy of sendmail carries out some
        # elementary checks: It tries to do a reverse DNS lookup
        # on the machine making the connection, and fails, reporting
        # the IP address in its place. It also does an "ident"
        # lookup on what username on the remote host is running the
        # incoming SMTP session, and comes up with "rick". Sendmail
        # will include that information in the recorded headers.
        # Spammers will try to obscure it or make it misleading,
        # but spamhunters may find it somewhat useful.
EXPN mle@webstress.com            # I ask sendmail to "expand" your
                                  # address, to tell me more about who it
                                  # reaches.
502 5.7.0 Sorry, we do not allow this operation
VRFY mle@webstress.com            # I ask sendmail to "verify" your address.
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)
MAIL FROM: elvis@graceland.com    # Here, I start the forgery. I'm lying
                                  # to sendmail about the "envelope"
                                  # sender address, which will be in the
                                  # recorded SMTP stream at the very top.
250 2.1.0 elvis@graceland.com... Sender ok
RCPT TO: mle@webstress.com        # I specify the "envelope" receiver
                                  # address.
250 2.1.5 mle@webstress.com... Recipient ok
DATA                              # I say I'm starting the message proper,
                                  # which I will start with the headers.
354 Enter mail, end with "." on a line by itself
                                  # Sendmail says this, to instruct the
                                  # sending system on how to indicate end
                                  # of message (as if a sending SMTP
                                  # program wouldn't know, already). Next
                                  # line is my totally fabricated Received
                                  # header:
Received: from svn.net ([167.160.200.10]) by graceland.com with ESMTP id
        werhsafdser2342s324 Sun, 7 Jan 2001 00:12:35 -0500
                                  # I might have composed a half-dozen
                                  # more such faked Received headers, to
                                  # make spam-hunters' life more
                                  # difficult.
                                  # Note the "-0500" time-zone. (Hey,
                                  # it's from Graceland, right?)
Message-ID <123456@graceland.com>
                                  # Fake message ID header.
Date: Sun, 07 Jan 2001 00:09:50 -0500
                                  # Fake date header. Note again the
                                  # 5-hour Eastern zone offset from GMT.
From: Elvis Presley <elvis@graceland.com>
                                  # Fake From header.
X-Accept-Language: en             # More customary headers to make this
                                  # look real.
MIME-Version: 1.0                 # More customary headers.
To: mle@webstress.com             # The To header inside the message.
                                  # Many spammers don't bother to include
                                  # one, and you can make procmail discard
                                  # such messages, with the disadvantage
                                  # that you'll also miss mail from ninny
                                  # friends who decide to Bcc you with no
                                  # To address.
Subject: I am the king            # HAIL to the King!
Content-Type: text/plain; charset=us-ascii
                                  # More customary headers.
Content-Transfer-Encoding: 7bit   # More customary headers.
Content-Length: 1354              # More customary headers.
Lines: 0                          # More customary headers.

                                  # Blank line always follows headers.
See subject line.                 # My message body text. This is of
                                  # course where the spammer ordinarily
                                  # tries to sell you something, or (in
                                  # the case of Yuri Rutman) to motivate
                                  # you to attack someone he doesn't like.
.                                 # I signal to sendmail that this is the
                                  # end of this particular message. I
                                  # could go on to drop off other
                                  # messages, if I wished.
250 2.0.0 f07JXAG09447 Message accepted for delivery
                                  # sendmail accepts it.
quit                              # And I tell sendmail I'm signing off
                                  # from my SMTP session.
221 2.0.0 svn.net closing connection
Connection closed by foreign host.
                                  # My telnet client tells me that the
                                  # far end has closed down
[rick@uncle-enzo]                 # And thus telnet itself shuts down.
~ $

Some general observations: Only the envelope information and _some_ of
the Received lines can be counted on to be anything other than completely
fictional. It may be that only one out of the six or seven Received lines
is real, and is surrounded by faked ones composed directly by the spammer.
The envelope information may be partially missing and/or misleading.

Most spammers are actually _lousy_ at forging Received headers, but a
good one can make analysis difficult, and you might have to compare
copies of the spam with some other spamhunter's copy, who posted the
headers to news.admin.net-abuse.email or the spam-l mailing list for
that purpose.

Of course, spammers characteristically aren't bright enough to actually
compose fakemail _themselves_: They use badly written Win32 "bulkmail"
packages to compose and pump out the faked headers for them.

Anyhow, the end result of your header analysis might be "Oh, this is
yet another unknown clown injecting spam into UUNET dial-ups in the
L.A. area." You can _suspect_ that complaining to or going after the
apparent beneficiary, as indicated in the message body text, is a good
idea, but Joe Doll is hardly the only victim of "revenge spam". The idea
caught on with a vengeance after Rutman's pioneering backstab, four
years ago: For example, the immediately next such "revenge spam" victim
(of many that have followed, since) was Samsung America's "Sailahead
Internet Services" division. Presumably, that firm pissed off some
spammer, who then sought to use the anti-spam community as his weapon,
the way Rutman did. You can read about that, here:

http://www.info-sec.com/internet/internet_081497a.html-ssi
http://www.wirednews.com/news/culture/0,1284,5967,00.html
http://catless.ncl.ac.uk/Risks/19.33.html#subj6

...and about one poorly-clued would-be spamhunter who got duped, here:

http://www.pipeline.com/~chrisf/geno.html#threat

...and, on the less depressing side, one spam-hunter who actually had
the class to apologise to Samsung for initially going off half-cocked:

http://www.cctec.com/maillists/nanog/historical/9708/msg00274.html

Last, you asked, what can you do if someone sends out faked mail
purporting to be from you, and perhaps purporting to promote your
business?
(The latter part would make you the target of anyone attempting to
follow Rafael's advice -- as Samsung and Joe Doll experienced, among many
others.)

In the short term -- upon finding out about the forgery -- you can put up
a prominent Web page at your site, disclosing the real facts for anyone
not already too stupidly angry at you to listen. You can put a similar
message on an auto-responder for your domain's "abuse@" and
"postmaster@" e-mail addresses. And you can expect to spend a lot of
time on the telephone taking calls from misinformed hotheads.

In the longer term, you can try to spread clues to the Internet
population at large, so that fewer users follow abysmal advice like
Rafael's, and more follow Martyn Williams's advice in the
www.info-sec.com article referenced above:

    Write this down and paste it on the top of your monitor: "I will
    not believe everything I read on the Internet." Next time something
    arrives on your desktop that makes you mad, seems unbelievable, or
    even allows thoughts of parting with money into your head, look at
    that statement, it's good advice.

See also: .signature block, below.

--
Cheers,                "It ain't so much the things we don't know that get us
Rick Moen              in trouble.  It's the things we know that ain't so."
rick@linuxmafia.com          -- Artemus Ward (1834-67), U.S. journalist

===

Date: Sun, 7 Jan 2001 13:22:52 -0800
From: Rick Moen <rick@linuxmafia.com>
To: World Domination <svlug@svlug.org>
Subject: Re: [svlug] Spammer impersonating me

Emilie, a correction to something that may have been confusing:

> First of all, SMTP is an ASCII-format conversation carried out between
> two mail servers. You can pretend to be one such SMTP server, typing
> such an SMTP conversation at a destination machine, and telling it all
> manner of lies as you draft a message to be dropped off there, on the
> fly, manually. (More about that below.)
> We'll do a sample forged
> message delivered to your address at webstress.com -- but first we have
> to find out which messages handle your incoming mail.
              ^^^^^^^^^^^^^^

That should have been "which SMTP mail servers". Sorry about that.

===

Date: Sun, 7 Jan 2001 20:05:02 -0800
From: Rick Moen <rick@linuxmafia.com>
To: World Domination <svlug@svlug.org>
Subject: Re: [svlug] Spammer impersonating me

begin Ray Olszewski quotation:

> Now this part of the exchange ... or more exactly, the Received:
> header my MTA generates from this information ... is the piece I have
> always considered (almost; see below) completely trustworthy.

Yes about one from _your_ MTA, as to prior IP address (and possibly
other information, depending on your MTA version). But, the Received
headers that purport to be from anyone else's MTA: maybe, maybe not.

By the way, this is going to not be a direct reply, because of what I
stressed in my _earlier_ e-mail: SMTP header analysis isn't easy, you're
dealing with mails originating from someone specifically attempting to
fool you, and you simply need to study the subject to understand what
you're doing. And, until then, it's rather too easy to fool yourself.

To become good at analysis, first read the relevant forums' FAQs:

http://oasis.ot.com/~dmuth/spam-l/              FAQ for spam-l.
http://ddi.digital.net/~gandalf/spamfaq.html    FAQ for alt.spam.

Second, spend some time reading spam-l, news.admin.net-abuse.email,
and/or alt.spam. Study how seasoned spam-hunters analyse headers.

It helps if you're in practice with this stuff, and I've not done it
regularly for several years. (Also, I've just had two glasses of very
nice wine. And I don't have time or patience to argue over header
analysis with _this_ lot, anyway.)

Anyone who's serious about tracking down spammers should invest some
time in doing the above. Others are likely to make errors and do more
harm than good.

===
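A defender's-side complement to the forgery walkthrough and to the later exchange about which Received: line can be trusted: an added Python example, not code from the list or from any of its posters, that walks a message's Received: chain newest hop first, treats only the topmost line (the one stamped by your own MTA) as reliable, and reports where the lower hops contradict it. Both sample messages are constructed. The first mirrors the session typed at svn.net above: its top Received line is what svn.net's sendmail would have added for that connection (the exact wording, process id and timestamp are assumptions), and the line below it is the forged one typed into DATA. The second is a self-consistent two-hop chain for contrast. Host and address values in the second sample are documentation placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample modelled on the forged session in the thread. Hop 0 is the
# line the receiving MTA (svn.net) itself added; its wording and time are
# assumptions. Hop 1 is the Received line the forger typed into DATA.
FORGED_SAMPLE = """\
Return-Path: <elvis@graceland.com>
Received: from linuxmafia.com (rick@[209.81.22.250])
\tby svn.net with SMTP id f07JXAG09447
\tfor <mle@webstress.com>; Sun, 7 Jan 2001 11:33:10 -0800 (PST)
Received: from svn.net ([167.160.200.10]) by graceland.com with ESMTP id
\twerhsafdser2342s324 Sun, 7 Jan 2001 00:12:35 -0500
Date: Sun, 07 Jan 2001 00:09:50 -0500
From: Elvis Presley <elvis@graceland.com>
To: mle@webstress.com
Subject: I am the king

See subject line.
"""

# Constructed contrast case (placeholder hosts): each hop's "by" host is the
# "from" host of the hop above it, and time decreases down the chain.
CLEAN_SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Sun, 7 Jan 2001 12:00:05 -0800
Received: from alice-pc (alice-pc [198.51.100.7])
\tby mail.example.net with SMTP id def456; Sun, 7 Jan 2001 11:59:40 -0800
From: alice@example.net
To: bob@example.org
Subject: hello

hi
"""

DATE_RE = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Za-z]{3}"
                     r"\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+[-+]\d{4}")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    raw: str
    from_host: Optional[str]   # host the line says it received from
    from_ip: Optional[str]     # bracketed address, if the MTA recorded one
    by_host: Optional[str]     # host the line says did the receiving
    when: Optional[datetime]   # timestamp, if one could be parsed


def parse_hop(value: str) -> Hop:
    """Pull the from/by/IP/date fields out of one Received: header value."""
    text = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_ip = IP_RE.search(text)
    m_date = DATE_RE.search(text)
    return Hop(
        raw=text,
        from_host=m_from.group(1) if m_from else None,
        from_ip=m_ip.group(1) if m_ip else None,
        by_host=m_by.group(1) if m_by else None,
        when=parsedate_to_datetime(m_date.group(0)) if m_date else None,
    )


def analyse(raw_message: str) -> Dict[str, object]:
    """Walk the Received: chain top-down and list the points where it breaks."""
    msg = message_from_string(raw_message)
    hops: List[Hop] = [parse_hop(v) for v in msg.get_all("Received", [])]
    findings: List[str] = []
    if not hops:
        return {"trusted_peer": None, "hops": hops, "findings": ["no Received headers"]}
    # Hop 0 was written by the MTA that delivered to us. It is the only line we
    # take at face value, and only for the peer it recorded connecting to it.
    trusted_peer = (hops[0].from_host, hops[0].from_ip)
    for idx in range(1, len(hops)):
        above, below = hops[idx - 1], hops[idx]
        # The lower hop claims it handed the message to below.by_host; the hop
        # above records who actually connected. Those should name the same host.
        if below.by_host not in (above.from_host, above.from_ip):
            findings.append(f"hop {idx}: claims delivery to {below.by_host}, but the "
                            f"hop above received it from {above.from_host} "
                            f"[{above.from_ip}]")
        # Hops are listed newest first, so time must not increase down the list.
        if above.when and below.when and below.when > above.when:
            findings.append(f"hop {idx}: timestamp later than the hop above it")
        # Standard Received syntax separates the clauses from the date with ';'.
        if ";" not in below.raw:
            findings.append(f"hop {idx}: no ';' before the timestamp (nonstandard syntax)")
    return {"trusted_peer": trusted_peer, "hops": hops, "findings": findings,
            "envelope_sender": msg.get("Return-Path")}


if __name__ == "__main__":
    for name, sample in (("forged", FORGED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = analyse(sample)
        print(name, "trusted peer:", result["trusted_peer"])
        for finding in result["findings"] or ["chain is self-consistent"]:
            print("  ", finding)
```

The checks deliberately stop at what the thread itself supports: the peer your own MTA recorded, continuity between adjacent hops, time ordering, and the header syntax. A hop that passes all of them can still be fabricated, which is why the thread's advice to study real examples on the spam-l and alt.spam forums still stands.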