svlug_spam_fighting

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Date: Fri, 5 Jan 2001 17:40:44 -0800
To: svlug@svlug.org
Subject: Re: [svlug] Spammer impersonating me
From: Rick Moen <rick@linuxmafia.com>

begin  Matt Ettus quotation:

> Apparently a spammer has decided to use MY email address as the From: on
> his/her spam (my earthlink account). [...]  Is there anything I can do? 

Welcome to the wonderful world of spam-hunting.  You're going to become
really good at analysing SMTP headers, I can tell!

SPAM-L FAQ:  http://oasis.ot.com/~dmuth/spam-l/
alt.spam FAQ:  http://ddi.digital.net/~gandalf/spamfaq.html

>  I have notified earthlink....

You're a very funny man, Matt.

===

Date: Fri, 5 Jan 2001 18:03:53 -0800
From: Aaron Lehmann <aaronl@vitelus.com>
To: Matt Ettus <matt@ettus.COM>
Cc: svlug@lists.svlug.org
Subject: Re: [svlug] Spammer impersonating me

On Fri, Jan 05, 2001 at 04:02:56PM -0800, Dan Beimborn wrote:
> >Apparently a spammer has decided to use MY email address as the From: on
> >his/her spam (my earthlink account).  Every couple of weeks, they send out 
> >their messages, and 3 things happen:
> 
> Maybe you could send the mail headers to us, have you had any luck
> parsing out who it comes from?

After you find that information, you could try taking the course of
action described at http://belps.freewebsites.com/index2.htm. However,
I would hesitate to recommend it.



===

Date: Fri, 5 Jan 2001 18:22:02 -0800 (PST)
From: Rafael <raffi@linwin.com>
To: Matt Ettus <matt@ettus.COM>
Subject: Re: [svlug] Spammer impersonating me

On Fri, 5 Jan 2001, Matt Ettus wrote:

> Apparently a spammer has decided to use MY email address as the From: on
> his/her spam (my earthlink account).  Every couple of weeks, they send out 
> their messages, and 3 things happen:
> 
> - I get dozens of bounced mails from bad addresses
> - I get dozens of "remove me" mails
> - I get several nastygrams from [understandably] annoyed people
> 
> Is there anything I can do?  I have notified earthlink, but they can't or
> (more likely) won't do anything.

Go after the benefactor of the SPAM, i.e. the company or product or
whatever service the spammer was peddling. Sue them for damages to your
reputation, time spent cleaning the mess, stealing your resources, etc.
That company is somewhat responsible for their business practice and
should pay for it IMO.

According to a radio report this week, two guys ended up in jail for 4 years
because they sent over 50 million "selling addresses" messages. I don't
understand how the US could come up with 12,000 stupid people sending them
money, but then we are not metric yet either...

> 
> I can't just kill the account b/c I published several papers listing that
> address, and get responses every now and then to that account.   Mostly,
> though, it just receives spam.
> 
> Thanks
> Matt

I use Exim and it's so tight that I haven't got any spam for weeks but I
don't get email from poorly setup networks either. Take a chance.

Good luck,

===
Date: Fri, 5 Jan 2001 19:03:16 -0800
To: svlug@svlug.org
Subject: Re: [svlug] Spammer impersonating me
From: Rick Moen <rick@linuxmafia.com>

begin  Rafael quotation:

> Go after the benefactor of the SPAM, i.e. the company or product or
> whatever service the spammer was peddling.

_Boy_ can that approach backfire!  Please don't do that.
http://www.MarkWelch.com/yuri.htm

===


Date: Sun, 7 Jan 2001 13:09:42 -0800
From: Rick Moen <rick@linuxmafia.com>
To: World Domination <svlug@svlug.org>
Subject: Re: [svlug] Spammer impersonating me

begin  F. E. Glover quotation:
 
> Can we go back to the original topic?  As someone with very limited
> knowledge of mail servers, and virtually unlimited ignorance of
> networks in general, I'm very curious about how headers are forged,
> what can be done about it, and if there is any way to tell if someone
> is targetting you this way? 

First of all, SMTP is an ASCII-format conversation carried out between 
two mail servers.  You can pretend to be one such SMTP server, typing
such an SMTP conversation at a destination machine, and telling it all 
manner of lies as you draft a message to be dropped off there, on the
fly, manually.  (More about that below.)  We'll do a sample forged
message delivered to your address at webstress.com -- but first we have
to find out which messages handle your incoming mail.  That requires 
querying the DNS, as follows.  (I'll insert explanatory comments on the
right.)

 [rick@uncle-enzo]
 ~ $ nslookup           # nslookup (nameservice lookup) is a tool for
                        # directly querying nameservers
 Default Server:  localhost   # Since I didn't specify a particular 
 Address:  127.0.0.1          # nameserver I want to pester, nslookup
                              # will query the local nameserver, which
                              # is listed first in /etc/resolv.conf
 
 > set querytype=mx           # I specify that I'm only interested in 
                              # DNS information of type MX = mail exchanger, 
                              # i.e., what machines are designated for 
                              # handling incoming mail for your host.
 > webstress.com              # Here, I tell nslookup what host I want
                              # the information concerning.
 Server:  localhost           # nslookup reminds me whose DNS I'm querying
 Address:  127.0.0.1
 
 webstress.com   preference = 5, mail exchanger = svn2.svn.net
 webstress.com   preference = 0, mail exchanger = svn.net
                              # Those are the two data of interest.
 webstress.com   nameserver = ns1.svn.net
 webstress.com   nameserver = ns2.svn.net
 svn2.svn.net    internet address = 216.174.228.10
 svn.net internet address = 167.160.200.10
 ns1.svn.net     internet address = 167.160.200.10
 ns2.svn.net     internet address = 64.40.160.15
 > exit                       # How one leaves nslookup.
 
 And we're done with nslookup.  Next, I proceed to playing forgery games
 with your mail exchanger:
 
 [rick@uncle-enzo]
 ~ $ telnet svn2.svn.net smtp   # Here, I use my telnet client to
                                # initiate an SMTP conversation (TCP port
                                # 25) with one of your mail exchangers.
 Trying 216.174.228.10...
 Connected to svn2.svn.net.
 Escape character is '^]'.
 220 SVN.NET ESMTP secure sendmail daemon   # Your mail exchanger says hi.
 HELO linuxmafia.com                        # I say hi back.  A spammer
                                            # would not give a real
                                            # hostname, here, and usually
                                            # would be connecting via
                                            # someone else's PPP dialup
                                            # line, or a very
                                            # spam-friendly provider.
 250 svn.net Hello rick@[209.81.22.250], pleased to meet you
             # Your mail exchanger's copy of sendmail carries out some
             # elementary checks:  It tries to do a reverse DNS lookup
             # on the machine making the connection, and fails, reporting
             # the IP address in its place.  It also does an "ident"
             # lookup on what username on the remote host is running the
             # incoming SMTP session, and comes up with "rick".  Sendmail 
             # will include that information in the recorded headers.
             # Spammers will try to obscure it or make it misleading, 
             # but spamhunters may find it somewhat useful.
 EXPN mle@webstress.com     # I ask sendmail to "expand" your address, to
                            # tell me more about who it reaches.
 502 5.7.0 Sorry, we do not allow this operation
 VRFY mle@webstress.com     # I ask sendmail to "verify" your address.
 252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)
 MAIL FROM: elvis@graceland.com  # Here, I start the forgery.  I'm lying
                                 # to sendmail about the "envelope"
                                 # sender address, which will be in the 
                                 # recorded SMTP stream at the very top.
 250 2.1.0 elvis@graceland.com... Sender ok
 RCPT TO: mle@webstress.com      # I specify the "envelope" receiver
                                 # address.
 250 2.1.5 mle@webstress.com... Recipient ok
 DATA                            # I say I'm starting the message proper,
                                 # which I will start with the headers.
 354 Enter mail, end with "." on a line by itself
                                 # Sendmail says this, to instruct the
                                 # sending system on how to indicate end of 
                                 # message (as if a sending SMTP program
                                 # wouldn't know, already).  Next line is
                                 # my totally fabricated Received header:
 Received: from svn.net ([167.160.200.10]) by graceland.com with ESMTP id werhsafdser2342s324  Sun, 7 Jan 2001 00:12:35 -0500
                                 # I might have composed a half-dozen
                                 # more such faked Received headers, to
                                 # make spam-hunters' life more
                                 # difficult.  Note the "-0500"
                                 # time-zone.  (Hey, it's from Graceland,
                                 # right?)
 Message-ID: <123456@graceland.com>  # Fake message ID header.
 Date: Sun, 07 Jan 2001 00:09:50 -0500  # Fake date header.  Note again the
                                       # 5-hour Eastern zone offset from
                                       # GMT.
 From: Elvis Presley <elvis@graceland.com>  # Fake From header.
 X-Accept-Language: en    # More customary headers to make this look real.
 MIME-Version: 1.0        # More customary headers.
 To: mle@webstress.com    # The To header inside the message.  Many spammers 
                          # don't bother to include one, and you can make
                          # procmail discard such messages, with the
                          # disadvantage that you'll also miss mail from
                          # ninny friends who decide to Bcc you with no
                          # To address. 
 Subject: I am the king       # HAIL to the King!
 Content-Type: text/plain; charset=us-ascii  # More customary headers.
 Content-Transfer-Encoding: 7bit             # More customary headers.
 Content-Length: 1354                        # More customary headers.
 Lines: 0                                    # More customary headers.
                           # Blank line always follows headers.
 See subject line.         # My message body text.  This is of course
                           # where the spammer ordinarily tries to sell 
                           # you something, or (in the case of Yuri Rutman) 
                           # to motivate you to attack someone he doesn't 
                           # like.
 .                         # I signal to sendmail that this is the end of
                           # this particular message.  I could go on to
                           # drop off other messages, if I wished.
 250 2.0.0 f07JXAG09447 Message accepted for delivery  # sendmail accepts it.
 quit            # And I tell sendmail I'm signing off from my SMTP session.
 221 2.0.0 svn.net closing connection  # My telnet client tells me that 
 Connection closed by foreign host.    # the far end has closed down
 [rick@uncle-enzo]    # And thus telnet itself shuts down.
 ~ $

Some general observations:  Only the envelope information and _some_ of the 
Received lines can be counted on to be anything other than completely
fictional.  It may be that only one out of the six or seven Received
lines is real, and is surrounded by faked ones composed directly by the
spammer.  The envelope information may be partially missing and/or
misleading.  Most spammers are actually _lousy_ at forging Received 
headers, but a good one can make analysis difficult, and you might have
to compare copies of the spam with some other spamhunter's copy, who
posted the headers to news.admin.net-abuse.email or the spam-l mailing 
list for that purpose.

Of course, spammers characteristically aren't bright enough to actually
compose fakemail _themselves_:  They use badly written Win32 "bulkmail" 
packages to compose and pump out the faked headers for them.

Anyhow, the end result of your header analysis might be "Oh, this is yet
another unknown clown injecting spam into UUNET dial-ups in the L.A.
area."  You can _suspect_ that complaining to or going after the
apparent beneficiary, as indicated in the message body text, is a good
idea, but Joe Doll is hardly the only victim of "revenge spam".  The
idea caught on with a vengeance after Rutman's pioneering backstab, four
years ago:  For example, the immediately next such "revenge spam" victim 
(of many that have followed, since) was Samsung America's "Sailahead
Internet Services" division.  Presumably, that firm pissed off some
spammer, who then sought to use the anti-spam community as his weapon,
the way Rutman did.  You can read about that, here:

http://www.info-sec.com/internet/internet_081497a.html-ssi
http://www.wirednews.com/news/culture/0,1284,5967,00.html
http://catless.ncl.ac.uk/Risks/19.33.html#subj6

...and about one poorly-clued would-be spamhunter who got duped, here:
http://www.pipeline.com/~chrisf/geno.html#threat 

...and, on the less depressing side, one spam-hunter who actually had 
the class to apologise to Samsung for initially going off half-cocked:
http://www.cctec.com/maillists/nanog/historical/9708/msg00274.html


Last, you asked, what can you do if someone sends out faked mail
purporting to be from you, and perhaps purporting to promote your
business?  (The latter part would make you the target of anyone 
attempting to follow Rafael's advice -- as Samsung and Joe Doll 
experienced, among many others.)

In the short term -- upon finding out about the forgery --  you can put
up a prominent Web page at your site, disclosing the real facts for
anyone not already too stupidly angry at you to listen.  You can put
a similar message on an auto-responder for your domain's "abuse@" and
"postmaster@" e-mail addresses.  And you can expect to spend a lot of 
time on the telephone taking calls from misinformed hotheads.

In the longer term, you can try to spread clues to the Internet
population at large, so that fewer users follow abysmal advice like
Rafael's, and more follow Martyn Williams's advice in the
www.info-sec.com article referenced above:

   Write this down and paste it on the top of your monitor: "I will not
   believe everything I read on the Internet." Next time something
   arrives on your desktop that makes you mad, seems unbelievable, or
   even allows thoughts of parting with money into your head, look at
   that statement, it's good advice. 

See also:  .signature block, below.

-- 
Cheers,              "It ain't so much the things we don't know that get us
Rick Moen            in trouble.  It's the things we know that ain't so."
rick@linuxmafia.com             -- Artemus Ward (1834-67), U.S. journalist
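
An added example, not part of Rick's post: the same forged session as the
telnet transcript above, typed at a toy receiving MTA that runs on the
loopback interface, so that what the sender claims (HELO name, envelope
sender, From: line, the fabricated Received line) and what the receiving
MTA establishes for itself (the peer IP it stamps into its own Received
line) can be compared in one run.  "toy.example", the port and the
retyped message text are constructed for the example; no real host is
contacted.

```python
"""Toy receiving MTA plus a client that types the forged session from the
transcript.  Constructed example; toy.example and the message are made up."""
import socket
import threading
from email.utils import formatdate

# The forged header block and body from the transcript, retyped as sample input.
FORGED_MESSAGE = [
    "Received: from svn.net ([167.160.200.10]) by graceland.com with ESMTP"
    " id werhsafdser2342s324  Sun, 7 Jan 2001 00:12:35 -0500",
    "Message-ID: <123456@graceland.com>",
    "Date: Sun, 07 Jan 2001 00:09:50 -0500",
    "From: Elvis Presley <elvis@graceland.com>",
    "To: mle@webstress.com",
    "Subject: I am the king",
    "",
    "See subject line.",
]


class ToyMTA:
    """Accepts one SMTP session on 127.0.0.1 and records what the server side
    learns: the peer IP (which the client cannot choose), the HELO name and
    the envelope addresses (which are whatever the client typed)."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.record = {}
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, peer = self.sock.accept()
        self.sock.close()
        rfile = conn.makefile("rb")

        def say(reply):
            conn.sendall(reply.encode() + b"\r\n")

        helo, mail_from, rcpt_to, data = None, None, [], []
        say("220 toy.example ESMTP toy MTA")
        while True:
            line = rfile.readline().decode(errors="replace").rstrip("\r\n")
            if not line:
                break  # client hung up without QUIT
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                helo = arg.strip()
                say(f"250 toy.example Hello {helo} [{peer[0]}], pleased to meet you")
            elif verb == "MAIL":
                mail_from = arg.split(":", 1)[1].strip()
                say("250 2.1.0 Sender ok")
            elif verb == "RCPT":
                rcpt_to.append(arg.split(":", 1)[1].strip())
                say("250 2.1.5 Recipient ok")
            elif verb == "DATA":
                say('354 Enter mail, end with "." on a line by itself')
                while True:
                    body_line = rfile.readline().decode(errors="replace").rstrip("\r\n")
                    if body_line == ".":
                        break
                    # RFC 5321 dot-stuffing: strip one leading "." the client added
                    data.append(body_line[1:] if body_line.startswith(".") else body_line)
                say("250 2.0.0 Message accepted for delivery")
            elif verb == "QUIT":
                say("221 2.0.0 toy.example closing connection")
                break
            else:
                say("502 5.5.1 Command not implemented")
        conn.close()
        # The one header the client could not write: our own Received line,
        # stamped with the address the TCP connection really came from.
        stamp = f"Received: from {helo} ([{peer[0]}]) by toy.example with SMTP; {formatdate()}"
        self.record = {"peer_ip": peer[0], "helo": helo, "mail_from": mail_from,
                       "rcpt_to": rcpt_to, "message": [stamp] + data}


def type_forged_session(port):
    """Plays the client side of the transcript; returns the server's replies."""
    sock = socket.create_connection(("127.0.0.1", port))
    rfile = sock.makefile("rb")

    def cmd(text):
        sock.sendall(text.encode() + b"\r\n")
        return rfile.readline().decode().rstrip("\r\n")

    replies = [rfile.readline().decode().rstrip("\r\n")]  # 220 banner
    for text in ("HELO linuxmafia.com", "MAIL FROM: elvis@graceland.com",
                 "RCPT TO: mle@webstress.com", "DATA"):
        replies.append(cmd(text))
    for text in FORGED_MESSAGE:  # the server stays silent during DATA
        sock.sendall(text.encode() + b"\r\n")
    replies.append(cmd("."))
    replies.append(cmd("QUIT"))
    sock.close()
    return replies


def run_demo():
    mta = ToyMTA()
    replies = type_forged_session(mta.port)
    mta.thread.join(timeout=5)
    return mta.record, replies


if __name__ == "__main__":
    record, replies = run_demo()
    print("envelope sender:", record["mail_from"], "  real peer IP:", record["peer_ip"])
    for line in record["message"]:
        print("   ", line)
```

Running it prints the stored message with the toy MTA's own Received line
on top, showing "from linuxmafia.com ([127.0.0.1])": the HELO name is the
client's claim, the bracketed IP is the server's observation.  Everything
below that line, including the graceland.com Received line, is exactly
what the client typed.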

===


Date: Sun, 7 Jan 2001 13:22:52 -0800
From: Rick Moen <rick@linuxmafia.com>
To: World Domination <svlug@svlug.org>
Subject: Re: [svlug] Spammer impersonating me

Emilie, a correction to something that may have been confusing:
 
> First of all, SMTP is an ASCII-format conversation carried out between 
> two mail servers.  You can pretend to be one such SMTP server, typing
> such an SMTP conversation at a destination machine, and telling it all 
> manner of lies as you draft a message to be dropped off there, on the
> fly, manually.  (More about that below.)  We'll do a sample forged
> message delivered to your address at webstress.com -- but first we have
> to find out which messages handle your incoming mail. 
              ^^^^^^^^^^^^^^

That should have been "which SMTP mail servers".  Sorry about that.

===


Date: Sun, 7 Jan 2001 20:05:02 -0800
From: Rick Moen <rick@linuxmafia.com>
To: World Domination <svlug@svlug.org>
Subject: Re: [svlug] Spammer impersonating me

begin Ray Olszewski quotation:

> Now this part of the exchange ... or more exactly, the Received:
> header my MTA generates from this information ... is the piece I have
> always considered (almost; see below) completely trustworthy.

Yes about one from _your_ MTA, as to prior IP address (and possibly
other information, depending on your MTA version).  But, the Received
headers that purport to be from anyone else's MTA: maybe, maybe not.

By the way, this is going to not be a direct reply, because of what I
stressed in my _earlier_ e-mail:  SMTP header analysis isn't easy,
you're dealing with mails originating from someone specifically
attempting to fool you, and you simply need to study the subject to
understand what you're doing.  And, until then, it's rather too easy to
fool yourself.

To become good at analysis, first read the relevant forums' FAQs:

http://oasis.ot.com/~dmuth/spam-l/   FAQ for spam-l.
http://ddi.digital.net/~gandalf/spamfaq.html  FAQ for alt.spam.

Second, spend some time reading spam-l, news.admin.net-abuse.email,
and/or alt.spam.  Study how seasoned spam-hunters analyse headers.

It helps if you're in practice with this stuff, and I've not done it
regularly for several years.  (Also, I've just had two glasses of very
nice wine.  And I don't have time or patience to argue over header
analysis with _this_ lot, anyway.)

Anyone who's serious about tracking down spammers should invest some
time in doing the above.  Others are likely to make errors and do more
harm than good.
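
An added example, not from either of Rick's posts: a small header walker
that applies the rule stated in his "general observations" earlier and
restated here, namely that only the Received line stamped by your own MTA
is trustworthy, and every line below it is a claim to be checked against
that one.  The sample message is constructed: its top Received line is
what a sendmail at svn.net might have stamped on the forged telnet session
(hostname, sendmail version string and timestamp are assumptions), and the
rest is the forged header block retyped.

```python
"""Walk a Received chain from the reader's own MTA downward.  Constructed
example; the sample message and the svn.net sendmail stamp are made up."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE = "\n".join([
    "Received: from linuxmafia.com (rick@[209.81.22.250]) by svn.net"
    " (8.9.3/8.9.3) with SMTP id f07JXAG09447 for <mle@webstress.com>;"
    " Sun, 7 Jan 2001 11:33:10 -0800 (PST)",
    "Received: from svn.net ([167.160.200.10]) by graceland.com with ESMTP"
    " id werhsafdser2342s324  Sun, 7 Jan 2001 00:12:35 -0500",
    "Message-ID: <123456@graceland.com>",
    "Date: Sun, 07 Jan 2001 00:09:50 -0500",
    "From: Elvis Presley <elvis@graceland.com>",
    "To: mle@webstress.com",
    "Subject: I am the king",
    "",
    "See subject line.",
])

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DATE_RE = re.compile(r"\w{3},\s+\d{1,2}\s+\w{3}\s+\d{4}\s+\d\d:\d\d:\d\d\s+[+-]\d{4}")


def parse_hop(value):
    """Extract HELO name, bracketed IP, stamping host and timestamp from one
    Received header.  Tolerates the ';' a forger leaves out before the date."""
    value = " ".join(value.split())  # undo header folding
    hop = HOP_RE.search(value)
    ip = IP_RE.search(value)
    when = DATE_RE.search(value)
    return {
        "helo": hop.group("helo") if hop else None,
        "ip": ip.group(1) if ip else None,
        "by": hop.group("by") if hop else None,
        "time": parsedate_to_datetime(when.group(0)) if when else None,
        "raw": value,
    }


def analyze(raw_message, our_mta):
    """Return the origin IP as recorded by our_mta and a verdict per hop.
    Received lines are newest-first: index 0 is the last MTA to touch the
    message, and the first line stamped by our_mta is the trust boundary."""
    msg = message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    boundary = next((i for i, h in enumerate(hops)
                     if h["by"] and h["by"].lower() == our_mta.lower()), None)
    origin_ip = hops[boundary]["ip"] if boundary is not None else None
    for i, hop in enumerate(hops):
        if boundary is None:
            hop["verdict"] = "no line stamped by our MTA; nothing verifiable"
        elif i < boundary:
            hop["verdict"] = "stamped after our MTA, on our side of the boundary"
        elif i == boundary:
            hop["verdict"] = "trusted: our MTA's own stamp"
        else:
            prev = hops[i - 1]
            problems = []
            # The host the previous hop received from should be the host
            # claiming to have stamped this line.
            if prev["helo"] and hop["by"] and prev["helo"].lower() != hop["by"].lower():
                problems.append(f"chain break: {prev['by']} got it from "
                                f"{prev['helo']}, not {hop['by']}")
            # An earlier hop cannot postdate the hop that received from it.
            if prev["time"] and hop["time"] and hop["time"] > prev["time"]:
                problems.append("timestamp later than the hop that received it")
            hop["verdict"] = "claimed; " + ("; ".join(problems) or "consistent so far")
    return {"origin_ip": origin_ip, "trust_boundary": boundary, "hops": hops}


if __name__ == "__main__":
    result = analyze(SAMPLE, "svn.net")
    print("origin IP per our MTA's stamp:", result["origin_ip"])
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: from {hop['helo']} [{hop['ip']}] by {hop['by']} -> {hop['verdict']}")
```

On the sample, hop 0 is trusted and yields 209.81.22.250 as the connecting
address; hop 1 is flagged with a chain break, because svn.net says it got
the message from linuxmafia.com, not from graceland.com as that line
claims.  "Consistent so far" on a lower hop means only that no
contradiction was found, not that the line is genuine; a careful forger can
write lines that pass both checks, which is why the post says to compare
notes with other copies of the same spam.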

===
