Homework for a Guru (currently 6,131 views)

tracker
Posted on: Sunday, December 17th, 2006, 9:57pm
Posts: 41
I included the "going out" spam posted just to show what some registrars have been blocking because of spam content. Strange.
Ryan, since I don't want to give away too much personal info, I'll have to modify the header a bit.
Reply: 15 - 26
MarkGiles
Posted on: Sunday, December 17th, 2006, 10:23pm
Posts: 363
Question...
When checking out the status of nameservers at dnsstuff.com I've seen where at times they will list a server but mention that it does not respond to their requests. Does that mean the server has been deactivated... as I was told by one registrar?
That proves that antispammers as well as spammers read these messages.
In particular, Alex Polyakov's gang has caught on to the fact that spam trackers are using dnsstuff.com as a tool to find out which nameservers are active and which are not. So he has configured his nameserver machines to block all requests coming from dnsstuff.com. That way they show a response of "Timeout" when they are interrogated from dnsstuff. Alex trying to be clever.
That is why it pays to know that:
0.0.0.0 is a sign that the registrar has acted
61.61.61.61 is a sign that Beijing Interactive has acted
217.70.185.0 is a sign that Gandi has acted
There are other sites and methods to check the status of a nameserver.
Let's take an example.
We want to know if ns1.lightwithab.com is an active Polyakov nameserver. It is registered on Ace of Domains. From the Command Prompt (Windows - Start > Run > cmd)
ping ns1.lightwithab.com

responds with

Pinging ns1.lightwithab.com [221.12.68.2] with 32 bytes of data:
Reply from 221.12.68.2: bytes=32 time=196ms TTL=47
Reply from 221.12.68.2: bytes=32 time=110ms TTL=47
etc
Then we can do a nameserver lookup of one of the domains registered to use that nameserver. For example, plasmgkablasmaboo.com (Hey, I don't invent these names!)

nslookup plasmgkablasmaboo.com ns1.lightwithab.com

That says "look up the details of plasmgkablasmaboo.com, using just the one name server, ns1.lightwithab.com". Part of the response contains

> Name: plasmgkablasmaboo.com
> Address: 221.12.68.2
So the nameserver responds to a "ping" test, and it is working as a name server for the spammed web sites that are defined under it.
Let's work another example.
If you repeat the exercise for spammed site notprosay.info, you find that four name servers are found from the link http://www.dnsstuff.com/tools/traversal.ch?domain=notprosay.info&type=A

Ignoring Alex's Timeouts, we find

ns1.flockglass.com. [0.0.0.0] Thanks, Tucows, go to the Hall of Fame
ns1.happikun.com. [63.151.190.7]
ns2.dogmatrust.info. [217.70.185.0] Thanks, Gandi, join Tucows
ns2.vertubadon.com. [141.209.170.86]
A ping to the 2nd and 4th works. So we do the lookups
nslookup notprosay.info ns1.happikun.com
> Name: notprosay.info
> Address: 220.134.62.1

nslookup notprosay.info ns2.vertubadon.com
> Name: notprosay.info
> Address: 220.134.62.1
So two of the four name servers are still working. They are registered on Beijing Innovative and XIN Net respectively. You'll find them languishing in the Hall of Shame. So far. See what tomorrow brings, after you have sent your compliance request for their removal.
PS - McAfee Site Advisor links provide background on these spammed sites
http://www.siteadvisor.com/sites/plasmgkablasmaboo.com
http://www.siteadvisor.com/sites/notprosay.info
Reply: 16 - 26
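The check Mark walks through above (confirm the nameserver is alive, then ask that one server for a domain it is supposed to serve) as an added example that is not part of the original thread: a standard-library Python script that sends an A query straight to a named server on UDP/53 and reports answer, nodata, nxdomain, refused or timeout. It skips the ping step on purpose, since a host that answers ping may still not serve DNS, and a server that blocks one source (as the post says Polyakov's do to dnsstuff.com) may well answer a query from your own address. The nameserver and domain names in the main block are placeholders, and build_response() only exists to exercise the parser offline on a packet constructed here; none of it is data from the page.

```python
# Added example (not from the thread): ask one nameserver directly for a
# domain's A record, the equivalent of "nslookup <domain> <nameserver>".
# Standard library only. build_response() exists so the parser can be
# exercised offline on a constructed packet; the names in main() are
# placeholders, not nameservers from the page.
import random
import socket
import struct

A_RECORD, IN_CLASS = 1, 1
RCODES = {0: "noerror", 1: "formerr", 2: "servfail", 3: "nxdomain", 5: "refused"}


def encode_name(name):
    """Domain name -> DNS wire labels (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(domain, txid):
    """Query packet: header with RD set, one question for domain/A/IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack(">HH", A_RECORD, IN_CLASS)


def build_response(txid, domain, ips, rcode=0):
    """Constructed reply (test data only): one A record per ip, or just an rcode."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    packet = header + encode_name(domain) + struct.pack(">HH", A_RECORD, IN_CLASS)
    for ip in ips:
        packet += b"\xc0\x0c"  # name = compression pointer to the question name at offset 12
        packet += struct.pack(">HHIH", A_RECORD, IN_CLASS, 300, 4)
        packet += bytes(int(octet) for octet in ip.split("."))
    return packet


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data, txid):
    """Return (rcode name, [A-record IPs]); reject replies with the wrong txid."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4  # skip qtype and qclass
    ips = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlen
    rcode = flags & 0xF
    return RCODES.get(rcode, "rcode%d" % rcode), ips


def classify(rcode, ips):
    """Collapse a parsed reply into the status the thread cares about."""
    if rcode == "noerror":
        return "answer" if ips else "nodata"
    return rcode


def query_nameserver(domain, server, timeout=3.0):
    """Send one query straight to `server` (hostname or IP) and classify the reply."""
    try:
        server_ip = socket.gethostbyname(server)
    except socket.gaierror:
        return "unresolvable", []
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(domain, txid), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout", []  # what dnsstuff reports when the server blocks it
    finally:
        sock.close()
    rcode, ips = parse_response(data, txid)
    return classify(rcode, ips), ips


if __name__ == "__main__":
    # Placeholders: substitute a spammed domain and its listed nameservers.
    for ns in ("ns1.example.net", "ns2.example.net"):
        status, ips = query_nameserver("example.com", ns)
        print("%-28s %-12s %s" % (ns, status, " ".join(ips)))
```

A "timeout" from your own address is stronger evidence than one from dnsstuff, but it is still not proof the server is gone: run the query from a second network before telling a registrar the host is dead, and note that an "answer" from a nameserver that is itself the spammed web host (as with 221.12.68.2 above) is the pattern the post is looking for.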
tracker
Posted on: Monday, December 18th, 2006, 12:51am
Posts: 41
Mark, is there a switch on the Ping command to keep the window active instead of closing immediately after it retrieves the info? I tried /P but no go. Works fine if I go to DOS instead of trying to work through Windows, but without cut and paste help. Also don't have the nslookup command, as I just found out.
Reply: 17 - 26
tracker
Posted on: Monday, December 18th, 2006, 1:14am
Posts: 41
Ryan, here is the header from one of Polyakov's spam emails. I think that this was sent through a mail server in Taiwan. I also did a quicky on performing an AKA on my email address, but suppose the theory will remain the same.
Return-path: <istanbull@gforce1.com>
Received: from mmp1-v0.westbroadband.net ([192.168.17.143]) by msgs1.westbroadband.net (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id <0JAG00EIQBSB7900@msgs1.westbroadband.net> for johndoe@doepizza.com; Sun, 17 Dec 2006 20:14:35 -0800 (PST)
Received: from cuda2.westbroadband.com ([192.168.17.102]) by s1mq0.westbroadband.net (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0JAG0074JBV6FL10@s1mq0.westbroadband.net> for johndoe@doepizza.com (ORCPT johndoe@doepizza.com); Sun, 17 Dec 2006 20:16:18 -0800 (PST)
Received: from -1216223920 (61-228-133-113.dynamic.hinet.net [61.228.133.113]) by cuda2.westbroadband.com (Spam Firewall) with SMTP id DE07942E071 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 20:21:25 -0800 (PST)
Received: from gforce1.com (-1215544608 [-1215387776]) by 61-228-133-113.dynamic.hinet.net (Qmailv1) with ESMTP id 336FB6AB95 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 21:17:15 -0500
Date: Sun, 17 Dec 2006 21:17:15 -0500
From: "Axiom I. Incriminate" <istanbull@gforce1.com>
Subject: [SPAM:*] Girls don't like you?
To: Johndoe <johndoe@doepizza.com>
Message-id: <7698121304.20061217211715@gforce1.com>
MIME-version: 1.0
X-Mailer: The Bat! (v2.00.3) Personal
Content-type: text/plain
Content-transfer-encoding: 7BIT
X-Priority: 3
X-ASG-Debug-ID: 1166415675-7288-233-2
X-Barracuda-URL: http://cuda2.westbroadband.com:8000/cgi-bin/mark.cgi
X-ASG-Orig-Subj: Girls don't like you?
X-AntiVirus: OK! AntiVir MailGate Version 2.0.1; AVE: 6.15.0.0; VDF: 6.15.0.6
X-Barracuda-Bayes: SPAM GLOBAL 1.0000 1.0000 4.3430
X-Virus-Scanned: by Westbroadband Spam Firewall at westbroadband.com
X-ASG-Tag: INTENT (propnostril.com)
X-Barracuda-Spam-Score: 7.39
X-Barracuda-Spam-Status: Yes, SCORE=7.39 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=8.0 tests=DRUGS_ANXIETY, DRUGS_ANXIETY_EREC, DRUGS_ERECTILE
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.29029
 Rule breakdown below
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 1.10 DRUGS_ERECTILE         Refers to an erectile drug
 1.84 DRUGS_ANXIETY          Refers to an anxiety control drug
 0.10 DRUGS_ANXIETY_EREC     Refers to both an erectile and an anxiety drug
X-Barracuda-Spam-Flag: YES
Original-recipient: rfc822;johndoe@doepizza.com
Reply: 18 - 26
MarkGiles
Posted on: Monday, December 18th, 2006, 3:35pm
Posts: 363
Mark, is there a switch on the Ping command to keep the window active instead of closing immediately after it retrieves the info? I tried /P but no go. Works fine if I go to DOS instead of trying to work through Windows, but without cut and paste help. Also don't have the nslookup command, as I just found out.
I am so ancient I don't mind using the command prompt. You can copy/paste in the DOS window by clicking on the top left icon. To paste, select Edit > Paste. To copy, select Edit > Mark, then use the mouse to "swipe" the rectangular area to copy, and press Enter to copy the highlighted text to the clipboard.
Keyboard shortcuts are ep for edit > paste or ek for edit > mark after you have clicked the top left icon.
ping and nslookup are available on the web at many sites, too.
Reply: 19 - 26
tracker
Posted on: Tuesday, December 19th, 2006, 12:49am
Posts: 41
Interesting... When in DOS, I only have a full screen. Have to type "exit" to get back. Time to upgrade...
Reply: 20 - 26
Ryan
Posted on: Tuesday, December 19th, 2006, 1:49am
Spam Fighter
Posts: 76
So let's get started on this!
Ok, Part I:
Return-path: <istanbull@gforce1.com>
Metaphorically, this is the return-address on the envelope that was posted. This address could be anything that the sender decided to put there, and should not be interpreted as being the real e-mail address of the sender.
Hosts (and other companies, and individuals) can have their servers or mail clients flooded, and ground to a halt when spammers mail millions of spam mails with fake return-paths. This is because all the bounced mails get sent to that address, thus crippling the system not designed to handle such a flow.
Received: from mmp1-v0.westbroadband.net ([192.168.17.143]) by msgs1.westbroadband.net (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id <0JAG00EIQBSB7900@msgs1.westbroadband.net> for johndoe@doepizza.com; Sun, 17 Dec 2006 20:14:35 -0800 (PST)
The Received section indicates the origin of the mail. In your mail, there are four indications:
from: the machine that sent it (and its IP address)
by: the nameserver that received it, and its mail transfer agent (MTA) (http://en.wikipedia.org/wiki/Mail_transfer_agent)
with: The ESMTP (http://en.wikipedia.org/wiki/SMTP_extension) id of the sender. This information was added by the mail server, and not the spammer, so it is more reliable. All it does is help identify the connection associated with the handler. Not useful in anti-spam.
for: This is to whom the mail was sent. Note that this may be different than the "to" that you see in the short header! I see many cases when spammers use a different "for" address and "to" address so the victim does not know which e-mail address of theirs is actually being spammed.
Why are there three "received"?: This is because each server that handles "your" mail adds one to the spam. (when it was written, when it was processed by the MTA, and when transferred to you).
You can use this to trace the mail back to the source by starting from the bottom and working your way towards the top. The first one sent (by the spammer) is the bottom one.
UPDATE: See Mark's comment below regarding the original source of the message.

A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
Reply: 21 - 26
MarkGiles
Posted on: Tuesday, December 19th, 2006, 6:22pm
Posts: 363
Interesting analysis. This is fun!
Received: from gforce1.com (-1215544608 [-1215387776]) by 61-228-133-113.dynamic.hinet.net (Qmailv1) with ESMTP id 336FB6AB95 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 21:17:15 -0500
So the source would most likely be at IP address 61.228.133.113 which appears to be a dynamic address on hinet.net. It is time-stamped 21:17:15 at 5 hours behind GMT (say 26:17 or 02:17 the next day, GMT)
In the next step on its journey we see Received: from -1216223920 (61-228-133-113.dynamic.hinet.net [61.228.133.113]) by cuda2.westbroadband.com (Spam Firewall) with SMTP id DE07942E071 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 20:21:25 -0800 (PST)
That means that it arrived at westbroadband.com after leaving hinet.net. Arrival is time-stamped 20:21:25 at 8 hours behind GMT (say 28:21 or 04:21 GMT - almost 2 hours time delay assuming the time zones are configured right.)
Now for the next step on the journey Received: from cuda2.westbroadband.com ([192.168.17.102]) by s1mq0.westbroadband.net (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0JAG0074JBV6FL10@s1mq0.westbroadband.net> for johndoe@doepizza.com (ORCPT johndoe@doepizza.com); Sun, 17 Dec 2006 20:16:18 -0800 (PST)
The IP addresses for westbroadband are 192.168.*.* which are private, non-routable addresses. One more hop within the westbroadband.com network, arriving 20:16:18 - seemingly a few minutes earlier than it left. Assume that the time-of-day clock on one of these two machines is a bit inaccurate.
Now for the final hop from source to destination
Received: from mmp1-v0.westbroadband.net ([192.168.17.143]) by msgs1.westbroadband.net (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id <0JAG00EIQBSB7900@msgs1.westbroadband.net> for johndoe@doepizza.com; Sun, 17 Dec 2006 20:14:35 -0800 (PST)
This timestamp shows another anomaly, it is also earlier than its departure time from the previous hop. But that is the sequence of operations, as seen in the "From" and "By" fields. The admin of those Sun Java systems should set them up to auto-synch the time from a time-server!
Origin -> Hinet -> westbroadband.com -> westbroadband.net -> westbroadband.net -> you
Does that order make sense?
Looking at the hinet address, you can see it has been reported already http://cbl.abuseat.org/lookup.cgi?ip=61.228.133.113&.submit=Lookup
Reply: 22 - 26
MarkGiles
Posted on: Tuesday, December 19th, 2006, 6:50pm
Posts: 363
Now for the real analysis. The source address looks weird. Instead of being in the form 61.123.234.123 we see a long negative number, in fact two!
Received: from gforce1.com (-1215544608 [-1215387776]) by 61-228-133-113.dynamic.hinet.net (Qmailv1) with ESMTP id 336FB6AB95 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 21:17:15 -0500
We can convert long integer form into dotted IP address form. See http://www.opinionatedgeek.com/DotNet/Tools/CrazyIP/default.aspx
Converting the first of these, -1215544608, we get Host: 32.sub-72-115-189.myvzw.com which is IP 72.115.189.32
Converting the second one, -1215387776, we get Host: 128.sub-72-113-88.myvzw.com which is IP 72.113.88.128
That is the most likely actual origin address, which is in the Verizon Wireless IP range. myvzw.com is a Verizon / MSN offering. The spammer used hinet as the uplink, exploiting an open relay.
Reply: 23 - 26
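The bottom-up walk of the Received: chain that Ryan describes and Mark carries out by hand in the two posts above, plus Mark's long-integer conversion, as one added example that is not part of the original thread. It is standard-library Python: it parses each Received: line into its from / by / timestamp parts, lists the hops in transit order, reports the time spent between hops so the backwards clocks Mark noticed stand out, and pulls out any token that is a signed integer rather than a dotted address. SAMPLE_HEADERS is the header tracker posted, trimmed to the lines this needs. int_to_ipv4() is this example's own helper, not the web converter Mark linked; it returns two readings, because the tool on the page evidently took the magnitude of the number (72.115.189.32 is exactly 1215544608), whereas reading the same bits as a two's-complement 32-bit value gives a different address.

```python
# Added example (not from the thread): walk a message's Received: chain from
# the bottom header up (earliest hop first), flag hops whose timestamps run
# backwards, and decode "addresses" that are really signed integers.
# SAMPLE_HEADERS is the posted header, trimmed; int_to_ipv4() is this
# example's own helper, not the web converter the thread links to.
import email
import email.utils
import re
import socket
import struct

SAMPLE_HEADERS = """\
Return-path: <istanbull@gforce1.com>
Received: from mmp1-v0.westbroadband.net ([192.168.17.143])
 by msgs1.westbroadband.net (Sun Java System Messaging Server 6.2-7.04)
 with ESMTP id <0JAG00EIQBSB7900@msgs1.westbroadband.net>
 for johndoe@doepizza.com; Sun, 17 Dec 2006 20:14:35 -0800 (PST)
Received: from cuda2.westbroadband.com ([192.168.17.102])
 by s1mq0.westbroadband.net (Sun Java System Messaging Server 6.2-3.04)
 with ESMTP id <0JAG0074JBV6FL10@s1mq0.westbroadband.net>
 for johndoe@doepizza.com; Sun, 17 Dec 2006 20:16:18 -0800 (PST)
Received: from -1216223920 (61-228-133-113.dynamic.hinet.net [61.228.133.113])
 by cuda2.westbroadband.com (Spam Firewall) with SMTP id DE07942E071
 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 20:21:25 -0800 (PST)
Received: from gforce1.com (-1215544608 [-1215387776])
 by 61-228-133-113.dynamic.hinet.net (Qmailv1) with ESMTP id 336FB6AB95
 for <johndoe@doepizza.com>; Sun, 17 Dec 2006 21:17:15 -0500
From: "Axiom I. Incriminate" <istanbull@gforce1.com>
Subject: Girls don't like you?

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
LONG_INT_RE = re.compile(r"-?\d{7,10}")  # an IPv4 as one integer has 7 to 10 digits


def parse_received(value):
    """One Received: value -> helo name, parenthesised info, receiving host, time."""
    text = " ".join(value.split())          # unfold continuation lines
    body, _, stamp = text.rpartition(";")   # the date follows the last ';'
    m = RECEIVED_RE.search(body)
    if not m:
        return None
    stamp = re.sub(r"\(.*?\)", "", stamp).strip()  # drop "(PST)"-style comments
    return {"from": m["helo"], "info": m["info"] or "", "by": m["by"],
            "when": email.utils.parsedate_to_datetime(stamp)}


def trace_hops(raw_message):
    """Hops in transit order, with seconds since the previous hop and odd integers."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()  # the bottom Received: line was added first, so it is hop 1
    report, prev = [], None
    for n, hop in enumerate(hops, 1):
        delta = None if prev is None else int((hop["when"] - prev).total_seconds())
        odd = [int(t) for t in LONG_INT_RE.findall(hop["from"] + " " + hop["info"])]
        report.append({"hop": n, "from": hop["from"], "info": hop["info"],
                       "by": hop["by"], "delta_s": delta, "odd_ints": odd})
        prev = hop["when"]
    return report


def int_to_ipv4(value):
    """Two readings of a signed 32-bit integer posing as an address:
    (two's-complement bits, magnitude). The page's converter used the
    magnitude: 72.115.189.32 is exactly 1215544608."""
    twos = socket.inet_ntoa(struct.pack(">i", value))
    magnitude = socket.inet_ntoa(struct.pack(">I", abs(value)))
    return twos, magnitude


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_HEADERS):
        d = hop["delta_s"]
        skew = "" if d is None else " %+ds" % d
        flag = " <-- clock runs backwards" if d is not None and d < 0 else ""
        print("hop %d: %s -> %s%s%s" % (hop["hop"], hop["from"], hop["by"], skew, flag))
        for value in hop["odd_ints"]:
            print("   %d -> signed %s / magnitude %s" % ((value,) + int_to_ipv4(value)))
```

Only the bottom-most Received: line written by a server you trust is reliable; everything below it (here, the hinet.net line and the integers inside it) was written by software the spammer controls and can say anything. Which integer reading is right depends on how that software printed the value, and the two readings land in different networks, so treat either as a lead to confirm, not as the origin.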
Ryan
Posted on: Tuesday, December 19th, 2006, 11:21pm
Spam Fighter
Posts: 76
I bow in the presence of greatness 
Thanks for the link, Mark!

A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
Reply: 24 - 26
tracker
Posted on: Friday, December 22nd, 2006, 11:32am
Posts: 41
You guys are good. I’ve always wondered about those time anomalies which I’d often see, and because of that I’d get a bit confused as to the route that the email took. So it passes from bottom up to the top of the stack? Got it. I didn't realize that those long integers were IP addresses.
Perhaps someone now could answer why or how some email, just like our pony express, gets actual real delays for days. Maybe it gets routed through the Denver airport, eh?
Reply: 25 - 26
phantazm
Posted on: Sunday, July 1st, 2007, 5:13pm
New Member
Posts: 18
Ryan: "So in short, a clear "registrar hall of shame" is a GREAT idea, but one needs to really be careful to make it an accurate assessment..."
If they ignore complaints, that should be enough!
Reply: 26 - 26