From: "Pandora Sbox"
Subject: How to identify a spammer's identity while he is still on-line!
Date: 15 Feb 1999 00:00:00 GMT
Message-ID: <01be591e$ee4a72e0$07c8c9d0@apollo>
X-Complaints-To: newsabuse@remarQ.com
X-Trace: 919108773 L9ONVCM4DC807D0C9C usenet54.supernews.com
Organization: ....
Newsgroups: news.admin.net-abuse.email

Here is a neat trick to get a spammer's identity. Catch him while he is still on-line and query his computer to see who he is. Be sure you get the right computer, because if a spammer has already hung up, someone else may have dialed in behind him.

Here is a successful use of this trick. I received the following spam.....

    Received: from nisc2.upenn.edu (NISC2.UPENN.EDU [128.91.254.18])
        by xxxxxxxxxxxxxxxx with ESMTP id MAA06208;
        Mon, 15 Feb 1999 12:11:52 -0700 (MST)
    From: hjgjfdk@ibm.net
    Received: from MSCF.MED.UPENN.EDU (SYSTEM@MSCF.MED.UPENN.EDU [165.123.128.13])
        by nisc2.upenn.edu (8.8.8/8.8.7) with ESMTP id OAA08532;
        Mon, 15 Feb 1999 14:10:18 -0500 (EST)
    Received: from jgroves (1Cust156.tnt9.lax3.da.uu.net)
        by mscf.med.upenn.edu (PMDF V5.0-5 #U3216)
        id <01J7RWPVQ2AO0030CC@mscf.med.upenn.edu>;
        Mon, 15 Feb 1999 14:08:39 -0500 (EST)
    Date: Mon, 15 Feb 1999 14:08:39 -0500 (EST)
    Date-warning: Date header was inserted by mscf.med.upenn.edu
    Subject: Home Based Biz! 2-4k per week!
    To: travelers@ibm.net
    Message-id: <01J7RX8VZ38E0030CC@mscf.med.upenn.edu>
    Content-transfer-encoding: 7BIT
    Status:

    $100,000+ FIRST YEAR INCOME

Notice the header - "Received: from jgroves (1Cust156.tnt9.lax3.da.uu.net)"

Doing a lookup on that name reveals that 1Cust156.tnt9.lax3.da.uu.net equals IP address 153.37.77.156.
Now type the following command at the MS-DOS or Windows NT command prompt while connected to the Internet and look at the results:

    C:\WINDOWS>nbtstat -A 153.37.77.156

           NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        BABY           <00>  UNIQUE      Registered
        WORKGROUP      <00>  GROUP       Registered
        BABY           <03>  UNIQUE      Registered
        JACE GROVES    <03>  UNIQUE      Registered

        MAC Address = 44-45-53-54-00-00

Notice the spam header said "Received: from jgroves.." and the data returned has a user named Jace Groves, and another user named "BABY". Remember the baby spammer from a few weeks back?

If the data returned does not match the "Received: from" header, you may be querying the computer of someone who dialed in after the spammer hung up, so make sure the data matches before you tar and feather the name returned. We would not want to fry an innocent person who had the misfortune of dialing in after the spammer hung up.

Pandora
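The two pieces of evidence the post relies on are the chain of Received: headers (walked from the newest hop down to the one the spammer's own machine produced) and the NetBIOS name table printed by nbtstat, and the whole argument hinges on the "make sure the data matches" check at the end. The following Python is an added example, not part of Pandora's post: it unfolds the quoted headers, pulls the HELO name, reverse-DNS name, literal IP and relay out of each hop, parses the quoted nbtstat table, and reports whether the originating HELO name ("jgroves") plausibly corresponds to a name the remote machine registered. Both sample inputs are constructed from the text of the post. The match rule (exact name, or first initial plus surname, as "jgroves" versus "JACE GROVES") is my own heuristic for this example, not anything the post defines, and the script performs no network queries at all; it only analyses output that has already been captured.

```python
import re

# Constructed sample: the Received: headers quoted in the post, folded the
# way a raw message would carry them (newest hop first).
SAMPLE_HEADERS = """\
Received: from nisc2.upenn.edu (NISC2.UPENN.EDU [128.91.254.18])
    by xxxxxxxxxxxxxxxx with ESMTP id MAA06208;
    Mon, 15 Feb 1999 12:11:52 -0700 (MST)
From: hjgjfdk@ibm.net
Received: from MSCF.MED.UPENN.EDU (SYSTEM@MSCF.MED.UPENN.EDU [165.123.128.13])
    by nisc2.upenn.edu (8.8.8/8.8.7) with ESMTP id OAA08532;
    Mon, 15 Feb 1999 14:10:18 -0500 (EST)
Received: from jgroves (1Cust156.tnt9.lax3.da.uu.net)
    by mscf.med.upenn.edu (PMDF V5.0-5 #U3216)
    id <01J7RWPVQ2AO0030CC@mscf.med.upenn.edu>;
    Mon, 15 Feb 1999 14:08:39 -0500 (EST)
Subject: Home Based Biz! 2-4k per week!
"""

# Constructed sample: the nbtstat -A output quoted in the post.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        BABY           <00>  UNIQUE      Registered
        WORKGROUP      <00>  GROUP       Registered
        BABY           <03>  UNIQUE      Registered
        JACE GROVES    <03>  UNIQUE      Registered

        MAC Address = 44-45-53-54-00-00
"""


def unfold_headers(raw):
    """Return (name, value) pairs; RFC 822 continuation lines are joined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:          # folded continuation
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


_FROM_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into what the sender claimed (HELO) and
    what the relay itself observed (reverse name, literal IP)."""
    m = _FROM_RE.search(value)
    helo = m.group(1) if m else None
    comment = (m.group(2) or "") if m else ""
    # first token of the comment, minus any ident "user@" prefix
    reverse = comment.split()[0].split("@")[-1] if comment else None
    ip_m = _IP_RE.search(comment)
    by_m = _BY_RE.search(value)
    return {"helo": helo, "reverse": reverse,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None}


def received_hops(raw):
    return [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]


def originating_hop(raw):
    # The last Received: header is the earliest hop. Only the hops written by
    # relays you trust are reliable; anything below them could be forged.
    return received_hops(raw)[-1]


_NBT_RE = re.compile(r"^\s*(.+?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")


def parse_nbtstat(output):
    """Parse 'Name <suffix> Type Status' rows; header and MAC lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = _NBT_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append({"name": name.strip(), "suffix": suffix.upper(),
                         "type": kind, "status": status})
    return rows


def messenger_names(rows):
    # <03> UNIQUE entries are Messenger-service names: the machine name and
    # the logged-on user name, which is what the post reads "Jace Groves" from.
    return [r["name"] for r in rows if r["suffix"] == "03" and r["type"] == "UNIQUE"]


def name_forms(netbios_name):
    """Heuristic (assumption for this example): accept the full name without
    spaces, or first initial plus surname, e.g. 'JACE GROVES' -> 'jgroves'."""
    parts = netbios_name.lower().split()
    forms = {"".join(parts)}
    if len(parts) > 1:
        forms.add(parts[0][0] + "".join(parts[1:]))
    return forms


def matching_names(helo, rows):
    """Names in the <03> table that the HELO name from the Received: header
    plausibly corresponds to. Empty means: you may have the wrong dial-up user."""
    helo = helo.lower()
    return [n for n in messenger_names(rows) if helo in name_forms(n)]


if __name__ == "__main__":
    origin = originating_hop(SAMPLE_HEADERS)
    print("originating hop:", origin)
    table = parse_nbtstat(SAMPLE_NBTSTAT)
    print("messenger names:", messenger_names(table))
    print("matches for", origin["helo"], "->", matching_names(origin["helo"], table))
```

Running it prints the jgroves hop with its reverse name 1Cust156.tnt9.lax3.da.uu.net and no literal IP (that relay recorded none), the two <03> names BABY and JACE GROVES, and JACE GROVES as the one consistent with the HELO name; an empty match list is the signal the post warns about, that the address has since been handed to a different dial-up user.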