From: buchanan@cybernex.net (Lysander Spooner)
Subject: Re: Hopeless Case?

On Mon, 04 Aug 1997 10:35:19 GMT, elig@hotmail.com (NetBolt@) wrote:

>This sucker below has RUINED some dozens of ng the past 24 hours.
>Unfortunately to trace this seems *impossible*. How to do it?

LONG ANSWER --

First, we can try to find out what news-server the spam was posted to.

The most reliable place to start is the Path:. At least some portion of it MUST be valid, since it is updated by other servers after it leaves the control of the originator, who might have forged everything in the header. You read it from right to left, and the trick is to figure out if anything was "pre-loaded" and where the article was actually injected. In this case, it doesn't look like there was any funny business. (The full header is quoted at the bottom of this message.)

Examining the right side of the Path: line, we find the IP address 208.2.249.1. When we try to do a DNS lookup, it politely reverses. (That is, it gives the host name associated with that address. Forward DNS gives the address for a specified name. All domain names _must_ translate to an address -- else they get lonely -- but not all addresses will supply an associated domain name. In spam-investigating, the fact that an address won't reverse-DNS is a good hint that it's a spam-site. Reputable businesses want a name you can remember. Spammers don't want you to know their names. They want to hide behind a number that 98% of the Internet doesn't even know how to interpret.) It identifies itself as "BOINK".

The next most reliable field is the "NNTP-Posting-Host:" line. This is supposed to identify the name or address of the computer which posted the article in question to the server. In this case, there isn't one. Frigging stupid Microsoft server software sucks! Onward.

Then we look at the Message-ID:. We're interested in the part to the right of the "@". Usually, this is the hostname of the actual news-server the article was posted _to_.

BEWARE: Some servers will just insert whatever is to the right of the "@" in the "From:" field. Pretty stupid when you think of it, since From: is the easiest thing to forge. Even Neil can handle that.

"boink.noculture.com". Ah, consistency! So let's check out boink.

Using the telnet command (or any Windows telnet client), try to telnet to port 19 (NNTP). The connection goes through, and it greets us with

>telnet 208.2.249.1 19
>
>200 NNTP Service Microsoft® Internet Services 5.00.7515 Version:
>5.0.0.7515 Posting Allowed

That means it's an open server, and it will let anybody post whatever they want. (Shit. I just gave Tommy the Terrorist a new server to abuse! I don't know if I can spare a bot to "embargo" another open server!)

At this point, a good Spam Warrior will use the Whois command (or one of the Web-based interfaces for NIC lookups) to find out who "noculture.com" is.

>Cultural Science Center of Calabasas (NOCULTURE-DOM)
>   8101 Airlane Ave.
>   Los Angeles, CA 90045
>   US
>
>   Domain Name: NOCULTURE.COM
>
>   Administrative Contact, Technical Contact, Zone Contact:
>      Usher, Phil  (PU67)  phil_usher@XNAN.COM
>      (310) 670-8650
>   Billing Contact:
>      Usher, Phil  (PU67)  phil_usher@XNAN.COM
>      (310) 670-8650
>
>   Record last updated on 12-Mar-97.
>   Record created on 12-Mar-97.
>   Database last updated on 4-Aug-97 04:29:21 EDT.
>
>   Domain servers in listed order:
>
>   DNS.NOCULTURE.COM            208.2.249.1
>   FOXTROT.WORLDCOM.COM         198.64.193.12

An email to Phil, as well as Postmaster and Root @noculture.com, with a polite request to secure their server, is the usual practice.

So who POSTED the shit?

In the body, as well as the "organization:" header line, we find "htttp://204.248.170.93/diamond". Again, we try a reverse DNS lookup. It tells us to piss off. SPAMMER ALERT!! (As if we hadn't already figured that out.)

That is a "Class-C" address, since the first of the four numbers (called "octets" -- 8-bit values) is greater than 191.
This means that the NIC assigns the first three octets (called the "Net-ID") and the owner of that Net-ID can use the last octet as he wishes for individual Hosts. This yields 254 separate IP addresses. If you want to do a NIC lookup for a Class-C, you have to "wildcard" or "mask" the last octet when you request the info. You just replace the last octet with a zero. To wit: "whois 204.248.170.0"

(digress)
(If the first octet is 128 - 191, that means it's a Class-B address, and the NIC assigns only the first TWO octets, leaving the last two octets - 16 bits - for the holder of that Net-ID. This can yield up to around 65,000 IP addresses. If the first number is below 128, it's a Class-A address. You guessed it -- the NIC only assigns the first octet, leaving 24 bits for individual host addresses -- that is a LOT of possible addresses. Do the math. When I started teaching this stuff 10 years ago, I used to joke that in order to get a Class-A address you had to have a signed note from God; to get a Class-B address you had to be a medium-sized company or better, and to get a Class-C address you had to put a quarter in the vending machine at Stanford. After all, they had LOTS of Class-C IDs to give out, but only about 65,000 Class-Bs, and only a hundred and some odd Class-A IDs. Needless to say, the net has grown and addresses are getting more and more precious.)
(end digression)

A Whois for 204.248.170.0 yields:

>Net Direct (NETBLK-SPRINT-CCF8AA)   SPRINT-CCF8AA   204.248.170.0 - 204.248.171.255
>US Sprint (NETBLK-SPRINT-BLKD)      SPRINT-BLKD     204.248.0.0 - 204.251.255.0

So the address block is registered to Sprint, and is "sub-leased" to Net Direct. Do a whois for !NETBLK-SPRINT-CCF8AA and you get:

>Net Direct (NETBLK-SPRINT-CCF8AA)
>   6251 N. Winthrop, Suite 5
>   Indianapolis, IN 46220
>   US
>
>   Netname: SPRINT-CCF8AA
>   Netblock: 204.248.170.0 - 204.248.171.255
>   Maintainer: NDIR
>
>   Coordinator:
>      Wilson, Mark  (MW349)  mrw@NETDIRECT.NET
>      3172515252 ext. 2166 (FAX) (317) 726-5239
>
>   Record last updated on 21-Jul-97.
>   Database last updated on 4-Aug-97 04:29:21 EDT.

Whew. We're finally getting somewhere, or so it seems. We can reliably conclude that the web-page referenced in that Spam is run by a customer of Net Direct of Indianapolis, or possibly the customer of one of Net Direct's customers. You can call it a day at this point, and email Mark Wilson, and/or the usual Postmaster@ and root@ but I like to be thorough.

Try poking around. Try connecting to that 204.248.170.93 address on port 25 and see if it speaks SMTP (email). It doesn't. Try to FTP to it or try a plain telnet and see if it barks. Woof Woof:

>220 hostall.hostall.com FTP server (Version 6.00) ready.

and

>FreeBSD (hostall.hostall.com) (ttyp1)
>
>login:

respectively. BINGO! There's the name that the Spammer doesn't want us to know -- hostall.com. Again we dip into the NIC database with Whois:

>HostAll, Inc. (HOSTALL-DOM)
>   11715 Fox Road Suite 400-126
>   Indianapolis, IN 46236
>   USA
>
>   Domain Name: HOSTALL.COM
>
>   Administrative Contact, Technical Contact, Zone Contact:
>      Cazzell, Jacob  (JC5570)  jacobcaz@NETDIRECT.NET
>      (317) 823-3924 (FAX) (317) 826-1997
>   Billing Contact:
>      Cazzell, Jacob  (JC5570)  jacobcaz@NETDIRECT.NET
>      (317) 823-3924 (FAX) (317) 826-1997
>
>   Record last updated on 14-Feb-97.
>   Record created on 08-Feb-97.
>   Database last updated on 4-Aug-97 04:29:21 EDT.
>
>   Domain servers in listed order:
>
>   NS1.RAWSPACE.COM             204.248.170.202
>   NS2.NETDIRECT.NET            204.120.164.4

And there is Netdirect.com, which we will assume to be hostall's upstream provider. Absolute confirmation of this fact can be gotten from the traceroute command --

>traceroute hostall.hostall.com
>Sending 48 data bytes to hostall.hostall.com [204.248.170.2]
>
>1:No packet received from intermediate hop.
>2:Rcvd ICMP pkt type 11: [207.198.145.1] cybernex-nj-wayne.cybernex.net in 151 msec.
>3:Rcvd ICMP pkt type 11: [207.198.150.13] cybernex-nj-wayne.cybernex.net in 171 msec.
>4:Rcvd ICMP pkt type 11: [207.198.151.33] gw1.cybernex.net in 161 msec.
>5:Rcvd ICMP pkt type 11: [207.198.129.9] JerseyCity1.new-york.net in 251 msec.
>6:Rcvd ICMP pkt type 11: [165.254.3.1] nyc1.new-york.net in 221 msec.
>7:Rcvd ICMP pkt type 11: [165.113.121.13] crl-new-york-net.us.crl.net in 171 msec.
>8:Rcvd ICMP pkt type 11: [165.113.50.85] vva-lga.x.atm.us.crl.net in 211 msec.
>9:Rcvd ICMP pkt type 11: [192.41.177.181] mae-east-plusplus.washington.mci.net in 271 msec.
>10:Rcvd ICMP pkt type 11: [204.70.1.213] core2-hssi2-0.Washington.mci.net in 171 msec.
>11:Rcvd ICMP pkt type 11: [204.70.4.45] core2.NorthRoyalton.mci.net in 221 msec.
>12:Rcvd ICMP pkt type 11: [204.70.1.254] core2-hssi-3.Chicago.mci.net in 211 msec.
>13:Rcvd ICMP pkt type 11: [204.70.185.50] border5-fddi-0.Chicago.mci.net in 221 msec.
>14:Rcvd ICMP pkt type 11: [204.70.186.66] net-direct.Chicago.mci.net in 231 msec.
>15:Rcvd ICMP pkt type 11: [204.248.170.254] ? in 251 msec.
>16:Rcvd ICMP pkt type 0: [204.248.170.2] ?, 48 bytes in 240 msec.
>
>TraceRoute Statistics for hostall.hostall.com
>16 packets transmitted, 15 packets received, 6% packet loss
>round-trip (ms) min/avg/max = 151/210/271

As we thought, hostall (the "?" in the last two lines) is connected through Netdirect, which uses MCI as a backbone provider.

[END OF LONG ANSWER]

So, now we know that the culprit is:

>      Cazzell, Jacob  (JC5570)  jacobcaz@NETDIRECT.NET
>      (317) 823-3924 (FAX) (317) 826-1997

right?

Weeeeelllll, yes, but not the _only_ culprit, or the actual villain in this Spammage. Jacob is probably just yet another poor fool who's been bribed into Spamming for, and directing web-traffic to, the REAL bad guys. To find out who they are, we go to the

SHORT ANSWER TO YOUR QUESTION

(in case anybody's forgotten, the question was how to "trace" this spam)

Short Answer: Click on the URL. It's yet another front for ADULTSIGHTS, the most abusive Spammers on the net.
For more info on Adultsights (including home phone numbers of some of the principals) see my recent article.

So why didn't I just give the short answer first? Because I have to write _documentation_ today, and I DESPISE writing documentation, and I'm gonna damn well procrastinate until the last possible minute!

See ya later. I have to go paint my oak tree.

--
Rick
-----------
** Eschew obfuscation **
The Spam

> From: jaclyn@freepussy.com
> Subject: !!THE BEST PUSSY SITE ON THE WEB!! - red_0089.jpg(1/1) 12668
>  bytes
> Organization: htttp://204.248.170.93/diamond The Hottest Free Hard
>  Core XXX Uncensored Porn Site On the Net!!
> Reply-To: jaclyn@freepussy.com
> Post-Count: 001777
> Message-ID: <Sj71u#9n8GA.64@boink.noculture.com>
> Newsgroups: alt.binaries.erotica,alt.binaries.erotica.female.plumpers,
>  alt.binaries.erotica.fetish,alt.binaries.erotica.fettish,
>  alt.binaries.erotica.pornstar,alt.binaries.erotica.sex.in.the.morning,
>  alt.binaries.erotica.teen,alt.binaries.pictures.erotic.centerfolds,
>  alt.binaries.pictures.erotica,alt.binaries.pictures.erotica.amateur,
>  alt.binaries.pictures.erotica.amateur.female,
>  alt.binaries.pictures.erotica.blondes,
>  alt.binaries.pictures.erotica.breasts,
>  alt.binaries.pictures.erotica.breasts.small,
>  alt.binaries.pictures.erotica.brunette,
>  alt.binaries.pictures.erotica.butts,
>  alt.binaries.pictures.erotica.cheerleaders,
>  alt.binaries.pictures.erotica.facials,
>  alt.binaries.pictures.erotica.female,
>  alt.binaries.pictures.erotica.female.anal,
>  alt.binaries.pictures.erotica.fetish,
>  alt.binaries.pictures.erotica.fetish.feet,
>  alt.binaries.pictures.erotica.groupsex,
>  alt.binaries.pictures.erotica.lesbians
> Date: Sun, 03 Aug 1997 00:34:31 -0700
> Lines: 455
> Path: mn5.swip.net!mn6.swip.net!seunet!news2.swip.net!news.stupi.se!
>  cam-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!
>  news.bbnplanet.com!howland.erols.net!news-peer.sprintlink.net!
>  news-sea-19.sprintlink.net!news-in-west.sprintlink.net!
>  news.sprintlink.net!Sprint!208.2.249.1!junkhouse
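Added example, not part of Rick's post: a short Python script that walks the same header fields the long answer does (Path: read right to left for the injecting server, the host right of the "@" in Message-ID: checked against From:, NNTP-Posting-Host:, any address in Organization:) and turns an address into the zero-masked classful whois query the digression describes. The header sample is constructed from the one quoted above, trimmed to the fields the trace uses; the function names are mine.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the header quoted above, condensed to the fields the trace uses.
SAMPLE_HEADER = """From: jaclyn@freepussy.com
Organization: htttp://204.248.170.93/diamond
Message-ID: <Sj71u#9n8GA.64@boink.noculture.com>
Path: mn5.swip.net!mn6.swip.net!seunet!news2.swip.net!news.stupi.se!
 news.sprintlink.net!Sprint!208.2.249.1!junkhouse
"""

def parse_header(text):
    """Header name (lower-cased) -> value; folded continuation lines are joined."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += line.strip()      # Path: folds without spaces
        elif ":" in line:
            last, _, val = line.partition(":")
            last = last.strip().lower()
            fields[last] = val.strip()
    return fields

def injection_points(fields):
    """Path: is read right to left: the last hop is the poster's own tag, the hop
    before it is the server that injected the article.  Message-ID: gives the
    host right of '@'; flag it when it merely copies the (forgeable) From:."""
    hops = [h for h in fields.get("path", "").split("!") if h]
    mid_host = fields.get("message-id", "").rsplit("@", 1)[-1].rstrip(">")
    from_host = fields.get("from", "").rsplit("@", 1)[-1]
    return {
        "injecting_server": hops[-2] if len(hops) > 1 else None,
        "poster_tag": hops[-1] if hops else None,
        "message_id_host": mid_host,
        "message_id_copied_from_from": mid_host == from_host,
        "nntp_posting_host": fields.get("nntp-posting-host"),  # absent here
        "addresses_in_org": re.findall(r"\d{1,3}(?:\.\d{1,3}){3}",
                                       fields.get("organization", "")),
    }

def classful_whois_query(addr):
    """Classful Net-ID as the post lays it out: first octet < 128 is Class A
    (NIC assigns 1 octet), 128-191 Class B (2), 192+ Class C (3).  Returns
    (class, address with the host octets zeroed) to hand to whois."""
    octets = [int(x) for x in str(IPv4Address(addr)).split(".")]
    cls, keep = ("A", 1) if octets[0] < 128 else ("B", 2) if octets[0] < 192 else ("C", 3)
    return cls, ".".join(str(o) if i < keep else "0" for i, o in enumerate(octets))
```

Run `injection_points(parse_header(SAMPLE_HEADER))` to get the injecting server (208.2.249.1) and Message-ID host (boink.noculture.com), then `classful_whois_query("204.248.170.93")` for the masked 204.248.170.0 lookup.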