gtmhh1-5

_______________________________________________________
GUIDE TO (mostly) HARMLESS HACKING

Vol. 1 Number 5

It's vigilante phun day again! How get email spammers kicked
off their ISPs.
_______________________________________________________

So, have you been out on Usenet blasting spammers? It's

phun, right?

But if you have ever done much posting to Usenet news

groups, you will
notice that soon after you post, you will often get spam
email. This is
mostly thanks to Lightning Bolt, a program written by Jeff
Slayton to strip
huge volumes of email addresses from Usenet posts.
Here's one I recently got:
Received: from mail.gnn.com
(70.los-angeles-3.ca.dial-access.att.net
[165.238.38.70]) by mail-e2b-service.gnn.com (8.7.1/8.6.9)
with SMTP id
BAA14636; Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Date: Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Message-Id: <199608170555.BAA14636@mail-e2b-service.gnn.com>
To:
Subject: Forever
From: FREE@Heaven.com

"FREE" House and lot in "HEAVEN"

Reserve yours now, do it today, do not wait. It is FREE

just for the asking. You receive a Personalized Deed and

detailed Map to
your home in HEAVEN. Send your name and address along with
a one time
minimum donation of $1.98 cash, check, or money order to
Page 1
 gtmhh1-5
help cover s/h cost

TO: Saint Peter's Estates

P.O. Box 9864
Bakersfield,CA 93389-9864
This is a gated community and it is "FREE".

Total satisfaction for 2 thousand years to date.

>From the Gate Keeper. (PS. See you at the Pearly

Gates)
GOD will Bless you.

Now it is a pretty good guess that this spam has a forged

header. To
identify the culprit, we employ the same command that we
used with Usenet spam:

whois heaven.com
We get the answer:

Time Warner Cable Broadband Applications

(HEAVEN-DOM)
2210 W. Olive Avenue
Burbank, CA 91506

Domain Name: HEAVEN.COM

Administrative Contact, Technical Contact, Zone

Contact, Billing Contact:
Melo, Michael (MM428) michael@HEAVEN.COM
(818) 295-6671
Record last updated on 02-Apr-96.
Record created on 17-Jun-93.

Domain servers in listed order:

CHEX.HEAVEN.COM 206.17.180.2
NOC.CERF.NET 192.153.156.22

>From this we conclude that this is either genuine (fat

Page 2
 gtmhh1-5
chance) or a better
forgery than most. So let's try to finger FREE@heaven.com.
First, let's check out the return email address:

finger FREE@heaven.com

We get:
[heaven.com]
finger: heaven.com: Connection timed out

There are several possible reasons for this. One is that the
systems
administrator for heaven.com has disabled the finger port.
Another is that
heaven.com is inactive. It could be on a host computer that
is turned off,
or maybe just an orphan.

*********************
Nwebie note: You can register domain names without setting
them up on a
computer anywhere. You just pay your money and Internic,
which registers
domain names, will put it aside for your use. However, if
you don't get it
hosted by a computer on the Internet within a few weeks, you
may loose your
registration.
*********************
We can test these hypotheses with the ping command. This
command tells you
whether a computer is currently hooked up to the Internet
and how good its
connection is.

Now ping, like most kewl hacker tools, can be used for
either information or
as a means of attack. But I am going to make you wait in
dire suspense for a
later Guide to (mostly) Harmless Hacking to tell you how
some people use
Page 3
 gtmhh1-5
ping. Besides, yes, it would be *illegal* to use ping as a
weapon.
Because of ping's potential for mayhem, your shell account
may have disabled
the use of ping for the casual user. For example, with my
ISP I have to go
to the right directory to use it. So I give the command:
/usr/etc/ping heaven.com

The result is:

heaven.com is alive
***********************
Technical Tip: On some versions of Unix,giving the command
"ping" will start
your computer pinging the target over and over again without
stopping. To
get out of the ping command, hold down the control key and
type "c". And be
patient, next Guide to (mostly) Harmless Hacking will tell
you more about
the serious hacking uses of ping.
***********************

Well, this answer means heaven.com is hooked up to the

Internet right now.
Does it allow logins? We test this with:

telnet heaven.com

This should get us to a screen that would ask us to give

user name and
password. The result is:

Trying 198.182.200.1 ...

telnet: connect: Connection timed out

OK, now we know that people can't remotely log in to

heaven.com. So it sure
looks as if it was an unlikely place for the author of this
spam to have
Page 4
 gtmhh1-5
really sent this email.

How about chex.heaven.com? Maybe it is the place where spam

originated? I
type in:
telnet chex.heaven.com 79

This is the finger port. I get:

Trying 206.17.180.2 ...

telnet: connect: Connection timed out

I then try to get a screen that would ask me to login with

user name, but
once again get "Connection timed out."
This suggests strongly that neither heaven.com or
chex.heaven.com are being
used by people to send email. So this is probably a forged
link in the header.

Let's look at another link on the header:

whois gnn.com
The answer is:

America Online (GNN2-DOM)

8619 Westwood Center Drive
Vienna, VA 22182
USA

Domain Name: GNN.COM

Administrative Contact:
Colella, Richard (RC1504) colella@AOL.NET
703-453-4427
Technical Contact, Zone Contact:
Runge, Michael (MR1268) runge@AOL.NET
703-453-4420
Billing Contact:
Lyons, Marty (ML45) marty@AOL.COM
703-453-4411
Page 5
 gtmhh1-5

Record last updated on 07-May-96.

Record created on 22-Jun-93.

Domain servers in listed order:

DNS-01.GNN.COM 204.148.98.241
DNS-AOL.ANS.NET 198.83.210.28
Whoa! GNN.com is owned by America Online. Now America
Online, like
Compuserve, is a computer network of its own that has
gateways into the
Internet. So it isn't real likely that heaven.com would be
routing email
through AOL, is it? It would be almost like finding a header
that claims its
email was routed through the wide area network of some
Fortune 500
corporation. So this gives yet more evidence that the first
link in the
header, heaven.com, was forged.

In fact, it's starting to look like a good bet that our

spammer is some
newbie who just graduated from AOL training wheels. Having
decided there is
money in forging spam, he or she may have gotten a shell
account offered by
the AOL subsidiary, GNN. Then with a shell account he or she
could get
seriously into forging email.

Sounds logical, huh? Ah, but let's not jump to conclusions.

This is just a
hypothesis and it may be wrong. So let's check out the
remaining link in
this header:
whois att.net

The answer is:

AT&T EasyLink Services (ATT2-DOM)

Page 6
 gtmhh1-5
400 Interpace Pkwy
Room B3C25
Parsippany, NJ 07054-1113
US

Domain Name: ATT.NET

Administrative Contact, Technical Contact, Zone Contact:

DNS Technical Support (DTS-ORG)
hostmaster@ATTMAIL.COM
314-519-5708
Billing Contact:
Gardner, Pat (PG756) pegardner@ATTMAIL.COM
201-331-4453
Record last updated on 27-Jun-96.
Record created on 13-Dec-93.

Domain servers in listed order:

ORCU.OR.BR.NP.ELS-GMS.ATT.NET199.191.129.139
WYCU.WY.BR.NP.ELS-GMS.ATT.NET199.191.128.43
OHCU.OH.MT.NP.ELS-GMS.ATT.NET199.191.144.75
MACU.MA.MT.NP.ELS-GMS.ATT.NET199.191.145.136
Another valid domain! So this is a reasonably ingenious
forgery. The culprit
could have sent email from any of heaven.com, gnn.com or
att.net. We know
heaven.com is highly unlikely because we can't get even the
login port to
work. But we still have gnn.com and att.net as suspected
homes for this spammer.
The next step is to email a copy of this spam *including
headers* to both
postmaster@gnn.com (usually a good guess for the email
address of the person
who takes complaints) and runge@AOL.NET, who is listed by
whois as the
technical contact. We should also email either
postmaster@att.net (the good
guess) or hostmaster@ATTMAIL.COM (technical contact).

Page 7
 gtmhh1-5
Presumably one of the people reading email sent to these
addresses will use
the email message id number to look up who forged this
email. Once the
culprit is discovered, he or she usually is kicked out of
the ISP.

But here is a shortcut. If you have been spammed by this

guy, lots of other
people probably have been, too. There's a news group on the
Usenet where
people can exchange information on both email and Usenet
spammers,
news.admin.net-abuse.misc. Let's pay it a visit and see what
people may have
dug up on FREE@heaven.com. Sure enough, I find a post on
this heaven scam:

From: bartleym@helium.iecorp.com (Matt Bartley)

Newsgroups: news.admin.net-abuse.misc
Subject: junk email - Free B 4 U - FREE@Heaven.com
Supersedes: <4uvq4a$3ju@helium.iecorp.com>
Date: 15 Aug 1996 14:08:47 -0700
Organization: Interstate Electronics Corporation
Lines: 87
Message-ID: <4v03kv$73@helium.iecorp.com>
NNTP-Posting-Host: helium.iecorp.com

(snip)
No doubt a made-up From: header which happened to hit a real
domain
name.

Postmasters at att.net, gnn.com and heaven.com notified.

gnn.com has
already stated that it came from att.net, forged to look
like it came from
gnn. Clearly the first Received: header is inconsistent.

Now we know that if you want to complain about this spam,

the best place to
send a complaint is postmaster@att.net.

Page 8
 gtmhh1-5
But how well does writing a letter of complaint actually
work? I asked ISP
owner Dale Amon. He replied, "From the small number of spam
messages I have
been seeing - given the number of generations of exponential
net growth I
have seen in 20 years - the system appears to be *strongly*
self regulating.
Government and legal systems don't work nearly so well.

"I applaud Carolyn's efforts in this area. She is absolutely

right. Spammers
are controlled by the market. If enough people are annoyed,
they respond. If
that action causes problems for an ISP it puts it in their
economic interest
to drop customers who cause such harm, ie the spammers.
Economic interest is
often a far stronger and much more effective incentive than
legal requirement.
"And remember that I say this as the Technical Director of
the largest ISP
in Northern Ireland."
How about suing spammers? Perhaps a bunch of us could get
together a class
action suit and drive these guys into bankruptcy?
Systems administrator Terry McIntyre argues, "I am opposed
to attempts to
sue spammers. We already have a fairly decent self-policing
mechanism in place.

"Considering that half of everybody on the internet are

newbies (due to the
100% growth rate), I'd say that self-policing is marvelously
effective.
"Invite the gov't to do our work for us, and some damn
bureaucrats will
write up Rules and Regulations and Penalties and all of that
nonsense. We
have enough of that in the world outside the 'net; let's not
Page 9
 gtmhh1-5
invite any of
it to follow us onto the 'net."
So it looks like Internet professionals prefer to control
spam by having net
vigilantes like us track down spammers and report them to
their ISPs. Sounds
like phun to me! In fact, it would be fair to say that
without us net
vigilantes, the Internet would probably grind to a halt from
the load these
spammers would place on it.

OK, I'm signing off for this column. I look forward to your
contributions to
this list. Have some vigilante phun -- and don't get busted!
____________________________________________________________
______

Want to share some kewl stuph? Tell me I'm terrific? Flame

me? For the first
two, I'm at cmeinel@techbroker.com. Please direct flames to
dev/null@techbroker.com. Happy hacking!
_______________________________________________________
Copyright 1996 Carolyn P. Meinel. You may forward the GUIDE
TO (mostly)
HARMLESS HACKING as long as you leave this notice at the
end. To subscribe,
email cmeinel@techbroker.com with message "subscribe hacker
<joe.blow@boring.ISP.net>" substituting your real email
address for Joe Blow's.
____________________________________________________________
_______

Page 10