Thursday, October 28, 2004

How to fight SPAM

Spam and eggs, spam bacon spam and beans, spam spam eggs spam sausages spam spam...


SPAM is a problem which plagues the internet and is a constant source of daily frustration for many people. When we think of spam, we usually think of unsolicited email received by our email clients, which do have an increasing ability to filter it out of our inbox, but what would you do if you started receiving just as many emails to your handheld or mobile device, or even worse, to your mobile phone?

Mobile phones too


It is mobile phones which are the very victims of a plague of email spam here in Japan. It's mostly being sent by dubious advertisers of porn sites and the occasional money scam like insurance sales. I just upgraded my mobile phone, which I received for free on the condition that I accept a completely new phone number and email address, so this time I chose a nice sensible address based on my name. Stupid! I typically receive 5-10 junk emails a day to my phone. Or at least I used to...


Fight back


I got fed up with it and decided to fight back. This is how:

I started keeping a record of all the emails I received, making note of the date, time, and the URL contained within the message. The email address of the sender is irrelevant, as it can easily be faked, but the URL gives us what we need to track the senders down. There's a wealth of information available on how to track the source of an email using its header information, but unfortunately mobile phones don't store the headers for obvious memory space reasons.

Tools of the trade


From the URL it is possible to contact the company hosting the offending website, as well as the company used to register the site's domain name. There are some simple tools available to users of UNIX variants to achieve this, and because I'm a Linux user myself I'd recommend downloading a MEPIS live CD if you're a windoze user for quick, easy access to these tools. MEPIS is a complete Linux operating system, with a beautiful user interface, which is downloaded as an ISO image, burned to a CD, and used to boot straight to Linux from the CD with automatic hardware detection without affecting the operating system you chose to afflict your hard disk with. Get MEPIS and then we can make war against the spam senders.

Battle plan


The machine that goes "ping"...


From the URL of the link to the website in question we need to obtain the IP address of the computer hosting it, as the first step in the search for the site's webhost. To the front line we send the ping command. Ping first resolves the hostname in the URL to an IP address through DNS and prints it on its first line of output, then sends a packet of data to that address, times how long it takes to come back, and displays the result. Even if the server is configured not to answer pings, that first line still gives us the IP address we are after.

:~$ ping www.love-shot.info
PING www.love-shot.info (210.189.74.34) 56(84) bytes of data.
64 bytes from 210.189.74.34: icmp_seq=1 ttl=51 time=17.0 ms
64 bytes from 210.189.74.34: icmp_seq=2 ttl=51 time=17.3 ms
64 bytes from 210.189.74.34: icmp_seq=3 ttl=51 time=17.0 ms

--- www.love-shot.info ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 17.013/17.126/17.336/0.211 ms

Gotcha! Hello 210.189.74.34...

The route to victory


To find the most likely company hosting the website we use the traceroute command. Traceroute displays a list of the computers on the internet forming the connection from our computer to the website itself, showing the reverse DNS name of each one where it has one. The last hop is the server itself, and the named routers just before it normally belong to the network the server sits in, which is usually the webhost or its upstream provider. With the IP address obtained from our ping skirmish we send traceroute on a reconnaissance mission:

:~$ traceroute 210.189.74.34
traceroute to 210.189.74.34 (210.189.74.34), 30 hops max, 38 byte packets
1 YahooBB218125049254.bbtec.net (218.125.49.254) 6.166 ms 5.696 ms 5.313 ms
2 10.36.253.49 (10.36.253.49) 6.357 ms 6.258 ms 6.289 ms
3 10.36.0.123 (10.36.0.123) 6.107 ms 5.737 ms 6.141 ms
4 10.36.0.105 (10.36.0.105) 6.538 ms 6.089 ms 6.362 ms
5 10.2.4.161 (10.2.4.161) 7.102 ms 7.025 ms 7.532 ms
6 10.2.3.162 (10.2.3.162) 7.910 ms 10.2.3.166 (10.2.3.166) 7.332 ms 10.2.3.194 (10.2.3.194) 24.458 ms
7 61.200.82.65 (61.200.82.65) 7.331 ms 7.242 ms 7.390 ms
8 61.207.14.49 (61.207.14.49) 7.841 ms 7.892 ms 7.693 ms
9 210.163.253.245 (210.163.253.245) 7.919 ms 7.470 ms 8.175 ms
10 61.207.0.25 (61.207.0.25) 14.995 ms 15.313 ms 15.516 ms
11 210.145.252.146 (210.145.252.146) 15.714 ms 15.429 ms 14.912 ms
12 219.160.10.122 (219.160.10.122) 16.274 ms 15.919 ms 15.954 ms
13 210.173.176.231 (210.173.176.231) 14.994 ms 15.367 ms 15.234 ms
14 ge-0-2-0.tokdcbr01.idc.ad.jp (158.205.192.206) 15.769 ms 15.495 ms 16.696 ms
15 Giga1-1.tokdcas08.idc.ad.jp (158.205.188.190) 15.469 ms 15.598 ms 15.507 ms
16 158.205.175.226 (158.205.175.226) 16.194 ms 15.895 ms 15.739 ms
17 61.115.225.245 (61.115.225.245) 16.774 ms 18.600 ms 17.730 ms
18 210.189.74.34 (210.189.74.34) 16.240 ms 21.210 ms 15.734 ms

In the last few lines we see ge-0-2-0.tokdcbr01.idc.ad.jp and Giga1-1.tokdcas08.idc.ad.jp. We ignore the router-specific parts, ge-0-2-0.tokdcbr01 and Giga1-1.tokdcas08, keep the organisation's domain idc.ad.jp, and verify the results of our search by sending our browser to www.idc.ad.jp... Hello Japan-based Cable & Wireless IDC.

A friendly reminder


From here I decided to email the company, referring them to the spam I had received and the URL of the site they were hosting, and ask them nicely to please remind the owner of the site that sending unsolicited email advertising is illegal. Webhosts take spam very seriously, as it is a gross misuse of their bandwidth, so they replied thusly:

We will communicate the complaint to the sender and strongly
request them to respond adequately.

In order for you to obtain an effective result, we would
like to have your messages and e-mail headers that you have
received.

Sincerely,

--------------------------------------
Cable & Wireless IDC
Net-Abuse Team

Ah yes, the email headers... As I mentioned earlier, mobile phones don't store the headers, but mine allows me to store the email as a VML file and transfer it to my PC via infra-red, which I did and then passed it on in reply. A few days later I was pleasantly surprised to receive this email:

We asked our contractor to take care of this issue.
They committed they'll warn their customer to refrain
from sending spam.

If you are still getting the email regarding the site,
please let us know that.


Respectfully,

-----------------------------------------
Cable & Wireless IDC Inc.

Wow! I wasn't getting any more email advertising the same site, but from the records I was keeping I was able to determine that the majority of spam I was receiving was advertising sites which were all being hosted by the same company, so I sent them the entire list asking that they check their billing information for correlations in the contact information of the sites in question. So far I'm still spam free!

The war might be over, but not every battle was won


I was very impressed with the success of approaching the site's webhost, and I thank C&W IDC for their co-operation. There's more in a domain name than just an IP address, and with it we can also find the company used to actually register the domain name itself and the apparent contact information of its owner, but I found this approach much less effective.

Whois that domain name?


The whois command searches the whois database (for a .info domain, run by the Afilias registry, as the notice in the output below explains) for information related to a domain name. The whois record is where the registration details of a domain name like love-shot.info are stored, including the name servers a browser must consult to find the computer hosting it. Each domain name is associated with name servers in the Domain Name System (DNS), which convert the domain name to an IP address.

:~$ whois love-shot.info
NOTICE: Access to .INFO WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Afilias
registry database. The data in this record is provided by Afilias Limited
for informational purposes only, and Afilias does not guarantee its
accuracy. This service is intended only for query-based access. You agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to: (a) allow, enable, or otherwise
support the transmission by e-mail, telephone, or facsimile of mass
unsolicited, commercial advertising or solicitations to entities other than
the data recipient's own existing customers; or (b) enable high volume,
automated, electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as reasonably
necessary to register domain names or modify existing registrations. All
rights reserved. Afilias reserves the right to modify these terms at any
time. By submitting this query, you agree to abide by this policy.

Domain ID:D2875814-LRMS
Domain Name:LOVE-SHOT.INFO
Created On:19-Sep-2003 10:00:24 UTC
Expiration Date:19-Sep-2005 10:00:24 UTC
Sponsoring Registrar:R117-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C3651911-LRMS
Registrant Name:Aihara Kousuke
Registrant Organization:Kousuke
Registrant Street1:Chiyoda-ku
Registrant City:Tokyo
Registrant Postal Code:1020071
Registrant Country:JP
Registrant Phone:+81.0331645635
Registrant Email:Aihara1954@hotmail.com
Admin ID:C3651912-LRMS
Admin Name:Aihara Kousuke
Admin Organization:Kousuke
Admin Street1:Chiyoda-ku
Admin City:Tokyo
Admin Postal Code:1020071
Admin Country:JP
Admin Phone:+81.0331645635
Admin Email:Aihara1954@hotmail.com
Billing ID:C3647544-LRMS
Billing Name:Speednames Billing
Billing Organization:Speednames A/S
Billing Street1:Rejsbygade 8A
Billing City:Copenhagen V
Billing Postal Code:1759
Billing Country:DK
Billing Phone:+45.33886300
Billing Email:billing@speednames.com
Tech ID:C3647543-LRMS
Tech Name:Technical Hostmaster
Tech Organization:Speednames
Tech Street1:Rejsbygade 8a
Tech City:Copenhagen
Tech Postal Code:1759
Tech Country:DK
Tech Phone:+45.33886300
Tech Email:hostmaster@speednames.com
Name Server:NS1.ASCIO.NET
Name Server:NS2.ASCIO.NET
Name Server:NS3.ASCIO.NET


love-shot.info would appear to be registered to an Aihara Kousuke of Tokyo, but this information is not likely to be correct, since registrants type these details in themselves and a spammer has every reason to lie. What we can rely on is that the name servers are correct, because the domain could not be looked up without them: ASCIO.NET.
The Tech Email refers to the company or individual which actually entered the domain name into the whois database, and in this case it is listed as hostmaster@speednames.com. Checking the Internic's list of domain name registrars (InterNIC Registrar List) reveals that speednames.com and ascio.net are in fact one and the same.
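As an added example (not part of the original post, and not any real tool), here is a small Python script that automates the two lookups walked through by hand above: pulling the organisation's domain out of the last traceroute hops, the way idc.ad.jp was picked out of ge-0-2-0.tokdcbr01.idc.ad.jp, and pulling the Name Server and Tech Email fields out of a whois record. It works on constructed sample output embedded in the script instead of live network queries, and the hostnames, addresses and contacts in the samples are placeholders (the IP addresses come from the RFC 5737 documentation ranges).

```python
import re

# Constructed sample traceroute output (same line format as the real trace above).
TRACEROUTE_OUTPUT = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 38 byte packets
 1  gw.example-isp.net (192.0.2.1)  6.166 ms  5.696 ms  5.313 ms
 2  10.36.253.49 (10.36.253.49)  6.357 ms  6.258 ms  6.289 ms
 3  core1.hosting-provider.example (203.0.113.9)  15.769 ms  15.495 ms  16.696 ms
 4  edge2.hosting-provider.example (203.0.113.10)  15.469 ms  15.598 ms  15.507 ms
 5  198.51.100.7 (198.51.100.7)  16.240 ms  21.210 ms  15.734 ms
"""

# Constructed sample whois record, trimmed to key:value lines in the style shown above.
WHOIS_OUTPUT = """\
Domain Name:EXAMPLE-SPAM.INFO
Registrant Email:placeholder@example.com
Tech Email:hostmaster@registrar.example
Name Server:NS1.REGISTRAR-DNS.EXAMPLE
Name Server:NS2.REGISTRAR-DNS.EXAMPLE
"""

# Matches "<hop>  <name> (<ip>)" at the start of a traceroute hop line.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")

def hop_domains(traceroute_text, last_n=4):
    """Organisation-level domains seen in the last hops, in order of first appearance.
    Hops with no reverse DNS name (bare IP) are skipped, as the post does.
    Heuristic: keep three labels when the TLD is two letters (idc.ad.jp), else two."""
    names = [m.group(2) for line in traceroute_text.splitlines()
             if (m := HOP_RE.match(line))]
    domains = {}  # dict used as an insertion-ordered set
    for name in names[-last_n:]:
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", name):
            continue
        labels = name.split(".")
        keep = 3 if len(labels[-1]) == 2 and len(labels) >= 3 else 2
        domains[".".join(labels[-keep:])] = None
    return list(domains)

def whois_fields(whois_text, wanted=("Tech Email", "Name Server")):
    """Collect the whois fields the post relies on; repeated keys become lists."""
    found = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in wanted:
            found.setdefault(key.strip(), []).append(value.strip())
    return found
```

Feed it the saved output of a real traceroute and whois run and it returns the provider domain to look up in a browser and the registrar contacts to write to.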

Yeah, but it's not our problem...


Contacting the domain name registrar and asking them to discourage the owner from sending spam was less successful than the same approach when applied to the site's webhost. The responsibility of the registrar is simply to register the domain name, collect a small periodic fee to keep the name active, and that's it. What the site itself is used for is really none of their business, and they have no right or power to do anything about it. I was hoping they might sympathise with my cause and at least send the owner a friendly reminder, but no.

Don't suffer in silence!


If you have the means at your disposal, taking the same kind of non-confrontational action may well have similar positive results. The more individuals who stand up to spammers the less able they may become to continue operating, so please do what you can. If you're receiving email to your PC you have even more resources available from the information contained in the email headers, which may well lead to the originating email address or computer itself.

In the meantime, on my to-do list of future projects is a site which allows most of this process to be automated and offered to anyone for free.
