Welcome to Spacequad AntiSpam Services
Thursday, March 11 2010 @ 10:38 AM Eastern Standard Time

Learning how to knock out a spammer

If you're interested in learning how to take down a spammer, read on.  The information provided in this article will only get you started.  Over the years we have had several people ask us to help them deal with a spammer or bot master.  Most of what we do is investigative work.  By that we mean actually pulling apart the emails or decompiling the bots that we catch.  Granted, decompiling is a job that most users cannot do themselves, but pulling apart emails is something you can do.

First off, you need to copy your entire spam email message over to a plain text file.  Here is an example of how to do this using Microsoft Outlook Express.  The easiest way is to right click on the message in the top window, above the preview window, and click on Properties.  Then click on Details.  You can now see the full raw email with headers.  Right click in that window and select all, then right click again and select copy.  Now you're ready to paste that over to a blank text file.  Open up Windows Explorer and either find a directory that is suitable or create one to place all your investigative work in.

 


Now create a new blank text file by right clicking any place in the explorer on the right side of the program, where all the other files would normally be.  Just don't click on a file itself.  Rename it to something suitable ending in .txt (example.txt) so you know what it is.  Open that file, right click in it, paste the content you just copied from the raw email, and then save it.

You will need a few tools to help you complete this investigation, and you can download them here on our site.

These tools listed will help you investigate and get you started in reporting spam to the right places.  Please keep in mind though that you need to thoroughly investigate before making that complaint to the host provider or ISP.  Complaining to the wrong provider will not only piss the provider off, but could result in serious backlash to your provider.  You've been warned!

Windows users will need the programs below.  If you are running an installation of a NIX system, you should have these tools already built in.

Geektools
NSLOOKUP for Windows

Install these tools and keep reading.

Now, look at the email and find where the http:// of the URL starts, and copy just the domain name portion (example.com), without the leading http://www. or anything after the domain, such as /index.html.  Click on NSLOOKUP, paste the domain name into the program and hit enter.  We'll use the domain name from this article to show a great example, until the registrar terminates the domain.  You should see the IP address or addresses that the domain resolves to.


Open your Geektools and type in each of the IP addresses (if there is more than one) and note who each IP belongs to.  You should see something like this below:


OrgName: Verizon Internet Services Inc. 
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
NetRange: 151.196.0.0 - 151.205.255.255 
CIDR: 151.196.0.0/14, 151.200.0.0/14, 151.204.0.0/15 
NetName: VIS-151-196
NetHandle: NET-151-196-0-0-1
Parent: NET-151-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
NameServer: NS5.VERIZON.NET
NameServer: NS6.VERIZON.NET
Comment: Please send all abuse reports to abuse@verizon.net.
Comment: DO NOT send e-mail to DIA.ADMIN@verizon.com as it will not be answered.
RegDate: 1991-09-25
Updated: 2009-09-15
OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse 
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail: abuse@verizon.net
OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services 
OrgTechPhone: 800-243-6994
OrgTechEmail: IPNMC@gnilink.net
# ARIN WHOIS database, last updated 2009-10-02 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

Now that you have the records, you can look through them to find the abuse@domain address to send your full, raw, unedited copy of the spam mail to.  If you find more than one IP listed in the NSLOOKUP output, you can and should check each IP to find all the host providers involved.  If you cannot find an abuse reporting email in the records, then your only recourse is to pull up the host provider's website and look for a contact email there.  It is possible that they may not provide it there either, but they may have an online form to send mail to them directly.  Choose the appropriate department to send your complaint to.  We cannot stress highly enough that you should do your homework before sending these complaints in.  If you have evidence, like logs of the intruder or something else that is pertinent to the complaint, be sure to send that as well.  Some departments may not accept attachments, so you may have to copy and paste that into the email you send them.  If you are still unable to find the right reporting department, or one does not exist, you can always contact the registrar responsible for that domain name.  If you are unsure how to do some of this, please let us know and we'll see if we can help answer your questions.
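The parsing steps described above, as an added example that is not part of the original article: it pulls the link domains out of a raw email, reads a WHOIS record into fields, and returns the abuse address only when the record's CIDR blocks actually cover the IP being reported. The function names and the sample email are constructed for illustration; the WHOIS lines are an excerpt of the record shown above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample spam text (not from the article); example.com is a placeholder.
SAMPLE_EMAIL = """\
Subject: Cheap meds

Click http://www.example.com/index.html now
or visit HTTP://shop.example.com:8080/buy?id=1
"""

# Excerpt of the ARIN record shown in the article.
SAMPLE_WHOIS = """\
OrgName: Verizon Internet Services Inc.
CIDR: 151.196.0.0/14, 151.200.0.0/14, 151.204.0.0/15
Comment: Please send all abuse reports to abuse@verizon.net.
OrgAbuseEmail: abuse@verizon.net
OrgTechEmail: IPNMC@gnilink.net
"""

def url_domains(raw_email):
    """Return the unique hostnames of http(s) links, minus a leading 'www.'."""
    hosts = []
    for url in re.findall(r"https?://[^\s<>]+", raw_email, flags=re.I):
        host = (urlsplit(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys such as Comment keep every value."""
    record = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip(), []).append(value.strip())
    return record

def abuse_contact(record, ip):
    """Return the OrgAbuseEmail only if the record's CIDR blocks really cover ip."""
    blocks = [ipaddress.ip_network(c.strip())
              for entry in record.get("CIDR", []) for c in entry.split(",")]
    if not any(ipaddress.ip_address(ip) in block for block in blocks):
        return None  # record does not match this IP: do not complain to this provider
    emails = record.get("OrgAbuseEmail", [])
    return emails[0] if emails else None
```

A `None` result means either the record belongs to a different network or it lists no abuse address, which is the point at which the article says to fall back to the provider's website or the registrar.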
