Look at what Dale Amon has to say about the power of email
One doesn't have to call for a mail bomb.
It just happens. Whenever I see spam, I automatically send one
copy of their message back to them. I figure that thousands of
others are doing the same. If they (the spammers) hide their
return address, I find it and post it if I have time. I have
no compunctions and no guilt over it.
Now Dale is also the founder and technical director of the
largest and oldest ISP in Northern Ireland. So he knows some
more ways to zap spammers. And we are about learn one of them.
Our objective is to find out who connects this outfit to the
Internet, and take out that connection! Believe me, when the
people who run an ISP find out one of their customers is a spammer,
they usually waste no time kicking him or her out.
Our first step will be to dissect the header of this post to
see how it was forged and where.
Since my newsreader (tin) doesnt have a way to show
headers, I use the m command to email a copy of this
post to my shell account.
It arrives a few minutes later. I open it in the email program
Pine and get a richly detailed header:
From: glennys e clarke <firstname.lastname@example.org>
X-Mailer: Mozilla 1.22 (Windows; I; 16bit)
The first item in this header is definitely genuine: sloth.swcp.com.
Its the computer my ISP uses to host the news groups. It
was the last link in the chain of computers that have passed
this spam around the world.
Newbie Note #2: Internet host computers all have names which
double as their Net addresses. Sloth is the name
of one of the computers owned by the company which has the domain
name swcp.com. So sloth is kind of like the
news server computers first name, and swcp.com
the second name. Sloth is also kind of like the street
address, and swcp.com kind of like the city, state
and zip code. Swcp.com is the domain name owned by
Southwest Cyberport. All host computers also have numerical versions
of their names, e.g. 184.108.40.206.
*******************Lets next do the obvious. The header
says this post was composed on the host 220.127.116.11. So we
telnet to its nntp server (port 119):
telnet 18.104.22.168 119
We get back:
Trying 22.214.171.124 ...
telnet: connect: Connection refused
This looks a lot like a phony item. If this really was a computer
that handles news groups, it should have a nntp port that accepts
visitors. It might only accept a visitor for the split second
it takes to see that I am not authorized to use it. But in this
case it refuses any connection whatever.
There is another explanation: there is a firewall on this
computer that filters out packets from anyone but authorized
users. But this is not common in a computer serving a spammer
More how to fight Usenet spam --->>