Look at what Dale Amon has to say about the power of email
protest:
“One doesn't have to call for a ‘mail bomb.’
It just happens. Whenever I see spam, I automatically send one
copy of their message back to them. I figure that thousands of
others are doing the same. If they (the spammers) hide their
return address, I find it and post it if I have time. I have
no compunctions and no guilt over it.”
Now Dale is also the founder and technical director of the
largest and oldest ISP in Northern Ireland. So he knows some
more ways to zap spammers. And we are about learn one of them.
Our objective is to find out who connects this outfit to the
Internet, and take out that connection! Believe me, when the
people who run an ISP find out one of their customers is a spammer,
they usually waste no time kicking him or her out.
Our first step will be to dissect the header of this post to
see how it was forged and where.
Since my newsreader (tin) doesn’t have a way to show
headers, I use the “m” command to email a copy of this
post to my shell account.
It arrives a few minutes later. I open it in the email program
“Pine” and get a richly detailed header:
Path:sloth.swcp.com!news.ironhorse.com!news.uoregon.edu!
vixen.cso.uiuc.edu!news.stealth.net!nntp04.primenet.com!
nntp.primenet.com!gatech!nntp0.mindspring.com!
news.mindspring.com!uunet!in2.uu.net!OzEmail!OzEmail-In!news
From: glennys e clarke <ppgc@ozemail.com.au>
NNTP-Posting-Host: 203.15.166.46
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.22 (Windows; I; 16bit)
The first item in this header is definitely genuine: sloth.swcp.com.
It’s the computer my ISP uses to host the news groups. It
was the last link in the chain of computers that have passed
this spam around the world.
*******************
Newbie Note #2: Internet host computers all have names which
double as their Net addresses. “Sloth” is the name
of one of the computers owned by the company which has the “domain
name” swcp.com. So “sloth” is kind of like the
news server computer’s first name, and “swcp.com”
the second name. “Sloth” is also kind of like the street
address, and “swcp.com” kind of like the city, state
and zip code. “Swcp.com” is the domain name owned by
Southwest Cyberport. All host computers also have numerical versions
of their names, e.g. 203.15.166.46.
*******************Let’s next do the obvious. The header
says this post was composed on the host 203.15.166.46. So we
telnet to its nntp server (port 119):
telnet 203.15.166.46 119
We get back:
Trying 203.15.166.46 ...
telnet: connect: Connection refused
This looks a lot like a phony item. If this really was a computer
that handles news groups, it should have a nntp port that accepts
visitors. It might only accept a visitor for the split second
it takes to see that I am not authorized to use it. But in this
case it refuses any connection whatever.
There is another explanation: there is a firewall on this
computer that filters out packets from anyone but authorized
users. But this is not common in a computer serving a spammer
dating service.
More how to fight Usenet spam --->>
