
More on how to fight Usenet spam...

Next I try to email postmaster@203.15.166.46 with a copy of the spam. But I get back:

Date: Wed, 28 Aug 1996 21:58:13 -0600
From: Mail Delivery Subsystem <MAILER-DAEMON@techbroker.com>
To:
Subject: Returned mail: Host unknown (Name server: 203.15.166.46: host not found)

The original message was received at Wed, 28 Aug 1996 21:58:06 -0600
from cmeinel@localhost

----- The following addresses had delivery problems -----
postmaster@203.15.166.46 (unrecoverable error)

----- Transcript of session follows -----
501 postmaster@203.15.166.46... 550 Host unknown (Name server: 203.15.166.46: host not found)

----- Original message follows -----
Return-Path: cmeinel
Received: (from cmeinel@localhost) by kitsune.swcp.com (8.6.9/8.6.9) id

OK, it looks like the nntp server info was forged, too.

Next we check the second from the top item on the header. Because it starts with the word “news,” I figure it must be a computer that hosts news groups, too. So I check out its nntp port:

telnet news.ironhorse.com nntp

And the result is:

Trying 204.145.167.4 ...
Connected to boxcar.ironhorse.com.
Escape character is '^]'.
502 You have no permission to talk. Goodbye.
Connection closed by foreign host

OK, we now know that this part of the header references a real news server. Oh, yes, we have also just learned the name/address of the computer ironhorse.com uses to handle the news groups: “boxcar.”

I try the next item in the path:

telnet news.uoregon.edu nntp

And get:

Trying 128.223.220.25 ...
Connected to pith.uoregon.edu.
Escape character is '^]'.
502 You have no permission to talk. Goodbye.
Connection closed by foreign host.

OK, this one is a valid news server, too. Now let’s jump to the last item in the header: in2.uu.net:

telnet in2.uu.net nntp

We get the answer:

in2.uu.net: unknown host

There is something fishy here. This host computer in the header doesn’t exist. It probably is forged. Let’s check the domain name next:

whois uu.net

The result is:

UUNET Technologies, Inc. (UU-DOM)
3060 Williams Drive Ste 601
Fairfax, VA 22031
USA

Domain Name: UU.NET

Administrative Contact, Technical Contact, Zone Contact:
UUNET, AlterNet [Technical Support] (OA12) help@UUNET.UU.NET
+1 (800) 900-0241
Billing Contact:
Payable, Accounts (PA10-ORG) ap@UU.NET
(703) 206-5600
Fax: (703) 641-7702

Record last updated on 23-Jul-96.
Record created on 20-May-87.

Domain servers in listed order:

NS.UU.NET 137.39.1.3
UUCP-GW-1.PA.DEC.COM 16.1.0.18 204.123.2.18
UUCP-GW-2.PA.DEC.COM 16.1.0.19
NS.EU.NET 192.16.202.11

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

So uu.net is a real domain. But since the host computer in2.uu.net listed in the header doesn’t show up, this part of the header may be forged. (However, there may be other explanations for this, too.)

Working back up the header, then, we next try:

telnet news.mindspring.com nntp

I get:

Trying 204.180.128.185 ...
Connected to news.mindspring.com.
Escape character is '^]'.
502 You are not in my access file. Goodbye.
Connection closed by foreign host.

Interesting. I don’t get a specific host name for the nntp port. What does this mean? Well, there’s a way to try. Let’s telnet to the port that gives the login sequence. That’s port 23, but telnet automatically goes to 23 unless we tell it otherwise:

telnet news.mindspring.com

Now this is phun!

Trying 204.180.128.166 ...
telnet: connect to address 204.180.128.166: Connection refused
Trying 204.180.128.167 ...
telnet: connect to address 204.180.128.167: Connection refused
Trying 204.180.128.168 ...
telnet: connect to address 204.180.128.168: Connection refused
Trying 204.180.128.182 ...
telnet: connect to address 204.180.128.182: Connection refused
Trying 204.180.128.185 ...
telnet: connect: Connection refused

Notice how many host computers are tried out by telnet on this command! They must all specialize in being news servers, since none of them handles logins.

This looks like a good candidate for the origin of the spam. There are 5 news server hosts. Let’s do a whois command on the domain name next:

whois mindspring.com

We get:

MindSpring Enterprises, Inc. (MINDSPRING-DOM)
1430 West Peachtree Street NE
Suite 400
Atlanta, GA 30309
USA

Domain Name: MINDSPRING.COM

Administrative Contact:
Nixon, J. Fred (JFN) jnixon@MINDSPRING.COM
404-815-0770
Technical Contact, Zone Contact:
Ahola, Esa (EA55) hostmaster@MINDSPRING.COM
(404)815-0770
Billing Contact:
Peavler, K. Anne (KAP4) peavler@MINDSPRING.COM
404-815-0770 (FAX) 404-815-8805

Record last updated on 27-Mar-96.
Record created on 21-Apr-94.

Domain servers in listed order:

CARNAC.MINDSPRING.COM 204.180.128.95
HENRI.MINDSPRING.COM 204.180.128.3

*********************
Newbie Note #3: The whois command can tell you who owns a domain name. The domain name is the last two period-separated parts of what comes after the “@” in an email address, or the last two period-separated parts of a computer’s name.
*********************

I’d say that Mindspring is the ISP from which this post was most likely forged. The reason is that this part of the header looks genuine, and offers lots of computers on which to forge a post. A letter to the technical contact at hostmaster@mindspring.com with a copy of this post may get a result.
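The host-by-host checks above (resolve the name, poke the nntp port, read the greeting, then whois the last two labels of anything that looks real) can be scripted. This is an added example, not code from the original column: the Path: line is constructed from the hosts the column checks, and fake_probe is an offline stand-in that replays the results the column saw, so the script runs without network access.

```python
import socket

# Constructed sample Path: line built from the hosts the column checks
# (the post's actual header is not reproduced on the page).
SAMPLE_PATH = "news.mindspring.com!news.uoregon.edu!news.ironhorse.com!in2.uu.net!not-for-mail"

def path_hops(path_header):
    """Split a Path: line on '!' into the hosts that claim to have relayed it."""
    return [h for h in path_header.split("!") if h and h != "not-for-mail"]

def domain_of(hostname):
    """Domain name as Newbie Note #3 defines it: the last two labels, i.e. the
    name to hand to whois (two-label registries such as co.uk need more)."""
    return ".".join(hostname.strip(".").split(".")[-2:])

def probe_nntp(hostname, timeout=5.0):
    """Live check: resolve the name, connect to the nntp port (119) and read the
    greeting. Returns ('unknown host', None), ('refused', None) or ('nntp', text)."""
    try:
        addr = socket.gethostbyname(hostname)
    except socket.gaierror:
        return ("unknown host", None)
    try:
        with socket.create_connection((addr, 119), timeout=timeout) as s:
            greeting = s.recv(512).decode("latin-1", "replace").strip()
    except OSError:  # refused, timed out, or no greeting sent
        return ("refused", None)
    return ("nntp", greeting)

def classify(hostname, probe=probe_nntp):
    """Label one hop the way the column reasons about it."""
    status, greeting = probe(hostname)
    if status == "unknown host":
        return "suspect: name does not resolve, possibly forged"
    if status == "nntp" and greeting[:3] in ("200", "201", "502"):
        return "real news server (greeting %s); whois %s" % (greeting[:3], domain_of(hostname))
    return "unclear: no nntp greeting"

def analyze_path(path_header, probe=probe_nntp):
    """Map every hop in the Path: line to a verdict."""
    return {h: classify(h, probe) for h in path_hops(path_header)}

# Offline stand-in for probe_nntp that replays the results the column saw.
FAKE_RESULTS = {
    "news.ironhorse.com": ("nntp", "502 You have no permission to talk. Goodbye."),
    "news.uoregon.edu": ("nntp", "502 You have no permission to talk. Goodbye."),
    "in2.uu.net": ("unknown host", None),
    "news.mindspring.com": ("nntp", "502 You are not in my access file. Goodbye."),
}
def fake_probe(hostname):
    return FAKE_RESULTS.get(hostname, ("refused", None))
```

Call analyze_path(SAMPLE_PATH) to run the live probes against a real Path: line, or analyze_path(SAMPLE_PATH, fake_probe) to replay the column's results.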

But personally, I would simply go to their Web site and email them a protest from there. Hmmm, maybe a 5 MB gif of mating hippos?

But systems administrator Terry McIntyre cautioned me:

“One needn't toss megabyte files back (unless, of course, one is helpfully mailing a copy of the offending piece back, just so that the poster knows what the trouble was.)

“The Law of Large Numbers of Offendees works to your advantage. Spammer sends one post to ‘reach out and touch’ thousands of potential customers.

“Thousands of Spammees send back oh-so-polite notes about the improper behavior of the Spammer. Most Spammers get the point fairly quickly.

“One note - one _wrong_ thing to do is to post to the newsgroup or list about the inappropriateness of any previous post. Always, always, use private email to make such complaints. Otherwise, the newbie inadvertently amplifies the noise level for the readers of the newsgroup or email list.”

OK, I'm signing off for this column. I look forward to your contributions to this list. Happy hacking -- and don’t get busted!

__________________________________________________________________

Want to share some kewl stuph? Tell me I’m terrific? Flame me? For the first two, I’m at . Please direct flames to dev/null@techbroker.com. Happy hacking!
_______________________________________________________
© 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end. To subscribe, email with message "subscribe hacker <joe.blow@boring.ISP.net>" substituting your real email address for Joe Blow's.

© 2001 Happy Hacker All rights reserved.