You can go here to get another example of tracing.
This particular article was not an MMF article, but it still shows some (but not by any means all) of the techniques used to track stuff down and get the (ir)responsible people dealt with. This one's actually fairly simple compared to some of the more "sophisticated" spammers nowadays. The original article headers were posted by Bruce Lane with the following comments:
This looks like a scam to me. I've done some digging with WHOIS, and it
looks like whoever the real author is has gone to a -lot- of trouble to
conceal their real location and identity.
In short, this one's going to take a more experienced head than mine,
ideally someone with Unix access, to track down adequately. Volunteers?
Please? I'd be curious as to the results.
Thanks in advance. Attachment follows.
-=-=- <SNIP> -=-=-
Path: news!news-master!newsfeed.concentric.net!news.texas.net!news-xfer.netaxs.com!news.dra.com!news.he.net!usenet65.supernews.com!news
From: tmg@ia.com
Newsgroups: comp.sys.ibm.pc.hardware.misc
Subject: FIND PIRATED SOFTWARE
Date: Thu, 02 Jan 1997 14:07:42 GMT
Organization: All USENET -- http://www.net-link.com
Lines: 112
Message-ID: <32CAF48C.7443183@207.126.101.82>
Reply-To: tmg@ia.com
NNTP-Posting-Host: 206.248.95.69
X-Newsreader: Forte Agent .99e/32.227
He was answered by Jean McGuire, who is fairly well known in the news.admin.net-abuse.* areas for her ability to dig this stuff out. She responded:
Well, I'm no wizard, but here's a bit of digging:
> Path:
> News!news-master!newsfeed.concentric.net!news.texas.net!news-xfer.netaxs.com!news.dra.com!news.he.net!usenet65.supernews.com!news
Pay close attention to the apparent start of the path: supernews.com --
we'll be seeing more of them later.
> From: tmg@ia.com
While one would first guess that this is either bogus or a throwaway
account, let's see where it leads:
Information Alliance (IA2-DOM)
4179 3rd Ave #501
San Diego, California 92103
USA
Domain Name: IA.COM
Administrative Contact, Technical Contact, Zone Contact, Billing
Contact:
Garcia, Manuel D (MDG4) mail23617@POP.NET
619-291-5374 (FAX) n/a
Record last updated on 15-Jul-96.
Record created on 09-Nov-93.
Domain servers in listed order:
AUTH03.NS.UU.NET 198.6.1.83
AUTH51.NS.UU.NET 198.6.1.162
Looks like it might be a virtual or vanity domain to me... note the fine
example of InterNIC's complete and up-to-date contact info. Attempting
to finger it gives me an "unknown host" response. Chasing Mr. Garcia
around doesn't bring up anything interesting, except an address
identical with that for IA.COM.
> Newsgroups: comp.sys.ibm.pc.hardware.misc
> Subject: FIND PIRATED SOFTWARE
> Date: Thu, 02 Jan 1997 14:07:42 GMT
> Organization: All USENET -- http://www.net-link.com
This one can be interesting -- it frequently defaults to some
advertising for the online service, and sometimes spammers spoof other
things but don't change this one. I checked out their web site -- seems
to be a more-or-less legitimate news service, if a bit loud on the
"we're honest, really we are" stuff. Oh, wait, this part's interesting:
[from the Net-Link web site]
> NOTE: Net-Link Solutions collects important information about the
> Internet account you are using
> right now to access this web page. That information assists us in
> setting up your NNTP/USENET account.
> Thus, it is important that you use your regular Internet account to
> fill out this form. Thank you!
Let's see who NET-LINK is:
Net-Link Solutions (NET-LINK-DOM)
553 North Pacific Coast Highway, Suite B167
Redondo Beach, CA 90277
Domain Name: NET-LINK.COM
Administrative Contact, Technical Contact, Zone Contact:
Wallace, Craig (CW177) support@MOREINFO.COM
1-800-503-1199
Record last updated on 15-Oct-96.
Record created on 07-Nov-94.
Domain servers in listed order:
DNS1.SUPERNEWS.COM 207.126.101.90
NS2.NET-LINK.COM 204.254.156.13
Hmmm...looks like a pretty small setup. There appears to be real
hardware there, since they're doing some of their own DNS service, but I
sort of wonder about the numerous servers and T-3's they advertise...you
think with that sort of setup, they wouldn't be getting half their DNS
service from a third party. If it really is a _third_ party....
I have a -5 on my reaction to anyone named Wallace, and to any service
with "Super-" in its name. Let's follow Mr. Wallace back to
MOREINFO.COM:
Craig Wallace (MOREINFO-DOM)
322 Forbes Ave
San Rafael, CA 94901
Domain Name: MOREINFO.COM
Administrative Contact, Technical Contact, Zone Contact, Billing
Contact:
craig, wallace (WC634) cwallace@MOREINFO.COM
800 503 1199 (FAX) 800 503 1199
Record last updated on 07-Nov-96.
Record created on 21-Oct-94.
Domain servers in listed order:
DNS1.SUPERNEWS.COM 207.126.101.90
DNS2.SUPERNEWS.COM 207.126.101.120
Now, that's interesting. MOREINFO.COM seems to be hanging off of
SUPERNEWS.COM...again, vanity or virtual by my best guess. But at least
it's not in Philadelphia!
> Lines: 112
> Message-ID: <32CAF48C.7443183@207.126.101.82>
That's not usually much use, since it normally just matches the From:
line, but let's take a look:
Name: host9.supernews.com
Address: 207.126.101.82
Well! There's the SuperNews connection again...remember Supernews was
the tail-end of the Path.
> Reply-To: tmg@ia.com
Hmmm...same as the From: -- there might be someone at the other end
after all. I'll have my cat send a query from his email account, see
what turns up.
> NNTP-Posting-Host: 206.248.95.69
Name: cs3-6.iaw.on.ca
Address: 206.248.95.69
Interesting...because it's NOT anywhere on that Path. Either there's
something critical I don't know about reading headers, or this is
beginning to look really, really odd.
Also, we've just flipped to the other side of the continent... that
should be somewhere in Ontario, Canada. I couldn't get them with whois,
but their website lists this address:
> INTERNET ACCESS - WORLDWIDE, Welland, Ontario, Canada.
Yep, it is in Ontario, all right.
> X-Newsreader: Forte Agent .99e/32.227
Probably totally irrelevant, but IAW makes a moderately big deal out of
giving out Free Agent.
> STM
> P.O. Box 552
> Buffalo, NY
> 14201 - 0552
Even more interesting, given the proximity of Buffalo to the Canadian
border. I don't have a map handy, but I'd bet that Welland, ON is
somewhere awfully close to Buffalo...perhaps close enough that someone
might drive over and rent a P.O. box? An inquiry with the Buffalo
postmaster might be valuable, seeing as this box is being used for doing
business with the public.
Okay, that's everything I could dig up. Like I said, I'm no wizard. You
might do best to drop a note to piracy@spa.org and let them know what
you've got, and the bits and pieces I just listed. They certainly have
better resources than I do.
My guess is the originator is somewhere in Canada, (alternately Buffalo)
using various sites in California for a smokescreen. That post office
box is going to be the place to pry. The SPA and their lawyers can
probably do a better job of it, but if I understand correctly, the real
name and address of the renter of any PO box used for business is
available upon request. Talking to the Buffalo, NY postmaster (the snail
mail one!) might get you all sorts of interesting info.
Good luck!
Moral: Don't spam - you WILL be caught.
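The header cross-checks walked through in the reply above can be scripted. The following is an added example, not code from the original page or from either poster: the names `site`, `trace`, `PTR` and `TWO_LABEL_SUFFIXES` are hypothetical, and the reverse-lookup table is filled from the lookups reported on this page rather than from live DNS.

```python
import ipaddress
from email.parser import HeaderParser

# Headers copied from the article quoted on this page (Path on one line).
RAW = """\
Path: news!news-master!newsfeed.concentric.net!news.texas.net!news-xfer.netaxs.com!news.dra.com!news.he.net!usenet65.supernews.com!news
Message-ID: <32CAF48C.7443183@207.126.101.82>
NNTP-Posting-Host: 206.248.95.69
"""

# Reverse lookups as reported in the reply on this page, hard-coded because
# 1997 DNS cannot be re-queried; a live trace would query PTR records.
PTR = {"207.126.101.82": "host9.supernews.com", "206.248.95.69": "cs3-6.iaw.on.ca"}
# Assumption: the only two-label public suffix this sample needs.
TWO_LABEL_SUFFIXES = {"on.ca"}

def site(value):
    """Reduce an IP literal or hostname to an organisation-level domain."""
    try:
        ipaddress.ip_address(value)
        host = PTR.get(value)
        if host is None:
            return value          # no PTR data: keep the bare address
    except ValueError:
        host = value              # already a hostname
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def trace(raw):
    """Cross-check the headers that name a machine against each other."""
    h = HeaderParser().parsestr(raw)
    hops = h["Path"].split("!")
    # Rightmost fully qualified hop: the server where the article entered Usenet.
    injector = site(next(x for x in reversed(hops) if "." in x))
    msgid = site(h["Message-ID"].strip().strip("<>").rsplit("@", 1)[1])
    # NNTP-Posting-Host names the client that connected to the injecting server.
    client = site(h["NNTP-Posting-Host"].strip())
    return {
        "injecting_site": injector,
        "message_id_site": msgid,
        "message_id_matches_injector": msgid == injector,
        "client_site": client,
        "client_in_path": client in {site(x) for x in hops if "." in x},
    }

if __name__ == "__main__":
    print(trace(RAW))
```

For this article the Message-ID and the Path agree on supernews.com as the point of injection, while the posting client resolves to iaw.on.ca, which gives two separate places to send an abuse report.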
All comments within these pages are expressed as personal
opinions only.
© 1997 Ken Lucke - all rights reserved