
Tracing Example #2


Here's another example of in-depth tracing. This particular article was not an MMF article (it was e-mail, not Usenet), but it still shows some (though by no means all) of the techniques used to track such things down and get the (ir)responsible people dealt with. The original headers were posted by Adam Lasnik with the following comments:
This is the header of an e-mail I just received, by those Floodgate
folks again... this time bragging about their new Stealth E-mail
shareware add-on <SIGH>

Any thoughts on this?  Has anyone tried writing the Attorney General
in Kentucky to try to get these guys shut down?!?

--ADAM

----------------------- Headers --------------------------------
From r1X8txDcxw@zGJ0s.FXX1ZFtw5.com  Fri Jan 24 22:51:27 1997
Return-Path: r1X8txDcxw@zGJ0s.FXX1ZFtw5.com
Received: from 208 ([208.18.8.10]) by emin29.mail.aol.com
(8.6.12/8.6.12) with ESMTP id WAA14531; Fri, 24 Jan 1997 22:51:16
-0500
From: r1X8txDcxw@zGJ0s.FXX1ZFtw5.com
Received: (from outmail@localhost) by 208 (8.6.12/8.6.9) id VAA01198;
Fri, 24 Jan 1997 21:35:06 -0600
Date: Fri, 24 Jan 1997 21:35:06 -0600
Message-Id: <199701250335.VAA01198@208>
To: Internet.Mail.Delivery@208
Subject: EZ-Stealth-Mailer
Reply-To: worldnet@juno.com


**********************************************************************
 Adam, creator o' the AdamPages.  Visit me at http://pobox.com/~music
      Music, humor, pictures, live chat, and just plain fun :-)
**********************************************************************
He was answered by Howard Knight, who is well known in the news.admin.net-abuse.* newsgroups for his ability to dig this stuff out. He responded:
Did you get this on your indiana.edu account?  It looks like the
last stop was AOL.  Also, what is 'Floodgate'?  Was that mentioned as
part of the ad?  Next time, please post the entire ad.  Sorry, I'm not
up to speed on the well known UCE abusers (unless I get one of their
ads!).

These headers are a bitch to figure out.  I don't claim to be an
expert, but here's my guess.  I'm assuming that the perp used AOL's
mail server and that the recipient is an AOL user too.  If that's
true, then this header is probably a forgery:

> Received: (from outmail@localhost) by 208 (8.6.12/8.6.9) id VAA01198;

So, based on the other "Received" line, let's assume the origin was
208.18.8.10:

> Received: from 208 ([208.18.8.10]) by emin29.mail.aol.com
> (8.6.12/8.6.12) with ESMTP id WAA14531; Fri, 24 Jan 1997 22:51:16
> -0500

Naturally, the first thing I tried was 'nslookup' on "208.18.8.10":

   | *** localhost can't find 208.18.8.10: Non-existent host/domain

No luck. Next thing I did was a 'traceroute':

   | traceroute to 208.18.8.10 (208.18.8.10)
   |                  .
   |                  .
   |                  .
   | 11  sl-pdsi-1-S0-T1.sprintlink.net (144.224.23.154)
   | 12  207.15.68.248 (207.15.68.248)
   | 13  208.18.8.10 (208.18.8.10)

Damn it!  Next thing was a 'whois' for the "208.18.8" IP block:
 
   | Prime data Systems, inc. (NETBLK-SPRINT-D0120F) SPRINT-D0120F
   |                          208.18.8.0 - 208.18.15.255

Then a 'whois' for "NETBLK-SPRINT-D0120F":

   | Prime data Systems, inc. (NETBLK-SPRINT-D0120F)
   |    1725 Ashley Circle, Ste 202
   |    Bowling Green, KY 42104
   |    US
   | 
   |    Netname: SPRINT-D0120F
   |    Netblock: 208.18.8.0 - 208.18.15.255
   | 
   |    Coordinator:
   |       Hale, Vernon  (VH197)  nomailbox@NOWHERE
   |       5025292041
   |
   |   Record last updated on 10-Nov-96.

Finally, we're getting somewhere.  Vernon is either an admin, or
the perp.  See his e-mail "nomailbox@NOWHERE"?  I get royally 
PISSED OFF at InterNic, every time I see one of those.  But I
won't get into that now.

Next thing was, I checked that other IP address (207.15.68.248)
that appeared in the "traceroute".  I did a 'whois' on the
"207.15.68" IP block:

   | Prime data Systems, inc. (NETBLK-SPRINT-CF0F47) SPRINT-CF0F47
   |                          207.15.68.0 - 207.15.71.255

Same company!  Next, I did a 'whois' on "Prime data Systems":

   | Prime data Systems, inc. (NETBLK-SPRINT-CF0F47) SPRINT-CF0F47
   |                          207.15.68.0 - 207.15.71.255
   | Prime data Systems, inc. (NETBLK-SPRINT-D01207) SPRINT-D01207
   |                          208.18.4.0 - 208.18.7.255
   | Prime data Systems, inc. (NETBLK-SPRINT-D0120F) SPRINT-D0120F
   |                          208.18.8.0 - 208.18.15.255
   | Prime data Systems, inc. (NETBLK-SPRINT-D01212) SPRINT-D01212
   |                          208.18.18.0 - 208.18.18.255

I did 'whois's on these other "nicks" (the keyword that appears
in the parenthesis) for Prime.  They are virtually the same as
the D0120F entry.  Hmm, where to go from here...

My next thought was to do a 'whois' on "Hale, Vernon":

   | Hale, Vernon (VH197)  nomailbox@NOWHERE
   |                       5025292041
   | Hale, Vernon N (VH68) staff@MAIL2.NETFREE.COM
   |                       (502) 745-0327 (FAX) (502)529-9106

Looks suspicious, eh?  Same area code and everything.  I already
knew about VH197 (from the 'whois' above).  So, I did a 'whois' 
on "VH68":

   | Hale, Vernon N (VH68)         staff@MAIL2.NETFREE.COM
   |    Prime Data Systems, Inc.
   |    1945 Scottsville Rd., B-2(160)
   |    Bowling Green, KY 42104
   |    (502) 745-0327 (FAX) (502)529-9106
   | 
   |    Record last updated on 19-Aug-96.

Yup!  Same guy!  And Look!  We have a seemingly legitimate
e-mail address!!  And notice it says "staff"?  Probably, Vernon
is affiliated with NETFREE.COM.  Let's make sure.  I did a
'whois' on NETFREE.COM:

   | Prime Data WorldNet Systems (NETFREE-DOM)
   |    1945 Scottsville Rd, B-2 (160)
   |    Bowling Green, KY 42104
   | 
   |    Domain Name: NETFREE.COM
   | 
   |    Administrative Contact, Technical Contact, Zone Contact:
   |       Hale, Vernon N  (VH68)  staff@MAIL2.NETFREE.COM
   |       (502) 745-0327 (FAX) (502)529-9106
   | 
   |    Record last updated on 07-Dec-96.
   |    Record created on 05-Oct-95.
   | 
   |    Domain servers in listed order:
   | 
   |    DNS.PDWSI.COM              207.15.68.253
   |    DNS2.PDWSI.COM             207.15.68.251

Bingo!  THEN I did a 'whois' for "Prime Data WorldNet Systems":

   | Prime Data WorldNet Systems (NETFREE-DOM)          NETFREE.COM
   | Prime Data WorldNet Systems (RESPONDBACK-DOM)      RESPONDBACK.COM
   | Prime Data Worldnet Systems (PDWSI-DOM)            PDWSI.COM
   | Prime Data Worldnet Systems (LOWESTPRICES-DOM)     LOWESTPRICES.COM
   | Prime Data Worldnet Systems (A-1FLOODGATE-DOM)     A-1FLOODGATE.COM
   | Prime Data Worldnet Systems (PRIMEDATASYSTEMS-DOM) PRIMEDATASYSTEMS.COM
   | Prime Data Worldnet Systems (MAILOUT-DOM)          MAILOUT.COM
   | Prime Data Worldnet Systems (INTERNET4BIZ-DOM)     INTERNET4BIZ.COM

Hey Adam, notice anything familiar?  See that A-1FLOODGATE.COM? 
Didn't you say the e-mail was from Floodgate?  I have a hunch that
Vernon is our culprit.  But, don't jump to conclusions yet.  First,
complain to him about the UCE:

   staff@mail2.netfree.com

MAKE SURE you CC your complaint to his provider, Sprint:

   postmaster@sprint.net    <-- is there a better one?

Hope this helps!

Howard

PS: If you get a response from Vernon, please post it!
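The rule Howard applies by hand above, believe only the Received stamps written by a server you trust and treat everything below them as the sender's own claims, can be written down as a small header walker. The script below is an added illustration, not part of Howard's message or of this page. Its sample input is the header block quoted earlier, refolded with leading whitespace on the continuation lines as the raw mail would have carried it; the trusted suffix `.aol.com` follows Howard's assumption that the last stop was AOL; the "announced host name has no dot" check is an extra heuristic of mine, not something the page states.

```python
import re

# Constructed sample: the headers quoted in the message above, with the
# folded continuation lines re-indented (leading space) as the raw mail
# would have carried them.
SAMPLE_HEADERS = """\
Return-Path: r1X8txDcxw@zGJ0s.FXX1ZFtw5.com
Received: from 208 ([208.18.8.10]) by emin29.mail.aol.com
 (8.6.12/8.6.12) with ESMTP id WAA14531; Fri, 24 Jan 1997 22:51:16
 -0500
From: r1X8txDcxw@zGJ0s.FXX1ZFtw5.com
Received: (from outmail@localhost) by 208 (8.6.12/8.6.9) id VAA01198;
 Fri, 24 Jan 1997 21:35:06 -0600
Date: Fri, 24 Jan 1997 21:35:06 -0600
Message-Id: <199701250335.VAA01198@208>
To: Internet.Mail.Delivery@208
Subject: EZ-Stealth-Mailer
Reply-To: worldnet@juno.com
"""

# Matches the two sendmail "Received:" shapes seen above: a network hop
# ("from HOST ([IP]) by HOST ... id ID; DATE") and a local submission
# ("(from USER@localhost) by HOST ... id ID; DATE").
RECEIVED_RE = re.compile(
    r"^Received:\s*"
    r"(?:\(from\s+(?P<local>[^)]+)\)\s*)?"
    r"(?:from\s+(?P<from_host>\S+)\s*(?:\(\[(?P<from_ip>[\d.]+)\]\))?\s*)?"
    r"by\s+(?P<by_host>\S+)"
    r".*?\bid\s+(?P<id>[^;\s]+);\s*(?P<date>.*)$",
    re.IGNORECASE,
)


def unfold(raw):
    """Join RFC 822 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return the Received hops in header order: first = most recent stamp."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append(m.groupdict())
    return hops


def trace_origin(raw, trusted_suffix):
    """Split the hops at the trust boundary.

    Each Received line is written by its 'by' host.  Stamps written by the
    recipient's own mail servers (recognised by trusted_suffix) can be
    believed, and the connecting IP recorded in the lowest trusted stamp
    is the best evidence of where the message really came from.  Every
    stamp below that was supplied by the sending side and may be forged,
    which is Howard's conclusion about the 'outmail@localhost' line.
    """
    origin_ip = None
    unverified = []
    for hop in parse_received(raw):
        trusted = hop["by_host"].lower().endswith(trusted_suffix.lower())
        if trusted and not unverified:
            origin_ip = hop["from_ip"] or origin_ip
        else:
            unverified.append(hop)
    return origin_ip, unverified


def helo_looks_bogus(hop):
    """Added heuristic (not from the page): a hop whose announced name has
    no dot at all ('208' here) did not give a real host name."""
    name = hop.get("from_host")
    return bool(name) and "." not in name


def report(raw, trusted_suffix):
    """Human-readable summary of the same analysis, one finding per line."""
    origin_ip, unverified = trace_origin(raw, trusted_suffix)
    lines = [f"probable origin IP: {origin_ip or 'unknown'}"]
    for hop in unverified:
        lines.append(f"unverifiable stamp written by '{hop['by_host']}' "
                     f"(id {hop['id']}, {hop['date']})")
    for hop in parse_received(raw):
        if helo_looks_bogus(hop):
            lines.append(f"bogus announced host name: '{hop['from_host']}'")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_HEADERS, ".aol.com"):
        print(line)
```

Run as-is it reports 208.18.8.10 as the probable origin and flags the `by 208` stamp as unverifiable, which is the point at which Howard switches from reading headers to 'nslookup', 'traceroute' and 'whois' on that address. The IP is only a starting point: the script says nothing about who is behind it, and the whois chain he follows afterwards is what turns the address into a responsible party and an upstream provider to copy on the complaint.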

Moral: Don't spam - you WILL be caught.


All comments within these pages are expressed as personal opinions only.

© 1997 Ken Lucke - all rights reserved