 
                                                     
                                                       
              Outbreak Magazine Issue #10 - Article 1 of 18
           '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

######################################################################
############      Spam: So Go0d, Its G0ne. -dropcode      ############
######################################################################

----------------------------------------------------------------------
           Make Up To $10,000 per Month Working from home!!
                Congratulations! Here's Your Diploma!
               BE A MILLIONAIRE IN JUST FIVE MONTHS!!!
----------------------------------------------------------------------

----------------------------------------------------------------------
The Problem.
----------------------------------------------------------------------
Spam or UCE (unsolicited commercial email) is basically the electronic
version  of  the useless clutter propping open the lid of your mailbox 
and, often enough, blowing around in your driveway. 

It's useless, it's irritating, it's often offensive and, here on the
internet, it's an incredible resource hog.


----------------------------------------------------------------------
Do's and Don'ts
----------------------------------------------------------------------
-Don't reply. 

   "In  order  to  remove  your  address  from our mailing list simply
    reply to this email using 'REMOVE' as your subject."

Bull-peto0ty.  Never EVER reply to spam. When you do, you're verifying
to  the  spammer that your email address does indeed exist and it will
be a prime candidate for the next distribution.

-Don't bother filtering.

If all you care about is stopping spam from maxing out your inbox then
sure,  filtering  might do the job. But the purpose of this file is to
help  educate readers about the problems spam is causing the internet,
one  of  which  is  chewing  up  resources  like  oprah  with a bag of
cornchips.  When  you apply filters to your inbox, you're causing your 
email server to work overtime trying to process all your filters.

-Do keep track.

If you're really bothered by spam, do your part and fight back. Keep
track of who spams you, even if you only look into a couple of chain
letters a week. I'll explain some methods of finding out where spam
comes from in the next section of this article.

-Do combat spambots.

Hey, if nothing more... it's kinda fun :D


----------------------------------------------------------------------
Tracking Spammers.
----------------------------------------------------------------------
Alright,  so you have a folder full of junkmail and you're pissed. You 
wanna  fight back but you don't know where to start... Here's a novice
intro to tracking email.

First of all, you're going to want to save the email to your hard-disk
so  that  you  have  it  handy. Open it up and take a look through the
headers.

There are a lot of headers that come in an email, but only a few are
important for our task. All of the examples I use are completely made
up: the IPs are completely random and the domains, at the time of
this writing, do not exist. Keep in mind that certain email software
will arrange these headers differently than I have, but these fields
will always be present.

----------------------------------------------------------------------
Return-Path: spamkidd13@mygrits.com

Received: from  lick.mygrits.com  (lick.mygrits.com [192.335.127.152]) 
          by  mymailserv.com  (Switch-2.1.4/Switch-2.1.0) with SMTP ID 
          MO0107E4  for  <dropc0de@mymailserv.com>  Sun,  15 Sept 2002 
          22:11:19 +0400 

Received: by  lick.mygrits.com (Switch-2.1.4/Switch-2.1.0)  with  SMTP 
          id MO0154F3 for <dropc0de@mymailserv.com>; Sun, 15 Sept 2002 
          22:10:58 +0400  

Date: Sun, 15 Sept 2002 22:10:58 +0400
From: Spam Kid <spamkidd13@mygrits.com>
Message-Id: <14279880235.MO0154F3@lick.mygrits.com> 
To: dropc0de@mymailserv.com
Subject: earn 50$ an hour working from home!!!
----------------------------------------------------------------------

The above is an example of an email sent without precautions being
taken to hide the identity of the sender. The Return-Path is the field
that contains the address that will be used by your email client when
you reply, or by an email server to return a delivery failure.

The Received fields contain information about the route your email
took from the system it started on all the way to your mailserver.
Each server on the way adds its own Received field on top of the ones
already there, so these fields should be read in reverse: the email
was first sent from lick.mygrits.com [192.335.127.152] to
mymailserv.com. The message was sent at 22:10:58 and received at
22:11:19, so the entire process took 21 seconds.

Now let's look at a few different tricks of the spammer trade for
remaining anonymous.

----------------------------------------------------------------------
Return-Path: Bojangles@asdfasdf.com

Received: from  lick.mygrits.com  (lick.mygrits.com [192.335.127.152]) 
          by  mymailserv.com  (Switch-2.1.4/Switch-2.1.0) with SMTP ID 
          MO0107E4  for  <dropc0de@mymailserv.com>  Sun,  15 Sept 2002 
          22:11:19 +0400 

Received: by  lick.mygrits.com (Switch-2.1.4/Switch-2.1.0)  with  SMTP 
          id MO0154F3 for <dropc0de@mymailserv.com>; Sun, 15 Sept 2002 
          22:10:58 +0400  

Date: Sun, 15 Sept 2002 3:00:00 +0400
From: Mr Bojangles <Bojangles@asdfasdf.com>
Message-Id: <14279880235.MO0154F3@lick.mygrits.com> 
To: dropc0de@mymailserv.com
Subject: urgent.
----------------------------------------------------------------------

In this example, a technique has been used to spoof the Return-Path
and Date headers. This is actually quite simple to do and easy for us
to notice. Looking through the Received fields we see that this email
took the exact same path as the last one. There's no mention of
asdfasdf.com anywhere, AND the Date field is set at a completely
different time than the Received fields are telling us. This might
seem to be a pointless tactic for the spammer to use, but keep in
mind that most email clients don't show the full list of headers
unless they're asked to. By default you wouldn't see the Received
fields and would therefore have no reason to suspect anything.

Well, now that you're all advocative fans of the Received fields, it's
time to make things even MORE difficult. Just as we saw the
Return-Path and Date fields spoofed, all the other header fields,
including the Received fields, can be spoofed as well. Before we look
at an example of this type of spoof, let's look at some methods for
tracing the spoof we looked at above.

Well, to start, we're not exactly sure whether or not the Received
fields were spoofed (to keep you on track, they weren't, but pretend
you don't know that yet *smirk*). A good sleuth will follow every
lead he has, and the first leads are those Received fields. Let's take
a look at where we think it started: lick.mygrits.com
[192.335.127.152]. First, we'll make sure the IP we have matches the
hostname. We can do this with nslookup, which can be run in many
different ways: web forms, *nix shells, your own box, etc.:

    Results Returned for "lick.mygrits.com":

    Name:     lick.mygrits.com
    Address:  192.335.127.152

Good, we have a match. Well, the Received field has passed the first
test. Next we'll find out who's in charge of mygrits.com. To do this
we use a service called whois. Just like nslookup, whois can be
accessed in many different ways.

   Registrant:
   Lick My Grits (MYGRITS-DOM)
   123 leet st.
   Ottawa ON, P6B 3R8
   CA

   Domain Name: MYGRITS.COM

   Administrative Contact, Technical Contact:
      Redneck, Dumb    (DRF1337)     hick@mygrits.com
      Lick My Grits
      123 leet st
      Ottawa ON, P6B 3R8
      CA
      613-320-3323

   Record expires on 20-Jan-2010.
   Record created on 18-Jan-1998.
   Database last updated on 18-Sep-2002 13:09:12 EDT.

Excellent, now we have a phone number and email address of someone who
can help us out. We'll send Dumb Redneck an email containing the FULL
header of the email we received and tell him to check through his
logs for any reference to emails with the IDs MO0107E4 or MO0154F3.
Now, if the Received fields were faked then Dumb Redneck at
mygrits.com isn't going to find anything, but... if the Received
fields are legit then you might be able to convince him to give you
the user info of whoever sent the email.

This is an example of the type of user info Dumb Redneck may have sent
us in reply:

   jdoe ttyp7 poor.sob.hisisp.com Sun Sept 15 21:40 - 22:22 (00:42)
   Login name: jdoe In real life: Jon Doe 
   Directory: /usr/users/jdoe Shell: /bin/sh

Excellent. Now we can forward the email to hisisp.com and that will
be it for him. Kapow.

----------------------------------------------------------------------
Return-Path: Bojangles@asdfasdf.com

Received: from   im.a.spoof.com   (lick.mygrits.com [192.335.127.152]) 
          ID MO0107E4 for <dropc0de@mymailserv.com> Sun,  15 Sept 2002 
          22:11:19 +0400 

Received: by  neenerneener.com (Switch-2.1.4/Switch-2.1.0)  with  SMTP 
          id MO0154F3 for <dropc0de@mymailserv.com>; Sun, 15 Sept 2002 
          22:10:58 +0400  

Date: Sun, 15 Sept 2002 3:00:00 +0400
From: Mr Bojangles <Bojangles@asdfasdf.com>
Message-Id: <14279880235.MO0154F3@lick.mygrits.com> 
To: dropc0de@mymailserv.com
Subject: urgent.
----------------------------------------------------------------------

In this example, the Received fields have been spoofed. Uh-oh. Hey,
no worries. We can thwart the spoof quite easily by following the
same procedure as last time. The last hop the email took was from
im.a.spoof.com to mymailserv.com, right? Wrong. You'll notice this
when you do an nslookup on im.a.spoof.com and compare it to the IP
address our system got the message from. In fact, our email software
did its own nslookup on the IP it had and placed the hostname it got
beside the IP in the output (lick.mygrits.com). Not all email software
will be that nice, however, so you might have to do the lookup
yourself. What does this mean? It means that the emailer put
im.a.spoof.com in place of lick.mygrits.com, but we were clever enough
to notice :)

If  we didn't notice, we might have ended up emailing neenerneener.com 
and  had them look through their logs for references to MO0154F3. That
would  have  been  completely useless, because that message never came 
near neenerneener.com.
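The header reading walked through in the last few sections, done in code as an added example (this is not code from the article): it parses a raw message, walks the Received chain in reverse as the article does, and applies the article's three hand checks: whether the name a hop claims to come from resolves to the address the receiving server recorded beside it, whether the Date header agrees with the Received timestamps, and whether the Return-Path domain shows up anywhere on the route. The hostnames are the article's; the addresses (RFC 5737 documentation ranges), the DNS table standing in for nslookup, and the two sample messages are constructed here.

```javascript
// Added example, not the article's code: the article's Received-chain
// reading done in code. Hostnames are the article's; the addresses
// (RFC 5737 documentation ranges), DNS table and messages are constructed.

// Constructed stand-in for nslookup; im.a.spoof.com deliberately does not resolve.
const FAKE_DNS = { 'lick.mygrits.com': '192.0.2.152', 'mymailserv.com': '192.0.2.10',
                   'neenerneener.com': '198.51.100.7' };
const nslookup = (host) => FAKE_DNS[host.toLowerCase()] || null;

// Header block -> [{name, value}], unfolding continuation lines
// (a line that starts with whitespace belongs to the header above it).
function parseHeaders(raw) {
  const out = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line.trim() === '') break;                       // blank line ends the headers
    if (/^[ \t]/.test(line) && out.length) { out[out.length - 1].value += ' ' + line.trim(); continue; }
    const i = line.indexOf(':');
    if (i > 0) out.push({ name: line.slice(0, i).trim().toLowerCase(), value: line.slice(i + 1).trim() });
  }
  return out;
}

const MONTHS = 'jan feb mar apr may jun jul aug sep oct nov dec'.split(' ');

// "Sun, 15 Sep 2002 22:10:58 +0400" -> epoch seconds, or null if no date is present.
function parseDate(text) {
  const m = /(\d{1,2}) ([A-Za-z]{3}) (\d{4}) (\d{1,2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})/.exec(text);
  if (!m || MONTHS.indexOf(m[2].toLowerCase()) < 0) return null;
  const local = Date.UTC(+m[3], MONTHS.indexOf(m[2].toLowerCase()), +m[1], +m[4], +m[5], +m[6]) / 1000;
  return local - (m[7] === '+' ? 1 : -1) * (+m[8] * 3600 + +m[9] * 60);   // remove the zone offset
}

// One Received header -> the parts the article uses. In "from X (Y [ip])", X is
// what the sender claimed and "Y [ip]" is the receiver's own record of who connected.
function parseReceived(value) {
  const from = /\bfrom\s+(\S+)(?:\s+\((?:(\S+)\s+)?\[([\d.]+)\]\))?/i.exec(value);
  const by = /\bby\s+(\S+)/i.exec(value), id = /\bid\s+(\S+)/i.exec(value);
  return { claimedFrom: from ? from[1] : null, reverseName: (from && from[2]) || null,
           ip: (from && from[3]) || null, by: by ? by[1] : null,
           id: id ? id[1].replace(/;$/, '') : null, date: parseDate(value) };
}

// Walk the route in transit order (the reverse of header order) and apply the
// article's three checks. Returns the hops, the transit time and the findings.
function analyzeMessage(raw) {
  const headers = parseHeaders(raw);
  const get = (n) => (headers.find((h) => h.name === n) || { value: '' }).value;
  const hops = headers.filter((h) => h.name === 'received').map((h) => parseReceived(h.value)).reverse();
  const findings = [];
  hops.forEach((hop, n) => {                            // 1. claimed name vs address actually seen
    if (hop.claimedFrom && hop.ip && nslookup(hop.claimedFrom) !== hop.ip) {
      findings.push(`hop ${n + 1}: claims to be from ${hop.claimedFrom} (resolves to ` +
        `${nslookup(hop.claimedFrom) || 'nothing'}) but the receiver saw ${hop.ip}` +
        (hop.reverseName ? ` (${hop.reverseName})` : ''));
    }
  });
  const dated = hops.filter((h) => h.date !== null);
  const headerDate = parseDate(get('date'));            // 2. Date header vs first Received
  if (headerDate !== null && dated.length && Math.abs(headerDate - dated[0].date) > 3600) {
    findings.push(`Date header is ${Math.round(Math.abs(headerDate - dated[0].date) / 60)} minutes off the Received timestamps`);
  }
  const rp = get('return-path').replace(/[<>]/g, '');    // 3. does the Return-Path domain appear on the route?
  const rpDomain = rp.includes('@') ? rp.split('@')[1].toLowerCase() : null;
  if (rpDomain && !hops.some((h) => [h.claimedFrom, h.reverseName, h.by]
        .some((x) => x && x.toLowerCase().endsWith(rpDomain)))) {
    findings.push(`Return-Path domain ${rpDomain} appears nowhere in the Received chain`);
  }
  const transitSeconds = dated.length > 1 ? dated[dated.length - 1].date - dated[0].date : null;
  return { hops, transitSeconds, findings };
}

// Constructed messages modelled on the article's honest and Received-spoofed examples.
const MSG_HONEST = [
  'Return-Path: spamkidd13@mygrits.com',
  'Received: from lick.mygrits.com (lick.mygrits.com [192.0.2.152])',
  '          by mymailserv.com (Switch-2.1.4/Switch-2.1.0) with SMTP ID',
  '          MO0107E4 for <dropc0de@mymailserv.com>; Sun, 15 Sep 2002 22:11:19 +0400',
  'Received: by lick.mygrits.com (Switch-2.1.4/Switch-2.1.0) with SMTP',
  '          id MO0154F3 for <dropc0de@mymailserv.com>; Sun, 15 Sep 2002 22:10:58 +0400',
  'Date: Sun, 15 Sep 2002 22:10:58 +0400', '', 'body'].join('\n');
const MSG_SPOOFED = [
  'Return-Path: Bojangles@asdfasdf.com',
  'Received: from im.a.spoof.com (lick.mygrits.com [192.0.2.152])',
  '          ID MO0107E4 for <dropc0de@mymailserv.com>; Sun, 15 Sep 2002 22:11:19 +0400',
  'Received: by neenerneener.com (Switch-2.1.4/Switch-2.1.0) with SMTP',
  '          id MO0154F3 for <dropc0de@mymailserv.com>; Sun, 15 Sep 2002 22:10:58 +0400',
  'Date: Sun, 15 Sep 2002 03:00:00 +0400', '', 'body'].join('\n');

for (const [label, msg] of [['honest', MSG_HONEST], ['spoofed', MSG_SPOOFED]]) {
  const r = analyzeMessage(msg);
  console.log(label + ': transit ' + r.transitSeconds + 's, findings:', r.findings);
}
```

The first check is only as good as the "(name [ip])" annotation the receiving server writes, which, as the article says, not every mailer adds; the hops your own server wrote are the only ones you can trust, and the checks above flag the earlier ones rather than prove them.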

Well, now that we have a fairly firm grip on tracing email, let's move
on to something else.


----------------------------------------------------------------------
Spambots.
----------------------------------------------------------------------
The spambot is the spammer's evil automaton sidekick. They spider the
web scanning webpages for mailto: tags and harvesting the email
addresses within them.

Spambots  are generally quite easy to notice, due to a few very common
behavioural traits. By its very nature, a spambot is solely interested
in  mailto:'s  and will stop at nothing to get them. Often, a spam bot 
will  scour  a  webpage  from  top  to  bottom following every link in 
succession ignoring images, sounds, everything but those mailto:'s.

Let's have a look at a standard webserver access log.

----------------------------------------------------------------------
192.13.104.170 - - [18/Sep/2002:10:52:42 -0700] 
         "GET /main.html HTTP/1.1" 200 62 
         "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
         "www.mygrits.com"

192.13.104.170 - - [18/Sep/2002:10:52:42 -0700] 
         "GET /images/header.jpg HTTP/1.1" 200 416
         "http://www.mygrits.com/main.html" 
         "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
         "www.mygrits.com"

192.13.104.170 - - [18/Sep/2002:10:52:42 -0700] 
        "GET /images/tractertrailor.jpg HTTP/1.1" 200 110 
        "http://www.mygrits.com/main.html" 
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
        "www.mygrits.com"

192.13.104.170 - - [18/Sep/2002:10:52:42 -0700] 
        "GET /images/pickuptruck.jpg HTTP/1.1" 200 214 
        "http://www.mygrits.com/main.html" 
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
        "www.mygrits.com"

192.13.104.170 - - [18/Sep/2002:10:52:42 -0700]   
        "GET /images/shootincans.jpg HTTP/1.1" 200 114
        "http://www.mygrits.com/main.html" 
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
        "www.mygrits.com"
----------------------------------------------------------------------

Here's a small page called main.html on the mygrits.com homepage. A
user has just loaded the page by typing it into their browser's
address field. (I'm assuming this because there's no referrer in the
first GET request; if they'd followed a link there would be.)

First the user's (192.13.104.170) client requests the main.html page
using the command 'GET /main.html HTTP/1.1'. The server then replies
with the response code '200', meaning everything's okay, and the size
of the file in bytes.

The next line indicates the referring URL (omitted in the first
record) followed by some information about the user's browser/platform
(this is called the USER-AGENT field) and finally the webpage's domain.

All the requests after the first one are in the same format, but
you'll notice that they are requests for all the images (contained in
<img src=""> tags) on the page.

Here's an example of a spam bot viewing www.mygrits.com/main.html:

----------------------------------------------------------------------
192.13.104.170 - - [18/Sep/2002:10:52:42 -0700] 
         "GET /main.html HTTP/1.1" 200 62 
         "Spambot v1.0(neenerneenerneener)" 
         "www.mygrits.com"
----------------------------------------------------------------------

You'll notice two things. First of all, the spambot didn't download
any images. Sometimes users will visit your site using a text browser
like lynx; you'll get the same type of entries in your logs for them.
Next you'll notice the USER-AGENT. In this example, the bot sent
Spambot as its user-agent. Don't take this literally; as far as I
know there's no spambot named Spambot. The following is a list of
user-agents to look out for. If you know of more, pass them over my
way :)

   ExtractorPro
   EmailSiphon
   Wget
   EmailWolf
   Vitaplease
   WebSnake
   EmailCollector
   WebEmailExtractor
   Crescent
   CherryPicker
   [Ww]eb[Bb]andit

Last but not least, you'll notice in your access logs that spambots
will follow, as I said, every link in order from top to bottom. With
these behavioural traits noted, it's possible to write code to watch
for these types of bots, but I'll leave that up to you.
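One way to write that watcher, as an added example (not code from the article): it parses records in the access-log format shown above, groups them by client address and scores each visitor on the three traits the article names: a user-agent from the article's list, pages fetched with no images, and links followed in exactly the order they appear on the page. The user-agent list is the article's; the client addresses (RFC 5737 documentation ranges), the site's link order and the log lines themselves are constructed for the example.

```javascript
// Added example, not the article's code: a detector for the three spambot
// traits the article lists, run over constructed log lines in the article's
// access-log format. Addresses, link order and log lines are constructed.

// The article's list, as case-insensitive regexes (its last entry already is one).
const HARVESTER_AGENTS = ['ExtractorPro', 'EmailSiphon', 'Wget', 'EmailWolf', 'Vitaplease',
  'WebSnake', 'EmailCollector', 'WebEmailExtractor', 'Crescent', 'CherryPicker', '[Ww]eb[Bb]andit']
  .map((p) => new RegExp(p, 'i'));

// Constructed: the order the links appear on main.html, top to bottom.
const LINK_ORDER = { '/main.html': ['/about.html', '/recipes.html', '/contact.html'] };

const IMAGE_EXT = /\.(jpe?g|gif|png)$/i;

// One record: ip - - [time] "METHOD path HTTP/x" status size "q1" "q2" ["q3"].
// The referrer is absent on a typed-in URL, so the quoted fields are counted
// rather than assumed: three means referrer, user-agent, vhost; two means no referrer.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)((?: "[^"]*")+)\s*$/.exec(line);
  if (!m) return null;
  const quoted = m[7].match(/"([^"]*)"/g).map((q) => q.slice(1, -1));
  const [referrer, userAgent, vhost] = quoted.length === 3 ? quoted : ['', quoted[0], quoted[1]];
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: +m[5], referrer, userAgent, vhost };
}

// Group records by client address and score each visitor on the article's traits.
function classifyVisitors(lines) {
  const visitors = {};
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r) continue;
    const v = visitors[r.ip] || (visitors[r.ip] = { pages: [], images: 0, agents: new Set() });
    if (IMAGE_EXT.test(r.path)) v.images++; else v.pages.push(r.path);
    v.agents.add(r.userAgent);
  }
  for (const v of Object.values(visitors)) {
    v.reasons = [];
    for (const ua of v.agents) {                              // trait: known harvester user-agent
      if (HARVESTER_AGENTS.some((re) => re.test(ua))) v.reasons.push('known harvester user-agent: ' + ua);
    }
    if (v.pages.length > 0 && v.images === 0) {                 // trait: pages but no images
      v.reasons.push('fetched pages but no images (also true of text browsers)');
    }
    const expected = LINK_ORDER[v.pages[0]];                    // trait: every link, in page order
    if (expected && v.pages.slice(1).join(',') === expected.join(',')) {
      v.reasons.push('followed every link in page order');
    }
    // A text browser trips only the no-images trait; a harvester trips two or more.
    v.verdict = v.reasons.length >= 2 ? 'likely spambot' : 'probably human';
  }
  return visitors;
}

// Constructed log lines: a graphical browser, a text browser, and a harvester.
const SAMPLE_LOG = [
  '192.0.2.10 - - [18/Sep/2002:10:52:42 -0700] "GET /main.html HTTP/1.1" 200 62 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "www.mygrits.com"',
  '192.0.2.10 - - [18/Sep/2002:10:52:42 -0700] "GET /images/header.jpg HTTP/1.1" 200 416 "http://www.mygrits.com/main.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "www.mygrits.com"',
  '192.0.2.10 - - [18/Sep/2002:10:52:43 -0700] "GET /images/pickuptruck.jpg HTTP/1.1" 200 214 "http://www.mygrits.com/main.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "www.mygrits.com"',
  '198.51.100.20 - - [18/Sep/2002:11:03:10 -0700] "GET /main.html HTTP/1.1" 200 62 "Lynx/2.8.4rel.1 libwww-FM/2.14" "www.mygrits.com"',
  '198.51.100.20 - - [18/Sep/2002:11:03:41 -0700] "GET /about.html HTTP/1.1" 200 98 "http://www.mygrits.com/main.html" "Lynx/2.8.4rel.1 libwww-FM/2.14" "www.mygrits.com"',
  '203.0.113.5 - - [18/Sep/2002:11:20:01 -0700] "GET /main.html HTTP/1.1" 200 62 "EmailSiphon" "www.mygrits.com"',
  '203.0.113.5 - - [18/Sep/2002:11:20:01 -0700] "GET /about.html HTTP/1.1" 200 98 "http://www.mygrits.com/main.html" "EmailSiphon" "www.mygrits.com"',
  '203.0.113.5 - - [18/Sep/2002:11:20:02 -0700] "GET /recipes.html HTTP/1.1" 200 120 "http://www.mygrits.com/main.html" "EmailSiphon" "www.mygrits.com"',
  '203.0.113.5 - - [18/Sep/2002:11:20:02 -0700] "GET /contact.html HTTP/1.1" 200 77 "http://www.mygrits.com/main.html" "EmailSiphon" "www.mygrits.com"',
];

for (const [ip, v] of Object.entries(classifyVisitors(SAMPLE_LOG))) {
  console.log(ip, v.verdict, v.reasons);
}
```

The two-trait threshold is there for the caveat the article raises: a lynx user produces the same no-images pattern, so that trait alone should never be enough to block anyone. Note the user-agent match is only a hint too, since the string is whatever the client chooses to send.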


----------------------------------------------------------------------
Combating Spambots.
----------------------------------------------------------------------
As advocative participants in the anti-spam movement, it is our duty
to actively pummel all the spambots that cross our paths. Whenever a
spambot finds a mailto: on a page, it archives it and continues along
looking for the next. The following is a small JavaScript that will
generate a list of faux mailto:'s for the spambots to harvest.

I was far from the first to think of this; in fact there are plenty
of programs all over the web that perform the exact same function.
However, most are written in Perl and C, which means you'll need
access to a cgi-bin or equivalent to implement them. This is why I
decided to write a JavaScript version.

NOTE: it's very important to make sure that the domains being
generated do not exist. If they do exist, their servers will have to
reply with a delivery failure message, causing a slight burden on
available resources. Whether the burden is trivial or not, it's the
complete opposite of what we're trying to do.

----------------------------------------------------------------------

// indigestion.js :: 5:00 PM 9/18/2002 :: -dropcode
// ------------------------------------------------

// Two-digit hex string for a byte value; anything out of range is
// clamped to FF.
function DecHex(DecVal)
{
   var HexSet = "0123456789ABCDEF";
   DecVal = parseInt(DecVal, 10);
   if (DecVal > 255 || DecVal < 0)
   {
      DecVal = 255;
   }
   var a = DecVal % 16;
   var b = (DecVal - a) / 16;
   return HexSet.charAt(b) + HexSet.charAt(a);
}

// Writes a page of random mailto: links for harvesters to collect.
// Called from the body's onLoad, so document.write() replaces the
// page that loaded it with the generated list.
function generateMailtos()
{
   document.write('<br /> This page is meant for mailto harvester ' +
                  'spambots. <br /><br />');

   var amountToGenerate = 30;
   var minUsernameChars = 3;
   var maxUsernameChars = 15;
   var minDomainChars   = 3;
   var maxDomainChars   = 15;
   var username = '';
   var domainName = '';
   var i, usernameChars, domainChars, catonateUsername, catonateDomain;
   var currentUNChar, currentDChar, addy;

   for (i = 0; i < amountToGenerate; i++)
   {
      // Pick a length for this username and this domain name.
      usernameChars = Math.floor(Math.random() *
                      (maxUsernameChars - minUsernameChars)) +
                      minUsernameChars;
      domainChars = Math.floor(Math.random() *
                    (maxDomainChars - minDomainChars)) + minDomainChars;

      // Build the username one random lower-case letter (a-y) at a
      // time: pick an ASCII code, hex-encode it and unescape it.
      for (catonateUsername = 0; catonateUsername < usernameChars;
           catonateUsername++)
      {
         currentUNChar = Math.floor(Math.random() * (122 - 97)) + 97;
         currentUNChar = "%" + DecHex(currentUNChar);
         username = username + unescape(currentUNChar);
      }

      // Same again for the domain name.
      for (catonateDomain = 0; catonateDomain < domainChars;
           catonateDomain++)
      {
         currentDChar = Math.floor(Math.random() * (122 - 97)) + 97;
         currentDChar = "%" + DecHex(currentDChar);
         domainName = domainName + unescape(currentDChar);
      }

      addy = username + '@' + domainName;
      document.write('<a href="mailto:' + addy + '.com"> ' + addy +
                     '.com </a><br />');

      username = "";
      domainName = "";
   }
   document.write('<br /><a href="#top">Round and round we go.</a>' +
                  '<br />');

   return true;
}

----------------------------------------------------------------------

In order to implement the code, you'll want to give it its own
dedicated .html. Within the <head></head> tags of that .html you'll
add a <script> tag pointing to indigestion.js (like this:
<script src="indigestion.js"></script>). In the body tag you'll add
onLoad="generateMailtos()".

Feel free to alter the variables. They are as follows:

   amountToGenerate = The   amount   of  mailto:  links  to  generate.

   minUsernameChars = The  smallest  amount  of  characters  that  the 
                      username can be.

   maxUsernameChars = The   largest  amount  of  characters  that  the
                      username can be.

   minDomainChars   = The  smallest  amount  of  characters  that  the 
                      domain name can be.

   maxDomainChars   = The   largest  amount  of  characters  that  the 
                      domain name can be.

The last document.write() in the code probably won't fool most bots,
but if it does catch one the results will be quite interesting.
Considering most spambots follow all links, if it follows this one
it will be caught in a loop.
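The article's NOTE about generated domains that must not exist is the one part of indigestion.js that random letters plus ".com" cannot guarantee. As an added example (not the article's script), here is the same idea written so that property holds by construction: every address is placed under ".invalid", a top-level domain that RFC 2606 reserves so that no registrar can sell it and no resolver will ever answer for it, and a guard function refuses anything else. The generator takes its random source as a parameter so a run can be replayed; the small LCG, the option names and the renderer returning a string instead of calling document.write() are all constructed for this example.

```javascript
// Added example, not the article's indigestion.js: a honeypot generator whose
// addresses can never belong to a real mail server, because they all sit under
// the RFC 2606 reserved TLD ".invalid". PRNG, option names and renderer are
// constructed for this example.

// Constructed deterministic PRNG (32-bit LCG) so a run can be reproduced.
function makeRng(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 4294967296;                     // [0, 1)
  };
}

// Random lower-case label (a-z) of length between min and max inclusive.
function randomLabel(rng, min, max) {
  const len = min + Math.floor(rng() * (max - min + 1));
  let s = '';
  for (let i = 0; i < len; i++) s += String.fromCharCode(97 + Math.floor(rng() * 26));
  return s;
}

const RESERVED_TLD = 'invalid';   // RFC 2606: reserved, never delegated, never resolves

// n addresses like "qwe@xyz.invalid". Options mirror the article's variables.
function generateHoneypotAddresses(n, rng, opts = {}) {
  const { minUser = 3, maxUser = 15, minDomain = 3, maxDomain = 15 } = opts;
  const out = [];
  for (let i = 0; i < n; i++) {
    out.push(randomLabel(rng, minUser, maxUser) + '@' +
             randomLabel(rng, minDomain, maxDomain) + '.' + RESERVED_TLD);
  }
  return out;
}

// Guard for any generator: accept only addresses under an RFC 2606 reserved TLD,
// so a change elsewhere can never start producing deliverable domains.
function isSafeHoneypotAddress(addr) {
  return /^[a-z0-9]+@[a-z0-9]+\.(invalid|example|test)$/i.test(addr);
}

// The page the article's script writes, returned as a string; the self-link at
// the bottom is the article's loop for bots that follow every link.
function renderHoneypotPage(addresses) {
  const bad = addresses.filter((a) => !isSafeHoneypotAddress(a));
  if (bad.length) throw new Error('refusing to publish deliverable-looking addresses: ' + bad.join(', '));
  const links = addresses.map((a) => '<a href="mailto:' + a + '">' + a + '</a><br />').join('\n');
  return '<p>This page is meant for mailto harvester spambots.</p>\n' + links +
         '\n<br /><a href="#top">Round and round we go.</a><br />';
}

// Stand-alone demo: a reproducible page of five addresses.
console.log(renderHoneypotPage(generateHoneypotAddresses(5, makeRng(2002))));
```

Because the renderer refuses anything the guard rejects, the failure mode the NOTE warns about (a real domain's server having to bounce mail to a made-up user) cannot be introduced by a later edit to the generator without the page refusing to render.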

----------------------------------------------------------------------
If anyone has anything to add or would like to correct me on something
you  can email me at dropc0de@yahoo.com. Also, drop me an email if you 
use my script, I'd like to see how big of a distribution it gets.

Together we can beat the living crap out of spammers. Join the fight.

----------------------------------------------------------------------
greets: savvyD,  ramb0x,  gr3p,  kleptic,  dirv,  jenny,  lexi, lenny, 
        turb, joja, smiley. I love you guys :D

