Slashdot Mirror


How To Catch A Scammer/Spammer

Joe 90 writes "An interesting story got posted on the Irish Linux Users group. It involves the arrest of a scammer/spammer working in an internet cafe. It even includes the attempt to eat a usb pen drive, several cops and a 10 minute struggle to subdue the man. Story is available on the Linux.ie mailing list. By the way, Gardai = the cops in Ireland."

24 of 382 comments

  1. the power of /.ing by basil+montreal · · Score: 5, Interesting

    I kinda like all the stories I have read here about /.ing the spammers and signing them up for junk snail-mail and the like. (and if anyone can find me the link to the old story, I'd appreciate it)

  2. whitelists rock by Anonymous Coward · · Score: 3, Interesting

    After trying every spam blocker known to mankind I've finally switched to whitelisting. So far it absolutely rocks and it doesn't need any legal enforcement whatsoever.

    For good measure I have a password override on it and any email that contains the password has its sender's address automatically added to the whitelist.

    Which is why I'm not afraid to put my email right here: j@ww.com, no spam will get through because you're still missing the password :)

    Very simple, extremely effective.

    1. Re:whitelists rock by enjo13 · · Score: 3, Interesting

      But not effective in all circumstances.

      For me spamming has always been an inconvenience and nothing more really. However, once I helped to implement a new customer support system at work I began to realize just how difficult the problem can be. In that setting (support via e-mail) a whitelist isn't much of an option. An aggressive spam filter isn't really an option either (we really can't have even 1 false positive). We do run a basic filtering system that catches a lot of the spam, but we're still receiving several thousand messages a day. It's a strain on our database and more importantly on our customer support staff who have to wade through all of the spam.

      At this point it's just stupid.

      --
      Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
    2. Re:whitelists rock by essreenim · · Score: 5, Interesting


      People generally don't care that much about the decreased bandwidth - a problem which can also be solved - use a port knocking algorithm of some kind!

      And besides, spamming is pretty sophisticated these days; if the mail delivery fails, the target e-mail is often removed from the list of e-mail addresses they are trying to send scam e-mails to (as far as I know).
      I promise I'm not a spammer, I am interested in the subject though.
      I do believe whitelisting is the way to go!
      Only way to be sure!

    3. Re:whitelists rock by essreenim · · Score: 2, Interesting

      I came across a nice implementation for anti-spam a while ago - temporary hash mails.

      You may know it:
      Works as follows:

      You want to contact them so you give THEM *YOUR* email address; they then send a temporary e-mail address you can reach them at, of the form:

      AZ34Z76ZSD6Z6SDG76SD67Z3@.xxx

      I think it's a great idea, an idea I had myself, but it's still great _someone_ implemented it first..

    4. Re:whitelists rock by nuggetboy · · Score: 2, Interesting

      What about mailing lists to which you may want to subscribe? I've found you rarely can find out ahead of time what the sending address will be.
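As an added example (not code from the thread), here is a minimal implementation of the passphrase-override whitelist that comment 2 describes: mail from a known sender is accepted, mail carrying the shared passphrase is accepted and its sender is learned, and everything else is rejected. The passphrase, the addresses and the four sample messages are constructed for the example.

```python
# Added example: a passphrase-override whitelist filter as described in comment 2.
# Not code from the thread; addresses, passphrase and messages are constructed.
import email
import email.utils
from email.message import Message
from typing import Iterable, List, Tuple

# Constructed sample mailbox: four raw RFC 822 messages, processed in order.
SAMPLE_MESSAGES = [
    "From: alice@example.org\nSubject: hi\n\nSee you Tuesday.\n",
    "From: bulk@spam.example\nSubject: urgent response\n\nDear Sir, I am the widow of...\n",
    "From: newfriend@example.net\nSubject: intro\n\nBob said to include: open-sesame-42\n",
    "From: newfriend@example.net\nSubject: follow-up\n\nThanks, talk tomorrow.\n",
]


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (works for multipart mail too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


class PassphraseWhitelist:
    """Accept mail from whitelisted senders or mail that carries the passphrase;
    a sender who presents the passphrase is added to the whitelist."""

    def __init__(self, passphrase: str, whitelist: Iterable[str] = ()):
        self.passphrase = passphrase
        self.whitelist = {addr.lower() for addr in whitelist}

    def decide(self, raw: str) -> Tuple[str, str]:
        """Return (sender, verdict), verdict being 'accept' or 'reject'."""
        msg = email.message_from_string(raw)
        _, sender = email.utils.parseaddr(msg.get("From", ""))
        sender = sender.lower()
        if sender in self.whitelist:
            return sender, "accept"
        # Guard against an empty passphrase, which would otherwise match every body.
        if self.passphrase and self.passphrase in body_text(msg):
            self.whitelist.add(sender)  # the override: learn this sender
            return sender, "accept"
        return sender, "reject"


def run_filter(messages: List[str], passphrase: str, whitelist: Iterable[str]) -> List[str]:
    """Apply the filter to the messages in order and return one verdict per message."""
    wl = PassphraseWhitelist(passphrase, whitelist)
    return [wl.decide(raw)[1] for raw in messages]


if __name__ == "__main__":
    verdicts = run_filter(SAMPLE_MESSAGES, "open-sesame-42", ["alice@example.org"])
    for raw, verdict in zip(SAMPLE_MESSAGES, verdicts):
        print(verdict, raw.splitlines()[0])
```

Two caveats follow from the thread itself: the sender is taken from the From header, which carries no authentication, so the whitelist only keeps out mail that does not claim a trusted sender; and, as nuggetboy's reply points out, list mail and automated notifications arrive from addresses you cannot predict, so those senders have to be added by hand before subscribing. Since the passphrase is sent in clear text with every introduction, plan on rotating it once it starts appearing in unwanted mail.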

  3. thumbs up! by softwave · · Score: 5, Interesting

    It's a comforting thought to know that there actually is legal action being taken against those suckers.
    I find it very amusing to read how the spammer tries to struggle and fight back the cops :) I think it's a proof that he knows he's in deep trouble :)

  4. sweet by Maznafein · · Score: 3, Interesting

    This guy sent my first scam/spam to my cell phone last week. Sorry but I had to report you guys for it. I don't particularly enjoy getting stuff to an address I've had for a week :p

    Glad you caught the bastiche though.

    -maz

    --
    <happiness>beer</happiness>
  5. Re:Should have let him eat it .... by Anonymous Coward · · Score: 1, Interesting

    Sounds awfully unhealthy. I bet there is some lead in it to solder parts together etc; it would melt off somewhat in an acidic stomach, no? I'm glad he didn't eat it. Spam sucks, but so does poisoning.

  6. Re:Strange understanding of ethnicity by savi · · Score: 5, Interesting

    He's being sarcastic and poking fun of the spread of the term "African-American." My students write in their exams all the time about "African-American" tribes in Africa. A friend who teaches in England has had exchange students from America ask about "African-American" history in England.

  7. A really good story ... I have a similar notion by adzoox · · Score: 3, Interesting

    This was a really good story. I hope more libraries, internet cafes, and wifi hotspots will monitor their traffic occasionally like this guy did.

    One line I liked, in particular:

    "What have I learned? Firstly, digging up evidence on criminals is an exciting activity. "

    This is the sentiment I have over my jackwhispers.com website. The deconstruction of the criminal mind is very fascinating - particularly when it involves a technical computer issue.

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
  8. Re:Not a direct marketing whorehouse... by RicoX9 · · Score: 4, Interesting

    You ought to look sometime at how many marketing/spam/spyware sites are front-ended by a "search" engine. It gets them classified as search engines in web filter databases.

  9. Re:SMTP transparent proxy? by andika · · Score: 2, Interesting

    Ok, found two links:
    spampd
    and
    smtpprox
    Anyone can give opinions about those Postfix add-ons?

  10. Re:Did I miss out on Ireland becoming the 51st sta by swb · · Score: 4, Interesting

    African-American is about the stupidest PC label ever. First, as you rightly point out, it technically has no racial connotation and covers all the other racial groups who have lived in Africa for generations.

    Secondly, a Kenyan I knew (who happened to be a black Kenyan), once told me never to call an African African. "There are no such things as Africans. There are not even Kenyans or other such nationalities, although I can tolerate being referred to as Kenyan since it is the best compromise between easily identifiable to foreigners and almost correct."

    Technically my wife's boss and daughter are African-American, since both of them were born in South Africa. They're also white, and it would be side-splitting to have her report her "race" in college as African American. I'd wager there are more than a few college scholarships naively defined as being for African Americans, when they really mean blacks.

  11. Full article text (for the lazy) by thesaur · · Score: 5, Interesting

    Some of you who were on #linux on Friday will know part or most of this story already as I witnessed some of it (while drinking a truly delicious hot chocolate). For those of you who don't, the following is a report written up by a friend of mine on his successful (or at least, it's looking good) attempt to stop and catch a 419 scammer. I feel it's worth the read.

    John

    -------- Original Message --------
    Subject: I fought the scammer... and I won.
    Date: Fri, 02 Apr 2004 21:54:30 +0100
    From: Steffen Higel
    To: John Allman ,
    paulinemccaffrey at eircom.net, stevecash at ireland.com, tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie, edwin.higel at brookside.ie, marynstanley at eircom.net, richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at mail.dcu.ie

    [This is long, and is quite heavy on the technical discussion. Skip the bits you don't understand. It gets interesting.]

    I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email from a sysadmin in a large U.S. University. Spamcop had blacklisted our server's external IP address. Abuse mail for the server in question gets sent to my college account (bad practice, I know, but it's a part time job). My college uses Spamcop as a blacklist source. You can probably tell what happened...

    Anyway, said email included the full headers of an email which was natted by our server pretending to be from the widow of Mr. Jonas Savimbi, offering the recipient a share of an unspecified large sum of money. The usual panicked thoughts kick in... "Have I fiddled with something which has left us as an open relay?", "Has our server been cracked?", "Have I been sleep-spamming again?". A more reasoned examination of the headers showed that the mail had originated from one of the IP addresses that we assign dynamically to people who bring laptops into the cafe. This is something of a nightmare for cafe operators, we can hardly block outbound smtp but then again it isn't possible for us to manually check every single mail either. Maybe rate limiting is a valid technical solution. Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.

    A peek through the logs revealed:

    Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1

    Bingo. I had something to work with. The network card is one based on a Cameo 32bit chipset. Matches up quite nicely with these:

    Return-Path:
    Received: from 192.168.1.70 (server.XXXXXX [XXXXXXX.29])
    byXXXXXXXXXXXXXXXXXX) with SMTP id i2QFrgi0002755
    for ; Fri, 26 Mar 2004 10:53:44 -0500 (EST)
    Reply-To: "michelle savimbi"
    From: "michelle savimbi"
    To:
    Subject: urgent response
    Date: Fri, 26 Mar 2004 15:53:26 +0000
    Organization:
    Mime-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0034_01C221EC.6C64F7B0"
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000ams
    X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2800.1165

    I asked around, and a man, described as being black (or is the word African-American these days?), roughly 30, with an accent which seemed half London and half African had been in the cafe with a laptop and had a number of visitors call into
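The core of the investigation in comment 11 is a correlation: the Received: header names the internal IP and the relay's timestamp, the DHCP log says which MAC address held that IP at that moment. The following added example (not the author's code) does that correlation over the log excerpt and header quoted above. Two things the page does not state are assumed here: the syslog year (2004, taken from the mail's Date header) and the DHCP server's timezone (UTC); in a real case both must be confirmed, because a wrong timezone points at the wrong lease.

```python
# Added example (not from the thread): correlate a Received: header with DHCP
# server logs to find which MAC address held the sending IP at the time.
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# DHCP log excerpt as quoted in the thread. syslog lines carry no year and the
# server's timezone is not stated; both are assumed (2004, UTC) in this example.
DHCP_LOG = """\
Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
"""

# The Received: line from the abuse report, relay names redacted as in the thread.
RECEIVED = ("Received: from 192.168.1.70 (server.XXXXXX [XXXXXXX.29]) "
            "by XXXXXXXXXXXXXXXXXX with SMTP id i2QFrgi0002755 "
            "for ; Fri, 26 Mar 2004 10:53:44 -0500 (EST)")

ACK_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd\S*: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def parse_acks(log_text, year=2004, tz=timezone.utc):
    """Return [(timestamp, ip, mac)] for every DHCPACK, oldest first.
    Only ACKs count: DISCOVER/OFFER/REQUEST do not prove the client got the lease."""
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        acks.append((stamp, m["ip"], m["mac"].lower()))
    return sorted(acks)


def parse_received(header):
    """Extract the submitting IP and the relay's timestamp, converted to UTC."""
    ip = re.search(r"\bfrom (\d+\.\d+\.\d+\.\d+)", header).group(1)
    date_str = header.rsplit(";", 1)[1]
    date_str = re.sub(r"\(.*?\)", "", date_str).strip()  # drop the "(EST)" comment
    return ip, parsedate_to_datetime(date_str).astimezone(timezone.utc)


def lease_holder(acks, ip, when):
    """MAC that most recently received `ip` at or before `when`, or None.
    Taking the latest ACK handles an address re-issued to another client earlier."""
    matching = [a for a in acks if a[1] == ip and a[0] <= when]
    if not matching:
        return None
    stamp, _, mac = matching[-1]
    return mac, stamp


def investigate(received=RECEIVED, log_text=DHCP_LOG):
    """Tie the two sources together and report how old the lease was when the mail went out."""
    ip, when = parse_received(received)
    hit = lease_holder(parse_acks(log_text), ip, when)
    if hit is None:
        return {"ip": ip, "mail_utc": when, "mac": None}
    mac, stamp = hit
    return {"ip": ip, "mail_utc": when, "mac": mac, "lease_utc": stamp,
            "age_seconds": int((when - stamp).total_seconds())}


if __name__ == "__main__":
    print(investigate())
```

The relay's Received: timestamp is the one to trust; the message's own Date: header is set by the sender's clock and here merely happens to agree (15:53:26 +0000 against 15:53:44 UTC). The lease in the excerpt was 49 minutes old when the mail was submitted, comfortably inside any normal lease length, which is what makes the MAC a solid lead rather than a coincidence.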

  12. Good Show! by b_w_duncan · · Score: 3, Interesting

    This is the kind of thing that makes your day, knowing that you personally have removed at least one source of the crap that fills inboxes. Let's hope the Irish bobbies can do something amazing with your tcpdump trace and if not I'm sure there will be vigilantes out there waiting to DoS the servers you mentioned!

    We need more admins who are willing to take action.

    Is there scope for running something like spamassassin on outgoing mail? Do people do this? Would give you a chance to stop outgoing spam before you get blacklisted.

  13. Similar Problem but the Gardai did nothing. by Kiffer · · Score: 2, Interesting

    I also work in a Cybercafe and Callshop in Dublin ...
    Last year I noticed that someone was using our fax machine to send and receive 419s ... we copied and collected the faxes for a while and rang the Gardai and told them what was going on ...
    we had film of him coming in to send faxes and receiving faxes from people which went along the lines of

    Dear Sir, we have received your money but need more to bribe people in Bank of Ireland / AIB / can't remember which bank they were making up.

    and getting replies with letters of Attorney for the transfer of money and such...

    the Gardai came took the faxes and some photos from our security system... but said there was nothing they could do... I still see the guy around... not so many faxes though...

    At the time my boss rang the poor person in America that was getting scammed ... who refused to believe that it was a scam.. and insisted that it couldn't be and that they were going to get their money ... they had to ... they'd risked their whole business on it and had sent over $100,000 to the scammers... :(

    we had so much dirt on that Nigerian guy it's crazy that he's still wandering round free...

    1. Re:Similar Problem but the Gardai did nothing. by Anonymous Coward · · Score: 1, Interesting

      The rest of the story, in at least one well-publicized case, was that the apparent scam-ee knew full well what the scam was, and was trying to make it look like someone else (a boss) was falling for it, and hoping to take in some of the money in the middle, while the boss and the company took the fall.

      It's not as simple as "the victim falling for it."
      There's also the possibility that someone might "play victim" with somebody else's money, hoping to walk away with a percentage while bankrupting someone else and making them look like a fool.

      That's the real danger of the 419. It's possible to succumb to greed and make yourself another middleman in the scam.

  14. Re:Did I miss out on Ireland becoming the 51st sta by stanmann · · Score: 4, Interesting

    The jury is still out on that question.

    --
    Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
  15. Similar experience by lordsilence · · Score: 3, Interesting

    I don't think that the only problem for internet-cafes are the customers who run "illegal" software, but also the security-policies of the cafes themselves. If policies are not enforced lots can happen before someone takes action.

    I'm currently a part-time employee at a Swedish Internet-cafe where I work as a system admin. I've previously only been taking care of the Linux systems which we run for sponsored websites and gameservers but have recently been forced to take over the work of our late Windows-loving administrator.

    He had the responsibility to maintain our firewall (WatchGuard), our active-directory Windows2000 server (user-database and login) and the exchange system, as well as other systems such as the check-in/out machine. These tasks have now forcibly fallen onto me as this previous admin has been removed from further duties. Perhaps he had too much on his hands or he simply didn't care, but lots of security-policies were not enforced which could have saved me lots of trouble.

    Anyhow, recently I began getting calls from an employee at a university here in Sweden who told me that spam was originating from our mail.domain.se machine. After doing some further checks I noticed the e-mails were in fact being sent from a piece of software disguised as "nortonav.exe" on one of our game-machines, acting as a spam-daemon. The first thing I did when I had received the password for the firewall was to block all smtp-traffic except for the trusted exchange and shut down this terminal. I've set up a series of security policies as well as tried to teach the cafe-staff some security-values, as in maintaining antivirus/adware awareness. Would there be other good countermeasures to take?

    Some of the firewall-blocking:
    03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.236.62.131 4697 25 syn (SMTP)
    03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.4.50.99 4696 25 syn (SMTP)
    03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 200.208.9.162 3525 25 syn (SMTP)
    03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 213.212.42.30 3524 25 syn (SMTP)

    It may be just me who has had bad experiences with all the administrators at companies I've worked at, who see Windows as the only option, but is it more common for these kinds of people to ignore security?
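The firewall lines in comment 15 are exactly the data a cafe admin has on hand, and the question it raises (what else to do) has a straightforward first answer: count outbound port-25 attempts per internal host, so one machine talking to many mail servers stands out long before a university calls. The following added example (not the poster's code, nor anything from WatchGuard) parses lines in that format and produces such a per-host summary. The four deny lines are the ones quoted above; the two lines with 198.51.100.x destinations and the trusted relay address 192.168.0.5 are constructed for the example.

```python
# Added example (not from the thread): summarize outbound SMTP attempts per
# internal host from WatchGuard-style "firewalld" log lines like those in comment 15.
import re
from collections import defaultdict

# The four deny lines quoted in the thread plus two constructed lines (198.51.100.x
# is a documentation address range): one more attempt by .102 and one non-SMTP deny.
FW_LOG = """\
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.236.62.131 4697 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.4.50.99 4696 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 200.208.9.162 3525 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 213.212.42.30 3524 25 syn (SMTP)
03/31/04 19:06 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 198.51.100.7 4698 25 syn (SMTP)
03/31/04 19:06 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.150 198.51.100.9 1033 80 syn (HTTP)
"""

# Assumed (constructed) address of the cafe's legitimate mail relay, the "trusted exchange".
TRUSTED_RELAYS = frozenset({"192.168.0.5"})

# Matches both allow and deny lines so the same summary works before and after the rule exists.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) firewalld\[\d+\]: (?P<action>allow|deny) out \S+ \d+ "
    r"(?P<proto>\w+) \d+ \d+ (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<sport>\d+) (?P<dport>\d+)"
)


def parse_events(text):
    """Yield one dict per parseable outbound log line; anything else is skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def smtp_summary(text, trusted=TRUSTED_RELAYS):
    """Per source host: outbound TCP/25 attempts, distinct destinations and time span.
    Hosts in `trusted` are the only ones that should be talking to port 25 at all."""
    per_host = defaultdict(lambda: {"attempts": 0, "destinations": set(),
                                    "first": None, "last": None})
    for ev in parse_events(text):
        if ev["proto"] != "tcp" or ev["dport"] != "25" or ev["src"] in trusted:
            continue
        rec = per_host[ev["src"]]
        stamp = f'{ev["date"]} {ev["time"]}'
        rec["attempts"] += 1
        rec["destinations"].add(ev["dst"])
        rec["first"] = rec["first"] or stamp
        rec["last"] = stamp
    return dict(per_host)


def offenders(text, threshold=2, trusted=TRUSTED_RELAYS):
    """Hosts with at least `threshold` attempts, most active first."""
    summary = smtp_summary(text, trusted)
    hits = [(h, r["attempts"]) for h, r in summary.items() if r["attempts"] >= threshold]
    return [h for h, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    for host, rec in smtp_summary(FW_LOG).items():
        print(host, rec["attempts"], "attempts to", len(rec["destinations"]),
              "servers between", rec["first"], "and", rec["last"])
    print("offenders:", offenders(FW_LOG))
```

With the rule the poster put in place (only the trusted relay may reach TCP/25), every host in this summary is by definition misbehaving and the log becomes a list of machines to clean. Run over allow lines from before the rule existed, the same counting is how the game machine would have been spotted earlier; a natural refinement is to alert when a host's attempts per minute exceed what a person sending mail by hand could produce, which is the rate-limiting idea raised in comment 11.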

  16. Re:Would have to be one tough USB memory card by Monsieur+Canard · · Score: 3, Interesting

    MaximumPC magazine here in the States did a similar test recently. They put two leading USB keys through a series of everyday hazards such as:

    - Going through a laundry wash cycle (both did fairly well)
    - Going through a dryer cycle (not so well)
    - Being dropped from a 2-story building (pretty decent survival)
    - and so on.

    One of the "joke tests" they proposed but didn't do for fear of cheesing-off the PETA crowd was the canine-digestion test (i.e. the dog ate it).

    --
    He took a duck to the face at 250 knots.
  17. about you? by Anonymous Coward · · Score: 1, Interesting

    "Living in a former oppressive totalitarian state, now a relatively free country. My best regards to Americans, who do the opposite." This is on your entries page at /. - please explain

  18. Re:Would have to be one tough USB memory card by Idarubicin · · Score: 3, Interesting

    Microwaving

    You might get away with brief exposure to a conventional oven, but microwaving for any length of time is going to kill one of these devices.

    There will be strong induced currents in any extended metal object, including the circuit board traces of one of these USB dongles. Very quickly, resistive heating will fry those traces. Quite probably a lethal current will be induced or travel through the flash memory chip itself.

    Ever put aluminum foil in a microwave? It's a graphic demonstration of the problem. A conventional compact disc will also spark prettily in a microwave. Heck, it's possible to create arcing between chunks of sausage. I did it inadvertently just last week. Cut two wedges of Polish sausage, five to ten millimeters thick. (90 to 120 degree sectors.) Place them on a plate so that the points of the wedges are just touching; the arrangement should look roughly like a bow tie when viewed from above. Microwave on high. Within a few seconds, induced currents should flow between the two sausage halves (I presume that there is enough salt and water in the sausage to make it a passable conductor) producing sparking.

    I assume no responsibility for damage to your sausages, microwaves, etc. Warning: sausage will be hot, yadda yadda yadda.

    --
    ~Idarubicin
  19. I don't know if this has been done by fishbot · · Score: 2, Interesting

    but couldn't internet cafes and the like install SpamAssassin on the outbound as well as the inbound servers? That way, if an outbound email is flagged as spam (tolerance altered to suit) it could be prevented from ever leaving the network?

    If it's been done I'd like to see where/how, 'cos that could be quite useful.