Slashdot Mirror
How To Catch A Scammer/Spammer
Joe 90 writes "An interesting story got posted on the Irish Linux Users group. It involves the arrest of a scammer/spammer working in an internet cafe. It even includes the attempt to eat a usb pen drive, several cops and a 10 minute struggle to subdue the man. Story is available on the Linux.ie mailing list
By the way Gardai = the cops in Ireland."
No wonder there was a struggle!
Comment removed based on user account deletion
I kinda like all the stories I have read here about /.ing the spammers and signing them up for junk snail-mail and the like. (and if anyone can find me the link to the old story, I'd appreciate it)
after trying every spam blocker known to mankind
:)
I've finally switched to whitelisting. So far
it absolutely rocks and it doesn't need any
legal enforcement whatsoever.
For good measure I have a password override on it
and any email that contains the password has
it's senders address automatically added to the
whitelist.
which is why I'm not afraid to put my email right
here : j@ww.com , no spam will get through because you're still missing the password
Very simple, extremely effective.
A unmamed man aprehended a scammer and a spammer,a nd put them in the slammer using only a scanner and a spanner!
Or something like that........
Fellowship 9/11
It's a comforting thought to know that there actually is legal action being taken against those suckers. :) I think it's a proof that he knows he's in deep trouble :)
I find it very amusing to read how the spammer tries to struggle and fight back the cops
It wasn't a scam, it was just a bad April Fool joke...and we all know we had a blast with bad jokes on Slashdot. Everybody deserves a little fun.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
From the article:
Some of you who were on #linux on friday will know part or most of this story already as i witnessed some of it (while drinking a truly delicious hot chocolate).
You know, more people should mention what they're drinking when relating news like this.
There is an interesting and [somewhat] related article on The Register.
I want to drag this out as long as possible. Bring me my protractor.
I hate spam more than I hate crackers
But yet combining spam and crackers can be quite a tasty treat.
Maybe he should have looked into the Thermite option we saw in the latest edition of The Broken?
Of course, you don't want that going off when your trying to swallow the evidence. On second though, you don't really want it going off in your pocket either...
"Luck is what others call skill when they have none." --Phelan Kell
I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email...
...I asked around, and a man, described as being black (or is the word African-American these days?)
Hmmm...
Of all the fallout from the 419 spamming, I dont believe anything is funnier than Ebola Monkey Man. Good way to kill productivity this fine Monday morning. ;)
This guy sent my first scam/spam to my cell phone last week. Sorry but I had to report you guys for it. I don't particuarly enjoy getting stuff to an address I've had for a week :p
Glad you caught the bastiche though.
-maz
<happiness>beer</happiness>
No! Say it ain't so! It's bad enough we export McDonald's and Britney, but now we're exporting our political-correctness?
An "African-American" is a person of African origin living in America. Not all African-Americans are black, and not all blacks are African. Certainly it would be a strange coincidence if this black person in Dublin was visiting from America, and also happened to be originally from Africa.
This stuff hurts my head.
The House Between - Original Sci-Fi Series
the admin narrating the story said the perp looked to be black (or is the word
African-American these days?), roughly 30, with an accent which seemed
half London and half African
Uh, I don't think the term 'American' should be applied to a guy with a half London and half African accent who's currently in Ireland. I just don't see the connection.
There's a certain irony to an Irishman in Ireland referring to hauling people off in the paddywagon. Especially when the guy in question actually isn't Irish.
What a great story!
Hey, if the memory stick were actually swallowed and then passed through the scammer's digestive system, and the Gardai waited it out and retrieved it from the loo, and it still worked, think what a great marketing slogan the manufacturer could make from that.
Tough enough to pass through the guts of a scammer!
If this story turns out to be a hoax, I'll be sorely disappointed. The thought of one of these 419 scammers desperately trying to break free of the grasp of the police in order to run back and hit a kill switch on his notebook computer makes my nipples explode with delight.
You are in error. No-one is screaming. Thank you for your cooperation.
So he would be an Irish-American? Err, wait...
Typos... that's just how I role.
Someone prominent in the U.S referred to Nelson Mandela as an African-American. I can't remember who but it brings a smile to my face whenever I hear it.
:-)
I was poking fun at them
Where's all the posts saying how this guy's privacy rights were destroyed/taken/bushed by the sysadmin?
/. we are supposed to ignore the fact he's in public and using someone else's internet.
This is
Yeah, right, and you can put it in your USB port to search for evidence.
[Fuck Beta]
o0t!
i'm trying to picture a revived miami vice, focused on computer crimes. imagine the possibilities. ok, there aren't many...
/.'rs are pretty, um, passionate on privacy and gov't intrusion, even if this IS an (alleged!) spammer who by definition is not humanoid. :)
congrats to the irish police for taking the offense so seriously. but is anyway here wary of the snooping involved? yes the sysadmin had every right to monitor traffic, but in what depth and for what purpose? for example, there's talk here of trying to fish out the suspect's email password and so on -- at police request. wouldn't it would feel a bit different in the police, without warrant, were to do the same themselves -- imagine worst case of them bugging all internet cafes to examine generic traffic without individualized suspicion. it's bad enough they want to see what we do at the library....
practically speaking, i would imagine the government generally lacks the resources to parse large amounts of computer data. but just wait until it can be done by computers hunting for suspicious transactions, much as the credit card companies do now to catch fraud. the capability is there.
i'm not sure where the legal stuff comes out here, this is not US law, but wonder about future possibilities. it is debatable what expectation of privacy you have in an internet cafe -- are keyloggers ok? is decrypting information different from reading plain text? must the user be warned? as an analogy, consider that when the federal exclusionary rule was first judicially established, it did not apply to states and the "silver platter doctrine" emerged whereby state investigators would get what the feds wanted and hand it over clean of any search and seizure problem. obviously this is a charade.
someone who acts at the behest of the government -- an agent -- pretty much *is* the government, and i wonder if this interpretation colors the reaction of anyone here on privacy -- normally
Well, let's all start flood pinging it before we start to start thinking about our actions, its neighbor IPs, or whether the information is even really accurate :)
Unfortunately it would seem that whilst you have obviously been furnished with a good understanding of the term 'African-American' you obviously have zero understanding of the term 'humour'.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
No! Say it ain't so! It's bad enough we export McDonald's and Britney, but now we're exporting our political-correctness?
An "African-American" is a person of African origin living in America. Not all African-Americans are black, and not all blacks are African. Certainly it would be a strange coincidence if this black person in Dublin was visiting from America, and also happened to be originally from Africa.
It almost killed me when I heard a US newscaster refer to Nelson Mandela as African-American.
When your world is all round pegs, what can you do when you encounter a square one?
Best Line: "Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them."
VENI, VIDI, VICI, DIXI
One line I liked, in particular:
"What have I learned? Firstly, digging up evidence on criminals is an exciting activity. "
This is the sentiment I have over my jackwhispers.com website. The deconstruction of the criminal mind is very fascinating - particularly when it involves a technical computer issue.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
You ought to look sometime at how many marketing/spam/spyware sites are front-ended by a "search" engine. It gets them classified as search engines in web filter databases.
Then, he spent a bit of time on http://www.emailspidereasy.com. Don't you just love the fake google-textads?
Yup, love is the word. I also love these links on the same page:
Credit cards - links to credit card resources
Cheap loans - compare and get a cheap loan
Compare mortgage quotes - cheap mortgages online
Work from home - make money with working from home
Seems this is the only site spammers need to visit; they have links to spamming resources as well! Very convenient ...
I hear there's rumors on the Slashdots
and they are investigating.
They are a co-lo facility, barebones, FYI.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Eh how about you read the mail.
Our cafe was *BLACKLISTED* by spamcop. I checked the logs. I found his MAC address and when he came in with his laptop. I asked the staff. They described him. He came back and I caught him red handed.
And I would have gotten away with it, if it wasn't for you meddling kids!
Hrrm... I usually just sign my name.
African-American is about the stupidest PC label ever. First, as you rightly point out, it technically has no racial connotation and covers all the other racial groups who have lived in Africa for generations.
Secondly, a Kenyan I knew (who happened to be a black Kenyan), once told me never to call an African African. "There are no such things as Africans. There are not even Kenyans or other such nationalities, although I can tolerate being referred to as Kenyan since it is the best compromise between easily identifiable to foreigners and almost correct."
Technically my wife's boss and daughter are African-American, since both of them were born in South Africa. They're also white, and it would be side-splitting to have her report her "race" in college as African American. I'd wager there are more than a few college scholarships naively defined as being for African Americans, when they really mean blacks.
Some of you who were on #linux on friday will know part or most of this story already as i witnessed some of it (while drinking a truly delicious hot chocolate). For those of you who don't, the following is a report written up by a friend of mine on his succussful (or at least, it's looking good) attempt to stop and catch a 419 scammer. I feel it's worth the read
,
John
-------- Original Message --------
Subject: I fought the scammer... and I won.
Date: Fri, 02 Apr 2004 21:54:30 +0100
From: Steffen Higel
To: John Allman
paulinemccaffrey at eircom.net, stevecash at ireland.com, tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie, edwin.higel at brookside.ie, marynstanley at eircom.net, richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at mail.dcu.ie
[This is long, and is quite heavy on the technical discussion. Skip the bits you don't understand. It gets interesting.]
I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email from a sysadmin in a large U.S. University. Spamcop had blacklisted our server's external IP address. Abuse mail for the server in question gets sent to my college account (bad practice, I know, but it's a part time job). My college uses Spamcop as a blacklist source. You can probably tell what happened...
Anyway, said email included the full headers of an email which was natted by our server pretending to be from the widow of Mr. Jonas Savimbi, offering the recipient a share of an unspecified large sum of money. The usual panicked thoughts kick in... "Have I fiddled with something which has left us as an open relay?", "Has our server been cracked?", "Have I been sleep-spamming again?". A more reasoned examination of the headers showed that the mail had originated from one of the IP addresses that we assign dynamically to people who bring laptops into the cafe. This is something of a nightmare for cafe operators, we can hardly block outbound smtp but then again it isn't possible for us to manually check every single mail either. Maybe rate limiting is a valid technical solution. Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.
A peek through the logs revealed:
Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7
via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1
Bingo. I had something to work with. The network card is one based on a Cameo 32bit chipset. Matches up quite nicely with these:
Return-Path:
Received: from 192.168.1.70 (server.XXXXXX [XXXXXXX.29])
byXXXXXXXXXXXXXXXXXX) with SMTP id i2QFrgi0002755
for ; Fri, 26 Mar 2004 10:53:44 -0500 (EST)
Reply-To: "michelle savimbi"
From: "michelle savimbi"
To:
Subject: urgent response
Date: Fri, 26 Mar 2004 15:53:26 +0000
Organization:
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_0 00_0034_01C221EC.6C64F7B 0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000ams
X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2800.1165
I asked around, and a man, described as being black (or is the word African-American these days?), roughly 30, with an accent which seemed half London and half African had been in the cafe with a laptop and had a number of visitors call into
It even includes the attempt to eat a usb pen drive, several cops and...
Diet tip of the day: never try to eat cops. That whole pig motif's just a cunning lie.
This is the kind of thing that makes your day, knowing that you personally have removed at least one source of the crap that fills inboxes. Let's hope the Irish bobbies can do something amazing with your tcpdump trace and if not I'm sure there will be vigilantes out there waiting to DoS the servers you mentioned!
We need more admins who are willing to take action.
Is there scope for running something like spamassassin on outgoing mail? Do people do this? Would give you a chance to stop outgoing spam before you get blacklisted.
This is a story that starts with a sysadmin seeing a 419 scam, hearing that there was a black guy with a "suspicious" accent in his cafe, deciding that this must be our criminal, and deciding to read his e-mail to find out...
Right?
Not totally. He first said that a company (Spamcop?) blacklisted him and he didn't know why. He went back to investigate and looked through the logs, he saw a lot of traffic by someone using a laptop at the cafe and figured that the person was spamming. He had the hours it happened, and asked, and the person told him about the "suspicious" people during those hours.
No, a sysadmin has his IP balcklisted because of spam, discovers it was sent from a laptop and when. Then he finds out that there was someone in with a laptop at the right time and they had visitors while they were there (which is not rare or suspicious of itself in a net cafe, but it attracts attention and can look suspicious depending on what they are doing). The guys description was male, black, 30 and a half london, half african accent. The sysadmin had the MAC address of the laptop and asked the staff to watch out for the same man. When the same guy appeared the sysadmin raced in and after the guy had waited to get a particularly private booth the sysadmin saw the mac address appear and hence had his confirmation. But the police wanted someone caught in the act of doing something illegal so he had to keep watching until the spam went again. Not quite as you described it eh?
Never underestimate the dark side of the Source
I do my transperant proxying using iptables.
Just forward outgoing traffic on port 25 to local:25.
You need to do some sanity checking afterwards, to make sure you haven't ended up as an open relay. Other than that, it works fine for me.
Hmmm, well let's think for a moment:
a) The internet cafe is more or less a public place, as well as a private establishment. If they don't have a sign indicating monitoring, at least they wouldn't have anything indicating that you do have 100% privacy
b) No "privacy" was violated until the issue with SPAM was discovered. At this time, massive SMTP requests were tracked to a particular machine/NIC using the MAC address.
c) MAC generally being a fairly unique identifier (not many people MAC-spoof), there was a fair bit of surety that the monitoring action was being taken against the same scummy spamming individual, used to acquisition evidence against his activity which while if perhaps not illegal, would almost indefinately violate the usage agreement for the cafe.
d) You don't really really even have that many privacy "rights" with your ISP. They log activity for these very reasons (spammers, kiddy-fiddlers, other illegal activitiy). If you were tagged as a spammer (with a non-spam friendly ISP) or a kiddy-pr0nography, you would no doubt come under scutiny with them as well.
The jury is still out on that question.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
The cafe operator ought to know better:
If you operate a public Internet access point (school, library, cafe, city park, etc.) please block egress port 25 traffic! Your patrons do not need to pretend to be an e-mail server. To allow such traffic to come from your network is to invite spammers, scammers, and so on to operate freely with your resources. Anyone needing legitimate e-mail access can use webmail or pester their ISP or business to use SMTP+AUTH+SSL/TLS for initial mail submission (on a port other than 25, of course).
Configuring a SMTP server to handle this in not difficult for a reasonably skilled sys admin, so no excuses!
Why not?
You're a cyber cafe, not a shop that's set up with local accounts. Mail should be of one of two types:
Either way, your proxy server should have a default DENY outbound port 25 EXCEPT from your mailserver, which itse'f is handling the authentication for the few accounts that really are allows to send mail.
This space for rent. Call 1-800-STEAK4U
I don't think that the only problem for internet-cafes are the customers who run "illegal" software, but also the security-policies of the cafes themselves. If policies are not enforced lots can happen before someone takes action.
I'm currently a part-time employee at a Swedish Internet-cafe where I work as a system admin. I've previously only been taking care of the Linux systems which we run for sponsored websites and gameservers but have recently been forced to take over the work of our late Windows-loving administrator.
He had the responsibility to maintain our firewall (WatchGuard), our active-directory Windows2000 server (user-database and login) and the exchange system, aswell as other system as the check-in/out machine. These tasks has now forcedly fallen onto me as this previous admin has been removed from further duties. Perhaps he had too much on his hands or he simply didn't care, but lots of security-policies were not enforced which could have saved me lots of trouble.
Anyhow, recently I began getting calls from an employee at a university here in sweden who told me that spam were originating from our mail.domain.se machine, after doing some further checks I noticed the e-mails were infact being sent from a software disguised as "nortonav.exe" on one of our game-machines. Acting as a spam-daemon. The first thing I did when I had recieved the password for the firewall was to block all smtp-traffic except for the trusted exchange and shutdown this terminal. I've set-up a series of security policies as well as tried to teach the cafe-staff some security-values as in maintaining the antivirus/adware-awarity. Would there be other good countermeasures to take?
Some of the firewall-blocking:
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.236.62.131 4697 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.4.50.99 4696 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 200.208.9.162 3525 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 213.212.42.30 3524 25 syn (SMTP)
It may be just me who has had bad experience with all administrators at companies I've worked at, who only see Windows as the only option but is it more common for these kind of people to ignore security?
>USB pen drives aren't very filling.
Don't know. That's a lot of bytes.
>
> Eventually, 2 more gardai arrive and he's cuffed and brought out, crying like a little girl
Ten. Whole. Minutes. Skulls thumping, billy clubs and fists flying, and 419er whimpering.
Video? Even grainy stuff from the internet cafe's security cam? Please? Pretty please? Pretty please with a lead pipe and a clump of spammer flesh on top?
> What have I learned? Firstly, [ ... ]
FIFTHLY: BRING A VIDEO CAMERA NEXT TIME! You got to see all the good stuff, and you didn't SHARE!
The correct term, as everyone should know, is African-African.
Er, wait...
~Idarubicin
The Gardai as they are referred to are actually called, in Gaelic "Garda Siochana na hEireann", which translates to "Guardians of Peace in Ireland" . They are the cops in the Republic of Ireland. They even go on peacekeeping missions abroad.
I hate sigs.
I have bought a domain (let's say johndoe.org) from a very cheap url forwarding company (at a rate of something like $15/year). It comes with unlimited e-mail forwarding aliases, and a "catch-everything" alias (let's say notexisting@johndoe.org), that forwards any e-mail send to non-existing alias to the default e-mail address that I have defined.
:P
:)
The default e-mail address (let's say secret@johndoe.org) is an alias that forwards everything to my real mailbox (let's say johndoe@aol.com). Of course, my real mailbox address, my catch-all address and the "default" address are not given to ANYBODY.
For my communication needs, or whenever asked, I just makeup a e-mail address (jonamazon@johndoe.org for amazon so that I will remember easily what address I use on the site). Since the alias is not setup in the mailserver, when amazon tries to contact me, the e-mail will follow the following alias path:
1) jonamazon
2) notexisting
3) secret (default)
4) real mailbox
When I see an spam message (once in two weeks!!!), I just divert the alias to point to an abuse address of a random spamhaus. The good thing, is that since I use random but descriptive addresses, I can see what websites actually harvest e-mails and sell them to spammers!!!
It is interesting to note that at some point I received e-mail that were addressed at some ridiculus random aliases (e.g. jesus@, happykitty@ etc) of my domain (clearly not used by me). Just an indication of the use of wordlists (of course every such alias got blocked).
I have not yet reached the levels of paranoia of giving seperate e-mail addresses to any of my friends of course
Anyway, it is not as complicated as it looks, and of course way less complicated than using bayesian filters and the like. And believe me, it works
I'm surprised that the author used the term "paddywagon", which I understood to be an american term particularly offensive to an irishman.
-MattT *** Not speaking for my employer, or any other sentient beings ***