Slashdot Mirror
How To Catch A Scammer/Spammer
Joe 90 writes "An interesting story got posted on the Irish Linux Users group. It involves the arrest of a scammer/spammer working in an internet cafe. It even includes the attempt to eat a usb pen drive, several cops and a 10 minute struggle to subdue the man. Story is available on the Linux.ie mailing list
By the way Gardai = the cops in Ireland."
No wonder there was a struggle!
Comment removed based on user account deletion
I kinda like all the stories I have read here about /.ing the spammers and signing them up for junk snail-mail and the like. (and if anyone can find me the link to the old story, I'd appreciate it)
A unmamed man aprehended a scammer and a spammer,a nd put them in the slammer using only a scanner and a spanner!
Or something like that........
Fellowship 9/11
It's a comforting thought to know that there actually is legal action being taken against those suckers. :) I think it's a proof that he knows he's in deep trouble :)
I find it very amusing to read how the spammer tries to struggle and fight back the cops
It wasn't a scam, it was just a bad April Fool joke...and we all know we had a blast with bad jokes on Slashdot. Everybody deserves a little fun.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
From the article:
Some of you who were on #linux on friday will know part or most of this story already as i witnessed some of it (while drinking a truly delicious hot chocolate).
You know, more people should mention what they're drinking when relating news like this.
There is an interesting and [somewhat] related article on The Register.
I want to drag this out as long as possible. Bring me my protractor.
I hate spam more than I hate crackers
But yet combining spam and crackers can be quite a tasty treat.
I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email...
...I asked around, and a man, described as being black (or is the word African-American these days?)
Hmmm...
Of all the fallout from the 419 spamming, I dont believe anything is funnier than Ebola Monkey Man. Good way to kill productivity this fine Monday morning. ;)
No! Say it ain't so! It's bad enough we export McDonald's and Britney, but now we're exporting our political-correctness?
An "African-American" is a person of African origin living in America. Not all African-Americans are black, and not all blacks are African. Certainly it would be a strange coincidence if this black person in Dublin was visiting from America, and also happened to be originally from Africa.
This stuff hurts my head.
The House Between - Original Sci-Fi Series
here : j@ww.com , no spam will get through because you're still missing the password
I hope the password's not viagra, or some l33t speak typo variant.
Car analogies break down.
There's a certain irony to an Irishman in Ireland referring to hauling people off in the paddywagon. Especially when the guy in question actually isn't Irish.
What a great story!
Hey, if the memory stick were actually swallowed and then passed through the scammer's digestive system, and the Gardai waited it out and retrieved it from the loo, and it still worked, think what a great marketing slogan the manufacturer could make from that.
Tough enough to pass through the guts of a scammer!
If this story turns out to be a hoax, I'll be sorely disappointed. The thought of one of these 419 scammers desperately trying to break free of the grasp of the police in order to run back and hit a kill switch on his notebook computer makes my nipples explode with delight.
You are in error. No-one is screaming. Thank you for your cooperation.
So he would be an Irish-American? Err, wait...
Typos... that's just how I role.
Someone prominent in the U.S referred to Nelson Mandela as an African-American. I can't remember who but it brings a smile to my face whenever I hear it.
:-)
I was poking fun at them
Where's all the posts saying how this guy's privacy rights were destroyed/taken/bushed by the sysadmin?
/. we are supposed to ignore the fact he's in public and using someone else's internet.
This is
i'm trying to picture a revived miami vice, focused on computer crimes. imagine the possibilities. ok, there aren't many...
/.'rs are pretty, um, passionate on privacy and gov't intrusion, even if this IS an (alleged!) spammer who by definition is not humanoid. :)
congrats to the irish police for taking the offense so seriously. but is anyway here wary of the snooping involved? yes the sysadmin had every right to monitor traffic, but in what depth and for what purpose? for example, there's talk here of trying to fish out the suspect's email password and so on -- at police request. wouldn't it would feel a bit different in the police, without warrant, were to do the same themselves -- imagine worst case of them bugging all internet cafes to examine generic traffic without individualized suspicion. it's bad enough they want to see what we do at the library....
practically speaking, i would imagine the government generally lacks the resources to parse large amounts of computer data. but just wait until it can be done by computers hunting for suspicious transactions, much as the credit card companies do now to catch fraud. the capability is there.
i'm not sure where the legal stuff comes out here, this is not US law, but wonder about future possibilities. it is debatable what expectation of privacy you have in an internet cafe -- are keyloggers ok? is decrypting information different from reading plain text? must the user be warned? as an analogy, consider that when the federal exclusionary rule was first judicially established, it did not apply to states and the "silver platter doctrine" emerged whereby state investigators would get what the feds wanted and hand it over clean of any search and seizure problem. obviously this is a charade.
someone who acts at the behest of the government -- an agent -- pretty much *is* the government, and i wonder if this interpretation colors the reaction of anyone here on privacy -- normally
I just sent you an email containing:
1. The meaning of life.
2. The location of $1,000,000 I buried 10 years ago.
3. How to get any woman you want.
4. How to stay young and live forever.
Oh well.
Well, let's all start flood pinging it before we start to start thinking about our actions, its neighbor IPs, or whether the information is even really accurate :)
He's being sarcastic and poking fun of the spread of the term "African-American." My students write in their exams all the time about "African-American" tribes in Africa. A friend who teaches in England has had exchange students from America ask about "African-American" history in England.
Sorry, that doesn't solve the whole spam problem. Your mail server is still getting hammered by spam, it's just that you aren't seeing it. You are still paying for, directly or indirectly, the bandwidth that is being gobbled up by all the unwanted email that is sent to you.
Unfortunately it would seem that whilst you have obviously been furnished with a good understanding of the term 'African-American' you obviously have zero understanding of the term 'humour'.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
No! Say it ain't so! It's bad enough we export McDonald's and Britney, but now we're exporting our political-correctness?
An "African-American" is a person of African origin living in America. Not all African-Americans are black, and not all blacks are African. Certainly it would be a strange coincidence if this black person in Dublin was visiting from America, and also happened to be originally from Africa.
It almost killed me when I heard a US newscaster refer to Nelson Mandela as African-American.
When your world is all round pegs, what can you do when you encounter a square one?
Best Line: "Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them."
VENI, VIDI, VICI, DIXI
And it also means that I can't email you, since I don't know your password, and the only way I could get your password is by asking you, and the only way I could ask you - since I don't have your address or phone number - is by emailing you.
Doubtless that doesn't bother you, as you probably aren't interested in getting email from me. I, on the other hand, do frequently receive personal email from strangers. Your "solution" is worthless to me.
Except that now, anyone who cares to do a simple whois lookup on the domain ww.com will quickly find himself in the posession of your name, address, and phone number, in addition to your e-mail.
Not that anyone will call. But still, maybe you'd better think about that?
You ought to look sometime at how many marketing/spam/spyware sites are front-ended by a "search" engine. It gets them classified as search engines in web filter databases.
Then, he spent a bit of time on http://www.emailspidereasy.com. Don't you just love the fake google-textads?
Yup, love is the word. I also love these links on the same page:
Credit cards - links to credit card resources
Cheap loans - compare and get a cheap loan
Compare mortgage quotes - cheap mortgages online
Work from home - make money with working from home
Seems this is the only site spammers need to visit; they have links to spamming resources as well! Very convenient ...
I hear there's rumors on the Slashdots
and they are investigating.
They are a co-lo facility, barebones, FYI.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
People generally don't care that much about the decreased bandwidth - a problem which can also be solved - use port knocking algorithm of some kind!
And besides, spamming is pretty sophisticated these days, if the mail delivery fails, the target e-mail is often removed from the list of e-mail addresses they are trying to send scam e-mails to ( as far as I know )
I promise I'm not a spammer, I am interested in the subject though.
I do believe whitelisting is the way to go!
Only way to be sure!
Eh how about you read the mail.
Our cafe was *BLACKLISTED* by spamcop. I checked the logs. I found his MAC address and when he came in with his laptop. I asked the staff. They described him. He came back and I caught him red handed.
And I would have gotten away with it, if it wasn't for you meddling kids!
Hrrm... I usually just sign my name.
African-American is about the stupidest PC label ever. First, as you rightly point out, it technically has no racial connotation and covers all the other racial groups who have lived in Africa for generations.
Secondly, a Kenyan I knew (who happened to be a black Kenyan), once told me never to call an African African. "There are no such things as Africans. There are not even Kenyans or other such nationalities, although I can tolerate being referred to as Kenyan since it is the best compromise between easily identifiable to foreigners and almost correct."
Technically my wife's boss and daughter are African-American, since both of them were born in South Africa. They're also white, and it would be side-splitting to have her report her "race" in college as African American. I'd wager there are more than a few college scholarships naively defined as being for African Americans, when they really mean blacks.
Some of you who were on #linux on friday will know part or most of this story already as i witnessed some of it (while drinking a truly delicious hot chocolate). For those of you who don't, the following is a report written up by a friend of mine on his succussful (or at least, it's looking good) attempt to stop and catch a 419 scammer. I feel it's worth the read
,
John
-------- Original Message --------
Subject: I fought the scammer... and I won.
Date: Fri, 02 Apr 2004 21:54:30 +0100
From: Steffen Higel
To: John Allman
paulinemccaffrey at eircom.net, stevecash at ireland.com, tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie, edwin.higel at brookside.ie, marynstanley at eircom.net, richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at mail.dcu.ie
[This is long, and is quite heavy on the technical discussion. Skip the bits you don't understand. It gets interesting.]
I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email from a sysadmin in a large U.S. University. Spamcop had blacklisted our server's external IP address. Abuse mail for the server in question gets sent to my college account (bad practice, I know, but it's a part time job). My college uses Spamcop as a blacklist source. You can probably tell what happened...
Anyway, said email included the full headers of an email which was natted by our server pretending to be from the widow of Mr. Jonas Savimbi, offering the recipient a share of an unspecified large sum of money. The usual panicked thoughts kick in... "Have I fiddled with something which has left us as an open relay?", "Has our server been cracked?", "Have I been sleep-spamming again?". A more reasoned examination of the headers showed that the mail had originated from one of the IP addresses that we assign dynamically to people who bring laptops into the cafe. This is something of a nightmare for cafe operators, we can hardly block outbound smtp but then again it isn't possible for us to manually check every single mail either. Maybe rate limiting is a valid technical solution. Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.
A peek through the logs revealed:
Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7
via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1
Bingo. I had something to work with. The network card is one based on a Cameo 32bit chipset. Matches up quite nicely with these:
Return-Path:
Received: from 192.168.1.70 (server.XXXXXX [XXXXXXX.29])
byXXXXXXXXXXXXXXXXXX) with SMTP id i2QFrgi0002755
for ; Fri, 26 Mar 2004 10:53:44 -0500 (EST)
Reply-To: "michelle savimbi"
From: "michelle savimbi"
To:
Subject: urgent response
Date: Fri, 26 Mar 2004 15:53:26 +0000
Organization:
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_0 00_0034_01C221EC.6C64F7B 0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000ams
X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2800.1165
I asked around, and a man, described as being black (or is the word African-American these days?), roughly 30, with an accent which seemed half London and half African had been in the cafe with a laptop and had a number of visitors call into
It even includes the attempt to eat a usb pen drive, several cops and...
Diet tip of the day: never try to eat cops. That whole pig motif's just a cunning lie.
No, a sysadmin has his IP balcklisted because of spam, discovers it was sent from a laptop and when. Then he finds out that there was someone in with a laptop at the right time and they had visitors while they were there (which is not rare or suspicious of itself in a net cafe, but it attracts attention and can look suspicious depending on what they are doing). The guys description was male, black, 30 and a half london, half african accent. The sysadmin had the MAC address of the laptop and asked the staff to watch out for the same man. When the same guy appeared the sysadmin raced in and after the guy had waited to get a particularly private booth the sysadmin saw the mac address appear and hence had his confirmation. But the police wanted someone caught in the act of doing something illegal so he had to keep watching until the spam went again. Not quite as you described it eh?
Never underestimate the dark side of the Source
I do my transperant proxying using iptables.
Just forward outgoing traffic on port 25 to local:25.
You need to do some sanity checking afterwards, to make sure you haven't ended up as an open relay. Other than that, it works fine for me.
Hmmm, well let's think for a moment:
a) The internet cafe is more or less a public place, as well as a private establishment. If they don't have a sign indicating monitoring, at least they wouldn't have anything indicating that you do have 100% privacy
b) No "privacy" was violated until the issue with SPAM was discovered. At this time, massive SMTP requests were tracked to a particular machine/NIC using the MAC address.
c) MAC generally being a fairly unique identifier (not many people MAC-spoof), there was a fair bit of surety that the monitoring action was being taken against the same scummy spamming individual, used to acquisition evidence against his activity which while if perhaps not illegal, would almost indefinately violate the usage agreement for the cafe.
d) You don't really really even have that many privacy "rights" with your ISP. They log activity for these very reasons (spammers, kiddy-fiddlers, other illegal activitiy). If you were tagged as a spammer (with a non-spam friendly ISP) or a kiddy-pr0nography, you would no doubt come under scutiny with them as well.
I've got absolutely nothing to hide,
by Anonymous Coward
Um...
The jury is still out on that question.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
Why not?
You're a cyber cafe, not a shop that's set up with local accounts. Mail should be of one of two types:
Either way, your proxy server should have a default DENY outbound port 25 EXCEPT from your mailserver, which itse'f is handling the authentication for the few accounts that really are allows to send mail.
This space for rent. Call 1-800-STEAK4U
>
> Eventually, 2 more gardai arrive and he's cuffed and brought out, crying like a little girl
Ten. Whole. Minutes. Skulls thumping, billy clubs and fists flying, and 419er whimpering.
Video? Even grainy stuff from the internet cafe's security cam? Please? Pretty please? Pretty please with a lead pipe and a clump of spammer flesh on top?
> What have I learned? Firstly, [ ... ]
FIFTHLY: BRING A VIDEO CAMERA NEXT TIME! You got to see all the good stuff, and you didn't SHARE!
The Gardai as they are referred to are actually called, in Gaelic "Garda Siochana na hEireann", which translates to "Guardians of Peace in Ireland" . They are the cops in the Republic of Ireland. They even go on peacekeeping missions abroad.
I hate sigs.
I have bought a domain (let's say johndoe.org) from a very cheap url forwarding company (at a rate of something like $15/year). It comes with unlimited e-mail forwarding aliases, and a "catch-everything" alias (let's say notexisting@johndoe.org), that forwards any e-mail send to non-existing alias to the default e-mail address that I have defined.
:P
:)
The default e-mail address (let's say secret@johndoe.org) is an alias that forwards everything to my real mailbox (let's say johndoe@aol.com). Of course, my real mailbox address, my catch-all address and the "default" address are not given to ANYBODY.
For my communication needs, or whenever asked, I just makeup a e-mail address (jonamazon@johndoe.org for amazon so that I will remember easily what address I use on the site). Since the alias is not setup in the mailserver, when amazon tries to contact me, the e-mail will follow the following alias path:
1) jonamazon
2) notexisting
3) secret (default)
4) real mailbox
When I see an spam message (once in two weeks!!!), I just divert the alias to point to an abuse address of a random spamhaus. The good thing, is that since I use random but descriptive addresses, I can see what websites actually harvest e-mails and sell them to spammers!!!
It is interesting to note that at some point I received e-mail that were addressed at some ridiculus random aliases (e.g. jesus@, happykitty@ etc) of my domain (clearly not used by me). Just an indication of the use of wordlists (of course every such alias got blocked).
I have not yet reached the levels of paranoia of giving seperate e-mail addresses to any of my friends of course
Anyway, it is not as complicated as it looks, and of course way less complicated than using bayesian filters and the like. And believe me, it works