3.4. Tracking the Spammer

Before you take this newfound knowledge and start your own spam empire, bear in mind that spammers are being identified and prosecuted with increasing success. How are the authorities able to track these people down?

What they have that you and I do not is access to the ISPs. Starting with an individual spam message, they can slowly but surely work their way back through the mail server logs at multiple ISPs to identify the original source. It is laborious work: justifying to each ISP that they need access to its logs, searching them, documenting the evidence, and then moving one more step back through the chain. That effort goes up by at least an order of magnitude every time the delivery route includes a server in a foreign country. Often that will stop an investigation in its tracks, a fact that has not gone unnoticed by the professional spammers.

sendmail, as well as most other MTAs, can be configured to record information about the messages it handles in log files. The default level of logging in sendmail captures pretty much the same information as the Received headers in the messages themselves. But there is much less opportunity for forgery in these logs, because they are written by the receiving server rather than supplied by the sender, at least as long as the server itself has not been compromised. More importantly, by examining log files, we may be able to discover groups of related messages being transferred at the same time, indicative of a coordinated spam campaign rather than a single unsolicited message. Distinctions like this are very important in legal proceedings related to spam.

By way of an example, consider the MTA log entries that relate to the forged email that we just created in the previous section. We begin on gateway, the MTA that received and delivered the message. A typical location for these log files on a Unix or Mac OS X system is /var/log. We can use the queue ID that sendmail on that server assigned to the message (j21Mui721208, which is distinct from the Message-ID header) to find the matching records.

     % grep j21Mui721208 /var/log/maillog
     Mar  1 14:56:44 gateway sendmail[21208]: j21Mui721208:
         from=<ABC@oreilly.com>, size=286, class=0, nrcpts=1,
         msgid=<12345678@oreilly.com>, proto=ESMTP, daemon=MTA,
         relay=biotech.craic.com [208.12.16.3]
     Mar  1 14:56:44 gateway sendmail[21209]: j21Mui721208:
         to=<XYZ@craic.com>, delay=00:00:00, xdelay=00:00:00,
         mailer=local, pri=30022, dsn=2.0.0, stat=Sent

Every transfer results in two log file records. The first one records the arrival of the message from biotech, including the address of the sender, the relay it arrived from, and the message-specific unique ID (the msgid field, taken from the Message-ID header). The second entry records the delivery of this message to the mailbox of the recipient. The string stat=Sent is the status of this delivery attempt, which was successful. Both records contain the server-specific queue ID (j21Mui721208), but only the first contains the message-specific ID. That distinction matters when you move to the machine biotech and search its mail log: the queue ID is assigned afresh by each server, so the one from gateway will not appear in biotech's from= record. The Message-ID, by contrast, travels with the message unchanged, so you search for that instead. It returns only one record, but from that record you can read off biotech's own queue ID and use it to retrieve the pair.

     Mar  1 14:56:44 biotech sendmail[16099]: j21Muir16099:
         from=ABC@oreilly.com, size=158, class=0, nrcpts=1,
         msgid=<12345678@oreilly.com>, relay=root@localhost
     Mar  1 14:56:44 biotech sendmail[16102]: j21Muir16099:
         to=XYZ@craic.com, ctladdr=ABC@oreilly.com (0/0),
         delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30158,
         relay=craic.com. [208.12.16.5], dsn=2.0.0, stat=Sent
         (j21Mui721208 Message accepted for delivery)

The first record here contains the string relay=root@localhost. The term localhost is the default name any Unix machine uses to refer to itself, indicating that the message was submitted on this machine (for example, by running sendmail from the command line), rather than being relayed from another source. Also, you can see that the local account that submitted the message was root. The second record reports that the message was relayed to craic.com [208.12.16.5], which is gateway, and that it was accepted; notice that the stat= string even echoes gateway's queue ID (j21Mui721208), which ties the two hosts' records together and confirms you are following the right message. So with a few simple steps, you have uncovered that the message that claimed to have been sent by ABC@oreilly.com in fact came from root@biotech.craic.com.
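The walk-back just described, as an added example that is not part of the book: a small Python script that parses sendmail log records into their key=value fields, groups the two records each hop writes by queue ID, follows the chain upstream from the receiving server by Message-ID, and stops when it reaches a relay=user@localhost submission. The log text is constructed from the two hosts' records shown above and stands in for each host's /var/log/maillog; keying the dictionary by short hostname, and the field names parsed, are assumptions drawn only from the records on this page. It also handles the failure mode the text warns about: when the next upstream host's log is not available, the trace ends without an origin rather than guessing one.

```python
"""Trace a message back through sendmail logs hop by hop (added example)."""
import re

# Constructed sample: what /var/log/maillog on each host holds for this one
# message, taken from the records quoted in the text (one record per line).
LOGS = {
    "gateway": (
        "Mar  1 14:56:44 gateway sendmail[21208]: j21Mui721208: from=<ABC@oreilly.com>, "
        "size=286, class=0, nrcpts=1, msgid=<12345678@oreilly.com>, proto=ESMTP, "
        "daemon=MTA, relay=biotech.craic.com [208.12.16.3]\n"
        "Mar  1 14:56:44 gateway sendmail[21209]: j21Mui721208: to=<XYZ@craic.com>, "
        "delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30022, dsn=2.0.0, stat=Sent\n"
    ),
    "biotech": (
        "Mar  1 14:56:44 biotech sendmail[16099]: j21Muir16099: from=ABC@oreilly.com, "
        "size=158, class=0, nrcpts=1, msgid=<12345678@oreilly.com>, relay=root@localhost\n"
        "Mar  1 14:56:44 biotech sendmail[16102]: j21Muir16099: to=XYZ@craic.com, "
        "ctladdr=ABC@oreilly.com (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, "
        "pri=30158, relay=craic.com. [208.12.16.5], dsn=2.0.0, stat=Sent "
        "(j21Mui721208 Message accepted for delivery)\n"
    ),
}

# syslog prefix, then sendmail's queue ID, then the comma-separated fields
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
# key=value pairs; a value runs until the next ", key=" so that values with
# spaces or parentheses (relay=host [ip], stat=Sent (...)) stay intact
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_line(line):
    """One maillog line -> dict with host, qid and a fields dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(m.group("rest")))
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def qid_for_msgid(records, msgid):
    """On an upstream host we know only the Message-ID: find the from= record
    carrying it and read off that host's own queue ID."""
    for r in records:
        if "from" in r["fields"] and r["fields"].get("msgid") == msgid:
            return r["qid"]
    return None


def local_submitter(relay):
    """relay=user@localhost means the message was injected locally by that account."""
    m = re.fullmatch(r"(\S+)@localhost", relay)
    return m.group(1) if m else None


def host_key(relay):
    """'biotech.craic.com [208.12.16.3]' -> 'biotech' (assumes LOGS is keyed by short name)."""
    return relay.split()[0].split(".")[0]


def trace(logs, start_host, start_qid):
    """Follow the message upstream; returns one dict per hop, newest hop first."""
    parsed = {h: parse_log(t) for h, t in logs.items()}
    hops, host, qid, downstream_qid = [], start_host, start_qid, None
    while host in parsed and qid:
        recs = [r for r in parsed[host] if r["qid"] == qid]
        frm = next((r for r in recs if "from" in r["fields"]), None)
        to = next((r for r in recs if "to" in r["fields"]), None)
        if frm is None:
            break
        hop = {"host": host, "qid": qid, "msgid": frm["fields"].get("msgid"),
               "relay": frm["fields"].get("relay", ""),
               "stat": to["fields"].get("stat") if to else None}
        # Cross-check: the next server's queue ID is echoed in this hop's stat=.
        hop["confirms_next_hop"] = bool(downstream_qid and hop["stat"]
                                        and downstream_qid in hop["stat"])
        hop["local_user"] = local_submitter(hop["relay"])
        hops.append(hop)
        if hop["local_user"]:
            break                      # reached the machine the message was injected on
        downstream_qid, host = qid, host_key(hop["relay"])
        qid = qid_for_msgid(parsed.get(host, []), hop["msgid"])  # None if log unavailable
    return hops


def origin(hops):
    """'user@host' when the chain ends at a local submission, else None (trace incomplete)."""
    if hops and hops[-1]["local_user"]:
        return f"{hops[-1]['local_user']}@{hops[-1]['host']}"
    return None


if __name__ == "__main__":
    chain = trace(LOGS, "gateway", "j21Mui721208")
    for hop in chain:
        print(hop["host"], hop["qid"], "relay=" + hop["relay"])
    print("origin:", origin(chain))
```

Run as-is, the trace reports two hops and an origin of root@biotech; drop the biotech entry from LOGS (the situation when the upstream server belongs to an ISP you cannot get logs from) and origin() returns None, which is the honest answer rather than the sender address in the headers.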

Bear in mind that this is a very simple example. There are many ways in which spammers can make tracing the source of their messages difficult or impossible.



Internet Forensics
ISBN: 059610006X