Welcome to LITTLEWHITEDOG.COM
 Telling it like it is...    
Spam's Empire - Chapter 6
Posted on Tuesday, April 04 @ 15:17:39 PDT by FatherTyme

EdisonRex submitted the following:

Chapter 6 – Hunting Tools, and some Evidence

Hunting for board spammers differs in some ways from hunting for mail spammers. For one thing, there isn't an obvious trail to follow: there are no long mail headers to analyse. The false members leave dead-end mail accounts at unhelpful providers, so there is little immediate information to work with. Certainly we are not able to communicate directly with either Mr. Karabanov or, much more interestingly, the elusive Mr. Radomanov.

Second-order information, such as patterns of abuse, spamshot timing, and especially the particular use of IP ranges as relays, is the best we can work with. Having the cooperation of other forum administrators and the help of many willing volunteers makes the job easier.

An effective collection of tools for the spam hunter, and some tried-and-true techniques, are essential. There is a community of folks out there who make it their business to chase after spammers. It is a noble undertaking, and I have learned a lot from reading this past week. I can particularly recommend the Spam Huntress, and especially her amazing wiki, which I found to be a comprehensive source of information on tracking the different kinds of spam.

There is arguably a core set of tools one should have in one's toolkit for tracking down spammers. Forum spammers differ in that a lot of the information you will need is not readily available without asking someone. If you are a forum moderator or a site admin, you can find information such as the IP addresses of the posters, but you can't find it for other sites unless you can enlist the aid of the site admins or moderators there. We did precisely that, especially once we had discerned the particular timestamps of the spam runs we wanted to identify.
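The two passages above describe the second-order evidence that is actually available: spamshot timing across several forums, and the IP ranges the posts come from. The script below is an added example, not code from the article or its author, showing how post records shared by cooperating forum admins can be correlated. The records are constructed sample data (forum name, timestamp, username, IP) using documentation address ranges; the ten-minute window and the /24 grouping are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records, as three cooperating admins might share them:
# forum,timestamp,username,ip  (hypothetical users, documentation IP ranges)
SAMPLE_POSTS = """\
forumA,2006-03-28 02:14:05,gamesfan77,203.0.113.17
forumB,2006-03-28 02:14:40,gamesfan77,203.0.113.17
forumC,2006-03-28 02:16:12,bestgame_ru,203.0.113.88
forumA,2006-03-28 11:03:00,regular_joe,198.51.100.9
forumB,2006-03-29 02:15:30,gamesfan77,203.0.113.21
forumC,2006-03-29 02:17:02,bestgame_ru,203.0.113.90
forumA,2006-03-30 14:40:00,another_user,192.0.2.5
"""


def parse_posts(text):
    """Turn the shared CSV lines into dicts sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        forum, ts, user, ip = line.split(",")
        rows.append({
            "forum": forum,
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "ip": ip_address(ip),
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def find_runs(rows, window_minutes=10, min_forums=2):
    """A 'run' is a chain of posts each within `window_minutes` of the previous
    one; only chains that hit at least `min_forums` different forums count."""
    runs, current = [], []
    for row in rows:
        gap = row["time"] - current[-1]["time"] if current else timedelta(0)
        if current and gap > timedelta(minutes=window_minutes):
            if len({r["forum"] for r in current}) >= min_forums:
                runs.append(current)
            current = []
        current.append(row)
    if current and len({r["forum"] for r in current}) >= min_forums:
        runs.append(current)
    return runs


def summarize_runs(runs, prefix=24):
    """Per run: time span, forums hit, usernames used, and source networks."""
    out = []
    for run in runs:
        nets = {str(ip_network(f"{r['ip']}/{prefix}", strict=False)) for r in run}
        out.append({
            "start": run[0]["time"].isoformat(sep=" "),
            "end": run[-1]["time"].isoformat(sep=" "),
            "forums": sorted({r["forum"] for r in run}),
            "users": sorted({r["user"] for r in run}),
            "networks": sorted(nets),
        })
    return out


def source_ranges(rows, prefix=24):
    """Which forums were hit from each /prefix network, across all posts.
    A range that reaches several forums is the relay or bot pool to report."""
    by_net = defaultdict(set)
    for r in rows:
        net = ip_network(f"{r['ip']}/{prefix}", strict=False)
        by_net[net].add(r["forum"])
    return {str(net): sorted(forums) for net, forums in by_net.items()}


if __name__ == "__main__":
    rows = parse_posts(SAMPLE_POSTS)
    for run in summarize_runs(find_runs(rows)):
        print(run)
    print(source_ranges(rows))
```

The run detector is deliberately simple: it only needs each admin to export timestamp, username and IP, which is exactly the information the article says you must ask other sites for. Timestamps must be normalised to one time zone before the records are merged.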

My two favourite tools are Neotrace and Sam Spade. Neotrace (also known briefly as Visual Trace) is a combination trace, geolocation, whois (domain owner finder), and network range locator. Sam Spade is a domain name lookup tool with some very good extra tools integrated into it. Perhaps the most valuable tool in Sam Spade is the WWW dump facility. A lot of these websites are of such shady origin that one wouldn't want to expose one's browser to them. Sam Spade's WWW dump simply opens a text window showing the raw text coming from the site; the site's contents dump into a window for you to look at. You do need a good understanding of HTML and JavaScript though, as you aren't looking at the rendered result, you are looking at the raw data. Although the two tools above are for Windows systems, it actually isn't a good idea to use Windows-based browsers when tracing forum spammers. Whatever you do, do not use Internet Explorer unless you really have a good idea of your risk and are willing to accept that you are likely to be compromised. You are much safer with Sam Spade.
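The point of a WWW dump is that the page is fetched as text and never rendered, so nothing on it runs. The script below is an added example in that spirit, not Sam Spade's code or anything from the article: it fetches raw bytes with a plain HTTP client and then inventories what a browser would have executed or contacted (external scripts, inline script, iframes, meta refreshes, forms, links). The sample page and its `.example` hosts are constructed; `raw_dump` is only needed for a live fetch, everything else works on the stored text.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample dump (hypothetical .example hosts) standing in for the raw
# text of a spammer's landing page.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://landing.example/go">
<script src="http://cdn.example/track.js"></script>
<script>document.write("<img src='http://cdn.example/p.gif'>");</script>
</head><body>
<a href="http://game.example/register">Play free!</a>
<iframe src="http://ads.example/frame" width="1" height="1"></iframe>
<form action="http://game.example/signup" method="post"></form>
</body></html>"""


class ResourceInventory(HTMLParser):
    """Record what a browser *would* fetch or execute, without doing any of it."""

    def __init__(self):
        super().__init__()
        self.external_scripts = []
        self.inline_script_chars = 0
        self.iframes = []
        self.links = []
        self.forms = []
        self.meta_refresh = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.external_scripts.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://..."; keep only the target
            content = a.get("content", "")
            i = content.lower().find("url=")
            self.meta_refresh.append(content[i + 4:].strip() if i >= 0 else content)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies over as plain data: we count, never evaluate
        if self._in_script:
            self.inline_script_chars += len(data.strip())


def inventory(raw_html):
    """Parse a dump and return the resource inventory as a dict."""
    p = ResourceInventory()
    p.feed(raw_html)
    p.close()
    return {
        "external_scripts": p.external_scripts,
        "inline_script_chars": p.inline_script_chars,
        "iframes": p.iframes,
        "links": p.links,
        "forms": p.forms,
        "meta_refresh": p.meta_refresh,
    }


def contacted_hosts(inv):
    """Every host the page would pull content from or send the visitor to."""
    urls = (inv["external_scripts"] + inv["iframes"] + inv["links"]
            + inv["forms"] + inv["meta_refresh"])
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})


def raw_dump(url, timeout=15):
    """Fetch the page as bytes with a plain HTTP client: nothing is rendered,
    no script runs and no sub-resource is requested (URL is whatever you pass)."""
    req = urllib.request.Request(url, headers={"User-Agent": "raw-dump/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    inv = inventory(SAMPLE_HTML)
    for key, value in inv.items():
        print(f"{key}: {value}")
    print("hosts:", contacted_hosts(inv))
```

The host list is the part worth keeping with the case notes: each extra host is another owner to run whois against, and a 1x1 iframe or an instant meta refresh is exactly the kind of thing a rendered view hides.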

In addition to these tools, all of the commercial search engines and the Internet Archive's Wayback Machine are extremely useful. Also, don't forget the Google cache. Finally, a good screen-capture utility is key.

Data collection is a very good idea, but have a clear idea of what you are trying to prove. Tracking down Oleg's site wasn't particularly hard, since the guy was so completely brazen. Other spammers, however, can be more subtle and might take a few searches to get to know. It helps to track back a ways: for example, if you are doing a traceroute, do not simply collect data on the endpoint; make sure you collect data on the next-to-last hop (usually the ISP) and possibly a few more back (the owner of a block of IP ranges might be related to, or condoning, the spamming). Taking screenshots is as valuable as saving URL references. URLs can disappear faster than you can investigate, but good screenshots which capture all of the pertinent information will help to preserve data. You can always delete it later, or make it available to someone who might be interested in investigating on your behalf. The main problem is that almost all spamshots, that is, all except those of a rank amateur, come from a relay or bot. It is usually of some significance to someone to make sure that those sources are captured, especially with a timestamp, to provide evidence which can be used by someone else.
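As an added example of the two habits above (look at the hops before the endpoint, and preserve captures with a timestamp), not code from the article, the script parses a constructed traceroute listing, picks out the endpoint plus the responding hops just before it with the /24 each belongs to, and stores any capture next to a JSON record carrying its SHA-256 and a UTC timestamp so that a third party can confirm it is unchanged. Hostnames and addresses in the sample are hypothetical; the `back=2` depth and /24 grouping are assumptions.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
from ipaddress import ip_network
from pathlib import Path

# Constructed traceroute output (hypothetical hosts, documentation IP ranges).
SAMPLE_TRACE = """\
traceroute to game.example (203.0.113.17), 30 hops max, 60 byte packets
 1  gw.home.example (192.168.1.1)  1.023 ms  0.987 ms  0.955 ms
 2  * * *
 3  core1.isp.example (198.51.100.1)  12.4 ms  12.1 ms  12.0 ms
 4  border.upstream.example (198.51.100.254)  40.2 ms  39.8 ms  41.0 ms
 5  gw.hoster.example (203.0.113.1)  120.3 ms  119.9 ms  121.2 ms
 6  game.example (203.0.113.17)  121.0 ms  120.7 ms  120.9 ms
"""

# "<hop>  <host> (<ipv4>) ..." ; lines of "* * *" do not match and are skipped
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(text):
    """Return the responding hops as dicts with hop number, host and IP."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "host": m.group(2), "ip": m.group(3)})
    return hops


def hops_to_record(hops, back=2, prefix=24):
    """Endpoint first, then the `back` responding hops before it, each with
    the network a whois lookup should be run against."""
    chosen = hops[-(back + 1):]
    return [
        dict(h, network=str(ip_network(f"{h['ip']}/{prefix}", strict=False)))
        for h in reversed(chosen)
    ]


def save_capture(directory, name, raw, note):
    """Write the raw capture (screenshot, dump, trace) and a sidecar JSON
    record with its SHA-256 and capture time in UTC."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    data = raw if isinstance(raw, bytes) else raw.encode("utf-8")
    raw_path = directory / name
    raw_path.write_bytes(data)
    record = {
        "file": raw_path.name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "bytes": len(data),
        "captured_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    rec_path = raw_path.with_suffix(raw_path.suffix + ".json")
    rec_path.write_text(json.dumps(record, indent=2))
    return rec_path


def verify_capture(rec_path):
    """Recompute the stored file's hash and compare it with the record."""
    rec_path = Path(rec_path)
    record = json.loads(rec_path.read_text())
    data = (rec_path.parent / record["file"]).read_bytes()
    return hashlib.sha256(data).hexdigest() == record["sha256"]


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACE)
    for h in hops_to_record(hops):
        print(f"hop {h['hop']:>2}  {h['ip']:<16} {h['host']:<26} whois {h['network']}")
    rec = save_capture("evidence", "trace-game.example.txt", SAMPLE_TRACE, "constructed sample")
    print("record:", rec, "verified:", verify_capture(rec))
```

The hash and timestamp do not prove when a capture was taken on their own; they let whoever you hand the material to confirm that what they received is what you saved, which is the point of keeping screenshots alongside URLs that may vanish.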

There are many spam blacklists. There are only a few good ones, however. I like spamhaus.org for its good data.
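Blacklists such as Spamhaus are queried over DNS: the address's octets are reversed, the list's zone is appended, and an answer in 127.0.0.0/8 means "listed", with the last octet saying why. The script below is an added example, not Spamhaus's own tooling or code from the article. The answer-code table is the one Spamhaus documents for its ZEN zone; the functions other than `lookup` work offline, and `lookup` assumes your resolver is allowed to query the public mirrors (open resolvers and heavy users are refused, which the error-range check reports rather than mistaking for a listing).

```python
import socket
from ipaddress import IPv4Address, ip_network

# Spamhaus ZEN answer codes (as documented by Spamhaus). Other DNSBLs use
# their own codes, so keep a table per zone.
ZEN_CODES = {
    "127.0.0.2": "SBL: listed as a spam source or spam support",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL: exploited host (bot, open proxy, compromised machine)",
    "127.0.0.9": "SBL DROP: hijacked or rogue netblock",
    "127.0.0.10": "PBL: end-user address space, ISP-maintained policy",
    "127.0.0.11": "PBL: end-user address space, Spamhaus-maintained policy",
}
XBL_RANGE = ip_network("127.0.0.4/30")        # 127.0.0.4 .. 127.0.0.7 are all XBL
ERROR_RANGE = ip_network("127.255.255.0/24")  # query refused/limited, not a listing


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """203.0.113.17 -> 17.113.0.203.zen.spamhaus.org (reverse the octets)."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answer):
    """Explain one answer address from the ZEN zone."""
    a = IPv4Address(answer)
    if a in ERROR_RANGE:
        return "error: query refused or rate-limited, not a listing"
    if a in XBL_RANGE:
        return ZEN_CODES["127.0.0.4"]
    return ZEN_CODES.get(str(a), f"unknown code {a}")


def is_policy_only(answers):
    """True when every answer is a PBL code: the address sits in dynamic or
    end-user space, which by itself says nothing about spam being sent."""
    pbl = ("127.0.0.10", "127.0.0.11")
    return bool(answers) and all(str(IPv4Address(a)) in pbl for a in answers)


def interpret(ip, query, answers):
    """Turn the raw answer list into a verdict (pure function, testable offline)."""
    hits = [a for a in answers if IPv4Address(a) not in ERROR_RANGE]
    return {
        "ip": ip,
        "query": query,
        "listed": bool(hits),
        "reasons": [classify(a) for a in answers],
        "policy_only": is_policy_only(answers),
    }


def lookup(ip, zone="zen.spamhaus.org"):
    """Live query. NXDOMAIN (raised as gaierror) means the address is not listed."""
    name = dnsbl_name(ip, zone)
    try:
        answers = socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return interpret(ip, name, [])
    return interpret(ip, name, answers)


if __name__ == "__main__":
    # Offline demonstration on a constructed answer set; swap in lookup(ip)
    # for a real check.
    print(interpret("203.0.113.17", dnsbl_name("203.0.113.17"), ["127.0.0.2", "127.0.0.10"]))
```

A PBL-only hit is the case to watch when reading results for a forum spammer's relays: it tells you the address is consumer space that should not be sending mail directly, not that the host has been caught spamming, whereas an XBL answer points at a compromised machine, which fits the "relay or bot" pattern the article describes.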

Something we have noticed is that there really isn't a lot of awareness of forum spamming in spam-catcher circles, and even less in ISP and governmental circles. It is certain that the spammers are using this ignorance to perfect their art form. Forum spamming is certainly ambiguous in the context of an ISP's Acceptable Use Policy. Ann Elisabeth's excellent WebHuntress site has some thoughts about this and is a recommended read. In any case, any good forum administrator should make sure that there are clear rules posted, and that those rules match up with both the ISP's AUP and the local laws of the jurisdiction the server resides in.

Both Oleg Karabanov's and Andrey Radomanov's local Internet Service Providers are on the Spamhaus list. Not all Russian ISPs are. In fact, not all of the ISPs hosted at the same street address are on such lists. We continue to note that we have never found any connection between Oleg and Andrey, other than that both of them use mail.ru, both of them block mail from a number of English-speaking domains, and both of them speak English. It just doesn't add up.

We have not in any way finished our investigation of Oleg. Our favourite part of the investigation is, in fact, taking much longer, because, well, it can only really be done about 30 minutes a day. Yes, we have someone playing Oleg's game. Our undercover agent has been describing the experience of playing the game, such as it is, and we are finding out more about the “free” claim (it isn't). We are starting to examine how it is that an unfinished, dull, text based game could possibly make money for its owners.

So stay with us, as soon we will hear from Agent Sully.

Re: Spam's Empire - Chapter 6 (Score: 1)
by Rahhstah (SpamProof@nowhere.org) on Sunday, June 18 @ 08:11:23 PDT
http://www.lvld.org
Good work!

Re: Spam's Empire - Chapter 6 (Score: 1)
by ThunderDawg on Sunday, June 18 @ 08:29:51 PDT
http://www.tomaxwell.com/
Excellent Article Edison :D

Re: Spam's Empire - Chapter 6 (Score: 1)
by Mungbeans on Tuesday, June 20 @ 19:29:44 PDT
You are a legend. Looking forward to the next installment.

This site designed and hosted by littleblackdog.com
All product names throughout this site are trademarks or registered trademarks of their respective holders.
Copyright © 2000-2008, littleblackdog.com | All rights reserved | Please read our legal info
No portion of this site may be duplicated without specific permission from the site owner.

Web site engine code is Copyright © 2003 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.