How to Trace a Spammer's Web Site

To be added: examples using Sam Spade and UXN Spam Combat

How to identify the service provider (WhoIs lookup)

How to use Traceroute to identify the site's IP address

How to deal with IP address cloaking in an advertised site

How to identify the service provider

(1) The spam. Friday 13 is sure going to be this guy's unlucky day, because I needed an example to put here.

Status:   U
Return-Path:    <xxxhottxxx@gmx.net>
Received:   from ool-4356a00f.dyn.optonline.net ([67.86.160.15]) by sparrow.mail.pas.earthlink.net (EarthLink SMTP Server) with SMTP id 18mSrf52J3NZFjV0 for <wlevinso@ix.netcom.com>; Fri, 13 Dec
2002 08:13:17 -0800 (PST)
Received: from relay.seanet.ru (relay.seanet.ru [195.5.158.34]) by lensveld.com (8.10.2/8.10.2) with SMTP id gAPHcX700601 for <wlevinso ix.netcom.com>; Fri, 13 Dec 2002 16:13:46 +0000
Received:   from eposta.kablonet.com.tr (unknown [62.248.102.66]) by n2.peterstar.net (8.11.6/8.11.4) with SMTP id gAR8vj815706 for <wlevinso ix.netcom.com>; Fri, 13 Dec 2002 16:13:46 +0000
Received: from unknown (HELO manch.terra.net.lb) (212.98.130.3) by master.overseas.spb.ru (8.9.3/8.9.3) with ESMTP id NAA62560; for <wlevinso ix.netcom.com>; Fri, 13 Dec 2002 16:13:46 +0000
From: "awiper" <xxxhottxxx@gmx.net>
To: "" <wlevinso ix.netcom.com>
Subject: Free DVD               <==== see statement at right
X-Priority:    3
X-MSMail-Priority:    Normal
         X-Mailer:     Mozilla 4.75 [en] (Win95; U)
             Date:    Fri, 13 Dec 2002 16:13:46 +0000
      Message-ID:               <36894D0B18FCD6118FD000B0D078BB59377E00@DW_ANTWERP_II>
Mime-Version:   1.0
      Content-Type:    text/plain; charset="us-ascii"
   X-Mozilla-Status:    8001
X-Mozilla-Status2:    00000000
          X-UIDL:    18mSrf52J3NZFjV0.0

*****100% FREE ADULT DVD & VIDEOS***500+ choices ************
Celebrities in compromising positions!
[various obsceneties deleted]
Asians, Ebony, Farm Girls and VIRGINS!!
http://pornadultdvds.com/store15/index.htm <===== TARGET

31472-30428-21903

Note also that this spam may violate a couple of Pennsylvania laws. (Not legal advice, I am not a lawyer.)

10 (A.1) DISSEMINATION OF EXPLICIT SEXUAL MATERIAL VIA AN
11 ELECTRONIC COMMUNICATION.--NO PERSON, KNOWING THE CONTENT OF THE
12 ADVERTISEMENT TO BE EXPLICIT SEXUAL MATERIALS, AS DEFINED IN
13 SUBSECTION (C)(1) AND (C)(2), SHALL TRANSMIT OR CAUSE TO BE
14 TRANSMITTED AN UNSOLICITED ADVERTISEMENT IN AN ELECTRONIC
15 COMMUNICATION AS DEFINED IN SECTION 5702 (RELATING TO
16 DEFINITIONS) TO ONE OR MORE PERSONS WITHIN THIS COMMONWEALTH
17 THAT CONTAINS EXPLICIT SEXUAL MATERIALS AS DEFINED IN
18 SUBSECTIONS (C)(1) AND (C)(2) WITHOUT INCLUDING IN THE
19 ADVERTISEMENT THE TERM "ADV-ADULT" AT THE BEGINNING OF THE
20 SUBJECT LINE OF THE ADVERTISEMENT.

See the subject line at left. As for the phony address:

28     (l) Penalty for attempt to evade prosecution.--Any person
29 who violates subsection (a)(10) (A.1) and attempts to avoid       <--
30 prosecution by knowingly including false or misleading
1 information in the return address portion of the electronic   <--
2   COMMUNICATIONS such that the recipient would be unable
3 to send a reply message to the original, authentic sender shall,
4 in addition to any other penalty imposed, upon conviction, be
5 sentenced to pay a fine of not less than $100 nor more than $500
6 per message or to imprisonment for not more than 90 days, or
   7 both, for a first offense and a fine of not less than $500 nor
8 more than $1,000 or to imprisonment for not more than one year,
9 or both, for a second OR SUBSEQUENT offense.

It's possible that the spam has to include explicit material (like photos) as opposed to linking to it, but this might be usable against some spammers.

(2) Finding out who the spammer is: Sam Spade tools

This gives you very extensive information on the spammer, including the domain's IP address and WhoIs lookup.

whois -h magic pornadultdvds.com

pornadultdvds.com is registered with ABACUS AMERICA, INC. DBA NAMES4EVER - redirecting to whois.names4ever.com

     whois -h whois.names4ever.com pornadultdvds.com
...
     Registrant:
        R T H, Inc.
        PO Box 801123
        Aventura, FL 33180
        United States

Domain Name: pornadultdvds.com

     Administrative Contact:
        G M (2GZKP) info@ahugepenis.com [I'll grant that the guy is a BIG PRICK]
        R T H, Inc.
        PO Box 801123
        Aventura, FL 33180
        United States
        Phone: 786-417-3506

     Technical Contact:
        G M (2GZKP) info@ahugepenis.com
        R T H, Inc.
        PO Box 801123
        Aventura, FL 33180
        United States
        Phone: 786-417-3506

     Billing Contact:
        G M (2GZKP) info@ahugepenis.com
        R T H, Inc.
        PO Box 801123
        Aventura, FL 33180
        United States
        Phone: 786-417-3506

     Record last updated on 2002-11-21 15:18:10.453
     Record created on 2002-11-18 16:10:35.673
     Record expires on 2003-11-18 16:10:35.673

     Domain servers in listed order:
        ns1.fakinbacon.com <==== See if it has an abuse address
        ns2.fakinbacon.com

     Registration Service Provider: R T H, Inc.
          info "at" bozombo.com
          (305) 9818525

....
]Sam Spade automatically performs a traceroute as well.]
traceroute pornadultdvds.com

pornadultdvds.com resolves to 64.70.23.243

Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.

Your computer, or the tracing computer (at ln.net) is at the top.
Do not complain to the service providers at the top!
      3    130.152.180.21   3.603 ms   isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
      4    198.172.117.161 9.217 ms   ge-2-3-0.a02.lsanca02.us.ra.verio.net [AS2914] Verio
      5    129.250.29.136   5.580 ms   xe-1-0-0.r21.lsanca01.us.bb.verio.net [AS2914] Verio
      6    129.250.2.187    11.784 ms p16-1-1-0.r21.snjsca04.us.bb.verio.net [AS2914] Verio
      7    129.250.2.198    14.569 ms p16-1-1-2.r21.plalca01.us.bb.verio.net [AS2914] Verio
      8    129.250.3.85     11.809 ms p16-1-0-0.r00.plalca01.us.bb.verio.net [AS2914] Verio
      9    129.250.9.58     11.819 ms p4-0.cw.plalca01.us.bb.verio.net [AS2914] Verio
     10    208.172.146.101 15.150 ms agr1-loopback.SantaClara.cw.net
     11    208.172.156.165 16.502 ms dcr2-so-6-0-0.SantaClara.cw.net
     12    208.172.34.99    15.244 ms dcr1-loopback.Anaheim.cw.net
     13    208.172.44.98    15.341 ms dhr1-pos-0-0.Elsegundola1.cw.net
     14    216.34.192.33    16.383 ms dcr01-g2-0.elsg01.exodus.net (DNS error) [AS3967] Exodus Communications
     15    216.34.192.243   18.737 ms csr12-ve242.elsg01.exodus.net(DNS error) [AS3967] Exodus Communications
     16    64.70.23.243     15.525 ms DNS error [AS3967] Exodus Communications
The spammer is at the bottom. In this case, complain to abuse "at" exodus.net.

Summary: complaints were sent to abuse "at" exodus.net and fakinbacon.com, and postmaster "at" fakinbacon.com

Fakinbacon.com was undeliverable, but abuse "at" exodus.net works.

(2) Finding out who the spammer is: UXN Spam Combat

Checking server [whois.crsnic.net]
Checking server [whois.names4ever.com]

In some cases, it is worth checking to see if the registrar has an abuse (spamming) policy. This one does not, but godaddy.com may revoke proven spammers' domain name registrations.

Results:
...
Registrar for .com .org and .net domain names.

   Registrant:
   R T H, Inc.
     PO Box 801123
   Aventura, FL 33180
    United States

Domain Name: pornadultdvds.com

   Administrative Contact:
    G M (2GZKP) info@ahugepenis.com   [The BIG PRICK again]
     R T H, Inc.
     PO Box 801123
    Aventura, FL 33180
    United States
      Phone: 786-417-3506

   Administrative Contact:
        G M (2GZKP) info@ahugepenis.com
        R T H, Inc.
        PO Box 801123
        Aventura, FL 33180
        United States
        Phone: 786-417-3506

     Technical Contact:
        G M (2GZKP) info@ahugepenis.com
        R T H, Inc.
        PO Box 801123
        Aventura, FL 33180
        United States
        Phone: 786-417-3506

     Billing Contact:
        G M (2GZKP) info@ahugepenis.com
        R T H, Inc.
        PO Box 801123
        Aventura, FL 33180
        United States
        Phone: 786-417-3506

     Record last updated on 2002-11-21 15:18:10.453
     Record created on 2002-11-18 16:10:35.673
     Record expires on 2003-11-18 16:10:35.673

    Domain servers in listed order:
    ns1.fakinbacon.com
   ns2.fakinbacon.com

Registration Service Provider: R T H, Inc.
info@bozombo.com
(305) 9818525

You can actually do a traceroute on the doman name itself:

traceroute to PORNADULTDVDS.COM (64.70.23.243), 30 hops max, 40 byte packets
1 manny.Firewall.Opus1.COM (192.245.12.95) 4.883 ms
2 Opus-GW (207.182.35.49) 17.577 ms
3 66.62.80.165 (66.62.80.165) 28.319 ms
4 lax1-core-02.tamerica.net (66.62.5.130) 49.802 ms
5 slc1-core-01.tamerica.net (66.62.3.6) 47.848 ms
6 slc1-core-02.tamerica.net (66.62.3.33) 54.684 ms
7 den1-core-01.tamerica.net (66.62.3.22) 51.754 ms
8 den1-edge-01.tamerica.net (66.62.4.3) 54.684 ms
9 den-core-01.tamerica.net (205.171.4.177) 94.721 ms
10 * * *
11 * * *
12 acr2.Denver.cw.net (208.172.162.62) 52.731 ms
13 * * *
14 dcr1-so-0-2-0.Anaheim.cw.net (208.172.44.9) 86.908 ms
15 dhr1-pos-0-0.Elsegundola1.cw.net (208.172.44.98) 88.861 ms
16 dcr01-g2-0.elsg01.exodus.net (216.34.192.33) 89.838 ms
17 csr12-ve242.elsg01.exodus.net (216.34.192.243) 90.814 ms
18 64.70.23.243 (64.70.23.243) 91.791 ms

Another one. Friday 13 will definitely not be a "happy time" for this moron.

To display this in Netscape Communicator: go to the menu bar and select VIEW, then HEADERS, then FULL. "View Page Source" also works.

Status: U
Return-Path: <information@happytime2000.com>
Received: from email ([200.60.136.236]) by sparrow.mail.pas.earthlink.net (EarthLink SMTP Server)
with SMTP id 18mX4b7Ar3NZFjV0 Fri, 13 Dec 2002 13:08:54 -0800 (PST)
From: "www.happytime2000.com" <information@happytime2000.com>
To: "www.happytime2000.com" <information@happytime2000.com>
Subject: «Â¦Óè 30 ÁûÅø¸ËW¯Å¯S»ù¥un 149 ü¤¸¡A¥§¡¤@Áû¤£
¨ì 5 ü¤¸¡A¥þ²yµ´¹ï¨S±o¤ñªº»ù®æ
Date: Fri, 13 Dec 2002 15:58:04 -0500
Mime-Version: 1.0
X-Mailer:
RET Mailer
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="BIG5"
Content-Disposition: inline
Content-Length: 664
Message-ID: <200212131308.18mX4b7Ar3NZFjV0@sparrow.mail.pas.earthlink.net>
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 18mX4b7Ar3NZFjV0.24

«Â¦Óè 30 ÁûÅø¸ËW¯Å¯S»ù¥un 149 ü¤¸¡A¥§¡¤@Áû¤£¨ì 5 ü¤¸¡A¥þ²yµ´¹ï¨S±o¤ñªº»ù®æ

ÅF°Ê¥@Éªº¨k©Ê¨}ÃÄ«Â¦Óè¡A¹ï©ÊµL¯à©Î§•õ±wªÌO¤@Ó²ö¤jªºÀ°§U¡A ¤£¯à¹L©Ê¥Í¡ªº¤H¥un¦Y¤W¤@²É¡A¥bÓ¤p®É´N¯•¤j®¡A«ùÄò«ÂªZ¡A
¨ÉºÉ•y¡AÁÙµ¥¤°»ò¡A§Ö¨Ó happytime Ý¤@¤U ....

http://www.happytime2000.com

More about the domain server Dragonfans.com from Sam Spade's Address Digger

www.dragonfans.com resolves to 200.24.166.75
Mail for dragonfans.com is handled by mail.dragonfans.com (10) 200.24.166.67

This is in Latin America (see at right). It's consistent with the E-mail analysis. A lookup on LACNIC for this IP address yields

inetnum:     <A HREF="/cgi-bin/lacnic/whois?lg=EN&qr=200.24.166/24">200.24.166/24</A>
status:      reassigned
owner:       Dragonfans (Comercial Formosa S.A.)
ownerid:     <A HREF="/cgi-bin/lacnic/whois?lg=EN&qr=PE-DCFS-LACNIC">PE-DCFS-LACNIC</A>
address:     Jr. de la Torre 161, Lince
address:     Lima,
country:     PE
owner-c:     CI62-ARIN
inetrev:     200.24.166/24
[deleted]

nic-hdl:     CI62-ARIN
person:      CORE INTERNET
e-mail:      isp.gestion "at" ATTLA.COM <==== Complain to this ISP as well
address:     AT&T PERU S.A.
address:     Chinchon 910 San Isidro
address:     LIMA, LIMA LIMA 27
country:     PE
phone:       +51-1-610-5555 ext.
source:      ARIN-LACNIC-TRANSITION

Using Sam Spade:

happytime2000.com is registered with DOTSTER, INC. - redirecting to whois.dotster.com

whois -h whois.dotster.com happytime2000.com
[Check dotster.com to see if it will revoke a domain registration for spamming. No such statement was found, but it's worth looking into. Godaddy.com apparently does have an acceptable use policy.]

      Registrant:
        Think More Inc             [He should have thought more before spamming!]
        Road Banana 2349
        5th avenued mistir town
        asa, Liy 28659
        KM

        Registrar: DOTSTER
        Domain Name: HAPPYTIME2000.COM
           Created on: 23-JAN-02
           Expires on: 23-JAN-03
           Last Updated on: 23-JAN-02

        Administrative Contact:
           Jix, Yun coolphoto66@yahoo.com
           Think More Inc
           Road Banana 2349
           5th avenued mistir town
           asa, Liy 28659
           KM
           1123345455
           344434446

Technical Contact: [same]

        Domain servers in listed order:
           NS2.DRAGONFANS.COM
           NS1.DRAGONFANS.COM

In this case, there is no traceroute!
Dragonfans.com is actually in South America (the page is in Spanish) which is consistent with the E-mail trail to Peru. Maybe this guy is trying to spam Asia from South America!
Complaint sent to coolphoto66@yahoo.com, abuse "at" dragonfans.com, payment "at" dragonfans.com (this address was found on their Web page), abuse "at" attila.com, isp.gestion "at" attila.com

How to use Traceroute

Addition (12/8/01): Sam Spade's tools include a reverse IP address lookup feature. This will get an address to report the spam even if Traceroute does not identify the domain of origin.

Windows comes with a very useful utility called TRACERT.EXE. It is in the Windows directory. You can use it to trace a route from your server to the spammer's, and thus identify the spammer's service provider. This is very useful, since:

WhoIs records may not be up to date
The spammer's service provider may show only an IP address

TRACERT www.iamaspammer.com >>x:spam.txt

Your

spammer's

Example: TRACERT WWW.MMAILDIRECT.COM

Tracing route to www.mmaildirect.com [207.201.213.33]
over a maximum of 30 hops:

1     *        *        *     Request timed out.
2   189 ms   179 ms   199 ms wbr-pa-gw1.netcom.net [165.236.65.65]
3   214 ms   187 ms   199 ms h0-0-1.nwk-nj-gw1.netcom.net [163.179.209.1]
4   250 ms   230 ms   227 ms h2-0-ny-nap.netcom.net [163.179.232.217]
5   195 ms   190 ms   210 ms BR1.PSK1.Alter.net [192.157.69.60]
6   209 ms   199 ms   199 ms Hssi2-0.CR2.EWR1.Alter.Net [137.39.100.30]
7   214 ms   199 ms   199 ms 112.ATM11-0-0.XR1.EWR1.ALTER.NET [146.188.176.18]
8   190 ms   308 ms     *     100.ATM10-0-0.TR1.EWR1.ALTER.NET [146.188.176.74]
9   228 ms   229 ms   250 ms 105.ATM4-0-0.TR1.HOU4.ALTER.NET [146.188.137.42]
10   225 ms   250 ms   248 ms 100.ATM8-0-0.XR1.HOU4.ALTER.NET [146.188.240.169]
11   250 ms   250 ms   259 ms 193.ATM11-0-0.GW1.HOU1.ALTER.NET [146.188.240.153]
12   262 ms   299 ms   299 ms ACSI-SW-gw.customer.ALTER.NET [157.130.128.26]
13   274 ms   288 ms   269 ms elpaso-tx-1-a11-0.acsi.net [206.222.97.7]
14   285 ms   270 ms   290 ms tucson-az-1-a12-0.acsi.net [206.222.97.8]
15     *     dakotacom.net-cpe.acsi.net [206.222.101.238] reports: Destination net unreachable.

Trace complete.
Send your spam complaint to acsi.net (last known provider in the trace)

Example: TRACERT 205.238.206.150

Tracing route to hot-live-sex.com [205.238.206.150]
over a maximum of 30 hops:

1     *        *        *     Request timed out.
2   204 ms   187 ms   200 ms wbr-pa-gw1.netcom.net [165.236.65.65]
3   195 ms   200 ms   200 ms h0-0-1.nwk-nj-gw1.netcom.net [163.179.209.1]
4   206 ms   196 ms   186 ms h2-0-ny-nap.netcom.net [163.179.232.217]
5   405 ms   379 ms   349 ms BR1.PSK1.Alter.net [192.157.69.60]
6   360 ms     *        *     Hssi2-0.CR2.EWR1.Alter.Net [137.39.100.30]
7   199 ms   198 ms   194 ms 105.Hssi8-0-0.GW1.PHL1.Alter.Net [137.39.58.225]
8   269 ms   239 ms   219 ms Fddi0.SR1.PHL1.Alter.Net [137.39.40.132]
9   235 ms   220 ms   230 ms epix2-gw.customer.ALTER.NET [137.39.34.68]
10   246 ms   246 ms   239 ms svcr05-3.epix.net [199.224.88.61]
11   216 ms   239 ms   269 ms mtrs01-2b.epix.net [199.224.103.122]
12   385 ms   383 ms   339 ms cust-datamg.epix.net [199.224.103.222]
13   260 ms   269 ms   219 ms hot-live-sex.com [205.238.206.150]

Trace complete.

You would forward the spam to epix.net. Note that, even if the spammer provides only an IP address, tracert will identify the domain.

How to deal with IP address cloaking

From January 1999 Spammers are now coding their IP addresses to prevent TRACEROUTE from working. Here's how to deal with this.
I got a spam with the http address 3448153922 (a porn site). This is not a standard-format IP address.
(1) PING 3448153922 to get the IP address
Pinging 205.134.167.66 with 32 bytes of data:
Reply from 205.134.167.66: bytes=32 time=269ms TTL=249
(2) TRACEROUTE 205.134.167.66
Tracing route to 205.134.167.66 over a maximum of 30 hops
1     *        *        *     Request timed out.
2   245 ms   250 ms   239 ms wbr-pa-gw1.netcom.net [165.236.65.65]
3   218 ms   199 ms   199 ms h0-0-50-nwk-nj-gw1.netcom.net [165.236.95.165]
4   197 ms   200 ms   205 ms h0-0-50-nwk-nj-gw1.netcom.net [165.236.95.165]
5   197 ms   210 ms   230 ms BR1.PSK1.Alter.net [192.157.69.60]
6   207 ms   209 ms   219 ms Hssi2-0.HR2.EWR1.Alter.Net [137.39.100.30]
7   206 ms   660 ms   550 ms 112.ATM3-0.XR2.EWR1.ALTER.NET [146.188.176.30]
8   230 ms   700 ms   549 ms 292.ATM3-0.TR2.NYC1.ALTER.NET [146.188.179.14]
9   208 ms   209 ms   209 ms 104.ATM7-0.TR2.DCA1.ALTER.NET [146.188.136.217]
10   218 ms   210 ms   210 ms 198.ATM7-0.XR2.TCO1.ALTER.NET [146.188.161.181]
11   220 ms   210 ms   210 ms 192.ATM9-0-0.GW2.TCO1.ALTER.NET [146.188.160.61]
12   219 ms   209 ms   230 ms uu-peer.pos-4-oc12-core.ai.net [205.134.160.2]
13   240 ms   220 ms   230 ms 205.134.167.66
Trace complete.
Complaint sent to alter.net (UU.NET) and AI.NET.
From March 2001 I Miss You SOOOOOOOO Bad!!!!
I am sitting here at work thinking about how good it would feel to have your hands sliding up my skirt.(I don't have any panties on!) I'm so horny right now!
I just remembered. I have my digital camera with me. I'll take some pictures for you to look at. Hehe. I'm so bad today.
Click here to see the pics I took for you bad boy. (The following is all one line) http://678.595.375.77-wausdiux-mcxqg-qirsc.htm
@00000000320.00000000223.0000000050.00000000160/?
redirect=www.fortunecity.com/bfwwfwtq/svcaouvul/qtxvayhw.htm
Turns out that the site is http://00000000320.00000000223.0000000050.00000000160/ and the rest is irrelevent.
You want to PING 00000000320.00000000223.0000000050.00000000160 to get the IP address
Pinging 208.147.40.112 with 32 bytes of data:
Reply from 208.147.40.112: bytes=32 time=471ms TTL=244
Reply from 208.147.40.112: bytes=32 time=480ms TTL=244
Reply from 208.147.40.112: bytes=32 time=560ms TTL=244
Reply from 208.147.40.112: bytes=32 time=430ms TTL=244
Ping statistics for 208.147.40.112:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 430ms, Maximum = 560ms, Average = 485ms
Tracing route to 208.147.40.112 over a maximum of 30 hops
1   174 ms   199 ms   199 ms srv5-3-16.nwr2.bd.ans.net [207.205.234.130]
2   206 ms   190 ms   200 ms gw1.nwr2.bd.ans.net [207.205.234.252]
3   230 ms   230 ms   250 ms core-snfx1-atm.grid.net [206.80.188.234]
4   280 ms   249 ms   237 ms core3-atm3-0.sanfrancisco.cw.net [198.32.128.12]
5   255 ms   240 ms   250 ms corerouter1.sanfrancisco.cw.net [204.70.9.131]
6   260 ms   260 ms   240 ms acr1-loopback.sanfranciscosfd.cw.net [206.24.210.61]
7   259 ms   239 ms   249 ms acr1-loopback.washingtondck.cw.net [206.24.226.61]
8   249 ms   250 ms   243 ms bar5-loopback.washingtondck.cw.net [206.24.226.10]
9   300 ms   299 ms   310 ms dn-inc.washingtondck.cw.net [208.173.6.122]
10   289 ms   269 ms   284 ms 208.147.40.112
Trace complete.
Complaint to abuse "at" cw.net

E-mail:
"Spam Delenda Est" antispam home page

visitors since 7 January 2003