NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

Call for participation! Msgr Spam investigation

As you all should know by now I'm a big proponent against the newest Spam scourge known as Messenger spam...

I've been asking for volunteers to act as Messenger SPAM sensors, but as of yet there have been few takers.

Well, now I'm upping the ante ... I've convinced a major Newspaper to do an Investigative Report on this topic and I REALLY need 10-12 people to become MS SPAM sensors.

If you've ever wanted to learn how to use a network analyzer (absolutely key if you want to learn about security issues) now is your chance....if you volunteer to participate I'll give you a one-on-one tutorial on setting up and using Ethereal.

Please email me ASAP if interested...this project starts TODAY and runs for the next two weeks.

support AT mynetwatchman.com
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

Do we have to use Ethereal? I've used a homebrew listener on my Linux box to capture messenger spam dating back to April, I have nearly 3,000 samples comprising approximately 200 unique messenger spam texts. They're cataloged in a MS Access 97 database. If you like I can dump this data into a format you can use and send it to you.


Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
Around, Us
·Comcast

reply to NetWatchMan
Lawrence....is this in reference to your ongoing Spam thread....Need help nabbing a Spammer?


If so....does the below comment from that thread still hold true ? Would love to help but I'm 2000+ miles away.

said by Lawrence from other post:
Thanks...unfortunately you seem to be even further away from the source than I am...so far psloss (LAX area) is the closest...he's a total of 16 hops from the spammer (ending TTL of 48).

Do we have anyone else here on roadrunner West coast...San Diego or San Franscisco would be perfect---that can run this test.
--
"Well, butter my butt and call me a biscuit."

psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to kpatz
Re: Call for participation! Msgr Spam investigation

said by kpatz:
Do we have to use Ethereal? I've used a homebrew listener on my Linux box to capture messenger spam dating back to April, I have nearly 3,000 samples comprising of approximately 200 unique messenger spam texts. They're cataloged in a MS Access 97 database. If you like I can dump this data into a format you can use and send it to you.
If you can capture the IP/UDP headers for each packet, I believe those are important in this case. I wasn't doing this, except as a side effect of other captures, until the last few weeks.

Philip Sloss
--
(Thanks, anonymous!) Feedback? e-mail: stuff@lupwa.org

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

I don't have the full (raw) UDP headers, but I do have the following information (as reported by ipchains): Date, Time, Protocol, Source IP, Source Port, Destination IP, Destination Port, Packet Length, TOS, IP ID (sequence), flags/fragmentation offset, TTL. I also have the text of the spam itself, but not the header information in the spam packet (I can pull this from the capture logs though, they just aren't in the Access DB).

psloss
Premium
join:2002-02-24
Alpharetta, GA

said by kpatz:
I don't have the full (raw) UDP headers, but I do have the following information (as reported by ipchains): Date, Time, Protocol, Source IP, Source Port, Destination IP, Destination Port, Packet Length, TOS, IP ID (sequence), flags/fragmentation offset, TTL. I also have the text of the spam itself, but not the header information in the spam packet (I can pull this from the capture logs though, they just aren't in the Access DB).
That sounds like a pretty good subset of the IP and UDP header information...it's up to you whether you want to contact Lawrence, of course.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to kpatz
Re: Call for participation! Msgr Spam investigation

You don't have to use Ethereal, but use anything that will capture the Time-to-Live (TTL) in the packet. If you're on a Unix box then I assume you have tcpdump, so just do:

tcpdump -i # -s 0 -w trace.dat "udp and (port 135 or port 1026 or port 1027 or port 1028 or port 1029)"

This will save to a binary trace file. Because Ethereal uses the same packet capture engine as tcpdump, tcpdump's traces can be read with Ethereal.

Ethereal users would need to add the above filter (no quotes) in the Ethereal capture window...yet another nicety...the capture filter syntax is identical.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch
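To show what the trace written by that tcpdump command actually contains, here is an added Python example (not code from the thread or from myNetWatchman) that decodes a libpcap file into the fields this investigation needs: source IP, destination port, IP ID and TTL, plus the printable text of the message. It assumes an Ethernet capture (dial-up/PPP traces use a different link type) carrying IPv4/UDP. The sample trace it builds is constructed, with addresses from the documentation ranges and a made-up message body.

```python
import re
import struct
import ipaddress

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
MESSENGER_PORTS = {135, 1026, 1027, 1028, 1029}   # ports in the thread's capture filter


def parse_frame(frame: bytes):
    """Decode one Ethernet/IPv4/UDP frame into a dict; return None for anything else."""
    if len(frame) < 14 + 20 + 8:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    sport, dport, ulen = struct.unpack_from("!HHH", ip, ihl)
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "src_port": sport,
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "dst_port": dport,
        "ip_id": struct.unpack_from("!H", ip, 4)[0],
        "ttl": ip[8],                          # the field the investigation keys on
        "payload": ip[ihl + 8: ihl + max(ulen, 8)],
    }


def parse_pcap(data: bytes):
    """Walk a libpcap file (tcpdump -w, or an Ethereal save) and return the UDP packets."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap trace (bad magic)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != 1:                           # DLT_EN10MB; dial-up/PPP traces differ
        raise ValueError("this example assumes an Ethernet capture")
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        rec = parse_frame(data[off:off + incl_len])
        off += incl_len
        if rec is not None:
            rec["ts"] = ts_sec + ts_usec / 1e6
            packets.append(rec)
    return packets


def messenger_hits(packets):
    """Keep only packets aimed at the Messenger/RPC ports the thread filters on."""
    return [p for p in packets if p["dst_port"] in MESSENGER_PORTS]


def spam_text(payload: bytes, min_len: int = 8):
    """Heuristic: the message body rides as printable ASCII inside the RPC request,
    so printable runs of min_len+ bytes usually give the spam text and its sender tag."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload)]


def make_frame(src, sport, dst, dport, ttl, payload):
    """Constructed test frame (checksums left zero; parse_frame does not verify them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETH_P_IP) + ip + udp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap container, as tcpdump -w writes them."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1064000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample trace (documentation address ranges): one Messenger-style
# packet with an ending TTL of 48, plus an unrelated DNS reply the port filter drops.
SAMPLE_TRACE = build_pcap([
    make_frame("203.0.113.5", 1234, "198.51.100.7", 1026, 48,
               b"\x04\x00\x08\x00\x10\x00\x00\x00" + b"\x00" * 24
               + b"SYSTEM\x00WORKSTATION\x00Your PC is broadcasting its IP address to the Internet\x00"),
    make_frame("192.0.2.53", 53, "198.51.100.7", 32771, 57, b"\x12\x34\x81\x80" + b"\x00" * 8),
])

if __name__ == "__main__":
    for p in messenger_hits(parse_pcap(SAMPLE_TRACE)):
        print(f"{p['src']} -> udp/{p['dst_port']} TTL={p['ttl']} text={spam_text(p['payload'])}")
```

Point it at a real trace with `parse_pcap(open("trace.dat", "rb").read())`; the TTL column is what the rest of the thread works from, and the IP ID is worth keeping too, since a run of consecutive IDs from one "source" is itself a hint that one host is behind several claimed addresses.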

bADbRAINs

join:2000-01-11
43°n 79&

reply to psloss
Re: Call for participation! Msgr Spam investigation

Count me in! Spammers target me on udp port 1026 all day everyday! I've logged 5 or 6 addresses in total.
I know that they hope to get a response from win2k messenger service; I always disabled the service anyway.

I must have gone to a site or was redirected against my will and my ip logged for later spam abuse. I did a dig on the addresses and sent info to their ISPs, but have yet to get a response and the spammers still are at it.


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to kpatz
said by kpatz:
I don't have the full (raw) UDP headers, but I do have the following information ...**TTL**.
That's all you really need then...but I'm really truly interested if you receive any Spam from a source that is *close* to you. Can you craft a query to your Access db that finds cases where (Powerof2 - TTL) TTL).

Good luck with that one.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch
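kpatz's ipchains fields (source, ports, IP ID, TTL, as listed above) are enough to answer the "how close is the sender" query Lawrence asks for here. The following Python is an added example, not anything posted in the thread: it parses the kernel's ipchains "Packet log:" lines into those fields, keeps UDP to the Messenger ports, and runs the (initial TTL minus ending TTL) query per source. The log lines are constructed; the starting TTL of 64 is the thread's assumption and is a parameter, and a source whose ending TTL is above that assumption is reported separately instead of being given a nonsense distance.

```python
import re
from collections import defaultdict

MESSENGER_PORTS = {135, 1026, 1027, 1028, 1029}

# Kernel 2.2 ipchains log line, after the syslog prefix:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=<tos> I=<ip id> F=<flags/frag> T=<ttl> [(#rule)]
IPCHAINS_RE = re.compile(
    r"(?P<date>[A-Z][a-z]{2}\s+\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)


def parse_ipchains(lines):
    """Turn ipchains log lines into dicts with the fields kpatz lists; skip other lines."""
    hits = []
    for line in lines:
        m = IPCHAINS_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
            rec[key] = int(rec[key])
        rec["tos"], rec["frag"] = int(rec["tos"], 16), int(rec["frag"], 16)
        hits.append(rec)
    return hits


def messenger_only(hits):
    """UDP to the Messenger/RPC ports from the thread's capture filter."""
    return [h for h in hits if h["proto"] == 17 and h["dport"] in MESSENGER_PORTS]


def nearby_sources(hits, max_hops, initial_ttl=64):
    """The query Lawrence asks for: per source, how far away it appears to be
    (initial_ttl - ending TTL, best case when several TTLs were seen), keeping only
    sources within max_hops. Sources whose TTL exceeds initial_ttl are returned in a
    second list: the assumed starting TTL is wrong for them (a 128 or 255 sender),
    so no distance can be read off under this assumption."""
    by_src = defaultdict(lambda: {"count": 0, "ttls": set()})
    for h in hits:
        by_src[h["src"]]["count"] += 1
        by_src[h["src"]]["ttls"].add(h["ttl"])
    close, bad_assumption = [], []
    for src, entry in by_src.items():
        hops = min(initial_ttl - t for t in entry["ttls"])
        if hops < 0:
            bad_assumption.append(src)
        elif hops <= max_hops:
            close.append({"src": src, "hops": hops,
                          "ttls": sorted(entry["ttls"]), "count": entry["count"]})
    return sorted(close, key=lambda r: r["hops"]), bad_assumption


# Constructed log excerpt (documentation address ranges), in the real ipchains format.
SAMPLE_LOG = """\
Sep 28 03:14:07 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:1234 198.51.100.7:1026 L=1052 S=0x00 I=48213 F=0x0000 T=48 (#12)
Sep 28 03:14:09 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:1234 198.51.100.7:1026 L=1052 S=0x00 I=48214 F=0x0000 T=53 (#12)
Sep 28 03:20:41 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.77:4444 198.51.100.7:1027 L=980 S=0x00 I=1025 F=0x0000 T=116 (#12)
Sep 28 03:21:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.80:3301 198.51.100.7:135 L=48 S=0x00 I=777 F=0x4000 T=110 (#9)
Sep 28 03:25:13 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.200:1026 198.51.100.7:1026 L=600 S=0x00 I=9 F=0x0000 T=61 (#12)
"""

if __name__ == "__main__":
    spam = messenger_only(parse_ipchains(SAMPLE_LOG.splitlines()))
    close, odd = nearby_sources(spam, max_hops=12)
    for r in close:
        print(f"{r['src']:16} ~{r['hops']:2d} hops  TTLs={r['ttls']}  packets={r['count']}")
    print("ending TTL above the assumed 64, re-check with 128/255:", odd)
```

The same query in Access terms is a GROUP BY on the source column with `64 - Min(TTL)` as the hop estimate and a HAVING clause on that value; the Python version just adds the sanity check that a TTL above the assumed start means the assumption, not the spammer, is wrong.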


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to Bubba
Re: Call for participation! Msgr Spam investigation

said by Bubba:

If so....does the below comment from that thread still hold true ? Would love to help but I'm 2000+ miles away.

This project is much more broad than what I was posting before...I'm looking to get diverse sensors...diverse both from a Geography standpoint AND an ISP standpoint.

It would be VERY helpful to compare what you see on RR in Memphis to what I see (relatively close to you) here in Atlanta on Comcast.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA


reply to NetWatchMan
SPAM Net is widening, currently:

1) Atlanta, GA - Comcast
2) Orange Cnty, CA - Roadrunner
3) New York, NY - Verizon
4) San Jose, CA - Speakeasy
5) San Diego, CA - setup in process
6) San Fran, CA - setup in process
7) Memphis, TN - Roadrunner
8) xxxx, TX - Comcast
9) xxxx, OK - Cox

Keep it coming...
--
Lawrence Baldwin

myNetWatchman

The Internet Neighborhood Watch

[text was edited by author 2003-10-01 09:26:55]


kkb
Pack your own parachute

join:2000-06-11
Montrose, CO
reply to NetWatchMan
Sadly I'm on dialup. Installed Ethereal/WinPCap but can't get it to sniff DUN (it's not listed on the available interfaces list.)

Is there something special I need to set up, or is there another sniffer I should use?

BTW: Win XP Home

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

reply to NetWatchMan
Re: Call for participation! Msgr Spam investigation

said by NetWatchMan:
That's all you really need then...but I'm really truly interested if you receive any Spam from a source that is *close* to you. Can you craft a query to your Access db that finds cases where (Powerof2 - TTL) TTL).
How *close* are you looking for? Within 10 hops? 5 hops? 2 hops? Let me know and I'll run a query.

In the past 24 hours I've received 62 messenger spams, including one "new" one, a new variant of EasyPopupBlocker.


catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East
reply to NetWatchMan
Re: Call for participation! Msgr Spam investigation

Bump
What information do you need, IP/TTL...?

doppler

join:2003-03-31
Blue Point, NY
reply to NetWatchMan
Here are two IPs for sure

203.199.177.196 and 203.197.199.185

Asia pacific area.

So just how am I going to stop spam coming from out of the Pacific Ocean area?

Yes, port 1026 traffic is on the increase. All really
taking off since 3 weeks ago.


plencnerb
Premium
join:2000-09-25
Racine, WI

reply to NetWatchMan
Re: Call for participation! Msgr Spam investigation

said by NetWatchMan:
SPAM Net is widening, currently:

1) Atlanta, GA - Comcast
2) Orange Cnty, CA - Roadrunner
3) New York, NY - Verizon
4) San Jose, CA - Speakeasy
5) San Diego, CA - setup in process
6) San Fran, CA - setup in process
7) Memphis, TN - Roadrunner

Keep it coming...

I see you don't have anyone from IL yet. I'm in Zion, IL, and if possible, would love to help out on this.

My ISP is Comcast, and I have a few machines at home running behind a Netgear Router with NAT (not sure if that will mess up your test or not).

Let me know if you want me to help, what software I need to download, etc, etc, and I'll do what I can.

Thanks
--
============================
--Brian Plencner
E-Mail: saursesCancer@comcast.net
Note: Kill Cancer to Reply via e-mail


Buffalo-2

@easynet.be



reply to NetWatchMan
I use Portpeeker ( www.linklogger.com/portpeeker.htm )

As soon as my firewall reports an inbound connection attempt, I fire up portpeeker to listen on the port the connection is being made to, and I allow the firewall the inbound connection.

I already nailed 3 American SPAM-scumbags using it! Does wonders!


exocet_cm
Thank a cop
Premium
join:2003-03-23
New Orleans, LA
reply to NetWatchMan
I want to help.


catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East


If you want to help:

said by NetWatchMan:

Unfortunately, I'm also convinced that this joker is sending the traffic using a *forged* IP address from two different locations...I'm pretty sure they are both in the US or Canada.

When I receive this traffic I note that the ending TTLs (time-to-live) in the packets are 48 and 53. Assuming a starting TTL of 64, that would mean the spammer is only 16 and 11 hops away from me, respectively. Thus, my conclusion that this traffic is NOT actually coming from China, but much more local.

This is a good opportunity to test an idea that I've had for backtracing the source of spoofed traffic...I call it "TTL Triangulation" ... it works much like a GPS receiver...by collecting spam packets from various locations and comparing the TTLs we should be able to hone in on where the actual source of this traffic is.

So I ask anyone here that wants to participate and has the ability to take full packet captures of inbound Messenger spam to capture packets from this IP and email them to me.

My guide to setting up Ethereal is here:
www.mynetwatchman.com/pckidiot

You'll want to enter the following string in the 'Filter' box on the Capture screen:

[edit for new filter]
(port 135 or port 1026 or port 1027 or port 1028 or port 1029)

Feel free to email or phone me, I'll be happy to give some one-on-one help if you're not clear on how to set this up.

+1.678.624.0924
support (at) mynetwatchman . com

Note the TTL value in the example packet...the closer your value is to 64 the closer YOU are to the spammer...if I can at least identify which ISP he's using I can nab him.
--
Lawrence Baldwin

myNetWatchman

The Internet Neighborhood Watch

[text was edited by author 2003-09-20 10:01:51]
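The "TTL Triangulation" idea quoted above, as an added example (my code, not Lawrence's or myNetWatchman's): it guesses each packet's starting TTL from the values common stacks use, turns the ending TTL into a hop count per sensor, ranks the sensors by closeness, counts distinct TTLs per sensor (the thread's "two different locations" reasoning), and checks the TTL-derived distance against the hop count each sensor actually measures to the claimed source address, which is the test for a forged source. The sensor names, TTLs and traceroute hop counts are constructed, and the 3-hop slack for asymmetric routes is an assumption.

```python
COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # starting values common stacks use


def infer_initial_ttl(observed: int) -> int:
    """Smallest common starting TTL that is >= the observed value. This is the
    thread's 'power of 2' guess extended with 255; it assumes the path is shorter
    than the gap to the next candidate, which holds for realistic hop counts."""
    for cand in COMMON_INITIAL_TTLS:
        if cand >= observed:
            return cand
    raise ValueError(f"TTL {observed} is not a valid IPv4 TTL")


def hops_away(observed: int) -> int:
    """Hop count between the sender and the sensor that saw this ending TTL."""
    return infer_initial_ttl(observed) - observed


def senders_per_sensor(observed_ttls):
    """Distinct ending TTLs at one sensor for one claimed source point to distinct
    sending hosts or paths (the thread sees 48 and 53 and concludes two locations)."""
    return {sensor: len(set(ttls)) for sensor, ttls in observed_ttls.items()}


def rank_sensors(observed_ttls):
    """observed_ttls: {sensor: [ending TTL, ...]} for packets with the same claimed
    source. Returns [(sensor, hops)] nearest first, taking each sensor's best case."""
    ranked = [(sensor, min(hops_away(t) for t in ttls))
              for sensor, ttls in observed_ttls.items()]
    return sorted(ranked, key=lambda item: item[1])


def spoof_check(observed_ttls, traceroute_hops, slack=3):
    """Compare the TTL-derived distance with the hop count each sensor measured
    (e.g. with traceroute) to the *claimed* source. Routes are asymmetric, so a few
    hops of slack is allowed; a large gap at every sensor means the source is forged."""
    return {sensor: abs(traceroute_hops[sensor] - hops) <= slack
            for sensor, hops in rank_sensors(observed_ttls)}


def likely_forged(verdicts) -> bool:
    """Forged if no sensor's TTL distance agrees with its measured path to the claimed source."""
    return not any(verdicts.values())


# Constructed illustration (not the thread's data): ending TTLs each sensor saw from
# one claimed source, and the hop count each sensor's traceroute needs to reach it.
OBSERVED = {
    "Atlanta, GA (Comcast)": [48, 53, 48],
    "Orange County, CA (Roadrunner)": [52, 52],
    "New York, NY (Verizon)": [46, 51],
}
TRACEROUTE_TO_CLAIMED_SRC = {
    "Atlanta, GA (Comcast)": 24,
    "Orange County, CA (Roadrunner)": 21,
    "New York, NY (Verizon)": 23,
}

if __name__ == "__main__":
    senders = senders_per_sensor(OBSERVED)
    for sensor, hops in rank_sensors(OBSERVED):
        print(f"{hops:2d} hops  {sensor}  (distinct senders seen: {senders[sensor]})")
    verdicts = spoof_check(OBSERVED, TRACEROUTE_TO_CLAIMED_SRC)
    print("TTL distance agrees with path to claimed source:", verdicts)
    print("source address forged:", likely_forged(verdicts))
```

Two caveats a sensor operator should keep in mind: a single ending TTL only gives distance, not direction, so the ranking needs several sensors on different ISPs before it says anything about location, and a sender on a stack that starts at 128 (Windows) shows up with TTLs in the 100s, which the starting-TTL guess handles but the thread's fixed assumption of 64 would not.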



NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to kkb
I'm pretty sure this won't work (as I don't think it'll work on XP), but give this a try:

www.mynetwatchman.com/downloads/netxcap1.zip

Above is an enhanced demo version of NetXray (I knew the owners): you can capture unlimited packets, but only view the first five. But no matter, if you do file save/as, then specify .enc as a file extension, it'll write the *full trace* in Sniffer format..which you can then read into Ethereal and view ALL packets.

A bit clumsy, but NetXray works great on all kinds of funky adapters, dialup, PPPoE, etc..
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch
Thursday, 29-Jul 20:50:22 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 11 years online! © 1999-2010 dslreports.com.