#1
Hi,

I, or rather, my company have recently become the victims of deliberate spamming in the form of "e-mail injection". This is where a spammer/hacker etc. repeatedly submits blank or nonsense messages on a client's web site contact form, causing them to receive phoney enquiries.

I can track IP addresses on the server, so what do I do once I have an IP address that I feel is suspicious (i.e. was showing as being on the site at the time of the phoney form submissions)?

What do I do now? How do I go about tracking the person/PC responsible? Is this even possible?

Thanks
Nath.
tradmusic.com
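Working through Nath's question as an added example (this is not code from any poster in the thread): correlate the server's access log with the times the phoney enquiries arrived, attribute each enquiry to a client IP, and count repeat junk submitters. The /contact.php path, the log lines, the addresses and the enquiries are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines; the form is assumed to POST to /contact.php.
ACCESS_LOG = """\
203.0.113.7 - - [11/Sep/2005:17:40:02 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [11/Sep/2005:17:40:05 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Sep/2005:17:40:31 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Sep/2005:17:41:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [11/Sep/2005:17:45:12 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed enquiries as the mail handler recorded them: (time received in UTC, message body).
ENQUIRIES = [
    (datetime(2005, 9, 11, 17, 40, 3), ""),
    (datetime(2005, 9, 11, 17, 40, 32), "asdf qwer"),
    (datetime(2005, 9, 11, 17, 41, 1), ""),
    (datetime(2005, 9, 11, 17, 45, 13), "Hello, do you stock sheet music for fiddle?"),
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_form_posts(log_text, path="/contact.php"):
    """Return [(utc_timestamp, client_ip)] for every POST to the form handler."""
    posts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4) == path:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")  # %z reads the +0000 offset
            posts.append((ts.replace(tzinfo=None) - ts.utcoffset(), m.group(1)))  # naive UTC
    return posts

def attribute(enquiries, posts, window=timedelta(seconds=5)):
    """Pair each enquiry with the nearest form POST logged at or just before it."""
    result = []
    for received, body in enquiries:
        lags = [(received - ts, ip) for ts, ip in posts if timedelta(0) <= received - ts <= window]
        result.append((min(lags)[1] if lags else None, body))
    return result

def is_junk(body, min_words=3):
    """Blank or near-blank bodies are the 'phoney enquiries' the thread describes."""
    return len(body.split()) < min_words

def suspicious_ips(enquiries, log_text, threshold=2):
    """IPs behind at least `threshold` junk submissions; these may be proxies
    or compromised hosts rather than the spammer's own machine."""
    counts = Counter(ip for ip, body in attribute(enquiries, parse_form_posts(log_text))
                     if ip and is_junk(body))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The attribution step is what turns "an IP that was on the site at the time" into a per-submission record, which is the evidence an ISP abuse desk will ask for before acting.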
#2
In article <dg1qrh$d49$>, on Sun, 11 Sep 2005 17:51:45 +0000 (UTC), tradmusic.com wrote:

| Hi,
|
| I, or rather, my company have recently become the victims of deliberate
| spamming in the form of "e-mail injection".
| This is where a spammer/hacker etc repeatedly submits blank or nonsense
| messages on a clients web site contact form, causing them to receive phoney
| enquiries.
|
| I can track IP addresses on the server, so what do I do once I have an IP
| address that I feel is suspicious (ie. was showing as being on the site at
| the time of the phoney form submissions)?
|
| What do I do now? How do I go about tracking the person/PC responsible?
| Is this even possible?

The following tools will give you interesting information about the IP addresses:

nslookup
whois
tracert

You can find online versions at <http://centralops.net/co/>

See also:

<http://www.netdemon.net/tutorials/whois.txt>
<http://www.elsop.com/wrc/nospam.htm>

--
DavidPostill
#3
On Sun, 11 Sep 2005 17:51:45 +0000 (UTC), "tradmusic.com" <> wrote:

>Hi,
>
>I, or rather, my company have recently become the victims of deliberate
>spamming in the form of "e-mail injection".
>This is where a spammer/hacker etc repeatedly submits blank or nonsense
>messages on a clients web site contact form, causing them to receive phoney
>enquiries.
>
>I can track IP addresses on the server, so what do I do once I have an IP
>address that I feel is suspicious (ie. was showing as being on the site at
>the time of the phoney form submissions)?
>
>What do I do now? How do I go about tracking the person/PC responsible?
>Is this even possible?
>
>Thanks
>Nath.

Take a look at: http://samspade.org

Why not post some of the IP addresses used here for comment.

--
Jim Watt
http://www.gibnet.com
#4
"tradmusic.com" <> wrote in message news:dg1qrh$d49$...

> Hi,
>
> I, or rather, my company have recently become the victims of deliberate
> spamming in the form of "e-mail injection".
> This is where a spammer/hacker etc repeatedly submits blank or nonsense
> messages on a clients web site contact form, causing them to receive phoney
> enquiries.
>
> I can track IP addresses on the server, so what do I do once I have an IP
> address that I feel is suspicious (ie. was showing as being on the site at
> the time of the phoney form submissions)?
>
> What do I do now? How do I go about tracking the person/PC responsible?
> Is this even possible?

For where you sit, not as such.

The official route (effectiveness will vary. A lot) is to plug the IP into WHOIS and find out which ISP owns the space. Don't bother with actual companies - just grab the ISP. If they're any good (many aren't) then they'll try to ensure that the originating machine is cleaned of nasties (simple self-interest, in protecting their own infrastructure).

From your description, though, I can't see that you'd be able to provide sufficient proof - don't you track the IPs of specific submissions? So that you can track down exactly who entered the data? And wouldn't this be a good first step?

You may well find that it's quite close to home... unless there's an individual that's specifically ****ed-off with your company. And even then, "disgruntled employee" works for both local and remote submissions ;o)

--
Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily reflect the opinions of the highly-opinionated person expressing the opinion in the first place. So there!
#5
Use whois to find out the contact info for the domain administrator for that IP address. If the admin won't help you, block the subnet for that address using firewall rules, ACL, web site scripting etc. The security community needs to share info on where these spammers are coming from. Then we can take more action.

scramble

tradmusic.com wrote:
> Hi,
>
> I, or rather, my company have recently become the victims of deliberate
> spamming in the form of "e-mail injection".
> This is where a spammer/hacker etc repeatedly submits blank or nonsense
> messages on a clients web site contact form, causing them to receive phoney
> enquiries.
>
> I can track IP addresses on the server, so what do I do once I have an IP
> address that I feel is suspicious (ie. was showing as being on the site at
> the time of the phoney form submissions)?
>
> What do I do now? How do I go about tracking the person/PC responsible?
> Is this even possible?
>
> Thanks
> Nath.
#6
writes:

>Use whois to find out the contact info for the domain administrator for
>that IP address. If the admin wont help you, block the subnet for that
>address using firewall rules, ACL, web site scripting etc. The security
>community needs to share info on where these spammers are coming from.
>Then we can take more action.

You do not understand how they work. Spammers work hand in hand with the virus people. The virus people crack computers. They sell the list of cracked computers to the spammers, who then use them to send out spam. Thus the locations you are blocking are "innocent" third parties who have been screwed over twice. I.e., the spammers "come from" your friend, your neighbor, etc.

Sometimes stupid spammers will use their own machines. And they can be caught (although how you launch a case against someone in Nigeria I do not know.)

>scramble
>tradmusic.com wrote:
>> Hi,
>>
>> I, or rather, my company have recently become the victims of deliberate
>> spamming in the form of "e-mail injection".
>> This is where a spammer/hacker etc repeatedly submits blank or nonsense
>> messages on a clients web site contact form, causing them to receive phoney
>> enquiries.
>>
>> I can track IP addresses on the server, so what do I do once I have an IP
>> address that I feel is suspicious (ie. was showing as being on the site at
>> the time of the phoney form submissions)?
>>
>> What do I do now? How do I go about tracking the person/PC responsible?
>> Is this even possible?
>>
>> Thanks
>> Nath.

Unruh
#7
On 13 Sep 2005 08:15:19 -0700, wrote:

>Use whois to find out the contact info for the domain administrator for
>that IP address. If the admin wont help you, block the subnet for that
>address using firewall rules, ACL, web site scripting etc. The security
>community needs to share info on where these spammers are coming from.
>Then we can take more action.
>scramble

It used to be as easy as that, but these days it's impossible to trace a lot of it, and often the people that are relaying it really don't seem to care.

--
Jim Watt
http://www.gibnet.com
#8
Unruh wrote:

> writes:
>
>>Use whois to find out the contact info for the domain administrator for
>>that IP address. If the admin wont help you, block the subnet for that
>>address using firewall rules, ACL, web site scripting etc. The security
>>community needs to share info on where these spammers are coming from.
>>Then we can take more action.
>
> YOu do not understand how they work. Spammers work hand in hand with the
> virus people. The virus people crack computers. They sell the list of
> cracked computers to the spammers, who then use them to send out spam.
> Thus the locations you are blocking are "innocent" third parties who have
> been screwed over twice.
> Ie, the spammers "come from" your friend, your neighbor, etc.
>
> Sometimes stupid spammers will use their own machines. And they can be
> caught (although how you launch a case against someone in Nigeria I do not
> know.)
>
>>scramble
>>tradmusic.com wrote:
>>> Hi,
>>>
>>> I, or rather, my company have recently become the victims of deliberate
>>> spamming in the form of "e-mail injection".
>>> This is where a spammer/hacker etc repeatedly submits blank or nonsense
>>> messages on a clients web site contact form, causing them to receive
>>> phoney enquiries.
>>>
>>> I can track IP addresses on the server, so what do I do once I have an
>>> IP address that I feel is suspicious (ie. was showing as being on the
>>> site at the time of the phoney form submissions)?
>>>
>>> What do I do now? How do I go about tracking the person/PC responsible?
>>> Is this even possible?
>>>
>>> Thanks
>>> Nath.

Good points...

Imhotep
#9
>
> The following tools will give you interesting information about the ip addresses.
>
> nslookup
> whois
> tracert
>
> You can find online versions at <http://centralops.net/co/>
>
> See also:
>
> <http://www.netdemon.net/tutorials/whois.txt>
> <http://www.elsop.com/wrc/nospam.htm>
> --
> DavidPostill
############################

I would add nbtstat -A IP_address to that list even though it's a lot harder to get the NetBIOS table these days. There were times when I tracked people right to their door with that and other searches.

Donnie
#10
On Fri, 16 Sep 2005 00:38:50 GMT, "Donnie" <> wrote:

>nbtstat -A IP_address to that list even though it's a ot harder to get the
>NetBIOS table these days. There were times when I tracked people right to
>their door with that and other searches.

Problem is the use of proxy servers, of which there seem to be a huge number, which the bastard still trying to spam my message board with 100 messages a day uses. I suspect it's a robot, as nobody could be so stupid and persistent.

--
Jim Watt
http://www.gibnet.com