IP Address tracking?

Discussion in 'Computer Security' started by tradmusic.com, Sep 11, 2005.

  1. Hi,

    I, or rather, my company have recently become the victims of deliberate
    spamming in the form of "e-mail injection".
    This is where a spammer/hacker etc repeatedly submits blank or nonsense
    messages on a client's web site contact form, causing them to receive phoney
    enquiries.

    I can track IP addresses on the server, so what do I do once I have an IP
    address that I feel is suspicious (ie. was showing as being on the site at
    the time of the phoney form submissions)?

    What do I do now? How do I go about tracking the person/PC responsible?
    Is this even possible?

    Thanks
    Nath.
     
    tradmusic.com, Sep 11, 2005
    #1

  2. tradmusic.com

    DavidPostill Guest

    In article <dg1qrh$d49$-infra.bt.com>, on Sun, 11 Sep 2005 17:51:45 +0000
    (UTC), tradmusic.com wrote:

    | Hi,
    |
    | I, or rather, my company have recently become the victims of deliberate
    | spamming in the form of "e-mail injection".
    | This is where a spammer/hacker etc repeatedly submits blank or nonsense
    | messages on a clients web site contact form, causing them to receive phoney
    | enquiries.
    |
    | I can track IP addresses on the server, so what do I do once I have an IP
    | address that I feel is suspicious (ie. was showing as being on the site at
    | the time of the phoney form submissions)?
    |
    | What do I do now? How do I go about tracking the person/PC responsible?
    | Is this even possible?

    The following tools will give you interesting information about the ip addresses.

    nslookup
    whois
    tracert

    You can find online versions at <http://centralops.net/co/>

    See also:

    <http://www.netdemon.net/tutorials/whois.txt>
    <http://www.elsop.com/wrc/nospam.htm>
    --
    DavidPostill
     
    DavidPostill, Sep 11, 2005
    #2

  3. tradmusic.com

    Jim Watt Guest

    On Sun, 11 Sep 2005 17:51:45 +0000 (UTC), "tradmusic.com"
    <> wrote:

    >Hi,
    >
    >I, or rather, my company have recently become the victims of deliberate
    >spamming in the form of "e-mail injection".
    >This is where a spammer/hacker etc repeatedly submits blank or nonsense
    >messages on a clients web site contact form, causing them to receive phoney
    >enquiries.
    >
    >I can track IP addresses on the server, so what do I do once I have an IP
    >address that I feel is suspicious (ie. was showing as being on the site at
    >the time of the phoney form submissions)?
    >
    >What do I do now? How do I go about tracking the person/PC responsible?
    >Is this even possible?
    >
    >Thanks
    >Nath.


    Take a look at:

    http://samspade.org

    Why not post some of the IP addresses used here for comment.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 12, 2005
    #3
  4. "tradmusic.com" <> wrote in message
    news:dg1qrh$d49$-infra.bt.com...
    > Hi,
    >
    > I, or rather, my company have recently become the victims of deliberate
    > spamming in the form of "e-mail injection".
    > This is where a spammer/hacker etc repeatedly submits blank or nonsense
    > messages on a clients web site contact form, causing them to receive phoney
    > enquiries.
    >
    > I can track IP addresses on the server, so what do I do once I have an IP
    > address that I feel is suspicious (ie. was showing as being on the site at
    > the time of the phoney form submissions)?
    >
    > What do I do now? How do I go about tracking the person/PC responsible?
    > Is this even possible?


    For where you sit, not as such.

    The official route (effectiveness will vary. A lot) is to plug the IP into
    WHOIS and find out which ISP owns the space. Don't bother with actual
    companies - just grab the ISP.

    If they're any good (many aren't) then they'll try to ensure that the
    originating machine is cleaned of nasties (simple self interest, in
    protecting their own infrastructure)

    From your description, though, I can't see that you'd be able to provide
    sufficient proof - don't you track the IPs of specific submissions? So that
    you can track down exactly who entered the data? And wouldn't this be a good
    first step?

    You may well find that it's quite close to home... unless there's an
    individual that's specifically pissed-off with your company. And even then,
    "disgruntled employee" works for both local and remote submissions ;o)

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Sep 12, 2005
    #4
  5. tradmusic.com

    Guest

    Use whois to find out the contact info for the domain administrator for
    that IP address. If the admin won't help you, block the subnet for that
    address using firewall rules, ACL, web site scripting etc. The security
    community needs to share info on where these spammers are coming from.
    Then we can take more action.
    scramble
    tradmusic.com wrote:
    > Hi,
    >
    > I, or rather, my company have recently become the victims of deliberate
    > spamming in the form of "e-mail injection".
    > This is where a spammer/hacker etc repeatedly submits blank or nonsense
    > messages on a clients web site contact form, causing them to receive phoney
    > enquiries.
    >
    > I can track IP addresses on the server, so what do I do once I have an IP
    > address that I feel is suspicious (ie. was showing as being on the site at
    > the time of the phoney form submissions)?
    >
    > What do I do now? How do I go about tracking the person/PC responsible?
    > Is this even possible?
    >
    > Thanks
    > Nath.
     
    , Sep 13, 2005
    #5
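To make DavidPostill's whois suggestion and scramble's "block the subnet" step concrete, here is an added example, not code from anyone in the thread, that parses a WHOIS record for the netblock and abuse contact, checks that the suspicious address really falls inside that block, and only then emits a firewall rule for it. The two WHOIS records, the addresses and the mailboxes are constructed sample data; the code handles both RIPE-style (inetnum) and ARIN-style (NetRange) records, which generalises the single lookup the thread discusses.

```python
import ipaddress
import re

# Constructed WHOIS responses in the style of two registries. Sample data only:
# the netblocks are RFC 5737 documentation ranges and the contacts are invented.
SAMPLE_RIPE = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-POOL
descr:          Example ISP dynamic customer pool
country:        XX
abuse-mailbox:  abuse@isp.example
status:         ASSIGNED PA
source:         RIPE # Filtered
"""

SAMPLE_ARIN = """\
NetRange:       198.51.100.0 - 198.51.100.127
CIDR:           198.51.100.0/25
NetName:        EXAMPLE-HOSTING
OrgAbuseEmail:  abuse@hosting.example
OrgTechEmail:   noc@hosting.example
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.*?)\s*$")
RANGE_KEYS = ("inetnum", "netrange")
ABUSE_KEYS = ("abuse-mailbox", "orgabuseemail", "e-mail")


def parse_whois(text):
    """Key/value fields of a WHOIS record, keys lower-cased, first occurrence kept."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields


def range_to_cidrs(range_text):
    """'first - last' -> list of CIDR strings covering exactly that range."""
    first, last = (p.strip() for p in range_text.split("-"))
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    return [str(n) for n in nets]


def summarise(ip, whois_text):
    """What you need before writing to the ISP: the netblock, whether the
    suspicious address really sits inside it, and the abuse contact."""
    fields = parse_whois(whois_text)
    range_text = next((fields[k] for k in RANGE_KEYS if k in fields), None)
    if range_text is None:
        raise ValueError("no inetnum/NetRange field in record")
    cidrs = range_to_cidrs(range_text)
    contact = next((fields[k] for k in ABUSE_KEYS if k in fields), None)
    addr = ipaddress.ip_address(ip)
    inside = any(addr in ipaddress.ip_network(c) for c in cidrs)
    return {
        "ip": ip,
        "netname": fields.get("netname"),
        "cidrs": cidrs,
        "abuse_contact": contact,
        "ip_in_block": inside,
    }


def drop_rules(cidrs):
    """iptables lines for the whole netblock: the last resort once the abuse
    desk has not answered. As Unruh notes further down the thread, this hits
    every other host in the block as well, so report first and block second."""
    return [f"iptables -A INPUT -s {c} -j DROP" for c in cidrs]


if __name__ == "__main__":
    report = summarise("192.0.2.77", SAMPLE_RIPE)
    print(report)
    if report["ip_in_block"] and report["abuse_contact"]:
        print("report to:", report["abuse_contact"])
    print("\n".join(drop_rules(report["cidrs"])))
```

The `ip_in_block` check matters because a WHOIS lookup on a stale or mistyped address can return a neighbouring allocation; the rule should never be written from a record the suspect address does not actually belong to.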
  6. tradmusic.com

    Unruh Guest

    writes:

    >Use whois to find out the contact info for the domain administrator for
    >that IP address. If the admin wont help you, block the subnet for that
    >address using firewall rules, ACL, web site scripting etc. The security
    >community needs to share info on where these spammers are coming from.
    >Then we can take more action.


    You do not understand how they work. Spammers work hand in hand with the
    virus people. The virus people crack computers. They sell the list of
    cracked computers to the spammers, who then use them to send out spam.
    Thus the locations you are blocking are "innocent" third parties who have
    been screwed over twice.
    Ie, the spammers "come from" your friend, your neighbor, etc.

    Sometimes stupid spammers will use their own machines. And they can be
    caught (although how you launch a case against someone in Nigeria I do not
    know.)



    >scramble
    >tradmusic.com wrote:
    >> Hi,
    >>
    >> I, or rather, my company have recently become the victims of deliberate
    >> spamming in the form of "e-mail injection".
    >> This is where a spammer/hacker etc repeatedly submits blank or nonsense
    >> messages on a clients web site contact form, causing them to receive phoney
    >> enquiries.
    >>
    >> I can track IP addresses on the server, so what do I do once I have an IP
    >> address that I feel is suspicious (ie. was showing as being on the site at
    >> the time of the phoney form submissions)?
    >>
    >> What do I do now? How do I go about tracking the person/PC responsible?
    >> Is this even possible?
    >>
    >> Thanks
    >> Nath.
     
    Unruh, Sep 13, 2005
    #6
  7. tradmusic.com

    Jim Watt Guest

    On 13 Sep 2005 08:15:19 -0700, wrote:

    >Use whois to find out the contact info for the domain administrator for
    >that IP address. If the admin wont help you, block the subnet for that
    >address using firewall rules, ACL, web site scripting etc. The security
    >community needs to share info on where these spammers are coming from.
    >Then we can take more action.
    >scramble


    It used to be as easy as that, but these days it's impossible to trace
    a lot of it, and often the people that are relaying it really don't
    seem to care.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 13, 2005
    #7
  8. tradmusic.com

    Imhotep Guest

    Unruh wrote:

    > writes:
    >
    >>Use whois to find out the contact info for the domain administrator for
    >>that IP address. If the admin wont help you, block the subnet for that
    >>address using firewall rules, ACL, web site scripting etc. The security
    >>community needs to share info on where these spammers are coming from.
    >>Then we can take more action.

    >
    > YOu do not understand how they work. Spammers work hand in hand with the
    > virus people. The virus people crack computers. They sell the list of
    > cracked computers to the spammers, who then use them to send out spam.
    > Thus the locations you are blocking are "innocent" third parties who have
    > been screwed over twice.
    > Ie, the spammers "come from" your friend, your neighbor, etc.
    >
    > Sometimes stupid spammers will use their own machines. And they can be
    > caught (although how you launch a case against someone in Nigeria I do not
    > know.)
    >
    >
    >
    >>scramble
    >>tradmusic.com wrote:
    >>> Hi,
    >>>
    >>> I, or rather, my company have recently become the victims of deliberate
    >>> spamming in the form of "e-mail injection".
    >>> This is where a spammer/hacker etc repeatedly submits blank or nonsense
    >>> messages on a clients web site contact form, causing them to receive
    >>> phoney enquiries.
    >>>
    >>> I can track IP addresses on the server, so what do I do once I have an
    >>> IP address that I feel is suspicious (ie. was showing as being on the
    >>> site at the time of the phoney form submissions)?
    >>>
    >>> What do I do now? How do I go about tracking the person/PC responsible?
    >>> Is this even possible?
    >>>
    >>> Thanks
    >>> Nath.


    Good points...
     
    Imhotep, Sep 14, 2005
    #8
  9. tradmusic.com

    Donnie Guest


    >
    > The following tools will give you interesting information about the ip addresses.
    >
    > nslookup
    > whois
    > tracert
    >
    > You can find online versions at <http://centralops.net/co/>
    >
    > See also:
    >
    > <http://www.netdemon.net/tutorials/whois.txt>
    > <http://www.elsop.com/wrc/nospam.htm>
    > --
    > DavidPostill


    ############################
    I would add
    nbtstat -A IP_address to that list even though it's a lot harder to get the
    NetBIOS table these days. There were times when I tracked people right to
    their door with that and other searches.
    Donnie
     
    Donnie, Sep 16, 2005
    #9
  10. tradmusic.com

    Jim Watt Guest

    On Fri, 16 Sep 2005 00:38:50 GMT, "Donnie" <>
    wrote:

    >nbtstat -A IP_address to that list even though it's a lot harder to get the
    >NetBIOS table these days. There were times when I tracked people right to
    >their door with that and other searches.


    Problem is the use of proxy servers, of which there seem
    to be a huge number which the bastard still trying to spam my
    message board with 100 messages a day uses.

    I suspect it's a robot as nobody could be so stupid and
    persistent.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 16, 2005
    #10
  11. tradmusic.com

    Donnie Guest

    "Jim Watt" <_way> wrote in message
    news:...
    > On Fri, 16 Sep 2005 00:38:50 GMT, "Donnie" <>
    > wrote:
    >
    > >nbtstat -A IP_address to that list even though it's a lot harder to get the
    > >NetBIOS table these days. There were times when I tracked people right to
    > >their door with that and other searches.

    >
    > Problem is the use of proxy servers, of which there seem
    > to be a huge number which the bastard still trying to spam my
    > message board with 100 mesages a day uses.
    >
    > I suspect its a robot as nobody could be so stupid and
    > persistent.
    > --
    > Jim Watt
    > http://www.gibnet.com

    ##################################
    That's true about proxy servers and opened relays. I have alerted admins to
    that and they have closed the holes. I also have gotten accounts closed.
    The problem is that it took about 3 hours of tracing headers, running whois
    and a bunch of other commands on a Unix box to close 2 or 3 holes. By that
    time you just say "__________" (fill in the blank).
    Donnie
     
    Donnie, Sep 21, 2005
    #11
  12. tradmusic.com

    Jim Watt Guest

    On Wed, 21 Sep 2005 00:51:10 GMT, "Donnie" <>
    wrote:

    >
    >"Jim Watt" <_way> wrote in message
    >news:...
    >> On Fri, 16 Sep 2005 00:38:50 GMT, "Donnie" <>
    >> wrote:
    >>
    >> >nbtstat -A IP_address to that list even though it's a lot harder to get the
    >> >NetBIOS table these days. There were times when I tracked people right to
    >> >their door with that and other searches.

    >>
    >> Problem is the use of proxy servers, of which there seem
    >> to be a huge number which the bastard still trying to spam my
    >> message board with 100 mesages a day uses.
    >>
    >> I suspect its a robot as nobody could be so stupid and
    >> persistent.
    >> --
    >> Jim Watt
    >> http://www.gibnet.com

    >##################################
    >That's true about proxy servers and opened relays. I have alerted admins to
    >that and they have closed the holes. I also have gotten accounts closed.
    >The problem is that it took about 3 hours of tracing headers, running whois
    >and a bunch of other commands on a Unix box to close 2 or 3 holes. By that
    >time you just say "__________" (fill in the blank).


    The rejection log is a handy resource if I ever need a good proxy
    server ...

    Most of them seem to be Cisco webcache boxes and they
    have changed the default admin password :)

    As the website has adequate connectivity I can just watch
    the person bashing away against a brick wall as my scripts
    seem to deal with his scripts.

    I've got some ideas to implement when time permits, or the tactics
    change. In the meantime it's amazing how stupid some people can
    be to continue a lost cause.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 21, 2005
    #12
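Jim Watt's rejection log and his suspicion that the poster is a robot are the kind of thing a server log can settle. Here is an added example, not code from anyone in the thread, that reads Apache combined-format access log lines for the contact form, groups them by client IP and reports the signals that distinguish a script from a visitor: a steady inter-arrival time between POSTs, no referer, and never having fetched the form before posting it. The log lines, addresses, user agents and the `/contact.php` path are constructed sample data.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines: one address hammering the form on a
# fixed 30-second cycle with no referer, and one visitor who loaded the form
# before posting it. RFC 5737 addresses, invented user-agent strings.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
HUMAN_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
SAMPLE_LOG = "\n".join([
    f'203.0.113.9 - - [21/Sep/2005:00:10:00 +0000] "POST /contact.php HTTP/1.0" 403 512 "-" "{BOT_UA}"',
    f'198.51.100.23 - - [21/Sep/2005:00:10:12 +0000] "GET /contact.php HTTP/1.1" 200 2048 "http://www.example.com/" "{HUMAN_UA}"',
    f'203.0.113.9 - - [21/Sep/2005:00:10:30 +0000] "POST /contact.php HTTP/1.0" 403 512 "-" "{BOT_UA}"',
    f'203.0.113.9 - - [21/Sep/2005:00:11:00 +0000] "POST /contact.php HTTP/1.0" 403 512 "-" "{BOT_UA}"',
    f'203.0.113.9 - - [21/Sep/2005:00:11:30 +0000] "POST /contact.php HTTP/1.0" 403 512 "-" "{BOT_UA}"',
    f'203.0.113.9 - - [21/Sep/2005:00:12:00 +0000] "POST /contact.php HTTP/1.0" 403 512 "-" "{BOT_UA}"',
    f'198.51.100.23 - - [21/Sep/2005:00:14:47 +0000] "POST /contact.php HTTP/1.1" 200 1024 "http://www.example.com/contact.php" "{HUMAN_UA}"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """One combined-format line -> dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(log_text, form_path="/contact.php", min_posts=3):
    """Per-IP view of who is posting the form and whether the cadence looks
    scripted: steady gaps between POSTs, no referer, never fetched the form."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == form_path:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        posts = [r for r in recs if r["method"] == "POST"]
        if not posts:
            continue
        loaded_form_first = any(r["method"] == "GET" and r["ts"] < posts[0]["ts"] for r in recs)
        with_referer = sum(1 for r in posts if r["referer"] not in ("", "-"))
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(posts, posts[1:])]
        median = statistics.median(gaps) if gaps else None
        spread = statistics.pstdev(gaps) if len(gaps) > 1 else None
        # "Steady" means the gaps vary by at most 10% of the median: a timer, not a person.
        steady = bool(spread is not None and median and spread <= 0.1 * median)
        robotic = len(posts) >= min_posts and (steady or (not loaded_form_first and with_referer == 0))
        report[ip] = {
            "posts": len(posts),
            "loaded_form_first": loaded_form_first,
            "posts_with_referer": with_referer,
            "median_gap_s": median,
            "gap_spread_s": spread,
            "user_agents": sorted({r["ua"] for r in posts}),
            "robotic": robotic,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        flag = "ROBOT?" if info["robotic"] else "ok"
        print(f"{ip:16} posts={info['posts']} median_gap={info['median_gap_s']} {flag}")
```

The user-agent list per IP is kept in the report because, when the same script is coming through a pool of proxies as Jim describes, an identical user-agent string across otherwise unrelated addresses is often the only thing that ties the submissions together.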