May 24, 2000
In the first half of the year 2000, a spammer began forging my domain name in the return address and headers of her spam sends. The domain forging resulted in thousands of undeliverable emails flying back at my mail server, and the possible blocking of my domain by other mail server administrators. I countered by having the Internet account used to send the spam cancelled. For the spammer responsible this was warning shot number one.
The spammer came back on-line through another ISP and continued to forge my domain in her spam messages. I responded by having her second Internet account cancelled; this was warning shot number two. The spammer came back on the Internet through an AOL dial-up and began forging my domain for a third time. Strike three - you're out.
Normally I am too busy to be bothered with the everyday activities of a small-time huckster, but this one was beginning to piss me off. To top it off, inexperienced anti-spammers were sending bitch mail to me for an offense I had nothing to do with. It was apparent that a slight deterrent was not going to be enough to alter this spammer's behavior. It had become enough of an annoyance to warrant my attention.
I make my living providing Internet access, advanced TCP/IP network know-how, and Internet security for a variety of customers. One of the best ways to protect someone's computer network is to know how a hacker can get in. I read all the hacker "how-to" books, I visit all the hacker web pages, I examine all the hacker software worth looking at, and I am subscribed to all the major hacking mailing lists. Learning how to keep hackers out of my customers' networks has made me a valuable asset to anyone who hires me. It has also made me a skilled hacker.
When the spammer made her next mailing I was ready for her. By carefully examining the email headers and message body of previously sent spams I was able to identify a unique signature that appeared in every email the spammer sent. I designed an email filter to detect this signature, and placed it on the mail gateway of a high-volume Internet mail server. Once the filter detected an incoming email with the signature it would automatically page me, and drop a copy of the snagged email into my waiting mailbox. All I needed to do now was wait. Several days went by without a word. Finally, on the fourth day, my digital pager went off. The message on the LCD read: "Spammer is on-line!"
I quickly logged on to the Internet and examined the caught email. Sure enough the spammer's signature was present, it was a spam, and my domain name was forged in the return address. Inside the email header was the current IP address of the spammer. I pinged the IP address, and it answered with an echo reply. The spammer was still on-line, and her luck had just run out.
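The two steps described above, a signature filter on the mail gateway and reading the originating IP out of the headers, as an added example. This is not the author's filter; the protected domain, the relay hosts, the signature markers and both sample messages are constructed for illustration. It also shows the check a practitioner wants when reading Received: headers: a spammer can pre-seed fake Received: lines, so only the lines written by relays you control are trusted, walking from the newest hop downward.

```python
"""Gateway filter: flag mail that carries a known spammer signature and forges
our domain, and recover the IP of the host that injected it.

Added example, not the original page's code.  Every domain, host, IP and
signature marker below is an assumption chosen for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

PROTECTED_DOMAIN = "example.net"            # the domain being forged (assumed)
TRUSTED_ORIGINS = {"203.0.113.5"}           # hosts that legitimately send for it
TRUSTED_RELAY_HOSTS = {"mx.example.com", "relay.example.org"}  # relays we run
TRUSTED_RELAY_IPS = {"192.0.2.1", "192.0.2.10"}

# The "unique signature": a header value plus a body phrase seen in every
# mailing.  Both markers are constructed; the real one is not on the page.
SIGNATURE_HEADER = ("X-Mailer", "1st Class Mail")
SIGNATURE_BODY = re.compile(r"to be removed,? reply with", re.I)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)


def matches_signature(msg: Message) -> bool:
    """Both the header marker and the body phrase must be present."""
    name, value = SIGNATURE_HEADER
    header_hit = (msg.get(name) or "").strip().lower() == value.lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    return header_hit and bool(SIGNATURE_BODY.search(body))


def claims_domain(msg: Message, domain: str = PROTECTED_DOMAIN) -> bool:
    """True if any sender-identity header uses our domain."""
    for field in ("Return-Path", "From", "Reply-To", "Sender"):
        _, addr = parseaddr(msg.get(field, ""))
        if addr.lower().endswith("@" + domain):
            return True
    return False


def origin_ip(msg: Message) -> Optional[str]:
    """IP of the host that handed the message to our infrastructure.

    Each relay prepends its own Received: line, so we read newest-first and
    stop at the first line not written by a relay we control: anything below
    that was supplied by the sender and may be forged.
    """
    for line in msg.get_all("Received", []):
        by = BY_HOST.search(line)
        if not by or by.group(1).lower() not in TRUSTED_RELAY_HOSTS:
            break
        ip = BRACKETED_IP.search(line)
        if ip and ip.group(1) not in TRUSTED_RELAY_IPS:
            return ip.group(1)
    return None


def classify(raw: str) -> dict:
    msg = message_from_string(raw)
    ip = origin_ip(msg)
    return {
        "signature": matches_signature(msg),
        "forged": claims_domain(msg) and ip not in TRUSTED_ORIGINS,
        "origin_ip": ip,
    }


def page_text(result: dict) -> Optional[str]:
    """Pager message; fires only when signature and forgery coincide."""
    if result["signature"] and result["forged"]:
        return f"Spammer is on-line! origin {result['origin_ip']}"
    return None


# Constructed sample: forged Return-Path/From, spammer's marker, and a fake
# bottom Received: line that a naive "read the last hop" parser would trust.
SPAM = "\n".join([
    "Return-Path: <sales@example.net>",
    "Received: from relay.example.org (relay.example.org [192.0.2.10]) by mx.example.com with ESMTP; Sun, 14 May 2000 03:12:44 -0400",
    "Received: from dialup-pc (pool-23.dialup.example [198.51.100.23]) by relay.example.org with SMTP; Sun, 14 May 2000 03:12:40 -0400",
    "Received: from mail.example.net (mail.example.net [203.0.113.5]) by dialup-pc; Sun, 14 May 2000 03:00:00 -0400",
    'From: "Sales" <sales@example.net>',
    "To: victim@example.com",
    "Subject: Make money fast",
    "X-Mailer: 1st Class Mail",
    "",
    "Earn $$$ from home.",
    "To be removed reply with REMOVE in the subject.",
])

# Constructed sample: genuine mail from the domain's own server.
LEGIT = "\n".join([
    "Return-Path: <admin@example.net>",
    "Received: from mail.example.net (mail.example.net [203.0.113.5]) by mx.example.com with ESMTP; Mon, 15 May 2000 09:00:01 -0400",
    "From: admin@example.net",
    "To: victim@example.com",
    "Subject: Maintenance window",
    "",
    "The mail server will be down Saturday night.",
])

if __name__ == "__main__":
    for raw in (SPAM, LEGIT):
        print(classify(raw), page_text(classify(raw)))
```

On the spam sample the filter reports the dial-up address 198.51.100.23, not the 203.0.113.5 planted in the spammer's own bottom Received: line; that is the address you would ping or report to the ISP.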
At that moment I silently came across the Internet from thousands of miles away, and hacked my way into the spammer's computer. The following screen-shot is a picture of the spammer's Windows desktop caught in the act of forging my domain. 1st Class Mail is a bulk email program. It is used for spamming the Internet. It has no other purpose.
Once I had escalated my remote access to that of a fully privileged local user, I blew the offending 1st Class Mail software right off the spammer's hard drive. I knew the spammer would just re-install it, but I was gambling that when she did she would choose someone else's domain to forge. I also downloaded enough information from other data files to determine who I was dealing with. Despite my dislike for spammers, I left the laptop otherwise unharmed.
After disconnecting from the Internet, I pored over the retrieved data trying to determine as much about the spammer as possible. I discovered the spammer's name was Rodona Garst. Rodona was more than just the rogue spammer I was expecting. She was working in concert with several other spammers, and she was the ringleader. They were spammers for hire, and they called themselves "Premier Services".
At that moment a mind numbing thought occurred. If Rodona was working in concert with other spammers, then she may not have been the only one forging my domain! Her whole company of spammers could be forging my domain! Ooooh no! Now I was dealing with multiple individuals. There was only one way to find out how many of them were forging my domain. I was going to have to hack them all! All of Premier Services!
Over the next few weeks I spread like a silent wildfire through Rodona's computer network. The satellite spammers she had working in other locations met my silent attack as well. From Clarksville, Tennessee to Los Angeles, California, and from the office server to the bedroom laptop, I tracked down Rodona's spammers one by one. I was not interested in denial of service. I was not interested in deleting their files. What I wanted was unrestricted access to the data on their hard drives, and computer by computer I got it.
In the end I gleaned over 100 megabytes of Premier Services' sensitive internal data. I also recovered over 1300 usernames and passwords stolen by Premier Services from customers of America On-Line. I anonymously turned over the stolen usernames and passwords to AOL security along with the contact information for all parties involved. Premier Services is also guilty of pump-and-dump stock scams, and insider stock trading.
This web page will reveal how they did it in their own words complete with photographs. If you are an anti-spammer looking for an inside peek at the world of spamming, you have just found Fort Knox!
-Man In The Wilderness