The Detective Game
I'm calling this "The Detective Game" because I wanted to
have a little fun and show just how easy it is to track these little idiots
down. Below are the headers of a single instance of MMF spammism. I challenge
you to decide where to complain (don't bother to actually write and
complain, this little sucker's long gone already). Afterwards, I'll
do some detective work and show you how.
"Path: pacifier!homer.alpha.net!newsfeeds.sol.net!newspump.sol.net!howland.erols.net!
news.sprintlink.net!news-peer.sprintlink.net!news.sprintlink.net!newspull.sprintlink.net!
news.sprintlink.net!news-ana-7.sprintlink.net!news.fuse.net!usenet
From: Cassady (DewB@satellite.com)
Newsgroups: rec.boats.racing.power
Subject: Nothing to Lose
Date: Mon, 30 Dec 1996 21:36:00 +0000
Organization: Satellite Daydream Ltd.
Lines: 181
Message-ID: (32C841DA.4110@satellite.com)
Reply-To: *
NNTP-Posting-Host: rubicon-75.fuse.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.0Gold (Macintosh; I; PPC)
If you have time to browse the newsgroups, you
have time to do yourself a huge favor...
Please just give this a shot.
This is the fairest, most honest way to really share the wealth, and YOU
should be a part of it!
Take just 5 MINUTES to read this and you will
not be disappointed! If you want to know how to make thousands of dollars
quickly with NO CATCH, then keep reading.
The Internet has grown tremendously. It doubles
in size every 4 months. Think about it. You see those 'Make Money Fast'
post more and more. That's ... because it WORKS! So I thought, all those
new users might make it work. Besides, what's $5.00?
There is incredible potential for success, because
$5 is all anyone ever invests in this system. Period. That's all.
*********** 3 QUICK & EASY STEPS ***************
STEP 1
Invest your $5 by writing your name and address on five separate pieces
of paper along with the words: "Please add me to your mailing list."
(In this way, you're not just sending a dollar to someone; you're paying
for a legitimate service.) Fold a $1 bill inside each paper, and mail them
to the following 5 addresses:
1) K. Curan
2490 Blackrock, Turnpike #194
Fairfield, CT 06430
2) S. Hyatt
6022 Foxland Drive
Brentwood, TN 37027
3) H. Toy
1565 Pacific Avenue
San Francisco, CA 94109
4) B. Dougherty
185 Marine Ave. Apt.3B
Brooklyn, NY 11209
5) D. Cabrera
7237 Camargowoods Dr.
Cincinnati, OH 45243
STEP 2
Now remove the #1 name from the list, and move the other names up. This
way, #5 becomes #4 and so on. Put YOUR name in as the fifth one on the list.
STEP 3
Post this article to at least 250 newsgroups. (There's instructions below
if you need them.) There are at least 20,000 newsgroups at any give moment
in time. *The more groups you post to, the more people will see your article
and send you cash!
STEP 4
You are now in business for yourself, and should start seeing returns within
7 to 14 days. Remember, the Internet is new and constantly growing. There
is virtually no way you can lose.
*Many business ideas for making money, no matter
how well thought out and implemented, simply don't get off the ground. In
many cases this is due to advertising costs, but the exposure obtained through
the Internet is quite honestly -- pretty awesome, so please study this article
carefully taking all the time you want, because the moment you begin participating
you will be on track for some serious financial rewards.
This is all you really need to know to get started,
but there's additional info included below. Hope this 5 minutes is worth
your while.
BEST WISHES and GOOD LUCK!
Take care.
******************************************************************
Now here is how and why this system works:
Out of every block of 250 posts you make,say you get back about 5
responses. Yes, thats right,only 5. You make $5.00 in cash,
not checks or money orders, but real cash with your name at
#5.
Each additional person who sent you $1.00 now also makes 250
additional postings with your name at #4, 1000 postings. On
average then, 50 people will send you $1.00 with your name at
#4,....$50.00 in your pocket!
Now these 50 new people will make 250 postings each with your
name at #3 or 10,000 postings. Average return, 500 people= $500.
They make 250 postings each with your name at #2= 100,000
postings=5000 returns at $1.00 each=$5,000.00 in cash!
Finally, 5,000 people make 250 postings each with your name at
#1 and you get a return of $60,000 before your name drops off
the list. And that's only if everyone down the line makes only 250
postings each! Your total income for this one cycle is $55,000.
The end result depends on you. You must follow through
and repost this article everywhere you can think of.
The more postings you make, the more cash ends up in
your mailbox. It's too easy and too cheap to pass up!!!
So that's it. Pretty simple sounding stuff, huh? But it
works. There are millions of people surfing the net every day, all
day, all over the world. And 100,000 new people get on the net
every day. You know that, you've seen the stories in the paper.
So read and follow the simple instructions and play
fair. That's the key, and that's all there is to it.
REMEMBER....HONESTY IS THE BEST POLICY.YOU DON'T
NEED TO CHEAT THE BASIC IDEA TO MAKE THE BUCKS!
GOOD LUCK TO ALL, AND PLEASE PLAY FAIR AND YOU WILL
WIN AND MAKE SOME REAL INSTANT FREE CASH!
If you're really not sure or still think this can't be for real,
then don't do it. But please print this article and pass it along
to someone you know who needs the money and see what happens.
*********** TIPS ON AUTOMATING THE PROCESS **************
Copy/Paste is the easiest way, but you can also
do this:
Make any necessary changes to this article as
explained in step (2) and when you're satisfied, save it as a .txt file
and import it into the body of your email or newsreader program. This way
you only have to change the name of the newsgroup or email address for each
redistribution.
GOOD ADVICE: Use a word processor to ensure
people that first read it via their newsreader program see it clearly laid
out. Re-format it with a simple text editor such as "notepad,"
or "WordPad" if you're using "Windows 95." Providing
the text is clearly visible and does not scroll into the right margin, it
should be ok!
NEXT: Locate the newsgroups you intend on posting
to, Netscape 3.0 or a similar newsreader is excellent for this, because
you can highlight dozens of newsgroups all at once, enabling you to distribute
your article to 1000's of locations in less than an hour. Highlight all
newsgroups you want to mail your letter to ( Hold down CTRL while left clicking.)
You will then see all newsgroups you highlighted displayed in the Newsgroups
Field.
NEXT: Select/highlight your newsgroups, then
click "To News" place a sensible title in the "Subject"
location, click on "Attachments" whereupon another box appears.
Locate the file you are going to distribute, click on the file and then
click "Open" again click OK; provided you followed these instructions,
you should see your file grayed out in the "Attachments" box.
Hit "Send" . . . and that's it!
PLEASE NOTE:
This system is based on everyone being honest, but it's all too tempting
not to bother mailing out envelopes with dollar bills inside. The success
for all participating is dependent upon this taking place and if carried
out will mean a 500% INCREASE on your article being redistributed!
*******************FINAL NOTE*****************
By the very nature of the way the system works
you may not see the benefits the first week. BUT COMMENCING THE SECOND WEEK,
YOUR INTAKE OF MAIL FROM AROUND THE WORLD WILL TRULY ASTONISH YOU! Please
give this some serious thought, because this is one of the few money making
concepts that really does work.
GOOD LUCK!!!"
It's interesting that
this net.idiot has an actual percentage worked out for the higher returns
if you actually send the letters and the money. Wonder how he got that?
Anyway, did you figure out where to send the complaint?
Did you say postmaster@ and abuse@satellite.com? Sorry, that's not correct.
Before we go into that, let's see if this dummy made any more posts.
Let's do a check of DejaNews for other posts by this same email address:
[Deja News - The Source for Newsgroups]
-----------------------------------------------------------
33 Hits for Query:
Date Scr Subject Newsgroup Author
1. 97/01/01 025 EMP/ECP Cancelled (T#2/2 news.admin.net-abus rbraver@ohww.norman
2. 97/01/01 024 EMP/ECP Cancelled (T#1/2 news.admin.net-abus rbraver@ohww.norman
3. 97/01/01 022 MMF canceled (variou#1/8 news.admin.net-abus news@hammer.msfc.na
4. 96/12/31 022 Here You Go #2/2 alt.sex.pictures.ma Cassady (DewB@satel
5. 96/12/31 022 MMF canceled (variou#1/6 news.admin.net-abus news@hammer.msfc.na
6. 96/12/31 022 MMF canceled (variou#1/6 news.admin.net-abus news@hammer.msfc.na
7. 96/12/31 022 Get Some! #2/2 uk.adverts.personal Cassady (DewB@satel
8. 96/12/31 022 Tied Up? #2/2 alt.sex.bondage.fur Cassady (DewB@satel
9. 96/12/31 022 Here You Are #2/2 alt.sex.wanted Cassady (DewB@satel
10. 96/12/31 022 Whatever You Want #2/2 alt.sex.escorts.ads Cassady (DewB@satel
11. 96/12/31 022 "Get Your Drink On!"#2/2 alt.college.us Cassady (DewB@satel
12. 96/12/31 022 JUst Do it #2/2 alt.sex.pictures.mi Cassady (DewB@satel
13. 96/12/31 022 Have It All! #2/2 alt.sex.prostitutio Cassady (DewB@satel
14. 96/12/31 022 You'll Never Know #2/2 alt.sex.toons Cassady (DewB@satel
15. 96/12/31 022 Get All That Equipme#2/2 rec.boats.racing.po Cassady (DewB@satel
16. 96/12/31 022 Quit Playing Around #2/2 rec.games.frp.gurps Cassady (DewB@satel
17. 96/12/31 022 $exual Healing #2/2 alt.sex Cassady (DewB@satel
18. 96/12/31 021 Here You Go #1/2 alt.sex.pictures.ma Cassady (DewB@satel
19. 96/12/31 021 Get Some! #1/2 uk.adverts.personal Cassady (DewB@satel
20. 96/12/31 021 Tied Up? #1/2 alt.sex.bondage.fur Cassady (DewB@satel
21. 96/12/31 021 Here You Are #1/2 alt.sex.wanted Cassady (DewB@satel
22. 96/12/31 021 Whatever You Want #1/2 alt.sex.escorts.ads Cassady (DewB@satel
23. 96/12/31 021 "Get Your Drink On!"#1/2 alt.college.us Cassady (DewB@satel
24. 96/12/31 021 JUst Do it #1/2 alt.sex.pictures.mi Cassady (DewB@satel
25. 96/12/31 021 Have It All! #1/2 alt.sex.prostitutio Cassady (DewB@satel
26. 96/12/31 021 You'll Never Know #1/2 alt.sex.toons Cassady (DewB@satel
27. 96/12/31 021 Get All That Equipme#1/2 rec.boats.racing.po Cassady (DewB@satel
28. 96/12/31 021 Quit Playing Around #1/2 rec.games.frp.gurps Cassady (DewB@satel
29. 96/12/31 021 $exual Healing #1/2 alt.sex Cassady (DewB@satel
30. 96/12/30 021 Here It Comes #2/2 alt.sex.pictures Cassady (DewB@satel
31. 96/12/30 021 Not that small #2/2 alt.sex.pictures.fe Cassady (DewB@satel
32. 96/12/30 020 Here It Comes #1/2 alt.sex.pictures Cassady (DewB@satel
33. 96/12/30 020 Not that small #1/2 alt.sex.pictures.fe Cassady (DewB@satel
----------------------------------------------------------------------------
Individual word hit counts
* dewb@satellite.com: 33
----------------------------------------------------------------------------
Because of the way DejaNews
reports hits, there are actually only 14 posts here from Mr. DewB (what
an original name, Mr. Doobie. Probably gives some clues to your other habits
besides illegal spamming). Also, be aware that DejaNews does not report
them all - I know of at least 3 others I personally saw from this idiot
that aren't listed here.
I have to say, though, this guy is more original
with his title lines than most - he at least tailored them to the groups
he was posting to. "Tied Up?" for alt.bondage, "Get All
That Equipment" for rec.boats.racing.power, "Quit Playing Around"
for rec.games.frp.*. Still doesn't excuse him, though.
Notice the posts at the beginning of the list
from Robert Braver and a NASA site - these are cancellations issued for
these messages.
OK, we know he's done some more spamming.
Now let's take a look at those headers. This guy apparently already
knows it's illegal, not only because the "DewB@satellite.com"
is obviously a fake (look at the NNTP-Posting-Host: & the Path: - both
have fuse.net in them), but also because the message-ID is also faked,
which is not so easy to do. Just for kicks, try doing an nslookup on satellite.com
and you get:
pacifier:~/incoming% nslookup satellite.com
Server: pacifier.com
Address: 199.2.117.161
*** pacifier.com can't find satellite.com: Non-existent host/domain
OK, let's see what Internic (domain registration)
has to say about satellite.com:
pacifier:~/incoming% whois satellite.com
Roxy Systems, Inc. (SATELLITE5-DOM)
60 Pinewood Rd.
Bolton, MA 01740
USA
Domain Name: SATELLITE.COM
Administrative Contact, Billing Contact:
Keith Clougherty (KC-ORG) kroxy@IX.NETCOM.COM
508-779-0516
Fax: 508-779-6819
Technical Contact, Zone Contact:
TIAC Hostmaster (TIAC-HM) domreg@TIAC.NET
tel.: 617-932-2000 fax.: 617-932-2098
Record last updated on 06-Aug-96.
Record created on 08-Jul-96.
Domain servers in listed order:
ZORK.TIAC.NET 199.0.65.2
SUNDOG.TIAC.NET 199.0.65.9
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
Well, there USED to be a satellite.com, anyway.
Unfortunately, Internic's records are so out of date and un-verified
that they can't be depended on for a lot of things. Let's try
telnetting to the mail port (25) of the supposed satellite.com, just to
make sure:
pacifier:~/incoming% telnet satellite.com 25
satellite.com: Unknown host
We can pretty much ignore satellite.com and concentrate
on fuse.net now. Besides, why would someone in Cincinnati, Ohio be using
an ISP in Bolton, MA? Stranger things have happened, but it's another
suspicious point about satellite.com.
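The header comparison made above (the domain claimed in From: and Message-ID: against NNTP-Posting-Host: and the tail of the Path:), as an added Python example that is not part of the original page. The function names and the two-label `org_domain` shortcut are assumptions of this sketch; the header values are the ones from the sample post.

```python
import re

# Headers of the sample post shown on this page (Path kept in full).
SAMPLE = (
    "Path: pacifier!homer.alpha.net!newsfeeds.sol.net!newspump.sol.net!howland.erols.net!"
    "news.sprintlink.net!news-peer.sprintlink.net!news.sprintlink.net!newspull.sprintlink.net!"
    "news.sprintlink.net!news-ana-7.sprintlink.net!news.fuse.net!usenet\n"
    "From: Cassady (DewB@satellite.com)\n"
    "Message-ID: (32C841DA.4110@satellite.com)\n"
    "NNTP-Posting-Host: rubicon-75.fuse.net\n"
)

def parse_headers(text):
    """Return {lowercased-name: value}, joining folded continuation lines."""
    headers, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def org_domain(host):  # last two labels: an assumption that fits .com/.net, not co.uk
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def claimed_domains(h):
    """Domains in headers the poster types in, and can therefore fake."""
    text = " ".join(h.get(n, "") for n in ("from", "message-id", "reply-to"))
    return {org_domain(d) for d in re.findall(r"@([A-Za-z0-9.-]+)", text)}

def injection_domain(h):
    """Domain where the post entered Usenet, or None if the evidence disagrees."""
    # Path reads right to left, so the rightmost dotted entry is the first news server.
    # A poster can preload that tail, so it must agree with NNTP-Posting-Host.
    hops = [p.strip() for p in h.get("path", "").split("!") if "." in p]
    host = h.get("nntp-posting-host", "")
    posted = org_domain(host) if "." in host else None
    return posted if hops and org_domain(hops[-1]) == posted else None

def where_to_complain(text):
    h = parse_headers(text)
    site, claimed = injection_domain(h), claimed_domains(h)
    return {
        "claimed": sorted(claimed),
        "injected_at": site,
        "forged_from": site is not None and site not in claimed,
        "complain_to": [f"abuse@{site}", f"postmaster@{site}"] if site else [],
    }

if __name__ == "__main__":
    print(where_to_complain(SAMPLE))
```

When the Path tail and NNTP-Posting-Host disagree, the function returns no complaint address rather than guessing, which is the case to resolve by hand with whois as the page does.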
While we normally can't get much information
about .net domains (being a separate entity from the rest of usenet and
the internet and only connected to them), we can usually at least verify
their existence using whois:
pacifier:~/incoming% whois fuse.net
Cincinnati Bell Telephone (FUSE3-DOM)
201 E. 4th St
Cincinnati, OH 45202
Domain Name: FUSE.NET
Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
Pickering, Robert (RP93) rob@PICKERING.NET
(513) 232-1456 (FAX) (513) 232-3127
Record last updated on 09-Apr-96.
Record created on 12-Dec-95.
Domain servers in listed order:
NS1.FUSE.NET 206.230.20.10
NS1.SPRINTLINK.NET 204.117.214.10
NS2.SPRINTLINK.NET 199.2.252.10
NS3.SPRINTLINK.NET 204.97.212.10
NS2.FUSE.NET 206.230.21.10
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
pacifier:~/incoming%
Gotcha! OK, let's telnet to their mail server:
pacifier:~/incoming% telnet 206.230.20.10 25
Trying 206.230.20.10...
Connected to 206.230.20.10.
Escape character is '^]'.
220 enterprise.fuse.net ESMTP Sendmail 8.8.4/8.8.4; Mon, 30 Jan 1997 23:59:33 -0500 (EST)
VRFY abuse
250 (abuse@enterprise.fuse.net)
EXPN abuse
250-Deven T. Corzine (deven@enterprise.fuse.net)
250 Robert A. Pickering Jr. (|/usr/local/bin/procmail@enterprise.fuse.net)
VRFY postmaster
250 (postmaster@enterprise.fuse.net)
EXPN postmaster
250-Deven T. Corzine (deven@enterprise.fuse.net)
250 Robert A. Pickering Jr. (|/usr/local/bin/procmail@enterprise.fuse.net)
OK, we see that they have both an abuse and a
postmaster address, but they both are processed by procmail to the same
user, Mr. Pickering, who is also listed as the Administrative Contact,
Technical Contact, Zone Contact, & Billing Contact at this domain. So we
need only complain to one of them - I usually go to abuse@ when given a
choice... I believe it is more descriptive and also points out that you
are not one of the run-of-the-mill complainers, who usually don't know about
the abuse@ address.
Now let's have even more fun.... let's
try to bag this guy even further. Using WhoWhere, a popular Name/Address
to Phone number directory available via the web, and using the address
given in the body of the spam, we find:
WhoWhere? found the following match
Ruben M Cabrera
7237 Camargowoods Dr
Cincinnati OH 45243-2219
Phone : 513-561-1270
And yet another little piece of information falls
into place. Could little Cassady (DewB) be using Netscrape and his Daddy's
(Ruben) or Mommy's Power PC Mac (see the X-Mailer: header:
Mozilla 3.0Gold (Macintosh; I; PPC)) to post bad things to the usenet?
Perhaps Mommy and Daddy might like to know - but then, their account has
probably already been cancelled, and they have figured something out. Maybe
Junior will get a timeout in the corner, huh? (In my day, when I did
something I wasn't supposed to, I got a spanking, and
it didn't "stunt my emotional growth" one bit - on the contrary,
that connection between the butt and the brain contributed considerably
to my emotional growth and sense of responsibility for my own actions...
but off the soapbox now...).
The Postal Inspector for that location would be:
The Postal Inspection Service office that serves CINCINNATI OH can be contacted at:
POSTAL INSPECTION SERVICE
UNITED STATES POSTAL SERVICE
PO BOX 14487
CINCINNATI OH 45250-0487
Phone : 513-684-5700
Fax : 513-684-5686
And now, the final peg in the coffin for this
one... using a mapping service and the address given in the letter, we
can actually see approximately where in Cincinnati the slimy little scumball
lives (note that these maps are sometimes inaccurate, but give a pretty
good general idea...):

Believe me, you can find out even more about these
idiots if you want to spend a little more time. I researched this guy in
about 5 minutes total - spend an hour, and you can give a person's
life history in many cases.