Are you people even TRYING anymore?

I get a spam today from "Kenneth" with a subject line of "It's me, Delilah ODL8710369 from AOL 8d". Come one man, at least make the names match, or make them varients, or at the very least....make them the same gender.

Self Milking Girls

Return-Path:
Delivered-To: john@
Received: (qmail 8544 invoked from network); 11 Sep 2004 03:15:12 -0000
Received: from unknown (HELO pD958B23B.dip.t-dialin.net) (217.88.178.59)
by 2.69-93-235.reverse.theplanet.com with SMTP; 11 Sep 2004 03:15:12 -0000
Received: from starmedia.com (mx1.latinmail.com [62.37.236.140])
by pD958B23B.dip.t-dialin.net (Postfix) with ESMTP id 6E2B185318
for ; Fri, 10 Sep 2004 20:15:12 -0700
Message-ID: <000001c497ad$83f4dc23$310f11c9@starmedia.com>
From: "Jas R. Chrian"
To: John
Subject: Self milking girls
Date: Fri, 10 Sep 2004 20:15:12 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0024_55E89199.1ABD4F86"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.4682
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
X-Virus-Scanned: by AMaViS perl-11 mion


there is no shortage of spammers to go after. I haven't even deployed my troll addresses yet but that will be covered in another post. This one is using the same targeting technique of hashes but this time it's embedded in the server name itself.
Again the actual hashes have been modified but the number of characters is preserved
http://Hereford.45839583945867393045.handicaps.hdhda.com/rd/eESw8odWRZ/mekl43WEBDeiw.htm
I'll have to modify my falsePozi.pl script later to work for this scumbag.
Hrm this one is a little tricker and I received a 404. Must be something in the hashes that I messed up.

OK let's work backwards here, inurl:hdhda.com didn't find anything on google. but the whois revealed this
Registrant:
Masterly Intl S.A.
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279


Domain Name: HDHDA.COM

Administrative Contact:
Admin, Domain masterlyintl@hushmail.com
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279


Technical Contact:
Admin, Domain masterlyintl@hushmail.com
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279


Record expires on 09-02-2005
Record created on 09-02-2004

Domain servers in listed order:
NS0.CLEANWEBFILES.COM 64.38.198.11
NS1.CLEANWEBFILES.COM 64.38.198.13

There was another URL in the email so let's try to work with that one
http://exclamation.00000000000000000000.spotty.hdhda.com/rd/xxxxxxxxxx/xxxxxxxxxxxxxxxx.HTM
OK this isn't work, so I went to usenet and found an an abuse posting that gave another address not linked to mine. So let's try it out instead
http://Cecropia.321908402677499182.plead.hdhda.com
another 404, I'm guessing because I don't have the hashes at the end of the URL.
Bingo, got it!
Another post had munged up the address and it still worked.
http://unevaluated.530896695780071931.poodle.hdhda.com/rd/UrHaeRXA4a/yY389QLQcc5AbG1.HTML

the page lists itself as "HELMY Enterprises, Inc." althought I doubt this moron actually files papers and has a DBA. Just a guess though.
there's an affliliate link on the bottom for http://www.gigacash.com which I'll check out later.
the link to it is another candidate for falsePozi.pl
http://www2.gigacash.com/popup/gc.php?gcaid=188234&gcsa=default

Helmy enterprises actually has a website if you can believe that.
I've linked to the google cache to make this more discreet
http://64.233.161.104/search?q=cache:VM3pMCl7uMAJ:helmy.com/+HELMY+Enterprises,+Inc.&hl=en
Here is our scumbags email addy according to the site
info2@helmy.com
email@helmy.com

The address is just a PO Box in Los Angeles

US & Canada: 888.8.HELMYS

International: 310.820.0228

PO BOX 492146, LA, CA 90049

OH wait it gets better, an employment page! Oh yes can I please work for you? I mean I have never had a job where I am considered by most to be the slime of the earth.
Let's have some fun with this now.

Now the way most forms work is they have a bunch of fields and then there is an "action" field which tells you where it's going to go. This one requires only slightly more work in that it's using POST so I can't just make a big URL and shove it down his digital throat.
In this case the relevent data is as follows

<form method="POST" action="FormMail.pl5">
<input type="text" name="name" size="40" value="">
<input type="text" name="email" size="40">
<input type="text" name="phone" size="40">
<textarea name="comments" rows="5" cols="31"></textarea>
<input type=HIDDEN name="recipient" value="email@helmy.com">
<input type=HIDDEN name="subject" value="HELMY Employment Inquiry Form">
<input type=HIDDEN name="redirect" value="http://www.helmy.com">
<input type=HIDDEN name="required" value="name, email">
<input type="submit" value=">> send" name="B12">

So this employment application goes right to his email. interesting, spamming a known spammer.. the irony is too much sometimes.
alright let's get to work here, I need to create a modified HTTPsend.pl script so I can send in my work request. I'm also going to have to hide my request by going through an anonymous proxy so he doesn't just check his logs tomorrow and blag my IP address. It will all be documented in the next post so stay tuned (not that anyone is actually reading this).

Creating false positives for spammers

Since he is trying to figure out who is "live" in his spam rolodex let's have a little fun.
The first tool to use would be a random text generator or in this case a simple encoder.
We don't need truely random here so Mime64 encoded using localtime() output will work just fine.


So here is what I came up with for blingcash so far

#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
use MIME::Base64;

my $text= "spammersuck";

# Create a user agent object
my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/8.0"); # pretend we are very capable browser :)


my $baseURL='http://birdgenus.com/web09.php/';

sub getPage
{
my $key = localtime();
#removing anything that is not a digit
$key=~s/\D//g;
$key=rand($key);
my $encoded = encode_base64("$key:$text");

#original email had a 16 char hash so just making sure mine is similar
my $hash=substr($encoded,0,15);

my $req = HTTP::Request->new(GET => $baseURL.$hash);
$req->header('Accept' => 'text/html');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $hash . " " .$res->status_line . "\n";
}
else {
print "Error: " . $res->as_string . "\n" if ($res->status_line!~/404/);
}
}

foreach my $try (1..5)
{
getPage();
}

hey from teenie

New format here, I will post the headers first and the results afterwards. This may make it easier later on if this blog ever gets viewed by another person.
Return-Path:
Delivered-To: john@
Received: (qmail 17769 invoked from network); 11 Sep 2004 16:17:26 -0000
Received: from unknown (HELO felicite.kwiksuzie.com) (209.200.9.148)
by 2.69-93-235.reverse.theplanet.com with SMTP; 11 Sep 2004 16:17:26 -0000
Received: from mail pickup service by megamarge.com with Microsoft SMTPSVC;
Sun, 12 Sep 2004 00:05:26 -0800
Received: from 197.208.117.20 by by7fd.bay7.megamarge.com with HTTP;
Sun, 12 Sep 2004 00:05:26 GMT
X-Originating-IP: [197.208.117.20]
X-Originating-Email: [teeniefgcd@megamarge.com]
X-Sender: teeniefgcd@megamarge.com
From: teenie
To: John
Subject: hey
Date: 12 Sep 2004 00:05:26 -0400
Mime-Version: 1.0
Content-type: text/html
Message-ID:
Return-Path:

This spammer is using the same type of stealthing techniques, random dictionary words, url encoding and a targeted URL.

the URL's are designed to tie back to the email address like a hash. In fact this probobly is a hashed value which is tied to a database entry.
http://birdgenus.com/web09.php/REWDgUhozXE482E
I've obviously changed this value around a little. In fact one of the perl scripts I love using makes random values which will cause lots of false positives in their database.

Hrm the result looks awefully familiar. Just like the one I saw in my first post. It may even be the exact same person respamming me. It's not like these spammers have morals or ethics.
Ya it's the same guy from http://www.blingcash.com. I used the same technique as last time, take the script shown below and change document.write to alert and view the content safely.
I've been thinking of changing to this to populating a text field so I can easily cut and past the results.

<br /><script language=JavaScript>function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,20,2,21,43,60,61,62,6,42,0,0,0,0,0,0,34,50,52,1,46,59,17,4,57,56,26,27,15,39,25,12,10,18,7,58,54,47,40,28,9,41,49,0,0,0,0,51,0,55,13,36,35,16,23,0,3,44,30,45,19,24,32,33,37,5,11,31,38,8,14,48,53,22,29);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("NTWBuM5tUtNBORzAgUXZR4OBF0HZXl5AvMY@F_WBXh5tUtHIalvSnKLIZfIxPrkxmjmpX7IoqjiAfROwfdNpqv5xGdOwR45xCh5xmyNohsbZuhix3liZOUiwmyNoPUWSPlWwmjVSR0OtPfbwraVnbRzB30Y@PPkBQUIZX_5A2KOZya5@84OAP2WaORk@gak@2tmo22WaORknXPmBP4WARl5xmyN@uh5AesOZfdNpXJkZf4WAXsOZfKbt1tmAPKOZF_iArdXpXJzBGRbBydXpXjbwy_5aGsWAgdXpX8kA3dNpXtOwhRbt3tVBORWBbdNM3yN@bhO_2aWBmvNp3tVx8sbwgUW0mQN@yK5xgh5A5dXp2AVM9s5_rjWAeszdOSHoK7JtdsLHVhjoyskZmjuZR4OBF0HZXl5AvsmorlOAgdHo34WxRyIwflOAgsiAfROwfdNpq@OZfrO_rrb_CRz_myNoul5x2_5AbhO_2aWBmyNor45xgKb_sh5tUtHIalvSnfVxfKOtRTWBFf6MP9VBQr6@RMO_rriZGKz_rJiAu4m_OR6@3aWxJPbt1yNp3yNphJbtzvmxmjHoqDOZuhOtRP6oqv5xGdOwR45xCh5xmyNoul5x2_5AQ_WwFaOt3yuAGskwOUW_g_iwbRbt3yIAPsbwy_5agUH4N9IIalvSnKLIZUH4N9m_FdWAK2")</script><br />

I've already covered blingcash.com so let's move on to another one.

my methods

I wanted to spend some time documenting my methods. I only use freeware tools at this point such as perl, outlook express and vim.
Outlook Express is my collector, it is cofigured for the catch all address of my domain. For every oddball site I've ever gone to I would enter a custom email. In one case MPCMag who offered free magazine subscriptions the spam would get sent to MPCMag@mydomain.com
Once the spams are in my inbox (with previewing turned off of course) I would simply click on the file and hold, drag it onto my desktop and then edit the file using vim. Vim is VI improved for those who don't know and is a great free text editor.
The non free tool I use to speed things up are Komodo a fantastic perl IDE I purchased a year ago from Activestate (now Sophos). I could do without it but I really love the tool and it is nice when I'm coding to have an interactive debugger like this handy.

The normal mode of operation here is to find a page of entry which is usually in the email itself and then download the page in my perl script. This prevents any nasty activeX or other surprises from infecting me. In linux I would use curl for this of course.
Here is a sample perl script I use.

#!/usr/bin/perl
use strict;

use LWP::UserAgent;

# Create a user agent object
my $ua = LWP::UserAgent->new;
# $ua->agent("$0/0.1 " . $ua->agent);
$ua->agent("Mozilla/8.0"); # pretend we are very capable browser :)
my $counter;
# Initialize proxy settings from environment variables
$ua->env_proxy;
my @dictionary;
# Create a request

# this is an actual spammer URL that was sent to a troll account
my $baseURL='http://www.ad0u.com/maildeny.php';

sub getPage
{
my $req = HTTP::Request->new(GET => $baseURL);
$req->header('Accept' => 'text/html');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $res->content;
}
else {
print "Error: " . $res->status_line . "\n" if ($res->status_line!~/404/);
}
}

getPage();

First Post

Spam Hunting is a new sport I've decided to engage in. I know of others who do this in one way or another. Some play as dirty as the spammers but since I'm cataloging this I'll obviously stay clean.
My first piece of spam was from a bounce account on my domain. Bounce accounts are accounts friends used to have on my domain and have discontinued. But the spammers don't know that and still send junk their way. There is a lot of cat and mouse games with these scum such as encrypting pages using scripts.
Our first came in a strange letter that just said Hi in the subject.
[note: for obvious reasons I removed the address of the recipient but feel free to spam the spammer :) ]
the actual text of the message is encoded using HTML encoding (&xx;) with random dictionary words peppered in comment tags. It points to a site http://goedog.com/

So I fire up my trusty perl debugger from and pull down the page. I would use curl if I had my linux box up but I'm at my work laptop so windows it is.
The result is a single line of javascript with an encoded page. It's meant to keep prying eyes away from the inner workings. Pretty lame though. So I paste this into my HTML editor and change a single piece. Instead of document.write now it will use document.alert. So the HTML will not render but show up in a pop up box.

<br /><script language="JavaScript">function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,3,57,58,6,52,39,47,33,45,0,0,0,0,0,0,10,22,4,5,32,28,35,55,31,19,1,8,15,17,16,36,24,38,13,21,43,56,20,18,37,30,2,0,0,0,0,25,0,42,27,49,46,9,11,41,48,23,50,14,59,54,29,40,44,0,51,7,34,62,53,12,61,60,26);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=string.fromcharcode(165^w&255);w>>=8;s-=2}else{s=6}}alert(r)}}decrypt_p("_mE5K6yQ7Q_5wsnjq7ecsTw5M02ceIyjk6gtMrE5e1yQ7Q2UGIk3DbLUciUv@f9vPYPXeuU8CYpjiswhiF_XCkyvBFwhsTyvJ1yvPA_81HRcK1pvSIpcw7phPA_8@7E3@IEhPYo3s0wQ@iRhfGoDRsn5S0gt@@95W7UceryjZbwcAGyt4Twj@ZEGws9tqG9tZQP8ZZEGws9De@P5@TEjsIyvPA_tK1yjNHwciF_Xez9ciTEjeHwcibRQVQPj@bwcMrpjfFeXezn5BsR5AFeXeYRhAryGBHEjqFeXe49jSF_XeQwh1sRQSQo5wsE5RF_6SA_tR1wrZGE5Pk_XSQov4HRhq7E0PW_tAbyvq1yjyFeXZjo6aHyrfYEjNHnFw328buzQFHL2o1Y8AH9cPYKcsTw5M02ceIyjkHP8fIwjqF28STEvsAUhiIwjqHpjiswhiF_XCtwcifwrffRrJsnrPA_8KIyvZryjR1wrZGE5PA_8fTyvqbRrH1yQ7Q2UGIk3DiovibwQsmE5Mix6@ao5Wfxts6wrffpcBbnrfzpjKTPrwsxtSGEvz@RQVA_XSA_X1zRQnkPvPY28CdwcK1wQs@x8CkyvBFwhsTyvJ1yvPA_8KIyvZryjWrEhMGwQSAKjBH9hw7ErqrphRsRQSAUj@HRhAryGq72T_aUUGIk3DbLUc72T_aPrMFEjbZ")</script><br />

The page of course points to yet another site, http://www.blingcash.com/
[urls]
http://www.blingcash.com/exit/ex/
http://www.blingcash.com/hit.php?w=100000&s=8&p=2

Blingcash seems to be nothing more then a porn site, however once you start playing with the variables new pages appear.

<br />http://www.blingcash.com/hit.php?w=1000000000000000000000000000000000000000000000000000000&s=800000000000000000000000000000000000&p=3<br />

The title of the page, BlingCash.com ::: Covert Like the Ole' Days!
Ya the good ole days..
Here was something disturbing. It was targeted to people that were part of the reseller (spamming) program. In particular
"
What happens when your Epoch customer cancels

his membership with your paysite? Simply send

him one of our new cross sale mailers...a

single click later and you've earned $15.

Let us show you how to profit off cancellations!

CLICK HERE to learn more!
"

From there I found a contact page!

US Phone:
(702) 547-0900

Canada Phone:
(416) 691-2812

Marketing Email:
sales@blingcash.com

Support Email:
support@blingcash.com

ICQ Contact :
96944506

OK I'll play. Let's talk to the scum bag and see what he says.

Return-Path:
Delivered-To: john@com
Received: (qmail 22370 invoked from network); 9 Sep 2004 00:42:03 -0000
Received: from unknown (HELO bebe.sylviidae.com) (209.200.9.195)
by 2.69-93-235.reverse.theplanet.com with SMTP; 9 Sep 2004 00:42:03 -0000
Received: from mail pickup service by citysilvia.com with Microsoft SMTPSVC;
Thu, 9 Sep 2004 08:50:47 -0800
Received: from 104.106.80.174 by by7fd.bay7.citysilvia.com with HTTP;
Thu, 9 Sep 2004 08:50:47 GMT
X-Originating-IP: [104.106.80.174]
X-Originating-Email: [Merryxeqh@citysilvia.com]
X-Sender: Merryxeqh@citysilvia.com
From: Merry
To: John
Subject: hi
Date: 9 Sep 2004 08:50:47 -0400
Mime-Version: 1.0
Content-type: text/html
Message-ID:
Return-Path: