How to trace forum spammers?
Posted 08 February 2007 - 08:01 PM
I've got a vBulletin forum and what I presume are bots are registering and making spam posts. The only info I have is the IP and Email address.
I want to find who is sending this spam and return the favour.
How should I go about finding information on the spammer? I've put the IP address through ARIN's WHOIS and got limited info, on this occasion the address listed is a P.O.Box in Amsterdam.
Posted 08 February 2007 - 08:27 PM
I'm a bit confused whether the IP I have though is the one I need to investigate, surely proxies are used, as the Spam is of an illegal nature, thats why I'm a little p*ssed off. Is there a way of detecting if a proxy is used?
Can I post the WHOIS info here or is it against forum rules?
I don't wanna get teh bandage.
Posted 08 February 2007 - 09:01 PM
Posted 08 February 2007 - 09:07 PM
can I post the whois info I got?
Posted 08 February 2007 - 10:22 PM
yeah sure, I did it before with whois binrev.
Yeah I thought someone did, hehe
ARIN's WHOIS result:-
Search results for: 184.108.40.206 OrgName: RIPE Network Coordination Centre OrgID: RIPE Address: P.O. Box 10096 City: Amsterdam StateProv: PostalCode: 1001EB Country: NL ReferralServer: whois://whois.ripe.net:43 NetRange: 220.127.116.11 - 18.104.22.168 CIDR: 22.214.171.124/8 NetName: RIPE-CBLK NetHandle: NET-193-0-0-0-1 Parent: NetType: Allocated to RIPE NCC NameServer: NS-PRI.RIPE.NET NameServer: NS3.NIC.FR NameServer: SUNIC.SUNET.SE NameServer: NS-EXT.ISC.ORG NameServer: SEC1.APNIC.NET NameServer: SEC3.APNIC.NET NameServer: TINNIE.ARIN.NET Comment: These addresses have been further assigned to users in Comment: the RIPE NCC region. Contact information can be found in Comment: the RIPE database at http://www.ripe.net/whois RegDate: 1992-08-12 Updated: 2005-08-03 # ARIN WHOIS database, last updated 2007-02-07 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database.
inetnum: 126.96.36.199 - 188.8.131.52 netname: EUROCONT01 descr: Eurotherm Controls Limited country: GB admin-c: LM3717-RIPE tech-c: ML9588-RIPE status: ASSIGNED PA "status:" definitions mnt-by: AS1849-MNT source: RIPE # Filtered irt: IRT-MCI-GB address: ISG/IP Network Security address: MCI address: Reading International Business Park address: Basingstoke Road address: Reading address: Berkshire address: RG2 XXX address: GB phone: +44 118 905 6XXX fax-no: +44 118 905 5XXX abuse-mailbox: email@example.com org: ORG-UA24-RIPE admin-c: WERT1-RIPE tech-c: WERT1-RIPE auth: MD5-PW $1$aEyFevLd$QGJ6onxfBWDr/ezQePDYF/ auth: PGPKEY-5960220D auth: PGPKEY-5E478DDC auth: PGPKEY-92479A5D auth: PGPKEY-B4826395 irt-nfy: firstname.lastname@example.org irt-nfy: email@example.com mnt-by: MCI-EMEA-M-MNT source: RIPE # Filtered person: Luke MoscXXX address: EurothXXX ContrXXX Limited address: FaraXXX address: Close address: Durrington address: West Sussex address: BN13 XXX address: UK phone: +44 1903 268XXX fax-no: +44 1903 265XXX nic-hdl: LM3717-RIPE mnt-by: AS1849-MNT source: RIPE # Filtered person: Mark LedXXX address: EurothXXX ContrXXX Limited address: FaraXXX address: Close address: Durringxxx address: West Sussex address: BN13 XXX address: UK phone: +44 1903 837XXX fax-no: +44 1903 265XXX nic-hdl: ML9588-RIPE mnt-by: AS1849-MNT source: RIPE # Filtered % Information related to '184.108.40.206/14AS1849' route: 220.127.116.11/14 descr: PIPEX-BLOCK1 origin: AS1849 holes: 18.104.22.168/24, 22.214.171.124/24, 126.96.36.199/22, + 188.8.131.52/24, 184.108.40.206/24, + 220.127.116.11/24, + 18.104.22.168/20, + 22.214.171.124/24, 126.96.36.199/24, + 188.8.131.52/23, 184.108.40.206/22, + 220.127.116.11/24, 18.104.22.168/23, 22.214.171.124/24, + 126.96.36.199/23, 188.8.131.52/24, 184.108.40.206/22, 220.127.116.11/20 remarks: UUNET UK filter inbound on prefixes longer than /24 remarks: Please send abuse notification to firstname.lastname@example.org mnt-by: AS1849-MNT mnt-by: WCOM-EMEA-RICE-MNT source: RIPE # Filtered % Information related to '18.104.22.168/14AS702' route: 22.214.171.124/14 descr: UK PA route origin: AS702 holes: 126.96.36.199/24 holes: 188.8.131.52/24 holes: 184.108.40.206/22 holes: 220.127.116.11/24 holes: 18.104.22.168/24 holes: 22.214.171.124/24 holes: 126.96.36.199/20 holes: 188.8.131.52/24 holes: 184.108.40.206/24 holes: 220.127.116.11/23 holes: 18.104.22.168/22 holes: 22.214.171.124/24 holes: 126.96.36.199/23 holes: 188.8.131.52/24 holes: 184.108.40.206/23 holes: 220.127.116.11/24 holes: 18.104.22.168/22 holes: 22.214.171.124/20 member-of: AS702:RS-UK, AS702:RS-UK-PA remarks: **********ABUSE ISSUES********** remarks: All abuse must be reported to remarks: email@example.com for this network. remarks: ******************************** mnt-by: WCOM-EMEA-RICE-MNT source: RIPE # Filtered
So, what do you think I should be looking at here? Do you see anything of value or interest? I just did a tutorial for Arin WHOIS but that covered queries, not what I needed I thought.
Posted 09 February 2007 - 07:44 PM
Posted 10 February 2007 - 09:18 AM
Posted 10 February 2007 - 12:06 PM
It's a spambot. Not a person. Tracing it back leads to a German zombie computer; and as it's been said, there's not much we can do.
Trace back this idiot
Anerenceder has been spamming us all morning with pr0n links, in any thread he could find, for no apparent reason.
There's a time a while back where I wanted to infiltrate a botnet. Leave a computer to get zombied, and sniff the traffic.
Problem is, if we're very lucky (or the botnet operator very stupid), the most we'll likely have is his IP.
Not a name. Just an IP. Worse that can happen is that the ISP shuts him down, and the spammer continues spamming from a different spot.
We won't ever find out who this person, that's causing us all so much grief, is.
Now if the botnet operator would be on multiple channels on the same server, some of them being for chat... well then we'd have something.
The odds of that? Well... :\
BinRev is hosted by the great people at Lunarpages!