Swerve

How to trace forum spammers?

11 posts in this topic

Hey all,

I've got a vBulletin forum and what I presume are bots are registering and making spam posts. The only info I have is the IP and Email address.

I want to find who is sending this spam and return the favour.

How should I go about finding information on the spammer? I've put the IP address through ARIN's WHOIS and got limited info, on this occasion the address listed is a P.O.Box in Amsterdam.

Many thanks.


Hey, that's a great article Octal, nice one.

I'm a bit confused whether the IP I have, though, is the one I need to investigate, as surely proxies are used. The spam is of an illegal nature, that's why I'm a little p*ssed off. Is there a way of detecting if a proxy is used?

Can I post the WHOIS info here or is it against forum rules?

I don't wanna get teh bandage.


You got IPs? Great! The machines are probably zombies anyway so good luck spamming them. You got email addresses? Awesome! They're probably fake or spoofed.


I realise this, but it's more a case of me trying to learn.

Can I post the whois info I got?

Yeah sure, I did it before with whois binrev.

Yeah I thought someone did, hehe

ARIN's WHOIS result:-

Search results for: 193.129.71.195


OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 193.0.0.0 - 193.255.255.255
CIDR: 193.0.0.0/8
NetName: RIPE-CBLK
NetHandle: NET-193-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1992-08-12
Updated: 2005-08-03

# ARIN WHOIS database, last updated 2007-02-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

RIPE Database:-

inetnum:		 193.129.71.192 - 193.129.71.255
netname: EUROCONT01
descr: Eurotherm Controls Limited
country: GB
admin-c: LM3717-RIPE
tech-c: ML9588-RIPE
status: ASSIGNED PA
mnt-by: AS1849-MNT
source: RIPE # Filtered

irt: IRT-MCI-GB
address: ISG/IP Network Security
address: MCI
address: Reading International Business Park
address: Basingstoke Road
address: Reading
address: Berkshire
address: RG2 XXX
address: GB
phone: +44 118 905 6XXX
fax-no: +44 118 905 5XXX
abuse-mailbox: abuse@uk.uu.net
org: ORG-UA24-RIPE
admin-c: WERT1-RIPE
tech-c: WERT1-RIPE
auth: MD5-PW $1$aEyFevLd$QGJ6onxfBWDr/ezQePDYF/
auth: PGPKEY-5960220D
auth: PGPKEY-5E478DDC
auth: PGPKEY-92479A5D
auth: PGPKEY-B4826395
irt-nfy: ip-net-sec@de.mci.com
irt-nfy: registrar@eu.uu.net
mnt-by: MCI-EMEA-M-MNT
source: RIPE # Filtered

person: Luke MoscXXX
address: EurothXXX ContrXXX Limited
address: FaraXXX
address: Close
address: Durrington
address: West Sussex
address: BN13 XXX
address: UK
phone: +44 1903 268XXX
fax-no: +44 1903 265XXX
nic-hdl: LM3717-RIPE
mnt-by: AS1849-MNT
source: RIPE # Filtered

person: Mark LedXXX
address: EurothXXX ContrXXX Limited
address: FaraXXX
address: Close
address: Durringxxx
address: West Sussex
address: BN13 XXX
address: UK
phone: +44 1903 837XXX
fax-no: +44 1903 265XXX
nic-hdl: ML9588-RIPE
mnt-by: AS1849-MNT
source: RIPE # Filtered

% Information related to '193.128.0.0/14AS1849'

route: 193.128.0.0/14
descr: PIPEX-BLOCK1
origin: AS1849
holes: 193.128.76.0/24, 193.128.77.0/24, 193.128.184.0/22,
+ 193.128.217.0/24, 193.128.253.0/24,
+ 193.129.163.0/24,
+ 193.129.224.0/20,
+ 193.130.2.0/24, 193.130.15.0/24,
+ 193.131.64.0/23, 193.131.100.0/22,
+ 193.131.102.0/24, 193.131.114.0/23, 193.131.127.0/24,
+ 193.131.178.0/23, 193.131.247.0/24, 193.131.248.0/22, 193.128.192.0/20
remarks: UUNET UK filter inbound on prefixes longer than /24
remarks: Please send abuse notification to abuse@uk.uu.net
mnt-by: AS1849-MNT
mnt-by: WCOM-EMEA-RICE-MNT
source: RIPE # Filtered

% Information related to '193.128.0.0/14AS702'

route: 193.128.0.0/14
descr: UK PA route
origin: AS702
holes: 193.128.76.0/24
holes: 193.128.77.0/24
holes: 193.128.184.0/22
holes: 193.128.217.0/24
holes: 193.128.253.0/24
holes: 193.129.163.0/24
holes: 193.129.224.0/20
holes: 193.130.2.0/24
holes: 193.130.15.0/24
holes: 193.131.64.0/23
holes: 193.131.100.0/22
holes: 193.131.102.0/24
holes: 193.131.114.0/23
holes: 193.131.127.0/24
holes: 193.131.178.0/23
holes: 193.131.247.0/24
holes: 193.131.248.0/22
holes: 193.128.192.0/20
member-of: AS702:RS-UK,
AS702:RS-UK-PA
remarks: **********ABUSE ISSUES**********
remarks: All abuse must be reported to
remarks: abuse@uk.uu.net for this network.
remarks: ********************************
mnt-by: WCOM-EMEA-RICE-MNT
source: RIPE # Filtered

So, what do you think I should be looking at here? Do you see anything of value or interest? I just did a tutorial for ARIN WHOIS, but that covered queries, not what I needed, I thought.
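A worked example, added here and not part of the thread: it parses a RIPE reply like the one pasted above, finds the inetnum assignment covering the address, pulls out the abuse-mailbox (which is what "take it to the ISP" means in practice), and checks whether the address sits in one of the route's "holes:" prefixes, since a hole means that sub-block is announced by someone else and its contacts may differ. The sample record is constructed from the pasted output and trimmed to the attributes the script uses.

```python
import ipaddress

# Constructed sample in RPSL form, modelled on the RIPE record pasted above (trimmed).
SAMPLE = """\
inetnum:       193.129.71.192 - 193.129.71.255
netname:       EUROCONT01

irt:           IRT-MCI-GB
abuse-mailbox: abuse@uk.uu.net
source:        RIPE # Filtered

route:         193.128.0.0/14
holes:         193.128.76.0/24, 193.128.77.0/24,
+              193.129.224.0/20
"""

def parse_rpsl(text):
    """Objects as dicts (attribute -> list of values); '#' starts a comment."""
    objects, cur, last = [], {}, None
    for line in text.splitlines() + ['']:    # trailing '' flushes the last object
        if not line.strip():                 # a blank line separates objects
            if cur:
                objects.append(cur)
            cur, last = {}, None
        elif line.startswith('+') and last:  # RPSL continuation of the previous attribute
            cur[last][-1] += ' ' + line[1:].strip()
        elif ':' in line and not line.startswith('%'):  # '%' lines are server chatter
            key, _, val = line.partition(':')
            last = key.strip()
            cur.setdefault(last, []).append(val.split('#')[0].strip())
    return objects

def find_assignment(objects, ip):
    """The inetnum object whose 'start - end' range contains ip, or None."""
    ip = ipaddress.ip_address(ip)
    for o in objects:
        lo, _, hi = o.get('inetnum', [''])[0].partition('-')
        if hi and ipaddress.ip_address(lo.strip()) <= ip <= ipaddress.ip_address(hi.strip()):
            return o

def abuse_contacts(objects):
    """Every abuse-mailbox in the reply: where a report should actually be sent."""
    return [m for o in objects for m in o.get('abuse-mailbox', [])]

def in_route_hole(objects, ip):
    """True if ip falls in a 'holes:' prefix of a covering route (announced elsewhere)."""
    ip = ipaddress.ip_address(ip)
    routes = [o for o in objects if any(ip in ipaddress.ip_network(r) for r in o.get('route', []))]
    holes = ' '.join(h for o in routes for h in o.get('holes', [])).replace(',', ' ').split()
    return any(ip in ipaddress.ip_network(h) for h in holes)
```

For the address in the thread the hole check comes back False, so the assignment's own contacts (the irt's abuse-mailbox) are the right place to report.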


The ONLY course of action is take the IPs to the ISPs who own them (not ARIN or RIPE) and they will handle it from there. This is all you can do.


And I don't remember the ISPs doing anything about the reported IPs lately.


Trace back this idiot

Anerenceder has been spamming us all morning with pr0n links, in any thread he could find, for no apparent reason.

It's a spambot. Not a person. Tracing it back leads to a German zombie computer; and as it's been said, there's not much we can do.

There was a time a while back when I wanted to infiltrate a botnet. Leave a computer to get zombied, and sniff the traffic.

Problem is, if we're very lucky (or the botnet operator very stupid), the most we'll likely have is his IP.

Not a name. Just an IP. The worst that can happen is that the ISP shuts him down, and the spammer continues spamming from a different spot.

We won't ever find out who this person that's causing us all so much grief is.

Now if the botnet operator would be on multiple channels on the same server, some of them being for chat... well then we'd have something.

The odds of that? Well... :\

