How to trace forum spammers?

[Swerve 4]

Hey all,

I've got a vBulletin forum and what I presume are bots are registering and making spam posts. The only info I have is the IP and Email address.

I want to find who is sending this spam and return the favour.

How should I go about finding information on the spammer? I've put the IP address through ARIN's WHOIS and got limited info, on this occasion the address listed is a P.O.Box in Amsterdam.

Many thanks.

[Octal 2]

http://www.irongeek.com/i.php?page=security/ipinfo

Irongeek made an article about this.

It seems to be missing something. I remember that article had information about finding location. odd...

Edited February 9, 2007 by Octal

[Swerve 4]

Hey thats a great article Octal, nice one.

I'm a bit confused whether the IP I have though is the one I need to investigate, surely proxies are used, as the Spam is of an illegal nature, thats why I'm a little p*ssed off. Is there a way of detecting if a proxy is used?

Can I post the WHOIS info here or is it against forum rules?

I don't wanna get teh bandage.

[tehbizz 0]

You got IPs? Great! The machines are probably zombies anyway so good luck spamming them. You got email addresses? Awesome! They're probably fake or spoofed.

[Swerve 4]

I realise this, but it's more a case of me trying to learn.

can I post the whois info I got?

[Octal 2]

yeah sure, I did it before with whois binrev.

[Swerve 4]

yeah sure, I did it before with whois binrev.

Yeah I thought someone did, hehe

ARIN's WHOIS result:-

Search results for: 193.129.71.195


	OrgName:	RIPE Network Coordination Centre 
	OrgID:	  RIPE
	Address:	P.O. Box 10096
	City:	   Amsterdam
	StateProv:  
	PostalCode: 1001EB
	Country:	NL

	ReferralServer: whois://whois.ripe.net:43

	NetRange:   193.0.0.0 - 193.255.255.255 
	CIDR:	   193.0.0.0/8 
	NetName:	RIPE-CBLK
	NetHandle:  NET-193-0-0-0-1
	Parent:	
	NetType:	Allocated to RIPE NCC
	NameServer: NS-PRI.RIPE.NET
	NameServer: NS3.NIC.FR
	NameServer: SUNIC.SUNET.SE
	NameServer: NS-EXT.ISC.ORG
	NameServer: SEC1.APNIC.NET
	NameServer: SEC3.APNIC.NET
	NameServer: TINNIE.ARIN.NET
	Comment:	These addresses have been further assigned to users in
	Comment:	the RIPE NCC region. Contact information can be found in
	Comment:	the RIPE database at http://www.ripe.net/whois
	RegDate:	1992-08-12
	Updated:	2005-08-03

	# ARIN WHOIS database, last updated 2007-02-07 19:10
	# Enter ? for additional hints on searching ARIN's WHOIS database.

RIPE Database:-

inetnum:		 193.129.71.192 - 193.129.71.255
netname:		 EUROCONT01
descr:		   Eurotherm Controls Limited
country:		 GB
admin-c:		 LM3717-RIPE
tech-c:		  ML9588-RIPE
status:		  ASSIGNED PA "status:" definitions
mnt-by:		  AS1849-MNT
source:		  RIPE # Filtered

irt:			 IRT-MCI-GB
address:		 ISG/IP Network Security
address:		 MCI
address:		 Reading International Business Park
address:		 Basingstoke Road
address:		 Reading
address:		 Berkshire
address:		 RG2 XXX
address:		 GB
phone:		   +44 118 905 6XXX
fax-no:		  +44 118 905 5XXX
abuse-mailbox:   abuse@uk.uu.net
org:			 ORG-UA24-RIPE
admin-c:		 WERT1-RIPE
tech-c:		  WERT1-RIPE
auth:			MD5-PW $1$aEyFevLd$QGJ6onxfBWDr/ezQePDYF/
auth:			PGPKEY-5960220D
auth:			PGPKEY-5E478DDC
auth:			PGPKEY-92479A5D
auth:			PGPKEY-B4826395
irt-nfy:		 ip-net-sec@de.mci.com
irt-nfy:		 registrar@eu.uu.net
mnt-by:		  MCI-EMEA-M-MNT
source:		  RIPE # Filtered

person:		  Luke MoscXXX
address:		 EurothXXX ContrXXX Limited
address:		 FaraXXX
address:		 Close
address:		 Durrington
address:		 West Sussex
address:		 BN13 XXX
address:		 UK
phone:		   +44 1903 268XXX
fax-no:		  +44 1903 265XXX
nic-hdl:		 LM3717-RIPE
mnt-by:		  AS1849-MNT
source:		  RIPE # Filtered

person:		  Mark LedXXX
address:		 EurothXXX ContrXXX Limited
address:		 FaraXXX
address:		 Close
address:		 Durringxxx
address:		 West Sussex
address:		 BN13 XXX
address:		 UK
phone:		   +44 1903 837XXX
fax-no:		  +44 1903 265XXX
nic-hdl:		 ML9588-RIPE
mnt-by:		  AS1849-MNT
source:		  RIPE # Filtered

% Information related to '193.128.0.0/14AS1849'

route:		   193.128.0.0/14
descr:		   PIPEX-BLOCK1
origin:		  AS1849
holes:		   193.128.76.0/24, 193.128.77.0/24, 193.128.184.0/22,
+			 193.128.217.0/24, 193.128.253.0/24,
+			 193.129.163.0/24,
+			 193.129.224.0/20,
+			 193.130.2.0/24, 193.130.15.0/24,
+			 193.131.64.0/23, 193.131.100.0/22,
+			 193.131.102.0/24, 193.131.114.0/23, 193.131.127.0/24,
+			 193.131.178.0/23, 193.131.247.0/24, 193.131.248.0/22, 193.128.192.0/20
remarks:		 UUNET UK filter inbound on prefixes longer than /24
remarks:		 Please send abuse notification to abuse@uk.uu.net
mnt-by:		  AS1849-MNT
mnt-by:		  WCOM-EMEA-RICE-MNT
source:		  RIPE # Filtered

% Information related to '193.128.0.0/14AS702'

route:		   193.128.0.0/14
descr:		   UK PA route
origin:		  AS702
holes:		   193.128.76.0/24
holes:		   193.128.77.0/24
holes:		   193.128.184.0/22
holes:		   193.128.217.0/24
holes:		   193.128.253.0/24
holes:		   193.129.163.0/24
holes:		   193.129.224.0/20
holes:		   193.130.2.0/24
holes:		   193.130.15.0/24
holes:		   193.131.64.0/23
holes:		   193.131.100.0/22
holes:		   193.131.102.0/24
holes:		   193.131.114.0/23
holes:		   193.131.127.0/24
holes:		   193.131.178.0/23
holes:		   193.131.247.0/24
holes:		   193.131.248.0/22
holes:		   193.128.192.0/20
member-of:	   AS702:RS-UK,
				AS702:RS-UK-PA
remarks:		 **********ABUSE ISSUES**********
remarks:		 All abuse must be reported to
remarks:		 abuse@uk.uu.net for this network.
remarks:		 ********************************
mnt-by:		  WCOM-EMEA-RICE-MNT
source:		  RIPE # Filtered

So, what do you think I should be looking at here? Do you see anything of value or interest? I just did a tutorial for Arin WHOIS but that covered queries, not what I needed I thought.

[tehbizz 0]

The ONLY course of action is take the IPs to the ISPs who own them (not ARIN or RIPE) and they will handle it from there. This is all you can do.

[WhatChout 1]

And I don't remember the ISPs doing anything about the reported IPs lately.

[Aghaster 23]

Trace back this idiot

Anerenceder has been spamming us all morning with pr0n links, in any thread he could find, for no apparent reason.

[Seal 20]

Trace back this idiot

Anerenceder has been spamming us all morning with pr0n links, in any thread he could find, for no apparent reason.

It's a spambot. Not a person. Tracing it back leads to a German zombie computer; and as it's been said, there's not much we can do.

There's a time a while back where I wanted to infiltrate a botnet. Leave a computer to get zombied, and sniff the traffic.

Problem is, if we're very lucky (or the botnet operator very stupid), the most we'll likely have is his IP.

Not a name. Just an IP. Worse that can happen is that the ISP shuts him down, and the spammer continues spamming from a different spot.

We won't ever find out who this person, that's causing us all so much grief, is.

Now if the botnet operator would be on multiple channels on the same server, some of them being for chat... well then we'd have something.

The odds of that? Well... :\