Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Spam It's funny.  Laugh.

How To Catch A Scammer/Spammer 382

Joe 90 writes "An interesting story got posted on the Irish Linux Users group. It involves the arrest of a scammer/spammer working in an internet cafe. It even includes the attempt to eat a usb pen drive, several cops and a 10 minute struggle to subdue the man. Story is available on the Linux.ie mailing list By the way Gardai = the cops in Ireland."
This discussion has been archived. No new comments can be posted.

How To Catch A Scammer/Spammer

Comments Filter:
  • by dzym ( 544085 ) on Monday April 05, 2004 @10:17AM (#8768785) Homepage Journal
    He attempted to eat several cops after downing the USB drive?

    No wonder there was a struggle!

  • by conner_bw ( 120497 ) on Monday April 05, 2004 @10:18AM (#8768803) Journal
    [snip]

    on 64.21.81.131, which seems to belong to some direct marketing whorehouse.

    He logged into this as well: 66.180.174.12, which seems to be some sort
    of mail harvesting database. The login is done over SSL, so I can't find
    out more. If any militant anti-spam vigilantes want to get a good look
    at how these people organize themselves, that's probably a good place to
    start


    [/snip].
  • the power of /.ing (Score:5, Interesting)

    by basil montreal ( 714771 ) on Monday April 05, 2004 @10:20AM (#8768817) Homepage
    I kinda like all the stories I have read here about /.ing the spammers and signing them up for junk snail-mail and the like. (and if anyone can find me the link to the old story, I'd appreciate it)
  • whitelists rock (Score:3, Interesting)

    by Anonymous Coward on Monday April 05, 2004 @10:20AM (#8768820)
    after trying every spam blocker known to mankind
    I've finally switched to whitelisting. So far
    it absolutely rocks and it doesn't need any
    legal enforcement whatsoever.

    For good measure I have a password override on it
    and any email that contains the password has
    it's senders address automatically added to the
    whitelist.

    which is why I'm not afraid to put my email right
    here : j@ww.com , no spam will get through because you're still missing the password :)

    Very simple, extremely effective.
    • by internewt ( 640704 ) on Monday April 05, 2004 @10:30AM (#8768919) Journal
      which is why I'm not afraid to put my email right
      here : j@ww.com , no spam will get through because you're still missing the password :)

      I hope the password's not viagra, or some l33t speak typo variant.

    • by Anonymous Coward on Monday April 05, 2004 @10:38AM (#8768981)
      I just sent you an email containing:

      1. The meaning of life.
      2. The location of $1,000,000 I buried 10 years ago.
      3. How to get any woman you want.
      4. How to stay young and live forever.

      Oh well.
    • ...your server has that much more spam to send to the bitbucket. :)

      --JT
    • Re:whitelists rock (Score:5, Insightful)

      by Anonymous Coward on Monday April 05, 2004 @10:43AM (#8769025)
      Sorry, that doesn't solve the whole spam problem. Your mail server is still getting hammered by spam, it's just that you aren't seeing it. You are still paying for, directly or indirectly, the bandwidth that is being gobbled up by all the unwanted email that is sent to you.
      • Re:whitelists rock (Score:5, Interesting)

        by essreenim ( 647659 ) on Monday April 05, 2004 @10:55AM (#8769141)

        People generally don't care that much about the decreased bandwidth - a problem which can also be solved - use port knocking algorithm of some kind!

        And besides, spamming is pretty sophisticated these days, if the mail delivery fails, the target e-mail is often removed from the list of e-mail addresses they are trying to send scam e-mails to ( as far as I know )
        I promise I'm not a spammer, I am interested in the subject though.
        I do believe whitelisting is the way to go!
        Only way to be sure!

        • Re:whitelists rock (Score:4, Insightful)

          by Smallpond ( 221300 ) on Monday April 05, 2004 @11:36AM (#8769663) Homepage Journal
          if the mail delivery fails, the target e-mail is often removed from the list of e-mail addresses they are trying to send scam e-mails to

          Ridiculous. Spammers don't even see bounces, since most spam isn't sent from their own computers. Its mostly sent throw open relays and hijacked machines. I see attempts from names I blacklisted 5 years ago.

    • Re:whitelists rock (Score:5, Insightful)

      by Anonymous Coward on Monday April 05, 2004 @10:47AM (#8769066)
      And it also means that I can't email you, since I don't know your password, and the only way I could get your password is by asking you, and the only way I could ask you - since I don't have your address or phone number - is by emailing you.

      Doubtless that doesn't bother you, as you probably aren't interested in getting email from me. I, on the other hand, do frequently receive personal email from strangers. Your "solution" is worthless to me.
      • Re:whitelists rock (Score:3, Insightful)

        by essreenim ( 647659 )
        Yes, but that can be overcome with a web based e-mail interface.

        Its a simple idea:

        Problem: sender is not on recievers whitelist

        Solution: There is an alternative means of sending mail. sender just has to solve a simple puzzle or retype "fuzzy" text from the screen, at some designated page. The solution to the puzzle, together with senders e-mail are encrypted and sent off to the recievers web server. The senders e-mail is then TEMPORARILY added to the whitelist - i.e allowed to complete 1 smtp packet deli
    • Re:whitelists rock (Score:5, Insightful)

      by Anonymous Coward on Monday April 05, 2004 @10:48AM (#8769069)
      Except that now, anyone who cares to do a simple whois lookup [networksolutions.com] on the domain ww.com will quickly find himself in the posession of your name, address, and phone number, in addition to your e-mail.

      Not that anyone will call. But still, maybe you'd better think about that?
    • Re:whitelists rock (Score:4, Interesting)

      by enjo13 ( 444114 ) on Monday April 05, 2004 @10:51AM (#8769104) Homepage
      But not effective in all circumstances.

      For me spamming has always been an inconvienence and nothing more really. However, once I helped to implement a new customer support system at work I began to realize just how difficult the problem can be. In that setting (support via e-mail) a whitelist isn't much of an option. An aggressive spam filter isn't really an option either (we really can't have even 1 false positive). We do run a basic filtering system that catches a lot of the spam, but we're still receiving several thousand messages a day. It's a strain on our database and more importantly on our customer support staff who have to wade through all of the spam.

      At this point it's just stupid.
    • which is why I'm not afraid to put my email right here : j@ww.com
      ... but you still post anonymously ;)
  • A unmamed man aprehended a scammer and a spammer,a nd put them in the slammer using only a scanner and a spanner!

    Or something like that........
  • thumbs up! (Score:5, Interesting)

    by softwave ( 145750 ) <david@coppens.advalvas@be> on Monday April 05, 2004 @10:21AM (#8768826)
    It's a comforting thought to know that there actually is legal action being taken against those suckers.
    I find it very amusing to read how the spammer tries to struggle and fight back the cops :) I think it's a proof that he knows he's in deep trouble :)
    • by thesaur ( 681425 ) on Monday April 05, 2004 @11:03AM (#8769223)
      Some of you who were on #linux on friday will know part or most of this story already as i witnessed some of it (while drinking a truly delicious hot chocolate). For those of you who don't, the following is a report written up by a friend of mine on his succussful (or at least, it's looking good) attempt to stop and catch a 419 scammer. I feel it's worth the read

      John

      -------- Original Message --------
      Subject: I fought the scammer... and I won.
      Date: Fri, 02 Apr 2004 21:54:30 +0100
      From: Steffen Higel
      To: John Allman ,
      paulinemccaffrey at eircom.net, stevecash at ireland.com, tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie, edwin.higel at brookside.ie, marynstanley at eircom.net, richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at mail.dcu.ie

      [This is long, and is quite heavy on the technical discussion. Skip the bits you don't understand. It gets interesting.]

      I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email from a sysadmin in a large U.S. University. Spamcop had blacklisted our server's external IP address. Abuse mail for the server in question gets sent to my college account (bad practice, I know, but it's a part time job). My college uses Spamcop as a blacklist source. You can probably tell what happened...

      Anyway, said email included the full headers of an email which was natted by our server pretending to be from the widow of Mr. Jonas Savimbi, offering the recipient a share of an unspecified large sum of money. The usual panicked thoughts kick in... "Have I fiddled with something which has left us as an open relay?", "Has our server been cracked?", "Have I been sleep-spamming again?". A more reasoned examination of the headers showed that the mail had originated from one of the IP addresses that we assign dynamically to people who bring laptops into the cafe. This is something of a nightmare for cafe operators, we can hardly block outbound smtp but then again it isn't possible for us to manually check every single mail either. Maybe rate limiting is a valid technical solution. Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.

      A peek through the logs revealed:

      Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7
      via eth1
      Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to
      00:40:f4:5d:aa:f7 via eth1
      Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
      00:40:f4:5d:aa:f7 via eth1
      Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
      00:40:f4:5d:aa:f7 via eth1
      Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
      00:40:f4:5d:aa:f7 via eth1
      Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
      00:40:f4:5d:aa:f7 via eth1

      Bingo. I had something to work with. The network card is one based on a Cameo 32bit chipset. Matches up quite nicely with these:

      Return-Path:
      Received: from 192.168.1.70 (server.XXXXXX [XXXXXXX.29])
      byXXXXXXXXXXXXXXXXXX) with SMTP id i2QFrgi0002755
      for ; Fri, 26 Mar 2004 10:53:44 -0500 (EST)
      Reply-To: "michelle savimbi"
      From: "michelle savimbi"
      To:
      Subject: urgent response
      Date: Fri, 26 Mar 2004 15:53:26 +0000
      Organization:
      Mime-Version: 1.0
      Content-Type: multipart/alternative;
      boundary="----=_NextPart_0 00_0034_01C221EC.6C64F7B 0"
      X-Priority: 3 (Normal)
      X-MSMail-Priority: Normal
      X-Mailer: Microsoft Outlook Express 6.00.2600.0000ams
      X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2800.1165

      I asked around, and a man, described as being black (or is the word African-American these days?), roughly 30, with an accent which seemed half London and half African had been in the cafe with a laptop and had a number of visitors call into
      • by Tackhead ( 54550 ) on Monday April 05, 2004 @12:27PM (#8770219)
        > Detective number 1 grabs and tries to cuff him, detective 2 starts to do the same. A struggle ensues and goes on for a full 10 minutes, basically trying to pin him on the floor and then getting his arms behind so he can be handcuffed. Michelle agrees to co-operate on numerous occasions and each time tries to run to the booth to destroy whatever is on that machine.
        >
        > Eventually, 2 more gardai arrive and he's cuffed and brought out, crying like a little girl

        ...ten minutes of watching a spammer being beaten to a quivering pulp.

        /me re-reads that sentence a few dozen more times... *aaaaaaaaah, yeaaaaah*

        Ten. Whole. Minutes. Skulls thumping, billy clubs and fists flying, and 419er whimpering.

        Video? Even grainy stuff from the internet cafe's security cam? Please? Pretty please? Pretty please with a lead pipe and a clump of spammer flesh on top?

        > What have I learned? Firstly, [ ... ]

        FIFTHLY: BRING A VIDEO CAMERA NEXT TIME! You got to see all the good stuff, and you didn't SHARE!

        • Unfortunately, from the article text, it looks like it only took 10 minutes because they really were trying to restrain him without injuring him. Joint locks are difficult if you don't get to hit the guy first. I feel pretty confident in saying that if they'd actually been able to hit him, it would have taken about 10 seconds.
  • by GillBates0 ( 664202 ) on Monday April 05, 2004 @10:21AM (#8768827) Homepage Journal
    The very next Friday (2nd of April 2004) he turned up again.

    It wasn't a scam, it was just a bad April Fool joke...and we all know we had a blast with bad jokes on Slashdot. Everybody deserves a little fun.

  • by sczimme ( 603413 ) on Monday April 05, 2004 @10:21AM (#8768833)

    From the article:

    Some of you who were on #linux on friday will know part or most of this story already as i witnessed some of it (while drinking a truly delicious hot chocolate).

    You know, more people should mention what they're drinking when relating news like this. :-)

    There is an interesting and [somewhat] related article on The Register [theregister.co.uk].
  • by Anonymous Coward
    ...but a search engine. Posted anonymously as I don't really want to have to fix their stupid server today. Thank you all very much.
  • by jetkust ( 596906 ) on Monday April 05, 2004 @10:24AM (#8768860)
    I hate spam more than I hate crackers

    But yet combining spam and crackers can be quite a tasty treat.
  • by Anonymous Coward
    Do it for Jesus
  • by capoccia ( 312092 ) on Monday April 05, 2004 @10:25AM (#8768867) Journal
    well, i guess he got his wish:
    Hope that provided some amusement. Forward it on to anyone who is interested. Really. I want to see it on the front page of slashdot and el reg within a week. And yes it really happened.

    I guess he needed to add that last line, since this all happend around the first of April.

  • by khankell ( 410682 ) on Monday April 05, 2004 @10:25AM (#8768869) Homepage
    Maybe he should have looked into the Thermite option we saw in the latest edition of The Broken?

    Of course, you don't want that going off when your trying to swallow the evidence. On second though, you don't really want it going off in your pocket either...
  • by SuperMario666 ( 588666 ) on Monday April 05, 2004 @10:26AM (#8768875)
    I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email...

    ...I asked around, and a man, described as being black (or is the word African-American these days?)

    Hmmm...

  • Cheers to the Gardai and to the Sysadmin...

    One more spammer cuffed and gone.

    CUFF THEM ALL... EVERY DAMN ONE OF THEM.

    Slainte... everyone involved in the arrest deserves a drink... stronger than that truly delicious hot chocolate. ;)

  • by nfsilkey ( 652484 ) on Monday April 05, 2004 @10:28AM (#8768892) Homepage
    Of all the fallout from the 419 spamming, I dont believe anything is funnier than Ebola Monkey Man [ebolamonkeyman.com]. Good way to kill productivity this fine Monday morning. ;)
  • sweet (Score:3, Interesting)

    by Maznafein ( 1895 ) on Monday April 05, 2004 @10:29AM (#8768898) Homepage
    This guy sent my first scam/spam to my cell phone last week. Sorry but I had to report you guys for it. I don't particuarly enjoy getting stuff to an address I've had for a week :p

    Glad you caught the bastiche though.

    -maz
  • by gmuslera ( 3436 ) on Monday April 05, 2004 @10:29AM (#8768908) Homepage Journal
    Papillon way could have been more preferrable (well, and then he should try the same with the notebook).

    Not sure if for simple spam he would have a problem under ireland's law, but as scammer probabilities go up.

  • by Anonymous Coward
    ... and waited for it to come painfully out again!


    Would be a good beginning of the punishment for spamming!

  • by robslimo ( 587196 ) on Monday April 05, 2004 @10:30AM (#8768920) Homepage Journal
    the admin narrating the story said the perp looked to be black (or is the word
    African-American these days?), roughly 30, with an accent which seemed
    half London and half African


    Uh, I don't think the term 'American' should be applied to a guy with a half London and half African accent who's currently in Ireland. I just don't see the connection.
  • Eating... (Score:2, Funny)

    by iNetRunner ( 613289 )
    Hmm.. I kind of understand the attempt to eat cops (though you could have better diet), but how do you eat a 10 minute struggle? Is that something bad tasting that doesn't stay down or is it those police men that make it thight fit for your stomach? Well.. should subdue anyone..
  • There's a certain irony to an Irishman in Ireland referring to hauling people off in the paddywagon. Especially when the guy in question actually isn't Irish.
  • by The I Shing ( 700142 ) * on Monday April 05, 2004 @10:31AM (#8768928) Journal
    What a great story!

    Hey, if the memory stick were actually swallowed and then passed through the scammer's digestive system, and the Gardai waited it out and retrieved it from the loo, and it still worked, think what a great marketing slogan the manufacturer could make from that.

    Tough enough to pass through the guts of a scammer!

    If this story turns out to be a hoax, I'll be sorely disappointed. The thought of one of these 419 scammers desperately trying to break free of the grasp of the police in order to run back and hit a kill switch on his notebook computer makes my nipples explode with delight.
    • by Zocalo ( 252965 ) on Monday April 05, 2004 @10:42AM (#8769018) Homepage
      One of our UK computer mags had an article on the robustness of these USB memory dongles in the last month or so. I skimmed it instore, but from memory the tests included:
      • Microwaving
      • Immersing in boiling water
      • Freezing in a block of ice
      • Sundry physical impacts
      Digestion wasn't on the list, but I have no doubt that patience, a rubber glove and a dunk in disinfectant would be all that stands between ingestion, data recovery and prosecution. ;)
      • MaximumPC magazine here in the States did a similar test recently. They put two leading USB keys through a series of everyday hazards such as:

        - Going through a laundry wash cycle (both did fairly well)
        - Going through a dryer cycle (not so well)
        - Being dropped from a 2-story building (pretty decent survival)
        - and so on.

        One of the "joke tests" they proposed but didn't do for fear of cheesing-off the PETA crowd was the canine-digestion test (i.e. the dog ate it).
      • by Idarubicin ( 579475 ) on Monday April 05, 2004 @12:58PM (#8770545) Journal
        Microwaving

        You might get away with brief exposure to a conventional oven, but microwaving for any length of time is going to kill one of these devices.

        There will be strong induced currents in any extended metal object, including the circuit board traces of one of these USB dongles. Very quickly, resistive heating will fry thsoe traces. Quite probably a lethal current will be induced or travel through the flash memory chip itself.

        Ever put aluminum foil in a microwave? It's a graphic demonstration of the problem. A conventional compact disc will also spark prettily in a microwave. Heck, it's possible to create arcing between chunks of sausage. I did it inadvertantly just last week. Cut two wedges of Polish sausage, five to ten millimeters thick. (90 to 120 degree sectors.) Place them on a plate so that the points of the wedges are just touching; the arrangement should look roughly like a bow tie when viewed from above. Microwave on high. Within a few seconds, induced currents should flow between the two sausage halves (I presume that there is enough salt and water in the sausage to make it a passable conductor) producing sparking.

        I assume no responsibility for damage to your sausages, microwaves, etc. Warning: sausage will be hot, yadda yadda yadda.

    • by Alsee ( 515537 ) on Monday April 05, 2004 @10:58AM (#8769168) Homepage
      The thought of one of these 419 scammers desperately trying to break free of the grasp of the police in order to run back and hit a kill switch on his notebook computer makes my nipples explode with delight.

      And twelve-thousand horny Slashot geeks go into neurotic spin-lock over gender uncertainty.

      -
  • Privacy Rights? (Score:4, Insightful)

    by Monkey42 ( 53334 ) on Monday April 05, 2004 @10:34AM (#8768951)
    Where's all the posts saying how this guy's privacy rights were destroyed/taken/bushed by the sysadmin?

    This is /. we are supposed to ignore the fact he's in public and using someone else's internet.

    • Re:Privacy Rights? (Score:4, Insightful)

      by monstroyer ( 748389 ) * <devnull@slashdot.org> on Monday April 05, 2004 @10:42AM (#8769015) Homepage Journal
      Had the person been concerned with privacy, the guy should have used PGP/GPG. Since he was more concerned with exploiting an internet cafe for purposes of sending unsolicited and unencrypted mail to potential victims, fuck him.
    • they're in the replies you nitwit. i wrote a few of them. but then this is slashdot - you probably didn't even read the article, nevermind the followups.
    • by phorm ( 591458 ) on Monday April 05, 2004 @11:20AM (#8769458) Journal
      Hmmm, well let's think for a moment:

      a) The internet cafe is more or less a public place, as well as a private establishment. If they don't have a sign indicating monitoring, at least they wouldn't have anything indicating that you do have 100% privacy

      b) No "privacy" was violated until the issue with SPAM was discovered. At this time, massive SMTP requests were tracked to a particular machine/NIC using the MAC address.

      c) MAC generally being a fairly unique identifier (not many people MAC-spoof), there was a fair bit of surety that the monitoring action was being taken against the same scummy spamming individual, used to acquisition evidence against his activity which while if perhaps not illegal, would almost indefinately violate the usage agreement for the cafe.

      d) You don't really really even have that many privacy "rights" with your ISP. They log activity for these very reasons (spammers, kiddy-fiddlers, other illegal activitiy). If you were tagged as a spammer (with a non-spam friendly ISP) or a kiddy-pr0nography, you would no doubt come under scutiny with them as well.
  • Neat :) but... (Score:5, Insightful)

    by MacAndrew ( 463832 ) on Monday April 05, 2004 @10:38AM (#8768976) Homepage
    i'm trying to picture a revived miami vice, focused on computer crimes. imagine the possibilities. ok, there aren't many...

    congrats to the irish police for taking the offense so seriously. but is anyway here wary of the snooping involved? yes the sysadmin had every right to monitor traffic, but in what depth and for what purpose? for example, there's talk here of trying to fish out the suspect's email password and so on -- at police request. wouldn't it would feel a bit different in the police, without warrant, were to do the same themselves -- imagine worst case of them bugging all internet cafes to examine generic traffic without individualized suspicion. it's bad enough they want to see what we do at the library....

    practically speaking, i would imagine the government generally lacks the resources to parse large amounts of computer data. but just wait until it can be done by computers hunting for suspicious transactions, much as the credit card companies do now to catch fraud. the capability is there.

    i'm not sure where the legal stuff comes out here, this is not US law, but wonder about future possibilities. it is debatable what expectation of privacy you have in an internet cafe -- are keyloggers ok? is decrypting information different from reading plain text? must the user be warned? as an analogy, consider that when the federal exclusionary rule was first judicially established, it did not apply to states and the "silver platter doctrine" emerged whereby state investigators would get what the feds wanted and hand it over clean of any search and seizure problem. obviously this is a charade.

    someone who acts at the behest of the government -- an agent -- pretty much *is* the government, and i wonder if this interpretation colors the reaction of anyone here on privacy -- normally /.'rs are pretty, um, passionate on privacy and gov't intrusion, even if this IS an (alleged!) spammer who by definition is not humanoid. :)
    • Re:Neat :) but... (Score:5, Insightful)

      by OmniGeek ( 72743 ) on Monday April 05, 2004 @11:05AM (#8769251)
      Well, the following considerations have a strong impact on my view of the privacy issues:

      1) Scammer was using a public Internet cafe. For that matter, he was using the Internet, and don't we all understand that anything going out over the 'Net unencrypted can be considered seen by many eyes? There's no reasonable expectation of privacy in this situation. I certainly don't expect more privacy at an Internet cafe than I can get from using SSL on a machine I control; SMTP traffic is effectively public.

      2) Scammer was caught in flagrante delicto, turned in by the sysadmin on the basis of unsolicited information from a public source. This is far, far from the situation where Ashcroft tracks my every 'Net transaction in the absence of probable cause. (And the police in this case VERY likely have probable cause to get a warrant to search the perp's computer and crack his codes.)

      Even if this weren't a spam case, (say, a kidnapping or extortion rap instead), I don't see a fundamental issue of concern in the specific circumstances involved. I worry much more about snooping in the absence of clear evidence of a crime (yes, Mr. Ashcroft, I mean YOU).
  • Best Line (Score:5, Funny)

    by Jonathan Platt ( 670802 ) on Monday April 05, 2004 @10:47AM (#8769060)
    Best Line: "Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them."
  • by adzoox ( 615327 ) * on Monday April 05, 2004 @10:49AM (#8769079) Journal
    This was a really good story. I hope more libraries, internet cafes, and wifi hotspots will monitor their traffic occasionally like this guy did.

    One line I liked, in particular:

    "What have I learned? Firstly, digging up evidence on criminals is an exciting activity. "

    This is the sentiment I have over my jackwhispers.com website. The deconstruction of the criminal mind is very fascinating - particularly when it involves a technical computer issue.

  • by spellraiser ( 764337 ) on Monday April 05, 2004 @10:51AM (#8769106) Journal

    Then, he spent a bit of time on http://www.emailspidereasy.com [emailspidereasy.com]. Don't you just love the fake google-textads?

    Yup, love is the word. I also love these links on the same page:

    Credit cards [globaldebitcard.net] - links to credit card resources

    Cheap loans [dfsc.com] - compare and get a cheap loan

    Compare mortgage quotes [jeffschultzmortgage.com] - cheap mortgages online

    Work from home [ztmi.com] - make money with working from home

    Seems this is the only site spammers need to visit; they have links to spamming resources as well! Very convenient ...

  • by freaksta ( 524994 ) on Monday April 05, 2004 @11:00AM (#8769185) Homepage
    And I would have gotten away with it, if it wasn't for you meddling kids!

  • Diet tips (Score:5, Funny)

    by zoeblade ( 600058 ) on Monday April 05, 2004 @11:04AM (#8769239) Homepage

    It even includes the attempt to eat a usb pen drive, several cops and...

    Diet tip of the day: never try to eat cops. That whole pig motif's just a cunning lie.

    • by lommer ( 566164 )
      He actually might have a future in competitive eating - I don't know anyone, even championship hotdog eaters, that has attempted to eat a 10-minute struggle!
  • Good Show! (Score:3, Interesting)

    by b_w_duncan ( 709534 ) on Monday April 05, 2004 @11:04AM (#8769245)
    This is the kind of thing that makes your day, knowing that you personally have removed at least one source of the crap that fills inboxes. Let's hope the Irish bobbies can do something amazing with your tcpdump trace and if not I'm sure there will be vigilantes out there waiting to DoS the servers you mentioned!

    We need more admins who are willing to take action.

    Is there scope for running something like spamassassin on outgoing mail? Do people do this? Would give you a chance to stop outgoing spam before you get blacklisted.
  • by mrjb ( 547783 ) on Monday April 05, 2004 @11:13AM (#8769365)
    ...are much tastier with a bit of ketchup, and easier to swallow too!
  • by RT Alec ( 608475 ) * <(alec) (at) (slashdot.chuckle.com)> on Monday April 05, 2004 @11:36AM (#8769660) Homepage Journal

    The cafe operator ought to know better:

    This is something of a nightmare for cafe operators, we can hardly block outbound smtp...

    If you operate a public Internet access point (school, library, cafe, city park, etc.) please block egress port 25 traffic! Your patrons do not need to pretend to be an e-mail server. To allow such traffic to come from your network is to invite spammers, scammers, and so on to operate freely with your resources. Anyone needing legitimate e-mail access can use webmail or pester their ISP or business to use SMTP+AUTH+SSL/TLS for initial mail submission (on a port other than 25, of course).

    Configuring a SMTP server to handle this in not difficult for a reasonably skilled sys admin, so no excuses!

    • Your average internet cafe user won't do any of the above.

      They'll just walk 200 yards down the road to the next cafe where they can use their email.
    • Blocking port 25 is only a short term fix. There's no law that says email has to be sent on port 25. Wiith spammers increasingly using cracked PCs running SOCKS proxies and the like, these can be on any port whatsoever.

      Spammers are quick to adopt countermeasures to simple technical efforts to thwart them. Anyone who receives email will have noticed how much the content of spam has changed in just the past year, in order to evade the new filtering technologies. The same thing will happen as port 25 blocking
  • by TBone ( 5692 ) on Monday April 05, 2004 @11:41AM (#8769731) Homepage

    Why not?

    You're a cyber cafe, not a shop that's set up with local accounts. Mail should be of one of two types:

    • Webmail/remotemail/etc, in which case, the mail actually doesn't get sent from your servers, it goes through the webforms/ssh/whatever to be sent from the remote server
    • Mail from actual local accounts for the Cafe's staff. This mail should be filtered to your mail server, and should only be forwarding mail from those accounts. Setting this up is fairly trivial with the many AUTH-before-SMTP methods out there.

    Either way, your proxy server should have a default DENY outbound port 25 EXCEPT from your mailserver, which itse'f is handling the authentication for the few accounts that really are allows to send mail.

  • Similar experience (Score:3, Interesting)

    by lordsilence ( 682367 ) * on Monday April 05, 2004 @11:50AM (#8769832) Homepage
    I don't think that the only problem for internet-cafes are the customers who run "illegal" software, but also the security-policies of the cafes themselves. If policies are not enforced lots can happen before someone takes action.

    I'm currently a part-time employee at a Swedish Internet-cafe where I work as a system admin. I've previously only been taking care of the Linux systems which we run for sponsored websites and gameservers but have recently been forced to take over the work of our late Windows-loving administrator.

    He had the responsibility to maintain our firewall (WatchGuard), our active-directory Windows2000 server (user-database and login) and the exchange system, aswell as other system as the check-in/out machine. These tasks has now forcedly fallen onto me as this previous admin has been removed from further duties. Perhaps he had too much on his hands or he simply didn't care, but lots of security-policies were not enforced which could have saved me lots of trouble.

    Anyhow, recently I began getting calls from an employee at a university here in sweden who told me that spam were originating from our mail.domain.se machine, after doing some further checks I noticed the e-mails were infact being sent from a software disguised as "nortonav.exe" on one of our game-machines. Acting as a spam-daemon. The first thing I did when I had recieved the password for the firewall was to block all smtp-traffic except for the trusted exchange and shutdown this terminal. I've set-up a series of security policies as well as tried to teach the cafe-staff some security-values as in maintaining the antivirus/adware-awarity. Would there be other good countermeasures to take?

    Some of the firewall-blocking:
    03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.236.62.131 4697 25 syn (SMTP)
    03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.4.50.99 4696 25 syn (SMTP)
    03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 200.208.9.162 3525 25 syn (SMTP)
    03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 213.212.42.30 3524 25 syn (SMTP)

    It may be just me who has had bad experience with all administrators at companies I've worked at, who only see Windows as the only option but is it more common for these kind of people to ignore security?
  • by oogoody ( 302342 ) on Monday April 05, 2004 @12:03PM (#8769998)
    >USB pen drives aren't very filling.

    Don't know. That's a lot of bytes.
  • An Garda Siochana (Score:5, Informative)

    by Raven42rac ( 448205 ) on Monday April 05, 2004 @12:59PM (#8770567)
    The Gardai as they are referred to are actually called, in Gaelic "Garda Siochana na hEireann", which translates to "Guardians of Peace in Ireland" . They are the cops in the Republic of Ireland. They even go on peacekeeping missions abroad.
    • (One of) their slang names is "An Garda Sicini" (pronounced with a "h" after the "s", and the two latter "i"'s are long), which means "Guardians of the Chickens".

  • by pangel83 ( 598985 ) * on Monday April 05, 2004 @01:52PM (#8771128) Homepage
    I have bought a domain (let's say johndoe.org) from a very cheap url forwarding company (at a rate of something like $15/year). It comes with unlimited e-mail forwarding aliases, and a "catch-everything" alias (let's say notexisting@johndoe.org), that forwards any e-mail send to non-existing alias to the default e-mail address that I have defined.
    The default e-mail address (let's say secret@johndoe.org) is an alias that forwards everything to my real mailbox (let's say johndoe@aol.com). Of course, my real mailbox address, my catch-all address and the "default" address are not given to ANYBODY.

    For my communication needs, or whenever asked, I just makeup a e-mail address (jonamazon@johndoe.org for amazon so that I will remember easily what address I use on the site). Since the alias is not setup in the mailserver, when amazon tries to contact me, the e-mail will follow the following alias path:
    1) jonamazon
    2) notexisting
    3) secret (default)
    4) real mailbox

    When I see an spam message (once in two weeks!!!), I just divert the alias to point to an abuse address of a random spamhaus. The good thing, is that since I use random but descriptive addresses, I can see what websites actually harvest e-mails and sell them to spammers!!!
    It is interesting to note that at some point I received e-mail that were addressed at some ridiculus random aliases (e.g. jesus@, happykitty@ etc) of my domain (clearly not used by me). Just an indication of the use of wordlists (of course every such alias got blocked).

    I have not yet reached the levels of paranoia of giving seperate e-mail addresses to any of my friends of course :P

    Anyway, it is not as complicated as it looks, and of course way less complicated than using bayesian filters and the like. And believe me, it works :)
  • by thrill12 ( 711899 ) on Monday April 05, 2004 @05:46PM (#8773539) Journal
    ... while in an internet cafe? I mean, in theory it's not much different from a hotel providing a phone service to a customer, whilst sneakingly listening in.
    Don't get me wrong here, spammers are bad and should be caught, but it doesn't do any good when the spammer is let go in a day because of lack of undisputed evidence. My eavesdropping on a communications channel doesn't really do much good there.
    I understand that when the communication actually goes to your own server there is nothing wrong (practically, in many countries it is ok to record a conversation as long as you are the one having it), but I feel that intercepting his yahoo or mail.com passwords is a little on the gray side of the law...
    Please correct me, I want to be wrong here.

Life in the state of nature is solitary, poor, nasty, brutish, and short. - Thomas Hobbes, Leviathan

Working...