Tracking the bad guys

Mike Tancsa mike at
Mon May 31 14:17:42 UTC 2004

At 09:58 PM 30/05/2004, Sean Donelan wrote:

>   "Initially you start to work backwards from the e-mail and find that to
>   be a very frustrating route," said Daniel Larkin, chief of the FBI's
>   Internet Crime Complaint Center, the unit that is coordinating Project
>   Slam Spam.  "that doesn't lead to a live body.  We have collectively
>   realized you have to go the other way and follow the money trail."

No doubt it is easier to follow the money... Although not impossible I find 
it frustrating that when I do find who is controlling the spam proxies, 
there is no one really to report it to.  I feel sorry for the FTC as they 
no doubt get deluged with useless spam complaints, just like we do.  (My 
fav's are "one of your users is abusing us. Stop them!"... No IP, no date, 
nothing!)... So how do you separate the useless complaints from the ones 
that are actually actionable.

   On a number of occasions, I watched in real time as a spammer nailed up 
a connection to one of our infected users and started spamming out via 
them.  I reported the info complete with tcpdumps of the entire session to 
the large colo provider in the US with no response / results.  Yes, it 
could just be yet another compromised computer, but somehow I doubt it 
was.  The rwhois info did look rather suspicious (PO box, phone # bogus, 
email contact bounced) and no public services what so ever on the /28 
allocated to the group of servers.  This was back in the deep dark days of 
2000-2001 when times were tough for many such hosting companies and the 
temptation no doubt great to make a quick buck.


More information about the NANOG mailing list