Spam-tracking 102 (the many uses of DejaNews)
Subject: LESSON: Spam-tracking 102 (the many uses of DejaNews)
From: bmattocks@comp-sol.com (Bill Mattocks)
Date: September 12, 1997
Message-ID: <34196431.52790950@news.alpha.net>
Newsgroups: news.admin.net-abuse.email
Are you sitting comfortably? Good, then I'll begin.
Since posting Lesson 101 (spam
tracking for newbies), I have received a few comments by people curious
about DejaNews and how it works. Quite simply, DejaNews is one of the
dedicated spam-tracker's most powerful tools, and it is quite simple to
use.
DejaNews is a free service and
trademark of Deja News Research Service, Inc. They make their money by
selling banner advertising that the user sees across the top of their
screen when it is used.
DejaNews is the memory of UseNet. There are ways to prevent a given
UseNet message from being archived by DejaNews, and there are ways to
remove your OWN information from DejaNews, but for legitimate
spam-trackers, that's not important. For the most part, DejaNews
simply records a major part of UseNet News traffic, and indexes EVERY
SINGLE WORD of it (that's important, as we'll see later).
What is important is that DejaNews has many powerful features that we
can use to track spam back to its source.
Keeping in mind that most spammers have been at it for a while, we can
use DejaNews for the following:
- Determining from where and for how long a spammer has been spamming.
- Determining if anyone has succeeded in unmasking the spammer yet.
- Determining if the spammer has given away clues to his or her own
identity over a period of time.
To expand on that:
- By searching for a spammer's name or address, we can see if the
spammer has been spamming from more than one location over time. In
effect, we can track the spammer's history as they are kicked from ISP
to ISP. This is useful information!
Often, we get "I'm sorry" responses from clueless ISPs or
even the spammers themselves, who want to fool us into thinking that
they are "beginners" at the spamming game. DejaNews can
put the lie to this one right away! If an ISP gets a spam report,
that's one thing. But, if the ISP gets a report that gives detailed
information on just how long the spammer has been at it, and how
they've been kicked from ISP to ISP, that's quite another. It may
be enough to convince some ISPs to dump the spammer, since the ISP
has been lied to. In any case, you'll know when NOT to believe the
clever "I'm sorry" lie.
- One can see how quickly the messages fly by in NANAE. This can make it
hard to recall exactly who said what to whom and when. Often, a
spammer is unmasked due to the hard work of some anti-spammer, and
then is RE-unmasked by another anti-spammer 6 weeks later. Before
investing all of your time and energy in tracking a spammer, do
yourself a favor and see if the job has already been done for you!
Of course, you must still exercise due diligence to be certain that
the spammer is the same one you're after, but take the time to look!
The power of DejaNews lets you network with anti-spammers who are
speaking to you, as it were, from the past.
- Spammers often change little bits and pieces of their spam as they
fine-tune it. If they find that they've left themselves vulnerable,
they change the ugly bit and continue on. They hope that nobody
realizes that they've fixed whatever it was that gave them away in the
first place. However, DejaNews is the answer here. By comparing past
and present spams from the same spammer, one can find interesting
things which can finish a puzzle sometimes. This is not frequent, but
it does happen. Keep your eyes open for subtle changes in a spammer's
methods that might indicate a weak link.
HOW TO USE DEJANEWS:
Quite simple to begin. Go to http://www.dejanews.com and type in the
name or mailing address of the spammer. Click on the FIND button.
However, sometimes it is not as simple as all of that. Fortunately, as I
said earlier, DejaNews indexes the COMPLETE TEXT of all that it collects.
Given that, you can search on random bits of text that can shed light on
the identity of a spammer. Is he using a PO Box? If so, type that in.
You'd be amazed at how many spammers are too cheap to get a new PO Box
after they're unmasked at one spam and move on to another. Same PO Box
generally means same spammer. Phone numbers. Searching for ISPs can give
a clue as to whether or not they've been known to host spammers. Use your
imagination! Try matching up the IP address that the spammer came in
from. That is less useful, since most IP numbers are pseudo-random when
they're hosting a dialup account, but you never know. It might be an IP
address that's been made to look like a dialup, but is really a dedicated
circuit. You have to think a bit like a detective. Use logic and
reasoning to satisfy yourself that a hit is or is not the spammer you're
looking for. Even a ".sig" line can ID a spammer sometimes.
Spammers are often quite gray little blobby creatures, devoid of
individual traits, but sometimes one burns with a bit of creativity, or
happens to seize upon a certain phrase which they like to use over and
over. It can be their undoing.
Don't forget to search ALL the way back in DejaNews. At the end of the
initial search, you'll see another block with your original search in it,
and a couple of radio buttons for "recent" and "old"
news. The default that you've just completed is recent. Make sure to
check out the "old" news as well.
DejaNews has many powerful features, including a "power search"
mode. I encourage you to explore those features as well, although you'll
have to learn a bit about boolean logic, which is beyond the scope of
this lesson.
That's it for now. Remember, DejaNews is a big hammer for the
anti-spammer. Don't be afraid to use it to clobber a spammer.
Best Regards,
Bill Mattocks, CIIU
PS - All rights granted to republish this in any form, so long as the
information is complete and attributed to the author. Have fun.
***************************************************************
* Keep up to date on SPAM in the MEDIA! Visit SpamWatch and *
* click your way to useful up-to-date information for free! *
* http://www.psyclone.com/spamwatch *
***************************************************************
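
The cross-referencing the lesson describes (the same PO Box, phone number, posting host or ".sig" turning up in more than one post, and spotting what a spammer removed between versions), as an added example that is not part of the original post. The archive entries, addresses and numbers are constructed, the function names are hypothetical, and the code works on locally saved message text rather than on DejaNews itself.

```python
import re
from collections import defaultdict

# Reusable identifiers the lesson suggests searching on.
SELECTORS = {
    "po_box": re.compile(r"\bP\.?\s*O\.?\s*Box\s+(\d+)", re.I),
    "phone": re.compile(r"\(?\b(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b"),
    "ip": re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"),
}

# Constructed sample archive: message-id -> saved article text.
ARCHIVE = {
    "<a1@isp-one.example>": "Make money fast! Send $5 to P.O. Box 4521, Anytown. "
        "Call (212) 555-0147.\nNNTP-Posting-Host: 192.0.2.44\n-- \nSuccess is a choice!",
    "<b2@isp-two.example>": "Amazing offer!!! Mail PO Box 4521 Anytown.\n"
        "NNTP-Posting-Host: 198.51.100.7\n-- \nSuccess is a choice!",
    "<c3@isp-three.example>": "Unrelated ad. Write to P.O. Box 9000. "
        "Call 212-555-0199.\nNNTP-Posting-Host: 203.0.113.9",
}

def extract(text):
    """Return the set of (kind, normalised value) selectors in one message."""
    found = set()
    for kind, rx in SELECTORS.items():
        for m in rx.finditer(text):
            found.add((kind, "".join(m.groups())))
    # Everything after the conventional "-- " delimiter is the .sig.
    sig = text.partition("\n-- \n")[2]
    if sig.strip():
        found.add(("sig", " ".join(sig.lower().split())))
    return found

def link(messages):
    """Selectors that appear in more than one message, with the message-ids."""
    index = defaultdict(set)
    for msg_id, text in messages.items():
        for sel in extract(text):
            index[sel].add(msg_id)
    return {sel: sorted(ids) for sel, ids in index.items() if len(ids) > 1}

def dropped(old, new):
    """Selectors present in an older spam that the newer version no longer has."""
    return extract(old) - extract(new)

if __name__ == "__main__":
    for sel, ids in link(ARCHIVE).items():
        print(sel, "->", ids)
    print("removed since first spam:",
          dropped(ARCHIVE["<a1@isp-one.example>"], ARCHIVE["<b2@isp-two.example>"]))
```

A shared selector is a lead, not proof: as the lesson says, you still have to satisfy yourself that the hit is the same spammer.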