This is an actual case study of a spam that I received today and tracked to the source. It is intended as a lesson in spam-tracking for the uninitiated or the beginner in spam-tracking. It shows that with patience, all things are possible.
Are you sitting comfortably? Good, then I'll begin.
Today I got spam. That's nothing new, I get spam everyday. But this spam was from Wisconsin, and I happen to live in Wisconsin. I feel a powerful need to get rid of spam in Wisconsin. So, here is what happened and what I did about it.
This is the spam I got:
>Received: from mail.tds.net (unverified [18.104.22.168]) by mail.comp-sol.com > (EMWAC SMTPRS 0.83) with SMTP id <B0000040843@mail.comp-sol.com>; > Mon, 06 Oct 1997 15:55:11 -0500 >Received: from Comp1 (mewi0-a10.midway.tds.net [22.214.171.124]) > by mail.tds.net (8.8.5/8.8.5) with SMTP id PAA03860; > Mon, 6 Oct 1997 15:19:42 -0500 (CDT) >Date: Mon, 6 Oct 1997 15:19:42 -0500 (CDT) >Message-Id: <199710062019.PAA03860@mail.tds.net> >From: email@example.com >Subject: Your Home And Family >YOUR HOME AND FAMILY >Now available,(Your Home and Family), the consumer guide everyone >has been asking for. >This guide is filled with information every household should be >aware of. Protect yourself and your family, be informed of the >real life events that can happen to you and your household. >Read about wills and trusts (don’t let the government take >everything)! >Parents worst fears- (Drug Abuse, maybe its already there)! Be >informed! >Dealing with divorce “Get It Together” “Not The End”. >Safeguards against rape....Don’t let it happen to you, worse yet >a member of your family! >Household: Don’t let your house get the better of you, TAKE >CONTROL! >This guide is packed full of important information that you will >want to share with friends and other family members. >This is “MUST HAVE INFORMATION”. Get this NOW! >Send for your copy today! Here is how to order: Send check or >money order for $29.95 (shipping and handling included in price) >to: >Affordable Services >PO Box 352 >Medford, WI 54451 >PS: You won’t believe the startling information in the guide! >Order an extra report for your friends and neighbors! Give >yourself a little piece of mind.
The sender appears not to have hijacked a mail server to send the spam. The return address could even be legitimate, for all I know.
Therefore, it is not illegal on its face. Sending spam itself is legal, so it would appear that no laws were broken, except that I was unhappy over having gotten the spam in the first place.
So, I sent a letter of complaint to the postmaster at TDS.NET, letting them know that they are harboring a spammer. If they don't permit spamming, they may well terminate the begger. If I never get spam from him again, that should be the end of it, right?
I also did a little checking. Curious sort, am I. I used DejaNews to check out the city of Medford, WI (that's where I'm supposed to send the money for the report to, right)? Here is what I got back:
>1. 97/10/05 028 [email] (UCE) Your Home news.admin.net-abus "Nasty Mama"Ok, so it appears that Nasty Mama has also gotten this spam and has taken some action. But wait, there's more:
>10. 97/09/23 026 [email] Pyramid Sche#1/2 news.admin.net-abus Todd C. LawsonOh-ho! Pyramid scheme, eh? Well, let's just take a look!
[snip - VERY excellent information from Todd Lawson on what a pyramid scheme is, and why it is illegal. For a copy of his report, take a look at it. Use DejaNews and search for Todd Lawson.]
>Subject: [email] Pyramid Scheme from newnorth.net (Your Free Report) >From: Todd C. Lawson <firstname.lastname@example.org> >Date: 1997/09/23 >Message-Id: <email@example.com> >Newsgroups: news.admin.net-abuse.sightings >[More Headers] >X-Reply-to: news.admin.net-abuse.email >Abuse-spotted-in: mailbox firstname.lastname@example.org >Abuse-Subject: Your Free Report >Type-of-abuse: Unsolicited Email, Pyramid Scheme >Description: Pyramid Scheme
>Return-Path: email@example.comWhups, not from TDS.NET, but from NEWNORTH.NET, which is another local ISP in rural Wisconsin. Ok, so maybe this guy got bounced based on Todd's complaint. Notice the similarity in user names, though (webbs vs. webbs321).
[snip rest of headers]
>Free Report >Students! Profesionals! Unemployed! Absolutely anyone can use this >information to >make cash anytime they want. Read and save this report to use time and time >again.[snip much pyramid stuff, we've all seen it.]
>This program has remained successful >because of the >HONESTY Integrity the participants.[Well, not only does our unknown spammer send illegal pyramid schemes, but he is also a liar, as I will also show!]
[snip - more pyramid stuff]
>HERE IS THE LIST OF NAMES TO SEND TO: >1. R.D.Haar, 1628 Hillcrest St. Mesquite, TX 75149 Fargo, USA >2. James Shanahan, 2/16 Myola St., Mayfield 2304, Australia >3. Diane Wicke, PO box 32, Jump River, WI 54434, USA >4. Affordable Services, PO Box 352, Medford, WI 54451, USA
[But wait - here is the man who sent me the UCE! ^^^^^^^ ]
>5. Scott Webster, 939 High Street #102, Rib Lake, WI 54470, USA[And who could this be???]
>Mail $1.00 to each of the 5 names listed above. SEND CASH ONLY (Total >investment:[snip - more pyramid scheme]
>REMEMBER - THIS PROGRAM FAILS ONLY IF YOU ARE NOT HONEST >-PLEASE!! PLEASE BE HONORABLE...IT DOES WORK! THANK YOU[yet another exhortation to BE HONEST!!!]
POSTMASTER MEDFORD, WI 54451and we'd be done with it. But I'm just a curious guy, so I took the very last step in identifying this spammer. I called the US Post Office in Medford, WI at (715) 748-3981. Remember, if the holder of a US Post Office Box lists their PO Box as being used for business, the information is open to the public. If they check off the little box that says that they are NOT doing business with the public, then you can't get the info, but then they are committing perjury (PO Box applications are legal documents). It seems our spammer DID want to be just a little bit honest though, because the post office told me who he is (drum roll, please):
Scott's Affordable Services 939 High Street # 102 Rib Lake, WI 54470Oh gee. Seems like Mister Scott Webster from our pyramid scheme above and Affordable Services from the same list are indeed the same person. On top of that, I would venture a guess to say that webbs and webbs321 both mean Scott Webster, huh? So, same person all the way around. He just could not restrain himself from cheating on his very own pyramid scheme, the one he warns people NOT to cheat on. Shame, shame, Mr. Webster.
Now, I complain to his ISP. I print a copy of the pyramid scheme that was previously posted to news.admin.net-abuse.sightings by Todd Lawson, and I send it to the postmaster at Rib Lake, WI, and Medford, WI.
Our nasty little spammer is going to stop bouncing from ISP to ISP, because he is going to jail.
Thus endeth the lesson.
Bill Mattocks, CIIU
*************************************************************** * * * "My sense of personal integrity is none of your concern." * * -thus spake Walt "Pickle Jar" Rines * * * * "I'm going to pound your balls flat with a wooden mallet." * * -thus respondeth Bill Mattocks * * * ***************************************************************