Subject:      LESSON: Spam-tracking 102 (the many uses of DejaNews)
From:         bmattocks@comp-sol.com (Bill Mattocks)
Date:         1997/09/12
Message-Id:   <34196431.52790950@news.alpha.net>
Newsgroups:   news.admin.net-abuse.email


Are you sitting comfortably?  Good, then I'll begin.

Since posting Lesson 101 (spam tracking for newbies), I have received
a few comments by people curious about DejaNews and how it works.
Quite simply, DejaNews is one of the dedicated spam-tracker's most
powerful tools, and it is quite simple to use.

DejaNews is a free service; Deja News (TM) is a trademark of Deja News
Research Service, Inc.  They make their money by selling banner
advertising that the user sees across the top of the screen while
using the service.

DejaNews is the memory of UseNet.  There are ways to prevent a given
UseNet message from being archived by DejaNews, and there are ways to
remove your OWN information from DejaNews, but for legitimate
spam-trackers, that's not important.  For the most part, DejaNews
simply records a major part of UseNet News traffic, and indexes EVERY
SINGLE WORD of it (that's important, as we'll see later).

What is important is that DejaNews has many powerful features that we
can use to track spam back to its source.

Keeping in mind that most spammers have been at it for awhile, we can
use DejaNews for the following:

1) Determining from where and for how long a spammer has been
spamming.
2) Determining if anyone has succeeded in unmasking the spammer yet.
3) Determining if the spammer has given away clues to his or her own
identity over a period of time.

To expand on that:

1) By searching for a spammer's name or address, we can see if the
spammer has been spamming from more than one location over time.  In
effect, we can track the spammer's history as they are kicked from ISP
to ISP.  This is useful information!  

Often, we get "I'm sorry" responses from clueless ISPs or even the
spammers themselves, who want to fool us into thinking that they are
"beginners" at the spamming game.  DejaNews can put the lie to this
one right away!  If an ISP gets a spam report, that's one thing.  But,
if the ISP gets a report that gives detailed information on just how
long the spammer has been at it, and how they've been kicked from ISP
to ISP, that's quite another.  It may be enough to convince some ISPs
to dump the spammer, since the ISP has been lied to.  In any case, you'll
know when NOT to believe the clever "I'm sorry" lie.

2) One can see how quickly the messages fly by in NANAE.  This can
make it hard to recall exactly who said what to whom and when.  Often,
a spammer is unmasked due to the hard work of some anti-spammer, and
then is RE-unmasked by another anti-spammer 6 weeks later.  Before
investing all of your time and energy in tracking a spammer, do
yourself a favor and see if the job has already been done for you!  Of
course, you must still exercise due diligence to be certain that the
spammer is the same one you're after, but take the time to look!  The
power of DejaNews lets you network with anti-spammers who are speaking
to you, as it were, from the past.

3) Spammers often change little bits and pieces of their spam as they
fine-tune it.  If they find that they've left themselves vulnerable,
they change the ugly bit and continue on.  They hope that nobody
realizes that they've fixed whatever it was that gave them away in the
first place.  However, DejaNews is the answer here.  By comparing past
and present spams from the same spammer, one can find interesting
things which can finish a puzzle sometimes.  This is not frequent, but
it does happen.  Keep your eyes open for subtle changes in a spammer's
methods that might indicate a weak link.

HOW TO USE DEJANEWS:

Quite simple to begin.  Go to http://www.dejanews.com and type in the
name or mailing address of the spammer.  Click on the FIND button.
However, sometimes it is not as simple as all of that.  Fortunately,
as I said earlier, DejaNews indexes the COMPLETE TEXT of all that it
collects.  Given that, you can search on random bits of text that can
shed light on the identity of a spammer.  Is he using a PO Box?  If
so, type that in.  You'd be amazed at how many spammers are too cheap
to get a new PO Box after they're unmasked on one spam and move on to
another.  Same PO Box generally means same spammer.  The same goes for
phone numbers.
Searching for ISPs can give a clue as to whether or not they've been
known to host spammers.  Use your imagination!  Try matching up the IP
address that the spammer came in from.  That is less useful, since
most IP numbers are pseudo-random when they're hosting a dialup
account, but you never know.  It might be an IP address that's been
made to look like a dialup, but is really a dedicated circuit.  You
have to think a bit like a detective.  Use logic and reasoning to
satisfy yourself that a hit is or is not the spammer you're looking
for.  Even a ".sig" line can ID a spammer sometimes.  Spammers are
often quite gray little blobby creatures, devoid of individual traits,
but sometimes one burns with a bit of creativity, or happens to seize
upon a certain phrase which they like to use over and over.  It can be
their undoing.
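As an added example (not part of the original post), here is a small Python script that pulls the kinds of pivots this lesson names (PO Box, phone number, IP address, e-mail address, .sig line) out of a spam so they can be typed into DejaNews, and that diffs an older and a newer copy of the same spam to surface the "subtle changes" point 3 above describes.  Both spam messages are constructed samples, not real spam, and the regular expressions are my own rough approximations.

```python
import re
import difflib

# Two constructed copies of one spam (not real messages): an earlier sighting
# and a later one in which the spammer has quietly "fixed" a few details.
SPAM_OLD = """Received: from dialup-203.example-isp.invalid (192.0.2.45)
From: bigmoney@example-free.invalid
Subject: MAKE $$$ FAST!!!
Send $29.95 to PO Box 1234, Anytown, ST 00000
or call 1-555-0123 today!!
-- 
Be a WINNER, not a whiner! (tm)
"""
SPAM_NEW = """Received: from ppp-17.other-isp.invalid (198.51.100.9)
From: cashnow@example-free.invalid
Subject: MAKE $$$ FAST!!!
Send $29.95 to P.O. Box 1234, Anytown, ST 00000
Call now!!
-- 
Be a WINNER, not a whiner! (tm)
"""

# The search pivots the lesson suggests typing into DejaNews.
PO_BOX = re.compile(r"\bP\.?\s?O\.?\s*Box\s+(\d+)", re.I)
PIVOT_PATTERNS = {
    "phone": re.compile(r"\b(?:1-)?(?:\d{3}-)?\d{3}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}
SIG_DELIM = re.compile(r"\n-- ?\n")  # Usenet signature separator line "-- "

def extract_pivots(msg):
    """Candidate search terms from one spam, grouped by kind."""
    found = {k: sorted(set(p.findall(msg))) for k, p in PIVOT_PATTERNS.items()}
    # Normalise so "PO Box 1234" and "P.O. Box 1234" compare as the same box.
    found["po_box"] = sorted({"PO Box " + n for n in PO_BOX.findall(msg)})
    parts = SIG_DELIM.split(msg, maxsplit=1)
    found["sig"] = [ln for ln in parts[1].splitlines() if ln.strip()] if len(parts) == 2 else []
    return found

def shared_pivots(old, new):
    """Pivots that survived the edits: same PO Box or .sig usually means same spammer."""
    a, b = extract_pivots(old), extract_pivots(new)
    return {k: sorted(set(a[k]) & set(b[k])) for k in a if set(a[k]) & set(b[k])}

def changed_lines(old, new):
    """The '-'/'+' lines of a unified diff between two sightings of the spam."""
    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0))
    return [ln for ln in diff[2:] if ln[:1] in "+-"]  # skip file headers and @@ lines
```

Run `shared_pivots(SPAM_OLD, SPAM_NEW)` to see which clues the spammer kept, and `changed_lines(SPAM_OLD, SPAM_NEW)` to see exactly which lines were altered between sightings.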

Don't forget to search ALL the way back in DejaNews.  At the end of
the initial search, you'll see another block with your original search
in it, and a couple of radio buttons for "recent" and "old" news.  The
default that you've just completed is recent.  Make sure to check out
the "old" news as well.

DejaNews has many powerful features, including a "power search" mode.
I encourage you to explore those features as well, although you'll
have to learn a bit about boolean logic, which is beyond the scope of
this lesson.

That's it for now.  Remember, DejaNews is a big hammer for the
anti-spammer.  Don't be afraid to use it to clobber a spammer.

Best Regards,

Bill Mattocks, CIIU

PS - All rights granted to republish this in any form, so long as the
information is complete and attributed to the author.  Have fun.


***************************************************************
* Keep up to date on SPAM in the MEDIA!  Visit SpamWatch and  *
* click your way to useful up-to-date information for free!   *
* http://www.psyclone.com/spamwatch                           *
***************************************************************