a fun little story about catching a spammer red-handed:

for the last month or two a computer in our main library wireless network has been sending large quantities of spam to various other mail servers on the internet. we had assumed that it was a student laptop infected with a virus, though the computer information didn't show up in any of our management databases. the problem was complicated because it takes about a day or so for spam reports to make their way back to us, and every time we received a report the computer was once again off our network.

i happened to be in the middle of email correspondence with the mail admin for the university of washington about a separate virus-related instance, who then replied saying that they were getting hammered by the same machine, which i'll just refer to as "C" through the rest of this. here's the full information on C:

    hostname: d249.wireless.[redacted].edu
    windows network name: "CNU3270BRK"
    windows workgroup: "oldgroup"

dhcp information (note: times are in GMT):

    lease [redacted].254.249 {
      starts 2 2004/03/02 13:59:24;
      ends 2 2004/03/02 19:35:24;
      tstp 2 2004/03/02 19:35:24;
      binding state active;
      next binding state free;
      hardware ethernet 00:08:02:f6:e8:65;
      uid "\001\000\010\002\366\350e";
      client-hostname "CNU3270BRK";
    }

at this point, the machine was still on the network, so i decided to take a passing investigation to see if we could track down the owner of the machine to force them to get their computer fixed (we were still pretty sure this was being caused by a virus at this time). there weren't any identifiable characteristics about this machine, so i figured i would send it a message that would get displayed on the desktop of the machine (this is called a "winpopup" message, and can be sent by remote administrators and other clever individuals). unfortunately, the machine was set up to not accept such remote messages.
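as an added example (not part of the original post), here is the bookkeeping that the day-long report delay calls for: parse dhcpd.leases blocks like the one above and ask which device held an address at the time stamped on an abuse report, since by the time the report arrives the address may already belong to somebody else. the sample leases are constructed; only the MAC, uid and client-hostname come from the post, and the address uses a documentation prefix in place of the redacted one.

```python
import re
from datetime import datetime, timezone
# constructed sample in dhcpd.leases format, modelled on the block quoted above: the MAC,
# uid and client-hostname are the post's values, the address uses a documentation prefix in
# place of the redacted one, and the second lease (another device that held the same
# address the day before) is invented to show why the report's timestamp matters.
LEASES = """\
lease 192.0.2.249 {
  starts 2 2004/03/02 13:59:24;
  ends 2 2004/03/02 19:35:24;
  binding state active;
  hardware ethernet 00:08:02:f6:e8:65;
  uid "\\001\\000\\010\\002\\366\\350e";
  client-hostname "CNU3270BRK";
}
lease 192.0.2.249 {
  starts 1 2004/03/01 12:10:02;
  ends 1 2004/03/01 15:40:02;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "otherlaptop";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_utc(s):
    """Parse 'YYYY/MM/DD HH:MM:SS' (dhcpd's layout, always UTC) into an aware datetime."""
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def _stamp(field, body):
    # timestamps look like "starts 2 2004/03/02 13:59:24;"; the leading weekday digit is skipped
    m = re.search(rf"\b{field}\s+\d\s+(\S+ \S+);", body)
    return parse_utc(m.group(1)) if m else None

def _field(name, body):
    m = re.search(rf"\b{name}\s+(.+?);", body)
    return m.group(1).strip('"') if m else None

def parse_leases(text):
    """Turn dhcpd.leases text into a list of dicts with ip, starts, ends, mac and hostname."""
    return [{"ip": ip, "starts": _stamp("starts", body), "ends": _stamp("ends", body),
             "mac": _field("hardware ethernet", body),
             "hostname": _field("client-hostname", body)}
            for ip, body in LEASE_RE.findall(text)]

def who_had(ip, when, leases):
    """Return the lease that covered `ip` at UTC datetime `when` (an abuse report's time), or None."""
    return next((l for l in leases if l["ip"] == ip and l["starts"] <= when < l["ends"]), None)
```

a report timestamped in a remote site's local time has to be converted to UTC before the lookup, because dhcpd writes every lease time in UTC.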
but it did happen to be sharing its "my documents" folder on the network to anyone interested enough to connect (that is, no user/pass required). poking around in there, i found many documents written by a "Michael [redacted]", who seemed to have some involvement with a "N[redacted], LLC". a search on the pennsylvania department of state shows [redacted] is registered as an llc. it's also registered as a fictitious name, owned by:

    1 MICHAEL [redacted]
    2 JASON [redacted]
    3 MICHAEL [redacted]

at this point, i assumed it was a third party consultant firm hired out by the library, so i spoke with one of the librarians there. she'd never heard of them before, nor had anyone else in the library (or in its). fortunately, i happened to find an "invoices" directory, and some of these documents were listed with a phone number at which niche wave media could be contacted, so i called the number. the phone conversation was roughly:

    2004/03/02, 10:30 AM
    m: "hello?"
    s: "hi, my name is sean [redacted], a unix systems administrator at [redacted] college. I'm trying to reach a michael [redacted] of [redacted]."
    m: (uncomfortable pause) ... "uh, this isn't michael, i got this phone from somebody else".
    s: "okay, would you happen to have a number at which i could reach michael then? I'm trying to get in touch with him"
    m: "um, could i take a message? i could, um, tell him you called"
    s: "sure. we're pretty sure he's on our campus and we'd like to get in touch with him"
    m: "what was your name again?"
    s: "sure, it's ..."

and immediately after the phone conversation, his computer was offline and no longer on our network. i'd say it's safe to surmise that i did in fact speak with the michael [redacted] in question. of course at the time, as sketchy of a conversation as it was, we gave him the benefit of the doubt. however, we did decide to continue in our quest to learn about the mythical mike [redacted] and [redacted].
it turns out that [redacted] has two web sites, [redacted].com and [redacted].com. one is "under construction", the other requires login access before you can get to anything substantial, but it does say this in a short summary:

    --------
    About Us

    [redacted] was founded in 2002 by Jason [redacted] & Michael [redacted] with the ambitious idea to create and maintain useful, interactive, and entertaining niche college websites for every major college university. Over the past year we have been successful in our quest to establish a major website at each major university desired. Our goal is to continue to build our network and expand on creative applications that will continue to help and entertain students nationwide. We believe that with the right resources at each university that we will be able to accomplish our mission and continue to create an environment that values diversity, in gender, race, values, and culture among our communities.
    --------

(note that Jason [redacted] is also listed in the pa state filing)

again, we just figured that they were some 3rd party consultant firm who someone we hadn't spoken to had brought in. we thought we'd do them a favor and let them know that they seemed to have a laptop with a virus on it. of course, we didn't have a phone number at which we could reach them, other than the cell phone number listed above... or did we?

a little bit about dns: when you register a domain name, such as [redacted].com, you must register your name with a certified registrar. this information is then used to keep track of who owns what domain, and who to contact about problems, billing, administration, etc.
and all of this can be queried with the unix "whois" command:

    $ whois [redacted].com
    Organization:
       Jason [redacted]
       JASON [redacted]
       2520 [redacted] rd`
       [redacted], PA 19018
       US
       Phone: 610 [redacted]
       Email: [redacted]

    Administrative Contact:
       Jason [redacted]
       JASON [redacted]
       2520 [redacted] rd`
       [redacted], PA 19018
       US
       Phone: 610 [redacted]
       Email: [redacted]

so we have another phone number, as well as an address, which is a stone's throw away in secane. i called the number, which sounded like a family (mother's? "this is the [redacted] residence, leave a message at the beep") answering machine, and i didn't want to be a disturbance, so i didn't leave a message. a search on google shows the number registered to a diane [redacted] at the same address. it even provides a convenient link to yahoo! maps, in case we ever wanted to visit.

at this point, we went back to getting real work done, had lunch, and came back. that afternoon, while going through more of the postmaster mail, fran discovered that the emails were specifically targeted to the universities to which they were sent (and they were only sent to universities, which i had written off as a virus writer disgruntled with higher education). here's an excerpt from uw's rejected spam:

> -------- Original Message --------
> Subject: Wicked awesome Washinton site!!
> From: aluisa35@u.washington.edu
> Date: Mon, March 1, 2004 9:26 am
> To: rachel545@u.washington.edu
>
> go to www.thehuskieweb.com, its a +cool website for Washington students, its about time we had something like this

which is now more than fishy. this is definitely targeted direct marketing, given what [redacted]'s "mission statement" seems to imply. just to glue the pieces together:

    $ whois thehuskieweb.com
    Administrative Contact:
       [redacted], Kellie  [redacted]
       227 [redacted] Rd
       [redacted] Estates, Pa 19023
       US
       267-847-[redacted]

hmm... does that email address look familiar?

... but wait! there's more! some googling by fran turns up an article on temple university's web site about two young entrepreneurs from drexel who had started an online site for temple students. the article was entitled "OwlWeb ruffles feathers":

    http://www.temple-news.com/news/2003/03/06/News/Owlweb.Ruffles.Feathers-388440.shtml

care to guess who the students were? what's really neat about the article is that it has a picture of Mike [redacted]:

    http://media.collegepublisher.com/media/paper143/stills/w13wbzi5.gif

and here's jason, courtesy of google images:

    http://images.google.com/images?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=jason+kilpatrick+drexel&sa=N&tab=wi

apparently he plays lacrosse. go drexel sports.

anyway, at this point i'd feel safe to say we know exactly who's been behind this. so to sum up what we learned from a day's worth of poking here and there: mike [redacted] of [redacted] llc has apparently been using [redacted] library's free wireless access to send large (~10-100k per blast) amounts of unsolicited bulk email to students of various universities. we are not sure for how long he has been doing this, but i would imagine at least two months intermittently.
you can reach mike or his partner jason with the following contact information:

    [redacted], llc
    2520 [redacted], Clifton Heights, PA 19018

    michael [redacted]
    (267) 847 [redacted]

    jason [redacted]
    (610) 543-[redacted]
    jason.[redacted]@[redacted].com
    2520 [redacted] Rd, Clifton Heights, PA 19018

epilogue: i was contacted by mike and jason about a month after posting this. turns out gabe's blog + google put this story of mine ahead of even their own website, and it was affecting some of their more legitimate business relationships. they came by my office and apologized profusely, promising to never again use our network for such activities.

after some serious thought, and later procrastination, and against the advice of my friends, i've decided to redact mike and jason's personal details, as well as those of their business. i just don't feel that it really gains me anything to further make their lives miserable and drive their business to ruin. i got them to acknowledge the fact that they were caught, wrong, and even apologize, and i have a great story to boot. note that this should in no way be interpreted as my waiving the right to disclose this information, which i will still do for friends or anyone who i feel has a valid reason to have this information. note that there's also one small piece of information in this document which hasn't been redacted and could be used by a clever person to figure this all out for themselves, but i won't say what it is :)