Game On
Every second week, I let loose with a bit of vitriol in this space. Usually, it's because I'm a bit irked at something or someone.
But this week, I'm right pissed off.
The subject of my fury is every punk-assed, snot-nosed spammer in the business. It started, as all good jihads do, on a slow day. I was perusing the day's access logs, and I came across this little gem:
141.152.245.82 - - [25/Mar/2002:18:42:40 -0700] "GET /cgi-bin/formmail.pl?email=formmailed%40yahoo%2Ecom&subject=www%2Ecodetalker%2Ecom%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=spazdialer%40spazdialer%2Ecom&msg=slikk%20and%20drew%20owned%20you%2E HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 3682 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"
It's not that I was particularly surprised to see it. (The novelty of seeing vulnerability scans in my server logs wore off half an hour after starting a computer security company.) What surprised me was that this particular formmail scan didn't send its results to an AOL address.
In fact, this scan led right to the would-be spammer's front door.
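For anyone who wants to pick these probes out of their own logs rather than stumble on one by eye, here is a small scanner. It is an added example, not code from this column or from pintday.org. It parses Apache combined-format lines, flags any request for a formmail script that carries a recipient address in the query string, and decodes the fields the scanner itself uses: recipient (where the hit list is mailed), subject (how the scanner records which host answered) and msg. The sample log is constructed: the first line reproduces the probe quoted above, the other two are made up, and the script names it matches on are an assumption.

```python
"""Flag FormMail recipient-hijack probes in an Apache combined-format access log.

Added example, not code from the column. The log lines below are constructed:
the first reproduces the probe quoted in the column, the rest are invented.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format. The request field is captured whole because a
# sloppy scanner can leave a malformed request line with extra spaces in it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input (see the module docstring).
SAMPLE_LOG = """\
141.152.245.82 - - [25/Mar/2002:18:42:40 -0700] "GET /cgi-bin/formmail.pl?email=formmailed%40yahoo%2Ecom&subject=www%2Ecodetalker%2Ecom%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=spazdialer%40spazdialer%2Ecom&msg=slikk%20and%20drew%20owned%20you%2E HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 3682 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"
10.0.0.5 - - [25/Mar/2002:18:43:01 -0700] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
192.0.2.77 - - [25/Mar/2002:19:01:12 -0700] "GET /cgi-bin/FormMail.pl?recipient=dropbox%40example.net&subject=www%2Eexample%2Eorg&msg=hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Script names to match on (assumed; extend for your own deployment).
FORMMAIL_NAMES = ("formmail", "formmail.pl", "formmail.cgi")


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    method, _, rest = rec["request"].partition(" ")
    target, _, protocol = rest.partition(" ")
    rec.update(method=method, target=target, protocol=protocol)
    return rec


def classify_probe(rec):
    """Return probe details if this request tries to steer FormMail's recipient, else None.

    The tell is a request for a formmail script whose query string carries a
    'recipient' address: an unpatched script mails whatever 'msg' says to that
    address, so the address is where the scanner collects its hit list, and the
    'subject' is how it remembers which host answered.
    """
    url = urlsplit(rec["target"])
    if url.path.rsplit("/", 1)[-1].lower() not in FORMMAIL_NAMES:
        return None
    qs = parse_qs(url.query)
    if "recipient" not in qs:
        return None

    def first(key):
        return qs.get(key, [""])[0]

    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "status": rec["status"],
        "recipient": first("recipient"),
        "reported_target": first("subject"),
        "msg": first("msg"),
        # A 404 means no script was there to mail anything. A 200 only means
        # something answered; whether mail actually left needs the MTA logs.
        "script_present": rec["status"] != 404,
        # The column's probe fused a header onto the request line; an
        # unexpected protocol token is a usable fingerprint of that tooling.
        "malformed_request_line": not re.fullmatch(r"HTTP/\d\.\d", rec["protocol"]),
    }


def find_probes(log_text):
    """Scan a whole log and return the probes found, in log order."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            probe = classify_probe(rec)
            if probe:
                probes.append(probe)
    return probes


def dropboxes(probes):
    """Map each collection address to the set of source IPs that pointed at it."""
    out = {}
    for p in probes:
        out.setdefault(p["recipient"], set()).add(p["ip"])
    return out


if __name__ == "__main__":
    for p in find_probes(SAMPLE_LOG):
        print(f'{p["ts"]} {p["ip"]} -> {p["recipient"]} status={p["status"]} '
              f'present={p["script_present"]} malformed={p["malformed_request_line"]} '
              f'reported as "{p["reported_target"]}"')
```

Run it on a real log by replacing SAMPLE_LOG with the file contents; the dropboxes() map is the part worth keeping, since the recipient address is the one field the scanner cannot spoof without losing its own results.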
So how could I resist?
To: spazdialer@spazdialer.com, ToxicJuice@yahoo.com
Subject: Break-in Attempt
Date: Tue, 26 Mar 2002 11:21:36 -0700
To: Keith Salay Jr.
615 Benton Lane
Morrisville, PA 19067
(215) 736-0250
Mr. Salay,
On Mar 25, at 6:42 Mountain time, you attempted to exploit a common CGI vulnerability against our web server (a.k.a. the formmail hole).
Thank you for helping me test the security of my web site. Unfortunately, it was not vulnerable.
By now I'm sure your mailbox is starting to fill with numerous "slikk and drew owned you" messages. Do you realize that each of these messages represents a compromised system? The laws against computer intrusion are getting fairly stringent these days. As a matter of fact, recent changes to your country's Terrorist Bill have actually made certain types of computer intrusions a Terrorist Act.
Are you a Terrorist, Mr. Salay?
I suspect you're not. I suspect you're simply another upstanding member of the pornography community that thinks sending Spam is an acceptable business practice.
Of course, spam itself is illegal in several states now, but you are not simply sending Spam, Mr. Salay. You are breaking into machines to do it.
This is a serious offence. I will treat it as such.
Now, on the off chance you don't know what is going on, you might want to start by finding whoever was using the IP address 141.152.245.82 on March 25 at 6:48pm Mountain time. If you need help, I've looked up the ARIN record for you:
Verizon Internet Services (NETBLK-VZ-DSLDIAL-PHLAPA-13)
141.152.224.0 - 141.152.255.255
It's a Philadelphia NOC. It's practically right in your backyard. Go check it out.
In the meantime, Mr. Salay, please do not attempt to break into any more of my machines. It's not particularly friendly. In fact, it's quite illegal.
And very un-Masonic.
Goodbye Mr. Salay. I hope not to hear from you in the near future.
Kjell Wooding
Security Administrator, pintday.org
When you fire off a note like this, you don't really expect a reply, unless you count having your email address added to numerous unpleasant mailing lists. Imagine my shock, then, when I received this reply, a mere hour and a half later:
From: "spazdialer" <spazdialer@spazdialer.com>
To: <abuse@pintday.org>
Subject: Re: Break-in Attempt
Date: Tue, 26 Mar 2002 14:50:02 -0500
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Dear Sirs,
I deeply apologize for any problems this may have caused. I received your letter early today and had my systems analyst check it out. I was told that I was infected with a virus known as "SubSeven 1.8" which I was told was a backdoor. This program/virus allowed someone access to my computer plus complete control to do what they wish with my bandwidth. I have notified Verizon Online of this security breach. If you need my lawyer's contact information for any liable fees please let me know. I again apologize for this problem that has occurred. We have gotten rid of the virus here.
Regards,
Keith Salay Jr.
Now, I'm not going to get off on a rant about this particular excuse. Sure, “My computer got broken into” has been the near-unanimous reply in my six-odd years of vulnerability reporting, and sure, even if it were true, it's not a valid way to squirm out of responsibility for the act. No, I'm not even going to go after the improbability of the argument that “Someone broke into my computer and configured it to mail vulnerable machine names to my personal email address. I found and fixed the problem in the last 60 minutes.” Nope. I'm going to leave those for another day's rant.
What I am going to go off about is that Mr. Salay's response is the only response that I received on the issue, replybots excluded. You see, the mail to Mr. Salay was sort of an afterthought. At that point, I had already mailed all the ISPs, upstream providers, and service vendors along the path from his desktop machine to here, and back again. Not one of them had the courtesy to respond, because service providers do not care to solve the problem.
Case in point: I am currently embroiled in the pleasure of tracking down a little bastard that is sending out spam using one of my old email addresses on the From: line. In the last week or so, I have exchanged over 70 pieces of mail with various ISPs and vendors on the issue. I say exchanged, but in reality, that means I send them mail, and their replybot assigns me an ephemeral tracking number. Thus ends the exchange. In those 70 pieces of mail (all of which now carry a very explicit “Please have the courtesy to reply to this message in person,”) only two replies have been made by a non-bot:
- A kind message explaining how I can filter and delete spam from my mailbox without bothering the nice ISP.
- A canned spank for not including the original mail messages in every message. (Silly me. I included the “tracking numbers” for the original messages instead.)
Somewhere in this replybot-fueled trouble-ticket hell, I came to realize the problem. For me, years of vulnerability reporting, log scanning, and email abuse had taken their toll. If I received spam, I deleted it. If I was scanned for vulnerabilities that weren't present, I ignored the scans. When some snot-nosed spammer-punk sent mail with my spoofed address in the From: line, I just deleted the bounces and snottygrams. Over the years, I'd put in my time. I'd reported the vulnerabilities, and I had gotten exactly nowhere. The attacks didn't slow. The spam didn't stop.
In short, I'd gone numb.
Now, if my experiences last week were any indication, the numbness is now industry-wide. Nobody cares about CGI-scans. Nobody cares about firewall logs. Nobody cares about spam. Due diligence means installing a replybot and random-ticket-number-generator as your abuse@ email address.
Well, I'm not gonna stand for that any more. I've decided it's time to shake off the numbness and become an active participant in this game again. If you try to fleece me with a reply bot and random number generator, I'm going to make your life a living hell. If you take a poke at one of my servers, you're going to get poked back. Don't get the wrong impression. I haven't traded my green lightsabre for a red one. No, half the fun of this game is finding new and innovative ways of legitimately humiliating lusers.
No, what I'm saying is this: I'm awake now, and I suspect that I'm going to be waking up a few others along the way. It's game on, baby, and you'll probably read about it here.
But that's a story for another Tuesday.
Kjell Wooding
Tuesday, April 2, 2002
PD DXLI