The source of the forged cancels.

From: scheidell@fdma.com (Michael S. Scheidell)
Newsgroups: news.admin.net-abuse.misc
Subject: location of crusader proved!!
Date: 2 Oct 1995 16:18:26 -0400
Message-ID: <44phei$m4a@fdma.fdma.com>

OK, I've got the proof of where the crusader email spam AND the forged 
cancels came from. (thank you danhiel at uunet.....)

BOTH CAME FROM asso.nis.garr.it.

No matter WHAT they say.  No matter if they deny it.
If they DIDN'T DO IT then their root is compromised.

I have copies of the uunet news log with THEIR site as originator of the 
spam cancels.

I have a copy of our tcp_wrapper log, proving the origin of one copy of 
the crusader email spam.


HERE IS UUNET'S LOG OF CANCEL FORGERIES....
notice the ip address
192.12.192.10 (uunet doesn't have time for reverse lookup)

but, here is nslookup:

Default Server:  localhost
Address:  127.0.0.1

> 192.12.192.10
Server:  localhost
Address:  127.0.0.1

Name:    asso.nis.garr.it
Address:  192.12.192.10

> 

guess what.. These bastards have denied having anything to do with this.

But, this AND the tcp_wrapper log on OUR sendmail showing and VERIFYING 
their site as the originator, of not only the crusader email spam, BUT 
also of the forged cancels.

I think these people need to be taken off the air NOW.

(email address at uunet XXXed out at senders request)

Forwarded message:
> From XXXXXXX@uunet.uu.net Mon Oct  2 14:42:28 1995
> Resent-Date: Mon, 2 Oct 1995 14:43:32 -0400
> Resent-From: XXXXX@uunet.uu.net (Danhiel Baker)
> Resent-Message-Id: <QQzjte20983.199510021938@odin.UU.NET>
> From: XXXXX@uunet.uu.net (Danhiel Baker)
> Date: Mon, 2 Oct 1995 14:43:31 -0400
> Message-Id: <OAA27395.199510021843@news-in2.UU.NET>
> To: XXXXXX@uunet.uu.net
> Subject: It. Forgeries
> Sender: XXXXX@uunet.uu.net
> Resent-To: scheidell@fdma.com
> 
> Sep 29 18:18:54.073 - 192.12.192.10 <cancel.44gtlu$pn0@fdma.fdma.com> 437 Whitespace in "Newsgroups" header -- "news.admin.net-abuse.misc "
> Sep 29 18:20:26.264 + 192.12.192.10 <cancel.44gtlu$pn0@fdma.fdma.com> (control/cancel/240080) uu!net
> Sep 29 18:23:06.848 - 192.12.192.10 <cancel.44h7fg$blf@agate.berkeley.edu> 437 Whitespace in "Newsgroups" header -- "news.admin.net-abuse.misc "
> Sep 29 18:23:58.242 + 192.12.192.10 <cancel.44h7fg$blf@agate.berkeley.edu> (control/cancel/240084) uu!net pipex
> Sep 29 18:25:18.090 + 192.12.192.10 <cancel.44hi7v$c1@bcarh8ab.bnr.ca> (control/cancel/240089) uu!net pipex
> Sep 29 18:28:07.075 + 192.12.192.10 <cancel.44hhgp$6sb@nimitz.fibr.net> (control/cancel/240097) uu!net pipex
> Sep 29 18:28:51.274 + 192.12.192.10 <cancel.DFoGKp.Hr6@midway.uchicago.edu> (control/cancel/240098) uu!net pipex
> Sep 29 18:29:52.028 + 192.12.192.10 <cancel.44g6pr$53d@mark.ucdavis.edu> (control/cancel/240099) uu!net pipex
> Sep 29 18:31:09.710 + 192.12.192.10 <cancel.44gl4f$b0h@clarknet.clark.net> (control/cancel/240103) uu!net pipex
> Sep 29 18:33:14.367 + 192.12.192.10 <cancel.44go5u$ida@sundog.tiac.net> (control/cancel/240105) uu!net pipex news.sprintlink.net
> Sep 29 18:35:34.964 + 192.12.192.10 <cancel.44gqui$p59@clarknet.clark.net> (control/cancel/240112) uu!net pipex
> Sep 29 18:38:59.511 + 192.12.192.10 <cancel.jas-2909951043370001@async4.groupz.net> (control/cancel/240116) uu!net pipex
> Sep 29 18:39:33.814 + 192.12.192.10 <cancel.44h7pa$n40@universe.digex.net> (control/cancel/240117) uu!net pipex
> Sep 29 18:40:16.478 + 192.12.192.10 <cancel.44h94f$860_003@slc39.xmission.com> (control/cancel/240119) uu!net news.sprintlink.net
> Sep 29 18:41:19.889 + 192.12.192.10 <cancel.44he1m$9pl@geraldo.cc.utexas.edu> (control/cancel/240127) uu!net pipex
> Sep 29 18:41:55.407 + 192.12.192.10 <cancel.44grl3$g5o@vixen.cso.uiuc.edu> (control/cancel/240129) uu!net pipex
> Sep 29 21:15:15.000 + 192.12.192.10 <cancel.Pine.SOL.3.91.950930080955.29926A-100000@lawson.its.utas.edu.au> (control/cancel/240519) uu!net pipex news.sprintlink.net
> Sep 29 21:17:41.438 + 192.12.192.10 <cancel.44httc$me7@shellx.best.com> (control/cancel/240526) uu!net
> Sep 29 23:04:23.080 + 192.12.192.10 <cancel.44ib0s$p7e@sadie.digex.net> (control/cancel/240736) uu!net pipex
> Sep 29 23:05:55.217 + 192.12.192.10 <cancel.44i92p$3qp@segfault.monkeys.com> (control/cancel/240740) uu!net pipex
> Sep 29 23:09:17.792 + 192.12.192.10 <cancel.irons-2909952014560001@dak176-85.hampshire.edu> (control/cancel/240746) uu!net pipex
> Sep 29 23:10:37.425 + 192.12.192.10 <cancel.44hqkq$suo@falcon.ccs.uwo.ca> (control/cancel/240747) uu!net pipex
> Sep 29 23:11:20.255 + 192.12.192.10 <cancel.44i78a$3fn@segfault.monkeys.com> (control/cancel/240748) uu!net pipex
> Sep 30 04:39:41.501 + 192.12.192.10 <cancel.44if6c$t7t@panix.com> (control/cancel/241299) uu!net pipex news.sprintlink.net
> Sep 30 04:43:16.218 + 192.12.192.10 <cancel.rnewman-2909952206130001@dial1-30.cybercom.net> (control/cancel/241302) uu!net pipex
> Sep 30 04:50:04.973 + 192.12.192.10 <cancel.44if8j$80k@wilma.widomaker.com> (control/cancel/241325) uu!net pipex
> 
> 




-- 
Michael S. Scheidell                    Florida Datamation, Inc. 
<mailto:scheidell@fdma.com>             <http://www.fdma.com/>
Distributors of QNX Real Time OS        (407) 241-2966
Definition of an Upgrade: Take old bugs out, put new ones in.


By: lan@panix.com
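
Added example, not part of the original post: a Python tally over log lines in the layout quoted above, counting cancels per feeding address and flagging an address whose cancels target articles from many different hosts. The sample lines, the addresses and the min_hosts threshold are constructed; it assumes "+" marks an accepted article, "-" a rejected one, and that a cancel's Message-ID is the target's Message-ID prefixed with "cancel.".

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted log; addresses and IDs are made up.
SAMPLE_LOG = """\
> Sep 29 18:18:54.073 - 192.0.2.10 <cancel.a1$x@news.alpha.example> 437 Whitespace in "Newsgroups" header -- "misc.test "
> Sep 29 18:20:26.264 + 192.0.2.10 <cancel.a1$x@news.alpha.example> (control/cancel/1001) peer1
> Sep 29 18:23:58.242 + 192.0.2.10 <cancel.b2$y@host.beta.example> (control/cancel/1002) peer1 peer2
> Sep 29 18:25:18.090 + 192.0.2.10 <cancel.c3$z@gamma.example> (control/cancel/1003) peer1 peer2
> Sep 29 18:26:40.500 + 198.51.100.7 <cancel.d4$q@delta.example> (control/cancel/1004) peer1
> Sep 29 18:27:02.111 + 198.51.100.7 <e5$r@delta.example> (misc/test/77) peer1
"""

# Optional "> " quote prefix, timestamp, status flag, feeding peer, <message-id>, rest.
LINE_RE = re.compile(
    r"^(?:>\s*)?(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+(?P<status>[+-])\s+"
    r"(?P<peer>\S+)\s+<(?P<msgid>[^>]+)>\s*(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Per feeding peer: accepted/rejected cancel counts and hosts of the target IDs."""
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Assumption: a cancel's Message-ID is "cancel." + the target's Message-ID.
        if rec is None or not rec["msgid"].startswith("cancel."):
            continue
        entry = stats[rec["peer"]]
        # Assumption: '+' is an accepted article, '-' a rejected one (the 437 lines).
        entry["accepted" if rec["status"] == "+" else "rejected"] += 1
        entry["hosts"].add(rec["msgid"].rpartition("@")[2].lower())
    return dict(stats)

def suspicious_peers(stats, min_hosts=3):
    """Peers whose cancels target articles from at least min_hosts different hosts."""
    return sorted(p for p, s in stats.items() if len(s["hosts"]) >= min_hosts)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for peer in suspicious_peers(summary):
        s = summary[peer]
        print(peer, s["accepted"], s["rejected"], sorted(s["hosts"]))
```

A flagged address says which peer handed the cancels to the logging server; whether that peer wrote them or only relayed them has to come from other evidence, such as the tcp_wrapper log the post mentions.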