how much anonymity an internet cafe provides
http://www.linux.ie/pipermail/ilug/2004-April/013049.html

[ILUG] [Fwd: I fought the scammer... and I won.]
John Allman allmanj at houseofireland.com
Mon Apr 5 09:33:39 IST 2004

Some of you who were on #linux on Friday will know part or most of this story already, as I witnessed some of it (while drinking a truly delicious hot chocolate). For those of you who don't, the following is a report written up by a friend of mine on his successful (or at least, it's looking good) attempt to stop and catch a 419 scammer. I feel it's worth the read.

John

-------- Original Message --------
Subject: I fought the scammer... and I won.
Date: Fri, 02 Apr 2004 21:54:30 +0100
From: Steffen Higel <Steffen.Higel at cs.tcd.ie>
To: John Allman <allmanj at houseofireland.com>, paulinemccaffrey at eircom.net, stevecash at ireland.com, tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie, edwin.higel at brookside.ie, marynstanley at eircom.net, richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at mail.dcu.ie

[This is long, and is quite heavy on the technical discussion. Skip the bits you don't understand. It gets interesting.]

I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email from a sysadmin in a large U.S. university. Spamcop had blacklisted our server's external IP address. Abuse mail for the server in question gets sent to my college account (bad practice, I know, but it's a part-time job). My college uses Spamcop as a blacklist source. You can probably tell what happened...

Anyway, said email included the full headers of an email which was NATted by our server, pretending to be from the widow of Mr. Jonas Savimbi and offering the recipient a share of an unspecified large sum of money.
The usual panicked thoughts kick in... "Have I fiddled with something which has left us as an open relay?", "Has our server been cracked?", "Have I been sleep-spamming again?". A more reasoned examination of the headers showed that the mail had originated from one of the IP addresses that we assign dynamically to people who bring laptops into the cafe. This is something of a nightmare for cafe operators: we can hardly block outbound SMTP, but then again it isn't possible for us to manually check every single mail either. Maybe rate limiting is a valid technical solution. Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.

A peek through the logs revealed:

Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1

Bingo. I had something to work with. The network card is one based on a Cameo 32bit chipset. Matches up quite nicely with these:
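The correlation step the message describes, written out as an added example (not the author's script): given the internal IP named in the mail's Received: header and the time it crossed the NAT, pick the DHCPACK that held that address at that moment, since a dynamic address is handed to other laptops later and the last lease in the log is not necessarily the right one. The log lines are the ones quoted above plus two constructed decoy leases; the OUI table contains only the prefix from the message, attributed to Cameo as the author states.

```python
import re
from datetime import datetime

# Constructed sample: the dhcpd lines from the message, plus two made-up leases
# showing 192.168.1.70 being reused by a different card the next day.
DHCPD_LOG = """\
Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 16:30:02 server dhcpd-2.2.x: DHCPACK on 192.168.1.71 to 00:11:22:33:44:55 via eth1
Mar 27 09:12:44 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:aa:bb:cc:dd:ee via eth1
"""

# Minimal OUI table (assumption: only the prefix quoted in the message, vendor as
# the author identified it). Use the IEEE registry for anything beyond this.
OUI_VENDORS = {"00:40:f4": "Cameo Communications"}

ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\S*: DHCPACK on "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) via \S+$"
)

def syslog_time(ts, year):
    """Syslog timestamps carry no year; take it from the mail's Date: header."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def mac_for(log, ip, sent_at, year):
    """Return the MAC holding `ip` when the mail was sent (`sent_at` in syslog
    form, e.g. 'Mar 26 15:20:00'): the newest DHCPACK for that address at or
    before that time. A later ACK belongs to whoever got the address next."""
    cutoff = syslog_time(sent_at, year)
    leases = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if m and m["ip"] == ip:
            when = syslog_time(m["ts"], year)
            if when <= cutoff:
                leases.append((when, m["mac"].lower()))
    return max(leases)[1] if leases else None

def vendor(mac):
    """Map the first three octets (the OUI) to the card vendor."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown OUI")

if __name__ == "__main__":
    # Constructed: the time the offending mail passed through the cafe NAT.
    mac = mac_for(DHCPD_LOG, "192.168.1.70", "Mar 26 15:20:00", 2004)
    print(mac, vendor(mac))
```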
Participants (1): Eugen Leitl