how much anonymity an internet cafe provides

Eugen Leitl eugen at leitl.org
Mon Apr 5 09:36:51 PDT 2004


http://www.linux.ie/pipermail/ilug/2004-April/013049.html

[ILUG] [Fwd: I fought the scammer... and I won.]
John Allman allmanj at houseofireland.com
Mon Apr 5 09:33:39 IST 2004


Some of you who were on #linux on Friday will know part or most of this
story already, as I witnessed some of it (while drinking a truly
delicious hot chocolate). For those of you who don't, the following is a
report written up by a friend of mine on his successful (or at least,
it's looking good) attempt to stop and catch a 419 scammer. I feel it's
worth the read.

John

-------- Original Message --------
Subject: 	I fought the scammer... and I won.
Date: 	Fri, 02 Apr 2004 21:54:30 +0100
From: 	Steffen Higel <Steffen.Higel at cs.tcd.ie>
To: 	John Allman <allmanj at houseofireland.com>,
paulinemccaffrey at eircom.net, stevecash at ireland.com,
tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie,
edwin.higel at brookside.ie, marynstanley at eircom.net,
richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at
mail.dcu.ie



[This is long, and is quite heavy on the technical discussion. Skip the
bits you don't understand. It gets interesting.]

I work for a busy Dublin Internet cafe, doing some sysadmining and
general computer maintenance. On Sunday the 28th of March, I got a
rather distressing email from a sysadmin in a large U.S. University.
Spamcop had blacklisted our server's external IP address. Abuse mail for
the server in question gets sent to my college account (bad practice, I
know, but it's a part time job). My college uses Spamcop as a blacklist
source. You can probably tell what happened...

Anyway, said email included the full headers of an email which was
NATted by our server, pretending to be from the widow of Mr. Jonas
Savimbi, offering the recipient a share of an unspecified large sum of
money. The usual panicked thoughts kick in... "Have I fiddled with
something which has left us as an open relay?", "Has our server been
cracked?", "Have I been sleep-spamming again?". A more reasoned
examination of the headers showed that the mail had originated from one
of the IP addresses that we assign dynamically to people who bring
laptops into the cafe. This is something of a nightmare for cafe
operators: we can hardly block outbound SMTP, but then again it isn't
possible for us to manually check every single mail either. Maybe rate
limiting is a valid technical solution. Or a contraption which hits the
user on the head for every mail they send. So if they send 1 an hour,
it's a mild nuisance. But if they send 100 a minute, it'll probably kill
them.

A peek through the logs revealed:

Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1

Bingo. I had something to work with. The network card is one based on a
Cameo 32bit chipset. Matches up quite nicely with these:



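The log-correlation step Steffen describes above (abuse report gives a NATted internal IP and a timestamp; the dhcpd log says which MAC held that IP then) as an added example, not code from the original message. It assumes the year 2004 (syslog timestamps carry none) and that the mail header and the log are in the same timezone; the second client in the sample log is constructed to show the address being reissued.

```python
import re
from datetime import datetime

# Constructed sample in the dhcpd syslog format quoted in the message.
# The 18:12 line is invented: a second laptop later gets the same address.
SAMPLE_LOG = """\
Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 18:12:03 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:0d:93:11:22:33 via eth1
"""

# Only DHCPACK proves the server actually handed the address to that client;
# DISCOVER/OFFER/REQUEST can come from clients that never got the lease.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\S*: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def parse_acks(log_text, year):
    """Return a time-sorted list of (timestamp, ip, mac) for every DHCPACK line."""
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            acks.append((ts, m["ip"], m["mac"].lower()))
    return sorted(acks)

def mac_holding(acks, ip, when):
    """MAC that held `ip` at `when`: the most recent ACK for that IP at or before
    `when`. None means no lease was on record yet (mail predates the first ACK)."""
    holder = None
    for ts, lease_ip, mac in acks:
        if ts > when:
            break
        if lease_ip == ip:
            holder = mac
    return holder

def trace_sender(log_text, ip, when_str, year):
    """Convenience wrapper taking the mail's Received timestamp in syslog style,
    e.g. 'Mar 26 15:30:00' (hypothetical helper name)."""
    when = datetime.strptime(f"{year} {when_str}", "%Y %b %d %H:%M:%S")
    return mac_holding(parse_acks(log_text, year), ip, when)
```
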