Tracing scammers’ private mail servers

One particularly odious breed of internet scammer plays on the desires of lonely single men for female companionship (and the targets of this scam are always men — I seldom see similar mail from nice young men reaching out to random women). Like other “one-on-one” scams (and unlike most conventional “selling-stuff” spam), these frauds require close and continued contact via e-mail. And so, one way of fighting back is to attempt to have the scammer’s incoming e-mail blocked. Some of these scammers don’t make it easy for us; this page describes how to locate their mail hosts and file appropriate abuse reports on them.

Occasionally, I get waves of messages purporting to be from young foreign women seeking simple friendship or romance. Here’s a typical example:

Hello I am a single 26 girl. I recently moved and I saw your post looking for new friends. Lets Chat and I will send a Picture right away. Write me at Francis446@SuperGolovaWorld.com

Such messages are come-ons for a form of advance-fee fraud; the party at the other end of this address is likely to be a hard-boiled con artist who will attempt to string the victim along with false promises and high-powered emotional manipulation, and then at the right moment put the bite on for money (to buy plane tickets for a promised rendezvous, fix medical or personal problems, etc.). Sadly, these scams do work; I’ve received appeals for help from sad and humiliated victims who’ve been stung in this way.

While most spammers have absolutely no interest in hearing back from you (except to place orders at their websites), many e-mail fraudsters do depend upon getting replies via e-mail in order to identify suckers who can be fleeced. That’s why we can dispense in such cases with the standard advice to ignore e-mail addresses in spam; in fact, it is quite appropriate to report abuse of e-mail addresses that the fraudster uses to collect replies from recipients. This isn’t always easy to do, however.

Quite often, e-mail fraudsters will use freemail services (e.g., from Yahoo, Hotmail, or less-well-known providers) to collect their replies, and such addresses are not difficult to report. In some cases, however, the scammers set up their own “private” mail services that are used exclusively for their fraud (so that they can control their own incoming mail, largely unmolested by providers). For example, the case above used such a “jackleg” mail service to the SuperGolovaWorld.com domain (since expired).

In order to report such abuse, we must (1) find out where (i.e., to which mail host) messages to the reply address will be sent, and (2) unearth the contacts to which abuse reports regarding this host can be sent.

Step 1: Identify the domain-part of the reply e-mail address. This is pretty easy; all you have to do is hack off the “@” sign and everything to the left of it; what you are left with is the domain part of the address. For example, for the (fictitious) address candi@crookmail.foo, the domain part is simply crookmail.foo.

Step 2: Find the mail exchanger(s) for this domain. You next need to know which specific hosts have been “blessed” as the collection point for mail entering the crookmail.foo domain; these are known as mail exchangers or MXs. Since all mail heading for crookmail.foo passes through one of these hosts, the “intake” of fresh victims can be halted if these MX hosts can be removed from the picture.

In order to find the MX hosts, you use a DNS lookup of type “MX” (e.g., nslookup -type=MX crookmail.foo from a command window on Windows systems). I myself prefer to use the dig command (e.g., dig mx crookmail.foo) because dig tells me a bit more about the domain, and dig is available from my Mac OS X Terminal app (not usually the case with Windows systems). You may also be able to use web-based tools to run this query. See the links at the end of this post for more information.

A couple of notes here:

  • Usually, a particular domain will be served by more than one MX (most providers of any size deploy multiple MX hosts for load-sharing and improved availability). More than likely, however, scammers of this sort will only have a single MX.
  • Also, it is not necessary for the MX host to be in the same domain as the one it serves; that is, you might find something like mx.icheatu.foo as the MX for crookmail.foo.

If you can’t find an MX host at all, this means that it would be impossible for you to deliver any messages to this domain right now. This could mean that the scammer has already been dealt with, or it might just mean that the scammer’s DNS service is not working reliably. If you get no MX hosts in your query, you can retry the query some time later to see whether the situation changes; otherwise, you may be content simply to conclude that the operation is offline (and that you can stop work).

Step 3A: Get contact info for the IP addresses of the MX host. Now that you have one or more MX hosts for the scam operation, you need to find out where these MX hosts are on the public network, and to whom we can report abuse. For this step, we once again turn to DNS to get the IP addresses used by the MX hosts. For example, if the MX host is mx.icheatu.foo, then we can use a simple lookup (using, say, nslookup, host, or dig) to get its IP address.

If you can’t get an IP address for any of the MX hosts you’ve found (e.g., perhaps the domain doesn’t exist), then you can probably stop work and declare the scam mail system dead (unless you want to try again later).

If you do get an address, then your next step is to find out who controls this address, and where you can send abuse reports. You do this using an IP-WHOIS lookup (see the links at the bottom of this page). The WHOIS report should identify the netblock in which the address resides, the institution that controls the netblock, and various means of contacting this institution (including, usually, an e-mail contact for abuse reports).

Step 3B: Find the registrar who sold the domain for the MX hosts. You may not always want to send reports under your name to the kinds of small-potatoes providers who are usually associated with these scam operations. If you don’t, you can approach the problem from a different direction by reporting abuse of the domain in which the MX host resides. In our ongoing example, we would want to find the domain registrar that sold the icheatu.foo domain so that we could report criminal activity involving the MX host mx.icheatu.foo in this domain.

To find the registrar, simply identify the domain for the MX host (in this case, icheatu.foo) and do a domain-WHOIS lookup (again, see the links at bottom for help). The WHOIS report should identify the registrar who sold the domain, as well as contact information about the party who registered the domain. It is probably not worth your time to follow up on the latter information, since scammers generally do not supply correct contact information when they register their domains. The domain-registrar information, however, should be authentic.

Technically, domain registrars’ responsibilities are rather limited when it comes to mail abuse; however, both registrars and their customers are bound by their ICANN agreements to abide by local laws, and frauds of this sort are very much against the law everywhere. So, be sure to mention in your report that you suspect criminal fraud.

Step 4: Report the abuse. Send an e-mail to the contact addresses you have obtained in steps 3A and/or 3B. This e-mail should contain (1) the full raw text of the e-mail you received, including the headers, and (2) a statement indicating that the MX hosts you’ve identified are serving the reply address, and that they reside at the IP you found for them. You should request that the MX hosts be dealt with (by having their network services suspended, or by having their domains null-routed) so that they can no longer be used to perpetrate the scam.
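To show steps 1 through 3 end to end, here is an added Python example (not part of the original post) that takes a reply address and the text of a dig mx answer, and works out which hosts to resolve and which domain to run a domain-WHOIS on. The dig output below is constructed from the page’s fictitious crookmail.foo / icheatu.foo names; the preferences and TTLs are made up.

```python
import re

# Constructed sample of `dig mx crookmail.foo` output (fictitious domains
# from the post; preferences and TTLs invented for the example).
SAMPLE_DIG_MX = """\
; <<>> DiG 9.10.6 <<>> mx crookmail.foo
;; ANSWER SECTION:
crookmail.foo.\t3600\tIN\tMX\t20 backup.icheatu.foo.
crookmail.foo.\t3600\tIN\tMX\t10 mx.icheatu.foo.

;; Query time: 31 msec
"""

# Step 1: everything to the right of the last "@" is the domain part.
def domain_part(address):
    _local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    return domain.rstrip(".").lower()

# Step 2: pull MX records out of dig's answer section, lowest preference
# first (that is the host most incoming mail is handed to).
MX_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$", re.M)

def parse_mx(dig_output):
    records = []
    for _owner, pref, host in MX_LINE.findall(dig_output):
        host = host.rstrip(".").lower()
        if host:  # a bare "." is a null MX: the domain refuses all mail
            records.append((int(pref), host))
    return sorted(records)

# Step 3B: the domain the MX host lives in, which need not be the domain it
# serves. Taking the last two labels is a simplification; real code should
# consult the Public Suffix List (think of co.uk-style suffixes).
def mx_domain(host):
    return ".".join(host.split(".")[-2:])

# Ties the steps together: hosts still to resolve and IP-WHOIS (step 3A)
# and domains to domain-WHOIS (step 3B), or the "no MX" verdict from step 2.
def lookup_plan(reply_address, dig_output):
    domain = domain_part(reply_address)
    mxs = parse_mx(dig_output)
    if not mxs:
        return {"domain": domain, "mx_hosts": [], "whois_domains": [],
                "status": "no MX: operation offline or DNS flaky; retry later"}
    return {"domain": domain,
            "mx_hosts": [host for _pref, host in mxs],
            "whois_domains": sorted({mx_domain(h) for _p, h in mxs}),
            "status": "resolve each MX host, then IP-WHOIS its address"}
```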

What happens next? Once you have filed your report, the recipients may take action. Or, they may not. Or, you may have nailed the wrong parties with a misdirected report. You might get a personal response, but more than likely you will not.

Whatever the case, you have more than discharged your duty by reporting this particular problem, and you can then wash your hands of it and move on to the next one. Many novice spam-fighters feel the need to follow up every incident to the bitter end, but this can very quickly lead to burnout. It’s better to keep plugging away for a long time at what you can easily do, rather than give up and stop reporting altogether after a couple of weeks of frustration. There will be plenty more spams and scams in the years to come, and we’ll need your help on those.

Some helpful links:
