File Archive Haven

How To Find A Spammer (GMI-Solutions.com as an example)

Edit:  Good news, it looks like whoever is running this particular ‘company’ finally heard some of you!  Maybe the real solution is to post articles about it 🙂

“This is so wrong.  We are not a scam company.  You even link us to GMI Enterprises, which we are not related to at all.  I have had several people point this blog post out to me and the only person here doing an injustice is you by slandering us this way.  I wouldn’t leave my domain registration public if I was looking to scam someone, especially with my own phone number.  I’m sorry if you received an email from Alex in error.  The (working) unsubscribe link or a friendly DNC note would have made much more sense.

[email protected] Jeff Brown (IP: 50.173.84.238 , c-50-173-84-238.hsd1.ca.comcast.net)”

Ironically, the email received contained no unsubscribe links and DNC requests sent out were ignored by both “Jeff” and “Alex”.  If proper practices were followed, this article would never have existed.

What about people who have read the article?  How have you gotten these people to stop spamming you?  Hit up the comments if you have any tips!

Do you ever get too much spam from someone and wish you could take a deeper look?  And have you ever wondered how long it takes to get to the bottom of a spam email?  On average it takes about 30 minutes – but you can find the people responsible quite easily.

cryingchildren

Why would you want to dig deeper at an email? 

Sometimes you may just want to find out where they got your contact details.  Sometimes you could be just preventing spam.  And at the same time it is sometimes fun just having the challenge if identifying the parties responsible!  So, today, I wanted to put up a small blog post for people newer to IT, to help them understand basic tracking techniques for finding a spammer..

Today, I happened to receive an email from [email protected] – this is one of about 10 emails they have sent so far, and they have ignored all removal requests and replies.

So, lets use this as an example and see what we can find!  Googling around, this is a ‘company’ that makes it money several ways.  Typically their goal is to scam people from money by taking cash for products that don’t exist – gathering contact information, or finding other ways to part you from your money with the least amount of effort.  Like many money making schemes, these guys are completely based around scamming people.  After all, if they were legitimate – would they really need to resort to spam?

For the purpose of this post I will show you how to dig a little bit deeper.  If you are ready for more information beyond this article:

How do they get your email address or phone number?

Avoiding & Tracking Data Theft

tracking

There are a lot of ways.  One way to avoid these things is to give your information out very carefully.  Anytime I enter my name & address for a contest, prize, or draw for example.  I always use my secondary address field or last name entry field to include the company.  So if I used First Name: Joe, Last Name: Smith [Provided to Telus], I can use this to hunt down the leak later on in life.

As an example I worked at an unmentioned phone company for a while.  This phone company lost a laptop containing all their client data including credit card numbers.  They also happened to have a privacy clause that did not force them to disclose lost data.  So the only way you could ever know that a company like this lost your data is to buffer your information with tell tale signs.

Your information can be stolen directly from a computer such as a laptop.  It can be pruned from systems using viruses and malware at corporate locations.  It can be pulled from systems using SQL injections.  It can be grabbed a thousand different ways.  And once stolen – it is typically purchased off of unmonitored auction websites for 10+ years.

This data is almost never cleaned.  So if you ‘pad’ your information for tracking, you will eventually receive an email that says “Dear Joe Smith [Provided to Telus].  Did you know…”.

Another good system is to simply “Google” your contact details.  This may help you see where your information is posted, and leaves you with the option to follow up.

How they Operate

gears_and_people_(Medium)

Once you are ready to start looking up a spammer, it can be critical to understand how they operate and how they plan to make money.  Sometimes spam is sent to collect information back.  Sometimes it is sent to wait for a response simply to see if you are an active account.  And sometimes they are clearly sending it to you to get you to click on a link.  And sometimes they are trying to get you to click on a link with the intent of having you report the website.  This can be done to shut down competition or to retaliate against companies they dislike.

In this particular case they want to see if you are active, they will send you a fake brochure.  And obtain money for you in the hopes of taking classes that don’t exist.  Typically the email comes from an email address such as [email protected].  (In this case, this particular company is also known to call users and try to convince them to pay for services they don’t need such as discussed here),  To make it worse – this particular individual tries to imitate other companies named GMI Solutions in an attempt to either build up trust or discredit them. At any rate, we know this is a situation where they need your response for money.

What does this tell us?  The domain name must exist as well as the email address.

In the end the person running GMI-Solutions domain name takes money for a product that never exists and moves on to the next person in their list.

So, how do you find someone like this?

needle_in_the_haystack

I’m not going to go into great depth or provide information and techniques that can get you into trouble.  There are many ways to try and find the person responsible but the best case scenario is simply to follow the breadcrumbs.  The internet is full of information and we can often use just that to find the individual – and that is exactly what we will do in this case.

We know they need a response and that means there is a trace back to the requester.  We can also assume that Alex Smith does not exist.  This particular company is pretending to be in marketing and training.  And marketing teams just loves image and branding!  So, when you scan people in Linkedin named Alex Smith you will quickly realize none of them work at a company called GMI-Solutions.

Actually, no one does. Because GMI-Solutions is not a company, it is just one man or lady controlling a domain name.

Do They Exist?

Now, I don’t support hacking.  You will get yourself in trouble and it won’t do you any good to have that information.

I do support querying servers and systems for basic end user information.  Later in this article, we will check and see if social media sites treat users as “valid” – however doing so is a little bit debatable as a best practice.  We will not reset passwords, or try to access the accounts.  We are just testing to see if the accounts are “valid” and active and I will have more on this later.

Because before we start looking up accounts we need as many accounts as we can to look up.

Tracking the Email

Fake-mailer

It is important to understand that email addresses are often spoofed when spamming – meaning the originator never actually sent the email.  Sometimes they even send you the email from yourself!  This is because some email servers still use the same technology that the internet offered on day one and they offer very little protection for validating information.

Back in the day, to spoof an email, a person needed to log into an email server using any type of telnet client.  They were often in plain text and asked a series of questions that you could use to generate an email.  And one of the questions was always “what email address is sending this message?”.  This query has no validation and the spoofer could enter anything they wanted.

These days users tend to use prebuilt clients that simply log onto known mail servers that still have simplified access.  They tells the server “who it is” (regardless of it being valid or not), who it is reaching, and message details almost the exact same way we did back in the day.  This is also how you get fake emails from Microsoft.

In this particular case however the email spammer actually wants a response from you.  That means the email address needs to exist for them to collect money and the email address needs to be valid and accessible to them.

So how do we track this down better?

Email Headers

Email servers track a lot of detail for you.  It may not always let you hunt down the person responsible, but it will let you see how they reached you.  It also shows you common mail servers they use, and these mail servers have abuse email boxes you can reach out to.

First, you need to get a copy of the email being sent to you and find a way to view the raw header.

  • Tip: For Outlook 2010 and up, open the email.  And select File > Properties and view the Internet header. 

In here you will see a lot of gibberish, but some valuable data:

List-Unsubscribe: <mailto:[email protected]>
X-Report-Abuse-At: [email protected]
X-Originating-IP: [66.59.6.222] [email protected]

What you are looking for is IP Addresses, email addresses, and systems they used.  Sometimes the header may have unsubscribe details.  It may also have abuse emails to reach out to in order to file a complaint about the spam.

In this case, we can contact both of these email server administrators to mention about a large volume of unwanted spam.  On this note some administrators care about this (especially companies) because this can cause all email from them to be blocked on sites such as gmail.  Other mail servers (home made servers for example) could be run by the spammers themselves and they would have no interest in helping.

Unsubscribe Details

unsubscribe-button1

We are a little bit lucky here.  The actual unsubscribe link in the email (that does not appear to work) has very similar characteristics to the List-Unsubscribe.

  • Unsubscribe details in the Email header:
    • List-Unsubscribe: <mailto:unsubscribe+XqzO+20831581+iQj10GZ@me-ss2-cxlkwz.mailengine1.com>
  • Unsubscribe details in the email itself:
    • http://app.streamsend.com/private/XqzO/WDD/iQj10GZ/unsubscribe/20831581>

Notice some similarities?  This means the email server annoying you, and the unsubscribe link on the www.streamsend.com website, are one and the same.  This means we have another company we can contact (streamsend.com).

  • Tip:  Once in a blue moon, you have a company that uses sequential unsubscribe threads.  This means it ends in /1, /2, /3 etc for each user.
    • How does this benefit us?  If you are a developer type – it is very easy to run a URL query to unsubscribe every single user in the spammers email list.  It isn’t exactly polite, as they may have legitimate users who want information.  But when dealing with someone known to run scams, it makes you feel a little bit good to remove all users in their spam list to everyone’s benefit.

Caution Around Phone Numbers & Addresses

What about the phone number in the email?  Thanks to Google Voice, and other IP solutions, do not trust these phone numbers.  The Area Code may say the US, but the person answering could live in Jordan for all we know.  Additionally, caller ID can also be spoofed, making it even less reliable.

If you get right down to true telephony hackers, they can even temporarily “take over” phone numbers, so the number itself can never be trusted.

Finding the Person

people-search-pic

Now, one fact is that domain names have to have certain registration information to be compliant.  This includes an abuse contact, and ownership details.  Sometimes this is run through an anonymous entity – but they also have to handle information with care.

If you do not receive the level of attention needed from the administrative contacts, you can escalate this.

In this case, we are lucky.  The domain administrator for GMI-Solutions.com appears to have posted his personal information.  This is cheaper, and he doesn’t have to be at risk from a domain registrar from following up on abuse requests.  And our advantage, is we can escalate it through the link above.

So, lets lookup GMI-Solutions.com on any old domain name registration lookup service.

Domain Lookup:  http://www.networksolutions.com/whois/index.jsp

Admin Name: Jeffrey Brown
Admin Street: 440 Alcatraz Avenue
Admin City: Oakland
Admin State/Province: CA
Admin Postal Code: 94609
Admin Country: US
Admin Phone: +1.4154305405
Admin Email: [email protected]

Remember we can’t trust addresses or phone numbers very well.  And this may be a legitimate website domain admin who does not know about the spam.  Always give them the benefit of the doubt and logs that prove there is an issue.

Checking If These People Exist

So, what are some less “nice” ways to check if a user exists?  Well, we have email address.  You could see if the website recognizes their logon.  You could try and add them to see if it populates.  You can even try searchign using their details.

[email protected] / Jeffrey Brown – Owner of the domain.  What do we find?

Results:  He seems to exist.  He is in Linked-In, Facebook and other social media websites.  He appears to actually be living in the city above, which means we likely have the correct information.  We know he is likely a valid individual in social media, and more likely to respond and help.  Keep in mind though, his social media accounts may be falsified.  And he may truly be a domain admin unaware of what is going on (although that is doubtful).

Taking this a step further, we can also search and see that Jeffrey has a whole bunch of websites with similar activities.  Meaning this may not be his only source of income.  It also suggests he may have a larger footprint for scamming users.

[email protected] / Alex Smith – Fake person emailing us.  What do we find?

Results:  This definitely looks more and more like a fake account.  It has no existence on Facebook, Linked-in or any other popular social media website.  It has no real entries into any system I can find (even Googling the address only takes you sites reporting spam).

Conclusion

conclusion-introduction-starter-plenary5

So, now we have a good idea of who is spamming us.  We understand why.  We have some details that may help us understand the depth of impact.  And we have found a whole bunch of ways to report the abuse.  And we even believe we have found the person responsible.  We looked at ways to see if your information was leaked, and we even found ways to help track companies that “lose” our data in the future.

The last thing we can do?  Put up a blog post to share what we found!  The idea is to get the information out there and visible, so people can work together to discover who these people are.  This way if a thousand more users get spammed, some of them may Google.  Find your website.  And see where to report the abuse and provide additional details.

We invested 30 minutes to find this information.  On the one hand this can be quite useful.  On the other hand this is a lot of time to invest to research spam on the internet.  You probably do not want to spend this much time researching spam – but for those rare moments when you do… you now have the basic founding principles for getting started.

~ed.

(21866)

One thought on “How To Find A Spammer (GMI-Solutions.com as an example)

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.