How to use WHOIS effectively to track spammers.
By Matt Schneider

----------------------------------------------------------------------

1. net.demon specific stuff

This article was written in the context of using the Whois tool in
net.demon. The commands shown here prefixed by the '>' character
represent data entered into the Whois tool's query field. Similar
commands may be available in other Whois implementations; they may
require you to specify additional information such as which Whois
server to use (net.demon handles this automatically). Read the
friendly manual for details.

1a. Smart Whois

net.demon will automatically try to fix your input to the Whois tool.
This means you can paste an entire URL into the box and it will only
perform the lookup on the relevant parts. It will also automatically
detect certain lookups, such as Handles, and perform the correct
action. If your input is changed to perform the actual query, the
change is output along with the data, listed as "Smart Whois on ..."
so you can see what changes were made. Smart Whois can be disabled by
unchecking the box, in case you want the lookup performed on exactly
the data you give it.

net.demon for Win9x is available at: http://www.netdemon.net/

----------------------------------------------------------------------

2. Introduction

The single most important tool in tracking down a spammer's location
is Whois.

----------------------------------------------------------------------

3. Whois Servers

net.demon will automatically select the correct server for your lookup
when the server setting is left at the default "(automatic)". This can
be changed to one of the combo box choices, or by typing in your own
server.

whois.networksolutions.com is the server you will use most often; it
lists all the .com, .net, and .org domains. Even if the domain was
registered somewhere other than Network Solutions, it will be listed
here.
This is also the server used to do special lookups such as Name or
Mailbox.

whois.arin.net is the server that contains all the netblock listings.
If you give it a numeric IP address to look up, net.demon will find the
netblock using this server.

----------------------------------------------------------------------

4. Domain names

A domain name is what you normally see as part of a URL or web page
address. Examples of domains are EXODUS.NET or YAHOO.COM.

Let's look up a domain using Whois:

>ACCESSCOM.NET

   Wongs Advance Technology (ACCESSCOM-DOM)
   3221 Danny Pk.
   Metairie, LA 70002
   US

   Domain Name: ACCESSCOM.NET

So you find out the address and phone number of the company that owns
this domain name.

   Administrative Contact:
      Org-Account (OR58-ORG)  org-hostmaster@ACCESSCOM.NET
      AccessCom Internet Services
      3221 Danny Pk.
      Metairie, Louisiana 70002
      US
      (504) 887-0022  Fax- (504) 887-0022

This part tells you when the information in this Whois listing was
last changed, for example if the company moved to a new host:

   Record last updated on 02-Oct-1998.
   Record created on 20-Jan-1995.
   Database last updated on 4-Apr-2000 13:51:57 EDT.

This tells you the Nameservers that are being used by this domain:

   Domain servers in listed order:

   NS.ACCESSCOM.NET             204.181.176.2
   NS1-AUTH.SPRINTLINK.NET      206.228.179.10

A Nameserver is what the Internet uses to resolve an IP address into a
domain name and vice versa. Nameservers contain tables of domain names
and the IP addresses they belong to. For example:

   -> ACCESSCOM.NET
        internet address = 204.181.176.2
        ttl = 22559 (6 hours 15 mins 59 secs)

We will take a look at Nameservers later to see a list of ALL the
domains they have information about.

----------------------------------------------------------------------

4a. Partials

It's possible to find many domain names that start with the same
letters. Let's say you're getting a bunch of spam for something called
"Cyber Spy Software" and want to track down the people who are
potentially responsible for spamming it.
Just do a partial match like this:

>CYBERSPY*

   CYBERSPYDETECTIVE.COM
   CYBERSPY007.COM
   CYBERSPY.COM

Hmm, let's try this one:

>CYBERSPYDETECTIVE.COM

   Zephyr Systems Software (CYBERSPYDETECTIVE-DOM)
   1717 S. Brentwood Blvd
   St. Louis, MO 63144
   US

   Domain Name: CYBERSPYDETECTIVE.COM

   Administrative Contact:
      Jackson, Dave (DJ7244)  cyberspy@CYBERSPYDETECTIVE.COM
      System Software
      1717 S Brentwood
      St Louis , MO 63144
      708 401-0369 (FAX) 708 401-0369

And the web page told you to send money to an address in St. Louis! It
looks like these could be the spammers.

----------------------------------------------------------------------

5. Netblocks

It's possible to find out who's in charge of a range of IP addresses.
The Whois database at whois.arin.net contains this information. If you
are using net.demon, it will automatically query this server when
performing a Whois on an IP address.

Let's say you get a spam advertising a web page at 208.3.115.250, but
there is no domain name. Just do a Whois on this address and you will
find out:

>208.3.115.250

   Sprint (NETBLK-SPRINTLINK-BLKS)
      SPRINTLINK-BLKS      208.0.0.0 - 208.35.255.255
   Accesscom, Inc (NETBLK-SPRINT-D00370-1)
      SPRINT-D00370-1      208.3.112.0 - 208.3.127.255

The owner is the smallest range that encompasses the address you are
looking at, in this case Accesscom. Now do a Whois on the handle to
get more information.

----------------------------------------------------------------------

6. Handles

A handle is a unique identifier given to each record in the Whois
database. These are all examples of handles:

   NETBLK-SPRINT-D00370-1   (netblock)
   ACCESSCOM-DOM            (domain)
   OR58-ORG                 (organization)
   SW112-ARIN               (person)

To look up a handle you need to use an exclamation point. This is done
automatically by net.demon. For example:

>NETBLK-SPRINT-D00370-1

   Accesscom, Inc (NETBLK-SPRINT-D00370-1)
   3221 Danny Park
   Metairie, LA 70002
   US

Also, different Whois servers use different types of handles. Again,
this is all taken care of automatically by net.demon.
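The rules in sections 1a, 3, 5 and 6 (fix up the pasted input, choose the server, send handles with a '!' prefix, then pick the smallest netblock that contains the address) are mechanical enough to write down as a small program. The Python below is an added example, not net.demon's code and not from this article's author: the classification order, the decision to route NETBLK- and -ARIN handles to whois.arin.net, and the two-line layout of the ARIN sample text are assumptions based on the listings above, and ARIN_SAMPLE is constructed from the section 5 output.

```python
"""Smart Whois style input fixing plus the section 5 netblock rule.

Added example: not net.demon's code. The rules below are assumptions
drawn from the article; ARIN_SAMPLE is constructed from section 5.
"""
import ipaddress
import re
from urllib.parse import urlparse

NSI = "whois.networksolutions.com"   # .com/.net/.org registry (section 3)
ARIN = "whois.arin.net"              # netblocks and ARIN handles (section 3)
COMMANDS = ("NAME", "MAIL", "HOST", "SERVER")   # keyword lookups on NSI
HANDLE_RE = re.compile(r"^[A-Z][A-Z0-9-]*$")    # ACCESSCOM-DOM, OR58-ORG, CR8631


def smart_whois(text):
    """Return (server, query) for raw user input, as 'Smart Whois on ...' would."""
    s = text.strip()
    if not s:
        raise ValueError("empty query")
    if s.split(maxsplit=1)[0].upper() in COMMANDS:
        return NSI, s                      # NAME/MAIL/HOST/SERVER pass through untouched
    if "://" in s:                         # a pasted URL: keep only the host part
        s = urlparse(s).hostname or ""
    if "@" in s:                           # an e-mail address: look up its domain (section 8 note)
        s = s.rsplit("@", 1)[1]
    try:
        ipaddress.ip_address(s)
        return ARIN, s                     # numeric address -> netblock lookup (section 5)
    except ValueError:
        pass
    if s.endswith("*"):
        return NSI, s.upper()              # partial match (section 4a)
    if "." in s:
        labels = s.lower().rstrip(".").split(".")
        if labels[-1] not in ("com", "net", "org"):
            raise ValueError(f"no automatic server for .{labels[-1]} (assumption)")
        return NSI, ".".join(labels[-2:]).upper()   # drop www. and deeper labels
    up = s.upper()
    if HANDLE_RE.match(up):                # a bare word is taken to be a handle (assumption)
        server = ARIN if up.startswith("NETBLK-") or up.endswith("-ARIN") else NSI
        return server, "!" + up            # handles need the '!' prefix (section 6)
    raise ValueError(f"cannot classify {text!r}")


# Constructed from the ARIN listing in section 5: org + handle on one line,
# block name + range on the next (layout assumed).
ARIN_SAMPLE = """\
Sprint (NETBLK-SPRINTLINK-BLKS)
   SPRINTLINK-BLKS      208.0.0.0 - 208.35.255.255
Accesscom, Inc (NETBLK-SPRINT-D00370-1)
   SPRINT-D00370-1      208.3.112.0 - 208.3.127.255
"""
NETBLK_RE = re.compile(r"^(?P<org>.+?)\s+\((?P<handle>NETBLK-[^)]+)\)")
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)")


def smallest_netblock(arin_output, ip):
    """Return (org, handle, size) of the smallest listed range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    org = handle = None
    best = None
    for line in arin_output.splitlines():
        m = NETBLK_RE.match(line)
        if m:
            org, handle = m["org"], m["handle"]
        r = RANGE_RE.search(line)          # range may sit on this line or the next
        if r and handle:
            lo, hi = (ipaddress.ip_address(x) for x in r.groups())
            if lo <= addr <= hi:
                size = int(hi) - int(lo) + 1
                if best is None or size < best[2]:
                    best = (org, handle, size)
    return best


def follow_owner(arin_output, ip):
    """Section 5's last step: the query that looks up the owning netblock's handle."""
    hit = smallest_netblock(arin_output, ip)
    return smart_whois(hit[1]) if hit else None


if __name__ == "__main__":
    print(smart_whois("http://www.accesscom.net/index.html"))
    print(smallest_netblock(ARIN_SAMPLE, "208.3.115.250"))
    print(follow_owner(ARIN_SAMPLE, "208.3.115.250"))
```

The "smallest range wins" rule matters because ARIN lists every enclosing allocation: Sprint's 208.0.0.0 block also contains 208.3.115.250, but the abuse complaint belongs to the more specific Accesscom assignment, which is what smallest_netblock returns.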
----------------------------------------------------------------------

7. NAME part 1 - a company name

You can use the NAME command to look up names in Whois. In net.demon,
you can highlight a name to look up, right-click, and use the "new Name
Whois" command.

Let's start out looking up a company name. Let's say you get a credit
repair spam that advertises a web page, but the web page doesn't have
an email address or any way to locate the spammer. It does however say
this at the bottom: "Copyright 2000 Rego Enterprises." So let's take a
look:

>name rego enterprises

   Rego Enterprises (REGO-WORLD-DOM)          REGO-WORLD.COM
   Rego Enterprises (REGO-ENTERPRISES-DOM)    REGO-ENTERPRISES.COM

Let's see here...

>REGO-ENTERPRISES-DOM

   Rego Enterprises (REGO-ENTERPRISES-DOM)
   P.O. Box 43
   Hanamaulu, HI 96715
   US

   Domain Name: REGO-ENTERPRISES.COM

   Administrative Contact:
      Rego, Adminstrator (AR5995)  admins@REGO-ENTERPRISES.COM
      Rego Enterprises
      P.O. Box 43
      Hanamaulu , HI 96715
      (808)245-5658

And the spam came from a dialup in Hawaii! We have a hit!

----------------------------------------------------------------------

7a. NAME part 2 - a person's name

You can also use the NAME command to look up a person's name. Usually
it's in the form "Last, First", so you could search for the whole
thing, or just leave the first initial, or even just the last name.
Let's try and find our Hawaiian spammer:

>NAME Rego, *

We get a bunch of results, including:

   Rego, Carlos (CR5844)      carlosr@ICI.NET            (508) 676-9638
   Rego, Chad (CR2494)        ezer@ASTRO-SPACE.COM       818-352-2372
   Rego, Chad (CR8631)        chadrego@ALOHA.COM         8082455658
   Rego, Chad (RC2998-ORG)    chadrego@HSA-KAUAI.NET     808 245-5658
   Rego, Charles (CR10928)    charles.w.rego@INTEL.COM

We're looking for someone in Hawaii so we concentrate on the 808 area
code:

>CR8631

   Rego, Chad (CR8631)  chadrego@ALOHA.COM
   P.O. Box 43
   Hanamaulu , HI 96715
   8082455658

Found our man! You can also try different variations just in case:

>NAME Chad Rego

   Chad Rego (WEBOFMONEY-DOM)
   P.O.
   Box 43
   Hanamaulu, HI 96715
   US

   Domain Name: WEBOFMONEY.COM

   Administrative Contact, Billing Contact:
      Rego, Chad (RC2998-ORG)  chadrego@HSA-KAUAI.NET
      Chad Rego

Now we've found another web page and email address for this person!
Not bad!

----------------------------------------------------------------------

8. MAILBOX - how to look up email addresses

The MAIL command can be used to find all the handles associated with a
single e-mail address. For example:

>MAIL wong@accesscom.net

   Duke, David (DD891)       wong@ACCESSCOM.NET   (504) 626-7714
   Perrodin, Chuck (CP1542)  wong@ACCESSCOM.NET   504-923-0020 (FAX) 504-923-0021
   Wong, Shing (SW112)       wong@ACCESSCOM.NET   (504) 887-0022

Or, if we want, we can even find all the addresses that are in the same
domain. The listing cuts off after the first 50, so this isn't useful
for AOL or the like, but for a small spammer domain it works well:

>MAIL @accesscom.net

Or let's say Sprint isn't doing anything about spam complaints; let's
find the addresses of a bunch of people who work there:

>MAIL @sprint.net

Using net.demon, you can highlight the e-mail address you want to look
up, right-click and choose "new Mailbox Whois" from the context menu.

Note: net.demon does not automatically do a MAIL command if you put an
e-mail address in the Whois query. The default behavior is to do a
Whois lookup on the e-mail's domain. If you want to do a Mailbox
lookup, you must use the MAIL command.

----------------------------------------------------------------------

9. How to find a domain name from a NETBLK handle (method 1)

Finding out who controls a netblock is great, but remember this is only
showing you the information in the ARIN database. It's also useful to
get the full information that's only shown in the domain listing.
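The domain listing carries fields the ARIN record does not (registrant, contact handles and e-mail, record dates, nameservers), and the layout shown in section 4 is regular enough to parse so those fields can be pulled out in one go and fed into the next lookup. The Python below is an added example, not code from this article or from net.demon: SAMPLE_RECORD is constructed from the ACCESSCOM.NET listing in section 4 with the indentation the Network Solutions server is assumed to have used, and the field patterns are assumptions about that layout.

```python
"""Parse a Network Solutions style domain record (layout from section 4).

Added example, not part of the article or net.demon. SAMPLE_RECORD is
constructed from the section 4 listing; the indentation is assumed.
"""
import re
from datetime import datetime

SAMPLE_RECORD = """\
Wongs Advance Technology (ACCESSCOM-DOM)
   3221 Danny Pk.
   Metairie, LA 70002
   US

   Domain Name: ACCESSCOM.NET

   Administrative Contact:
      Org-Account  (OR58-ORG)  org-hostmaster@ACCESSCOM.NET
      AccessCom Internet Services
      3221 Danny Pk.
      Metairie, Louisiana 70002
      US
      (504) 887-0022  Fax- (504) 887-0022

   Record last updated on 02-Oct-1998.
   Record created on 20-Jan-1995.
   Database last updated on 4-Apr-2000 13:51:57 EDT.

   Domain servers in listed order:

   NS.ACCESSCOM.NET             204.181.176.2
   NS1-AUTH.SPRINTLINK.NET      206.228.179.10
"""

# First line: registrant name and its -DOM handle.
REGISTRANT_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<handle>[A-Z0-9-]+)\)\s*$")
# "Administrative Contact:" or "Administrative Contact, Billing Contact:" (section 7a).
CONTACT_HDR_RE = re.compile(r"^\s*((?:\w+ Contact)(?:,\s*\w+ Contact)*):\s*$")
# The line under a contact header: name, (HANDLE), e-mail.
CONTACT_RE = re.compile(r"^\s*(?P<name>.+?)\s+\((?P<handle>[A-Z0-9-]+)\)\s+(?P<email>\S+@\S+)\s*$")
# Nameserver lines: hostname then dotted-quad address.
NS_RE = re.compile(r"^\s*(?P<host>[A-Z0-9.-]+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$", re.I)
DATE_RE = r"(\d{1,2}-[A-Za-z]{3}-\d{4})"


def _record_date(text, label):
    """Pull 'Record <label> on DD-Mon-YYYY.' out of the listing as a date, or None."""
    m = re.search(rf"Record {label} on {DATE_RE}\.", text)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None


def parse_domain_record(text):
    """Return a dict with registrant, domain, contacts, dates and nameservers."""
    lines = text.splitlines()
    rec = {"registrant": None, "domain": None, "contacts": {},
           "created": _record_date(text, "created"),
           "updated": _record_date(text, "last updated"),
           "nameservers": []}
    m = REGISTRANT_RE.match(lines[0].strip()) if lines else None
    if m:
        rec["registrant"] = (m["name"], m["handle"])
    pending = []        # contact labels whose handle line is expected next
    in_servers = False  # inside the "Domain servers in listed order:" section
    for line in lines[1:]:
        s = line.strip()
        if s.startswith("Domain Name:"):
            rec["domain"] = s.split(":", 1)[1].strip()
            continue
        hm = CONTACT_HDR_RE.match(line)
        if hm:
            pending = [lbl.strip() for lbl in hm.group(1).split(",")]
            continue
        if pending:     # the handle/e-mail line directly follows the header
            cm = CONTACT_RE.match(line)
            if cm:
                for lbl in pending:
                    rec["contacts"][lbl] = (cm["handle"], cm["email"])
            pending = []
            continue
        if s.startswith("Domain servers in listed order:"):
            in_servers = True
            continue
        if in_servers:
            nm = NS_RE.match(line)
            if nm:
                rec["nameservers"].append((nm["host"], nm["ip"]))
            elif s and rec["nameservers"]:
                in_servers = False   # first non-server line ends the list
    return rec


def host_queries(rec):
    """Queries for section 10's next step: the Host Record of each nameserver."""
    return [f"HOST {host}" for host, _ in rec["nameservers"]]


if __name__ == "__main__":
    record = parse_domain_record(SAMPLE_RECORD)
    print(record)
    print(host_queries(record))
```

The contact handles (OR58-ORG here) are what section 6 says to look up with '!', and host_queries produces the HOST lookups that section 10 uses to get from a nameserver to its -HST handle; the record dates let you spot a listing that changed right around the time the spam started.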
Let's say you've discovered the netblock your spam is coming from is
owned by:

   Wong Advanced Technology (NETBLK-SPRINT-CCB5B0)
      SPRINT-CCB5B0

Now, the first thing is to look up that NETBLK handle and see what kind
of information it gives you:

   Coordinator:
      , (SW112-ARIN)  wong@accesscom.net

In this case, the coordinator contact has an e-mail address using a
domain that's under their control. Whois on "accesscom.net" will show
the rest of the information about them.

----------------------------------------------------------------------

9a. How to find a domain name from a NETBLK handle (method 2)

   Wong Advanced Technology (NETBLK-SPRINT-CCB5B0)
      SPRINT-CCB5B0

You can use the NAME lookup to see if any names in the database match
the owner of this netblock:

>NAME Wong Advanced Technology

And since there's only one match, this one comes up automatically:

   Domain Name: ACCESSCOM.NET

----------------------------------------------------------------------

10. HOST/SERVER - How to find out (most) domains hosted by a nameserver

Let's say you're investigating a spamhaus, and you want to find out all
of the domains being hosted. To do this, use the HOST and SERVER
commands. These commands are run against the main Network Solutions
server.

The Whois result on a domain will show you a list of nameservers that
host it. For example:

   Domain servers in listed order:

   NS.ACCESSCOM.NET             204.181.176.2

Now, we need to find the Host Record for this nameserver. This is done
by using the HOST command (in net.demon, you can highlight the
nameserver, right-click and choose "new Host Whois"):

>HOST NS.ACCESSCOM.NET

This will show you the Host Record information, starting with the
handle:

   [No name] (ACCESSCOM-HST)

This is the part we're interested in.
Now, use the SERVER command to see all the domains being hosted (in
net.demon, you can use the right-click menu and choose "new Server
Whois"):

>SERVER ACCESSCOM-HST

This will show a list of all the domains being hosted there (up to 50):

   Wongs Advanced Technologies (WAT-DOM)    WAT.COM
   David Duke (DUKE3-DOM)                   DUKE.ORG
   etc...

----------------------------------------------------------------------

11. RADB

will write this later

----------------------------------------------------------------------

12. Case Study: MMF Spammer

Let's say you get an MMF chain letter, telling you to send money to the
following addresses:

   1. L.S.
      82 Shearwater Place
      Newport Beach, CA 92660

   2. Scott G.
      5170 Los Altos Drive
      Yorba Linda, Ca 92686

   3. Norma Peters
      P.O. Box 278
      Lansing, Il 60438

   4. S.E.Gimbel
      1280 Bison B960
      Newport Beach, CA 92660

   5. Michael Rodriguez
      23411 Summerfield #68G
      Aliso Viejo, CA 92656

   6. M. Tamous
      7 Laconia
      Irvine, CA 92614

Hey, some of those names look suspiciously similar. Let's see...

>NAME gimbel, s

And look what it finds! Very interesting!

   GIMBEL, S E (SEG60)     CITYSMRT@MSN.COM
   Gimbel, SCOTT (SGZ40)   CITYSMART@HOME.COM

>SEG60

   GIMBEL, S E (SEG60)  CITYSMRT@MSN.COM
   SEG SALES
   82 SHEARWATER
   NEWPORT BCH , CA 92660
   949 854 2908 (FAX) 888 777 8636

Now we have found out who the MMF spammer is!

----------------------------------------------------------------------

13.
References

Technical information related to Whois:
   http://www.faqs.org/rfcs/rfc954.html
   http://www.faqs.org/rfcs/rfc1834.html

A list of Whois servers for all top level domains:
   http://www.allwhois.com/

Web-based Whois lookup:
   http://www.geektools.com/cgi-bin/proxy.cgi
   http://www.heise.de/bin/ferret/

Useful Whois servers:
   whois.networksolutions.com - the main Internic Whois
   whois.arin.net             - Find out who owns a Netblock
   whois.abuse.net            - Look up the Abuse Contact
   whois.thur.de              - Great for domains without their own Whois server
   whois.radb.net             - Find the Routing information from the IP address

----------------------------------------------------------------------

White pages - you may want to look up some of these names or addresses
in the real world. This site lists a bunch of online directories
including reverse phone lookups:
   http://www.TheUltimates.com/

You may want to search the net to see if anyone else has had trouble
with a particular spammer, or if they found any more information:
   http://www.altavista.com/
   http://www.deja.com/usenet/
   http://www.deja.com/group/news.admin.net-abuse.email
   http://www.deja.com/group/news.admin.net-abuse.sightings

Where to get net.demon for Windows 9x, NT, 2000:
   http://www.netdemon.net/

----------------------------------------------------------------------

Disclaimer: the example whois lookups used in this document do not
necessarily mean that any of the domains or people referenced are
guilty of spamming; these were used for example purposes only.

----------------------------------------------------------------------