General stalking techniques Enemy tracking, a difficult art, can be divided into various lore: stalking, reversing language patterns and luring. In order to stalk people (especially messageboards' characters) you need a thorough knowledge of Usenet spamming (and war) techniques like flaming, trolling, avatar mobbing (socketpuppets) and crossposting. A good reverser can moreover try to 'reconstruct' (part of) the snailtrail of his enemies and defeat their smoke curtains applying some semantical reverse engineering tricks. Finally the reverser will lure his targets into the open web and identify them. Slowbombing them, or applying other sort of web-attacks may follow. Stalking, an introduction Some simple stalking tools (Traceroute, Lookup) Yellow pages, White pages (stalking people on the web) Simple email stalking techniques Reversing language patterns Stalking through images Luring Lore and other social engineering tricks Usenet Lore Trolling Lore "...they track us, our interests and our hosts, we track them, their interests and their hosts, it's an interesting match and we'll always win, coz we do not do it for money... +ORC" |
Boring
as most of these little silly wars are, there are GREAT lessons in stalking hidden in there. That's why you too will
have to deal with this. Actually, as usual in the Web, many of our techniques cross and merge reciprocally:
Anonymity techniques, how to search general knowledge,
reality cracking tricks, usenet techniques,
anti-spamming and anti-advertisement knowledge are ALL required to tackle some of the tasks that you'll have
to perform if you really intend to master what you are trying to learn now. Let's, moreover not
forget how useful will be our holy software reversing skills each time we'll decide to
use some of the many tools that the Web offers to track down our targets (tools that are
unfortunately at times crippled or simply too short-lived :-)
If you are an experienced 'global' reverser you'll have more survival
chances that many others, but only your own complementary work, and your own experience,
will keep you
acting as a hunter while keeping at the same time your target acting as a game and not the other way round.
Some professional spammers may turn quite nasty AGAINST you, when you'r chasing them, if you're not careful -and powerful- enough.
In order to gather more material, just search for 'avoiding flaming' and 'trolls flames' on
any good search engine or follow some of the links provided here. As you'll see
there are plenty of documents and faqs on these subjects all over the web.
Trolling, in the stalking context, deserves a special mention: the verb denotes, originally, a style of fishing
in which one trails bait through a likely spot, hoping for a byte. Real, able and powerful,
Master trolls have a double audience:
the idiots (newbies and flamers) that bait the bait and
the 'trolls-savy' (often silent) that enjoy the troll. It is indeed possible, albeit difficult, to
identify and track down experienced trollers. They are in fact among the most interesting game out
there (together with
professional spammers on rogue ISP) for any 'professional' stalker.
So, as said, the basic premise is actually, often enough, that the counterpart, on the web, is NOT who he/she
claims to be... the danger is that the
limited identity cues of the netherworld may make people accept at face value
a writer's claims of
credibility: it may take a long time - and a history of dubious postings - until
people start to wonder about the actual knowledge of a
self-proclaimed expert.
This said it is also true that - for web related
matters - 'official' experts are often FAR inferior to clever autodidacts, so you never
know :-)
When examining communications,
it is important to try to distinguish between the
'expressions given' and the
'expressions given off'. The former are the deliberately stated
messages indicating how one wishes to be perceived; the latter are
the much more subtle - and sometimes unintentional - messages
communicated via action and nuance in the real world. Both forms of
expression are subject to deliberate manipulation, but the "expression given off"
is much harder to control. This is true for the cyber world as well, even if we lack, here,
the many clues offered by "real world" body language. One can write "I am
female", but sustaining a mind set and reactions that are
convincingly a woman's may prove to be quite difficult for a man.
Writing style can identify the author of an posting. A known and notorious net personality hoping to appear online under a fresh name
may have an easier time disguising his or her header ID than the identity revealed in the text. The introduction to the cypherpunks
newsgroup includes this warning:
The cypherpunks list has its very own net.loon, a fellow named L. Detweiler. The history is too long for here, but he thinks that cypherpunks are evil incarnate. If you see a densely worded rant featuring characteristic words such as ``medusa'', ``pseudospoofing'', ``treachery'', ``poison'', or ``black lies'', it's probably him, no matter what the From: line says. - Cypherpunks mailing listIn this case, where the usual assessment signal - the name in the header - is believed to be false, language is used as a more reliable signal of individual identity. See also how spammers use multiple identities on the very nice "Kook of the Month" site.
Many varieties of identity deception can be found within the Usenet newsgroup. Some are quite harmful to individuals or to the community; others are innocuous, benefitting the performer without injuring the group. Some are clearly deceptions, meant to provide a false impression; others are more subtle identity manipulations, similar to the adjustments in self-presentation we make in many real world situations.
Until recently, header information was quite reliable. Most people accessed Usenet with software that inserted the account name automatically - one had to be quite knowledgeable to change the default data. Today, many programs simply let the writer fill in the name and address to be used, making posting with a false name and site is much easier. The astute observer may detect suspicious anomalies in the routing data (the record of how the letter passed through the net) that can expose a posting from a falsified location. Yet few people are likely to look that closely at a posting unless they have reason to be suspicious about its provenance.
It is useful to distinguish between pseudonymity and pure anonymity. In the virtual world, many degrees of identification are possible. Full anonymity is one extreme of a continuum that runs from the totally anonymous to the thoroughly named. A pseudonym, though it may be untraceable to a real-world person, may have a well-established reputation in the virtual domain; a pseudonymous message may thus come with a wealth of contextual information about the sender. A purely anonymous message, on the other hand, stands alone.
There are some useful tricks to narrow down the number of suspected targets in
order to stalk a pseudonym user. One of the best ones I know of is the time trick, but
in order to understand it you mist first know the elementary elements of an email header.
Searching through headers and other tricks (This part -I should have checked- comes directly from Symantec's page ~ begin)
Of course you should by all means read Gandalf's info, which is far superior to the Symantec information above, at http://ddi.digital.net/~gandalf/spamfaq.htmlHere is a sample email header (colors added). The final receiver's address is 'you@your.domain.com'.
Received: (2228 bytes) by <your.domain.com> via sendmail with P:stdio/D:user/T:local (sender: <29086328@compuserve.com>) id m0xUFxr-001cL6C@your.domain.dom for you@your.domain.com; Sat, 8 Nov 1997 10:50:35 -0800 (PST) (Smail-3.2.0.98 1997-Oct-16 #12 built 1997-Oct-28) Received: from simon.pacific.net.sg (simon.pacific.net.sg [203.120.90.72]) by your.domain.com (8.8.7/8.7.3) with ESMTP id KAA01565; Sat, 8 Nov 1997 10:43:34 -0800 (PST) From: 29086328@compuserve.com Received: from pop1.pacific.net.sg (pop1.pacific.net.sg [203.120.90.85]) by simon.pacific.net.sg with ESMTP id CAA25373; Sun, 9 Nov 1997 02:44:51 +0800 (SGT) Received: from po.pacific.net.sg (hd58-032.hil.compuserve.com [199.174.238.32]) by pop1.pacific.net.sg with SMTP id CAA12179; Sun, 9 Nov 1997 02:43:10 +0800 (SGT) Received: from mail.compuserve.com (mail.compuserve.com (205.5.81.86)) by compuserve.com (8.8.5/8.6.5) with SMTP id GAA04211 for <87789123456@aol.com>
It may look confusing, but there are some patterns that tell you everything you need to know. The header can be broken into several sections, each beginning with the word "Received".
The first 'Received' is from your email server. This section lists the supposed sender, the message ID number, and when the message came in. The other 'Received: from' tags are from remailers that the spammer used to make it more difficult to track him/her down.
- Find the last 'Received: from' entry in the header. This usually shows the originating server.
- Find and write down the server domain and its IP address. This information appears in parenthesis in each 'Received: from' entry.
Machine Name
IP Address
mail.compuserve.com 205.5.81.86 hd58-032.hil.compuserve.com 199.174.238.32 popl.pacific.net.sg 203.120.90.85 simon.pacific.net.sg 203.120.90.72 (This part -I should have checked- comes directly from Symantec's page ~ end)
More URLs to help you figure out how to look at the headers:
http://www.concentric.net/~Nvam
http://help.mindspring.com/features/emailheaders/index.htm
http://help.mindspring.com/features/emailheaders/extended.htm
As Balif pointed out in a famous posting on alt.2600: to examine all the cancel messages, you can use Dejanews, which does not honor them but actually archives them. Do a power search on group alt.2600, for "control cancel", sorted by date. You can see there all cancel messages coming from a given address.
Unfortunately Dejanews strips important headers. On your news server, cancel messages do not appear in the newsgroup, and are unseen to you. However you can view them by looking in the group "control.cancel". Beware, this group will most likely be enormous. It contains every cancel message your news server has received for all groups. Mine had 75,000 some messages. Here you can examine the headers of the cancel message. Yet it takes feeling and time to stalk information in this way.
Do Altavista and Dejanews searches on any "sharp edge" that sticks out.
"Sharp
edges" are,
according to SPUTUM "unique characteristics which can lead one to the real poster".
Example: balooney@enemy.com may use as Organization: "balooney inc." on all his
Usenet posts. Maybe he forgot to remove this info when posting later.
You search for "Organization: balooney inc." (as well as for posts
containing his sig), and maybe find all his fatuous
posts to alt.fetish.threelegs, and from thence
you will find (if you'r lucky) his narcissistic website chock full of juicy
personal information (or at least of many more "sharp edges").
Other promising "sharp edges": trailing user name in path
(...!news.foo.com!imamoron), funky newsreaders (ZippityDooDah News Alpha
0.9), unique signature components.
You may add signature patterns, and even particular
emoticons like :--> :*) 8-[
Look hard.
Be clever. Reverse your target.
There is a whole section of mine, about sharp edges:
read my
Language patterns and the stalking tablet section.
3) What if the target used "X-No-Archive: yes" in her headers and all previous steps fail? You may get lucky, and find a follow-up to a previous post which was posted without the "no-archive" clause. Otherwise, the old fashioned 'heavy' way might work: go to the relevant Usenet newsgroup, sort the posters by author name, and look for your target "by hand". Yes the task can be extremely tedious...which is why real stalking is for the patient hunter.
Bokler Software Corp. P.O. Box 261 Huntsville, AL 35804 Tel: (205) 539-9901 Fax: (205) 882-7401 e-mail: info@bokler.com
Subject: Re: How to store passwords encrypted in file? From: jim@bokler.com (James A. Moore) Date: 1996/06/26 Message-Id: <31d0c943.57429273@news.hiwaay.net> References: <4qltu1$bd4@cd4680fs.rrze.uni-erlangen.de> Organization: HiWAAY Information Services Newsgroups: comp.lang.basic.visual.misc See http://www.bokler.com for encryption tools: DEScipher/VBX & /OCX, and HASHcipher. James Moore
Number of articles posted to individual newsgroups (slightly skewed by cross-postings): 11 comp.lang.basic.visual.misc 6 comp.lang.basic.visual.3rdparty 4 comp.security.misc 3 comp.os.ms-windows.programmer.misc 3 comp.unix.bsd.freebsd.misc 2 alt.security 2 comp.os.ms-windows.apps.utilities 2 comp.os.ms-windows.apps.word-proc 2 sci.crypt 1 alt.lang.delphi 1 comp.ai.fuzzy 1 comp.databases.ms-access 1 comp.infosystems.www.servers.unix 1 comp.os.ms-windows.nt.software.backoffice 1 comp.os.ms-windows.programmer.tools.misc 1 comp.unix.questions
6 Hits for Query on DESchipher inside comp.lang.basic.visual.misc Date Scr Subject Newsgroup Author 1. 96/08/12 017 Re: Form1.Show(1) and En comp.lang.basic.vis jim@bokler.com (Jam 2. 96/06/18 017 Re: Encryption for Visua comp.lang.basic.vis jim@bokler.com (Jam 3. 95/10/21 017 Visual Basic Control (VB comp.lang.basic.vis info@bokler.com (Bo 4. 96/04/27 016 Re: Password encrypting comp.lang.basic.vis jim@bokler.com (Jam 5. 95/11/23 016 Re: Protection from pass comp.lang.basic.vis dbrockle@compusense 6. 96/01/09 013 VBX for Data Encryption. comp.lang.basic.vis jim@bokler.com (Jam
Number of articles posted to individual newsgroups (slightly skewed by cross-postings): 123 comp.lang.basic.visual.misc 35 comp.lang.basic.visual.3rdparty 26 comp.lang.basic.visual.database 1 comp.lang.basic.misc 1 comp.lang.basic.visual 1 comp.os.ms-windows.programmer.tools 1 sci.electronics
D M Brocklehurst Albuquerque,NM 87112 (505)299-0562So, he lives in New Mexico too...
James Moore 701 W San Mateo Rd, Santa Fe, NM 87505-3921 (505)988-4370MMM.. Sounds good: Do we have here the real guy and his pal? Let's first check out something else: using whowhere and the previous address we'll find the following:
Bokler Software Corp Santa Fe, New Mexico United States of America
Jim Moore Alabama, United States Of America E-Mail Address: bockler_1@HIWAAY.NET
CompanyName: Bokler Software Corp Address: 1570 Pacheco, Suite E-4 City: Santa Fe State: New Mexico Contact: bockler_1@HIWAAY.NET Domains: BOKLER.COM
Well, yes, Dejanew, as you'll learn on [this] page is a very powerful stalking tool indeed, and the question "who hides behind dejanew?" is therefore particularly legitime. (Watch it, part of the relative info needs to be updated: Dejanews has changed a lot in recent times!)
You need a little background information about this: back in the nineties alt.2600 (an old Usenet hacking group) was heavily spammed by a guy known as 'Archangel', that used some of the most widespread techniques: flaming, trolling, crossposting, faked avatars and gang emailing, in order to gain some dubious personal fame. Of course, in the eyes of any reverser worth is weight, Archangel's claims (on an Usenet group!) of having worked for the CIA and his 'attention seeking' activities did disqualify him immediately (no really competent person would ever 'seek attention' on Usenet), yet hundred of lusers and newbyes believed the whole archangelology to be "cool and interesting stuff". It is amazingly easy, on the web, to brag about things you do not know nothing about. Until some years ago it was still possible to peruse the results of Balif's stalking activity. Balif, a promising hacker and an incredibly good stalker, used intensively the usenet repositories in order to reconstruct the 'history' of the spammer Archangel. Mind you: the whole Archangel saga was pretty boring (a typical case of 'flogging a dead horse' on usenet: taking topics that have been done to death and rehashing them), and DEFINITELY not worth investigating per se yet Balif's pages represented an effective example of a thorough stalking work.
BTW, if you want to investigate an earlier stalking project, here you go with an older search, where, with Brian's and "electel balif's plot" (among other things), you can also see what a good stalker gets out of a picture found on the web!
http://www.auditmypc.com/freescan/antispam.html Audit's antispam.
http://www.mailwasher.net/: Mailwasher's free antispam.
SPUTUM: Spamkilling Personal Interface (Tactical, Enhanced) The three basic spammer types and how to stalk them. (This is the fundamental tutorial on analyzing usenet headers!)
http://www.netmeg.net/faq/internet/net-abuse/troll-faq/ Gandalf's 'Dealing with Trolls'
search_forms (heavy)
http://www.warezfaq.org/indexx.html
The warez faq, useful also for
stalking purposes.
How to search
http://www.melsa.net/internet/tut11.htm How to avoid flaming.
Internet
Address finder
Stalker
page
http://www.anywho.com/rl.html: Reverse Telephone Search
page
Next time you receive some spamming email DO NOT throw it away. Be cool, and try some of the tricks/techniques described above to stalk the spammer. If you have time you may even try the 'go for it' trick: most spammers, even among the most capable forging dudes, are infact trying to SELL you something, aren't they? There dwells the real weak point of these assholes. Somewhere, at a given moment they have to give you either a real address or a real telephone number or whatever in order for you to send them your money.
Fishing spammers can be real fun therefore, especially if you have time, patience, flair and a little dose of social engineering capabilities.
Once you have them you can administer your favoured punishment, from denouncing them to their upstream ISPs supplying service (not always useful) to slowbomb them (until they change real address) with faked clients requests and bogus orders for whatever product they sell (very funny and frustrating for them). This is also IMHO the best method to deal with pyramid schemes: just let a dozen postmaster@[127.0.0.1] or whatever enter the scheme eh eh.
A word of advice: don't choose too dangerous gamebirds at the beginning: real nasty people can be quite dangerous on the net. It is one thing to stalk a peaceful experienced troller, it is a completely different thing to stalk a ring of high-level protected commercial paedophiles. Learn your stalking, luring and logical reversing ABCs first and don't go around shooting yourself in your feet.