How To Catch A Scammer/Spammer

Joe 90 writes "An interesting story got posted on the Irish Linux Users group. It involves the arrest of a scammer/spammer working in an internet cafe. It even includes the attempt to eat a usb pen drive, several cops and a 10 minute struggle to subdue the man. Story is available on the Linux.ie mailing list By the way Gardai = the cops in Ireland."

We have a Hannibal Lecter here or something?

He attempted to eat several cops after downing the USB drive?

No wonder there was a struggle!

Re:We have a Hannibal Lecter here or something?

As long as he's not sticking the USB drive up where the sun don't shine in public.

Call me odd, but I'd be prepared to tolerate watching that happen in public. I reckon it'd only need to happen a few times before the flow of spam becomes <ahem> constipated.

This one goes out to all the ladies...

[snip]

on 64.21.81.131, which seems to belong to some direct marketing whorehouse.

He logged into this as well: 66.180.174.12, which seems to be some sort
of mail harvesting database. The login is done over SSL, so I can't find
out more. If any militant anti-spam vigilantes want to get a good look
at how these people organize themselves, that's probably a good place to
start

[/snip].

They've already been notified...

and they are investigating.

They are a co-lo facility, barebones, FYI.

Re:This one goes out to all the ladies...

Well, let's all start flood pinging it before we start to start thinking about our actions, its neighbor IPs, or whether the information is even really accurate :)

the power of /.ing

I kinda like all the stories I have read here about /.ing the spammers and signing them up for junk snail-mail and the like. (and if anyone can find me the link to the old story, I'd appreciate it)

whitelists rock

after trying every spam blocker known to mankind
I've finally switched to whitelisting. So far
it absolutely rocks and it doesn't need any
legal enforcement whatsoever.

For good measure I have a password override on it
and any email that contains the password has
it's senders address automatically added to the
whitelist.

which is why I'm not afraid to put my email right
here : j@ww.com , no spam will get through because you're still missing the password :)

Very simple, extremely effective.

Re:whitelists rock

which is why I'm not afraid to put my email right
here : j@ww.com , no spam will get through because you're still missing the password :)

I hope the password's not viagra, or some l33t speak typo variant.

Re:whitelists rock

I just sent you an email containing:

1. The meaning of life.
2. The location of $1,000,000 I buried 10 years ago.
3. How to get any woman you want.
4. How to stay young and live forever.

Oh well.

Re:whitelists rock

If he's using something like TMDA, he can view all emails that have been queued and not delivered yet. This means you can kiss your $1,000,000 stash goodbye =)

Re:whitelists rock

Sorry, that doesn't solve the whole spam problem. Your mail server is still getting hammered by spam, it's just that you aren't seeing it. You are still paying for, directly or indirectly, the bandwidth that is being gobbled up by all the unwanted email that is sent to you.

Re:whitelists rock

People generally don't care that much about the decreased bandwidth - a problem which can also be solved - use port knocking algorithm of some kind!

And besides, spamming is pretty sophisticated these days, if the mail delivery fails, the target e-mail is often removed from the list of e-mail addresses they are trying to send scam e-mails to ( as far as I know )
I promise I'm not a spammer, I am interested in the subject though.
I do believe whitelisting is the way to go!
Only way to be sure!

Re:whitelists rock

if the mail delivery fails, the target e-mail is often removed from the list of e-mail addresses they are trying to send scam e-mails to

Ridiculous. Spammers don't even see bounces, since most spam isn't sent from their own computers. Its mostly sent throw open relays and hijacked machines. I see attempts from names I blacklisted 5 years ago.

Re:whitelists rock

And it also means that I can't email you, since I don't know your password, and the only way I could get your password is by asking you, and the only way I could ask you - since I don't have your address or phone number - is by emailing you.

Doubtless that doesn't bother you, as you probably aren't interested in getting email from me. I, on the other hand, do frequently receive personal email from strangers. Your "solution" is worthless to me.

Re:whitelists rock

Except that now, anyone who cares to do a simple whois lookup [networksolutions.com] on the domain ww.com will quickly find himself in the posession of your name, address, and phone number, in addition to your e-mail.

Not that anyone will call. But still, maybe you'd better think about that?

Re:whitelists rock

I've got absolutely nothing to hide,
by Anonymous Coward

Um...

Re:whitelists rock

But not effective in all circumstances.

For me spamming has always been an inconvienence and nothing more really. However, once I helped to implement a new customer support system at work I began to realize just how difficult the problem can be. In that setting (support via e-mail) a whitelist isn't much of an option. An aggressive spam filter isn't really an option either (we really can't have even 1 false positive). We do run a basic filtering system that catches a lot of the spam, but we're still receiving several thousand messages a day. It's a strain on our database and more importantly on our customer support staff who have to wade through all of the spam.

At this point it's just stupid.

Sounds like a Monty Python episode

A unmamed man aprehended a scammer and a spammer,a nd put them in the slammer using only a scanner and a spanner!

Or something like that........

Re:Sounds like a Monty Python episode

Heh, more like "The Court Jester" circa 1956.

"The pellet with the poison's in the flagon with the dragon; the vessel with the pestle has the brew that is true."

thumbs up!

It's a comforting thought to know that there actually is legal action being taken against those suckers.
I find it very amusing to read how the spammer tries to struggle and fight back the cops :) I think it's a proof that he knows he's in deep trouble :)

Full article text (for the lazy)

Some of you who were on #linux on friday will know part or most of this story already as i witnessed some of it (while drinking a truly delicious hot chocolate). For those of you who don't, the following is a report written up by a friend of mine on his succussful (or at least, it's looking good) attempt to stop and catch a 419 scammer. I feel it's worth the read

John

-------- Original Message --------
Subject: I fought the scammer... and I won.
Date: Fri, 02 Apr 2004 21:54:30 +0100
From: Steffen Higel
To: John Allman ,
paulinemccaffrey at eircom.net, stevecash at ireland.com, tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie, edwin.higel at brookside.ie, marynstanley at eircom.net, richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at mail.dcu.ie

[This is long, and is quite heavy on the technical discussion. Skip the bits you don't understand. It gets interesting.]

I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email from a sysadmin in a large U.S. University. Spamcop had blacklisted our server's external IP address. Abuse mail for the server in question gets sent to my college account (bad practice, I know, but it's a part time job). My college uses Spamcop as a blacklist source. You can probably tell what happened...

Anyway, said email included the full headers of an email which was natted by our server pretending to be from the widow of Mr. Jonas Savimbi, offering the recipient a share of an unspecified large sum of money. The usual panicked thoughts kick in... "Have I fiddled with something which has left us as an open relay?", "Has our server been cracked?", "Have I been sleep-spamming again?". A more reasoned examination of the headers showed that the mail had originated from one of the IP addresses that we assign dynamically to people who bring laptops into the cafe. This is something of a nightmare for cafe operators, we can hardly block outbound smtp but then again it isn't possible for us to manually check every single mail either. Maybe rate limiting is a valid technical solution. Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.

A peek through the logs revealed:

Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7
via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
00:40:f4:5d:aa:f7 via eth1

Bingo. I had something to work with. The network card is one based on a Cameo 32bit chipset. Matches up quite nicely with these:

Return-Path:
Received: from 192.168.1.70 (server.XXXXXX [XXXXXXX.29])
byXXXXXXXXXXXXXXXXXX) with SMTP id i2QFrgi0002755
for ; Fri, 26 Mar 2004 10:53:44 -0500 (EST)
Reply-To: "michelle savimbi"
From: "michelle savimbi"
To:
Subject: urgent response
Date: Fri, 26 Mar 2004 15:53:26 +0000
Organization:
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_0 00_0034_01C221EC.6C64F7B 0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000ams
X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2800.1165

I asked around, and a man, described as being black (or is the word African-American these days?), roughly 30, with an accent which seemed half London and half African had been in the cafe with a laptop and had a number of visitors call into

The important question...

> Detective number 1 grabs and tries to cuff him, detective 2 starts to do the same. A struggle ensues and goes on for a full 10 minutes, basically trying to pin him on the floor and then getting his arms behind so he can be handcuffed. Michelle agrees to co-operate on numerous occasions and each time tries to run to the booth to destroy whatever is on that machine.
>
> Eventually, 2 more gardai arrive and he's cuffed and brought out, crying like a little girl

...ten minutes of watching a spammer being beaten to a quivering pulp.

/me re-reads that sentence a few dozen more times... *aaaaaaaaah, yeaaaaah*

Ten. Whole. Minutes. Skulls thumping, billy clubs and fists flying, and 419er whimpering.

Video? Even grainy stuff from the internet cafe's security cam? Please? Pretty please? Pretty please with a lead pipe and a clump of spammer flesh on top?

> What have I learned? Firstly, [ ... ]

FIFTHLY: BRING A VIDEO CAMERA NEXT TIME! You got to see all the good stuff, and you didn't SHARE!

Oh come on, give him a break

The very next Friday (2nd of April 2004) he turned up again.

It wasn't a scam, it was just a bad April Fool joke...and we all know we had a blast with bad jokes on Slashdot. Everybody deserves a little fun.

important details

From the article:

Some of you who were on #linux on friday will know part or most of this story already as i witnessed some of it (while drinking a truly delicious hot chocolate).

You know, more people should mention what they're drinking when relating news like this. :-)

There is an interesting and [somewhat] related article on The Register [theregister.co.uk].

Re:important details

"Our top story this evening, 13 people slaughtered in what can be called the worst case of a mass Serial Killer that escaped from prison last thurday night. On a lighter note, this coffee is magnificent! So rich and smooth, with a perfect blend of roasted beans..."

Re:Not a direct marketing whorehouse...

You ought to look sometime at how many marketing/spam/spyware sites are front-ended by a "search" engine. It gets them classified as search engines in web filter databases.

Spam vs Crackers

I hate spam more than I hate crackers

But yet combining spam and crackers can be quite a tasty treat.

Re:Spam vs Crackers

Ugh please don't eat that crap. It's all fun and games until somebody gets mad cow from ground up whetever-the-hell is in that stuff.

Given that Spam is spiced ham [hormel.com] I doubt that anyone is going to get Mad Cow Disease from it...

he got his wish

well, i guess he got his wish:

Hope that provided some amusement. Forward it on to anyone who is interested. Really. I want to see it on the front page of slashdot and el reg within a week. And yes it really happened.

I guess he needed to add that last line, since this all happend around the first of April.

Destruction of Evidence

Maybe he should have looked into the Thermite option we saw in the latest edition of The Broken?

Of course, you don't want that going off when your trying to swallow the evidence. On second though, you don't really want it going off in your pocket either...

Did I miss out on Ireland becoming the 51st state?

I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email...

...I asked around, and a man, described as being black (or is the word African-American these days?)

Hmmm...

Re:Did I miss out on Ireland becoming the 51st sta

No! Say it ain't so! It's bad enough we export McDonald's and Britney, but now we're exporting our political-correctness?

An "African-American" is a person of African origin living in America. Not all African-Americans are black, and not all blacks are African. Certainly it would be a strange coincidence if this black person in Dublin was visiting from America, and also happened to be originally from Africa.

This stuff hurts my head.

Re:Did I miss out on Ireland becoming the 51st sta

So he would be an Irish-American? Err, wait...

Re:Did I miss out on Ireland becoming the 51st sta

Someone prominent in the U.S referred to Nelson Mandela as an African-American. I can't remember who but it brings a smile to my face whenever I hear it.

I was poking fun at them :-)

Re:Did I miss out on Ireland becoming the 51st sta

Unfortunately it would seem that whilst you have obviously been furnished with a good understanding of the term 'African-American' you obviously have zero understanding of the term 'humour'.

Re:Did I miss out on Ireland becoming the 51st sta

No! Say it ain't so! It's bad enough we export McDonald's and Britney, but now we're exporting our political-correctness?

An "African-American" is a person of African origin living in America. Not all African-Americans are black, and not all blacks are African. Certainly it would be a strange coincidence if this black person in Dublin was visiting from America, and also happened to be originally from Africa.

It almost killed me when I heard a US newscaster refer to Nelson Mandela as African-American.
When your world is all round pegs, what can you do when you encounter a square one?

Re:Did I miss out on Ireland becoming the 51st sta

It almost killed me when I heard a US newscaster refer to Nelson Mandela as African-American.

The correct term, as everyone should know, is African-African.

Er, wait...

Re:Did I miss out on Ireland becoming the 51st sta

African-American is about the stupidest PC label ever. First, as you rightly point out, it technically has no racial connotation and covers all the other racial groups who have lived in Africa for generations.

Secondly, a Kenyan I knew (who happened to be a black Kenyan), once told me never to call an African African. "There are no such things as Africans. There are not even Kenyans or other such nationalities, although I can tolerate being referred to as Kenyan since it is the best compromise between easily identifiable to foreigners and almost correct."

Technically my wife's boss and daughter are African-American, since both of them were born in South Africa. They're also white, and it would be side-splitting to have her report her "race" in college as African American. I'd wager there are more than a few college scholarships naively defined as being for African Americans, when they really mean blacks.

Re:Did I miss out on Ireland becoming the 51st sta

The jury is still out on that question [theomahachannel.com].

ebolamonkeyman time!

Of all the fallout from the 419 spamming, I dont believe anything is funnier than Ebola Monkey Man [ebolamonkeyman.com]. Good way to kill productivity this fine Monday morning. ;)

sweet

This guy sent my first scam/spam to my cell phone last week. Sorry but I had to report you guys for it. I don't particuarly enjoy getting stuff to an address I've had for a week :p

Glad you caught the bastiche though.

-maz

Eating his pen drive?

Papillon way could have been more preferrable (well, and then he should try the same with the notebook).

Not sure if for simple spam he would have a problem under ireland's law, but as scammer probabilities go up.

Strange understanding of ethnicity

the admin narrating the story said the perp looked to be black (or is the word
African-American these days?), roughly 30, with an accent which seemed
half London and half African

Uh, I don't think the term 'American' should be applied to a guy with a half London and half African accent who's currently in Ireland. I just don't see the connection.

Re:Strange understanding of ethnicity

He's being sarcastic and poking fun of the spread of the term "African-American." My students write in their exams all the time about "African-American" tribes in Africa. A friend who teaches in England has had exchange students from America ask about "African-American" history in England.

I wanted to see ...hauled off in a paddywagon.

There's a certain irony to an Irishman in Ireland referring to hauling people off in the paddywagon. Especially when the guy in question actually isn't Irish.

Would have to be one tough USB memory card

What a great story!

Hey, if the memory stick were actually swallowed and then passed through the scammer's digestive system, and the Gardai waited it out and retrieved it from the loo, and it still worked, think what a great marketing slogan the manufacturer could make from that.

Tough enough to pass through the guts of a scammer!

If this story turns out to be a hoax, I'll be sorely disappointed. The thought of one of these 419 scammers desperately trying to break free of the grasp of the police in order to run back and hit a kill switch on his notebook computer makes my nipples explode with delight.

Re:Would have to be one tough USB memory card

One of our UK computer mags had an article on the robustness of these USB memory dongles in the last month or so. I skimmed it instore, but from memory the tests included:

• Microwaving
• Immersing in boiling water
• Freezing in a block of ice
• Sundry physical impacts

Digestion wasn't on the list, but I have no doubt that patience, a rubber glove and a dunk in disinfectant would be all that stands between ingestion, data recovery and prosecution. ;)

Re:Would have to be one tough USB memory card

Microwaving

You might get away with brief exposure to a conventional oven, but microwaving for any length of time is going to kill one of these devices.

There will be strong induced currents in any extended metal object, including the circuit board traces of one of these USB dongles. Very quickly, resistive heating will fry thsoe traces. Quite probably a lethal current will be induced or travel through the flash memory chip itself.

Ever put aluminum foil in a microwave? It's a graphic demonstration of the problem. A conventional compact disc will also spark prettily in a microwave. Heck, it's possible to create arcing between chunks of sausage. I did it inadvertantly just last week. Cut two wedges of Polish sausage, five to ten millimeters thick. (90 to 120 degree sectors.) Place them on a plate so that the points of the wedges are just touching; the arrangement should look roughly like a bow tie when viewed from above. Microwave on high. Within a few seconds, induced currents should flow between the two sausage halves (I presume that there is enough salt and water in the sausage to make it a passable conductor) producing sparking.

I assume no responsibility for damage to your sausages, microwaves, etc. Warning: sausage will be hot, yadda yadda yadda.

Re:Would have to be one tough USB memory card

The thought of one of these 419 scammers desperately trying to break free of the grasp of the police in order to run back and hit a kill switch on his notebook computer makes my nipples explode with delight.

And twelve-thousand horny Slashot geeks go into neurotic spin-lock over gender uncertainty.

-

Privacy Rights?

Where's all the posts saying how this guy's privacy rights were destroyed/taken/bushed by the sysadmin?

This is /. we are supposed to ignore the fact he's in public and using someone else's internet.

Re:Privacy Rights?

Had the person been concerned with privacy, the guy should have used PGP/GPG. Since he was more concerned with exploiting an internet cafe for purposes of sending unsolicited and unencrypted mail to potential victims, fuck him.

Re:Privacy Rights? None

Hmmm, well let's think for a moment:

a) The internet cafe is more or less a public place, as well as a private establishment. If they don't have a sign indicating monitoring, at least they wouldn't have anything indicating that you do have 100% privacy

b) No "privacy" was violated until the issue with SPAM was discovered. At this time, massive SMTP requests were tracked to a particular machine/NIC using the MAC address.

c) MAC generally being a fairly unique identifier (not many people MAC-spoof), there was a fair bit of surety that the monitoring action was being taken against the same scummy spamming individual, used to acquisition evidence against his activity which while if perhaps not illegal, would almost indefinately violate the usage agreement for the cafe.

d) You don't really really even have that many privacy "rights" with your ISP. They log activity for these very reasons (spammers, kiddy-fiddlers, other illegal activitiy). If you were tagged as a spammer (with a non-spam friendly ISP) or a kiddy-pr0nography, you would no doubt come under scutiny with them as well.

Neat :) but...

i'm trying to picture a revived miami vice, focused on computer crimes. imagine the possibilities. ok, there aren't many...

congrats to the irish police for taking the offense so seriously. but is anyway here wary of the snooping involved? yes the sysadmin had every right to monitor traffic, but in what depth and for what purpose? for example, there's talk here of trying to fish out the suspect's email password and so on -- at police request. wouldn't it would feel a bit different in the police, without warrant, were to do the same themselves -- imagine worst case of them bugging all internet cafes to examine generic traffic without individualized suspicion. it's bad enough they want to see what we do at the library....

practically speaking, i would imagine the government generally lacks the resources to parse large amounts of computer data. but just wait until it can be done by computers hunting for suspicious transactions, much as the credit card companies do now to catch fraud. the capability is there.

i'm not sure where the legal stuff comes out here, this is not US law, but wonder about future possibilities. it is debatable what expectation of privacy you have in an internet cafe -- are keyloggers ok? is decrypting information different from reading plain text? must the user be warned? as an analogy, consider that when the federal exclusionary rule was first judicially established, it did not apply to states and the "silver platter doctrine" emerged whereby state investigators would get what the feds wanted and hand it over clean of any search and seizure problem. obviously this is a charade.

someone who acts at the behest of the government -- an agent -- pretty much *is* the government, and i wonder if this interpretation colors the reaction of anyone here on privacy -- normally /.'rs are pretty, um, passionate on privacy and gov't intrusion, even if this IS an (alleged!) spammer who by definition is not humanoid. :)

Re:Neat :) but...

Well, the following considerations have a strong impact on my view of the privacy issues:

1) Scammer was using a public Internet cafe. For that matter, he was using the Internet, and don't we all understand that anything going out over the 'Net unencrypted can be considered seen by many eyes? There's no reasonable expectation of privacy in this situation. I certainly don't expect more privacy at an Internet cafe than I can get from using SSL on a machine I control; SMTP traffic is effectively public.

2) Scammer was caught in flagrante delicto, turned in by the sysadmin on the basis of unsolicited information from a public source. This is far, far from the situation where Ashcroft tracks my every 'Net transaction in the absence of probable cause. (And the police in this case VERY likely have probable cause to get a warrant to search the perp's computer and crack his codes.)

Even if this weren't a spam case, (say, a kidnapping or extortion rap instead), I don't see a fundamental issue of concern in the specific circumstances involved. I worry much more about snooping in the absence of clear evidence of a crime (yes, Mr. Ashcroft, I mean YOU).

Best Line

Best Line: "Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them."

A really good story ... I have a similar notion

This was a really good story. I hope more libraries, internet cafes, and wifi hotspots will monitor their traffic occasionally like this guy did.

One line I liked, in particular:

"What have I learned? Firstly, digging up evidence on criminals is an exciting activity. "

This is the sentiment I have over my jackwhispers.com website. The deconstruction of the criminal mind is very fascinating - particularly when it involves a technical computer issue.

www.emailspidereasy.com

Then, he spent a bit of time on http://www.emailspidereasy.com [emailspidereasy.com]. Don't you just love the fake google-textads?

Yup, love is the word. I also love these links on the same page:

Credit cards [globaldebitcard.net] - links to credit card resources

Cheap loans [dfsc.com] - compare and get a cheap loan

Compare mortgage quotes [jeffschultzmortgage.com] - cheap mortgages online

Work from home [ztmi.com] - make money with working from home

Seems this is the only site spammers need to visit; they have links to spamming resources as well! Very convenient ...

Re:SMTP transparent proxy?

I do my transperant proxying using iptables.

Just forward outgoing traffic on port 25 to local:25.

You need to do some sanity checking afterwards, to make sure you haven't ended up as an open relay. Other than that, it works fine for me.

Meddling Kids

And I would have gotten away with it, if it wasn't for you meddling kids!

Diet tips

It even includes the attempt to eat a usb pen drive, several cops and...

Diet tip of the day: never try to eat cops. That whole pig motif's just a cunning lie.

Good Show!

This is the kind of thing that makes your day, knowing that you personally have removed at least one source of the crap that fills inboxes. Let's hope the Irish bobbies can do something amazing with your tcpdump trace and if not I'm sure there will be vigilantes out there waiting to DoS the servers you mentioned!

We need more admins who are willing to take action.

Is there scope for running something like spamassassin on outgoing mail? Do people do this? Would give you a chance to stop outgoing spam before you get blacklisted.

USB drives....

...are much tastier with a bit of ketchup, and easier to swallow too!

Block egress port 25!

The cafe operator ought to know better:

This is something of a nightmare for cafe operators, we can hardly block outbound smtp...

If you operate a public Internet access point (school, library, cafe, city park, etc.) please block egress port 25 traffic! Your patrons do not need to pretend to be an e-mail server. To allow such traffic to come from your network is to invite spammers, scammers, and so on to operate freely with your resources. Anyone needing legitimate e-mail access can use webmail or pester their ISP or business to use SMTP+AUTH+SSL/TLS for initial mail submission (on a port other than 25, of course).

Configuring a SMTP server to handle this in not difficult for a reasonably skilled sys admin, so no excuses!

"we can hardly block outbound smtp"

Why not?

You're a cyber cafe, not a shop that's set up with local accounts. Mail should be of one of two types:

• Webmail/remotemail/etc, in which case, the mail actually doesn't get sent from your servers, it goes through the webforms/ssh/whatever to be sent from the remote server
• Mail from actual local accounts for the Cafe's staff. This mail should be filtered to your mail server, and should only be forwarding mail from those accounts. Setting this up is fairly trivial with the many AUTH-before-SMTP methods out there.

Either way, your proxy server should have a default DENY outbound port 25 EXCEPT from your mailserver, which itse'f is handling the authentication for the few accounts that really are allows to send mail.

Similar experience

I don't think that the only problem for internet-cafes are the customers who run "illegal" software, but also the security-policies of the cafes themselves. If policies are not enforced lots can happen before someone takes action.

I'm currently a part-time employee at a Swedish Internet-cafe where I work as a system admin. I've previously only been taking care of the Linux systems which we run for sponsored websites and gameservers but have recently been forced to take over the work of our late Windows-loving administrator.

He had the responsibility to maintain our firewall (WatchGuard), our active-directory Windows2000 server (user-database and login) and the exchange system, aswell as other system as the check-in/out machine. These tasks has now forcedly fallen onto me as this previous admin has been removed from further duties. Perhaps he had too much on his hands or he simply didn't care, but lots of security-policies were not enforced which could have saved me lots of trouble.

Anyhow, recently I began getting calls from an employee at a university here in sweden who told me that spam were originating from our mail.domain.se machine, after doing some further checks I noticed the e-mails were infact being sent from a software disguised as "nortonav.exe" on one of our game-machines. Acting as a spam-daemon. The first thing I did when I had recieved the password for the firewall was to block all smtp-traffic except for the trusted exchange and shutdown this terminal. I've set-up a series of security policies as well as tried to teach the cafe-staff some security-values as in maintaining the antivirus/adware-awarity. Would there be other good countermeasures to take?

Some of the firewall-blocking:
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.236.62.131 4697 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.102 64.4.50.99 4696 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 200.208.9.162 3525 25 syn (SMTP)
03/31/04 19:05 firewalld[159]: deny out eth1:0 48 tcp 20 128 192.168.0.162 213.212.42.30 3524 25 syn (SMTP)

It may be just me who has had bad experience with all administrators at companies I've worked at, who only see Windows as the only option but is it more common for these kind of people to ignore security?

more filling

>USB pen drives aren't very filling.

Don't know. That's a lot of bytes.

An Garda Siochana

The Gardai as they are referred to are actually called, in Gaelic "Garda Siochana na hEireann", which translates to "Guardians of Peace in Ireland" . They are the cops in the Republic of Ireland. They even go on peacekeeping missions abroad.

my W*O*R*K*I*N*G spam filtering method

I have bought a domain (let's say johndoe.org) from a very cheap url forwarding company (at a rate of something like $15/year). It comes with unlimited e-mail forwarding aliases, and a "catch-everything" alias (let's say notexisting@johndoe.org), that forwards any e-mail send to non-existing alias to the default e-mail address that I have defined.
The default e-mail address (let's say secret@johndoe.org) is an alias that forwards everything to my real mailbox (let's say johndoe@aol.com). Of course, my real mailbox address, my catch-all address and the "default" address are not given to ANYBODY.

For my communication needs, or whenever asked, I just makeup a e-mail address (jonamazon@johndoe.org for amazon so that I will remember easily what address I use on the site). Since the alias is not setup in the mailserver, when amazon tries to contact me, the e-mail will follow the following alias path:
1) jonamazon
2) notexisting
3) secret (default)
4) real mailbox

When I see an spam message (once in two weeks!!!), I just divert the alias to point to an abuse address of a random spamhaus. The good thing, is that since I use random but descriptive addresses, I can see what websites actually harvest e-mails and sell them to spammers!!!
It is interesting to note that at some point I received e-mail that were addressed at some ridiculus random aliases (e.g. jesus@, happykitty@ etc) of my domain (clearly not used by me). Just an indication of the use of wordlists (of course every such alias got blocked).

I have not yet reached the levels of paranoia of giving seperate e-mail addresses to any of my friends of course :P

Anyway, it is not as complicated as it looks, and of course way less complicated than using bayesian filters and the like. And believe me, it works :)

Is it legal to tap someone's internet traffic...

... while in an internet cafe? I mean, in theory it's not much different from a hotel providing a phone service to a customer, whilst sneakingly listening in.
Don't get me wrong here, spammers are bad and should be caught, but it doesn't do any good when the spammer is let go in a day because of lack of undisputed evidence. My eavesdropping on a communications channel doesn't really do much good there.
I understand that when the communication actually goes to your own server there is nothing wrong (practically, in many countries it is ok to record a conversation as long as you are the one having it), but I feel that intercepting his yahoo or mail.com passwords is a little on the gray side of the law...
Please correct me, I want to be wrong here.

Re:Just so I'm clear, here...

Eh how about you read the mail.

Our cafe was *BLACKLISTED* by spamcop. I checked the logs. I found his MAC address and when he came in with his laptop. I asked the staff. They described him. He came back and I caught him red handed.

Re:Just so I'm clear, here...

This is a story that starts with a sysadmin seeing a 419 scam, hearing that there was a black guy with a "suspicious" accent in his cafe, deciding that this must be our criminal, and deciding to read his e-mail to find out...

Right?

Not totally. He first said that a company (Spamcop?) blacklisted him and he didn't know why. He went back to investigate and looked through the logs, he saw a lot of traffic by someone using a laptop at the cafe and figured that the person was spamming. He had the hours it happened, and asked, and the person told him about the "suspicious" people during those hours.

Re:Just so I'm clear, here...

No, a sysadmin has his IP balcklisted because of spam, discovers it was sent from a laptop and when. Then he finds out that there was someone in with a laptop at the right time and they had visitors while they were there (which is not rare or suspicious of itself in a net cafe, but it attracts attention and can look suspicious depending on what they are doing). The guys description was male, black, 30 and a half london, half african accent. The sysadmin had the MAC address of the laptop and asked the staff to watch out for the same man. When the same guy appeared the sysadmin raced in and after the guy had waited to get a particularly private booth the sysadmin saw the mac address appear and hence had his confirmation. But the police wanted someone caught in the act of doing something illegal so he had to keep watching until the spam went again. Not quite as you described it eh?

Re:Racist Bullshit

He didn't say they were scammers, did he? Re read the quote you posted. Doesn't say a thing about them being involved, does it?
You're not being politically correct, you're being an asshole.