Tracking the "Crusader Spammer".

Tracking the "Crusader Spammer"

From: lan@panix.com (Larry)
Newsgroups: news.admin.net-abuse.misc
Subject: New site for Crusader email-spam...
Date: 26 Sep 1995 02:47:33 -0400
Message-ID: <4487m5$t2t@panix3.panix.com>

He's got a new home:  mc3.hq.eso.org.  

My interpretation of the headers is that this spam came directly off
of that site, which happens to be in Germany -- I think the slip.net
is a red herring.  Interestingly, I beleive this type of thing is
illegal in Germany, so perhaps they will start a criminal
investigation.

Also, note that my account that got hit has made only one posting
ever, to misc.test on August 9th, 1995.  If he's combing usenet, then
that's where it came from.

I sent myself a message through both implicated sites.  (I tried to do
this via cdsxb6.u-strasbg.fr as well, but that machine is either down
or behind a firewall.)

Both have received lines that look like:

============================================

> Received: from panix3.panix.com by mc3.hq.eso.org (4.1/ eso-4.2)
>        id AA09471; Tue, 26 Sep 95 06:39:10 +0100

and

> Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by
> slip-1.slip.net (8.6.9/8.6.9) with SMTP id WAA17147 for
> <lan@panix.com>; Mon, 25 Sep 1995 22:24:42 -0700

===========================================

After comparing those to the headers on the original message (below),
I think that at the very least, this mail entered the SMTP stream at
mc3.hq.eso.org.  I think the reference to slip.net was most likely put
there by the spammer. (Does anyone know if slip.net had a problem with
some nazis at some point?)

Original headers:  (attacked site hidden by me.)

> Received: from XXXXXXX (XXX.XXXXX.XXXX [XXX.XX.XXX.XX]) by panix4.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id BAA16440 for <lan@panix.com>; Tue
> , 26 Sep 1995 01:08:42 -0400
> Received: from mc3.hq.eso.org by XXXXXXX (5.x/SMI-SVR4)
>         id AA19392; Tue, 26 Sep 1995 01:08:17 -0400
> Received: by mc3.hq.eso.org (4.1/ eso-4.2)
>         id AA07019; Tue, 26 Sep 95 05:24:03 +0100
> Received: by slip-1.slip.net (8.6.9/8.6.9)
>         id AA27149; Mon, 25 Sep 95 20:11:43 -0700
> Date: Mon, 25 Sep 95 20:11:43 -0700
> From: Crusader@National.Alliance (Crusader)
> Message-Id: <568.32472628@National.Alliance>
> Subject: The Long March
> Apparently-To: Crusader@panix.com


I will be tracking the search for this person on
http://www.panix.com/~lan/crusader -- if you have any relevant
information for the web page, please email it to me.

--L
http://www.panix.com/~lan



By: lan@panix.com