Tracking the "Olga Spammer"


>From: snowhare@xmission.xmission.com (Snowhare)
>Newsgroups: news.admin.net-abuse.misc
>Subject: Re: Ukranian ladies e-mail spam in progress
>Date: 6 Jul 1995 16:48:00 -0600
>Organization: High Mountain Warren
>Message-ID: <3thp70$buj@xmission.xmission.com>
>References: <3t9jp8$9du@engnews1.eng.sun.com> <3tagig$ed5@news.eecs.nwu.edu> <3tb7hm$lqh@murphy.servtech.com> <3tfq0n$763@dana.ncd.com>
>NNTP-Posting-Host: xmission.xmission.com

-----BEGIN PGP SIGNED MESSAGE-----

Nothing above this line is part of the signed message.

In article <3tfq0n$763@dana.ncd.com>,
S. Spencer Sun  wrote:
>So.  What can we do next?  Hope that one of email.mt.gov or
>physics1.byu.edu is logging connections to the SMTP port?

If they are logging it, three gets you one they report it originated from 
one of the open access computer labs at the University of Utah.

'Olga' is a young male apparently attending the U of U. Rides a bicycle. Is 
clever about using standard programs to access open SMTP ports anonymously.
Likes to use Macintoshes.

The U of U Marriott Library Microcomputer Center staff actually physically 
had him. Until a system admin from the U of U Computer Center, with a big 
ego and little sense, scared him out of his mind with legal sounding threats on 
the phone, finishing with telling him 'Stay there - I'm calling the campus 
police'. Yeah, right. Figure the odds.

- -- 
Benjamin Franz; No longer even in Utah.

"And that admin actually had the gall to bitch that 
we hadn't *physically* (_illegally_) detained the kid..."

"I should tell you about the time a hacker broke into that same admin's 
system and started replacing the binaries...resulting in the admin 
accusing a local radio disk jockey who couldn't even install Waffle by 
himself...I should know - I'm the one who installed Waffle for him."

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBL/xmpujpikN3V52xAQG4TQP7BBAWMacemlgJEkZk947R4g2ij9foo+Te
WDilq3Wtl3XsPStQrLy5Krm9RUvmtPkd7/5WecKYjTE02YnBqMcnnSrkg5lU9AFY
ZEslVaFepy24hk/OKNrdTVG9qfXQUdZoefg+BnhRE3x2eKPvtSD0xa5e7hCm8+LL
2V4+it6POAs=
=6lz/
-----END PGP SIGNATURE-----


>From: wmb@xmission.xmission.com (william m biesele)
>Newsgroups: news.admin.misc,news.admin.net-abuse.misc,alt.current-events.net-abuse.spam
>Subject: Re: Olga spammer assistant or address!
>Date: 7 Jul 1995 03:00:14 GMT
>Organization: bill nye science labs
>Message-ID: <3ti7vu$9g7@news.xmission.com>
>References: <3th9rk$kak@nntp.crl.com>
>NNTP-Posting-Host: xmission.xmission.com

667 - the neighbor of the beast (dragnet@crl.com) has already denied ever writing <3th9rk$kak@nntp.crl.com> :

| This is from dragnet.com.
| Here's an e-mail address that obviously received the mail about
| the "lists" commands, with some additional output from my
| syslog (added line breaks mine):
|
| Jun 29 15:04:13 dragnet sendmail[10973]: PAA10973: to=majordomo,
|   delay=00:00:00, mailer=local, stat=User unknown
| Jun 29 15:04:13 dragnet sendmail[10973]: PAA10973: from=u.cc.utah.edu!rsb3958,
|   size=630, class=0, pri=30630, nrcpts=1,
|   msgid=, proto=UUCP, relay=uucp@localhost
|
| I saw the headers and this message was definitely sent to many
| machines all at once. Probably the same machines that were in
| the mail the lists on my machine received.

geez, i knew my school account would come in handy someday.

this is from u.cc.utah.edu :

--- begin quote ---
u ~ % last rsb3958
rsb3958  ttyp2  128.110.171.89    Tue Jul  4 17:35 - 17:36  (00:00)
rsb3958  ttyq2  128.110.171.89    Tue Jul  4 16:43 - 16:46  (00:02)
rsb3958  ttyp4  128.110.171.89    Tue Jul  4 16:24 - 16:35  (00:10)
rsb3958  ttypc  128.110.171.89    Tue Jul  4 15:57 - 16:05  (00:08)
rsb3958  ttyp0  emcb015x.utah.ed  Mon Jul  3 21:26 - 21:27  (00:01)
rsb3958  ttyp4  emcb016x.utah.ed  Mon Jul  3 21:08 - 21:35  (00:26)
rsb3958  ttype  emcb016x.utah.ed  Mon Jul  3 20:16 - 21:01  (00:44)
rsb3958  ttyq0  128.110.56.22     Mon Jul  3 19:49 - 19:50  (00:00)
rsb3958  ttyq8  emcb009x.utah.ed  Sat Jul  1 17:31 - 17:34  (00:03)
rsb3958  ttyq5  emcb003x.utah.ed  Sat Jul  1 17:17 - 17:18  (00:01)
rsb3958  ttyqc  emcb003x.utah.ed  Sat Jul  1 17:08 - 17:11  (00:02)
rsb3958  ttyqb  emcb003x.utah.ed  Sat Jul  1 17:03 - 17:05  (00:01)
rsb3958  ttypa  emcb003x.utah.ed  Sat Jul  1 16:18 - 17:04  (00:45)

wtmp begins Sat Jul  1 02:01
u ~ % fgrep rsb3958 /etc/passwd
rsb3958:*no give back-jh6jul1995*##rsb3958:16002:81:richard brock:/home/users/rsb3958:/bin/csh
u ~ %
--- end quote ---

whoever it was, they were logging on from a few macs around the engineering
department, and their account is now suspended w/no hope of reactivation for
some unspecified reason. (suspended just today, apparently.)

---mike
-- 
"when Truth is gone, there's always Justice.         william michael biesele
and when Justice is gone, there's always Force.
and when Force is gone, there's always... Mom.       wmb@xmission.com
(hi, Mom!)"                     ---laurie anderson   http://www.xmission.com/~wmb
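The post above carries out the trace in two steps: sendmail's syslog records on the receiving host give the queue ID and the UUCP bang path of the sender, and "last" on the originating host turns that account name into a list of the machines it logged in from. The script below is an added example, not code from either post, that does the same correlation mechanically over the log text quoted above (reassembled onto one line per syslog record). The regular expressions, function names and the shape of the report are my own assumptions. It also checks the one gap the post exhibits: the wtmp that "last" read begins Jul 1, so it cannot contain the Jun 29 session that actually sent the mail, and the logins it lists are only the account's later habits, not the sending session.

```python
import re
from collections import defaultdict

# Sample input reassembled from what the post quotes: sendmail's two syslog
# records for queue ID PAA10973 (the poster's added line breaks removed) and
# the `last rsb3958` listing from u.cc.utah.edu.
SENDMAIL_LOG = """\
Jun 29 15:04:13 dragnet sendmail[10973]: PAA10973: to=majordomo, delay=00:00:00, mailer=local, stat=User unknown
Jun 29 15:04:13 dragnet sendmail[10973]: PAA10973: from=u.cc.utah.edu!rsb3958, size=630, class=0, pri=30630, nrcpts=1, msgid=, proto=UUCP, relay=uucp@localhost
"""
LAST_OUTPUT = """\
rsb3958  ttyp2  128.110.171.89    Tue Jul  4 17:35 - 17:36  (00:00)
rsb3958  ttyq2  128.110.171.89    Tue Jul  4 16:43 - 16:46  (00:02)
rsb3958  ttyp4  128.110.171.89    Tue Jul  4 16:24 - 16:35  (00:10)
rsb3958  ttypc  128.110.171.89    Tue Jul  4 15:57 - 16:05  (00:08)
rsb3958  ttyp0  emcb015x.utah.ed  Mon Jul  3 21:26 - 21:27  (00:01)
rsb3958  ttyp4  emcb016x.utah.ed  Mon Jul  3 21:08 - 21:35  (00:26)
rsb3958  ttype  emcb016x.utah.ed  Mon Jul  3 20:16 - 21:01  (00:44)
rsb3958  ttyq0  128.110.56.22     Mon Jul  3 19:49 - 19:50  (00:00)
rsb3958  ttyq8  emcb009x.utah.ed  Sat Jul  1 17:31 - 17:34  (00:03)
rsb3958  ttyq5  emcb003x.utah.ed  Sat Jul  1 17:17 - 17:18  (00:01)
rsb3958  ttyqc  emcb003x.utah.ed  Sat Jul  1 17:08 - 17:11  (00:02)
rsb3958  ttyqb  emcb003x.utah.ed  Sat Jul  1 17:03 - 17:05  (00:01)
rsb3958  ttypa  emcb003x.utah.ed  Sat Jul  1 16:18 - 17:04  (00:45)

wtmp begins Sat Jul  1 02:01
"""

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# syslog timestamp, host, "sendmail[pid]:", queue ID, then sendmail's k=v list
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
                       r"(?P<qid>\w+): (?P<fields>.*)$")
# user, tty, source host/IP, weekday, month, day, start time (rest ignored)
LAST_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<src>\S+)\s+\w{3} (?P<mon>\w{3})\s+"
                     r"(?P<dom>\d+) (?P<start>\d\d:\d\d)")
WTMP_RE = re.compile(r"^wtmp begins \w{3} (?P<mon>\w{3})\s+(?P<dom>\d+)")


def parse_fields(text):
    """Split sendmail's 'k=v, k=v' list; empty values such as msgid= stay ''."""
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in text.split(", ") if "=" in p)}


def messages_by_queue_id(log):
    """Merge every sendmail record sharing a queue ID into one dict per message.
    sendmail logs the from= and to= halves of a delivery as separate lines,
    so the queue ID (PAA10973 above) is the join key."""
    msgs = defaultdict(dict)
    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            rec = msgs[m["qid"]]
            rec.setdefault("ts", m["ts"])
            rec.setdefault("mta", m["host"])
            rec.update(parse_fields(m["fields"]))
    return dict(msgs)


def originating_account(sender):
    """Split a UUCP bang path ('u.cc.utah.edu!rsb3958') into (host, user).
    Only the last hop is worth trusting: earlier hops are sender-supplied."""
    if "!" in sender:
        path, user = sender.rsplit("!", 1)
        return path.rsplit("!", 1)[-1], user
    return None, sender


def logins_for(last_text, user):
    """Parse `last` output; return (source, 'Mon D HH:MM') for each session of user."""
    hits = []
    for line in last_text.splitlines():
        m = LAST_RE.match(line)
        if m and m["user"] == user:
            hits.append((m["src"], f"{m['mon']} {m['dom']} {m['start']}"))
    return hits


def wtmp_covers(last_text, mon, dom):
    """True if the 'wtmp begins' trailer reaches back to (mon, dom). `last` reads
    only the current wtmp; sessions before the last rotation are simply absent.
    Returns None when the trailer is missing, so the caller cannot mistake
    'unknown' for 'covered'."""
    for line in last_text.splitlines():
        m = WTMP_RE.match(line)
        if m:
            return (MONTHS[m["mon"]], int(m["dom"])) <= (MONTHS[mon], dom)
    return None


def trace_sender(sendmail_log, last_text):
    """For each message with a from= record: the originating account, the hosts
    that account logged in from, and whether wtmp still covers the send date."""
    report = {}
    for qid, rec in messages_by_queue_id(sendmail_log).items():
        if "from" not in rec:
            continue
        host, user = originating_account(rec["from"])
        mon, dom = rec["ts"].split()[:2]
        sessions = logins_for(last_text, user)
        report[qid] = {
            "account": user, "origin_host": host, "sent": rec["ts"],
            "proto": rec.get("proto"), "nrcpts": rec.get("nrcpts"),
            "login_sources": sorted({src for src, _ in sessions}),
            "wtmp_covers_send_date": wtmp_covers(last_text, mon, int(dom)),
        }
    return report
```

Run trace_sender(SENDMAIL_LOG, LAST_OUTPUT) and the report for PAA10973 names account rsb3958 on u.cc.utah.edu, lists six login sources (two bare 128.110.x.x addresses plus four emcb0NNx.utah.ed lab machines) and sets wtmp_covers_send_date to False. That last flag is the practical point: the "last" listing proves where the account was used in July, not where the Jun 29 mail came from, which is why the first post's suggestion of SMTP connection logs on the relay hosts, not wtmp on the shell server, would be needed to pin down the sending session.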

Email: lan@panix.com