fravia's anonymity pages ~ Enemy tracking

updated June 1999

Fravia's Anonymity Academy
Enemy tracking
1) General stalking techniques
(Fravia shows you what you can do - or try - and where you can learn some advanced stalking techniques)

Enemy tracking, a very difficult art, can be divided into stalking, reversing language patterns and luring. In order to stalk you need a deep knowledge of Usenet spamming (and war) techniques like flaming, trolling and crossposting. A good reverser can moreover easily 'reconstruct' (part of) the snailtrail of his enemies and defeat their smoke curtains by applying some easy semantic reverse engineering tricks. Finally the reverser will lure his targets into the open web and identify them.

0) Some simple stalking tools
1) General stalking techniques
1.1) Simple email stalking techniques
2) Reversing language patterns
3) Luring and social engineering tricks
"...they track us, our interests and our hosts, we track them, their interests and their hosts, it's an interesting match and we'll always win, coz we do not do it for money... Work well, +ORC"
Yet, while it is true that a single person can create multiple electronic identities that are linked only by their common progenitor, that link, almost invisible in the virtual world, is of great significance. That is the weak point of any virtually created identity. It's easy to say that your avatars should have 'coherent' personalities (i.e. if you create a 'lorry driver' personality and a 'university professor' personality, the two should have COMPLETELY different speech patterns), yet this is very difficult to implement. Stalkers should be very versatile experts, ready to read and recognize voluntarily altered speech patterns.
Usenet, for obvious reasons, is the field you should peruse to learn the first elements of the stalking art. See: most of Usenet is meant to be non-fiction; the basic premise is that the users are who they claim to be. There are, however, variances between the different newsgroups as to what constitutes a real or "legitimate" identity. And there are numerous cases of identity deception, from the pseudo-naive trolls to the name-switching spammers.
Yes, there's a vocabulary you should learn:
a) Flaming: i.e. rude comments, insults, personal attacks, etc.
b) Trolling: i.e. fishing for flames. Usually takes the form of inane postings like smarmy love chatter, useless pieces of boring information, McClatchie's FAQ, etc.
c) Cascades: endless meaningless threads in which the posters repeat the same phrase over and over, sometimes with a little variation. They are amusing to the ones participating in them, boring to everyone else.

Boring as most of these little silly wars are, there are GREAT lessons in stalking hidden in there (as you'll see if you follow the links below). That's why you too will have to deal with this. Actually, as usual on the Web, many of our techniques cross and merge reciprocally: anonymity techniques, how to search knowledge, reality reversing tricks, Usenet techniques, anti-spamming knowledge are ALL required to tackle some of the tasks that you'll have to perform if you really intend to master what you are trying to learn now. Let's, moreover, not forget how useful our holy software reversing skills will be each time we decide to use some of the many tools that the Web offers to track down our targets (tools that are unfortunately at times crippled or simply too short-lived :-)

I would say that if you are an experienced 'global' reverser you'll have more survival chances than many others, but only your own complementary work, and your own experience, will keep you the hunter and your target the game and not the other way round... since, for instance, some of the professional spammers may turn quite nasty AGAINST you if you're not careful - and powerful - enough.
In order to gather more material, just search for 'avoiding flaming' and 'trolls flames' on Altavista or follow some of the links below... as you'll see there are all sorts of documents and FAQs on these subjects.

'Trolling for newbies' comes from 'trolling': a style of fishing in which one trails bait through a likely spot hoping for a bite. Real well-constructed trolls have a double audience: the idiots (newbies and flamers) that bite the bait and the 'troll-savvy' that enjoy the troll. I'll try to teach you also how to identify and track down experienced trollers, among the most interesting game out there (together with professional spammers on rogue ISPs) for any 'professional' stalker... but let's go on with the basics...

So, as we were saying, the basic premise is actually, often enough, that the users are NOT who they claim to be... the danger is that the limited identity cues may make people accept at face value a writer's claims of credibility: it may take a long time - and a history of dubious postings - until people start to wonder about the actual knowledge of a self-proclaimed expert. This said, it is also true that - for web related matters - 'official' experts are often FAR inferior to clever autodidacts, so you never know.
Erving Goffman, in his classic work "The Presentation of Self in Everyday Life", distinguished between the 'expressions given' and the 'expressions given off'. The former are the deliberately stated messages indicating how one wishes to be perceived; the latter are the much more subtle - and sometimes unintentional - messages communicated via action and nuance. Both forms of expression are subject to deliberate manipulation, but the 'expression given off' may be much harder to control. One can write 'I am female', but sustaining a voice and reactions that are convincingly a woman's may prove to be quite difficult for a man.
Writing style can identify the author of a posting. A known and notorious net personality hoping to appear online under a fresh name may have an easier time disguising his or her header ID than the identity revealed in the text. The introduction to the cypherpunks mailing list includes this warning:

"The cypherpunks list has its very own net.loon, a fellow named L. Detweiler. The history is too long for here, but he thinks that cypherpunks are evil incarnate. If you see a densely worded rant featuring characteristic words such as "medusa", "pseudospoofing", "treachery", "poison", or "black lies", it's probably him, no matter what the From: line says." - Cypherpunks mailing list

In this case, where the usual assessment signal - the name in the header - is believed to be false, language is used as a more reliable signal of individual identity. See also an example of a spammer using multiple identities on the very nice "Kook of the Month!" site.
One newsgroup that contains many business-card signatures is comp.security.unix. The discussion here is about how to make Unix systems secure - and about known system flaws. Many of the participants are system administrators of major institutions, others are just learning how to set up a system in a fledgling company and some, of course, are hoping to learn how to break into systems :-). A posting suggesting that administrators improve their sites by changing this or that line of code in the system software could be a furtive attempt to get novice administrators to introduce security holes. Identity deception is a big concern of the participants in this group, and this makes it VERY interesting for any advanced studiosus of these matters to try, sooner or later, his luring abilities in this group. (When you do it, if you want to be taken seriously - and you'll probably not go very far even so :-) - first 'really' create your own company, say 'Software Alternative Limited', then name yourself 'Director of Software Development', create your domain and sign with something like "Director@SALSoft.com".)
Many varieties of identity deception can be found within Usenet newsgroups. Some are quite harmful to individuals or to the community; others are innocuous, benefitting the performer without injuring the group. Some are clearly deceptions, meant to provide a false impression; others are more subtle identity manipulations, similar to the adjustments in self-presentation we make in many real world situations.
Until recently, header information was quite reliable. Most people accessed Usenet with software that inserted the account name automatically - one had to be quite knowledgeable to change the default data. Today, many programs simply let the writer fill in the name and address to be used, making posting under a false name and site much easier. The astute observer may detect suspicious anomalies in the routing data (the record of how the message passed through the net) that can expose a posting from a falsified location. Yet few people are likely to look that closely at a posting unless they have reason to be suspicious about its provenance.
It is useful to distinguish between pseudonymity and pure anonymity. In the virtual world, many degrees of identification are possible. Full anonymity is one extreme of a continuum that runs from the totally anonymous to the thoroughly named. A pseudonym, though it may be untraceable to a real-world person, may have a well-established reputation in the virtual domain; a pseudonymous message may thus come with a wealth of contextual information about the sender. A purely anonymous message, on the other hand, stands alone.
There are some useful tricks to narrow down the number of suspected targets in order to stalk a pseudonymous user. One of the best ones I know of is the time trick, but in order to understand it you must first know the elements of an email header.
Searching through headers and other tricks
(This part - I should have checked - comes directly from Symantec's page ~ begin)

Of course you should by all means read Gandalf's info, which is far superior to the Symantec information that follows, at http://ddi.digital.net/~gandalf/spamfaq.html

Here is a sample email header (the original page marked the parts with colours; here the lines are simply refolded). The final receiver's address is 'you@your.domain.com'.

Received: (2228 bytes) by <your.domain.com> via sendmail with P:stdio/D:user/T:local
    (sender: <29086328@compuserve.com>) id m0xUFxr-001cL6C@your.domain.dom
    for you@your.domain.com; Sat, 8 Nov 1997 10:50:35 -0800 (PST)
    (Smail-3.2.0.98 1997-Oct-16 #12 built 1997-Oct-28)
Received: from simon.pacific.net.sg (simon.pacific.net.sg [203.120.90.72])
    by your.domain.com (8.8.7/8.7.3) with ESMTP id KAA01565;
    Sat, 8 Nov 1997 10:43:34 -0800 (PST)
From: 29086328@compuserve.com
Received: from pop1.pacific.net.sg (pop1.pacific.net.sg [203.120.90.85])
    by simon.pacific.net.sg with ESMTP id CAA25373;
    Sun, 9 Nov 1997 02:44:51 +0800 (SGT)
Received: from po.pacific.net.sg (hd58-032.hil.compuserve.com [199.174.238.32])
    by pop1.pacific.net.sg with SMTP id CAA12179;
    Sun, 9 Nov 1997 02:43:10 +0800 (SGT)
Received: from mail.compuserve.com (mail.compuserve.com (205.5.81.86))
    by compuserve.com (8.8.5/8.6.5) with SMTP id GAA04211
    for <87789123456@aol.com>
It may look confusing, but there are some patterns that tell you everything you need to know. The header can be broken into several sections, each beginning with the word "Received". Every mail server that handles the message puts its own 'Received' line on top of the existing ones, so the chain reads from the newest (top) to the oldest (bottom).

The first 'Received' is from your own email server. This section lists the supposed sender, the message ID number, and when the message came in. The other 'Received: from' lines were written by the relays the message passed through on its way to you; a spammer bounces through third-party machines (and may add forged 'Received' lines of his own at the bottom) precisely to make it more difficult to track him/her down.

- Find the last 'Received: from' entry in the header. This usually shows the originating server.
- Find and write down the server domain and its IP address. This information appears in parentheses in each 'Received: from' entry: the name before the parentheses is what the sending machine claimed to be (its HELO), the name and address inside them are what the receiving relay actually saw.
- Caveat: you can only vouch for the lines written by your own server and by relays whose 'by' host matches the 'from' host of the line above them. Anything below the first break in that chain was already inside the message when it reached a relay you can trace, i.e. the sender could have typed it in himself. In the sample, pop1.pacific.net.sg logged a connection that announced itself as po.pacific.net.sg but really came from hd58-032.hil.compuserve.com [199.174.238.32] (a CompuServe dial-up), and the 'Received: from mail.compuserve.com ... by compuserve.com ... for <87789123456@aol.com>' line beneath it does not connect to that hop at all (and is 'for' a recipient who is not you): the dial-up is the real injection point, the bottom line is decoration.
Machine Name                  IP Address
mail.compuserve.com           205.5.81.86
hd58-032.hil.compuserve.com   199.174.238.32
pop1.pacific.net.sg           203.120.90.85
simon.pacific.net.sg          203.120.90.72

(This part - I should have checked - comes directly from Symantec's page ~ end)
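The steps above can be mechanised. What follows is an added example (not Symantec's text nor fravia's own code): a Python script that parses the Received: chain of the sample header, walks it from your own server downwards and applies the three checks a practitioner makes by hand: does the name each machine announced in HELO match the reverse lookup the relay logged, does each relay's 'by' host match the 'from' host of the line above it, and do the timestamps advance from bottom to top. The sample data is the page's own header; the function names, the finding labels and the 300-second skew tolerance are my choices.

```python
"""Walk the Received: chain of a mail header and flag the usual forgeries.
Added example for fravia's page (not Symantec's or the page's own code):
SAMPLE_HEADER is the page's sample header; checks and names are mine."""
import email
import re
from collections import namedtuple
from datetime import timezone
from email.utils import parsedate_to_datetime

FROM_RE = re.compile(r"^from\s+<?([^\s<>()]+)", re.I)   # name the peer announced (HELO)
RDNS_RE = re.compile(r"\(\s*([\w.\-]+)?\s*[\[(]([0-9a-fA-F.:]+)[\])]")  # (rdns [ip])
BY_RE = re.compile(r"<?([\w.\-]+)")                     # relay that wrote the line
# helo: name the sender claimed (None on local-delivery lines); rdns/ip: what the
# receiving relay logged about its peer; by: the relay itself; date: aware datetime
Hop = namedtuple("Hop", "helo rdns ip by date")

def parse_received(raw_header):
    """Hops in header order: hops[0] is the newest, written by your own server."""
    hops = []
    for value in email.message_from_string(raw_header).get_all("Received", []):
        value = " ".join(value.split())                  # unfold continuation lines
        parts = re.split(r"\s+by\s+", value, maxsplit=1)
        from_part, by_part = parts[0], (parts[1] if len(parts) > 1 else "")
        m = FROM_RE.match(from_part)
        helo = m.group(1).lower() if m else None
        m = RDNS_RE.search(from_part)
        rdns = m.group(1).lower() if m and m.group(1) else None
        ip = m.group(2) if m else None
        m = BY_RE.match(by_part)
        by = m.group(1).lower() if m else None
        date = None
        if ";" in value:                                 # the stamp follows the last ';'
            stamp = re.sub(r"\([^)]*\)", "", value.rsplit(";", 1)[1]).strip()
            try:
                date = parsedate_to_datetime(stamp)
                if date.tzinfo is None:                  # '-0000' stamps come back naive
                    date = date.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                date = None
        hops.append(Hop(helo, rdns, ip, by, date))
    return hops

def analyze(hops, skew_tolerance=300):
    """Findings as dicts with a 'kind' key; the tolerance absorbs honest clock skew."""
    findings = []
    for i, hop in enumerate(hops):
        if hop.helo and hop.rdns and hop.helo != hop.rdns:   # 1) HELO name vs. rDNS
            findings.append({"kind": "helo_mismatch", "claimed": hop.helo,
                             "seen": hop.rdns, "ip": hop.ip, "by": hop.by})
        if hop.helo and i + 1 < len(hops):                    # 2) by/from continuity
            below = hops[i + 1]
            if below.by not in (hop.helo, hop.rdns):
                findings.append({"kind": "chain_break", "upper_from": hop.helo,
                                 "lower_by": below.by})
    last = None                                               # 3) time must advance
    for hop in reversed(hops):                                # origin first
        if hop.date is None:
            continue
        if last is not None and hop.date < last:
            back = int((last - hop.date).total_seconds())
            kind = "time_backwards" if back > skew_tolerance else "clock_skew"
            findings.append({"kind": kind, "seconds": back, "by": hop.by})
        last = hop.date if last is None else max(last, hop.date)
    return findings

def injection_point(hops):
    """(rdns, ip) logged by the deepest hop still linked to your own server.
    Lines below a chain break were not written by any relay on the verified
    path, so the sender may well have typed them in himself."""
    trusted = None
    for i, hop in enumerate(hops):
        if hop.helo is None:
            continue
        trusted = hop
        if i + 1 < len(hops) and hops[i + 1].by not in (hop.helo, hop.rdns):
            break
    return (trusted.rdns, trusted.ip) if trusted else None

# The page's sample header, refolded for readability (page data, not constructed).
SAMPLE_HEADER = """\
Received: (2228 bytes) by <your.domain.com> via sendmail with P:stdio/D:user/T:local
    (sender: <29086328@compuserve.com>) id m0xUFxr-001cL6C@your.domain.dom
    for you@your.domain.com; Sat, 8 Nov 1997 10:50:35 -0800 (PST) (Smail-3.2.0.98 1997-Oct-16 #12 built 1997-Oct-28)
Received: from simon.pacific.net.sg (simon.pacific.net.sg [203.120.90.72])
    by your.domain.com (8.8.7/8.7.3) with ESMTP id KAA01565; Sat, 8 Nov 1997 10:43:34 -0800 (PST)
From: 29086328@compuserve.com
Received: from pop1.pacific.net.sg (pop1.pacific.net.sg [203.120.90.85])
    by simon.pacific.net.sg with ESMTP id CAA25373; Sun, 9 Nov 1997 02:44:51 +0800 (SGT)
Received: from po.pacific.net.sg (hd58-032.hil.compuserve.com [199.174.238.32])
    by pop1.pacific.net.sg with SMTP id CAA12179; Sun, 9 Nov 1997 02:43:10 +0800 (SGT)
Received: from mail.compuserve.com (mail.compuserve.com (205.5.81.86))
    by compuserve.com (8.8.5/8.6.5) with SMTP id GAA04211 for <87789123456@aol.com>
"""

if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADER)
    for finding in analyze(hops):
        print(finding)
    print("best origin candidate:", injection_point(hops))
```

Run it and you get one helo_mismatch (HELO po.pacific.net.sg, really hd58-032.hil.compuserve.com [199.174.238.32], logged by pop1.pacific.net.sg), one chain_break between that hop and the 'by compuserve.com' line beneath it, and a 77-second clock_skew on the Singapore relay, which the tolerance rightly treats as a badly set clock rather than a forgery. The origin candidate is therefore the CompuServe dial-up, not mail.compuserve.com: the bottom line is the spammer's own handiwork. Note that even the 'trusted' hop was logged by pop1.pacific.net.sg, a relay you do not control; its word is only as good as the continuity check that ties it back to your own server.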
More URLs to help you figure out how to look at the headers:
http://www.concentric.net/~Nvam
http://help.mindspring.com/features/emailheaders/index.htm
http://help.mindspring.com/features/emailheaders/extended.htm
As Balif pointed out in a famous posting on alt.2600: to examine all the cancel messages you can use Dejanews, which does not honour them but actually archives them. Do a power search on the group alt.2600 for "control cancel", sorted by date. There you can see all cancel messages coming from a given address.
Unfortunately Dejanews strips important headers. On your news server, cancel messages do not appear in the newsgroup and are invisible to you. However you can view them by looking in the group "control.cancel". Beware, this group will most likely be enormous: it contains every cancel message your news server has received for all groups. Mine had some 75,000 messages. Here you can examine the headers of the cancel messages. Yet it takes feeling and time to stalk information in this way.
Do Altavista and Dejanews searches on any "sharp edge" that sticks out. "Sharp edges" are, according to SPUTUM, "unique characteristics which can lead one to the real poster". Example: balooney@enemy.com may use as Organization: "balooney inc." on all his Usenet posts. Maybe he forgot to remove this info when posting later under another name. You search for "Organization: balooney inc." (as well as for posts containing his sig), and maybe find all his fatuous posts to alt.fetish.threelegs, and from thence you will find (if you're lucky) his narcissistic website chock full of juicy personal information (or at least of many more "sharp edges").

Other promising "sharp edges": the trailing user name in the Path: header (...!news.foo.com!imamoron), funky newsreaders (X-Newsreader: ZippityDooDah News Alpha 0.9), unique signature components. You may add signature patterns, and even particular emoticons like :--> :*) 8-[

Look hard. Be clever. Reverse your target. There is a whole section of mine about sharp edges: read my Language patterns and the stalking tablet section.

3) What if the target used "X-No-Archive: yes" in her headers and all previous steps fail? You may get lucky and find a follow-up to a previous post which was posted without the "no-archive" clause. Otherwise, the old fashioned 'heavy' way might work: go to the relevant Usenet newsgroup, sort the posters by author name, and look for your target 'by hand'. Yes, the task can be extremely tedious... which is why real stalking is for the patient hunter.
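As an added example that is not part of fravia's page, the "sharp edges" hunt above (Organization:, newsreader, trailing Path: user, signature lines, emoticons) together with the cypherpunks trick of recognising an author by his characteristic words can be run as a script over a pile of saved articles: extract the edges from the one post you know is your target's, then score every other article by the edges it shares, whatever its From: line says. The articles, the marker words, the edge kinds and their weights are my own constructions, not real posts or the page's data.

```python
"""Find other handles of a Usenet poster by the 'sharp edges' he leaves behind.
Added example for fravia's page; the edge kinds, weights and the sample
articles below are my own constructions, not the page's data."""
import email
import re

# Relative weight of each kind of edge (an assumption: a shared Organization:
# line or signature URL says far more about a poster than a shared smiley).
WEIGHTS = {"organization": 3, "newsreader": 2, "path": 3, "sig": 3,
           "emoticon": 1, "word": 1}
# Rough pattern for an emoticon standing on its own, e.g. :--> :*) 8-[ ;-)
EMOTICON_RE = re.compile(r"(?<!\S)[:;8][-*']*[)(\[\]>DPp|]")

def sharp_edges(article, marker_words=frozenset()):
    """Set of (kind, value) edges in one article; the From: line is ignored.
    marker_words: vocabulary the stalker has learned is typical of the target
    (the cypherpunks 'medusa'/'pseudospoofing' idea)."""
    msg = email.message_from_string(article)
    edges = set()
    if msg.get("Organization"):
        edges.add(("organization", msg["Organization"].strip().lower()))
    reader = msg.get("X-Newsreader") or msg.get("User-Agent")
    if reader:
        edges.add(("newsreader", reader.strip().lower()))
    if msg.get("Path"):   # the last Path: component is often the posting login
        edges.add(("path", msg["Path"].strip().split("!")[-1].lower()))
    body = "" if msg.is_multipart() else msg.get_payload()
    lines = body.splitlines()
    for i, line in enumerate(lines):   # everything after '-- ' is the signature
        if line.rstrip() == "--":
            for sig_line in lines[i + 1:]:
                if sig_line.strip():
                    edges.add(("sig", sig_line.strip().lower()))
            break
    for smiley in EMOTICON_RE.findall(body):
        edges.add(("emoticon", smiley))
    for word in set(re.findall(r"[a-z]+", body.lower())) & set(marker_words):
        edges.add(("word", word))
    return edges

def match_posts(target, corpus, marker_words=frozenset()):
    """Score each article in corpus by the edges it shares with the target post,
    skipping articles under the From: we already know; best match first."""
    wanted = sharp_edges(target, marker_words)
    known_from = email.message_from_string(target).get("From", "")
    results = []
    for article in corpus:
        sender = email.message_from_string(article).get("From", "")
        if sender == known_from:
            continue
        shared = sorted(wanted & sharp_edges(article, marker_words))
        score = sum(WEIGHTS.get(kind, 1) for kind, _ in shared)
        results.append({"from": sender, "score": score, "shared": shared})
    return sorted(results, key=lambda r: -r["score"])

# Constructed sample articles (not real posts).  TARGET is the known post of
# 'balooney'; CORPUS holds three articles posted under other From: lines.
MARKER_WORDS = frozenset({"phlogiston", "bamboozlement"})
TARGET = """\
Path: news.example.net!news.foo.com!imamoron
From: balooney@enemy.com (B. Alooney)
Organization: balooney inc.
X-Newsreader: ZippityDooDah News Alpha 0.9

You people are hopeless, it is pure phlogiston and bamboozlement :-->

--
B. Alooney, three legs are better than two
http://www.enemy.com/~balooney
"""
CORPUS = ["""\
Path: news.example.net!news.bar.org!anon
From: nobody@nowhere.invalid (A. Nonymous)
Organization: balooney inc.
X-Newsreader: ZippityDooDah News Alpha 0.9

Never heard of him, sounds like bamboozlement to me :-->

--
http://www.enemy.com/~balooney
""", """\
Path: news.example.net!news.quux.edu!prof
From: prof@quux.edu (A Professor)
Organization: Quux University
X-Newsreader: tin/1.3

No idea :-)
""", """\
Path: news.example.net!news.foo.com!imamoron
From: lorry.driver@freemail.invalid
Organization: none
X-Newsreader: Forte Agent 1.5

nothing to see here, phlogiston.
"""]

if __name__ == "__main__":
    for r in match_posts(TARGET, CORPUS, MARKER_WORDS):
        print(r["score"], r["from"], r["shared"])
```

For the constructed corpus the sock puppet nobody@nowhere.invalid scores 10 (same Organization:, same odd newsreader, same signature URL, same :--> and one marker word), the lorry driver scores 4 on the Path: login alone, and the professor scores 0. The weights are the thing to argue about: a shared Organization: line on two posts by 'different' people is damning, a shared :-) is noise, and the marker-word list is only as good as the reading you did of the target's rants before you wrote it down.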
Bokler Software Corp.
P.O. Box 261
Huntsville, AL 35804
Tel: (205) 539-9901
Fax: (205) 882-7401
e-mail: info@bokler.com

Subject: Re: How to store passwords encrypted in file?
From: jim@bokler.com (James A. Moore)
Date: 1996/06/26
Message-Id: <31d0c943.57429273@news.hiwaay.net>
References: <4qltu1$bd4@cd4680fs.rrze.uni-erlangen.de>
Organization: HiWAAY Information Services
Newsgroups: comp.lang.basic.visual.misc

See http://www.bokler.com for encryption tools: DEScipher/VBX & /OCX, and HASHcipher.
James Moore

Number of articles posted to individual newsgroups (slightly skewed by cross-postings):
11 comp.lang.basic.visual.misc
 6 comp.lang.basic.visual.3rdparty
 4 comp.security.misc
 3 comp.os.ms-windows.programmer.misc
 3 comp.unix.bsd.freebsd.misc
 2 alt.security
 2 comp.os.ms-windows.apps.utilities
 2 comp.os.ms-windows.apps.word-proc
 2 sci.crypt
 1 alt.lang.delphi
 1 comp.ai.fuzzy
 1 comp.databases.ms-access
 1 comp.infosystems.www.servers.unix
 1 comp.os.ms-windows.nt.software.backoffice
 1 comp.os.ms-windows.programmer.tools.misc
 1 comp.unix.questions

6 Hits for Query on DESchipher inside comp.lang.basic.visual.misc
    Date      Scr  Subject                   Newsgroup            Author
 1. 96/08/12  017  Re: Form1.Show(1) and En  comp.lang.basic.vis  jim@bokler.com (Jam
 2. 96/06/18  017  Re: Encryption for Visua  comp.lang.basic.vis  jim@bokler.com (Jam
 3. 95/10/21  017  Visual Basic Control (VB  comp.lang.basic.vis  info@bokler.com (Bo
 4. 96/04/27  016  Re: Password encrypting   comp.lang.basic.vis  jim@bokler.com (Jam
 5. 95/11/23  016  Re: Protection from pass  comp.lang.basic.vis  dbrockle@compusense
 6. 96/01/09  013  VBX for Data Encryption.  comp.lang.basic.vis  jim@bokler.com (Jam

Number of articles posted to individual newsgroups (slightly skewed by cross-postings):
123 comp.lang.basic.visual.misc
 35 comp.lang.basic.visual.3rdparty
 26 comp.lang.basic.visual.database
  1 comp.lang.basic.misc
  1 comp.lang.basic.visual
  1 comp.os.ms-windows.programmer.tools
  1 sci.electronics

D M Brocklehurst
Albuquerque, NM 87112
(505) 299-0562

So, he lives in New Mexico too...

James Moore
701 W San Mateo Rd, Santa Fe, NM 87505-3921
(505) 988-4370

MMM.. Sounds good: do we have here the real guy and his pal? Let's first check out something else: using whowhere and the previous address we'll find the following:

Bokler Software Corp
Santa Fe, New Mexico
United States of America

Jim Moore
Alabama, United States Of America
E-Mail Address: bockler_1@HIWAAY.NET

CompanyName: Bokler Software Corp
Address: 1570 Pacheco, Suite E-4
City: Santa Fe
State: New Mexico
Contact: bockler_1@HIWAAY.NET
Domains: BOKLER.COM
Well, yes, Dejanews, as you'll learn on this very page, is a very powerful stalking tool indeed, and the question "who hides behind Dejanews?" is therefore particularly legitimate. (Watch it, part of the info needs to be updated: Dejanews has changed in the last 12 months!)
You need a little background information about this: in the last couple of years alt.2600 (an old Usenet hacking group) has been heavily spammed by a guy known as 'Archangel', who used some of the best known techniques - flaming, trolling, crossposting, faked avatars and gang emailing - in order to gain some dubious personal fame. Of course, in the eyes of any reverser worth his weight, Archangel's claims (on a Usenet group!) of having worked for the CIA and his 'attention seeking' activities disqualified him immediately (no really competent person would ever 'seek attention' on Usenet), yet hundreds of lusers and newbies believed - and unfortunately still believe - the whole archangelology to be interesting stuff. (As Brian points out, it is relatively easy, on Usenet, to brag about things you do not know about.) If you follow the link above you'll be able to read the results of Balif's stalking activity. Balif, a promising hacker and an incredibly good stalker, has used Dejanews intensively in order to reconstruct the 'history' of the spammer Archangel. Mind you: the whole Archangel saga is pretty boring (a typical case of 'flogging a dead horse' on Usenet: taking topics that have been done to death and rehashing them), and DEFINITELY not worth investigating per se, yet Balif's page deserves your visit if you want to learn how to perform a thorough stalking job.
BTW, if you want to investigate an earlier stalking project, here you go with Brian's electel balif's plot, where, among other things, you can also see what a good stalker gets out of a picture!
http://www.blighty.com/products/spade/help/d_spam104.htm: Bill Mattock's stalking of a pyramid scheme.
SPUTUM: Spamkilling Personal Interface (Tactical, Enhanced) - The three basic spammer types and how to stalk them. (This is the fundamental tutorial on analyzing Usenet headers!)
http://www.netmeg.net/faq/internet/net-abuse/troll-faq/: Gandalf's 'Dealing with Trolls'
search_forms (heavy)
search_forms (light)
http://www.warezfaq.org/indexx.html: The warez faq, useful also for stalking purposes.
How to search
http://www.melsa.net/internet/tut11.htm: How to avoid flaming.
Internet Address finder
Stalker page
http://www.anywho.com/telq.html: Reverse Telephone Search page
Next time you receive some spam email DO NOT throw it away. Be cool, and try some of the tricks/techniques described above to stalk the spammer. If you have time you may even try the 'go for it' trick: most spammers, even the most capable forging dudes among them, are in fact trying to SELL you something, aren't they? There dwells the real weak point of these assholes. Somewhere, at a given moment, they have to give you either a real address or a real telephone number or whatever in order for you to send them your money.
Fishing spammers can therefore be real fun, especially if you have time, patience, flair and a little dose of social engineering capabilities.
Once you have them you can administer your favoured punishment, from denouncing them to the upstream ISPs supplying their service (not always useful) to slowbombing them (until they change real address) with fake client requests and bogus orders for whatever product they sell (very funny, and frustrating for them). This is also IMHO the best method to deal with pyramid schemes: just let a dozen postmaster@[127.0.0.1] or whatever enter the scheme, eh eh.
A word of advice: don't choose too dangerous gamebirds at the beginning: really nasty people can be quite dangerous on the net. It is one thing to stalk a peaceful experienced troller, it is a completely different thing to stalk a ring of high-level protected commercial paedophiles. Learn your stalking, luring and logical reversing ABCs first and don't go around shooting yourself in the foot.