
Thread: Re: anonymous email address

  1. #1
    Capps Guest

    Re: anonymous email address

    My two cents....

    Although one could alter the email address, and the reply address,
    this provides only some degree of "anonymous". Yes, this will slow
    down the email harvesting, but there are degrees of opaqueness. This
    would be a mostly opaque mechanism. The rub is that it's still
    leaking some info out that might be more dangerous than your
    email address.

    Example:

    If you look at the headers (click on file properties, details, message
    source) and expand this, you will see something like:
    -----------
    NNTP-Posting-Date: Mon, 11 Aug 2003 19:47:59 -0500
    X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    NNTP-Posting-Host: 216.182.12.3
    --------------

    While the email address is hidden, the IP address of the machine
    is not. One can then use this knowledge and do a nslookup, and
    a whois, to find the ISP that has this address, physical location and
    so on. Should a legal issue come up, it might be possible for law
    enforcement to get the IP to user name mapping. (DHCP, and
    PPP type connections make this a bit trickier, but not impossible,
    as the time will identify the user's account in the log files.) For the
    example above, this IP address is provided by:

    Tellurian Networks, Inc.
    172 Spring Street
    Newton, NJ 07860
    US

    Domain Name: PLANET.NET

    Administrative Contact-
    The Tellurian Hostmaster: hostmaster@tellurian.net
    Tellurian Networks, Inc.
    172 Spring Street
    Newton, NJ 07860
    US
    Phone- 973-300-9211
    Fax- 973-579-3643
    Technical Contact-
    The Tellurian Hostmaster: hostmaster@tellurian.net
    Tellurian Networks, Inc.
    172 Spring Street
    Newton, NJ 07860
    US
    Phone- 973-300-9211
    Fax- 973-579-3643

    This ISP is in the New Jersey area. And should things need
    work, you have their contact information.
    Also, since the IP address is known, one could then begin
    probing TCP port 25, to see if you have a mail server. If that
    works, then one can begin sending mail to root@IP_addr, and
    again, become annoying. Various other port scans on the IP addr
    might also be revealing, and provide further information about the
    "anonymous" user. (see nmap, finger, and so on)
    Should this poor user not be the sharpest tool in the shed, he/she might
    have TCP ports 135, 137, 139, and 445 open. Ok that would be bad, so perhaps
    one can just map their shares. After that, your email address is the least
    of your worries.

    Also, in the above example, the news posting software identified itself.
    Vendor, software package name, and version number. This is also information.
    Knowing the specifics about your software can expose one to crackers that
    know which versions have what holes.

    Another level of anonymous would be to have custom posting
    software that morphs some of these fields.
    Another level, would be to post to a news server that posts on your
    behalf and provides its IP address and info, instead of yours.

    What level of "anonymous" you choose is up to you.

    I have chosen to post with real email addresses, because that
    is the way it was intended to be. Yes, I have to invest my time
    in anti-spam mechanisms, anti-virus, and firewall technologies,
    but I just don't want to give up and hide in the darkness, cowering
    from the abusers that are trying to make the net unfriendly, and
    eventually, un-usable.

    Enjoy,
    Don Capps

    P.S. If you're going to use a fake email address, you might
    want to either use a real email address, of someone else,
    or try something like:
    Email: Introspective@127.0.0.1
    Email Reply address: Introspective@127.0.0.1
    This should help the spammer get in touch with him/her self :-)


    "mto" <nobody@dontsendmeanyspam.com> wrote in message
    news:tRudnfd4DIrdpKWiXTWJhQ@seg.net...
    >
    > "darren sanborn" <sandmansdream4u@insightbb.com> wrote in message
    > news:j9bgjv4nu4m4fib022cnabmctvhvngvu3h@4ax.com...
    > > OK I am a newbie, so clue me in. How do you get one of those e-mail
    > > address all you guys use?
    >
    > Open up your news account properties box. Type in anything you please
    > under email address. Try to be nice and make sure you aren't sending your
    > mail somewhere real. Save it or click apply.
    >
    >
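
An added example, not part of the original post: a self-audit of the headers your own news or mail client emits, flagging the three kinds of disclosure the post describes (origin IP, client name and version, local UTC offset). The header-name sets and the munged From line in the sample are assumptions chosen for illustration; the other four sample lines are the ones quoted in the post.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Header names grouped by what they disclose (a starting set, not exhaustive).
ORIGIN = {"nntp-posting-host", "x-originating-ip", "injection-info"}
CLIENT = {"x-newsreader", "x-mimeole", "x-mailer", "user-agent"}
TIMES = {"nntp-posting-date", "date"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VERSION = re.compile(r"\d+(?:\.\d+)+")
UTC_OFFSET = re.compile(r"[+-]\d{4}\b")

# Header lines quoted in the post, plus a constructed munged From line.
SAMPLE = """\
From: "nobody" <nobody@127.0.0.1>
NNTP-Posting-Date: Mon, 11 Aug 2003 19:47:59 -0500
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
NNTP-Posting-Host: 216.182.12.3

(body)
"""


def audit_headers(raw):
    """Return (header, kind, detail) for every identifying header found."""
    findings = []
    for name, value in HeaderParser().parsestr(raw).items():
        key = name.lower()
        if key in ORIGIN:
            for candidate in IPV4.findall(value):
                try:
                    ip = ipaddress.ip_address(candidate)
                except ValueError:  # e.g. 999.1.1.1 matched by the regex
                    continue
                scope = "public" if ip.is_global else "non-routable"
                findings.append((name, "origin-ip", f"{ip} ({scope})"))
        elif key in CLIENT:
            match = VERSION.search(value)
            detail = match.group(0) if match else value
            findings.append((name, "client-version", detail))
        elif key in TIMES:
            match = UTC_OFFSET.search(value)
            if match:  # the offset narrows down the poster's time zone
                findings.append((name, "utc-offset", match.group(0)))
    return findings


if __name__ == "__main__":
    # The munged From line produces no finding; the other headers still do.
    for name, kind, detail in audit_headers(SAMPLE):
        print(f"{kind:15} {name}: {detail}")
```
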




  2. #2
    Jbob Guest

    Re: anonymous email address

    "Capps" <capps@iozone.org> wrote in message
    news:nHb_a.604$v9.73@nwrddc01.gnilink.net...
    > My two cents....
    >
    > Although one could alter the email address, and the reply address,
    > this provides only some degree of "anonymous". Yes, this will slow
    > down the email harvesting, but there are degrees of opaqueness. This
    > would be a mostly opaque mechanism. The rub is that it's still
    > leaking some info out that might be more dangerous than your
    > email address.
    >
    > Example:
    >
    > If you look at the headers (click on file properties, details, message
    > source)
    > and expand this, you will see something like:
    > -----------
    > NNTP-Posting-Date: Mon, 11 Aug 2003 19:47:59 -0500
    > X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    > NNTP-Posting-Host: 216.182.12.3
    > --------------
    >

    <Snipped>

    All the more reason to be behind NAT at least!



  3. #3
    Al Bundy Guest

    Re: anonymous email address

    "Capps" <capps@iozone.org> wrote in
    news:nHb_a.604$v9.73@nwrddc01.gnilink.net:

    > My two cents....
    >
    > Although one could alter the email address, and the reply address,
    > this provides only some degree of "anonymous". Yes, this will slow
    > down the email harvesting, but there are degrees of opaqueness. This
    > would be a mostly opaque mechanism. The rub is that it's still
    > leaking some info out that might be more dangerous than your
    > email address.
    >
    > Example:
    >
    > If you look at the headers (click on file properties, details,
    > message
    > source)
    > and expand this, you will see something like:
    > -----------
    > NNTP-Posting-Date: Mon, 11 Aug 2003 19:47:59 -0500
    > X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    > NNTP-Posting-Host: 216.182.12.3
    > --------------
    >
    > While the email address is hidden, the IP address of the machine
    > is not. One can then use this knowledge and do a nslookup, and
    > a whois, to find the ISP that has this address, physical location and
    > so on. Should a legal issue come up, it might be possible for law
    > enforcement to get the IP to user name mapping. (DHCP, and
    > PPP type connections make this a bit trickier, but not impossible,
    > as the time will identify the user's account in the log files.) For
    > the example above, this IP address is provided by:
    >
    > Tellurian Networks, Inc.
    > 172 Spring Street
    > Newton, NJ 07860
    > US
    >
    > Domain Name: PLANET.NET
    >
    > Administrative Contact-
    > The Tellurian Hostmaster: hostmaster@tellurian.net
    > Tellurian Networks, Inc.
    > 172 Spring Street
    > Newton, NJ 07860
    > US
    > Phone- 973-300-9211
    > Fax- 973-579-3643
    > Technical Contact-
    > The Tellurian Hostmaster: hostmaster@tellurian.net
    > Tellurian Networks, Inc.
    > 172 Spring Street
    > Newton, NJ 07860
    > US
    > Phone- 973-300-9211
    > Fax- 973-579-3643
    >
    > This ISP is in the New Jersey area. And should things need
    > work, you have their contact information.
    > Also, since the IP address is known, one could then begin
    > probing TCP port 25, to see if you have a mail server. If that
    > works, then one can begin sending mail to root@IP_addr, and
    > again, become annoying. Various other port scans on the IP addr
    > might also be revealing, and provide further information about the
    > "anonymous" user. (see nmap, finger, and so on)
    > Should this poor user not be the sharpest tool in the shed, he/she
    > might have
    > TCP ports 135,137,139, and 445 open. Ok that would be bad, so perhaps
    > one can just map their shares. After that, your email address is the
    > least of your
    > worries.
    >
    > Also, in the above example, the news posting software identified
    > itself. Vendor, software package name, and version number. This is
    > also information. Knowing the specifics about your software can expose
    > one to crackers that know which versions have what holes.
    >
    > Another level of anonymous would be to have custom posting
    > software that morphs some of these fields.
    > Another level, would be to post to a news server that posts on your
    > behalf and provides its IP address and info, instead of yours.
    >
    > What level of "anonymous" you choose is up to you.
    >
    > I have chosen to post with real email addresses, because that
    > is the way it was intended to be. Yes, I have to invest my time
    > in anti-spam mechanisms, anti-virus, and firewall technologies,
    > but I just don't want to give up and hide in the darkness, cowering
    > from the abusers that are trying to make the net unfriendly, and
    > eventually, un-usable.
    >
    > Enjoy,
    > Don Capps
    >
    > P.S. If you're going to use a fake email address, you might
    > want to either use a real email address, of someone else,
    > or try something like:
    > Email: Introspective@127.0.0.1
    > Email Reply address: Introspective@127.0.0.1
    > This should help the spammer get in touch with him/her self :-)
    >
    >
    > "mto" <nobody@dontsendmeanyspam.com> wrote in message
    > news:tRudnfd4DIrdpKWiXTWJhQ@seg.net...
    >>
    >> "darren sanborn" <sandmansdream4u@insightbb.com> wrote in message
    >> news:j9bgjv4nu4m4fib022cnabmctvhvngvu3h@4ax.com...
    >> > OK I am a newbie, so clue me in. How do you get one of those e-mail
    >> > address all you guys use?
    >>
    >> Open up your news account properties box. Type in anything you
    >> please under email address. Try to be nice and make sure you aren't
    >> sending your mail somewhere real. Save it or click apply.
    >


    I know this is an old piece of mail but I've recently discovered this
    group and have been going through the thousands of posts over time to get
    my feet wet about spyware.

    Anyway....

    > P.S. If you're going to use a fake email address, you might
    > want to either use a real email address, of someone else,
    > or try something like:
    > Email: Introspective@127.0.0.1
    > Email Reply address: Introspective@127.0.0.1
    > This should help the spammer get in touch with him/her self :-)


    Q is if an address miner picks up on xxx@127.0.0.1 and tries to send
    email, is it the spammer that gets the bounce or the spammers server? Not
    that it matters, just curious.

  4. #4
    Mangled&Munged Guest

    Re: anonymous email address

    Answers below:

    "Al Bundy" <Al.Bundy@127.0.0.1> wrote in message
    news:Xns9422C67BDD8D2AlBundy@news.verizon.net...
    > Q is if an address miner picks up on xxx@127.0.0.1 and tries to send
    > email, is it the spammer that gets the bounce or the spammers server? Not
    > that it matters, just curious.


    There are two possibilities:

    (Spammer has a mail server)
    The IP address 127.0.0.1 is the address of the local host's loopback
    device. Thus it is a valid IP address, and if it happens to have a
    mail server listening on port 25, then indeed, the spammer is the
    one that gets his/her own spam. This has the added advantage that
    the spammer consumes no real network bandwidth (ISP, or Internet),
    just burns his/her own CPU bandwidth. It will not only tie up CPU
    sending the email to itself, but it will likely reply with an error.
    "Undeliverable, unknown user". The reply will be sent back to 127.0.0.1
    and the loop begins again, as the spammer will likely not use a reply
    address that is routable :-) Ouch, in this case the mail server is now
    going to try over and over to deliver the screwy email, for around
    3 days and then give up. If enough people use this method the
    spool area on the spammer's email server will overflow, and the
    CPU resources will become depleted. Oh well, they were not being
    used for anything useful anyway :-)

    (Spammer does not have a mail server)
    If the system does not have a mail server running, then the email
    will be sent to the ISP. At this point the destination of 127.0.0.1 will
    be again a valid IP address and will be the loopback device on the
    ISP's server. Again, the only bandwidth consumed is limited to the
    spammer's host, and the ISP's server. Again, the spam does not
    traverse the Internet. But wait, if one were just a bit more clever then
    one would use an email address of postmaster@127.0.0.1. By
    using this address, the mail that makes it to the ISP's server will be
    sent to the mail server running on the same ISP host. But this time
    the recipient exists. He/She is very likely the administrator of the
    mail server. And, when he/she starts getting hammered by this
    spammer, he/she will get very motivated to terminate their account.
    Another possibility would be abuse@127.0.0.1 but most harvesters
    are smart enough to detect this and avoid sending mail to anyone
    named "abuse" :-)

    For even more interesting possible interactions, think about

    Yall@224.0.0.1

    This is a multi-cast, that is directed at all systems on a subnet, but
    not going to be forwarded through a router. Hmmm... If the
    spammer has a mail server, or a bunch of them, this could be
    an interesting email address :-)

    Or perhaps hello@224.0.1.125

    This is the address for Poly-Com relays. So.. perhaps one might
    even affect the phone systems at the spammer's site :-)

    Or perhaps remote@224.0.12.1
    This is the address for multi-cast MSNBC. So... with any luck
    you might be able to affect the spammer's ability to watch MSNBC
    on their systems in the building. :-)

    Oh darn, I can't seem to find an interesting address that might
    cause the elevator, or the garage door to malfunction...Too bad :-)

    Yours truly,
    Mangled&Munged
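
An added example, not part of the original post: a submission-time check a mail administrator could apply so that recipients at loopback, multicast or other special-use IP addresses are refused instead of sitting in the spool and retrying for days. The function names and the accept/reject policy are assumptions; it handles both the bare `user@127.0.0.1` form used in this thread and the bracketed `user@[127.0.0.1]` address-literal form.

```python
import ipaddress


def classify_recipient(addr):
    """Return (verdict, reason) for one recipient address."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return ("reject", "not an address")
    # Strip the brackets of an address literal such as user@[127.0.0.1].
    if domain.startswith("[") and domain.endswith("]"):
        domain = domain[1:-1]
    try:
        ip = ipaddress.ip_address(domain)
    except ValueError:
        return ("accept", "domain name: resolve through DNS as usual")
    if ip.is_loopback:
        return ("reject", "loopback: delivery would target this host itself")
    if ip.is_multicast:
        return ("reject", "multicast: no single host to open a TCP connection to")
    if ip.is_unspecified or ip.is_link_local or ip.is_private or ip.is_reserved:
        return ("reject", "special-use: not routable on the Internet")
    return ("accept", "global unicast address literal")


def screen(recipients):
    """Split recipients into those to queue and those to refuse up front."""
    queue, refused = [], {}
    for rcpt in recipients:
        verdict, reason = classify_recipient(rcpt)
        if verdict == "accept":
            queue.append(rcpt)
        else:
            refused[rcpt] = reason
    return queue, refused


if __name__ == "__main__":
    # Addresses taken from the thread, plus one constructed ordinary address.
    sample = [
        "Introspective@127.0.0.1",
        "postmaster@[127.0.0.1]",
        "Yall@224.0.0.1",
        "hello@224.0.1.125",
        "reader@example.org",
    ]
    queue, refused = screen(sample)
    print("queue:", queue)
    for rcpt, reason in refused.items():
        print("refuse:", rcpt, "->", reason)
```
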




  5. #5
    Al Bundy Guest

    Re: anonymous email address

    "Mangled&Munged" <postmaster@127.0.0.1> wrote in
    news:XxTnb.4713$Q9.2410@nwrddc02.gnilink.net:

    > Answers below:
    >
    > "Al Bundy" <Al.Bundy@127.0.0.1> wrote in message
    > news:Xns9422C67BDD8D2AlBundy@news.verizon.net...
    >> Q is if an address miner picks up on xxx@127.0.0.1 and tries to send
    >> email, is it the spammer that gets the bounce or the spammers server?
    >> Not that it matters, just curious.

    >
    > There are two possibilities:
    >
    > (Spammer has a mail server)
    > The IP address 127.0.0.1 is the address of the local host's loopback
    > device. Thus it is a valid IP address, and if it happens to have a
    > mail server listening on port 25, then indeed, the spammer is the
    > one that gets his/her own spam. This has the added advantage that
    > the spammer consumes no real network bandwidth (ISP, or Internet),
    > just burns his/her own CPU bandwidth. It will not only tie up CPU
    > sending the email to itself, but it will likely reply with an error.
    > "Undeliverable, unknown user". The reply will be sent back to
    > 127.0.0.1 and the loop begins again, as the spammer will likely not
    > use a reply address that is routable :-) Ouch, in this case the mail
    > server is now going to try over and over to deliver the screwy email,
    > for around 3 days and then give up. If enough people use this method
    > the spool area on the spammer's email server will overflow, and the
    > CPU resources will become depleted. Oh well, they were not being
    > used for anything useful anyway :-)
    >
    > (Spammer does not have a mail server)
    > If the system does not have a mail server running, then the email
    > will be sent to the ISP. At this point the destination of 127.0.0.1
    > will be again a valid IP address and will be the loopback device on
    > the ISP's server. Again, the only bandwidth consumed is limited to
    > the spammer's host, and the ISP's server. Again, the spam does not
    > traverse the Internet. But wait, if one were just a bit more clever
    > then one would use an email address of postmaster@127.0.0.1. By
    > using this address, the mail that makes it to the ISP's server will be
    > sent to the mail server running on the same ISP host. But this time
    > the recipient exists. He/She is very likely the administrator of the
    > mail server. And, when he/she starts getting hammered by this
    > spammer, he/she will get very motivated to terminate their account.
    > Another possibility would be abuse@127.0.0.1 but most harvesters
    > are smart enough to detect this and avoid sending mail to anyone
    > named "abuse" :-)
    >
    > For even more interesting possible interactions, think about
    >
    > Yall@224.0.0.1
    >
    > This is a multi-cast, that is directed at all systems on a subnet, but
    > not going to be forwarded through a router. Hmmm... If the
    > spammer has a mail server, or a bunch of them, this could be
    > an interesting email address :-)
    >
    > Or perhaps hello@224.0.1.125
    >
    > This is the address for Poly-Com relays. So.. perhaps one might
    > even affect the phone systems at the spammer's site :-)
    >
    > Or perhaps remote@224.0.12.1
    > This is the address for multi-cast MSNBC. So... with any luck
    > you might be able to affect the spammer's ability to watch MSNBC
    > on their systems in the building. :-)
    >
    > Oh darn, I can't seem to find an interesting address that might
    > cause the elevator, or the garage door to malfunction...Too bad :-)
    >
    > Yours truly,
    > Mangled&Munged
    >
    >
    >
    >



    Love it! Even if it is only theory. Archived it anyway :-) Thanks.
