Enemy Investigation || Fravia+

Fravia's Anonymity Academy

Enemy tracking

1) General stalking techniques

(Fravia shows you what you can do - or try - and where you can learn some advanced stalking techniques)


~
Enemy tracking, a very difficult art, can be divided into stalking, reversing language patterns and luring. In order to stalk you need a deep knowledge of Usenet spamming (and war) techniques like flaming, trolling and crossposting. A good Fravia can moreover easily 'reconstruct' (part of) the snailtrail of his enemies and defeat their smoke curtains applying some easy semantical reverse engineering tricks. Finally the Fravia will lure his targets into the open web and identify it.
0) Some simple stalking tools
1) General stalking techniques
1.1) Simple email stalking techniques
2) Reversing language patterns
3) Luring and social engineering tricks



Based on some private emailings from +ORC
"...they track us, our interests and our hosts, we track them, their interests and their hosts, it's an interesting match and we'll  always win, coz we do not do it for money... Work well, +ORC"

[Searching through headers and other tricks]
[An older simple stalking attempt]
[Stalking the stalkers' tool] [Balif's stalking masterpiece]
[Other links and tools] [Fravia's antispamming related page]
[how to keep in exercise]

__Stalking, an introduction__

(Part of the following: courtesy of Judith S. Donath)

Identity plays a key role on the web. In communication, which is the primary scope of any web-related activity, knowing the identity of those with whom you communicate is essential for understanding and evaluating an interaction. Yet in the disembodied world of the virtual community, identity is extremely ambiguous. Many of the basic cues about personality and social role we are accustomed to in the physical world are absent. Other cues are presents yet difficult to interpret. If you receive email from a guy whose address Eric.Staunton@innocent.com with an attached image of a middle aged man sitting comfortably on the patio of his house, you may be fooled into thinking that you have to do with a guy named Eric Staunton. It could be, yet you'll never have any real proof of it. One can have, on the web, as many electronic personas as one has time and energy to create (and memory to recall :-)

Yet, while it is true that a single person can create multiple electronic identities that are linked only by their common progenitor, that link, almost invisible in the virtual world, is of great significance. That is the weak point of any virtual created identity. It's easy to say that your avatars should have 'coherent' personalities , i.e. if you create a 'lorry driver' personality and a 'university professor' personality, the two should have COMPLETELY different speech patterns), yet this is very difficult to implement. Stalkers should be very versatile experts, ready to read and recognize voluntarily altered speech patterns.

Usenet, for obvious reason is the field you should peruse to learn the first elements of the stalking art. See: most of Usenet is meant to be non-fiction; the basic premise is that the users are who they claim to be. There are, however variances between the different newsgroups as to what constitutes a real or "legitimate" identity. And there are numerous cases of identity deception, from the pseudo-naive trolls to the name-switching spammers.

Yes, there's a vocabulary you should learn:

a) Flaming: I.e. rude comments, insults, personal attacks, etc. b) Trolling: I.e. fishing for flames. Usually takes the form of inane postings like smarmy love chatter, useless pieces of boring information, McClatchie's FAQ, etc. c) Cascades: Endless meaningless threads the posters repeat the same phrase over and over, sometimes with a little variation.  They are amusing to the ones participating in them, boring to everyone else.

Boring as most of these little silly wars are, there are GREAT lessons in stalking hidden in there (as you'll see if you follow the links below). That's why you too will have to deal with this. Actually, as usual in the Web, many of our techniques cross and merge reciprocally: anonymity techniques, how to search knowledge, reality reversing tricks, usenet techniques, anti-spamming knowledge are ALL required to tackle some of the tasks that you'll have to perform if you really intend to master what you are trying to learn now. Let's, moreover not forget how useful will be our holy software reversing skills each time we'll decide to use some of the

many tools that the Web offers to track down our targets (tools that are unfortunately at times crippled or simply too short-lived :-)
I would say that if you are an experienced 'global' Fravia you'll have more survival chances that many others, but only your own complementary work, and your own experience, will keep you as a hunter and your target as a game and not the other way round... since, for instance some of the professional spammers may turn quite nasty AGAINST you if you're not careful -and powerful- enough.
In order to gather more material, just search for 'avoiding flaming' and 'trolls flames' on Altavista or follow some of the links below... as you'll see there are all sort of documents and faqs on these subjects. 'Trolling for newbies' comes from 'trolling': a style of fishing in which one trails bait through a likely spot hoping for a byte. Real well-constructed trolls have a double audience: the idiots (newbies and flamers) that byte the bait and the 'trolls-savy' that enjoy the troll. I'll try to teach you also how to identify and track down experienced trollers, among the most interesting game out there (together with professional spammers on rogue ISP) for any 'professional' stalker... but let's go on with the basic knowledges...

So, as we were saying, the basic premise is actually, often enough, that the users are NOT who they claim to be... the danger is that the limited identity cues may make people accept at face value a writer's claims of credibility: it may take a long time - and a history of dubious postings - until people start to wonder about the actual knowledge on a self-proclaimed expert. This said it is also true that - for web related matters - 'official' experts are often FAR inferior to clever autodidacts, so you never know.

Erving Goffman, in his classic work "The Presentation of Self in Everyday Life" distinguished between the 'expressions given' and the 'expressions given off'. The former are the deliberately stated messages indicating how the one wishes to be perceived; the latter are the much more subtle - and sometimes unintentional - messages communicated via action and nuance. Both forms of expression are subject to deliberate manipulation, but the 'expression given off'' may be much harder to control. One can write 'I am female', but sustaining a voice and reactions that are convincingly a woman's may prove to be quite difficult for a man.

Writing style can identify the author of an posting. A known and notorious net personality hoping to appear online under a fresh name may have an easier time disguising his or her header ID than the identity revealed in the text. The introduction to the cypherpunks newsgroup includes this warning:

The cypherpunks list has its very own net.loon, a fellow named L. Detweiler.  The history is too long for here, but he thinks that cypherpunks are evil  incarnate. If you see a densely worded rant featuring characteristic words  such as ``medusa'', ``pseudospoofing'', ``treachery'', ``poison'', or ``black lies'',  it's probably him, no matter what the From: line says.  - Cypherpunks mailing list
In this case, where the usual assessment signal - the name in the header - is believed to be false, language is used as a more reliable signal of individual identity. See also an example of a spammer using multiple identities on the very nice "Kook of the Month!" site.

One newsgroup that contains many business-card signatures is comp.security.unix. The discussion here is about how to make unix systems secure - and about known system flaws. Many of the participants are system administrators of major institutions, others are just learning how to set up a system in a fledgling company and some, of course, are hoping to learn how to break into systems :-). A posting suggesting that administrators improve their sites by changing this or that line of code in the system software could be a furtive attempt get novice administrators to introduce security holes. Identity deception is a big concern of the participants in this group, and this makes it VERY interesting for any advanced studiosus of these matters, to try soon or later his luring abilities in this group. (When you'll do it, if you want to be taken seriously (and you'll probably don't go very far even so :-) first create 'really' your own company, say 'Software Alternative Limited', then name yourself 'Director of Software Development', create your domain and sign with something like "Director@SALSoft.com".

Many varieties of identity deception can be found within the Usenet newsgroup. Some are quite harmful to individuals or to the community; others are innocuous, benefitting the performer without injuring the group. Some are clearly deceptions, meant to provide a false impression; others are more subtle identity manipulations, similar to the adjustments in self-presentation we make in many real world situations.

ntil recently, header information was quite reliable. Most people accessed Usenet with software that inserted the account name automatically - one had to be quite knowledgeable to change the default data. Today, many programs simply let the writer fill in the name and address to be used, making posting with a false name and site is much easier. The astute observer may detect suspicious anomalies in the routing data (the record of how the letter passed through the net) that can expose a posting from a falsified location. Yet few people are likely to look that closely at a posting unless they have reason to be suspicious about its provenance.

It is useful to distinguish between pseudonymity and pure anonymity. In the virtual world, many degrees of identification are possible. Full anonymity is one extreme of a continuum that runs from the totally anonymous to the thoroughly named. A pseudonym, though it may be untraceable to a real-world person, may have a well-established reputation in the virtual domain; a pseudonymous message may thus come with a wealth of contextual information about the sender. A purely anonymous message, on the other hand, stands alone.

There are some useful tricks to narrow down the number of suspected targets in order to stalk a pseudonym user. One of the best ones I know of is the time trick, but in order to understand it you mist first know the elementary elements of an email header.


Searching through headers and other tricks

(This part -I should have checked- comes directly from Symantec's page ~ begin)

Here is a sample email header (colors added). The final receiver's address is 'you@your.domain.com'.

Received: (2228 bytes) by <your.domain.com> via sendmail with P:stdio/D:user/T:local (sender: <29086328@compuserve.com>) id m0xUFxr-001cL6C@your.domain.dom for you@your.domain.com; Sat, 8 Nov 1997 10:50:35 -0800 (PST) (Smail-3.2.0.98 1997-Oct-16 #12 built 1997-Oct-28) Received: from simon.pacific.net.sg (simon.pacific.net.sg [203.120.90.72]) by your.domain.com (8.8.7/8.7.3) with ESMTP id KAA01565; Sat, 8 Nov 1997 10:43:34 -0800 (PST) From: 29086328@compuserve.com Received: from pop1.pacific.net.sg (pop1.pacific.net.sg [203.120.90.85]) by simon.pacific.net.sg with ESMTP id CAA25373; Sun, 9 Nov 1997 02:44:51 +0800 (SGT) Received: from po.pacific.net.sg (hd58-032.hil.compuserve.com [199.174.238.32]) by pop1.pacific.net.sg with SMTP id CAA12179; Sun, 9 Nov 1997 02:43:10 +0800 (SGT) Received: from mail.compuserve.com (mail.compuserve.com (205.5.81.86)) by compuserve.com (8.8.5/8.6.5) with SMTP id GAA04211 for <87789123456@aol.com>

It may look confusing, but there are some patterns that tell you everything you need to know. The header can be broken into several sections, each beginning with the word "Received".

The first 'Received' is from your email server. This section lists the supposed sender, the message ID number, and when the message came in. The other 'Received: from' tags are from remailers that the spammer used to make it more difficult to track him/her down.

  1. Find the last 'Received: from' entry in the header. This usually shows the originating server.
  2. Find and write down the server domain and its IP address. This information appears in parenthesis in each 'Received: from' entry.

Machine Name

IP Address

mail.compuserve.com 205.5.81.86
hd58-032.hil.compuserve.com 199.174.238.32
popl.pacific.net.sg 203.120.90.85
simon.pacific.net.sg 203.120.90.72

(This part -I should have checked- comes directly from Symantec's page ~ end)

Of course you should by all means read Gandalf's info, which is far superior to the Symantec information above, at http://ddi.digital.net/~gandalf/spamfaq.html

More URLs to help you figure out how to look at the headers:

http://www.concentric.net/~Nvam

http://help.mindspring.com/features/emailheaders/index.htm

http://help.mindspring.com/features/emailheaders/extended.htm


Time pattern matters (Fravia's trick)
Now, all the above can be easily faked, what could be really important is that you may be able (unfortunately NOT always :-) to discern the TIMES of the day "patterns" when these operations have been performed that you can read above. See: if your target updates his web page, or mails letters to usenet, he will mostly tend to do it on a REGULAR basis. Even if he uses automated dynamic providers like Compuserve or AOL (which is always a good idea), and even if he writes to the usenet groups through an anonymous remailer, or DejaNew itself or whatever, he will tend to do it at FIXED TIMES. It is sometime incredibly easy to find out in which part of the world a target lives just studying his timing patterns!.
Most of the people work on Internet in the evening hours, say between 21 and 24:00 local time.
A common used 'luring' techniques consists in publishing or emailing to your target some 'luring baits' (in order to get the target to react) indicating a (faked and bogus) page of yours on some free server, where you have -supposedly- put something that the target badly needs or is interested into. Examining the loggings for that page you'll be able to see WHEN the target has accessed it. Many targets will access it anonymously just in case, yet few targets are careful enough to do that at an "abnormal" hour of the day.
Deleted postings (Balif's trick)
It may at times be useful to check which cancel messages have been sent to the newsgroups.

As Balif pointed out in a famous posting on alt.2600: to examine all the cancel messages, you can use Dejanews, which does not honor them but actually archives them. Do a power search on group alt.2600, for "control cancel", sorted by date. You can see there all cancel messages coming from a given address.

Unfortunately Dejanews strips important headers. On your news server, cancel messages do not appear in the newsgroup, and are unseen to you. However you can view them by looking in the group "control.cancel". Beware, this group will most likely be enormous. It contains every cancel message your news server has received for all groups. Mine had 75,000 some messages. Here you can examine the headers of the cancel message. Yet it takes feeling and time to stalk information in this way.


Sharp edges (SPUTUM's trick)
Say you have as your target your balooney@enemy.com; do Altavista and Dejanews searches for balooney@enemy.com looking for eventual postings where you may find his real name. Especially check all various alt.test.whatever groups, as these may contain at least one instance of 'rough' preparatory postings, when the target fine-tuned her newsreader's configuration.

Do Altavista and Dejanews searches on any "sharp edge" that sticks out.
"Sharp edges" are, according to SPUTUM "unique characteristics which can lead one to the real poster". Example: balooney@enemy.com may use as Organization: "balooney inc." on all his Usenet posts. Maybe he forgot to remove this info when posting later. You search for "Organization: balooney inc." (as well as for posts containing his sig), and maybe find all his fatuous posts to alt.fetish.threelegs, and from thence you will find (if you'r lucky) his narcissistic website chock full of juicy personal information (or at least of many more "sharp edges").

Other promising "sharp edges": trailing user name in path (...!news.foo.com!imamoron), funky newsreaders (ZippityDooDah News Alpha 0.9), unique signature components.
You may add signature patterns, and even particular emoticons like      :-->      :*)      8-[
Look hard. Be clever. Reverse your target.

There is a whole section of mine, about sharp edges:
read my Language patterns and the stalking tablet section.

3) What if the target used "X-No-Archive: yes" in her headers and all previous steps fail? You may get lucky, and find

a follow-up to a previous post which was posted without the "no-archive" clause. Otherwise, the old fashioned 'heavy' way might work: go to the relevant Usenet newsgroup, sort the posters by author name, and look for your target "by hand". Yes the task can be extremely tedious...which is why real stalking is for the patient hunter.

__Enemy identification__

An interesting example: the "Bokler guy" identification
This is an old 'historical' example, yet it will quickly show you the power of Dejanew stalking: was one of the links on my old links.htm page: an "enemy" wich I described as "worth investigating". In reality this guy is not an "enemy" of anybody (he only produces in visual basic pretty simple encryption software) and his "cracker page" is not so bad at all, he use it as "scarecrow" for the potential buyer of his software. Hope he will not grudge me if I use him as an ideal subject for this lesson... anyway he makes money scaring people with our work, I'll scare him for free showing him what I know about him :-)
Here is the original link to his page if you want to visit it:
An
enemy worth investigatingIf we hit the page above we'll see as only reference a post office box:
Bokler Software Corp. P.O. Box 261 Huntsville, AL 35804 Tel: (205) 539-9901  Fax: (205) 882-7401  e-mail: info@bokler.com
Now, let's say we want to know who is the guy behind all this...
1) Fire DejaNews
2) Search for something on his page
(he makes software, he surely did not resist the temptation to publicize it in some usenet, ideal DejaNews target... let's search for "haschipher")
And here is the answer:
Subject:      Re: How to store passwords encrypted in file? From:         jim@bokler.com (James A. Moore) Date:         1996/06/26 Message-Id:   <31d0c943.57429273@news.hiwaay.net> References:   <4qltu1$bd4@cd4680fs.rrze.uni-erlangen.de> Organization: HiWAAY Information Services Newsgroups:   comp.lang.basic.visual.misc  See http://www.bokler.com for encryption tools: DEScipher/VBX & /OCX, and HASHcipher.  James Moore
Now we have some more interesting data:
jim@bokler.com (James A. Moore)
SO, "real" name and a "real" email... what can we get more?
Well, let's have a look at his *RECENT* interests...
Number of articles posted to individual newsgroups (slightly skewed by cross-postings):  11 comp.lang.basic.visual.misc  6 comp.lang.basic.visual.3rdparty  4 comp.security.misc  3 comp.os.ms-windows.programmer.misc  3 comp.unix.bsd.freebsd.misc  2 alt.security  2 comp.os.ms-windows.apps.utilities  2 comp.os.ms-windows.apps.word-proc  2 sci.crypt  1 alt.lang.delphi  1 comp.ai.fuzzy  1 comp.databases.ms-access  1 comp.infosystems.www.servers.unix  1 comp.os.ms-windows.nt.software.backoffice  1 comp.os.ms-windows.programmer.tools.misc  1 comp.unix.questions
Uugh! A Visual Basic buff... can we gather something more searching for James Moore? Let's try and let's poke around a little using a search inside the most used newsgroup:
6 Hits for Query on DESchipher inside comp.lang.basic.visual.misc  Date   Scr        Subject              Newsgroup           Author  1. 96/08/12 017 Re: Form1.Show(1) and En comp.lang.basic.vis jim@bokler.com (Jam 2. 96/06/18 017 Re: Encryption for Visua comp.lang.basic.vis jim@bokler.com (Jam 3. 95/10/21 017 Visual Basic Control (VB comp.lang.basic.vis info@bokler.com (Bo 4. 96/04/27 016 Re: Password encrypting  comp.lang.basic.vis jim@bokler.com (Jam 5. 95/11/23 016 Re: Protection from pass comp.lang.basic.vis dbrockle@compusense 6. 96/01/09 013 VBX for Data Encryption. comp.lang.basic.vis jim@bokler.com (Jam

Well, let's have a look at this suspicious (from november 1995) Darren Brocklehurst (email address dbrockle@compusense.com -> Darren Brocklehurst), this is the only old letter about DESchipher, is a bad concealed publicity of Bokler software as you can yourself read Re: Protection from password cracks? i.e. alt.cracks (Ah! What they would not do for some more money, the commercial programmers!) and there is something interesting in this name (Brockle-->Bokler): and see his profile!

Number of articles posted to individual newsgroups (slightly skewed by cross-postings):  123 comp.lang.basic.visual.misc  35 comp.lang.basic.visual.3rdparty  26 comp.lang.basic.visual.database  1 comp.lang.basic.misc  1 comp.lang.basic.visual  1 comp.os.ms-windows.programmer.tools  1 sci.electronics

His profile is almost identical with our "James A. Moore"! Where does our Brocklehurst live? (Yahoo search)
D M Brocklehurst Albuquerque,NM 87112 (505)299-0562
So, he lives in New Mexico too...
And do we have a James. A. Moore in New mexico somewhere?
James Moore 701 W San Mateo Rd, Santa Fe, NM 87505-3921 (505)988-4370
MMM.. Sounds good: Do we have here the real guy and his pal? Let's first check out something else: using whowhere and the previous address we'll find the following:
Bokler Software Corp Santa Fe, New Mexico United States of America

good! So the Bokler company is actually registered in New Mexico, who answers the Alabama telephon? (Four11 search)
Jim Moore  Alabama, United States Of America  E-Mail Address: bockler_1@HIWAAY.NET

So is simply his HIWAAY provider, rerouting email. Telephon may also be rerouted in the same way.
Anyway if we use Infospace we get the address and the real provider of the web space the other way round:
CompanyName:  Bokler Software Corp  Address:      1570 Pacheco, Suite E-4  City:         Santa Fe  State:        New Mexico  Contact:      bockler_1@HIWAAY.NET  Domains:      BOKLER.COM
There it is: the company is registered in Santa Fe, the provider is in Alabama. Obviously such a small thing does not have a real server, and is hosted by somebody, in this case everything on the Bokler page comes through the "hiwaay" business spider, so we can now definitely narrow in on and confirm New Mexico.
Now we started with almost nothing and we found two names, two addresses, two private telephon numbers. Brocklehurst should be the real identity only if the "James Moore" name is just an Avatar (which I do not really believe given the "Visualbasicality" of these guys). "Darren Brocklehurst" is more probably a co-worker at Bokler or a good friend of James Moore and this is the guy we searched for... all in all a pretty good "counter intelligence" work!

__Enemy investigation__

An interesting example about Dejanews itself is here

Well, yes, Dejanew, as you'll learn on this very page is a very powerful stalking tool indeed, and the question "who hydes behind dejanew?" is therefore particularly legitime. (Watch it, part of the info needs to be updated: Dejanews has changed in the last 12 months!)


__Enemy investigation__


An EXTREMELY interesting example is redBalif's debunking.

You need a little background information about this: in the last couple of years alt.2600 (an old Usenet hacking group) has been heavily spammed by a guy known as 'Archangel', that used some of the most know techniques: flaming, trolling, crossposting, faked avatars and gang emailing, in order to gain some dubious personal fame. Of course, in the eyes of any Fravia worth is weight, Archangel's claims (on an Usenet group!) of having worked for the CIA and his 'attention seeking' activities did disqualify him immediately (no really competent person would ever 'seek attention' on Usenet), yet hundred of lusers and newbyes believed - and unfortunately still believe - the whole archangelology to be interesting stuff. (As Brian points out, it is relatively easy, on Usenet, to brag about things you do not know about). If you follow the link above you'll be able to read the results of Balif's stalking activity. Balif, a promising hacker, and an incredibly good stalker, has used intensively dejanews in order to reconstruct the 'history' of the spammer Archangel. Mind you: the whole Archangel saga is pretty boring (a typical case of 'flogging a dead horse' on usenet: taking topics that have been done to death and rehashing them), and DEFINITELY not worth investigating per se yet Balif's page deserves your visit if you want to learn how to perform a thorough stalking work.

BTW, if you want to investigate an earlier stalking project, here you go with Brian's redelectel balif's plot, where, among other things, you can also see what a good stalker gets out of a redpicture!


__Enemy investigation__


Some other examples: if you are interested in stalking you'll always get quite interesting info from the 'antispammers' fronts:

redhttp://www.blighty.com/products/spade/help/d_spam104.htm: Bill Mattock's stalking of a spammer.

redhttp://www.blighty.com/products/spade/help/d_spam104.htm: Bill Mattock's stalking of a pyramid scheme.

redSPUTUM: Spamkilling Personal Interface (Tactical, Enhanced) The three basic spammer types and how to stalk them. (This is the fundamental tutorial on analyzing usenet headers!)


__Let's find out who__

Interesting various links

redhttp://www.netmeg.net/faq/internet/net-abuse/troll-faq/ Gandalf's 'Dealing with Trolls'
redsearch_forms (heavy)
redsearch_forms (light)
redhttp://www.warezfaq.org/indexx.html The warez faq, useful also for stalking purposes.
redHow to search
redhttp://www.melsa.net/internet/tut11.htm How to avoid flaming.
Internet red Address finder
red Stalker page
red http://www.anywho.com/telq.html: Reverse Telephone Search page


red DejaNews, the ultimate stalking tool
red http://www.supernews.com/index10.html, another stalking tool
red http://www.reference.com, yet another one
red http://www.talkway.com/usenet/, yet another one

red Whowhere people finder
red All1one people finder

__How to keep in exercise__


For a Fravia, stalking can as much great fun as reversing software protections.

Next time you receive some spamming email DO NOT throw it away. Be cool, and try some of the tricks/techniques described above to stalk the spammer. If you have time you may even try the 'go for it' trick: most spammers, even among the most capable forging dudes, are infact trying to SELL you something, aren't they? There dwells the real weak point of these assholes. Somewhere, at a given moment they have to give you either a real address or a real telephone number or whatever in order for you to send them your money.

Fishing spammers can be real fun therefore, especially if you have time, patience, flair and a little dose of social engineering capabilities.

Once you have them you can administer your favoured punishment, from denouncing them to their upstream ISPs supplying service (not always useful) to slowbomb them (until they change real address) with faked clients requests and bogus orders for whatever product they sell (very funny and frustrating for them). This is also IMHO the best method to deal with pyramid schemes: just let a dozen postmaster@[127.0.0.1] or whatever enter the scheme eh eh.

A word of advice: don't choose too dangerous gamebirds at the beginning: real nasty people can be quite dangerous on the net. It is one thing to stalk a peaceful experienced troller, it is a completely different thing to stalk a ring of high-level protected commercial paedophiles. Learn your stalking, luring and logical reversing ABCs first and don't go around shooting yourself in your feet.



This section of my site, under perennial construction, was started on 15 november 1996
redFravia's antispam related page
redhomepage redlinks red+ORC redbots wars redstudents' essays redcounter measures
redbots wars redantismut CGI tricks redacademy database redtools redjavascript tricks
redcocktails redsearch_forms redmail_Fravia
redIs software reverse engineering illegal?

red(c) Fravia, 1995, 1996, 1997, 1998, 1999. All rights reserved

Comments