How To Trace
The first step is to locate the active URL in the source code of the e-mail.
Depending on your mail client it will resemble one of the samples on the URL
page.
The way to find the active URL in the source code is to look for a long URL containing what appear to be boxes ( ), control characters (^T), an equal sign followed by a number (=2), an ampersand and number sign followed by a number (), three-digit numbers separated by backslashes (\020\), or a series of percent signs followed by numbers (%20).
Immediately following this series will be a domain name, possibly followed by a ":80" or another port number. Just after the port number or the domain name will be a forward slash (/). The next two sets of entries will be the address for the page on angelfire. Currently ETC is using
com-rules.com, londonville.org and lllllllll.com; these may be different in your spam.
Using the example below:
http://www.hi4.twidd.mx^T^B^T^E^T.com|net.fr^B^E^T^B^T^E^T^T.
londonville.org:80/hi4/twiddlez
Remove everything after the www. through the :80 and substitute angelfire.com
to get https://www.angelfire.com/hi4/twiddlez.
This is the throw-away start page. Send a message to abuse@angelfire.com regarding this page and include the headers and source of the spam, and angelfire will nuke the page. Once the angelfire page is down, the chain is broken and the link in the spam is useless.
For anyone on a non-Windows-based machine, and for those who do not wish to click on the link, this is
probably as far as you will be able to go on your own in regards to tracking the
sites. You can still alert the DNS providers to help end the use of the
"screwy" domain names. Tracing the injection point of the spam in the headers will not be covered in this FAQ.
If you need help with headers, see http://www.stopspam.org/email/headers/headers.html
Non-Windows users can try to use the link created with the angelfire substitution to see if it will work. It has in some cases.
For those willing to click the link, you can do a bit more. Even though the daughter window hides the location from you, you can still find out where
the site is located by simply closing the browser window after the JavaScript
has run its course and re-opening it. Once it has re-opened, look in the history folder. By clicking on the links listed, one of them will take you back to the final site in a regular browser window with an address bar. You can now copy this URL from the address bar and paste it into Notepad or another text program for use.
If you use a packet logger or a personal firewall that records all connections,
you may also get this information from those logs.
The URL that you have copied may need to be decoded. The most recent spams have not needed this step, but it may become necessary
again in the future. To do this you will need a URL decoder; some available include
Netdemon from netdemon.net and SamSpade personal from samspade.org.
After decoding the URL, if necessary, you can proceed.
The new online decoder at www.netdemon.net/decode.html
will now resolve most forms of the URLs to give the location of the starting
site, either on Angelfire or on Empire Towers' own block.
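As an added example (not part of the original FAQ), the "remove through the :80 and substitute angelfire.com" rule and the decoding step above, done in Python. The sample URLs are constructed after the FAQ's example, the throw-away domain list is the one the FAQ names, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed samples modelled on the FAQ's example (not real spam): the final
# domain is hidden behind decoy host names, control characters (^T = \x14,
# ^B = \x02, ^E = \x05) or percent-encoding, and the path is the Angelfire page.
SAMPLE_CONTROL = ("http://www.hi4.twidd.mx\x14\x02\x14\x05\x14.com|net.fr"
                  "\x02\x05\x14\x02\x14\x05\x14\x14.londonville.org:80/hi4/twiddlez")
SAMPLE_PERCENT = "http://www.decoy.net%2E%2Elondonville.org:80/hi4%2Ftwiddlez"

# Throw-away domains named in the FAQ; update this from your own spam.
KNOWN_THROWAWAY = {"com-rules.com", "londonville.org", "lllllllll.com"}

# Matches the real host (with optional :port) and the path at the end of the URL.
HOST_PATH = re.compile(r"([A-Za-z0-9-]+\.[A-Za-z]{2,})(?::\d+)?(/[^\s\"'<>]*)$")


def clean_url(raw):
    """Strip control characters and percent-decode: the manual 'decode' step."""
    stripped = re.sub(r"[\x00-\x1f\x7f]", "", raw)
    return unquote(stripped)


def trace_spam_url(raw):
    """Return (throwaway_host, angelfire_url, known) for an obfuscated spam URL.

    The FAQ's rule: drop everything after 'www.' through the ':80', keep the
    path (the two entries after the slash) and put it under angelfire.com.
    Returns None when no host/path pair can be found.
    """
    cleaned = clean_url(raw)
    match = HOST_PATH.search(cleaned)
    if not match:
        return None
    host, path = match.group(1).lower(), match.group(2)
    angelfire = "https://www.angelfire.com" + path
    return host, angelfire, host in KNOWN_THROWAWAY


if __name__ == "__main__":
    for sample in (SAMPLE_CONTROL, SAMPLE_PERCENT):
        print(trace_spam_url(sample))
```

The host returned is the throw-away domain to report to its DNS provider; the angelfire URL is the page to report to abuse@angelfire.com.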
Then, using standard tools (IP block look-up, DNS, traceroute etc.) determine who is hosting and who is upstream of the site.
These tools can be found in Netdemon or SamSpade personal, or can be found and
used on websites, including samspade.org and combat.uxn.com. Some operating
systems include some of these tools. Check the hosting provider against the list
in the History section and the Clients/Partners
section, to help ensure that you are not contacting ET itself. You can also
check the list of LART targets listed here.
In the case of PopLaunch spams it is necessary to determine who provides name servers for the domains involved. It is the name servers that allow the use of the strange URLs. These parties should also be contacted.