Re: [Emerald] Help finding Spammer...

Jeff Woods ( jwoods@deltacomm.com )
Mon, 13 Dec 1999 10:19:16 -0500

Yes, this can be done. This isn't the forum, however.

Please Email me privately, a couple (only a couple, please) complete
examples, with full headers, and I'll let you know if it really did come
from you. I need to know what IPs you have allocated to you by your
upstream (or permanent blocks by ARIN), your domain name, etc.

To find out who was online at the time, you have to do an SQL query in
MSSQL directly -- Emerald won't search on that criteria. Find the IP
number in question, then go to SQL Query tool, and on the Emerald DB
perform this search:

Select AcctStatusType, CallDate, UserName, FramedAddress from Calls
Where FramedAddress = 'www.xx.yyy.zz' -- the IP in question
And CallDate >= '12/11/99'
Order By CallDate

It will then give you a report that looks like this (my calls from home in
December, with IP addresses altered):

AcctStatusType CallDate              UserName  FramedAddress
-------------- --------------------- --------- ----------------
1              Dec 4 1999 11:55AM    jeff      192.168.1.2
2              Dec 4 1999 12:24PM    jeff      192.168.1.2
1              Dec 6 1999 9:59AM     jeff      192.168.1.2
2              Dec 6 1999 9:59AM     jeff      192.168.1.2
1              Dec 6 1999 10:03AM    jeff      192.168.1.2
2              Dec 6 1999 10:13AM    jeff      192.168.1.2
1              Dec 9 1999 9:28PM     jeff      192.168.1.2
2              Dec 9 1999 9:34PM     jeff      192.168.1.2
1              Dec 11 1999 1:44PM    jeff      192.168.1.2
2              Dec 11 1999 1:45PM    jeff      192.168.1.2
1              Dec 12 1999 11:54AM   jeff      192.168.1.2
2              Dec 12 1999 12:05PM   jeff      192.168.1.2

(12 row(s) affected)

In the first column, 1 = log on time, 2 = log off time. Thus, you can
tell that I was online on IP 192.168.1.2 from 11:55 am to 12:24 pm on
December 4th, etc.

Now, since I have a static IP, they were all *me* in my query, but you'll
get a plethora of different users, and can match up the times spam was sent
to the user who happened to be on that IP at the time, and
WHAMMO. Cancelled account(s).

At 07:19 AM 12/13/99 -0600, you wrote:
>Hello,
>
>Is there a way to pull information like which customer was logged on at
>what time and using what IP?
>
>The reason I ask is we evidently had someone spamming from our site over
>the weekend using bogus info on the headers... our IPs were associated with
>MindSprings servers... now, I'm not real good at deciphering headers but
>looks like I may have to learn.
>
>Anyway, I've got PLENTY of headers that were sent back to us over the
>weekend so I can determine the time and have the IPs associated from the
>headers...
>
>If there's no way to do this how would I go about setting up so we can tell
>when a customer was logged on and on what IP...
>
>Thanks for your help.
>David
>
>For more information about this list (including removal) go to:
>http://www.iea-software.com/support/maillists/liststart
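
The matching step described in the message (pairing log-on and log-off rows, then finding who held the IP when a spam message was sent), as an added example that is not part of the original post or of Emerald. The user names, the sample rows and the assumption that the SQL server clock runs on US Eastern time (UTC-5) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

DB_TZ = timezone(timedelta(hours=-5))  # assumption: CallDate is stored in EST
SLACK = timedelta(minutes=1)           # CallDate only has minute resolution

# Constructed rows in the shape of the Calls query output above
# (AcctStatusType, CallDate, UserName, FramedAddress).
ROWS = [
    (1, "Dec 11 1999 1:44PM", "alice", "192.168.1.2"),
    (2, "Dec 11 1999 1:45PM", "alice", "192.168.1.2"),
    (1, "Dec 11 1999 2:10PM", "bob", "192.168.1.2"),
    (2, "Dec 11 1999 3:02PM", "bob", "192.168.1.2"),
    (1, "Dec 11 1999 3:05PM", "carol", "192.168.1.2"),  # log-off row never written
    (1, "Dec 11 1999 6:30PM", "dave", "192.168.1.2"),
]

def parse_calldate(text):
    return datetime.strptime(text, "%b %d %Y %I:%M%p").replace(tzinfo=DB_TZ)

def build_sessions(rows):
    """Pair log-on (1) and log-off (2) rows per IP into (ip, user, start, end, closed)."""
    sessions, open_by_ip = [], {}
    for status, when, user, ip in sorted(rows, key=lambda r: parse_calldate(r[1])):
        ts = parse_calldate(when)
        prev = open_by_ip.pop(ip, None)
        if status == 1:
            if prev:  # log-off missing: the next log-on on this IP bounds the session
                sessions.append((ip, prev[0], prev[1], ts, False))
            open_by_ip[ip] = (user, ts)
        elif prev:    # closed only if the log-off belongs to the user who logged on
            sessions.append((ip, prev[0], prev[1], ts, prev[0] == user))
    for ip, (user, start) in open_by_ip.items():  # still online at end of data
        sessions.append((ip, user, start, None, False))
    return sessions

def who_had_ip(sessions, ip, header_date):
    """Return [(user, confirmed)] for sessions on ip covering an RFC 2822 date."""
    when = parsedate_to_datetime(header_date)  # timezone-aware, offsets compare correctly
    return [(user, closed) for s_ip, user, start, end, closed in sessions
            if s_ip == ip and start - SLACK <= when
            and (end is None or when <= end + SLACK)]

if __name__ == "__main__":
    # Header stamped 13:31 -0600 is 14:31 EST, inside bob's session.
    print(who_had_ip(build_sessions(ROWS), "192.168.1.2",
                     "Sat, 11 Dec 1999 13:31:07 -0600"))
```

A result flagged unconfirmed (second field False) means the log-off row was missing, so the session end is only an upper bound and should be checked against other records before acting on it.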
