Who sent the spam?
“What is the IP address of the spammer?” You probably eager to know. Well. It is not easy. It is almost impossible to get the IP address of the sender. If you are very technical and want to know more about the details, please read this article first.
Install a firewall
A better way than shutting down the Messenger service is to install a firewall. By install a firewall, you gain the follow benifit.
- You eliminate NET SEND SPAM and other kind of attack and virus.
- You log the IP address of all attackers so you can take actions to fight back.
There are handful of great personal firewall software available. If you are using Windows XP, you already have a firewall installed. It is called Windows Internet Connection Firewall (a.k.a. ICF). You only need to follow these steps to enabled it.
To enable or disable Internet Connection Firewall
- Open Network Connections (Click Start, click Control Panel, and then doubleclick Network Connections.)
- Click the Dialup, LAN or HighSpeed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection.
- On the Advanced tab, under Internet Connection Firewall, select one of the following:
- To enable Internet Connection Firewall (ICF), select
the Protect my computer and network by limiting or preventing access to
this computer from the Internet check box.
- To disable Internet Connection Firewall, clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box. This disables the firewall, your computer and network are then vulnerable to intrusions.
Enable Firewall logging
This is a good article on how to enable firewall logging. After you enable the logging, you keep the record of all attack to your server.
Analysis the report
On of the easy way is to utilize myNetWatchMan. Follow the steps to register and download an agent. The agent will check the log file on your computer and send the attack information to the server. After aggregating all the report from many agents (about 5000+ currently), it will send abuse compliane to the network owner, thus prevent futher spam.
You can also check for yourselves. Here is an sample from my personal firewall log:
2002-11-08 21:38:25 DROP UDP 188.8.131.52 184.108.40.206 1026 137 78 - - - - - - -
If you find a lot DROP lines from a source while it indicates port is UDP 137, it seems like a spam.
Use this command in Command line (replace the IP address with the IP you saw in your log file
NBTSTAT -a 220.127.116.11
You will get return like this:
Node IpAddress: [18.104.22.168] Scope Id: 
NetBIOS Remote Machine Name Table
Name Type Status
SPAM-01 <00> UNIQUE Registered
SPAM <00> GROUP Registered
SPAM-01 <20> UNIQUE Registered
SPAM <1E> GROUP Registered
MAC Address = 00-10-A4-BB-E2-C3
Note the last line: it is the MAC address of the spammer. MAC address is the serial number of a Network Interface card. It is burnt into the chip and cannot be changed. Unfortunately, there is no reliable way to narrow down to certain geographic location from IP address. But by know the MAC address, it is very solid evidence that the package is sent out from the computer of the MAC address owner.
We need more
The topic of NET SEND SPAM never stops. I will fine tune this article and replace some general concept to some resources and steps. I believe we need to unite to fight back to NET SEND SPAM.