The Story of "Nadine" 270
Guinnessy writes: "We've all accidentally typed in a wrong email address sooner or later. But can it all go horribly wrong? On http://www.spamresource.com there is the story of Nadine, an account of what happened after an Internet user accidentally gave a wrong email address when she visited a web page and signed up for a sweepstakes. Live in fear...."
Old News (Score:3, Informative)
/. server part 1 (Score:2, Informative)
Both sites choked - Google to the rescue (Score:5, Informative)
Read it off the Google cache [google.com]
(Note to people accusing me of karma-whoring: The search formatting above is non-obvious)
Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]
Re:/. server part 2 (Score:1, Informative)
/. server part 3 (Score:1, Informative)
The spam from enlist.com for AT&T finally caused me to do some research. Visiting the enlist.com web site, I found what seemed like an appropriate person to contact, and sent this official-looking message, complete with ticket number and RBL references. Naturally I had some hope that a [possibly fruitful] discussion might ensue.
Once again my hopes were shown to be unrealistic.
Answer: We Believe In You, Even If You Don't.
Some readers might not be astonished by what followed, but I was. In the surreal reply that arrived the next day, the "ePrivacy Coordinator" at
247Media revealed personal information about a subscriber to a complete stranger. The details included full name, complete address with 9-digit ZIP code, and date of birth.
Fortunately, 247Media are "members of both TRUSTe and the Direct Marketing Association" and "strictly adhere to the privacy guidelines they provide". One can only speculate about what horrifying breaches of confidence might have occurred had this not been the case. Also a note of encouragement was the "exclude from future mailings from our partners" promise. As we shall see, alas, that was as empty as the promise of privacy.
Always ready to grab for the last word in any debate, no matter how one-sided, with some asperity I offered a rejoinder.
/. server part 4 (Score:1, Informative)
There was a bit of a lull in the non-Harris onslaught until September 2000, when Home Shopping Network decided to join the party. Note that they obtained Nadine's information just over one month after Nadine had been assured that it would take three to five days to make certain that she would not receive any further mailing from 247Media's "partners". HSN apparently was prepared for this, as the end of their message suggests that opting out of their blasts is not as easy as one would hope. Until their last blast on 14 December 2001 they averaged one message every seven to ten days. Update: on 21-Mar-2002 HSN reappeared. Perhaps we will soon have some idea how effective the bounce processing is at 4at1.com.
Our breathless wait for new material was prolonged until October, when enlist found another sterling client, viz. thirdvoice. Nothing has been heard from them before or since.
In November, it was Hewlett Packard who elected to become the next object of derision. They likewise appear to have chosen other advertising channels.
The parade of one-time enlist.com clients continued with half.com, enews.com and finally SimplyHealth.com. After that, enlist.com sank beneath the waves. The last mention of enlist, matchlogic or delivere came in April, 2001, in a couple of bleats from peopliknow.com, who share a ZIP code with them.
Then things took a darker turn.
/. server part 5 (Score:1, Informative)
/. server part 5 (Score:1, Informative)
How the list[s] containing Nadine's supposed email address propagated from here on is a matter of conjecture. None of the items received from this point on mention any of the original culprits. It may be that financial challenges accompanying the general bursting of the net.fantasyland bubble caused fire sales of various magnitudes.
Ombramarketing.com
First amongst the new gathering shadows was Ombra Marketing Corp., who began to bombard Nadine with a variety of offers on 18 April, 2001. They sent an average of four blasts per month. They are currently in the local deny lists, and are discussed in a number of other areas of the World Wide Web, for example here.
itsImazing: Is It a Threat or Merely a Menace?
Cometh now the "itsImazing.com Network" by and through its first spewer, (apparently) ted2.net. Especially touching are the parts that thank Nadine for "registering at www.mindsetinteractive.com", proclaiming that these valuable messages will only infest the mailboxes of those "...who have specifically requested or agreed to receive our special offers...". Who can imagine the spewage that might occur should the senders be minded to send their stuff to just any old address? (NOTE: on 13 December 2001 I personally began receiving itsImazing spew from etoll.net, directed to an address used only for registering Palm Pilot software. Time to update the deny list.)
Rumors on various anti-spam forums were that the "ted2" operation encountered some difficulties in maintaining its network connectivity. This is plausible, because subsequent detritus has issued from m-ul.com and TargitMail (see below). We did get one subsequent delivery attempt from ted2.net on 21 December 2001.
m-ul.com are currently in the local block list, but these stout-hearted troupers were not dismayed by this minor contretemps -- until 16-Jan-2002 they continued to exhibit earnest hope that eventually I would let them back in to molest Nadine.
Hah.
Meanwhile, the itsImazing menagerie continues to expand, with coopt.com making its long-expected arrival on 23 December 2001. itsImazing appears also to have attempted to sneak in on 27 December 2001 through the facilities of virtumundo.com. On 17 Jan 2002, PO-1.COM began their spew on behalf of itsImazing.
On 20-Feb-2002 Nadine heard from gossipflash.com. Oh joy. Yet another threat of more "exciting promotional offers".
Without a helpful local deny list, Nadine would be receiving several itsImazing announcements per day. Imazingly prolific and persistent folks.
The Grouplotto Flood
On the same day as the first itsImazing blast came not one but two vital messages from "Grouplotto", sent from networkpromotion.com. This was just the nose of the camel, as more than thirty messages containing the string "grouplotto" arrived between that date and 12 December 2001. (This does not take into account the ones that would have arrived had the senders not been blocked.)
Grouplotto are apparently more resourceful than some of the other contenders, since they appear to share their databases amongst an agglomeration of senders with diverse offerings (although itsImazing definitely gives them some crushing competition here).
Senders and product types identified so far include:
networkpromotion.com -- Gambling (what else?) and a special product (see below).
etracks.com -- Consumer products (phones, Motorola Talkabout radios, VISA cards, satellite TV systems, digital camera [oops, that's a premium for switching long distance service], a sports wagering system, foreclosed merchandise, DVDs from Columbia House, and a "Start A Profitable Home Business and Become Rich Using the Internet" opportunity that would have been hard to pass up. And one additional product, also sent from networkpromotion, which deserves its own separate section below.
ProcessRequest.com -- only one from them got through before they were chucked into the deny list: an offer for the American Express(R) Platinum Cash Rebate Card. They made two more tries on 12 December 2001, then nothing more arrived until 10 February 2002, when the envelope sender was "reedscienc@ProcessRequest.com".
All of the senders above are in the local deny list, so there may be other valuable commodities on offer that Nadine will never hear about, at least not from the Grouplotto Borg. etracks.com made multiple tries nearly every day until 13-Feb-2002. networkpromotion.com tried a little less frequently and apparently gave up after 26-Jan-2002.
Miss Cleo's Psychic Insight Blows a Fuse
The GroupLotto product singled out for special treatment was a series of breathlessly vital disclosures from Miss Cleo.
She Who Knows All was so convinced of Nadine's existence that she took the trouble to send a personal note. A short time later, apparently unfazed by the lack of response, Miss Cleo sent another enticing missive.
Perhaps the puzzling lack of response (should we assume that psychics can be puzzled?) led Miss Cleo to send a poorly formatted rerun of Message Two, this time through networkpromotion.com rather than etracks.com.
Who can fathom the mysterious ways of the Gifted? Gumshoes in Florida, perhaps?
TargitMail (GTMI, Walt Rines)
Here we have a true relic of the rip-roaring early days of unsolicited broadcast email. I will make no comments, other than to suggest that the reader who wants to know more may submit the strings "Walt Rines", "IEMMC" and "picklejar" to www.google.com and especially to Google's Usenet Newsgroup search engine, looking in the news.admin.net-abuse.* groups.
TargitMail began sending itsImazing stuff from various tm0[digit].net addresses on 28 November 2001, beginning with tm03.net. They subsequently have sent from tm01.net, tm02.com and tm04.com as well. All of these domains are in the deny list. They made their last successful delivery on 09 Jan 2002 with a nice itsImazing offer of great deals from Fingerhut, sent from the heretofore-not-blocked tm02.com. They were last seen in the server logs on 09 Feb 2002.
customoffers.com
As uninvited spewers go, customoffers.com is pretty unremarkable. They first showed up on 9 November 2001 and managed to blap in 17 messages before I finally blocked them. Like most of the others, however, being rejected with a "553 Depart Ye Cursed Spammers" message initially did not impress their infrastructure.
They appeared to have given up after 22 Dec 2001, but then something arrived from the Scott Hirsch operation claiming to be an advertisement for stuff from Sears.
em5000.com, em5000.net
On 28 November 2001 em5000.com began sending touts for ImazingOffers, winfreestuff, ItsAllAboutGreatOffers, Chase Manhattan Bank, gambling and college scholarships. Five messages in three days caused them immediate admission to the elite ranks of the blocked.
There is reason to believe that this was not the only list they have ended up in, as they changed IP blocks and reappeared as em5000.net, managing to slip two more in on 12 December before I noticed and updated their listing. Like so many others, they tried frequently for quite a spell.
02-Feb-2002: They are now using a new envelope sender, jdrmedia1.net
11-Feb-2002: This time they have decided to abandon even the pretense of using a valid envelope sender, and claim to be something "@bounce.37.121.144". This would appear to be a seriously dim move, given the number of systems that now refuse mail from an invalid envelope sender. But then, the whole operation seems to be characterised by a significant lack of wattage.
intervolved.net
This player sent the usual "thanks for signing up with us" note in late November, 2001. I am personally fascinated by the "if you don't opt out, you have agreed to our terms" bit. I'm also somewhat intrigued by their "This message is not intended for anybody living in a state that has an anti-spam law" clause. What do you suppose that means?
They went into the bozo bin after the third blast on 04 Dec 2001 and were last heard from on 06 Feb 2002.
ixs1.net, ixs2.net
Before joining the Chorus of the Banned, this domain pair sent Nadine four "winfreestuff.com" adverts, beginning with this one, in which the senders claim that Nadine visited their web site and entered a sweepstakes.
I suppose it is indeed possible that the real "Nadine" was still giving out the same wrong email address 613 days after committing the first error. Personally, I have confidence that she would by this time have noticed that nobody ever responded (at least not in a way that she could observe).
After a long hiatus, they made another attempt on 11-Jan-2002.
ROI1.NET (Img Direct)
Their first one is a keeper: entirely HTML, work-from-home opportunity, web tracking bugs. Plucky though blocked, they kept trying until 11 Feb 2002.
oii1.net, oi2.net, oihost.net (Optin Inc)
The first piece is an IMPORTANT NOTICE reminding Nadine that "per our TOS (Terms of Service), you wisely agreed to receive third party promotions from our network's preferred affiliates". I was so overawed by a mention of Terms of Service from this well-known Florida operation that I somehow managed to leave the web bug in while trimming the HTML portion.
A few days later, two copies of a "Confirmation" arrived, identical except that the second one fails to mention "Custom Offers". Perhaps I was too hasty in blocking customoffers.com and missed all of the valuable information about Nadine's voluntary subscription to this wonderful service. Life has its unexpected setbacks.
sendoutmail.com
Nadine received one message and a couple of subsequent blocked delivery attempts originating from this domain. A responsible party from this domain has contacted me personally, and I have responded to his request for the details of the messages sent to Nadine. Being convinced that sendoutmail.com is making a determined effort to adopt the most effective list management practices, I have removed the IP and envelope sender blocks against sendoutmail.com.
topica.com
This message was surprising and profoundly disappointing. I had been led to believe that topica.com were rather strict in their list verification standards. If they would like help in diagnosing the point of failure, I'll be happy to assist. Unfortunately they were still trying to deliver email as of 14- Feb-2002, despite numerous rejections (and several visits to this page from topica's corporate IP space).
DM360.com
The list is sold yet again. On 19 December comes an advert apparently for REI sent by dm360.com on behalf of network60.com. Visiting the link, however, just gets you to www.freebieclub.com, with no obvious REI involvement. What a tangled web.
This sender has made a sufficient number of subsequent attempts after being blocked to rate their own reject log page.
Later on in the piece (30-Jan-2002), we find that their erstwhile client, network60.com, has decided to take things into their own hands and do their own polluting of the general netspace. (Or, perhaps, the two entities are really joined at the hip. Who can fathom these mysteries without buying a programme from a passing vendor?)
Postmaster General (pm0.net)
This sender's customer at least doesn't bother to try the "thanks for signing up at our web site" prevarication or the "you visited a 'marketing partner' and requested drivel" pretense. The lack of HTML is also a redeeming feature. pm0.net was added to the parade of unwelcome intruders, and they hammered away until 02-Jan-2002. I removed them from the deny list on 15-Jan-2002 after having a conversation with the Mindshare Design Standards & Practices people, who convinced me that changes are afoot at pm0. If this turns out to have been an incorrect impression, I will note it here.
Bigfoot Interactive (bfi0.com)
I've always been fascinated by a "this message is confidential -- don't do like we did and send it to a completely unrelated party" clause in email and FAX messages. What exactly does the sending party in this case have to hide, might one ask?
Virtumundo.com / vmadmin.com
Here is an organism that claims that somebody who doesn't exist went to a web site (the same one the itsImazing folks claim she visited) and gave permission for them to send bunches of advertising.
What makes this all the more fascinating is that somebody from Virtumundo apparently visited us here a few hours before the spam started.
Interesting news: Virtumundo has announced a lawsuit against two list vendors, including Mindset Interactive, who provided the list for the message discussed above.
Scott Hirsch (edirect.com, offermail.net, eDirectNetwork, optin-offers.net)
This submission arrived in the wee hours of 30 December 2001. These notes were originally slotted to appear in the "Spamming Scum" section, in view of eDirectNetwork's colorful history of adding unwilling participants to its list of targets for valuable offers. Upon reflection, I decided that eDirectNetwork meets many but not all of the criteria set forth there -- at least, not recently. So, eDirectNetwork joins the other Florida operations here in the slightly more prestigious "Hogs" section.
The apparent proprietor, one Scott Hirsch, has been mentioned in the press from time to time. A brief Google search for this entity nets quite a bit of discussion of their, uh, methods. Those who want an example of the great care taken by this organization to verify that the recipients really want the advertising may observe eDirectNetwork spamming the abuse address here.
As for offermail.net, you have to admire the earnest, honest sincerity of a firm that in its domain registration gives its business address as the White House and its telephone number as toll-free information. Spiffy folks, to be sure. (And not entirely on the mark when it comes to research. An Authoritative Source has sent me tidings to the effect that the White House ZIP is actually 20500.)
I held off chucking offermail into the bozo bin because, I freely confess, I wanted to see what would happen next. I speculated that Scott might read this and spoil my fun. It has been several months since he has hit one of my personal addresses.
However, on 03-Jan-2002 "what happens next" was not at all unusual as spam goes (although I do have to wonder whether the return-path account name is a bit spelling-challenged). So, I blocked offermail and waited to see: would they pay any attention to bou[n]ces?
Nope. (But they did eventually fix Irma La Bouce).
Then, on 09-Jan-2002, our dear comrades at CustomOffers apparently leaped into the hammock with our friends at eDirectNetwork and sent Nadine an important custom offer for Sears Custom Fit Windows. Shades of Diana Mey.
And then, sent to the "Tagged by SPEWS" sump by an incorrect mail sorting filter, there is this gem, in which Scott urges Nadine to consider plastic surgery for breast augmentation.
Time to bung eDirectNetwork into the deny list and give them their own rejection log.
On 13 Jan 2002 another metamorphosis occurred, and stuff started arriving with an envelope sender of optin-offers.net. I was not particularly quick on the deny list entry update, and ol' Scott managed to slip in two more that afternoon. The first was a delightful Path to Sudden Wealth blandishment, which offers yet another Work From Home and Make Big Bux opportunity. The other one was sent apparently on behalf of Gevalia Coffee, who certainly should know better.
PO-1.COM
Yet another itsImazing tentacle put its suckers on the window on 17-Jan-2002, with threats of even more exciting offers soon to festoon the lonely inbox. Into the bin with them.
Mediatrec
Transmissions with an envelope sender of something@MEDIATREC.ROI1.NET were a regular occurrence here until they halted suddenly on 3 January 2002. Then on 19 January 2002 this mysterious piece arrives, with its peculiar "sorry to see you go" clause, but with links that appear to point strictly to an opt-out function.
Curious to see what their list management practices might be, I visited their web page, signed up for their mailings and waited to see what would happen. A short time later this confirmation message arrived, inclining me to the belief that they do indeed practice safe mailing, at least as far as new subscribers at their own web site are concerned. Time will tell.
24-Jan-2002: What time tells us is that they don't practice safe mailing when purchased lists are involved, as they dropped this item in the hopper on behalf of VoiceStream Wireless. So, into the deny list they go. Bon voyage. The record of their rejected delivery attempts is here.
16-Mar-2002: They've been averaging more than one futile attempt per day for quite some time, sending from the myz.com IP block at 65.105.159.*. Perhaps others have blocked myz.com and/or the mediatrec.com envelope sender, and they needed to find something that would temporarily let them get through. Regardless of the reason, they are now sending from mediatreclists.net, from their own IP space. Since they dumped five days of pent-up traffic on Nadine this morning, it seems likely that they saw a high non-delivery rate with myz.com and needed to make up for lost time. Here is one for Full Access Medical, the subject of many a search-engine visit to this site. Those interested in an exclusive money- making program need go no further than here. Maybe a free cellphone? Fancy an unsecured credit card (of unspecified type and issuer)? DVDs from Columbia House? It's all here, whether you have the sense to ask for it or not (assuming that you exist at all, of course).
So, into the Plonk-O-Matic with mediatreclists.net.
DirectNet Advertising (dnadv.com, valudesk.com, valudesk1.com)
These folks have enjoyed some popularity amongst those who receive and report spam. Nadine also received the "Free Chocolates" spam mentioned in some of those reports. In the non-HTML portion, they began their Nadine involvement with no attempt to explain how they came into possession of Nadine's address. Only if you browse down to the web-encumbered portion do you see the shift of blame to "valued marketing partners" and the typical threat to continue the bombardment if no opt-out action is taken.
Before the opportunity arose to add this section to the story, somebody from a network address belonging to dnadv.com spent half an hour or so reading Our Saga. I hope they come back, now that they are a featured character.
NETWORK60.COM
On 30-Jan-2002 there comes a "Membership Confirmation for NADINE" from an already-familiar denizen of the swamp.
We first encountered network60.com as an apparent client of DM360.COM. One is tempted to speculate about the tendency for apparent clients of spewers-for-hire to begin doing their own spewing, as is for example the case with Mediatrec and ROI1.NET.
When the spewing for RadioStakes apparently began in earnest on 08-Feb-2002, the envelope sender "NETWORK60.COM" went into the bozo bin.
Two-River.com (Harvest Marketing, GDTRFB.COM)
On 16-Feb-2002 we first hear from the Two-River Co-op, formerly known as Prime Offers but calling itself Harvest Marketing in the domain registry. We receive the welcome assurance that "Two-River Co-op never sends unsolicited email", but are forced to ponder: if the commercial relationship is launched with such a transparently fraudulent statement, what sort of confidence shall we have in the worth of the commercial offers?
Again on 15-Mar-2002 we see that things haven't changed much.
And on 20-Mar-2002 it would appear that AOL needed some assistance with their sales programme, with a little help from dnadv.com, for reasons best known to those who best know reasons.
Alas, it looks like it is time for the bin for Two-River Co-op. The envelope sender on the most recent atrocity was . River.com is apparently an unrelated domain in Colorado, whereas two-river.com is in New Hampshire and gdtrfb.com claims to be in New Jersey. Considering that the delivering server calls itself "two.river.com" when in fact it is listed as "jupiter.gdtrfb.com" by its own DNS server, and looking at the river.com web site one may perhaps be forgiven for exhibiting a modicum of doubt that river.com has any involvement with these misdeeds. And in fact my communication with the actual owner of river.com confirms that river.com has no connection with two-river.com and has not authorized them to use a river.com address or host name.
mxsys.net (dandyoffers.com, youclickhere.net) on behalf of memolink.com, dreammates.com et al.
Pretty ordinary. First a mailing for memolink.com, then another one that seems less than fully suited to the demographic information that DandyOffers presumably purchased along with a bogus email address.
On 25-Feb-2002 there was another spam for Sonix Systems / AT&T. Since I'm getting spam from mxsys.net for the "imesh" list to another bogus address @honet.com, there's no obvious reason not to award mxsys.net a prime spot in the bin forthwith. And since they've persisted in knocking at the gates, let's give them their own reject log.
sign2002.com
The presence of links to www.opt-track.net in this piece suggests that sign2002.com is just a new disguise for the masters of opt-in-ness, Optin Inc. Regardless, it has the exceedingly tiresome mendacity "This message was not sent unsolicited. You are currently subscribed to the Open2Win mailing list". As if "you are subscribed" somehow transforms an unsolicited message to a nonexistent person into a legitimate, requested communication.
Gag.
Then again, I'm interested in whether the folks at discounts.com, who don't seem to be affiliated with anybody mentioned in this message, would approve of the apparent sender being "HotelDiscountCard@discounts.com". Hmm... staff@webmagic.com seems to be the place to knock. 27-Feb- 2002: Email from webmagic.com gives me the distinct impression that they aren't too happy with this use of their domain name. Imagine that.
Meanwhile, on 26-Feb-2002 the next piece arrives, signaling that The Hour of The Bozo Bin has arrived for sign2002.com.
Exactis
As a proud carrier of the "Motel Six Discount Card" (or AARP membership, as it is sometimes called) I note that in this piece The Hartford makes some sensible use of the demographic information that somebody fraudulently sold them.
Although they wisely chose exactis.com to send their advertisement for an AARP-branded insurance plan, all was not entirely well in this particular shot. For instance, the valuable quartz clock is not available in Nadine's home state (and apparently only in Nadine's home state). One would expect greater diligence from these professionals.
Additionally, this message is the first one in ages to make an explicit reference to delivere.com. The HTML version of the payload attempts to retrieve an image from the server consumer.delivere.com, which is strange, since the name servers for delivere.com are unreachable (at least from any network to which I have access) and have been for quite some time. Odd.
valoffers.com
What can we say about this initial salvo (other than a minor carp about a missing ">" in the Message-ID)? Not much. We'll just have to wait for the inevitable Drizzle of Irresistible Offers.
Which began to arrive on 19-Mar-2002, manifesting as Yet Another Free Cellphone Offer (YAFCO). Time for a new deny list entry.
dartmail3.net
On 22-Mar-2002 Nadine received a "privileged and confidential" offer of magazine subscriptions by Synapse Group Inc, from dartmail3.net, through flonetwork.com.
tinglobal.com
This is apparently an IMG Direct (optin-inc) operation. More information here. Sample here. The "strict Code of Ethics" bit is a hoot.
jobsonline.com (emailoffersondemand, Toplander Corporation)
One is tempted to speculate just who has demanded the email offers, of which Nadine received four in the three days that elapsed before the sender was carefully inserted into the deny list. Since three of them were very similar YAFCO advertisements -- two for AT&T Wireless, one for Voicestream -- on three successive days, the use of the phrase "this recurring mailing" was particularly apt. Sample here.
Re:Both sites choked - Google to the rescue (Score:5, Informative)
Mirror [pantherweb.org]
/. server part 6 (Score:1, Informative)
Before the messages below arrived, there was still a slim but tangible pretense that this stream of offal was some how "opt-in". The senders sent from their own equipment at [relatively] stable IP addresses; most of the senders were contactable by one means or another. Some of them even made detectable efforts to be legitimate, ethical businesses. Some of those appear to have failed more through lack of competence than lack of ethics (although it is important to note that the net effect is the same, in the end).
Such is not the case with the senders in this section.
Demonstrably they are fully aware that
Their material is unwanted.
The addresses they send to are largely scraped from public forums such as Usenet newsgroups, web pages and user profiles -- places where people reveal their email addresses with no expectation whatever that they will become the victims of postage-due electronic advertisers.
System owners will take measures to block their transmissions.
With this set of facts in mind, they take steps to evade, whenever possible, efforts to stop them from blowing their trash into people's mailboxes. These steps include
Sending from "throw-away" dial-up accounts. Eventually enough complaints will arrive at the dialup provider that the account they are using will be deactivated for network abuse. But they expect this, and have opened a large number of such accounts; when one account is cancelled, they merely proceed on to the next.
Hijacking email servers -- there are still many email servers that will allow anybody to use them to send email. By setting their spewing software to send through these open relays, spammers gain several benefits, chief amongst which is that they can consume someone else's bandwidth to do their dirty work. By rotating their spews through a large number of servers, they increase the likelihood that they will be able to bypass countermeasures in place at their targets' providers.
Adding "filter busters" (strings of nonsense characters) to the subjects and bodies of their messages, in the hope of confusing filters that look for known spam messages.
The "AmyWilson@btamail.net.cn" Spammer
Messages with this "From:" address (and multitudes from other addresses taking the form "[some female name with surname]@btamail.net.cn") have arrived here before, all sent to addresses that either were scraped from Usenet posts or were the targets of spammers before honet.com was even registered as a domain.
In this case, we see a message with classic "spammer" hallmarks -- origination from a dialup, sent through hijacked servers. It claims to have been sent on behalf of Sonix Systems, LLC, an AT&T wireless dealer.
Random spam through ptt.ru
Those who track spammers as a hobby or a full-time job will recognize a number of familiar things here, assuming they want to wade through atrocious quoted-printable-mangled HTML.
Inept Pump-and-Dump Stock Scam from optinservices.com
Here we have an exceptionally incompetent attempt at shady activity. First, the spammer unwisely chose to steal relay services from a Korean server that failed to mask the sending IP address (65.213.157.9), which belongs to optinservices.com, supposedly in Pompano Beach, FL. Then, the HTML payload appears to have been prepared with Microsoft Word, which inserts abominable amounts of cruft but also embeds intriguing information, including the apparent original author's names, which in this case appear to be "Natalie Morgen" and "ECogen". Finally, it was sent with an unreachable domain, offers4utoday.com, in the envelope sender; this will cause lots of well-run systems to reject it immediately. As spammers go, this lot are not leading the league.
And of course, in keeping with the Sacred Traditions of Spamming, the usual "Murkowski" S1618 disclaimer demands that we accept this piece as legitimate communication, even though this legislation was never enacted into law (and even if it had been, this spam doesn't actually comply with it).
Wanting to share the joys this gem has brought, I sent a copy to the "enforcement" mailbox at sec.gov. Perhaps they will find it valuable.
4optinonly.com: The Buffoonery Continues
The next day after the optinservices.com fiasco, we hear directly from 4optinonly.com, the domain that appeared in the "remove from list" link above. Oddly enough the sending server called itself "optinservicesco" when it connected here, even though its IP address carries the whimsical name "optin2.4optinonly.com". Ah, well, at least both of the supposed senders are named "Debra" and they both tell us that Nadine is a subscriber to the eNetwork mailing list.
The overwhelming impressions of honesty and competence here would certainly motivate me to seek an unsecured gold card through their ministrations. I'd probably make some investments, too. Yep.
13-Mar-2002: Not wanting to leave any doubt about who was responsible for the first stock fraud missive, but keen to clean up the MS-Word-to- HTML disaster, they resend a less-crufty version of the original not-from-a-Kim-and-Eddie-Marin-IP tout. Oofta. Hyphen city.
Then on 26 Mar 2002 the menagerie is augmented by a piece from addmeat.com/addmeat.net for quickenloans.quicken.com, and on 29 Mar 2002 a new but still MS-Word-cruft-infested version of the LKNG pump-and-dump stock tout.
Why not fix it the old-fashioned way? (Score:3, Informative)
If you made a mistake in your contact info, you could've rectified the problem by voice phone and fax. That's what I did when the contact info for a domain I registered had to be updated because the email was an expired domain for a now-defunct company. Network Solutions had surprisingly good customer service and once they verify the credentials via fax (or even snail-mail) they will make any changed required without the use of email.
That way seems low-tech and backwards, but you don't need to register an otherwise useless domain and it costs nothing more than your time (certainly mot much more than the trouble of registering a domain and setting up the DNS).
Us techie types should be careful not to overlook the most simple solution because it is low tech...
OTOH, the useless domain could be useful to keep track of how many OTHER people make that typo...kinda like the Slashdor site [slashdor.org]...
Tip (Score:2, Informative)
Re:I'm no email antispam guru... (Score:2, Informative)
I am not SPEWS.
Re:Now what about spam-terror? (Score:5, Informative)
Re:I do it all the time (Score:1, Informative)
I'd suggest using example.com (which is reserved, so nobody will ever suffer) or else the domain name of the company you're sending the form to (which will encourage them to start confirming subscriptions.)
Re:I hate spam, but ... (Score:4, Informative)
Perhaps the story itself is not so unique, but I find his analysis very important to understand.
From the essay [honet.com]:"Subject only to the agreements and contracts that an Internet entity has with its providers and customers, that entity is absolutely sovereign within its own domain. Service providers and system administrators are completely free to decide to accept or reject any network traffic they choose; they simply must accept whatever reactions such decisions may evoke from those with whom they have agreements.
An individual consumer's service providers have absolutely no economic incentive to provide transit and storage for advertising, especially advertising delivered by email. On the contrary, many providers have discovered that swift remedial reaction to consumer complaints about unwanted communications can both increase customer loyalty and decrease operating costs. As a result, the unwritten "I will carry your traffic if you will carry mine" agreement is subject to re-evaluation, with the possible conclusion "I don't care whether you carry my traffic or not, so I won't carry yours." And there are many ways to say "I Won't".
He states that this goes against the very flow of information that transpires in other forms of media. I find it fascinating that people expect to have a captive audience on the Internet because they did on TV, radio and magazines. Frankly, this is a new world and it isn't governed by the same rules.
Re:What to do (Score:1, Informative)
Re:I hate spam, but ... (Score:3, Informative)
Are there people out there that really care?
I thought there was supposed to be something gone terribly wrong in this article (like someone killed as a result of spammers)...
Much ado about butt-kiss..
Re:I hate spam, but ... (Score:3, Informative)
http://www.samspade.org
http://www.spamhaus.or
http://www.spamcop.net
http:
There's no reason to get upset or frustrated when looking for spammers. Rule 3 says they're stupid so they're usually rather easy to trace down, if you know what you're doing. Once you've taken the time to educate yourself on how to read email headers, trace through them to find the originating ISP, open relays/proxies that forwarded the email, and decode the spamvertised URL, rooting out any redirection services or encryption used to obfuscate the spammers actual website (read cash generator), it's like anything else and can become second nature. It only took me about six months to get a good handle on all of the above and then another year to refine it to a science. I'm currently administering my own Linux mail server. I'm also pulling mail out of two POP accounts, one of which gets the majority of my spam, the other which has never been published anywhere and hasn't received spam... YET. I'm using a combination of DNS-based blocklists on postfix, iptables and a procmail filter to keep my spamload down to about 1-2 messages a day.
The only thing I can say is use the above links and get familiar with the process. Read news.admin.net-abuse.email and ask questions of the inhabitants on how to fight spam. Make certain you stock up on Nomex underwear as it can be a pretty rough group to follow. A speed reading course may be helpful to keep up with the flow of articles.
Hope this help....
Rich
--
Consumer Watchdog! Yes, we're rough on bogus businesses! And today,
Consumer Watchdog reports on protecting you, the consumer, from being
consumed by dangerous products and phony packaging. -- Firesign Theatre
TINLC Unit #2309 Death to all spammer accounts.
Re:I'm no email antispam guru... (Score:5, Informative)
- Post "test" posts to a few newsgroups, I suggest alt.test and alt.business.multi-level, using your new spamtrap address as the From and Reply-To address. (Technically, test posts are not appropriate in alt.business.multi-level, but if you want a fast track to spam, that's the place to go.)
- Visit the "remove" links in spam you already get at your existing mailboxes, and type your spamtrap address into the remove box. If you have the time or patience, you can do the same thing with spam which contains a remove address instead of a link; send remove requests from your spamtrap. Removal is spammerspeak for opting in, so this will grow your spam collection quickly.
- Embed a mailto link to your spamtrap address on a couple of webpages you control. Make the mailto visible only to web-scraping robots by linking to a 1x1 pixel black image file in place of a period on your page; human viewers will see it as a period, harvesting programs will see it as fresh meat.
Whatever you do, don't give your spamtrap address to anyone for legitimate email, and don't sign up for anything using that address. If you follow those two guidelines, every single message that mailbox receives is guaranteed to be spam. This will give you the ability to archive, auto-report, etc. the incoming mail without fear of false positives.Shaun
Re:Prevention measures (Score:3, Informative)
Use me@privacy.net instead (Score:5, Informative)
me@privacy.net
See their website [privacy.net] for more info.
A friend of mine runs a domain that happens to be used a lot by people who think they enter a non-existant domain, and it's driving him nuts. Well, there is some amusement value in noticing how many variations people come up with, but still...
Re:I'm no email antispam guru... (Score:2, Informative)
When I first started this, I thought I'd "catch" a huge number of companies selling or using my email address without their permission. But what I've noticed over time is that I almost never receive any spam at these addresses. That is, probably 95-99% of the companies that I've signed up with have respected my preferences and have not sold or spammed my email address. Nearly all the spam that I receive (and I get a lot, though switching to the fastmail [fastmail.fm] IMAP mail service has cut my spam significantly) is sent to:
an old address that I used 10 years ago to post on usenet
the address that I used when registering my domain
I think it's somewhat heartening that most companies that I have any real business or interaction with have properly protected my email address, the spam seems to come almost entirely from various types of harvesters.
Re:That only answers half the question... (Score:3, Informative)
I've never investigated the details, as I don't have the bandwidth to host my own publicly available blocklist. I would if I could. I contribute to the proxy.relays.osirusoft.com blocklist, but that's only because people don't hit me directly for the queries.
If I'm thinking what you're thinking, these are known as "teergrubes" which is the German word for "tarpits." A spammer connects, and his spamware becomes trapped in several hundred SMTP connections which don't close, but instead transfer something on the order of 1 byte per minute. The spamming program gets hopelessly hung up in sockets that won't close, preventing his machine from opening more connections. A lot of people who run SMTP relay honeypots also run them as "teergrubes."
Shaun
spamcop helper (Score:4, Informative)
Then I use this script to fire it all off to spamcop once a day:
#!/usr/local/bin/perl
$reporting_addr = 'submit.yourspamcopidhere@spam.spamcop.net';
$/ = undef; #slurp mode
$buf = < #slurp
@spams = split(/\nFrom
for ($i=1; $i<=$#spams; $i++) {
open (MAILER,"| mail $reporting_addr");
$msg = "From " . $spams[$i];
print MAILER $msg;
close MAILER;
}
Not perfect, and you still have to visit the spamcop site to finish the reporting thing, but it's semi-automated at least. And forgive my clunky perl idioms.