This spam report is at Anti-Spam Assistance Pages
Subject: Re: REMOVE ME FROM YOUR SPAM LIST - [Fwd: Accept Major Credit Cards
Date: 1/18/98 11:38 AM
To: cheron@fda.net
On 1/18/98 6:23 AM, Cheri sent the following ASCII stream:
This spam presents an interesting lesson that only comes from having a good memory,
reading "news.admin.net-abuse.email" and "alt.stop.spamming" as well as actively
fighting spam.
You made a very minor mistake in reporting this spam by responding to a SPAMMER DOMAIN.
T-1net.com is a spammer site. They were shut down on January 2 by Sprint.
Go to "www.tucows.com" and download some DNS/Whois/Finder/Traceroute programs, I think
you'll need them going forward. I can't recommend anything because I don't go online
with my PC very often, and therefore I can't really actively test out these applications.
I know I should, but I'm more based on my Mac for web development. 4 Macs, 1 Win95, one
Win3.1 actually in one of the Macs.
>Received: from kinsey.fia.net (root@mail.fia.net [206.171.100.7]) by
>ns2.fda.net (8.8.5/8.7.3) with ESMTP id WAA16505 for <cheron@fda.net>;
>Sat, 17 Jan 1998 22:34:19 -0800 (PST)
>Received: from mail.t-1net.com (quick.notfalse.com [209.136.153.21]) by
>kinsey.fia.net (8.8.5/8.7.3) with ESMTP id WAA22887 for <cheron@fia.net>;
>Sat, 17 Jan 1998 22:32:54 -0800 (PST)
>Date: Fri, 16 Jan 1998 11:02:52 -0600
>Message-Id: <199801161702.LAA01336@mail.t-1net.com>
>From: MAILER-DAEMON@kinsey.fia.net
>Subject: Accept Major Credit Cards Online For $39.95!
I'm not going to break this one down like I did the other one. I'm going to treat this
like a "normal" spam.
>nslookup 206.171.100.7
Server: dns.mediacity.com
Address: 205.216.172.10
Name: mail.fia.net
Address: 206.171.100.7
OK, this resolves. Hmm, didn't the other one come from there?
This is the relaying domain.
I typically will say something like:
FIA.NET:
Your server was hijacked to relay spam. Please secure your server to prevent future
attacks.
Complaints go to "postmaster" and "abuse" at that domain, plus these addresses that this
"whois" shows up:
>whois fia3-dom
First Internet Franchise Corp (FIA3-DOM)
1060 Calle Cordillera, Suite 101
San Clemente, CA 92673
Domain Name: FIA.NET
Administrative Contact:
Gibbs, Michael (MG211) mgibbs@FIA.NET
714-498-7400 (FAX) 714-498-7401
Technical Contact, Zone Contact:
Network Operations Center (NO161-ORG) domain.entries@FIA.NET
714-498-7400
Fax- 714-498-7401
Billing Contact:
McLaughlin, Ron (RM1331) ronm@FIA.NET
(714) 498-7400
Record last updated on 06-Jan-98.
Record created on 16-Oct-95.
Database last updated on 18-Jan-98 04:00:47 EDT.
Domain servers in listed order:
NS.FIA.NET 206.171.100.5
NS.HTP.NET 206.112.34.13
Now, this is two from this domain. I am suspecting a rogue domain. Perhaps it is time
to complain to their upstream provider. This is where this is very important for you to
have something that can do a traceroute from YOUR ISP because my path may vary from your
path. You need to complain to the right path.
In my case:
>traceroute fia.net
traceroute to fia.net (206.171.100.7), 30 hops max, 40 byte packets
1 grfge002 (205.216.172.1) 0.347 ms 0.264 ms 0.259 ms
2 bordercore2-hssi0-0.SanFrancisco.mci.net (166.48.15.249) 2.813 ms 2.894 ms 2.752 ms
3 bordercore3.SanFrancisco.mci.net (166.48.16.1) 3.678 ms 4.282 ms 3.583 ms
4 pbnap.ibm.net (198.32.128.49) 93.213 ms 88.996 ms 90.221 ms
5 * 165.87.33.97 (165.87.33.97) 78.115 ms 90.103 ms
6 la32-0-br2.ca.us.ibm.net (165.87.32.2) 106.025 ms 99.694 ms 112.537 ms
7 165.87.32.110 (165.87.32.110) 104.689 ms 98.705 ms 98.603 ms
8 * la-pacbell-pop-la.ca.us.ibm.net (165.87.224.5) 109.160 ms 102.455 ms
9 ign2.lsan03.pbi.net (206.13.29.6) 110.355 ms 107.528 ms 98.588 ms
10 pbi.lsan03.fia.net (206.13.9.20) 94.984 ms 95.093 ms 112.960 ms
11 mail.fia.net (206.171.100.7) 110.346 ms 112.016 ms 108.487 ms
From MediaCity, where I telnet to get shell access, I can clearly see that MediaCity
hops onto MCI. MCI hands it off to a router port on IBM.Net's backbone that is their
gateway to MCI to Pacific Bell. It is then loaded onto a router port (same router) to
IBM.Net's Pacific Bell Network Access Point (NAP). It then hits a few other routes to
get to the nearest location. PBI.Net (Pacific Bell Internet) are the upstream providers.
Complaints should go to:
postmaster and abuse @ PBI.Net
Now, onto the forged originating site:
First, I IGNORE the DNS entries. This is important in this one because they do not match.
>nslookup 209.136.153.21
Server: dns.mediacity.com
Address: 205.216.172.10
Name: quick.notfalse.com
Address: 209.136.153.21
This is the TRUE originating location. The t-1net.com entry is bogus, most likely as a
result of a deliberate bad entry into the TCP/IP stack on Windows95.
Complaints go to postmaster and abuse @ notfalse.com. My complaint would read something
like:
NOTFALSE.COM:
One of your customers is using your service to originate spam and to hijack third-party
servers to send out spam. Please terminate this customer for spamming.
Typically, I will see if the service has a web site and see if I can find an acceptable
usage policy. I may substitute the last line for something mentioning AUP (acceptable usage
policy) violations if this is expressly prohibited in the AUP.
>whois notfalse.com
Golfballs Unlimited, USA (NOTFALSE-DOM)
11743 West Bellfort Ste 112
Stafford, TX 74777
Domain Name: NOTFALSE.COM
Administrative Contact, Technical Contact, Zone Contact:
Jones, Dana (DJ1372) ballman@GOLFBALLSUNLIMITEDUSA.COM
281-560-0133 (FAX) 281-568-5474
Billing Contact:
Jones, Dana (DJ1372) ballman@GOLFBALLSUNLIMITEDUSA.COM
281-560-0133 (FAX) 281-568-5474
Record last updated on 08-Dec-97.
Record created on 25-Oct-97.
Database last updated on 18-Jan-98 04:00:47 EDT.
Domain servers in listed order:
NS1.NOTFALSE.COM 209.136.153.10
NS2.NOTFALSE.COM 209.136.153.11
Excuse my language, but "oh shit!". You're fucked on this one. Dana Jones, the golf ball
spammer, became a spam site. He supports his domain being used to originate spam. DO NOT
COMPLAIN to this domain. Now traceroutes are VERY important:
This is NOT looking good....
>traceroute notfalse.com
traceroute to notfalse.com (209.136.153.10), 30 hops max, 40 byte packets
1 grfge002 (205.216.172.1) 0.333 ms 0.265 ms 0.278 ms
2 bordercore2-hssi0-0.SanFrancisco.mci.net (166.48.15.249) 2.795 ms 2.785 ms 2.944 ms
3 core3.WillowSprings.mci.net (204.70.4.25) 51.280 ms 50.569 ms 50.764 ms
4 ameritech-nap.WillowSprings.mci.net (204.70.1.198) 51.931 ms 52.695 ms 52.450 ms
5 chicago-nap.acsi.net (198.32.130.65) 107.920 ms * *
6 louisv-ky-1-a12-0-1.acsi.net (206.222.97.12) 101.814 ms 100.732 ms 109.504 ms
7 * nashvi-tn-1-a12-0.acsi.net (206.222.97.14) 104.132 ms 101.114 ms
8 memphi-tn-1-a12-0.acsi.net (206.222.97.15) 118.849 ms 113.034 ms 112.991ms
9 * little-ar-1-a12-0.acsi.net (206.222.97.2) 123.486 ms 115.330 ms
10 fortwo-tx-1-a12-0.acsi.net (206.222.97.6) 124.646 ms 130.985 ms 127.852 ms
11 housto-tx-1-a12-0-6.acsi.net (206.222.100.130) 159.062 ms * 158.201 ms
12 206.222.105.114 (206.222.105.114) 160.852 ms * 156.521 ms
13 ns1.notfalse.com (209.136.153.10) 160.469 ms 153.918 ms 136.045 ms
This is NOT good. ACSI.Net rapidly became a rogue site, quickly accepting spammer sites.
Complaints to this domain are rather useless, but they don't create new spamming lists
from the complaints. In my case, I would complain to MCI:
abuse @mci.net, postmaster @mci.net and spamcomplaints@mci.net
This sort of knowledge is only obtainable from folks such as myself or your own personal
adventures in anti-spam. This is a particularly evil one.
I'm NOT done yet. Skip to the end:
If you wish to be removed from our mailing lists, please type REMOVE in the subject field
and email to imsco@amystery.com.
Opt-Out is illegal.
Now, is this a valid address?
I can't tell. Telnet to attempt raw POP3 commands times out. I cannot verify the address
and I don't feel like using my mail server to find the true site.
So, in such cases, I just do this:
>whois amystery.com
Seymour (AMYSTERY-DOM)
P.O. Box 11541
Albuquerque, NM 87192
US
Domain Name: AMYSTERY.COM
Administrative Contact, Technical Contact, Zone Contact:
Johnson, Seymour (SJ2294) seymoursays@HOTMAIL.COM
505-238-0666 (FAX) 505-238-0666
Billing Contact:
Johnson, Seymour (SJ2294) seymoursays@HOTMAIL.COM
505-238-0666 (FAX) 505-238-0666
Record last updated on 09-Jan-98.
Record created on 09-Jan-98.
Database last updated on 18-Jan-98 04:00:47 EDT.
Domain servers in listed order:
PINOCHIO.NOTRUE.COM 207.53.74.100
LIAR.NOTRUE.COM 207.53.74.101
But the DNS servers make me suspicious.
>whois notrue.com
False Information Co (NOTRUE-DOM)
c/o d. jones
11743 West Bellfort
Ste 112
Stafford, TX 77477
US
Domain Name: NOTRUE.COM
Administrative Contact, Technical Contact, Zone Contact:
Jones, Seymour (SJ2295) yonotell@AOL.COM
281-922-8731
Billing Contact:
Jones, Seymour (SJ2295) yonotell@AOL.COM
281-922-8731
Record last updated on 08-Jan-98.
Record created on 08-Jan-98.
Database last updated on 18-Jan-98 04:00:47 EDT.
Domain servers in listed order:
PINOCHIO.NOTRUE.COM 207.53.74.100
LIAR.NOTRUE.COM 207.53.74.101
OK, just complain to postmaster and abuse @ amystery.com. Alert them that a spammer
is using their service as a drop box to gather complaints and remove requests to
create new spamming lists of "live" addresses.
Now for t-1net.com, just to show their disconnection:
>traceroute t-1net.com
traceroute: unknown host t-1net.com
t-1net.com was run by Dana Jones's "we-deliver.net", part of this jerk's spam empire.
Thorough enough for you? I tend to intimidate most of my customers by my degree of detail.
They appreciate it, but it overwhelms them.
I need to start making additional online documentation, such as public whois servers and
sites that can help you do functions that your local provider doesn't offer. While this
may not save me time, it will help others.
Thanks for allowing me to help again.
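The header walk done by hand above (trust the Received: stamp your own server wrote, read backwards to the earliest hop, ignore the forged HELO name and keep the reverse DNS and IP in brackets) can be scripted. The block below is an added example, not part of the original e-mail and not a tool the author used; it assumes sendmail 8.8-style stamps of the form "from HELO (ident@rdns [ip]) by HOST" and uses the headers quoted above, re-folded the way a mail client shows them, as its sample input. The "registered domain" helper is a crude last-two-labels cut that is fine for .com/.net and wrong for country-code second-level domains.

```python
"""Walk the Received: chain of a mail header block to find the true origin
and any third-party relays, the way the message above does by hand."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the headers quoted in the message above, folded the way the
# mail client showed them. Test data for this example, not a live capture.
SAMPLE_HEADERS = """\
Received: from kinsey.fia.net (root@mail.fia.net [206.171.100.7]) by
    ns2.fda.net (8.8.5/8.7.3) with ESMTP id WAA16505 for <cheron@fda.net>;
    Sat, 17 Jan 1998 22:34:19 -0800 (PST)
Received: from mail.t-1net.com (quick.notfalse.com [209.136.153.21]) by
    kinsey.fia.net (8.8.5/8.7.3) with ESMTP id WAA22887 for <cheron@fia.net>;
    Sat, 17 Jan 1998 22:32:54 -0800 (PST)
Date: Fri, 16 Jan 1998 11:02:52 -0600
Message-Id: <199801161702.LAA01336@mail.t-1net.com>
From: MAILER-DAEMON@kinsey.fia.net
Subject: Accept Major Credit Cards Online For $39.95!
"""

# sendmail 8.8-style stamp: "from HELO (ident@rdns [ip]) by HOST ..."
# (assumed format; other MTAs write different stamps)
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<ident>[^@\s]+)@)?(?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.MULTILINE,
)


@dataclass
class Hop:
    helo: str   # name the sender claimed in HELO (trivially forgeable)
    rdns: str   # reverse DNS the receiving server looked up itself
    ip: str     # connecting address as seen by the receiving server
    by: str     # the server that wrote this stamp


def unfold(raw: str) -> str:
    """Join RFC 822 continuation lines so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def registered_domain(host: str) -> str:
    """Crude last-two-labels domain (fine for .com/.net; wrong for co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_received(raw: str) -> List[Hop]:
    """Return hops in header order: first stamp = final delivery, last = origin."""
    return [Hop(m["helo"], m["rdns"], m["ip"], m["by"])
            for m in RECEIVED_RE.finditer(unfold(raw))]


def helo_mismatch(hop: Hop) -> bool:
    """True when the claimed HELO name and the reverse DNS disagree on domain."""
    return registered_domain(hop.helo) != registered_domain(hop.rdns)


def analyze(raw: str, recipient_domain: str) -> Dict[str, object]:
    """Identify the origin IP and any relay not under the recipient's domain.

    Only the stamp written by your own server is trustworthy; each earlier
    hop is trusted a little less, and anything below a forged stamp is noise.
    """
    hops = parse_received(raw)
    if not hops:
        raise ValueError("no parseable Received: headers")
    origin = hops[-1]
    # Every "by" host after the final delivery stamp handled the mail in
    # transit; one outside the recipient's domain is a third-party relay.
    relays = [h.by for h in hops[1:]
              if registered_domain(h.by) != recipient_domain.lower()]
    return {
        "origin_ip": origin.ip,
        "origin_rdns": origin.rdns,
        "origin_claimed": origin.helo,
        "origin_forged_helo": helo_mismatch(origin),
        "third_party_relays": relays,
        "domains_involved": sorted({registered_domain(origin.rdns),
                                    *(registered_domain(r) for r in relays)}),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS, "fda.net").items():
        print(f"{key:>20}: {value}")
```

Run against the sample, the origin comes out as 209.136.153.21 (quick.notfalse.com) with a forged HELO of mail.t-1net.com, and kinsey.fia.net is flagged as the relay, which is exactly the split the message makes between the hijacked relay and the true originating site. Whether a listed domain deserves a complaint or is itself spammer-run is a judgment the script cannot make; that is what the whois and traceroute steps above are for.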