In the war against spam, its getting harder to figure out who the good guys are. Last weekend, we had an incident where a server called pure.fiber.net was relaying thousands of spam messages off one of our mail servers. While we have filters in place to block the obvious spammers (cyberpromo and others), we don't learn about new ones until they cross the line (or we get them from Paul's site at http://www.vix.com/spam -- thanks Paul!). Unfortunately, fiber.net is a 9 to 5, Monday thru Friday operation with no weekend or evening NOC. This made things difficult for us at 2 am on a Saturday night trying to get their attention. Because fiber.net was not known as a spammer, we did not want to unilaterally block them off until we could talk to them when they opened on Monday morning, so we wrote some bash scripts and ran them against our mail queue every three minutes to kill messages with specific attributes relating to the spam. On Monday, we talked with their technical contact and he said that someone on their server must have been misbehaving, but that they would look into it. Today I reviewed my logs and not only did it not stop, but they started ANOTHER spam off our mail servers. When one of our engineers called them this afternoon, they said they were innocent because someone was using them as a relay -- nice try, but if they were a relay, we should not have seen any messages other than those destined for addresses on our network. Instead, we got the entire spam feed. They even went so far as to insert forged Received headers into the messages to try and throw us off. The spammers played us as chumps. Fine -- now I have filters in my backbone routers for 204.250.13/24 and 204.250.192/19, and mail filters for *.fiber.net just in case they manage to get another IP block. Grrrrr. The bottom line is that you cant tell the good guys from the bad guys anymore. There are ISPs that support spammers and then lie about it when they get caught. Even though I detest the fact that AGIS supports cyberpromo, at least they have the guts to tell it the way it is. As an aside, today we got a message in our marketing box asking "Do you support spammers?" -- unbelievable. The poster was looking for an ISP that would allow him to post 500 to 1000 spam messages each day. I sent him a form letter telling him "no" and outlining why spam is a Bad Idea(tm). It is obvious the spammers are getting much more aggresive and may even be compiling lists of spammer friendly ISPs. Its not just getting worse -- its getting weird. Dave Stoddard US Net Incorporated 301-572-5926 dgs@us.net
On Tue, 13 May 1997, David Stoddard wrote:
In the war against spam, its getting harder to figure out who the good guys are. Last weekend, we had an incident where a server called pure.fiber.net was relaying thousands of spam messages off one of our mail servers. While we have filters in place to block the obvious spammers (cyberpromo and others), we don't learn about new ones until they cross the line (or we get them from Paul's site at http://www.vix.com/spam -- thanks Paul!).
<snip> Indeed things are getting strange, look at this letter I got in my mailbox this morning... -------------------------------------------------------------------------------------
Were I you, I would forward such a threat to some appropriate authorities. Geoff White writes:
On Tue, 13 May 1997, David Stoddard wrote:
In the war against spam, its getting harder to figure out who the good guys are. Last weekend, we had an incident where a server called pure.fiber.net was relaying thousands of spam messages off one of our mail servers. While we have filters in place to block the obvious spammers (cyberpromo and others), we don't learn about new ones until they cross the line (or we get them from Paul's site at http://www.vix.com/spam -- thanks Paul!).
<snip>
Indeed things are getting strange, look at this letter I got in my mailbox this morning...
-------------------------------------------------------------------------------------
From www@www-01.io.com Wed May 14 00:27:05 1997 Received: from www-01.io.com (www-01.io.com [199.170.88.39]) by precipice.v-site.net (8.8.4/8.8.4) with ESMTP id AAA23538 for <geoffw@v-site.net>; Wed, 14 May 1997 00:26:09 -0700 (PDT) Received: (from www@localhost) by www-01.io.com (8.8.5/8.8.5) id CAA30444; Wed, 14 May 1997 02:19:46 -0500 Date: Wed, 14 May 1997 02:19:46 -0500 Message-Id: <199705140719.CAA30444@www-01.io.com> From: The Dawn Patrol <hipcrime@post1.com> To: geoffw@v-site.net Reply-To: hipcrime@post1.com Errors-To: hipcrime@post1.com Sender: hipcrime@post1.com Subject: Your liability X-Mail-Gateway: Doug's WWW Mail Gateway 2.1.1 X-Real-Host-From: sol.infonex.com Status: RO X-Status:
Geoff White,
We have watched with some amusement the antics of your friend Robert, but we can long longer sit back passively and just watch as he continues to cause others harm and grief.
In addition to his many other transgressions, he is now threatening people with hack attacks on their systems and with physical harm. This, and all of his many other crimes must end immediately.
We are in now in the process of insuring that Robert's web presence will be revoked in all of the places he has infected with it. For the moment, we have decided to allow him to keep his E-mail accounts but we will quickly arrange for those also to be revoked if he insists on continuing to cause harm and annoyance to others on the net.
More importantly however, we will henceforth be holding you and your v-site.net site responsible for and further crimes that he commits online against the people he thinks are his enemies. If there are any security-related incidents at any of the sites run by any of these people, we will find out about it, and you will then be forced to deal with similar unfortunate events at your own site. If necessary, we will also and likewise respond to any hacking activities by Robert with additional measures against vcinternet.
We are certain that you have a significant investment in hardware and software at your site that you would not like to have placed in jeopardy, so it is in your interest now to contact your friend Robert and have him cease his threats and attacks on people on the Internet. We suggest that you use all means of persuasion at your disposal to do this, and that you do it immediately. No further warnings will be sent to you regarding this matter.
The Dawn Patrol
-------------------------------------------------------------------------
Now Robert did have a Web account here months ago, he was canned for misusing my sendmail daemon with his fameous Java applet that let's you spam the net by surfing for <mailto> tags. He is long gone but now I have to deal with clueless vigilanties who are threatening to hack my systems because of someone long gone, hey is this the french revolution or what?
In any event if it get to this I will toast anybody who trys to f*ck with my systems.
geoffw
Whoever will listen to you and has the authority to look into it :) That's going to vary depending on where you are and who you know. For ourselves, we stay on friendly terms with the local Secret Service folks... Geoff White writes:
On Wed, 14 May 1997, Dorn Hetzel wrote:
Were I you, I would forward such a threat to some appropriate authorities.
And who might that be :}
On Wed, 14 May 1997, Dorn Hetzel wrote:
Whoever will listen to you and has the authority to look into it :) That's going to vary depending on where you are and who you know. For ourselves, we stay on friendly terms with the local Secret Service folks... Geoff White writes:
On Wed, 14 May 1997, Dorn Hetzel wrote:
Were I you, I would forward such a threat to some appropriate authorities. And who might that be :}
Consider talking to their upstream providers. It can quickly draw their focused attention. Singapore Press Holdings (POST7-DOM) Netblock ocntrolled by: Asia Pacific Network Information Center (APNIC2) Tokyo Central Post Office Box 351 Tokyo 100-91 JAPAN Netname: APNIC-CIDR-BLK Netblock: 202.0.0.0 - 203.255.255.0 Maintainer: AP Coordinator: Conrad, David Randolph (DC396) davidc@APNIC.NET +81-3-5500-0480 (FAX) +81-3-5500-0481 Or place a _concerned_ call to the FBI. Black helicopters aren't so bad when they fly on your behalf. --- Jesse
And who might that be :} Singapore Press Holdings (POST7-DOM)
Yeah.
Netblock ocntrolled by: Asia Pacific Network Information Center (APNIC2)
Sigh.
Netname: APNIC-CIDR-BLK Netblock: 202.0.0.0 - 203.255.255.0 Maintainer: AP
Coordinator: Conrad, David Randolph (DC396) davidc@APNIC.NET +81-3-5500-0480 (FAX) +81-3-5500-0481
Why did you delete the part that tells people to query the APNIC server to see who we delegated the block to? The rest of the response is: Domain System inverse mapping provided by: JATZ.AARNET.EDU.AU 139.130.204.4 TECKLA.APNIC.NET 202.12.28.129 NS.KRNIC.NET 202.30.64.21 NS.RIPE.NET 193.0.0.193 MOZART.TECHNET.SG 192.169.33.107 RS0.INTERNIC.NET 198.41.0.5 *** please refer to whois.apnic.net for more information *** *** before contacting APNIC *** *** use whois -h whois.apnic.net <object> *** Record last updated on 11-Mar-97. Database last updated on 14-May-97 06:13:23 EDT. The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information. PLEASE note the lines prefixed and suffixed with '***'. Thanks, -drc
On Tue, 13 May 1997, David Stoddard wrote:
of our engineers called them this afternoon, they said they were innocent because someone was using them as a relay -- nice try, but if they were a relay, we should not have seen any messages other than those destined for addresses on our network. Instead, we got the entire spam feed. They even went so far as to insert forged Received headers into the messages to try and throw us off.
Maybe in this case you were being sharked, but before we got everything clamped down on our servers we saw a number of spammers who were 'multi-hopping' their UCE and including faking headers and sending false HELO data. The excerpt below from my archives shows them bouncing mail off our server, to iea.com, and then to AOL. The real originator was at rmii.com, but they attempted to put in some semi-fake headers before that. I guess the moral of the story is "trust no one, and filter, filter, filter..." Sad, but true. Ed -------- Ed Landa ComStar Communications Corp. 770-333-8779 ----------------------- Headers --------------------------------
From secretshopping@infinite.com Thu Apr 17 05:22:57 1997 Return-Path: <secretshopping@infinite.com> Received: from comtch.iea.com (comtch.iea.com [198.17.249.2]) by emin41.mail.aol.com (8.8.5/8.8.5/AOL-2.0.0) with ESMTP id FAA02072; Thu, 17 Apr 1997 05:22:55 -0400 (EDT) From: secretshopping@infinite.com Received: from matlock.comstar.net (matlock.comstar.net [207.15.208.2]) by comtch.iea.com (8.8.5/8.8.5) with ESMTP id JAA19149; Thu, 17 Apr 1997 09:22:49 GMT Received: from comstar.net (slip156.rmii.com [166.93.1.56]) by matlock.comstar.net (8.8.5/8.7.1) with SMTP id FAA01899; Thu, 17 Apr 1997 05:22:46 -0400 Received: from You&I@infinite.com by infinite.com (8.8.5/8.6.5) with SMTP id GAA08242 for <You&I@infinite.com>; Thu, 17 Apr 1997 01:22:10 -0600 (EST) To: You&I@infinite.com Message-ID: <1992077.777@infinite.com> Date: Thu, 17 Apr 97 01:22:10 EST Subject: Why not make money shopping. . . instead of spending money! X-PMFLAGS: 128 0 X-UIDL: 1234567891011121314151617181920mabcdefghijk Comments: Authenticated sender is <powerinfo@infinite.com>
participants (6)
-
David R. Conrad
-
David Stoddard
-
dorn@atl.eni.net
-
Ed Landa
-
Geoff White
-
Jesse Caulfield