In this episode, we're going to talk about spammers, and the people who try to get away with it. Some even have the nerve to try to seek compensation for "loss of business" when we terminate their account due to the abuse reports that start flowing in.
Generally, if someone calls us and asks, "Do you block port 25?", red flags go up, and we give them a fairly standardized answer. We tell them, "No, you are given an IP address when you connect, and there are no filters between that IP and the rest of the world. However, per our terms of service agreement, if you use our service to send out bulk, unsolicited e-mail, and we receive any abuse reports which are tracked back to your account, your account will be terminated immediately, without refund."
Our dial-up lines are set up like those of many other small ISPs. We have ISDN PRI lines coming into our facility, terminated into Ascend Max 4048 Remote Access Servers. Those Maxes are plugged into an ethernet switch; one of the ethernet ports on our main border router is also plugged into that switch, and the Maxes use that router as their default gateway. That border router has several dedicated connections to the Internet, and there are no access control lists and no firewalling on any of those interfaces. Anyone connected to the Maxes has a straight, unfiltered path to the rest of the world.
Our story starts on Monday, February 4th, 2002, when we opened a new account for a man who called and asked the magic question, "Do you block port 25?". After receiving a close adaptation of the statement above from one of our support technicians, he agreed and asked to go ahead and start an account. We happily obliged and collected all of the necessary accounting information. Then he came by our office with a check for the first month, and we activated his account.
A short time later, he called to speak to one of our support technicians and asked why we were blocking him from using port 25. Our technician was puzzled by the question, but assured him that between his modem connection and the outside world there is nothing on our network that will block him from making connections anywhere on port 25.
He must have figured something out, because on February 12 we began receiving abuse reports from SpamCop. After investigating the reports, we determined that the person connected to the IP from which the spam originated was, indeed, this same man who had asked about port 25. Per our Acceptable Use Policy, our abuse technician disabled his account.
The man called to speak to one of our support technicians again, this time to ask why he couldn't connect to our dial-up lines. After looking at the notes on his account, our technician informed him that we had received spam abuse reports originating from that account. The man became outraged and said that he was only e-mailing people who had asked to be e-mailed, and that he had a signed statement from all of them. Our technician explained to him again that we have zero tolerance for spam, and that since we had received abuse reports and the account was locked out for abusive activity, there was nothing he could do. The man then asked to speak to a manager, so our technician passed the call over to our project manager. Our project manager was on the phone for a while, trying to explain that it is our policy to terminate without refund after receiving abuse reports. The man finally hung up in frustration, but not before mentioning that five other ISPs had "cut him off for the same reason."
And, there you have it. No wonder there's so much spam going around out there. There are people like this that actually exist in the world who make it happen.
Here are some examples of the abuse reports. For the most part, they are un-doctored. We have only removed the portions that would disclose e-mail addresses or names. This is to keep more spam from being circulated by web spiders which harvest e-mail addresses for spam lists.
From //e-mail removed// Thu Feb 14 20:27:51 2002
Return-Path: <//e-mail removed//>
Received: from SCUACC.scu.edu (scuacc.scu.edu [22.214.171.124]) by mail-gw.ao.net (8.12.0.Beta19/8.12.0.Beta19/Debian 8.12.0.Beta19) with ESMTP id g1BIk8IA013108 for <[redacted]@ao.net>; Mon, 11 Feb 2002 13:46:14 -0500
Received: from cio ([126.96.36.199]) by scuacc.scu.edu (PMDF V6.0-23 #41421) with SMTP id <01KE58FKQUN8000XPU@scuacc.scu.edu> for [redacted]@ao.net; Mon, 11 Feb 2002 10:45:59 -0800 (PST)
Date: Mon, 11 Feb 2002 10:55:55 -0800
From: //name removed// <//e-mail removed//>
Subject: Junk Mail
To: [redacted]@ao.net
Message-id: <003e01c1b32d$bc551f80$a092d281@cio>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal

[ The following text is in the "iso-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]

Dear Sir/Madam,

Please follow up on the junk message belowed sent via your network. Please reply to us. Otherwise, we will have no choice but to block all mail from "mail.ao.net" on our server.

Thanks
David
System Administrator for //name removed//

Return-Path: <Johnie@mail2world.com>
Received: from mail.ao.net (mail.ao.net [188.8.131.52]) by ceo.deltapath.com (8.11.6/8.8.7) with ESMTP id g1BIf7w15013 for <//e-mail removed//>; Tue, 12 Feb 2002 02:41:08 +0800
Received: from mail.ao.net (port05.max1.ao.net [184.108.40.206]) by mail.ao.net (8.12.0.Beta19/8.12.0.Beta19/Debian 8.12.0.Beta19) with SMTP id g1BIeiIA011393 for <//e-mail removed//>; Mon, 11 Feb 2002 13:40:58 -0500
Message-Id: <200202111840.g1BIeiIA011393@mail.ao.net>
From: "Johnie" <Johnie@mail2world.com>
Date: Mon, 11 Feb 2002 13:38:00
To: //e-mail removed//
Subject: Win $10,000 dummie
MIME-Version: 1.0
Content-Type: text/plain;charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-UIDL: bo]"!jI/!!'2l!!PL2"!

----- Original Message -----
From: "Johnie" <Johnie@mail2world.com>
To: <//e-mail removed//>
Sent: Monday, February 11, 2002 1:38 PM
Subject: Win $10,000 dummie

> MIGHTY MOUNTAINEERS
> COME WALK WITH THE WEST VIRGINIA HISTORICAL SOCIETY AND FIND
> FACTS THAT ARE MORE INTERESTING THAN FICTION.
>
> We wish to introduce you to West Virginia Supreme Court Justice Larry V. Staarcher, and share with you facts which showed up in our research:
>
> YOU MAY WIN UP TO $10,000 FOR THE
> RIGHT ANSWERS TO OUR QUIZ
>
> If you know the answers to the following 10 QUESTIONS, call the numbers below to claim your Prize.
>
> In the spirit of fairness, please do not guess. Sorry if the nmbers may be long distance, but we wish out quiz to get the best results we can achieve.
>
> 1. Question: Why has Larry V. Starcher refused to take a drug test since 1962?
> a. He is afraid of needles;
> b. He has been out of town and could not make an appointment;
> c. He knows what the results will be and is afraid others will reveal this information;
> d. He believes sincerely drug tests do not work;
> e. All of the above;
> f. None of the above.
>
>
>
> Answer: _________________
>
>
> 2. Question: When did Larry V. Starcher first become involved with and succumb to organized crime's wishes?
>
> a. 1981;
> b. 1982;
> c. 1983;
> d. It hapened over a different period of time;
> e. All of above;
> f. None of above.
>
>
> Answer: _______________
>
> 3. Question: Larry Starcher was best liked during what period of time? (This one is tricky so be careful)
> a. His first day as judge;
> b. The day he wet his pants at a high school basketball game;
> c. The day before he was born;
> d. All of the above;
> e. None of the above;
>
>
> Answer: ____________
>
> 4. Question: Did Larry Starcher ever run for any other office than judge and fail?
> a. No.;
> b. He ran for dog catcher and won;
> c. He ran for Sunday School teacher with the Jehovah's Witness Church and won;
> d. He ran for sheriff and lost so bad people laughed at him for 2 years;
> e. All of the above;
> f. None of the above.
>
>
> Answer: ______________
>
> 5. Question: Who made Larry V. Starcher join organized Crime?
> a. Flash Gordon and the space cadets;
> b. His mother and father to make sure he had retirement security;
> c. His attorney, S. J. Angotti;
> d. All of the above;
> e. None of the above.
>
>
> Answer: ________________
>
> 6. Question: If Larry Starcher is a judge, why would he have a lawyer?
> a. He was trying to learn about the law so he could be a good judge;
> b. He was under a federal drug investigation;
> c. He was too young to get into the bar he liked;
> d. All of the above;
> e. None of the above.
>
>
> Answer: _________________
>
> 7. Question: Does/has Larry V. Starcher take/taken drugs?
> a. No one is for sure because he refuses to take a drug test;
> b. His drug use was talked about on the Morgantown radio so everyone knows;
> c. He can not help if his nose runs all the time;
> d. He has been seen using at parties with his friends;
> e. All of the above;
> f. None of the above.
>
>
> Answer: _________________
>
> 8. Question: Who did Larry V. Starcher buy his drugs from when he worked at Legal Aid?
> a. Zorro;
> b The 3 Stooges;
> c. Ex football player and known dealer, Willie Winston;
> d. All of the above;
> e. None of the above.
>
>
> Answer: __________________
>
> 9. Question: Why did Larry V. Starcher's first wife approve him taking drugs?
> a. She thought the cocaine was gotten from his doctor's periscription;
> b. She thoughtpot looked good while growing and adding oxygen in their upstairs rooms;
> c. She did not approve and left him because of drugs, not because of his philandering;
> d. All of the above;
> e. None of the above.
>
>
> Answer: ______________
>
> 10. Question: Why has Larry V. Starcher not been arrested for taking drugs?
> a. He has been and then he forced the cops to let him loose;
> b. He has been, but the records have been sealed;
> c. He is part of organized crime and is immune from arrest;
> d. All of the above;
> e. None of the above.
>
>
> Answer: _________________
>
>
> WARNING: If you think you can guess and call to annoy the people on the other end of the line, those taking answers, please do not or you will piss them off and they just might be bigger than you and give you a poke in the nose. However, if you know something else about Larry V. Starcher that you believe is strange, wrong or you think probably is illegal, you may call this information in and get some extra points for the questions you missed. This contest is in fun, but folks who take advantage of fun are often disliked by others.
>
> In Southern West Virginia call: In Northern West Virginia, call
> (304)347-5136 (304)234-0100
>
> Ask for the person on duty who is taking answers to the Larry Starcher questions. These people are busy, so please only give them facts. Thank you.
>
> Good Luck Hillbillies. Mountaineers are always free!!!!!!!!!!!!!!!!!!!!!!!!
>
> This is an editorial product, which are the beliefs of the author, and reflect the opinons or beliefs of no one other than the author, published to promote good humor, friendship, to polk fun and stimulate hillbilly thinking about what is going on in this great state.
>
> THIS EMAIL IS NEVER SENT OUT UNSOLICITED! You are arreceiving this email because you signed up through one of our selected opt-out offers. Removal instructions appear below. To remove yourself from this mailing list, point your browser to alandarlin@Juno.com Enter your email address (firstname.lastname@example.org) in the field provided and in the subject line type "Unsubscribe" The mailing list ID is "theechurchlady".
>
Here's another one. The content of the spam is the same, so it was left out, but the report and headers have been left. It looks like the person submitting the report left out the e-mail addresses for us.
Return-Path: <email@example.com>
Received: from shelob.julianhaight.com (shelob.julianhaight.com [220.127.116.11]) by mail-gw.ao.net (8.12.0.Beta19/8.12.0.Beta19/Debian 8.12.0.Beta19) with ESMTP id g1BMhRIA006945 for <[redacted]@ao.net>; Mon, 11 Feb 2002 17:43:28 -0500
Received: from spamcop.net (shagrat.julianhaight.com [18.104.22.168]) by shelob.julianhaight.com (8.11.1/8.11.1) with SMTP id g1BMhRp12768 for <[redacted]@ao.net>; Mon, 11 Feb 2002 17:43:27 -0500 (EST) (envelope-from firstname.lastname@example.org)
Received: from [22.214.171.124] by spamcop.net with HTTP; Mon, 11 Feb 2002 22:43:27 GMT
From: email@example.com
To: [redacted]@ao.net
Subject: [SpamCop (126.96.36.199) id:61055084] Win $10,000 dummie
Precedence: list
Message-ID: <firstname.lastname@example.org>
Date: Mon, 11 Feb 2002 15:19:37 -0500
X-Mailer: Mozilla/4.73 [en] (Win95; U) via http://spamcop.net/ v1.3.3

- SpamCop V1.3.3 -
This message is brief for your comfort. Please follow links for details.
http://spamcop.net/w3m?i=z61055084z35ee69dad594ccbfd3b965f38f1b9339z
Email from 188.8.131.52 / Mon, 11 Feb 2002 15:19:37 -0500

Offending message:
Return-Path: <Johnie@mail2world.com>
Received: from mail.ao.net ([184.108.40.206]) by mail.uark.edu (Netscape Messaging Server 4.15) with ESMTP id GRDXT200.VDV for <x>; Mon, 11 Feb 2002 14:19:50 -0600
Received: from mail.ao.net (port05.max1.ao.net [220.127.116.11]) by mail.ao.net (8.12.0.Beta19/8.12.0.Beta19/Debian 8.12.0.Beta19) with SMTP id g1BKJQIA009148 for <x>; Mon, 11 Feb 2002 15:19:37 -0500
Message-Id: <200202112019.g1BKJQIA009148@mail.ao.net>
From: "Johnie" <Johnie@mail2world.com>
Date: Mon, 11 Feb 2002 15:16:35
To: x
Subject: Win $10,000 dummie
MIME-Version: 1.0
Content-Type: text/plain;charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

//content of message snipped//
It doesn't take rocket science to see that these two reports are plainly of spam, even if they do say that they are not unsolicited in the body of the message. I don't care how many folks ask you to send e-mail to them, they're not going to ask you to send them one with "Win $10,000 dummie" in the Subject.
There were several other reports, but they all looked fairly the same, so I'll spare you the details.
The way we determine which one of our customers is sending the unsolicited e-mail is by checking the timestamp in the e-mail from when it originally hit the outgoing e-mail server. We go through the logs and find which account was connected to that dynamic IP at the time the message was originally sent. Here is a copy of that piece of log. We've removed the name of the account and the caller ID phone number to protect the guilty, but it does, indeed, have his account name listed.
Feb 11 12:24:33 max1 ASCEND: slot 4 port 11, LAN session up, //removed// [MBID 295; 407//removed//->1033]
Feb 11 16:34:19 max1 ASCEND: slot 4 port 11, LAN session down, //removed// [MBID 295; 407//removed//->1033]
Feb 11 16:34:20 max1 ASCEND: call 72 CL 0K u=//removed// c=45 p=60 s=53333 r=26400 h=18.104.22.168
He connected at 12:24:33 and disconnected at 16:34:19. The entire time he was connected, his assigned IP address was 22.214.171.124. This matches the time and the originating IP address that the spam reports show, and yes, we are in GMT -0500.
Here is an example of one of the 46,117 lines of log file. This one shows the spam originating from a different IP than the one above.
Feb 11 12:19:05 mail sm-mta: g1BHIQIA023891: from=<Johnie@mail2world.com>, size=6254, class=0, nrcpts=1, msgid=<200202111718.g1BHIQIA023891@mail.ao.net>, proto=SMTP, daemon=MTA, relay=port32.max1.ao.net [126.96.36.199]
We checked through the dial-up logs, and sure enough, it's the same account connected. It looks like in trying to send out all of this data, he flooded himself off of his dial-up connection somewhere in the middle because the time he disconnected was very close to the time that the mail server received the last connection from his IP. In the minute that he was connected, he managed to send out 60 e-mails.
Feb 11 12:18:11 max1 ASCEND: slot 5 port 1, LAN session up, //removed// [MBID 286; 407//removed//->1033]
Feb 11 12:19:57 max1 ASCEND: slot 0 port 0, LAN session down, //removed// [MBID 286; 407//removed//->1033]
Feb 11 12:19:57 max1 ASCEND: call 60 CL 0K u=//removed// c=45 p=60 s=53333 r=26400 h=188.8.131.52
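The lookup just described, as an added Python example that is not the ISP's own tooling: it parses Ascend MAX session lines in the form shown above, attaches the address from the "call ... h=" line to the session it closes, and resolves which account held an address at the instant our mail server stamped the message. It assumes the year 2002 and the GMT -0500 offset stated on this page; the usernames, phone numbers and 10.0.0.x addresses are constructed. It also covers a case the page does not show: the same dynamic address handed to a different account later in the day, which is why the timestamp, not the IP alone, decides.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

LOCAL_TZ = timezone(timedelta(hours=-5))  # the ISP is in GMT -0500, as stated above

# Constructed sample in the Ascend MAX syslog form shown on the page; usernames, phone
# numbers and 10.0.0.x addresses are made up. Note 10.0.0.7 is reassigned to "alice".
MAX_LOG = """\
Feb 11 12:24:33 max1 ASCEND: slot 4 port 11, LAN session up, spammer1 [MBID 295; 4075551212->1033]
Feb 11 16:34:19 max1 ASCEND: slot 4 port 11, LAN session down, spammer1 [MBID 295; 4075551212->1033]
Feb 11 16:34:20 max1 ASCEND: call 72 CL OK u=spammer1 c=45 p=60 s=53333 r=26400 h=10.0.0.7
Feb 11 17:00:00 max1 ASCEND: slot 5 port 1, LAN session up, alice [MBID 301; 4075559876->1033]
Feb 11 18:30:00 max1 ASCEND: slot 5 port 1, LAN session down, alice [MBID 301; 4075559876->1033]
Feb 11 18:30:01 max1 ASCEND: call 73 CL OK u=alice c=45 p=60 s=53333 r=26400 h=10.0.0.7
"""

SESSION_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ ASCEND: .*LAN session (up|down), (\S+) \[MBID (\d+);")
CALL_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ ASCEND: call \d+ CL [0O]K u=(\S+) .* h=([\d.]+)")

def _stamp(text):  # syslog carries no year; 2002 is the year of the incident on this page
    return datetime.strptime(f"2002 {text}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)

def parse_sessions(log):
    """Return {user, start, end, ip} records from Ascend MAX syslog text."""
    sessions = {}
    for line in log.splitlines():
        m = SESSION_RE.match(line)
        if m:
            ts, state, user, mbid = m.groups()
            if state == "up":
                sessions[(user, mbid)] = {"user": user, "start": _stamp(ts), "end": None, "ip": None}
            elif (user, mbid) in sessions:
                sessions[(user, mbid)]["end"] = _stamp(ts)
            continue
        m = CALL_RE.match(line)
        if m:  # the address is only logged on the 'call ... h=' line that follows 'session down',
            _, user, ip = m.groups()  # so attach it to that user's latest closed session
            closed = [s for s in sessions.values() if s["user"] == user and s["end"] and not s["ip"]]
            if closed:
                max(closed, key=lambda s: s["end"])["ip"] = ip
    return list(sessions.values())

def account_for(sessions, ip, mta_received_date):
    """Account that held `ip` when our MTA stamped the message (RFC 2822 date, offset honoured)."""
    when = parsedate_to_datetime(mta_received_date)  # aware, so a +0800 complaint still compares right
    for s in sessions:
        if s["ip"] == ip and s["start"] <= when <= (s["end"] or when):
            return s["user"]
    return None
```

Feed it the date from the Received: line stamped by your own mail server, not the complainant's; the other Received: lines are in someone else's clock and zone.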
His activity generated 10,053,339 bytes of mail server log file alone. He had a recipient list of 11,681 individual, unique e-mail addresses. A search through the log reveals that his activity generated 11,997 individual messages to be sent, which means that some recipients probably received the spam more than once. Of the 11,997 e-mails that went out, 8,767 were actually delivered to their destination. This all means that potentially, we could receive that many abuse reports and our mail server could be put on blacklists, preventing our customers from sending legitimate e-mail. This is why we call it "abuse" and have zero tolerance for it.