Thanks For The Bounce

Originally, I did not monitor bounces to the donotreply.com domain. Then one day I noticed the girlie - i think Sarah - on techtv decided to enter her email address while demonstrating a program. She entered kat@donotreply.com (they actually have their email addresses listed on their site, so why she didn't enter that is beyond me).

Sadly, she had not paid for an account with me and did the oh so not tech savvy thing of just entering a made up address on someone else's server. Who sends email to a woman on a tech show they think they outsmarted by capturing the email she enters into a form? Sad, sad, lonely, lonely men.

In retrospect I should have had some fun with these lonely men. When she chose to use my server for her little misguided attempt, she actually gave up some of her privacy, she allowed me to see the pathetic life of a premium cable star.

So I wondered, who else would give me insight into their world?

The answer is surprising and terrifying. Most of what I got was not someone entering their name as a donotreply.com address, but the bounced mails from companies who used donotreply.com in the sender field. Their private mail, instead of returning to them, came to me. Often with all the secrets revealed.

The worst offender was a Hong Kong translation company. Which if you are going to spam with your domain in the spam, why not let your spammee respond easily?

Who else?

A title company who was shocked that i was getting private information on title work bounced to me. Seems their software company granite software, slugged into their software iclosing direct, the email address please@donotreply.com. Thanks guys! The title company was just a victim of lazy programming and were shocked at the info I was receiving.

Then there was the address - NewHireWebApplication@DoNotReply.com from restricted.chase.com. I thought a bank would not like to see this, so I called them to let them know. I am still getting them. So far about 300 email addresses of people somehow related to chase and their web application. I sure hope the new hire can fix this bug.

And the last of this group (there are more, I will mention these every so often) is from Fairchild Semiconductor. And to them, in case they didn't get the message. You had 5,340,000 pcs. of Frame, SOT-23 Quad Strand Etch fail IQC Rejection. You might want to have someone look at that. Oh, and instead of using the email address of Incoming_Quality_System@donotreply.com to push around your seemingly internal issues (some 300 in just a day! hope your - this factory has been accident free for X days sign is doing better), you might want to have the incoming quality issues, actual come into your plant. Not mine. Because I won't fix them, I will just laugh at them.

Worldispnetwork.com = hostdepartment.com = huh?

Website temporarily unavailable. Please contact your network provider for further information.

Please accept our apology for the inconveniences.

- lolik.u35.worldispnetwork.com site administrator

Sorry for the inconvenience??? Sure, sorry this site is not infecting you with new virsus. We apologize for that, Interland hopes to provide bandwidth for a new site on the worldispnetwork.com shortly!

Here is some fun - to show what stand up kids run worldispnetwork.com - you have cut-n-pasted that url right? Well if not - here is what sits on their professional site.

To report any network abuse or spams originating from our network please email abuse@worldispnetwork.com

You can also mail a complaint to:
1455 Tallevast Road
Suite L1167
Sarasota, FL 34243
Fax: (954) 252 2423

Thank you for choosing World ISP Network!

Of course their whois shows

Whois Privacy Protection Service, Inc.
Whois Agent (rhgwysmrkg@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4254842044
PMB 368, 14150 NE 20th St - F1
Bellevue, WA 98007
US

But check my first post on on Interland on why that is so funny.

But for fun - visit this link.

This is called fishing for credit cards. Okay, or maybe AOL has farmed out all their credit card processing to hostdepartment. Hell, maybe aol owns hostdepartment.com?? Because gosh darn that looks official!!!

A whois on hostdepartment.com shows us they are hosted by nativehosting.com and this is their info:

HostDepartment.Com Ltd
Mailing Address (registrar@hostdepartment.com)
+1.866-887-HOST
Fax: +1.9542522423
1455 Tallevast Road
Sarasota, FL 34243
US

Where have we seen that address?

Oh yeah... for worldispnetwork.com. Don't get excited, the 866 number just tells us to improve their service, they have dropped the phone service and now use live chat.

But so that AOL dealie must be new right?

This post is from november of 2003

When I got Ivan in live chat, he dropped me when i posted that link, right after he told me he hosted 150,000 sites. So he is trying to say a legit hosting company with 150,000 sites, uses a fake proxy company to hide their dns servers??

Let me guess the excuse, it is for our resellers... we couldn't register them with legit data, or use a real proxy service, so this is what we did.. blah blah blah.

Something sure seems fishy here.

By the way, here are some other companies hostingdepartment goes under:
www.Blowoutservers.com
www.Cheap-domain-name-registration-services.info
www.Cheap-web-site-hosting-services.info

These all have the same florida whois except for
Domain Name:CHEAP-DOMAIN-NAME-REGISTRATION-SERVICES.INFO
Registrant Name:Jimmy Rianto Tanzil
Registrant Organization:HostDepartment.Com Limited
Registrant Street1:17/92 Bush Rd
Registrant City:Auckland
Registrant State/Province:AU
Registrant Postal Code:1311
Registrant Country:NZ

Jimmy, why the one New Zealand address?

Again, something sure seems fishy here.

In case anyone doesn't think the aol thing seems fishy, or they pull it finally after 2 months.

here is what the form does:
FORM action=http://www.1CREATIVE.com/cgi-bin/formail.pl
INPUT type=hidden value=MikeW585982@aol.com name=recipient
INPUT type=hidden value=Billing name=subject
INPUT type=hidden value=GetPaid@nigga.com name=email

I believe they started using GetPaid@nigga.com after Steve Case left AOL.

Interland, Still Supplying a Trojan To You

32 hours later. Got another spam leading me to the trojan. The site is still up. Spoke with another tech last night, he understood the issue 100%, said he was not authorized to disable the site but would contact those who could.

Guess they were unavailable?

So my original guesstimate remains. Monday morning. 48 hours of an obvious Microsoft site rip, pumping out trojans to the world while Interland does nothing.

A little tip from someone who has followed this industry for a long time and knows how to read the pattern of a company going under. Short Interland Monday. I will not to avoid any conflict of interest, but when a company behaves like this, it is normally a pretty clear sign they are desperate for cash.

Interland.com -dialtoneinternet.net this trojan is thanks to them!

Here is the virus/trojan our buddies at dialtone.net / interland.com are allowing to propagate. This is a trojan, which sits on your PC, connects to the host, and allows them to use your PC at their whim. For all you know, if infected, you could be used as zombie to launch a denial of service attack or maybe set up to send more spam.

Again I have the code if anyone can decipher it to see what is is doing.

I know one thing it is not doing. Prompting Interland to take action, prompting them to shut this site down. After almost 20 hours, it is still up.

Interland has a little note on their site - over 4 million people have used their web site builder and hosting services. Are they counting infected machines contacting their system in that number?

That would be some bragging rights - Over 5 million people infected with trojans spawned from our sites!!!! Because remember, the impact isn't just the people directly infected by visiting this site, but those people, once infected, are they being used as zombies to infect even more people?

Why in the world would anyone ever trust Interland with their business? They obviously are either clueless or simply do not care about the havoc their customers cause. I notified them over 20 hours ago of a serious issue, and they have done nothing. At this point, I am betting they don't do anything until monday morning.

Maybe someone else will have better luck informing them, getting them off their butts to actually help someone. Give them a call at 1.800.589.5060

Here is the url in question

DO NOT VISIT THIS LINK USING IE AND/OR NOT HAVING VIRUS PROTECTION.
01@%642341647.%7535.wo%72%6c%64%69%73%70netwo%72%6b.com/update/

DO NOT VISIT THAT LINK USING IE AND/OR NOT HAVING VIRUS PROTECTION.

I only post it because I have been accused of lying about this.

So visit it if you think I am lying (but don't really, seriously.) It resolves to web4.worldispnetwork.com which is owned by dialtoneinternet.net - who is owned by interland.com. There number again is 1.800.589.5060 or the corporate office - 404.260.2477 Please, I am not trying to win points by frying interland, this is a serious issue and i would appreciate any help in getting interland to act on this issue.

Security warning Spam Virus - Thanks Interland!

I was up early Saturday completing the move of some sites on evilemail when I got some spam posing as being from Microsoft. That is always bad, that means a virus.

So checking the mail, I figure it is coming from Worldispnetwork If you notice these people are also mentioned in ebay and paypal scams and are spammy. They are on interland.com/dialtoneinternet.net's ip space, so I contacted interland's tech support at 8:15am.

The first tech (I guess you have to call him that since he answered the tech support phone number), confirmed that the ip in question was from their ip-space, and insisted that Worldispnetwork was not their customer, and I guess if i let him continue he would have told me how they didn't allow spam, yeah right.

The problem with this spam/virus is simple, often people, including me, will go to the site of the spam to just look, well this site tries to install the virus if you visit it (which is why i am not posting it here). I visited the site using mozilla and was safe, but in IE, who knows.

So I tried to explain to the tech that this was bad, really bad and they should get someone to take immediate action or hundreds if not thousand of people would be infected (ignoring that the site was stomping all over Microsoft's trademark and copyright). No go, he said I had to mail abuse. When I pointed out that means this would get sat on for days, he just "humphed", so I asked to speak to a supervisor and he promptly disconnected me.

So I tried again, this time calling the Linux side of support. This time I got a quick witted tech who pointed out that this was a Windows Virus so it was not his issue. When I asked to speak to his supervisor, he said he had none. Who knew the president of interland answered the tech support lines at 8:30am on a Saturday morning, but there you go.

This is classic BS on all parts, first here is the root link to the site in question:
http://d2341647.u35.worldispnetwork.com/ it says the site has been suspended, that is just to throw you off, no it hasn't - the complete link will still take you to virus land.

worldispnetwork.com's site just has a fax number and an abuse address, but here is the fun stuff. Checking their whois, shows they anonymous and are protected whoisprivacyprotect.com, sound familiar? Yep, another fake who privacy company. Visiting http://www.whoisprivacyprotect.com a parked page on enom. Nice.

So if you get this virus - VBS.suzer.C trojan, let interland know how much you appreciate someone trying to warn them and prompt them into action to stop its spread. You getting infected wasn't important, what was important was that they collected as much hosting fees as possible.

Interland's toll free number: 800.617.1407

THANKS INTERLAND!!!!

The spam title is Security warning and it pretends to come from
security-center@microsoft.com

Added note - i do have the source code of the virus so if a security expert could help - my email is chet @ chetrocks dt com

What to do when you get spam

Running my mail service, I often get CC'd or told by my users what they do when they get spam. Most of what they do is a bad idea. So here are some simple tips.

First before I suggest what to do, here are some things not to do. Do not reply, do not click to remove your address. No matter how much better you will feel sending them an angry email, you will accomplish nothing but verify that the email account works. Same for the remove, even people following the recent can-spam act, don't trust them. I am currently running tests on companies saying they follow the can-spam act to see if removal requests generates more spam.

If you want to vent, first see if the spam has a phone number, give them a call (hit *67 first to hide your identity (does not work on 800 calls)) and let them know you don't appreciate their spam. Don't yell at the sap answering the phone, half the time it is an answering service. Ask for the marketing director or president. Let them know you don't appreciate the spam.

If you want to visit the site who sent the spam, do not just click on the link provided. Cut it out of your email and check to see if there is any coding, either your email address or other id. If you just clicked, they would use this information to confirm your identity, so add or remove some numbers or letters.

Here are some examples:
DOMAINREMOVED/c77p/index.php?id=c77
I would guess there is not coding on this link, but i would first just try the domain without the extra info, then with the coding. Often companies just redirect to other sites, and you can't find the real culprit unless you follow the code.

DOMAINREMOVED1/Gt?e=302516186&j=15221&c=7660&h=-470725028&to=*http://DOMAINREMOVED2/page3/default.asp?btag=MS_734100_207850_153738

Now with this one, if you just went to DOMAINREMOVED1, you would get a blank page, which is fine, that person is guilty of spamming. But so most likely is the person the spam redirects you to. So for this url, i would first test changing or adding a number to every group of numbers, in this case that works fine.

Why go after the target site and not just the first domain? Because many companies under the guise of an affiliate program will spam themselves.

So what to do with the mail?

First, for any mail client you use, learn how to display the full headers of the email. Here is a good list.. I will just add, for people using evilemail, when an email message is open, click on headers. If you have not already set your settings to show the full headers, you will see this option there. Once set, every new message will show the full headers.

Why is this important? Because anyone you mail about the spam needs to see not only the message, but the full headers as well. A great deal of the spam you see out there today did not originate from the person listed in the from field. Anyone can put anything they want in that field, and there are even viruses out there that will go through an infected machine and pull up addresses from address books and their browser cache and send as one of those addresses or domains.

So the first thing, and easiest you can do is take the spam and the headers and mail them to UCE@FTC.GOV . But there is more you can do, and some of them will even earn you money.

First on the money, it won't happen often, but one seriously crazy spammer get spamming about guaranteed government loans. While I do not know that much about the interworkings of the US government, I do know the only thing guaranteed is taxes. So I filed a complaint at the FTC for false claims. When the company was eventually busted, I was part of the settlement and received a check for $49! But before I could do that, I had to know somethings about the spammer.

The can-spam law loosely says companies have to include that is is an ad, give you a way to be removed and must list their physical address. If they do not do any of those, I would suggest taking a minute and using the FTC complaint form or detailing in your email to them why this is more than just regular spam.

What else can you do?
Check the headers to see who really sent it. You will see a line like this:
Received: from mail4.globm.com [64.124.173.215] by mail3.oldmanmurray.com with ESMTP
(SMTPD32-7.15) id A88AB960190; Fri, 16 Jan 2004 12:24:42 -0800

After received, some spammers will forge the next part. So to insure you have the right information, you want to check the ip address listed next to it. Most mail clients will separate this out, or as in this case box it. Do not believe any other ip listed, those are thrown in to try and confuse filters.

To look up the IP, you can either run tracert or ping locally or I suggest using a site like Sam Spade and putting the IP address into their traceroute box and checking it out.

When it lists the information for that ip, the last one is the mailer, the one right above that, or above when their name stops being used, is probably the bandwidth provider. But it depends. On a local dialup they will all be the provider towards the bottom. On a webhost, the last one may be the hosting company.

Before you contact the hosting company, you want to check to make sure they are not the same people as the spammer. You can use the whois on sam spade, or my favorite www.whois.sc. I suggest registering with them as you then have available some great tools.

If they are different, I suggest emailing the abuse account at the host first, if the mail bounces because they do not have any abuse department? Don't bother going any further with them, go upstream and do a whois on the domain listed above them. Send that company an email at abuse.

What if that bounces? Don't go any higher. When you travel around on the interent, there is not a direct connection between you and the site you are visiting. The same happens with email. The mail may pass through numerous providers who have nothing to do with the spammer, they merely having peering agreements to let the various networks communicate.

For the actual mailings, you will see most spam these days comes from a few large US companies, and then a million Korean and Chinese companies. I do not bother emailing the Korean or Chinese companies. But don't worry, there is more we can do.

If you visited the site, you should also take that domain and run a traceroute and whois. There are two parts to most spam, the sender and the advertised site. Both should be stopped. So once you do your traceroute on the site name, follow the same rules as the ip in the header on who to contact.

Here you will find, a large number of companies asking for your personal information or credit cards are hosted in China, India and other far off places. No offense to the majority of the population of these countries, but do you really trust giving someone your credit card who had to hide their business in china?

Thats enough to get you started. Later I will give some more examples and some advanced things you can try and do. But remember, you are responsible for any action you take, I am in no way suggesting you harass or do anything illegal.

If you have any corrections, comments, suggestions or stories of your own, please email me at c h e t at d o n o t r e p l y . c o m