North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Is there anyone at Netcom with a clue

  • From: Ehud Gavron
  • Date: Mon Mar 01 18:23:12 1999

If there's anyone at Netcom who can read English, I'd appreciate a
hand.  The operational item is that ongoing abuse is being ignored,
and shunted into form-letters that look stupid.

--- Begin Message ---
>Content-type: TEXT/PLAIN; CHARSET=ISO-8859-1
>Content-Transfer-Encoding: 7BIT

>Netcom, despite there being nothing linking US to the spam below,
>your customer ([email protected]) has been sending this shit
>to every possible address he can think of at our domain.

>Despite my comment that
>	1. he's clueless
>	2. there's nothing in there related to US, our clients, or
>	   our network, he won't stop
>	3. here's his stupid response where he claims a "division"
>	   of our company yada yada yada.

>We have no divisions.
>We have no users.
>Our customers are large corporate networks that don't do spam,
>and are not mentioned in the spam below.

>Nevertheless, we think your user has wasted enough of our time.
>Please remove him as per your 'harrassing' section of your AUP
>and let us know what's been done.


>ACES Research,
>[**** Insert text here ****]

>Content-type: MESSAGE/RFC822

>Return-path: [email protected]
>Received: from ([])
> by ACES.COM (PMDF V5.2-27 #9830) with ESMTP id <[email protected]>
> for [email protected] (ORCPT rfc822;[email protected]); Thu,
> 25 Feb 1999 22:08:21 -0700 (MST)
>Received: (from [email protected]) by (8.8.4/8.8.4)
> id XAA20736 for <[email protected]>; Thu, 25 Feb 1999 23:08:18 -0600 (CST)
>Received: from
> by via smap (V1.3)	id rma020660; Thu Feb 25 23:08:04 1999
>Date: Thu, 25 Feb 1999 23:12:01 -0600
>From: Kevin Nelson <[email protected]>
>Subject: Re: [Fwd: Returned mail: User unknown]
>To: Ehud Gavron <[email protected]>
>Message-id: <[email protected]>
>MIME-version: 1.0
>X-Mailer: Mozilla 4.5 [en] (Win98; U)
>Content-type: text/plain; charset=iso-8859-1
>X-Accept-Language: en
>Original-recipient: rfc822;[email protected]
>Content-Transfer-Encoding: quoted-printable
>X-MIME-Autoconverted: from 8bit to quoted-printable by id AAA00622

>actually using traceroute I found you. it came from a division of your co=
>mpany, I
>shall go higher now.

>Ehud Gavron wrote:

>> Why do you keep sending this to us?  It's clear that this spam didn't
>> originate from us or our clients.  Stop forwarding it to more and more
>> addresses -- we have nothing to do with it.
>> Cheers,
>> Ehud Gavron
>> ACES Research, Inc.
>> >-------- Original Message --------
>> >Subject: Returned mail: User unknown
>> >Date: Wed, 24 Feb 1999 00:27:30 -0600 (CST)
>> >From: Mail Delivery Subsystem <[email protected]>
>> >To: <[email protected]>
>> >The original message was received at Wed, 24 Feb 1999 00:27:25 -0600
>> >(CST)
>> >from [email protected]
>> >   ----- The following addresses had permanent fatal errors -----
>> ><[email protected]>
>> >   ----- Transcript of session follows -----
>> >... while talking to
>> >>>> RCPT To:<[email protected]>
>> ><<< 550 5.1.1 unknown or illegal user: [email protected]
>> >550 <[email protected]>... User unknown
>> >   ----- Original message follows -----
>> >Return-Path: <[email protected]>
>> >Received: (from [email protected])
>> >          by (8.8.4/8.8.4)
>> >         id AAA12681 for <[email protected]>; Wed, 24 Feb 1999 00:27:25 -=
>> >(CST)
>> >Received: from by
>> > via smap (V1.3)
>> >       id rma012666; Wed Feb 24 00:27:01 1999
>> >Message-ID: <[email protected]>
>> >Date: Wed, 24 Feb 1999 00:30:47 -0600
>> >From: Kevin Nelson <[email protected]>
>> >X-Mailer: Mozilla 4.5 [en] (Win98; U)
>> >X-Accept-Language: en
>> >MIME-Version: 1.0
>> >To: [email protected]
>> >Subject: [Fwd: Does your Hosting Company pay you?]
>> >Content-Type: text/plain; charset=3Diso-8859-1
>> >Content-Transfer-Encoding: 8bit
>> >-------- Original Message --------
>> >Return-Path: <[email protected]>
>> >Received: from ([])by
>> > (8.8.7-s-4/8.8.7/(NETCOM v1.01)) with SMTP id
>> >WAA14197; for <[email protected]>; Tue, 23 Feb 1999 22:15:17 -0800
>> >(PST)
>> >Received: from
>> >( []) by
>> >(NTMail 3.02.13) with ESMTP id fa017087 for <[email protected]>;
>> >Tue, 23 Feb 1999 15:41:38 -0500
>> >Date: Tue, 23 Feb 99 15:29:41 EST
>> >From: [email protected]
>> >To: red
>> >Subject: Does your Hosting Company pay you?
>> >Message-ID: <wed>
>> >Reply-To: wed
>> >X-Mozilla-Status: 8001
>> >X-Mozilla-Status2: 00000000
>> >X-UIDL: A8E9AE5356603F3FAD01E529E51C6FD3
>> >We would like to wish you a very Happy and Prosperous
>> >1999! We hope your online business is doing well.
>> >Have you considered where you want to be in the year 2000
>> >with your online business? Are you providing your contacts the
>> >information and online marketing tools that build relationships?
>> >We would like to offer you two unique solutions to consider.
>> >1) A =93one of a kind=94 PC based database management
>> >software that completely automates your follow-up.
>> >2) A Premier Web Hosting package for under
>> >$25/month.; A =93full service=94 feature packed plan simply
>> >not offered anywhere at this price. Plus you're paid
>> >residual income for referrals and their referrals and
>> >so on down 4 levels and a $20 fast start bonus for each!
>> >For more information feel free to call us or fill out this online
>> >form and someone from our office will get in touch with you.
>> ><A
>> >HREF=3D"";>
>> >Powerful PC-based desktop software helps you
>> >make maximum advantage of email: The perfect
>> >follow-up software to manage all your contacts
>> >and automate your follow-up. Convert more leads
>> >into sales and get more bang from your advertising
>> >dollars by putting your email follow up on autopilot!
>> >Ask about the FREE Two-tiered reseller program
>> >also available.
>> >2) Not All Hosting Companies Are Created Equal!
>> >Do you know how important your Web Hosting
>> >company is to your Internet sales. You will learn
>> >about a company that can provide you the
>> >performance, speed, experience and support you
>> >need to compete in Today's Internet of big bandwidth
>> >and fast websites. And they pay you RESIDUAL
>> >income for referring people to the absolute best value
>> >on the Internet.;
>> >Premier Hosting and Web Development products
>> >at unheard of prices. The complete package for only
>> >$24.95/month.
>> >Automatically qualify as a distributor and get your
>> >own replicating Website to promote your new Hosting
>> >Business for FREE. Plus a complete online =93REAL TIME=94
>> >downline, genealogy and up to the minute commission
>> >tracking!!!
>> >Come see the future of Web Hosting=85=85.
>> >* 30 meg Website with FULL ACCESS on Award
>> >winning ultra-fast UNIX servers.
>> >* Your web pages will load lighting fast from the 2nd
>> >largest web hosting facility in the World and Yahoo is
>> >across the isle! Plus the most experienced engineers
>> >and programmers on staff 24/7.
>> >* UNLIMITED POP EMAIL Accounts &amp; browser based
>> >email with FREE UNLIMITED Autoresponders!
>> >* FREE SECURE SERVER! With FREE Shopping
>> >Cart system to provide the commerce solutions you need!
>> >* Web based software to automatically add your own
>> >metatags and SUBMIT your Website to the 20 major
>> >search engines from ONE FORM as often as you want.
>> >* Complete control and access with ftp, CGI-bin etc.
>> >Know your website traffic patterns without counters
>> >broadcasting it to the world.
>> >For more information feel free to call us or fill out this online
>> >form and someone from our office will get in touch with you.
>> ><A
>> >HREF=3D"";>
>> >If you would like to be removed form our list click here,
>> ><A HREF=3D"";>Take me to the remove
>> >list/</A>,
>> >and fill in the needed information.
>> >Best Wishes,
>> >Diane
>> >Prosper 2000
>> >888-389-2912



We appreciate your email.  Because of your efforts and many others Netcom
is able to find and address abusers using our Network.  We have examined
the headers of the message you have forwarded to us, and determined in
this case:

	It did not originate from a NETCOM user
        It did not advertise a site hosted by NETCOM
        The reply to address (if Netcom) is fake/forged

While there may be a NETCOM account name listed somewhere in the message,
or references "" it is forged.  It is not uncommon for
spammers to forged headers to include "netcom" somewhere in them.

Forwarding SPAM to [email protected]
Please realize the importance of contacting the *originating* domain when
you receive spam.  

The only time you should contact NETCOM in regards to spam is if you
determine it originated from NETCOM.  If you determine it originated 
elsewhere, it's important you contact that domain. 

Getting SPAM? Want it to stop?
Consider using an email program that supports filters.  You can filter on
domains, subject line words, and content key words to drastically reduce
SPAM.  Most modern email programs have filtering capabilities.

Other Prevention Techniques
There are many other ways that your email address can be obtained over the
Internet by bulk mailers:

        NEVER Respond to requests to remove your name.  Spammers use
        this as a way or verifying that your address is valid.
        * We recommend just deleting the mail. Do not reply to them
        or follow removal procedures.  Once your address is
        verified as valid it will be sold thus the problem becomes
        worse. *

        Random list generators.  E.g. choosing common usernames.
        Example of random lists:

                [email protected]
                [email protected]
                [email protected] (etc etc)

        Avoid having a common username, i.e. [email protected]
        or having something to easy to guess at or a username 
        found in the dictionary

        Some web pages can get information regarding email addresses,
        host IP, type of computer, program used for access, files and
        pages viewed, where you came from and what pages you went to.

        Usernames can also be found through postings to Usenet
        newsgroups or mailing lists.

More notes about the spam you received
Please keep in mind, that if you see, DFW-IX*.IX.NETCOM.COM in the headers
this is our mail-relay server. These servers cannot originate mail, they
can in some instances relay mail. However, the received-by or
received-from line below the DFW line must be the originator, no matter
how forged it appears to be.

We do have software installed on our servers to prevent mail relaying,
however, very small quantities of relay spam do slip through sometimes.
Literally thousands of attempted relays are blocked every day.  To see a
daily log of these attempts visit the newsgroup: 

- Marc
NETCOM Policy Management

NETCOM On-Line Communication Services, Inc.          [email protected]
NETCOM Policy Management:   (408) 881-3499           M-F 9AM-5PM PST
24-Hour Technical Support:  (408) 881-1810       [email protected]

--- End Message ---