North American Network Operators Group


Re: contact for the world etc (nanog)

  • From: David A. Ulevitch
  • Date: Tue Dec 14 14:31:00 2004

The text the guy cites isn't from our staff, we don't even have an
auto-ack system. Maybe it's from some customer or maybe entirely
forged, he doesn't include any headers and seems to just want to vent.

Barry, we can follow up offlist.

Here's the full text of the email (one of quite a few just yesterday).

I'm unsure how abuse desks are supposed to even deal with things like this. We've plonked the user but we have no way to let you know. We also have no way of getting you to actually email [email protected] instead of my personal email address.


Received: (qmail 25489 invoked by uid 114); 14 Dec 2004 06:15:37 -0000
Received: from by fiona (envelope-from <[email protected]>, uid 106) with qmail-scanner-1.24
(clamdscan: 0.80/614. spamassassin: 3.0.1.
Processed in 3.873291 secs); 14 Dec 2004 06:15:37 -0000
X-Spam-Status: No, hits=4.4 required=5.0
X-Spam-Level: ++++
Received: from (HELO (
by with SMTP; 14 Dec 2004 06:15:33 -0000
Received: (from [email protected])
by (8.12.8p1/8.12.8) id iBE6ACu2008864;
Tue, 14 Dec 2004 01:10:12 -0500
Date: Tue, 14 Dec 2004 01:10:12 -0500
Message-Id: <[email protected]>
To: [email protected]
References: <[email protected]>
In-Reply-To: <[email protected]>
From: [email protected] (Mail Delivery Subsystem)
Subject: EVERYDNS piracy spams not allowed
X-Mailer: SpamStopper
Cc: [email protected], [email protected], [email protected]

This is an automated mailing in response to your spamvertisement for
pirated software - and porn websites purporting to depict images of rape.

If you are receiving this message it is likely because you are a spammer.

Perhaps you host the site of the spammer, last seen at
(APPZPLANET.COM; APPZPLA.NET). Then, you are a spammer.

DNS for this netblock is owned by, administered by,
and zone-transferred by (possibly illegally) to EV1.NET's spammer-
service subsidiary "EVERYDNS.NET" - also known as,,, etc.

domain: HOBOT.RU
phone: +7 095 7967750
e-mail: [email protected]
created: 2000.04.03
paid-till: 2005.05.01
source: TC-RIPN has address has address has address has address

EVERYDNS.NET however is currently aliased to at is the responsible party for these and a huge number of other
recent spams that tout illegal and fraudulent products, services and content.

OrgName: Inc.
Address: 333 S. Beverly Drive
Address: Suite 207
City: Beverly Hills
StateProv: CA
PostalCode: 90212
Country: US

NetRange: -
NetName: COLOC1-LVLT-64-158-219
NetHandle: NET-64-158-219-0-1
Parent: NET-64-152-0-0-1
NetType: Reassigned
RegDate: 2004-05-24
Updated: 2004-05-24

OrgTechHandle: TECHN143-ARIN
OrgTechName: Technical
OrgTechPhone: +1-310-286-1107
OrgTechEmail: [email protected]

This spammer has been scanning networks worldwide in order to exploit
any found "open SMTP proxies". He is also documented to have broken
into zombied machines to use their DSL connections for spam transmission
and, as previously stated, transferring DNS zones to mask the origins of
both his spams and websites.

Thus a spammer, a software pirate AND a burglar.

A criminal, in any event.

The unread message which you just sent to an unassigned address on our
network, and which follows, has already been sent to law enforcement

Hopefully you will be sent to them as well, shortly.

[Administrators and legal/investigative officials reading this:
We urge you to consider a course of action which will result in
termination of all services to the above-referenced hosts and
netblocks as soon as administratively possible - a more permanent
solution pending completion of any additional investigation.

Regarding those investigations we may be counted upon to furnish
any additional documentation we can offer to assist in prosecution,
and to ensure civil liability.]

----- Original message follows, unread -----

From [email protected] Tue Dec 14 01:10:11 2004
Received: from ( [])
by (8.12.8p1/8.12.8) with ESMTP id iBE69kja005923
for <[email protected]>; Tue, 14 Dec 2004 01:09:47 -0500
Received: from unknown (HELO localhost) (
by with SMTP; Tue, 14 Dec 2004 06:18:14 +0000
Received: from ([])
by (IMP) with HTTP
for <[email protected]>; Tue, 14 Dec 2004 06:18:14 +0000
Message-ID: <[email protected]>
From: "Mike" <[email protected]>
To: "Benny" <[email protected]>
Subject: Any software backups for lowest pricest.
Date: Tue, 14 Dec 2004 06:18:14 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.2

<P>2005 is just a few days away. Start the new year with a much needed software
<P>Tired of your old Windows system? Get XP Professional here for only $33 ($170
cheaper than stores):<BR><A href="";></A></P>
<P>Your old Office program no longer state of the art? Get the superb Office
2003 here for $38 less than retail:<BR><A
<P>View our full software selection. Whether you need new virus software, art
and graphical software or anything else,<BR>we have it - and so much cheaper
than the stores. =)</P>
<P><A href="";></A> or <A