nanog mailing list archives

Is there anyone at Netcom with a clue

From: Ehud Gavron <GAVRON () ACES COM>
Date: Mon, 01 Mar 1999 16:21:04 -0700 (MST)

If there's anyone at Netcom who can read English, I'd appreciate a
hand.  The operational item is that ongoing abuse is being ignored,
and shunted into form-letters that look stupid.

Ehud

--- Begin Message --- From: abuse () netcom com (Netcom Policy Management)
Date: Mon, 01 Mar 1999 15:18:40 -0800 (PST)

--Boundary_(ID_8dmTpy0AEgyS8Gy2P+lbpw)
Content-type: TEXT/PLAIN; CHARSET=ISO-8859-1
Content-Transfer-Encoding: 7BIT

Netcom, despite there being nothing linking US to the spam below,
your customer (knelson () ix netcom com) has been sending this shit
to every possible address he can think of at our domain.

Despite my comment that
      1. he's clueless
      2. there's nothing in there related to US, our clients, or
         our network, he won't stop
      3. here's his stupid response where he claims a "division"
         of our company yada yada yada.

We have no divisions.
We have no users.
Our customers are large corporate networks that don't do spam,
and are not mentioned in the spam below.

Nevertheless, we think your user has wasted enough of our time.
Please remove him as per your 'harrassing' section of your AUP
and let us know what's been done.

Cheers,

Ehud,
ACES Research,
Tucson
[**** Insert text here ****]

--Boundary_(ID_8dmTpy0AEgyS8Gy2P+lbpw)
Content-type: MESSAGE/RFC822

Return-path: knelson () ix netcom com
Received: from dfw-ix5.ix.netcom.com ([206.214.98.5])
by ACES.COM (PMDF V5.2-27 #9830) with ESMTP id <01J86CXW57EC8WZ4BH () ACES COM>
for GAVRON () ACES COM (ORCPT rfc822;GAVRON () ACES COM); Thu,
25 Feb 1999 22:08:21 -0700 (MST)
Received: (from smap@localhost) by dfw-ix5.ix.netcom.com (8.8.4/8.8.4)
id XAA20736 for <GAVRON () ACES COM>; Thu, 25 Feb 1999 23:08:18 -0600 (CST)
Received: from stl-mo6-18.ix.netcom.com(204.31.116.210)
by dfw-ix5.ix.netcom.com via smap (V1.3)      id rma020660; Thu Feb 25 23:08:04 1999
Date: Thu, 25 Feb 1999 23:12:01 -0600
From: Kevin Nelson <knelson () ix netcom com>
Subject: Re: [Fwd: Returned mail: User unknown]
To: Ehud Gavron <GAVRON () ACES COM>
Message-id: <36D62D20.10DBA96B () ix netcom com>
MIME-version: 1.0
X-Mailer: Mozilla 4.5 [en] (Win98; U)
Content-type: text/plain; charset=iso-8859-1
X-Accept-Language: en
Original-recipient: rfc822;GAVRON () ACES COM
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by office2.corp.netcom.com id AAA00622

actually using traceroute I found you. it came from a division of your co=
mpany, I
shall go higher now.

Ehud Gavron wrote:

Why do you keep sending this to us?  It's clear that this spam didn't
originate from us or our clients.  Stop forwarding it to more and more
aces.net/aces.com addresses -- we have nothing to do with it.

Cheers,

Ehud Gavron
ACES Research, Inc.

-------- Original Message --------
Subject: Returned mail: User unknown
Date: Wed, 24 Feb 1999 00:27:30 -0600 (CST)
From: Mail Delivery Subsystem <MAILER-DAEMON () ix netcom com>
To: <knelson () ix netcom com>

The original message was received at Wed, 24 Feb 1999 00:27:25 -0600
(CST)
from smap@localhost

  ----- The following addresses had permanent fatal errors -----
<abuse () ACES NET>

  ----- Transcript of session follows -----
... while talking to aces.com.:

RCPT To:<abuse () ACES NET>

<<< 550 5.1.1 unknown or illegal user: abuse () ACES NET
550 <abuse () ACES NET>... User unknown

  ----- Original message follows -----

Return-Path: <knelson () ix netcom com>
Received: (from smap@localhost)
         by dfw-ix4.ix.netcom.com (8.8.4/8.8.4)
        id AAA12681 for <abuse () ACES NET>; Wed, 24 Feb 1999 00:27:25 -=

(CST)
Received: from stl-mo7-18.ix.netcom.com(205.187.206.50) by
dfw-ix4.ix.netcom.com via smap (V1.3)
      id rma012666; Wed Feb 24 00:27:01 1999
Message-ID: <36D39C97.9D153F8B () ix netcom com>
Date: Wed, 24 Feb 1999 00:30:47 -0600
From: Kevin Nelson <knelson () ix netcom com>
X-Mailer: Mozilla 4.5 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: abuse () ACES NET
Subject: [Fwd: Does your Hosting Company pay you?]
Content-Type: text/plain; charset=3Diso-8859-1
Content-Transfer-Encoding: 8bit

-------- Original Message --------
Return-Path: <automate02 () hotmail com>
Received: from ntmail.mfblouin.com ([208.31.8.10])by
ixmail10.ix.netcom.com (8.8.7-s-4/8.8.7/(NETCOM v1.01)) with SMTP id
WAA14197; for <knelson () ix netcom com>; Tue, 23 Feb 1999 22:15:17 -0800
(PST)
Received: from 1Cust165.tnt9.atl2.da.uu.net
(1Cust165.tnt9.atl2.da.uu.net [153.34.23.165]) by ntmail.mfblouin.com
(NTMail 3.02.13) with ESMTP id fa017087 for <knelson () ix netcom com>;
Tue, 23 Feb 1999 15:41:38 -0500
Date: Tue, 23 Feb 99 15:29:41 EST
From: automate02 () hotmail com
To: red
Subject: Does your Hosting Company pay you?
Message-ID: <wed>
Reply-To: wed
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: A8E9AE5356603F3FAD01E529E51C6FD3

We would like to wish you a very Happy and Prosperous
1999! We hope your online business is doing well.

Have you considered where you want to be in the year 2000
with your online business? Are you providing your contacts the
information and online marketing tools that build relationships?
We would like to offer you two unique solutions to consider.

1) A =93one of a kind=94 PC based database management
software that completely automates your follow-up.

2) A Premier Web Hosting package for under
$25/month.; A =93full service=94 feature packed plan simply
not offered anywhere at this price. Plus you're paid
residual income for referrals and their referrals and
so on down 4 levels and a $20 fast start bonus for each!

For more information feel free to call us or fill out this online
form and someone from our office will get in touch with you.

<A
HREF=3D"http://209.139.57.8/Prosper-2000/";>http://209.139.57.8/Prosper=

-2000/</A>

1) AUTOMATE YOUR EMAIL FOLLOW UP!

Powerful PC-based desktop software helps you
make maximum advantage of email: The perfect
follow-up software to manage all your contacts
and automate your follow-up. Convert more leads
into sales and get more bang from your advertising
dollars by putting your email follow up on autopilot!
Ask about the FREE Two-tiered reseller program
also available.

2) Not All Hosting Companies Are Created Equal!

Do you know how important your Web Hosting
company is to your Internet sales. You will learn
about a company that can provide you the
performance, speed, experience and support you
need to compete in Today's Internet of big bandwidth
and fast websites. And they pay you RESIDUAL
income for referring people to the absolute best value
on the Internet.;

Premier Hosting and Web Development products
at unheard of prices. The complete package for only
$24.95/month.

Automatically qualify as a distributor and get your
own replicating Website to promote your new Hosting
Business for FREE. Plus a complete online =93REAL TIME=94
downline, genealogy and up to the minute commission
tracking!!!

Come see the future of Web Hosting=85=85.

* 30 meg Website with FULL ACCESS on Award
winning ultra-fast UNIX servers.

* Your web pages will load lighting fast from the 2nd
largest web hosting facility in the World and Yahoo is
across the isle! Plus the most experienced engineers
and programmers on staff 24/7.

* UNLIMITED POP EMAIL Accounts &amp; browser based
email with FREE UNLIMITED Autoresponders!

* FREE SECURE SERVER! With FREE Shopping
Cart system to provide the commerce solutions you need!

* Web based software to automatically add your own
metatags and SUBMIT your Website to the 20 major
search engines from ONE FORM as often as you want.

* Complete control and access with ftp, CGI-bin etc.
Know your website traffic patterns without counters
broadcasting it to the world.

For more information feel free to call us or fill out this online
form and someone from our office will get in touch with you.

<A
HREF=3D"http://209.139.57.8/Prosper-2000/";>http://209.139.57.8/Prosper=

-2000/</A>

If you would like to be removed form our list click here,
<A HREF=3D"http://209.38.140.32/remove.html";>Take me to the remove
list/</A>,
and fill in the needed information.

Best Wishes,

Diane
Prosper 2000
888-389-2912

--Boundary_(ID_8dmTpy0AEgyS8Gy2P+lbpw)--


Hello,

We appreciate your email.  Because of your efforts and many others Netcom
is able to find and address abusers using our Network.  We have examined
the headers of the message you have forwarded to us, and determined in
this case:

        It did not originate from a NETCOM user
        It did not advertise a site hosted by NETCOM
        The reply to address (if Netcom) is fake/forged

While there may be a NETCOM account name listed somewhere in the message,
or references "netcom.com" it is forged.  It is not uncommon for
spammers to forged headers to include "netcom" somewhere in them.

Forwarding SPAM to abuse () netcom com
====================================
Please realize the importance of contacting the *originating* domain when
you receive spam.  

The only time you should contact NETCOM in regards to spam is if you
determine it originated from NETCOM.  If you determine it originated 
elsewhere, it's important you contact that domain. 

Getting SPAM? Want it to stop?
============================== 
Consider using an email program that supports filters.  You can filter on
domains, subject line words, and content key words to drastically reduce
SPAM.  Most modern email programs have filtering capabilities.

Other Prevention Techniques
============================ 
There are many other ways that your email address can be obtained over the
Internet by bulk mailers:

        NEVER Respond to requests to remove your name.  Spammers use
        this as a way or verifying that your address is valid.
        * We recommend just deleting the mail. Do not reply to them
        or follow removal procedures.  Once your address is
        verified as valid it will be sold thus the problem becomes
        worse. *

        Random list generators.  E.g. choosing common usernames.
        Example of random lists:

                adam () ix netcom com
                apple () ix netcom com
                angie () ix netcom com (etc etc)

        Avoid having a common username, i.e. sam () ix netcom com
        or having something to easy to guess at or a username 
        found in the dictionary

        Some web pages can get information regarding email addresses,
        host IP, type of computer, program used for access, files and
        pages viewed, where you came from and what pages you went to.

        Usernames can also be found through postings to Usenet
        newsgroups or mailing lists.

More notes about the spam you received
====================================== 
Please keep in mind, that if you see, DFW-IX*.IX.NETCOM.COM in the headers
this is our mail-relay server. These servers cannot originate mail, they
can in some instances relay mail. However, the received-by or
received-from line below the DFW line must be the originator, no matter
how forged it appears to be.

We do have software installed on our servers to prevent mail relaying,
however, very small quantities of relay spam do slip through sometimes.
Literally thousands of attempted relays are blocked every day.  To see a
daily log of these attempts visit the newsgroup:

news.admin.net-abuse.bulletins. 

- Marc
NETCOM Policy Management

----------------------------------------------------------------------
NETCOM On-Line Communication Services, Inc.          abuse () netcom com
NETCOM Policy Management:   (408) 881-3499           M-F 9AM-5PM PST
24-Hour Technical Support:  (408) 881-1810       support () ix netcom com
----------------------------------------------------------------------

--- End Message ---

Current thread:

Is there anyone at Netcom with a clue Ehud Gavron (Mar 01)
- Re: Is there anyone at Netcom with a clue Phil Howard (Mar 01)
  - Re: Is there anyone at Netcom with a clue Kevin Oberman (Mar 01)
    - Re: Is there anyone at Netcom with a clue Brandon Ross (Mar 01)
  - Re: Is there anyone at Netcom with a clue Steven J. Sobol (Mar 01)