Politech mailing list archives

FC: Confirmed: Calif. gov wannabe Bill Jones is a recidivist spammer


From: Declan McCullagh <declan () well com>
Date: Thu, 28 Feb 2002 12:22:38 -0500

Previous Politech message:

"Calif. governor candidate, DNC chairman turn to political spam"
http://www.politechbot.com/p-03199.html

*********

Date: Thu, 28 Feb 2002 08:42:10 -0800
From: Laura Atkins <laura () blighty com>
To: Neil Schwartzman <neil () petemoss com>
Cc: declan () well com
Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam

On Thu, Feb 28, 2002 at 10:45:27AM -0500, Neil Schwartzman wrote:

> Hi Declan,
>
> My colleague Laura Atkins (who is the newly appointed President of an
> influential anti-spam group (shh! That's a scoop!)), spoke with Mr.
> Jones' campaign workers and it has been confirmed that this was
> indeed not a "joe job" i.e. a forged spam to set him up. She's been
> copied in on this - perhaps she can confirm or deny, as appropriate.

Hi, Declan,

I did get the Bill Jones spam (3 times, actually). I called the Bill
Jones campaign after receiving the first one and talked to the woman
who answered the phone. I asked for the person in charge of their
email campaign and she asked me if I'd gotten the recent email. I said
yes. She explained that they had gotten a number of phone calls about
it but that they didn't know who actually sent it. Furthermore, since
the mail didn't come through their servers (it came through an open
proxy in Korea) that it was obvious they were not responsible, and
they would never do anything so unpopular right next to a campaign.

By this time, my business partner was also on the phone. We run a
consulting / software business that helps people track email
(word-to-the-wise.com). At this point believing the woman on the
phone, we provided her with all the information we had about the spam,
including the Korean open proxy and the website hosted on terra.es. We
hung up the phone and sent a copy of our analysis by email.

Meanwhile, I dropped a note to a Wired reporter who had recently
interviewed Steve about the abuse of Korean relays. She was very
interested and asked for all the details. I then provided the gist of
my conversation with the Bill Jones campaign worker. She responded
that he had spammed before.

At that point, we started digging a little deeper. And, yes, he
appears to have spammed around December 11 and around January
21. Given that we'd been outright lied to by the campaign worker,
Steve called back. He then spoke to Darren Ng (Press Secretary) who
admitted to him that they were responsible for the spam. Another
individual, Bill Carton, has confirmed he talked with the same person
and got the same admission.

The interesting bit is that Bill Jones' numbers start to tank in
December and are still falling. Cause and effect are hard to judge,
but it would be interesting to see if his numbers were falling before
the first December spam, or after.

For the record, I actually received 3 of his spams to two separate
addresses.

Laura

--
Laura Atkins
laura () blighty com

*********

Date: Thu, 28 Feb 2002 10:45:27 -0500
To: declan () well com
From: Neil Schwartzman <neil () petemoss com>
Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political
 spam
Cc: Laura Atkins <laura () blighty com>

At 2:07 -0500 2/28/02, Declan McCullagh wrote:
> Kevin Poulsen sends email asking the real question: "Is this indiscriminate spamming actually the work of candidate Jones, or a wily opponent?" I invite Bill Jones to reply.

Hi Declan,

My colleague Laura Atkins (who is the newly appointed President of an influential anti-spam group (shh! That's a scoop!)), spoke with Mr. Jones' campaign workers and it has been confirmed that this was indeed not a "joe job" i.e. a forged spam to set him up. She's been copied in on this - perhaps she can confirm or deny, as appropriate. Failing that, or supporting it, there has been media coverage about Jones doing this before (December being the last time):
<http://www.msnbc.com/news/671170.asp>
<http://www.latimes.com/news/local/politics/cal/la-022002jones.story>

But what has not been reported are the ironies in this latest spew:

Apart from the most obvious one for me, personally, that this bozo is spamming the chair of the Coalition Against Unsolicited Commercial Email - Canada [CAUCE.ca] (moi) is the fact that a) whoever sent this spam on his behalf used an open relay in Korea (essentially exploiting a security vulnerability, tantamount to hacking of a computer located in another country) and b) his website is HOSTED IN SPAIN - a tactic used increasingly by spammers who know that North American webhosts will not tolerate sites touted on their systems as the "payload" in spam - they usually kill them off pretty quickly. So much for being a proud American.

What is obvious and apparent to me is that whoever did this was a fairly sophisticated spammer, and that this is the last gasp effort of someone well into the decline of his political career. I hope the coverage you afford this will be the last nail in the coffin, quite frankly; we need personal and moral leadership from our politicians; not the type who would consort with the purveyors of Penis & Breast enlargement schemes.
--
Neil Schwartzman - Editor & Publisher
Pete Moss Publications, Industry & Trade Journals
<http://spamNEWS.com><http://virus-news.com>
<http://spamFLAMES.com><http://petemoss.com>

*********

Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam
Date: Thu, 28 Feb 2002 08:00:51 -0800
From: David Lawrence <david () online-today com>
To: "Declan McCullagh" <declan () well com>

Declan,

We covered this on Online Tonight last night. Lili and I got over a dozen
ourselves, all from different variations on the KatieXXXXXXX/MSN address,
and all with circuitous routes between the originating IP and me, taking
the message through the Netherlands and Korea.

We have a call in to Bill Jones' office to find out who he pissed off and
would try to spamframe him, or who among his supporters is misguided and
overzealous, as the natural conclusion is that the Secretary of one of
the more spam-conscious state legislatures couldn't be stupid enough to
actually do this.

He is, after all, a Republican, and we are much smarter than that...we'd
have Liddy do it.

I'll keep you posted.

David

*********

Date: Thu, 28 Feb 2002 03:21:05 -0800
From: Lewis McCarthy <pseudonym () acm org>
To: declan () well com
Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam

Declan,

I'd be surprised if these messages turn out to be official Jones for Governor
campaign materials. In addition to the discrepancies observed by others,
consider this paragraph from one of the messages:

    "So while other candidates for Governor are spending over $10,000,000
    dollars on 30 second TV ads, I am trying something new. What's new is this
    - I am only going to provide you with the facts on my record. Please go to
    my <http://195.235.97.200/personal8/inacct48/>web site and check it out
    for yourself."

According to Bill Jones' candidate statement in the Official Voter Information
Guide mailed out by the state -- which incidentally bears his signature on the
certificate of correctness on the front, as Secretary of State -- his campaign
website is www.billjones.org. That site is much more extensive than
http://195.235.97.200/personal8/inacct48/ , which consists of little more than
the text of a half-dozen press releases.

Furthermore, while these messages attempt to position Jones on some sort of
moral high ground w.r.t. the use of TV ads, his real campaign adopts quite a
different tone. In fact, there's a prominent link on the front page of billjones.org
inviting visitors to "See the new campaign commercials!" at
http://www.billjones.org/Home/HomeList.cfm?c=19 .

-Lewis
"just another registered Libertarian voter in California"

*********

From: Charlie Oriez <coriez () oriez org>
Organization: Lumber Cartel [tinlc]
To: declan () well com, politech () politechbot com
Subject: Analysis of alleged Bill Jones spam
Date: Thu, 28 Feb 2002 08:21:59 -0700

Spam sent from billjones () mail wiredwebsites com is posted here:

http://groups.google.com/groups?q=+%22bill+jones%22+group:news.admin.net-abuse.*&hl=en&scoring=r&as_drrb=b&as_mind=1&as_minm=2&as_miny=2002&as_maxd=28&as_maxm=2&as_maxy=2002&selm=nans20020215200252%245890%40news.killfile.org&rnum=3

An NSlookup for the IPA and domain name shown in the spam shows an A
record:

mail.wiredwebsites.com  86398   IN      A       64.7.197.9

Wired Websites might want to confirm or deny that the Bill Jones
campaign is a customer of theirs or that the address was a forgery.
The message ID would tell them who sent the spam if they do not have
an open relay.

A relay test run thru John Levine's abuse.net shows that IPA is
possibly open to third party relay (confirm at
<http://www.abuse.net/relay.html> by entering the IPA) but Osirusoft
has it in a list of IPAs that have specifically tested clean and are
not to be retested.  Either they have since fixed their relay, or
someone with that Bill Jones address is a customer.  His web site is
NOT hosted by them, or by any other California ISP.  His web site is
hosted by a Maryland ISP, VirtualSprockets, LLC in a fine display of
his support for California businesses.

Contact info for both Virtual Sprockets and Wired Websites, from a
whois:

Registrant:
         Bill Jones Campaign (BILLJONES2-DOM)
            1801 I St.
            Sacramento, CA 95814
            US

            Domain Name: BILLJONES.ORG

            Administrative Contact, Billing Contact:
               VirtualSprockets, LLC  (G16821-OR)  no.valid.email () worldnic com
               VirtualSprockets, LLC
               20010-G Fisher Avenue, Ste 205
               Poolesville, MD 20837
               US
               3019727415 fax: 3014070394

            Technical Contact:
               Kittleman, Laura  (LK614)  laura () SPACELY COM
               Virtual Sprockets, Inc.
               P.O. Box 450
               Barnesville, MD 20838
               301 972-7415 (FAX) 301 972-7415



              Administrative, Technical Contact:
                 Griffiths, Jason  jason () wiredwebsites com
                 Wired Websites
                 3340 E. Collins Ave #53
                 Orange, CA  92867
                 US
                 714.538.5016

Incidentally, a from address of someaddr () msn com with a bogus
excite.com address in the reply-to header is a common forgery in one
of the spam tools.  The sample you posted didn't have complete
headers, so I can't tell for sure that this was the case in that
specific instance.  However, that particular forgery is so common in
spam, and non existent in legitimate mail, that some filter tools
automatically block on that combination.  I'm not aware of any
examples where mail with that combination actually goes thru an
msn.com server.  Your original correspondent can probably confirm
that, since I see that he copied his mail to the msn address and
almost certainly got a '550 user unknown' error message for his
trouble.  I'm not a fan of Microsoft (see sig), but they aren't to
blame here.

Spamcop shows purported Bill Jones spam also coming thru
211.251.245.66 and 211.114.51.233.  Both IPAs are identified by a
number of the anti-spam lists as open relays registered to the Korean
ISP kornet and they are now blocked.   The first one is ultimately
assigned to a Korean Middle School mail server and spamcop says that
92% of the traffic coming through it is from known spammers.  Great
demonstration of someone's respect for private property, in my view.

A usenet post of a reject log showing those IPAs on alleged Bill
Jones spam:
http://groups.google.com/groups?hl=en&threadm=a5keou%246v2%40hearye.mlb.semi.harris.com&rnum=2&prev=/groups%3Fas_q%3D%26num%3D100%26as_scoring%3Dr%26btnG%3DGoogle%2BSearch%26as_epq%3Dbill%2Bjones%26as_oq%3D%26as_eq%3D%26as_ugroup%3Dnews.admin.net-abuse.*%26as_usubject%3D%26as_uauthors%3D%26as_umsgid%3D%26lr%3D%26as_qdr%3D%26as_drrb%3Db%26as_mind%3D1%26as_minm%3D2%26as_miny%3D2002%26as_maxd%3D28%26as_maxm%3D2%26as_maxy%3D2002

Osirusoft whois showing the Korean data:
http://relays.osirusoft.com/cgi-bin/addressblock.cgi?addr2=211.251.245.66
http://relays.osirusoft.com/cgi-bin/addressblock.cgi?addr2=211.114.51.233


--
Charles Oriez, coriez () oriez org
39° 34' 34.4"N / 105° 00' 06.3"W
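
The From/Reply-To forgery pattern and the listed-relay check described in the message above, as an added example that is not part of the original post. The function names, finding labels and both sample messages are constructed for illustration; the two relay addresses are the ones the message reports.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Relay addresses the message above reports as listed open relays.
LISTED_RELAYS = {"211.251.245.66", "211.114.51.233"}

def domain_of(header_value):
    """Return the lowercased domain of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def received_ips(msg):
    """Bracketed IPv4 addresses from Received headers, newest hop first."""
    ips = []
    for line in msg.get_all("Received", []):
        ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
    return ips

def passed_through(msg, domain):
    """True if any Received header names a from/by host inside `domain`."""
    pat = re.compile(r"\b(?:from|by)\s+([\w.-]+)", re.I)
    for line in msg.get_all("Received", []):
        for host in pat.findall(line):
            host = host.lower()
            if host == domain or host.endswith("." + domain):
                return True
    return False

def analyse(raw):
    """Return a list of finding labels for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    if domain_of(msg["From"]) == "msn.com" and domain_of(msg["Reply-To"]) == "excite.com":
        findings.append("msn-from/excite-reply-to")
        # The combination is more telling when no hop is an msn.com server.
        if not passed_through(msg, "msn.com"):
            findings.append("no-msn-hop")
    hits = [ip for ip in received_ips(msg) if ip in LISTED_RELAYS]
    if hits:
        findings.append("listed-relay:" + hits[0])
    return findings

# Constructed sample: forged msn.com sender relayed through a listed host.
SAMPLE_FORGED = """\
Received: from unknown (HELO mail.example.net) ([211.251.245.66])
\tby mx.example.org with SMTP; Wed, 27 Feb 2002 10:00:00 -0800
From: "Katie" <katie0000000@msn.com>
Reply-To: someone@excite.com
Subject: constructed sample

body
"""

# Constructed sample: ordinary mail with no suspicious header combination.
SAMPLE_CLEAN = """\
Received: from mail.example.com ([192.0.2.10])
\tby mx.example.org with ESMTP; Wed, 27 Feb 2002 10:05:00 -0800
From: user@example.com
Subject: constructed sample

body
"""
```
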

*********

Date: Thu, 28 Feb 2002 08:14:45 -0500
From: Rich Kulawiec <rsk () firemountain net>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam

On Thu, Feb 28, 2002 at 02:07:40AM -0500, Declan McCullagh wrote:
> Kevin Poulsen sends email asking the real question: "Is this indiscriminate
> spamming actually the work of candidate Jones, or a wily opponent?"

Several contributors to Spam-L have posted information that indicates that
they've spoken to someone at billjones.org, and that they (billjones.org)
are deliberately doing this.  From the mail headers I've seen analyzed
so far, it looks like they've hijacked open relays in Korea and Spain
to send this spam.  See the two notes enclosed below for some additional
info.  I also note in passing that billjones.org fails to comply with
RFC 2142 -- apparently they like sending spam, but don't wish to receive any.

---Rsk

==========
Item 1:
==========
> From: Laura Atkins <laurat () MAGPAGE COM>
> Date:         Wed, 27 Feb 2002 18:15:06 -0500
> Sender: Spam Prevention Discussion List <SPAM-L () PEACH EASE LSOFT COM>
> Subject: Re: SPAM, HELP: Bill Jones for California Governor 6785nXjP1-362LAhl15
> To: SPAM-L () PEACH EASE LSOFT COM
>
> [...]
>
> http://www.latimes.com/news/politics/la-022002jones.story?coll=la-headlines-politics
>
> http://www.lugod.org/mailinglists/archives/vox/2002-01/msg00189.html
>
> http://stacks.msnbc.com/news/671170.asp?cp1=1
>
> And, Darrel Ng at the Bill Jones for Governor office just admitted
> sending it while we were on the phone with him.
>
> laura

==========
Item 2:
==========

> From: Joe Wagner <joepublics-l () HYPERBACKUP COM>
> Date:         Wed, 27 Feb 2002 19:20:04 -0500
> Sender: Spam Prevention Discussion List <SPAM-L () PEACH EASE LSOFT COM>
> Subject: Re: SPAM, HELP: Bill Jones for California Governor 6785nXjP1-362LAhl15
> To: SPAM-L () PEACH EASE LSOFT COM
>
> When the story originally broke a while ago about Bill Jones campaign
> admitting sending spam, I proactively sent via a fax and via the contact
> form on their website a formal notice to not send any Unsolicited email to
> any of our users.  Funnily enough the Billjones.org's website only offers a
> webform for email...I guess they don't want spammers finding _their_ email
> addresses and spamming them. How classy. Even their web contact form, when
> it sends a confirmation copy of your message back to you, they use _your_
> address as the sender.  Check out the headers at the bottom.  I sent a
> followup webform comment about that.
>
> Both messages of course were never answered. However, the Bill Jones folks
> promptly started spamming the abuse () hypertouch com email address that we
> provided on the webform.  It's clear now that they're not clueless, they've
> chosen to act this way.
>
> I wonder if I should send them an invoice...
>
> Joe
>
> --
> Hello,
>  I understand that Bill Jones has ill-advisedly begun to use
> Unsolicited Bulk Email (UBE or "spam") to advertise his political campaign
> and drive voters to his website.  According to a story on MSNBC
> (http://www.msnbc.com/news/671170.asp  "California candidate spams voters")
> this has been confirmed by a spokesperson of the campaign, Beth Pendexter.  I
> will not reiterate the many, many reasons why this is wrong, both legally
> and morally.  It is clear from Ms. Pendexter's quote in the MSNBC article
> that the Bill Jones campaign has considered the implications of its actions
> and has willfully chosen to pursue the practice.
>
>  The missive is a FORMAL NOTICE to the Bill Jones campaign that it is
> not permitted to send _ANY_ unsolicited email messages to any of the
> accounts serviced by Hypertouch's mail servers.  We host a number of domains
> on our servers and you are not permitted to send messages through our
> servers to ANY account of ANY domain name. Hypertouch Inc. servers are
> located in the state of California which has a number of laws prohibiting
> spam... The sending of any unsolicited email advertising messages,
> unsolicited bulk email advertising messages and all other forms of email
> abuse to Hypertouch.com, reasonabledoubt.com or other domains owned, hosted
> or managed by Hypertouch Inc. is expressly forbidden. Our mail servers are
> mail.hypertouch.com, mail2.hypertouch.com, mail3.hypertouch.com and
> mail4.hypertouch.com. It is your responsibility to clean your email lists.
> It is a simple matter to look up the IP addresses of our servers and make
> sure that the domains you are sending to do not use any of our servers.
> Furthermore, if any of a domain's DNS servers are one of Hypertouch's
> servers, e.g. dns1.hypertouch.com, then it is also pretty obvious we own,
> host or manage that domain.
>
>  Finally, having received this formal notice on December 13, 2001, if
> the Bill Jones campaign, or any contractor, supporter, or otherwise directed
> third party does send any email messages to Hypertouch's servers, that shall
> constitute agreement by the Bill Jones campaign to pay Hypertouch Inc a fee
> $1000 per email address used per message. This is in addition to any civil
> or criminal penalties imposed by law. To repeat:
>
> THE SENDING OF ANY UNSOLICITED EMAIL TO OR THROUGH ANY HYPERTOUCH SERVER
> CONSTITUTES AGREEMENT TO PAY HYPERTOUCH INC. $1000 PER EMAIL ADDRESS USED
> PER MESSAGE.
>
>  The sole exception to this fee agreement is for email sent to
> abuse1 () hypertouch com, to which you may send freely without penalty for the
> purposes of constructive discussion.
>
>  The Bill Jones campaign has chosen an incredibly irresponsible
> manner in which to conduct itself. It of course removes any chance of
> support Bill Jones might have engendered had he not forced others to bear
> the cost of advertising for his campaign.  I urge you to reconsider.
>
> Thank you,
>
> James Joseph Wagner
> President, Hypertouch Inc
> 235 Belmont Ave
> Redwood City, CA 94061
> 650-367-6664 (voice/FAX)
>
> --
> A copy of this OPT-OUT/Fee notice was submitted to the Bill Jones Campaign
> via the www.billjones.org website.
> --
> Here's the lame confirmation copy you get from their website's contact form,
> note they do not provide a return address, they just use yours.  Nice...
> --
> Received: from [207.188.212.40] (HELO elroy) by mail.hasit.com (Stalker SMTP
> Server 1.8b8) with ESMTP id S.0000006950 for <abuse1 () hypertouch com>; Thu,
> 13 Dec 2001 01:53:24 -0800
> Received: from 207.188.212.40 ([207.188.212.40]) by elroy with Microsoft
> SMTPSVC(5.0.2195.2966);
>   Thu, 13 Dec 2001 04:54:23 -0500
> Content-type: text/plain
> Date: Thu, 13 Dec 2001 04:53:51 -0500
> From: abuse1 () hypertouch com
> Subject: Your message to Bill Jones for Governor
> To: abuse1 () hypertouch com
> X-mailer: mailer () VirtualSprockets com
> Return-Path: abuse1 () hypertouch com
> Message-ID: <ELROYKRfcjcMzfoV1qd00001152@elroy>
> X-OriginalArrivalTime: 13 Dec 2001 09:54:23.0562 (UTC)
> FILETIME=[24AEF2A0:01C183BC]
>
>
> Hello,
>  I understand that Bill Jones has ill-advisedly begun to use
> Unsolicited Bulk Email (UBE or "spam") to advertise his political campaign
> and drive voters to his website.
> [...snip the copy of the rest of my message...]
>

*********




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

