Wiltel & "Pink" Contracts?


mrmaxx

I keep receiving emails spamvertising websites on Aurora Direct's network. A quick look at AuroraDirect.com shows them to be a "direct marketing" company. I've sent several spam complaints to WilTel, but they seem to be ignoring them. Any ideas? Does WilTel have an upstream that one can complain to?

Link to comment
Share on other sites

On a related topic, these emails always have a BUNCH of multipart stuff before the actual URLs. Here's a tracking URL based on one of the reports:

http://www.spamcop.net/sc?id=z803925628zef...5b3ce7e74831cfz

And here's the report ID: 1503854061. You can see the source of the email by looking at the report ID -- you'll see all the crap they're using, apparently to avoid automated reports about the URLs...

Link to comment
Share on other sites

you'll see all the crap they're using, apparently to avoid automated reports about the URLs...

32472[/snapback]

The only thing they are using is incorrect MIME formatting. An RFC-compliant email client would see one of the "blank" emails as everything after the

------------=_367610979-879236-1--
is undefined.

Read it like a computer program... it should never display anything after the closing boundary.

Link to comment
Share on other sites

As Steven states ... Header states that the e-mail is;

Content-Type: multipart/alternative; boundary="----------=_367610979-879236-1"

There is an opening Boundary section;

------------=_367610979-879236-1

Content-Type: text/plain; charset=ISO-8859-1

But "nothing" follows ...

Then a second opening Boundary section;

------------=_367610979-879236-1

Content-Type: text/html; charset=ISO-8859-1

But "nothing" follows ...

Then the closing Boundary is provided;

------------=_367610979-879236-1--

At this point, RFC compliant readers would "stop" as that's it for the "content" section of the e-mail.

The remainder of the body contents would only be seen by a non-compliant e-mail reader, or a reader set to read as "plain text only" such that the MIME constructs are ignored. That should also follow that the provided links are not clickable.

The parser results are based on the fact that the construct is so bad. However, I'm not sure if I've seen some of the parse output before, perhaps there is evidence showing of some tweaking going on ..???

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

No html links found, trying text parse

no links found

First two parts failed due to the "no content" I mentioned above. The third item "trying to parse ..." seems new to me, but can't say why it may have failed.

Link to comment
Share on other sites
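The structure described in the posts above, as an added example that is not part of any poster's message: a Python check, using the standard `email` package, that flags a message whose MIME parts are empty while its URLs sit after the closing boundary. The sample message, sender and URL are constructed; only the boundary string comes from the thread.

```python
import email
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+")
BOUNDARY = "----------=_367610979-879236-1"  # boundary value quoted in the thread

# Constructed sample: two empty alternative parts, then text after the close.
SAMPLE = "\n".join([
    "From: sender@example.invalid",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"',
    "",
    f"--{BOUNDARY}",
    "Content-Type: text/plain; charset=ISO-8859-1",
    "",
    f"--{BOUNDARY}",
    "Content-Type: text/html; charset=ISO-8859-1",
    "",
    f"--{BOUNDARY}--",
    "Filler text placed after the closing boundary.",
    "http://spamvertised.example.invalid/offer",
    "",
])

def audit_multipart(raw):
    """Report empty MIME parts and URLs that only appear after a closing boundary."""
    msg = email.message_from_string(raw)
    report = {"empty_parts": [], "part_urls": [], "epilogue_urls": []}
    for part in msg.walk():
        if part.is_multipart():
            # The parser keeps text after "--boundary--" in .epilogue;
            # a MIME-aware reader never renders it.
            report["epilogue_urls"] += URL_RE.findall(part.epilogue or "")
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "latin-1", "replace")
        if not text.strip():
            report["empty_parts"].append(part.get_content_type())
        report["part_urls"] += URL_RE.findall(text)
    # Flag the pattern from the thread: links exist, but none inside any part.
    report["hidden_payload"] = bool(report["epilogue_urls"]) and not report["part_urls"]
    return report

if __name__ == "__main__":
    print(audit_multipart(SAMPLE))
```

A filter or report parser that scans only the declared parts finds no links in such a message, so the epilogue has to be inspected separately.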

Ok, so they're guilty of "padding" their spam. What about Wiltel? Do they have a history of "pink contracts"? Anyone "upstream" from them that one could complain to? I've had about 5 spams from Aurora Direct so far today, and in each one, I've manually added abuse[at]wiltel.com and abuse[at]wcg.net. I also pointed out the specific sections of the Wiltel AUP that Aurora is guilty of violating.

I don't doubt that Aurora is in compliance with the CAN-SPAM Act, but that doesn't mean that Wiltel has to allow them to spam! Just because there's a valid "remove" link doesn't mean that Aurora isn't violating the AUP.

Link to comment
Share on other sites

They don't seem to be on the up-and-up, as all of the following email addresses bounce (so I'm not going to munge them): abuse[at]wcg.net, noc[at]wcg.net, abuse[at]wilcom.com, jeff.monahan[at]wilcom.com, michael.rud[at]wcg.com, postmaster[at]mail1.wiltel.com, postmaster[at]mail2.wcg.com, postmaster[at]mail4.wcg.com, postmaster[at]gateway.wiltel.com, hostmaster[at]wcg.net, postmaster[at]wcg.net, charles.jarzbek[at]WCG.COM, and wcg.ir[at]wcg.com

My current list of Manual Report addressees for Wiltel / Williams Communications is as follows (not that I actually get replies from humans, but at least I don't get bounces): hostmaster[at]wcg.net, postmaster[at]wiltel.com, abuse[at]wiltel.com, postmaster[at]wcg.com, abuse[at]wcg.com, abuse[at]level3.net, spamtool[at]level3.net, postmaster[at]wilcom.com, hostmaster[at]WCG.COM, cindy.k.smith[at]wcg.com, and media[at]wcg.com.

Link to comment
Share on other sites

That email is interesting.. it looks like someone typed out steps to a DnD game, yet claims to be from University of Phoenix?

I know UoP is a chop shop school and has spammed me on more than one occasion, but that email is just odd.

Link to comment
Share on other sites

That email is interesting.. it looks like someone typed out steps to a DnD game, yet claims to be from University of Phoenix?

I know UoP is a chop shop school and has spammed me on more than one occasion, but that email is just odd.

32518[/snapback]

It's not just UoP, it's other people that are paying AuroraDirect to spam for them. I'm guessing that AuroraDirect probably has redirect pages for each client so the client can't be directly linked to the spew.

Link to comment
Share on other sites

They don't seem to be on the up-and-up, as all of the following email addresses bounce {snip}

My current list of Manual Report addressees for Wiltel / Williams Communications is as follows {SNIP}

32501[/snapback]

Thanks for the list of addresses. I've forwarded a copy of the last email I sent to Wiltel and the FTC to Level3. Hopefully they'll come down on Wiltel and make them crack down on AuroraDirect. I mean, according to Wiltel's AUP, Aurora Direct should have been kicked off their network LONG ago.. supposedly they require opt-in for all bulk email, but they sure never asked ME if I wanted to be on their spew list...

Link to comment
Share on other sites

Tracking message source: 206.223.145.63:

Routing details for 206.223.145.63

[refresh/show] Cached whois for 206.223.145.63 : mrjim[at]nttec.com

Using last resort contacts mrjim[at]nttec.com

(hit the Refresh link)

Tracking details

Display data:

"whois 206.223.145.63[at]whois.arin.net" (Getting contact from whois.arin.net )

checking NET-206-223-145-0-1

Display data:

"whois NET-206-223-145-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse[at]molsonpierce.com

206.223.145.0 - 206.223.145.255:abuse[at]molsonpierce.com

checking NET-206-223-144-0-1

Display data:

"whois NET-206-223-144-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois mrjim[at]nttec.com

206.223.144.0 - 206.223.159.255:mrjim[at]nttec.com

Routing details for 206.223.145.63

Using smaller IP block (/ 24 vs. / 20 )

Removing 1 larger (> / 24 ) route(s) from cache

Using abuse net on abuse[at]molsonpierce.com

No abuse net record for molsonpierce.com

Using best contacts abuse[at]molsonpierce.com

09/09/05 11:21:17 IP block 206.223.145.63

Trying 206.223.145.63 at ARIN

Trying 206.223.145 at ARIN

NT Technology PACIFICINTERNETEXCHANGE-NET (NET-206-223-144-0-1)

206.223.144.0 - 206.223.159.255

Molson Pierce Consulting, LLC MPCLLC-NET-BLOCK (NET-206-223-145-0-1)

206.223.145.0 - 206.223.145.255

OrgName: Molson Pierce Consulting, LLC

OrgID: MPCL-2

Address: 1717 E. Calumet St.

Address: #116

City: Appleton

StateProv: WI

PostalCode: 54915

Country: US

NetRange: 206.223.145.0 - 206.223.145.255

CIDR: 206.223.145.0/24

NetName: MPCLLC-NET-BLOCK

NetHandle: NET-206-223-145-0-1

Parent: NET-206-223-144-0-1

NetType: Reassigned

NameServer: NS1.MOLSONPIERCE.COM

NameServer: NS2.MOLSONPIERCE.COM

Comment:

RegDate: 2005-08-31

AbuseHandle: CUSTO255-ARIN

AbuseName: Customer Service

AbusePhone: +1-920-273-6077

AbuseEmail: abuse[at]molsonpierce.com

whois -h whois.arin.net !net-206-223-144-0-1 ...

OrgName: NT Technology

OrgID: NTTECH-1

Address: 2533 N.Carson St.

City: Carson City

StateProv: NV

PostalCode: 89706

Country: US

NetRange: 206.223.144.0 - 206.223.159.255

CIDR: 206.223.144.0/20

NetName: PACIFICINTERNETEXCHANGE-NET

NetHandle: NET-206-223-144-0-1

Parent: NET-206-0-0-0-0

NetType: Direct Allocation

NameServer: NS1.PACIFICINTERNETEXCHANGE.NET

NameServer: NS2.PACIFICINTERNETEXCHANGE.NET

Comment:

RegDate: 2004-04-27

AbuseHandle: TW488-ARIN

AbuseName: Watkins, Jim

AbusePhone: +1-425-353-7103

AbuseEmail: mrjim[at]nttec.com

OrgAbuseHandle: NETWO528-ARIN

OrgAbuseName: Network Operations

OrgAbusePhone: +1-800-561-1225

OrgAbuseEmail: David[at]pacificinternetexchange.com

09/09/05 11:30:32 Slow traceroute 206.223.145.63

12.122.12.94 RTT: 42ms TTL: 64 (ggr1-p380.dlstx.ip.att.net bogus rDNS: host not found [authoritative])

64.200.232.201 RTT: 45ms TTL: 64 (IPP-dllstx9lce1-pos5-0.wcg.net bogus rDNS: host not found [authoritative])

64.200.110.81 RTT: 44ms TTL: 64 (dllstx1wcx2-pos0-0-oc48.wcg.net bogus rDNS: host not found [authoritative])

64.200.210.190 RTT: 67ms TTL: 64 (dnvrco1wcx3-pos1-0-oc192.wcg.net bogus rDNS: host not found [authoritative])

64.200.240.182 RTT: 76ms TTL: 64 (sntcca1wcx2-pos14-0.wcg.net bogus rDNS: host not found [authoritative])

64.200.151.94 RTT: 77ms TTL: 64 (snfcca1wcx2-pos4-0-oc48.wcg.net bogus rDNS: host not found [authoritative])

64.200.198.250 RTT: 79ms TTL: 64 (snfcca1wcx2-pacific-internet-slot15-0.wcg.net bogus rDNS: host not found [authoritative])

* * * failed

* * * failed

09/09/05 11:49:21 IP block 64.200.198.250

Trying 64.200.198.250 at ARIN

Trying 64.200.198 at ARIN

Williams Communications, Incorporated WCG-BLK-1 (NET-64-200-0-0-1)

64.200.0.0 - 64.200.255.255

Williams Communication IP Services WLCO-SNFCCA1INTERN-30 (NET-64-200-198-0-1)

64.200.198.0 - 64.200.199.255

whois -h whois.arin.net !net-64-200-0-0-1 ...

OrgName: Williams Communications, Incorporated

OrgID: WLCO

Address: One Williams Center

City: Tulsa

StateProv: OK

PostalCode: 74172

Country: US

NetRange: 64.200.0.0 - 64.200.255.255

CIDR: 64.200.0.0/16

NetName: WCG-BLK-1

NetHandle: NET-64-200-0-0-1

Parent: NET-64-0-0-0-0

NetType: Direct Allocation

NameServer: STLDNS1.WCG.NET

NameServer: TULDNS1.WCG.NET

Comment: TO REPORT ABUSE, PLEASE CONTACT : ABUSE[at]WCG.NET

RegDate: 2000-03-21

Updated: 2005-07-05

NOCHandle: NOC215-ARIN

NOCName: Network Operations Center

NOCPhone: +1-800-934-8434

NOCEmail: noc[at]wcg.net

TechHandle: WIH-ARIN

TechName: Wiltel Internet Hostmaster

TechPhone: +1-918-547-2000

TechEmail: hostmaster[at]wiltel.com

OrgAbuseHandle: WAC18-ARIN

OrgAbuseName: Wiltel Abuse Contact

OrgAbusePhone: +1-918-547-2000

OrgAbuseEmail: abuse[at]wiltel.com

whois -h whois.arin.net !net-64-200-198-0-1 ...

OrgName: Williams Communication IP Services

OrgID: WCIS-6

Address: 3180 Rider Trail South

City: Bridgeton

StateProv: MO

PostalCode: 63045

Country: US

NetRange: 64.200.198.0 - 64.200.199.255

CIDR: 64.200.198.0/23

NetName: WLCO-SNFCCA1INTERN-30

NetHandle: NET-64-200-198-0-1

Parent: NET-64-200-0-0-1

NetType: Reassigned

RegDate: 2001-11-01

TechHandle: MR1187-ARIN

TechName: Rud, Michael

TechPhone: +1-314-595-6082

TechEmail: michael.rud[at]wcg.com

OrgTechHandle: NOC215-ARIN

OrgTechName: Network Operations Center

OrgTechPhone: +1-800-934-8434

OrgTechEmail: noc[at]wcg.net

Whew! After all that, not sure that sorting out an upstream would actually result in any action. I'm keying on the OC48, OC192 items showing in the traceroute. If one gives any credence to the server names, bandwidth consolidation is in place. This goes back to the charges incurred and traffic totals involved, such that your spam may only be something like .0001% of traffic being routed. Going upstream would only move the decimal point a bit more to the left. That some of the 'normal' addresses are seen to be bouncing sure adds to that helpless feeling.

Link to comment
Share on other sites

WilTel's contracts aren't pink - they're bright red. Wiltel/WCG is a provider of last resort; note they are also the current bandwidth provider for Brian Kramer/Expedite and AS33012 (look up the Spamhaus records about Expedite being dropped by MCI, Broadwing, Singtel, Mzima, Anet, TimeWarner, Sprint and a few more, all in the past two months). WCG gladly took them on - and I do remember when twenty+ years ago WilTel were the good guys. Notice even companies with sullied reputations don't want to handle Expedite (who also lost almost all their IP space, because it was hijacked illegally and revoked by ARIN); most of what is left is actually another Peters/JTel fake ISP with a fraudulent Jamaican front company, disconnected telephone lines, invalid email and suspended domains for all the contacts - It is amazing that *even* WCG will carry that kind of traffic.

Link to comment
Share on other sites

- It is amazing that *even* WCG will carry that kind of traffic.

32571[/snapback]

I deduce that "*even*" is a 'tongue-in-cheek' reference to WCG, eh?

FWIW:

re: wgc.net

whois -h whois.arin.net !net-64-200-0-0-1…

NetRange: 64.200.0.0 - 64.200.255.255

CIDR: 64.200.0.0/16

NetName: WCG-BLK-1

NetHandle: NET-64-200-0-0-1

Parent: NET-64-0-0-0-0

NetType: Direct Allocation

NameServer: STLDNS1.WCG.NET

NameServer: TULDNS1.WCG.NET

Comment: TO REPORT ABUSE, PLEASE CONTACT : ABUSE[at]WCG.NET

RegDate: 2000-03-21

Updated: 2005-07-05

[whois.networksolutions.com]

Registrant:

Williams Communications Group

111 E. 1st ST.

Tulsa, OK 74103-2808

US

Domain Name: WCG.NET

Administrative Contact:

Center, Network Operations noc[at]wcg.net

Wiltel Communications

3180 Rider Trail South

Bridgeton, MO 63045

US

800-934-8434

Technical Contact:

Center, Network Operations noc[at]wcg.net

Wiltel Communications

3180 Rider Trail South

Bridgeton, MO 63045

US

800-934-8434

Record expires on 12-Feb-2006.

Record created on 11-Feb-1997.

Database last updated on 15-Sep-2005 05:18:44 EDT.

Domain servers in listed order:

STLDNS1.WCG.NET 64.200.241.28

TULDNS1.WCG.NET 64.200.255.12

[whois.networksolutions.com]

[OTHER (rbl.completewhois.com) whois information for WCG.NET ]

Listed in postmaster.rfc-ignorant.org: Not supporting postmaster[at]wcg.net

Listed in abuse.rfc-ignorant.org: Not supporting abuse[at]wcg.net

Listed in whois.rfc-ignorant.org: Inaccurate or missing WHOIS data

[OTHER (whois.abuse.net) whois information for WCG.NET ]

[whois.abuse.net]

abuse[at]wiltel.com (for wcg.net)

abuse[at]wcg.net (for wcg.net)

rod

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
