Posts posted by HillsCap

  1. Oh, I also learned a new way to strike back at spammers that only put a phone number in their spam, and not a URL.

    The organization that issues telephone numbers and area codes, etc. is called NANPA (North American Numbering Plan Administration). Since Gregory Bryant & Associates is located in FL, this is perfect.

    Anyway, I went to the NANPA website, and looked up the telephone company that is responsible for the telephone number that GB&A advertises. Turns out it's BellSouth.

    So, I wrote an email to BellSouth, describing the problem with the spammer, and asking if there were any way we could prevent him from using that telephone number... shut off that telephone number, and you shut down the spammer.

    The whole reason they're putting a phone number in the spam, and not a URL is because they don't want their website attacked by anti-spammers. And since the number isn't toll-free, there's no real way for anti-spammers to attack it. But, this is a great way... I contact NANPA and BellSouth, include the source code of the spams and ask for help in preventing spammers from being able to effectively market via spam.

    Let's hope something comes of it...

  2. Yep, there's really a My Computer Zone... it allows you to tweak the security settings for the local computer much as you would for the Internet Zone or Restricted Zone (for instance, I've got mine set up so I'm alerted any time a script or Java applet tries to run locally).

    You can read about how to enable the My Computer Zone on the following MS web page:


    In short:

    The Flags value in the following registry key determines whether you can view the My Computer security zone on the Security tab in the Internet Options dialog box:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

    The Flags value is a DWORD value. Setting the data value of the Flags value to 47 (in hexadecimal) causes the My Computer security zone to be displayed. Setting the data value of the Flags value to 21 (in hexadecimal) causes the My Computer security zone to be hidden.

    So, why would (Performance Systems International Inc.) be in the My Computer Zone, what does this company do? Has anyone else seen this company in their My Computer Zone?
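Added example for the registry tweak described in the post above (my code, not HillsCap's text and not anything from Microsoft). It reads the Flags value of Zones\0, names the bits that are set, and clears only the "hidden" bit rather than overwriting the whole DWORD. The bit meanings are taken from Microsoft's documentation of the Zones registry keys (KB 182569) and treating them as authoritative is this example's assumption; the post itself only gives the two values 0x21 and 0x47. Note that 0x21 and 0x47 differ in more than the hide bit: writing 0x47 outright also sets 0x02, 0x04 and 0x40, which change how the zone behaves, not just whether it is displayed. Registry access uses the standard winreg module and therefore only works on Windows; elsewhere the script just decodes the two values from the post.

```python
"""Read, decode and minimally change the Flags DWORD of an IE security zone.

Added example, not the post's text or Microsoft's code. Bit meanings follow
Microsoft's documentation of the Zones registry keys (KB 182569); treating
them as authoritative is this example's assumption. Zone 0 is My Computer.
"""
import sys

ZONES_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
HIDE_ZONE = 0x20

ZONE_FLAG_BITS = {
    0x01: "allow changes to custom settings",
    0x02: "allow users to change the security level",
    0x04: "include sites not in other zones",
    0x08: "include sites that bypass the proxy server",
    0x10: "include local (intranet) sites not listed elsewhere",
    HIDE_ZONE: "do not show the zone on the Security tab",
    0x40: "show the 'requires server verification (https:)' check box",
    0x80: "treat UNCs as intranet sites",
}


def decode_flags(flags):
    """Names of every bit set in flags; unknown bits are reported, not dropped."""
    names = [name for bit, name in ZONE_FLAG_BITS.items() if flags & bit]
    unknown = flags & ~sum(ZONE_FLAG_BITS)
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def zone_hidden(flags):
    return bool(flags & HIDE_ZONE)


def set_zone_visible(flags, visible):
    """Flip only the hide bit. Writing 0x47 outright would also set bits
    0x02, 0x04 and 0x40, which change zone behaviour, not just visibility."""
    return flags & ~HIDE_ZONE if visible else flags | HIDE_ZONE


def read_zone_flags(zone=0):
    """HKCU\\...\\Zones\\<zone>\\Flags; Windows only (stdlib winreg)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + str(zone)) as key:
        value, kind = winreg.QueryValueEx(key, "Flags")
    if kind != winreg.REG_DWORD:
        raise ValueError("Flags has registry type %d, expected REG_DWORD" % kind)
    return value


def write_zone_flags(flags, zone=0):
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + str(zone),
                        0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "Flags", 0, winreg.REG_DWORD, flags)


def report(flags):
    return "0x%02x hidden=%s: %s" % (flags, zone_hidden(flags), "; ".join(decode_flags(flags)))


if __name__ == "__main__":
    if sys.platform == "win32":
        current = read_zone_flags(0)
        print("My Computer zone Flags " + report(current))
        if zone_hidden(current):
            write_zone_flags(set_zone_visible(current, True), 0)
            print("hide bit cleared; reopen Internet Options to see the zone")
    else:
        for f in (0x21, 0x47):  # the two values quoted in the post
            print(report(f))
```

The post only mentions the HKEY_CURRENT_USER key, so this touches the per-user setting; a machine-wide copy of the same layout exists under HKEY_LOCAL_MACHINE and is left alone here.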

  3. Hi, all.

    I tweaked the registry to enable the My Computer Zone in the Internet Options dialog of Internet Explorer.

    Upon going into the My Computer Zone Sites dialog box to see what was there, I noticed that the following URL was set up to be in the My Computer Zone:

    The WHOIS shows the following:

    whois -h whois.arin.net ...

    Performance Systems International Inc. PSINETA (NET-38-0-0-0-1) -

    Performance Systems International Inc. COGENT-NB-0002 (NET-38-112-0-0-1) -

    Looking further:

    OrgName: Performance Systems International Inc.

    OrgID: PSI

    Address: 1015 31st Street, NW

    City: Washington

    StateProv: DC

    PostalCode: 20007

    Country: US

    Any idea who these guys are, and why they were added into the My Computer Zone? It's especially troubling, seeing that the address is Washington, DC. Is our government spying on us, perhaps?

  4. Yeah, the spam-free days ended... right now I usually get 10-12 spams per month.

    I've got 14 in my spam folder right now (which automatically deletes anything older than 1 month), 7 of which are from Gregory Bryant & Associates. So, I'm leaning pretty hard on this guy.

    I can't really talk about it right now, but suffice it to say I'm bringing in a bit of help from my uncle Sam on this one... Sam's very interested in pursuing this spammer... I got a phone call from Sam the other day and am waiting for some paperwork to be delivered from Sam before we can proceed.

    I'll tell you all the whole story after it's all over.

  5. Hi, all.

    Whenever I submit a spam report to SpamCop, I get back a bounce error.

    Here's what it says:

    The following message to <bbrahms[at]ironport.com> was undeliverable.

    The reason for the problem:

    5.1.0 - Unknown address error 550-'<bbrahms[at]ironport.com>: User unknown in virtual alias table'

    I know IronPort recently acquired SpamCop, so I'm asking here.

    Thanks for your help.

  6. Hi, all.

    Well, something new happened today... I got a phone call from Gregory Bryant & Associates, a company that is widely associated with home mailing program spam, credit card processing spam, and music sales spam.

    The person claimed that they don't send out spam, and had no idea that one of their 'affiliates' was sending spam 'in their name'.

    Yeah, let's see... this spam has been going out for at least a year, and this is the first you've heard of it? You've never Googled your own company name and witnessed the plethora of results related to your company and spam? You've never gotten a bounce email because you're all over the Block Lists? You've never gotten an angry phone call?

    Not likely... I think I'll keep reporting any spam I receive. The whole reason they called me is because I reported the spam to the Florida BBB and the Florida State Attorney General, and surprisingly, the BBB actually did something about it (probably because I also reported it to the FL State Attorney General in the same email).

    Anybody else have any experiences with Gregory Bryant & Associates?

  7. As for the issue of "simply blow a huge mailing out overnight and then change ip addresses", that generally doesn't work very well, because you've got people like me who have it set up so we monitor our incoming email 24/7.

    If I get a spam, even at 2:00am, my computer wakes me up. I then report to SpamCop, the FTC, the California State Attorney General, several Block Lists. This is all done semi-automatically. All I have to do is click a few times.

    I then use Sam Spade to dig out the spamvertised websites and report them to the web hosts and upstream providers. If the website redirects, I'll dig out each site in the chain of spamvertised websites, and report each one. I've had some that redirected 8 times.

    After that, I go to work on some other methods that I can't really discuss.

    I had one spammer start out the day by sending a spam advertising a website hosted on a hijacked server from a nursing school in China. I reported it, they shut the website down.

    I got an identical spam a while later, from another hijacked server in China. I reported it, they shut it down.

    A while later, another identical email, this time advertising the website hosted from Venezuela. I reported it, they shut it down.

    A bit later, another identical email, this time advertising the same website, but hosted from Romania. I reported it, they shut it down.

    I haven't heard from that spammer since. If their websites keep getting shut down, they'll eventually give up.

    So far, over the last week, I've only gotten 2 spams. I'm not running any software that rejects emails based on Block Lists, the spammers just avoid our email addresses because I use some pretty vicious methods to get them shut down and to run up their costs.

    The way I see it, if they want to escalate such that they're bombarding everyone with hundreds of spams per day, I'll escalate as well. What I do can't be considered 'legal' in the strictest sense of the word, but do you think the spammers are going to report me?

    Whatever works, works. And what I do works.

  8. No, the extra lines and word wrap problems were put in by my crappy newsreader when I pasted... I tried to remove them, but couldn't. Trust me, it looks like any other email when I view the spam source in Notepad.

    The server is the receiving server... that's our mail server with the older version of IMail on it that doesn't report Source IP correctly.

    But why isn't SpamCop seeing the a href= links? Shouldn't it always try to figure out the spamvertised website? It does when I report spam from our other email server.

    It seems like SpamCop is checking the headers, and if the headers seem legit, it doesn't check the body. The headers seem legit in this case because the IMail server is inserting its own IP address in there, so it doesn't look like the sending server was forged.

  9. Hi, all.

    I read a very interesting web page about an automatically self-propagating spam network that spans the globe. Not only are there open proxies, but DNS servers and web servers, all comprised of compromised home boxes, for this spamnet.

    Read about it here:


    I think if we come across any of these, we should form a group to manually track each and every cracked box down, and shut down the whole thing. This is frightening.

  10. OK, I've posted to the newsgroup, under the title, "Older iMail servers, and links in spam...".

    Is there some way to tell you the address or whatever for the individual message in the newsgroup? (Sorry, I never used newsgroups before... I kind of skipped that whole thing when it was all the rage years back.)

    Oh, and I didn't worry about obfuscating the two email addresses of ours in the sample spam I posted... they're both turned off now.

  11. Hi, all...

    I just wanted to let you all know that so far, I'm spam-free for 100 hours and counting...

    I had to fight the spammers pretty much 24/7:

    I reported to SpamCop, the FTC, several Block Lists.

    I used Sam Spade to dig out multi-redirected websites and report all of them.

    I had to use some, how shall we say, 'other than whitehat' techniques against some of the more egregious spammers.

    But, suddenly on the 4th, all spam email dried up, and I haven't gotten any since.

    It's widely known that spammers collaborate with each other, and keep tabs on active spam-fighters. Due to the extent to which I was willing to go to stop the spammers, I think I've convinced them to put me on their 'do-not-spam' list.

    I won't tell you what 'other than whitehat' techniques I used, for fear of getting in trouble. But all I can say is, if you cost them enough money, they learn to leave you alone.

  12. Hi, all.

    One quick question:

    My web host / email provider is using iMail 6.06 (an older version of IpSwitch's iMail mail server), and it does not properly report Source IPs. Instead of placing the IP address of the sender into the headers, it places ITS OWN IP address into the headers, tricking SpamCop into thinking that it is the sender of the spam.

    Well, that's all well and good, I've reported several hundred from this mail provider, in the hopes that them receiving these reports would make them realize that they should upgrade their mail server. So far, they refuse to... so we're moving to a new web host / mail provider.

    But, the real question is this:

    Even though there are links to web pages in these spam submissions, SpamCop does not report to the responsible parties for these websites... I was wondering why?

    It seems like SpamCop looks at the headers to determine if they are forged, and if they are, it looks further for links in the body of the spam message. But, if the headers look legit, it won't try to get info about the links. The headers look legit in our case because the iMail server is ancient and doesn't work the way it should. Shouldn't SpamCop always look at the links in the body of the spam message?

  13. It could be that you are running an older IMail server... they insert your OWN IP address as the sending address in spam reports (improper Source IP reporting).

    Thus, you could have someone in your organization reporting spam, thinking that they are doing a good thing, but if you're running IMail and it's inserting its own IP address as the sending address, they are, in effect, reporting that your own server is the one doing the spamming.

    The only way to fix that is to upgrade to the latest version of the IMail server, or to make sure that no one is reporting spam from your organization. Once the spam reports with the improper Source IP reported stop, you'll naturally drop off the Block List.

    IpSwitch (the maker of IMail), knows of the problem, but has only fixed it for the newest version.

    Hope this helps...
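Added example for the problem described in posts 8, 12 and 13 above, the older IMail server that writes its own address into the Received header so a report blames the receiving server (my code, not HillsCap's and not SpamCop's parser). It walks the Received chain newest hop first, trusts only the lines written by our own mail hosts, returns the first outside address one of those hosts observed, and stops with "source lost" when a trusted server has recorded itself as the sender instead of descending into the sender-supplied hops below. The host names and addresses, and both sample messages, are constructed for the example.

```python
"""Identify the external source IP of a message from its Received chain.

Added example (mine, not code from the posts or from SpamCop). The mail
hosts, addresses and both sample messages are constructed.
"""
import email
import ipaddress
import re
from email import policy

# Hosts we operate. Only a Received line *written by* one of these is trusted;
# every hop below it was supplied by the sender and may be forged.
TRUSTED = {"mx.example.net", "203.0.113.10", "inbox.example.net", "203.0.113.11"}

_CLAUSE = r"(?P<{name}>\S+)\s*(?P<{name}_rest>(?:[\(\[][^\)\]]*[\)\]]\s*)*)"
FROM_RE = re.compile(r"^from\s+" + _CLAUSE.format(name="from"), re.I)
BY_RE = re.compile(r"\bby\s+" + _CLAUSE.format(name="by"), re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _first_ip(*texts):
    """First syntactically valid IPv4 address found in any of the texts."""
    for text in texts:
        for m in IPV4_RE.finditer(text or ""):
            try:
                return str(ipaddress.IPv4Address(m.group(1)))
            except ValueError:
                continue
    return None


def parse_received(header):
    """from_ip/from_name/by_ip/by_name of one Received line (None where absent)."""
    h = " ".join(header.split())
    out = {"from_ip": None, "from_name": None, "by_ip": None, "by_name": None}
    m = FROM_RE.match(h)
    if m:
        out["from_name"] = m.group("from").strip("[]")
        # Prefer the address the receiving server observed (in brackets or
        # parentheses) over the HELO name, which the client chooses itself.
        out["from_ip"] = _first_ip(m.group("from_rest"), m.group("from"))
        h = h[m.end():]
    m = BY_RE.search(h)
    if m:
        out["by_name"] = m.group("by").strip("[]")
        out["by_ip"] = _first_ip(m.group("by_rest"), m.group("by"))
    return out


def find_source_ip(raw_message, trusted=TRUSTED):
    """Return (source_ip or None, notes). Newest Received line first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    notes = []
    for hop in msg.get_all("Received", []):
        r = parse_received(hop)
        if r["by_name"] not in trusted and r["by_ip"] not in trusted:
            notes.append("hop written by %s is not ours; lower hops are sender-supplied, stopping" % r["by_name"])
            return None, notes
        if r["from_ip"] and r["from_ip"] not in trusted:
            return r["from_ip"], notes  # first outside address our own server saw
        from_ids = {r["from_name"], r["from_ip"]} - {None}
        by_ids = {r["by_name"], r["by_ip"]} - {None}
        if from_ids & by_ids:
            # The IMail 6.06 defect from the posts: the server logs its own
            # address as the sender, so the real source was never recorded.
            notes.append("%s recorded itself as the sender; source lost" % r["by_name"])
            return None, notes
        notes.append("internal relay hop (%s); continuing" % (r["from_ip"] or r["from_name"]))
    notes.append("ran out of Received headers without an external sender")
    return None, notes


# Constructed sample: a healthy chain, spam handed in by 198.51.100.77.
NORMAL = """\
Received: from mx.example.net (203.0.113.10) by inbox.example.net (203.0.113.11) with ESMTP; Tue, 1 Jul 2003 08:30:00 -0400
Received: from bulkmailer.invalid ([198.51.100.77]) by mx.example.net (203.0.113.10) with SMTP; Tue, 1 Jul 2003 08:29:58 -0400
Received: from trusted.bank.invalid ([10.9.8.7]) by bulkmailer.invalid; Tue, 1 Jul 2003 08:29:50 -0400
Subject: constructed sample

body
"""

# Constructed sample: the receiving server wrote its own address as the sender.
IMAIL_DEFECT = """\
Received: from mx.example.net [203.0.113.10] by mx.example.net with SMTP (IMail 6.06); Tue, 1 Jul 2003 08:31:00 -0400
Received: from trusted.bank.invalid ([10.9.8.7]) by openrelay.invalid; Tue, 1 Jul 2003 08:30:40 -0400
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, sample in (("normal relay", NORMAL), ("IMail self-attribution", IMAIL_DEFECT)):
        ip, notes = find_source_ip(sample)
        print("%s -> source %s" % (label, ip))
        for n in notes:
            print("   ", n)
```

The point of stopping at "source lost" rather than reading further down is the one the posts make from the other side: once the trusted server has thrown away the real address, the remaining Received lines are whatever the spammer chose to put there, and a report built from them would go to the wrong party.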

  14. Yeah, vsmon.exe... I've got some history with that file...

    We're running the Grub client from Grub.org (a distributed crawler for indexing websites for WiseNut and LookSmart). It absolutely kills ZoneAlarm.

    The reason for this:

    ZoneAlarm is a stateful packet inspection firewall, meaning that it checks each incoming packet to see if a corresponding outgoing packet was sent to request the incoming packet. If there is, the incoming packet is allowed in. If not, it's blocked.

    The problem is that ZoneAlarm is designed for extremely light-weight use. Its lookup table is small, and the code that parses through the lookup table is inefficient and has a small memory leak.

    Thus, for any application that creates a high number of simultaneous or concurrent connections, the lookup table is quickly filled, causing ZoneAlarm to crash. This usually causes the computer to lock up. When the lookup table starts filling up, the computer will bog down first.

    With Grub running, ZoneAlarm only lasted an hour before crashing. So, I had to shut down ZoneAlarm and restart it to clear out the lookup table and recover the lost memory from the memory leak on a regular basis.

    I eventually dumped ZA and started using WinXP's ICF. It's much more robust, and has taken everything I've thrown at it (including 100 new connections per second for an extended period of time).

    So, when your computer starts bogging down, start up Task Manager and look at the ZoneAlarm files... you'll see them hogging a bunch of memory and CPU.

    Shut down ZA, wait 15 seconds for the memory to be flushed, and restart it. That'll fix things temporarily.

    ZoneLabs knows about the problem (it exists in all versions of ZA), but has decided that it's more expedient to forego fixing the code and continue shipping defective software.

    Amazingly, the same problem exists in most consumer-oriented stateful packet inspection firewalls... so, before you plunk down your hard-earned money, go to Grub.org and fire up the GrubClient for a while to test the firewall's robustness.

  15. I was wondering...

    Just as a comparison, I've been practicing on digging up the information myself using Sam Spade, then comparing the email addresses I'd dug out to those that SpamCop was reporting to.

    Then, I came across a spammer who did 6 redirects in a row on his websites. He was all over the globe... Brazil, Russia, Romania, US, China and Canada, if I remember correctly. I dug up a lot of email addresses, while SpamCop only reported to the first website's reporting address.

    Does SpamCop handle website redirects? If not, are there plans in the works to make it do so?

  16. Hi, all.

    Is it just me, or has the rate of spam received increased dramatically today?

    I'm getting some pretty persistent spammers, too. I've got one who I dug up the information on manually using Sam Spade, he was sending from an open proxy in China, through an open relay in Russia, and his website redirected 6 times! It took me 25 minutes to dig up all the information and report it.

    Then, he sent me another round of spam! So, I reported him again... and got all 6 of his websites disconnected. That makes 8 so far that I've gotten disconnected, just today.

    So far today, we've received 29 spams, and it's only 8:30am! Usually, by this time, we've got 4 or 5, tops.

    Could this be the last dying, desperate gasp of the spammers? Dare we hope?

  17. Hi, all.

    Just a quick note to the SpamCop admins...

    I reported a spam email on my own by digging up the data on a spammer (I was trying to find an upstream provider for this ISP). I was going the route of looking up who was hosting the website the spammer was using.

    I reported to abuse[at]boardtravel.com, and got back the following:

    Delivery failed 3 attempts: abuse[at]boardtravel.com

    in a bounce.

    I'm not sure who else to report to, but obviously, these guys don't care that their users are spamming. I've gotten several spams from this ISP just today.

  18. Hi, all.

    I wanted to run something by you all, and see if I'm on the right track.

    OK, I figured that if I find out about the websites that are advertised in spam, and figure out who's hosting them, then I can report to the web host and upstream providers for those unusually persistent spams that never seem to go away. I'll keep moving up the IP chain until I get a response from someone.

    So, I get the URL of the offending website from the spam email, and type this: http://uptime.netcraft.com/up/graph/?host=www.xxxxx.com

    where www.xxxxx.com is the offending website.

    This gives me the IP address of that website.

    Then, I go to http://visualroute.visualware.com/ and type in the IP address of the offending website. This gives me a visual graph (traceroute) of the upstream, as well as the geographical location of the website in question.

    Then, I use Sam Spade to dig out the abuse email addresses of the upstream providers, and send the full headers and body of the spam, along with a screen shot of the visual trace route.

    Am I on the right track, or am I messing something up and sending spam reports to the wrong places? I don't do this for all spam, just those that never seem to get handled via normal channels of reporting.

    Thanks for any help you can provide.
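Added example for the redirect-chain hunting described in posts 7, 15, 16 and 18 above (my code, not HillsCap's procedure and not SpamCop's or Sam Spade's). A normal client follows redirects silently and shows only the last page; for reporting, every host in the chain matters, so this walks one hop at a time, records each URL, handles relative Location headers and meta-refresh hops, and stops on a loop or after a hop limit. The function takes a fetcher so it can be exercised offline against a constructed chain (the .invalid hostnames below are made up); a urllib-based fetcher that refuses to auto-follow is included for real use.

```python
"""Enumerate every host in a spamvertised redirect chain.

Added example (mine, not the posts' tools). The .invalid URLs and the fake
fetcher are constructed so the walk can run with no network access.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

MAX_HOPS = 10  # the posts mention chains of 6 and 8 hops

META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*["']?([^"'>\s]+)""",
    re.I,
)


def next_hop(status, headers, body):
    """URL this response forwards to (3xx Location or meta refresh), else None."""
    loc = headers.get("location")
    if 300 <= status < 400 and loc:
        return loc
    m = META_REFRESH.search(body or "")
    return m.group(1) if m else None


def follow_chain(url, fetch, max_hops=MAX_HOPS):
    """Walk redirects one hop at a time without ever auto-following.

    fetch(url) returns (status, headers_with_lowercase_keys, body_text).
    Returns (chain, stop_reason); chain lists every URL visited in order.
    """
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        status, headers, body = fetch(chain[-1])
        target = next_hop(status, headers, body)
        if target is None:
            return chain, "final (%d)" % status
        target = urllib.parse.urljoin(chain[-1], target)  # Location may be relative
        chain.append(target)
        if target in seen:
            return chain, "loop"
        seen.add(target)
    return chain, "max hops"


def hosts_in_chain(chain):
    """Distinct hostnames in visit order; each one gets its own abuse report."""
    out = []
    for u in chain:
        h = urllib.parse.urlsplit(u).hostname
        if h and h not in out:
            out.append(h)
    return out


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def live_fetch(url, timeout=10):
    """Network fetcher for real use; not exercised offline."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx arrives here because we do not follow
        return e.code, {k.lower(): v for k, v in e.headers.items()}, ""


# Constructed chain: 302 -> 301 (relative) -> meta refresh -> final shop page,
# plus a two-page loop. Nothing here is a real site.
FAKE_SITE = {
    "http://promo-one.invalid/go": (302, {"location": "http://hop-two.invalid/r?x=1"}, ""),
    "http://hop-two.invalid/r?x=1": (301, {"location": "/land"}, ""),
    "http://hop-two.invalid/land": (200, {}, '<html><meta http-equiv="refresh" content="0; url=http://final-shop.invalid/buy"></html>'),
    "http://final-shop.invalid/buy": (200, {}, "<html>order page</html>"),
    "http://loop.invalid/a": (302, {"location": "/b"}, ""),
    "http://loop.invalid/b": (302, {"location": "/a"}, ""),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    chain, why = follow_chain("http://promo-one.invalid/go", fake_fetch)
    for i, u in enumerate(chain):
        print("%d: %s" % (i, u))
    print("stop:", why, "| hosts to report:", hosts_in_chain(chain))
```

Each hostname in the result still needs its own IP and abuse contact looked up, which is the WHOIS step the post does by hand; JavaScript-driven redirects are not parsed here, so a chain that ends on a page with a script and no meta refresh should be inspected manually.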

  19. Or, if your web host also runs the mail server on which you receive email, instead of unchecking the box next to your web host, leave it checked, but add a text blurb stating that you had nothing to do with the spamming, but that your website was mentioned in the spam.

    That way, if your web host / email provider can filter out subsequent spam from that spammer, they at least have a chance to.

  20. Hi,

    Just thought I'd tell the SpamCop admins about this:

    We host our website (sadly enough) through Interland. We were with Burlee, but they were bought by Interland.

    Speaking with Wells Montague at Interland (one of the support sups) on an unrelated topic, he mentioned that abuse reports should go to Interland now, instead of Burlee, as they don't really do much with the emails sent to Burlee's addresses.

    Just to let you know...

  21. Mahogany Rush said:

    It is unbelievable to me that my ISP, which is Yahoo by the way, doesn't have any kind of spam filtering

    Actually, Yahoo DOES have a filter, of sorts...

    Check your spam message headers for the following:


    Set up your filters so if that's in the headers, it blocks the email.
