mrmaxx Posted September 7, 2005

I keep receiving emails spamvertising websites on Aurora Direct's network. A quick look at AuroraDirect.com shows them to be a "direct marketing" company. I've sent several spam complaints to WilTel, but they seem to be ignoring them. Any ideas? Does WilTel have an upstream that one can complain to?

mrmaxx Posted September 7, 2005

On a related topic, these emails always have a BUNCH of multipart stuff before the actual URLs. Here's a tracking URL based on one of the reports: http://www.spamcop.net/sc?id=z803925628zef...5b3ce7e74831cfz

And here's the report ID: 1503854061. You can see the source of the email by looking at the report ID -- you'll see all the crap they're using, apparently to avoid automated reports about the URLs...

StevenUnderwood Posted September 7, 2005

> you'll see all the crap they're using, apparently to avoid automated reports about the URLs...

The only thing they are using is incorrect MIME formatting. An RFC-compliant email client would see one of the "blank" emails as everything after the ------------=_367610979-879236-1-- is undefined. Read it like a computer program... it should never display anything after the closing boundary.

Wazoo Posted September 7, 2005

As Steven states ...

Header states that the e-mail is;

    Content-Type: multipart/alternative; boundary="----------=_367610979-879236-1"

There is an opening Boundary section;

    ------------=_367610979-879236-1
    Content-Type: text/plain; charset=ISO-8859-1

But "nothing" follows ...

Then a second opening Boundary section;

    ------------=_367610979-879236-1
    Content-Type: text/html; charset=ISO-8859-1

But "nothing" follows ...

Then the closing Boundary is provided;

    ------------=_367610979-879236-1--

At this point, RFC-compliant readers would "stop" as that's it for the "content" section of the e-mail. The remainder of the body contents would only be seen by a non-compliant e-mail reader, or a reader set to read as "plain text only" such that the MIME constructs are ignored. That should also follow that the provided links are not clickable.

The parser results are based on the fact that the construct is so bad. However, I'm not sure if I've seen some of the parse output before, perhaps there is evidence showing of some tweaking going on ..???

    Finding links in message body
    Recurse multipart:
    Parsing text part
    Parsing HTML part
    No html links found, trying text parse
    no links found

First two parts failed due to the "no content" I mentioned above. The third item "trying to parse ..." seems new to me, but can't say why it may have failed.

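The malformed layout described in the two posts above (empty alternative parts, then text after the closing boundary) can be checked for mechanically. The following is an added example, not part of the original thread: it rebuilds that layout around the boundary string quoted in the thread and audits it with Python's standard `email` parser. The sender address, subject, trailing text and URLs are constructed sample values, and the function names are hypothetical.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s<>\"']+")
BOUNDARY = "----------=_367610979-879236-1"  # boundary string quoted in the thread

def build_sample(part_body, trailer):
    """Constructed message: two alternative parts, then text after the close."""
    return (
        "From: sender@example.invalid\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\n'
        "\n"
        f"--{BOUNDARY}\n"
        "Content-Type: text/plain; charset=ISO-8859-1\n"
        "\n"
        f"{part_body}"
        f"--{BOUNDARY}\n"
        "Content-Type: text/html; charset=ISO-8859-1\n"
        "\n"
        f"{part_body}"
        f"--{BOUNDARY}--\n"
        f"{trailer}"
    )

def audit_multipart(raw):
    """Report empty MIME parts and URLs placed after a closing boundary."""
    report = {"empty_parts": [], "part_urls": [], "epilogue_urls": []}
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            # Text after the closing boundary is the epilogue; a compliant
            # reader does not display it, a plain-text view of the raw body does.
            report["epilogue_urls"] += URL_RE.findall(part.epilogue or "")
            continue
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        if not body.strip():
            report["empty_parts"].append(part.get_content_type())
        report["part_urls"] += URL_RE.findall(body)
    return report

def is_padded(report):
    """True when links exist only outside the declared MIME parts."""
    return bool(report["epilogue_urls"]) and not report["part_urls"]

if __name__ == "__main__":
    print(audit_multipart(build_sample("", "Roll a d20. http://example.invalid/offer\n")))
```

A link extractor that walks only the declared parts reports no links for the first sample, which matches the "no links found" parser output quoted above; reading the epilogue as well is what surfaces the URL.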
mrmaxx Posted September 8, 2005

Ok, so they're guilty of "padding" their spam. What about Wiltel? Do they have a history of "pink contracts"? Anyone "upstream" from them that one could complain to? I've had about 5 spams from Aurora Direct so far today, and in each one, I've manually added abuse[at]wiltel.com and abuse[at]wcg.net. I also pointed out the specific sections of the Wiltel AUP that Aurora is guilty of violating.

I don't doubt that Aurora is in compliance with the CAN-SPAM Act, but that doesn't mean that Wiltel has to allow them to spam! Just because there's a valid "remove" link doesn't mean that Aurora isn't violating the AUP.

turetzsr Posted September 8, 2005

> <snip> What about Wiltel? <snip> Anyone "upstream" from them that one could complain to? <snip>

...FWIW, when I did a tracert of wiltel.com, it went to phlpa.ip.att.net before it went to wcg.

Jeff G. Posted September 8, 2005

They don't seem to be on the up-and-up, as all of the following email addresses bounce (so I'm not going to munge them): abuse[at]wcg.net, noc[at]wcg.net, abuse[at]wilcom.com, jeff.monahan[at]wilcom.com, michael.rud[at]wcg.com, postmaster[at]mail1.wiltel.com, postmaster[at]mail2.wcg.com, postmaster[at]mail4.wcg.com, postmaster[at]gateway.wiltel.com, hostmaster[at]wcg.net, postmaster[at]wcg.net, charles.jarzbek[at]WCG.COM, and wcg.ir[at]wcg.com

My current list of Manual Report addressees for Wiltel / Williams Communications is as follows (not that I actually get replies from humans, but at least I don't get bounces): hostmaster[at]wcg.net, postmaster[at]wiltel.com, abuse[at]wiltel.com, postmaster[at]wcg.com, abuse[at]wcg.com, abuse[at]level3.net, spamtool[at]level3.net, postmaster[at]wilcom.com, hostmaster[at]WCG.COM, cindy.k.smith[at]wcg.com, and media[at]wcg.com.

btech Posted September 8, 2005

That email is interesting.. it looks like someone typed out steps to a DnD game, yet claims to be from University of Phoenix? I know UoP is a chop shop school and has spammed me on more than one occasion, but that email is just odd.

mrmaxx Posted September 9, 2005

> That email is interesting.. it looks like someone typed out steps to a DnD game, yet claims to be from University of Phoenix? I know UoP is a chop shop school and has spammed me on more than one occasion, but that email is just odd.

It's not just UoP, it's other people that are paying AuroraDirect to spam for them. I'm guessing that AuroraDirect probably has redirect pages for each client so the client can't be directly linked to the spew.

mrmaxx Posted September 9, 2005

> They don't seem to be on the up-and-up, as all of the following email addresses bounce {snip} My current list of Manual Report addressees for Wiltel / Williams Communications is as follows {SNIP}

Thanks for the list of addresses. I've forwarded a copy of the last email I sent to Wiltel and the FTC to Level3. Hopefully they'll come down on Wiltel and make them crack down on AuroraDirect. I mean, according to Wiltel's AUP, Aurora Direct should have been kicked off their network LONG ago.. supposedly they require opt-in for all bulk email, but they sure never asked ME if I wanted to be on their spew list...

Wazoo Posted September 9, 2005

    Tracking message source: 206.223.145.63:
    Routing details for 206.223.145.63
    [refresh/show] Cached whois for 206.223.145.63 : mrjim[at]nttec.com
    Using last resort contacts mrjim[at]nttec.com

(hit the Refresh link)

    Tracking details
    Display data:
    "whois 206.223.145.63[at]whois.arin.net" (Getting contact from whois.arin.net )
    checking NET-206-223-145-0-1
    Display data:
    "whois NET-206-223-145-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
    Found AbuseEmail in whois abuse[at]molsonpierce.com
    206.223.145.0 - 206.223.145.255:abuse[at]molsonpierce.com
    checking NET-206-223-144-0-1
    Display data:
    "whois NET-206-223-144-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
    Found AbuseEmail in whois mrjim[at]nttec.com
    206.223.144.0 - 206.223.159.255:mrjim[at]nttec.com
    Routing details for 206.223.145.63
    Using smaller IP block (/ 24 vs. / 20 )
    Removing 1 larger (> / 24 ) route(s) from cache
    Using abuse net on abuse[at]molsonpierce.com
    No abuse net record for molsonpierce.com
    Using best contacts abuse[at]molsonpierce.com

    09/09/05 11:21:17 IP block 206.223.145.63
    Trying 206.223.145.63 at ARIN
    Trying 206.223.145 at ARIN
    NT Technology PACIFICINTERNETEXCHANGE-NET (NET-206-223-144-0-1)
    206.223.144.0 - 206.223.159.255
    Molson Pierce Consulting, LLC MPCLLC-NET-BLOCK (NET-206-223-145-0-1)
    206.223.145.0 - 206.223.145.255

    OrgName: Molson Pierce Consulting, LLC
    OrgID: MPCL-2
    Address: 1717 E. Calumet St.
    Address: #116
    City: Appleton
    StateProv: WI
    PostalCode: 54915
    Country: US
    NetRange: 206.223.145.0 - 206.223.145.255
    CIDR: 206.223.145.0/24
    NetName: MPCLLC-NET-BLOCK
    NetHandle: NET-206-223-145-0-1
    Parent: NET-206-223-144-0-1
    NetType: Reassigned
    NameServer: NS1.MOLSONPIERCE.COM
    NameServer: NS2.MOLSONPIERCE.COM
    Comment:
    RegDate: 2005-08-31
    AbuseHandle: CUSTO255-ARIN
    AbuseName: Customer Service
    AbusePhone: +1-920-273-6077
    AbuseEmail: abuse[at]molsonpierce.com

    whois -h whois.arin.net !net-206-223-144-0-1 ...
    OrgName: NT Technology
    OrgID: NTTECH-1
    Address: 2533 N.Carson St.
    City: Carson City
    StateProv: NV
    PostalCode: 89706
    Country: US
    NetRange: 206.223.144.0 - 206.223.159.255
    CIDR: 206.223.144.0/20
    NetName: PACIFICINTERNETEXCHANGE-NET
    NetHandle: NET-206-223-144-0-1
    Parent: NET-206-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.PACIFICINTERNETEXCHANGE.NET
    NameServer: NS2.PACIFICINTERNETEXCHANGE.NET
    Comment:
    RegDate: 2004-04-27
    AbuseHandle: TW488-ARIN
    AbuseName: Watkins, Jim
    AbusePhone: +1-425-353-7103
    AbuseEmail: mrjim[at]nttec.com
    OrgAbuseHandle: NETWO528-ARIN
    OrgAbuseName: Network Operations
    OrgAbusePhone: +1-800-561-1225
    OrgAbuseEmail: David[at]pacificinternetexchange.com

    09/09/05 11:30:32 Slow traceroute 206.223.145.63
    12.122.12.94 RTT: 42ms TTL: 64 (ggr1-p380.dlstx.ip.att.net bogus rDNS: host not found [authoritative])
    64.200.232.201 RTT: 45ms TTL: 64 (IPP-dllstx9lce1-pos5-0.wcg.net bogus rDNS: host not found [authoritative])
    64.200.110.81 RTT: 44ms TTL: 64 (dllstx1wcx2-pos0-0-oc48.wcg.net bogus rDNS: host not found [authoritative])
    64.200.210.190 RTT: 67ms TTL: 64 (dnvrco1wcx3-pos1-0-oc192.wcg.net bogus rDNS: host not found [authoritative])
    64.200.240.182 RTT: 76ms TTL: 64 (sntcca1wcx2-pos14-0.wcg.net bogus rDNS: host not found [authoritative])
    64.200.151.94 RTT: 77ms TTL: 64 (snfcca1wcx2-pos4-0-oc48.wcg.net bogus rDNS: host not found [authoritative])
    64.200.198.250 RTT: 79ms TTL: 64 (snfcca1wcx2-pacific-internet-slot15-0.wcg.net bogus rDNS: host not found [authoritative])
    * * * failed
    * * * failed

    09/09/05 11:49:21 IP block 64.200.198.250
    Trying 64.200.198.250 at ARIN
    Trying 64.200.198 at ARIN
    Williams Communications, Incorporated WCG-BLK-1 (NET-64-200-0-0-1)
    64.200.0.0 - 64.200.255.255
    Williams Communication IP Services WLCO-SNFCCA1INTERN-30 (NET-64-200-198-0-1)
    64.200.198.0 - 64.200.199.255

    whois -h whois.arin.net !net-64-200-0-0-1 ...
    OrgName: Williams Communications, Incorporated
    OrgID: WLCO
    Address: One Williams Center
    City: Tulsa
    StateProv: OK
    PostalCode: 74172
    Country: US
    NetRange: 64.200.0.0 - 64.200.255.255
    CIDR: 64.200.0.0/16
    NetName: WCG-BLK-1
    NetHandle: NET-64-200-0-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: STLDNS1.WCG.NET
    NameServer: TULDNS1.WCG.NET
    Comment: TO REPORT ABUSE, PLEASE CONTACT : ABUSE[at]WCG.NET
    RegDate: 2000-03-21
    Updated: 2005-07-05
    NOCHandle: NOC215-ARIN
    NOCName: Network Operations Center
    NOCPhone: +1-800-934-8434
    NOCEmail: noc[at]wcg.net
    TechHandle: WIH-ARIN
    TechName: Wiltel Internet Hostmaster
    TechPhone: +1-918-547-2000
    TechEmail: hostmaster[at]wiltel.com
    OrgAbuseHandle: WAC18-ARIN
    OrgAbuseName: Wiltel Abuse Contact
    OrgAbusePhone: +1-918-547-2000
    OrgAbuseEmail: abuse[at]wiltel.com

    whois -h whois.arin.net !net-64-200-198-0-1 ...

    OrgName: Williams Communication IP Services
    OrgID: WCIS-6
    Address: 3180 Rider Trail South
    City: Bridgeton
    StateProv: MO
    PostalCode: 63045
    Country: US
    NetRange: 64.200.198.0 - 64.200.199.255
    CIDR: 64.200.198.0/23
    NetName: WLCO-SNFCCA1INTERN-30
    NetHandle: NET-64-200-198-0-1
    Parent: NET-64-200-0-0-1
    NetType: Reassigned
    RegDate: 2001-11-01
    TechHandle: MR1187-ARIN
    TechName: Rud, Michael
    TechPhone: +1-314-595-6082
    TechEmail: michael.rud[at]wcg.com
    OrgTechHandle: NOC215-ARIN
    OrgTechName: Network Operations Center
    OrgTechPhone: +1-800-934-8434
    OrgTechEmail: noc[at]wcg.net

Whew! After all that, not sure that sorting out an upstream would actually result in any action. I'm keying on the OC48, OC192 items showing in the traceroute. If one gives any credence to the server names, bandwidth consolidation is in place. This goes back to the charges incurred and traffic totals involved, such that your spam may only be something like .0001% of traffic being routed. Going upstream would only move the decimal point a bit more to the left.

That some of the 'normal' addresses are seen to be bouncing sure adds to that helpless feeling.

get-even Posted September 10, 2005

WilTel's contracts aren't pink - they're bright red. Wiltel/WCG is a provider of last resort; Note they are also the current bandwidth provider for Brian Kramer/Expedite and AS33012 (look up the Spamhaus records about Expedite being dropped by MCI, Broadwing, Singtel, Mzima, Anet, TimeWarner, Sprint and a few more all in the past two months). WCG gladly took them on - and I do remember when twenty+ years ago WilTel were the good guys.

Notice even companies with sullied reputations don't want to handle Expedite (who also lost almost all their IP space, because it was hijacked illegally and revoked by ARIN); Most of what is left is actually another Peters/JTel fake ISP with a fraudulent Jamaican front company, disconnected telephone lines, invalid email and suspended domains for all the contacts - It is amazing that *even* WCG will carry that kind of traffic.

rooster Posted September 15, 2005

> - It is amazing that *even* WCG will carry that kind of traffic.

I deduce that "*even*" is a 'tongue-in-cheek' reference to WCG, eh?

FWIW: re: wgc.net

    whois -h whois.arin.net !net-64-200-0-0-1…
    NetRange: 64.200.0.0 - 64.200.255.255
    CIDR: 64.200.0.0/16
    NetName: WCG-BLK-1
    NetHandle: NET-64-200-0-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: STLDNS1.WCG.NET
    NameServer: TULDNS1.WCG.NET
    Comment: TO REPORT ABUSE, PLEASE CONTACT : ABUSE[at]WCG.NET
    RegDate: 2000-03-21
    Updated: 2005-07-05

    [whois.networksolutions.com]
    Registrant:
    Williams Communications Group
    111 E. 1st ST.
    Tulsa, OK 74103-2808
    US
    Domain Name: WCG.NET
    Administrative Contact:
    Center, Network Operations noc[at]wcg.net
    Wiltel Communications
    3180 Rider Trail South
    Bridgeton, MO 63045
    US
    800-934-8434
    Technical Contact:
    Center, Network Operations noc[at]wcg.net
    Wiltel Communications
    3180 Rider Trail South
    Bridgeton, MO 63045
    US
    800-934-8434
    Record expires on 12-Feb-2006.
    Record created on 11-Feb-1997.
    Database last updated on 15-Sep-2005 05:18:44 EDT.
    Domain servers in listed order:
    STLDNS1.WCG.NET 64.200.241.28
    TULDNS1.WCG.NET 64.200.255.12
    [whois.networksolutions.com]

    [OTHER (rbl.completewhois.com) whois information for WCG.NET ]
    Listed in postmaster.rfc-ignorant.org: Not supporting postmaster[at]wcg.net
    Listed in abuse.rfc-ignorant.org: Not supporting abuse[at]wcg.net
    Listed in whois.rfc-ignorant.org: Inaccurate or missing WHOIS data

    [OTHER (whois.abuse.net) whois information for WCG.NET ]
    [whois.abuse.net]
    abuse[at]wiltel.com (for wcg.net)
    abuse[at]wcg.net (for wcg.net)

rod

Archived
This topic is now archived and is closed to further replies.