Should I have reported my ISP for spamming me?

[kae]

This email was received by my ISP email address that I don't give out or use on the internet. I don't opt-in, I don't subscribe to anything with it. I use another account on another ISP for all that trash. Anyway, I've started to receive some spam messages on this email account (very few and very far between, but I've received a few and I've reported them). In the past few months, I've received more, not tons, but more. Where I used to get one a year, it seems that in the past month or two I've gotten two or three spam emails. Yeah, I know I'm whining about this, but I figure that someone has finally scooped my "unadvertised" email from somewhere and added it to a spam list and now my ISP has my email address on their spam list. Anyway, I digress....

You can check out the spam yourself at: Spamcop report

I added comments to my spam report which went like this:

While I am a <my ISP> customer, I have never opt-in'ed this email address for marketing email. If <my ISP> sent this to me as a customer, they didn't use my <my ISP> assigned email address registered with <my ISP> customer accounts and billing which is a completely different <my ISP> email address. If this is advertising from <my ISP> or their marketing department/advertisers, I suspect that they recently pulled in an email-marketing list in which this email addressed appeared, but for which the email list providers unscrupulously obtained their email addresses. I believe there will be no proof that I subscribed with this email address.

Recently, I have seen a sudden increase of spam coming to this email address. I suspect the email [sic] has finally been peddled into a higher marketing email list and will soon be inundated with spam.

I'm not sure why I've removed personal information since there appears to be personal information all over the spam headers, but I figured that it was the "right" thing to do, however futile.

I received an email at my unadvertised ISP email address that was advertising my ISP's services. At first I wasn't going to report it because I thought that it might be just a service announcement from my ISP, but it wasn't sent to my ISP assigned email address, which is where I receive all email from my ISP. Instead, it was sent to an email address that I created when I joined. I've never given the email address out and only occasionally (like maybe once a year) I get something that's like spam.

I did some nslookups and some whois lookups to see if the IP address was associated with my ISP. I had a hard time linking the IP address to my ISP, so I started thinking that this may be from some advertiser that they hired to spam for them. The funny thing was the email came from a domain that was like <my ISP>info.com or something.

Anyway, I tossed the thought around in my head (yeah, it's pretty empty up there) and I decided to report it and low and behold my ISP responded with some email asking me for more information saying that they were going to get to the bottom of this and investigate. Here is the email asking for my participation. The names have been changed to protect the guilty.

This is <his name> from <my ISP>! Internet, Cable and Phone Abuse Department. I received your SpamCop complaint regarding a spam message that originated from <my ISP>!. I spoke with our marketing department, and they reassured me that they do not message people’s alternate emails unless they opt-in.

I would like to work with you and see exactly how this issue has come up. Can you please send me the email address that this spam message was sent to, and also send me your <ISP>.com email address? From there, we will investigate the issue.

Sincerely,

<his name>

<my ISP>! Security Engineer

So, I'm an idiot and I responded to them using my real email address at my ISP and thinking that his is really interested in figuring this out. I'm an idiot on three counts.

1. I'm thinking that they are going to do something.
   
2. I sent email using my unadvertised ISP email account.
   
3. My email address is all over the headers because the marketing department tears it apart and uses it in the header for bounces. Why did he ask me for my email in the first place? If spamcop sends him a link to the message, then he already had all the information he needed.
   

It doesn't take a rocket scientist to figure this out. Even an empty headed idiot like me can figure this out albeit, after the fact.

This is his response:

Mr. <my name>,

When it comes to email advertisements coming from <my ISP>!, we send them to all <my ISP>.com and <another domain they own>.com domains. Every email has a link to opt-out of receiving additional marketing emails. I’m not sure why you haven’t seen them on your <my email address> account. However, we have not sent out many emails recently. If you created that account fairly recently, you may not have received one yet.

If you do decide to opt-out your <my email address>, keep in mind that this only affects marketing emails. Any changes to policies, issues or problems will still be emailed to the account.

If you have any other questions, feel free to email me back.

Sincerely,

<his name>

<my ISP>! Security Engineer

Now his first email asking for my cooperation in his investigation told me in no uncertain terms that the marketing department doesn't spam anyone that hasn't opt'd in. I know he read my response because he says that the marketing department doesn't send spam to "alternate" email accounts. He obviously knows that the email account that I'm reporting is an "alternate" account and not my "main", "ISP assigned" email address. His response tells me that they spam their own customers until they opt out, which is a violation of their own terms of use.

Sounds like a We just make the rules, we don't have to follow them kind of operation to me.

Anyway, I sent him this response.

Dear <his name>,

Are you continuing to investigate this issue or is this the end of your investigation?

I have had my <email> account since I became a <ISP> customer, which I think was either the summer of 2001 or 2002. The only <ISP> advertisements, policy changes, issues or problem emails that I've ever gotten have always gone to my <ISP assigned email> account which is the account that was given to me by <ISP>. All other accounts (except one) were changed to different email addresses. I haven't received any advertisements from <ISP> on any of my other email logins at <ISP> except the <ISP assigned> address. I have reported some advertisements that I've gotten on the <unadvertised email> account to spamcop, but they weren't from <ISP>. The reason that I report advertisements on my <unadvertised email> account is that I never use that account to subscribe to any email or "opt-in" lists. So any advertisements that come to the <unadvertised email> account are unsolicited. This is why I mentioned in my response that I was hesitant to report this advertisement. This last sentence doesn't make sense here, but I think I was thinking that I shouldn't report it because it was reporting new services or something.

I don't believe that I have ever reported <ISP> marketing emails that come to the <ISP assigned> account and I wouldn't report <ISP> policy, issues or other problems that are emailed to me on any email account I have with <ISP> since they are not advertisements. I can't remember now, but i may have opt'd out of marketing emails for the <ISP assigned> account.

Since I've never received any marketing email from <ISP> on any of my email accounts except the <ISP assigned email> account, I've never had to opt-in or opt-out those other email accounts.

I do have a few questions though.

Does the <ISP> marketing department send marketing email advertisements to anyone other than their <ISP> or <other ISP domain> customers? If so, where does the marketing department obtain those email addresses? Are they sure that those email addresses are valid "opt-in" addresses or are they just generated email addresses or scanned email addresses? It's common for unscrupulous businesses to build email databases by generating email addresses or using a website entry form that does no checking or validation that the holder of the email account even wants advertisement email. They can then sell those addresses to others as "opt-in" lists. Is the marketing department sure they haven't gotten email addresses from those kinds of lists?

If the marketing department sends <ISP> email advertisements to all users on both <ISP> and <other ISP domain> domains, why didn't I get five copies of the advertisement (one for each email account that I have)? Maybe marketing sends only one email per customer, but I'm still very suspicious that the email address came from an invalid "opt-in" email list. If I "opt-out" of the <ISP> marketing distribution list for one email address, then does that mean that marketing will just choose the next email address in the customer's list of five email addresses that have not been opt'd-out?

Does <ISP> keep a list of email addresses that have opt'd out and when they opt'd out? If so, have you checked to see if I have opt'd out the <ISP assigned> email address or any of my <ISP> email addresses?

Doesn't including and using the <ISP> customer email list to send marketing advertisements mean that <ISP> does use distribution lists that include people who have not given their permission to be included in such a distribution process? It's a violation for customer's to do that, but is that okay for <ISP> marketing?

I still feel that reporting the <ISP> email advertisement was the right thing to do since I didn't "opt-in" to advertisements on that account.

Thank you.

<my name>

I guess I'm wondering if I did the right thing to report it or if I should have just deleted it. I think I'm a little too miffed about this to be objective.

If they aren't spamming, then why did they setup a different domain that isn't linked (or at least I couldn't see that it was linked) to their own domain? Why don't they send the "opt-in" and "valid" emails from their own domain? Seems fishy to me.

What is your opinion?

[Telarin]

Wow, thats a tough call...

On one hand, you have an existing business relationship with them, and have not specifically asked them not to send you spam, so I would say no, don't report it unless you ask them not to send it and they keep sending it.

On the other hand, its a violation of their own terms of service, and it is unsolicited, so I would say report away.

This falls into a pretty grey area, I'd be interested to hear what the deputies had to say on the matter.

[kae]

That's why I debated on what to do.

I get spam advertising DirecTV all the time. I have a relationship with DirecTV too, but those advertisements don't come from DirecTV they come from some unknown IP addresses, so I report them.

I decided that if I could see that the IP address was owned by my ISP, then I wouldn't report it. I started doing nslookups and whois lookups to figure out who owned the IP(69.45.17.228) that it came from.

The thing that made my decision was that the IP address that it came from didn't look like it was owned by my ISP but by some other organization named level3.com.

The links to unsubscribe pointed to this other organization even though the advertising links pointed to my ISP, so I decided that I would report it.

I wasn't too surprised when the spamcop parse came up with the abuse address of my ISP because there were html links in the email pointing to my ISP's web data.

I'm interested to hear what the deputies have to say too.

As of now, I still think that I should have reported it, but only because I couldn't link the info domain name with my ISP (nslookup and whois are probably not the best tools to use to find domain ownership). If I could have linked it to my ISP, then I would have just unsubscribed and not reported it.

I'm just interested in what the "right" course of action should have been.

I got this email from my ISP's Security Engineer so I guess I'll see what they say.

I have forwarded your questions and concerns to our marketing department for further investigation. I will update you when I get a reply from them.

I'm thinking that my ISP hired a firm to do email advertisement for them, but that is total speculation on my part. It still could be an organization in the ISP. I think they have concentric do their billing and online account status.

[Telarin]

ARIN shows that that netblock belongs to Interland.

http://ws.arin.net/whois/?queryinput=64.45.17.228 returns:

OrgName: Interland, Inc.

OrgID: INTD

Address: 101 Marietta Street

City: Atlanta

StateProv: GA

PostalCode: 30039

Country: US

NetRange: 64.45.0.0 - 64.45.63.255

CIDR: 64.45.0.0/18

NetName: NETLIMITED-3

NetHandle: NET-64-45-0-0-1

Parent: NET-64-0-0-0-0

NetType: Direct Allocation

NameServer: DNS1.NETSERVERS.NET

NameServer: DNS2.NETSERVERS.NET

Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

Comment:

RegDate: 2000-02-24

Updated: 2004-06-07

OrgAbuseHandle: ABUSE579-ARIN

OrgAbuseName: ABUSE

OrgAbusePhone: +1-404-260-8434

OrgAbuseEmail: abuse[at]interland.com

OrgTechHandle: ASNAD3-ARIN

OrgTechName: ASNADMIN

OrgTechPhone: +1-404-260-8434

OrgTechEmail: asnadmin[at]interland.com

# ARIN WHOIS database, last updated 2006-08-21 19:10

# Enter ? for additional hints on searching ARIN's WHOIS database.

[kae]

I didn't see interland when I searched. Maybe I'm doing the wrong thing to lookup information; however, it seemed to match the spamcop parse pretty close though.

This is the command I ran:

$ whois -h whois.arin.net 69.45.17.228

Level 3 Communications, Inc. LVLT-ORG-69-44 (NET-69-44-0-0-1)

69.44.0.0 - 69.45.255.255

Endai Corporation WLCO-TWC02085640-ENDAI-NETWORKS (NET-69-45-16-0-1)

69.45.16.0 - 69.45.17.255

I followed that with these two commands to see information on both networks:

$ whois -h whois.arin.net !NET-69-44-0-0-1

$ whois -h whois.arin.net !NET-69-45-16-0-1

That's where I saw the abuse addresses for level3.com. All the email for Endai seemed to go to the same email address.

I should probably stop using whois.

[Telarin]

Ok, yeah, I'm an idiot... That was a 69, not a 64... You are correct, it is Endai Corporation. Abuse address listed in arin is sysops+arin[at]endai.com... Hmm is a '+' a valid character in email? I might consider trying abuse[at]endai.com. Level3 is a very large top tier provider, and would be their upstream.

[Wazoo]

Hmm is a '+' a valid character in email?

Technically valid, but not universally supported. Some apps (both server and client) need to be configured to allow/recognise it, some won't handle it at all .....

[StevenUnderwood]

Technically valid, but not universally supported. Some apps (both server and client) need to be configured to allow/recognise it, some won't handle it at all .....

SpamCop EMAIL systems supports it, but as mentioned, I have found many automated address checkers barf on the + character.

[kae]

I got this email from the head of security.

Mr. <my name>,

At this time, we do not send e-mails to anyone other than our current customer base. We are researching as to why only one of your accounts received the e-mail, when all <ISP>! e-mails that have not unsubscribed should have received that e-mail. We appreciate you bringing this to our attention so we can research what happened.

All <ISP>! e-mail accounts must unsubscribe individually but please let us know all of your e-mail addresses with <ISP>! and we will unsubscribe them from any future solicitation e-mails. Again, we appreciate you bringing to our attention an issue that needs addressed.

Sincerely,

<His Name>

<ISP>! Security Engineer

I had to wonder if this guy was really working for my ISP or not, so I called my ISP and verified that yes indeed he was the head of security. It surprised me that he needed to ask me for my email addresses and couldn't get them on his own. Hmmm.... Strange.

It worries me when he says "we appreciate you bringing this to our attention so we can research what happened" and "we appreciate you bringing to our attention an issue that needs addressed." It makes me wonder if they'll just make sure that every possible customer email address gets the email. It would help if they made it clear that they have this other company that does their marketing.

My reply was this.

Mr. <His Name>,

I thought you might be able to see my email addresses in my E-mail Accounts information, but I found out that I can't even see my secondary email accounts on the "E-Mail & Web Maintenance" page. Should I be able to see them?

All email accounts end in [at]<ISP>. Here is the list:

1) <Email-1> - Assigned by <ISP>

2) <Email-2>

3) <Email-3>

4) <Email-4>

5) <Email-5> - Assigned by <ISP>

I've had all of these accounts since I started with <ISP>.

I wanted to let you know why the email got reported. I would not have reported it if I had known for sure that it came from <ISP>. Here are the steps I took to decide if the email came from <ISP>or not.

1) The source IP address (69.45.17.228) was not owned by <ISP>, but another entity named Endai Corporation.

2) The nameserver information for wowwayinfo.com returns an IP address that is in an address block assigned to Endai Corporation.

3) The marketing email removal links pointed to wowwayinfo.com instead of <ISP domain name> or <ISP 2nd domain name>. I was not sure if this would remove me or if it would just confirm that this email address is valid (opening it up to more unsolicited email).

4) I actually typed http://www.wowwayinfo.com into a browser and got a sparse looking page that didn't say anything about <ISP domain name> or <2nd ISP domain name>.

5) The domain registration of wowwayinfo.com was different than the registration for <ISP domain name> and <2nd ISP domain name>. The contact information of wowwayinfo.com pointed to email at the wowwayinfo.com domain instead of to an email address at <ISP domain> or <2nd ISP domain>.

I reported it because I couldn't link it to <ISP>, so my assumption was that some other third party had gotten my email address and started sending me advertisements. As I said earlier, I had gotten unsolicited email advertisements at that address before. I assumed this was another one that just happened to have advertising for <ISP> in it. In cases like this, I would even question the contents of the email being legitimate.

Anyway, that was my thought process and steps I took to try to investigate before reporting it.

Thank you for your time and effort in this matter.

-<My Name>

[Miss Betsy]

I got this email from the head of security.I had to wonder if this guy was really working for my ISP or not, so I called my ISP and verified that yes indeed he was the head of security. It surprised me that he needed to ask me for my email addresses and couldn't get them on his own. Hmmm.... Strange.

It worries me when he says "we appreciate you bringing this to our attention so we can research what happened" and "we appreciate you bringing to our attention an issue that needs addressed." It makes me wonder if they'll just make sure that every possible customer email address gets the email. It would help if they made it clear that they have this other company that does their marketing.

<snip>

I think that they request the email addresses as part of verifying that you are who you say you are.

They want to say as little as possible about what is happening because that's the way 'security' is - the less anyone knows about how things work, the easier it is to secure them.

Also, ISTM that many in the technical field automatically assume that customers don't know anything and are better off knowing nothing because if they discover something, they won't understand it and then they will complain.

IMHO, it would have been better to skip the spamcop report and write your letter to your ISP directly to the ISP. In fact, any entity that you have had prior dealings with, IMHO, that you think is spamming should be dealt with directly. It has nothing to do with spamcop rules. I just think it is more effective.

Miss Betsy

[agsteele]

It seems to me that the Head of Security is genuinely attempting to assist the OP and it doesn't, to me, sound like list-washing although that is what will happen.

Given the existing business relationship I'd take the offer to find out how the problem arose as genuine and assist him with whatever reasonable information he requests.

Andrew

[kae]

Also, ISTM that many in the technical field automatically assume that customers don't know anything and are better off knowing nothing because if they discover something, they won't understand it and then they will complain.

IMHO, it would have been better to skip the spamcop report and write your letter to your ISP directly to the ISP. In fact, any entity that you have had prior dealings with, IMHO, that you think is spamming should be dealt with directly. It has nothing to do with spamcop rules. I just think it is more effective.

You are right. A few years ago, I was getting a lot of spam advertising DirecTV and I sent some of it to DirecTV asking if they were sending it to me. They said no, they don't advertise that way, so I started reporting the spam figuring that it wasn't DirecTV.

I should extend the same courtesy to any entity that I've had prior dealings. They may not know that their service is being advertised by spamming and it lets them investigate their own marketing and advertising.

From the last coorespondence I'm not sure I'll hear from them again, but if I do I'll also take Andrew's advice and assist them in any way they need.

Thanks Miss. Betsy and Andrew

Actually, thanks to everyone that responded.

[Wazoo]

You are right. A few years ago, I was getting a lot of spam advertising DirecTV and I sent some of it to DirecTV asking if they were sending it to me. They said no, they don't advertise that way, so I started reporting the spam figuring that it wasn't DirecTV.

Another side to that story was the campaign from other SpamCop.net users (there were other folks for sure, buit that would require hitting the repositories of the NANAE newsgroup) that went wild trying to explain to the Corporate and Legal folks at DirectTV that their sitting back and allowing their "affiliates" to continue to spam was just plain stupid. They finally got a clue ....

[rooster]

I’ve been curious about this thread since I happened on it a couple of days ago; and waiting in hope someone would chime in at least a passing reference to something that doesn’t quite compute to the dilettante, "probably-should-stick-to-something-he-knows-something-about"-type spamjammer like me. Reason being; without that one wrinkle, Kae’s dilemma viz his ISP is not hard to explain … at least in theory. Why his ISP’s engineer avoided mentioning it, pretty much convinces me I am blind to something so obvious to everyone else that it doesn’t even deserve mention.

Posted by: Kae

This email was received by my ISP email address that I don't give out or use on the internet. I don't opt-in, I don't subscribe to anything with it. I use another account on another ISP for all that trash.

Then there is the header itself:

Fri, 18 Aug 2006 23:17:39 CDT

Received: (qmail 10552 invoked by uid 0); 19 Aug 2006 03:55:03 -0000

Date: 19 Aug 2006 03:55:03 -0000

Message-ID: <2006__________________mail[at]mta1.wowwayinfo.com>

If this little spittle of spam was, “received by [Kae’s] ISP email address”, how/where does this nomination of a gmail account fit into the picture?

rooster

boundary bay, bc

[StevenUnderwood]

If this little spittle of spam was, “received by [Kae’s] ISP email address”, how/where does this nomination of a gmail account fit into the picture?

That is not gmail, it is qmail (QMAIL) which is a mail server application. Easy enough mistake to make, however.