elind Posted December 12, 2007

Moderator Edit: extracted from http://forum.spamcop.net/forums/index.php?showtopic=8987 after seeing the conclusion that there was no relationship between this spam issue and the 'blackmail threats'

I have received several hundred spam for "Free adult chat site now open", and they are still coming in every few seconds as I write this. They all report to APLUS.NET which seems to be a legit US ISP.

On the basis of the above, I wonder if this could be related? Perhaps this is directed at APLUS.NET and I will just delete rather than continue to report and make it even worse for them.

Wazoo Posted December 12, 2007

> On the basis of the above, I wonder if this could be related?

Not sure how anyone could answer your 'question' (?) You don't show how you think that there's a connection at all. The 'blackmail threats' appear to have been made against "make-fast-money-at-home" type sites. IS this what you found at your identified APLUS site? Providing a Tracking URL would have possibly helped fill in the major missing details, starting with just what context this APLUS URL was referenced. "Report to" doesn't really define anything for me.

elind (Author) Posted December 12, 2007

I was hoping something like this was recognized. Once, some time ago there was a wave of all the same spam, but this one is still going on hours later and must be in the many hundreds now. The website in the spam is invalid, so I guess it's an attack on aplus.net for whatever reason (or me at my spamcop email, but I doubt it). If nobody else is getting them, here are the headers.

Content-Type: text/html; charset="iso-8859-1"
Return-Path: <admin[at]sweet-tequila-nights.com>
Content-Transfer-Encoding: quoted-printable
Received: from hrndva-mxlb.mail.rr.com ([10.128.255.5]) by hrndva-imta08.mail.rr.com with ESMTP id <20071211235402.MXSC26211.hrndva-imta08.mail.rr.com[at]hrndva-mxlb.mail.rr.com> for <ulind[at]tampabay.rr.com>; Tue, 11 Dec 2007 23:54:02 +0000
X-IronPort: hrndva-mx02.mail.rr.com 236862927
X-RR-Connecting-IP: 216.154.195.49
Received: from c60.cesmail.net ([216.154.195.49]) by hrndva-mxlb.mail.rr.com with ESMTP; 11 Dec 2007 23:54:02 +0000
Received: from unknown (HELO beta.cesmail.net) ([192.168.1.150]) by c60.cesmail.net with SMTP; 11 Dec 2007 18:54:02 -0500
Received: (qmail 13147 invoked by uid 0); 11 Dec 2007 23:54:01 -0000
Message-ID: <20071211235401.13146.qmail[at]beta.cesmail.net>
Delivered-To: spamcop-net-xxxxxxxx[at]spamcop.net
Received: (qmail 20815 invoked from network); 11 Dec 2007 23:53:34 -0000
X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on filter7
X-spam-Level: *********************
X-spam-Status: hits=21.2 tests=FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,HEAD_ILLEGAL_CHARS,HTML_FONT_SIZE_LARGE,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MISSING_MID,MISSING_MIMEOLE,MPART_ALT_DIFF,RCVD_NUMERIC_HELO,RDNS_DYNAMIC,SARE_BADGIRLS,SARE_UNSUB18,SUBJ_ALL_CAPS version=3.2.3
Received: from unknown (192.168.1.107) by filter7.cesmail.net with QMQP; 11 Dec 2007 23:53:34 -0000
Received: from 69-64-89-90.dedicated.abac.net (HELO 69.64.89.90) (69.64.89.90) by mx70.cesmail.net with SMTP; 11 Dec 2007 23:53:34 -0000
From: =?iso-8859-1?B?ROsv76Pup2ggxfFH66M=?= <admin[at]sweet-tequila-nights.com>
Reply-To: =?iso-8859-1?B?ROsv76Pup2ggxfFH66M=?= <admin[at]sweet-tequila-nights.com>
To: <xxxxx[at]spamcop.net>
X-MSK: Off
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Subject: FREE ADULT CHAT SITE NOW OPEN!
Date: Tue, 11 Dec 2007 20:44:46 -0300
X-Mailer: Microsoft Outlook, Build 10.0.2616
MIME-Version: 1.0
X-Priority: 3

Wazoo Posted December 12, 2007

> If nobody else is getting them, here are the headers.

Sorry ... I don't see any connection whatsoever with the subject of this Topic. Your APLUS.NET seems to be the e-mail address/Domain of the contact for the current owner of the 69.64.64.0/19 IP Block ... hardly a "web-site" .... You offer up the headers of an e-mail, talk about the abuse contact point for the source of that e-mail .... This Topic was about the threatened inclusion of a URL within spam e-mails (look up the term spamvertised in the Glossary or Wiki) .... there is no connection at this point between your query, sample, and the actual Topic here.

elind (Author) Posted December 12, 2007

Seems you are more interested in finding reason to dismiss a post than address it. Yes, it is not the same in that it is not an inclusion of a web site in an email, but it would appear to be a malicious attack against an ISP which seem to be common with the thread and it uses my spamcop email address, unless it is something dumber, like a programming error.

The spamcop tracing labels it as an open proxy, and a little further searching also finds a company called Abacus which is hosted by Aplus.net and that company also has a few google hits that cause some suspicion as to what business they are really in.

However, in all my years with spamcop I have never seen a surge like this. It suddenly shut off somewhere around 3 am this morning, but by then I had received well over 500 identical spam pointing to a non existent web site.

I had hoped someone else might also have received them or at least had more information to satisfy my curiosity. Instead I get a petty analysis as to why the question is technically not identical to the thread topic. Forget it.

Farelf Posted December 12, 2007

Elind, I think the point is that you might get more response if this was in its own topic. Anyone having a similar experience might have passed by this part of the discussion, perhaps not even reading it. I will give you the option, do you want this split off into its own topic?

69-64-89-90.dedicated.abac.net was certainly well and truly listed last I saw and I would interpret that to mean they were compromised somehow. So sure, they are under attack, the same way as every other service is. And aplus.net has its share of detractors as you note - see also the reviewer comments for http://www.siteadvisor.com/sites/aplus.net - I'm not sure they deserve any sympathy but reports can only help them track down the injection point, if they have a mind to do that.

Wazoo Posted December 13, 2007

At one moment in time, I actually had the line "Moderator Edit: extracted from <this Topic>" edited into elind's first post here ... had all the relating posts tagged and was actually going to "split out and move" this whole section .... that is until it came time to give it a new Subject Line/Title and select a location .... Based on the limited data provided .....

It wasn't a Reporting issue - addresses involved matched the header sample provided
It wasn't a SpamCopDNSBL issue
It wasn't a spam submittal issue, as it was stated that report targets were generated and had been sent
It wasn't a Lounge issue, based on that the query seemed to be about tying this spam to the 'blackmail threats'
It definitely had nothing to do with a SpamCop.net e-mail account problem

It was at this point that I re-edited elind's initial post to remove my 'extracted from' note ... posted my last 'there is no connection' post. And for all that, someone feels rejected/ignored/slighted ?????

> Seems you are more interested in finding reason to dismiss a post than address it.

Issue was addressed in the framework of trying to join your query to the Topic it was posted into and painted as a question about that relationship.

> Yes, it is not the same in that it is not an inclusion of a web site in an email, but it would appear to be a malicious attack against an ISP which seem to be common with the thread

?? I don't follow that at all. Topic was started about an e-mail received that threatened possible action against web-sites. The only thing you've offered thus far is a spam e-mail header that would seem to be pointed to the person/entity in charge of an IPA Block as far as reporting goes. Where are the similarities?

> The spamcop tracing labels it as an open proxy,

Someone else lists 'open proxies' ... the parsing tool checks those other lists.

> and a little further searching also finds a company called Abacus which is hosted by Aplus.net

Yes, that's the way the SpamCop.net Parsing & Reporting code works ...

> However, in all my years with spamcop I have never seen a surge like this. It suddenly shut off somewhere around 3 am this morning, but by then I had received well over 500 identical spam pointing to a non existent web site.

Funny, I see it all the time. There are multiple instances of folks posting about seemingly similar instances, some are the spam recipients, others are the folks wondering why their e-mail (server) has been blocked .. on and on ..

> I had hoped someone else might also have received them or at least had more information to satisfy my curiosity. Instead I get a petty analysis as to why the question is technically not identical to the thread topic.

My focus was on trying to sort out why you wanted to see a connection between your spam and the 'blackmail threats' that the Topic was actually about. At this point, it sounds like a Post into the Lounge area with the actual questions you are wondering about would have generated a totally different kind of response ... maybe even from 'all those others that should have seen your spam' .... At this point, I'm not sure just what your question really is. I don't see anything 'new' in your described scenario.

Wazoo Posted December 13, 2007

elind's 'new' Topic split out from where it was originally posted to 'here' .. PM sent to advise of this action.

As far as the question has anyone else seen this please see the SpamCop newsgroup traffic at [scspamcop] Whoa! 2000+ spam mails within hours! Andrew Engels Rump (formerly Leif Andrew Rump) and the following traffic.

Farelf Posted December 13, 2007

While sweet-tequila-nights is presently NXD, Googling shows there was such a sleaze-pit until recently, record at http://www.dynadot.com/domain/whois.html?d...uila-nights.com. Maybe the fallout from the ad campaign got it shut down (momentarily)?

agsteele Posted December 13, 2007

> Moderator Edit: extracted from I have received several hundred spam for "Free adult chat site now open", and they are still coming in every few seconds as I write this.

I received 1987 copies of this item between 10pm and 8am this morning. I simply reported them all before reading this thread so cannot offer any analysis. Whether the source is a legit ISP or not I could not say from the data available but, either way, they need to know what's going on...

The source IP appears to be 69.64.89.90 which is managed by aplus.net the company that owns A+ is something called Abacus America Inc. Senderbase shows a 1263% increase in mail volumes so they have a problem. The ip is already listed in cbl.abuseat.org

Andrew

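How the source IP 69.64.89.90 named in the post above falls out of the Received chain elind posted earlier in the thread, shown as an added example (it is not part of any poster's message and is not SpamCop's parser). The trusted-relay suffixes and the function name `trace_source` are assumptions made for this sketch; the Received lines are copied from the thread, with the id/for clauses of the first one trimmed.

```python
import ipaddress
import re
from email import message_from_string

# Received chain copied from the headers posted in this thread (newest hop first);
# the id/for clauses of the first line are trimmed for width.
RAW = """\
Received: from hrndva-mxlb.mail.rr.com ([10.128.255.5]) by hrndva-imta08.mail.rr.com with ESMTP; Tue, 11 Dec 2007 23:54:02 +0000
Received: from c60.cesmail.net ([216.154.195.49]) by hrndva-mxlb.mail.rr.com with ESMTP; 11 Dec 2007 23:54:02 +0000
Received: from unknown (HELO beta.cesmail.net) ([192.168.1.150]) by c60.cesmail.net with SMTP; 11 Dec 2007 18:54:02 -0500
Received: (qmail 13147 invoked by uid 0); 11 Dec 2007 23:54:01 -0000
Received: (qmail 20815 invoked from network); 11 Dec 2007 23:53:34 -0000
Received: from unknown (192.168.1.107) by filter7.cesmail.net with QMQP; 11 Dec 2007 23:53:34 -0000
Received: from 69-64-89-90.dedicated.abac.net (HELO 69.64.89.90) (69.64.89.90) by mx70.cesmail.net with SMTP; 11 Dec 2007 23:53:34 -0000
Subject: FREE ADULT CHAT SITE NOW OPEN!

(body omitted)
"""

# Assumption: relays on the recipient's own mail path, read off the sample's hostnames.
# Trust here is by hostname suffix; a real deployment would pin the relays' IP addresses.
TRUSTED = (".cesmail.net", ".mail.rr.com")
HOP = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.S)
# Peer address logged by the receiving server in (...) or [...]; a bare HELO string is not matched.
PEER = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def trace_source(raw, trusted=TRUSTED):
    """Return (source_ip, hops) using only Received lines written by trusted relays."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.match(value.strip())
        if not m:
            continue  # local hand-off, e.g. "(qmail 13147 invoked by uid 0)"
        by_host = m.group(2).lower().rstrip(";")
        if not by_host.endswith(trusted):
            break  # this line and everything below it could have been forged by the sender
        peers = PEER.findall(m.group(1))
        if peers:
            ip = ipaddress.ip_address(peers[-1])
            hops.append((str(ip), by_host, ip.is_private))
    # The oldest trusted line records who handed the message to the trusted path.
    return (hops[-1][0] if hops else None), hops

if __name__ == "__main__":
    source, hops = trace_source(RAW)
    for ip, by_host, internal in hops:
        print(f"{ip:<16} logged by {by_host:<28} {'internal' if internal else 'external'}")
    print("source:", source)
```

The three private-range hops are internal relays at rr.com and cesmail.net; only the address logged by mx70.cesmail.net is the outside host, which is why reports go to the owner of that IP block rather than to the domain in the From line.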