Spam is a pain in the behind. But until the 12th of September 2003, it was a pain that I put up with, accepted, and dealt with using anti-spam solutions.
So, what happened on 12-09-2003? I started receiving email bounces from numerous old or non-existent email accounts. The bounces contained a copy of the email I was supposed to have sent to these addresses...and it turned out to be spam! Spammers had decided to steal my identity. Detailed here is all the information I gathered on the spammers and an account of what I did to try and stop the spam.
The typical spam email looked like this:-
Return-Path: <mcMillanpj@mcooper.demon.co.uk>
Received: from dns2.mks.net (dns1.mks.net [207.134.64.2] (may be forged))
by dns1.mks.net (8.11.6/linuxconf) with ESMTP id h8C9N9D10759
for <236@mtl.net>; Fri, 12 Sep 2003 05:23:09 -0400
Received: from trappenberg.de (93.60.33.65.cfl.rr.com [65.33.60.93])
by dns2.mks.net (8.11.6/linuxconf) with ESMTP id h8C8IAN31169
for <236@mtl.net>; Fri, 12 Sep 2003 04:18:11 -0400
MIME-Version: 1.0
Date: Fri, 12 Sep 2003 08:30:36 +0000
Message-ID: <68b501c37908$01bef367$0906a47f@jzu7tp3>
Subject: =?ISO-8859-1?b?UmU6R2VuZXJpYyBWaWFncmEgKFNpbGRlbmFmaWwgQ2l0cmF0ZSkgLSBObyBTaGlwcGluZy9QcmVzY3JpcHRpb24=?=
To: 236@mtl.net
From: "Dora McMillan" <mcMillanpj@mcooper.demon.co.uk>
Content-Type: text/html
Content-Transfer-Encoding: 8bit
<html><body>
<center><!--4natv53aw4i8--><a href="http://www.banke4.com/host/default.asp?ID=omni"><img src="http://vanline2.com/pics/gv1.gif" height="270" width="405"></a></center>
</html></body>
I started collecting all the bounce messages from all the different victim domains in the hope of tracing the person(s) responsible for these emails. Over the next few days I got more and more bounce messages, which helped in that I got a good indication of what was being sent, to which domains, using which domains, and from which source IP addresses.
The spam email contained a link to a GIF image advertising Viagra. The GIF image was hosted on the following URLs:-
http://discountrate2.com/pics/gv1.gif
http://purchasese.com/pics/gv1.gif
http://vanline2.com/pics/gv1.gif
http://visithere3.com/pics/gv1.gif
I downloaded the GIF and checked the file for owner/creator info or any other revealing information, but it was clean. The GIF image had a link on it that took you to the spammers' site where they sold the Viagra. Their sites' URLs were:-
http://www.account45.com/host/default.asp?ID=omni
http://www.account7x24.com/host/default.asp?ID=omni
http://www.banke4.com/host/default.asp?ID=omni
http://www.cardcheaper1.com/host/default.asp?ID=omni
http://www.coolfee1.com/host/default.asp?ID=omni
http://www.copyrighte.com/host/default.asp?ID=omni
http://www.currency4.com/host/default.asp?ID=omni
http://www.donat43.com/host/default.asp?ID=omni
http://www.eibs3.com/host/default.asp?ID=omni
http://www.pharmeed.com/host/default.asp?ID=omni
http://www.refer34.com/host/default.asp?ID=omni
http://www.region365.com/host/default.asp?ID=omni
http://www.remarkhere.com/host/default.asp?ID=omni
http://www.wholesale22.com/host/default.asp?ID=omni
I leeched one of their websites using wget to see if there was any information hidden in the HTML that would give away more about them, but couldn't find anything. Checking the DNS information, all the servers were being serviced by niccool.com and nicmtg.com. The upstream provider for these hosts turned out to be ChinaNet.
Doing domain lookups on all these web servers showed they were all registered through whois.paycenter.com.cn in China. All the domains turned out to have been registered by three people:-
cheng du
NO 10 North Peoples Road
cheng du Sichuan 610081
China
tel: 86 28 85056610
fax: 86 28 85056610
tianyingdde1@yahoo.com.cn
chongqing
50 da shi rd. nan an
chongqing Chongqing 400060
China
tel: 86 023 62803275
fax: 86 023 62803275
rudaifu1@yahoo.com.cn
guang zhou
1799 huang pu rd
guangzhou Guangdong 510735
China
tel: 86 020 82061321
fax: 86 020 82061321
liuqinhou23@yahoo.com.cn
Were these three identities responsible for the theft of my identity and the Viagra spam? Doing a Google web search and a deja.com Usenet search turned up numerous spam complaints about those email addresses.
So, what could I do about all this? Who could I complain to? Well, so far I'd gathered the following information:-
Their DNS registration company: Paycenter.com.cn
Their upstream provider: ChinaNet
Their email provider: Yahoo China
Contact details: Five distinct points of contact in China
I hummed and hawed as to whether to contact the spammers directly to ask/tell them to stop using my email address. On the plus side they might actually stop; on the minus side they might try and make it worse. I decided to email them, as if I got Yahoo to close their email accounts I might have to trace them all over again.
I sent this email to the spammers, and got this email from Yahoo due to their email accounts being over quota!
Interestingly, one of the email addresses ( liubing2335@yahoo.com.cn ) didn't bounce, so I assume it got to their mailbox at least, although I'll have no idea if they read it or not.
Not hearing anything back from them within 12 hours, I started to escalate the complaints. Firstly I emailed ChinaNet's abuse department with their details. I filled in the online abuse webform at directnic, the registrar for the spammers' niccool.com and nicmtg.com domains, which provided DNS services for all their other domains. I also sent an email to the abuse department at Demon, my ISP, letting them know what was going on.
Update 16-Sep-2003:
I got a good reply from directnic, stating that the niccool.com domain had been suspended but, strangely, that nicmtg.com wasn't with them, which it clearly was. I did notice, however, that the DNS servers for the nicmtg.com domain had been updated. So, as per directnic's email, I also submitted a report to ICANN's online report webform.
I got an email that really had me thinking:-
From - Tue Sep 16 14:32:43 2003
X-UIDL: 3f6711290000004f
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-path: <jeff_mcGowanqr@mu.mu>
Received: from pop3.mail.demon.net [194.217.242.253]
by localhost with POP3 (fetchmail-5.9.0)
for mcooper@localhost (single-drop); Tue, 16 Sep 2003 14:16:06 +0100 (BST)
Received: from punt-3.mail.demon.net by mailstore
for *****@mcooper.demon.co.uk id 19zFWH-0001wE-BG;
Tue, 16 Sep 2003 13:11:17 +0000
Received: from [68.57.65.149] (helo=limmat.switch.ch)
by punt-3.mail.demon.net with esmtp id 19zFWH-0001wE-BG
for *****@mcooper.demon.co.uk; Tue, 16 Sep 2003 13:05:26 +0000
MIME-Version: 1.0
Date: Tue, 16 Sep 2003 21:05:26 +0000
X-Mailer: Pegasus Mail for Win32 (v3.12a)
Subject: =?iso-8859-1?B?UmU6SG93IGRvZXMgVmlhZ3JhIHdvcms/?=
Message-ID: <1063746326.5988@mu.mu>
From: "Jeff McGowan" <jeff_mcGowanqr@mu.mu>
To: *****@mcooper.demon.co.uk
Content-Type: text/html
Content-Transfer-Encoding: 8bit
<html><body>
<center><!--c3uh7d31sfym--><a href="http://www.banke4.com/host/default.asp?ID=omni"><img src="http://purchasese.com/pics/gv1.gif" height="270" width="405"></a></center>
</html></body>
What was interesting about this email was that it was the actual spam, and it had been sent to me directly, to my main email address! Was this the spammer 'replying' to me? Had the liubing2335@yahoo.com.cn email got through??
The domain in the From address doesn't exist.
Update 17-Sep-2003:
Filled out an online abuse webform at Yahoo and got the following useless reply.
Did some more digging on Google and deja.com and found some very revealing information! It looks like the spam campaign is far greater and wider than I could ever have imagined.
I've found other people who have had their identities stolen for the same spam campaign!
Looking on news.admin.net-abuse.sightings, I've come across numerous people complaining about receiving the spam, all of it coming from differing From addresses.
Using google to search for anything matching the spam's differing Subject lines has thrown up the spam posted to a number of web pages, typically bulletin boards.
The email tianyingdde1@yahoo.com.cn pops up on a couple of message boards and bulletin boards and uncovers another domain owned by the spammers called starthere2.com, which again is served by directnic.
So far I haven't actually processed all the spam data to get an accurate picture of exactly where the spam is coming from; rather, I've concentrated on cutting off their potential revenue stream from the spam. However, looking at the mails I have and the ones in the newsgroups, it's easy to see that the number of source addresses is far more than just a bunch of throwaway dial-up accounts. I'm starting to wonder if the emails are coming from hacked or virus/worm-infected PCs?
Update 18-Sep-2003:
Found some more usenet posts of people complaining about Identity theft by the china spammer.
I haven't received a bounce in 24 hours now! Looks like either the message has got through or they've moved on to a different victim.
I've sat down and had a good look through all the bounce messages I have, which I keep in one big mbox-format file. I wrote a couple of awk scripts and split the messages out into single files so I could do some more processing on them.
So I now have some interesting stats! Of the 163 messages I have as evidence, 134 have some sort of Mailer header, and 117 have verifiable Received headers showing the source address of the mail.
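As an added illustration of that processing step (this is not the author's awk, and the sample mbox below is constructed, reusing only header shapes seen on this page), the following Python splits an mbox of bounces, decodes the MIME-encoded Subject lines so they can be searched for, and pulls the originating IP out of the Received chain. The important caveat it encodes: Received headers are prepended hop by hop, so anything below the last hop written by an MTA you control can be forged by the sender. The script therefore takes the peer address from the oldest Received line whose "by" host is in a trusted set; if you pass no trusted set it falls back to the very bottom Received line, which is what a naive script does and which a spammer can fake. The host names mx.example.org and dns2.example.net are assumptions for the sample.

```python
"""Split an mbox of bounce messages and tally their originating IPs.

Added example, not the page author's scripts. Assumes each bounce carries
the original spam's headers and that you know which MTAs you trust.
"""
import re
import mailbox
import tempfile
from collections import Counter
from email.header import decode_header, make_header

# Constructed sample: three messages, header shapes modelled on the spam
# quoted in this write-up. Hosts/IPs are documentation ranges, not real.
SAMPLE_MBOX = """\
From MAILER-DAEMON Fri Sep 12 09:23:09 2003
Received: from dns2.example.net (dns1.example.net [203.0.113.2] (may be forged))
    by mx.example.org (8.11.6) with ESMTP id h8C9N9D10759
    for <236@example.org>; Fri, 12 Sep 2003 05:23:09 -0400
Received: from trappenberg.de (93.60.33.65.cfl.rr.com [65.33.60.93])
    by dns2.example.net (8.11.6) with ESMTP id h8C8IAN31169
    for <236@example.org>; Fri, 12 Sep 2003 04:18:11 -0400
X-Mailer: Pegasus Mail for Win32 (v3.12a)
Subject: =?ISO-8859-1?b?UmU6R2VuZXJpYyBWaWFncmEgKFNpbGRlbmFmaWwgQ2l0cmF0ZSkgLSBObyBTaGlwcGluZy9QcmVzY3JpcHRpb24=?=
From: "Dora McMillan" <user@example.com>

body 1

From MAILER-DAEMON Tue Sep 16 13:05:26 2003
Received: from [198.51.100.7] (helo=limmat.example.ch)
    by mx.example.org with esmtp id 19zFWH-0001wE-BG
    for <236@example.org>; Tue, 16 Sep 2003 13:05:26 +0000
Received: from forged.invalid ([10.9.8.7])
    by mail.attacker.invalid with SMTP id 12345
Subject: =?iso-8859-1?B?UmU6SG93IGRvZXMgVmlhZ3JhIHdvcms/?=
From: "Jeff McGowan" <user2@example.com>

body 2

From MAILER-DAEMON Tue Sep 16 14:00:00 2003
Received: by mx.example.org (Postfix) id ABC123
X-Mailer: Outlook Express 6.00
Subject: plain ascii subject
From: "Nobody" <user3@example.com>

body 3
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def decoded_subject(msg):
    """Turn an RFC 2047 encoded-word Subject into plain text for searching."""
    raw = msg.get("Subject", "")
    return str(make_header(decode_header(raw)))


def originating_ip(msg, trusted_by=frozenset()):
    """Return the IP the first trusted MTA accepted the message from.

    Received headers run newest (top) to oldest (bottom). We keep only the
    lines whose 'by' host is one of ours and take the oldest of those: the
    bracketed address in it is the real TCP peer. Lines below that point were
    written by the sender and prove nothing. With no trusted set we fall back
    to the bottom line, which is exactly the forgeable value.
    """
    received = msg.get_all("Received") or []
    if trusted_by:
        trusted = [h for h in received
                   if (m := BY_HOST.search(h)) and m.group(1).lower() in trusted_by]
        chosen = trusted[-1] if trusted else None
    else:
        chosen = received[-1] if received else None
    if chosen is None:
        return None
    m = IP_IN_BRACKETS.search(chosen)
    return m.group(1) if m else None


def load_messages(mbox_path):
    """Split the mbox into individual messages (what the awk scripts did)."""
    return list(mailbox.mbox(mbox_path))


def summarize(mbox_path, trusted_by=frozenset()):
    """Count messages, Mailer headers, and verifiable source IPs."""
    trusted = {h.lower() for h in trusted_by}
    stats = {"total": 0, "with_mailer": 0, "with_source_ip": 0}
    sources = Counter()
    for msg in load_messages(mbox_path):
        stats["total"] += 1
        if msg.get("X-Mailer") or msg.get("User-Agent"):
            stats["with_mailer"] += 1
        ip = originating_ip(msg, trusted)
        if ip:
            stats["with_source_ip"] += 1
            sources[ip] += 1
    stats["sources"] = dict(sources)
    return stats


def write_sample_mbox():
    """Write the constructed sample to a temp file and return its path."""
    f = tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False)
    f.write(SAMPLE_MBOX)
    f.close()
    return f.name


if __name__ == "__main__":
    path = write_sample_mbox()
    print(summarize(path, {"mx.example.org", "dns2.example.net"}))
    print(summarize(path))  # naive version: picks up the forged 10.9.8.7
```

Run it and compare the two summaries: with the trusted set, the second message resolves to 198.51.100.7 (the host that actually connected to mx.example.org); without it, the script dutifully reports the planted 10.9.8.7. The per-IP counts are what you then feed into whois lookups.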
Once I had the source addresses, I did whois lookups on them to find out who owned each IP.
The networks involved belonged to:-
Adelphia Cable Communications
America Online
AT&T WorldNet Services
Century Telephone Enterprises
Charter Communications
Comcast Cable Communications Holdings, Inc
Eckerd College
GTE Intelligent Network Services
Infomagic
Internet America, Inc.
KMC TELECOM, INC.
Luce McQuillin Corporation
McLeodUSA Incorporated
Road Runner
ROADRUNNER
TCA Internet
TDS TELECOM
Verizon Internet Services
VIANET
Williams College Campus
CARNet dial-in access
Chello Com21
Deutsche Telekom AG
Energis UK
France Telecom
Golden Lines
INFOSTRADA
ISLnet
Kabelnettet.dk
Kimsuil
KOREA TELECOM
Oita Cable Television Broadcasting Inc.
OPTUS INTERNET - RETAIL
SOFTBANK BB CORP
Telefonica Deutschland GmbH
Telenor Business Solution AS
Tiscali BV
TTnetTurkTelekom
This means the spam came from 17 different countries, including America, Canada, Great Britain, Australia, Chile, Germany, Denmark, France, Croatia, Israel, Iceland, Italy, Japan, Korea, Netherlands, Norway, and Turkey!!
Number Country
90 US
7 KR
5 JP
4 CA
3 DE
2 NL
2 AU
1 TR
1 NO
1 IT
1 IS
1 IL
1 HR
1 GB
1 FR
1 DK
1 CL
Update 30-Sep-2003:
Received another spam from them today, directed straight to my personal email account (rather than a bounceback). As usual, the website is *still* hosted by Chinanet on the same address, with the domain again registered (on 20 September 2003) with paycenter.com.cn!! The DNS is provided by dnsmed.com this time, and they are using a new email address of wuting34s@yahoo.com.cn. The mail was sent from yet another Comcast address.
Doing some Google searches on this new information, I found another couple of domains they are using, called www.openuptheworld1.com and offroad23.com. Also another DNS provider (through directnic.net as usual), dnscoast.com.
Update 04-Oct-2003:
Received another spam directed at one of my main email addresses. This one used another new domain called ezdonethe.com, which is registered through paycenter.com.cn as usual, and complaints are showing up on Usenet. It was sent via an AT&T address.
Update 06-Oct-2003:
Another day, another spam. This time using another two new domains, safeimpro.com and set445cvddc.com (registered through paycenter.com.cn and hosted by dnsmed.com again). Rather than originating in the US, however, this one apparently came from Telia in Sweden.
Oh, and the domains were registered with another new Yahoo address, huyaofaier4@yahoo.com.cn.
This brings the total number of domains I've seen used to 25, with the most recent registered on the 27th August, proving the spammers are still up and running :(
Update 09-Oct-2003:
While playing with Google's Usenet search, I came across a search term that returned a huge number of hits regarding complaints about the spammer(s). As of the time of writing, the search was returning twenty-five thousand hits, which I think may have been capped by Google, so the possible number of people affected is quite huge if you take into account that only a certain, small, percentage of people will actually complain about it in news.admin.net-abuse.sightings.
Update 11-Oct-2003:
Received emails from two different people who, having read this web page, told me about their own spam problems with the china spammers.
Update 12-Oct-2003:
Another spam, this time from iiimm00l.com. The inline graphic uses backpac455w.com. Paycenter.com.cn and dnsmed.com as usual.
Update 28-Jan-2005:
Now working as a systems engineer for a leading UK DSL LLU company and seeing large-scale spamming of AOL.com addresses from various customers. Each time we disconnect the user, they claim it's a virus or something. With up to 500,000 AOL.com addresses being spammed at a time, advertising the domains softmmeds.com.txt and gagnermeds.com. Guess who provides DNS and web services for these domains? Yup, you guessed it ... Chinanet!
Using open relays is one thing, but using viruses/worms as spam tools? Surely that is breaking the law!!?
Came across this page on scams which mentions chinanet.
If you're interested in blocking all traffic to/from Chinanet, visit http://www.blackholes.us/zones/isp/chinanet.txt!
Update 13-Feb-2006:
Rather amusingly, I just received the following email. Basically someone ( I wonder who, lol ) bitching at me for complaining to DirectNIC about incorrect registration details. ROFL. Needless to say, I'll forward this email to Hotmail for their attention.