Saturday, October 31, 2009
What's with Hinet.net?
"Why is my ISP blocking Hinet.net senders?" someone asked on my contact form. I replied:
Hello [name], thanks for filling out the form. Your email address is on the sbcglobal.net domain. Most of those are outsourced by AT&T to Yahoo Inc. The rest are managed by AT&T internally.
I am fairly sure Yahoo and AT&T do not use my lists. Therefore, I have no control over whether you can receive email from Hinet.net senders.
The Hinet.net domain belongs to Chunghwa Telecom Co., Ltd. According to Spamhaus.org (very authoritative), Chunghwa a/k/a Hinet is the #4 spammer service company in the world. Like most Asian phone companies, they take nationalistic pride in ignoring complaints from the West. (Mainland China and South Korea are equally imperious, and Viet Nam is even worse.) So lots of email systems in the West are blocking Hinet. It is not to make a political statement. We know Hinet does not care, and does not take protesters seriously. It is a simple mechanical defense against the ongoing spam attack by Hinet's spammers.
So you can tell your friends in Taiwan this:
Hinet is what we call a "rogue network." Hinet seems to believe the rules of the Internet do not apply to Hinet. As long as Hinet is on the Spamhaus top ten list, lots of networks all over the world are going to block email from there. Hinet needs to change the way it does business. That is not going to happen fast, so your friends need to use some other company for their email if they want to send reliably.
Best wishes. Sorry to bring you bad news.
-Cameron in San Jose.
Friday, October 02, 2009
We seem to get blocked a lot. But we love our ISP! RFC-Ignorant.org.
- A progressive activist mentioned her org's email tended to get blocked a lot. It seems to her all these ISPs are "warring" over spam emissions and they're all the same. I replied something like so.
There is a simple, widely recognized standard for contact addresses. It was published by the technical governing body of the Internet a dozen years ago, and it only formalized a tradition that was a dozen years old then. The standard is called Internet Engineering Task Force RFC2142. It says if you run a domain where there are things that can be abused, you are supposed to have an "abuse" email address on that domain for reporting said abuse. And you're supposed to have "postmaster" for reporting email issues.
Now, people who have no idea how the Internet works will tell you that there are no standards, or no standards body, or the real standards body is some corporation (Google, cisco, Microsoft...) or "RFC just stands for Request for Comment, they don't really mean anything", but that just shows their ignorance. The Internet works because people who know what they are doing voluntarily comply with the IETF's RFCs, including 2142. It's the greatest demonstration of functional anarchy, as far as I know, in all of human history.
IETF RFC2142 is so important in tracking and dealing with email abuse that there is a clearinghouse which keeps track of domains that fail. Unfortunately, the volunteers who set it up chose its name poorly, so that people who don't understand how the Internet works don't take it seriously, or even take offense at its name! Nevertheless, RFC-Ignorant.org has outlasted much more corporate or "professional" operations like Mail Abuse Prevention System, Open Relay Database, and plenty of others.
My fellow activist's ISP's domain name is listed at RFC-Ignorant.org. In fact, the evidence for the listing was submitted by me! I do that when I can't figure out where to report spam from a network, because its standard contact addresses bounce my spam report. I report most of the spam that reaches my mailbox, maybe a dozen a day. (I use tools. It's quick.) I report one or two domains to RFC-I each day, on average.
- Usually you see RFC-I listings on "resellers" or "virtual ISPs," that is marketing organizations that put their brand on a wholesale ISP's service.
- Sometimes you see RFC-I listings on Microsoft-oriented ISPs. It seems if you only took Microsoft training courses, you have "admin@example.net" (there is no "admin" in RFC2142) and no abuse or postmaster.
- Sometimes you see RFC-I listings on school districts, and small businesses that let some consultant set up their email service and don't have anyone around who knows how it works.
She said, "But every week there are a couple of new ones, or old ones that were once fixed that pop us again and have to be dealt with."
That's happening because her ISP has not been good at controlling spamming from its network. When the RFC2142 addresses don't work, or are listed as not working, you don't get the most detailed and timely reports. So you take longer to discover a spam source on your network.
Not that an RFC-I listing is the be-all and end-all of ISP ratings. But it tends to be a remarkably reliable indicator. Top-notch ISPs are hardly ever listed, with a handful of very large exceptions, while low-ballers and bumblers usually are.
Everybody gets in block lists occasionally. Verizon blocked all of Europe for a couple of weeks. But if it's happening regularly, your ISP really is doing something wrong.
Sorry if that's not what you wanted to hear.
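The RFC 2142 point above is easy to audit on your own mail system. The following is an added example, not code from the original post: it parses a constructed Postfix-style virtual alias table (one "address target" pair per line) and reports, for each domain in it, whether postmaster and abuse exist and go somewhere other than a black hole. The domains, aliases and the BLACKHOLES list are assumptions made up for the example.

```python
"""Audit an alias table for the RFC 2142 contact mailboxes.

Added example, not code from the original post.  Input is a constructed
Postfix virtual(5)-style table; the domains in it are made up.
"""
import re
from collections import defaultdict

# postmaster (RFC 5321) and abuse (RFC 2142).  "admin" is deliberately
# absent: it is not in RFC 2142, which is the point the post makes.
REQUIRED = ("postmaster", "abuse")

# Targets that accept mail but deliver it nowhere.  Listing one of these is
# functionally the same as having no mailbox.  Assumed set for the example.
BLACKHOLES = {"/dev/null", ":blackhole:", "devnull", "discard"}

# Constructed sample alias table (not real domains or addresses).
SAMPLE_ALIASES = """
# address                  -> who actually reads it
postmaster@example.net        ops@example.net
abuse@example.net             ops@example.net
admin@reseller.example        helpdesk@reseller.example
postmaster@reseller.example   /dev/null
abuse@school.example          itadmin@school.example
"""

LINE_RE = re.compile(r"^(\S+)@(\S+)\s+(\S+)$")


def parse_aliases(text):
    """Return {domain: {local_part: target}} from a virtual alias table."""
    table = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable alias line: {raw!r}")
        local, domain, target = m.groups()
        table[domain.lower()][local.lower()] = target
    return dict(table)


def check_domain(domain, aliases):
    """Return the RFC 2142 problems for one domain ([] when compliant).

    A required mailbox counts as broken if it is absent or is routed to a
    black hole; both look the same to someone sending a spam report.
    """
    problems = []
    for name in REQUIRED:
        target = aliases.get(name)
        if target is None:
            problems.append(f"{name}@{domain}: missing")
        elif target.lower() in BLACKHOLES:
            problems.append(f"{name}@{domain}: discarded ({target})")
    return problems


def audit(text):
    """Map every domain in the table to its list of problems."""
    table = parse_aliases(text)
    return {d: check_domain(d, a) for d, a in table.items()}


if __name__ == "__main__":
    for domain, problems in audit(SAMPLE_ALIASES).items():
        print(f"{domain}: {'ok' if not problems else '; '.join(problems)}")
```

Run as-is it reports example.net as ok, reseller.example with postmaster discarded and abuse missing, and school.example with postmaster missing; the same check applied to a real alias table is the quickest way to find out whether your own domain would earn an RFC-I listing.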
Friday, July 24, 2009
Listwashed at Mailchimp.com
Mailchimp.com wants you to think they're one of those post dot-com enlightened legitimate email marketing services
I got "campaign message" (spam) from their system to a trap address that's been dead for years. Reported it to their "contact us" form, not the Ethical CAN-SPAM Compliant Opt-Out link in the spam. Received a slick "sorry to see you go" message from the Client (customer of spammer-for-hire) within minutes.
That's called list washing. There was no ambiguity here. The spammer scraped or bought a list. There's no other way they would have gotten it. They took it to Mailchimp, who spammed it for them. It's what spammer-friendly service providers do. It's one of the reasons there's still spam. Spamming is what that other guy does.
Saturday, July 11, 2009
new Microsoft spam support service, Office Live
Spam came through a botnet host on eastlink.ca, advertising www.icandysoaps.com. It's hosted on Microsoft's Office Live "cloud" service. I reported it to report_spam@hotmail.com and the report was automatically rejected, needs a Hotmail domain. I added@hotmail.com some@hotmail.com chaff@hotmail.com to get it past the broken robot.
I got a personally worded response from MSFT's abuse staff. They refuse to do anything about the spamvertised web site on their server. I should "unsubscribe" from its "newsletter."
Now it's official. Microsoft lets you advertise your Office Live web site in spam. Kind of like Yahoo did when they first started their small business hosting service 15 years ago.
Monday, May 11, 2009
Hotmail stupidity protects spammers
Apparently Hotmail (Microsoft Corporation) is now selling private label email service, and some of its customers offer that service "free" to the Nigerian identity theft syndicate.
A typical fraud email offers the usual box of money stranded somehow in Nigeria, and to reclaim it I must email the gov't of Nigeria at atm.cardremmitance@hotellos.nl. (Yes, people actually fall for this. Mostly it's wanna-be con artists who think they're gonna con the Nigerians.) I got three copies. The MX records for hotellos.nl are
hotellos.nl. 86024 IN MX 0 1023266581.pamx1.hotmail.com.
hotellos.nl. 86024 IN MX 10 1023266581.pamx1.hotmail.com.
That is, Hotmail hosts this Nigerian identity theft mailbox account.
The only address that seems to work at all for Hotmail is report_spam@hotmail.com. Abuse@ and Postmaster@ don't work. I sent a complete, simple spam report. Hotmail said:
Unfortunately, in order to process your request, Hotmail Support needs a valid MSN/Hotmail hosted account.
The response came within a couple of minutes. Nobody told the abuse department about these new private-labeled domains. An automatic filter is throwing away reports of hotmail hosted spam. Until this is fixed, spammer accounts on Hotmail are pretty much bullet proof.
Labels: Hotmail, Idiots, Microsoft
Sunday, April 13, 2008
ACLU server hijacked for phishing
This is just too funny. From a spam posted to news.admin.net-abuse.email.
Delivered-To: [redacted address]
Received: from exch2.aclu.org (smtp01.aclu.org [65.206.18.18])
by [redacted hostname] (Postfix) with ESMTP id E004A11423
for <[redacted address]>; Tue, 8 Apr 2008 10:27:31 -0700 (PDT)
Received: from nyexfe01.aclu.org ([10.1.1.248]) by exch2.aclu.org with Microsoft
SMTPSVC(5.0.2195.6713);
Tue, 8 Apr 2008 13:27:06 -0400
Received: from User ([85.120.78.130]) by nyexfe01.aclu.org with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 8 Apr 2008 13:27:05 -0400
From: "PayPal.com"
Subject: To many wrong attemps
Date: Tue, 8 Apr 2008 20:29:01 +0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 08 Apr 2008 17:27:06.0036 (UTC) FILETIME=[C42E8F40:01C8999D]
To: undisclosed-recipients:;
Because you have to many wrong attemps on your Paypal login,
we had to put your account on hold.
...
Years ago, when it was still possible to save the public email system, the ACLU carried water for the Direct Marketing (scumbag) Association, convincing Zoe "Clueless" Lofgren (D-CA) that spamming is free speech, not theft of service and illegal conversion of assets. The headers show ACLU runs Microsoft Exchange Server. Of course it got hacked and the criminal is sending phish spam exercising his first amendment rights with it. I wonder if anybody told them yet.
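Reading the Received: chain above is how you tell which hop was abused: the message entered at nyexfe01.aclu.org from an outside client calling itself "User". The following is an added example, not code from the original post, that does that walk mechanically. SAMPLE_HEADERS is the header block quoted in the post with its redactions kept; the abused organisation is assumed to be recognisable by the hostname suffix ORG_SUFFIX (aclu.org, taken from the headers), and RFC 1918 addresses are assumed to be its internal network.

```python
"""Walk a message's Received: chain to find where it entered a mail system.

Added example, not code from the original post.  SAMPLE_HEADERS is the
header block quoted in the post; ORG_SUFFIX is an assumption about whose
relays they are.
"""
import email
import ipaddress
import re

ORG_SUFFIX = "aclu.org"  # assumed: the relay owner's domain, read off the headers

# Headers as quoted in the post (redactions kept, unrelated headers dropped).
SAMPLE_HEADERS = """\
Delivered-To: [redacted address]
Received: from exch2.aclu.org (smtp01.aclu.org [65.206.18.18])
    by [redacted hostname] (Postfix) with ESMTP id E004A11423
    for <[redacted address]>; Tue, 8 Apr 2008 10:27:31 -0700 (PDT)
Received: from nyexfe01.aclu.org ([10.1.1.248]) by exch2.aclu.org with Microsoft
    SMTPSVC(5.0.2195.6713);
    Tue, 8 Apr 2008 13:27:06 -0400
Received: from User ([85.120.78.130]) by nyexfe01.aclu.org with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 8 Apr 2008 13:27:05 -0400
From: "PayPal.com"
Subject: To many wrong attemps
Date: Tue, 8 Apr 2008 20:29:01 +0300
To: undisclosed-recipients:;
"""

# "from <helo> (<comment>) by <relay> ..." as most MTAs write it; the
# optional comment carries the reverse-DNS name and/or the [ip] the
# receiving server actually saw, which is what counts.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+"
    r"(?P<relay>.+?)(?:\s+\(|\s+with\b|\s+id\b|;|$)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(headers_text):
    """Return hops in transit order (origin first) as dicts: helo, ip, relay."""
    msg = email.message_from_string(headers_text)
    hops = []
    # Each relay prepends its Received: line, so the header order is newest
    # first; reverse it to follow the message's path.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())      # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                        # not a "from ... by ..." hop
        ip_m = IP_RE.search(m.group("comment") or "")
        hops.append({"helo": m.group("helo"),
                     "ip": ip_m.group(1) if ip_m else None,
                     "relay": m.group("relay")})
    return hops


def is_internal(hop, org_suffix=ORG_SUFFIX):
    """A hop is internal if it came from RFC 1918 space or from an org host."""
    if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_private:
        return True
    return hop["helo"].lower().endswith(org_suffix)


def injection_point(headers_text, org_suffix=ORG_SUFFIX):
    """First hop where an org relay accepted the message from outside.

    That hop is where the message entered the organisation; its "ip" is the
    client that used the relay, and the relay is the box to look at.
    """
    for hop in parse_hops(headers_text):
        if hop["relay"].lower().endswith(org_suffix) and not is_internal(hop, org_suffix):
            return hop
    return None


def helo_red_flags(headers_text):
    """HELO names without a single dot ("User") are not hostnames at all."""
    return [h["helo"] for h in parse_hops(headers_text) if "." not in h["helo"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        print(f"{hop['helo']:20} {hop['ip'] or '-':16} -> {hop['relay']}")
    print("entered via:", injection_point(SAMPLE_HEADERS))
    print("bogus HELO names:", helo_red_flags(SAMPLE_HEADERS))
```

The walk only trusts the bracketed IP each receiving server recorded, never the HELO string, because the sender controls the latter; here it points at 85.120.78.130 handing the message to nyexfe01.aclu.org, so that server is the one that needs its relay settings and credentials examined. Only the Received: line written by a server you trust is evidence; anything below the injection point could have been forged by the client.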
Saturday, February 16, 2008
who protects Herbal King?
I get more spam from the Herbalking gang than from any other spammer. That's because Herbalking is so confident that he is "bullet proof" that he sends spam to postmaster@ addresses. Those addresses are less heavily filtered than regular users'. Spamhaus seems to think the gang, to the degree that these gangs are based in any particular country, is Indian.
Herbalking sends through botnets. My system rejects spam from most consumer-residential bots, but Herbalking also has bots on compromised web hosts and "small business" and academic servers. Those are the ones that get through here. Every few days I pick one and inform the owner of the compromised server. Unfortunately, hardly anybody else does that. More often than not, the owner's published contact info is wrong, or the reports just disappear. Of the ones who reply, most are grateful. Perhaps a fifth insist that I am wrong, and either the spam could not possibly have come from their equipment or someone else is responsible for that equipment. These people tend to be ignorant of the basics of computer networking and security, and believe that an SMTP sender IP address can be "spoofed" or that their equipment is invulnerable because they bought an "anti virus" product.
Herbalking's "pharmacy" mail order sites are mostly hosted on the rogue ISP "ZBYD" in Beijing. As far as I know, ZBYD is owned and operated by spammers. It's connected to the Internet through Great Wall Broadband Network Service Co., Ltd of Beijing, and its route to North America is through an undersea fiber operated by China Netcom, which terminates in a neutral exchange point in Los Angeles. That's three layers of companies you can't even contact. The only thing that could affect ZBYD would be if the major consumer service providers decided to block traffic from its IP addresses. They won't even talk about doing that. They're lazy and indifferent, and they're not under any real pressure to do it, and recently they've become paranoid about creating the appearance of not offering "net neutrality."