Thursday, February 03, 2011
lunarpages.com thinks a phishing report is a "virus"

I've been receiving phish spam from a Lunarpages VPS ("lunariffic.com") this year.  When I send a sample, included inline in a plain text email, their inbound email machine (sharpmail.lunarpages.com, 64.50.162.254) waits until the end of the DATA phase of the SMTP conversation.  Then it says:

     554 rejected due to virus

which means it's refusing the message.  I opened a ticket in their abuse system.  The technician insisted that since the message says "virus" there must actually be a computer virus in the message.  I pointed out that the message was in plain text and contained nothing like any kind of malware, and he simply repeated the response.  The spamming continued.  I called tech support and they insisted that since I am not a customer they are not allowed to talk to me about it.  But he suggested I try sending from another provider.  I have not been able to identify any human being at Lunarpages who is allowed to talk to an email admin outside his own company.  Somehow, I suspect if postmaster@yahoo.com calls, they'll talk to him.  But maybe their lawyers have to arrange an appointment first.

I tried sending the spam report from my account at freeshell.org.  Same result.

This dysfunction, folks, is why the email medium is dying.

Incidentally, the RFC 2142 addresses abuse@lunarpages.com and abuse@lunariffic.com are listed as not working, with evidence, at RFC-Ignorant.org.  No surprise there, since they don't work.  The abuse.net clearinghouse suggests you try hostmaster there.

Saturday, October 31, 2009
What's with Hinet.net?

"Why is my ISP blocking Hinet.net senders?" someone asked on my contact form. I replied:

Hello [name], thanks for filling out the form. Your email address is on the sbcglobal.net domain. Most of those are outsourced by AT&T to Yahoo Inc. The rest are managed by AT&T internally.

I am fairly sure Yahoo and AT&T do not use my lists. Therefore, I have no control over whether you can receive email from Hinet.net senders.

The Hinet.net domain belongs to Chunghwa Telecom Co., Ltd. According to Spamhaus.org (very authoritative), Chunghwa a/k/a Hinet is the #4 spammer service company in the world. Like most Asian phone companies, they take nationalistic pride in ignoring complaints from the West. (Mainland China and South Korea are equally imperious, and Viet Nam is even worse.) So lots of email systems in the West are blocking Hinet. It is not to make a political statement. We know Hinet does not care, and does not take protesters seriously. It is a simple mechanical defense against the ongoing spam attack by Hinet's spammers.

So you can tell your friends in Taiwan this:
Hinet is what we call a "rogue network." Hinet seems to believe the rules of the Internet do not apply to Hinet. As long as Hinet is on the Spamhaus top ten list, lots of networks all over the world are going to block email from there. Hinet needs to change the way it does business. That is not going to happen fast, so your friends need to use some other company for their email if they want to send reliably.

Best wishes. Sorry to bring you bad news.

-Cameron in San Jose.

Friday, October 02, 2009
We seem to get blocked a lot. But we love our ISP! RFC-Ignorant.org.

A progressive activist mentioned to me that her organization's email tended to get blocked a lot.  From her perspective, all these Internet companies (ISPs) are the same, and they're "warring" over spam emissions with nobody doing anything to clean it up.  But we already know all ISPs are not the same.  A single web query showed what was really wrong at her ISP.  (I looked up her domain at the link four paragraphs down from here.)  I replied something like so.

The problem is your Internet company sends a lot of spam and doesn't know it.  That's because their contact address for that is broken.

There is a simple, widely recognized standard for contact addresses. It was published by the technical governing body of the Internet a dozen years ago, and it only formalized a tradition that was a dozen years old then. The standard is called Internet Engineering Task Force RFC2142. It says if you run a domain where there are things that can be abused, you are supposed to have an "abuse" email address on that domain for reporting said abuse. And you're supposed to have "postmaster" for reporting email issues.  It's common sense to have a standard for that, and the IETF is the body that publishes standards like that.

Now, people who have no idea how the Internet works will tell you that there are no standards, or no standards body, or the real standards body is some corporation (Google, cisco, Microsoft...) or "RFC just stands for Request for Comment, they don't really mean anything."  But that just shows their ignorance. The Internet works because people who know what they are doing voluntarily comply with the IETF's RFCs, including 2142. It's the greatest demonstration of functional anarchy, as far as I know, in all of human history.  A voluntary association of network operators who agree to run their networks so that they're all compatible with each other.

IETF RFC2142 is so important in tracking and dealing with email abuse that there is a clearinghouse which keeps track of domains that fail. Unfortunately, the volunteers who set it up chose its name poorly, so that people who don't understand how the Internet works don't take it seriously, or even take offense at its name! Nevertheless, RFC-Ignorant.org has outlasted much more corporate or "professional" operations like Mail Abuse Prevention System, Open Relay Database, and plenty of others.

My fellow activist's ISP's domain name is listed at RFC-Ignorant.org. In fact, I submitted the evidence for that listing! I do that when I can't figure out where to report spam from a network, because its standard contact addresses bounce my spam report. I report most of the spam that reaches my mailbox, maybe a dozen a day. (I use tools. It's quick.) I report one or two domains to RFC-I each day, on average.

She said, "But every week there are a couple of new [ISPs blocking us], or old ones that were once fixed that pop us again and have to be dealt with."

That's happening because her ISP has not been good at controlling spamming from its network. When the RFC2142 addresses don't work, or are listed as not working, you don't get the most detailed and timely reports. So you take longer to discover a spam source on your network.

Not that an RFC-I listing is the be-all and end-all of ISP ratings. But it tends to be a remarkably reliable indicator. Top-notch ISPs are hardly ever listed, with a handful of very large exceptions, while low-ballers and bumblers usually are.

Everybody gets in block lists occasionally. Verizon blocked all of Europe for a couple of weeks. But if it's happening regularly, your ISP really is doing something wrong.


Sorry if that's not what you wanted to hear.
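Two things in the posts above are easier to see in a working SMTP exchange than in prose: an MX that bounces RCPT TO:<abuse@domain> (the RFC 2142 failure that gets a domain listed at RFC-Ignorant.org), and an MX that accepts the recipient but only decides to refuse the message after the final "." of DATA, with a 554 like the one sharpmail.lunarpages.com returned. The following is an added example, not code from this blog or from any of the providers named on the page. It runs an in-process fake inbound MX whose policy is an assumption made up for the demo (postmaster@ accepted, abuse@ refused at RCPT, and any body containing a URL refused at end of DATA with the text quoted above), and the host names isp.example, sharpmail.example and probe.example are placeholders. The client side is what a reporter's tooling actually does: probe the role addresses with a null sender and no DATA, and tell a post-DATA content rejection apart from a recipient rejection.

```python
"""Fake inbound MX plus two client-side checks (added demo; policy is invented)."""
import smtplib
import socketserver
import threading

# Assumed policy of the fake MX for this demo only.
ACCEPTED_LOCALPARTS = {"postmaster"}          # abuse@ will get a 550 at RCPT time
VIRUS_REJECT = "554 rejected due to virus"    # same wording as the page quotes


class FakeInboundMX(socketserver.StreamRequestHandler):
    """Just enough SMTP (EHLO/MAIL/RCPT/DATA/RSET/QUIT) to exercise the clients below."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 sharpmail.example ESMTP")
        body = None                      # list of lines while inside DATA, else None
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if body is not None:         # inside DATA: buffer until the lone "."
                if line != ".":
                    body.append(line)
                    continue
                text = "\n".join(body)
                body = None
                # The verdict is only given here, after the whole message arrived.
                self.reply(VIRUS_REJECT if "http" in text.lower() else "250 queued")
                continue
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self.reply("250 sharpmail.example")
            elif cmd == "MAIL":
                self.reply("250 sender ok")
            elif cmd == "RCPT":          # arg looks like TO:<abuse@isp.example>
                local = arg.split(":", 1)[-1].strip("<> ").split("@")[0].lower()
                self.reply("250 recipient ok" if local in ACCEPTED_LOCALPARTS
                           else "550 5.1.1 no such user")
            elif cmd == "DATA":
                body = []
                self.reply("354 end data with <CR><LF>.<CR><LF>")
            elif cmd == "RSET":
                self.reply("250 ok")
            elif cmd == "QUIT":
                self.reply("221 bye")
                return
            else:
                self.reply("500 unrecognised")


def probe_rfc2142(host, port, domain):
    """Ask the MX which RFC 2142 role addresses it accepts, without sending any mail."""
    results = {}
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=5) as s:
        s.ehlo()
        s.mail("<>")                     # null envelope sender, as a bounce would use
        for role in ("abuse", "postmaster"):
            code, _ = s.rcpt(f"{role}@{domain}")
            results[role] = code         # 250 = deliverable, 550 = RFC 2142 failure
        s.rset()                         # abandon the transaction; nothing was sent
    return results


def send_report(host, port, rcpt, text):
    """Submit a report; return (code, message) including a rejection after the final '.'."""
    msg = f"From: reporter@probe.example\r\nTo: {rcpt}\r\nSubject: phish sample\r\n\r\n{text}"
    try:
        with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=5) as s:
            s.sendmail("reporter@probe.example", [rcpt], msg)
        return (250, "accepted")
    except smtplib.SMTPDataError as e:   # only raised once DATA has been fully sent
        return (e.smtp_code, e.smtp_error.decode())


def run_demo():
    """Start the fake MX on a random loopback port, run both checks, shut it down."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeInboundMX)
    server.daemon_threads = True
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        probe = probe_rfc2142(host, port, "isp.example")
        sent = send_report(host, port, "postmaster@isp.example",
                           "Phish sample (constructed):\nhttp://paypal-login.example/verify\n")
    finally:
        server.shutdown()
        server.server_close()
    return {"rfc2142": probe, "report": sent}


if __name__ == "__main__":
    print(run_demo())
```

The probe is deliberately stopped with RSET after RCPT, so it costs the remote side nothing and is the same check RFC-Ignorant.org style evidence rests on: a 550 for abuse@ is the whole finding. The report path shows why "554 rejected due to virus" at end of DATA is not a recipient problem: the MX took the address, took every byte, and then applied a content verdict, which is exactly where a plain-text phish sample gets caught by an over-broad filter. Against a real MX, the same client code works unchanged; swap in the MX host from a DNS lookup and port 25.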

Friday, July 24, 2009
Listwashed at Mailchimp.com

Mailchimp.com wants you to think they're one of those post dot-com enlightened legitimate email marketing services.

I got "campaign message" (spam) from their system to a trap address that's been dead for years. Reported it to their "contact us" form, not the Ethical CAN-SPAM Compliant Opt-Out link in the spam. Received a slick "sorry to see you go" message from the Client (customer of spammer-for-hire) within minutes.

That's called list washing. There was no ambiguity here. The spammer scraped or bought a list. There's no other way they would have gotten it. They took it to Mailchimp, who spammed it for them. It's what spammer-friendly service providers do. It's one of the reasons there's still spam. Spamming is what that other guy does.

Saturday, July 11, 2009
new Microsoft spam support service, Office Live

Spam came through a botnet host on eastlink.ca, advertising www.icandysoaps.com. It's hosted on Microsoft's Office Live "cloud" service. I reported it to report_spam@hotmail.com and the report was automatically rejected, needs a Hotmail domain. I added@hotmail.com some@hotmail.com chaff@hotmail.com to get it past the broken robot.

I got a personally worded response from MSFT's abuse staff. They refuse to do anything about the spamvertised web site on their server. I should "unsubscribe" from its "newsletter."

Now it's official. Microsoft lets you advertise your Office Live web site in spam. Kind of like Yahoo did when they first started their small business hosting service 15 years ago.

Monday, May 11, 2009
Hotmail stupidity protects spammers

Apparently Hotmail (Microsoft Corporation) is now selling private label email service, and some of its customers offer that service "free" to the Nigerian identity theft syndicate.

A typical fraud email offers the usual box of money stranded somehow in Nigeria, and to reclaim it I must email the gov't of Nigeria at atm.cardremmitance@hotellos.nl. (Yes, people actually fall for this. Mostly it's wanna-be con artists who think they're gonna con the Nigerians.) I got three copies. The MX records for hotellos.nl are
hotellos.nl. 86024 IN MX 0 1023266581.pamx1.hotmail.com.
hotellos.nl. 86024 IN MX 10 1023266581.pamx1.hotmail.com.
That is, Hotmail hosts this Nigerian identity theft mailbox account.

The only address that seems to work at all for Hotmail is report_spam@hotmail.com. Abuse@ and Postmaster@ don't work. I sent a complete, simple spam report. Hotmail said:

Unfortunately, in order to process your request, Hotmail Support needs a valid MSN/Hotmail hosted account.

The response came within a couple of minutes. Nobody told the abuse department about these new private-labeled domains. An automatic filter is throwing away reports of hotmail hosted spam. Until this is fixed, spammer accounts on Hotmail are pretty much bullet proof.

April 2010 update.  I think I'll list the problem domains here.
8u8.tw, admin.it.th, banat.ps, discuz.org, hotellos.nl, hotmail.com.tw, info.al, live.co.uk, mycin.net, nba2k.com.cn, qatar.io, ufo.tc, w.cn, ws.tc



Sunday, April 13, 2008
ACLU server hijacked for phishing

This is just too funny. From a spam posted to news.admin.net-abuse.email.

Delivered-To: [redacted address]
Received: from exch2.aclu.org (smtp01.aclu.org [65.206.18.18])
   by [redacted hostname] (Postfix) with ESMTP id E004A11423
    for <[redacted address]>; Tue, 8 Apr 2008 10:27:31 -0700 (PDT)
Received: from nyexfe01.aclu.org ([10.1.1.248]) by exch2.aclu.org with Microsoft
    SMTPSVC(5.0.2195.6713);
    Tue, 8 Apr 2008 13:27:06 -0400
Received: from User ([85.120.78.130]) by nyexfe01.aclu.org with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 8 Apr 2008 13:27:05 -0400
From: "PayPal.com"
Subject: To many wrong attemps
Date: Tue, 8 Apr 2008 20:29:01 +0300
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 08 Apr 2008 17:27:06.0036 (UTC) FILETIME=[C42E8F40:01C8999D]
To: undisclosed-recipients:;

Because you have to many wrong attemps on your Paypal login,
we had to put your account on hold.

...
Years ago, when it was still possible to save the public email system, the ACLU carried water for the Direct Marketing (scumbag) Association, convincing Zoe "Clueless" Lofgren (D-CA) that spamming is free speech, not theft of service and illegal conversion of assets. The headers show ACLU runs Microsoft Exchange Server. Of course it got hacked and the criminal is sending phish spam exercising his first amendment rights with it. I wonder if anybody told them yet.
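Reading that header chain by eye is how the conclusion above was reached; the same walk can be automated, and the trust decision it depends on is worth making explicit. This is an added example, not code from this blog or from the ACLU; the sample message is a constructed copy of the headers shown above with the redacted recipient and hostname replaced by the placeholder mx.example, and the choice to trust Received lines written by *.aclu.org servers is an assumption the caller makes, not something the headers prove. The walk goes newest-first, only believes a Received line if the host that wrote it ("by") is one we trust, and stops at the first peer that is neither private-addressed nor one of those hosts: that peer is the injection point and the "by" host is the one it abused.

```python
"""Find where a message entered the trusted relay path from its Received: chain (added demo)."""
import email
import ipaddress
import re

# Constructed copy of the headers shown above; redacted parts replaced with mx.example.
SAMPLE = """\
Delivered-To: victim@mx.example
Received: from exch2.aclu.org (smtp01.aclu.org [65.206.18.18])
   by mx.example (Postfix) with ESMTP id E004A11423
    for <victim@mx.example>; Tue, 8 Apr 2008 10:27:31 -0700 (PDT)
Received: from nyexfe01.aclu.org ([10.1.1.248]) by exch2.aclu.org with Microsoft
    SMTPSVC(5.0.2195.6713);
    Tue, 8 Apr 2008 13:27:06 -0400
Received: from User ([85.120.78.130]) by nyexfe01.aclu.org with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 8 Apr 2008 13:27:05 -0400
From: "PayPal.com"
Subject: To many wrong attemps
Date: Tue, 8 Apr 2008 20:29:01 +0300
To: undisclosed-recipients:;

Because you have to many wrong attemps on your Paypal login,
we had to put your account on hold.
"""

# Assumption for the demo: our own MX plus the ACLU Exchange servers are trusted writers.
TRUSTED = ("mx.example", ".aclu.org")

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return hops oldest-first as (helo_name, peer_ip_or_None, comment, receiving_host)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):   # folded continuation lines are kept
        m = HOP_RE.search(value)
        if not m:
            continue                              # unparseable line: ignore, do not guess
        helo, comment, by = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(comment)
        hops.append((helo, ip.group(1) if ip else None, comment, by))
    hops.reverse()                                # each relay prepends, so last == oldest
    return hops


def trusted(name, suffixes):
    return any(name.lower().endswith(s) for s in suffixes)


def find_injection_point(raw_message, trusted_suffixes):
    """Walk newest-first; stop at the first peer that a trusted server recorded and that
    is neither private-addressed nor itself one of the trusted hosts."""
    checked = 0
    for helo, ip, comment, by in reversed(parse_hops(raw_message)):
        if not trusted(by, trusted_suffixes):
            return None           # everything from here down could have been forged by the sender
        checked += 1
        names = [helo] + comment.replace("[", " ").replace("]", " ").split()
        internal = ip is not None and (
            not ipaddress.ip_address(ip).is_global          # RFC 1918 etc.: an inside relay
            or any(trusted(n, trusted_suffixes) for n in names))
        if not internal:
            return {"peer_ip": ip, "helo": helo, "abused_host": by, "trusted_hops": checked}
    return None


if __name__ == "__main__":
    print(find_injection_point(SAMPLE, TRUSTED))
    print(find_injection_point(SAMPLE, ("mx.example",)))
```

With *.aclu.org trusted, the result is the one the post reaches by hand: 85.120.78.130, presenting itself as "User" (the HELO string Outlook Express style mailers send), was accepted by nyexfe01.aclu.org, which then relayed it out through exch2.aclu.org. With only our own MX trusted, the same code stops one hop earlier and can only say the message came from the ACLU edge server at 65.206.18.18, which is the honest limit of what a recipient can prove on their own; the deeper attribution is only as good as the servers whose Received lines you chose to believe.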
