F****n’ Spammers

I’m not dead.  Or at least my body continues to move about under its own power.  Allergy season just zaps the hell out of me.  And the pounding headache didn’t help.  But today seems a little better in that at least the headache is gone.

Anyhow, it seems that some “sidewindin bushwackin, hornswaglin, cracker croaker” has used one of my domains for the return address on their POS spam emailing.

So far I’ve only gotten 12 bounces, but it’s really annoying, and it’s a form of theft.  They’re stealing my resources to abdicate their own responsibility for spewing crap about some stupid penny stock.

If any of you should come across “Budget Waste Inc” or “tententwelvecorp.info”, drop a bomb on them for me.

Update:  More on this topic here.

222 Comments

  1. Neil Jackson says:

    Just thought I’d say hi – as a fellow sufferer of the TenTenTwelveCorp.com spams… smile

    I’m on my 23rd bounce-message in 3 days – but I’ve had worse in the past. Like you, various forms of my ‘[email protected]’ are being abused as the sender address (which happens all the time, alas) and of course, ‘well-meaning and helpful’ ISP servers en-route are kindly passing back error-messages to me, when they can’t route the mail through to its intended recipient.

    Pain in the neck. I’ve been here before – my domain is over 13 years old, so I’ve seen my fair share of spam and similar ‘attacks’… but this is an annoying one. Usually, I’m able to tell (from the bounce-back messages from the ISPs) what the single ‘injection point’ was, for the source – and get it shut down by working with its ISP.

    This time, however, it looks like TenTenTwelveCorp are using a ‘bot-net’ – a network of infected machines all over the planet, which become the ‘spam zombies’ and do the sending for it. I’m seeing injection points all over the USA (Houston, Georgia, Philadelphia, and more), from many different ISPs (RoadRunner, Comcast, Verizon), and from many different countries (Norway, USA, Japan, India).

    As such, this is making ‘shutting it off’ really hard! Practically impossible, unless one is prepared to follow up each ‘injection point’ ISP and get them to ask their affected user to virus-clean their systems! Past experience shows me this is a longwinded and often difficult process (not all ISPs are clever, and some barely rate as sentient, when it comes to spam-handling, or keeping their users ‘clean’).

    Anyway – I just thought I’d say hi, and tell you you’re not alone. If it helps to know this, the domain ‘tententwelvecorp.com’ has already been shut down for ‘breach of Acceptable Use Policy’, but of course, that won’t stop the ‘bot-net’ still working away by its merry little self. But in case it’s of use to you, the WHOIS record for tententwelvecorp.com shows this:

    Administrative Contact, Technical Contact:
        Eddisson, Johnson [email protected]
        [email protected]
        Vivo, CA 99325
        US
        718-799-7542

    Of course, it’s highly likely that email address is not really his, and perhaps even the registrant’s name is faked too, or an innocent bystander… but if you’re in the USA (I’m not), and you were interested, perhaps it’s a starting point to finding out. I’ve searched for that name but come up with nothing, though on the SpamHaus.Org ‘Register of Known Spam Organisations’ (ROKSO), I found a tantalisingly feasible name that could have been the basis for the ‘Edisson Johnson ’ name… and that is ‘Edward Davidson’ – and certainly his modus operandi (stock-spamming, criminal botnet usage, etc) seems to fit the pattern…

    (I tried to put in the URL to his record, but your system (wisely) stopped me! I’m sure you can find him yourself on Spamhaus.org if you needed to)

    Anyway – just an experiment in research for me really. Passed on in case it’s any help to you. Have a fun day and don’t let these SPAM losers get you down. They’ll get theirs, when the time comes, and the law catches up (and it always does).

    Regards

    Neil

  2. Neil,

    Thanks for stopping by!  At least I know I’m not alone in this.

    Like you, I started to analyze the headers to determine the originator and found that they were coming from a variety of addresses.  Getting a bot-net stopped is near impossible, so for now I’m just grinning and bearing it.  But I’m up to 79 bounces and they keep trickling in.

    What would be great would be to get hold of a couple of his bots and see if it would be possible to track him back to his control node.  Of course, it’s likely that he’s just renting the bot net, but that might just be the thread needed to unravel his nasty little enterprise.

    But you have to wonder what profit there can be in spamming these days, when it’s so universally loathed.  I guess the very small percentage of gullible respondents still makes it profitable, which is a pity.  In the meantime, every time I hear my email’s notification sound I deeply regret that it’s illegal to stake spammers to a fire ant mound.

  3. Neil Jackson says:

    Still getting them here, too – three more since I made that post… I reckon this will continue until Monday, at least (judging by what’s written in the spammed stock-ramp).

    I thought about tracing his bot-net too… but I fear it would probably land me in hot water under some law or other. Only way to find his net, would be to port-scan one of the infected machines… the IP addresses of which I have stored, pending a ‘mass complaint’ to the various ISPs concerned. But port-scanning itself is considered ‘hostile’ by most ISPs, and even if that wasn’t detected/acted upon, I think they’d look pretty dimly at any attempts to enter, or worse control or use that infected machine via its bot-net port, which would be considered criminal. Taking the law into our own hands, and all that.

    Shame really… cos there’s no effective way of policing this sorta thing, and the real cops are either so busy, or not ‘net-cops’ (like some sysadmins I know!) enough to do the job. Not even sure where I’d begin in reporting this, to be frank – apart from each of the ISPs of the infectees. Some ISPs are next to useless when it comes to quick (or even useful) action when you make a report to them… and three guesses which ISP’s customers most-frequently get infected and zombified? You’d almost think the spammers targeted them deliberately… Hmmm…. smile

    Just wish they wouldn’t use my domain in their forged-froms, I guess. I s’pose I only have myself to blame – I used to be a member of ‘The Lumber Cartel’ (TinLC) and CAUCE back in the old days, and took reporting and tracing of spam very seriously between 1993 and 1999 (when it was still a worthwhile means of control) and I must’ve got at least a thousand ‘wannabee’ spammers kicked off their accounts, over the years. Hardly surprising that one of them’s found his ‘retribution’ (not that it really gives me any concern… more of a logic puzzle to while away the odd weekend, really! smile)

    Either that – or its simply someone I know who’s been infected, and added my domain to the list of pooled ‘viables’ that the botnet uses.

    I’d love to know which… just out of simple curiosity.

    Oh – and as for ‘marketability’ of spam ventures – don’t think it’s not worth money still. It is. In spades. Sadly, not even half the small businesses I know in the UK have even the remotest clue as to how to handle their online marketing. They’ll pay anyone anything to be able to email adverts more cheaply than via post or phone. They very often just don’t understand ‘the technical stuff’, and aren’t aware that what they’re being offered by some slick ‘online marketer’ is actually going to be sub-contracted to a spam or botnet. There are some cases of much bigger, allegedly more-responsible companies being caught out too!

    From personal experience, I’ve worked with a small company that was all set to mass email everybody it had ever seen an email address for – until I stopped them! Thankfully, they now run an opt-in list, which is routinely cleansed and scrutinised by me, and whose entry requirements are very strict! Customer must say yes (on record) and give his email address, or we won’t send – that sort of thing. Needless to say, it took a LOT of explaining and effort to make the company aware of its responsibilities in terms of data-gathering and online marketing approach.

    And if there’s one like that, there must be thousands… whom I didn’t reach, to wise ‘em up! They are the Spammer Fodder, alas, and it’ll be a good few years yet before the UK gets wise. Then we only have the rest of the world to deal with… LOL!

    Take care,
    Neil

  4. I’ve been getting the same sort of bounce messages for the past 3 days, with forged headers saying they’re from random users of my domain.

    I’ve contacted my domain provider to see about adding an SPF TXT record to the DNS. So far they have not got back to me.

    see: http://www.openspf.org

    It’s not a perfect solution, but it will let spam catchers work better by rejecting messages from domain names that have not come from approved servers.

  5. Jonathan Locke says:

    Permit me to join the brethren of the afflicted. I’m now up over a hundred bounce-backs, and I’m on my second penny-stock offering. I was hoping that it would end for me this week, but now that Budget Waste has followed the southeast-Asian mining company, I’m getting worried. Nice to know I’m not alone in this.

    – Jon

  6. Mike says:

    I found you as I was taking time to see if I could find anything on “tententwelvecorp”.  I have been hit hard by those kind folks.  Going onto two weeks.  Bounce backs are at least 100 a day… A real pain in the butt.  I own 4asset4, and they are just making up addresses ending in @4asset4.

    I realize the idea is to find really stupid folks with computers that will go out and buy the stock and run it up.  Most likely the same brain dead folks with infected computers.

    In my perfect world there would be a way to find these folks and just break their fingers….  I’m not a violent person, but, I’ll bet most of you would like to hear they got their little fingers smashed.

    And now systems like this have ID’ed anything with 4assat4 as a spammer, making my domain almost worthless.  Blacklisting the innocent victims is also a rat F#[email protected] thing to do!

  7. Neil Jackson says:

    Mike said: “And now systems like this have ID’ed anything with 4assat4 as a spamer,
    making my domain almost worthless.  Blacklisting the inocent victoms is also
    a rat F#[email protected] thing to do!”

    If it helps, Mike, any system with any sense (most of them, thank goodness) WILL NOT have blacklisted your domain-name on the basis of this kind of thing. Virtually all blacklist systems do their blocking on the basis of IP addresses (which are an order of magnitude more difficult to forge), not domain-names. So fear not… your good (domain) name is not besmirched! smile

    Secondly, the people who might, unwittingly, end up being blacklisted by any of the main blacklists (Spamhaus, MapsRBL, etc) would be those morons who’ve become infected, and haven’t realised or exerted proper control over their PCs. In my book, tough titty! It’s their own fault, and my heart doesn’t skip a beat to know that they might find themselves unable to access the rest of the net, and getting a call from their ISP telling them to take some basic precautions for ‘safe computing’ in the 21st Century! LOL.

    Even better, if one particular source is VERY active, and gets noticed by some of the more ‘hardcore’ blacklists, there’s a very good chance that instead of just blacklisting the individual IP address that is a source of (some of) this crap, they’ll blacklist an entire SUBNET range. Which can, in some cases, result in 253 different IPs (and different customers) at the same ISP getting blocked. Temporarily, usually – but those people’s complaints are usually a darn good way of getting the attention of an ISP that isn’t fully clued-up, and isn’t reacting fast enough to instances where their downstream users have ‘gone zombie’!

    There are up-sides in this game too, I guess! smile Be of good cheer – we’re the ones WITHOUT the viruses, sitting on the sidelines watching someone else’s war. While it’s annoying to have to spike each of these bounces, we all know that we have a simple job, compared to the poor spoonheads who are one day going to have to deal with the fallout of the virus they probably dozily ‘just-press-yes’ installed from a website or email one day, and which is now ruining their PC.

    Arf… Ain’t Karma great? wink

  8. Scott Fraser says:

    Guys, me too…  I just found this blog post trying to track them down.  “tententwelvecorp.com” and “Budget Waste”.  They have been using my personal domain as the “From:” address on many many emails.  I am still getting bounces today. cool grin 

    Looks like they used to have a fake disclaimer up at “10 10 12”. info, which appears to have been taken down by a foreign ISP.

    Also looks like the domain was just recently registered, I suppose in preparation for the spam blast.

    Also a bunch of (German?) folks talking about it here:

    http://www.antispam.de/forum/showthread.php?p=57215

    -Scott

  9. Neil Jackson says:

    Interesting, Scott… ta for the heads-up on the German front. It coincides with the fact that tonight, I’m seeing bounces for messages which were originally injected by German (and French) IP addresses.

    This tends to suggest (to me at least) that the botnet is being controlled ‘live’ (ie, by a real human on the ‘master control node’) – by targeting French and German zombified PCs at what is now their night-time, the ‘evil spammer’ mastercriminal is less likely to show out. Put simply… if the zombified luser is in bed, asleep, he won’t notice his PC (which he’s left on 24/7) churning away on a spam-run.

    Clever, eh? The rotten sod!

    I would still dearly love to know the rationale behind the selection of the domains to use as from-spoofs. If it’s just ‘random’ (ie, pruning of infectee’s contact-lists for viable from and to addresses), then that’s one thing – but if it’s ‘deliberate targeting of domain-donor-victims’, then there would (presumably) be some common link between us all here. We’re either all reporters of SPAM to ISPs, or have somehow ‘crossed’ this guy at some time in the past, maybe?

    I would also love to know what the ‘infection method’ was… virussed email, or website with embedded browser-exploit, or something even more sinister? Can’t even begin to do that without maybe portscanning a few infectee injection point IPs… but my local laws preclude me from doing that. I could, of course, post up a list of about 40 IPs that are infectee injection points, though, if anyone is living in a locale that allows portscanning? Just say the word… wink

  10. Up to 106 bounces now.  But the messages don’t have any websites in them anymore (neither the “.com” or “.i*n*f*o” ones), and they’re hawking a company called Labwire now.  The domain registration information for both the .com and the .i*n*f*o are very similar, although the contact data for the .i*n*f*o registration looks like it’s bogus.

    I begin to suspect that my domains are being used because I used to track the spammers down and get them booted by their webhosts and/or ISPs.

    I’ve had this happen once in the past, although it was a pretty quick hit (just a hundred or so emails, and they all came in a short time, rather than this drawn-out water torture of dribs and drabs of email bounces).  I also had one spammer add my Spamcop email address (one I’d made up solely for that purpose) to a spam list.  I’ll grant that I was grimly amused by the irony of that one.

    I’ve also been doing a running battle with trackback and comment spammers, but I’m not sure that there’s anything personal there.  I’ve just taken the approach of banning nearly anything questionable (including some entire TLD’s, like “.b*i*z”) using .htaccess and the filters built into Expression Engine (as some of you might have noticed).

  11. XStylus says:

    You’re not alone. The same thing is happening to my domain, xstylus.com. I googled up one of the sites mentioned in the spam and your blog posting came up as a result. I can’t seem to find any other results otherwise.

    There doesn’t seem to be much that can be done for now except disable catch-all email retrieval for a while.

  12. meechee says:

    Add me to the afflicted, 2 of my domains are being used and the bounces keep coming.  I’ve had domains that were joe jobbed before, I’ve just never had the domains used for so many days.  When will it stop!!!  Hundreds of bounces, Aiiieeee!!

  13. Bob Boatman says:

    Over 100 bounces every 24 hours.  My filters catch it, but I still have to intervene every time in order to let legitimate mail through.  Seems as though mine isn’t the only Demon domain afflicted either.

  14. Jonathan Mitchell says:

    I’m another victim! At least I’m only getting a dozen or so a day of these undeliverables. Neil Jackson asked about any common factors between victims- I notice that although they come from all over (and at all times of day) a high proportion seem to come from UK ISPs (I’m in Scotland) and within that a high proportion are from my own ISP, blueyonder. But I don’t see that I can practically do anything about this- the only solution would be to get inside the infected computer and as I’m not running Windows at least I shouldn’t be one of them!

    By the way Aubrey, I found I couldn’t enter my domain’s email address or a URL for this comment because they were said to be ‘blacklisted’- any connection to the original problem? My domain is jonathanmitchell, followed by info.

    The question was asked- what’s the point of this spam- a recent Washington Post article suggested that payment is made of 10-30 US cents for each infected computer.

    Best wishes

  15. In a fit of pique over getting hundreds of different domain variations for various pharmaceutical products in my referrers, I blacklisted everything ending with “.info”,  “.biz”, and a few others that were the worst offenders.

    I just removed those from the blacklist and I’ll see how things go over the next few days.

  16. Leon Stolk says:

    Add me too, they used my discomusicdotnl domain for the reply address with random characters in front of it. Received about 70 of them, starting last Friday, April 14th. I also came across your blog while searching for some info about this tententwelve thing on Google.

    It really pisses me off, the way those assholes think they can use somebody else’s name for sending this rubbish.

  17. Neil Jackson says:

    @Bob Boatman – nope, you’re quite right. In case you hadn’t already sussed, I’m a Demon customer too.

    Oh, and add another 37 bounces received since my last post yesterday! Almost at the big one hundred in total now (I don’t want to feel left out – some of you reached that ages ago!) smile

    No takers for a bit of port-scanning then? I must confess, I am sorely tempted. Thinking it all over in the car today, I realised that even if I report each one of these hundred lamers to their ISP, what would actually get done? Very little, probably – the useless clowns would presumably be made to clean up their machines, but would that stop the flow? Nope – not a bit of it, I think. It’s already apparent that the spammer has a significantly large botnet, and he’s already been seen to be ‘rotating’ his outgoing spool to various PCs at will, and picking times to suit people’s sleeping arrangements!

    We would just end up with more of the same, but from different sources… all of which would also need to be followed up with their ISPs, before there was any chance of the ‘botnet’ being busted.

    The temptation to portscan a few of these losers, just to find a way in to ‘master spam HQ’ is extremely high. Someone please talk me out of it! smile

  18. After two tries with my dns/site service (http://www.mysitespace.com), I’ve got them to add an SPF record to my DNS entry.

    see: http://www.openspf.org

    I’ll report back in 24 hours to see if this has stopped or slowed down the number of return messages I get.

    Mark

  19. I just added SPF records to my domains as well.  Since the spammer is now using both my “.com” and “.org” domains, I tried setting one to “softfail” (~all) and the other to “fail” (-all) to see what difference it makes.

  20. Vince says:

    I too did a search of tententwelvecorp and came across your blog. Our work’s domain was hammered over the Easter weekend by bounce back messages all relating to this spammer; he’s spoofed our domain and Mail Marshal’s stopped about 400 in the past 2 days.
    I wish to kill the spammer as I have to check all the Mail Marshal messages to ensure some aren’t actually real messages that Mail Marshal’s overzealous rules have stopped inadvertently.

    anyway back to checking messages.

  21. Clayton McCloud says:

    Hey, I’ve just come across your site from Google and too have been getting these spam emails from tententwelvecorp on a daily basis. It’s driving me insane. I don’t know as much about this stuff as you guys, so how do I block this shit from hammering my inbox?
    cheers from ‘down under’

  22. Neil Jackson says:

    Brainwave time!!! I’ve just thought how we could nail this guy, WITHOUT breaking any laws or misusing any computers!

    OK – first off – a bit of background. I’ve been checking the net for info on Bot-Nets, and it turns out most of them are controlled via IRC (Internet Relay Chat). Quite literally, the ‘infected’ PC joins a ‘chat-room’ on an IRC server somewhere (one which is probably not globally networked like most IRC servers).

    This actually means that it would be POINTLESS to attempt to port-scan any IP addresses given up by NDRs as ‘infected’… because there would be no useful ports opened anyway (and of course, it’s illegal). Apart from anything else, if the bots worked this way (ie, having a secretly-opened listening port on the infected PC), then the hacker/spammer would not be able to ‘reach in’ and connect to them, in many cases (NATed LANs, Private 192.168.x.x IPs not port-forwarded on the external router for the correct ports, inbound firewall rulesets, etc, etc).

    Nope – with IRC, the zombied machine does the calling itself – and this will be seen by many (outgoing) firewalls as ‘just one of my users doing stuff – let him through’ (unless they have been specifically set up to block outgoing IRC traffic). Using IRC (or something similar) even takes care of the NAT private/public IP address translation nonsense.

    Quite literally, the zombied PC joins a secret chat-channel, and waits for commands from the spammer. He just ‘talks to them’ via text in an IRC client (he will be in the same ‘chatroom’), and they’re programmed to listen and do his bidding. Quite neat, really – if it wasn’t so naughty.

    Anyway… how to get hold of the IRC server’s IP address and channel being used? If we could get this, we could shut it down very quickly, by contacting the ISP (who may also want to analyse him for a while, and report him to the cops).

    And how do we do this without hacking?

    Easy… we need a copy of the exact virus that was used to infect the zombied PCs. Hmm… not so easy, cos there are hundreds of these things out there. Even if we could identify the TYPE, we maybe couldn’t identify this variant – and it will be this variant ALONE which is connecting to this guy’s personal IRC server, so we need an exact copy, before we could work out which IRC server it connects to.

    We need a pre-existing victim to send us a copy of his ‘infection’…

    How do we get that?

    Luckily, Microsoft Exchange is stupid. It has a habit of sending NDRs without first checking the sender’s actual criteria. I have received about three NDRs from MS Exchange implementations, where the copy of the undeliverable message doesn’t contain any IP addresses or ‘normal’ SMTP information – just the basic stuff, as you’d normally find on a corporate internal message NDR, inside Outlook.

    This tells me that the infected machine in THIS case, was probably INSIDE the corporate LAN of the person sending me the NDR. Because Exchange is dumb, it’s completely ignored the fact that the message ACTUALLY came from (say) Workstation 3, and instead, it’s sent the NDR message out on the big internet to ‘[email protected]’, whereupon I received it.

    So… using this knowledge, I am starting to contact a few of these Exchange-using sites, in the hope that their responsible Postmasters will respond. I’m obviously warning them about the fact that they may already be compromised, and giving some advice as to their firewalls/Exchange config/etc (cos I’m a nice guy)… but hopefully, I can also get them to at least tell me WHAT virus/trojan they discover when they do a check – and if possible, I’ll try and get one to send me an ACTUAL copy of the virus, as found on their machine(s).

    Armed with that, I’m hoping I should be able to get at the IRC Server IP address buried inside the virus’s code – and with that, we’ve GOT THE BUGGER!

    All legal and above board, too! smile
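Neil’s plan ends with pulling the IRC server out of the bot’s own code once a victim hands over a copy. The block below is an added example, not code from the post or from Neil, showing the static part of that step: a strings(1)-style pass over the sample, with the printable runs sorted into server, port, channel and IRC-verb candidates. `SAMPLE` is a constructed byte string standing in for a captured bot; `irc.example-cnc.net`, `#spamrun` and everything else inside it are invented.

```python
"""Static extraction of IRC command-and-control indicators from a bot sample.

Added example, not code from the original post or from Neil.  SAMPLE is a
constructed byte string standing in for a captured bot executable; the
server irc.example-cnc.net, the channel #spamrun and the rest of its
contents are invented for illustration.
"""
import re

# Constructed stand-in for a bot binary: a few header/code bytes plus the
# NUL-separated configuration block that many early IRC bots shipped in clear.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"kernel32.dll\x00WSAStartup\x00connect\x00"
    b"irc.example-cnc.net\x006667\x00#spamrun\x00j0bb3r\x00"
    b"NICK %s\r\n\x00USER %s 0 0 :%s\r\n\x00JOIN %s %s\r\n\x00"
    b"PRIVMSG %s :%s\r\n\x00.mail.start\x00.mail.stop\x00"
    b"\x00\x55\x8b\xec\x83\xec\x40\x53\x56\x57"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")        # what strings(1) reports
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Things that look like hostnames but are just Windows file names.
FILE_EXT = {"dll", "exe", "sys", "ocx", "ini", "dat", "bat"}
IRC_VERBS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ", "PASS ", "PONG ", "NOTICE ")


def printable_strings(blob):
    """All printable-ASCII runs of four or more bytes, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def looks_like_server(s):
    """Dotted IPv4, or a hostname that is not really a file name like kernel32.dll."""
    if IPV4.match(s):
        return True
    return bool(HOSTNAME.match(s)) and s.rsplit(".", 1)[-1].lower() not in FILE_EXT


def extract_irc_indicators(blob):
    """Sort the sample's strings into the pieces a bot needs to reach IRC C&C.

    likely_irc_bot is only set when both a destination and IRC protocol verbs
    are present; either alone is too weak (any network program has strings)."""
    found = {"servers": [], "ports": [], "channels": [], "irc_commands": [], "other": []}
    for s in printable_strings(blob):
        if looks_like_server(s):
            found["servers"].append(s)
        elif s.isdigit() and (6660 <= int(s) <= 6669 or int(s) == 7000):
            found["ports"].append(s)                  # conventional IRC ports
        elif s.startswith("#"):
            found["channels"].append(s)
        elif s.startswith(IRC_VERBS):
            found["irc_commands"].append(s)
        else:
            found["other"].append(s)
    found["likely_irc_bot"] = bool(found["servers"] and found["irc_commands"])
    return found


if __name__ == "__main__":
    for key, value in extract_irc_indicators(SAMPLE).items():
        print(f"{key:>15}: {value}")
```

Two caveats for anyone actually trying this. First, the strings in a real sample may be packed or encrypted, in which case this pass finds nothing and the sample has to be run in an isolated lab machine while its outbound connection is watched instead. Second, `kernel32.dll` is there deliberately: it matches the hostname pattern, and without the file-extension filter a naive strings scan reports it as a server, which is exactly the kind of false lead that wastes an ISP’s abuse desk’s time.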

  23. Mike says:

    I’m still getting hit but the last one had a phone number to call for removal of 310 5987434.  This is a “Los Angeles” Calif phone number; when you call it you get a man’s voice stating to leave your e-mail address for removal.  I have tried to back trace this number and found nothing.

  24. Neil,

    I’ve never paid much attention to how botnets operate until now.  I never had to worry about them beyond the occasional trackback/referrer spam attack, and I’ve mostly got that under control.

    Your plan is a good one.  I hope they get back to you with that information.  Finding the botnet controller (or at least shutting down the control path) would be a great break.  Further, if it resulted in the arrest of the botnet controller, that’d be even better.  If he isn’t the spammer, perhaps he could be persuaded to give up the spammer (or at least as much as he knows; I’m given to understand that these botnets are often rented out via shady IRC channels, although there still has to be some kind of money transfer).

  25. Neil Jackson says:

    Me neither, Aubrey! Sure, I knew OF botnets, but hadn’t really looked into the exact nature of how they worked, till now. This experience has been different to the usual ‘NDR-flood’, for me. In the past, they mostly seemed to emanate from one or two IP addresses in one range, making the follow-up reports back to a single ISP a lot easier.

    This time, it’s ‘whack-a-mole’, though – the NDRs are from all over the world. I’m seeing Japan, Netherlands, Germany, Switzerland, USA, Italy, Brazil, Trinidad, Malta – you name it! And it occurred to me that if I diligently just reported each instance back to each ISP, not only would that take me forever, and embroil me in a million different awkward conversations with clueless ‘[email protected]’ departments, it would also just resolve one BRANCH of the tree of problems.

    Sure, I’d help clean up THAT ISP… and HE would feel snug… but I (and you, and all of us here) would still keep getting this garbage from different branches of the botnet tree. That sucks. No reward for lots of effort…not even ‘closure’. 🙁

    I’ve not heard back from any of the postmasters I’ve emailed yet, but I’m hopeful. Maybe. The thing is, if they are clueless enough to allow their corporate mailservers to accept from-spoofed SPAM and send an NDR to the spoofed party, then what chance do I have of reaching someone able to understand the situation!

    I have to confess I laughed when I saw some of the affected corporate LANs domain-names… one is a major European car-manufacturer, and another is a massive multi-national mega-corp in the systems and appliance-control marketplace (a household name). One of them didn’t even have a working ‘[email protected]’ address (which is a requirement of ANY domain on the internet, since year dot!)

    I’ve also made contact with a bunch of folks at my own ISP, who have all been Joe-Jobbed this weekend too. It’s possible I can enlist the services of my ISP directly – they’re pretty clued in to all this stuff, from past experience, so maybe our prospects are good.

    Still receiving bounces as I write this. Onwards and upwards! wink

  26. Robin MacEwen says:

    I suppose it is comforting to find there is a community of souls whose domains have been hi-jacked for this spoofed mail.  I have 2 domains – one for a charity I help run and my own and both have now been hi-jacked in this way.  I too came upon this site when I googled tententwelvecorp. More strength to your elbow all of you, in any attempts to stop the characters who have been stealing our identities. I have now had well over a 1000 bounces on my charity email and about 200 on my own address. The earlier ones seemed to be coming back predominantly from .de addresses but now they are from all over. If I had to I could just abandon my own domain name and start another but I can’t do that for the charity as I need people to be able to find it easily. I despair of a solution.

  27. Chris Dempsey says:

    I started receiving these spams shortly after joining “www.thecavernforum.com” It’s a legit forum but perhaps they’ve been infected as Neil suggests. I’ve been trying to find the source too and ended up here, you know more than most. Good hunting.

  28. With my SPF record on my DNS, I’m still getting bounce SPAM, but the numbers seem to be down.  But my numbers were never as high as some of you are reporting.

    My personal testing of the SPF record has not shown any effect (it was not rejected), so a lot of mail servers out there are not yet using this protocol.

    Using this page:
    http://www.kitterman.com/spf/validate.html?

    It looks like the service has set it up correctly.

    It can’t hurt, but to be safe I now send mail through my site server’s SMTP, instead of my ISP’s.
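The SPF records Mark set up in comments 4, 18 and 28, and the softfail/fail split the author tried on his two domains in comment 19, come down to the evaluation below. This is an added example, not code from the post or from openspf.org: a minimal SPF evaluator with DNS replaced by the constructed `FAKE_DNS` table so it runs offline. The domains and addresses in that table are made up (RFC 5737 documentation ranges), and `receiver_action` is the common MTA policy, not something any particular product is being claimed to do.

```python
"""Minimal SPF evaluator: how a receiving mail server decides whether the IP
that connected to it is allowed to use the envelope-sender domain.

Added example, not code from the original post or from openspf.org.  DNS is
replaced by the constructed FAKE_DNS table so the script runs offline; every
domain and address in it is made up (RFC 5737 documentation ranges).
"""
import ipaddress

# Constructed stand-in for DNS (TXT, A and MX answers).
FAKE_DNS = {
    "txt": {
        # hard fail: unauthorised sources should be rejected
        "example.com": "v=spf1 mx a:mail.example.com include:_spf.isp.example -all",
        # soft fail: unauthorised sources should be accepted but marked
        "example.org": "v=spf1 ip4:203.0.113.0/24 ~all",
        "_spf.isp.example": "v=spf1 ip4:198.51.100.0/25 -all",
    },
    "a": {
        "example.com": ["203.0.113.10"],
        "mail.example.com": ["203.0.113.25"],
        "mx1.example.com": ["203.0.113.50"],
    },
    "mx": {"example.com": ["mx1.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate domain's SPF record for a connection from sender_ip.

    Returns one of: none (no record), pass, fail, softfail, neutral, permerror.
    Mechanisms are tested left to right; the first match decides.
    """
    if depth > 10:                       # include: recursion limit from the spec
        return "permerror"
    record = dns["txt"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in dns["a"].get(arg or domain, [])
        elif name == "mx":
            matched = any(sender_ip in dns["a"].get(mx, [])
                          for mx in dns["mx"].get(arg or domain, []))
        elif name == "include":
            # include: matches only if the included domain would say 'pass'
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and no 'all'


def receiver_action(result):
    """The policy most SPF-aware MTAs apply.  Only 'fail' is refused during
    the SMTP session, which is what stops a bounce: a message that was never
    accepted cannot be returned to the forged sender."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-mark"
    return "accept"


if __name__ == "__main__":
    bot = "192.0.2.44"                   # a zombie PC, authorised by neither record
    for domain in ("example.com", "example.org"):
        result = check_spf(bot, domain)
        print(f"{domain}: {result} -> {receiver_action(result)}")
    # example.com: fail -> reject
    # example.org: softfail -> accept-and-mark
```

Three things this makes concrete. SPF is checked against the envelope sender (the address in MAIL FROM, which is also where bounces go), so a bot that forges your domain there is what it catches. Only a receiver that actually checks SPF helps, which is why Mark’s own test message was not rejected and why the bounces only slow down rather than stop. And only `-all` makes a checking receiver refuse the message at SMTP time; with `~all` the spam is accepted and marked, the recipient does not exist, and the NDR still comes back to the forged domain.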

  29. Bob Boatman says:

    Hi
    As predicted, after Monday the first series dried up.  Unfortunately, also as predicted, another series has started today advertising different shares.
    These are originating predominantly in Europe and I wonder if it is due to the mix of languages in continental Europe that is the issue here.  I have sent complaints to several of the ISPs but when I read the text of my messages I am not sure how easy to understand these will be given that I am sending it to German, Belgian, Dutch and Danish ISPs.  Certainly if someone from these countries complained to me in their own language I wouldn’t have a clue what they were talking about (except maybe the Belgian as my French isn’t that bad).  This may explain why the ones from the US have stopped in as much as there will be no problem explaining to the ISP what the issues are.
    Anyhow it appears that until this idiot is stopped, he is here to stay and be the bane of our online lives.

  30. Mark says:

    I also have these emails coming into my work email account. I don’t usually use it to email outside of the company but recently did email a dive shop in the Florida Keys. Now I am getting these stupid emails from tententwelvecorp. What are the steps to removing any infections I may have? Thanks for the post, although most of it is above my level of understanding! raspberry

  31. Leti says:

    Hi everyone! I’m in the same situation as Mark rolleyes I started to receive those TenTenTWelve emails into my work account and don’t know how to get rid of them

  32. Neil Jackson says:

    Let me see if I can clear up a couple of misconceptions that seem to be worrying a few folks…

    1 – If you are receiving the ACTUAL SPAMs (ie, without a ‘this message could not be delivered to [email protected]’ container-message with the original spam inside it, then you have NOTHING to worry about. You’re just a receiver of this junk-mail (which itself is not harmful, just annoying to get). All it means is that someone, somewhere, who’s been hi-jacked, has your email address in their contact-list, and thus has added your email address to the list of ‘potential targets’ to receive the spam. You may receive only one – or you may receive hundreds – it really depends on how efficient the botnet is, and whether all the bots in the network are dumb enough to re-send to the same names without cross-checking (which is highly likely). You can report the SPAM to the ISP that is responsible for the ‘injecting’ IP address (ie the root-source of the email), but even if that ISP does something, it will not stop that same email arriving from a DIFFERENT injection source, at a different ISP. You’ll just have to keep complaining to the various ISPs concerned, until finally it dies off.

    2 – If you are receiving ‘bounce-back’ messages (Non Delivery Reports, aka NDRs) advising you that ‘your’ message (which you never sent) could not be delivered to [email protected], then again, you have nothing to fear in terms of having a virus infection or a trojan. You don’t. You have simply been ‘Joe Jobbed’ – ie, someone else (perhaps many someone-elses!) are simply sending email ‘out there’, but faking your domain-name as the sender address. The site which receives these emails may discover that the intended recipient doesn’t exist, so it dutifully sends the NDR back to the place it THINKS was the source… it looks up the faked ‘from’ address in the message, and sends the NDR back there. This is how they end up with you. Again, there is NOTHING in the emails to be scared of, no viruses or trojans – it’s just a picture (containing the Stock Market ‘tip’), and some words designed to fool any spam-filters that the intended recipient might have in place. Once again, you can begin the task of reporting each instance to the ISPs who ‘own’ the injection-point IP address, so that they can find the zombified PC on their network and advise its stupid and unwitting owner about it. But because you are the subject of a ‘Joe Job’, you can expect MANY more of these ‘bounces’ than just one or two, because MANY more emails are being forged with your name on them as the sender. The process of reporting is therefore a LOT bigger, if you want to make it stop – and in practice, all you really end up doing is helping each stupid, uncaring ISP clean up THEIR problem, but without actually addressing the root-problem… the botnet itself. You merely help clean up one ISP, but the flow continues from ten others who still aren’t clean… and by the time you’ve got them clean (and gone grey-haired dealing with the ISP helpdesks), the ‘spammer’ will probably have infected just as many NEW PCs, and thus extend his botnet as fast as you are helping to get bits of it shut down. Life’s a bitch, but apart from the annoyance factor, you are at no risk of infection from these particular messages, okay?

    3 – The situation which causes the real risk, is true infection… If you got infected with something like Bagle, MyTob, or any one of a number of other trojans or viruses (the ones which do ‘botting’ and spam-delivery), then you do, of course, have something to fear. Your machine will run slower (because it’s spending half its time sending emails on the spammer’s behalf, secretly, without you noticing, and talking to its ‘command-channel’ via IRC secretly). Eventually, it’ll be discovered, and you might find in the interim, that your IP address has been added to various Spam Blacklists, and thus your email doesn’t always go through to genuine recipients (it depends whether your recipient, or their ISP is subscribing to a blacklist where it might find your IP address recorded as a spam-source). The point is, these viruses/trojans which actually DO the work of ‘being a bot’ are generally picked up ENTIRELY separately from email. Most of them use exploits in Windows (LSASS, to name but one route), to infect your PC while it is connected to the internet, if it is an UNPATCHED copy of Windows, and has no firewalls or other security in place. If you’re running a patched version of Windows, and have a virus checker and/or some other security tools in place (Ad-Aware, Spybot S&D, etc), then your chances of infection (and thus your chances of ‘becoming a bot’) are pretty slim.

    The main point is, just because you are receiving either the SPAMs themselves, or NDRs about failed-delivery of the SPAMs, does NOT mean you have ANY INFECTION AT ALL! You’ll get these, either because you were a target for receipt of the spammer’s message, or because he ‘chose’ your domain to pretend to be when sending email to other people (thus doing a ‘Joe Job’ on you).

    I hope that puts a few folks’ minds at rest. Most of us here have been ‘Joe Jobbed’, but I have a feeling one or two of us are just ‘recipients of the SPAM itself’. So far, nothing anybody has said leads me to think that they are actually BOTS, or have been virussed/trojanned, ok? One way to check, would be to grab hold of a copy of the free utility called TCPView (from http://www.sysinternals.com/Utilities/TcpView.html), and use it to check if there is any traffic going out from your machine on TCP Port 6667 (the IRC port), which you’re not expecting to see. If there is, then maybe your machine is ‘hooked up’ to the botnet, and receiving commands from its (unlawful) master. If you find anything odd, you’re welcome to contact me on my forum at http://forum.bigjacko.com and I’ll see if I can help there (I don’t want to flood Aubrey’s blog with unrelated tech-support, you see).

  33. Madis says:

    I just received one too, it came from [email protected]
    It’s the first one; the message itself is a stupid picture with text on it, and at the bottom there is a removal e-mail with the url tententwelvecorp.com, but the domain is taken down, and it didn’t come from there.

  34. Neil Jackson says:

    Madis – from what you describe, you are just a ‘receiver of the spam’, and you may be lucky in that this MAY be the only copy you receive. Please let me know if that’s not the case (because it tells me something about the bot-net running the operation).

    For ref – it did NOT come from anyone at napavalleylimousines.com (they have been ‘Joe Jobbed’, like a few others of us here), and they will NOT be able to help you, so don’t bother complaining to them. The Sender email address in the message is a fake – the bot behind it has just made up a short username (ctrbwl) and appended it to the domain-name (napavalleylimousines.com), and shoved it into the mail system intended for delivery to your address.

    If you know how to access the SMTP email headers (Properties, in MS Outlook Express), you can usually work out what the IP address of the actual bot was, from the ‘Received From’ headers – but it’s a bit tricky if this is your first time deciphering SMTP headers!! Probably better to just delete this, and hope you don’t get any more. Alas, even if you are able to pinpoint the bot’s true IP address, and report it to their ISP, it won’t stop the thousands of other bots running elsewhere at other ISPs, all delivering the same junk to millions of other folk (and possibly even to you again).

    The tententwelvecorp websites were both taken down by their respective ISPs around the 12th April, I think, as soon as it was obvious they were implicated in this Spam-run. Alas, the spammer doesn’t NEED those websites at all (they are merely sacrificial lambs, used in a cynical attempt to make it LOOK as if the Spam is compliant with the law by providing an ‘opt-out’ address or website). I’m sure the spammer had ZERO intention of removing anyone from their list anyway – just as they clearly have ZERO intention of doing anything else ‘legal’ in this operation (running botnets, turning PCs into bots, and ‘Joe-Jobbing’ are all highly illegal now, so it’s clear that the law is not really anything the spammer is even concerned about).

    Regards
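The header-reading step Neil describes (working out the bot's IP from the Received lines rather than trusting the From address) can be automated. The script below is an added example written for this page, not code from the thread or from any tool mentioned in it; the message, hostnames, addresses and IPs are all constructed documentation values. It encodes the one rule that matters when reading these headers: only the Received lines stamped by relays you trust are believable, and the injection point is the untrusted address that handed the message to the first trusted relay. Everything below that line in the chain was written by the sender and may be forged.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): the original message's header block
# as a receiving site would return it inside an NDR. Hosts, addresses and IPs are
# RFC 2606 / RFC 5737 documentation values. The bottom Received line is the kind
# of forged hop a bot can prepend to throw off a casual reader.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org with ESMTP id ABC123
    for <someone@example.org>; Thu, 13 Apr 2006 10:00:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mx.example.net with SMTP id XYZ789; Thu, 13 Apr 2006 09:59:58 +0000
Received: from relay.forged.example (relay.forged.example [203.0.113.5])
    by 198.51.100.77 with SMTP; Thu, 13 Apr 2006 09:59:50 +0000
From: ctrbwl@forged-sender.example
To: someone@example.org
Subject: Watch this stock like a hawk

body omitted
"""

# Hostnames of the relays you operate or trust (assumed); only their Received
# lines are believable.
TRUSTED_RELAYS = {"mail.example.org", "mx.example.net"}

_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.\-\[\]]+)")
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-\[\]]+)")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the 'from' token, 'by' host and first bracketed IP out of one Received header."""
    flat = " ".join(value.split())          # unfold the header onto one line
    from_m = _FROM_RE.search(flat)
    by_m = _BY_RE.search(flat)
    ip_m = _IP_RE.search(flat)
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "ip": ip_m.group(1) if ip_m else None,
    }


def injection_ip(raw_message, trusted=TRUSTED_RELAYS):
    """Return the IP that handed the message to the first trusted relay, or None.

    Received headers are read top-down (newest hop first). The walk continues
    only while the 'by' host is one we trust; the first hop whose 'from' side
    is not trusted is the handoff from the outside world, i.e. the bot or the
    open relay it used. Anything below that line may be forged, so it is ignored.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        hop = parse_received(header)
        if hop["by"] not in trusted:
            return None          # chain of custody broken; nothing further is believable
        if hop["from"] not in trusted:
            return hop["ip"]
    return None


def claimed_sender(raw_message):
    """The From: address, which is whatever the bot chose to write and proves nothing."""
    return message_from_string(raw_message)["From"]


if __name__ == "__main__":
    print("claimed sender :", claimed_sender(SAMPLE_HEADERS))
    print("injection point:", injection_ip(SAMPLE_HEADERS))
```

The IP this returns is the one to look up and report to the owning ISP; the From address is deliberately not used for anything. If your own relay is not in the trusted set the function returns None rather than guessing, which is the safe answer when the chain cannot be verified.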

  35. Neil,

    That’s a good summary.  I hope everyone has a chance to read it, and for those who have just received the spams, it provides a bit of peace of mind.

    Mark Pulver,

    I found that the wizard uses the “~all” directive in the SPF record, which means a softfail.  I think you may have to change it to “-all” to indicate a “hard” failure.

    However, it’s up to the individual MTA to decide how it wants to implement SPF.  I noticed with GMail, for example, that it simply adds a header to the email, but doesn’t actually reject it.  And at present, you can’t set a filter using that header, either.
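To make the ~all versus -all distinction concrete, here is a small SPF evaluator. It is an added example for this page, not code from the thread or from any SPF wizard; it handles only the DNS-free mechanisms (ip4, ip6, all) and reports anything else as unsupported instead of guessing, since a, mx, include and redirect need DNS lookups. The record strings and IPs are constructed documentation values.

```python
import ipaddress

# Result names for the four SPF qualifiers (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record for the connecting IP.

    Only the DNS-free mechanisms are handled: ip4, ip6 and all. Records using
    a, mx, include, exists or redirect need DNS lookups and are reported as
    'unsupported:<mechanism>' rather than evaluated wrongly.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]     # "all" always matches: the catch-all verdict
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported:" + mech
    return "neutral"                         # nothing matched and no "all": RFC 7208 default


def compare_all_qualifiers(authorized_net, client_ip):
    """Evaluate one stray IP against a wizard-style ~all record and a strict -all record."""
    soft = evaluate_spf("v=spf1 ip4:%s ~all" % authorized_net, client_ip)
    hard = evaluate_spf("v=spf1 ip4:%s -all" % authorized_net, client_ip)
    return {"softfail_record": soft, "hardfail_record": hard}


if __name__ == "__main__":
    # A bot at 198.51.100.5 forging a domain whose only authorized relay is 192.0.2.0/24
    print(compare_all_qualifiers("192.0.2.0/24", "198.51.100.5"))
```

Note that the evaluator only produces a verdict; whether "softfail" is treated as a reason to reject, to tag or to do nothing at all is up to the receiving MTA, which is exactly the behaviour described above where a large provider records the result in a header but still delivers the message.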

  36. Johan Pohjanheimo says:

    Hi! I stumbled across this discussion, apparently as many before me, while googling for tententwelvecorp.. I’m just a “receiver” but since Monday I’ve received 8 “tententwelve” emails, all from different “senders”.. Surely nothing life-threatening, but it still bugs me..

  37. Rob Mack says:

    Just wanted to say hi.  I’m also dealing with the tententwelve bounced messages on my domain too.  They have used my domain for two penny stock spam mailings so far.

  38. Tim says:

    I for one am only a recipient of the spam.  But since it was the first spam received at my work email address, I googled “ten ten twelve” and ended up here.  For better or worse, Aubrey’s site has become a focal point for people looking for answers on this one.

    One thing I’d like to point out:  Since this site does rate so highly in a google search, there is a chance that the spammer himself has found it, and has read Neil’s plans to track him down.  I don’t have enough understanding to know if this gives him insight as to how to protect himself; but I thought you might want to consider it.

    In any case, good luck Neil!  I hope he doesn’t choose to add email addresses he finds here to his list of dummy senders.  (I’ve faked mine to avoid that possibility; paranoia perhaps.  And Aubrey, don’t worry:  I am not checking “Notify me of follow-up comments”.)

  39. Adrian Franks says:

    Given I have two addresses receiving this BS, and both started receiving this spam at the same time, and only about 3 people have both (hundreds have either); can I safely assume that one of these persons is the infected computer? And, if so, will Spybot S&D clean their machine? Thanks all.

  40. Neil Jackson says:

    @Tim (p38) – don’t worry…

    @Adrian (p39) – it’s a plausible assumption, but likely to be wrong, I feel. As you said, hundreds of people have one of your two addresses – and of those hundreds of people, all it would need is for two of them to have been compromised by the same trojan. You’d have a hard job pinning down which two people it was…

    In contrast, the chance of one of only three people in the world (who possess both your email addresses) getting himself infected is a lot slimmer, really.

    Doesn’t mean it’s not worth checking those three out, though! At least that is a feasible operation, maybe! Yes, I would think SpyBot S&D (with the latest updates) would probably give a clue as to whether they were infected, and perhaps resolve it (but you’d have to check its help files, I guess). Depends on the trojan concerned.

    Hope this helps (and my apologies to Aubrey if his blog is turning into an impromptu triage and help-desk!)

  41. Tim,

    One of the precautions I took when I customized the templates for this site is that I made sure to hide your email.  You’ll notice that the only way a person’s name gets turned into a hotlink is if they put in a website.  The default was to create “mailto:” links for anyone who didn’t have a website in the comment.  I did this to prevent spammers from harvesting emails.  One day I may turn the feature back on, but only after adding some sort of mechanism that prevents harvesting.  Right now, I’m the only one who will see email addresses.

    Adrian,

    It may also be possible that of the two groups of hundreds who have either of your addresses that at least one machine in each group got infected, such that the spammer harvested both of your addresses by getting them individually from each group.

    Provided you can get to one of the infected machines, I don’t think an adware remover would do any good.  These machines are generally infected with a virus or a worm, which requires either an antivirus program or manual intervention to remove.

  42. Neil,

    It’s OK.  I don’t mind the comments.

    I looked at SpyBot S&D a little just now, but didn’t see anything helpful.  Like you said, it’d probably depend on what is infecting the machine.  If it’s a known trojan that is linked to spyware, it’d probably show up.  But if its main purpose is for remote control/spam/zombie attacks, then it may not be there.  I couldn’t see their list of known threats, so I can’t determine if they scan for these sorts of things.

  43. Neil Jackson says:

    Cool, glad that’s ok, Aubrey. Thanks!

    I’ve had a look at Spybot’s site, and you’re right – they don’t list everything that’s detected by that app, so it’s hard to be sure.

    In any case – I kinda assumed that the people whom Adrian would need to be checking would hopefully already have an antivirus app installed… but I guess that’s a bad assumption to make. If they have nothing, try http://free.grisoft.com/ for the free version of AVG, which is very good, and will also pick up most known bots too, I think.

    There’s a certain amount of ‘crossover’ between all these apps – even though strictly speaking most bots are not viruses, they sometimes exhibit ‘virus-like’ behaviour when replicating (usually through port 445 or one of the netbios ports) – and because of that, some antivirus developers include them, and others don’t.

    Personally I run with both the above, and AdAware too. It may be overkill, but I’d rather be doing too much checking than not enough. 😀

    I dug up some interesting insights into ‘what is a botnet’ and how they work – here http://www.honeynet.org/papers/bots/ – it’s a tad technical for some, maybe, but it’s pretty enlightening (if a little long). But if you’re worried about bots, and what they mean for us nowadays, this will explain everything you ever wanted to know, and why it’s right to be cautious!

  44. codeman38 says:

    Another tententwelve victim here.  I’m posting a bit of a rant on my own blog about these guys.

    Seriously, I’d love to see these spammers get a taste of their own medicine…

  45. Mycroft says:

    To Boardman, who’s worrying about the lingo-mix in Europe – Any ISP over here is prepared to understand and write English. But help/abuse desk people are the same kind everywhere.

  46. Kenneth Oldfield says:

    I am not as experienced with a PC as obviously many of you are. I did however do a search on the tententwelve and just got nowhere. There is a law against people sending out this kind of crap, isn’t there? Will it ever stop, or should I just get a new email address?

  47. Neil Jackson says:

    Kenneth, yes, there are laws, but because these are usually international, the enforcement is, er, a bit sketchy. It’s not worth changing your email address, because sooner or later, it’ll happen again, and you’ll just end up in a cycle of forever changing your addresses just to avoid spam. Why bother? You’d just be exchanging the inconvenience of processing and deleting unwanted SPAM, for the task of notifying all your friends and contacts every time you change your address!

    In my experience, these things usually don’t go on forever – once the botnet has been traced, it’ll get shut down. Or, quite possibly, the next job that a Spammer comes to the BotNet operator with, will use different ‘From’ and ‘To’ addresses, and thus we might get some peace (while some other poor soul gets the hassle).

    Not much solace, really – but all I can suggest is just ‘grin and bear it’… it’ll pass… eventually.

    For ref (just as an aside), I’ve so far had zero luck in getting ANY of the postmasters at sites where it’s obvious the ‘bot’ was working INSIDE their corporate LAN. This time, I’m naming and shaming, though, because I’m fed up with big businesses that don’t understand the first damn thing about how to run an internet-based system.

    So, Volkswagen/Bentley, Flextronics, and Brightpoint – you suck! And Honeywell, your system has now sent me TWO distinct sets of bounces and your ‘[email protected]’ address (a legal requirement for any internet domain) doesn’t even work – so you suck the worst! A plague on all your houses, and I hope this bot ruins your corporate LANs, your reputation, and costs you big to clean it off. Such inept system-administration shouldn’t be allowed on the internet, and you’re as bad as the damn bot-operator, in my opinion!

    Grrrr.. 🙁

  48. Mark says:

    Neil – First let me thank you and Aubrey for all the time and effort you have put into this posting. It is nice to see people who care.

    Second – thanks for setting my mind at ease. I was worried I might be a “bot” computer but realize now I am just a recipient of this evil mail. I know it must be frustrating for all of us and especially you two to have to answer all of the questions from us noobs. Thanks again!!

    Third – If you ever find out who the perp is and want to use my computer as a “bot” to spam the hell out of him, sign me up!! I know life’s a bitch but payback is sweet!

  49. Erin says:

    What is going on here?  I thought mac-users weren’t supposed to get bombarded with all this crap-mail, yet every morning for the past week I have woken up to some creatively-titled e-mail informing me which stocks I should be “watching like a hawk” that day.  It seems there is no common searchable factor between any of them, other than their attached content, and this is making it quite impossible for me to have them routed directly to the trash.  I suspect everyone here has already discovered that.
    Has anyone tried calling the “removal number” listed at the bottom of the e-mail?  It might be fun so long as it’s done from an untraceable public phone.  I don’t really even understand the point of all of this, but I do speculate that this loser is getting a good laugh out of all of us, driving to work, plotting his demise, writing blogs and devoting all this time to eradicating something that seems to be minimally harmful at most.  Maybe he is some kind of sociological mad scientist testing the boundaries of human bonding in a digital age.  Or maybe he is just another skinny internet bully, in which case we should all rally in the parking lot of his workplace today and pounce on him like ferocious tigers as he walks to his car.

  50. Yoni says:

    Hello all,

    I am a mac user as Erin is, and use a .mac account for email and such, and was very surprised to see spam in my mailbox! (Please hold off on all apple/mac jokes seeing as that doesn’t help and I hear quite enough of those already)

    I came across you guys as Mike did, looking for info on who these F***ers are!!! All of you seem to be far more knowledgeable as to how to handle these things than me. I do not run a server so don’t get any “bounces” but even as a single email user I get screwed. So far it has only been a few, but anyone who would be willing to help. (I put my email in the thing)

    I can list them in my junk-list but I would like a more permanent solution if such a thing exists…

    Any help will be much appreciated…

    -Yoni

    P.S. please keep in mind I know some about computers but not a WHOLE lot so try to keep explanations and suggestions fairly simple if at all possible?

  51. Yoni says:

    oh one more thing… mine is not a Joe Job or w/e… it’s a bunch of random ppl

  52. Erin,

    As you noticed, it doesn’t really matter whether you use a Mac or a PC, since this is directed at your email. 

    I’ll have to hand it to this spammer in that his spam generator is pretty crafty.  He constantly changes the signature of the emails as they are sent, making Bayesian filtering nearly useless.  By the time you get one of his signatures, he’s already sent thousands of spams with that signature and has moved on to a new pattern.  Also, by constantly changing the sender name and address he defeats filtering on the sender (although I suppose if one filtered on the known domains, one could have some success, but that bothers me in that it means you’ve blacklisted my domains).

    Anyhow, he’s doing all this in the interest of pumping and dumping various penny stocks so he can make a profit on them.  So long as he thinks he can influence the market with these spams he will continue trying to send them.

  53. Neil Jackson says:

    Aubrey – if it helps – nobody (with any sense) blocks by specific email address or domain-name information these days. It’s just too unreliable a method (and has been, since about 1995), precisely because of these kinds of ‘Joe Job’ incidents.

    Sure, on a per-user level, some sysadmins allow a user to block a specific email address (eg, from someone they actually KNOW is linked to that address, and who is sending them bad stuff).

    But most ISP-level blocking (and frontline corporate SMTP filtering) is done via the main ‘RealTime Blacklists’… all of which work by IP address, not domain-name or email address.

    Your domain’s reputation IS safe, I promise you (well, apart maybe from a few unaware end-users out there who might associate those faked ‘From’ email addresses with you, but they won’t be in a position to inhibit your normal mail flow).

    The spammer/botnet-operator on this occasion is being marginally more smart than most I’ve seen in the past, but he’s no rocket-scientist, tbh.

    The ‘trick’ he’s using to get past most heuristic spam-filters is an old one – send a GIF image containing a PICTURE of the words you really want to send, format it as an HTML display, and fill the rest of it with random words from a few storybooks, and the Bayesian filters will think it’s a ‘real’ letter from someone. It simply doesn’t ‘see’ the text in the picture. And as you said, if the ‘crap text’ is randomised every time, there’s no repeating pattern for the filters to learn as ‘known spam fingerprints’ for future reference.

    Net result – it gets through every time – and will always do so. Alas, this limit of Bayesian filters has been known about for a couple of years now – but up to now, the effects have been less noticeable. This is because, in the past, the filters COULD still sometimes be triggered by repeated items in the hidden message headers – such as a non-random ‘HELO’ prompt used at SMTP mail-delivery time, or by ‘giveaway’ non-random faked email address usernames (the bit before the @ sign). Some old (stupid) SPAM programs (the type that clueless marketers use) would actually put a hidden header in the message, identifying the actual spamware being used! Needless to say, these kinds of ‘fingerprint’ can readily be detected by most heuristic spam-filters very quickly.

    But this guy has merely combined past Spammer knowledge to come up with a better mousetrap. Because he’s using a bot-net, the ‘fingerprints’ in the headers don’t occur. HELO prompts are randomized, email usernames are randomized, and the infected PC’s own mail-client software means there are no ‘easy’ headers which can be filtered (bayesian filters don’t tend to block messages with ‘MS Outlook’ as an SMTP header, simply because there is so much Non-SPAM traffic with that same header. Bayesian filters need to be ‘taught’ what is spam and what isn’t, before they can ‘trust’ their learned-logic on their own, thus they can’t associate ‘MS Outlook’ as being either, absolutely).

    The only definitely ‘fingerprintable’ bit of info in the headers, is the IP address of the infected bot computer… and if that ends up in a spam-filter, well, our man doesn’t give a darn. He’s got THOUSANDS of other computers, all with different addresses, and they won’t be recognised and filtered instantly. He can ‘dribble’ his message out for days, via multiple sources, and most likely, (given the rate of infection of PCs) he will suffer no net loss overall, in the number of bots he has under his control.

    So, basically, he’s a bit smarter than most spammers, maybe – but he’s not THAT clever, really. By injecting ‘bayesian-fooling’ email bodies from all over the world, he introduces ‘bayesian-fooling’ headers, too. It’s merely the next logical step.

    What is most unfortunate, is that soon, ALL spam will be done this way, and we’ll be back where we were before Bayesian filters were invented (ie, about 1995). I dread to think how many million times the potential ‘spam-base’ has multiplied since then, or how we’re going to combat it.

    It might be time to ‘teach’ Bayesian filters about messages with one, consistently-sized GIF image, or perhaps even to learn ‘fingerprints’ inside image-attachments. Alas, that’ll slow down mail delivery a tad more, and increase the load (and expense) on servers and ISPs and all of us, no doubt. But such is life in the 21st Century, eh?

    Like I said – regards THIS incident, there is absolutely NOTHING we can do to stop the overall flow, and even reporting individual emails to their originating ISPs (worked out from the IP address in the headers, NOT the email address of the sender, who will be totally uninvolved and unaware) is a pointless task, because it merely removes ONE infected bot from a network of potentially thousands, which is growing every day.

    Our only hope is identification of the ‘bot’ virus/trojan itself, (which means getting hold of an infected person), and then cracking that to determine where it ‘phones home’ by IRC. Then, we can make a report to the ISP responsible for that network, and get the IRC server (from which he controls the bots) shut down, which would bring the spam-run to an end.

    That is, of course, assuming he doesn’t have a NETWORK of IRC servers all interlinked together, and just run away when the ISP shuts down his IRC server. Very often, the IRC server itself will be on a hijacked PC too, and he’ll probably have a backup plan, or a backup IRC server… but the process of ‘switching over’ the bots to use any replacement is not insignificant, so at the very least, we’d have him on the back foot for a while.

    Annoyingly, though – what usually happens is that he’ll be discovered and dealt with and nobody tells us (where’s the satisfaction in that justice, eh?), or he’ll simply just ‘move on’ and start using different sender addresses to ‘Joe Job’ with… at which time we all wander off, but it happens again, next time to other folks, and as soon as they get close, he moves along again.  Sucks, don’t it? 🙁
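Neil's suggestion above (teach the filter about the one consistently sized GIF, or learn fingerprints inside the image itself) is something a mail filter can do without looking at the random text at all. The script below is an added example written for this page, not code from the thread or from any filter product; the message it builds is a constructed stand-in for the spam described (one inline image plus storybook filler), the GIF is a header-only stub rather than a real picture, and the addresses are documentation values. It extracts two fingerprints per image part, a content hash and the declared GIF canvas size, and flags a message when either matches what has been learned from earlier reports.

```python
import hashlib
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for the spammer's picture: a GIF header-only stub declaring
# a 600x400 canvas. Only the header matters here; it is not a renderable image.
SAMPLE_GIF = (b"GIF89a" + (600).to_bytes(2, "little") + (400).to_bytes(2, "little")
              + b"\xf7\x00\x00" + b"\x00" * 32 + b"\x3b")

# Constructed filler text of the kind described above: words lifted from storybooks.
FILLER = ("It was the best of times it was the worst of times the river ran "
          "silver under the moon and the old mill turned slowly in the wind")


def build_sample_message():
    """Assemble a message shaped like the ones described: one inline image plus random prose."""
    msg = MIMEMultipart("related")
    msg["From"] = "qwlrtz@forged-sender.example"    # constructed, random-looking username
    msg["To"] = "someone@example.org"
    msg["Subject"] = "Watch this one like a hawk"
    html = "<html><body><img src='cid:pic'><p>%s</p></body></html>" % FILLER
    msg.attach(MIMEText(html, "html"))
    pic = MIMEImage(SAMPLE_GIF, "gif")
    pic.add_header("Content-ID", "<pic>")
    msg.attach(pic)
    return msg.as_string()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def gif_dimensions(data):
    """Read width/height from the GIF logical screen descriptor (bytes 6-9, little-endian)."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return (int.from_bytes(data[6:8], "little"), int.from_bytes(data[8:10], "little"))


def image_fingerprints(raw_message):
    """Return one record per image part: subtype, declared size (GIF only) and a content hash."""
    records = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "image":
            continue
        data = part.get_payload(decode=True) or b""
        records.append({
            "subtype": part.get_content_subtype(),
            "dimensions": gif_dimensions(data),
            "sha256": sha256_hex(data),
        })
    return records


def flag_image_spam(raw_message, known_hashes, known_dimensions):
    """Flag a message whose image matches a learned hash or a learned canvas size.

    known_hashes / known_dimensions are what a filter accumulates from reported
    samples: the same picture (hash) or the same consistently sized canvas
    turning up again and again while the surrounding text keeps changing.
    """
    reasons = []
    for rec in image_fingerprints(raw_message):
        if rec["sha256"] in known_hashes:
            reasons.append("known image hash %s" % rec["sha256"][:12])
        if rec["dimensions"] in known_dimensions:
            reasons.append("known image size %dx%d" % rec["dimensions"])
    return {"flagged": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    raw = build_sample_message()
    learned = {sha256_hex(SAMPLE_GIF)}          # pretend one earlier report taught us this picture
    print(image_fingerprints(raw))
    print(flag_image_spam(raw, learned, {(600, 400)}))
```

The hash catches exact re-sends of the same picture; the canvas size is the coarser signal that survives the spammer re-encoding or slightly altering the image, at the cost of occasionally matching a legitimate newsletter with the same dimensions, so in practice it is a weight added to a score rather than a verdict on its own.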

  54. In the last 3 days I have received 7 or 8 e-mails from tententwelvecorp.com. I called the phone # on the bottom of the e-mails, 310.598.7434, in hopes it’ll end. Sounds like it won’t. Turns out, most of us at work are getting these.

  55. By the way, I meant 7 to 8 e-mails EACH of those 3 days.

  56. Neil Jackson says:

    Word of advice..

    DON’T CALL THE NUMBER!!!!

    At least, don’t (for goodness’ sake) give him your email address.

    The guy’s a crook. He’s patently breaking all kinds of law already. What makes you think he’s going to honour your request for removal?

    More to the point, by calling him and giving an email address, you actually give him THREE bits of valuable information…

    1 – that your email address IS definitely active (so he can include it again on a spam-run, KNOWING he will reach you).

    2 – now that he’s verified you (or rather, you’ve verified yourself), he has one more name on his list that he can charge whoever he’s spamming for that li’l bit extra. Lists of WORKING email addresses are worth money… on a PER-ADDRESS basis!!! You’ve just made him an extra dollar!

    3 – Quite possibly, knowing that YOU at that address are genuine, he may attempt to add ‘well-known’ usernames to that same domain-name, purely on the basis of exploiting probability. Expect future spams to that domain on ‘[email protected]’, ‘[email protected]’, ‘[email protected]’ and so on. Sure, many of them won’t go through, but he won’t care. He’ll add them because the DOMAIN is live, and it’s a chance they’ll use those addresses too. And of course, that’s another three names (at least) that he can add to his fee, isn’t it?

    On a different tack, it’s quite likely he’s gaining some amount of the call-charges, for calls to that telephone number. Cynical? You bet!

    Seriously – avoid direct contact, removal-lists, and all that jazz. You’re better off talking to your own ISP, or the ISP of the ‘infectee’, or a handy nearby brick wall, I’m afraid 🙁

  57. Sebastian says:

    I have had the same returned email problem having been joe jobbed. I have no site, just a domain which has been ‘stolen’… my service provider said sorry, can’t help, we are just an email forwarding service…

    The people who are behind this seem to be: (taken from a press release)

    Contact: Investor Relations Department
    Phone: 1-866-369-9476
    E-Mail:  Email Contact
    Website: http://www.swmdmedical.com
    Corporate Phone: 1-877-576-0936
    Southwestern Medical Solutions, Inc.

  58. Gillian says:

    Hi,

    I am just a receiver, but in the past 48 hours I have received 5 of these emails at my work email address all appearing to come from different domains:

    kggreen.fsnet.co.uk
    stowehofinn.com
    t-dos.de
    nerves.net
    sterlingequipment.com

    Hope you figure out someway to shut this guy down soon!

  59. Neil,

    I know that people don’t usually filter by full domains.  But, then, when someone is under attack by spam, sometimes one takes desperate measures.  I know that with this weblog that I have not only filtered by domain, but sometimes by entire TLDs!  But that’s a different type of spam…

    Sebastian,

    I don’t think Southwestern Medical is behind these emails.  Or at least it’s not likely.  What has happened is that the spammer is trying to pump up their stock price so he can profit from it.  It’s likely that they are just as much victims in this as we are.  I’m not an expert in securities law, but I’d suspect that an email campaign aimed solely at driving up the stock price would be frowned upon by the SEC.

  60. Gazmik says:

    Would it be worthwhile for everybody being affected by this spammer to file complaints with the FTC at https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01, or to forward copies of the bounce messages to [email protected]?

    I haven’t really heard of how much prosecution the FTC has done of spammers lately.

  61. Neil Jackson says:

    Sebastian – par for the course… the email-forwarder isn’t responsible for the domain traffic… you are, alas 🙁 You could try disabling the ‘catch-all’ address, temporarily, and the NDRs will never reach you (but then neither will anything else that’s badly addressed, but genuinely intended for you).

    Ref the address you’ve given – to be fair, that company is the SUBJECT of the penny-stock ramp… I very much doubt that they will have had anything to do with it, or even be aware of the situation. I think the US Securities and Exchange Commission would tear them to bits, if there was the slightest hint that they were ‘ramping’ their stock in this way… it’s totally illegal.

    Far more likely, it’ll be a bunch of dissatisfied longterm investors who’ve decided it’s time to dump their stock, but want a better price… so the ol’ ‘pump-and-dump’ tactic is being applied. Oldest trick in the book – but alas, it still works. 🙁

    Other news… I have just received an email from someone at Honeywell! Yippee! It’s not the correct IT person, but she’s been helpful enough to try and direct my enquiry to that dept, and is hopeful that I should get some cooperation. Now, if I can get the IT guy at Honeywell to verify that two of their machines WERE indeed compromised, and give me a copy of the virus, we may be on the home straight.

    Still a ways to go yet, but I am hopeful!

  62. Adam Watkins says:

    I’ve been suffering bouncebacks for about two weeks now, ever since my personal domain name got spoofed onto these spam e-mails.  Looking up tententwelvecorp.com led me here and … well here I am.  Hello fellow sufferers!

    I’ve taken a slightly different tack in getting this all stopped – going after the companies that are being pushed in these e-mails.  You don’t think they’re entirely *innocent* in all this do you?  I’ve taken two tacks on this so far.

    Tack one – 1) Reporting it to the SEC, FTC, FBI.  What good this might do you say?  Well, seeing how the spams come out a day or so before the “stock push” we’re actually in an excellent position to forewarn the authorities that an illegal activity will happen on a certain date.  They could a) halt trading entirely costing the pump/dumper a bunch of cash b) trace individual huge transactions and find who’s behind the scheme c) warn people ahead of time and the scheme then just won’t work.  Innocent and responsible companies would probably be happy to cooperate with all this.

    (Of course all this relies on the authorities being timely, efficient and pro-active – so I’m not exactly holding my breath …)

    Tack two – researching the companies being pushed.  The evidence I’ve uncovered so far shows definite patterns regarding the directors in charge of these companies.  Like they’ll all mysteriously resign from one (after it’s pump/dump period), then magically re-appear at another 6 months before it too starts getting pushed – in exactly the same way using exactly the same style of spam.
    Coincidence?  Not likely.  It’s also amazingly suspicious how the same names/law firms/domain registrars/addresses keep turning up time and again.  Has no-one even thought to check this crap?  Apparently not!

    In my opinion this is white-collar crime being committed here, plain and simple.  If the SEC had its crap together half these scam artists would not be able to operate front companies and the pump/dump schemes could never even get off the ground.  I mean, can anyone explain why Southwestern Medical Solutions, Inc. used to be Fashion Handbags Inc.Com?  Seems like a bit of a radical strategy shift for a company, eh?

  63. Wills says:

    Add me to the list. I’m not so badly affected – 100 or so emails every couple of days.

    Just emailed labwire. They are claiming to be innocent. I actually believe them after I got a reply from the CEO.

    I’m not sure why this bastard’s doing it. I don’t see how he is benefiting.

    I’ve bookmarked this page and will check back every day or 2 to see if someones shot his backside up.

  64. Neil Jackson says:

    @Adam – NICE tacks! Well done indeed. Tack 1 I’ve tried before (with spams to a UK stock-trading BBS that I used to haunt when I was day-trading myself) – in practice, I heard nothing back from the US authorities, and the spamming is STILL going on there. Prolly because I’m in the UK and not a US Citizen, they’re just penny-stocks anyway, and heck, it’s all too much trouble for US govt to do stuff with foreigners, maybe?

    Even the company whose BBS it was, either didn’t know enough, or didn’t want to ‘make a scene’, so they pretend it doesn’t happen… still.

    Tack 2, however, is just genius. I’m narked that I didn’t think of it myself! smile Alas, what with ‘real life’ and ‘work’ to contend with, it’s been hard enough just correlating what I’ve already received by way of SPAMs and NDRs (yeah, I’ve been getting it BOTH ways… my wife’s account got spammed this morning as well!)

    You’ve changed my level of cynicism with regards to the ‘pumped stocks’ actually being complicit, that’s for sure. Do let us know if you decide to publish this info somewhere, I’d be very interested in a read! smile

  65. Oswaldo says:

    I’ve been getting that stuff from TenTenTwelve whatever too.
    All I’ve been doing is forwarding it to [email protected] along with all those notices of lottery winnings, windfalls, and other fortunes offered me. Any other suggestions?

    Oswaldo

  66. Canned Spam says:

    Has anyone thought of forwarding their catch all accounts to the companies who are being advertised?

    Think it will do any good?

  67. Tony Miller says:

    I found you guys while trying to figure out what I was dealing with.  Are there any ideas on how to get off the list?  I’d really love for this to stop.

  68. Matthew Goeckner says:

    Hi:

    I have been trying to track this back – always sending copies of things to [email protected].  Clearly this is a case of pump and dump and hence a federal crime in the US.  They can track it through the sellers of the stock.

    Also it is clearly a botnet that has been rented – I had a switch from one type of spam (phishing) to this almost over night.  This happened about 10 days ago.  I get between 5 to 10 a day.  NOTE I am not an ISP = this is just my email account at work!

    I’d love to get these guys.  (The phishers I used to feed false info…  once set up a JAVAscript to dump ~100 faked master card numbers )

    grin

  69. Mick says:

    Greetings fellow suffers,

    I’ve been receiving penny stock updates since January. However they have taken the form which you are all familiar with since the middle of March. Not having a domain and just suffering from this spam is annoying enough, my sympathies to all. Not having the greatest computer skills, the best solution I see would be to limit any profits these scum can make by alerting the SEC to these stock market traders. Clearly there is a pattern here and if they had to limit the amount of shares they could trade this may be the solution……
    Best of luck to all.

    And if anyone who is considering spamming is reading this – just think that I will NEVER buy anything from you or invest in any product or share EVER…..
    and when you go to prison i just hope your 350lb cell mate named Bubba has a fetish for rough sodomy…..

    Mick

  70. Adam says:

    Oh joy. 

    Now it’s “Midland Baring Financial Group” MDBF.PK being pushed.  Quick – let’s throw all our savings at it and make millions!

    Interesting how this one no longer has the spam text along with as well.  Too excited about scamming people on this expensive stock I guess (not pennies – bucks on this one).  Well, off to the SEC with this one.

    I’ve now had it confirmed by an IT friend of mine that he definitely suspects a russian botnet.

    A couple weeks back I got sent an identifying piece of spam for a scam company called gtt-marketing.com.  Tracing stuff back on it, everything leads back to russia.  Who’d a thunk it?

  71. Kim says:

    I too am getting these bounced emails – have hundreds so far.

    Am located in Australia – have notified the relevant “spam” authorities, but i doubt they will do much about it…

    Surely some government department could look at the stocks of these companies, and trace/freeze any large sales of shares or something… (pending investigation, or whatever they do).

    I wonder if the actual 3 or 4 companies mentioned in these emails have anything to do with it. They appear to be unrelated…?

    Kim

  72. Steve says:

    I am in the UK and the recipient of 2 or 3 tententwelve emails a day at the moment. I started receiving these emails on the 18th. So whilst the volume is low at the moment, who is to say it won’t get worse? Good luck to those seeking to get this person shut down.

  73. Steve says:

    Over the last four days since this started for me, I have received 1 email about stock for Labwire Inc and around 9 emails for stock for Southwestern Medical Inc. Today I received 1 email about stock for Midland Baring Financial Group.

    I assume this person just going to keep switching stock?

    I have no idea where this person harvested my email address from. I am very careful about where I use my email address after fighting a losing battle with spam a few years ago, so I am assuming perhaps the pc of someone I know has been infected and their address book has been compromised.

    Is this assumption correct?

    Would it be worth collating a list of these email headers to get an idea on the number of infected machines that are being used as the injection points?

  74. Adam Watkins says:

    Steve – check what e-mail address the spammer is actually spoofing with.  If it’s (for example) “[email protected]” then your e-mail address *has* been harvested from somewhere.  That really sucks and there’s not a lot you can do.

    If it’s something like “[email protected]” then it’s simply your domain name that’s been harvested (probably generated from a simple whois query).  In that case you could ask your ISP to limit incoming mail to just the e-mail addresses you *actually* use.  That might solve your problem entirely.

    I am in this last category, so I could do something about it.  But right now I’m specifically wanting to capture all e-mail a) for possible evidence b) to apologise to anyone who writes to complain about the spam they think I’ve “sent” to them.  In my industry I have a public profile, so I need to avoid pissing off any potential customers 🙁

  75. Steve says:

    Adam, the spammer has harvested my e-mail address – the problem is I don’t know from where. As I mentioned earlier, I am ultra careful about where I use my address, which is why I think someone I know must have a virus/trojan harvesting their address books.

    Looks like I’m doomed!

  76. Matthew Goeckner says:

    This could be because you forwarded a joke email at one point – and the next person forwarded it and the next and the next and soon it has ~100 email addresses that can be taken….  So it might not be someone you know directly

  77. Neil Jackson says:

    @Steve – if you’re saying you’re a ‘spam-receiver’, rather than a ‘bounce-back receiver’, then yes, one of the bots in the network will have ripped your email address from any one of a number of places, and used it as a potential recipient address.

    F’rinstance:
    1 – Address Books/Contact Lists on the compromised computer

    2 – Internet temporary file/folder (some bots search here in all files for anything with an @ symbol in it… and if your email address happens to be visible on a website that the infected PC-user visited before infection, the bot will find it)

    3 – the entire mail-directory and all stored email messages on the compromised PC (for instance, if someone had CCed you on an email they sent to ‘[email protected]’, and Bill got infected, Bill’s bot would still find you, even though Bill himself may not know you at all).

    4 – and of course, the bot-net itself is perfectly capable of ‘trading’ all known lists with each bot on the network. Gone are the days when (often) ‘virus-created’ spam could be easily traced back to the person you knew who’d become infected and sent the mail to their contacts unawares. Now, it’s quite feasible that a bot in the USA ‘gives you up’ to the pool of information, and it’s twenty bots in Russia or Germany that actually send you the junk! Or all of them!

    Nightmare, innit? 🙁

    For ref, I’ve not received any NDR/bounce-backs now since the Thursday afternoon (UK time). I dunno whether this means the botnet has finally been brought down, or whether it’s just decided to ‘Joe-Job’ someone else’s domain instead of mine. How’s it going for the other Joes on this list? Are you still getting your daily dribble, or has it gone quiet for you, too?

  78. meechee says:

    I had one of my 2 affected domains email shutdown (by choice) entirely as I don’t use any email associated with it, so I can only report on 1 now.  That said, the last bounce I received was yesterday early evening, Mountain Standard time.  The bounce was for a new stock referencing that it would “blow up” on Monday, so I don’t think they plan on quitting.  Perhaps they have moved on with the joejobbing since by now most of our domains are on someones blacklist and I’m sure they want to get their spam out to as many people as possible.  I’m just hoping that the long term ramifications of a joe job that has gone on this long, are minimal.  Grrrrrrr.

  79. See the other thread <http://www.aubreyturner.org/index.php?/orglog/comments/1375> for my post (#14) on how I’m trying to filter these bounce messages.  That same filter may work even better with the original spam.

  80. Canned Spam says:

    Neil,
    Daily crap is very much down. I had only one bounceback email yesterday, and one so far today, which suggests to me the botnet spammer has either been evicted by another renter, a large part of the botnet has been shut down, or the spammer has gone off grabbing replacement domains.

    I’m glad it’s down, but I’m not so pleased for the long term repercussions for my domain. This is almost identity theft!

    Anyone fancy writing a script to upload all emails from outlook/outlook express to get a list of all infected machines?
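    Steve (#73) asked whether collating the headers would show how many infected machines are being used as injection points, Adam (#74) pointed out that the first thing to check is which address the spammer is spoofing, and Canned Spam (#80) asked for a script that turns a pile of bounces into a list of infected machines. The following is an added example, not code from the original thread or any of its participants, that does both in Python: it unpacks the original message from each DSN, takes the injection point from the topmost Received header (the one written by the recipient’s MX, and the only one the bot could not forge), and classifies the spoofed sender as a harvested real mailbox or a made-up local part. The domain, mailbox list, relay address and both bounce messages are constructed for the example.

```python
import email
import ipaddress
import re
from collections import Counter

# Constructed assumptions: the joe-jobbed domain, the mailboxes that really
# exist on it, and our own MX/relay addresses (never the injection point).
OUR_DOMAIN = "example.net"
KNOWN_LOCAL_PARTS = {"neil", "postmaster"}
TRUSTED_HOSTS = {"203.0.113.1"}
# Listed explicitly: ipaddress.is_private also flags the 203.0.113.0/24 documentation range.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")

# Two constructed bounces: one carries the original as message/rfc822,
# the other only its headers as text/rfc822-headers.
SAMPLE_BOUNCES = [
"""From: MAILER-DAEMON@mx.recipient.example
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from mx.recipient.example (localhost [127.0.0.1]) by spool.recipient.example
Received: from dsl-77.isp.example (dsl-77.isp.example [203.0.113.77]) by mx.recipient.example
Received: from [192.0.2.9] by forged.example with ESMTP
Return-Path: <xk72ja@example.net>
From: "Stock Alert" <xk72ja@example.net>

--B1--
""",
"""From: postmaster@other.example
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/rfc822-headers

Received: from cpe-23.cable.example ([198.51.100.23]) by mail.other.example
Return-Path: <neil@example.net>
--B2--
""",
]


def original_message(bounce):
    """Pull the bounced original (or at least its headers) out of a DSN."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            payload = part.get_payload()
            return payload[0] if isinstance(payload, list) else email.message_from_string(payload)
        if ctype == "text/rfc822-headers":
            raw = part.get_payload(decode=True) or b""
            return email.message_from_string(raw.decode("utf-8", "replace"))
    return None


def injection_ip(original):
    """Host that handed the spam to the first honest MTA, or None.

    Received headers are prepended hop by hop, so the topmost one was written
    by the recipient's MX; anything below it came from the bot and may be forged.
    """
    for received in original.get_all("Received", []):
        match = IPV4_IN_BRACKETS.search(str(received))
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if str(ip) in TRUSTED_HOSTS or any(ip in net for net in INTERNAL_NETS):
            continue  # internal hop behind the MX, keep walking down
        return str(ip)
    return None


def spoofed_sender(original):
    for header in ("Return-Path", "From", "Sender"):
        match = ADDRESS.search(str(original.get(header, "")))
        if match:
            return match.group(0).lower()
    return None


def classify_sender(address):
    """'harvested' = a real mailbox was scraped; 'generated' = made-up local part."""
    local, _, domain = address.partition("@")
    if domain != OUR_DOMAIN:
        return "other-domain"
    return "harvested" if local in KNOWN_LOCAL_PARTS else "generated"


def analyse(bounces):
    """Tally injection points and spoofed-sender kinds over a batch of bounces."""
    ips, kinds = Counter(), Counter()
    for raw in bounces:
        original = original_message(email.message_from_string(raw))
        if original is None:
            kinds["no-original"] += 1
            continue
        ip = injection_ip(original)
        if ip:
            ips[ip] += 1
        sender = spoofed_sender(original)
        kinds[classify_sender(sender) if sender else "no-sender"] += 1
    return {"injection_ips": ips, "sender_kinds": kinds}
```

    Feed it the raw text of each bounce (an mbox export from the mail client, split on its message separators) and the injection-IP counter is the list of infected machines to report to their ISPs; a high "generated" count means switching off the catch-all, as Adam suggests, would stop most of it. The lowest Received line in the sample is the forged one and is deliberately ignored.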

  81. Canned Spam says:

    ^^ Apologies for the grammar of “IM” (I’m)

  82. meechee says:

    Okay it’s obvious that I spoke too soon, 2 bounces in the last hour.  Same Monday “exploding” stock, so I expect more throughout the weekend, lovely.  vampire

  83. Canned Spam says:

    China World Trade adds itself to the victims list.

    The spammer obviously couldn’t decide what stock to buy. 🙁

    I’m going to add all these companies to yahoo and monitor them – see if they actually do anything

  84. Robin MacEwen says:

    Well I’ve only had 3 bounces today, which is well down on average.  I’ve now had over 2300 since last November and at one point it was about 100 a day

  85. You’ve had 2300 since last November?  How many of those were stock pump-and-dumps from 10-10-12?

    I’ve gotten a few bounces here and there, but nothing like started happening on April 13.

  86. Matthew Goeckner says:

    Hi Canned:

    I watched one of those stocks when this first started – even sent something to the company MAGP.PK

    They went from around $1.25 when it started to $0.25 last I looked.  (Just checked – it’s back up to $0.50 – you can only get 5 days of history on Yahoo.  During the height of the P&D there were ~45k shares trading a day – it was 2,400 yesterday – and I saw some days as low as 400 shares) The CEO of the company was very unhappy with what was going on.  Apparently he had just managed to fix a bad financial problem and thought he was out of the woods….  This may kill the company.

  87. Interesting…  it appears that the bounces have stopped for now.  I only got two yesterday and none today (at least so far, as of 5:15PM Central).

  88. Damn!  Spoke too soon.  Just got a bounce for a “China World Trade” pump-and-dump spam.

  89. Jesse Worley says:

    I’m getting these too, and they’re not letting up. Seems like this person is pushing a new one every few days.

    The phone number listed in one of them is 310-598-7434. I paid an investigator to dig this number and get me anything about the person on the other end, and I came up with a poor fellow in California who has had his name improperly stuck all over it. He will be going to the police Monday morning to see what can be done about this, and will be further checking to make sure the spammer isn’t using his credit card to pay for this phone number.

    In the meantime I’m having the same poor luck with injection data that everyone else here is.

    I wonder if the SEC can check all these stocks for similarities. Maybe if the same person’s name shows up on them all it could be followed as a potential lead. I’ve sent what I have, but maybe if we could put together a nice tight docket the authorities might do something about it. I’m sure the spammer is in violation of a number of federal laws at this point.

    Either way, I’ve decided that I will not stop chasing this individual until they’re caught. Money is no object, I will see this person in prison before this is done.

  90. Jesse Worley says:

    By the way, here’s the list I’ve had returned to me thus far, with approximate dates of ownership by the culprit:

    China World Trade (Symbol: CWTD) | 24 April, 2006
    Midland Baring Financial Group (Symbol: MBFG) | 21 April, 2006
    Southwestern Medical, Inc. (Symbol: SWNM) | 20 April, 2006
    Labwire, Inc (Symbol: LBWR) | 18 April, 2006
    Budget Waste, Inc. (BDWT) | 17 April, 2006

    I’m trying to get a more complete list of these organizations together. First and foremost they’ll be delivered to the SEC for processing. As a secondary step, because federal law enforcement agencies are notoriously useless, I’ll be hiring a private investigation firm to index the lists of investors in these organizations around those dates in an attempt to find a common name.

    Additionally, my initial investigator returned information that the telephone number, 310-598-7434, is carried by AT&T Local. While I won’t divulge the name and address of the “owner” of the number, as the individual is just as much a victim as are we in this matter, perhaps some calls to AT&T would help get this person caught. The phone line had to be paid for somehow. Also note that the information might not be correct, and AT&T might very well not be involved. I’m still actively following up on this myself.

    Who says these people can’t be caught? All I see are leads…

  91. Matthew Goeckner says:

    You have missed MAGP.pk   The P&D came out about March 21 or 22 – and lasted maybe until April 1.

    That was the first one I got.  (I am a receiver not ISP.)  It went to PK on March 17th and dropped like a rock from March 23 to about April 2.  Started at ~1.35 and hit a low of ~$0.25

    CWTD is sitting at 1.55 to 1.40 and seems to have stayed there for a while.  (Months)

    Can’t find MBFG (Looking on my Schwab account)

    SWNM is sitting about $0.10 to $0.15 and has for months

    LBWR is sitting about $0.08 to $0.16 and has for months – although it has been slightly higher the last few days

    BDWT opened on March 22 and fell from ~$0.63 to ~$0.40 the next day and has sat about there ever since.

    I am going to look through for more companies…

  92. Matthew Goeckner says:

    FYI I have gotten 19 of these since April 17th – and I don’t know how many before that – and I am just a regular person with ONE email address.

  93. Matthew Goeckner says:

    grin

    Just for humor – I went chasing a hacked server a month ago and found that it had been hacked a second time…  Here is what I sent the server admin and Google:


    Ok you have been hacked not once but twice at:

    http://202.129.49.42/PULSE-EFT/index.htm

    Oh and Google you need to do something about him/her….

    This is just too funny.  From the hacked hacked page…..

     

    Welcome—THIS IS A FAKE PAGE ON A THAI SERVER; I WAS ABLE TO GAIN ACCESS. THIS “PHISHER’S” EMAIL ADDRESS IS [email protected]. THIS IS WHERE ACCOUNT INFORMATION WAS BEING SENT. PLEASE TELL HIM/HER HOW YOU FEEL ABOUT TRYING TO STEAL YOUR IDENTITY.

  94. Robin MacEwen says:

    Steve, you asked how many of my 2300 bounces were these stock pump and dumps from 10 10 12. Sorry I don’t know.  I didn’t realise at first that these were being sent out from different nodes on a botnet and thought that by identifying one of the senders and reporting the spam to the ISP it would stop so I paid no attention to the spam content. It definitely wasn’t all pump and dump to begin with but unfortunately I deleted the lot quite recently so can’t go back and explore.  I’m pretty sure a lot of it was for Viagra etc to begin with.  But today all the bounces are for China World Trade and only on one of my domain names. So maybe they do move on to new domains. At one point the bounces were so numerous that if I didn’t check my mail for a few days the mail box on my ISP’s server got overloaded.

    I’m now quite sanguine about it and just filter off all mail delivery failures (well almost all – some of the foreign language ones still get through) into a separate folder which I can check for any failures for my own emails when it suits me.  It’s still helpful to know that others are suffering and what might be tried to stop the abuse.  As others have commented it brings discredit on your own domain name and could lead to it being blacklisted which would be the real injustice.

  95. Neil Jackson says:

    Said it once, I’ll say it again…

    I’ve been joe-jobbed on average once or twice a year, sometimes more, since about 1995/6, and I’ve NEVER been blacklisted by any of the realtime IP-lookup-lists (Spamhaus, SORBS, MAPS, etc) that are used by ISPs and sentient people with their own spam-filtering solutions (SpamAssassin, etc).

    I’ve had the same domain-name since 1993, and have not had a SINGLE email that I’ve sent, blocked by a blacklist entry or returned undeliverable because of past joe-job activity or as a result of any mis-placed belief that techno.demon.co.uk originates Spam.

    Really, the ONLY risk you run is that some INDIVIDUAL might add the faked email address or your root domain name to their crappy and poorly-implemented PERSONAL ‘blacklist’ (there are a few home products available which I will not deign to mention, because they’re snake-oil, mostly) – but the chances are, this idiot won’t be a contact you’d ever meet or want to email anyway. It will limit the ‘reach’ of your email world, by a factor of, er, one ignoramus.

    Blacklisting by domain-name or full email-address is COMPLETELY POINTLESS these days, and only the clueless bother with it. Think about it… how difficult is it for a someone with a set of IP addresses to purchase a new domain-name, map it to those IP addresses, and begin spamming immediately, with this new domain identity? How effective, therefore, is blacklisting by NAME? Approaching zero, really.

    Blacklisting by IP address is, was, and will always be, the way it’s MEANT to be done – and as I’ve shown elsewhere, it won’t harm YOU – only the infected PC who’s forwarding the spam.

    In all my 13 years on the net, I have had only ONE instance of a person receiving joe-job spam and bothering to send me an email complaining about it to me. Far from ‘damaging my reputation’, once I had clued-up this individual and explained what was really happening, they were greatly impressed both at the scale of the problem, and the lesson in ‘life on the internet’ that they had gained from my explanations, and they apologised for their initial over-reaction AND said thank you!

    The way I look at it, the only ‘reputation damage’ you’re likely to ever suffer from this stuff, is ‘a lowering of your standing amongst idiots’… which frankly, shouldn’t bother you. Besides, it’s easier to shine again in front of such idiocy, when you make it clear to them what’s REALLY going on.

    So don’t sweat it… your reputation is as safe as it always was, and nothing serious (other than your personal workload increasing for a while) is ever REALLY likely to arise from a Joe-Job. Trust me… I’ve had it happen more times than I’d care to recollect! Being a hardcore spam-fighter in the early 1990s kinda makes you a target! You’d think if it WAS an issue, I would have changed my email address or domain by now, wouldn’t you? No chance… because there’s NO NEED!
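    Neil’s point above, that blocking belongs on the IP address of the machine that made the SMTP connection and not on whatever name the bot typed into the From line, is what a DNSBL lookup implements. The following is an added example, not part of the original thread: the connecting address has its octets reversed and is looked up as an A record under the list’s zone, and the returned 127.x.x.x code says why it is listed. The zone, the return codes (those Spamhaus documents for ZEN at the time of writing; check the operator’s current documentation) and the offline resolver table are assumptions for the example.

```python
import ipaddress
import socket

# Return codes Spamhaus documents for the ZEN zone at the time of writing
# (assumption: re-check the operator's docs; every list defines its own codes).
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: low-reputation/snowshoe source",
    "127.0.0.4": "XBL: exploited host or bot",
    "127.0.0.9": "SBL DROP: hijacked or leased netblock",
    "127.0.0.10": "PBL: end-user range (ISP policy)",
    "127.0.0.11": "PBL: end-user range (Spamhaus maintained)",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """203.0.113.77 -> 77.113.0.203.zen.spamhaus.org (octets reversed, zone appended)."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a plain IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip, zone="zen.spamhaus.org", resolve=socket.gethostbyname):
    """Return a listing description, or None when the address is not listed.

    NXDOMAIN (the resolver raises OSError) means 'not listed'. Answers in
    127.255.255.0/24 are the zone's own error codes (public resolver, query
    limit), not listings, so they raise rather than pass as clean or dirty.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError:
        return None
    if answer.startswith("127.255.255."):
        raise RuntimeError(f"{zone} refused the query {name}: {answer}")
    if not answer.startswith("127."):
        raise RuntimeError(f"unexpected answer {answer} for {name}; NXDOMAIN hijacking?")
    return ZEN_CODES.get(answer, f"listed with code {answer}")


# Constructed stand-in for DNS so the example runs offline; real use passes
# resolve=socket.gethostbyname (the default) through a non-public resolver.
FAKE_ZONE = {
    "77.113.0.203.zen.spamhaus.org": "127.0.0.4",     # a bot, as the XBL reports it
    "23.100.51.198.zen.spamhaus.org": "127.0.0.10",   # cable/dial-up range in the PBL
    "1.2.0.192.zen.spamhaus.org": "127.255.255.254",  # zone refusing a public-resolver query
}


def fake_resolver(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise OSError("NXDOMAIN")


def smtp_verdict(connecting_ip, resolve=fake_resolver):
    """What an MX does at connection time: refuse mail from any listed address."""
    return "reject" if dnsbl_lookup(connecting_ip, resolve=resolve) else "accept"
```

    Because the key is the connecting IP, the joe-jobbed domain in the envelope sender never enters into it, which is why a correctly configured MX using a list like this can bounce the bot’s mail without ever touching the victim’s reputation. The 127.255.255.x branch matters in practice: Spamhaus answers queries from public resolvers with an error code rather than NXDOMAIN, and a naive check would treat that as “listed”.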

  96. Robin MacEwen says:

    Thanks Neil – glad that your experience suggests no lasting harm.  When I think about it the chance of anyone I know receiving Spam apparently from my domain is not great.

  97. Piet says:

    grin Hi, the same happens in Germany! I think we will get them like described at http://www.cauce.org
    Greetings and thanks. – Piet

  98. Neil, you need to tone it down.  Yes, people who filter by domain name may not be the most clueful Internet users, but it does *not* make them idiots.  Ignorant perhaps, but not stupid.

    And domain blocking *can* provide a temporary solution to the problem if the user keeps getting hit with spam from the same spoofed domain or with E-mails containing links to the same domain.  Yes, the spammer can set up a new domain, but these “idiots” can then filter that domain.

    As you said, chances are that these aren’t people who ever would have dealt with that domain anyway, so they won’t be missing anything, either.

    And, as these aren’t the most Internet-savvy people, how are they supposed to know how to filter by IP address?  First, they’d have to know to look at the E-mail headers, which are often hidden.  Second, they’d have to know which IP address to filter, a task made more difficult if somebody spoofs fake headers in the chain.

    And, even if they did this for one IP address, it wouldn’t help much if the botnet contains hundreds (or *thousands*) of machines.

    Your points are generally good, but let’s not insult the people getting spammed just because we happen to know more than they do.  They’re just people trying to use the Internet to make life more convenient or interesting; they don’t want to become Internet experts.  (Yes, I know they don’t have to truly become “experts”, but it will seem that way to them.)

    Just because I may not know much about internal combustion engines, I wouldn’t want my mechanic calling me an idiot because I couldn’t adjust my timing.  I just want to drive my car to work, not become a mechanic myself.

    Let’s save the insults for the person who really deserves them—the low-life cretin sending this garbage.

  99. Neil Jackson says:

    I see your point, Steve, but we’ll have to agree to disagree. smile

    I would respectfully suggest that someone you know (and thus cared about), who blocked “*@yourdomain.com” as a temporary ‘stem-the-flow’ filter, without adding a whitelist entry for your KNOWN email address, was not using the best of his mental powers, wouldn’t you? It’s not a question of knowing the ‘tech’.. it’s just commonsense. It’s not THAT hard to work out what email address is being used, or what SYSTEM of email addresses – and filter SENSIBLY (thus causing you, the Joe-Jobbed victim) no extra headaches.

    Just to clarify, I’m not for a moment suggesting that ‘all people who get this spam’ are idiots – they have zero control over the dilemma, alas.

    I’m just suggesting that leaping for the first ‘most-convenient-looking’ widget that purports to ‘solve spam’, without actually doing much real homework to understand what’s happening and how best to react, is something THEY have to accept some small responsibility for, when it turns out they’ve made a less than wise choice.

    If one has already been joe-jobbed, overzealous blocking by end-users merely adds to one’s overall number of problems, and doesn’t solve any at all – not even for the blocker (because the SPAM will still arrive via other faked domain-names, as it always does!). I will just add the rider, that the number in this group of blockers is usually tiny, and (because it’s so far ‘downstream’), usually unnoticeable to you anyway, in terms of ‘credibility damage’.

    I guess to me, it’s the equivalent of shoving one’s fingers in one’s ears and going ‘la-la-la’ a lot – the blocker is deaf to those GOOD admins in the blocked domains that he MIGHT otherwise get help (or be asked for further information) from, and he doesn’t contribute anything directly to the pool of general information (ie, if he doesn’t report it to the originating ISP(s), or in some other way, get it ‘dealt with’ properly – and if he DID, chances are, he’d find out about how to PROPERLY implement blocking).

    Anyway – it’s small beer, really, and I hope nobody is feeling too ‘got at’ or put out by my use of the term.

    I do agree that ‘yer man’ spammer is the one who is wholly deserving of the very best of our collective wrath… and I hope his time will come. I’m almost sorry to say I’ve still not had a bounce-message since the 20th, so I’m thinking someone else has managed to bag his scalp, and we’ll be denied the satisfaction of doing the job ourselves 🙁

  100. I think you’re arguing something different now, Neil.

    > I would respectfully suggest that someone you
    > know (and thus cared about), who blocked
    > “*@yourdomain.com” as a temporary
    >‘stem-the-flow’ filter, without adding a
    > whitelist entry for your KNOWN email address,
    > was not using the best of his mental powers,
    > wouldn’t you?

    That’s different from what you mentioned before, where the person blocking the domain didn’t know anything about that domain.

    However, if somebody knows you’re at a domain and *still* blocks the domain without allowing your E-mail through, that’s a different story.  Of course, if you really do know that person, it shouldn’t be too hard to call them and tell them how to not block your E-mail, right?  (If it’s just an Internet relationship, you can always send them E-mail from another domain.)  And does that one foolish act of blocking your domain really make the person you care about an idiot?

    As for not getting any bounces since the 20th, maybe you’re just lucky.  I’m still getting them, so maybe they just stopped using your domain.  I wouldn’t jump to the conclusion that they’ve caught the loser.

    The bounces do seem to have slowed down since their worst point, so maybe the loser has moved on from my domain to another victim and I’m seeing the last remnants of his spamming (I hope).  Of course, I will be sorry for any new victim, but not as sorry as I’ll feel if I keep getting bounces.  smile

  101. Rob Mack says:

    So far all of my bounces have been about penny stocks, with the last one being China World Trade.  However, I just got two bounces that are an ad for a company called http://rental-easy.net/ .  Has our spammer decided to diversify?  Or is my domain just being used by two unrelated spammers?  Can anyone confirm they also are seeing bounces for an ad for a company called Rental Easy?

  102. Rob,

    No, I haven’t seen that one.  It’s likely that some other spammer has started using your domain…

    It’s interesting to note that your inclusion of the “r*e*n*t*a*l-e*a*s*y” URL has caused spam filters on demon.co.uk and virgin.net to reject notifications to users who subscribed to this thread.  Looks like others have encountered them in the past.

    On a technical, site-related note, I just discovered that there’s a default limit of 100 comments built into Expression Engine.  I had to go fiddle with the templates to get your comment to show up.

  103. I also got a Rental-Easy bounce spoofing my domain.  Because there’s a link to a Web site in it, this may be easier to shut down (even though the WHOIS information is questionable).

  104. Kim says:

    I too am getting bounce backs from that rental easy company spam.

    And I have started getting bounces from a new stock company – “Sticky Web Inc” – SIKY.PK

    *sigh* It just keeps continuing 🙁

    I wonder if the rental easy thing is a good lead. It looks like a seperate thing, but maybe the company are using the same spammer/marketing place.

    It appears to be a company in Ireland (according to the email) – the email signs off Roy Denner, Manager,  Rental Easy, 4 Molesworth Street Dublin, Ireland.  The website has 34 Molesworth Street as the contact address. And the WHOIS of the domain is someone different – Jo Foltz from IBC int Laer (organisation), Box 1122, 17059 Mifflintown, USA.

    Many other people getting these same rental emails now?

    Kim

  105. Kim says:

    Just did a google search on “34 Molesworth Street Dublin” – and look what came up:

    Norwegian Embassy
    34 Molesworth Street, Dublin

    So the contact details for this company are fake. I was considering emailing them to see if they could provide details of the internet marketing company they use – however seeing as the company seems fake I don’t think I will. The WHOIS of their domain says the domain was created/updated yesterday… so not really sure what this one is about.

    Kim

  106. Robin MacEwen says:

    I’m now getting sticky web bounces too

  107. Adam Watkins says:

    Way way back at the beginning of all this mess I received an e-mail from a company calling itself GTT-Marketing (a marketing scam outfit).  It’s been relatively simple to track back all pertinent information and determine that it’s forged.  The address given in L.A. is actually one of the top Honda dealerships, if you can believe that.

    The only *real* clues are their contact e-mail address (which is russian) and their conduit for getting peoples information, which is their web-based forms (which also feeds back to Russia).  I’m currently stringing along someone from this outfit, seeing if I can tease a physical address or bank info out of them.

    I thought I had a promising lead with “Pechala’s reports” – you’ll frequently see ‘em posted alongside the scammed stock on Yahoo finance with “Buy a report for $10 or $15.”  It occurred to me that would be a really good scam – getting an easy 10 bucks a pop for a report that says the company has problems, versus pump dumping the stock which is traceable by the SEC.  It would be all above board too, and could be done for the cost of generating an excel spreadsheet off available data.

    You realize there is absolutely no information available against this company whatsoever? Faked domain registration info even!  Yet they’re passing out extremely authoritative-looking reports containing info that’s slightly tweaked but is roughly the same as that received for free by anyone with a Schwab account.  Hmmmmmm …

    The only problem with this great theory is they haven’t consistently been linked against *every* scammed stock we’ve seen here, so I think it’s a different scam entirely (I’ll try reporting it to Yahoo and see what happens).

    [sarcasm on] Wow.  That Sticky Web looks like a promising company.  As someone else describes it, they’ve found a way to patent spam.

  108. Kim says:

    And it continues…. now we have iKarma Incorporated 🙁 (ICMA)

  109. meechee says:

    Not only continuing, but worse than it was in the past few days.  I have received about 20 bounces in the last hour compared to about 20 over the entire weekend.

    I would think that they would cycle through new domains rather than using the same ones over and over, this is the oddest joejob I’ve ever encountered.  12 years on the net and the longest continuous use of my domain for this sort of purpose.

    Arrgggghhhh!

  110. Jasper says:

    Hello all,
    It seems like just sending a single .gif attachment is a new way of sending spam.

    I’m a system administrator in a hospital in Sneek, The Netherlands, and some of our users are receiving these spam emails since the beginning of March.
    I see spoofed domain names like give-music.com, Franklinnational.com and acc-soft.ch. We use MailMarshal from NetIQ for spam filter and antivirus, but these emails just get delivered. Do you guys maybe have any idea how to stop the emails from being delivered? The domain names, subjects and attachment names are constantly changing….

    I find it very helpful to read so much information about this spam on this website!

    I hope someone has an idea how to stop this.

    Jasper
    Sneek, The Netherlands

  111. Anonymous says:

    Neil, you seem very confident that this bastard will not damage the usefulness of your domain, even if he will be allowed to continue his crimes.  You believe spam-blockers are intelligent enough to blame the computer that SENT the spam, rather than blame the computers that are MENTIONED by the spam.  That is good.  But have you considered Bayesian spam-blocking systems?  They do not have real intelligence.  Every time a Bayesian system is commanded to “learn” from a spam message which mentions your domain name, it increases the probability that your domain name will be interpreted as a spam-indicator by that system in the future.

  112. Vince says:

    Jasper : Sneek : Netherlands
    Check out the MailMarshal forums

    http://www.marshal.com

    There are some instructions on there for getting MailMarshal to recognise and block these attachments. I followed them and it has stopped at least 90% of these stock spam messages getting into our system.

    You’ll have to register to access the forums, but they’re very helpful.

  113. Neil Jackson says:

    To ‘Anonymous’ (post 111):

    I’m pretty confident, yes – because I’ve been here before many times, and this situation hasn’t, in the past, ever resulted in any appreciable downstream issues for me or my clients. As I’ve said, though – there remains a possibility that someone I’ve never been acquainted with, who runs his own anti-spam system ON HIS OWN SYSTEM that filters by sender domain-address (or worse, whole domain-name) might have blocked me, but I really don’t care much about those sorts of extremely isolated cases.

    With regards to Bayesian systems, I use them myself – I have a SpamAssassin filter configured on my local mailsystem, downstream from the Brightmail system that my ISP uses. Brightmail filters most of the stuff before it ever hits my systems (saving me the download cost) – SpamAssassin filters a percentage of anything Brightmail misses (but not everything, obviously – no system is perfect) – by deleting anything with a spam-score of 10 or greater, and marking-up and delivering into a ‘spam’ folder anything between 5 and 10. I teach the Bayesian filter in SpamAssassin every day, by dumping anything that really WAS spam into a learning folder, and likewise with any ‘Ham’ (non-spam, mis-identified as spam).

    My system also uses the various RBLs – MAPS, Spamhaus, etc – to cross-reference any IP address in the headers of incoming messages against known spammer/zombie IPs currently stored on these black-lists.

    For the most part, Bayesian filters don’t take account of the headers, as far as I’m aware (but it’s been about three years since I checked, so maybe I’d better go do that today!) Heuristic header-checking is a risky concept… consider that ALL messages (spam or not) will have phrases like “received from”, “To”, “Date”, and all other stock SMTP headers in them. If the Bayesian filter is taking account of these, and the user is not properly teaching it what is HAM (as well as SPAM), then pretty soon, the Bayesian filter will decide EVERYTHING is SPAM, because it contains the aforementioned headers.

    Many people aren’t aware that a vital part of ‘teaching’ a Bayesian filter is giving it lots of ‘good’ stuff to take lessons from as being good, as well as the bad stuff to learn from as being bad.

    So – it may depend on WHICH Bayesian based anti-spam program one is using, and it may depend on how well it’s set up and operated by the user – but frankly, I’m confident that a badly-setup system is unlikely to be being used by any ISP that I care about (in terms of users behind it). Having said that, it’s never happened that I’m aware of, and at no time have any of my REAL acquaintances or contacts reported any issues.

    Certainly, I’ll concede there IS a small risk in terms of ‘end-users’ and their own personal solution – but frankly, that’s not a major concern to me. If someone sets up his email so that it blocks valid email from me, or ‘learns’ domains and blocks them entirely, then it’s quite likely he’s already ‘lost’ access to everything from Hotmail, Yahoo, Gmail, and AOL long, long, long before he blocked me – and thus his mail-system is already well into the ‘broken’ arena already! Not much I can do about it, and I doubt that there’ll be much likelihood of us needing to communicate anyway.

    And there’s another aspect to this… less obvious, but important, all the same.

    How many people that you do not know, do you have to email? If it’s a business contact, and you don’t know them, they’re either someone you’re attempting to reach for assistance (such as your electric company) – in which case they’ll often report back an NDR anyway, or it’s relatively easy to determine (by other means, such as phone) whether they got your email, and if you have a problem. But if it’s a ‘cold call’ business email that you’re sending out to an unknown individual or company, as far as I’m concerned, that’s spam anyway!

    Anyway – all I can really go by, is my personal experience and the knowledge I’ve gained over the past 13 years – and so far, I’m happy to report ‘no damage done’. Long may it continue – but I’m not going to lose any sleep over it. Quite apart from anything else, I have a number of domains that I own, and I can always follow up a ‘suspected domain-blocked’ email with one from another domain (which isn’t being Joe-Jobbed), to see whether that gets through where the other didn’t. So far, I’ve never had to actually do that, so I’m confident (by example) that this situation is minimal, if not entirely absent.

    Hope that helps!

    Still no bounces received since the 20th, I’m happy to say. Unfortunately, nothing further received from Honeywell or the others.

    As a general note to others – if you’re clued-up on how to read SMTP headers of the enclosed original messages (attached to the bounces, usually), look out for ones where there are no IP addresses listed at all in the headers. Very often, this is a sign that the message originated inside a corporate LAN running a badly set-up version of MS Exchange, and that the bounce-message was sent to the faked sender domain (ie you). In THOSE instances alone, there is a small chance that an email to the postmaster at the domain that sent you the bounce, MAY possibly enable you to get hold of the actual virus from said postmaster, and work out more about the botnet. Slim chance, but it’s the only way we here will find out anything of much use in the bigger picture. Alas, the five I’ve had haven’t responded – but who knows, maybe one of us will get lucky and find a postmaster who cares!

    Good luck all!

  114. Steve says:

    I have noticed that the spammer is now starting to change the stock being pushed more frequently.
    22nd April – 24th April: pushing CWTD
    25th April: pushing SIKY
    26 April (today): pushing IKMA

    I notice the spammer is including a Securities Act statement, presumably to make the email seem more credible.

    I also noticed that the spammer has dropped the tententwelvecorp name (unless these latest emails are from a different spammer – unlikely, as the emails are all very similar?)

    Furthermore, I also noticed some of the gif images in a few of the emails were screwed up (cropped). So maybe the spammer is making mistakes?

    On a positive note, my ISP’s automatic spam filter system is now correctly identifying many of these messages as spam (even though I have not spoken to them myself yet – I assume someone else must have?). Many of these messages are being automatically forwarded to my on-line Spam folder, so as long as this continues I don’t think this will clutter my inbox too much.

    Steve

  115. Matthew Goeckner says:

    5 today – and just think this is an individual email address – This must now represent a large fraction of all spam on the web.  (I got only one more and that was for an enhancement device… which of course I don’t need wink )

    I feel sorry for you guys who are getting joe jobbed.

  116. meechee says:

    Well get this, not only do the bounces continue from the joejobbing but I have now actually received the spam on a different domain.  Getting it from both sides.  So they are sending to new addresses because this was an address that was “out there” for about a month (for a shopping cart) 2 years ago. 

    Beyond frustrated.

  117. Matthew Goeckner says:

    Meechee:

    You made me go look at my Yahoo address – which only a couple of people know about! 17 messages – all in the last few days!

  118. meechee says:

    Bastaaads!!

  119. Unknown says:

    The new disclaimer is /interesting/

    If he tries any more to comply with SEC rules, his emails will be doing completely the opposite of their intended purpose… but really, who reads the last paragraph of a business report anyway? If I was some idiotic investor, I would have read off halfway down and be shouting “BUY” down a phone already.

  120. Jesse Worley says:

    So far, that I know of. Dates are approximate:

    Magplane Technological (MAGP.pk) | 21 March, 2006
    China World Trade (Symbol: CWTD) | 24 April, 2006
    Midland Baring Financial Group (Symbol: MBFG) | 21 April, 2006
    Southwestern Medical, Inc. (Symbol: SWNM) | 20 April, 2006
    Labwire, Inc (Symbol: LBWR) | 18 April, 2006
    Budget Waste, Inc. (BDWT) | 17 April, 2006
    Sticky Web, Inc. (SIKY.pk) | 25 April, 2006
    iKarma Incorporated (IKMA) | 26 April, 2006
    Pingchuan Pharmaceutical, Inc. (PGCN.ob) | 28 April, 2006

    I’ve been over and over the mess with law enforcement. It seems to me that a telephone number and a big list of companies would be a couple of decent leads, but I guess they want more of the answer handed to them.

    I’m building an index of injection data. Maybe it’ll help somehow. If anyone has IP’s to add to the list, post them here or send them to me via my web page (linked below). It’s a longshot, but maybe we can tie the botnet into something else that might be happening elsewhere (another spam campaign, etc). It’ll also maybe give us a list of corporations to call for a copy of the virus. We’re not out of ways to get this person yet. I’ll put up the list of IPs when it becomes large enough to expose patterns.
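Editor’s note (added example, not from any post in this thread): Neil’s advice in post 113 about reading the Received headers of the original message attached to a bounce, and Jesse’s injection-IP index in post 120, can both be done with Python’s standard `email` module. The two bounces below are constructed with documentation addresses (203.0.113.x, 198.51.100.x) and made-up host names; nothing here is taken from a real bounce. The code pulls the embedded message/rfc822 part, lists every IPv4 address in its Received chain, picks the first public hop (reading bottom-up) as the injection point, flags originals with no IP at all (the badly set-up Exchange case Neil describes), and tallies injection IPs across a batch of bounces.

```python
import email
import re
from collections import Counter

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed bounce. The bottom Received header is a forged hop the bot prepended
# (private address, so it is skipped); the real injection point is 203.0.113.45.
BOUNCE_WITH_IPS = """\
From: Mail Delivery System <[email protected]>
To: [email protected]
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered to [email protected].

--B1
Content-Type: message/rfc822

Received: from mx.example.org (mx.example.org [198.51.100.7])
  by inbound.example.org with ESMTP id x1; Mon, 1 May 2006 09:12:00 -0400
Received: from [203.0.113.45] (cpe-203-0-113-45.isp.example [203.0.113.45])
  by mx.example.org with SMTP; Mon, 1 May 2006 09:11:58 -0400
Received: from user-pc (192.168.1.20) by user-pc with SMTP
From: [email protected]
To: [email protected]
Subject: BDWT ready to explode

(image attachment stripped)

--B1--
"""

# Constructed bounce from a corporate Exchange server whose headers carry no IP at all.
BOUNCE_NO_IPS = """\
From: [email protected]
To: [email protected]
Subject: Undeliverable: HRRP
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.

--B2
Content-Type: message/rfc822

Received: from EXCHSRV01.corp.example ([EXCHSRV01]) by EXCHSRV01.corp.example
  with Microsoft SMTPSVC; Wed, 3 May 2006 15:52:00 -0400
From: [email protected]
To: [email protected]
Subject: HRRP

(gif attachment)

--B2--
"""


def is_private(ip):
    """RFC 1918 and loopback ranges: never the external injection point."""
    first, second = (int(x) for x in ip.split(".")[:2])
    return first in (10, 127) or (first == 172 and 16 <= second <= 31) or (first == 192 and second == 168)


def original_message(bounce_text):
    """Return the message/rfc822 part a bounce carries, or None if there is none."""
    for part in email.message_from_string(bounce_text).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def analyze_bounce(bounce_text):
    original = original_message(bounce_text)
    if original is None:
        return {"injection_ip": None, "ips": [], "no_ip_headers": False}
    received = original.get_all("Received", [])
    ips = [ip for hdr in received for ip in IPV4.findall(hdr)]
    # Each hop prepends its own Received header, so the last one is the first hop:
    # walk bottom-up and take the first public address as the injection point.
    injection = None
    for hdr in reversed(received):
        public = [ip for ip in IPV4.findall(hdr) if not is_private(ip)]
        if public:
            injection = public[0]
            break
    return {"injection_ip": injection, "ips": ips,
            "no_ip_headers": bool(received) and not ips}  # Neil's Exchange case


def build_index(bounce_texts):
    """Tally injection IPs across a batch of bounces."""
    return Counter(r["injection_ip"] for r in map(analyze_bounce, bounce_texts) if r["injection_ip"])


if __name__ == "__main__":
    print(analyze_bounce(BOUNCE_WITH_IPS))
    print(build_index([BOUNCE_WITH_IPS, BOUNCE_NO_IPS]))
```

Feed `build_index` the bounces saved from a mailbox and the counts show which injection points recur; a single address appearing many times is worth an abuse report to its ISP, while the `no_ip_headers` flag picks out the bounces whose postmaster might hold a copy of the infection.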

  121. Just for information, I’m up to 193 bounces since 4/13, and 41 just this week so far (since 4/24).  The filter I suggested catches probably 75-80% of these.

  122. Anonymous says:

    I found something which might be useful for a tententwelvecorp victim who has “geek skills.”  If you set up DomainKeys and put an r= tag in your DomainKeys policy record, you’ll get a notification when the spammer tries to forge your domain name.  Without DomainKeys, you only get a notification if the message isn’t deliverable (e.g. addressed to a non-existent account), and only if the receiver uses accept-then-bounce (which is increasingly rare these days).

    There’s also an o=- tag which can actually block the spammer’s attempts to send messages using your domain name, and also block attempts to add some junk to one of your real messages and then re-send it in your name.  But be careful with o=- because, unfortunately, some legitimate mailing lists do exactly that: they add some junk to your message and then re-send it in your name.  So if you use o=- you could end up causing your own real messages to be blocked, if you send them through a mailing list which (innocently) monkeys with your messages.

    These tags only have an effect if the spam reaches a mail server which understands DomainKeys, but that includes some very big e-mail providers like Yahoo and Google.  I guess the r= tag might be a good idea for every tententwelvecorp victim, and o=- only if you’re sure you don’t send important mail through any mailing lists which don’t work with DomainKeys.

  123. General Fault says:

    I have a lead!!!
    The domain TenTenTwelve.com (very close to TenTenTwelveCorp.com) was registered around the same time and is still registered. I also found a guy posting to a new blog started around the same time called tententwelve.blogspot.com created by a guy going by the name Franklin Christos.
    Still following up.

  124. General Fault says:

    Have any of you ever seen this from this spammer? Looks like a bot command.

    From: Ecartis <[email protected]>
    Date: Friday, April 28, 2006 1:27 PM
    To: [email protected]
    Subject: Ecartis command results:—Binary/unsupported file stripped by Ecartis—
    Size: 2 KB

    >> Content-Type: text/plain;
    Unknown command.

    >> charset=“windows-1252”
    Unknown command.

    >> Content-Transfer-Encoding: quoted-printable
    Unknown command.
    —-
    Ecartis v1.0.0 – job execution complete.

  125. Neil Jackson says:

    @General Fault (post 124): – nope, alas, it’s nothing so exciting as a bot command. Ecartis is a mailing-list program – see http://www.ecartis.org/ for more info about it.

    Basically what’s happening is that the infected PC (the bot) has dutifully sent the spam to an email address where an Ecartis list-manager is expecting to receive commands (like signing up to the list, unsubscribing, requesting the list’s FAQ, etc).

    However, Ecartis has obviously barfed on the message it received (no wonder, really), and is basically replying to what it thinks is the sender (ie, you, if you’ve been ‘joe-jobbed’), to tell you that it didn’t manage to make sense of your ‘request’ (which of course, was the spam content itself).

    Specifically, the three lines you show are Ecartis choking on one of the MIME-encoding separators which demarcate the sections of the email (I think our spammer is sending a graphical section containing the GIF or JPG image with the picture of the words of the spam, and a bog-standard ‘text/plain’ section with the words designed to fool any anti-spam filters on the way).

    Open any a few emails in your email client, and (if possible) have a look at the FULL un-doctored text of the message (in Outlook Express, that’s File, Properties, Details, Message Source, for example), and you’ll see these MIME separators all over the place, usually. Email clients rely on them to determine HOW to display the various parts and attachments in messages these days.

    Sorry the answer’s not so exciting as maybe you’d hoped! smile
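Editor’s note (added example, not from any post): Jasper’s image-only spam (post 110) and Neil’s description of the MIME boundaries Ecartis tripped over (post 125) can be looked at together with Python’s `email` module. The message below is constructed: a multipart/mixed body with a filler text/plain part and a one-pixel GIF named `chart.gif`, nothing from a real sample. The code lists the parts and the boundary, pulls out and hashes attachments so a copy can be quarantined or shared, and applies a cheap heuristic for the pitch-lives-in-the-picture pattern; it is an illustration, not a replacement for a real filter such as the one Vince describes in post 112.

```python
import email
import hashlib
from email import policy

# Constructed sample: filler words in the text part, the actual pitch in the image.
CONSTRUCTED_SPAM = """\
From: [email protected]
To: [email protected]
Subject: Market update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_0001"

------=_Part_0001
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

lighthouse ferry seventeen oxide balloon quietly mortgage=20
------=_Part_0001
Content-Type: image/gif; name="chart.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="chart.gif"

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
------=_Part_0001--
"""


def _leaf_parts(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return msg, [p for p in msg.walk() if not p.is_multipart()]


def describe_parts(raw):
    """The boundary and the (type, filename, decoded size) of every leaf part."""
    msg, leaves = _leaf_parts(raw)
    parts = []
    for part in leaves:
        content = part.get_content()  # str for text/*, bytes for everything else
        size = len(content.encode("utf-8") if isinstance(content, str) else content)
        parts.append((part.get_content_type(), part.get_filename(), size))
    return {"boundary": msg.get_boundary(), "parts": parts}


def extract_attachments(raw):
    """(filename, sha256, bytes) for each named part, for quarantine or sharing a sample."""
    _, leaves = _leaf_parts(raw)
    out = []
    for part in leaves:
        name = part.get_filename()
        if not name:
            continue
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode(part.get_content_charset() or "utf-8")
        out.append((name, hashlib.sha256(data).hexdigest(), data))
    return out


def image_only_spam_score(raw):
    """0 = no image; 1 to 3 = image present, plus a point each for thin text and no URL.
    A cheap heuristic for the pattern in this thread, not a substitute for a real filter."""
    _, leaves = _leaf_parts(raw)
    text, image_bytes = "", 0
    for part in leaves:
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text += part.get_content()
        elif ctype.startswith("image/"):
            image_bytes += len(part.get_content())
    if not image_bytes:
        return 0
    score = 1
    if len(text.split()) < 40:      # filler words rather than real prose
        score += 1
    if "http" not in text.lower():  # a ticker in a picture needs no link to click
        score += 1
    return score


if __name__ == "__main__":
    print(describe_parts(CONSTRUCTED_SPAM))
    for name, digest, _ in extract_attachments(CONSTRUCTED_SPAM):
        print(name, digest)
    print("score:", image_only_spam_score(CONSTRUCTED_SPAM))
```

Open a saved spam in this way and the `------=_Part_0001` lines are exactly the separators Neil means; Ecartis read them, and the headers that follow them, as commands.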

  126. Matthew Goeckner says:

    Ouch, 13 of them today!  This is approaching my regular level of email (within less than a factor of 5).  I hate to think of what fraction of the internet bandwidth this ONE person is now consuming.  My guess is close to 10%

  127. It looks like the loser is pushing Stonebridge Resources Exploration (SBRX) now.

    Even more interesting is that he also is pushing China World Trade Corporation (CWTD) again.  (It’s not an old bounce—the trading date is May 1, not April 24 like before.)  I wonder why.  Did he get a whole bunch of new entries for his mailing list?

  128. I. G. Farben says:

    Johnson Eddisson is a fake name.  His real name is Thomas L. DiStefano III, of Boca Raton.  He’s the new boss of the Estrela Marketing / Adam Taub spam gang.  DiStefano has a long history of spamming and stock pumping without going to jail, but this time he has made MANY people angry.

    The press release linked below gives names and phone numbers of enforcers who just dropped the hammer on a similar stock swindling spam gang.  I wonder if they would like to drop it on DiStefano as well.

    Law enforcement personnel can contact Spamhaus to request additional evidence of this gang’s activities which has not been made available to the public.

    http://www.sec.gov/news/press/2006/2006-50.htm

  129. Kim says:

    Hi I.G. Farben. Do you know it is Thomas L DiStefano III for sure? (How can you be certain?). I’m just trying to find an email address of Mark K Schnfeld (the law enforcement person whose contact was on that SEC page).

    Also – I found this page with a list of BOT commands: http://www.honeynet.org/papers/bots/botnet-commands.html

    I wonder if it would be possible to use these to somehow connect to each of the affected bot nets, and run a command to shut down the bot? I have no idea if this is achievable..?

    Kim

  130. Kim says:

    A search of Thomas DiStefano comes up with some interesting things – he is the CEO of StickyWeb (one of the companies that the spam emails mentioned). StickyWeb bought out Estrela Marketing, and there is a bit of info about them on Spamhaus.org

    Hmm. Where to go from here?

  131. Unknown says:

    Have a read about Thomas L. DiStefano III here:
    http://www.stickywebinc.com/aboutus.html

  132. Unknown says:

    Interesting…
    Spamhaus have got this record of a stickyweb advertisement..

    …it seems to have familiar wording…

    http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6597

  133. Unknown says:

    Definite match on that wording.

    Same email structure, same phrases, same disclaimer.

    Estrela Marketing marketed StickyWeb’s stock in the period of that ROKSO report. StickyWeb wanted the value of their stock to go up and so enlisted Estrela Marketing to send that email out.
    I believe StickyWeb bought out Estrela Marketing after that. I cannot be sure of timing.
    This StickyWeb advertisement has exactly the same features as some of the emails we’ve been getting.

    Who and how the hell did we jump from no information to “Thomas L. DiStefano III”?
    I don’t recall any mention of StickyWeb or Estrela Marketing in past emails…

  134. Unknown says:

    Huh..What I just wrote makes no sense at all. *slaps forehead*—Please ignore #133 LOL  red face
    Okay, why would the spammer advertise his own company?

    May 3, 2005: Sticky Web buys Estrela Marketing

  135. Neil Jackson says:

    @Kim (post 129), who said “I wonder if it would be possible to use these to somehow connect to each of the affected bot nets, and run a command to shut down the bot? I have no idea if this is achievable..?”

    Nice idea, Kim, and I wish it was possible. But alas, the bots don’t work that way. For it is THEY who connect outwards, to a remote (and as yet, unknown and undiscovered) IRC server. Our spammer (who is connected to the same place) then controls them via the commands you listed.

    Basically, there’s no way IN to the bots themselves (or believe me, I would’ve tried by now, probably – even though it would technically be illegal). The bots listen to stuff on the IRC chat-channel on the specific server they’re hooked in to. We would have to be logged in, on the same server, in the same ‘room’, in order that they would even consider ‘listening’ to us or our commands. 🙁

    Bummer, isn’t it?

    Hopefully this explains why it is so important to get in touch with an infectee (by tracing an injection IP address, and establishing contact), and getting them to send us (if they can) a copy of the infection that they actually suffer from.

    Only then could the bot’s program code be disassembled completely enough to discover the domain-name and IP address of the IRC server which it ‘phones home’ to. Alas, we can’t just randomly guess at which infection it MIGHT have been – there are too many bot-types, and too many variants of each type, for us to get it right. We need a real victim of THIS particular operation, to cooperate.

    And so far, I’m finding that rocking-horse poop is easier to get hold of. 🙁

  136. From their About page, it sounds like Sticky Web may be another patent troll, like NTP and Forgent.  Did you read their press releases (at least four in April, which all sound basically similar)?  It sounds like they’re trying to claim patents for things like Web creation tools (Dreamweaver, etc.) and chat facilities (phpBB, vBulletin, etc.).  If they’re spamming as well, that would make them much, much worse.

    I looked at the Spamhaus site cited by #132, and it was a bunch of domain registrations (mostly by Christopher Monteleone, part of Sticky Web’s management team) and a spam E-mail pumping Sticky Web stock similar to what we got bounces for.  However, I didn’t see anything that proved that Sticky Web wasn’t an innocent victim just like the other companies being pushed.  Is there any proof that DiStefano or his minions are controlling the bot net?

    As for Estrela Marketing Solutions, #133, check Sticky Web’s press releases for May 2005.  It says they reached an agreement to purchase them.

  137. Anonymous says:

    Searching for info about Estrela and Sticky Web, I noticed that both companies keep changing the spelling of their domain name, something real companies never do.  Maybe they damaged their own domain name repeatedly, by spamming and other abuse, until they got the bright idea to damage ours instead.

    Estrela Marketing’s changing domain names:
    ESTRELAMARKETING.COM
    ESTRELAMS.COM
    EMSEMAIL.BIZ
    EMSEMAIL1.COM
    ESTRELAMS.NET

    Sticky Web’s domain names:

    MYSTICKYWEB.COM
    Service terminated by Ciberlynx for spamming, July 2001.
    Terminated by Go Daddy for violations of Spam and Abuse policies, June 2005.
    Shut down by Dotster for spamming, April 2006.

    STICKYWEBINC.COM
    Terminated by Go Daddy for violations of Spam and Abuse policies, June 2005.
    Shut down by Dotster for spamming, April 2006.

    SIKYNEWS.COM
    Shut down by Dotster for spamming, April 2006.

    Sticky Web doesn’t look like an innocent victim to me.

  138. Even if they are spammers, they also have at least the pretense of being a legitimate company (if you can call patents trolls “legitimate”).  And, yes, I realize that a lot of spyware and spamming companies also put up that same pretense.

    However, if another spammer is pumping-and-dumping their stock, they’re still a victim (albeit an unsympathetic one).  In fact, what about the scenario where another spammer is trying to damage the finances of Sticky Web to get their business?  The conspiracy theories are endless.  grin

    Regardless of who is spamming, I have two main goals.  First, to get the bounces (and challenge/response E-mails) to my system to stop.  Second, to see that whoever is doing this gets castrated with a rusty scythe.

  139. meechee says:

    He’s ramping up or something now, the bounces have doubled and it’s driving me nuts.

  140. Kim says:

    If anyone has info on this – here is the person to contact. I’ve been told to do it by regular mail (for security reasons).

          Jason R. Gettinger
          Securities and Exchange Commission    
          3 World Financial Center, Room 4300  
          New York, New York 10281

    So if anyone has any more info about this – send the stuff by hard copy on! This probably means it will get looked at more seriously – as I imagine they get swamped with electronic mail.

    My bounces have slowed down *a little* – I have implemented SPF on my web host. Still testing it now, but I’ve only received 3 bounces since then (normally would have received several).

    Kim
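Editor’s note (added example, not from any post): posts 122 and 140 both describe DNS records that let a receiving server judge a sender’s claim to your domain before it accepts the message, so a forgery is refused at SMTP time instead of being accepted and bounced back to you. The Python below is a constructed offline model of the two checks: an SPF evaluator limited to the ip4/ip6/all mechanisms (mechanisms that need DNS lookups are assumed not to match), and a parser for the DomainKeys policy record published at `_domainkey.<domain>` with the `r=`, `o=` and `t=` tags from RFC 4870. The records and addresses are made up, and the reporting address is a placeholder.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate an SPF TXT record for the IP that connected to the receiving MX.

    Handles the four qualifiers and the ip4/ip6/all mechanisms. Mechanisms that need
    DNS (a, mx, include, exists, ptr) are assumed not to match so the example runs
    offline; a real verifier resolves them.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULTS[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no 'all' terminal


def rejected_before_bounce(record, injection_ip):
    """True when a checking MX refuses the forgery during SMTP, so no bounce comes back."""
    return spf_check(record, injection_ip) == "fail"


def parse_domainkeys_policy(txt):
    """Parse the tag=value list published at _domainkey.<domain> (RFC 4870 policy record)."""
    tags = {}
    for field in txt.split(";"):
        key, sep, value = field.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def assess_domainkeys_policy(txt):
    """What the record asks of verifiers, with the caveats raised in post 122."""
    tags = parse_domainkeys_policy(txt)
    outbound = tags.get("o", "~")  # RFC 4870 default: only some mail from the domain is signed
    findings = []
    if "r" not in tags:
        findings.append("no r= tag: verifiers have no address to report forged mail to")
    if outbound == "-":
        findings.append("o=-: unsigned mail claiming this domain is rejected, including your "
                        "own messages once a mailing list has altered and re-sent them")
    if tags.get("t") == "y":
        findings.append("t=y: testing mode, verifiers should not reject on failure")
    return {"signs_all": outbound == "-", "report_to": tags.get("r"), "findings": findings}


if __name__ == "__main__":
    # Constructed: the domain's one real outbound server versus a bot's injection IP.
    record = "v=spf1 ip4:198.51.100.7 -all"
    print(spf_check(record, "198.51.100.7"), spf_check(record, "203.0.113.45"))
    print(assess_domainkeys_policy("t=y; o=~; r=[email protected]"))
```

Kim’s observation fits the first function: with `-all` and a complete list of legitimate senders, an MX that checks SPF answers the bot with a rejection and never generates the bounce; MXs that do not check (or a `~all` record) still accept the forgery.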

  141. Kim says:

    I wonder if the ‘spammer’ monitors this blog? Hopefully we are not sending them further into hiding?

  142. I feel your pain Aubrey – the ****** is doing it with my domain too, and I’m up to 200 bounced emails now.
    Richard

  143. Matthew Goeckner says:

    Can someone tell me how you might be able to tell IF a computer were part of a bot?  This is really important.  Remember I wrote that I am getting emails on an account that only two of my friends know about – or at least that is all of the email I have gotten there in a year or so.  They have windoze OS – I think XP – and I am sure that both have the latest virus scanners… but this may not mean much.  What port should they watch, and how is it done on a windoze PC?  (I run OSX at home and OSX and linux at work… so I don’t do windoze that much.)  They know that if we find something, not to destroy it….

    Matthew
    PS I am a hardware guy by training but I can occasionally program as well….

  144. Adam Watkins says:

    Cyberhand Technologies International (CYHD) just started bouncing in …

  145. Neil Jackson says:

    @Matthew (post 143) – The infected PCs that are running the bot software will (if they are using IRC to connect) most likely be opening an OUTBOUND tcp socket on port 6667 (which is the standard IRC port).

    But it will depend on the specifics of the infection – it’s perfectly feasible that the creator has modded it so that it uses another port – or perhaps my entire analysis is wrong and they’re being controlled by a completely different method.

    However, given past experience of bots, IRC is the most likely, and most common – and most spammers aren’t renowned for their ingenuity – I expect the most that will have been done in terms of ‘customisation’ is to set up the IRC server address and port in the bot’s config files somewhere.

    In terms of checking port activity on a Windows PC, you can use TCPView (from http://www.sysinternals.com) or even the full-blown Ethereal packet sniffer from http://www.ethereal.com.

    In terms of detecting whether there is infection, use Ad-Aware (http://www.lavasoft.de) or Spybot S&D (http://www.spybot.info) – don’t rely solely on standard ‘virus checkers’ because some don’t regard trojans/bots as viruses, and expect you to buy other addons to detect them. Varies with the product, so you’ll have to make sure.

    For ref, as said before – if you’re RECEIVING spam, or if you’re receiving BOUNCES (ie, you’ve been joe-jobbed), then the chances are extremely high that YOU are NOT infected. Certainly, there’s nothing you did which accounts for why you’re receiving the spam or bounces.

    Sometimes (with bots in the past) it’s been the case that the recipient or joe-job victim have had some contact with the infectee (ie, the infected PC uses an address book reference to you, and starts sending you junk) – but in this instance I have found no proof of such a connection. For all we know the bots are ‘pooling’ their stolen contact book info on the IRC network, and are cross-mailing for each other precisely so that the trail is harder to pick up. Bear in mind that the spammer would NOT want a recipient or a Joe to readily be able to consult the infectee, or to obtain info on the infection that might help find the bot network’s IRC control point. Thus, it’s in the spammers interest to obfuscate any ‘linkages’ between people, that could be used against him.

    Alternatively, it’s even possible that the spammer has a ‘master list’ compiled elsewhere, of both his intended spam recipients and the domain-names he’s prepared to Joe-job. He may ‘inject’ these into the individual bots at the point where he commands them remotely, for all we know – thus again ensuring that the chance of ‘infectees’ actually knowing recipients and Joes, is minimal, and thus making any detective work that bit harder.

    We really have no way of knowing which mechanism is being used. I’ve not received a single bounce-message now since the 20th April, having received about a hundred of them before. Is this because the spammer has found this blog, and has ‘pruned’ my domain from his joe-job list, fearing I’ll track him? Or is it just because all the infected machines ‘near’ me (in terms of having my domain-name in their contact books) have all been cleaned up and taken off the botnet now, as a result of reports to ISPs (not that I have bothered with that, for reasons mentioned earlier)? Alas, I can’t tell. Insufficient data, at this time! smile

    However – if your email address is REALLY only known about by two individuals, and you are sure beyond all doubt that nobody else knows of it, then you could be on to something. Yes, get them vetted, and fast, using the tools mentioned above. If they DON’T come back clean, it would seem to indicate that the BOTS are doing the discovery of at least the recipient addresses on their own.

    But PLEASE, don’t simply wipe the virus off the face of the earth, if you find one – Quarantine a copy, and get in touch with us here, because someone (me included) will want a copy for examination. It could lead us to his botnet, and help us bring the whole thing down. The law will probably want it as evidence too.

    Good luck – and please keep us posted! smile
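Editor’s note (added example, not from any post): for Neil’s port-6667 check in post 145, here is a Python parser for the output of `netstat -an` on the Windows PC in question (TCPView shows the same data). The netstat listing is constructed, with 203.0.113.9 standing in for an IRC server; the port list is an assumption since, as Neil says, a modified bot can use any port. It reports established outbound TCP sessions to IRC ports and counts sessions per remote endpoint, which is the pattern a bot’s long-lived control connection leaves.

```python
import re
import sys
from collections import Counter

# Assumption: the common IRC ports. A bot with a changed config can use any port.
IRC_PORTS = {6667, 6668, 6669, 7000}

# One connection line of Windows netstat -an: proto, local, foreign, optional state.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed listing: two sessions to an IRC port on one remote host, plus normal traffic.
CONSTRUCTED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1049      203.0.113.9:6667       ESTABLISHED
  TCP    192.168.1.20:1052      198.51.100.80:80       ESTABLISHED
  TCP    192.168.1.20:1060      203.0.113.9:6667       ESTABLISHED
  TCP    192.168.1.20:1061      198.51.100.25:25       SYN_SENT
  UDP    0.0.0.0:445            *:*
"""


def split_endpoint(endpoint):
    """'host:port' -> (host, int port or None); works for '[::]:135' and '*:*' too."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (proto, local, remote_host, remote_port, state) for each connection line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, local, remote, state = m.groups()
        rhost, rport = split_endpoint(remote)
        yield proto, local, rhost, rport, state or ""


def outbound_irc(text, ports=IRC_PORTS):
    """Established TCP sessions whose remote port is an IRC port."""
    return [
        {"local": local, "remote": rhost, "port": rport}
        for proto, local, rhost, rport, state in parse_netstat(text)
        if proto == "TCP" and state == "ESTABLISHED" and rport in ports
    ]


def established_by_remote(text):
    """Sessions per remote host:port; a bot keeps one open to its command server."""
    return Counter(
        f"{rhost}:{rport}"
        for proto, _, rhost, rport, state in parse_netstat(text)
        if proto == "TCP" and state == "ESTABLISHED"
    )


if __name__ == "__main__":
    # Usage on the suspect PC: netstat -an > netstat.txt, then feed that file on stdin.
    data = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_NETSTAT
    for hit in outbound_irc(data):
        print(f"IRC-port session: {hit['local']} -> {hit['remote']}:{hit['port']}")
    for endpoint, n in established_by_remote(data).most_common():
        print(f"{n} session(s) to {endpoint}")
```

A hit here is a lead, not proof: a person may simply be on IRC. What points at a bot is a session to an IRC port that nobody on the machine opened, that survives reboots, and that comes back after being killed; that is the machine whose infection Neil asks to have quarantined rather than wiped.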

  146. Matthew Goeckner says:

    I am looking – or more to the point my friends are looking – The account I have has only been used by my two friends for about the last year and there is no other spam (except occasional spam from MS!) – but it is a very old account so the address might have come from something I did 8 years ago…  Yes the address is that old.

  147. Great, another stock being pumped.  This time it’s Metro Gold Mines Mineral Resources (MGMX) of Colombia.

    I’m also up to 248 bounces and challenges.  🙁

  148. And yet another stock!  HE-5 Resources Corp.(HRRP) for May 3.

    I also got an out-of-office bounce, too.  <sigh>

  149. John says:

    I’m up to 150 returned emails from this guy’s Joe job on my domain.  My latest today is for HRRP also.

    Is there a way to somehow get this web site so it would likely be found by someone that has received an actual spam email, if they were to try to do a search on the web?  Would that provide some useful information to have a copy of the original pump and dump spam?

  150. Neil Jackson says:

    @John (post 149) – alas no, that wouldn’t help us at all. I’ve actually received some of the spam via my wife’s main account, direct (as opposed to the joe-job which was happening). It doesn’t tell us anything more than the bounces do – namely, the IP address of the infected machine which did the sending.

    What we need is someone with an infection to pass us a copy of it. Alas, those people probably won’t even have the merest clue what their machine is doing (or they wouldn’t be infected), and even if they did, they probably wouldn’t know or see anything that ties in with this particular run of pump-and-dump spams. More likely, they’ll finally re-format or clean up their PC after a few months of go-slow, and never even realised the damage they’ve contributed to. 🙁

  151. Adam Watkins says:

    Okay chaps.  I’ve got an interesting theory percolating away here.  As soon as someone gets a new pumped company (not HRRP or MGMX) post it here, and also see if you can find from the bounce e-mail the time it was originally sent.  e.g. 4:12 ET or something like that.

  152. Adam Watkins says:

    Hmmm, Okay.  I’ve got a re-post of HRRP for 4th May – my guess is that will be the only one pushed on this time round. If anyone gets anything different, please post!

  153. I’ve got a bounced HE5 Resources dated 5/3/2006 at 3:52 PM…. does that help?

    Neil – post #150 – if we had the infected IP address, couldn’t the ISP contact that user or block that account?  I know… you might think I’m smoking crack, but AOL will block users they think are spamming.

    Rich

  154. Sorry – that IS HRRP – I didn’t read it closely enough
    Rich

  155. Neil Jackson says:

    @Rich (post 153) – absolutely, yes, most ISPs will remove said infectee, and I have (in the past) always dealt with matters that way, and had generally good results.

    However… this run is a bit different. The botnet is (presumably) unaffected by a few infected PCs being terminated by alert or responsive ISPs, because new infections are (presumably) happening every day.

    So… contacting individual ISPs about individual infections really only serves to help THAT particular ISP clean up their tiny branch of the botnet, and generally, they do this without informing us, the recipients of all the bounces, anything at all about the nature of the infection, the place that the bot was calling for commands, or indeed ANYTHING useful to us at all, in terms of getting to the ROOT of this ever-growing tree of pain!

    Obviously if just ONE of these ISPs was smart enough to actually demand full copies of the infection from their infected customer, and then examine the code to find the place it was connecting to, then yes, this whole scam would be cleaned up in moments, really. That ISP, with the power of its own reputation on the internet as an ISP (rather than as humble Joes like you and me), would find it childishly simple to contact the OTHER ISP, on whose network the IRC command-server is being run (probably illegally).

    That ISP in turn, could then do all sorts of logging and cooperating with law enforcement, and it probably wouldn’t be long before the guy was caught red-handed and banged into jail.

    Of course, it’s perfectly possible one of the many ISPs involved MIGHT already be doing that – but frankly, I doubt it. Most Abuse teams don’t have time to go THAT far (they just clean the puddle off of THEIR front-door, and leave it at that). And besides, if they were doing this, they’ve had time to nail this guy ten times over, since the attack began in mid-April.

    So, to be perfectly frank, if they’re not going to help me (or any of us) other than by taking minimal steps to protect THEIR reputations, I’m really not all that bothered to cross the street to help them. I would have had to have dealt with about fifty different ISPs in the course of the hundred or so bounces I’ve received, and that means a hundred sets of ‘auto-responses’ and emails from level one tech-support drones, formatted in fifty different ways, all asking me the same basic crap over and over again, and generally replying with nothing more than ‘the user has been corrected’, and that’s it!

    I know I’m being harsh (well, strict with my time, maybe)… but I am aware that OTHER PEOPLE have alerted various ISPs about this bot run, and (apart from the loss of that bot node), not much has stopped, has it? So to me, it’s a (semi)futile task, and I’d rather wait until such time as I get sight of a real infection, from a fellow human being out there that gives a damn to help, and THEN pass it over to the relevant ‘root’ ISP on a plate, and notify law enforcement (with some decent, useable evidence) at that point.

    In the meantime, all I can do is wait, and hope that I get a lucky break (or that one of us fellow sufferers gets the same).

    Not great, really, is it? But it’s about all I have left, sadly. 🙁

  156. The f*****s sent me an original one now!

    Status:  U
    Return-Path: <[email protected]>
    Received: from maiko.lnet.lut.fi ([157.24.107.104])
    by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1fBsJ81BI3Nl34g0
    for <[email protected]>; Wed, 3 May 2006 21:33:58 -0400 (EDT)
    Received: from [157.24.141.199] (helo=mjk.de)
    by maiko.lnet.lut.fi with smtp (Exim 4.43)
    id 1FbSjw-0003Lj-OL; Thu, 4 May 2006 04:34:48 +0300
    Message-ID: <[email protected]>
    From: "Rosaline Finley" <[email protected]>
    To: <[email protected]>
    Subject: identification
    Date: Thu, 4 May 2006 04:33:19 +0300
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_000A_01C66F33.F65AF858"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1165
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    X-ELNK-Info: spv=0;
    X-ELNK-AV: 0
    X-ELNK-Info: sbv=0; sbrc=.0; sbf=0b; sbw=000;

    Does this header info do any good?  The security guy at zebec.net said the bounced message header was clearly forged, but an original would be more help? I checked RIPE and emailed a complaint and explanation to abuse at lnet.lut.fi, abuse at scp.fi and abuse at lut.fi… but if this was forged too…

    Rich

  157. Unless that To address was changed, expect more spam, Richard, now that you’ve posted your E-mail address on the Internet for all of the harvesters to find.

  158. Anonymous says:

    Dr. Niolon, if your mailbox is at Earthlink, and if you believe Earthlink’s computers are not spammer-controlled, then you should trust the parts of the headers that were added or verified by Earthlink.  That includes lines 4 and 5, and the IP address in line 3.  It might also include the lines that start with “X-ELNK”.  But lines 6 through 21, and the e-mail address in line 2, and possibly the domain name in line 3, were added by other computers before Earthlink received the message, so you can’t trust that information.

    I suspect that the computer which delivered the message to Earthlink, [157.24.107.104] (according to DNS, that machine is really named maiko.lnet.lut.fi) was telling the truth.  That would mean that everything in lines 6 through 8 is true, except the domain name in line 6 (mjk.de) which is false.

    Thus, the infected bot is [157.24.141.199].  Querying WHOIS on this address indicates that <[email protected]> is responsible.

    If I’m wrong about maiko telling the truth, then maiko is itself the bot, and WHOIS indicates that <[email protected]> is responsible.

    I did a search on maiko.lnet.lut.fi and immediately found another turd from the same spammer: <http://www1.ietf.org/spam-archive/sipping/msg46794.html>.  This one seems to have come from [157.24.105.60], another lnet.lut.fi address.  Lappeenranta University of Technology is infested by this spammer virus!

    By the way, folks… DiStefano changed the spelling of his domain name AGAIN.  The new spelling, stickwebCORP.com instead of stickywebINC.com, was registered just a few days ago.

  159. I was trying to come up with ways to stop this spammer.  So far we’ve been focusing on catching him, which would obviously be the best way to stop him.

    However, there is another way—make this venture unprofitable.  If we could do something to take away his profit or, even better, make him lose money, his incentive for spamming would be gone.

    I’ve come up with two ways to do this.

    1.  Try to get the SEC to suspend trading on these stocks for the trading date listed in the spam (and one or two days earlier and later, if possible).  If people can’t buy the stock, they may decide to give up.

    The disadvantage is that this would require not only the cooperation of a governmental body, but *fast* action.

    2.  Publicize that the stocks are likely being pumped fraudulently.  Perhaps by mentioning each stock here, anybody doing research on the Web would be more likely to see this thread and decide to not buy the stock.

    The disadvantage of this is that telling people not to buy a stock could get somebody sued, even if we took precautions to avoid libel.

    Maybe we could set up a Web site to trade information about pump-and-dump schemes with forums where people could post spam they had gotten listing the companies *and dates*.

    Do either of these sound like good ideas?

  160. Great, just as I was typing my last post, I got another HRRP bounce.  This one was really interesting—it was to somebody at cia.gov! 

    This spammer has chutzpah.  If I were spamming, I’d make sure no .gov addresses were in my mailing list.

    Anyway, if you don’t see any posts from me again, the CIA probably sent a wetworks squad out to visit me.  grin

  161. Kim says:

    Would contacting DiStefano threatening legal action or something make any difference? Probably not – if anything maybe it would encourage him to spam my domain even more…

  162. Neil Jackson says:

    Rich – your detective work is sound. The injecting bot was 157.24.141.199 (which has no reverseDNS name), and the Abuse address that covers it is [email protected] (the RIPE information explains that depending on the IP-block, one of several abuse addresses is the right one). They all seem to be at the same university, though:

    Lappeenranta University of Technology
    Computing Centre
    P. O. Box 20
    Lappeenranta
    53851
    FINLAND

    Presumably you’ll get a report back from them, telling you they’ve sorted out the infected machine, and then you’ll never hear from them again.

    But tomorrow, the spam (and the bounces) will continue to come streaming in from other sources, unabated, and we’re no closer to a real end to this.

    For ref… you realise that in most bounces (well, many, if not most), you’ll be given the headers of the original message, or perhaps even the whole original message itself. From these, you can do the exact-same detective work, to trace the injection IP address, and repeat the report-to-appropriate-abuse-dept operation. You don’t need an ORIGINAL (ie non-bounced) spam… you can very often do it from bounces too, if they include the original’s key information (the SMTP headers).

    But as I said earlier… unless you’re going to religiously email each and every abuse dept, for each and every instance of a direct spam or decoded-original-from-a-bounce, this will STILL not stop. Even if you DID, it won’t stop, because the bounces you receive are only a small, unroutable fragment of the stuff the bots are chucking out. We’re not seeing even a fraction of the ‘big picture’ here.

    However… never say die. With a well-crafted email to a helpful abuse department with a clue, you MIGHT get lucky enough to establish decent contact, and get them to do some PROPER investigation instead of just ‘termination’.

  163. Hi All
    Thanks for the backup. [email protected] is indeed my “underneath” address that earthlink gives me when I host a domain there.  However, I’ve never used it, so any email going to it is, by definition, undesired and unsolicited, or spam in my book, and goes right in the “Deleted Items”.  I use the one at my domain exclusively.

    I tried reporting to the bounced email domains – after 13 reports of “It doesn’t come from us” (which is the default response from Earthlink on every single piece of spam I’ve ever reported to them in the six years I’ve been with them), I gave up, thinking those headers must be forged too.

    Rich

  164. Neil Jackson says:

    Rich – I think that while you seem to have it sussed, on the ‘direct spam’ front, you might be getting your wires crossed on the ‘bounces’ front.

    You shouldn’t report the bounce itself back to the ISP or domain that actually sent it to you. They are just doing their job, and returning a mail that was sent to them for delivery to a non-existent user in their domain, to the person who ‘apparently’ sent it – namely you. Their systems work by email address, not IP address, so it doesn’t realise that the original message had a spoofed ‘From’ address, and that it didn’t really come from you at all, but the bot.

    The point I was trying to make about ‘useful information even inside the bounces’ is that the bounce-messages sent to you USUALLY contain information about the ORIGINAL message that had been received at the non-existent-recipient’s ISP. This information may be a separate attachment to the bounce-message (for example, the entire undeliverable original spam) or sometimes the bounce-message just has the headers from the original tacked on to the bottom of the body text.

    Using THAT information (ie, the ‘SMTP envelope’ for the ORIGINAL, not the bounce-message’s OWN headers), you can usually still find (usually in the last ‘Received From’ header) the IP address of the injecting bot, and then email THAT relevant ISP.

    The ISP who sent you the bounce will, quite rightly, say ‘nothing to do with us, and it didn’t start here’, because it didn’t, and THEY can’t help you one iota!

    Here’s the process that’s actually transpiring, in case it helps to visualise it, and then work out who you SHOULD be reporting to, in cases where you’ve received a bounce…

    Step 1 – A bot (somewhere on the INFECTED.COM network, let’s say) creates a message, forging [email protected] as the sender, and with recipient address set to [email protected]. It doesn’t realise that [email protected] doesn’t exist, nor does it care. It just found that address somewhere, and is going to give it a try.

    Step 2 – the bot will then connect to an SMTP mailserver, which will either be the local ‘smarthost’ SMTP server for the bot PC’s ISP at INFECTED.COM (depending on how the PC was set up), or it will connect to the ISP that handles mailboxes for SOMEPLACE.COM. Either way, one of these two machines will receive the email from the bot, and log the necessary details about the bot’s IP address in the lower-most ‘Received From’ header in the email. Some mailservers do a better job of this than others, but most, at the very least, record the IP address well enough to verify. In ALL cases, however, the recorded sender name will be [email protected]

    Step 3 – If the bot sent the message through its own ISP at INFECTED.COM, then INFECTED.COM will soon enough pass the message to SOMEPLACE.COM, because that’s where the non-existent FRED’s email box would be. However, when SOMEPLACE.COM finally receive the message and accept it for delivery, they find that, hang on… FRED doesn’t exist! Oops! Time to send the message back, thinks SOMEPLACE.COM – return-to-sender… address-unknown (cue Elvis)…

    Step 4 – So, SOMEPLACE.COM take the original message intended for FRED (along with its entire set of SMTP headers up to that point), and turn it into an attachment for a Bounce-Message – a ‘non-delivery-report’ (NDR) or a ‘delivery-service-notification’ (DSN). All basically the same thing… a report of WHY the message was undeliverable (FRED mailbox non-existent), and a copy of the original message and/or its SMTP headers, all bagged up neatly for return to the sender. Of course, SOMEPLACE.COM doesn’t realise at this point, that the sender is NOT truly [email protected]… but it sends the bounce-message to you anyway, cos that’s all it can do.

    Step 5 – [email protected] receive the bounce-message. In it, you’ll see the information about “we couldn’t deliver your message, please have it back”, and think… Hmmm… I never sent that! It would do you NO good at all at this point to contact any abuse dept at SOMEPLACE.COM, because they can’t help you any further than the information already contained in the bounce-message they sent you. Instead, you need to open the bounce-message’s attachment (preferably in a safe text editor, just in case it’s not one of THESE spams, but something more hostile, like a well-crafted virus), and scour the headers of THAT part of the contents. You will pretty soon find EXACTLY the same sort of stuff as you found in your other ‘direct-spam’ incident above… The bottom ‘Received From’ line which will have recorded (probably) a fake random HELO prompt of something like ‘xxx.yyy’ or ‘abcd.xyz’, and the IP address of the true sender (the Bot!). You may even be able to determine whether the bot connected to INFECTED.COM’s smart-mailserver, or direct to SOMEPLACE.COM, though this doesn’t really make much difference.

    The MAIN thing is that, from the IP address recorded in that line, you can then lookup the true name of whoever ‘INFECTED.COM’ really is, and what their Abuse team’s address is…and THEY are the ones who most certainly cannot reply with ‘it didn’t originate from here’ – because it DID!!!

    More likely, they’ll say “Thanks for letting us know… this user is now terminated.”

    Sure… one less bot off the botnet, one ISP whose reputation just got better by a factor of one less infected clueless idiot… but of course, there’s still a torrent of the same stuff coming from all the other bots in the network (elsewhere, not at ‘INFECTED.COM’) and doubtless, the fifteen new morons who got themselves infected with ‘our’ bot-trojan from a porn-website that day, and are the latest new bots in the network today.

    It’s like the Hydra… except that it doesn’t really matter if you cut one head off… two new ones will grow anyway, even if you don’t cut one off… and it will keep doing this until you smash the body. 🙁
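    Neil’s five-step walkthrough above, together with the point in post #158 that only the headers your own ISP wrote can be trusted, can be turned into a small triage script. This is an added example, not code from this thread or from any poster: it unfolds the headers of the original message carried inside a bounce, walks the Received chain from the top, trusts each hop only while its ‘by’ host matches what the hop above recorded as the sender, and reports the deepest trustworthy IP (the one to look up in WHOIS and send to the right abuse desk). Both header samples, the example.* host names and the RFC 5737 addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First IPv4 literal in a string; every MTA quoted in this thread records IPv4.
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hop:
    """One Received: header, i.e. one MTA's record of who handed it the mail."""
    by: Optional[str]    # the MTA that wrote this header
    helo: Optional[str]  # the name the sending host claimed in HELO/EHLO
    rdns: Optional[str]  # the reverse-DNS name the MTA found for the sender
    ip: Optional[str]    # the sender's IP address as the MTA saw it


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining folded lines."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():                 # blank line ends the headers
            break
        if line[0] in " \t" and headers:     # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_received(value: str) -> Hop:
    """Pull 'from <helo> (<rdns> [<ip>]) by <host>' out of one Received value."""
    m_by = re.search(r"\bby\s+([^\s;(]+)", value)
    by = m_by.group(1).lower() if m_by else None
    from_part = value[: m_by.start()] if m_by else value
    m_from = re.match(r"\s*from\s+(\S+)\s*(?:\(([^)]*)\))?", from_part)
    if not m_from:
        return Hop(by, None, None, None)
    token, paren = m_from.group(1), m_from.group(2) or ""
    # Exim writes 'from [ip] (helo=name)'; Postfix/Sendmail write the HELO first.
    m_helo = re.search(r"helo=([^\s)]+)", paren)
    helo = m_helo.group(1) if m_helo else (None if token.startswith("[") else token)
    m_rdns = re.match(r"\s*([\w.-]+)\s+\[", paren)   # the '(name [ip])' form
    m_ip = IPV4.search(from_part)
    return Hop(by, helo.lower() if helo else None,
               m_rdns.group(1).lower() if m_rdns else None,
               m_ip.group(1) if m_ip else None)


def chain_consistent(prev: Hop, cur: Hop) -> bool:
    """`cur` must have been written by the host that `prev` says it received from."""
    return bool(cur.by) and any(n == cur.by or n.endswith("." + cur.by)
                                for n in (prev.rdns, prev.helo) if n)


def trace_origin(raw: str) -> dict:
    """Walk the Received chain top-down (our own MX wrote hops[0]), trusting each
    hop only while the chain stays consistent, and report the deepest trustworthy
    sending IP: the address to look up in WHOIS and report to its abuse desk."""
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n == "received"]
    if not hops:
        raise ValueError("no Received headers found")
    depth = 0
    for i in range(1, len(hops)):
        if not chain_consistent(hops[i - 1], hops[i]):
            break               # mismatch: this hop and everything below may be forged
        depth = i
    origin = hops[depth]
    return {
        "hops": hops,
        "origin": origin,
        "trusted_depth": depth,
        "chain_complete": depth == len(hops) - 1,
        # Bot-like signals: no reverse DNS, or a HELO that matches nothing.
        "rdns_missing": origin.rdns is None,
        "helo_mismatch": bool(origin.helo) and origin.helo != origin.rdns,
    }


# Constructed sample 1: the original attached to a bounce, shaped like the Exim
# relay chains posted in this thread (example.* names, RFC 5737 addresses).
BOUNCED_ORIGINAL = """\
Received: from relay.isp-example.net (relay.isp-example.net [198.51.100.25])
    by mx1.someplace.example (Postfix) with SMTP id 4A1B2C3D
Received: from [203.0.113.77] (helo=qwzk.cm)
    by relay.isp-example.net with smtp (Exim 4.43)
    id 1AbCdE-000123-Xy; Fri, 5 May 2006 04:34:48 +0300
From: "Rosaline Finley" <[email protected]>
"""

# Constructed sample 2: an old-school forgery; the bottom Received claims a
# writer ("unrelated.example.net") that the hop above never mentions.
FORGED_CHAIN = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx1.someplace.example (Postfix) with ESMTP id 7E8F9A
Received: from smtp.bigisp.example ([192.0.2.200])
    by unrelated.example.net with ESMTP id 000123
"""
```

For the first sample the script names 203.0.113.77 (HELO ‘qwzk.cm’, no reverse DNS) as the injecting host; for the second it stops at 192.0.2.10, because the forged bottom header cannot be tied to the hop above it.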

  165. Neil Jackson says:

    Oh… and for ref… the bot is not (so far as my evidence has revealed) adding any forged ‘Received From’ headers, nor is it taking specific advantage of sending only via badly-configured SMTP mailservers that don’t properly record the IP address or the HELO prompt.

    Those ‘tricks’ are usually employed by old-school spammers who were sending from machines they actually owned or paid for, and it was generally done to stop easy tracing. By adding fake ‘received from’ lines or choosing ‘deaf and blind’ SMTP servers to send through, they would obscure their tracks, sometimes completely.

    However, this bot operator really doesn’t give a damn whether we trace back to the bots individually. He’s quite obviously got thousands of them to play with, and a constant supply of new ones, so it’s unnecessary to have the bots attempt to cover their tracks. Quite simply, the bots are using whatever ‘outbound email’ rules are already set up on the infected PCs at the time of infection.

    All the emails I’ve seen for this ‘run’ (over a hundred now), have NO attempt to spoof anything other than the ‘MAIL FROM’ (sender) email address.

    As a general rule, therefore (on this run alone), I would say it is safe to trust the SMTP ‘Received From’ headers pretty much completely. Any ‘hiccups’ I’ve come across have usually been explainable by simple ‘misconfiguration of an SMTP server along the way’ rather than anything deliberate as an attempt to cover. And it’s not surprising, really… many of the less-informed people who end up getting bot infections, also tend to use cheap (and consequently also less-informed) ISPs and email services. C’est la vie.

    But no, I’m not seeing anything deliberately imaginative going on with the SMTP headers themselves. This bot really doesn’t care if it leaves glowing footprints back to its clueless infected owners.

  166. John says:

    Someone, most likely the spammer or a person or group that hired the spammer, is probably making big bucks off the resulting manipulation.  HRRP which was most recently promoted for today, opened at about $.13, or about 45% above yesterday’s price of $.09.  These spammers would already own the stock before they promote it and then sell into that increased demand.  The stock is already down to $.11. 

    Can someone recommend a web page that explains in detail how to read email headers?  Thanks.

    I’m up to 163 returned Joe job emails.  They are from all over the world.

  167. Dewy says:

    John,

    For e-mail headers, this is a good one here:
    http://www.stopspam.org/email/headers.html

    All info on E-mail headers is a slightly boring read unless you really want to learn it.  (Even has pictures!)

    Anyway, I am still receiving them directly.

    I got tired of trying to hunt down abuse addresses for the ISP’s and just forwarded all of them to the SEC and FTC addresses.  Hope they nail this dude.

    Cheers!

  168. Richard says:

    Ah Neil… I must be reading the wrong set of headers then. Some of the emails return with a text attachment of the email bounced, and some return with the graphic only and I’ve been reporting the *latter*.  You’re saying that one DID come from the headers – the ISP that bounced it to me.  It’s the **former** that will have the headers of the **original** email, and that’s the one I should be reporting.  Stupid…  I should have realized that…

    Well I won’t have time this weekend, but when I get back, I’ll send a slew of the most recent ones out.
    Thanks!
    Rich

  169. meechee says:

    Well my update, I am getting about 40 bounces a day now (on 1 domain) and I have another domain that is receiving the spam, on 4 different addresses. Of those 4 addresses, I have no idea how they got 2 as they exist but have never been publicly used. 
    I have no idea what to do and I am really getting annoyed.  This has got to be the most aggressive campaign, in length and breadth I have ever seen and I’ve had a domain for well over 10 years.  I am hoping that their ever widening net is going to expand so much that someone who can actually do something, will. 
    Up till now I have been fortunate (and smart about filters and keeping emails obscured) in that about 2 pieces of spam on 5 domains and about 20 emails gets through, till today. 
    I can’t take it.

  170. Kim says:

    I too am getting MORE bounce backs lately – and that is despite adding an SPF record for my domain. I guess most web hosts do not recognise SPF dns records.

    I also got a bounce back from an unrelated spam – it was for a “World & Countries” business recruiting workers. I wonder if I could follow up on this and possibly find a lead to the spammer…

    Kim

  171. From Adam Watkins Post 151

    <quote>Okay chaps.  I’ve got an interesting theory percolating away here.  As soon as someone gets a new pumped company (not HRRP or MGMX) post it here, and also see if you can find from the bounce e-mail the time it was originally sent.  e.g. 4:12 ET or something like that. </quote>

    My newest bounce is for De Greko, Inc (OTC: DGKO).

    The bounce is dated 5/4/2006 8:18PM.

    Here’s the text of the bounce message:
    <quote>This report relates to a message you sent with the following header fields:

      Return-path:
      Received: from ims-ms-daemon.po09.wxs.nl by po09.wxs.nl
      (iPlanet Messaging Server 5.2 HotFix 2.07 (built Jun 24 2005))
      id <[email protected]> (original mail from [email protected])
      ; Fri,  5 May 2006 03:23:36 +0200 (MEST)
      Received: from po08.wxs.nl ([10.94.77.24])
      by po09.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.07 (built Jun 24 2005))
      with ESMTP id <[email protected]> for [email protected]; Fri,
      05 May 2006 03:23:36 +0200 (MEST)
      Received: from smtp15.wxs.nl ([10.94.77.6])
      by po08.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.07 (built Jun 24 2005))
      with ESMTP id <[email protected]> for [email protected]
      (ORCPT [email protected]); Fri, 05 May 2006 03:23:34 +0200 (MEST)
      Received: from dsl.dynamic85100229185.ttnet.net.tr
      (dsl.dynamic85100229185.ttnet.net.tr [85.100.229.185])
      by smtp15.wxs.nl (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004))
      with SMTP id <[email protected]> for [email protected]; Fri,
      05 May 2006 03:23:36 +0200 (CEST)
      Received: from [85.100.187.24] (helo=bdpind)
      by dsl.dynamic85100229185.ttnet.net.tr with smtp (Exim 4.43)
      id 1Fbp6Y-0007Jp-Bz; Fri, 05 May 2006 04:27:38 +0300
      Date: Fri, 05 May 2006 04:18:18 +0300
      From: Madeleine Nash
      Subject: Earth outlast
      To: [email protected]
      Message-id: <[email protected]>
      MIME-version: 1.0
      X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
      X-Mailer: Microsoft Outlook Express 6.00.2800.1409
      Content-type: multipart/related;
      boundary="----=_NextPart_000_0005_01C66FFB.A833F6A0";
      type="multipart/alternative"
      X-Priority: 3
      X-MSMail-priority: Normal

    Your message cannot be delivered to the following recipients:

      Recipient address: [email protected]
      Original address: [email protected]
      Reason: Over quota
    </quote>

  172. Matthew Goeckner says:

    Original receipt: #1

    May 4, 2006 9:41:10 PM CDT

    Headers: (with a change to XXXX of my employer’s name)

    From:  [email protected]
    Subject: ***SPAM*** stroller
    Date: May 4, 2006 9:41:10 PM CDT
    To:  [email protected]
    Return-Path: <[email protected]>
    Received: from iq1.XXXX.edu (iq1-pmn.XXXX.edu [192.168.1.7]) by inbox.XXXX.edu (Cyrus v2.2.12) with LMTPA; Thu, 04 May 2006 21:50:22 -0500
    Received: from localhost (mf2-pmn.XXXX.edu [192.168.1.14]) by iq1.XXXX.edu (Postfix) with ESMTP id 467A6AFD0 for <[email protected]>; Thu,  4 May 2006 21:50:22 -0500 (CDT)
    Received: from mx2.XXXX.edu ([129.110.10.17]) by localhost (mf2.XXXX.edu [10.110.10.14]) (amavisd-new, port 10024) with LMTP id 22276-01-98 for <[email protected]>; Thu,  4 May 2006 21:50:20 -0500 (CDT)
    Received: from host49-177.pool8251.interbusiness.it (host49-177.pool8251.interbusiness.it [82.51.177.49]) by mx2.XXXX.edu (Postfix) with SMTP id A69E63471 for <[email protected]>; Thu,  4 May 2006 21:50:17 -0500 (CDT)
    Received: from [82.51.144.200] (helo=mryrdi.cm) by host49-177.pool8251.interbusiness.it with smtp (Exim 4.43) id 1FbqRk-0008cK-Ho; Fri, 5 May 2006 04:53:36 +0200
    X-Sieve: CMU Sieve 2.2
    X-Greylist: delayed 308 seconds by postgrey-1.21 at mx2; Thu, 04 May 2006 21:50:17 CDT
    Message-Id: <[email protected]>
    Mime-Version: 1.0
    Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0005_01C66FFF.64DDF831"
    X-Priority: 3
    X-Msmail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1409
    X-Mimeole: Produced By Microsoft MimeOLE V6.00.2800.1409
    X-Antivirus: avast! (VPS 0618-2, 04/05/2006), Outbound message
    X-Antivirus-Status: Clean
    X-Virus-Scanned: amavisd-new at XXXXX.edu
    X-Spam-Status: Yes, score=17.425 tagged_above=1 required=8 tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HTML_90_100=0.113, HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.102, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046, UTD_NJABL_SORBS_DUL=6]
    X-Spam-Score: 17.425
    X-Spam-Level: *****************
    X-Spam-Flag: YES

  173. Matthew Goeckner says:

    Original receipt #2

    May 4, 2006 7:00:20 PM CDT

    Headers: (with a change to XXXX of my employer’s name – this time getting them all! – and yes with the IP you can figure it out…)

    From:  [email protected]
    Subject: ***SPAM*** Peace Corps proverbial
    Date: May 4, 2006 7:00:20 PM CDT
    To:  [email protected]
    Return-Path: <[email protected]>
    Received: from iq1.XXXX.edu (iq1-pmn.XXXX.edu [192.168.1.7]) by inbox.XXXX.edu (Cyrus v2.2.12) with LMTPA; Thu, 04 May 2006 19:03:32 -0500
    Received: from localhost (mf2-pmn.XXXX.edu [192.168.1.14]) by iq1.XXXX.edu (Postfix) with ESMTP id 3F643AFA5 for <[email protected]>; Thu,  4 May 2006 19:03:32 -0500 (CDT)
    Received: from mx2.XXXX.edu ([129.110.10.17]) by localhost (mf2.XXXX.edu [10.110.10.14]) (amavisd-new, port 10024) with LMTP id 13869-01-39 for <[email protected]>; Thu,  4 May 2006 19:03:28 -0500 (CDT)
    Received: from host225.201-253-128.telecom.net.ar (host225.201-253-128.telecom.net.ar [201.253.128.225]) by mx2.XXXX.edu (Postfix) with SMTP id ED4073452 for <[email protected]>; Thu,  4 May 2006 19:03:18 -0500 (CDT)
    Received: from jgua ([201.253.167.86]) by host225.201-253-128.telecom.net.ar (8.13.2/8.13.2) with SMTP id k4503lt7037168; Thu, 4 May 2006 21:03:47 -0300
    X-Sieve: CMU Sieve 2.2
    X-Greylist: delayed 306 seconds by postgrey-1.21 at mx2; Thu, 04 May 2006 19:03:18 CDT
    Message-Id: <[email protected]>
    Mime-Version: 1.0
    Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0008_01C66FBE.297AF079"
    X-Priority: 3
    X-Msmail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1165
    X-Mimeole: Produced By Microsoft MimeOLE V6.00.2800.1165
    X-Virus-Scanned: amavisd-new at XXXX.edu
    X-Spam-Status: Yes, score=9.634 tagged_above=1 required=8 tests=[BAYES_50=0.001, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR=4.2, HTML_90_100=0.113, HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.102]
    X-Spam-Score: 9.634
    X-Spam-Level: *********
    X-Spam-Flag: YES

  174. Matthew Goeckner says:

    Aubrey :

    Could you fix my post (two posts up) to remove my employer’s name….  I missed a couple of them – and if possible would like to not have that hanging out there.

    Thanks

    Matthew

  175. Adam Watkins says:

    Eeeek!  Careful now – don’t want to flood this blog with too much unneeded info.

    The relevant info to look for is embedded in the data, and marks the first time the spam is launched from the bot machine – *frequently* from a made up helo data string generated by the bot.

    So for all the postings on this page so far (using the Firefox find command):

    Received: from [157.24.141.199] (helo=mjk.de)
    by maiko.lnet.lut.fi with smtp (Exim 4.43)
    id 1FbSjw-0003Lj-OL; Thu, 4 May 2006 04:34:48 +0300

    Received: from [85.100.187.24] (helo=bdpind)
    by dsl.dynamic85100229185.ttnet.net.tr with smtp (Exim 4.43)
    id 1Fbp6Y-0007Jp-Bz; Fri, 05 May 2006 04:27:38 +0300

    Received: from [82.51.144.200] (helo=mryrdi.cm) by host49-177.pool8251.interbusiness.it with smtp (Exim 4.43) id 1FbqRk-0008cK-Ho; Fri, 5 May 2006 04:53:36 +0200

    Received: from jgua ([201.253.167.86]) by host225.201-253-128.telecom.net.ar (8.13.2/8.13.2) with SMTP id k4503lt7037168; Thu, 4 May 2006 21:03:47 -0300

    My theory is to do with the timing of the spams in relation to the news releases that they always quote, something along the lines of which comes first the chicken or the egg? 

    I’ll post my analysis on this tomorrow.  It’s an interesting angle.

    BTW is anyone else getting non-stock spam?  Like spams for actual scam websites?  I’ve had 2 now.

  176. meechee says:

    In reply to Adam,
    Yes an email address that started getting the stock spam 2 days ago, is now getting all sorts of other spam.  This is an address that up to now, has NEVER gotten 1 piece of spam at all so it has to be related. 

    Man this is making me sick.

  177. Anonymous says:

    Steve #159: Your idea #1, getting the SEC to suspend trading, is a good idea.  Idea #2, getting prospective buyers to see this thread and decide to not buy the stock, will never work, because the buyers are incredibly stupid and/or careless.  How could we expect any of them to bother to do any research on the Web, if they don’t even bother to finish reading the spam!?

    Take a look at the bottom of the recent version of the spam.  It almost comes right out and says: “I intend to dump hundreds of thousands of shares very soon, so you will probably lose all your money if you invest in this stock.”  What kind of person would invest after reading that?

    I guess the spammer decided to start putting a few sentences of truth at the bottom of every message, so he won’t get nailed for fraud when he gets caught.  But that’s stupid: every single message is still a blatant act of fraud, because every message still includes a lie about who sent it!

    Kim #161: I would bet a week’s salary that he either is sending the spam, or knows who is sending it.  A search for his name turns up four pages in ROKSO, the database of the world’s worst hardcore spammers.  Have any of the other companies been intimately connected with (or, as in this case, actually signed a “definitive purchase agreement” with) a ROKSO-listed hardcore spam gang?

    A criminal investigation would be able to subpoena records about him from his phone company and ISP, the stock exchange, state government corporate filings, etc. and would also have access to the “special version” of ROKSO for qualified law enforcement agencies.  Would a civil lawsuit provide enough access to this kind of information?  I don’t know; it might be worth asking a lawyer about it.

    Kim #170: if SPF doesn’t solve the problem, you might want to reconsider using it.  It has some problems of its own: http://david.woodhou.se/why-not-spf.html

  178. Adam Watkins says:

    Right.  Here’s my latest analysis for what it’s worth!  It’s a long one, so apologies and bear with me.  In all this mess I’ve been looking for some sort of consistent pattern (anything!) – and I found something.  So I thought I’d post it to get everyone’s thoughts.

    It was one of the bounced spams I received on Monday May 1st that got me thinking.  It was for Cyberhand Technologies, and I could see that it was first received by the first *legitimate* ISP source at 4:29pm ET.  In the spam e-mail was text from the CEO of Cyberhand: “Michael Burke, CEO of Cyberhand Technologies said, “Because of the potential collateral damage …. products for private and military purposes.”

    This was the first time I’d seen Cyberhand spammed, so I immediately went over to pinksheets.com to find out more, and start looking for links with earlier spammers (like I guess we all are, right?)

    I checked the news out for CYHD and found a press release posted that afternoon at 4:15pm ET (after close of markets).  In the release was the quote from the press release *absolutely word-for-word identical*

    Interesting.  In the last couple of days I’ve gone back slowly through previous spammed stocks and found all instances of news releases being directly plagiarised in the spam.  You can do this for yourself.  Simply use
    http://www.pinksheets.com/quote/company_profile.jsp?symbol=CYHD and flip across to the news for the company.

    HRRP – May 3 2006 8:30AM ET, (MARKET WIRE via COMTEX) = Directly Quoted in Spam
    “is a growth-oriented and emerging natural resources company”
    MGMX – May 2 2006 4:05PM ET, (MARKET WIRE via COMTEX) = Directly Quoted in Spam
    “MGM Mineral Resources…to sustain maximum production “
    CYHD – Apr 28 2006 4:15PM ET, (MARKET WIRE via COMTEX) = Directly Quoted in Spam
    “Because of the potential collateral damage”
    SBRX – Apr 30, 2006 10:26AM ET (PRIMEZONE via COMTEX) = Directly Quoted in Spam
    “has executed its first Memorandum of Understanding”
    PGCN – Apr 28, 2006 1:14PM ET (M2 PRESSWIRE via COMTEX) = Directly Quoted in Spam
    “is an integrated pharmaceutical company located … and traditional Chinese medicine.”
    IKMA – Apr 26 2006 5:08PM ET, (MARKET WIRE via COMTEX) = Directly Quoted in Spam
    “specializes in providing reputation and customer feedback systems”
    SIKY – Apr 25 2006 8:23AM ET, (MARKET WIRE via COMTEX) = Directly Quoted in Spam
    “corporate purpose is to … and pending patent applications”
    MDBF – Apr 7 2006 4:00PM ET, (MARKET WIRE via COMTEX) = Directly Quoted in Spam
    “announced today its shares … and ultimately enhance shareholder value.”
    ### spam received on 4/20, maybe a slow news day?
    CWTD – Apr 19 2006 7:55AM ET, (Xinhua-PRNewswire via COMTEX) = Directly Quoted in Spam
    “today announced its results … going forward in 2006”
    SWNM – Apr 17 2006 4:00PM ET, (MARKET WIRE via COMTEX) = Directly Quoted in Spam
    “has learned that the specimen sampling/testing … enhanced diagnostic tool.”
    LBWR – Apr 13 2006 10:47AM ET, (PRIMEZONE via COMTEX) = somewhat quoted in Spam and scrapes earlier press releases saying “world’s largest offshore drilling company” “revenues of $2.6 million dollars for its 2005 fiscal year”
    BDWT – Apr 10 2006 4:07PM ET, (PRIMEZONE via COMTEX) = Directly Quoted in Spam
    “a premier full service waste hauling … and support for their current fleet.”
    WNCP – No clear news trigger for this spam as far as I can tell, but spam summarises two earlier news releases: Mar 24 2006 2:04PM ET (BUSINESS WIRE) “Letter of Intent with Mineral Reclamation Corp.” and Mar 17 2006 1:28PM ET (BUSINESS WIRE) “Acquisition of Mine Tailings from World Wide Consulting”

    And today we come to De Greko – DGKO.  This one is interesting as it deviates a little from the norm.

    DGKO – Triggered I believe by a News Release today May 5 2006 7:56AM ET (MARKET WIRE via COMTEX)  [My Bounces started around 9:20AM PT, nothing before then]  Obviously the news release wasn’t exciting enough, so the spam directs back to an earlier news release: Mar 28 2006 8:45AM ET, (MARKET WIRE) = Directly Quoted in Spam – “company is currently developing a campaign that will launch … all the other developments De Greko have in mind.”

    Now, there’s a 2nd paragraph added onto this spam which interested me.  “De Greko’s team was inundated with requests for the new Clixme product … the service to businesses nationwide.”  This text didn’t seem to appear in the main press releases on Yahoo, Pink Pages, MarketWire.  It only appeared on the De Greko website (release dated March 21), and in a TEXT-BASED spam sent dated Sat, 28 Apr 2006 23:21:17 (see http://rjohara.net/money/stocks/2006-dgko-de-greko-inc)

    So here we have our spammer regurgitating verbatim a text spam (not sent in our spammers style) that was sent days earlier and wasn’t triggered by any specific news release as far as I can tell. Just laziness I guess?

    Where am I going with all this?  Well – if there’s a predictable pattern to be found in all this then there’s the opportunity to set a trap, or for the authorities to carefully monitor a specific avenue of activity. And the Pattern of a) news release b) spam passes on news release c) spammer uses momentum to make a fast buck is very predictable indeed.  So much so that I’ve started checking COMTEX before and after market trading to see if I can spot the company that will be spammed the next day.  You should try it too!

    Other key things I’ve been looking out for:-
    1) an instance where the spam quotes the p.r. but is released before the official release = A specific PR company could then get nailed (no instances of this yet found)

    2) Timings of press releases.  Many are *after* the close of trading, so does the spammer have inside knowledge about company press releases (e.g. works at PrimeZone, Market Wire or COMTEX?) Buys shares before close, spams overnight and sells the next day? (could be easy to trace)  Or does he buy massively on the opening of trading, then sell after a couple of hours? *How is this guy making big money on this? – or is he just getting momentum money?*

    3) The spread of companies being spammed = I think this might have ruled out any individual company spammed as being the spammer.  Though some of the companies are *exceptionally* suspicious in their history and personnel (as has been pointed out here already), I think sadly that’s just the norm as far as these small-cap companies go.

    4) *** Frequency of spamming.  We’re getting a new spam sent out identically in the same format *every* day.  To me that doesn’t suggest a single company hired to spin their customers. That would actually take a lot of scheduling and effort, much of which would be traceable.  Instead it suggests opportunistic individual(s) who’s picking on the “story du jour” daily and trying to ride that momentum to make the quick buck (an individual however that has an entire botnet at their disposal).  Seeing how I’ve now received a couple scam website e-mails mixed in with the stock spams, they’re not averse to trying to pump their other illegal activities.  That’s probably the only new angle to track these clowns.

    5) Indications of geographical location – East Coast is a possibility since so many spams coincide closely with US market times.  Could easily be Russia too though (as market times aren’t too bad for that time zone, and the scam website e-mails mentioned in (4) track back to Russian e-mail addresses).

    Gah.  That’s my thoughts to date.  But my way of thinking now is to try and avoid the specific obvious people (DiStefano et al.) but instead look at the big picture and the less obvious threads.

    Anyone else see any other big patterns in this that I haven’t mentioned?  Who knows anything about COMTEX?  That’s common in every case here.

    Thanks for reading!

  179. Steve says:

    I found an interesting site that posts pump-and-dump spam at http://rjohara.net/money/stocks/ .  They list some companies that I haven’t gotten bounces for (I guess I should be grateful).

    One thing I wonder about is how he gets the spam text in his list.  I don’t think I’ve gotten any original spam from him, but all of the bounces had images in them.  Maybe he’s using some OCR and combining it with the E-mail headers….

    Or could this spammer be receiving somebody else’s pump-and-dump spam, creating an image of the original and then sending that out to his bot net?

  180. Adam Watkins says:

    Steve in #179 said “Or could this spammer be receiving somebody else’s pump-and-dump spam, creating an image of the original and then sending that out to his bot net?”

    Exactly.  Complete with spelling mistakes too.

  181. Neil Jackson says:

    Good post, Adam. Thanks.

    Not sure where it leaves us – but in terms of patterns, all I’ve noticed (in the few minutes I’ve been paying attention to the companies spammed-about, on my own financial tools) is that all of the companies are on either the Pink Sheets market, or the OTC (Over-the-counter) Bulletin Board market.

    Both of these markets are infamous for their danger – in terms of illiquid stocks and occasional extreme volatility. They are the true ‘penny stocks’ and generally avoided by all but the most hardcore risk-taker. We used to get spammed about these markets all the time on the UK financial boards where I used to hang out – and similarly, it was the devil’s own job trying to get them stopped.

    Who’s behind it? Hmm – could be anything from a lone trader who believes he can ‘move the market’ – (and to some extent that IS possible in the OTC/PK markets, which is why they’re so dangerous) to a band of money-laundering criminals looking for ways to clean funds via the marketplaces without attracting too much attention. Again, the OTC markets are not nearly as well regulated or policed as the ‘proper’ markets (NASDAQ, NYSE and the UK’s LSE, etc), and this kind of stunt is, sadly, commonplace.

    In terms of proving or disproving any direct company involvement, look for directors issuing or selling portions of their own holdings at any point after a ‘ramp’. Personally, I doubt you’ll find any (if indeed, directors dealings are even required to be notified on these markets!) I think I agree with your view in your point (4) – it would be too much risk for our spammer to be working directly with these companies, and generate too much paper-trail.

    Your information IS certainly worth passing over to the authorities that are responsible for the PinkSheets Market (sorry, I have no idea if that’s the FTC or the SEC or whoever). They may have the ability to look for suspicious block trades and other activity, which (given that you’ve pinpointed all the appropriate stocks) should stick out like a sore thumb on the trading tools they’ll have at their disposal.

    If I get time, I’ll try and examine them in my own Metastock charting software – I can already see, just on Yahoo, that some of these HAVE experienced increases in trading volume over the affected periods, but I’d like to look at it more closely.

    Thing is, the Pink Sheet ‘regulator’ will have access to the actual trading information (ie, who bought, who sold), and be far more capable at pinpointing ‘unusual suspects’ than we can.

    Thanks again – useful stuff, neatly collected into one handy resource – and it’s given me food for thought. I’ll pass on anything I discover from your starting point!

  182. I just got bounces for a new stock—Riverbank Investment Corp. (RRBK).

    I also got a bounce for non-stock spam.  This was for devicefield.com, a site apparently selling electronics.  I say “apparently” because the site seems to be down now.

  183. Kim says:

    I also got a non-stock spam bounce back. It was offering recruitment for a travel business. I sent an email to the recruitment address, and got a reply (info about where they are recruiting and a bit of info about this business). I haven’t looked into it yet – but the business is:

    Ryan F Garcia
    Sales Department
    Supervisor
    [email protected]
    World & Countries Co.
    Phone/Fax: +1 (603)
    462-9127
    393 Broadway, San Francisco, CA 94133 USA

    Although this is unrelated to the stock-spam, they are probably using the same spammer/bots.

    Does anyone think it is worth following up this lead?

    Kim

  184. Neil Jackson says:

    Kim – depends… I think it’s worth finding out first, whether the ‘fingerprints’ of the recruitment spam match those of the rest of the pump-and-dump stuff, and that it isn’t just some other random spam attempt from another source that’s happened to reach you at the same time.

    What was the HELO prompt used in the initial contact? (this should show up in the lowest ‘Received From’ line, in the SMTP headers of the original message). Look for a short random sequence of characters, or two short random sequences separated by a single dot. (eg: dfseo.fdij or giufgi or something of that ilk).

    Does the injecting IP address match any address that you’ve also seen used by the stock stuff?

    Did the message contain the actual spam-message as a GIF image showing a piece of scanned-in, non-selectable text?

    Was there a separate block of plain, selectable text with random sentences and phrases designed to fool anti-spam heuristic filters?

    Was the (faked) sender email address created from a random sequence of characters forming a username, prepended to a (joe-jobbed) domain-name? Eg, [email protected] or [email protected] (and not less than three characters in the username)?

    If ALL of those match, then I’d be tempted to agree there’s a high chance of it being the same underlying system (and probably, therefore, same botnet). But if there’s no similarity in these areas at all, then I’d have to say I would not be convinced it’s from the same lot.

  185. Piet says:

    1. I made a positive filter
    2. In Spam I can control the spam
    3. I dislike to waste much time about them
    4. No spam from 26 April
    5. Government will get them – I send them all
    6. They’re not legal
    7. Don’t talk about your results
    8. You like to let them know?

    Greetings Piet

  186. I. G. Farben says:

    There is secret information embedded in the .gif images.  Look for individual pixels that are not the color they should be.  Also look for abnormal variations in the spacing between lines of text.

  187. Dewy says:

    186,

    This is interesting if it is in fact embedded information.  I remember a while back when the whole Terror War thing started that the FBI was saying that Al Qaeda was using pictures with embedded information in them to pass details of stuff.

    I found a few links, the first one here:
    http://www.softpedia.com/get/Security/Encrypting/Encrypt-Text-in-Picture.shtml

    That allows you to do this.  If you found the right program, perhaps one could “Decode” the jpg and see what is really up? (Conspiracy Theory anyone??)

    Cheers!

  188. Dewy says:

    One more thing….

    Am I the only one that is wondering if this turd is reading Mr. Turner’s site??

    I bring this up because the last five E-mails I have received are from a different company, (RRBK), and they seem to be missing the familiar PR Cut & Paste.

    There were a few other times as well that when something was brought up on here, the e-mail seemed to mysteriously change.

    Other examples to my mind are:
    When Mr. Turner first posted about tententwelvecorp.com, I found it on google, I wonder if the Spammer did as well, because he omitted that part of the e-mail and the phone number shortly after it started being discussed here.

    ALSO, when someone brought up the legality of what he is doing and mentioned the SEC, he started putting in the disclaimer at the bottom of his mail shortly after that…

    Just my thoughts on that…

  189. Kim says:

    Neil – the non stock-related email I got did not use the embedded GIF images, it is selectable text. The subject and sender name were specific to the content of the spam (not random names/weird subjects). The address used was random letters though (the same as the stock spam) – eg: [email protected]. Anyway, given that –  maybe they are not related. I might still follow it up though.

    Dewy – I have been wondering that as well. Do you think we should take this discussion to a forum? (requiring registration). Or even a yahoo group?

    I.G Farben – good pick up with the hidden information! Some have quite a lot of coloured pixels. Hmm!

  190. Hi Folks
    This is the text of my most recent bounced message:
    ==============
    This is the Postfix program at host mail.phr.ch.

    I’m sorry to have to inform you that your message could not be be delivered to one or more recipients. It’s attached below.

    For further assistance, please send mail to

    If you do so, please include this problem report. You can delete your own text from the attached returned message.

    The Postfix program

    <[email protected]>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
      content rejected, UBE, id=23797-14 (in reply to end of DATA command)
    ==============

    The attached details.txt contains this:

    ==============
    Reporting-MTA: dns; mail.phr.ch
    X-Postfix-Queue-ID: 71E122A000A
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Mon,  8 May 2006 00:20:36 +0200 (CEST)

    Final-Recipient: rfc822; [email protected]
    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
      content rejected, UBE, id=23797-14 (in reply to end of DATA command)
    ==============

    127.0.0.1 is the local machine isn’t it?  And it’s not – this machine has been powered off for three days while I was out of town.

    Is there anything in this text I can look up to report it?
    Rich

  191. Is this I. G. Farben for real?  He has provided us with two pieces of very interesting information—that Johnson Eddisson is actually Thomas DiStefano and now that there is secret information in the images.  Unfortunately, neither of these claims had much information to back those assertions up.

    Also, I notice that Farben hasn’t claimed to be getting the bounces.  So who are you, Mr. (or Ms.) Farben, and how did you discover these items?

    Regarding the secret information, the images I’ve gotten have had different widths and background colors, even for the same stock spam.  If the text was actually printed from other spam and then scanned in as an image, I would expect miscellaneous spots (called “speckles” in the OCR world) and maybe even slightly different line spacing.  I wouldn’t assume there was any secret information there without more details.

  192. Adam says:

    Just a quick comment this morning.  Riverbank has broken the continued pattern I commented on in #178 above – no press release THEN pump spam.  Dewy in #188 has a good point – maybe the pattern has finally been broken because of our comments?  Maybe our botnetter is just hiring out to whoever stumps up the cash?

    HOWEVER – the turnabout is this time the spam stock was launched on FRIDAY, then (surprise, surprise) – Riverbank launched their press release this morning (see “Riverbank Enters Oil and Gas Industry” http://www.pinksheets.com/quote/news.jsp?symbol=RRBK)

    This is pretty clear evidence of fraudulent activity in relation to this company (reported it to SEC already).  Trading in it should be suspended immediately and the SEC should go talk to CEO Mr. John Crasta.  Maybe he should be offered immunity if he discloses who he got to pump his stock?  Just a thought.

    Jeez, this is all so fricking timewasting!
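
The pattern Adam lays out in #178 (press release first, spam quoting it verbatim a few hours later) and the reversed case in #192 (spam out on Friday, release on Monday) both reduce to a check a script can run: find the release whose wording the spam lifts, then compare timestamps and flag a negative lag. The following Python is an added example and not code from this thread; the release texts, the spam bodies and all of the timestamps in it are constructed to resemble the comments (the real COMTEX releases are not reproduced), and the matching rule (a run of at least eight identical consecutive words) is an assumption chosen for illustration.

```python
"""Match pump-and-dump spam against press releases and measure the release-to-spam lag.

Added example, not code from the thread. RELEASES and SPAMS are constructed
stand-ins for the CYHD and RRBK cases discussed above, not the real texts.
"""
import re
from datetime import datetime, timedelta, timezone

ET = timezone(timedelta(hours=-4))  # US Eastern Daylight Time, May 2006

# Constructed press releases: (ticker, publication time, text)
RELEASES = [
    ("CYHD", datetime(2006, 4, 28, 16, 15, tzinfo=ET),
     "Michael Burke, CEO of Cyberhand Technologies said, Because of the potential "
     "collateral damage we design products for private and military purposes."),
    ("RRBK", datetime(2006, 5, 8, 8, 30, tzinfo=ET),
     "Riverbank Investment Corp today announced that it enters the oil and gas "
     "industry with a letter of intent to acquire producing leases."),
]

# Constructed spam bodies with the time the first legitimate MTA received them.
SPAMS = [
    (datetime(2006, 5, 1, 16, 29, tzinfo=ET),
     "HOT PICK!!! Michael Burke, CEO of Cyberhand Technologies said, Because of the "
     "potential collateral damage we design products for private and military purposes. BUY NOW"),
    (datetime(2006, 5, 5, 12, 20, tzinfo=ET),
     "Riverbank Investment Corp today announced that it enters the oil and gas industry "
     "with a letter of intent to acquire producing leases. This one will explode!"),
]

def words(text):
    """Lower-cased alphanumeric tokens; punctuation and line breaks are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())

def longest_common_run(a, b):
    """Length of the longest run of consecutive identical words (longest common substring over words)."""
    prev = [0] * (len(b) + 1)
    best = 0
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def match_spam(spam_time, spam_text, releases=RELEASES, min_run=8):
    """Return (ticker, lag_hours, run_length) for the release the spam quotes, or None.

    lag_hours is spam arrival minus release time; a negative value means the
    spam went out before the release was public, which is the suspicious case."""
    spam_words = words(spam_text)
    best = None
    for ticker, rel_time, rel_text in releases:
        run = longest_common_run(spam_words, words(rel_text))
        if run >= min_run and (best is None or run > best[2]):
            lag = (spam_time - rel_time).total_seconds() / 3600
            best = (ticker, round(lag, 2), run)
    return best

if __name__ == "__main__":
    for arrived, body in SPAMS:
        hit = match_spam(arrived, body)
        flag = "SPAM PRECEDES RELEASE" if hit and hit[1] < 0 else ""
        print(arrived.isoformat(), hit, flag)
```

Run against the real bounces, the arrival time should be taken from the first Received header added by a legitimate MTA (as Adam did), not from the Date header, which the bot controls.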

  193. Neil Jackson says:

    @Rich (post 190) – the localhost (127.0.0.1) address referred to in the message will not be YOUR localhost… it’ll be the localhost address of the mailserver ITSELF. Don’t forget, localhost just means ‘this machine’ (in internet terms)… but like most uses of the word ‘this’, it’s all relative to where you happen to be at the time!

    Basically, the mailserver at mail.phr.ch is saying “I, myself, responded (to an incoming SMTP mail-transfer connection) no, I’m not accepting this because it looks like SPAM”, and the same mailserver has conveniently bundled that up in a message and returned it to you.

    Alas, it does NOT record which machine was making the connection to mail.phr.ch – at least, not in the extract you’ve posted. I’m curious.. were there any other attachments apart from the ‘details.txt’ thing? Another email, for example? If so – THAT is the item which should show the connecting IP address ‘as-received’ by mail.phr.ch, prior to them deciding not to send it on. The connecting IP address would be in the bottom ‘received from’ line of that original spam attempt.

    If they haven’t included that, then frankly, it’s useless. We can’t derive (from the information given by mail.phr.ch) which IP connected to them, because their report is incomplete and therefore largely useless.

    Hate to say it, but that’s often a common state of affairs! Not every system admin knows how to configure their system for best usefulness in times like this, I’m afraid.

    Of course, if there IS a full copy of the original spam included, get us the SMTP headers of THAT message – because the original (infected) IP address would certainly be listed (well… it will if mail.phr.ch is not set up ‘broken’ in other ways, too!)

    But in any case – no, you don’t have to worry about YOUR machine having been switched off. It’s not referring to your machine in this case.

    @Steve (post 191) – Personally, I don’t think that the ‘speckles’ in the GIF images are really data, per se – at least, probably not in the way that IG Farben suggests. In my experiences in the past with steganography (the method of burying textual data in bitmap-images), the whole point is that the data is HIDDEN in the image! That is, you wouldn’t see obvious dots… the dots are meant to blend into the colour in the relevant area of the picture, so that they are not noticed! The encoding system would either pick areas of the image that could be used without being spotted, or they are colour-matched to the area they’re going to be placed in.

    Besides, what logical reason would there be for burying a secret message into a stock spam? I can’t really think of one…

    No, I think the reason behind it is either like you suggest – OCR or scanning glitches (though I’m less and less happy with that explanation by the minute)… or (more likely) it’s a simple ‘trick’ to try and randomize the exact data in the attached GIF file, without massively changing the look of the file. If the file is slightly different for EVERY outgoing spam, (and by that I mean every individual outgoing email, not just per spam-subject), then it makes it an order of magnitude more difficult for an Anti-Spam filter to ‘recognise’ the image as a known ‘nasty’. The GIF image will presumably end up with a different filename, file-length, and internal contents on EVERY outgoing message, and thus be very hard to ‘teach’ to a spam-filter (beyond the more basic-but-dangerous rule of ‘it’s a GIF attachment’).

    And logically, that’s probably a much more likely reason for a spammer to be doing this, I think, than any sort of ‘hidden message’.

    I could be wrong, though – but alas, cracking steganographic images is hard, hard, hard, so I’ll never be entirely sure!

    @Adam (post 192)… interesting development… so you’re saying the Spam hit the streets BEFORE the official corporate Press Release? Hmm… that does indicate either the company itself is involved in hyping their stock, and the spammer got the release date muddled, or there is some dodgy person at either the PR company that the announcing company used, or some other organisation to whom they send their official press-releases for publication.

    Good find! Let us know how that develops. I’m particularly interested in whether there’s a suspension, because that would at least let us know someone at the SEC gives a damn!
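
Neil's fingerprint checklist in #184 and his reading of Rich's Postfix bounce in #190/#193 are the same job done by hand: find the attached original inside the DSN, take its bottom-most Received line for the injecting IP and HELO, and ignore the 127.0.0.1 in Diagnostic-Code, which is only the reporting server's own content filter answering. The Python below does that mechanically. It is an added example, not code from the thread: the bounce it parses is constructed (boundary strings, queue id, addresses and the 1x1 GIF are made up), the Received shapes copy the Exim, sendmail and Postfix forms quoted in the comments, and the "random HELO" and "random sender" rules are approximations of what Neil describes, not anything the spammer is known to use.

```python
"""Pull the injecting IP/HELO out of a bounce and score the spam 'fingerprint'.

Added example, not code from the thread. BOUNCE is a constructed
multipart/report DSN with the original message attached as message/rfc822.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

BOUNCE = """\
From: MAILER-DAEMON@mail.example.ch
To: xyzzy@victim-domain.example
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.ch

Final-Recipient: rfc822; someone@example.ch
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=23797-14 (in reply to end of DATA command)

--B1
Content-Type: message/rfc822

Received: from localhost (localhost [127.0.0.1]) by mail.example.ch (Postfix) with ESMTP id 71E122A000A; Mon, 8 May 2006 00:20:36 +0200 (CEST)
Received: from mryrdi.cm (unknown [82.51.144.200]) by mail.example.ch (Postfix) with SMTP id 5A1C22A0009; Mon, 8 May 2006 00:20:34 +0200 (CEST)
From: hqwen@victim-domain.example
To: someone@example.ch
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

random filler sentences go here

--B2
Content-Type: image/gif; name="x.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--B2--

--B1--
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# (regex, (group holding HELO, group holding IP)) for the three header shapes seen in the thread
SHAPES = [
    (re.compile(r"from \[" + IP + r"\] \(helo=([^)\s]+)\)"), (2, 1)),  # Exim:     from [ip] (helo=name)
    (re.compile(r"from (\S+) \(\[" + IP + r"\]\)"), (1, 2)),           # sendmail: from name ([ip])
    (re.compile(r"from (\S+) \(\S+ \[" + IP + r"\]\)"), (1, 2)),       # Postfix:  from name (rdns [ip])
]

def parse_received(header):
    """Return (helo, ip) from one Received header, or None if its shape is unknown."""
    header = " ".join(header.split())  # unfold continuation lines
    for pattern, (helo_group, ip_group) in SHAPES:
        m = pattern.search(header)
        if m:
            return m.group(helo_group), m.group(ip_group)
    return None

def attached_original(bounce_text):
    """The original message a DSN carries as message/rfc822, or None if the admin left it out."""
    dsn = message_from_string(bounce_text)
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def injection_point(original):
    """(helo, ip) of the first hop: the bottom-most Received header, i.e. the bot."""
    received = original.get_all("Received") or []
    return parse_received(received[-1]) if received else None

def diagnostic_host(bounce_text):
    """IP named in the DSN's Diagnostic-Code (the host that said 550)."""
    m = re.search(r"Diagnostic-Code:.*?host \S*?\[" + IP + r"\]", bounce_text)
    return m.group(1) if m else None

def filter_answered_locally(bounce_text):
    """True when that host is loopback: the server's own content filter, not the sender."""
    host = diagnostic_host(bounce_text)
    return host is not None and ipaddress.ip_address(host).is_loopback

RANDOM_HELO = re.compile(r"^[a-z]{3,10}(\.[a-z]{2,10})?$")  # 'giufgi' or 'dfseo.fdij' (assumed rule)

def fingerprint(original):
    """Apply the checklist from comment 184; returns (helo, ip, {check: bool})."""
    helo, ip = injection_point(original) or (None, None)
    local_part = parseaddr(original.get("From", ""))[1].split("@")[0].lower()
    types = [p.get_content_type() for p in original.walk()]
    checks = {
        "random_helo": bool(helo and RANDOM_HELO.match(helo.lower())),
        "random_sender": re.fullmatch(r"[a-z]{3,}", local_part) is not None,
        "gif_attached": "image/gif" in types,
        "plain_text_block": "text/plain" in types,
    }
    return helo, ip, checks

if __name__ == "__main__":
    original = attached_original(BOUNCE)
    print("filter answered locally:", filter_answered_locally(BOUNCE))
    print("injection point:", injection_point(original))
    print("fingerprint:", fingerprint(original)[2])
```

If attached_original() returns None, the bounce is the kind Neil calls useless: nothing in it identifies the connecting machine, and the only thing left to report is the reporting MTA itself.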

  194. Kim says:

    Neil – I think you are spot on with the coloured dots in the GIF images – I guess it is simply a way to trick spam software that looks for text-type patterns in images. The GIF images are definitely not OCR – as a close inspection of the image in Photoshop shows that each particular character is identical wherever it appears in the image (eg: the pixels/anti-aliasing for “a” is always the same, and so on).

    Adam – keep us posted with your Riverbank press release thing. Do you have a direct contact at the SEC?

    Cheers,
    Kim

  195. It makes sense that the colored dots are just another means of making the image look different, as that would probably generate a different MIME encoding.

    However, as I mentioned, the images seem to have different widths (and probably lengths) and background colors.  I’d think varying the background colors (with 255 or so variations) and image size would be enough to generate different MIME encodings, but maybe the loser is just being ultra-careful.

    Steve
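
Neil (#193), Kim (#194) and Steve (#195) converge on the same explanation for the stray pixels, sizes and background colours: every outgoing GIF is made byte-different so a filter keyed on the file cannot recognise it. The Python below is an added example, not code from the thread, and works on plain lists of palette indices rather than real GIF files: render_base() is a constructed block pattern standing in for the text, mutate() fakes the three tricks described (new background colour, padding, isolated off-colour pixels), and canonical_hash() shows the countermeasure a filter author would reach for, which is to binarise against the majority colour, drop pixels with no neighbour and crop to the ink before hashing.

```python
"""Why per-copy speckles defeat a file-hash signature, and a canonical hash that survives them.

Added example, not code from the thread. Images are lists of palette indices
(0-255); no GIF encoding is involved. The text bitmap is constructed.
"""
import hashlib

def render_base():
    """Constructed bitmap, 0 = background, 1 = ink: a 6x6 block, a 2-wide bar and two strokes."""
    rows = []
    for y in range(10):
        row = [0] * 30
        if 2 <= y <= 7:
            row[3:9] = [1] * 6
            row[12:14] = [1] * 2
            if y in (2, 7):
                row[17:25] = [1] * 8
        rows.append(row)
    return rows

def isolated(img, y, x, background):
    """True if the 3x3 neighbourhood of (y, x) is entirely background."""
    h, w = len(img), len(img[0])
    return all(img[ny][nx] == background
               for ny in range(max(0, y - 1), min(h, y + 2))
               for nx in range(max(0, x - 1), min(w, x + 2)))

def mutate(base, background, ink, pad_top, pad_right, speckles):
    """One outgoing copy: recoloured, padded, plus ink-coloured speckles at the given (y, x).

    A speckle is placed only where it touches nothing, which keeps the text
    readable; requested positions that would touch ink or another speckle are skipped."""
    width = len(base[0]) + pad_right
    img = [[background] * width for _ in range(pad_top)]
    img += [[ink if v else background for v in row] + [background] * pad_right for row in base]
    for y, x in speckles:
        if isolated(img, y, x, background):
            img[y][x] = ink
    return img

def raw_hash(img):
    """What a signature keyed on the image bytes sees: different for every copy."""
    flat = bytes([len(img[0]) % 256, len(img) % 256] + [v for row in img for v in row])
    return hashlib.sha256(flat).hexdigest()

def has_ink_neighbour(ink, y, x):
    """True if any of the 8 neighbours of (y, x) is ink."""
    h, w = len(ink), len(ink[0])
    return any(ink[ny][nx]
               for ny in range(max(0, y - 1), min(h, y + 2))
               for nx in range(max(0, x - 1), min(w, x + 2))
               if (ny, nx) != (y, x))

def canonical(img):
    """Binarise against the majority colour, drop isolated pixels, crop to the ink's bounding box."""
    flat = [v for row in img for v in row]
    background = max(set(flat), key=flat.count)
    ink = [[int(v != background) for v in row] for row in img]
    clean = [[int(px and has_ink_neighbour(ink, y, x)) for x, px in enumerate(row)]
             for y, row in enumerate(ink)]
    ys = [y for y, row in enumerate(clean) if any(row)]
    xs = [x for row in clean for x, v in enumerate(row) if v]
    if not ys:
        return ()
    return tuple(tuple(row[min(xs):max(xs) + 1]) for row in clean[min(ys):max(ys) + 1])

def canonical_hash(img):
    """Hash of the cleaned, cropped 1-bit image: stable across the spammer's variations."""
    return hashlib.sha256(repr(canonical(img)).encode()).hexdigest()

if __name__ == "__main__":
    base = render_base()
    a = mutate(base, 200, 0, 2, 5, [(0, 0), (9, 28), (5, 27)])
    b = mutate(base, 17, 255, 0, 1, [(0, 29)])
    print("raw hashes differ:", raw_hash(a) != raw_hash(b))
    print("canonical hashes equal:", canonical_hash(a) == canonical_hash(b) == canonical_hash(base))
```

The despeckle step is exactly the property the spammer relies on for readability: a dot that touched a letter would damage the text, so the dots are always isolated, and "isolated" is trivial to test for. Changing the font, kerning or line spacing per copy (which I. G. Farben's "abnormal variations in the spacing" would amount to) defeats this canonical form, and is the next step up for the spammer.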

  196. Rob says:

    This one really doesn’t seem to be going away. 🙁

    I’ve toyed with simply turning off the “catchall” e-mail function for my domain – which is pretty effective – but I’m not happy about losing e-mails that I’ve forgotten to set up a redirection for, not to mention losing visibility of how my domain is being abused.  My current interim solution is to redirect all such e-mails to a special account I set up to catch them without it clogging up my regular e-mail.  I report a few, but it just seems to get more out of control every day.

    I wonder why the spammer can’t just use random domains that don’t even exist instead of hijacking ours.  Are we no closer to discovering the bot/script behind the botnet itself so it can be added to the signatures of the various virus scanners?  OK OK… I know it’s probably not that simple… how annoying this whole thing is. 🙁

  197. Adam Watkins says:

    Rob – I am so on the same wavelength it’s not even funny.  You put it so perfectly with the whole “Losing visibility” thing – I don’t want to monitor the situation but at the same time I have to without fail in case it goes some whole other sinister direction.  Grrrr.

    To Kim in #194 – hard copies to the SEC snail mail address in #140 above.  Hey, it’s harder to avoid physical mail than it is e-mail.

    FWIW I’ve been following the developments regarding bluesecurity.com – an anti-spam resource (look it up in Wiki).  Seems all well and good for dealing with any spammer with a web-based presence but USELESS for dealing with blind spamming like our situation.  These stock spams should really be dealt with as a whole separate sub-class of spam IMO.

  198. Picking fake domain names might not work well.  Some E-mail servers seem to back-check the From address to ensure that it exists and reject the E-mail if it doesn’t.  (There’s a long story about why I switched my domain registrar because of this issue, but that’s not relevant here.)  So, if the spammer picked a fake domain name, the back-check would be guaranteed to fail, and some percentage of his spam wouldn’t be delivered.

    Now the question becomes, is he somehow picking domains that he knows are using a catch-all E-mail address, which means pretty much any E-mail back-check will succeed?  If so, how did he find that out?  Did he probe our domains with an E-mail address that most domains wouldn’t have (xxyzzzplugh, for example)?  I don’t know.

    I got hammered over the weekend with spam bounces (60 total on Saturday and Sunday), but only got 9 Monday and only one so far today (Tuesday).  Could this mean they caught the loser?  I hope so, but I’m not holding my breath.  Even if he just moved to a different domain, that would be a welcome relief for me (although bad news for some other poor guy).

  199. Neil Jackson says:

    Steve, can I make a couple of corrections to your first bit, which might answer your second bit? smile

    You’re right in that some SMTP servers will perform checks on the sender – but usually it’s one of two methods, rarely both, though (and usually the former):

    1 – the ‘HELO’ announcement that is given by the sending MTA is looked up using reverse-DNS, to ensure that the hostname given as the HELO actually corresponds to the IP address of the machine that has connected. eg, if an infected bot says ‘HELO mail.wibble.com’ and is on IP address 193.182.12.3 (say), then the SMTP server will rDNS 193.182.12.3 – if it comes up as ‘mail.wibble.com’ (and is a class A record, not a CName or alias), then the SMTP server can act in good faith that at least THAT bit of the conversation is honest so far. You can usually tell an SMTP server is rDNSing, by the fact that in the ‘Received From’ headers of the eventual message, it will have reported the helo hostname, and then usually in brackets BOTH the IP address, and the looked-up rDNS name that came back. Some do, some don’t, and yet others mess it up, but that’s basically the deal.

    2 – at the ‘Mail From’ part of the SMTP sequence, when the bot is attempting to spoof the sender-name, some (few) servers again will look up the DOMAIN part of the address, to find out whether an SOA (start of authority) record exists. That’s usually a good sign that the sender’s domain is real, and thus not a complete fake. Of course, this is precisely WHY Joe-Jobbing happens!!

    Now… the wrinkles…

    Most SMTP servers are, for a variety of reasons, not likely to utterly block a message on the basis of a HELO prompt HOSTNAME not resolving. It’s too dangerous, because too many mailservers don’t conform to the relevant RFCs, and in many cases, they’re set up without proper rDNS pointers, or using aliases, or in some cases are ‘multi-homed’ (and may thus even come back with a completely different hostname, usually at an ISP’s ‘mailserver-farm’ when rDNSed).

    Usually, all they do THIS check for, is so that they can mention the fact in the Received From headers (sometimes, you’ll see rude messages in there about hosts not resolving, etc). Other times, I’m sure, if this aspect fails, the message is subjected to more stringent tests later, perhaps. But rarely do they actually force a block on this bit. Our spammer’s constant use of two forms of totally randomised ‘hostname’ in his HELO prompts is visible in the Received From headers that we’ve seen – so we know that this usually isn’t being blocked at all, by all the servers we’re getting bounces from, at the very least!

    To do a full ‘email address’ lookup these days, is virtually impossible – which is why SMTP servers don’t bother. There USED to be a command called ‘VRFY’ (verify) which (when the internet was still all fields) we could use to ask an authoritative mailserver for a given domain whether it agreed user ‘fred’ existed. However, spammers learned fast, and routinely abused this cooperative ‘feature’ to harvest email addresses – so largely, you won’t find an SMTP server that doesn’t turn you down if you ask, nowadays. Beyond that, there are NO other automated ways to determine whether an email address exists… the only way you can really be sure is by having a personal email conversation with someone! (Read-Receipts are unreliable and can be overridden, and Delivery-Receipts prove nothing most of the time). This is why AT BEST, SMTP servers could only check the SOA existence of a DOMAIN (not a host, and not a user) in the ‘Mail From’, and nothing more. But that COULD be used to make an ‘anti-spam’ decision more effectively than step 1, so this IS sometimes used for that purpose.

    So… to your original hypothesis. Frankly, I don’t think the spammer gives a damn whether we have catch-all addresses or not. He’s not TARGETING us… he’s targeting some other random recipient, and if we happen to end up with a JJ-bounce-message, well that’s just tough titty. Maybe we’ll even see his message and join in the fun too, maybe. But certainly, I don’t think he’s actually wanting nor caring of us seeing the backscatter caused by his spoofing random usernames at our domain-name as his senders.

    Consequently, I really don’t think he would’ve (nor could have, given what I’ve said above about checking for that type of mail-handling in an automated way) tested our systems to see whether addresses existed or whether we were ‘catch-all’. And it really makes no difference to his operation (except that we are slightly more likely to notice, and therefore do something – but as we’ve seen, we’re pretty powerless here, and he will know that).

    Nope, I’m confident he’s just harvesting email addresses (and thence, domains to which he can prepend a made-up username) from infected bot PCs. He may also be pooling them, or the bots may perhaps just use the ones THEY know about. Haven’t worked that bit out yet. But the dynamics are pretty evident – he’s using all sorts of domains to joe-job, and they appear to be random (if you see the folks affected in this thread). There’s no commonality of person, job, or anything that I can see – we’re all just ‘innocent victims’.

    And of course – those that DON’T have catch-all addresses, simply don’t KNOW this is going on ‘in their name’… so they never see it to get bothered by it, therefore they never look it up on Google and end up here! wink

    Hope that helps a bit!
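
The tracing Neil describes above (reading the Received headers in a bounce to find the injection point and to spot a HELO name that does not match the connecting host’s reverse DNS) can be automated. The following is an added example, not code from the thread or from any of its participants; every hostname, IP address and HELO string in the sample headers is constructed with .invalid names, and the trusted-MTA set is an assumption the caller supplies. It walks the headers from the top (newest) down and stops at the first hop not written by a trusted MTA, because everything below that point was written by the sender and may be forged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the Received headers of one spam as an ISP's MX might
# return them inside a bounce. Every hostname, address and HELO string here is
# made up for this example; none of it is taken from the thread.
SAMPLE_HEADERS = """\
Received: from mx2.example-isp.invalid (mx2.example-isp.invalid [192.0.2.10])
\tby inbound.example-isp.invalid (Postfix) with ESMTP id 4F2A1C0
\tfor <victim@example-isp.invalid>; Mon, 15 May 2006 09:12:01 +0100
Received: from xk39qz.wprt.tld (unknown [198.51.100.77])
\tby mx2.example-isp.invalid (8.13.1/8.13.1) with SMTP id k4F8BZ7p012345;
\tMon, 15 May 2006 09:11:58 +0100
Received: from mail.bigcorp.invalid (mail.bigcorp.invalid [203.0.113.5])
\tby xk39qz.wprt.tld with ESMTP id 77; Mon, 15 May 2006 03:11:40 -0500
"""

@dataclass
class Hop:
    helo: str            # name the connecting client gave in HELO/EHLO
    rdns: Optional[str]  # reverse-DNS name the receiving MTA recorded (None if unknown)
    ip: Optional[str]    # connecting IP address the receiving MTA recorded
    by: str              # the MTA that wrote this header

# "Received: from HELO (rdns [ip]) ... by RECEIVER ..." after unfolding
HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+(?P<paren>(?:\([^)]*\)\s*)*)by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_RE = re.compile(r"\(\s*(?P<name>[A-Za-z0-9.-]+)\s+\[")

def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading space/tab) back onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def parse_received(raw: str) -> List[Hop]:
    """Return the hops in header order: newest (closest to us) first."""
    hops: List[Hop] = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        paren = m.group("paren")
        ip_m = IP_RE.search(paren)
        rdns_m = RDNS_RE.search(paren)
        rdns = rdns_m.group("name") if rdns_m else None
        if rdns and rdns.lower() == "unknown":   # Postfix/Sendmail write this when there is no PTR
            rdns = None
        hops.append(Hop(helo=m.group("helo"), rdns=rdns,
                        ip=ip_m.group("ip") if ip_m else None, by=m.group("by")))
    return hops

def helo_matches_rdns(hop: Hop) -> bool:
    """A random HELO string, as the spammer's bots use, never matches the rDNS name."""
    return hop.rdns is not None and hop.rdns.lower() == hop.helo.lower()

def find_injection(hops: List[Hop], trusted_mtas: Set[str]) -> Optional[Hop]:
    """Walk top-down. The last consecutive hop written by an MTA we trust is where
    trusted infrastructure took the message from the outside; its ip is the
    injection point. Every header below it was written by the sender and may be
    forged, so it is not evidence of anything."""
    last = None
    for hop in hops:
        if hop.by.lower() in trusted_mtas:
            last = hop
        else:
            break
    return last

if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    hit = find_injection(hops, {"inbound.example-isp.invalid", "mx2.example-isp.invalid"})
    for h in hops:
        print("%-15s HELO=%-22s rDNS=%-26s by %s" % (h.ip, h.helo, h.rdns, h.by))
    print("injection point:", hit.ip, "(HELO %r, rDNS %s)" % (hit.helo, hit.rdns or "none"))
```

In the constructed sample the third header claims a relay from a legitimate-looking corporate host, but it was written by the bot itself, so the walk stops one hop above it and reports the bot’s IP (rDNS missing, HELO random) as the injection point; that is the address to report to the ISP that owns it.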

  200. Adam says:

    Here’s another tack I’ve taken.  I’ve tried looking up the bot’s profile in the various databases provided by anti-virus suppliers.  If I do manage to get a match, then I’ve got an old laptop here that I’m ready to sacrifice – try to get it infected with the virus in order to do tracing work with it.

    How would people classify this virus?  I was thinking keywords along the lines of “trojan irc spam e-mailer”.  And some virus or variant that’s appeared within the last 5-6 months.

  201. I don’t know, Neil.  I was just trying to describe something in layman’s terms to explain why the spammer might be using real domains.  I suspect that your really LOOOONG explanation would only be understood by Internet geeks (I didn’t even understand half of it). smile

    However, I thought that some ISPs actually read the From address and started a send conversation back to that domain to check if the E-mail address resolved.  Maybe I’m completely wrong or maybe one of your explanations basically said that (like I said, I honestly don’t know).  Even if I’m right, maybe only a few ISPs do it, so the spammer wouldn’t worry about it.

    But if some ISPs do check for valid From addresses, that would be one reason to try to pick domains with catch-all addresses.

    I do generally agree that he’s not targeting us with the spam, and I didn’t claim he was.  I also agree that he probably doesn’t care if we get bounces or not, but I wasn’t arguing that, either.  I was merely saying that IF a lot of ISPs do E-mail validation checking, THEN he might care about trying to ensure the domains he was spoofing had catch-all E-mail addresses.  Otherwise his random From addresses wouldn’t make it to his target at all, which he WOULD care about.

    The point may well be moot if ISPs don’t really block E-mail with From addresses that don’t resolve as you said, though.  However, now may be a good time to explain why I switched domain registrars and see what you think.

    I used to have my domain registered with a company (MyDomain/NamesDirect) that provided free DNS services (URL forwarding, mail forwarding, etc.).  I used them to forward my domain to my ISP’s less-than-nice URL. 

    However, I ran into problems after a while.  MyDomain kept blocking my E-mail saying they were getting too many failures from my ISP.  As far as I could tell, my ISP wasn’t rejecting any mail that I expected to get through, so I was at a loss to explain why MyDomain was saying they were getting bounces.

    I talked with my ISP and they said they did some sort of E-mail back-checking.  So my hypothesis was that MyDomain was seeing my ISP bouncing spam with spoofed (unresolvable) From addresses and interpreting them as my E-mail address not being available.

    This happened pretty much every night for a month, MyDomain couldn’t or wouldn’t fix the problem, and I eventually got so sick of having to reinstate my forwarding addresses every day that I decided to move my domain forwarding somewhere else. 

    Because MyDomain was free, that wouldn’t really affect them (in fact, it would lower their bandwidth, which could be a net win for them).  However, because I was grateful for the free DNS services, I had also registered my domains with their sister company, NamesDirect, so I moved the domains to GoDaddy (which also offered domain forwarding).

    Anyway, the point of that long story is to ask if my hypothesis could be correct.  If it is, then at least some ISPs are rejecting E-mail based on unresolvable From addresses.  If not, I have no idea what was going on.  smile

    (Wow, I guess one overly long explanation deserves another.  smile)

  202. China World Trade (CWTD) made another comeback yesterday, and I’m seeing De Greko (DGKO) reprised today.  I’d think repeatedly pumping and dumping the same stock wouldn’t be as effective as doing it with different stocks, would it?

    Of course, if he’s spamming new people, maybe it would.

  203. Kim says:

    After following up one of the ‘non-stock’ spam emails I had received a bounce-back to , I have been put in contact with someone at a recruitment business. I asked if they could provide me with the information of their email marketer – and they said “I’m sorry but it isn’t a public information. We can not spread information about our partners”

    I wonder if I should press them any harder….

  204. China World Trade (CWTD) made another comeback Monday, and I saw De Greko (DGKO) reprised yesterday.  I’d think repeatedly pumping and dumping the same stock wouldn’t be as effective as doing it with different stocks, would it?

    Of course, if he’s spamming new people, maybe it would.

    The latest stock seems to be inZon Corp. (IZON).  Is that a new one or a repeat?

  205. I fixed the comment limit (again) and deleted an online gambling spam comment.

  206. Neil Jackson says:

    Steve (p201) – sorry about the length and complexity of my last post. I was just trying to explain as completely as possible so that you (or indeed anyone) could check up on what I wrote (if interested), and thus prove the situation clearly for yourself.

    Anyway – let me put it another way, more succinctly.

    No.

    smile

    ISPs don’t (and nowadays mostly can’t) do ‘from address’ resolving, verification or anything of that nature. The most you can usually verify is a DOMAIN (the bit after the @ symbol). It is virtually impossible to verify the existence of a FULL email address, without actually sending it email and having someone write back and say “Yup, I got that mate!” smile

    The MyDomain problem you describe is more akin to a situation where the forwarded email arrives at the intended destination, with either a wrongly-spelt destination address at your other (main) ISP, or some munged version of the ‘alias’ address at MyDomain. Net result, your main ISP declares it undeliverable, and sends back a Non-Delivery-Report (NDR) to MyDomain, and after a few of these, MyDomain stops bothering, believing there’s a permanent problem. Such is life with the free services on the net, alas. You’ll find similar things happening with Yahoo Groups: if some buffoon injects SPAM into a Yahoo Groups list, and your ISP receives that message and bounces it (because of their anti-spam filter) back to Yahoo, Yahoo will remove you from the Group you were a member of! Clever, no? It’s basically the same thing as you describe, only worse, I guess!

  207. Matthew Goeckner says:

    Very strange – the pump and dump WAS NOT A GIF….

    I have it

  208. Dewy says:

    Sorry this doesn’t contribute directly, but WTF is wrong with people??  These dudes that send SPAM in the first place are bad enough, but then they have to violate other people’s sites to post their crap all over the place???  (Ref: Post 207 as long as it lasts)

  209. Matthew Goeckner says:

    Very strange – the pump and dump I just got WAS NOT A GIF….

    I still have it

  210. Matthew Goeckner says:

    Sorry about the second copy of my message – I got a message from the first saying that there was an error and that it could not be posted…..

  211. Kim says:

    over the last 2 days I have received close to 25 bounces per day! And that’s with SPF implemented. Don’t think I will bother with SPF!

    Kim
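
A point worth making about the remark above: SPF is evaluated by the receiving MTA, so a -all record on the forged domain only stops a bounce at receivers that actually check it and reject during the SMTP session; a receiver that accepts everything and generates a non-delivery report afterwards still sends backscatter no matter what the forged domain publishes. The following is an added example, not code from the thread or from any participant; the TXT records and IP addresses are constructed (.invalid domains, documentation address ranges), and the evaluator supports only the ip4, include and all mechanisms, which is all those records need.

```python
import ipaddress
from typing import Dict

# Constructed TXT records standing in for DNS. Both domains are made up for this
# example; the outer record delegates part of its policy with include:.
TXT: Dict[str, str] = {
    "example-victim.invalid": "v=spf1 ip4:192.0.2.25 include:_spf.example-host.invalid -all",
    "_spf.example-host.invalid": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip: str, mail_from_domain: str, txt: Dict[str, str] = TXT,
              depth: int = 0) -> str:
    """Minimal SPF evaluator (ip4, include and all only). Returns one of
    pass / fail / softfail / neutral / none / permerror, as the RFC names them."""
    if depth > 10:                          # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = txt.get(mail_from_domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                       # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "ip4":
            # an IPv6 client never matches an ip4 mechanism; 'in' returns False
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            matched = check_spf(client_ip, value, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"              # mechanism this toy does not implement
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                        # ran off the end of the record

def receiver_outcome(spf_result: str, receiver_checks_spf: bool, recipient_exists: bool) -> str:
    """What one forged message does at a receiving MX that accepts mail for
    unknown recipients and bounces afterwards (the behaviour behind the
    backscatter in this thread). Only a receiver that checks SPF and rejects
    inside the SMTP session spares the forged domain a bounce."""
    if receiver_checks_spf and spf_result == "fail":
        return "rejected in session; the 5xx goes to the bot's connection, not to us"
    if recipient_exists:
        return "delivered as spam; no bounce"
    return "accepted, then bounced to the forged sender (backscatter)"

if __name__ == "__main__":
    bot_ip = "203.0.113.9"                  # constructed: a zombie PC, not a listed sender
    result = check_spf(bot_ip, "example-victim.invalid")
    print("SPF result for the bot:", result)
    for checks in (True, False):
        print("receiver checks SPF =", checks, "->", receiver_outcome(result, checks, False))
```

The bot’s address gets a hard fail, but the second line of output is the one that matters for the count of bounces: at a receiver that does not evaluate SPF the result is never consulted, the message is accepted, and the non-delivery report comes back to the forged domain exactly as before.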

  212. Dewy,

    I’ve been doing battle with comment spammers for quite a while now.  It got so bad at one point that I banned the entire “.info” TLD, since all I was getting from there were spam comments and spam referrers.  But with this whole discussion about the TenTenTwelveCorp spams, I removed the block, since there were some legitimate comments from people using domains in “.info”. 

    Since then, a few have been filtering through and I have to keep adding them one-by-one to the blacklist. 

    The real damage is done by the idiot referrer spammers, though.  Not content with simply getting their info in the referrer logs, they want to get them in there multiple times and they use botnets to do it.  If I don’t block them in .htaccess they chew up huge amounts of CPU on the server, since each request requires invoking PHP and establishing a database connection.  At one point I was logging over 20,000 denied referrers per day.  Now it’s down to 1700-1800 per day, as they’re slowly learning that a) I don’t display referrers at all and b) most of their crap gets a 403 (not that they’re checking).

  213. Kim says:

    Aubrey – do you have access to your .htaccess file? I have a custom .htaccess file that blocks referrer spam (by keyword) as well as blocking certain countries (Ukraine, China, Russia). Let me know if you want it.

  214. Kim,

    Thanks for the offer, but I’ve already got a pretty extensive set of .htaccess filters.  pMachine maintains a master blacklist that I can download through the Expression Engine Blacklist Module.  Further, the Blacklist Module will write the blacklist to .htaccess for me. 

    So I regularly download the pMachine list as well as adding other offenders as I encounter them.  Like you, I’ve added several entire countries to avoid some of the worst offenders.

    While there are a lot of keywords in the blacklist, I’ve come to conclude that keywords don’t do much good anymore, as the spammers constantly change spellings.  Mostly these days I just filter on domain.  I have a daily referrer report that I examine to find sites that have hit mine an excessive number of times and/or with an excessive number of variations (a trick they use to try to avoid showing up as an abusive referrer).  The other trick they use is to create innocent sounding domains and then put redirects to their sites, thereby avoiding all clues as to their actual purpose in the referrer.

    The problem, though, with the last one to get through, is that it used fairly common words in the URL and used text stolen from elsewhere.  If I were to ban the keywords “gambling” or “casino”, for example, that would make it difficult to talk about legitimate topics.  So I just banned the URL.

  215. Kim says:

    those blacklist modules sound good. As my website is basically html and php (don’t have a blog engine or anything) I can’t have any automated lists like that. I basically have to check the referrals manually (using a php stat page) and add them one by one manually. You’re right – there are a few normal sounding referrers that still get through 🙁

    *sigh* It’s just another annoyance – like this pump/dump spam bounce backs 🙁  (sorry, getting back on topic) smile

  216. Neil wrote:  “It is virtually impossible to verify the existence of a FULL email address, without actually sending it email and having someone write back and say “Yup, I got that mate!””

    If that were true, why are we getting bounces for addresses that don’t exist?  Clearly the ISP or E-mail host must know whether an E-mail address is valid at the domain, right?  So why can’t it be taken the next step and have the back-check?

    For reference, here’s a block comment from a program that I worked on:

    //
    // SMTP Simplified.
    //
    // Basically SMTP consists of making a tcp/ip connection to an SMTP server, sending some ASCII command
    // lines, collecting ASCII responses, and disconnecting the tcp/ip connection.
    //
    // for the most part, SMTP servers will accept connections from anyone, but finding the morally correct
    // server is your own problem.
    //
    // Responses from the server are ASCII strings similar to modem responses, starting with a 3 digit number
    // followed by some human readable description.  In fact, the code below doesn't really bother to
    // parse the result strings, coz this isn't a fancy schmancy mail program.
    //
    // The overall protocol for simply sending a message is:
    //
    // 1.) connect to server
    //
    // 2.) wait for its greeting
    //     "xxx This is a server"
    //
    // 3.) send HELO with your domain name
    //
    //     "HELO mpath.com[crlf]"
    //
    // 4.) wait for an OK
    //     "250 OK"
    //
    // 5.) Tell the server you want to send a letter and your return address (in angle brackets)
    //     and wait for OK.
    //
    //     "MAIL FROM:<[email protected]>[crlf]"
    //     "250 OK"
    //
    // 6.) Tell the server to whom the mail should go (repeat for each recipient, in angle brackets)
    //
    //     "RCPT TO:<[email protected]>[crlf]"
    //     "250 OK"  (or 550 failure, 251 will forward, 551 pls fwd)
    //
    // 7.) Send the body of the letter as ascii lines, ending with line containing only a period.  Special
    //     tags are recognized for subject, to: cc: and other fields
    //
    //     "DATA[crlf]"
    //     "354 go ahead with your letter"
    //     "Subject: my optional subject[crlf]"
    //     "hi there, this is my mail.  It is "
    //     "possible that I should not include angle"
    //     "brackets or some other characters in the"
    //     "body of the letter, but I didn't read the"
    //     "spec that far"
    //     [crlf].[crlf]
    //     "250 OK your mail will be sent"
    //
    // 8.) Disconnect the tcp/ip session.  you're done!

    So why can’t an ISP read the From address from incoming E-mail and run steps 1-6 using that address back to the From domain?  If the domain SMTP server responds that the From address is legal, terminate the connection and deliver the E-mail; if the SMTP server responds with an error, bounce the E-mail.

    If the domain doesn’t respond, the E-mail is queued until it does respond.  After a while, if the domain doesn’t respond, give up and bounce it.  Some of the bounces I’ve gotten have messages saying “I’ve tried to deliver the E-mail, but couldn’t so I’ve given up.”  This sounds like the other side of the same coin.

    I’m sure the above “simplified” explanation glossed over something that I’m missing.  Although I’m an experienced programmer, I’m not an Internet protocol expert, so feel free to let me know what I’m missing (but in relatively jargon-free English).  smile
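
The eight steps in the comment above, and the “run steps 1-6 back to the From domain” check proposed after it, can both be exercised without a network. The following is an added example, not code from the thread or from any participant: ToySmtpServer is a hypothetical in-memory state machine that gives the reply codes the comment lists (plus the 252 that Neil’s point about VRFY describes), send_message is a client walking the eight steps, and smtp_callback is the sender-verification probe of comment 216 run against a domain that only knows the user steve, once with and once without a catch-all. All addresses and hostnames are constructed .invalid names.

```python
from typing import Callable, List, Optional, Tuple

def _addr(arg: str) -> str:
    """'FROM:<fred@example.invalid>' -> 'fred@example.invalid' (and '<>' -> '')."""
    return arg.split(":", 1)[1].strip().strip("<>")

class ToySmtpServer:
    """In-memory model of one SMTP session on a receiving MTA. Constructed for this
    example; it reproduces the reply codes of the commands in the comment above,
    not any real MTA. known_users are the mailboxes that exist at domain; with
    catch_all=True the domain answers 250 to RCPT TO for any local part."""

    def __init__(self, domain: str, known_users: List[str], catch_all: bool = False):
        self.domain = domain.lower()
        self.known = {u.lower() for u in known_users}
        self.catch_all = catch_all
        self.helo_done = False
        self.mail_from: Optional[str] = None
        self.rcpts: List[str] = []
        self.in_data = False
        self.data_lines: List[str] = []
        self.delivered: List[Tuple[str, List[str], str]] = []   # (sender, rcpts, body)

    def greeting(self) -> str:
        return "220 %s ESMTP service ready" % self.domain

    def handle(self, line: str) -> Optional[str]:
        """Process one client line; return the server reply (None inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.mail_from or "", list(self.rcpts), "\n".join(self.data_lines)))
                self.mail_from, self.rcpts, self.data_lines = None, [], []
                return "250 OK: queued"
            self.data_lines.append(line[1:] if line.startswith("..") else line)   # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo_done = True
            return "250 %s" % self.domain
        if not self.helo_done:
            return "503 Bad sequence of commands"
        if verb == "MAIL":
            self.mail_from, self.rcpts = _addr(arg), []
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Bad sequence of commands"
            addr = _addr(arg)
            local, _, dom = addr.rpartition("@")
            if dom.lower() != self.domain:
                return "550 Relaying denied"            # this box is not an open relay
            if self.catch_all or local.lower() in self.known:
                self.rcpts.append(addr)
                return "250 OK"
            return "550 No such user here"
        if verb == "VRFY":
            # The cooperative answer spammers harvested with is gone: a modern MTA
            # replies 252 whether or not the mailbox exists.
            return "252 Cannot VRFY user, but will accept message and attempt delivery"
        if verb == "DATA":
            if not self.rcpts:
                return "503 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.mail_from, self.rcpts = None, []
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

def send_message(server: ToySmtpServer, helo: str, mail_from: str, rcpt_to: str,
                 body: List[str]) -> List[Tuple[str, str]]:
    """Steps 1-8 of the comment above, as the client. Returns the transcript."""
    transcript = [("S", server.greeting())]
    def cmd(c: str) -> str:
        transcript.append(("C", c))
        reply = server.handle(c)
        if reply is not None:
            transcript.append(("S", reply))
        return reply or ""
    cmd("HELO %s" % helo)
    cmd("MAIL FROM:<%s>" % mail_from)
    if not cmd("RCPT TO:<%s>" % rcpt_to).startswith("250"):
        cmd("QUIT")                                     # 550: nothing to send
        return transcript
    cmd("DATA")
    for text in body:
        cmd(text)
    cmd(".")
    cmd("QUIT")
    return transcript

def smtp_callback(sender: str, resolve_mx: Callable[[str], Optional[ToySmtpServer]]) -> bool:
    """Sender-address verification ('SMTP callback'): open a session to the MX of
    the sender's domain, ask via RCPT TO whether it would accept mail for that
    address, then abandon the session so nothing is delivered. resolve_mx stands
    in for the MX lookup plus TCP connect. True means the MX answered 250."""
    _, _, domain = sender.rpartition("@")
    mx = resolve_mx(domain)
    if mx is None:
        return False
    mx.handle("HELO verifier.example.invalid")
    mx.handle("MAIL FROM:<>")                           # null sender, as a bounce uses
    ok = (mx.handle("RCPT TO:<%s>" % sender) or "").startswith("250")
    mx.handle("RSET")
    mx.handle("QUIT")
    return ok

if __name__ == "__main__":
    forged = "zq8k2m@example-victim.invalid"            # random local part, as the spammer forges
    strict = ToySmtpServer("example-victim.invalid", ["steve"])
    catch_all = ToySmtpServer("example-victim.invalid", ["steve"], catch_all=True)
    print("strict MX vouches for forged sender?   ", smtp_callback(forged, lambda d: strict))
    print("catch-all MX vouches for forged sender?", smtp_callback(forged, lambda d: catch_all))
```

Two things the run shows. First, the callback only ever learns what the forged domain’s MX is willing to say at RCPT TO: a catch-all domain (or any MX that answers 250 to everything to defeat dictionary harvesting, as comment 220 notes) vouches for a made-up local part just as readily as for a real one. Second, every callback is itself a new inbound connection to the forged domain, so a receiver doing this against a joe-jobbed domain adds to that domain’s load on top of the bounces.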

  217. Matthew, I also got several De Greko bounces that didn’t contain GIFs.  Those are easy to filter, though.

    I’m now up to 415 bounces/challenges/etc. since April 13.  This is the worst I’ve been hit since I got my own domain about three years ago.  There were some idiots sending me two spams every 30-45 minutes for a day or so, but I was able to bounce them because they were all sent from the same two domains.  I don’t know where to start with these.

  218. Anonymous says:

    Steve #216: the strategy you’re describing is a bad idea from the late 1990s called “SMTP callback.”  You can read about it in this thread: http://groups.google.com/[email protected]

  219. Tacie says:

    Greetings and thank you for all of your information – I’ve learned a lot.  Many thanks to Aubrey for turning this into an open forum. It looks like we – I say we because it’s actually my Beloved’s site and computer – are on the receiving end of all forms of this abuse.  We get the spam and his name has been hijacked and we’re getting the bounce backs.  On the downside (yes, it gets worse) he thinks his computer has become a slave on the botnet.  It has all the classic symptoms – degraded performance, hard drive chugging away when no one is using the computer.  And the BEST part is the Java.Trojans that are being tenacious in our cleaning efforts (like that piece of string on the carpet that just WON’T get sucked up).

    He’s going to reimage the PC, but I convinced him to wait a bit to see if Neil could use any of the viruses that have contaminated our computer.  We are being prevented from updating Trend to get rid of the buggers.  Here’s the list.  This is from bitdefender.com

    Starting with Java.Trojan.
    Exploit.Bytverify
    ClassLoader.K
    Femad.A
    Femad.B

    Starting with Trojan.
    LowZones
    Fakealert.AW
    Mitglideder.AB
    PWS.Sinowal.K
    PWS.Sinowal.M
    PWS.Sinowal.N

    MemScan:Trojan.Small.W
    Exploit:Win32.MS05-002.Gen

    Maybe one of these will help.  Lesson learned the hard way.
    Have a great day!  Tacie

  220. Thanks for that link Anonymous #218.  It sounds like it would have been a good idea a few years ago, but now many mail servers lie at first and say the E-mail address exists to foil dictionary attacks by spammers trying to harvest real E-mail addresses.  <sigh>

    Spammers should be castrated, then drawn and quartered.  Phishers should be castrated, set on fire, then drawn and quartered.

  221. Anonymous says:

    Steve, I don’t think “SMTP callback” ever would have been a good idea.  Even if it could work perfectly, exactly as intended… the intention was to require every sender to give SOMEONE’s real address, but not necessarily his OWN real address.  It’s just pseudo-security, and an incentive for identity fraud.  A similar kind of pseudo-security, using DNS instead of SMTP (explained by Neil in part #2 of post #199) is what encouraged this criminal to forge our domains.

  222. Unknown says:

    I’ve given up all hope now.

    Catch-All is now disabled. I’m also bouncing the bounces – Might as well give someone else a problem – Hehehehe