contact for the world etc (nanog)

David A.Ulevitch davidu at everydns.net
Tue Dec 14 19:29:20 UTC 2004 

> The text the guy cites isn't from our staff, we don't even have an
> auto-ack system. Maybe it's from some customer or maybe entirely
> forged, he doesn't include any headers and seems to just want to vent.
>

Barry, we can follow up offlist.

Here's the full text of the email (one of a quite a few just yesterday).

I'm unsure how abuse desks are supposed to even deal with things like 
this.  We've plonked the user but we have no way to let you know.  We 
also have no way of getting you to actually email abuse at everydns.net 
instead of my personal email address.

-davidu

---EOF---
Received: (qmail 25489 invoked by uid 114); 14 Dec 2004 06:15:37 -0000
Received: from 192.74.137.144 by fiona (envelope-from 
<roky at TheWorld.com>, uid 106) with qmail-scanner-1.24
  (clamdscan: 0.80/614. spamassassin: 3.0.1.
  Clear:RC:0(192.74.137.144):SA:0(4.4/5.0):.
  Processed in 3.873291 secs); 14 Dec 2004 06:15:37 -0000
X-Spam-Status: No, hits=4.4 required=5.0
X-Spam-Level: ++++
Received: from pcls4-e.std.com (HELO TheWorld.com) (192.74.137.144)
   by secure.perfectemail.net with SMTP; 14 Dec 2004 06:15:33 -0000
Received: (from roky at localhost)
	by TheWorld.com (8.12.8p1/8.12.8) id iBE6ACu2008864;
	Tue, 14 Dec 2004 01:10:12 -0500
Date: Tue, 14 Dec 2004 01:10:12 -0500
Message-Id: <200412140610.iBE6ACu2008864 at TheWorld.com>
To: lkioexiomixfu at beograd.every1.net
References: <7972491103005094 at CPE-65-27-11-91.kc.rr.com>
In-Reply-To: <7972491103005094 at CPE-65-27-11-91.kc.rr.com>
From: MAILER-DAEMON at theworld.com (Mail Delivery Subsystem)
Subject: EVERYDNS piracy spams not allowed
X-Mailer: SpamStopper
Cc: uce at ftc.gov, security at level3.net, davidu at everydns.net


This is an automated mailing in response to your spamvertisement for
pirated software - and porn websites purporting to depict images of 
rape.

If you are receiving this message it is likely because you are a 
spammer.

Perhaps you host the site of the spammer, last seen at 147.45.35.145
(APPZPLANET.COM; APPZPLA.NET).  Then, you are a spammer.

DNS for this netblock is owned by free.net/run.net, administered by 
hobot.ru,
and zone-transferred by hobot.ru (possibly illegally) to EV1.NET's 
spammer-
service subsidiary "EVERYDNS.NET" - also known as freelooklist.com,
perfectemail.net, stayoff.org, etc.

domain:     HOBOT.RU
type:       CORPORATE
nserver:    ns1.everydns.net.
nserver:    ns2.everydns.net.
nserver:    ns3.everydns.net.
nserver:    ns4.everydns.net.
state:      REGISTERED, DELEGATED
person:     MAXIM N PONIZOVTSEV
phone:      +7 095 7967750
e-mail:     ripn at hobot.ru
registrar:  RUCENTER-REG-RIPN
created:    2000.04.03
paid-till:  2005.05.01
source:     TC-RIPN

ns1.everydns.net has address 64.158.219.3
ns2.everydns.net has address 216.218.240.206
ns3.everydns.net has address 80.84.249.169
ns4.everydns.net has address 63.219.183.200

EVERYDNS.NET however is currently aliased to fiona.everybox.com at 
64.158.219.9.

64.158.219.0/24 is the responsible party for these and a huge number of 
other
recent spams that tout illegal and fraudulent products, services and 
content.

OrgName:    Co-Location.com Inc.
OrgID:      COLOC-1
Address:    333 S. Beverly Drive
Address:    Suite 207
City:       Beverly Hills
StateProv:  CA
PostalCode: 90212
Country:    US

NetRange:   64.158.219.0 - 64.158.219.255
CIDR:       64.158.219.0/24
NetName:    COLOC1-LVLT-64-158-219
NetHandle:  NET-64-158-219-0-1
Parent:     NET-64-152-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2004-05-24
Updated:    2004-05-24

OrgTechHandle: TECHN143-ARIN
OrgTechName:   Technical
OrgTechPhone:  +1-310-286-1107
OrgTechEmail:  Support at co-location.com


This spammer has been scanning networks worldwide in order to exploit
any found "open SMTP proxies".  He is also documented to have broken
into zombied machines to use their DSL connections for spam transmission
and, as previously stated, transferring DNS zones to mask the origins of
both his spams and websites.

Thus a spammer, a software pirate AND a burglar.

A criminal, in any event.

The unread message which you just sent to an unassigned address on our
network, and which follows, has already been sent to law enforcement
authorities.

Hopefully you will be sent to them as well, shortly.


[Administrators and legal/investigative officials reading this:
We urge you to consider a course of action which will result in
termination of all services to the above-referenced hosts and
netblocks as soon as administratively possible - a more permanent
solution pending completion of any additional investigation.

Regarding those investigations we may be counted upon to furnish
any additional documentation we can offer to assist in prosecution,
and to ensure civil liability.]

    ----- Original message follows, unread -----

 From lkioexiomixfu at beograd.every1.net Tue Dec 14 01:10:11 2004
Received: from CPE-65-27-11-91.kc.rr.com (CPE-65-27-11-91.kc.rr.com 
[65.27.11.91])
	by TheWorld.com (8.12.8p1/8.12.8) with ESMTP id iBE69kja005923
	for <roky at world.std.com>; Tue, 14 Dec 2004 01:09:47 -0500
Received: from unknown (HELO localhost) (127.0.0.1)
     by localhost.edit.com with SMTP; Tue, 14 Dec 2004 06:18:14 +0000
Received: from 149.55.161.220 (149.55.161.220[149.55.161.220])
        by CPE-65-27-11-91.kc.rr.com (IMP) with HTTP
        for <roky at world.std.com>; Tue, 14 Dec 2004 06:18:14 +0000
Message-ID: <7972491103005094 at CPE-65-27-11-91.kc.rr.com>
From: "Mike" <lkioexiomixfu at beograd.every1.net>
To: "Benny" <roky at world.std.com>
Subject: Any software backups for lowest pricest.
Date: Tue, 14 Dec 2004 06:18:14 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.2
X-Originating-IP: 149.55.161.220

<HTML><html>
<body>
<P>2005 is just a few days away. Start the new year with a much needed 
software
upgrade:</P>
<P>Tired of your old Windows system? Get XP Professional here for only 
$33 ($170
cheaper than stores):<BR><A 
href="http://down.cd/">http://down.cd/</A></P>
<P>Your old Office program no longer state of the art? Get the superb 
Office
2003 here for $38 less than retail:<BR><A
href="http://down.cd/">http://down.cd/</A></P>
<P>View our full software selection. Whether you need new virus 
software, art
and graphical software or anything else,<BR>we have it - and so much 
cheaper
than the stores. =)</P>
<P><A href="http://down.cd/">http://down.cd/</A> or <A
href="http://backups.cd/">http://backups.cd/</A></P>
</body>
</html>
</HTML>


!DSPAM:41be850e33244928411552!

More information about the NANOG mailing list