
EMP - BI>28200 - Matt Middleton's dedicated spam-feed through newsfeed.poshnet.com [2]


use...@newssource.hostcomm.net

Oct 6, 1998, 3:00:00 AM
to David Ritz
David Ritz

I'm sorry I was unable to respond before today. About this
problem with poshnet,

1. We are only a bandwidth provider for them, which includes a full news
feed.
2. Who they feed with and what they do with their news box is not our
business.
3. This is the first and ONLY complaint we have ever had with them
and we will send them an email.

From what we understand they are trying to build an open news server like
Dejanews.

We are not affiliated or know who Mr. Middleton is or Empire2. Please do
not tarnish our good name, we have never had a spam problem and we have
done everything to put an end to spam on our boxes.

From what we have seen there is no nwregion.net or a newsbox associated
with it.

Thank you,
Sean Morrow
News Administrator


On Tue, 6 Oct 1998, David Ritz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Dear XCOM and MAZ Mikroelektronik Administrator(s),
>
> It appears you have been duped into accepting particularly egregious
> spam-feed from Matt Middleton's Empire2 spam operation. I, too,
> was apparently fooled into thinking newsfeed.poshnet.com and
> newssource.hostcomm.net were part of legitimate operations. This
> is why you did not receive my original report on this matter.
>
> "Newsgroups: news.admin.net-abuse.sightings
> "Date: Thu, 1 Oct 1998 19:07:29 -0700
> "From: David Ritz <dr...@primenet.com>
> "To: ab...@poshnet.com, webm...@POSHNET.COM, use...@poshnet.com
> "cc: ab...@hostcomm.net, use...@hostcomm.net, webm...@hostcomm.net,
> " er...@haydenisland.verio.net
> "Subject: Matt Middleton's dedicated spam-feed through newsfeed.poshnet.com
> "Message-ID: <Pine.BSI.3.96.98100...@usr10.primenet.com>
> "Followup-To: news.admin.net-abuse.usenet
>
> >>>> (see <http://www.dejanews.com/getdoc.xp?AN=396899960&fmt=raw>)
>
> While I received one message from "Mark Flower"
> <webm...@poshnet.com>, it appears he was playing dumb.
>
> - ---------- Begin forwarded message ----------
> X-Sender: webm...@poshnet.com
> Date: Fri, 02 Oct 1998 09:44:36 -0700
> To: David Ritz <dr...@primenet.com>
> From: WebMaster <webm...@poshnet.com>
> Subject: Re: Matt Middleton's dedicated spam-feed through
> newsfeed.poshnet.com
> Mime-Version: 1.0
>
> David,
>
> I don't know who nwregion.net is, and I don't feed with them. I run an
> open news server for the web. I also don't know who Mr. Middleton is, I
> will check with my news admin and see what he can tell me about people
> using my box for spam.
>
> Thank you,
>
> Mark Flower
>
>
> At 07:07 PM 10/1/98 -0700, you wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >Dear Administrator(s),
> >
> > It's come to my attention that Posh Net has recently acquired a
> > fulltime spam-feed as a downstream account. While this site is
> > only identified by a bogus path entry, I have to assume that this
> > is Matt Middleton's nwregion.net or some variant of it. There are
> > several other possible names, which Middleton may be using, though
> > it is without a doubt the handiwork of Middleton.
>
> [snip full quote-back of my initial report]
>
> - ----------- End forwarded message -----------
>
> HostComm has not responded.
>
> At this time, it is abundantly clear that PoshNet.com is peering
> with, and may be part of, Middleton's spam operation. It also
> appears that HostComm.net may be in the same situation.
>
> My statements are based on these facts:
>
> 1) PoshNet is accepting IHAVE or TAKETHIS from Middleton,
> allowing him to forge NNTP-Posting-Host and stamp
> whatever he pleases as a Path entry. This is a peering
> relationship which is denied and ignored.
>
> 2) While PoshNet claims to be running a web-based news
> service, there are virtually no articles being posted to
> it. While preparing this report, I was able to locate
> four (4) articles which were posted to PoshNet, this
> morning, while the rest of the feed is exclusively
> Middleton's EMP spam.
>
> 560: 1732 1.0000 newsfeed.poshnet.com
> 561: 1509 1.4142 newsfeed.poshnet.com
> 562: 2103 1.4142 newsfeed.poshnet.com
> 563: 3223 2.2361 newsfeed.poshnet.com
>
> 3) While I noted there was at least one post made to
> HostComm on Saturday, this is not the case, today. All
> traffic through newssource.hostcomm.net appears to be
> their feed from PoshNet, with its all-spam, all the time
> feed from the Middleton organization.
>
> At this time, I would request routing these feeds to /dev/null.
> Please approach any peering requests coming from within
> Structured.net cyber-turf with extreme caution. Their record, on
> matters surrounding their rogue net-abuse accounts, stinks of
> tinned processed pink pork.
>
> Please drop this spam-feed, immediately.
>
> ========================================================================
> Overall view of spam-feed through newsfeed.poshnet.com
> ========================================================================
> Posting summary for newsfeed.poshnet.com (approximately 5 days)
>
> 1: 55617 1.0000 "Herod" <Palace@Jeru 212.212.95.38
> alt.binaries.picture My Tight Wetness 6 Oct 1998 15:12:50
> 2: 74454 1.0000 dspoo...@aol.edu ( 207.139.239.62
> alt.binaries.picture Amber221.jpg - [1/1] 6 Oct 1998 15:12:39
> 3: 47627 1.0000 "xcj" <xcj@hotmail.e 194.168.237.22
> alt.binaries.picture free, radical sex pi 6 Oct 1998 15:12:49
> 4: 65700 1.0000 "NOSPAM@xswmxatlx"@a 132.203.222.171
> alt.binaries.picture MrsBreeze C8 6 Oct 1998 15:12:46
> 5: 85935 1.0000 k...@smart.org (KAZ V 207.76.102.5
> alt.bainaries.pictur 250 MWBiM inexp seek 6 Oct 1998 15:12:21
> <...>
> 29094: 45005 1.0000 newsfeed.poshnet.com
> 29095: 176994 1.0000 newsfeed.poshnet.com
> 29096: 57188 1.0000 newsfeed.poshnet.com
> 29097: 74215 1.0000 newsfeed.poshnet.com
> 29098: 40460 1.0000 newsfeed.poshnet.com
> TOTALS ------- -------
> 29098: 1931366655 29107.8053
>
> ========================================================================
> Comparison of articles received from "dawteck", PoshNet and HostComm
> ========================================================================
> Posting summary for Path element "dawteck" (1998.10.06)
>
> 1: 127077 1.0000 Str...@Erotica.org 209.3.119.94
> alt.sex.escorts.ads. !! FREE Porno LINKS 6 Oct 1998 15:11:33
> 2: 64892 1.0000 he...@ilovecelebs.edu 207.180.218.70
> alt.sex.masturbation Real GF - close-up p 6 Oct 1998 15:11:50
> 3: 127261 1.0000 "# Alicia" <zelin*no 167.79.91.99
> alt.sex.exhibitionis beastiality sex pict 6 Oct 1998 15:11:34
> 4: 40598 1.0000 sa...@hells.com (The 207.76.102.29
> alt.binaries.nude.ce grandma masturbation 6 Oct 1998 15:10:29
> 5: 311454 1.0000 darkdungeon@adultser 206.245.136.25
> alt.binaries.fetish. nude girls from mala 6 Oct 1998 15:10:29
> <...>
> 1392: 56718 1.0000 dawteck
> 1393: 39643 1.0000 dawteck
> 1394: 89667 1.0000 dawteck
> 1395: 49469 1.0000 dawteck
> 1396: 127142 1.0000 dawteck
> TOTALS ------- -------
> 1396: 92986823 1396.0000
>
> ========================================================================
> Posting summary for Path element newsfeed.poshnet.com (1998.10.06)
>
> 1: 26993 1.0000 cr...@mrnatural.net 212.254.0.113
> alt.binaries.picture visit OUR site - ann 6 Oct 1998 15:10:32
> 2: 22685 1.0000 Steve Oliver <boyceo 209.142.31.103
> alt.binaries.picture >-> J is for Jizz -S 6 Oct 1998 15:10:33
> 3: 34128 1.0000 Le...@Re.Post 155.48.90.107
> alt.binaries.picture T-Bone's Payback Par 6 Oct 1998 15:10:33
> 4: 30141 1.0000 1v5...@s73uk4iu.net 161.226.90.64
> alt.binaries.picture Legs - legs5.jpg (1/ 6 Oct 1998 15:10:32
> 5: 34151 1.0000 The 207.253.0.213
> <...>
> 1401: 56718 1.0000 newsfeed.poshnet.com
> 1402: 39643 1.0000 newsfeed.poshnet.com
> 1403: 89667 1.0000 newsfeed.poshnet.com
> 1404: 49469 1.0000 newsfeed.poshnet.com
> 1405: 127142 1.0000 newsfeed.poshnet.com
> TOTALS ------- -------
> 1405: 93723414 1407.0645
>
> ========================================================================
> Posting summary for Path element newssource.hostcomm.net (1998.10.06)
>
> 1: 25426 1.0000 9fe...@dgqby0iu.com 11111.com
> test twdyha6wj1k14h1vkko2 6 Oct 1998 05:05:16
> 2: 32035 1.0000 "oooALI-BABA!!!" <do 206.28.37.158
> alt.binaries.erotica no spam nice ass rep 6 Oct 1998 05:05:17
> 3: 25920 1.0000 tas...@earthlink.or 166.72.73.127
> alt.binaries.erotica Nice pixYs - aino35. 6 Oct 1998 05:05:17
> 4: 93214 1.0000 T-B...@TAKEAGUESS.CO 194.65.251.63
> alt.binaries.erotica Nice pixYs - cute197 6 Oct 1998 05:05:18
> 5: 131450 1.0000 "carol j." <sweethal 204.179.134.132
> <...>
> 1400: 56718 1.0000 newssource.hostcomm.net
> 1401: 39643 1.0000 newssource.hostcomm.net
> 1402: 89667 1.0000 newssource.hostcomm.net
> 1403: 49469 1.0000 newssource.hostcomm.net
> 1404: 127142 1.0000 newssource.hostcomm.net
> TOTALS ------- -------
> 1404: 93640912 1406.0645
>
> ========================================================================
> Samples of EMP
> Note: Bangs (!) have been added ahead of equals (=), to negate MIME.
> ========================================================================
> _________________________________________________________________
> Path: newstank.sol.net!ix.netcom.com!newsfeed.xcom.net!newssource.host
> comm.net!newsfeed.poshnet.com!dawteck!not-for-mail
> From: Ret...@unch.edu
> Newsgroups: alt.binaries.pictures.erotica.amateur.facials
> Subject: Horniest girls creamy big butts - r05.jpg (1/1)
> Date: 6 Oct 1998 13:12:53 GMT
> Lines: 2088
> Message-ID: <6vd5jf$ac$36...@news.dawteck.net>
> NNTP-Posting-Host: 209.142.22.114
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary!="----------!=_907679410-31293-4
> 29"
>
> This is a multi-part message in MIME format...
>
> ------------!=_907679410-31293-429
> Content-Type: text/html
> Content-Disposition: inline
> Content-Transfer-Encoding: base64
> Content-Length: 468
>
> PGh0bWw+CjwhLS0gISE2ZiEhIC0tPgo8ZnJhbWVzZXQgY29scz0iMCwxMDAl
> IiBib3JkZXI9IjAiIGZyYW1lc3BhY2luZz0iMCIgZnJhbWVib3JkZXI9IjAi
> Pgo8ZnJhbWUgc3JjPSIiIHNjcm9sbGluZz0ibm8iIG5vcmVzaXplIG5hbWU9
> Ik1lbnUiPgo8ZnJhbWUgc3JjPSJodHRwOi8vMjA2LjU4LjIxNC43MC9pbmRu
> MS5odG1sIiBuYW1lPSJNYWluIiBzY3JvbGxpbmc9ImF1dG8iIG5vcmVzaXpl
> Pgo8bm9mcmFtZXM+Cjxib2R5IG9uTG9hZD0id2luZG93LmxvY2F0aW9uPSdo
> dHRwOi8vMjA2LjU4LjIxNC43MC9pbmRuMS5odG1sJyI+CjwvYm9keT4KPC9u
> b2ZyYW1lcz4KPC9mcmFtZXNldD4KPC9odG1sPgo!=
>
> ------------!=_907679410-31293-429
> Content-Type: image/jpeg
> Content-Disposition: inline
> Content-Transfer-Encoding: base64
> Content-Length: 125827
>
> [snip JPEG]
> ________________________________________________________
>
> Information related to this article:
> Approximate time article was received: 06-Oct-98 13:20:00 GMT
>
> _________________________________________________________________
> Path: newstank.sol.net!204.127.161.3.MISMATCH!wn3feed!worldnet.att.net
> !207.97.14.174!europa.clark.net!4.1.16.34!cpk-news-hub1.bbnplanet.com!
> news.bbnplanet.com!news-fra.maz.net!newssource.hostcomm.net!newsfeed.p
> oshnet.com!dawteck!not-for-mail
> From: ">>>>>Amber" <ambers...@ucla.dorms.net>
> Newsgroups: alt.binaries.erotica.pornstar
> Subject: [ASW]215ac mwm iso taller female
> Date: 6 Oct 1998 06:30:18 GMT
> Lines: 930
> Message-ID: <6vcdlt$ac$11...@news.dawteck.net>
> NNTP-Posting-Host: 208.2.126.193
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary!="----------!=_907655402-13565-2
> "
>
> [snip binaries]
> ________________________________________________________
>
> Information related to this article:
> Approximate time article was received: 06-Oct-98 06:30:00 GMT
>
> _________________________________________________________________
> Path: newstank.sol.net!204.127.161.3.MISMATCH!wn3feed!worldnet.att.net
> !207.97.14.174!europa.clark.net!208.134.241.18!newsfeed.cwix.com!209.2
> 44.253.199!newsfeed.xcom.net!newssource.hostcomm.net!newsfeed.poshnet.
> com!dawteck!not-for-mail
> From: Shywife@Her_Site_Waiting_For_U_To.cum
> Newsgroups: alt.binaries.pictures.erotica.redheads
> Subject: New hot danish hardcore
> Date: 6 Oct 1998 15:11:01 GMT
> Lines: 1451
> Message-ID: <6vdcbu$ac$47...@news.dawteck.net>
> NNTP-Posting-Host: 209.17.212.127
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary!="----------!=_907686606-4504-20
> 8"
>
> [snip binaries]
> ________________________________________________________
>
> Information related to this article:
> Approximate time article was received: 06-Oct-98 15:15:00 GMT
>
> ========================================================================
> Untitled HTML (base64 decoded - dritz)
> ========================================================================
> <html>
> <!-- !!6f!! -->
> <frameset cols="0,100%" border="0" framespacing="0" frameborder="0">
> <frame src="" scrolling="no" noresize name="Menu">
> <frame src="http://206.58.214.70/indn1.html" name="Main" scrolling="auto" noresize>
> <noframes>
> <body onLoad="window.location='http://206.58.214.70/indn1.html'">
> </body>
> </noframes>
> </frameset>
> </html>
>
> ========================================================================
> Analysis of spammed site
> ========================================================================
> usr10# nslookup 206.58.214.70
> Server: dns1.primenet.net
> Address: 206.165.5.10
>
> Name: www.123adult.com
> Address: 206.58.214.70
> Aliases: 70.214.58.206.in-addr.arpa
>
> ]traceroute to 123adult.com (206.58.214.70)
> <...>
> ]15 pdx-bordercore2-fe4-0.or.nw.verio.net (205.238.52.195) hostm...@verio.net
> ]16 pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) hostm...@rain.net
> ]17 core02.hssi5.pdxfiber.net (206.58.1.26) hostm...@structured.net
> ]18 206.58.33.210 (206.58.33.210) postm...@structured.net
> ]19 206.58.214.70 (206.58.214.70) hostm...@structured.net
>
> usr10# soa 123adult.com
> Server: dns1.primenet.net
> Address: 206.165.5.10
>
> 123adult.com
> origin = ns.empire2.com
> mail addr = root.dnssource.net
> serial = 85
> refresh = 10800 (3 hours)
> retry = 3600 (1 hour)
> expire = 2952000 (34 days 4 hours)
> minimum ttl = 86400 (1 day)
> 123adult.com nameserver = ns.empire2.com
> 123adult.com nameserver = ns.dnssource.net
> ns.dnssource.net internet address = 206.58.210.97
>
> |[No name] (NS11441-HST)
> |
> | Hostname: NS.EMPIRE2.COM
> | Address: 206.58.218.10
> | System: ? running ?
> |
> | Coordinator:
> | Middleton, M (MM3141) d...@EMPIRE2.COM
> | 503.241.1091 (FAX) 503.241.1198
> |
> | Record last updated on 15-Jul-97.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
>
> |[No name] (NS49352-HST)
> |
> | Hostname: NS.DNSSOURCE.NET
> | Address: 206.58.210.97
> | System: ? running ?
> |
> | Coordinator:
> | Middleton, M (MM3141) d...@EMPIRE2.COM
> | 503.241.1091 (FAX) 503.241.1198
> |
> | Record last updated on 04-Sep-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
>
> |usr10# whois -h whois.arin.net 206.58.214.70
> |Structured Network Systems, Inc. (NETBLK-SNS-NET-5) SNS-NET-5
> | 206.58.0.0 - 206.58.255.255
> |A and M Enterprises (NETBLK-NET-AMENT) NET-AMENT 206.58.214.64 - 206.58.214.95
>
> |Structured Network Systems, Inc. (NETBLK-SNS-NET-5)
> | 15635 SE 114th Ave., Suite 201
> | Clackamas, OR 97015
> | US
> |
> | Netname: SNS-NET-5
> | Netblock: 206.58.0.0 - 206.58.255.255
> | Maintainer: SNS
> |
> | Coordinator:
> | Kozowski, Eric (EK9-ARIN) er...@HAYDENISLAND.VERIO.NET
> | +1 503 285 4125 (FAX) +1 503 283 4123
> |
> | Domain System inverse mapping provided by:
> |
> | NS.STRUCTURED.NET 206.58.0.34
> | NS.LI.NET 199.171.6.12
> |
> | ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
> |
> | Record last updated on 30-Aug-96.
> | Database last updated on 5-Oct-98 16:10:20 EDT.
>
> |A and M Enterprises (NETBLK-NET-AMENT)
> | 921 SW Washington, Suite 224
> | Portland, OR 97205
> | US
> |
> | Netname: NET-AMENT
> | Netblock: 206.58.214.64 - 206.58.214.95
> |
> | Coordinator:
> | Hostmaster, Structured (HS8-ORG-ARIN) hostm...@STRUCTURED.NET
> | +1 503 227 5665
> |Fax- +1 503 227 2945
> |
> | Record last updated on 11-Oct-97.
> | Database last updated on 5-Oct-98 16:10:20 EDT.
>
> |123 Enterprises (123ADULT2-DOM)
> | 1325 SE Oak St # 10
> | Hillsboro, OR 97123
> |
> | Domain Name: 123ADULT.COM
> |
> | Administrative Contact, Technical Contact, Zone Contact:
> | Peterson, M (MP4054) mp...@SNS-ACCESS.COM
> | 503.241.8510
> | Billing Contact:
> | Peterson, M (MP4054) mp...@SNS-ACCESS.COM
> | 503.241.8510
> |
> | Record last updated on 11-Jun-98.
> | Record created on 07-Aug-97.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
> |
> | Domain servers in listed order:
> |
> | NS.EMPIRE2.COM 206.58.218.10
> | NS.DNSSOURCE.NET 206.58.210.97
>
> |usr10# whois @empire2.com
> |Middleton, M (MM3141) d...@EMPIRE2.COM 503.241.1091 (FAX) 503.241.1198
> |Vilcauskas, Andrew (AV1538) dr...@EMPIRE2.COM 5036923719
> |Vilcus, andy (AV503) dr...@EMPIRE2.COM 503.299.3548
> |Vilcus, andy (AV504) dr...@EMPIRE2.COM 503.645.6757
>
> |Middleton, M (MM3141) d...@EMPIRE2.COM
> | AM Ent., Inc.
> | 921 SW Wahington, St.
> | Portland, Or 97205
> | 503.241.1091 (FAX) 503.241.1198
> |
> | Record last updated on 01-Sep-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
>
> |Vilcauskas, Andrew (AV1538) dr...@EMPIRE2.COM
> | Andrew Vilcauskas
> | 7305 sw delaware cir
> | tualatin,, OR 97062
> | 5036923719
> |
> | Record last updated on 01-Jun-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
>
> |Vilcus, andy (AV503) dr...@EMPIRE2.COM
> | AJV
> | 16552 NW argyle way
> | portland, OR 97229
> | 503.299.3548
> |
> | Record last updated on 24-Aug-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
>
> |Vilcus, andy (AV504) dr...@EMPIRE2.COM
> | AJV
> | 16552 NW argyle way
> | Portland, OR 97229
> | 503.645.6757
> |
> | Record last updated on 23-Feb-97.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
>
> |usr10# whois -h whois.arin.net Middleton, Matt
> |Middleton, Matt (MM3141-ARIN) ma...@EMPIRE2.COM
> | AM Enterprises of Portland, Inc.
> | 921 S.W. Washington St.
> | Suite 224
> | Portland, Or 97205
> | 503.241.1091 (FAX) 503.241.1198
> |
> | Record last updated on 08-Jul-97.
> | Database last updated on 5-Oct-98 16:10:20 EDT.
>
> |Empire Communications (NWREGION-DOM)
> | 921 sw washington street #224
> | portland, OR 97205
> |
> | Domain Name: NWREGION.NET
> |
> | Administrative Contact, Technical Contact, Zone Contact:
> | Middleton, M (MM3141) d...@EMPIRE2.COM
> | 503.241.1091 (FAX) 503.241.1198
> | Billing Contact:
> | Middleton, M (MM3141) d...@EMPIRE2.COM
> | 503.241.1091 (FAX) 503.241.1198
> |
> | Record last updated on 11-Jun-98.
> | Record created on 08-Jun-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
> |
> | Domain servers in listed order:
> |
> | NS.EMPIRE2.COM 206.58.218.10
> | NS.DNSSOURCE.NET 206.58.210.97
>
> |Empire Communications, Inc. (EMPIRE6-DOM)
> | 2875 NW Adagio Way
> | Hillsboro, OR 97124
> |
> | Domain Name: EMPIRE2.COM
> |
> | Administrative Contact, Technical Contact, Zone Contact:
> | Mitsu, A (AM7010) trod...@HOTMAIL.COM
> | 503-299-5617
> | Billing Contact:
> | Support, Abuse (AS8740) ab...@DNSSOURCE.NET
> | 503.241.1198 (FAX) 503.241.1198
> |
> | Record last updated on 11-Jun-98.
> | Record created on 30-Jul-96.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
> |
> | Domain servers in listed order:
> |
> | NS.EMPIRE2.COM 206.58.218.10
> | NS.DNSSOURCE.NET 206.58.210.97
>
> ========================================================================
> Analysis of spamfeed
> ========================================================================
> ]traceroute to poshnet.com (206.58.210.178)
> <...>
> ]15 pdx-bordercore2-fe0-0.or.nw.verio.net (205.238.52.185) hostm...@verio.net
> ]16 pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) hostm...@rain.net
> ]17 core02.hssi5.pdxfiber.net (206.58.1.26) hostm...@structured.net
> ]18 206.58.33.210 (206.58.33.210) postm...@structured.net
> ]19 * 206.58.210.178 (206.58.210.178) hostm...@structured.net
>
> usr10# soa poshnet.com
> Server: dns1.primenet.net
> Address: 206.165.5.10
>
> poshnet.com
> origin = ns.poshnet.com
> mail addr = root.poshnet.com
> serial = 98
> refresh = 10800 (3 hours)
> retry = 3600 (1 hour)
> expire = 2952000 (34 days 4 hours)
> minimum ttl = 86400 (1 day)
> poshnet.com nameserver = ns.poshnet.com
> poshnet.com nameserver = ns01.hostcomm.net
> ns01.hostcomm.net internet address = 206.58.210.34
>
> |usr10# whois -h whois.arin.net 206.58.210.178
> |Structured Network Systems, Inc. (NETBLK-SNS-NET-5)
> | 15635 SE 114th Ave., Suite 201
> | Clackamas, OR 97015
> | US
> |
> | Netname: SNS-NET-5
> | Netblock: 206.58.0.0 - 206.58.255.255
> | Maintainer: SNS
> |
> | Coordinator:
> | Kozowski, Eric (EK9-ARIN) er...@HAYDENISLAND.VERIO.NET
> | +1 503 285 4125 (FAX) +1 503 283 4123
> |
> | Domain System inverse mapping provided by:
> |
> | NS.STRUCTURED.NET 206.58.0.34
> | NS.LI.NET 199.171.6.12
> |
> | ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
> |
> | Record last updated on 30-Aug-96.
> | Database last updated on 5-Oct-98 16:10:20 EDT.
>
> |usr10# whois ns.poshnet.com
> |[No name] (NS56566-HST)
> |
> | Hostname: NS.POSHNET.COM
> | Address: 206.58.210.178
> | System: ? running ?
> |
> | Record last updated on 01-Sep-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
>
> |Posh Net (POSHNET-DOM)
> | 16100 SW Century Dr Suite #139
> | Sherwood, OR 97140
> |
> | Domain Name: POSHNET.COM
> |
> | Administrative Contact, Technical Contact, Zone Contact:
> | Admin, PoshNet (PA2888) webm...@POSHNET.COM
> | Email (FAX) Email
> | Billing Contact:
> | Admin, PoshNet (PA2888) webm...@POSHNET.COM
> | Email (FAX) Email
> |
> | Record last updated on 03-Sep-98.
> | Record created on 28-Aug-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
> |
> | Domain servers in listed order:
> |
> | NS.POSHNET.COM 206.58.210.178
> | NS01.HOSTCOMM.NET 206.58.210.34
>
> ]traceroute to hostcomm.net (206.58.210.34)
> <...>
> ]15 pdx-bordercore2-fe4-0.or.nw.verio.net (205.238.52.195) hostm...@verio.net
> ]16 pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) hostm...@rain.net
> ]17 core02.hssi5.pdxfiber.net (206.58.1.26) hostm...@structured.net
> ]18 206.58.33.210 (206.58.33.210) postm...@structured.net
> ]19 206.58.210.34 (206.58.210.34) hostm...@structured.net
>
> usr10# soa hostcomm.net
> Server: dns1.primenet.net
> Address: 206.165.5.10
>
> hostcomm.net
> origin = ns01.hostcomm.net
> mail addr = root.hostcomm.net
> serial = 100
> refresh = 10800 (3 hours)
> retry = 3600 (1 hour)
> expire = 2952000 (34 days 4 hours)
> minimum ttl = 38400 (10 hours 40 mins)
> hostcomm.net nameserver = ns01.hostcomm.net
> hostcomm.net nameserver = ns1.pdxfiber.net
> ns1.pdxfiber.net internet address = 206.58.33.211
>
> |usr10# whois ns01.hostcomm.net
> |[No name] (NS56333-HST)
> | 13215-C8 SE Mill Plain Suite # 652
> | Vancouver, Wa 98684
> |
> | Hostname: NS01.HOSTCOMM.NET
> | Address: 206.58.210.34
> | System: ? running ?
> |
> | Coordinator:
> | Services, Administrative (AS10293) webm...@HOSTCOMM.NET
> | email
> |
> | Record last updated on 08-Sep-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
>
> |HostCom, Inc. (HOSTCOMM2-DOM)
> | 13215-C8 SE Mill Plain Suite # 652
> | Vancouver, WA 98684
> |
> | Domain Name: HOSTCOMM.NET
> |
> | Administrative Contact, Technical Contact, Zone Contact:
> | Services, Administrative (AS10293) webm...@HOSTCOMM.NET
> | email
> | Billing Contact:
> | Services, Administrative (AS10293) webm...@HOSTCOMM.NET
> | email
> |
> | Record last updated on 05-Sep-98.
> | Record created on 24-Aug-98.
> | Database last updated on 6-Oct-98 07:37:24 EDT.
> |
> | Domain servers in listed order:
> |
> | NS01.HOSTCOMM.NET 206.58.210.34
> | NS1.PDXFIBER.NET 206.58.33.211
>
> ========================================================================
>
> Thank you for your prompt attention to this matter.
>
> --
> David Ritz <dr...@primenet.com> Finger for PGP Public Keys
> Fight against spam & spammers http://spam.abuse.net
> Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
> ** Be kind to animals - Kiss a shark. **
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.5.3
> Comment: Finger:dr...@primenet.com for Public Keys
>
> -----END PGP SIGNATURE-----
>
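
The Path-header evidence in the report above, worked through as an added example (not code from any poster in this thread): it unfolds the three sample Path headers quoted in the report, finds the run of hops they share at the origin end, and counts the sites immediately upstream of that run. The function names are assumptions made for this illustration.

```python
"""Trace a common feed chain from Usenet Path headers (added example)."""
from collections import Counter

# Path headers of the three sample articles quoted in the report, kept as they
# appear there. They are hard-wrapped in the middle of host names, so the
# continuation lines must be joined back without inserting whitespace.
RAW_PATHS = [
    ["Path: newstank.sol.net!ix.netcom.com!newsfeed.xcom.net!newssource.host",
     "comm.net!newsfeed.poshnet.com!dawteck!not-for-mail"],
    ["Path: newstank.sol.net!204.127.161.3.MISMATCH!wn3feed!worldnet.att.net",
     "!207.97.14.174!europa.clark.net!4.1.16.34!cpk-news-hub1.bbnplanet.com!",
     "news.bbnplanet.com!news-fra.maz.net!newssource.hostcomm.net!newsfeed.p",
     "oshnet.com!dawteck!not-for-mail"],
    ["Path: newstank.sol.net!204.127.161.3.MISMATCH!wn3feed!worldnet.att.net",
     "!207.97.14.174!europa.clark.net!208.134.241.18!newsfeed.cwix.com!209.2",
     "44.253.199!newsfeed.xcom.net!newssource.hostcomm.net!newsfeed.poshnet.",
     "com!dawteck!not-for-mail"],
]


def unfold_path(lines):
    """Join a wrapped Path header and return its value without the field name."""
    joined = "".join(line.strip() for line in lines)
    if not joined.lower().startswith("path:"):
        raise ValueError("not a Path header")
    return joined[len("path:"):].strip()


def path_elements(path):
    """Split a Path value into hops.

    The leftmost hop is the server the article was read from; the rightmost
    is nearest the origin. The trailing 'not-for-mail' is a conventional
    pseudo-entry, not a site, so it is dropped.
    """
    hops = [hop for hop in path.split("!") if hop]
    if hops and hops[-1].lower() == "not-for-mail":
        hops.pop()
    return hops


def common_origin_chain(paths):
    """Return the longest run of hops, counted from the origin end, that
    every path shares. Entries to the right of the first server you trust
    are supplied by the sender, so treat the far end as a claim, not a fact."""
    chain = []
    for hops in zip(*(reversed(p) for p in paths)):
        if len(set(hops)) != 1:
            break
        chain.append(hops[0])
    return list(reversed(chain))


def accepting_peers(paths, chain):
    """Count the hop immediately upstream of the shared chain in each path:
    the first site outside the chain that accepted the article."""
    peers = Counter()
    for hops in paths:
        idx = len(hops) - len(chain) - 1
        if idx >= 0:
            peers[hops[idx]] += 1
    return peers


def load_paths():
    """Unfold and split the embedded sample headers."""
    return [path_elements(unfold_path(lines)) for lines in RAW_PATHS]


if __name__ == "__main__":
    paths = load_paths()
    chain = common_origin_chain(paths)
    print("shared chain:", "!".join(chain))
    for host, count in accepting_peers(paths, chain).most_common():
        print(f"accepted by {host}: {count} sample(s)")
```

On these three samples the shared run is the HostComm, PoshNet and "dawteck" entries, and the sites directly upstream of it are the XCOM and MAZ news servers the report is addressed to.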

Bunny

Oct 6, 1998, 3:00:00 AM
In article <qdAS1.1605$XF2.20...@news.connectnet.com>,
how...@connectnet.com says...
>
>use...@newssource.hostcomm.net wrote:
>: David Ritz
>:
>: I'm sorry I was unable to respond before today. About this
>: problem with poshnet,
>
>Are you sorry that you were unable to respond? Or, are you sorry you
>got a pee-pee whacking from XCOM?

Inquiring minds want to know.

>: 1. We are only a bandwidth provider for them, which includes a full news
>: feed.
>
>Maybe it's time to take their feed away.

Yeah, right.

>: 2. Who they feed with and what they do with their news box is not our
>: business.
>
>Wrong. As long as poshnet lets spam flow freely via your news servers,
>it is very much your business. Shut down their news feed.

As soon as possible, like now.

>: 3. This is the first and ONLY complaint we have ever had with them
>: and we will send them an email.
>
>Get a clue. Shut down their news feed!

Ditto.

>: From what we understand they are trying to build an open news server like
>: Dejanews.
>
>99.9% of the posts from that site are Middleton's spam, the other couple
>of posts are from their web based news service. Get a clue and shut down
>their news feed!

28,200 articles = 28,200 cancels. Do you have any idea of the
time, energy, and money spent to get rid of this spam?

>: We are not affiliated or know who Mr. Middleton is or Empire2. Please do
>: not tarnish our good name, we have never had a spam problem and we have
>: done everything to put an end to spam on our boxes.
>
>Done everything? Who are you kidding? If you are so worried about your
>good name, shut down poshnet's news feed!

And tell Mr. Middleton to not spam anymore.

>Howard
>
>PS: Thank you SO much for including all 700+ lines of David's original
>post. Oh, and shut down their news feed.

I *love* David's reports, don't you?

Meow

wer...@ccwf.cc.utexas.edu

Oct 6, 1998, 3:00:00 AM
[ courtesy copied as email -- and should POSTMASTER bounce,
I guess I'd have to complain about that to someone...]

quoting use...@newssource.hostcomm.net :
:...about this problem with poshnet
: 1. We are only a bandwidth provider for them, which includes a full news feed

what? you are both ?!? what else would you have to be so that you'd
feel that they ARE your problem?!?


: 2. Who they feed with and what they do with their news box is not our business

if you are their newsfeed, the rest of the net will certainly let you
know that, in fact, who you provide connectivity to *IS* your business.


: 3. This is the first and ONLY complaint we have ever had with them and we will
: send them an email.

hmmm. when I look at your and POSHNET's NIC-record, I'm tempted to
assume that you are so much alike, that you are part of the problem,
and one needs to complain to your upstream...


: From what we understand they are trying to build an open news server like Dejanews.

<chuckle> they are waving "big bucks" within your sight?
Don't think they mean to let you have any of that...

: We are not affiliated or know who Mr. Middleton is or Empire2. Please do
: not tarnish our good name, we have never had a spam problem and we have
: done everything to put an end to spam on our boxes.

well, now that your attention has been called to the problem you are
no longer "innocently ignorant" -- and I like your decidedly anti-spam
sentiments already. This should bode ill for the spammer...
--
-----< "Free Advice and Opinions -- Refunds Available" >-----
Outlaw junk email * Support CAUCE http://www.cauce.org/

David Ritz

Oct 6, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

Ooooops!

I didn't notice that Sean posted his note. Since I've already
replied, via email, I'll forward that message to the group, with
some minor embellishment as a preface.

Sean's message received another response, which came to me from
Kai Siering - IS Internet Services. Here it was explained that
is-europe.net would take no action at this time, noting they had
insufficient evidence to demonstrate "newssource.hostcomm.net is a
major spam source or spam relay." is-europe.net requested that if
I had any more evidence to present, I should pass it along to
<ne...@is-europe.net> and <ab...@is-europe.net>.

As I consider the reports I'd filed to be fairly extensive and
detailed, I had to ask, "What, pray tell, would constitute "more
evidence", in your estimation?"

I was truly puzzled.

While I did go on to explain my position, the only "evidence" I
could think to present is included here:

========================================================================
<quote dritz>

Here's a brief history of what is now feeding through PoshNet and
HostComm. Please be aware that it takes some time, before each
_individual_ binary registers as having BI>=20 and the bots start
whacking this spew. That point was most recently reached on Sunday,
1998.10.04.

Spam Cancel Statistics, courtesy of Andrew Gierth
<http://www.stopspam.org/usenet/tracking.html>

19980227.scs: 1664 ["webserver.com"-forgery]!*
19980227.scs: 948 news.structured.net!["webserver.com"-forgery]!*
19980227.scs: 716 inetarena.com!["webserver.com"-forgery]!*
19980228.scs: 1095 ["webserver.com"-forgery]!*
19980228.scs: 1023 news.structured.net!["webserver.com"-forgery]!*
19980302.scs: 784 ["webserver.com"-forgery]!*
19980302.scs: 436 inetarena.com!["webserver.com"-forgery]!*
19980303.scs: 1864 ["webserver.com"-forgery]!*
19980303.scs: 1523 news.structured.net!["webserver.com"-forgery]!*
19980303.scs: 341 inetarena.com!["webserver.com"-forgery]!*
19980304.scs: 1892 ["webserver.com"-forgery]!*
19980304.scs: 1411 news.structured.net!["webserver.com"-forgery]!*
19980304.scs: 481 inetarena.com!["webserver.com"-forgery]!*
19980305.scs: 2089 ["webserver.com"-forgery]!*
19980305.scs: 1669 news.structured.net!["webserver.com"-forgery]!*
19980305.scs: 420 inetarena.com!["webserver.com"-forgery]!*
19980306.scs: 2154 ["webserver.com"-forgery]!*
19980306.scs: 1902 news.structured.net!["webserver.com"-forgery]!*
19980307.scs: 2106 ["webserver.com"-forgery]!*
19980307.scs: 1992 news.structured.net!["webserver.com"-forgery]!*
19980308.scs: 2081 ["webserver.com"-forgery]!*
19980308.scs: 1936 news.structured.net!["webserver.com"-forgery]!*
19980309.scs: 1704 ["webserver.com"-forgery]!*
19980309.scs: 1591 news.structured.net!["webserver.com"-forgery]!*
19980310.scs: 1940 ["webserver.com"-forgery]!*
19980310.scs: 1780 news.structured.net!["webserver.com"-forgery]!*
19980311.scs: 1963 ["webserver.com"-forgery]!*
19980311.scs: 1834 news.structured.net!["webserver.com"-forgery]!*
19980312.scs: 1794 ["webserver.com"-forgery]!*
19980312.scs: 1731 news.structured.net!["webserver.com"-forgery]!*
19980313.scs: 1518 ["webserver.com"-forgery]!*
19980313.scs: 1506 news.structured.net!["webserver.com"-forgery]!*
19980314.scs: 2297 ["webserver.com"-forgery]!*
19980314.scs: 1864 news.structured.net!["webserver.com"-forgery]!*
19980314.scs: 433 inetarena.com!["webserver.com"-forgery]!*
19980315.scs: 2154 ["webserver.com"-forgery]!*
19980315.scs: 2134 news.structured.net!["webserver.com"-forgery]!*
19980316.scs: 1640 ["webserver.com"-forgery]!*
19980316.scs: 1530 news.structured.net!["webserver.com"-forgery]!*
19980317.scs: 2062 ["webserver.com"-forgery]!*
19980317.scs: 1834 news.structured.net!["webserver.com"-forgery]!*
19980318.scs: 1908 ["webserver.com"-forgery]!*
19980318.scs: 1691 news.structured.net!["webserver.com"-forgery]!*
19980319.scs: 1777 ["webserver.com"-forgery]!*
19980319.scs: 1269 news.structured.net!["webserver.com"-forgery]!*
19980319.scs: 508 inetarena.com!["webserver.com"-forgery]!*
19980320.scs: 1504 ["webserver.com"-forgery]!*
19980320.scs: 1074 news.structured.net!["webserver.com"-forgery]!*
19980320.scs: 430 inetarena.com!["webserver.com"-forgery]!*
19980321.scs: 1855 ["webserver.com"-forgery]!*
19980321.scs: 1782 news.structured.net!["webserver.com"-forgery]!*
19980322.scs: 2177 ["webserver.com"-forgery]!*
19980322.scs: 1978 news.structured.net!["webserver.com"-forgery]!*
19980323.scs: 1524 ["webserver.com"-forgery]!*
19980323.scs: 1195 news.structured.net!["webserver.com"-forgery]!*
19980323.scs: 329 inetarena.com!["webserver.com"-forgery]!*
19980324.scs: 501 ["webserver.com"-forgery]!*
19980324.scs: 473 inetarena.com!["webserver.com"-forgery]!*
19980325.scs: 1406 ["webserver.com"-forgery]!*
19980325.scs: 1030 inetarena.com!["webserver.com"-forgery]!*
19980325.scs: 363 irc.empire2!["webserver.com"-forgery]!*
19980326.scs: 1805 ["webserver.com"-forgery]!*
19980326.scs: 1162 irc.empire2!["webserver.com"-forgery]!*
19980326.scs: 635 inetarena.com!["webserver.com"-forgery]!*
19980428.scs: 298 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980428.scs: 298 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980429.scs: 895 ["pacstar.net"/"webserver.com"-forgery]!*
19980429.scs: 895 ["pacstar.net"/"webserver.com"-forgery]!*
19980429.scs: 895 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980429.scs: 895 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980430.scs: 4230 ["pacstar.net"/"webserver.com"-forgery]!*
19980430.scs: 4230 ["pacstar.net"/"webserver.com"-forgery]!*
19980430.scs: 4230 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980430.scs: 4230 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980501.scs: 3478 ["pacstar.net"/"webserver.com"-forgery]!*
19980501.scs: 3478 ["pacstar.net"/"webserver.com"-forgery]!*
19980501.scs: 3478 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980501.scs: 3478 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980502.scs: 5199 ["pacstar.net"/"webserver.com"-forgery]!*
19980502.scs: 5199 ["pacstar.net"/"webserver.com"-forgery]!*
19980502.scs: 5199 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980502.scs: 5199 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980503.scs: 2723 ["pacstar.net"/"webserver.com"-forgery]!*
19980503.scs: 2723 ["pacstar.net"/"webserver.com"-forgery]!*
19980503.scs: 2723 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980503.scs: 2723 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980504.scs: 990 ["pacstar.net"/"webserver.com"-forgery]!*
19980504.scs: 990 ["pacstar.net"/"webserver.com"-forgery]!*
19980504.scs: 990 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980504.scs: 990 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980505.scs: 2125 ["pacstar.net"/"webserver.com"-forgery]!*
19980505.scs: 2125 ["pacstar.net"/"webserver.com"-forgery]!*
19980505.scs: 2125 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980505.scs: 2125 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980506.scs: 1242 ["pacstar.net"/"webserver.com"-forgery]!*
19980506.scs: 1242 ["pacstar.net"/"webserver.com"-forgery]!*
19980506.scs: 1242 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980506.scs: 1242 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980507.scs: 2671 ["pacstar.net"/"webserver.com"-forgery]!*
19980507.scs: 2671 ["pacstar.net"/"webserver.com"-forgery]!*
19980507.scs: 2671 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980507.scs: 2671 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980508.scs: 570 ["pacstar.net"/"webserver.com"-forgery]!*
19980508.scs: 570 ["pacstar.net"/"webserver.com"-forgery]!*
19980508.scs: 570 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980508.scs: 570 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980509.scs: 4015 ["pacstar.net"/"webserver.com"-forgery]!*
19980509.scs: 4015 ["pacstar.net"/"webserver.com"-forgery]!*
19980509.scs: 4015 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980509.scs: 4015 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980510.scs: 1742 ["pacstar.net"/"webserver.com"-forgery]!*
19980510.scs: 1742 ["pacstar.net"/"webserver.com"-forgery]!*
19980510.scs: 1742 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980510.scs: 1742 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980511.scs: 1832 ["pacstar.net"/"webserver.com"-forgery]!*
19980511.scs: 1832 ["pacstar.net"/"webserver.com"-forgery]!*
19980511.scs: 1832 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980511.scs: 1832 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980512.scs: 2324 ["pacstar.net"/"webserver.com"-forgery]!*
19980512.scs: 2324 ["pacstar.net"/"webserver.com"-forgery]!*
19980512.scs: 2324 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980512.scs: 2324 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980513.scs: 2832 ["pacstar.net"/"webserver.com"-forgery]!*
19980513.scs: 2832 ["pacstar.net"/"webserver.com"-forgery]!*
19980513.scs: 2832 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980513.scs: 2832 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980514.scs: 2586 ["pacstar.net"/"webserver.com"-forgery]!*
19980514.scs: 2586 ["pacstar.net"/"webserver.com"-forgery]!*
19980514.scs: 2586 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980514.scs: 2586 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980515.scs: 2758 ["pacstar.net"/"webserver.com"-forgery]!*
19980515.scs: 2758 ["pacstar.net"/"webserver.com"-forgery]!*
19980515.scs: 2758 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980515.scs: 2758 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980516.scs: 4321 ["pacstar.net"/"webserver.com"-forgery]!*
19980516.scs: 4321 ["pacstar.net"/"webserver.com"-forgery]!*
19980516.scs: 4321 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980516.scs: 4321 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980517.scs: 4184 ["pacstar.net"/"webserver.com"-forgery]!*
19980517.scs: 4184 ["pacstar.net"/"webserver.com"-forgery]!*
19980517.scs: 4184 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980517.scs: 4184 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980518.scs: 3125 ["pacstar.net"/"webserver.com"-forgery]!*
19980518.scs: 3125 ["pacstar.net"/"webserver.com"-forgery]!*
19980518.scs: 3125 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980518.scs: 3125 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980519.scs: 2256 ["pacstar.net"/"webserver.com"-forgery]!*
19980519.scs: 2256 ["pacstar.net"/"webserver.com"-forgery]!*
19980519.scs: 2256 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980519.scs: 2256 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980520.scs: 3243 ["pacstar.net"/"webserver.com"-forgery]!*
19980520.scs: 3243 ["pacstar.net"/"webserver.com"-forgery]!*
19980520.scs: 3243 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980520.scs: 3243 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980521.scs: 2538 ["pacstar.net"/"webserver.com"-forgery]!*
19980521.scs: 2538 ["pacstar.net"/"webserver.com"-forgery]!*
19980521.scs: 2538 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980521.scs: 2538 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980522.scs: 2431 ["pacstar.net"/"webserver.com"-forgery]!*
19980522.scs: 2431 ["pacstar.net"/"webserver.com"-forgery]!*
19980522.scs: 2431 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980522.scs: 2431 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980523.scs: 1632 ["pacstar.net"/"webserver.com"-forgery]!*
19980523.scs: 1632 ["pacstar.net"/"webserver.com"-forgery]!*
19980523.scs: 1632 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980523.scs: 1632 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980524.scs: 2758 ["pacstar.net"/"webserver.com"-forgery]!*
19980524.scs: 2758 ["pacstar.net"/"webserver.com"-forgery]!*
19980524.scs: 2758 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980524.scs: 2758 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980525.scs: 3258 ["pacstar.net"/"webserver.com"-forgery]!*
19980525.scs: 3258 ["pacstar.net"/"webserver.com"-forgery]!*
19980525.scs: 3258 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980525.scs: 3258 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980526.scs: 2709 ["pacstar.net"/"webserver.com"-forgery]!*
19980526.scs: 2709 ["pacstar.net"/"webserver.com"-forgery]!*
19980526.scs: 2709 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980526.scs: 2709 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980527.scs: 2792 ["pacstar.net"/"webserver.com"-forgery]!*
19980527.scs: 2792 ["pacstar.net"/"webserver.com"-forgery]!*
19980527.scs: 2792 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980527.scs: 2792 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980528.scs: 2203 ["pacstar.net"/"webserver.com"-forgery]!*
19980528.scs: 2203 ["pacstar.net"/"webserver.com"-forgery]!*
19980528.scs: 2203 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980528.scs: 2203 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980529.scs: 1323 ["pacstar.net"/"webserver.com"-forgery]!*
19980529.scs: 1323 ["pacstar.net"/"webserver.com"-forgery]!*
19980529.scs: 1323 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980529.scs: 1323 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980530.scs: 2610 ["pacstar.net"/"webserver.com"-forgery]!*
19980530.scs: 2610 ["pacstar.net"/"webserver.com"-forgery]!*
19980530.scs: 2610 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980530.scs: 2610 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980531.scs: 3108 ["pacstar.net"/"webserver.com"-forgery]!*
19980531.scs: 3108 ["pacstar.net"/"webserver.com"-forgery]!*
19980531.scs: 3108 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980531.scs: 3108 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980601.scs: 1967 ["pacstar.net"/"webserver.com"-forgery]!*
19980601.scs: 1967 ["pacstar.net"/"webserver.com"-forgery]!*
19980601.scs: 1967 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980601.scs: 1967 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980602.scs: 2490 ["pacstar.net"/"webserver.com"-forgery]!*
19980602.scs: 2490 ["pacstar.net"/"webserver.com"-forgery]!*
19980602.scs: 2490 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980602.scs: 2490 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980603.scs: 3528 ["pacstar.net"/"webserver.com"-forgery]!*
19980603.scs: 3528 ["pacstar.net"/"webserver.com"-forgery]!*
19980603.scs: 3528 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980603.scs: 3528 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980604.scs: 2839 ["pacstar.net"/"webserver.com"-forgery]!*
19980604.scs: 2839 ["pacstar.net"/"webserver.com"-forgery]!*
19980604.scs: 2839 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980604.scs: 2839 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980605.scs: 1347 ["pacstar.net"/"webserver.com"-forgery]!*
19980605.scs: 1347 ["pacstar.net"/"webserver.com"-forgery]!*
19980605.scs: 1347 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980605.scs: 1347 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980606.scs: 4360 ["pacstar.net"/"webserver.com"-forgery]!*
19980606.scs: 4360 ["pacstar.net"/"webserver.com"-forgery]!*
19980606.scs: 4360 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980606.scs: 4360 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980607.scs: 2465 ["pacstar.net"/"webserver.com"-forgery]!*
19980607.scs: 2465 ["pacstar.net"/"webserver.com"-forgery]!*
19980607.scs: 2465 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980607.scs: 2465 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980608.scs: 3336 ["pacstar.net"/"webserver.com"-forgery]!*
19980608.scs: 3336 ["pacstar.net"/"webserver.com"-forgery]!*
19980608.scs: 3336 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980608.scs: 3336 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980609.scs: 2939 ["pacstar.net"/"webserver.com"-forgery]!*
19980609.scs: 2939 ["pacstar.net"/"webserver.com"-forgery]!*
19980609.scs: 2939 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980609.scs: 2939 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980610.scs: 2686 ["pacstar.net"/"webserver.com"-forgery]!*
19980610.scs: 2686 ["pacstar.net"/"webserver.com"-forgery]!*
19980610.scs: 2686 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980610.scs: 2686 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980615.scs: 740 ["pacstar.net"/"webserver.com"-forgery]!*
19980615.scs: 740 ["pacstar.net"/"webserver.com"-forgery]!*
19980615.scs: 740 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980615.scs: 740 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980617.scs: 2547 ["pacstar.net"/"webserver.com"-forgery]!*
19980617.scs: 2547 ["pacstar.net"/"webserver.com"-forgery]!*
19980617.scs: 2527 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980617.scs: 2527 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980618.scs: 2327 ["pacstar.net"/"webserver.com"-forgery]!*
19980618.scs: 2327 ["pacstar.net"/"webserver.com"-forgery]!*
19980618.scs: 1947 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980618.scs: 1947 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980618.scs: 378 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980618.scs: 378 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980618.scs: 378 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980619.scs: 3443 ["pacstar.net"/"webserver.com"-forgery]!*
19980619.scs: 3443 ["pacstar.net"/"webserver.com"-forgery]!*
19980619.scs: 3443 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980619.scs: 3443 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980620.scs: 6205 ["pacstar.net"/"webserver.com"-forgery]!*
19980620.scs: 6205 ["pacstar.net"/"webserver.com"-forgery]!*
19980620.scs: 3766 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980620.scs: 3766 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980620.scs: 2439 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980620.scs: 2439 news.structured.net!["pacstar.net"/"webserver.com"-forgery]!*
19980621.scs: 89 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980621.scs: 89 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980623.scs: 6250 ["pacstar.net"/"webserver.com"-forgery]!*
19980623.scs: 6250 ["pacstar.net"/"webserver.com"-forgery]!*
19980623.scs: 4895 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980623.scs: 4895 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980623.scs: 4895 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980623.scs: 1355 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980623.scs: 1355 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980624.scs: 8882 ["pacstar.net"/"webserver.com"-forgery]!*
19980624.scs: 8882 ["pacstar.net"/"webserver.com"-forgery]!*
19980624.scs: 5711 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980624.scs: 5711 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980624.scs: 3171 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980624.scs: 3171 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980624.scs: 3171 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980625.scs: 2441 ["pacstar.net"/"webserver.com"-forgery]!*
19980625.scs: 2441 ["pacstar.net"/"webserver.com"-forgery]!*
19980625.scs: 1837 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980625.scs: 1837 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980625.scs: 604 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980625.scs: 604 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980625.scs: 604 news.nwregion.net!["pacstar.net"/"webserver.com"-forgery]!*
19980626.scs: 5866 ["pacstar.net"/"webserver.com"-forgery]!*
19980626.scs: 5866 ["pacstar.net"/"webserver.com"-forgery]!*
19980626.scs: 5866 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980626.scs: 5866 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980627.scs: 2454 ["pacstar.net"/"webserver.com"-forgery]!*
19980627.scs: 2454 ["pacstar.net"/"webserver.com"-forgery]!*
19980627.scs: 2453 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980627.scs: 2453 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980629.scs: 2249 ["pacstar.net"/"webserver.com"-forgery]!*
19980629.scs: 2249 ["pacstar.net"/"webserver.com"-forgery]!*
19980629.scs: 2249 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980629.scs: 2249 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980630.scs: 5165 ["pacstar.net"/"webserver.com"-forgery]!*
19980630.scs: 5165 ["pacstar.net"/"webserver.com"-forgery]!*
19980630.scs: 5165 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980630.scs: 5165 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980701.scs: 4304 ["pacstar.net"/"webserver.com"-forgery]!*
19980701.scs: 4304 ["pacstar.net"/"webserver.com"-forgery]!*
19980701.scs: 4304 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980701.scs: 4304 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980702.scs: 495 ["pacstar.net"/"webserver.com"-forgery]!*
19980702.scs: 495 ["pacstar.net"/"webserver.com"-forgery]!*
19980702.scs: 495 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980702.scs: 495 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980703.scs: 114 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980703.scs: 114 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980704.scs: 92 ["pacstar.net"/"webserver.com"-forgery]!*
19980704.scs: 92 ["pacstar.net"/"webserver.com"-forgery]!*
19980704.scs: 92 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980704.scs: 92 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980705.scs: 103 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980705.scs: 103 news.or.nw.verio.net!["pacstar.net"/"webserver.com"-forgery]!*
19980806.scs: 4166 [nwregion.net-forgery]!*
19980806.scs: 4135 news-stl.cp.verio.net![nwregion.net-forgery]!*
19980807.scs: 4987 [nwregion.net-forgery]!*
19980807.scs: 4908 news-stl.cp.verio.net![nwregion.net-forgery]!*
19980809.scs: 1572 [nwregion.net-forgery]!*
19980809.scs: 1517 news.or.nw.verio.net![nwregion.net-forgery]!*
19980810.scs: 1882 [nwregion.net-forgery]!*
19980810.scs: 1866 news-stl.cp.verio.net![nwregion.net-forgery]!*
19980811.scs: 7711 [nwregion.net-forgery]!*
19980811.scs: 5104 news-feeder.onramp.net![nwregion.net-forgery]!*
19980811.scs: 1122 noos.hooked.net![nwregion.net-forgery]!*
19980811.scs: 973 news.or.nw.verio.net![nwregion.net-forgery]!*
19980811.scs: 510 news-stl.cp.verio.net![nwregion.net-forgery]!*
19980812.scs: 3694 [nwregion.net-forgery]!*
19980812.scs: 2393 news-feeder.onramp.net![nwregion.net-forgery]!*
19980812.scs: 1037 news.or.nw.verio.net![nwregion.net-forgery]!*
19980812.scs: 187 noos.hooked.net![nwregion.net-forgery]!*
19980813.scs: 3715 [nwregion.net-forgery]!*
19980813.scs: 2243 Gamma.RU![nwregion.net-forgery]!*
19980813.scs: 656 news.or.nw.verio.net![nwregion.net-forgery]!*
19980813.scs: 638 news.maxwell.syr.edu![nwregion.net-forgery]!*
19980813.scs: 93 news-stl.cp.verio.net![nwregion.net-forgery]!*
19980813.scs: 84 news-feeder.onramp.net![nwregion.net-forgery]!*
19980814.scs: 10787 [nwregion.net-forgery]!*
19980814.scs: 4161 Gamma.RU![nwregion.net-forgery]!*
19980814.scs: 3024 ai-lab![nwregion.net-forgery]!*
19980814.scs: 1771 news.or.nw.verio.net![nwregion.net-forgery]!*
19980814.scs: 1193 news-stl.cp.verio.net![nwregion.net-forgery]!*
19980814.scs: 577 news.maxwell.syr.edu![nwregion.net-forgery]!*
19980815.scs: 5989 [nwregion.net-forgery]!*
19980815.scs: 4096 news.or.nw.verio.net![nwregion.net-forgery]!*
19980815.scs: 932 ai-lab![nwregion.net-forgery]!*
19980815.scs: 776 news-stl.cp.verio.net![nwregion.net-forgery]!*
19980816.scs: 5127 [nwregion.net-forgery]!*
19980816.scs: 5023 news.or.nw.verio.net![nwregion.net-forgery]!*
19980817.scs: 3175 [nwregion.net-forgery]!*
19980817.scs: 2947 news.or.nw.verio.net![nwregion.net-forgery]!*
19980817.scs: 156 ai-lab![nwregion.net-forgery]!*
19980818.scs: 2338 [nwregion.net-forgery]!*
19980818.scs: 2099 news.or.nw.verio.net![nwregion.net-forgery]!*
19980818.scs: 171 ai-lab![nwregion.net-forgery]!*
19980819.scs: 168 news.or.nw.verio.net![nwregion.net-forgery]!*
- - ----=---- -
19981004.scs: 6670 [nwregion.net-forgery]!*
19981004.scs: 6670 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981005.scs: 8305 [nwregion.net-forgery]!*
19981005.scs: 8305 newsfeed.poshnet.com![nwregion.net-forgery]!*

</quote dritz>
========================================================================

While Mr. Morrow chose to include such notables as
<dr...@empire2.com> and <ma...@empire2.com> (the A & M of AM
Enterprises) in his recipient list, I chose to keep my list a
little shorter. (I had included these addresses as recipients of
the report, but I see no point in _purposely_ providing them with
direct information on what's transpired since that report was
filed.)

- ---------- Begin forwarded message ----------

Mime-Version: 1.0
X-Sender: dr...@pop.primenet.com
Date: Tue, 6 Oct 1998 21:05:26 -0500
To: Sean Morrow <use...@newssource.hostcomm.net>
From: David Ritz <dr...@primenet.com>
Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed
through newsfeed.poshnet.com [2]
Cc: use...@xcom.net, ab...@xcom.net, ne...@is-europe.net, ab...@is-europe.net,
David Ritz <dr...@primenet.com>

At 15:12 -0700 1998.10.06, use...@newssource.hostcomm.net wrote:

: David Ritz
:
: I'm sorry I was unable to respond before today. About this
: problem with poshnet,
:
: 1. We are only a bandwidth provider for them, which includes a full news
: feed.
: 2. Who they feed with and what they do with their news box is not our
: business.
: 3. This is the first and ONLY complaint we have ever had with them
: and we will send them an email.
:
: From what we understand they are trying to build a open news server like
: Dejanews.
:
: We are not affiliated or know who Mr. Middleton is or Empire2. Please do
: not tarnish our good name, we have never had a spam problem and we have
: done everything to put an end to spam on our boxes.
:
: From what we have seen there is no nwregion.net or a newsbox associated
: with it.
:
: Thank you,
: Sean Morrow
: News Administrator

Hi, Sean,

Thanks for getting back to me.

The situation, as I see it, is one where the Middleton spam operation
is feeding an enormous volume of EMP'd binary spam through HostComm.
There may be an intermediate hop, but it's all coming through you. The
report you are responding to covered a little over 1.9 Gigabytes of
posts, which are so repetitive that they're setting off the
cancel-bots. 1931366655 characters is one hell of a lot of spam.

[pause]

The numbers have grown, since I sent out my report.

34341: 40460 1.0000 newsfeed.poshnet.com
TOTALS ------- -------
34341: 2134397831 34453.7191
^^^^^^^^^^

Your upstream providers were not included in my original report,
dated Thu, 1 Oct 1998 19:07:29 -0700. When I send out a report
detailing a high-volume net-abuse incident and the abuse continues,
without reply, I move upstream. I regret that it took my doing so to
get your attention.

[pause]

So far today, here are the stats for the non-existent "dawteck":

4452: 39898 1.0000 dawteck
TOTALS ------- -------
4452: 292791896 4452.0000

These are still arriving at the monitoring site, at a rate of about 4-500/hour.

From the looks of things, only the four posts I mentioned in my
report, this morning, were posted using PoshNet's DejaNews-like web
interface.

Allowing these nearly 4500 EMP spammed binaries, coming from this
single unidentified source (while it is forging From lines,
meaningless Message-IDs and NPH's in order to avoid detection and
misdirect complaints) to reach the news-stream, amounts to an
egregious disregard for your neighbors in Usenet. PoshNet may be
paying for a news feed, but they are not feeding news through you;
they are feeding you spam by the truckload.

No one is under any obligation to store or propagate spam. If
PoshNet and HostComm wish to provide this spam to their direct users,
that's their business. Once it's been propagated beyond your servers
and domain, it becomes a more pressing issue of abuse of the net.

If you cannot convince your account, Poshnet, to cut this rogue,
dedicated spam-feed, perhaps you should consider routing their feed
to /null. It's certainly not doing you any good, if it's causing your
feeds to be severed.

If you are not running spam filters on your server, this is something
it's time to consider. Please refer to

_Anti-Spam Software - Tools for Admins_
<http://www.exit109.com/~jeremy/news/antispam.html>.

So far as I'm aware, HostComm is receiving auto-notifications of spam
cancels from at least one source. This would seem to indicate that
my second report is not the first "complaint" you've ever received.

Sending an email message to PoshNet falls somewhat short of the mark,
at this late date. Please drop this feed, until you can investigate
the situation more fully. I do not believe that failing to propagate
the handful of legitimate posts originating through PoshNet outweighs
the overwhelming volume of EMP'd binaries they are passing to Usenet
through you.

Only PoshNet can identify the originating IP for this spew. I
requested an identification of the IP address in my first report. My
current guess for that IP address is [206.58.227.20].

usr10# nslookup news.nwregion.net
Server: dns1.primenet.net
Address: 206.165.5.10

Name: news.nwregion.net
Address: 206.58.227.20

I'd have called PoshNet, last week, but there are no phone numbers
listed in their NIC or on their site.

I'd have called HostComm, last week, but there are no phone numbers
listed in your NIC or on your site.

Please plug the dyke. Floods of this nature are not healthy for the net.

Thank you for your prompt attention to this matter.



--
David Ritz <dr...@primenet.com> Finger for PGP Public Keys
Fight against spam & spammers http://spam.abuse.net
Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
** Be kind to animals - Kiss a shark. **





- ----------- End forwarded message -----------

--
David Ritz <dr...@primenet.com> Finger for PGP Public Keys
Fight against spam & spammers http://spam.abuse.net
Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
** Be kind to animals - Kiss a shark. **




Howard Knight

Oct 7, 1998, 3:00:00 AM
use...@newssource.hostcomm.net wrote:
: David Ritz
:
: I'm sorry I was unable to respond before today. About this
: problem with poshnet,

Are you sorry that you were unable to respond? Or, are you sorry you
got a pee-pee whacking from XCOM?

: 1. We are only a bandwidth provider for them, which includes a full news
: feed.

Maybe it's time to take their feed away.

: 2. Who they feed with and what they do with their news box is not our
: business.

Wrong. As long as poshnet lets spam flow freely via your news servers,
it is very much your business. Shut down their news feed.

: 3. This is the first and ONLY complaint we have ever had with them
: and we will send them an email.

Get a clue. Shut down their news feed!

: From what we understand they are trying to build a open news server like
: Dejanews.

99.9% of the posts from that site are Middleton's spam, the other couple
of posts are from their web based news service. Get a clue and shut down
their news feed!

: We are not affiliated or know who Mr. Middleton is or Empire2. Please do
: not tarnish our good name, we have never had a spam problem and we have
: done everything to put an end to spam on our boxes.

Done everything? Who are you kidding? If you are so worried about your
good name, shut down poshnet's news feed!

Howard

Jeffery J. Leader

Oct 7, 1998, 3:00:00 AM
use...@newssource.hostcomm.net wrote:
>From what we understand they are trying to build a open news server like
>Dejanews.

I won't bother responding to this intriguing supposition, except to
say: You're feeding a megaspammer. If you think they're salvageable;
great; but clean things up first before unleashing them on the rest of
the world.

Are you running CleanFeed?


David Ritz

Oct 7, 1998, 3:00:00 AM

I thought I'd take a moment, to provide a short update.

The situation has become significantly worse, in regard to the
spam flowing freely from newsfeed.poshnet.com through
newssource.hostcomm.net.

XCOM has re-established the feed they severed on 1998.10.06.

is-europe.net continues to provide a route to the news-backbone
for this high-volume spew.

Several new feeds have been established, including telstra.net,
pdxfiber.net, eu.concert.net and enteract.com.

Instead of using a load of bandwidth, to rehash what I posted to
nana.sightings, today, I'll refer your attention to
<url:news:Pine.BSI.3.96.981007...@usr10.primenet.com>

I will include the results of two queries quoted in this sightings
report. I believe it provides a telling tale.

These are the results of running simultaneous queries on the Path
entries in question. The query was limited to 1998.10.07 and
represents articles received since 00:00:00 at the monitoring site,
at the time the queries were run.

3993: 81403 1.0000 newsfeed.poshnet.com
3994: 148359 1.0000 newsfeed.poshnet.com
3995: 41834 1.0000 newsfeed.poshnet.com
TOTALS ------- -------
3995: 181405539 3995.0000

3993: 81403 1.0000 newssource.hostcomm.net
3994: 148359 1.0000 newssource.hostcomm.net
3995: 41834 1.0000 newssource.hostcomm.net
TOTALS ------- -------
3995: 181405539 3995.0000

I think we have a match.

--
David Ritz <dr...@primenet.com> Finger for PGP Public Keys
Fight against spam & spammers http://spam.abuse.net
Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
** Be kind to animals - Kiss a shark. **




Cameron Kaiser

Oct 7, 1998, 3:00:00 AM
David Ritz <dr...@primenet.com> writes:

> The situation has become significantly worse, in regard to the
> spam flowing freely from newsfeed.poshnet.com through
> newssource.hostcomm.net.
> XCOM has re-established the feed they severed on 1998.10.06.
> is-europe.net continues to provide a route to the news-backbone
> for this high-volume spew.
> Several new feeds have been established, including telstra.net,
> pdxfiber.net, eu.concert.net and enteract.com.

Does no one upstream want to shut them off? Do the "new" upstreams know?

--
-------------- The Commodore 64 lives: http://computerworkshops.home.ml.org/ --
Cameron Kaiser (posting with a Commodore 128) | "When in doubt, take a pawn."
cdkaiser@concentricMUNGEnet | -- Mission: Impossible
-- personal page: http://calvin.ptloma.edu/~spectre/ ------ CBMSF Unit $EA31 --

Sean

Oct 8, 1998, 3:00:00 AM
to David Ritz
David and all concerned,

We have spoken with Poshnet and they promised us this spam problem will stop.
We have given them 2 weeks to fix their problems or we will cut their news
feed (as required by the contract we have with them). From what they have
told me and what I have seen their box is totally open to the world and they
are working very hard on getting their spam filters working correctly. They
have also told me they will "close" the doors to their box if they can not get
this problem solved, until they have this fixed.

About our "New" feeds, they are not new, we have had those feeds as long as
the others. Why you just now see that is beyond me. If we are under such a
microscope you should have known all the feeds we have.

I will say this again, we do not spam, we are NOT the originators of this spam
nor are we affiliated with Mr. Middleton or anything he may be doing.

I am including an email I received and would like to know who this person is
and what does he think he is doing by threatening us. We will not stand for
this nor allow it to continue. We are working on this problem and do not need
people like him to give us this type of crap.

Sean

--------- Start of Message ---------
Date: Wed, 07 Oct 1998 01:24:19 GMT
From: Lysander Spooner <buch...@cybernex.net>
To: use...@newssource.hostcomm.net
Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed through
newsfeed.poshnet.com [2]
Newsgroups: news.admin.net-abuse.usenet

> I'm sorry I was unable to respond before today. About this
>problem with poshnet,
>
>1. We are only a bandwidth provider for them, which includes a full news
> feed.

You mean "spam feed".

>2. Who they feed with and what they do with their news box is not our
> business.

It's about to _become_ your business you rogue prick.

>3. This is the first and ONLY complaint we have ever had with them
> and we will send them an email.

Yeah right. "Dear me@localhost"

>From what we understand they are trying to build a open news server like
>Dejanews.

No, you're trying to run a dedicated spamserver like Netzilla.

>We are not affiliated or know who Mr. Middleton is or Empire2. Please do
>not tarnish our good name,

If you ever get one, I'll try not to tarnish it.

>we have never had a spam problem and we have
>done everything to put an end to spam on our boxes.

Lying sack of shit. Is there anything BUT spam coming through your
server?

>From what we have seen there is no nwregion.net or a newsbox associated
>with it.

And this proves what? That it's easy to register new domains?

You know "Sean", I think I'm going to give all the rest of the
spammers a break, and devote my entire cancel arsenal to wiping you
off Usenet -- at least until all your peers cut you off.

Have a nice day.

-- Rick
--------- End of Message --------

David Ritz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> I thought I'd take a moment, to provide a short update.
>
> The situation has become significantly worse, in regard to the
> spam flowing freely from newsfeed.poshnet.com through
> newssource.hostcomm.net.
>
> XCOM has re-established the feed they severed on 1998.10.06.
>
> is-europe.net continues to provide a route to the news-backbone
> for this high-volume spew.
>
> Several new feeds have been established, including telstra.net,
> pdxfiber.net, eu.concert.net and enteract.com.
>

Andrew Gierth

Oct 8, 1998, 3:00:00 AM
>>>>> "Sean" == Sean <use...@hostcomm.net> writes:

Sean> David and all concerned,

Sean> We have spoken with Poshnet and they promised us this spam
Sean> problem will stop. We have given them 2 weeks to fix their
Sean> problems

You should be giving them two *hours*, not two weeks.

Sean> or we will cut their news feed (as required by the contract we
Sean> have with them). From what they have told me and what I have
Sean> seen their box is totally open to the world

Indeed - and yet you continue to accept articles from them? This is
intolerable.

Would you prefer an active Usenet Death Penalty, or shall we just
continue the shunning/de-peering campaign against you and poshnet?

Sean> and they are working very hard on getting their spam filters
Sean> working correctly.

This isn't about spam filters; it's about accepting a feed from a known
forger and spammer. (Middleton isn't posting to poshnet's server, he's
*feeding* to it; there's a difference.)

If poshnet want to run a public-posting server, they need to realise
that it is *very hard* to secure such an installation against the
abuse that *will* be heaped on it. They need to filter out not only
spam, but also locally-posted control messages, Supersedes, flooding
attacks and forgeries, and they need to be prepared to block
*INSTANTLY* any poster who abuses their system in spite of such
filters. But that is irrelevant to the issue of Middleton's spamming.

The fact that they are not participating in this debate, and have not
replied *in any way* to any of the abuse reports which they have
received, strongly suggests that they are not competent to do this and
will remain an active hazard to the rest of Usenet.

Sean> I will say this again, we do not spam, we are NOT the
Sean> originators of this spam nor are we affiliated with
Sean> Mr. Middleton or anything he may be doing.

You are affiliated in the sense that you are the (apparently sole, or
at least key) upstream site for a site that is providing access to
Usenet for one of the worst forgers currently active, and one of the
biggest single spam sources.

--
Andrew.

Howard Knight

Oct 8, 1998, 3:00:00 AM
Andrew Gierth (and...@erlenstar.demon.co.uk) wrote:

: Sean> or we will cut their news feed (as required by the contract we
: Sean> have with them). From what they have told me and what I have
: Sean> seen their box is totally open to the world
:
: Indeed - and yet you continue to accept articles from them? This is
: intolerable.

Funny thing is, the poshnet server became open after David started
complaining about it. Before that it was secure.

Howard

Andrew Gierth

Oct 8, 1998, 3:00:00 AM
>>>>> "Howard" == Howard Knight <how...@connectnet.com> writes:

AG> Indeed - and yet you continue to accept articles from them? This is
AG> intolerable.

Howard> Funny thing is, the poshnet server became open after David
Howard> started complaining about it. Before that it was secure.

See my other post for why. The above was written and posted seconds
before I discovered the poshnet->Empire link.

--
Andrew.

Doug Mackall

Oct 8, 1998, 3:00:00 AM
In article <H7aT1.1$yb.7...@news.connectnet.com>, how...@connectnet.com
says...

>Andrew Gierth (and...@erlenstar.demon.co.uk) wrote:
>
>: Sean> or we will cut their news feed (as required by the contract we
>: Sean> have with them). From what they have told me and what I have
>: Sean> seen their box is totally open to the world
>:
>: Indeed - and yet you continue to accept articles from them? This is
>: intolerable.
>
>Funny thing is, the poshnet server became open after David started
>complaining about it. Before that it was secure.

I prefer it open myself.
It's far more effective to cancel the spew from there before it gets
flushed downstream.

--

SubGenius Police, Usenet Tactical Unit (Mobile), aka S.P.U.T.U.M.
Unit C: "Thou Shalt Not Pass Light Speed!"
The Eternally Recondite Master Interdictor, Network Attack Legion(TERMINAL)
http://www.sputum.com/

Bunny

Oct 8, 1998, 3:00:00 AM
In article <361D1BAB...@hostcomm.net>, Sean says...

[skip preliminaries]

>I am including an email I received and would like to know who this person is
>and what does he think he is doing by threatening us. We will not stand for
>this nor allow it to continue. We are working on this problem and do not need
>people like him to give us this type of crap.
>
>Sean
>
>--------- Start of Message ---------
>Date: Wed, 07 Oct 1998 01:24:19 GMT
>From: Lysander Spooner <buch...@cybernex.net>
>To: use...@newssource.hostcomm.net
>Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed through
>newsfeed.poshnet.com [2]
>Newsgroups: news.admin.net-abuse.usenet
>
>> I'm sorry I was unable to respond before today. About this
>>problem with poshnet,
>>
>>1. We are only a bandwidth provider for them, which includes a full news
>> feed.
>
>You mean "spam feed".

[snip].....

Mr. Spooner is one of several despammers who keep their homemade
cancelbots going 24/7 trying to rid Usenet of all the spam pouring
in from places like poshnet.com. It is a pretty hard job, and all
they get out of it is the satisfaction of knowing that they have
done their best to help keep the Usenet newsgroups fairly clean.

From 30 September through 6 October 1998, these guys cancelled
701,388 articles, including 33,885 which came from poshnet.com.
That is 33,885 too many articles, and 33,885 too many cancels.
You can put an end to all of this simply by taking Andrew Gierth's
advice: cut poshnet.com off NOW.

You will have to forgive Mr. Spooner for being rude to you. He
cancelled more than 167,000 articles last week, and he is kind
of tired.

Meow

Fluffy -- The Other White Meat

Oct 9, 1998, 3:00:00 AM
On 8 Oct 1998, Andrew Gierth wrote:

> If poshnet want to run a public-posting server, they need to realise
> that it is *very hard* to secure such an installation against the
> abuse that *will* be heaped on it. They need to filter out not only
> spam, but also locally-posted control messages, Supersedes, flooding
> attacks and forgeries, and they need to be prepared to block
> *INSTANTLY* any poster who abuses their system in spite of such
> filters. But that is irrelevant to the issue of Middleton's spamming.
>
> The fact that they are not participating in this debate, and have not
> replied *in any way* to any of the abuse reports which they have
> received, strongly suggests that they are not competent to do this and
> will remain an active hazard to the rest of Usenet.

And a very competently-run swerver it is, it is....

ne...@news-feed.inet.tele.dk:/news/spool/out>telnet newsfeed.poshnet.com 119
Trying 206.58.210.180...
Connected to newsfeed.poshnet.com.
Escape character is '^]'.
200 newsfeed.poshnet.com InterNetNews NNRP server INN 1.7.2 08-Dec-1997 ready (posting ok).
list active *pedo*
215 Newsgroups in form "group high low flags".
alt.sex.pedophile 0000018728 0000018721 y
alt.sex.pedophile.mike-labbe 0000084654 0000084642 y
alt.sex.pedophilia 0000284522 0000284489 y
alt.sex.pedophilia.girls 0000226239 0000226195 y
alt.sex.pedophilia.glenn.webb 0000000900 0000000896 y
alt.sex.pedophilia.jim-kennemur 0000000718 0000000713 y
alt.sex.pedophilia.linda-and-kuibob 0000000717 0000000714 y
alt.sex.pedophilia.pictures 0000230373 0000230343 y
alt.sex.pedophilia.swaps 0000206070 0000206045 y
news.pedophile.john-gilmore 0000000000 0000000001 y
talk.pedophilia.erland-sommarskog 0000000002 0000000003 y
alt.pedophile.bruce-baugh 0000000000 0000000001 y
news.pedophile.dave-barr 0000000000 0000000001 y
talk.pedophilia.ian-hayes 0000000001 0000000002 y
soc.culture.pedophile.david-bromage 0000000000 0000000001 y
alt.pedophile.gary-burnore 0000000000 0000000001 y
soc.culture.pedophile.thomas-allard 0000000000 0000000001 y
soc.culture.pedophile.grady-booch 0000000001 0000000002 y
soc.culture.pedophile.daniel-hartung 0000000000 0000000001 y
alt.pedophile.daniel-hartung 0000000000 0000000001 y
alt.pedophile.bruce-ediger 0000000000 0000000001 y
news.pedophile.tzimon-yliaster 0000000004 0000000005 y
talk.pedophilia.jan-isley 0000000001 0000000002 y
soc.culture.pedophile.craig-sherwood 0000000001 0000000002 y
news.pedophile.felix-tilley 0000000001 0000000002 y
soc.culture.pedophile.jan-isley 0000000001 0000000002 y
alt.pedophile.matthew-fields 0000000001 0000000002 y
soc.culture.pedophile.david-westebbe 0000000001 0000000002 y
soc.culture.pedophile.rick-buchanan 0000000002 0000000003 y
news.pedophile.otto-makela 0000000000 0000000001 y
news.pedophile.ronald-guilmette 0000000000 0000000001 y
.
post
340 Ok


Howard Knight

Oct 9, 1998, 3:00:00 AM
David Ritz (dr...@primenet.com) wrote:

: Please keep in mind, several of us have been dealing with the
: Middleton, (spam)Empire2 abuse for well over a year.

Almost two years! Attached is a letter I sent to xmission.com
(Middleton's first news feed) almost two years ago.

Howard

--------------------------------cut here--------------------------------
Date: Tue, 31 Dec 1996 08:58:52 -0800
From: howardk (Howard Knight)
To: ab...@elix.net, bi...@xmission.com, howardk, postm...@elix.net,
postm...@empire2.com, secu...@elix.net, sup...@elix.net
Subject: ALERT! Empire Communications, Inc. is Abusing Your Site!

Dear System's Administrator,

This letter is to inform you that your customer Empire
Communications, Inc. has been using your resources to abuse Usenet.
ECI has been spamming the newsgroups with ads for their sex web
pages. They apparently have their own news server and get their news
feed from XMISSION.COM. All complaints to EMPIRE2.COM are ignored
and unanswered. This is not surprising since they are in charge of
all of the sex web pages that are being advertised. (Please see the
attached spam article from ECI below.)

ECI is in charge of the following domains:

XXXDREAMS.NET
XXXFANTASY.NET
XXXSEX.NET
123ADULT.COM
123FANTASY.COM
ABSLT.COM
ADULT123.COM
ADULTDREAM.COM
ADULTSEX.NET
EMPIRECOM.NET
FANTASY123.COM
GAYDREAMS.COM
SEXCITY.NET
SEXFANTASY.NET
SINCITY.NET
XXXPORN.NET
CYBERPORN.NET
ADULTPLAYGROUND.NET
EMPIRE2.COM <---- site of the news server
EXXXCITE.COM

Please take action against ECI. ECI has proven itself to be one
of the biggest newsgroup abusers on the internet. ECI appears to
be a rogue company and is abusing/vandalizing Usenet.

Best regards,

Howard Knight

------------------------------cut here----------------------------
> Path: netcom.com!www.nntp.primenet.com!nntp.primenet.com!
> newspump.sol.net!howland.erols.net!newsfeed.internetmci.com!
> xmission!news.empire2.com!ne...@empire2.com
> From: Lillith (Lillith)
> Newsgroups: alt.sex.first-time,alt.sex.gangbang,alt.sex.girls,
> alt.sex.homosexual,alt.sex.marketplace,
> alt.sex.masterbation,alt.sex.masturbation,alt.sex.pictures,
> alt.sex.pictures.female,alt.sex.pictures.male,
> alt.sex.prostitution,alt.sex.services,alt.sex.spanking,
> alt.sex.stories.bondage,alt.sex.stories.d,
> alt.sex.stories.gay,alt.sex.stories.hetero,
> alt.sex.stories.incest,alt.sex.strip-clubs,
> alt.sex.swingers,alt.sex.voyeurism,
> alt.binaires.pictures.erotica.teen
> Subject: I FOUND THE BEST IN HARDCORE XXX
> Date: 30 Dec 1996 19:19:42 GMT
> Organization: News Server
> Lines: 13
> Message-ID: <5a94ke$1t...@news.empire2.com>
> NNTP-Posting-Host: matt.empire2.com
> Mime-Version: 1.0
> Content-Type: Text/Plain; charset=US-ASCII
> X-Newsreader: WinVN 0.99.8 (beta 2)
>
> If your looking for a GREAT SELECTION OF HARDCORE XXX pics and Movies,
> I found the PLACE for you! They have the largest selection of XXX HARDCORE
> pics and MOVIES I have found anywhere! They also have great XXX HOT CHAT and
> a FREE XXX SECTION for anyone that wants the pics. Go check them out, you'll
> love it!! Look for me in the chat section, I love to talk nasty!
>
> Here is the address:
>
> http://www.happytime.com/
>
> Lillith...
>
>

Lysander Spooner

Oct 9, 1998, 3:00:00 AM
On 8 Oct 1998 21:55:27 -0700, play...@newsguy.com (Bunny) wrote:

>You will have to forgive Mr. Spooner for being rude to you. He
>cancelled more than 167,000 articles last week, and he is kind
>of tired.

I appreciate the support, Bunny, but I wasn't rude because I'm tired.

I was rude because I don't like lying scumbags.

This cretin would have us believe that the spammer is a customer of
Poshnet, and that Poshnet is a customer of Hostcomm.

Bullshit.

The spammer IS Poshnet...

... and Poshnet IS Hostcomm.

Also, it seems that two layers of InterNIC sock-puppetry isn't enough
for these vandals. Hostcomm's upstream -- pdxfiber.net -- is yet
another cardboard facade. So...

...... Hostcomm IS PDXfiber. Lots of names, one gang of spammers.

Anybody care to see the evidence, or shall I leave it as an exercise
for the reader?

(BTW, upstream from PDXfiber is the first legitimate outfit, Verio.net
-- the same provider that pulled the plug on the Middleton Mafia a few
months back. I recommend that all complaints be sent there.)

-- Rick
-------------
** non illegitimi carborundum **


Lysander Spooner

Oct 9, 1998, 3:00:00 AM
On Thu, 08 Oct 1998 13:08:11 -0700, Sean <use...@hostcomm.net> wrote:

>I am including an email I received and would like to know who this person is

That would be me.

* Real name -- Rick Buchanan.

* _nom-de-guerre_ -- Lysander Spooner

* Primary email address -- buch...@cybernex.net

* Cancelbot identity and email -- lysa...@exit109.com

* Mission in Life -- Fucking with parasitic spam-scum like you.

>and what does he think he is doing by threatening us.

Er, I thought I was clear. I said I was going to retask all my
cancelbots to devote all their time to nuking the crap coming from
your sewer^H^H^Hrver.

What part has you confused?

(I am deeply frustrated that Andrew's much faster bot is nailing most
of your crap before I even see it, BTW.)

>We will not stand for this nor allow it to continue.

And what, pray tell, do you intend to do about it?

>We are working on this problem and do not need
>people like him to give us this type of crap.

You are a liar, pink-boy.

Fuck off and die.

-- Rick
-----------
** Slowly and painfully if possible **

wer...@ccwf.cc.utexas.edu

Oct 9, 1998, 3:00:00 AM
quoting use...@hostcomm.net :
..
... <snip>...
..
: About our "New" feeds, they are not new, we have had those feeds
: as long as the others.

funny you shouldn't mention how long that is.
do you feel that that's because you are "so new" that all your
newsfeeds are not "new" but (relatively) "old" rather ?!?
(is that a variation on the theme "depends what the definition
of 'is' is" ?!?)


: Why you just now see that is beyond me. If we are under such
: a microscope you should have known all the feeds we have.


well, let's see then. What evidence do we have for the jury :

Registrant:
HostCom, Inc. (HOSTCOMM2-DOM)
...
Record last updated on 05-Sep-98.
Record created on 24-Aug-98.

Registrant:
Posh Net (POSHNET-DOM)
...
Record last updated on 03-Sep-98.
Record created on 28-Aug-98.


: I will say this again, we do not spam, we are NOT the originators of this
: spam nor are we affiliated with Mr. Middleton or anything he may be doing.

one look at the HOSTCOMM and POSHNET domain NIC-records, one sniff
of what you are spouting in defense of both operations, and reading
the mounting evidence presented in this thread already...
...and there is little doubt left but that HOSTCOMM is a front for
POSHNET which is a front for...

the proof is in the pudding...

...but, on the off-chance that you are "just new here" here's one
last hint at how you can get yourself out of this mess:


: We have spoken with Poshnet and they promised us this spam problem will stop.
: We have given them 2 weeks to fix their problems or we will cut their news
: feed (as required by the contract we have with them). From what they have
: told me and what I have seen their box is totally open to the world and they
: are working very hard on getting their spam filters working correctly. They
: have also told me they will "close" the doors to their box if they can not get
: this problem solved, until they have this fixed.

now let's compare that with what a reputable USEnet site would tell
a "questionable" feed:

We have set up a peering agreement last month,
between your newsserver and our newsfeed server,

I would like to know what action you will take
to prevent further spreading of spam.

I have closed the upstream from your server to
our server to prevent that our server is used
to spread spam. The downstream from our server
to your server is left intact.

I have to close this feed when you do not respond
or when no action is taken.

oh, but that looks familiar to you, doesn't it?!?
well, why, that's because that's what you have been told by one
of your peers already, and you should expect to hear from others
shortly....

what's that? you can't do that to POSHNET? because your
contract doesn't allow for it? Well, that makes YOU the
problem, actually, and all your peers should immediately
stop accepting your feed. The Usenet-2 spirit, you know...
(nah, you probably don't, but NOW you do! :-)

P.S. actually, calling it "Usenet-2 spirit" is a misnomer, because we
felt that way in Usenet from the beginning, it's just that we didn't
have this kind of scum and slime online back then, so such sentiments
never had to be verbalized... shunning by all existing feeds would
have been instant and without any discussions.

Lysander Spooner

Oct 9, 1998, 3:00:00 AM
On 9 Oct 1998 09:55:39 -0500, wer...@ccwf.cc.utexas.edu wrote:

> well, let's see then. What evidence do we have for the jury :
>
>Registrant:
>HostCom, Inc. (HOSTCOMM2-DOM)
>...
> Record last updated on 05-Sep-98.
> Record created on 24-Aug-98.
>
>Registrant:
>Posh Net (POSHNET-DOM)
>...
> Record last updated on 03-Sep-98.
> Record created on 28-Aug-98.

> one look at the HOSTCOMM and POSHNET domain NIC-records, one sniff
> of what you are spouting in defense of both operations, and reading
> the mounting evidence presented in this thread already...
> ...and there is little doubt left but that HOSTCOMM is a front for
> POSHNET which is a front for...

And PDXFIBER.net (Hostcomm's upstream) is a front for HOSTCOMM.

>Registrant:
>PdxFiber (PDXFIBER-DOM)
>...
> Record last updated on 04-Sep-98.
> Record created on 11-Aug-98.
> Database last updated on 9-Oct-98 04:24:56 EDT.

It's like an onion. Lots of layers, and they all stink.

-- Rick

David Ritz

Oct 9, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

[posted and mailed, Bcc, to appropriate upstream contacts]

On Fri, 9 Oct 1998, Lysander Spooner wrote:

:
I'd made a mental note of some significant happenings around the
end of August. This was about the time Andrew was seriously
busting Middleton's chops. It's also the time period in which the
nwregion.net fraud, forgery and spam factory went on hiatus.

Earlier in this thread, in
<Pine.BSI.3.96.981006...@usr10.primenet.com>, I
posted some of the Spam Cancel Statistics relating to the
Middleton operation.

|19980227.scs: 1664 ["webserver.com"-forgery]!*
|19980227.scs: 948 news.structured.net!["webserver.com"-forgery]!*
|19980227.scs: 716 inetarena.com!["webserver.com"-forgery]!*
|19980228.scs: 1095 ["webserver.com"-forgery]!*
|19980228.scs: 1023 news.structured.net!["webserver.com"-forgery]!*
|19980302.scs: 784 ["webserver.com"-forgery]!*
|19980302.scs: 436 inetarena.com!["webserver.com"-forgery]!*
|19980303.scs: 1864 ["webserver.com"-forgery]!*
|19980303.scs: 1523 news.structured.net!["webserver.com"-forgery]!*
|19980303.scs: 341 inetarena.com!["webserver.com"-forgery]!*

<...>


|19980816.scs: 5127 [nwregion.net-forgery]!*
|19980816.scs: 5023 news.or.nw.verio.net![nwregion.net-forgery]!*
|19980817.scs: 3175 [nwregion.net-forgery]!*
|19980817.scs: 2947 news.or.nw.verio.net![nwregion.net-forgery]!*
|19980817.scs: 156 ai-lab![nwregion.net-forgery]!*
|19980818.scs: 2338 [nwregion.net-forgery]!*
|19980818.scs: 2099 news.or.nw.verio.net![nwregion.net-forgery]!*
|19980818.scs: 171 ai-lab![nwregion.net-forgery]!*
|19980819.scs: 168 news.or.nw.verio.net![nwregion.net-forgery]!*
|- ----=---- -
|19981004.scs: 6670 [nwregion.net-forgery]!*
|19981004.scs: 6670 newsfeed.poshnet.com![nwregion.net-forgery]!*
|19981005.scs: 8305 [nwregion.net-forgery]!*
|19981005.scs: 8305 newsfeed.poshnet.com![nwregion.net-forgery]!*

It looks like Matt and company began setting up their domains for
the next set of suckers to give them newsfeeds, just about the
time the last well ran dry.

Let's see what's transpired, since I first reported this in
nana.sightings, Thu, 1 Oct 1998 19:07:29 -0700.

19981002.scs: 9256 newsfeed.poshnet.com!
19981002.scs: 5564 newsfeed.poshnet.com!cilogic!*
19981002.scs: 3642 newsfeed.poshnet.com!datats!*
19981003.scs: 685 newsfeed.poshnet.com!
19981003.scs: 672 newsfeed.poshnet.com!datats!*


19981004.scs: 6670 [nwregion.net-forgery]!*
19981004.scs: 6670 newsfeed.poshnet.com!
19981004.scs: 6670 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981004.scs: 6670 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981005.scs: 8305 [nwregion.net-forgery]!*
19981005.scs: 8305 newsfeed.poshnet.com!
19981005.scs: 8305 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981005.scs: 8305 newsfeed.poshnet.com![nwregion.net-forgery]!*

19981006.scs: 8276 [nwregion.net-forgery]!*
19981006.scs: 8276 newsfeed.poshnet.com!
19981006.scs: 8276 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981006.scs: 8276 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981007.scs: 7802 [nwregion.net-forgery]!*
19981007.scs: 7802 newsfeed.poshnet.com!
19981007.scs: 3687 @newsfeed.poshnet.com
19981007.scs: 7802 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981007.scs: 7802 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981008.scs: 3515 [nwregion.net-forgery]!*
19981008.scs: 3515 newsfeed.poshnet.com!
19981008.scs: 3515 newsfeed.poshnet.com![nwregion.net-forgery]!*
19981008.scs: 3515 newsfeed.poshnet.com![nwregion.net-forgery]!*

: It's like an onion. Lots of layers, and they all stink.

And here I thought it smelled of tinned, processed, pink pork
product.

--
David Ritz <dr...@primenet.com> Finger for PGP Public Keys
Fight against spam & spammers. http://spam.abuse.net
Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
** Be kind to animals. - Kiss a shark. **


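
The per-path counts quoted in the post above can be reproduced from raw article headers. The following Python is an added example, not code from the thread or from whatever tool produced the .scs files: it unfolds each Path header, finds the leftmost entry belonging to a domain the analyst has already judged forged, and counts the site immediately to its left, which is the first relay that accepted the article. The function names, the sample articles and the hosts reader.example and transit.example are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample articles (headers, blank line, body). reader.example and
# transit.example are placeholder hosts; the other names appear in the thread.
SAMPLE_ARTICLES = [
    "Path: reader.example!newssource.hostcomm.net!newsfeed.poshnet.com!"
    "news.nwregion.net!not-for-mail\nSubject: a\n\nbody\n",
    # Folded Path header: continuation lines start with a space or a tab.
    "Path: reader.example!transit.example!\n"
    " newssource.hostcomm.net!newsfeed.poshnet.com!\n"
    "\tNWREGION.NET!not-for-mail\nSubject: b\n\nbody\n",
    # No forged entry: must not be counted.
    "Path: reader.example!transit.example!not-for-mail\nSubject: c\n\nbody\n",
    # Forged entry is leftmost, so no accepting relay is visible.
    "Subject: d\nPath: news.nwregion.net!not-for-mail\n\nbody\n",
    # A "Path:" line in the body is not a header and must be ignored.
    "Subject: e\nPath: reader.example!not-for-mail\n\n"
    "Path: x!news.nwregion.net!y\n",
]


def header_value(article, name):
    """Return the unfolded value of the first header `name`, or None."""
    wanted = name.lower() + ":"
    parts, collecting = [], False
    for line in article.splitlines():
        if not line.strip():          # blank line ends the header block
            break
        if line[0] in " \t":          # continuation of the previous header
            if collecting:
                parts.append(line.strip())
            continue
        if parts:                     # first occurrence has been read fully
            break
        collecting = line.lower().startswith(wanted)
        if collecting:
            parts.append(line[len(wanted):].strip())
    return " ".join(parts) if parts else None


def path_entries(article):
    """Split the Path header into lower-cased entries, newest relay first."""
    value = header_value(article, "Path")
    if value is None:
        return []
    return [e.strip().lower() for e in value.split("!") if e.strip()]


def forged_domain_of(entry, forged_domains):
    """Return the forged domain that `entry` belongs to, or None."""
    for domain in forged_domains:
        if entry == domain or entry.endswith("." + domain):
            return domain
    return None


def accepting_relay(entries, forged_domains):
    """Return (relay, domain) for the leftmost forged entry, or None.

    Each relay prepends its own name, so the entry just left of the first
    forged one is the first site that accepted the article.
    """
    for i, entry in enumerate(entries):
        domain = forged_domain_of(entry, forged_domains)
        if domain:
            return (entries[i - 1] if i > 0 else None), domain
    return None


def tally(articles, forged_domains):
    """Count articles per (accepting relay, forged domain)."""
    counts = Counter()
    for article in articles:
        hit = accepting_relay(path_entries(article), forged_domains)
        if hit:
            counts[hit] += 1
    return counts


def report(counts):
    """Format the counts in the 'relay![domain-forgery]!*' style of the post."""
    lines = []
    for (relay, domain), n in counts.most_common():
        prefix = f"{relay}!" if relay else ""
        lines.append(f"{n:6d} {prefix}[{domain}-forgery]!*")
    return lines


if __name__ == "__main__":
    # nwregion.net is the domain the thread treats as forged.
    for line in report(tally(SAMPLE_ARTICLES, ["nwregion.net"])):
        print(line)
```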


Bunny

Oct 9, 1998, 3:00:00 AM
In article <361fb5e9...@209.242.64.104>, buch...@cybernex.net says...

>
>On 8 Oct 1998 21:55:27 -0700, play...@newsguy.com (Bunny) wrote:
>
>>You will have to forgive Mr. Spooner for being rude to you. He
>>cancelled more than 167,000 articles last week, and he is kind
>>of tired.
>
>I appreciate the support, Bunny, but I wasn't rude because I'm tired.

Well, if you *weren't* tired, you *should* have been. That is a lot
of work, and you've been doing it a long, long time.

>I was rude because I don't like lying scumbags.

I know, but I didn't want to be quite so blunt.

>This cretin would have us believe that the spammer is a customer of
>Poshnet, and that Poshnet is a customer of Hostcomm.

The further evidence posted here shows this to not be true.

>Bullshit.

I wouldn't be quite so blunt, but it looks like you've hit the nail
right on the head.

>The spammer IS Poshnet...
>
>... and Poshnet IS Hostcomm.
>
>Also, it seems that two layers of InterNIC sock-puppetry isn't enough
>for these vandals. Hostcomm's upstream -- pdxfiber.net -- is yet
>another cardboard facade. So...
>
>...... Hostcomm IS PDXfiber. Lots of names, one gang of spammers.
>
>Anybody care to see the evidence, or shall I leave it as an exercise
>for the reader?

All of the above appears to be correct.

>(BTW, upstream from PDXfiber is the first legitimate outfit, Verio.net
>-- the same provider that pulled the plug on the Middleton Mafia a few
>months back. I recommend that all complaints be sent there.)

whois verio.net?

Registrant:
Verio, Inc. (VERIO2-DOM)
9250 East Costilla, Suite 400
Englewood, CO 80112
US

Domain Name: VERIO.COM

Administrative Contact:
Phipps, Lawrence (LP865) lph...@VERIO.NET
303 645-1900 (FAX) 303 792-3869
Technical Contact, Zone Contact:
Verio Hostmaster (VH19-ORG) hostm...@VERIO.NET
tel.: 214 290-8620
Fax- .: 214 744-0740
Billing Contact:
DNS Billing (DB350-ORG) dns-b...@VERIO.NET
303-645-1982
Fax- 303-694-1287

Record last updated on 21-Jan-98.
Record created on 07-Dec-96.
Database last updated on 21-Jun-98 03:52:29 EDT.

Domain servers in listed order:

NS0.VERIO.NET 205.238.52.46
NS1.VERIO.NET 204.91.99.140


The InterNIC Registration Services database contains ONLY
non-military and non-US Government Domains and contacts.
Other associated whois servers:
American Registry for Internet Numbers - whois.arin.net
European IP Address Allocations - whois.ripe.net
Asia Pacific IP Address Allocations - whois.apnic.net
US Military - whois.nic.mil
US Government - whois.nic.gov

Sam Hayes Merritt, III

Oct 11, 1998, 3:00:00 AM
On Fri, 09 Oct 1998 14:59:37 GMT, buch...@cybernex.net (Lysander
Spooner) wrote:

>(BTW, upstream from PDXfiber is the first legitimate outfit, Verio.net
>-- the same provider that pulled the plug on the Middleton Mafia a few
>months back. I recommend that all complaints be sent there.)

That's pushing the use of the word 'legitimate'.
Verio is a very scattered and very rogue outfit in general.

Sam

Henrietta K. Thomas

Oct 11, 1998, 3:00:00 AM
In news.admin.net-abuse.usenet on Sun, 11 Oct 1998 04:13:13 GMT,

They're trying to set up a national network by buying up small
ISPs across the country. They have done a lot of damage on
the way, cutting corners and dumping personnel, because they
need the money for continued expansion. They just took over
WorldWide Access in Chicago, and we are having some very
serious problems right now. I don't know how it will all wash out;
old-timers are bailing out of WWA, and I may take a hike myself.
It is too bad, because WWA *was* a good outfit when I first joined
3 years ago.

In defense of Verio, let me say that they *did* cut Middleton off
once before, and I hope they will do so again. I would not consider
Verio to be a "very rogue outfit in general". It would be more realistic
(IMO) to say that they often just don't know what they're doing and
don't realize the damage that can occur if they don't keep an eye
out for spammers.

Henrietta K. Thomas
us.* hierarchy coordinator
usa...@wwa.com
---
Support the new, improved us.* hierarchy! Ask your news admin
to get the list of active groups from usa...@wwa.com.

r...@netgate.net

Oct 12, 1998, 3:00:00 AM
In <36206625...@news.wwa.com>, usa...@wwa.com (Henrietta K. Thomas) writes:

>I don't know how it will all wash out;
>old-timers are bailing out of WWA, and I may take a hike myself.
>It is too bad, because WWA *was* a good outfit when I first joined
>3 years ago.

Might as well get your boots out: I have yet to see anyone say "I'm so
glad Verio came in and bought out my ISP". Their MO is to buy up ISPs
that achieved local success because their owners gave a damn about good
service and good netizenship, then turn them into the equivalent of
fast food franchises.

>In defense of Verio, let me say that they *did* cut Middleton off
>once before, and I hope they will do so again.

Of course, the 64000 baud question is "Why?". Based on their past
(lack of) performance, I'd guess it was because they discovered that
spamming on the scale that Middleton employs has short-term economic
consequences, not just long-term ones.

>It would be more realistic
>(IMO) to say that they often just don't know what they're doing and
>don't realize the damage that can occur if they don't keep an eye
>out for spammers.

Yup. And more realistic still to say that they're just a bunch of suits
who think the Net is just a bunch of wires and boxes strung together,
and have no concept of the social fabric that constitutes the real
Internet, and makes it possible for all those wires and boxes to do
useful work, and generate value and income. It's dollars-to-donuts*
that not one person in ten with any influence on their policy even reads
Usenet on a regular basis.

Ran

* This is meant in its traditional sense. It occurs to me that this is
now perilously close to an even-money bet. I guess we need a
replacement now...

use...@newssource.hostcomm.net

Oct 12, 1998, 3:00:00 AM
to David Ritz
All concerned,

I will reply by item........

On Fri, 9 Oct 1998, David Ritz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Thu, 8 Oct 1998, Sean wrote:
>
> : David and all concerned,
> :
> : We have spoken with Poshnet and they promised us this spam problem
> : will stop. We have given them 2 weeks to fix their problems or we
> : will cut their news feed (as required by the contract we have with
> : them).
>
> If this "contract" was written under fraudulent pretenses, it is
> null and void already. Contact your attorney and cut this feed
> immediately
>
> If it's too much to ask you to cut the feed, just route the spam to
> /dev/null. This should not be a problem, as better than 99.9995%
> of all packets being fed through you from Poshnet is spam.
>
> : From what they have told me and what I have seen their box
> : is totally open to the world and they are working very hard on
> : getting their spam filters working correctly.
>
> This has nothing to do with filters. Poshnet is the source of the
> spam. They are lying to you, in order to stall and gain
> additional time to continue this assault on Usenet.

This is not what they are doing, we have been working with them to end
this problem. That is why root access to both machines.

>
> They lied to me, after I filed my initial report over a week ago,
> when they claimed they knew nothing about the mystery peer they
> say doesn't exist. This lie was good enough to hold me back from
> going to the upstreams and requesting that newsfeeds be whacked,
> through this past weekend.
>
> No response, no change in status and I went to your newsfeeds.

They did respond to you, I have seen the email from them to you.

>
> Only after I'd taken that step, did you finally notice I mean
> business, quite literally. Then you lied to me, when you said,
> my second report, including my analysis which I continue to stand
> by, was the only "complaint" you'd received. I now have
> confirmation from at least two other sources, that when you made
> that statement, it was not true.
>
> Why are you lying to me, if you have nothing to hide?

I am not lying, I would like to see those other two sources. Yours
was the ONLY one I have received until this started; then I have received more
from you and Andrew, just threats from Rick.

>
> : They have also told
> : me they will "close" the doors to their box if they can not get this
> : problem solved, until they have this fixed.
>
> They are in complete control of their server. This server was
> closed, when I first detected it. It was secure throughout the
> weekend. Now it's opened and being heavily abused by the usual
> open-port rapists. Would you like to take credit for this
> additional spew passing through your server? If not, shut down
> this spam-feed from a rogue operation, now.

Their server was closed till they thought they had spam filters working
correctly this is true. After they thought they had it configured they
opened it back up. It has proved they did not have it working and I have
been working with them to fix this. I am the first to admit we are not
seasoned news admins like some of you, but we are trying and learning, we
would much rather have your help than just accuse us of producing this
spam which we are not.

>
> This server was opened in order to try and disguise the Empire2
> operation. It is part of the same elaborate ruse. Rather than
> making things better, it makes Hostcomm an even larger spam conduit
> and a greater threat to Usenet.

Also not what they are trying to do. As I have told you they are trying to
build an open news server one that is better than deja news.

>
> Poshnet is accepting a newsfeed from this unnamed Empire2 server,
> the identity of which continues to morph and will continue to do
> so until it is closed down. Not one article coming from this
> Empire2 box has been POSTed to Poshnet. These are arriving
> TAKETHIS or IHAVE.

Honestly I don't know about this and I really don't know how to check
this. Again help would be appreciated.

>
> newsfeed.poshnet.com is not open to TAKETHIS or IHAVE. I checked
> and invite you to do the same.
>
> : About our "New" feeds, they are not new, we have had those feeds as
> : long as the others. Why you just now see that is beyond me. If we
> : are under such a microscope you should have known all the feeds we
> : have.
>
> The point is, I have noticed them and I will continue to request
> that they drop your feed, so long as Hostcomm continues to be the
> route this spew is taking to the news stream.

We are not the route, we are trying to end this problem.

>
> : I will say this again, we do not spam, we are NOT the originators of
> : this spam nor are we affiliated with Mr. Middleton or anything he
> : may be doing.
>

> Good. Now stop the flood and we can all go home. Until this
> happens, you are very much a part of the problem.
>
> While the folks at Poshnet may have total dominion over their box,
> you, too, are in control of what happens on your box, including
> the propagation of high volume EMP to Usenet. You may not be the
> source of it, but you damn well are responsible for it, as it
> leaves your news box.
>
> [snip Rick's "worst cop" rant]
>
> Please keep in mind, several of us have been dealing with the
> Middleton, (spam)Empire2 abuse for well over a year. We do tend
> to lose patience, quickly, when so much effort is put toward
> resisting motion along the learning curve.

We are not resisting nor are we against learning. We are trying here. As I
have said before I do not know who Middleton is or what he did to you
before but it has nothing to do with us.

>
> : David Ritz wrote:
> :
> : > -----BEGIN PGP SIGNED MESSAGE-----
> : >
> : > I thought I'd take a moment, to provide a short update.
> : >
> : > The situation has become significantly worse, in regard to the
> : > spam flowing freely from newsfeed.poshnet.com through
> : > newssource.hostcomm.net.
> : >
> : > XCOM has re-established the feed they severed on 1998.10.06.
> : >
> : > is-europe.net continues to provide a route to the news-backbone
> : > for this high-volume spew.
> : >
> : > Several new feeds have been established, including telstra.net,
> : > pdxfiber.net, eu.concert.net and enteract.com.
> : >
> : > Instead of using a load of bandwidth, to rehash what I posted to
> : > nana.sightings, today, I'll refer your attention to
> : > <url:news:Pine.BSI.3.96.981007...@usr10.primenet.com>
> : >
> : > I will include the results of two queries quoted in this sightings
> : > report. I believe it provides a telling tale.
>

> You know, I find it extremely interesting, that you should end your
> quote-back here. You managed to delete the strongest evidence to
> date, that Hostcomm is part and parcel of this scam. You cut out
> the part which showed that the article counts, byte counts and BI
> for all articles received from Hostcomm were identical to those
> received from Poshnet.

I ended it because last time I included everything in my reply I was told
that was not acceptable. As you can see I'm including everything.


>
> Instead of simply putting it back in, I'd rather include the data
> I posted Thu, 8 Oct 1998 12:46:30 -0700, in
> <url:news:Pine.BSI.3.96.981008...@usr10.primenet.com>.
>
> Please note, Oliver Wedel <ow[munge]linknet.com> received the
> report as a courtesy notification of the LinkNet.com domain
> forgery.
>
> |Newsgroups: news.admin.net-abuse.sightings
> |Date: Thu, 8 Oct 1998 12:46:30 -0700
> |From: David Ritz <dr...@primenet.com>
> |To: ad...@samson.enteract.com, ro...@enteract.com, g...@telstra.net,
> | postm...@telstra.net, use...@nico.telstra.net,
> | hostm...@eu.concert.net, postm...@eu.concert.net,
> | ab...@is-europe.net, ne...@is-europe.net
> |cc: ow[munge]uselink.net, David Ritz <dr...@primenet.com>
> |Subject: You are propatating a rogue newsfeed! (middleton/poshnet/hostcomm)
> |Message-ID: <Pine.BSI.3.96.981008...@usr10.primenet.com>
> |Followup-To: news.admin.net-abuse.usenet
>
> [snip]
>
> |========================================================================
> | Results for 08 Oct 1998 [approximately 11:18 (-0500)]
> |========================================================================
> |Posting summary for Path element newsfeed.poshnet.com (19981008-CDT)
> |
> | 1: 32754 1.0000 OIUY...@UYGEF.COM 131.183.88.64
> | alt.binaries.erotica f/f ct23 idx1---zip 8 Oct 1998 05:05:16
> | 2: 51310 1.0000 bre...@skirts.org 147.148.157.77
> | alt.binaries.picture tenta esta 10180 8 Oct 1998 05:05:29
> | 3: 54033 1.0000 DiXieDog@thepound 199.111.6.11
> | alt.binaries.erotica Photos From The Shac 8 Oct 1998 05:05:18
> | 4: 36683 1.0000 webm...@aicinc.org 204.130.249.143
> | alt.binaries.picture Do some serious anim 8 Oct 1998 05:05:30
> | 5: 25727 1.0000 FREE TRIAL BABE <fre 165.23.247.40
> | alt.binaries.erotica Meg Ryan pics - newm 8 Oct 1998 05:05:18
> |<...>
> | 1115: 52121 1.0000 newsfeed.poshnet.com
> | 1116: 176906 1.0000 newsfeed.poshnet.com
> | 1117: 52603 1.0000 newsfeed.poshnet.com
> | 1118: 46798 1.0000 newsfeed.poshnet.com
> | 1119: 132672 1.0000 newsfeed.poshnet.com
> | TOTALS ------- -------
> | 1119: 72276011 1119.0000
> |
> |========================================================================
> |Posting summary for Path element newssource.hostcomm.net (19981008-CDT)
> |
> | 1: 32754 1.0000 OIUY...@UYGEF.COM 131.183.88.64
> | alt.binaries.erotica f/f ct23 idx1---zip 8 Oct 1998 05:05:16
> | 2: 51310 1.0000 bre...@skirts.org 147.148.157.77
> | alt.binaries.picture tenta esta 10180 8 Oct 1998 05:05:29
> | 3: 54033 1.0000 DiXieDog@thepound 199.111.6.11
> | alt.binaries.erotica Photos From The Shac 8 Oct 1998 05:05:18
> | 4: 36683 1.0000 webm...@aicinc.org 204.130.249.143
> | alt.binaries.picture Do some serious anim 8 Oct 1998 05:05:30
> | 5: 25727 1.0000 FREE TRIAL BABE <fre 165.23.247.40
> | alt.binaries.erotica Meg Ryan pics - newm 8 Oct 1998 05:05:18
> |<...>
> | 1115: 52121 1.0000 newssource.hostcomm.net
> | 1116: 176906 1.0000 newssource.hostcomm.net
> | 1117: 52603 1.0000 newssource.hostcomm.net
> | 1118: 46798 1.0000 newssource.hostcomm.net
> | 1119: 132672 1.0000 newssource.hostcomm.net
> | TOTALS ------- -------
> | 1119: 72276011 1119.0000
>
> [snip]
>
> |========================================================================
> | Results for 07 Oct 1998 - [00:00:00 through 23:59:59 (-500)]
> |========================================================================
> |Posting summary for Path element newsfeed.poshnet.com (19981007-CDT)
> |
> | 1: 55241 1.0000 mrloo...@juno.org 207.19.142.164
> | alt.bainaries.pictur At home just put on 7 Oct 1998 05:32:32
> | 2: 136757 1.0000 xi...@hotmail.edu 199.179.164.205
> | alt.sex.fetish.tickl Nice pixYs - chao161 7 Oct 1998 05:31:37
> | 3: 43784 1.0000 julie...@aol.net ( 204.248.93.186
> | alt.bainaries.pictur BlackTeens ---- Hot 7 Oct 1998 05:32:36
> | 4: 126325 1.0000 Cor...@teen2000.COM 194.112.58.80
> | alt.sex.fetish.wet-a hot oil- flygrl103.t 7 Oct 1998 05:31:39
> | 5: 56791 1.0000 bi...@juno.edu 207.139.77.159
> | alt.binaries.picture whips and chains 7 Oct 1998 05:32:47
> |<...>
> | 5298: 66096 1.0000 newsfeed.poshnet.com
> | 5299: 99582 1.0000 newsfeed.poshnet.com
> | 5300: 558 1.0000 newsfeed.poshnet.com
> | 5301: 57333 1.0000 newsfeed.poshnet.com
> | 5302: 41144 1.0000 newsfeed.poshnet.com
> | TOTALS ------- -------
> | 5302: 242455828 5302.0000
> |
> |========================================================================
> |Posting summary for Path element newssource.hostcomm.net (19981007-CDT)
> |
> | 1: 55241 1.0000 mrloo...@juno.org 207.19.142.164
> | alt.bainaries.pictur At home just put on 7 Oct 1998 05:32:32
> | 2: 136757 1.0000 xi...@hotmail.edu 199.179.164.205
> | alt.sex.fetish.tickl Nice pixYs - chao161 7 Oct 1998 05:31:37
> | 3: 43784 1.0000 julie...@aol.net ( 204.248.93.186
> | alt.bainaries.pictur BlackTeens ---- Hot 7 Oct 1998 05:32:36
> | 4: 126325 1.0000 Cor...@teen2000.COM 194.112.58.80
> | alt.sex.fetish.wet-a hot oil- flygrl103.t 7 Oct 1998 05:31:39
> | 5: 56791 1.0000 bi...@juno.edu 207.139.77.159
> | alt.binaries.picture whips and chains 7 Oct 1998 05:32:47
> |<...>
> | 5298: 66096 1.0000 newssource.hostcomm.net
> | 5299: 99582 1.0000 newssource.hostcomm.net
> | 5300: 558 1.0000 newssource.hostcomm.net
> | 5301: 57333 1.0000 newssource.hostcomm.net
> | 5302: 41144 1.0000 newssource.hostcomm.net
> | TOTALS ------- -------
> | 5302: 242455828 5302.0000
>
> Now, just in case anyone missed that, for roughly a thirty-six (36)
> hour period, the output of Poshnet is byte-for-byte identical to
> that of the rogue Poshnet operation.
>
> Now that Andrew Gierth has presented credible and convincing
> evidence that someone at Empire2 has root access to Poshnet.com,
> there is no excuse for failing to terminate this feed immediately
> and without notice. Failing this, the only conclusion I can draw
> is that Hostcomm is part of this elaborate spam operation.
>
As I said, this ip range we were told we could use. We were told it was
unused and available. We have stopped using it.


> <aside>
> You know, I haven't seen anything quite this complex, since the
> NETZILLA forgery, fraud and pink pork factory shut down, last
> January. They went so far as operating nine (9) different
> newsboxes, in an attempt to cover their tracks.
>
I also do not know who or what they did. We have only one news box trying
to serve our clients.


> That didn't work, either.
>
> Please take a moment to realize that Jerry SpamZilla Reynolds
> managed to sweet talk his way into no fewer than twenty different
> newsfeeds and peering agreements, all of which were eventually
> queered. That took place within one six month period.
>
> Think about it. Jerry Reynolds is a professional liar.
> </aside>
>
> To date, I have seen not one shred of _evidence_ to indicate that
> this is not one big spam, forgery and fraud operation. I've only
> heard a lot of whining, and not very convincing whining at that.
> Maybe it's the lies which have accompanied the whining which leaves
> so much doubt in my mind.

Whining?????????? I keep answering your posts and emails to keep you
abreast of what is going on. Where I come from that is not whining.

>
> I'm not asking anyone to prove a negative. I know it cannot be
> done.
>
> Around here, evidence goes a lot farther than any amount of
> whining.
>
> I've shown you mine. Andrew showed you his. Now it's your turn.
>
> Shut down this feed.


>
> --
> David Ritz <dr...@primenet.com> Finger for PGP Public Keys
> Fight against spam & spammers. http://spam.abuse.net
> Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
> ** Be kind to animals. - Kiss a shark. **
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.5.3
> Comment: Finger:dr...@primenet.com for Public Keys
>

> -----END PGP SIGNATURE-----
>

.
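The per-Path-element comparison in the report quoted above (same article count and byte total for two adjacent servers) can be reproduced from raw article headers. This is an added example, not part of any post in this thread and not the tool the posters used; the `.example` host names, Message-IDs and sizes are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data: (Message-ID, raw Path header, size in bytes).
# All host names are reserved ".example" placeholders, not hosts from the thread.
SAMPLE_ARTICLES = [
    ("<1@src>", "transit.example!relay.example!origin.example!src!not-for-mail", 32754),
    ("<2@src>", "transit.example!relay.example!origin.example!src!not-for-mail", 51310),
    # Path wrapped mid-name, the way long headers appear when pasted into a post.
    ("<3@src>", "reader.example!transit.example!relay.exa\n mple!origin.example!src!not-for-mail", 54033),
    ("<4@src>", "transit.example!relay.example!origin.example!src!not-for-mail", 36683),
    # Posted locally at relay.example: nothing to its right but the tail entry.
    ("<5@relay>", "transit.example!relay.example!not-for-mail", 2167),
    # Unrelated traffic that never touched either server.
    ("<6@other>", "transit.example!other.example!not-for-mail", 900),
]


def parse_path(raw):
    """Return the relays named in a Path header, most recent first."""
    # Drop all whitespace so folded or wrapped headers rejoin, then split on "!".
    elements = [e for e in "".join(raw.split()).split("!") if e]
    return elements[:-1]  # the final entry (e.g. "not-for-mail") is not a relay


def index_by_relay(articles):
    """Build relay -> {msgid: size} and relay -> {msgid: relay it came from}."""
    carried = defaultdict(dict)
    fed_by = defaultdict(dict)
    for msgid, raw_path, size in articles:
        relays = parse_path(raw_path)
        for i, relay in enumerate(relays):
            carried[relay][msgid] = size  # keyed by Message-ID, so duplicates count once
            # The element to the right handed the article to this relay.
            fed_by[relay][msgid] = relays[i + 1] if i + 1 < len(relays) else None
    return carried, fed_by


def compare(articles, upstream, downstream):
    """Compare what two Path elements carried, as a per-element posting summary does."""
    carried, fed_by = index_by_relay(articles)
    up, down = carried.get(upstream, {}), carried.get(downstream, {})
    shared = up.keys() & down.keys()
    direct = [m for m in down if fed_by[downstream].get(m) == upstream]
    return {
        "upstream_count": len(up),
        "upstream_bytes": sum(up.values()),
        "downstream_count": len(down),
        "downstream_bytes": sum(down.values()),
        "shared": len(shared),
        "fed_directly": len(direct),  # downstream took these straight from upstream
        "only_downstream": sorted(down.keys() - up.keys()),
        "share_of_downstream": len(shared) / len(down) if down else 0.0,
    }


if __name__ == "__main__":
    result = compare(SAMPLE_ARTICLES, "origin.example", "relay.example")
    for key, value in result.items():
        print(f"{key}: {value}")
```

A `share_of_downstream` near 1.0 with a short `only_downstream` list means the downstream server is carrying almost nothing except what the upstream handed it.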

use...@newssource.hostcomm.net

Oct 12, 1998, 3:00:00 AM
to David Ritz
Interesting bit of information I have just learned and asked to join. I
have been contacted by someone regarding a suit pending against David
and Andrew regarding slander. I have been asked to join this suit but
have declined for now in hopes that these two and others will stop
slandering me and my company.

I will state again we are not part of empire or Middleton's operation of
spam. We are working with poshnet to solve their problem. If this
slander against us does not stop we will take further action.

Sean
Hostcomm News Admin.


.

use...@newssource.hostcomm.net

Oct 13, 1998, 3:00:00 AM
to David Ritz
First I would like to say thanks for not responding to my email and post.
Second I will give you an update on poshnet.

I have worked with them last night and talked to them this morn. They
have stopped all posting to their box for good. They will still allow
reading. They will not allow posting until they have their web interface
up and running. I have told them that after they notify me of this I will
notify everyone else but I will not propagate their news till I'm sure
they have solved their recent problems.

Sean


.

Cameron Kaiser

Oct 13, 1998, 3:00:00 AM
<use...@newssource.hostcomm.net> writes:

>Interesting bit of information I have just learned and asked to join. I
>have been contacted by someone regarding a suit pending against David
>and Andrew regarding slander. I have been asked to join this suit but
>have declined for now in hopes that these two and others will stop
>slandering me and my company.

If you want the slander to stop, then shut down the newsfeed.

>I will state again we are not part of empire or Middleton's operation of
>spam. We are working with poshnet to solve their problem. If this
>slander against us does not stop we will take further action.

If you're transporting their junk, you're guilty by association. "Further
action" -- are you going to complain to your mother?

Rebecca Ore

Oct 13, 1998, 3:00:00 AM
<use...@newssource.hostcomm.net> writes:


>
> Their server was closed till they thought they had spam filters working
> correctly this is true. After they thought they had it configured they
> opened it back up. It has proved they did not have it working and I have
> been working with them to fix this. I am the first to admit we are not
> seasoned news admins like some of you, but we are trying and learning, we
> would much rather have your help than just accuse us of producing this
> spam which we are not.

Symantec had a *real* problem with hijackers several weeks
ago. They asked for help. Help was given, freely. If you're
serious about shutting off your spammers, the feed could have
been cut in circa two days. Symantec's was.

I'm sure that if you really wanted to cut the spam flow, you'd
ask for help here instead of trying to hide a spamming
operation that's evident to about everyone else, including me.



> >
> > This server was opened in order to try and disguise the Empire2
> > operation. It is part of the same elaborate ruse. Rather than
> > making things better, it makes Hostcomm an even larger spam conduit
> > and a greater threat to Usenet.
>
> Also not what they are trying to do. As I have told you they are trying to
> build an open news server one that is better than deja news.

Dejanews is *not* an open news server in that way. It fights
spam rather than promotes it.

Reputable ISPs do get infected with spammers from time to
time. However, reputable ISPs *do something about it.* You
can filter, issue cancels, or drop all the posts on the floor.
Administrative cancels would look nice.

Since it hasn't been done after your songing and dancing, we
have to assume you are either so greedy you overlook real evidence
or are part of the Middleton game from the get go.

--
Rebecca Ore

Cameron Kaiser

Oct 13, 1998, 3:00:00 AM
Cameron Kaiser <cdka...@delete.these.four.words.concentric.net> writes:

>>Interesting bit of information I have just learned and asked to join. I
>>have been contacted by someone regarding a suit pending against David
>>and Andrew regarding slander. I have been asked to join this suit but

>If you want the slander to stop, then shut down the newsfeed.

>>I will state again we are not part of empire or Middleton's operation of
>>spam. We are working with poshnet to solve their problem. If this
>>slander against us does not stop we will take further action.

>If you're transporting their junk, you're guilty by association. "Further
>action" -- are you going to complain to your mother?

After conversing with David Ritz, I'd like to retract this post and replace
it with this (except that DtR would snatch the Supersede): it's not merely
guilty by association. David has demonstrated very conclusively that it's
through and through an outright connection between the organizations, not just
a simple newsfeed carry. So it's not slander, it's a fact. He also sent me
a clip about the aforementioned "further action".

Sorry about that, David.

Sam

Oct 13, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

In article <propigation.helper.Pine.LNX.3...@newssource.hostcomm.net>,
<use...@newssource.hostcomm.net> wrote:

>Interesting bit of information I have just learned and asked to join. I
>have been contacted by someone regarding a suit pending against David
>and Andrew regarding slander. I have been asked to join this suit but
>have declined for now in hopes that these two and others will stop
>slandering me and my company.

That drivel right then and there is a tip off that you are an unrepentant
spambag.

>I will state again we are not part of empire or Middleton's operation of

Yes you are. This bullshit of yours proves it.

>spam. We are working with poshnet to solve their problem. If this

No you're not. This little slip up of yours blew your cover. You're a
spambag who's trying to sweet talk everyone into keeping his connectivity
for as long as possible.

>slander against us does not stop we will take further action.
>
>Sean

Free clue, "Sean": when someone in this situation starts complaining
about "slander" -- (and, by the way, you have no fucking idea what slander
even means) -- that's the tip off.

Free clue #2, "Sean": it is physically impossible to "slander" anyone on
Usenet, or in E-mail. Take all your claims of "slander", roll them up into
a tight ball, and shove them up your asshole as far as they go.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: http://www.geocities.com/SiliconValley/Peaks/5799/ for public key.

-----END PGP SIGNATURE-----

Doug Mackall

Oct 13, 1998, 3:00:00 AM
In article <Pine.LNX.3.96.981013102809.4532A-
100...@newssource.hostcomm.net>, use...@newssource.hostcomm.net says...

Mm hm.
Whatever you say slick.

I see telstra turned you back on last night.
I guess they believed all that crap about poshnet.

X-Cancelled-By: and...@erlenstar.demon.co.uk
X-No-Archive: yes
X-Original-Path:
...!204.127.161.3.MISMATCH!wn3feed!worldnet.att.net!205.252.116.205!howla
nd.erols.net!worldfeed.news.gte.net!intgwlon.nntp.telstra.net!newssource.
hostcomm.net!newsfeed.poshnet.com!uselink.net!not-for-mail
X-Original-From: "pjf" <p...@execulink.net>
X-Original-NNTP-Posting-Host: 208.252.138.223
X-Original-Subject: dog west hon
X-Original-Date: 13 Oct 1998 05:05:47 GMT
X-Cancel-ID: WS,"%*W`36&XBMZB@93;/0]C,D3=\'V1Z+H.TK'$"VT_DV)T#2"MP1C


And lest anyone think that this article originated at uselink, here's one
fresh off of poshnet:

X-Cancelled-By: spam...@pacbell.net
X-Original-Subject: 1000 orientals sweet girls!!!! they will jork you off
- 21.htm (1/1)
X-Original-NNTP-Posting-Host: 12.66.120.17
X-Original-Path: newsfeed.poshnet.com!uselink.net!not-for-mail
X-Original-From: lkvn...@toocan.edu
X-Original-Date: 12 Oct 1998 20:10:37 GMT
X-Cancel-ID: SHG9QY"C`#@.>30VEJEOD_ZY"??`TS!H/JED9L;9G\,NZ3DG\`-@F&[9


Once again we have forgeries of uselink.net being posted to poshnet.
Does the new web based reader (read only, of course) allow path
preloading on the posts that can't be made to poshnet?
Or is there another explanation?

Aquiring mines and want to know.

Doug Mackall

Oct 13, 1998, 3:00:00 AM
In article <MPG.108d94145...@enews.newsguy.com>,
spam...@pacbell.net says...

>In article <Pine.LNX.3.96.981013102809.4532A-
>100...@newssource.hostcomm.net>, use...@newssource.hostcomm.net says...
>>First I would like to say thanks for not responding to my email and post.
>>Second I will give you an update on poshnet.
>>
>>I have worked with them last night and talked to them this morn. They
>>have stopped all posting to their box for good. They will still allow
>>reading. They will not allow posting until they have their web interface
>>up and running. I have told them that after they notify me of this I will
>>notify everyone else but I will not propagate their news till I'm sure
>>they have solved their recent problems.
>
>Mm hm.
>Whatever you say slick.

In all fairness I have to qualify my remarks in the previous post after a
little more digging.
newsfeed.poshnet.com is indeed read only, and I've been unable to locate
anything posted there after this afternoon (~18:00 GMT).

David Ritz

Oct 13, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 13 Oct 1998, Doug Mackall wrote:

: In article <MPG.108d94145...@enews.newsguy.com>,
: spam...@pacbell.net says...
: >In article <Pine.LNX.3.96.981013102809.4532A-
: >100...@newssource.hostcomm.net>, use...@newssource.hostcomm.net says...
: >>First I would like to say thanks for not responding to my email and post.
: >>Second I will give you an update on poshnet.
: >>
: >>I have worked with them last night and talked to them this morn. They
: >>have stopped all posting to their box for good. They will still allow
: >>reading. They will not allow posting until they have their web interface
: >>up and running. I have told them that after they notify me of this I will
: >>notify everyone else but I will not propagate their news till I'm sure
: >>they have solved their recent problems.
: >
: >Mm hm.
: >Whatever you say slick.
:
: In all fairness I have to qualify my remarks in the previous post after a
: little more digging.
: newsfeed.poshnet.com is indeed read only, and I've been unable to locate
: anything posted there after this afternoon (~18:00 GMT).

Nothing has been _posted_ to Poshnet in a couple of days, including
the articles you're referring to. I don't show much of anything
being _posted_ to Poshnet, since 1998.10.07.

What was being _posted_ to Poshnet is small potatoes, even when it
was a wide open spam-box, when compared to the rogue Empire2
_newsfeed_ they're accepting. In turn, Poshnet is _feeding_ the
same binary EMP through Hostcomm. There aren't any POST commands
taking place at Poshnet and there are damned few taking place at
Hostcomm.

With today's flurry of activity, about two thousand items, I
could only find four articles which were fed from Hostcomm, which
had not come from Poshnet. All four articles are from "Sean
Morrow", which miraculously managed to make it past the Hostcomm
propagation blockade, albeit with a significant helping hand.

<hint>
Check your headers.
</hint>

Oh, I've managed to find a few hundred items, _posted_ after ~18:00
GMT. They weren't _posted_ to Poshnet, though. They were posted
to the rogue Empire2 box, which most will remember its identifying
itself as a "uselink.net" forgery, stamped into the Paths of
Gigabytes of binary spam. The last time I looked, however, it was
identifying itself simply as "bbd" or "gts!bdb" .

======================================================================
Path: newstank.sol.net!204.127.161.3.MISMATCH!wn3feed!worldnet.att.n
et!205.252.116.205!howland.erols.net!news-feed.inet.tele.dk!bofh.vsz
br.cz!intgwlon.nntp.telstra.net!newssource.hostcomm.net!newsfeed.pos
hnet.com!bbd!not-for-mail
From: motel...@noreply.edu
Newsgroups: alt.binaries.pictures.erotica.gaymen
Subject: FREE HOMEMADE TEEN VHS VIDEO PREVIEWS -- PICS AND MPEGS 972
07
Date: 13 Oct 1998 22:10:22 GMT
Lines: 44
Message-ID: <700jgp$nq$11131@bbd>
NNTP-Posting-Host: 12.78.194.44
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_908316615-5222-
576"

[snip binaries]

_______________________________________________________________
Path: newstank.sol.net!newspump.sol.net!howland.erols.net!worldfeed.
news.gte.net!intgwlon.nntp.telstra.net!newssource.hostcomm.net!newsf
eed.poshnet.com!bbd!not-for-mail
From: rocke...@earthlink.org (Rocker)
Newsgroups: alt.binaries.pictures.erotica.fetish.latex
Subject: Nice pixYs - cute222.jpg(1/1) 44050 bytes
Date: 13 Oct 1998 22:10:22 GMT
Lines: 44
Message-ID: <700jik$nq$9507@bbd>
NNTP-Posting-Host: 208.229.4.15
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_908316615-5222-
573"

[snip binaries]

_______________________________________________________________
Path: newstank.sol.net!204.127.161.3.MISMATCH!wn3feed!worldnet.att.n
et!205.252.116.205!howland.erols.net!worldfeed.news.gte.net!intgwlon
.nntp.telstra.net!newssource.hostcomm.net!newsfeed.poshnet.com!bbd!n
ot-for-mail
From: black...@die.org (BlAcKdEaTh)
Newsgroups: alt.binaries.pictures.erotica.tasteless
Subject: Nice pixYs - chao1615.jpg(1/1) 114443 bytes
Date: 13 Oct 1998 22:10:25 GMT
Lines: 39
Message-ID: <700jih$nq$36582@bbd>
NNTP-Posting-Host: 198.246.246.2
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_908316616-5222-
601"

[snip binaries]
======================================================================

All of these items continue to spam 123adult.com. All of these
items use NPH's, From and Subject lines "borrowed" from other
posts to Usenet.

In order for the NPH's to be forged, in this manner, the unnamed
Empire2 server *must* be able to _feed_ news to Poshnet, rather
than POST it.

OR

Empire2-spambox TAKETHIS => Poshnet => TAKETHIS => Hostnet TAKETHIS
=> anyone, anywhere, anytime a gap opens in the blockade.

======================================================================
Posting summary for Path element newssource.hostcomm.net (1998.10.13)

1: 4041 1.0000 <usenet@newssource.h newssource.hostcomm.
news.admin.net-abuse Re: EMP - BI>28200 - Mon, 12 Oct 1998 16:
2: 17954 1.0000 <usenet@newssource.h newssource.hostcomm.
news.admin.net-abuse Re: EMP - BI>28200 - Mon, 12 Oct 1998 14:
3: 2167 1.0000 <usenet@newssource.h newssource.hostcomm.
news.admin.net-abuse Re: EMP - BI>28200 - Mon, 12 Oct 1998 16:
4: 2181 1.0000 <usenet@newssource.h newssource.hostcomm.
news.admin.net-abuse Re: EMP - BI>28200 - Tue, 13 Oct 1998 10:
5: 63624 1.0000 scu...@hotmail.edu 212.212.95.38
alt.binaries.picture Portland, Oregon SWM 12 Oct 1998 22:10:35
<...>
1992: 70226 1.0000 newssource.hostcomm.net
1993: 151569 1.0000 newssource.hostcomm.net
1994: 131965 1.0000 newssource.hostcomm.net
1995: 33510 1.0000 newssource.hostcomm.net
1996: 801 1.0000 newssource.hostcomm.net
TOTALS ------- -------
1996: 111090482 1996.0000

======================================================================
Posting summary for Path element newsfeed.poshnet.com (1998.10.13)

1: 63624 1.0000 scu...@hotmail.edu 212.212.95.38
alt.binaries.picture Portland, Oregon SWM 12 Oct 1998 22:10:35
2: 100495 1.0000 Laura <La...@lled.if 199.82.60.63
alt.binaries.picture ABPES-Repost-(Drawin 12 Oct 1998 22:10:57
3: 87180 1.0000 horny...@home.edu 204.210.34.155
alt.binaries.picture MAW/teacher 12 Oct 1998 22:11:11
4: 23217 1.0000 "The Nelm$ter" <j-bn 12.69.34.117
alt.sex.exhibitionis Reposts - blkgl028.j 12 Oct 1998 22:11:32
5: 140379 1.0000 xi...@hotmail.edu 12.67.3.240
alt.binaries.picture FREE HOT PHONE SEX / 12 Oct 1998 22:10:41
<...>
1988: 70226 1.0000 newsfeed.poshnet.com
1989: 151569 1.0000 newsfeed.poshnet.com
1990: 131965 1.0000 newsfeed.poshnet.com
1991: 33510 1.0000 newsfeed.poshnet.com
1992: 801 1.0000 newsfeed.poshnet.com
TOTALS ------- -------
1992: 111064139 1992.0000

======================================================================

Oh, yes, it certainly looks like everything is on the up and up,
doesn't it?

--
David Ritz <dr...@primenet.com> Finger for PGP Public Keys
Fight against spam & spammers. http://spam.abuse.net
Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
** Be kind to animals. - Kiss a shark. **


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
Comment: Finger:dr...@primenet.com for Public Keys

iQCVAwUBNiQ/otzLrWGabIhRAQGSLgP8CUBGeqxMqvq+veeQynHbFUXnwIeMJUhu
7O+lVgZ9MyIzPLW+s+xEEnf89rTTCLpSkiKcJBxhWWjVMPLc410PEIiCxLMwqkiJ
dFtlhv/5hHJUzBoaPmjz2SKqpbH5DMPKlxW3FETus7uqnaCrnbcwqa/UfZqAFLk8
g5UVGnH/qtc=
=nYIo
-----END PGP SIGNATURE-----
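The Path comparison behind the posting summaries in the post above can be reproduced from raw article headers. The following Python is an added example, not part of the original post: the sample articles are constructed, and the function and field names are this example's own.

```python
from collections import Counter

UPSTREAM = "newssource.hostcomm.net"    # site whose outbound traffic is examined
DOWNSTREAM = "newsfeed.poshnet.com"     # site suspected of supplying it

# Constructed sample headers modeled on those quoted in the post. The two site
# names, news.pdxfiber.net and "bbd" come from the thread; every other host,
# address (RFC 5737 ranges) and Message-ID is made up for this example.
RAW_ARTICLES = [
    "Path: news.example.net!newssource.hostcomm.net!newsfeed.poshnet.com!bbd!not-for-mail\n"
    "Message-ID: <c1$nq$1@bbd>\nNNTP-Posting-Host: 192.0.2.15\n",
    # Folded Path header: the continuation line starts with whitespace.
    "Path: news.example.net!newssource.hostcomm.net!\n"
    " newsfeed.poshnet.com!bbd!not-for-mail\n"
    "Message-ID: <c2$nq$2@bbd>\nNNTP-Posting-Host: 198.51.100.2\n",
    "Path: feeder.example.org!newssource.hostcomm.net!newsfeed.poshnet.com!bbd!not-for-mail\n"
    "Message-ID: <c3$nq$3@bbd>\nNNTP-Posting-Host: 203.0.113.77\n",
    # Posted locally at the upstream: nothing to its right but the tail.
    "Path: news.example.net!news.pdxfiber.net!newssource.hostcomm.net!not-for-mail\n"
    "Message-ID: <c4@upstream.example>\nNNTP-Posting-Host: 192.0.2.200\n",
    # Two articles that never touched either site.
    "Path: news.example.net!feeder.example.org!not-for-mail\n"
    "Message-ID: <c5@feeder.example.org>\nNNTP-Posting-Host: 192.0.2.9\n",
    "Path: news.example.net!other.example.com!not-for-mail\n"
    "Message-ID: <c6@other.example.com>\nNNTP-Posting-Host: 192.0.2.10\n",
]


def parse_headers(raw):
    """Return {lower-case header name: value}, unfolding continuation lines."""
    headers, last = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the headers
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()     # folded continuation
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers


def path_hops(headers):
    """Path elements, most recent relay first, without a 'not-for-mail' tail."""
    hops = [h.strip() for h in headers.get("path", "").split("!") if h.strip()]
    if hops and hops[-1] == "not-for-mail":
        hops.pop()
    return hops


def feed_profile(raw_articles, upstream, downstream):
    """Measure how much of `upstream`'s traffic was handed to it by `downstream`.

    An element to the right of `downstream` means the article reached it
    already carrying a Path, i.e. it was relayed there, not posted there.
    """
    total = via_up = via_pair = 0
    entered_from = Counter()    # element that handed the article to downstream
    posting_hosts = set()       # NNTP-Posting-Host values those articles claim
    for raw in raw_articles:
        headers = parse_headers(raw)
        hops = path_hops(headers)
        total += 1
        if upstream not in hops:
            continue
        via_up += 1
        i = hops.index(upstream)
        if hops[i + 1:i + 2] != [downstream]:
            continue                                # upstream got it elsewhere
        via_pair += 1
        rest = hops[i + 2:]
        entered_from[rest[0] if rest else "(local post)"] += 1
        if "nntp-posting-host" in headers:
            posting_hosts.add(headers["nntp-posting-host"])

    def pct(part, whole):
        return round(100.0 * part / whole, 2) if whole else 0.0

    return {
        "total": total,
        "via_upstream": via_up,
        "via_pair": via_pair,
        "pct_of_all": pct(via_pair, total),
        "pct_of_upstream": pct(via_pair, via_up),
        "entered_from": dict(entered_from),
        "posting_hosts": len(posting_hosts),
        # True when every downstream article arrived there from another element
        "all_relayed": via_pair > 0 and "(local post)" not in entered_from,
    }


if __name__ == "__main__":
    for key, value in feed_profile(RAW_ARTICLES, UPSTREAM, DOWNSTREAM).items():
        print(f"{key:16} {value}")
```

A single entry element on every downstream article, paired with many different claimed NNTP-Posting-Host values, is the pattern the post attributes to articles that were fed rather than POSTed.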


Holmey

Oct 13, 1998, 3:00:00 AM


>I am not lying, I would like to see those other two sources yours is
>was ONLY one I have received until this started then I have received more
>from you and andrew, just threats from Rick.

My original complaint to hostcomm was on Oct 1st,
Date: Thu, 01 Oct 1998 20:35:56 GMT, addressed to postmaster, with the subject
"Usenet Spam". I would assume this is around the date that Dave also started
complaining. No auto-reply or anything. Comments????

Holmey



Sean

Oct 14, 1998, 3:00:00 AM
to David Ritz
That is impossible. I have turned off their posting ability; the only thing that
can be done is reading on that box. The only other feed that they have is from
Pacifier.com. I have gone through every one of their configs, they have nothing
else. Am I missing something???

Sean

P.S. Why did you put a stop on my box from sending news?? And what's wrong with me
being able to post to this news group to fix this problem?

Lysander Spooner

Oct 14, 1998, 3:00:00 AM
On Wed, 14 Oct 1998 09:45:23 -0700, Sean <use...@hostcomm.net> wrote:

>That is impossible. I have turned off their posting ability; the only thing that
>can be done is reading on that box. The only other feed that they have is from
>Pacifier.com. I have gone through every one of their configs, they have nothing
>else. Am I missing something???

Yes. The brains god gave the average turnip.

Your headers:

>Path: ...news.maxwell.syr.edu!newsfeed1.earthlink.net!news.pdxfiber.net!newssource.hostcomm.net!not-for-mail
>From: Sean <use...@hostcomm.net>
>Newsgroups: news.admin.net-abuse.usenet
>Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed through newsfeed.poshnet.com [2]
>Date: Wed, 14 Oct 1998 09:45:23 -0700
>Organization: HostComm
>Message-ID: <3624D523...@hostcomm.net>
>Reply-To: use...@hostcomm.net
>NNTP-Posting-Host: 206.58.218.110

Okay everybody, fire up a web-browser and connect to that address...

(ie: http://206.58.218.110/)

See? Case closed.

Sean, you are too fucking stupid to live.

-- Rick
-----------
** Now GO AWAY! **

Sean

Oct 14, 1998, 3:00:00 AM
to David Ritz
Again I will reply by Item....

David Ritz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Mon, 12 Oct 1998 use...@newssource.hostcomm.net wrote:
>
> : All concerned,


> :
> : I will reply by item........
>

> Let 'er rip!
>

I have been very nice in my responses and I'm getting very sick of your rude bullshit.

> : On Fri, 9 Oct 1998, David Ritz wrote:
> :


> : > On Thu, 8 Oct 1998, Sean wrote:
> : >
> : > : David and all concerned,
> : > :
> : > : We have spoken with Poshnet and they promised us this spam problem
> : > : will stop. We have given them 2 weeks to fix their problems or we
> : > : will cut their news feed (as required by the contract we have with
> : > : them).
> : >
> : > If this "contract" was written under fraudulent pretenses, it is
> : > null and void already. Contact your attorney and cut this feed
> : > immediately
> : >
> : > If its too much to ask you to cut the feed, just route the spam to
> : > /dev/null. This should not be a problem, as better than 99.9995%
> : > of all packets being fed through you from Poshnet is spam.
> : >
> : > : From what they have told me and what I have seen their box
> : > : is totally open to the world and they are working very hard on
> : > : getting their spam filters working correctly.
> : >
> : > This has nothing to do with filters. Poshnet is the source of the
> : > spam. They are lying to you, in order to stall and gain
> : > additional time to continue this assault on Usenet.
> :
> : This is not what they are doing, we have been working with them to end
> : this problem. That is why root access to both machines.
>

> Why, pray tell, would the downstream need root access to their
> upstream, in attempting to fix that downstream server? Better
> yet, why would that same downstream need root access to Hostcomm's
> upstream, PDXFiber.net?
>

First, like I have said, they gave me root access to their box so I could try to help them. About PDXFiber.net, this is none of your business but I will "explain" anyway. They have had many problems with their news box dying for no apparent reason; we were working with them also to help them, after all they are my upstream.

> Puleez!
>
> ITS NOT ABOUT FILTERS.
>
> ITS ABOUT ACCEPTING AND PROPAGATING A ROGUE NEWSFEED.
>
> Is there something _I'm_ missing, here?
>

They only have two news feeds... Me and Pacifier. So yes I'm rather concerned where that shit was coming from knowing what connections they have.

> : >
> : > They lied to me, after I filed my initial report over a week ago,


> : > when they claimed they knew nothing about the mystery peer they
> : > say doesn't exist. This lie was good enough to hold me back from
> : > going to the upstreams and requesting that newsfeeds be whacked,
> : > through this past weekend.
> : >
> : > No response, no change in status and I went to your newsfeeds.
> :
> : They did respond to you, I have seen the email from them to you.
>

> Poshnet did respond, once, on 02 Oct 1998. I not only mentioned
> it, I posted that response in the report of Tue, 6 Oct 1998
> 11:02:46 -0700, which was the beginning of this particular thread.
> Hostcomm, Poshnet and even the slime at Empire2 received that
> report by email. I should hope "Sean" saw that message. I sent
> it to him.
>
> It was Hostcomm which had not responded and it was Hostcomm's
> upstreams I contacted. Only then did I begin to hear "Sean"
> whining and making excuses, rather than taking action.
>
>

I did not respond??? It seems to me I have been responding to everything you have been saying. Excuse me for not responding on Friday, it was my wife's birthday so I was not here.

> : > Only after I'd taken that step, did you finally notice I mean


> : > business, quite literally. Then you lied to me, when you said,
> : > my second report, including my analysis which I continue to stand
> : > by, was the only "complaint" you'd received. I now have
> : > confirmation from at least two other sources, that when you made
> : > that statement, it was not true.
> : >
> : > Why are you lying to me, if you have nothing to hide?
> :
> : I am not lying, I would like to see those other two sources yours is
> : was ONLY one I have received until this started then I have received more
> : from you and andrew, just threats from Rick.
>

> Let's assume for a moment, that neither of my sources had contacted
> Hostcomm. Even so, I had contacted Hostcomm on Thu, 1 Oct 1998
> 19:07:29 -0700 and Tue, 6 Oct 1998 11:02:46 -0700. I do not care
> how you slice it, 2 != 1, in this reality.
>
> This may not be an outright lie. It is, at the very least a
> significant distortion of the truth.
>

Then show me the two others. It seems you're the one distorting the truth.

> : > : They have also told


> : > : me they will "close" the doors to their box if they can not get this
> : > : problem solved, until they have this fixed.
> : >
> : > They are in complete control of their server. This server was
> : > closed, when I first detected it. It was secure throughout the
> : > weekend. Now its opened and being heavily abused by the usual
> : > open-port rapists. Would you like to take credit for this
> : > additional spew passing through your server? If not, shut down
> : > this spam-feed from a rogue operation, now.
> :
> : Their server was closed till they thought they had spam filters working
> : correctly this is true. After they thought they had it configured they
> : opened it back up. It has proved they did not have it working and I have
> : been working with them to fix this. I am the first to admit we are not
> : seasoned news admins like some of you, but we are trying and learning, we
> : would much rather have your help then just accuse us of producing this
> : spam which we are not.
>

> This server was closed, until Poshnet realized they'd been outed. Then
> the flood-gates opened, in a futile attempt to "disguise" the rogue
> newsfeed Poshnet and Hostcomm _are_ propagating.
>

Again only what you wish to believe. I have tried to tell you everything that has been going on. You wish not to believe anything except what you wish to believe. So be it. I have done everything I have said I would.

> I certainly don't recall suggesting that Hostcomm is the source of
> either the open-port rapist floods or the Empire2 binary EMP.
> Instead, I have stated quite emphatically, Hostcomm is propagating
> both. Therein lies the, as yet, unaddressed problem.
>
> The only items being propagated _from_ Hostcomm, are what they
> accept and propagate from Poshnet. Now that Poshnet is no longer
> open to POST, the only items being propagated through both Poshnet
> and Hostcomm is EMP binary spam, from the unnamed Empire2 fraud,
> spam and forgery box, which keeps trying to change its identity,
> without anyone noticing.
>
> I'm not an admin. I'm just your average, every day, run of the
> mill user, with a couple of clues. I've tried to pass some of
> those clues along to Hostcomm and Poshnet, but the message just
> isn't getting through. This is why the big LART began to appear.
>
>

You have tried to pass nothing along. Everything I have received from you has not been actual help. Maybe a bit of instruction on how to do something would have been better?? What do ya think??

> All Poshnet and Hostcomm propagate is spam.
>
> Spam is bad. Propagating spam is bad. Do not propagate spam.
>
> Now, I'm going to attempt to spell it out, even more clearly for
> "Sean", in an attempt to give him the help he has requested.
>
> Poshnet is accepting a rogue NEWSFEED from an unnamed, unidentified
> server, in Empire2 cyber-turf.
>
> Poshnet has been asked to cut this rogue Empire2 NEWSFEED.
> Poshnet has failed to take any apparent action to cut this rogue
> NEWSFEED. This is a rogue action, in itself.
>
> Hostcomm is accepting that rogue Empire2 NEWSFEED from Poshnet,
> which is acting in the most irresponsible manner possible.
> Hostcomm has been asked to cut the Poshnet NEWSFEED, as they are
> passing the full binary EMP feed, from the rogue Empire2 newsbox,
> to Hostcomm.
>
> Hostcomm has failed at every opportunity to act responsibly, in
> this matter. Hostcomm is attempting to propagate that rogue
> NEWSFEED and NOTHING ELSE to the Usenet community.
>

We have not failed. We have tried to work with our customer. We need our customers to pay our bills, therefore we have to be willing to work with them, help them and solve their problems. We have done that like we said we would. THE SPAM HAS STOPPED HASN'T IT?????

> Hostcomm has been made painfully aware that the Usenet community
> finds this abuse, untenable. Every one of Hostcomm's upstream
> cut their outbound feed, in order to prevent the rogue Empire2
> NEWSFEED from propagating.
>
> This is a simple act of self defense, necessitated by an outright
> refusal to act as a responsible member of the community.
>
> : > This server was opened in order to try and disguise the Empire2


> : > operation. It is part of the same elaborate ruse. Rather than
> : > making things better, it makes Hostcomm an even larger spam conduit
> : > and a greater threat to Usenet.
> :
> : Also not what they are trying to do. As I have told you they are trying to
> : build an open news server one that is better than deja news.
>

> Deja News does not and never has run an open NNTP server. They
> operate a highly successful WWW-to-News interface.
>
> One cannot hookup a news client to Deja News. One cannot POST
> directly to their server. One can most certainly not propagate a
> newsfeed through the Deja News servers, without _somebody_
> noticing it, as Deja News has no downstream feeds.
>
> Everything which emanates from Deja News, comes through that web
> interface. There's no way, I'm aware of, to get around it.
> Requiring all posts to go through this interface, makes it very
> difficult and horrendously time consuming, to post EMP spam there.
> One cannot post _any_ binaries through Deja News, with good
> reason.
>
> Additionally, Deja News does run some fairly aggressive spam
> filtering. More importantly, they have a tough AUP (Acceptable
> Use Policy), which they enforce firmly and unhesitatingly, when
> there are direct violations of that policy.
>
> Guess what? Deja News does not allow EMP spamming.
>

They admit what they did was stupid. They had no idea anyone would even know it was open at first. After they realized that people were using it and spamming on it they shut that down, installed some filters and reopened it. It still didn't work so they shut it down. People make mistakes and learn from them, and as long as my customers are willing to let me help them I'm willing to give them the benefit of the doubt. Take a lesson from that.

> While exploring both Poshnet and Hostcomm for non-existent phone
> numbers, I was unable to unearth any use policy statement.
>

About the phone numbers, every one of my upstreams that has requested my phone number, I have given it to them. Why anyone would want to post a phone number on the net is beyond me. I do not believe in it and I will not do it. I'm very easy to reach by email as you have seen and I always respond.

> : > Poshnet is accepting a newsfeed from this unnamed Empire2 server,


> : > the identity of which continues to morph and will continue to do
> : > so until it is closed down. Not one article coming from this
> : > Empire2 box has been POSTed to Poshnet. These are arriving
> : > TAKETHIS or IHAVE.
> :
> : Honestly I don't know about this and I really don't know how to check
> : this. Again help would be appreciated.
>

> For "Sean's" benefit, I'll run it again.
>
> This is a rogue NEWSFEED. Details such as the forged
> NNTP-Posting-Hosts, are trademarks of the Empire2 operation.
>
> It is virtually impossible to forge these NPHs, using the NNTP
> POST command, through a legitimate box running INN 1.7.2, as the
> NPH would be stamped by the machine receiving the article.
>
> When using some other NNTP command, normally used when one server
> negotiates with another, there is just about no information which
> cannot be falsified. These are the commands being used to move
> articles from the rogue Empire2 news box, to the apparently rogue
> Poshnet machine. This is a rogue NEWSFEED.
>
> These same NNTP commands are used to move news from Poshnet to
> Hostcomm and from Hostcomm to its upstreams, should they accept
> these packets. The commands are called IHAVE, to offer an
> article which may not already be present, and TAKETHIS, to send an
> article, regardless, even if it is later rejected as a duplicate.
>
> : > newsfeed.poshnet.com is not open to TAKETHIS or IHAVE. I checked


> : > and invite you to do the same.
>

Does this tell me how to do it? NO it does not. Honestly before this problem I have never even had a desire to post news. I only read the admin stuff trying to learn about this.

> : >
> : > : About our "New" feeds, they are not new, we have had those feeds as


> : > : long as the others. Why you just now see that is beyond me. If we
> : > : are under such a microscope you should have known all the feeds we
> : > : have.
> : >
> : > The point is, I have noticed them and I will continue to request
> : > that they drop your feed, so long as Hostcomm continues to be the
> : > route this spew is taking to the news stream.
> :
> : We are not the route, we are trying to end this problem.
>

> I'm sorry, this just doesn't make any sense to me, at all.
>

Sorry, wrong wording. My fault. I do understand we were the route of the spam.

> It looks like "Sean" is saying, that several Gigabytes of
> Empire2's binary EMP did not transit through Hostcomm; that
> Hostcomm is not the conduit, whereby this flood reaches the
> news-backbone.
>
> Am I confused, here, or is that what "Sean" would really have us
> to believe?
>
> If the only current route this rogue Empire2 feed has to daylight
> is through Poshnet AND if Hostcomm is the only route to the
> news-backbone from Poshnet, how is it possible for the Empire2 EMP
> to reach the news stream, without passing through Hostcomm?
>
> Did it pass through another dimension, when I wasn't looking? Has
> Poshnet suddenly found another *route*, which is capable of
> forging Hostcomm's identity, to the extent where packets coming
> from this phantom are just as blocked, at the IP level, as poor,
> maligned Hostcomm?
>
> I can only leave that to those with far greater imagination than I
> possess.
>
> : > : I will say this again, we do not spam, we are NOT the originators of


> : > : this spam nor are we affiliated with Mr. Middleton or anything he
> : > : may be doing.
> : >
> : > Good. Now stop the flood and we can all go home. Until this
> : > happens, you are very much a part of the problem.
> : >
> : > While the folks at Poshnet may have total dominion over their box,
> : > you, too, are in control of what happens on your box, including
> : > the propagation of high volume EMP to Usenet. You may not be the
> : > source of it, but you damn well are responsible for it, as it
> : > leaves your news box.
> : >
> : > [snip Rick's "worst cop" rant]
> : >
> : > Please keep in mind, several of us have been dealing with the
> : > Middleton, (spam)Empire2 abuse for well over a year. We do tend
> : > to lose patience, quickly, when so much effort is put toward
> : > resisting motion along the learning curve.
> :
> : We are not resisting nor are we against learning. We are trying here. As I
> : have said before I do not know who Middleton is or what he did to you
> : before but it has nothing to do with us.
>

> I don't quite see it this way. Not one byte of EMP from this
> unnamed, rogue Empire2 server has made it to the news stream,
> without transiting newsfeed.poshnet.com. Not one byte of the same
> binary EMP has made it to the news stream without taking a ROUTE
> through newssource.hostcomm.net.
>
> If Poshnet is trying to help solve this problem, they would have
> dropped the Empire2 feed, as soon as they were made aware of it.
> Instead, they feed this cock and bull story, about a WWW-to-News
> interface, which requires a wide open NNTP server (!?!?!).
>
>

Like I said the ONLY feeds they have is one from me and one from pacifier.com.

> (From this point on, very little new information has been added.
> I sense some BIG chomps, coming up.)
>
> [snip]
> : > You know, I find it extremely interesting, that you should end your


> : > quote-back here. You managed to delete the strongest evidence to
> : > date, that Hostcomm is part and parcel of this scam. You cut out
> : > the part which showed that the article counts, byte counts and BI
> : > for all articles received from Hostcomm were identical to those
> : > received from Poshnet.
> :
> : I ended it because last time I included everything in my reply I was told
> : that was not acceptable. As you can see I'm including everything.
>

> It was _what_ was omitted, which was in question. The material
> which was deleted indicated not one byte of data coming from
> Hostcomm, had not come from Poshnet. To have this happening over
> several days, is a little difficult to write off to chance.
>
> {{{{{chomp}}}}}
>
> I can get away with it. Its my damning evidence, which I've now
> presented several times, as well as noting, above.
>
>

As if I knew removing some stuff from your post would constitute me omitting evidence. I just didn't want to get reamed again for including a ton of stuff in the message.

> : > Now, just in case anyone missed that, for roughly a thirty-six (36)


> : > hour period, the output of Poshnet is byte-for-byte identical to
> : > that of the rogue Poshnet operation.
> : >
> : > Now that Andrew Gierth has presented credible and convincing
> : > evidence that someone at Empire2 has root access to Poshnet.com,
> : > there is no excuse for failing to terminate this feed immediately
> : > and without notice. Failing this, the only conclusion I can draw
> : > is that Hostcomm is part of this elaborate spam operation.
> : >
> : As I said, this ip range we were told we could use. We were told it was
> : unused and available. We have stopped using it.
>

> Here's another item, which is more than a little difficult to
> comprehend.
>
> It appears "Sean" is saying, "someone" told him to connect to an
> IP address within a rogue Empire2 net-block, so he could
> connect to his downstream, Poshnet, with root access, from which
> he could access his own news box. I believe all that information
> is covered pretty well, in the "Link between poshnet.com and
> Middleton/Empire Communications" thread.
>

Yes I will say again. We were told it was an unused range of ips. We used them for a couple of workstations, big deal. I don't know who had them before us or who will have them next. I needed a couple of ips and used them. I am no longer using them.


> Now, I know "Sean" is familiar with at least some of that thread,
> as I received the following from him, on Mon, 12 Oct 1998 14:09:57
> -0700 (PDT).
>
> - ---------- Begin forwarded message ----------
> Date: Mon, 12 Oct 1998 14:09:57 -0700 (PDT)
> From: news <ne...@newssource.hostcomm.net>
> To: ne...@is-europe.net
> cc: dr...@primenet.com, ad...@samson.enteract.com, ro...@enteract.com,

> ab...@is-europe.net, bri...@L3.net
> Subject: Re: Link between poshnet.com and Middleton/Empire Communications
> MIME-Version: 1.0
>
> All concerned,
>
> We gave access to poshnet and poshnet gave us access so we could work on
> this problem they are having with spam. The IP range that logged into
> poshnet was one we were told was unused and available so we used it.
>
> We are still working with poshnet to solve this problem and will continue
> to do so. I am getting very tired of David, Andrew and Rick calling me a
> liar when we are only trying to solve this problem and provide our clients
> with service.
>
> Sean
>
> On Fri, 9 Oct 1998, Kai Siering - IS Internet Services wrote:
>
> > Moin, David Ritz wrote:
> >
> > % : Hostcomm,
> > %
> > % You can remove Hostcomm from your notify list.
> > %
> > % Middleton/Empire2 == Poshnet == Hostcomm.
> > %
> > % : ----begin evidence----
> > % :
> > % : $ finger @poshnet.com
> > % : [poshnet.com]
> > % : Login Name Tty Idle Login Time Office Office Phone
> > % : root root *1 17 Sep 29 12:45
> > % : root root *p0 Oct 8 13:54 (206.58.218.52:0.0)
> > % :
> > % : So what we have here is someone logged in /as root/ on poshnet's
> > % : server, *from an Empire Communications address*.
> > % :
> > % : Note that "poshnet.com" is the same machine as "newsfeed.poshnet.com":
> > % :
> > % : $ finger @newsfeed.poshnet.com
> > % : [newsfeed.poshnet.com]
> > % : Login Name Tty Idle Login Time Office Office Phone
> > % : root root *1 1:08 Sep 29 12:45
> > % : root root *p0 23 Oct 8 14:37 (206.58.218.52:0.0)
> > % :
> > % : so the spammer has root access to the news server.
> > [...]
> > % => usr10# f @newssource.hostcomm.net
> > % => [newssource.hostcomm.net]
> > % => Login: root Name: root
> > % => Directory: /root Shell: /bin/bash
> > % => On since Wed Sep 30 18:09 (PDT) on tty1 17 hours 26 minutes idle
> > % => (messages off)
> > % => Last login Thu Oct 8 13:08 (PDT) on ttyp0 from newsfeed.poshnet.com
> > % => New mail received Tue Oct 6 21:17 1998 (PDT)
> > % => Unread since Mon Oct 5 15:34 1998 (PDT)
> > % => No Plan.
> > %
> > % Lookee here! Poshnet has root access to the Hostcomm news box.
> > %
> > % Poshnet == Hostcomm. Why am I not surprised?
> >
> > Intriguing. Since I could verify this myself ...
> >
> > wusel@rincewind:~ $ finger ro...@newssource.hostcomm.net
> > [newssource.hostcomm.net]
> > Login: root Name: root
> > Directory: /root Shell: /bin/bash
> > On since Wed Sep 30 18:09 (PDT) on tty1 20 hours 20 minutes idle
> > (messages off)
> > Last login Thu Oct 8 13:08 (PDT) on ttyp0 from newsfeed.poshnet.com
> > New mail received Tue Oct 6 21:17 1998 (PDT)
> > Unread since Mon Oct 5 15:34 1998 (PDT)
> > No Plan.
> >
> > ... and after a quick glance at the path statistics ...
> >
> > ne...@news-fra.maz.net:/var/lib/news $ gawk </var/log/news/path.log 'BEGIN {lines=0; lines2=0; lines3=0} {lines++} /newssource.hostcomm.net/{lines3++} /newssource.hostcomm.net!newsfeed.poshnet.com/{lines2++} END{printf("%ld : %ld : %ld ==> %5.2f / %5.2f\n", lines, lines3, lines2, lines2/lines*100, lines2/lines3*100)}'
> > 547736 : 3117 : 2927 ==> 0.53 / 93.90
> >
> > ... which yields to the conclusion that nearly 94% of all 3117 articles
> > which went through hostcomm before reaching us today (which is .5 percent
> > of the total amount of articles), also have been at poshnet first, we'll
> > alias out newssource.hostcomm.net for now.
> >
> > We'll reconsider this move as soon as we've found the time to update the
> > peering machines to current anti-spam software or if there will be a
> > reasonable explanation from hostcomm.net why their alleged customer is
> > actually having root access to their news machine. This fact somewhat voids
> > the explanations given before on this matter.
> >
> > Oct 9 20:42:00.165 - newssource.hostcomm.net <6vlkbv$lpp$52...@news.internetsat.com> 437 Unwanted site newssource.hostcomm.net in path
> > Oct 9 20:42:00.246 - newssource.hostcomm.net <6vljc2$hj$1...@bashir.ici.net> 437 Unwanted site newssource.hostcomm.net in path
> > Oct 9 20:42:04.145 - newssource.hostcomm.net <6vlkfu$psv$5...@camel19.mindspring.com> 437 Unwanted site newssource.hostcomm.net in path
> >
> > Regards,
> > kai (ne...@is-europe.net)
> >
> > --
> > Kai Siering, IS Internet Services GmbH & Co Harburger Schloßstraße 6-12
> > "You know that you don't know a language 21079 Hamburg, Germany
> > if, after ROT13, it still looks like Fon: +49 40 76629-1623
> > ROT13." -- Christian Wetzel in de.alt.arnooo Fax: +49 40 76629- 507
> >
>
> - ----------- End forwarded message -----------
>
> Is it just me, or does "Sean Morrow's" veracity take a dive, every
> time he sends a message?
>

I think not. I have stood by what I'm saying and I have done what I said I would do. If that is not truthful I don't know what is.

> " We gave access to poshnet and poshnet gave us access so we could work on
> " this problem they are having with spam. The IP range that logged into
> " poshnet was one we were told was unused and available so we used it.
>
> WHO told "them" to use an IP address in an Empire2 net-block, to
> reach their own machines? I'll bet it was the same fairy who told
> "them" to log onto Hostcomm's upstream, news.pdxfiber.net, to fix
> "spam filters" at the wide open and heavily abused
> newsfeed.poshnet.com.
>
> => usr10# f ro...@news.pdxfiber.net
> => [news.pdxfiber.net]
> => Login: root Name: root
> => Directory: /root Shell: /bin/bash
> => Last login Thu Oct 8 14:34 (PDT) on ttyp0 from newsfeed.poshnet.com
> => No mail. ^^^^^^^^^^^^^^^^^^^^
> => No Plan.
>
> => usr10# f ro...@newssource.hostcomm.net
> => [newssource.hostcomm.net]
> => Login: root Name: root
> => Directory: /root Shell: /bin/bash
> => On since Wed Sep 30 18:09 (PDT) on tty1 19 hours 18 minutes idle
> => (messages off)
> => Last login Thu Oct 8 13:08 (PDT) on ttyp0 from newsfeed.poshnet.com
> => New mail received Tue Oct 6 21:17 1998 (PDT) ^^^^^^^^^^^^^^^^^^^^
> => Unread since Mon Oct 5 15:34 1998 (PDT)
> => No Plan.
>
> => usr10# f ro...@newsfeed.poshnet.com
> => [newsfeed.poshnet.com]
> => Login: root Name: root
> => Directory: /root Shell: /bin/bash
> => On since Tue Sep 29 12:45 (PDT) on tty1 19 hours 31 minutes idle
> => (messages off)
> => Last login Thu Oct 8 14:37 (PDT) on ttyp0 from 206.58.218.52:0.0
> => No mail. ^^^^^^^^^^^^^
> => No Plan.
>
> |usr10# whois -h whois.arin.net 206.58.218.52
> |Structured Network Systems, Inc. (NETBLK-SNS-NET-5) SNS-NET-5
> | 206.58.0.0 - 206.58.255.255
> |Empire Communications (NETBLK-NET-EMPCOMM2) NET-EMPCOMM2
> | 206.58.218.0 - 206.58.218.127
>
> At other times, the root logon at PDXFiber came from that same IP address.
>
> =| usr10# f ro...@news.pdxfiber.net
> =| [news.pdxfiber.net]
> =| Login: root Name: root
> =| Directory: /root Shell: /bin/bash
> =| Last login Fri Oct 9 17:48 (PDT) on ttyp1 from 206.58.218.52
> =| No mail. ^^^^^^^^^^^^^
> =| No Plan.
>
> Most recently, that root logon has been coming from rob.empire2.com.
>
> =) usr10# f ro...@pdxfiber.net
> =) [pdxfiber.net]
> =) Login: root Name: root
> =) Directory: /root Shell: /bin/bash
> =) Last login Mon Oct 12 10:42 (PDT) on ttyp2 from rob.empire2.com:0.0
> =) Mail last read Fri Sep 4 10:30 1998 (PDT) ^^^^^^^^^^^^^^^
> =) No Plan.
>
> Now, however, PDXFiber.net, Hostcomm.net and Poshnet.com have all,
> miraculously, disabled their finger daemons, at about the same
> time. Somehow, I don't expect this to be a temporary glitch.
> Rather, it would appear that all three of the interconnected and
> intertwined sites are attempting to cover their collective butts.
>
>

Yes I have disabled the finger daemon and so had Poshnet. I don't know about PDX, I doubt they have, all I know is that they have been having a lot of problems with their news box. Why have I disabled it? Because I'm sick and tired of being accused of things at every turn. I told you we would fix the problem and we have. I told you we would help our client and that is exactly what we have done. Just because you don't like an ip range we used is no reason to accuse us of being the empire organization. I resent that very much.

> Backtracking, ever so slightly ...
>
> => usr10# f ro...@news.pdxfiber.net
> => [news.pdxfiber.net]
> => Login: root Name: root
> => Directory: /root Shell: /bin/bash
> => Last login Thu Oct 8 14:34 (PDT) on ttyp0 from newsfeed.poshnet.com
> => No mail. ^^^^^^^^^^^^^^^^^^^^
> => No Plan.
>
> Huh?!
>
> This looks like someone at Poshnet, two hops downstream, was logged
> onto news.pdxfiber.net, with full root access. *Blink* What can
> this possibly mean?
>
> Anybody care to guess?
>

Like I have said I was trying to help pdx with their news server at the same time I was helping poshnet.

> : > <aside>
> : > You know, I haven't seen anything quite this complex, since the
> : > NETZILLA forgery, fraud and pink pork factory shut down, last
> : > January. They went so far as operating nine (9) different
> : > newsboxes, in an attempt to cover their tracks.
> : >
> : I also do not know who or what they did. We have only one news box trying
> : to serve our clients.
>
> Your "clients" are spammers. If you haven't figured this out by
> now, I have to believe you'll never come to this realization.
>
> Of course, there is another possibility, isn't there?
>

My clients are not spammers. They and I have solved the problem.

> : > That didn't work, either.
> : >
> : > Please take a moment to realize that Jerry SpamZilla Reynolds
> : > managed to sweet talk his way into no fewer than twenty different
> : > newsfeeds and peering agreements, all of which were eventually
> : > queered. That took place within one six month period.
> : >
> : > Think about it. Jerry Reynolds is a professional liar.
> : > </aside>
> : >
> : > To date, I have seen not one shred of _evidence_ to indicate that
> : > this is not one big spam, forgery and fraud operation. I've only
> : > heard a lot of whining, and not very convincing whining at that.
> : > Maybe it's the lies which have accompanied the whining which leaves
> : > so much doubt in my mind.
> :
> : Whining?????????? I keep answering your posts and emails to keep you
> : abreast of what is going on. Where I come from that is not whining.
>
> Whining and excuses, with an occasional denial tossed in, are about
> all I've seen to date.
>

Really?? You think so?? Has the spam not stopped?? Have I not done what I said I would do?? I think so.

> I most certainly have not seen the evidence I requested. For that
> matter, I haven't seen a shred of evidence presented by Poshnet,
> Hostcomm, PDXFiber or Empire2, which refutes a single matter
> brought up in this sordid affair.
>
> Is any evidence forthcoming?
>
> I'm still waiting, but I'm certainly not holding my breath in
> anticipation.
>

What evidence do you want? Please tell me. I feel that I have proved that I will do what I say I will. It has been done has it not?


> : > I'm not asking anyone to prove a negative. I know it cannot be
> : > done.
> : >
> : > Around here, evidence goes a lot farther than any amount of
> : > whining.
> : >
> : > I've shown you mine. Andrew showed you his. Now it's your turn.
> : >
> : > Shut down this feed.
> ^^^^ ^^^^ ^^^^ ^^^^
>
> To all of Hostcomm's upstreams, you have my humble thanks.
>
> While it would have been far easier, had Poshnet cut the Empire2
> box off; while it would have been much more expedient, had
> Hostcomm cut off Poshnet, it is obvious, at this late date, these
> are not happening things.
>

Then you are obviously blind.

Sean

Lysander Spooner

Oct 14, 1998, 3:00:00 AM
On Wed, 14 Oct 1998 17:24:24 GMT, buch...@cybernex.net (Lysander
Spooner) wrote:

>>NNTP-Posting-Host: 206.58.218.110
>
>Okay everybody, fire up a web-browser and connect to that address...
>
>(ie: http://206.58.218.110/)

Better yet, search Altavista for that IP address:

>3. Sex Chat Empire
>Live Sex Chat! Horny Women Are Waiting Inside!
>This application requires Java suport.
>This server also available via IRC at: irc://206.58.218.110:6663/
>URL: www.empirechat.com/gay.htm
>Last modified 17-Sep-98 - page size 1K - in English [ Translate ]

-- Rick
-----------
** Explain this, "Sean" **

Lysander Spooner

Oct 14, 1998, 3:00:00 AM
On Wed, 14 Oct 1998 10:33:37 -0700, Sean <use...@hostcomm.net> wrote:

>> Why, pray tell, would the downstream need root access to their
>> upstream, in attempting to fix that downstream server? Better
>> yet, why would that same downstream need root access to Hostcomm's
>> upstream, PDXFiber.net?
>>
>
>First, Like I have said they gave me root access to their box so I could
>try to help them. About PDXFiber.net this is none of your business but I will
>"explain" anyway. They have had many problems with their news box dying
>for no apparent reason we were working with them also to help them

You don't know the difference between POST and IHAVE and they asked
--you-- for help? Wow!

>after all they are my upstream.

No, they are -you-.

>THE SPAM HAS STOPPED HASN'T IT?????

Yup. The reason? You can't get anybody to give you an outbound
feed.

>About the phone numbers, everyone one of my upstreams that has requested my
>phone number I have given it to them. Why anyone would want to post a phone
>number on the net is beyond me.

Uh, so prospective customers can call you? You do want customers
don't you?

I know of ONLY THREE companies ostensibly involved with providing
Internet Services that _don't_ give a phone number on their webpage.


They are:

poshnet.com
hostcomm.net
pdxfiber.net

Interesting that your upstream and your downstream share your rather
unique aversion to telephony.

Even more interesting is the fact that there is no telephone directory
listing for any of the three companies. In fact, there is no
evidence ANYWHERE that any of these three companies even existed prior
to August 1998, when all three were first registered with the NIC
within weeks of each other -- all with remarkably similar formats.

I see from the Hostcomm website that Rebecca Ore isn't the only
science fiction writer around here. I quote:

<Begin quote from http://www.hostcomm.net/company.html)

>Founded in March 1995,

HA!

>Hostcomm Internet, Inc. became one of the first Internet Service
>Providers in the Vancouver-Portland Metropolitan Area.

My sources in your area have never heard of you. There is no mention
of you _anywhere_ on the Internet prior to August 1998.

>Hostcomm Internet quickly became one of the World's
>leading web hosting facility.

And apparently the only one without a phone.

>In October of 1995 Kemper&Raymond partnered with
>Hostcomm Internet, Inc. to provide custom services to
>it's clients and in house divisions.

No such company exists, or shows signs of having ever existed.

>In June 1996, Hostcomm Internet's ISP division merged with
>Capital Marketing Communications

No such company exists, or shows signs of having ever existed.

>and Level7 New Media to form Photon Digital.

No such companies (etc etc)

<End quote from http://www.hostcomm.net/company.html)

>Like I said the ONLY feeds they have is one from me and one from pacifier.com.

Then we still have one to eliminate.

>Yes I will say again. We were told it was an unused range of ips.

Why did you need them? As the First and Best ISP in the Pacific
Northwest I'd have thought you would have addresses to burn.

Did it occur to you to check who owned that address block? If I told
you that 32.97.253.60 was unused, would you use that too?

>We used them for a couple of workstations, big deal.

How did you do that? Details, please.

>I don't know who had them before us or who will have them next.

Empire2.com has them, and has had them for quite some time.

If you aren't Empire2, and Poshnet isn't Empire2, how did you manage
to "use" these addresses. And why them in particular (the same
address block containing the websites that were spamvertised through
your server)?

>I needed a couple of ips and used them. I am no longer using them.

Yes you are, moron. You're posting from 206.58.218.110, which is an
active porn-site-server in the Empire2 netblock.

>I think not.

Descartes said that and vanished.

>If that is not truthful I don't know what is.

That much is certain...

>Yes I have disabled the finger daemon and so had Poshnet

So has Empire2. Amazing coincidence!

>I told you we would fix the problem and we have.

No you didn't. You just got cut off is all.

> Just because you don't like an ip range we used is no reason to
>accuse us of being the empire organization. I resent that very much.

Do you have any -clue- how the IP protocol suite works?

>Then you are obviously blind.

FOAD

>Sean

You misspelled "Matt".

-- Rick
-----------
** or is it Drew, or Rob, or Vorp Lord? **

David Ritz

Oct 14, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 14 Oct 1998, Lysander Spooner wrote:

: On Wed, 14 Oct 1998 09:45:23 -0700, Sean <use...@hostcomm.net> wrote:
:
: >That is impossible. I have turned off their posting ability the only thing that
: >can be done is reading on that box. the only other feed that they have is from
: >Pacifier.com. I have gone through everyone of their configs, they have nothing
: >else. Am I missing something???
:
: Yes. The brains god gave the average turnip.
:
: Your headers:
:
: >Path: ...news.maxwell.syr.edu!newsfeed1.earthlink.net!news.pdxfiber.net!newssource.hostcomm.net!not-for-mail
: >From: Sean <use...@hostcomm.net>
: >Newsgroups: news.admin.net-abuse.usenet
: >Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed through newsfeed.poshnet.com [2]
: >Date: Wed, 14 Oct 1998 09:45:23 -0700
: >Organization: HostComm
: >Message-ID: <3624D523...@hostcomm.net>
: >Reply-To: use...@hostcomm.net
: >NNTP-Posting-Host: 206.58.218.110
:
: Okay everybody, fire up a web-browser and connect to that address...
:
: (ie: http://206.58.218.110/)
:
: See? Case closed.

No, I don't "see". This IP address went dead, just after you
posted your message. =(

Let's see if I can get a better handle on this, without trying to
contact an address, which would rather not be contacted. Here are
the headers of the emailed copy of the Message "Sean" sent out.

|Received: from smtp02.primenet.com (dae...@smtp01.primenet.com [206.165.6.132])
| by primenet.com (8.8.8/8.8.5) with ESMTP id JAA06956
| for <dr...@smtp-local.primenet.com>; Wed, 14 Oct 1998 09:49:26 -0700 (MST)
|Received: (from daemon@localhost)
| by smtp02.primenet.com (8.8.8/8.8.8) id JAA17577
| for <dr...@primenet.com>; Wed, 14 Oct 1998 09:49:24 -0700 (MST)
|Received: from UNKNOWN(206.58.210.40), claiming to be "newssource.hostcomm.net"
| via SMTP by smtp02.primenet.com, id smtpd017487; Wed Oct 14 09:49:17 1998
|Received: from hostcomm.net ([206.58.218.110])
| by newssource.hostcomm.net (8.8.7/8.8.7) with ESMTP id JAA12093
| for <dr...@primenet.com>; Wed, 14 Oct 1998 09:52:58 -0700
|Message-ID: <3624D523...@hostcomm.net>
|Date: Wed, 14 Oct 1998 09:45:23 -0700
|From: Sean <use...@hostcomm.net>
|Reply-To: use...@hostcomm.net
|Organization: HostComm
|X-Mailer: Mozilla 4.04 [en] (WinNT; I)
|MIME-Version: 1.0
|Newsgroups: news.admin.net-abuse.usenet
|To: David Ritz <dr...@primenet.com>
|Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed through newsfeed.poshnet.com [2]
|References: <Pine.BSI.3.96.98100...@usr10.primenet.com> <Pine.LNX.3.96.981006...@newssource.hostcomm.net> <Pine.BSI.3.96.981006...@usr10.primenet.com> <Pine.BSI.3.96.981008...@usr10.prim
|Content-Type: text/plain; charset=us-ascii
|Content-Transfer-Encoding: 7bit
|X-UIDL: d0f99e8a4b081b88a7e878424498f4ec

I'm really much better with news headers, so somebody correct me,
if I go astray.

This message was originated from [206.58.218.110], which identified
itself as "hostcomm.net". The message was then relayed through
newssource.hostcomm.net [206.58.210.40], which smtp02.primenet.com
had a little trouble verifying - UNKNOWN.

The originating IP address is in a rogue Empire2 net-block, operated
by Matt Middleton and Andy Vilcauskas (aka Andy Vilcus).

|usr10# whois -h whois.arin.net 206.58.218.110
|Structured Network Systems, Inc. (NETBLK-SNS-NET-5) SNS-NET-5
| 206.58.0.0 - 206.58.255.255
|Empire Communications (NETBLK-NET-EMPCOMM2) NET-EMPCOMM2
| 206.58.218.0 - 206.58.218.127

Now, much to my amazement, the finger daemon at pdxfiber.net is up
and providing all sorts of interesting information. (The daemons at
NEWS.pdxfiber.net, *hostcomm.net and *poshnet.com are still down.
I'm ready to lay odds that the daemon at pdxfiber.net will also be
offline, shortly after this message appears.)

]usr10# f ro...@pdxfiber.net
][pdxfiber.net]
]Login: root Name: root
]Directory: /root Shell: /bin/bash
]Last login Tue Oct 13 17:44 (PDT) on ttyp2 from rob.empire2.com:0.0
]Mail last read Fri Sep 4 10:30 1998 (PDT)
]No Plan.

]usr10# nslookup rob.empire2.com
]Server: dns1.primenet.net
]Address: 206.165.5.10
]
]Non-authoritative answer:
]Name: rob.empire2.com
]Address: 206.58.218.111

]traceroute to rob.empire2.com (206.58.218.111)
<...>
]13 pdx-bordercore2-fe4-0.or.nw.verio.net (205.238.52.195) hostm...@verio.net
]14 pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) hostm...@rain.net
]15 core02.hssi5.pdxfiber.net (206.58.1.26) hostm...@structured.net
]16 206.58.33.210 (206.58.33.210) postm...@structured.net
]17 206.58.218.111 (206.58.218.111) hostm...@structured.net

]traceroute to empire2.com (206.58.218.10)
<...>
]13 pdx-bordercore2-fe4-0.or.nw.verio.net (205.238.52.195) hostm...@verio.net
]14 pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) hostm...@rain.net
]15 core02.hssi5.pdxfiber.net (206.58.1.26) hostm...@structured.net
]16 206.58.33.210 (206.58.33.210) postm...@structured.net
]17 206.58.218.10 (206.58.218.10) hostm...@structured.net

As for _rob_.empire2.com, it's often the case that these are vanity
machine names. brad.netzilla.net is a classic example.

=> Name: brad.netzilla.net
=> Address: 208.149.207.247

=> vrfy brad
=> 250 Bradley D. Allison <br...@netzilla.net>

Now, WTF is "Rob"?

]usr10# telnet mail.empire2.com smtp
]Trying 206.58.218.10...
]Connected to empire2.com.
]Escape character is '^]'.
]220 empire2.com ESMTP Sendmail 8.8.5/8.8.4; Wed, 14 Oct 1998 04:45:49 -0700
]helo usr10
]250 empire2.com Hello usr10.primenet.com [206.165.6.210], pleased to meet you
]VRFY doc
]250 RHS Linux User <d...@empire2.com>
]VRFY mattm
]250 Matt Middleton <ma...@empire2.com>
]VRFY drew
]250 andy vilcauskas <dr...@empire2.com>
]EXPN postmaster
]250 Rob Bloodgood <ro...@empire2.com>
]QUIT
]221 empire2.com closing connection
]Connection closed by foreign host.

Rob seems to be Empire2's <postmaster>. (How 'bout them apples?)

Someone on Empire2's postmaster's vanity machine is logged on as
<root> at PDXFiber.net.

The address which "Sean" is posting and sending email from,
[206.58.218.110], has an IP address immediately adjacent to
Empire2's postmaster's vanity machine, [206.58.218.111].

"Sean" has maintained, from the beginning, that he has no knowledge
of Empire2 or Matt Middleton. "Sean" has stated that some unnamed
"birdie" told him to use an Empire2 address to access his own
server, through Poshnet.
(see email dated Mon, 12 Oct 1998 14:09:57 -0700 (PDT), quoted in
<Pine.BSI.3.96.981013...@usr10.primenet.com>)

} We gave access to poshnet and poshnet gave us access so we could work on
} this problem they are having with spam. The IP range that logged into
} poshnet was one we were told was unused and available so we used it.

Does anyone want to guess what this is all about?

Here are today's clues.

|Middleton, M (MM3141) d...@EMPIRE2.COM
| AM Ent., Inc.
| 921 SW Wahington, St.
| Portland, Or 97205
| 503.241.1091 (FAX) 503.241.1198
|
| Record last updated on 01-Sep-98.
| Database last updated on 14-Oct-98 04:42:46 EDT.

|Middleton, Matt (MM3141-ARIN) ma...@EMPIRE2.COM
| AM Enterprises of Portland, Inc.
| 921 S.W. Washington St.
| Suite 224
| Portland, Or 97205
| 503.241.1091 (FAX) 503.241.1198
|
| Record last updated on 08-Jul-97.
| Database last updated on 13-Oct-98 16:11:04 EDT.

|usr10# whois dr...@empire2.com
|Vilcauskas, Andrew (AV1538) dr...@EMPIRE2.COM 5036923719
|Vilcus, andy (AV503) dr...@EMPIRE2.COM 503.299.3548
|Vilcus, andy (AV504) dr...@EMPIRE2.COM 503.645.6757

|Vilcauskas, Andrew (AV1538) dr...@EMPIRE2.COM
| Andrew Vilcauskas
| 7305 sw delaware cir
| tualatin,, OR 97062
| 5036923719
|
| Record last updated on 01-Jun-98.
| Database last updated on 14-Oct-98 04:42:46 EDT.

|Vilcus, andy (AV503) dr...@EMPIRE2.COM
| AJV
| 16552 NW argyle way
| portland, OR 97229
| 503.299.3548
|
| Record last updated on 24-Aug-98.
| Database last updated on 14-Oct-98 04:42:46 EDT.

|Vilcus, andy (AV504) dr...@EMPIRE2.COM
| AJV
| 16552 NW argyle way
| Portland, OR 97229
| 503.645.6757
|
| Record last updated on 23-Feb-97.
| Database last updated on 14-Oct-98 04:42:46 EDT.

: Sean, you are too fucking stupid to live.

Do you really think this guy's name is "Sean Morrow"??!

: -- Rick
: -----------
: ** Now GO AWAY! **

<AOL> M3 T00!! </AOL>

--
David Ritz <dr...@primenet.com> Finger for PGP Public Keys
Fight against spam & spammers. http://spam.abuse.net
Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
** Be kind to animals. - Kiss a shark. **


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
Comment: Finger:dr...@primenet.com for Public Keys

-----END PGP SIGNATURE-----
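
The header walk in the post above, done mechanically, as an added example that is not part of the original post: it unfolds the Received: lines, separates what each sender claimed from the address the receiving server recorded, and tests addresses against the ARIN range quoted for NET-EMPCOMM2. The function names are my own; the header lines and the range are copied from the post.

```python
import ipaddress
import re

# Received: lines copied from the e-mailed copy quoted in the post above,
# newest hop first. The "..." address elisions are as they appear on the page.
RAW_HEADERS = """\
Received: from smtp02.primenet.com (dae...@smtp01.primenet.com [206.165.6.132])
 by primenet.com (8.8.8/8.8.5) with ESMTP id JAA06956
 for <dr...@smtp-local.primenet.com>; Wed, 14 Oct 1998 09:49:26 -0700 (MST)
Received: (from daemon@localhost)
 by smtp02.primenet.com (8.8.8/8.8.8) id JAA17577
 for <dr...@primenet.com>; Wed, 14 Oct 1998 09:49:24 -0700 (MST)
Received: from UNKNOWN(206.58.210.40), claiming to be "newssource.hostcomm.net"
 via SMTP by smtp02.primenet.com, id smtpd017487; Wed Oct 14 09:49:17 1998
Received: from hostcomm.net ([206.58.218.110])
 by newssource.hostcomm.net (8.8.7/8.8.7) with ESMTP id JAA12093
 for <dr...@primenet.com>; Wed, 14 Oct 1998 09:52:58 -0700
"""

# ARIN range quoted in the post for NET-EMPCOMM2.
NETBLOCK_FIRST, NETBLOCK_LAST = "206.58.218.0", "206.58.218.127"

# Dotted quad not embedded in a longer dotted number (skips "8.8.8/8.8.5").
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def unfold_received(raw):
    """Return each Received: header as one unfolded string, newest first."""
    headers, current = [], None
    for line in raw.splitlines():
        if line.startswith("Received:"):
            if current is not None:
                headers.append(current)
            current = line[len("Received:"):].strip()
        elif current is not None and line[:1] in (" ", "\t"):
            current += " " + line.strip()   # folded continuation line
        elif current is not None:
            headers.append(current)          # some other header ends the run
            current = None
    if current is not None:
        headers.append(current)
    return headers


def parse_hop(header):
    """Split one Received: value into what the sender claimed and what the
    receiving MTA recorded."""
    from_part, _, by_part = header.partition(" by ")
    name = re.match(r"from\s+([A-Za-z0-9.-]+)", from_part)
    claimed = re.search(r'claiming to be "([^"]+)"', from_part)
    by_host = re.match(r"[A-Za-z0-9.-]+", by_part)
    ip = None
    for candidate in IPV4.findall(from_part):
        try:
            ip = str(ipaddress.ip_address(candidate))
            break
        except ValueError:
            continue                         # e.g. 999.1.1.1
    name = name.group(1) if name else None
    return {
        "name": name,
        "claimed": claimed.group(1) if claimed else None,
        "ip": ip,
        "by": by_host.group(0) if by_host else None,
        # The receiver could not map the peer address to a name.
        "unverified": name == "UNKNOWN" or claimed is not None,
    }


def trace(raw):
    """Hops in travel order: origin first, final delivery last."""
    return [parse_hop(h) for h in reversed(unfold_received(raw))]


def netblock_cidrs(first=NETBLOCK_FIRST, last=NETBLOCK_LAST):
    """Express a whois first-last range as CIDR prefixes."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def in_netblock(ip, first=NETBLOCK_FIRST, last=NETBLOCK_LAST):
    """True if ip falls inside the whois range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c)
               for c in netblock_cidrs(first, last))


if __name__ == "__main__":
    for n, hop in enumerate(trace(RAW_HEADERS), 1):
        flags = []
        if hop["unverified"]:
            flags.append("peer name not verified by receiver")
        if hop["ip"] and in_netblock(hop["ip"]):
            flags.append("inside " + ", ".join(netblock_cidrs()))
        print(n, hop["ip"], "->", hop["by"], "; ".join(flags))
```

When reading the result, keep in mind which server wrote each line: the 206.58.218.110 hop was recorded by newssource.hostcomm.net, while 206.58.210.40 is the peer address that primenet's own smtp02 saw.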


Cameron Kaiser

Oct 14, 1998, 3:00:00 AM
David Ritz <dr...@primenet.com> writes:

>]usr10# f ro...@pdxfiber.net
>][pdxfiber.net]
>]Login: root Name: root
>]Directory: /root Shell: /bin/bash
>]Last login Tue Oct 13 17:44 (PDT) on ttyp2 from rob.empire2.com:0.0
>]Mail last read Fri Sep 4 10:30 1998 (PDT)
>]No Plan.

>]usr10# nslookup rob.empire2.com
>]Server: dns1.primenet.net
>]Address: 206.165.5.10
>]
>]Non-authoritative answer:
>]Name: rob.empire2.com
>]Address: 206.58.218.111

Interesting (from concentric.net domain):

mariner:/U/C/Cdkaiser/% traceroute rob.empire2.com
traceroute: unknown host rob.empire2.com

From ptloma.edu domain:

calvin:/home/spectre/% traceroute rob.empire2.com
traceroute: unknown host rob.empire2.com
calvin:/home/spectre/% dig rob.empire2.com

; <<>> DiG 8.1 <<>> rob.empire2.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; rob.empire2.com, type = A, class = IN

;; Total query time: 17 msec
;; FROM: calvin to SERVER: default -- 10.1.3.102
;; WHEN: Wed Oct 14 13:26:43 1998
;; MSG SIZE sent: 33 rcvd: 33

calvin:/home/spectre/% ping 206.58.218.111
PING 206.58.218.111 (206.58.218.111): 56 data bytes
64 bytes from 206.58.218.111: icmp_seq=0 ttl=46 time=47.8 ms
64 bytes from 206.58.218.111: icmp_seq=1 ttl=46 time=81.6 ms
64 bytes from 206.58.218.111: icmp_seq=2 ttl=46 time=172.3 ms
^C
--- 206.58.218.111 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 47.8/100.5/172.3 ms

Someone is playing some games.

Lysander Spooner

Oct 14, 1998, 3:00:00 AM
On Wed, 14 Oct 1998 12:31:46 -0700, David Ritz <dr...@primenet.com>
wrote:

>: >NNTP-Posting-Host: 206.58.218.110
>:
>: Okay everybody, fire up a web-browser and connect to that address...
>:
>: (ie: http://206.58.218.110/)
>:
>: See? Case closed.
>
> No, I don't "see". This IP address went dead, just after you
> posted your message. =(

(Gee, that's not very suspicious, is it?)

No problem. I saved a copy of the HTML source.

============================================================
<HEAD><TITLE>EmpireChat.com</TITLE>
<META name="description" content="EmpireChat For The Hottest Chat!!">
<META name="keywords" content="adult chat, chat, ircchat, sex, pussy,
tits, boobs, lez, lesbian, fuck, fucking, gay, xxx, hardcore,
softcore, teens, teen">
<META name="author" content="d...@empire2.com">
</HEAD>

<BASE HREF="http://206.58.218.55:80/Themes/Default/">

<BODY BGCOLOR=#ffffff vlink=#000000 link=#0000aa alink=#e0e000
text=#000000>
<Center>
<H2>Chat Server</H2>
<BR>
<h3>
Access From The Web: www.empirechat.com<br>
<br>
Access From Irc Client: empirechat.com ports 6663 Through 7000<br>
<br>
<br>
It Will Take A Second For The Java To Load.
</h3>

<APPLET archive="/java/cr.zip" codebase="/java/"
code="ConferenceRoom.class" name=cr width=600 height=400>
<param name=cabbase value="/java/cr.cab">
<param name=port value="6663">
<param name=channel value="#AdultDreams">
<param name=nick value="">
<param name=fullname value="">
<param name=bg value="FFFFFF">
<param name=fg value="000000">
<CENTER>
This application requires Java suport.<BR>
This server also available via IRC at:<BR>
<A HREF="irc://206.58.210.41:6663/">irc://206.58.210.41:6663/</a>
</CENTER>
</APPLET>
<BR>
<BR>
<!-- 123ADULT CODE STARTS HERE: ALTERING CAUSES TERMINATION -->
<A HREF="http://www.123Adult.com/sex.html">
<IMG SRC="http://two.123Adult.com/cgi-bin/count?2314256.5"
HEIGHT=34 WIDTH=88 BORDER=0 ALT="123Adult Web Site
Statistics!"></A>
<!-- 123ADULT CODE ENDS HERE -->
<BR>
</center>
</BODY>
</HTML>
=========================================================

> Let's see if I can get a better handle on this, without trying to
> contact an address, which would rather not be contacted.

You can get to the same place by using www.empirechat.com
(Unless Rob is doing the Spamboy Shuffle and blocking your domain
specifically.)

>]usr10# telnet mail.empire2.com smtp
>]Trying 206.58.218.10...
>]Connected to empire2.com.
>]Escape character is '^]'.
>]220 empire2.com ESMTP Sendmail 8.8.5/8.8.4; Wed, 14 Oct 1998 04:45:49 -0700

>]EXPN postmaster
>]250 Rob Bloodgood <ro...@empire2.com>

There will now be a slight pause as the guys at Empire2 try to figure
out how to disable EXPN, and then do so for pdxfiber, hostcomm and
poshnet.

We should charge these halfwits for lessons.

>
> Rob seems to be Empire2's <postmaster>. (How 'bout them apples?)

Them apples got worms.

Rob also goes by the wArEZ-d0oD handle of "Lord Vorp".

lo...@cybernw.com (inactive)
lo...@teleport.com (inactive)
lord...@usa.net
lord...@my-dejanews.com

Right about the time that PDXliar, Hoaxcomm and Pishnet sprung forth
spontaneously into the Universe, Rob was begging for help configuring
his webservers. Observe --

>Subject: DNS Weirdness: Lookups always on?
>Author: Lord Vorp
>Email: lord...@usa.net
>Date: 1998/08/27
>Forums: comp.infosystems.www.servers.unix
>Message-ID: <35E5D1...@usa.net>
>Content-Transfer-Encoding: 7bit
>Content-Type: text/plain; charset=us-ascii
>Mime-Version: 1.0
>Organization: NWRegion.Net News Server
>
>--------------------------------------------------------------------------------
>
>I have two apache servers (v1.3.1) running with a custom module in a
>pretty vanilla config on RedHat Linux 5.0. In order to increase
>performance, I have set:
>HostNameLookups off
>
>However, whenever I hit the /status page, Apache shows that most of the
>requests are currently looking up dns, and I have hostnames instead of
>ip's in the transaction list below.
>
>I did a little research thru the docs, and saw mention that if
>mod_access uses any restrictions based on hostnames, all connections
>will be double-reversed. So I checked. The places it's using allow
>/deny are:
>
>#httpd.conf
>order allow,deny
>allow from all
>deny from none
>
><Location /status>
><Limit GET>
>order deny,allow
>allow from 206.58.218.0/25
>deny from all
></Limit>
>SetHandler server-status
></Location>
> --- CUT ---
>
>So I can pretty much rule that out.
>
>This is killing my server, and I would really appreciate any help.
>
>TIA,
>L V

Note the Org header and the address in the "allow from" line in the
body.

Some weeks prior to that, he posted this test.

>Subject: this is another one
>Author: Lord Vorp
>Email: lord...@usa.net
>Date: 1998/07/08
>Forums: test
>Message-ID: <35A3DB...@usa.net>
>Content-Transfer-Encoding: 7bit
>Content-Type: text/plain; charset=us-ascii
>Mime-Version: 1.0
>
>
>--------------------------------------------------------------------------------
>
>I am a big boy now...no spam cancel
>
>--------------------------------------------------------------------------------

Sorry Vorpy, you are a bad -little- boy...

and YES spam cancel.

>: Sean, you are too fucking stupid to live.
>
> Do you really think this guy's name is "Sean Morrow"??!

Oops! I forgot the quotes!

-- Rick
-----------
** Rob, give it up. You're embarrassing yourself. **

Sam

Oct 14, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

In article <3624E070...@hostcomm.net>,
Sean <use...@hostcomm.net> wrote:


>> Why, pray tell, would the downstream need root access to their
>> upstream, in attempting to fix that downstream server? Better
>> yet, why would that same downstream need root access to Hostcomm's
>> upstream, PDXFiber.net?
>>
>

>First, Like I have said they gave me root access to their box so I could try to help them.

Ok, folks, how many times were we given root access to our *upstream's*
servers??? Let's have a show of hands, please.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: http://www.geocities.com/SiliconValley/Peaks/5799/ for public key.

-----END PGP SIGNATURE-----

Sam

Oct 14, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

In article <Pine.BSI.3.96.98101...@usr10.primenet.com>,
David Ritz <dr...@primenet.com> wrote:


> No, I don't "see". This IP address went dead, just after you
> posted your message. =(

>]220 empire2.com ESMTP Sendmail 8.8.5/8.8.4; Wed, 14 Oct 1998 04:45:49 -0700
>]helo usr10
>]250 empire2.com Hello usr10.primenet.com [206.165.6.210], pleased to meet you
>]VRFY doc
>]250 RHS Linux User <d...@empire2.com>
>]VRFY mattm

.
.
.

Heh -- I'm taking bets on whether they'll shut down sendmail, instead of
figuring out how to turn off VRFY.

The documentation included with Red Hat Linux (even with the official
version) sez nuthin' about sendmail. Therefore, unless these brainiacs are
familiar with sendmail-isms, they'll be scratching their butts forever,
trying to figure it out (all the while completely overlooking the obvious
solution, which I won't mention).

They must be running RH 5.0 at the latest -- it's probably RH 4.2 (can't
remember whether RH 5.0 shipped with 8.8.7 or 8.8.5).

There have been gazillions of security updates to RH packages even since
5.0 -- of course, I doubt that these rocket scientists have bothered to
install ANY of them.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: http://www.geocities.com/SiliconValley/Peaks/5799/ for public key.

-----END PGP SIGNATURE-----

John Payne

Oct 14, 1998, 3:00:00 AM
On 14 Oct 1998 22:08:33 -0000, Sam <sam...@dpinc.ml.org> wrote:
>Ok, folks, how many times were we given root access to our *upstream's*
>servers??? Let's have a show of hands, please.

* hand raised * ... oh wait, the upstream in question is also run by
me. Hang on, I have root on another of my upstreams... doh, no that's
also run by my employer. Does that count ("Sean" obv thinks it does)
Damn, maybe I should just sit on my hands then ;-)

--
John Payne http://www.sackheads.org/jpayne jo...@sackheads.org
Sarcasm by request Fax: +44 870 0547954
My mail provider doesn't welcome UBE - http://www.sackheads.org/uce/

LMNilsson ==>

Oct 14, 1998, 3:00:00 AM
buch...@cybernex.net (Lysander Spooner)
said the below on Wed, 14 Oct 1998 21:33:20 GMT:

> tits, boobs, lez, lesbian, fuck, fucking, gay, xxx, hardcore,
> softcore, teens, teen

> http://206.58.218.55:80/Themes/Default/


Thank you for recommending a *great* pornsite i nanau, Rick!
Big tits, young blondes, go there, tell 'em who sent yer.

--
**RETURN OF THE DUST BUNNIES** |- L M Nilsson® - lar...@iname.com -
**FAWNS!** |
**THE ABOMINABLE SEA PEACH** |"in /dev/null nobody can hear you scream"

Sam

Oct 14, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

In article <7031bo$7...@chronicle.concentric.net>,
Cameron Kaiser <cdka...@delete.these.four.words.concentric.net> writes:

>>]Non-authoritative answer:
>>]Name: rob.empire2.com
>>]Address: 206.58.218.111
>
> Interesting (from concentric.net domain):
>
> mariner:/U/C/Cdkaiser/% traceroute rob.empire2.com
> traceroute: unknown host rob.empire2.com
>
> From ptloma.edu domain:
>
> calvin:/home/spectre/% traceroute rob.empire2.com
> traceroute: unknown host rob.empire2.com
> calvin:/home/spectre/% dig rob.empire2.com

[ snip ]

His forward/reverse IP doesn't match. Ho-hum...

[ little digging, here and there ]

The empire2.com domain has only three IP addresses assigned to it:

empire2.com 206.58.218.10
robb.empire2.com 206.58.218.66
devel.empire2.com 206.58.218.121

Other names (mail.empire2.com, www.empire2.com, etc) are just aliases to
one of these three.

> Someone is playing some games.

Nah. Routine broken DNS. See it all the time. Here are all the domains
that empire2.com has registered. If you poke around, you'd probably find
the one that has the .111 address assigned to it. I spot-checked a few of
them, and although empire2.com has them registered, his servers no longer
carry the actual domain.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----


Rebecca Ore

Oct 14, 1998, 3:00:00 AM
l...@home.se (LMNilsson ==>) writes:

> buch...@cybernex.net (Lysander Spooner)
> said the below on Wed, 14 Oct 1998 21:33:20 GMT:
>
> > tits, boobs, lez, lesbian, fuck, fucking, gay, xxx, hardcore,
> > softcore, teens, teen
> >
> > http://206.58.218.55:80/Themes/Default/
>
>
> Thank you for recommending a *great* pornsite i nanau, Rick!
> Big tits, young blondes, go there, tell 'em who sent yer.
>

If we can't recommend great pornsites in
news.admin.net-abuse.usenet, then where can we mention them?

--
Rebecca Ore
**Write a filter on that**


Sean

Oct 14, 1998, 3:00:00 AM
to Lysander Spooner
Of course the ip went dead after Rick kindly informed me we still had one connected
to that ip range. I changed it like I did the other workstation. From what I have
seen, empirechat is on 206.58.218.55; after talking to the people who chat there, they
said it has been on that ip for over 2 years now. How Rick got empirechat from
206.58.218.110 is beyond me.

How empire or rob handles their servers is not my concern as long as their spam is
not on my server. I have not tried to hide anything from you guys and have done
everything I said I would do. Quit harassing me.

Sean

Sean

Oct 14, 1998, 3:00:00 AM
to Rebecca Ore
It looked more like a chat site to me. How is it a porn site? Have you
talked to the people?

Rebecca Ore wrote:

> l...@home.se (LMNilsson ==>) writes:
>
> > buch...@cybernex.net (Lysander Spooner)
> > said the below on Wed, 14 Oct 1998 21:33:20 GMT:
> >
> > > tits, boobs, lez, lesbian, fuck, fucking, gay, xxx, hardcore,
> > > softcore, teens, teen

LMNilsson ==>

Oct 14, 1998, 3:00:00 AM
Sean <use...@hostcomm.net>
said the below on Wed, 14 Oct 1998 16:21:34 -0700:

> It looked more like a chat site to me. How is it a porn site?

I don't know, I trusted Rick. Haven't seen it yet, actually. But
it *did* draw visitors to the site.

This could be a whole new concept: Pretend that you are a
respected dedicated despammer for years, then you "report"
incidents in this group with full URL, contents a.s.o.

LMNilsson ==>

Oct 14, 1998, 3:00:00 AM
Rebecca Ore <rebec...@op.net>
said the below on 14 Oct 1998 19:27:25 -0400:

> l...@home.se (LMNilsson ==>) writes:
>
> > buch...@cybernex.net (Lysander Spooner)
> > said the below on Wed, 14 Oct 1998 21:33:20 GMT:
> >
> > > tits, boobs, lez, lesbian, fuck, fucking, gay, xxx, hardcore,
> > > softcore, teens, teen
> > >
> > > http://206.58.218.55:80/Themes/Default/
> >
> >
> > Thank you for recommending a *great* pornsite i nanau, Rick!
> > Big tits, young blondes, go there, tell 'em who sent yer.
> >
> If we can't recommend great pornsites in
> news.admin.net-abuse.usenet <...>

It is clearly shown that you can. If it's done with a little
finesse.

Sean

Oct 14, 1998, 3:00:00 AM
to lar...@iname.com
Then maybe you should check it out. I saw nothing of a porn site there.

LMNilsson ==> wrote:

> Sean <use...@hostcomm.net>
> said the below on Wed, 14 Oct 1998 16:21:34 -0700:
>
> > It looked more like a chat site to me. How is it a porn site?
>
> I don't know, I trusted Rick. haven't seen it yet actually. But
> it *did* drew visitors to the site.
>
> This could be a whole new concept: Pretend that you are a
> respected dedicated despammer for years, than you "report"
> incidents in this group with full URL, contents a.s.o.
>

Sean

Oct 14, 1998, 3:00:00 AM
to Lysander Spooner
Alta Vista is not always correct.

nslookup shows empirechat 206.58.218.55

empirechat users say this ip has been in use for that chat site for over 2
years.

Go figure....


Lysander Spooner wrote:

> On Wed, 14 Oct 1998 16:21:34 -0700, Sean <use...@hostcomm.net> wrote:
>
> >It looked more like a chat site to me. How is it a porn site? Have you
> >talked to the people?
>
> AltaVista sez:
>
> >3. Sex Chat Empire
> >Live Sex Chat! Horny Women Are Waiting Inside!
> >
> >This application requires Java suport.
> >
> >This server also available via IRC at: irc://206.58.218.110:6663/
> >URL: www.empirechat.com/gay.htm
> >Last modified 17-Sep-98 - page size 1K - in English [ Translate ]
>
> -- Rick
> -----------
> ** An "adult-oriented" chat site? **


Rebecca Ore

Oct 14, 1998, 3:00:00 AM
l...@home.se (LMNilsson ==>) writes:

> Sean <use...@hostcomm.net>
> said the below on Wed, 14 Oct 1998 16:21:34 -0700:
>
> > It looked more like a chat site to me. How is it a porn site?
>
> I don't know, I trusted Rick. haven't seen it yet actually. But
> it *did* drew visitors to the site.
>
> This could be a whole new concept: Pretend that you are a
> respected dedicated despammer for years, than you "report"
> incidents in this group with full URL, contents a.s.o.
>

They get nineteen posts of their own and maybe one of ours
quoting before the ax goes down. Hey, we're not prudes.

Think of it as the Usenet equivalent of the second last
cigarette.

--
Rebecca Ore


Lysander Spooner

Oct 15, 1998, 3:00:00 AM
On Wed, 14 Oct 1998 16:21:34 -0700, Sean <use...@hostcomm.net> wrote:

>It looked more like a chat site to me. How is it a porn site? Have you
>talked to the people?

AltaVista sez:

>3. Sex Chat Empire
>Live Sex Chat! Horny Women Are Waiting Inside!

>This application requires Java suport.

Andrew Gierth

Oct 15, 1998, 3:00:00 AM
>>>>> "Sean" == Sean <use...@hostcomm.net> writes:

Sean> Alta Vista is not always correct.
Sean> nslookup show empirechat 206.58.218.55

Sean> empirechat users say this ip has been in use for that chat site
Sean> for over 2 years.

You Just Don't Get It, do you?

When every channel of investigation (finger, posting-hosts, whatever)
points back from you to Empire's addresses, you really think that
people are going to believe that you're not linked with them?

When the system you're posting from serves up a web page with Empire's
fingerprints all over it? Regardless of whether the service with that
name is running on another address now...

If all these traces lead to an uninvolved third party, it might be
coincidence. But when everything points straight back to the operation
that stands directly to benefit from the massive abuse of Usenet
perpetrated through your systems?

Pull the other one, it has got bells on.

--
Andrew.

John Payne

Oct 15, 1998, 3:00:00 AM
On Wed, 14 Oct 1998 16:18:42 -0700, Sean <use...@hostcomm.net> wrote:
>Of course the ip went dead after Rick kindly informed me we still hade one connected
>to that ip range. I changed it like I did the other workstation. From what I have

Now, see, nobody would have been able to reach your workstation at that address
unless you had it *routed* to you. How would you get it routed to you? By
being the same entity that has that range officially.

Please, at least come up with some excuses that involve some brainpower to
break. Alternatively, as I'm inclined to give people the benefit of doubt,
you could always ask your employer to stop lying to you </mode naive=off>

XOXO Fluffy

Oct 15, 1998, 3:00:00 AM
On 14 Oct 1998, John Payne wrote:

> >Ok, folks, how many times were we given root access to our *upstream's*
> >servers??? Let's have a show of hands, please.
>
> * hand raised * ... oh wait, the upstream in question is also run by
> me. Hang on, I have root on another of my upstreams... doh, no thats

MEE TO *waves all three hands wildly*

Er... no, waitaminnit, you asked if we were *given* r00t access, not
whether we somehow happen to have it...

*ahem*

Never mind then. Move along, nothing to see here


barry ``and you thought sendmail was bad?'' bouwsma
(oh, and John, you might want to fix your space, you look dangerously
close to throttling again; no need to thank me, the Cabal pays me well to
watch over all their news swervers)


Lysander Spooner

Oct 15, 1998, 3:00:00 AM
On Wed, 14 Oct 1998 16:18:42 -0700, Sean <use...@hostcomm.net> wrote:

>Of course the ip went dead after Rick kindly informed me we still hade one connected
>to that ip range. I changed it like I did the other workstation. From what I have
>seen empirechat is on 206.58.218.55 after talking to the people who chat there they
>said it has been on that ip for over 2 years now.

I know exactly why 206.58.218.110 was deflecting HTTP connects to
www.empirechat.com (.55). I also know how you 'fixed' it.

It's the exact same reason that www.raechel.com (.90) and
www.siteorders.com (.100) and a bunch of other Empire2 addresses were
ALSO defaulting to that page.

The thing is, Rob, you have once again blundered -- this time by
'fixing' those other host/addresses at the same time as you 'fixed'
_your_ station. Why would you care about those other sites?

Now, you've given us some -spectacularly- unconvincing explanations of
why everybody in Poshnet, Hostcomm and PDXfiber has root access to
each other. I'm dying to hear why you have privileged access at
Empire2. Do tell.

>How Rick got empirechat from 206.58.218.110 is beyond me.

Apparently, telling the truth is beyond you as well.

As are the basics of the IP protocols.

>How empire or rob handles their servers is not my concern as long as their spam is
>not on my server. I have not tried to hide anything from you guys and have done
>everything I said I would do, quit harrassing me.

Are you the guy I spoke with in early July? The one who was upset
that I got Verio to whack your pee-pee?

You were a lousy liar then. You're worse now.

Go register some new domains so we can play this game again in a few
months. I'll prepare some new lesson plans.

-- Rick
-----------
** Time to lean on Verio again. (I bet you miss structured, huh?) **

John Payne

Oct 15, 1998, 3:00:00 AM
On Thu, 15 Oct 1998 05:06:03 +0200, XOXO Fluffy <bo...@newsmangler.inet.tele.dk> wrote:
>barry ``and you thought sendmail was bad?'' bouwsma
>(oh, and John, you might want to fix your space, you look dangerously
>close to throttling again; no need to thank me, the Cabal pays me well to
>watch over all their news swervers)

Look, it's not my fault INN won't handle my 2Gb history :-(

Cameron Kaiser

Oct 15, 1998, 3:00:00 AM
Rebecca Ore <rebec...@op.net> writes:

> If we can't recommend great pornsites in
> news.admin.net-abuse.usenet, then where can we mention them?

news.admin.censorship should love it.

Ernst Zundel

Oct 15, 1998, 3:00:00 AM
On 15 Oct 1998 07:08:25 PDT, Cameron Kaiser
<cdka...@delete.these.four.words.concentric.net> wrote:
-
-Rebecca Ore <rebec...@op.net> writes:
-
->If we can't recommend great pornsites in
->news.admin.net-abuse.usenet, then where can we mention them?
-
-news.admin.censorship should love it.

That's true--they are more than welcome there--in fact we
encourage sample binaries as well.

Steve
news.admin.censorship


r...@netgate.net

Oct 15, 1998, 3:00:00 AM

>Of course the ip went dead after Rick kindly informed me we still hade one connected
>to that ip range. I changed it like I did the other workstation.

Oh, so you have root access at empire, too? Damn, you make friends
quickly: just a few days ago you'd never heard of them...

>From what I have
>seen empirechat is on 206.58.218.55 after talking to the people who chat there they
>said it has been on that ip for over 2 years now. How Rick got empirechat from
>206.58.218.110 is beyond me.

Interesting choice of words:

traceroute to empirechat.com (206.58.218.55), 30 hops max, 40 byte packets

1 pm3-sc-1.netgate.net (204.145.147.46) 170 ms 140 ms 160 ms
2 santaclara.netgate.net (204.145.147.5) 150 ms 160 ms 160 ms
3 rtr0-250.mainstreet.net (207.5.0.250) 180 ms 190 ms 160 ms
4 rtr0-241.mainstreet.net (207.5.0.241) 150 ms 160 ms 180 ms
5 f0.sjc1.verio.net (198.32.136.126) 160 ms 160 ms 150 ms
6 sjc1.pao5.verio.net (129.250.2.65) 160 ms 280 ms 250 ms
7 pao5.smf0.verio.net (129.250.3.14) 250 ms * 190 ms
8 smf0.smf1.verio.net (129.250.3.18) 160 ms 150 ms 160 ms
9 smf1.pdx0.verio.net (129.250.3.22) 190 ms 190 ms 180 ms
10 pdx-bordercore2-fe4-0.or.nw.verio.net (205.238.52.195) 190 ms 190 ms 190
11 pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) 180 ms 190 ms 190 ms
12 core02.hssi5.pdxfiber.net (206.58.1.26) 180 ms 190 ms 180 ms
13 sfm.s03.hostcomm.net (206.58.33.210) 190 ms 190 ms 180 ms
14 empirechat.com (206.58.218.55) 190 ms 180 ms 190 ms

It does, indeed, appear that empirechat.com is just "beyond" you.

>How empire or rob handles their servers is not my concern as long as their spam is
>not on my server.

It would seem otherwise: as their bandwidth provider, you should be
very concerned.

An interesting situation, here: either you were lying when you said
you had no knowledge of empire, or you've just run out and made a deal
to sell net access to one of the most notorious abusers in the world,
*after* finding out that they're Bad Guys.

So, which are you, "Sean"? Are you:

a. a lying sack of shit?
b. a subhuman sleaze?
c. a sock puppet?
d. all of the above?

You have 5 seconds to complete this quiz. You may pick up your pencil
.. wait for it ... now.

Time's up. Turn in your paper, and I'll announce your grade next week.

Ran
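The path argument in the post above can be read straight off the traceroute output. The following is an added example, not part of the original thread: it parses the trace as posted and lists which operators carry the packets and which router hands them to the destination. The function names are hypothetical, and taking the last two labels of a router name as its operator is an assumption that holds for the names in this trace.

```python
import re

# Traceroute output copied from the post above (hop 10 is cut short there).
TRACE = """\
traceroute to empirechat.com (206.58.218.55), 30 hops max, 40 byte packets
1 pm3-sc-1.netgate.net (204.145.147.46) 170 ms 140 ms 160 ms
2 santaclara.netgate.net (204.145.147.5) 150 ms 160 ms 160 ms
3 rtr0-250.mainstreet.net (207.5.0.250) 180 ms 190 ms 160 ms
4 rtr0-241.mainstreet.net (207.5.0.241) 150 ms 160 ms 180 ms
5 f0.sjc1.verio.net (198.32.136.126) 160 ms 160 ms 150 ms
6 sjc1.pao5.verio.net (129.250.2.65) 160 ms 280 ms 250 ms
7 pao5.smf0.verio.net (129.250.3.14) 250 ms * 190 ms
8 smf0.smf1.verio.net (129.250.3.18) 160 ms 150 ms 160 ms
9 smf1.pdx0.verio.net (129.250.3.22) 190 ms 190 ms 180 ms
10 pdx-bordercore2-fe4-0.or.nw.verio.net (205.238.52.195) 190 ms 190 ms 190
11 pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) 180 ms 190 ms 190 ms
12 core02.hssi5.pdxfiber.net (206.58.1.26) 180 ms 190 ms 180 ms
13 sfm.s03.hostcomm.net (206.58.33.210) 190 ms 190 ms 180 ms
14 empirechat.com (206.58.218.55) 190 ms 180 ms 190 ms
"""

TARGET = re.compile(r"^traceroute to (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse(text):
    """Return ((target_name, target_ip), [(ttl, router_name, router_ip), ...])."""
    target, hops = None, []
    for line in text.splitlines():
        t = TARGET.match(line)
        if t:
            target = t.groups()
            continue
        h = HOP.match(line)  # hops that answered no probe ("* * *") do not match
        if h:
            hops.append((int(h.group(1)), h.group(2).lower(), h.group(3)))
    if target is None or not hops:
        raise ValueError("not a traceroute transcript")
    return target, hops


def operator(hostname):
    # Assumption: the last two labels identify the operator. True for the
    # .net/.com names in this trace, not for names under e.g. .co.uk.
    return ".".join(hostname.split(".")[-2:])


def carriers(text):
    """(destination reached?, operators on the path in order, duplicates merged)."""
    target, hops = parse(text)
    reached = hops[-1][2] == target[1]
    routers = hops[:-1] if reached else hops
    chain = []
    for _, name, _ in routers:
        op = operator(name)
        if not chain or chain[-1] != op:
            chain.append(op)
    return reached, chain


def handoff(text):
    """Router that delivers to the destination, or None if it was not reached."""
    target, hops = parse(text)
    if hops[-1][2] != target[1] or len(hops) < 2:
        return None
    return hops[-2][1], hops[-2][2]


if __name__ == "__main__":
    print(carriers(TRACE))
    print(handoff(TRACE))
```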

Fluffy The Unstable

Oct 15, 1998, 3:00:00 AM
On 15 Oct 1998, John Payne wrote:

> >(oh, and John, you might want to fix your space, you look dangerously
> >close to throttling again; no need to thank me, the Cabal pays me well to
>
> Look, its not my fault INN won't handle my 2Gb history :-(

It isn't? I'd say it is. Our INN had no problems when our history was
something like 3 and a half gigs or so, I didn't really pay attention to
the size and wouldn't have noted other than I happened to `ls' that
directory for no particular reason.

On the other hand, you're running 2.1 while we're still running 1.5 with a
few hacks, so I'm not sure if I'm ready to take the plunge with 2.1 yet
from all the peers I've seen with problems.

Note that by default, 1.5 would have problems with 1GB history files, as
Mike Hucka discovered, and a simple one-line fix with pretty much all OSen
was enough to increase the limit to 2GB, if I recall ancient history
properly.

On the other hand, if I remember, I proposed a fix for OSen with 64-bit
support which I suspect I am using (ugh, I'd have to dig around in the
dregs of the source to verify) that will successfully extend the text file
size into the terabytes, although I'm not sure if the database file code
will allow them to scale correspondingly.

Anyway, the fact remains: our INN didn't have any complaints, much less
throttling, with a history text file larger than 3 gigs, so I guess we
know who wins this DSW round.

telnet: Unable to connect to remote host: Connection refused
Unfortunately, I can't inject any gratuitous insults about your OS of
choice here, but I have my suspicions, and you have my condolences.


barry ``3 gigs ain't enuf'' bouwsma, tele danmark internet


John Payne

Oct 15, 1998, 3:00:00 AM
On Thu, 15 Oct 1998 20:50:41 +0200, Fluffy The Unstable <bo...@newsmangler.inet.tele.dk> wrote:
>On 15 Oct 1998, John Payne wrote:
>> Look, its not my fault INN won't handle my 2Gb history :-(
>On the other hand, if I remember, I proposed a fix for OSen with 64-bit
>support which I suspect I am using (ugh, I'd have to dig around in the
>dregs of the source to verify) that will successfully extend the text file
>size into the terabytes, although I'm not sure if the database file code
>will allow them to scale correspondingly.

I suspect you are... now if I was a fulltime news bastard I'd ask
you for the hacks (or wait to see if the rumours of other open64
support I heard yesterday materialise).... however, I'm running
short on time nowadays :-(

>Anyway, the fact remains: our INN didn't have any complaints, much less
>throttling, with a history text file larger than 3 gigs, so I guess we
>know who wins this DSW round.

Yep, no contest really ;-)

>telnet: Unable to connect to remote host: Connection refused

That one managed to confuse our security scans for a while ;-)

>Unfortunately, I can't inject any gratuitous insults about your OS of
>choice here, but I have my suspicions, and you have my condolences.

Not a difficult guess, I thought you already knew? (I haven't changed
OS)

Aesop

Oct 15, 1998, 3:00:00 AM
jayd...@geocities.com (JayDee) wrote:
-
-Rebecca Ore <rebec...@op.net> wrote:
-
->l...@home.se (LMNilsson ==>) writes:
->
->> buch...@cybernex.net (Lysander Spooner)
->> said the below on Wed, 14 Oct 1998 21:33:20 GMT:
->>
->> > tits, boobs, lez, lesbian, fuck, fucking, gay, xxx, hardcore,
->> > softcore, teens, teen
->> > http://206.58.218.55:80/Themes/Default/
->>
->>
->> Thank you for recommending a *great* pornsite i nanau, Rick!
->> Big tits, young blondes, go there, tell 'em who sent yer.
->>
-> If we can't recommend great pornsites in
-> news.admin.net-abuse.usenet, then where can we mention them?
-
-at the laundromat, of course
-
-yer such a silly...
-

JayDee wants to bop you Rebecca--it might do you some good you
know.

Steve
news.admin.censorship

David Ritz

Oct 15, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 14 Oct 1998 12:31:46 -0700, David Ritz went into a trance and prophesied, thusly:

{{{{{chomp}}}}}

: Now, much to my amazement, the finger daemon at pdxfiber.net is up
: and proving all sorts of interesting information. (The daemons at
: NEWS.pdxfiber.net, *hostcomm.net and *poshnet.com are still down.
: I'm ready to lay odds that the daemon at pdxfiber.net will also be
: offline, shortly after this message appears.)
:
: ]usr10# f ro...@pdxfiber.net
: ][pdxfiber.net]
: ]Login: root Name: root
: ]Directory: /root Shell: /bin/bash
: ]Last login Tue Oct 13 17:44 (PDT) on ttyp2 from rob.empire2.com:0.0
: ]Mail last read Fri Sep 4 10:30 1998 (PDT)
: ]No Plan.

{{{{{chomp}}}}}

Since I was feeling quite psychic (or is that "psycho"?), when I
predicted the PDXFiber finger daemon would take a dive, shortly
after the quoted article appeared, I wanted to see just how long
it would take.

Every once in a while, I would remember to check. After running
each finger query, I added a Date stamp, graciously provided by
PDXFiber. ([206.58.33.211]'s clock is about three minutes fast.
[206.58.33.212] is about one and a half minutes fast.)

- ----=---- -

usr10# f ro...@pdxfiber.net
[pdxfiber.net]
Login: root Name: root
Directory: /root Shell: /bin/bash
Last login Tue Oct 13 17:44 (PDT) on ttyp2 from rob.empire2.com:0.0
Mail last read Fri Sep 4 10:30 1998 (PDT)
No Plan.

usr10# telnet pdxfiber.net smtp
Trying 206.58.33.211...
Connected to pdxfiber.net.


Escape character is '^]'.

220 ns1.pdxfiber.net ESMTP Sendmail 8.8.7/8.8.7; Wed, 14 Oct 1998 13:01:02 -0700
quit
221 ns1.pdxfiber.net closing connection
Connection closed by foreign host.

- ----=---- -

usr10# f ro...@pdxfiber.net
[pdxfiber.net]
Login: root Name: root
Directory: /root Shell: /bin/bash
Last login Tue Oct 13 17:44 (PDT) on ttyp2 from rob.empire2.com:0.0
Mail last read Fri Sep 4 10:30 1998 (PDT)
No Plan.

usr10# telnet pdxfiber.net 25
Trying 206.58.33.211...
Connected to pdxfiber.net.


Escape character is '^]'.

220 ns1.pdxfiber.net ESMTP Sendmail 8.8.7/8.8.7; Wed, 14 Oct 1998 16:06:25 -0700
quit
221 ns1.pdxfiber.net closing connection
Connection closed by foreign host.

- ----=---- -

usr10# f ro...@pdxfiber.net
[pdxfiber.net]
finger: connect 206.58.33.211: Connection refused
usr10# telnet mail.pdxfiber.net 25

Trying 206.58.33.212...
Connected to mail.pdxfiber.net.


Escape character is '^]'.

220 news.pdxfiber.net ESMTP Sendmail 8.8.7/8.8.7; Wed, 14 Oct 1998 17:13:23 -0700
quit
221 news.pdxfiber.net closing connection
Connection closed by foreign host.

- ----=---- -

"Sean" must have lost interest in the thread. It took between
03:35 and 04:42 for my prophecy to be fulfilled.

--
David Ritz <dr...@primenet.com> Finger for PGP Public Keys
Fight against spam & spammers. http://spam.abuse.net
Outlaw Junk Email. ++++++ Join CAUCE ++++++ http://www.cauce.org
** Be kind to animals. - Kiss a shark. **
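The interval quoted in the post above follows from the SMTP banner dates used as timestamps. The following is an added example, not part of the original thread: it pairs each finger result with the banner that follows it and brackets the shutdown between the last "up" and the first "refused" observation, measured from the Date of the quoted article. The transcript is condensed from the sessions in the post, the function names are hypothetical, and the skew table encodes the clock errors the post estimates for the two hosts.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Date of the quoted article that published the finger output (from the post).
POSTED = parsedate_to_datetime("Wed, 14 Oct 1998 12:31:46 -0700")

# Seconds each answering host's clock runs fast, as estimated in the post
# (206.58.33.211 answers as ns1, 206.58.33.212 answers as news).
SKEW = {"ns1.pdxfiber.net": 180, "news.pdxfiber.net": 90}

# Condensed from the three sessions in the post; addresses kept as shown there.
TRANSCRIPT = """\
usr10# f ro...@pdxfiber.net
[pdxfiber.net]
Login: root Name: root
usr10# telnet pdxfiber.net smtp
220 ns1.pdxfiber.net ESMTP Sendmail 8.8.7/8.8.7; Wed, 14 Oct 1998 13:01:02 -0700
usr10# f ro...@pdxfiber.net
[pdxfiber.net]
Login: root Name: root
usr10# telnet pdxfiber.net 25
220 ns1.pdxfiber.net ESMTP Sendmail 8.8.7/8.8.7; Wed, 14 Oct 1998 16:06:25 -0700
usr10# f ro...@pdxfiber.net
[pdxfiber.net]
finger: connect 206.58.33.211: Connection refused
usr10# telnet mail.pdxfiber.net 25
220 news.pdxfiber.net ESMTP Sendmail 8.8.7/8.8.7; Wed, 14 Oct 1998 17:13:23 -0700
"""

BANNER = re.compile(r"^220 (\S+) .*?; (.+)$")


def observations(text):
    """Pair every finger result with the banner timestamp that follows it.

    Returns a list of (state, banner_time, skew_corrected_time).
    """
    out, state = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Login:"):
            state = "up"
        elif line.startswith("finger:") and "refused" in line:
            state = "down"
        m = BANNER.match(line)
        if m and state:
            host, stamp = m.groups()
            seen = parsedate_to_datetime(stamp)
            fixed = seen - timedelta(seconds=SKEW.get(host, 0))
            out.append((state, seen, fixed))
            state = None  # one banner stamps one finger result
    return out


def window(obs, corrected=False):
    """Elapsed time since POSTED for the last 'up' and the first 'down'."""
    idx = 2 if corrected else 1
    ups = [o[idx] for o in obs if o[0] == "up"]
    downs = [o[idx] for o in obs if o[0] == "down"]
    if not ups or not downs:
        raise ValueError("need at least one 'up' and one 'down' observation")
    last_up, first_down = max(ups), min(downs)
    if first_down <= last_up:
        raise ValueError("service came back up; a single window does not apply")
    return last_up - POSTED, first_down - POSTED


if __name__ == "__main__":
    obs = observations(TRANSCRIPT)
    print("as stamped:    ", *window(obs))
    print("skew corrected:", *window(obs, corrected=True))
```

The uncorrected bounds round to the 03:35 and 04:42 given in the post; applying the stated clock errors moves each bound earlier by the corresponding skew.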




Rebecca Ore

Oct 15, 1998, 3:00:00 AM
ae...@fables.net (Aesop) writes:

JayDee, I *leave* my clothes at the laundry and pick them up
later.

Steve, I thought your exchanges with Fluffy were quite amusing, by
the way, and though I confess to being one with advance
knowledge, I had not realized the full deliciousness of using
a name like yours.

Just so long as it's not the boursy at alt (dot) net filter
(no, I wouldn't even make you spambot bait).

--
Rebecca Ore


Fluffy The Unstable

Oct 16, 1998, 3:00:00 AM
On 15 Oct 1998, John Payne wrote:

> >> Look, its not my fault INN won't handle my 2Gb history :-(
> >On the other hand, if I remember, I proposed a fix for OSen with 64-bit
> >support which I suspect I am using (ugh, I'd have to dig around in the
>
> I suspect you are... now if I was a fulltime news bastard I'd ask
> you for the hacks (or wait to see if the rumours of other open64

And not because I'm feeling generous, mind you, I went ahead and dug
around to see if I could find the hacks, in the process slightly
refreshing my memory of the situation, where it was either expire or the
makehistory step which was failing, I think.

Unfortunately I could not find any evidence here whatsoever of changes on
one machine to better support large text files, and the other machine has
virtually a complete history rewrite, somewhere between the dbz v3.2 that
is standard with 1.5 and whatever is being used nowadays in 2.1.

My fear is that the hack was applied to the other news swerver in Zrbj
which was shut down, and so is lost along with all the other hackery and
bugfixes applied only to that machine.

Typically one sees a 1GB limit when signed longs are used; replacing them
with unsigned longs increases the limit to 2GB, except on OSen where a
long is already 64 bits. Other OSen need to make use of their own 64 bit
long long or whatever they have.

Unfortunately, there's no unique standard for a universal substitution one
can make to get 64-bit support for 3G history files in, say, the lseek()
function, which can be llseek(), lseek64() (Note: The lseek64 subroutine
applies to AIX Version 4.2 and later releases.) long long, quad, %q,
%dd, %ld, all these things which have to be determined locally and
applied equally locally.


> >Unfortunately, I can't inject any gratuitous insults about your OS of
> >choice here, but I have my suspicions, and you have my condolences.
>
> Not a difficult guess, I thought you already knew? (I haven't changed
> OS)

One can never be too certain, as you might have just set up a second cheap
box to run the newer code while keeping the old reliable stable box up,
and just redirected the name in DNS. Isn't that what our spammers (see
original topic drift) were doing, or something like it? With the
difference being that at least we know what we're doing, or if we don't,
we're not broadcasting bogus routing information to the whole world. At
least, not intentionally. Most of the time. Sometimes. I think. Maybe.

Naturally I see that this code is going to require some serious going-over
in order to make it multi-terabyte-history-file safe, or I'm going to have
to expect to be on call to unwedge it anytime a new article arrives. Ugh.
Sadly, my specific hacks required (to llseek() ) will not be identical to
the lseek64() hacks you need, as I doubt I'd be doing any 2.1-related work
on our AIX box, instead sticking with traditional spool and history due to
the plans I have to add other goodies that are probably quite incompatible
with these major changes without a lot of work.

Oh well.


LMNilsson ==>

Oct 16, 1998, 3:00:00 AM
Rebecca Ore <rebec...@op.net>
said the below on 14 Oct 1998 20:29:14 -0400:

> They get nineteen posts of their own and maybe one of ours
> quoting before the ax goes down. Hey, we're not prudes.

Huh, the 'worst' spamming sites out there remain untouched, they
have become immune, too powerful. No one reads these groups they
spam the most to anyway. However, they get famous the very minute
they're reported here, a far more popular newsgroup than
alt.sex.carpetbanging.
Spam on alt.* is dead as Florence Griffith-Joyner, no one
cares, new no-spam groups are out there, it's a pointless "war".
Pack your bags. Go home.

> Think of it as the Usenet equivalent of the second last
> cigarette.

No, think of it as the cigarette you have after jerking off to
the GREAT sexsites advertized in news.admin.net-abuse.usenet.

Andrew Gierth

Oct 16, 1998, 3:00:00 AM
>>>>> "LMNilsson" == LMNilsson ==> <l...@home.se> writes:

LMNilsson> Huh, the 'worst' spamming sites out there remain
LMNilsson> untouched, they have become immune, too powerful.

And your evidence for this is?

--
Andrew.

Rebecca Ore

Oct 16, 1998, 3:00:00 AM
jayd...@geocities.com (JayDee) writes:

> On 15 Oct 1998 20:23:23 -0400, Rebecca Ore <rebec...@op.net> wrote:
>
> > JayDee, I *leave* my clothes at the laundry and pick them up
> > later.
>
> my stepsister was doing that, at her apartment's laundry room
>
> some creep started mutilating her underwear...
>
> ...sounds a lot like some of the icky Internet shit I've heard-about

I pay $5 to have it guarded and washed.

--
Rebecca Ore
Distractor of Boursy

John the Baptist

Oct 17, 1998, 3:00:00 AM
jayd...@geocities.com (JayDee) wrote:
-
-ae...@fables.net (Aesop) wrote:
-
-> JayDee wants to bop you Rebecca--it might do you some
->good you know.
-
-
-what is it with UseNet, ferchreissakes? caveman-style?

Well in my defense Ms. Ore spends most of her usenet
energies netcopping the porn groups.

-
-kittystyle is a lot nicer, and all-good, even

She's a strong preference for doggystyle.

Steve
news.admin.censorship


Rebecca Ore

Oct 18, 1998, 3:00:00 AM
JayDee wrote:
> I think by that time, I'd move away from the city
>
> I don't do well with the extortion cities demand

Yes, but I drop it off any time before 3 and pick it up any time after 5
or the next day after 8 and I don't have to do it myself and it's all
neatly folded. I hate sitting around laundromats and have paid as much
as $7.50 not to do so.

If I did it myself with sitting around to watch it, it would be $3.75
and my time is more valuable than the $1.75 additional.

We are way off topic by this point. All further discussion in email
(with cc. to Steve so he can keep up).

--
Rebecca Ore

Athena

Oct 18, 1998, 3:00:00 AM
Rebecca Ore <rebec...@op.net> wrote:
-
-sain...@purify.org (John the Baptist) writes:
-
->
-> She's a strong preference for doggystyle.
->
-
- Steve would never know. He thinks sexual harrassment
- is funny.


You certainly are touchy this morning Ms. Ore.

Now we've back and forth many times and you've engaged
in more than your fair share of sexual innuendo and banter (in
fact you started it) but given that you're all in a huff at the moment
let the record show that Ms. Ore is quite correct--I've no idea if
she prefers it doggy style or not and that it's highly unlikely that
I'll ever really find out.

Steve
news.admin.censorship

Rebecca Ore

Oct 18, 1998, 3:00:00 AM

Mr. Boursy! I threatened to *bite* you. If you find that sexually
stimulating, I am ever so sorry.


--
Rebecca Ore

Tim Thorne

Oct 18, 1998, 3:00:00 AM
ath...@fem.gr (Athena) wrote:
>Rebecca Ore <rebec...@op.net> wrote:
[...]

> - Steve would never know. He thinks sexual harrassment
> - is funny.
>
> You certainly are touchy this morning Ms. Ore.
>
> Now we've back and forth many times and you've engaged
>in more than your fair share of sexual inuendo and banter (in
>fact you started it) but given that you're all in a huff at the moment
>let the record show that Ms. Ore is quite correct--I've no idea if
>she prefers it doggy style or not and that it's highly unlikely that
>I'll ever really find out.

Be thankful for small mercies.

-
--------========>>>>>>>Special Forces<<<<<<<========--------
www.users.globalnet.co.uk/~thorne www.hell-flame-wars.org

"Dog eat dog, every day, on our fellow men we prey" Offspring

