From: Mike Dusseault <mi...@bulwark1.ic.gc.ca>
Subject: Threats traced back to Cyber Promotions
Date: 1997/06/23
Message-ID: <33AEA220...@bulwark1.ic.gc.ca>
Organization: The Communications Research Centre
Newsgroups: news.admin.net-abuse.misc
I have received a few emails that have been traced right
back to one of Sanford's systems. One was also routed
through an SMTP server that is wide open at princeton.edu.
I am going to pursue getting them to ID the originating
system of that email.
Here are the messages with full headers, including the
most interesting contents.
And to Sanford Wallace: You are a useless forger. You are
also not impressing me at all. If you think threats from
an idiot like you bother me much, you're mistaken. And
the legal threats are stupid since I am in Canada, and
you are harassing me on Government property. If you think
the Canadian Government will listen to your useless crap,
you need a reality check.
Also note I will be pursuing this however I can.
Without further ado, here are those messages:
--- SOM ---
Received: from bulwark.ic.gc.ca (bulwark.ic.gc.ca [142.53.1.1]) by
jewel.ic.gc.ca (8.7.1/8.7.1) with SMTP id AAA14902 for
<mi...@jewel.ic.gc.ca>; Mon, 23 Jun 1997 00:18:18 -0400
Received: from [142.53.2.241] by bulwark.ic.gc.ca via smtpd (for
jewel.ic.gc.ca [142.53.67.245]) with SMTP; 23 Jun 1997 03:52:33 UT
Received: from bulwark2.ic.gc.ca by strategis.ic.gc.ca;
(5.65v3.2/1.1.8.2/27Jun96-1159AM) id AA14936; Mon, 23 Jun 1997 00:25:41
-0400
Received: from [207.124.161.77] by bulwark2.ic.gc.ca via smtpd (for
[142.53.2.241]) with SMTP; 23 Jun 1997 03:52:32 UT
Received: from unverified source.
X-Note: Visit http://www.cyberpromo.com to read about the bulk email
saga.
Message-Id: <1997062302...@199706230223.WAA08412>
Comments: Authenticated sender is <admin@localhost>
From: "Root" <ro...@root-servers.net>
To: "Postmaster" <postm...@root-servers.net>
Date: Sun, 22 Jun 1997 22:11:03 +0000
X-Distribution: Bulk
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Account Cancellation
Reply-To: postm...@root-servers.net
X-Confirm-Reading-To: postm...@root-servers.net
X-Pmrqc: 1
Return-Receipt-To: postm...@root-servers.net
Priority: urgent
X-Mailer: Pegasus Mail for Win32 (v2.54)
X-Mozilla-Status: 0001
I regret to inform you that, due to your abuse of the Internet, we
have been forced to close your account. Effective Tuesday June,
24th, you will not be able to use the system. Please retrieve all
email you wish to keep by that day. We apologize for the
inconvenience, but feel that this action is necessary. Your name and
address have also been provided to the FBI who is currently
investigating the matter. Expect them to contact you by the end of
the week. We may also take legal action against you. You will
receive a certified letter with further information.
Thanks,
Harold Surreptious
System Administrator
--- EOM ---
--- SOM ---
Received: from bulwark.ic.gc.ca (bulwark.ic.gc.ca [142.53.1.1]) by
jewel.ic.gc.ca (8.7.1/8.7.1) with SMTP id JAA08256 for
<mi...@jewel.ic.gc.ca>; Mon, 23 Jun 1997 09:42:57 -0400
Received: from [142.53.2.241] by bulwark.ic.gc.ca via smtpd (for
jewel.ic.gc.ca [142.53.67.245]) with SMTP; 23 Jun 1997 13:17:06 UT
Received: from bulwark2.ic.gc.ca by strategis.ic.gc.ca;
(5.65v3.2/1.1.8.2/27Jun96-1159AM) id AA29634; Mon, 23 Jun 1997 09:50:21
-0400
Message-Id: <970623135...@strategis.ic.gc.ca>
Received: from pucc.Princeton.EDU ([128.112.129.99]) by
bulwark2.ic.gc.ca via smtpd (for [142.53.2.241]) with SMTP; 23 Jun 1997
13:17:05 UT
Received: from gs by pucc.PRINCETON.EDU (IBM VM SMTP V2R2) with TCP;
Mon, 23 Jun 97 09:37:14 EDT
Comments: Authenticated sender is <admin@localhost>
From: "Root" <ro...@root-servers.net>
To: "Postmaster" <postm...@root-servers.net>
Date: Mon, 23 Jun 1997 09:34:19 +0000
X-Distribution: Bulk
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Thee bluelist
Reply-To: postm...@root-servers.net
Priority: urgent
X-Mailer: Pegasus Mail for Win32 (v2.54)
X-Mozilla-Status: 0001
I can't believe that they haven't fixed this server yet. Oh well,
not my problem.
Note to Lorraine: You're screwed when I find out what your new email
address is.
Note to Beth: You will be screwed later, nonetheless you WILL be
screwed.
Note to everyone else: (hysterical laughter) I WILL LEARN YOU GOOD
FUKERZZZZZ. Next time don't post to the net abuse newsgroups.
--- EOM ---
Forgery analysis:
Both messages originated from the same mail package with the same
version. The authenticated host (useless though it is) remains the
same on both messages (admin@localhost) so again, it's the same
person.
One was received directly from the IP address 207.124.161.77 (nothing
in DNS) which is likely the hacker's system. This was the IP address
that the mail message was received from as told by OUR SMTP server.
Let's see if we can get any hints:
[root@jewel /root]# telnet 207.124.161.77 25
Trying 207.124.161.77...
Connected to 207.124.161.77.
Escape character is '^]'.
220 auto-relay2.cybermirror1.com ESMTP Sendmail 8.8.5/8.7.3; Mon, 23
Jun 1997 11:43:42 -0400 (EDT)
Looking in the InterNIC database:
Cyber Promotions CYBERMIRROR-DOM
8001 Castor Avenue, Suite #127
Philadelphia, PA 19152
USA
Domain Name: CYBERMIRROR1.COM
Administrative Contact, Technical Contact, Zone Contact:
Wallace, Sanford SW1708 dom...@CYBERPROMO.COM
215-628-9780
Billing Contact:
Wallace, Sanford SW1708 dom...@CYBERPROMO.COM
215-628-9780
Record last updated on 25-Apr-97.
Record created on 25-Apr-97.
Database last updated on 23-Jun-97 05:35:18 EDT.
Domain servers in listed order:
NS7.CYBERPROMO.COM 205.199.2.250
NS5.CYBERPROMO.COM 205.199.212.50
NS8.CYBERPROMO.COM 207.124.161.65
NS9.CYBERPROMO.COM 207.124.161.50
So it looks like I've received personal attention from someone
at Cyber Promotions. Likely Sanford Wallace or a lackey.
The second message is a little harder since it was relayed through
pucc.Princeton.EDU ([128.112.129.99]) who apparently have insecure
servers. Let's see:
[root@jewel /root]# telnet pucc.princeton.edu 25
Trying 128.112.129.99...
Connected to pucc.princeton.edu.
Escape character is '^]'.
220 pucc.PRINCETON.EDU running IBM VM SMTP V2R2 on Mon, 23 Jun 97
11:38:07
EDT
HELO blah
250 pucc.PRINCETON.EDU is my domain name.
MAIL FROM:<g...@heaven.com>
250 OK
RCPT TO:<mi...@bulwark1.ic.gc.ca>
250 OK
DATA
354 Enter mail body. End by new line with just a '.'
This is a test of this SMTP server. It looks like it's wide
open. They need to fix this !!!
250 Mail Delivered
QUIT
221 pucc.PRINCETON.EDU running IBM VM SMTP V2R2 closing connection
Connection closed by foreign host.
Indeed I later received that message. They need to fix their servers.
Here's the InterNIC entry:
Princeton University PRINCETON-DOM
Computing and Information Technology
87 Prospect Avenue
Princeton, NJ 08544-2007
Domain Name: PRINCETON.EDU
Administrative Contact:
Varian, Lee C. LCV lva...@PUCC.PRINCETON.EDU
(609) 258-6067 (FAX) (609) 258-3943
Technical Contact, Zone Contact:
Olenick, Peter A. PAO3 pole...@PRINCETON.EDU
1-609-258-6024 (FAX) 1-609-258-3943
Record last updated on 29-Jan-96.
Record created on 03-Apr-87.
Database last updated on 23-Jun-97 05:35:18 EDT.
PRINCETON.EDU 128.112.128.1
NS.CWRU.EDU 129.22.4.1
NISC.JVNC.NET 128.121.50.7
And here's another one that arrived when I was writing this:
--- SOM ---
Received: from bulwark.ic.gc.ca (bulwark.ic.gc.ca [142.53.1.1]) by
jewel.ic.gc.ca (8.7.1/8.7.1) with SMTP id LAA08670 for <mi...@jewel.ic.gc.ca>;
Mon, 23 Jun 1997 11:41:40 -0400
Received: from [142.53.2.241] by bulwark.ic.gc.ca via smtpd (for
jewel.ic.gc.ca [142.53.67.245]) with SMTP; 23 Jun 1997 15:15:49 UT
Received: from bulwark2.ic.gc.ca by strategis.ic.gc.ca;
(5.65v3.2/1.1.8.2/27Jun96-1159AM) id AA18470; Mon, 23 Jun 1997 11:49:06 -0400
Received: from [207.124.161.77] by bulwark2.ic.gc.ca via smtpd (for
[142.53.2.241]) with SMTP; 23 Jun 1997 15:15:48 UT
Received: from unverified source.
X-Note: Visit http://www.cyberpromo.com to read about the bulk email
saga.
Message-Id: <1997062313...@199706231355.JAA17214>
Comments: Authenticated sender is <admin@localhost>
From: "Root" <ro...@root-servers.net>
To: "Postmaster" <postm...@root-servers.net>
Date: Mon, 23 Jun 1997 09:43:26 +0000
X-Distribution: Bulk
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Lawsuit
Reply-To: postm...@root-servers.net
X-Confirm-Reading-To: postm...@root-servers.net
X-Pmrqc: 1
Return-Receipt-To: postm...@root-servers.net
Priority: urgent
X-Mailer: Pegasus Mail for Win32 (v2.54)
X-Mozilla-Status: 0001
Hi, I'm Bob from the legal department. I understand that you have
been attacking our servers. I would like to let you know that we
will be taking legal action. You will receive more information by
certified letter. We plan on suing you for no more than 30,000
dollars so don't worry too much. Maybe we can settle out of court?
How about that? I think we would be willing to take $10,000.
Thanks,
Bob
--- EOM ---
Note that this one attempts blackmail.
Also note that I've never attacked their servers. I refuse
to lower myself to Sanford's level.
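Added example (not part of the original post): a small Python script that does the forgery analysis above mechanically. It walks the Received headers of the first two quoted messages from newest to oldest, trusts only the hops written by the recipient's own MTAs (jewel, bulwark, strategis and bulwark2, an assumption read off the quoted headers), reports the peer those servers actually accepted the mail from, and lists the unverifiable hops below that point: the "unverified source" line in the first message, and the "from gs" claim written by the Princeton relay in the second. It also compares the X-Mailer, Comments, From and Reply-To headers the analysis uses to tie the messages to one sender. The two sample messages are trimmed copies of the headers quoted above with the bodies removed.

```python
import re
from email import message_from_string

# Assumption: MTAs run by the recipient's own organisation, read off the
# quoted headers. Only Received lines written *by* these hosts are trusted.
OUR_MTAS = {"jewel.ic.gc.ca", "bulwark.ic.gc.ca",
            "strategis.ic.gc.ca", "bulwark2.ic.gc.ca"}

# Headers the forgery analysis compares to link the messages to one sender.
FINGERPRINT_HEADERS = ("X-Mailer", "Comments", "From", "Reply-To")

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Sample input: headers of the first two quoted messages, bodies dropped.
MSG1 = """\
Received: from bulwark.ic.gc.ca (bulwark.ic.gc.ca [142.53.1.1]) by
  jewel.ic.gc.ca (8.7.1/8.7.1) with SMTP id AAA14902 for
  <mi...@jewel.ic.gc.ca>; Mon, 23 Jun 1997 00:18:18 -0400
Received: from [142.53.2.241] by bulwark.ic.gc.ca via smtpd (for
  jewel.ic.gc.ca [142.53.67.245]) with SMTP; 23 Jun 1997 03:52:33 UT
Received: from bulwark2.ic.gc.ca by strategis.ic.gc.ca;
  (5.65v3.2/1.1.8.2/27Jun96-1159AM) id AA14936; Mon, 23 Jun 1997 00:25:41 -0400
Received: from [207.124.161.77] by bulwark2.ic.gc.ca via smtpd (for
  [142.53.2.241]) with SMTP; 23 Jun 1997 03:52:32 UT
Received: from unverified source.
Comments: Authenticated sender is <admin@localhost>
From: "Root" <ro...@root-servers.net>
Reply-To: postm...@root-servers.net
X-Mailer: Pegasus Mail for Win32 (v2.54)

(body omitted)
"""

MSG2 = """\
Received: from bulwark.ic.gc.ca (bulwark.ic.gc.ca [142.53.1.1]) by
  jewel.ic.gc.ca (8.7.1/8.7.1) with SMTP id JAA08256 for
  <mi...@jewel.ic.gc.ca>; Mon, 23 Jun 1997 09:42:57 -0400
Received: from [142.53.2.241] by bulwark.ic.gc.ca via smtpd (for
  jewel.ic.gc.ca [142.53.67.245]) with SMTP; 23 Jun 1997 13:17:06 UT
Received: from bulwark2.ic.gc.ca by strategis.ic.gc.ca;
  (5.65v3.2/1.1.8.2/27Jun96-1159AM) id AA29634; Mon, 23 Jun 1997 09:50:21 -0400
Received: from pucc.Princeton.EDU ([128.112.129.99]) by
  bulwark2.ic.gc.ca via smtpd (for [142.53.2.241]) with SMTP; 23 Jun 1997
  13:17:05 UT
Received: from gs by pucc.PRINCETON.EDU (IBM VM SMTP V2R2) with TCP;
  Mon, 23 Jun 97 09:37:14 EDT
Comments: Authenticated sender is <admin@localhost>
From: "Root" <ro...@root-servers.net>
Reply-To: postm...@root-servers.net
X-Mailer: Pegasus Mail for Win32 (v2.54)

(body omitted)
"""


def parse_received(value):
    """Split one Received header into (from_host, from_ip, by_host)."""
    value = " ".join(value.split())            # unfold continuation lines
    m_from = FROM_RE.match(value)
    m_by = BY_RE.search(value)
    from_host = m_from.group(1) if m_from else None
    # Look for the peer address only in the part before "by ..."
    head = value[:m_by.start()] if m_by else value
    m_ip = IPV4_RE.search(head)
    from_ip = m_ip.group(1) if m_ip else None
    by_host = m_by.group(1).rstrip(";").lower() if m_by else None
    return from_host, from_ip, by_host


def trace_origin(raw_message, our_mtas=OUR_MTAS):
    """Walk Received headers newest-first and find where the mail entered our network."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    entry_host = entry_ip = None
    untrusted_claims = []
    for idx, (from_host, from_ip, by_host) in enumerate(hops):
        if by_host in our_mtas:
            # Still inside our own infrastructure: this hop's "from" is the
            # peer one of our servers really talked to.
            entry_host, entry_ip = from_host, from_ip
        else:
            # Written by hosts we do not control: the sender can put anything here.
            untrusted_claims = [h[0] for h in hops[idx:]]
            break
    return {"entry_host": entry_host, "entry_ip": entry_ip,
            "untrusted_claims": untrusted_claims}


def shared_fingerprint(raw_a, raw_b):
    """Fingerprint headers that are identical in both messages."""
    a = message_from_string(raw_a)
    b = message_from_string(raw_b)
    return sorted(h for h in FINGERPRINT_HEADERS
                  if a.get(h) is not None and a.get(h) == b.get(h))


if __name__ == "__main__":
    for name, raw in (("message 1", MSG1), ("message 2", MSG2)):
        print(name, trace_origin(raw))
    print("shared fingerprint:", shared_fingerprint(MSG1, MSG2))
```

The point of the walk is the one the post makes by hand: a Received line is only worth anything if you trust the server that wrote it. For the first message the last trusted hop says bulwark2 took the mail from 207.124.161.77 and the line below it ("unverified source") was supplied by the sender; for the second, our perimeter only ever spoke to pucc.Princeton.EDU, and the "from gs" line is whatever the open relay chose to record.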