Thanks.
We are pretty positive that this email was not sent by the makers of the
TDS program, it is very unlike the TDS people to send a spam like this,
and is highly unlikely that they did.
At this time we are unsure as to who sent the actual email, but are
positive that the email was sent out to make the makers of TDS look bad.
Accusations have been made but no confirmations on them. I would rather
not have this debate continue in these newsgroups because of the trouble
that it has caused.
--
Kelly Adams
Gibson Research Corporation
Please Note: These words and opinions are my own, and unless otherwise
noted, are not of Gibson Research Corporation or Steve Gibson.
It's not provable.
> why it isn't actually 'Wayne / DiamondCD' who is responsible,
Well, they simply didn't send it.
> and what would be a good address to complain to? I don't want
> to accidentally participate in complaints due to a joe-job...
No-one as yet, I'm afraid. If a useful complaint address gets
discovered, they'll get lots of 'em. I should just bin it unless you're
really interested (in which case lurk for a while).
--
Milly
> It is being looked at and here is a link that might be helpful. Then
> again probably not. In my opinion, looks like a joe job to me.
>
> http://groups.google.com/groups?q=tds.diamondcs.com.au&hl=en&lr=&safe=
> off&site=groups <---paste the broke link together. Gravity, grr...
Try a ">" immediately followed by a return immediately followed by the
url with no intervening spaces (with thanks to Abujamal).
Let's see:-
>
http://groups.google.com/groups?q=tds.diamondcs.com.au&hl=en&lr=&safe=of
f&site=groups
--
Milly
You mean you posted with Netscape, right? It reads, unbroken, with
Gravity. But not when I post that way with Gravity. Gravity, grrr.
--
Milly
Thanx!
>
http://groups.google.com/groups?q=tds.diamondcs.com.au&hl=en&lr=&safe=off&site=groups
But using Gravity, not Netscape. Let's see ...
> Milly
was-salaam,
abujamal
--
PCHelpers: Putting the "Personal" into "Personal Computers"
and closing the door on the tyranny of ignorance.
PCHelpers International: http://www.pchelpers.org/
news://news.pchelponline.org mailto:pche...@pchelpers.org
Here are the three headers I received -- the first full, the next two
only lines that differ substantially:
Status: U
Return-Path: <T...@ns.itochu.co.in>
Received: from zcarmag.com ([216.122.137.181]) by emu (EarthLink SMTP
Server) with ESMTP id te8p4k.ai3.37tiu8v.1 for <mus...@earthlink.net>;
Mon, 23 Apr 2001 10:21:24 -0700 (PDT)
Received: from ns.itochu.co.in (TDS@[206.103.13.51]) by zcarmag.com
(8.9.3/8.9.3) with SMTP id KAA25805 for <abuj...@pchelpers.org>; Mon, 23
Apr 2001 10:21:19 -0700 (PDT)
From: T...@ns.itochu.co.in
Received: (from TDS@localhost) by ns.itochu.co.in (8.6.12/8.6.9) id
VAA31509 for abuj...@pchelpers.org; Mon, 23 Apr 2001 21:05:20 +0500
Date: Mon, 23 Apr 2001 21:05:20 +0500
Message-Id: <2001042316...@ns.itochu.co.in>
Reply-to: From:To:abuj...@pchelpers.org
Subject: Urgent we need your help.
Apparently-To: abuj...@pchelpers.org
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: te8p4k.ai3.37tiu8v.1.0
Received: from ns.itochu.co.in (TDS@[206.103.13.51]) by zcarmag.com
(8.9.3/8.9.3) with SMTP id LAA08574 for <abuj...@pchelpers.org>; Mon, 23
Apr 2001 11:00:32 -0700 (PDT)
Received: from ns.itochu.co.in (TDS@[206.103.13.51]) by zcarmag.com
(8.9.3/8.9.3) with SMTP id LAA00984 for <abuj...@pchelpers.org>; Mon, 23
Apr 2001 11:29:08 -0700 (PDT)
... the rest differing only in time and mid.
>> Received: from [206.103.13.51] by hotmail.com (3.2)
>> with ESMTP id MHotMailBCADB30F0066400431D5CE670D3307740;
>> Mon Apr 23 10:36:19 2001
Same thing, but note the "Reply-to:" header here ...
>> Reply-to: From:To:bar...@hotmail.com
> Let's dissect it, shall we?
>> Received: from [206.103.13.51] by hotmail.com (3.2)
> This is the last stop of the message just prior to reaching its
> recipient's mailbox. It shows date and time, a unique ID generated
> by a server, and the IP address of the machine that sent the message.
Same IP address.
> Unfortunately, it looks to me like a misconfigured server that allows
> relays and does not report the source IP. Therefore the trail ends
> here. Either the spammer was at 206.103.13.51 or he was at an address
> we cannot know from the information at hand, and I consider the latter
> the more likely.
This is being discussed in grc.news.feedback, where Hermital had this
to say:
> Well, BarkerJr is a regular over there at NANAS, so he should know that
> the headers have been verified as falsified by the NANAS staff.
... and this was posted as well:
> Subject: Re: Spammers *Like* GRC (looks like a very targeted "JoeJob" )
> Date: Mon, 23 Apr 2001 20:23:25 -0700
> From: "R. Asby Dragon" <ube_...@yahoo.com>
> Reply-To: "R. Asby Dragon" <ube_...@yahoo.com>
> Newsgroups: grc.news.feedback
> References: <G1sYRoFz...@colossus.SMG>
>
> As an 'oldetymer' in NANAS/NANAE (and a SPAM-L listmember as well )
> who got TWO of these turds today on my Yahoo (Usenet response)
> account....
>
> This was a well-engineered "joejob" using an open relay :
> 206.103.13.51 is in the radparker relayed spam system
> (relays.mail-abuse.org) (RSS)
>
> I was almost ready to do "standard LART" routine 'on autopilot'
> until it dawned on me :
> Something stinks here!! This looks like some of the stupid spammer
> retribution tricks that have been done to *me* !!
>
> Not sure if this was directly done by Michael Paris; but this is
> definitely something that Keith should use in the legal actions!!
>
> I'm going to contact a certain Indiacentric admin who's known to
> pack a heavy mallet to see what he can get out of the clues-deprived
> folks running itochu.co.in .
So perhaps there will be more information later.
> All in all, I consider it a 100% probability that this email was sent by
> an experienced, probably professional, spammer. He had to possess tools
> used to produce forged emails; and/or he had to know how to forge
> headers; and/or he had to know how to find open relays and use them.
> The fact that a professional was engaged in this profitless enterprise,
> clearly done solely for the purpose of causing harm to Wayne/TDS, and
> perhaps to GRC, is in my opinion very significant.
> Spammers keep carefully-secret lists of open mail servers such as the
> one utilized here, BTW. They are not common anymore, and to illegal
> spammers they are very valuable, because their abuser is almost totally
> untraceable. To USE them, however, is usually to EXPEND them because
> their existence is advertised by the very act of use; resulting most
> often in action to correct the problem, either by the owner of the
> abused server, or by those most affected by that abuse.
> I poked around a bit at the machine in question, BTW. It's running a
> lot of services, some on very odd ports. It could be an "owned" machine
> on which the spammer set up his own mail relay, or he may have
> mal-configured an existing server.
> So. Not only was an experienced spam-artist engaged, but he might also
> be a reasonably accomplished cracker. If he's not a cracker, he
> squandered a very precious asset on the project.
> Based on indications that the mail went to a huge recipient list, it
> seems certain that the spammer had to spend several hours on the job.
> Why expend such effort and resources? I can't pretend to know for sure.
> But I consider it worthy of thought.
LOL! ROFL! Nice analysis. Gee ... wonder who Wayne managed to
annoy? Duuh.
> pchelp
<http://groups.google.com/groups?q=tds.diamondcs.com.au&hl=en&lr=&safe=off&site=groups>
--
_____________________________________________________________________
_ __ __ Remember the Legend - Dale Earnhardt
| ' \/ _|
|_|_|_\__| http://pchelpers.org/
--+ The only constant in the universe is change +--
<<==-- Drain the WATER from my email to reply --==>>
Yep, that's my usual method too. And when you use Netscape to do it, it
appears unbroken in Gravity,
But when I do it in Gravity ...
... it appears broken in Gravity.
Gravity, grrr ... - this is off-topic ;), I'm done!
--
Milly
(Snipped the rest)
As a very amateur, occasional poster to GRC, I was surprised that my address
had also been harvested by this spammer.
If it's of any use to anyone, the following are the headers on the message I
received:
X-Envelope-Sender: T...@ns.itochu.co.in
Return-Path: <T...@ns.itochu.co.in>
Received: from mx2.lineone.net (mx2.lineone.net [194.75.152.209])
by shaggy.lineone.net (8.10.2/8.8.8) with ESMTP id f3NKplH05204
for <tpa...@lineone.net>; Mon, 23 Apr 2001 21:51:47 +0100 (BST)
Received: from ns.itochu.co.in ([206.103.13.51])
by mx2.lineone.net (8.10.2/8.9.3) with SMTP id f3NKnfT07168
for <tpa...@lineone.net>; Mon, 23 Apr 2001 21:49:41 +0100 (BST)
Received: (from TDS@localhost) by ns.itochu.co.in (8.6.12/8.6.9) id AAA16449
for tpa...@lineone.net; Tue, 24 Apr 2001 00:35:51 +0500
Date: Tue, 24 Apr 2001 00:35:51 +0500
From: T...@ns.itochu.co.in
Message-Id: <2001042319...@ns.itochu.co.in>
Reply-to: From:To:tpa...@lineone.net
Subject: Urgent we need your help.
Apparently-To: tpa...@lineone.net
X-UIDL: 0cce054c4f4513c39aaef85b6dd0f02b
Urgent we need your help.
(snipped the rest which you already know)
Tony.P
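Added example, not part of any post in this thread: a Python sketch of the header reading done above, which walks the Received chain down from the recipient's mailbox, stops at the last line stamped by a server the recipient trusts, and reports the peer IP that server logged. The sample is constructed from the headers posted here with placeholder local parts and queue ids, and treating the two lineone.net hosts as the trusted boundary is an assumption.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers posted in this thread. Local parts
# and queue ids are placeholders; host names and IPs are those quoted above.
SAMPLE = (
    "Received: from mx2.lineone.net (mx2.lineone.net [194.75.152.209])\n"
    "\tby shaggy.lineone.net (8.10.2/8.8.8) with ESMTP id QUEUEID1\n"
    "\tfor <user@example.net>; Mon, 23 Apr 2001 21:51:47 +0100 (BST)\n"
    "Received: from ns.itochu.co.in ([206.103.13.51])\n"
    "\tby mx2.lineone.net (8.10.2/8.9.3) with SMTP id QUEUEID2\n"
    "\tfor <user@example.net>; Mon, 23 Apr 2001 21:49:41 +0100 (BST)\n"
    "Received: (from TDS@localhost) by ns.itochu.co.in (8.6.12/8.6.9) id QUEUEID3\n"
    "\tfor user@example.net; Tue, 24 Apr 2001 00:35:51 +0500\n"
    "From: placeholder@ns.itochu.co.in\n"
    "Subject: Urgent we need your help.\n"
    "\n"
    "(body omitted)\n"
)

# "from <claimed name> (<what the receiver saw>) by <receiving host>"
HOP = re.compile(r"(?:from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+)?by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Parse Received headers, newest first, into dicts with by, helo, ip."""
    chain = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        ip = IPV4.search(m.group("peer") or "")
        chain.append({"by": m.group("by"), "helo": m.group("helo"),
                      "ip": ip.group(1) if ip else None})
    return chain

def handoff(raw, trusted):
    """Return (deepest trusted hop, hops below it that cannot be verified)."""
    chain = received_chain(raw)
    depth = 0
    # Headers are prepended, so trusted servers' lines sit at the top.
    while depth < len(chain) and chain[depth]["by"] in trusted:
        depth += 1
    if depth == 0:
        return None, chain  # nothing in the chain was stamped by a trusted host
    return chain[depth - 1], chain[depth:]
```

The hop returned first carries the only address worth acting on; every line in the second list was written by the sending side and carries no evidential weight.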
Tony,
That is a forgery. Wayne did not send it.
http://www.diamondcs.com.au/antispam.htm
--
«
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm