|Frames||Modems||Help||Home Page||Chipsets||Search||No Frames|
|Diary Entries||See also Site Info & Diary.|
|14 March 2004||It`s not me spamming you, honest...|
Nor sending you a virus... Last Tuesday Commission Junction (a useless advertising company now owned by ValueClick) sent me a virus (the WORM_BAGLE.GEN-1) which purported to come from myself! (my reply to them at bottom). The email address used had only been released to themselves. It took 7 emails & 3 national-rate telephone calls before someone would even pay attention, so I doubt that action will follow very swiftly. If I ever get some time I`ll set out their sorry advertising story (hundreds of thousands of web page-impressions, thousands of clicks, no payment - avoid them) but for now let`s concentrate on spam.
Came to download my email on Friday afternoon & discovered several thousand messages waiting for me on modem-help.freeserve.co.uk, and even more on modem-help.co.uk. Most were “message failed” auto-return from mail daemons across the known universe. Both domains (strictly a sub-domain with Freeserve) leaked from the internet onto spammers’ mailing lists some time ago, and I have been receiving spam + virii addressed to ‘firstname.lastname@example.org’ and ‘email@example.com’ for years & years. All a waste of their time - every one is deleted at the pop-server without being read (see POP3 Scan Mailbox for an easy way to do this yourself).
In the last few months a new feature appeared: spam emails to completely invented email addresses: ‘firstname.lastname@example.org’, ‘email@example.com’, and so on. This made no difference to myself, as my system is set to only download specific email addresses, and all these invented email addresses were deleted from the server just like all the others. Then came last Friday...
The spammers have discovered that they can put anything that they like as a username in front of the domain part of a Freeserve email address, and it will be a valid address. They have used this knowledge to forge unique, false, return-addresses for their spam emails. A return address which comes to me. And they have many bad addresses within their mass-mailing lists. Each one of which is returning to me. You may well have been affected by this spam but, believe me, not as bad as I have. My Freeserve email address is now completely unusable, and Freeserve, of course, just put the phone down on me.
21 March update: UKLinux finally woke up & set my modem-help.co.uk mail account so that all emails on this account are rejected (“A message that you sent could not be delivered to one or more of its recipients. This is a permanent error”). Problems with that account have now vapourised. Freeserve did not bother to get back to me, in spite of their promises. Nevertheless, the mailbox filled up on Thursday, Mar 18 2004, 10:36 PM at 26,780 emails (this MHT screen shot was taken on Sunday) and emails are now rejected (“5.2.2 Over quota”). You know, in the jungle it is the fit that survive, and there is no doubt that Freeserve are indolent. This is not the same as being fit.
16 March update: As quickly as it started, the spam returns stopped yesterday (Monday). Evidently the spam is mailed across the weekend--a good call, I think, as all the server staff go home early on Friday. Mark George (see below) replied immediately he got in on Monday - he deals with DNS for the company & cannot help, but suggested mailing firstname.lastname@example.org (duly done).
I was left with 11,700+ emails (just 24 hours worth, a previous 23,000 having already been removed) in the Freeserve POP3 server, which is now 1/3 full. It took about 20 minutes just to download the mail headers; this was on 576 kbps Broadband, but the Freeserve server is much slower than my own. My mail program is written in an old version of Visual Basic, and even on a 2 Gig machine, by the time it had found & marked the messages for deletion the Freeserve server had timed out & cut the connection.
Next, I tried telnet. The idea is:
The problem is that Freeserve has recently (still in the Google cache) removed it’s non-standard “xdele” command from the server. With xdele I could type ‘xdele 1 11700’. Without it I am expected to type ‘dele 1’, ‘dele 2’ (etc.) 11,700 times!
Next, I tried mail2web, which is what Freeserve recommends. I was quite tempted to press the “List all messages” link, but chose “Delete all messages” instead. After confirmation + a long timeout, this gave “Error : Access denied. Please re-logon.”. 3 times.
I flirted with FSMail (top right on the Freeserve Home Page) for a little while, but this can only delete 20 at a time & is useless. So, my Freeserve email account is finished.
The way that Freeserve is set up (for .freeserve.co.uk, .fsnet.co.uk, etc.), it will deposit in the sub-domain mailbox any email that arrives with the domain-part of the email address set to the Freeserve sub-domain. Perhaps I had better define some terms first, for those that do not know:
For an internet FQDN--Fully Qualified Domain Name--address, such as www.modem-help.co.uk:
Confusingly, “www.modem-help.co.uk” is also referred to as the hostname.
For an email address, such as email@example.com:
You can find more info about these two from the DNS Resource Directory; DNS--Domain Name Service--is what links FQDNs & IP-addresses together.
For a Freeserve account such as modem-help.freeserve.co.uk:
I signed up to Freeserve--with a username of modem-help--back in November 1998, and currently also obtain my Broadband connection via Freeserve. I thus have free webspace at www.modem-help.freeserve.co.uk (it is used to provide some free downloads - see the Links page). I also have an email address, which is firstname.lastname@example.org. This address was previously used to receive messages from users of this site (below) but now--sorry--I cannot receive them.
In desperation I have sent an email to Mark George (the highly-efficient hostmaster for Freeserve, see below) but I doubt that even he will be able to assist. Even worse, UKLinux--who run an otherwise excellent hosting situation that administrates my mail for me--are dragging their feet in sorting out the modem-help.co.uk problem. My current situation is the Slough of Despond.
This is the email I sent to Mark George today at 07:01am:
Subject: modem-help.freeserve.co.uk mail compromised by spammers Spammers have recognised that Freeserve sub-domains can have any username on mail, and are auto-generating unique return-addresses for their spam using my modem-help.freeserve.co.uk sub-domain name. This is resulting in a 5-figure number of emails from failed-address return emails ***each day***, starting Friday 12 March 2004. Headers & body of a typical example is copied below. I am happy for *all* external mail for my sub-domain to be failed & returned with a message such as "550 failed: sub-domain compromised by spammers; no mail accepted". There is one--and one only--email address that I use with Freeserve. This is `(removed)@modem-help.freeserve.co.uk` & is sent via the CGI-bot used via Freeserve webspace. All other addresses may fail. Freeserve Broadband support refused to act on this on Friday evening, and put the phone down on me when I declared that I would wait for the manager to come out of her meeting. It is clearly important for you to have this information--if you do not already know that spammers have cottoned on to this. It is new-to-me. Freeserve mail will rapidly become unusable if you do not quickly take steps to block such actions across the board (though I confess that I do not know what those actions could be and still keep an unlimited number of email addresses for Freeserve sub-domains). Will you action the second paragraph above, please? My Freeserve mail is now unusable, and I will simply let your servers fill up with it. A few MB every hour will add up across the weeks, methinks. Freeserve is indifferent to this, of course, but may act as other sub-domains also become compromised. Spam is blossoming because of the collective lack of will of those that could act. I am trusting--from our brief previous exchanges--that you do *not* fall into that camp. I can be contacted on 0??? ??? ???? - afternoons, evenings, early morning. Header & body of one of the returned emails follows: -- returned email begins --- Hi. This is the qmail-send program at prdmailbe6.nwk.iwon.com. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <email@example.com>: The users mailfolder (user=bgm.cashmasters.2000) is over the allowed quota (size). --- Below this line is a copy of the message. Return-Path: <firstname.lastname@example.org> Received: (qmail 12700 invoked from network); 13 Mar 2004 17:06:14 -0000 Received: from prdsearch2.nwk.iwon.com (HELO prdmx8.nwk.iwon.com) ([10.50.30.74]) (envelope-sender <email@example.com>) by 0 (qmail-ldap-1.03) with SMTP for <firstname.lastname@example.org>; 13 Mar 2004 17:06:14 -0000 Return-Path: <email@example.com> Received: from stanserhorn.ch (unknown [188.8.131.52]) by prdmx8.nwk.iwon.com (Postfix) with SMTP id 32D2034026; Sat, 13 Mar 2004 11:56:42 -0500 (EST) Message-ID: <firstname.lastname@example.org> From: "Daren Clemons" <email@example.com> To: firstname.lastname@example.org, email@example.com Subject: 42-Refinance to 2.96% Date: Sun, 14 Mar 2004 08:11:32 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 8bit X-FII-Tracking: 0.710110 <html> Hello<p> Would you re-fina<jwkovthcupp>nce if you knew you'd S<jmmizimbmskden>AVE TH0US<jwisulhcego>ANDS?<p> We'll get you rat<jmcjlkndgjxd>es as low as 2.9%.<p> Don't believe me? Fill out our small online form and we'll show you how.<p> Get the house and/or car you always wanted, it only takes 2 minutes of your time:<br> <a href="http://entheltgxta.polimardo.info/index.php?a=3">http://glwmitbbixif.p olimardo.info</a> <p><br><br><br><br><br> <a href="http://gqzzfodxmbcbdp.polimardo.info/tt.htm">Stop promos.</a> </html> -- returned email ends ---
This is the email I sent to Commission Junction on 07:50 9 March to inform them that their USA server sent me a virus:
Subject: Your system is compromised (it is being used to distribute a virus, in *my* name) The email address "(removed)" was only given to yourself. It is now being used to send a virus, apparently from myself (in this instance addressed to myself!). I shall keep a copy of this email, plus my reply, and forward it to anyone that complains to me. I today downloaded an email (headers below) with an envelope address as above - it contains an attachment with a virus. This address can *only* have been leaked via yourselves. You will notice that the received-address is yourselves (gw.cj.com). Check your system - it is compromised. Apart from a very few addresses such as the one above, I delete *all* emails, due to the very large amount of spam & virii that I receive on other email addresses that have leaked in the past. From today the email address you have for me is no longer valid. --- email headers follow --- Return-Path: <firstname.lastname@example.org> Received: from cteaguedell1 (gw.cj.com [184.108.40.206]) by s1.uklinux.net (8.11.6/8.11.6) with SMTP id i23KCUi10645 for <(removed)>; Wed, 3 Mar 2004 20:12:30 GMT Envelope-To: <(removed)> Date: Wed, 03 Mar 2004 12:12:28 -0800 To: (removed) Subject: Notify about using the e-mail account. From: email@example.com Message-ID: <firstname.lastname@example.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="--------bburxgjvtebilabpkqwq" X-UIDL: U$1"!$PA"!U&8"!@lE"! Status: U ----------bburxgjvtebilabpkqwq Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Dear user of Modem-help.com, We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions. For details see the attached file. For security purposes the attached file is password protected. Password is "83006". Cheers, The Modem-help.com team http://www.modem-help.com ----------bburxgjvtebilabpkqwq Content-Type: application/octet-stream; name="Information.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Information.zip" --- email headers end ---