Diary Entries. See also Site Info & Diary.

14 March 2004: It's not me spamming you, honest...
Nor sending you a virus... Last Tuesday Commission Junction (a useless advertising company now owned by ValueClick) sent me a virus (the WORM_BAGLE.GEN-1) which purported to come from myself! (my reply to them at bottom). The email address used had only been released to themselves. It took 7 emails & 3 national-rate telephone calls before someone would even pay attention, so I doubt that action will follow very swiftly. If I ever get some time I'll set out their sorry advertising story (hundreds of thousands of web page-impressions, thousands of clicks, no payment - avoid them) but for now let's concentrate on spam.

Came to download my email on Friday afternoon & discovered several thousand messages waiting for me on modem-help.freeserve.co.uk, and even more on modem-help.co.uk. Most were “message failed” auto-returns from mail daemons across the known universe. Both domains (strictly a sub-domain with Freeserve) leaked from the internet onto spammers’ mailing lists some time ago, and I have been receiving spam + virii addressed to ‘modems@modem-help.freeserve.co.uk’ and ‘webmaster@modem-help.co.uk’ for years & years. All a waste of their time - every one is deleted at the pop-server without being read (see POP3 Scan Mailbox for an easy way to do this yourself). In the last few months a new feature appeared: spam emails to completely invented email addresses: ‘fred@modem-help.freeserve.co.uk’, ‘alice@modem-help.freeserve.co.uk’, and so on. This made no difference to myself, as my system is set to only download specific email addresses, and all these invented email addresses were deleted from the server just like all the others.

Then came last Friday... The spammers have discovered that they can put anything that they like as a username in front of the domain part of a Freeserve email address, and it will be a valid address. They have used this knowledge to forge unique, false return-addresses for their spam emails. A return address which comes to me. And they have many bad addresses within their mass-mailing lists. Each one of which is returning to me. You may well have been affected by this spam but, believe me, not as bad as I have. My Freeserve email address is now completely unusable, and Freeserve, of course, just put the phone down on me.
21 March update: UKLinux finally woke up & set my modem-help.co.uk mail account so that all emails on this account are rejected (“A message that you sent could not be delivered to one or more of its recipients. This is a permanent error”). Problems with that account have now vapourised. Freeserve did not bother to get back to me, in spite of their promises. Nevertheless, the mailbox filled up on Thursday, Mar 18 2004, 10:36 PM at 26,780 emails (this MHT screen shot was taken on Sunday) and emails are now rejected (“5.2.2 Over quota”). You know, in the jungle it is the fit that survive, and there is no doubt that Freeserve are indolent. This is not the same as being fit.

16 March update: As quickly as it started, the spam returns stopped yesterday (Monday). Evidently the spam is mailed across the weekend--a good call, I think, as all the server staff go home early on Friday. Mark George (see below) replied immediately he got in on Monday - he deals with DNS for the company & cannot help, but suggested mailing abuse@energis.com (duly done). I was left with 11,700+ emails (just 24 hours worth, a previous 23,000 having already been removed) in the Freeserve POP3 server, which is now 1/3 full. It took about 20 minutes just to download the mail headers; this was on 576 kbps Broadband, but the Freeserve server is much slower than my own. My mail program is written in an old version of Visual Basic, and even on a 2 Gig machine, by the time it had found & marked the messages for deletion the Freeserve server had timed out & cut the connection. Next, I tried telnet. The idea is:
The problem is that Freeserve has recently (still in the Google cache) removed its non-standard “xdele” command from the server. With xdele I could type ‘xdele 1 11700’. Without it I am expected to type ‘dele 1’, ‘dele 2’ (etc.) 11,700 times! Next, I tried mail2web, which is what Freeserve recommends. I was quite tempted to press the “List all messages” link, but chose “Delete all messages” instead. After confirmation + a long timeout, this gave “Error : Access denied. Please re-logon.”. 3 times. I flirted with FSMail (top right on the Freeserve Home Page) for a little while, but this can only delete 20 at a time & is useless. So, my Freeserve email account is finished.
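The two failure modes above (a server that times out before the deletions are committed, and a standard POP3 that has only ‘dele n’) can be handled by a small script instead of typing into telnet. The following is an added example, not code from this site or from Freeserve; it relies on standard POP3 (RFC 1939), where deletions take effect only when the session ends with QUIT, and on the fact that message numbers restart at 1 in every new session. The in-memory mailbox, the host name and the credentials are assumptions for demonstration.

```python
"""Bulk-delete POP3 messages in committed batches, without a non-standard XDELE.

Added example (not code from modem-help or Freeserve).  Standard POP3 (RFC 1939)
offers only DELE <n>, and a server applies pending deletions only when the
session ends with QUIT; if the server times out first, every DELE in that
session is discarded.  Deleting in short batches, each closed by QUIT, makes the
work survive a slow or flaky server.  Message numbers restart at 1 in every new
session, so each batch deletes 1..n of whatever is left.
"""
import poplib


class Pop3Store:
    """Constructed in-memory stand-in for a POP3 mailbox (a test double, not a server).

    `drop_sessions` makes that many initial sessions fail part-way through,
    to show that an uncommitted batch is rolled back and must be redone.
    """

    def __init__(self, n_messages, drop_sessions=0):
        self.messages = list(range(1, n_messages + 1))
        self.drop_sessions = drop_sessions

    def session(self):
        flaky = self.drop_sessions > 0
        if flaky:
            self.drop_sessions -= 1
        return _FakeSession(self, flaky)


class _FakeSession:
    """Mimics the poplib.POP3 methods that delete_all() uses."""

    def __init__(self, store, flaky):
        self.store, self.flaky, self.marked = store, flaky, set()

    def stat(self):
        return len(self.store.messages), 0

    def dele(self, which):
        if self.flaky and len(self.marked) >= 2:
            raise poplib.error_proto(b"-ERR connection dropped")
        if not 1 <= which <= len(self.store.messages):
            raise poplib.error_proto(b"-ERR no such message")
        self.marked.add(which)
        return b"+OK"

    def quit(self):
        # QUIT commits: marked messages vanish, survivors are renumbered from 1
        self.store.messages = [m for i, m in enumerate(self.store.messages, 1)
                               if i not in self.marked]
        return b"+OK"


def delete_all(connect, batch_size=500, max_sessions=1000):
    """Delete every message on the server, committing after each batch.

    `connect` is a zero-argument callable returning a fresh, logged-in session
    (a poplib.POP3 object or the fake above).  Returns (deleted, sessions_used).
    """
    deleted = 0
    for sessions in range(1, max_sessions + 1):
        try:
            sess = connect()
            count, _size = sess.stat()
            if count == 0:
                sess.quit()
                return deleted, sessions
            n = min(batch_size, count)
            for i in range(1, n + 1):      # numbering restarts at 1 each session
                sess.dele(i)
            sess.quit()                    # commit this batch
        except (poplib.error_proto, OSError):
            continue                       # batch was discarded server-side; redo it
        deleted += n
    raise RuntimeError("gave up after %d sessions" % max_sessions)


def pop3_connector(host, user, password):
    """Build a connect() for a real server; host and credentials are assumed."""
    def connect():
        conn = poplib.POP3(host, timeout=60)
        conn.user(user)
        conn.pass_(password)
        return conn
    return connect


if __name__ == "__main__":
    store = Pop3Store(11_700, drop_sessions=1)
    print(delete_all(store.session))       # (11700, 26): one dropped session, 24 batches, 1 empty
```

The batch size is the trade-off: large enough that 11,700 messages do not need thousands of logins, small enough that a slow server answers every DELE and the QUIT before it drops the connection. Against a real account you would call delete_all(pop3_connector("pop.example.invalid", "user", "secret")); the placeholder host is not a real server.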
The way that Freeserve is set up (for .freeserve.co.uk, .fsnet.co.uk, etc.), it will deposit in the sub-domain mailbox any email that arrives with the domain-part of the email address set to the Freeserve sub-domain. Perhaps I had better define some terms first, for those that do not know: For an internet FQDN--Fully Qualified Domain Name--address, such as www.modem-help.co.uk:
Confusingly, “www.modem-help.co.uk” is also referred to as the hostname. For an email address, such as webmaster@modem-help.co.uk:
You can find more info about these two from the DNS Resource Directory; DNS--Domain Name Service--is what links FQDNs & IP-addresses together. For a Freeserve account such as modem-help.freeserve.co.uk:
I signed up to Freeserve--with a username of modem-help--back in November 1998, and currently also obtain my Broadband connection via Freeserve. I thus have free webspace at www.modem-help.freeserve.co.uk (it is used to provide some free downloads - see the Links page). I also have an email address, which is anything_whatsoever@modem-help.freeserve.co.uk. This address was previously used to receive messages from users of this site (below) but now--sorry--I cannot receive them. In desperation I have sent an email to Mark George (the highly-efficient hostmaster for Freeserve, see below) but I doubt that even he will be able to assist. Even worse, UKLinux--who run an otherwise excellent hosting situation that administrates my mail for me--are dragging their feet in sorting out the modem-help.co.uk problem. My current situation is the Slough of Despond.
This is the email I sent to Mark George today at 07:01am:

Subject: modem-help.freeserve.co.uk mail compromised by spammers
Spammers have recognised that Freeserve sub-domains can have any username on
mail, and are auto-generating unique return-addresses for their spam using
my modem-help.freeserve.co.uk sub-domain name. This is resulting in a
5-figure number of emails from failed-address return emails ***each day***,
starting Friday 12 March 2004. Headers & body of a typical example is copied
below.
I am happy for *all* external mail for my sub-domain to be failed & returned
with a message such as "550 failed: sub-domain compromised by spammers; no
mail accepted". There is one--and one only--email address that I use with
Freeserve. This is `(removed)@modem-help.freeserve.co.uk` & is sent via the
CGI-bot used via Freeserve webspace. All other addresses may fail.
Freeserve Broadband support refused to act on this on Friday evening, and
put the phone down on me when I declared that I would wait for the manager
to come out of her meeting.
It is clearly important for you to have this information--if you do not
already know that spammers have cottoned on to this. It is new-to-me.
Freeserve mail will rapidly become unusable if you do not quickly take steps
to block such actions across the board (though I confess that I do not know
what those actions could be and still keep an unlimited number of email
addresses for Freeserve sub-domains).
Will you action the second paragraph above, please? My Freeserve mail is now
unusable, and I will simply let your servers fill up with it. A few MB every
hour will add up across the weeks, methinks. Freeserve is indifferent to
this, of course, but may act as other sub-domains also become compromised.
Spam is blossoming because of the collective lack of will of those that
could act. I am trusting--from our brief previous exchanges--that you do
*not* fall into that camp.
I can be contacted on 0??? ??? ???? - afternoons, evenings, early morning.
Header & body of one of the returned emails follows:
-- returned email begins ---
Hi. This is the qmail-send program at prdmailbe6.nwk.iwon.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<bgm.cashmasters.2000@prdmailbe.nwk.iwon.com>:
The users mailfolder (user=bgm.cashmasters.2000) is over the allowed quota
(size).
--- Below this line is a copy of the message.
Return-Path: <daren.clemons_tv@modem-help.freeserve.co.uk>
Received: (qmail 12700 invoked from network); 13 Mar 2004 17:06:14 -0000
Received: from prdsearch2.nwk.iwon.com (HELO prdmx8.nwk.iwon.com)
([10.50.30.74]) (envelope-sender
<daren.clemons?tv@modem-help.freeserve.co.uk>)
by 0 (qmail-ldap-1.03) with SMTP
for <bgholson@prdmailbe.nwk.iwon.com>; 13 Mar 2004 17:06:14 -0000
Return-Path: <daren.clemons_tv@modem-help.freeserve.co.uk>
Received: from stanserhorn.ch (unknown [211.59.8.162])
by prdmx8.nwk.iwon.com (Postfix) with SMTP
id 32D2034026; Sat, 13 Mar 2004 11:56:42 -0500 (EST)
Message-ID: <02eb01c4099b$d1971a7a$db6804bc@stanserhorn.ch>
From: "Daren Clemons" <daren.clemons_tv@modem-help.freeserve.co.uk>
To: bgholson@iwon.com, bgm.cashmasters.2000@iwon.com
Subject: 42-Refinance to 2.96%
Date: Sun, 14 Mar 2004 08:11:32 +0000
MIME-Version: 1.0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-FII-Tracking: 0.710110
<html>
Hello<p>
Would you re-fina<jwkovthcupp>nce if you knew you'd S<jmmizimbmskden>AVE
TH0US<jwisulhcego>ANDS?<p>
We'll get you rat<jmcjlkndgjxd>es as low as 2.9%.<p>
Don't believe me? Fill out our small online form and we'll show you how.<p>
Get the house and/or car you always wanted, it only takes 2 minutes of your
time:<br>
<a
href="http://entheltgxta.polimardo.info/index.php?a=3">http://glwmitbbixif.p
olimardo.info</a>
<p><br><br><br><br><br>
<a href="http://gqzzfodxmbcbdp.polimardo.info/tt.htm">Stop promos.</a>
</html>
-- returned email ends ---
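The mechanism described earlier on this page (a catch-all sub-domain accepts any username, spammers forge unique return addresses under it, and every undeliverable copy bounces back to the owner) is what mail administrators call backscatter, and the returned email above is what one such bounce looks like. The following is an added example, not code from this site: it pulls the copy of the original message out of a bounce and decides whether the bounce is for mail the domain owner actually sent. SAMPLE_BOUNCE is constructed from the qmail bounce quoted above (the outer headers are assumed, and the body is abridged); "removed" stands in for the one legitimate local part that the page redacts.

```python
"""Spot backscatter: bounces for mail we never sent, forged under our own domain.

Added example, not code from modem-help.  Inside each bounce sits a copy of
the original message; if its sender is on our domain but the local part is
not one we really use, we never sent it and the bounce is backscatter.
Handles qmail-style bounces (the original follows a marker line) and
standard DSNs (RFC 3464, the original is a message/rfc822 part).
"""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "modem-help.freeserve.co.uk"
# Local parts that really exist; "removed" stands in for the one the page redacts.
LEGITIMATE_LOCAL_PARTS = {"removed"}

QMAIL_MARKER = re.compile(r"^--- Below this line is a copy of the message\.?[ \t]*$", re.M)

# Constructed from the bounce quoted on the page; outer headers are assumed.
SAMPLE_BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@prdmailbe6.nwk.iwon.com
To: daren.clemons_tv@modem-help.freeserve.co.uk
Subject: failure notice

Hi. This is the qmail-send program at prdmailbe6.nwk.iwon.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<bgm.cashmasters.2000@prdmailbe.nwk.iwon.com>:
The users mailfolder (user=bgm.cashmasters.2000) is over the allowed quota
(size).

--- Below this line is a copy of the message.

Return-Path: <daren.clemons_tv@modem-help.freeserve.co.uk>
Received: from stanserhorn.ch (unknown [211.59.8.162])
 by prdmx8.nwk.iwon.com (Postfix) with SMTP
 id 32D2034026; Sat, 13 Mar 2004 11:56:42 -0500 (EST)
From: "Daren Clemons" <daren.clemons_tv@modem-help.freeserve.co.uk>
To: bgholson@iwon.com, bgm.cashmasters.2000@iwon.com
Subject: 42-Refinance to 2.96%

<html>Hello<p>Would you re-finance ...</html>
"""


def extract_original(bounce_text):
    """Return the bounced original as an email.message.Message, or None."""
    bounce = email.message_from_string(bounce_text)
    if bounce.is_multipart():
        for part in bounce.walk():               # DSN: original is attached whole
            if part.get_content_type() == "message/rfc822":
                inner = part.get_payload()
                return inner[0] if isinstance(inner, list) else inner
        return None
    body = bounce.get_payload()
    match = QMAIL_MARKER.search(body)
    if match:                                    # qmail: original follows the marker
        return email.message_from_string(body[match.end():].lstrip("\r\n"))
    return None


def original_sender(original):
    """Envelope sender of the bounced copy (Return-Path), falling back to From."""
    return parseaddr(original.get("Return-Path") or original.get("From", ""))[1].lower()


def classify_bounce(bounce_text, our_domain=OUR_DOMAIN, legit=LEGITIMATE_LOCAL_PARTS):
    """'no-original' | 'foreign-sender' | 'genuine' | 'backscatter'."""
    original = extract_original(bounce_text)
    if original is None:
        return "no-original"
    local, _at, domain = original_sender(original).rpartition("@")
    if domain != our_domain.lower():
        return "foreign-sender"                  # not forged in our name
    return "genuine" if local in legit else "backscatter"


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))        # backscatter
```

The classifier only works because the legitimate local parts are a short, known list; that is exactly the property a catch-all mailbox throws away, which is why the real fix described on this page was to stop accepting arbitrary usernames for the sub-domain rather than to filter the returns. A genuine bounce for the real address (try SAMPLE_BOUNCE with "removed@" in place of the forged local part) is kept, so a filter built on this would not hide real delivery failures.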
This is the email I sent to Commission Junction at 07:50 on 9 March to inform them that their USA server had sent me a virus:

Subject: Your system is compromised (it is being used to distribute a virus, in *my* name)
The email address "(removed)" was only given to yourself. It is now
being used to send a virus, apparently from myself (in this instance
addressed to myself!). I shall keep a copy of this email, plus my reply, and
forward it to anyone that complains to me.
I today downloaded an email (headers below) with an envelope address as
above - it contains an attachment with a virus. This address can *only* have
been leaked via yourselves. You will notice that the received-address is
yourselves (gw.cj.com).
Check your system - it is compromised.
Apart from a very few addresses such as the one above, I delete *all*
emails, due to the very large amount of spam & virii that I receive on other
email addresses that have leaked in the past.
From today the email address you have for me is no longer valid.
--- email headers follow ---
Return-Path: <dave@webclothes.com>
Received: from cteaguedell1 (gw.cj.com [207.71.241.81])
by s1.uklinux.net (8.11.6/8.11.6) with SMTP id i23KCUi10645
for <(removed)>; Wed, 3 Mar 2004 20:12:30 GMT
Envelope-To: <(removed)>
Date: Wed, 03 Mar 2004 12:12:28 -0800
To: (removed)
Subject: Notify about using the e-mail account.
From: management@modem-help.com
Message-ID: <vkisnuejceevetkvhdv@modem-help.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------bburxgjvtebilabpkqwq"
X-UIDL: U$1"!$PA"!U&8"!@lE"!
Status: U
----------bburxgjvtebilabpkqwq
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Dear user of Modem-help.com,
We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.
For details see the attached file.
For security purposes the attached file is password protected. Password is
"83006".
Cheers,
The Modem-help.com team
http://www.modem-help.com
----------bburxgjvtebilabpkqwq
Content-Type: application/octet-stream; name="Information.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Information.zip"
--- email headers end ---
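The headers quoted above show the two things a recipient could have checked mechanically at the time: the From header claims the recipient's own domain while the topmost Received header says the message came in from gw.cj.com, and the body announces a password-protected archive and gives the password. The following is an added example, not code from this site; SAMPLE_WORM_MAIL is constructed from the quoted headers, with the redacted recipient replaced by a placeholder, the body abridged and the attachment reduced to a dummy base64 string.

```python
"""Flag a worm mail of the kind quoted above: our own domain forged as sender,
delivered from an outside host, carrying a password-protected archive whose
password is given in the body.

Added example, not code from modem-help.  SAMPLE_WORM_MAIL is constructed from
the headers quoted on the page (recipient is a placeholder, body abridged,
attachment bytes are a dummy string, not an archive).
"""
import email
import re
from email.utils import parseaddr

OUR_DOMAINS = {"modem-help.com"}            # domains whose name we would see forged
ARCHIVE_EXTENSIONS = (".zip", ".rar")
PASSWORD_RE = re.compile(r'password\s+(?:is|:)\s*"?(\w+)', re.I)
# "from <helo> (<reverse-dns> [<ip>])" at the start of a Received header
RECEIVED_RE = re.compile(r"\s*from\s+(\S+)\s*\((\S+)\s+\[([\d.]+)\]\)")

BOUNDARY = "--------bburxgjvtebilabpkqwq"
SAMPLE_WORM_MAIL = f"""Return-Path: <dave@webclothes.com>
Received: from cteaguedell1 (gw.cj.com [207.71.241.81])
 by s1.uklinux.net (8.11.6/8.11.6) with SMTP id i23KCUi10645
 for <victim@modem-help.com>; Wed, 3 Mar 2004 20:12:30 GMT
Date: Wed, 03 Mar 2004 12:12:28 -0800
To: victim@modem-help.com
Subject: Notify about using the e-mail account.
From: management@modem-help.com
Message-ID: <vkisnuejceevetkvhdv@modem-help.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="{BOUNDARY}"

--{BOUNDARY}
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user of Modem-help.com,
For details see the attached file.
For security purposes the attached file is password protected. Password is
"83006".

--{BOUNDARY}
Content-Type: application/octet-stream; name="Information.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Information.zip"

Zm9vYmFy
--{BOUNDARY}--
"""


def delivering_host(msg):
    """HELO name, reverse-DNS name and IP from the topmost Received header."""
    received = msg.get_all("Received") or []
    match = RECEIVED_RE.match(received[0]) if received else None
    if not match:
        return None
    return {"helo": match.group(1), "rdns": match.group(2), "ip": match.group(3)}


def analyse_message(raw, our_domains=OUR_DOMAINS):
    """Return a report dict; 'findings' lists the rules that fired."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = delivering_host(msg)
    attachments, password = [], None
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename.lower())
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("ascii", "replace")
            found = PASSWORD_RE.search(text)
            if found:
                password = found.group(1)
    findings = []
    # our own domain in From, but handed to our MTA by a host that is not ours
    if from_domain in our_domains and hop and not hop["rdns"].endswith(from_domain):
        findings.append("self-spoofed-from")
    # an archive the scanner cannot open, with the password in the text
    if password and any(a.endswith(ARCHIVE_EXTENSIONS) for a in attachments):
        findings.append("password-protected-archive-lure")
    return {"from_domain": from_domain, "delivering_host": hop,
            "attachments": attachments, "password": password, "findings": findings}


if __name__ == "__main__":
    print(analyse_message(SAMPLE_WORM_MAIL)["findings"])
```

The self-spoof rule needs an allow-list in practice: mail that legitimately carries your domain but is relayed from outside (a hosted web form, webmail, a mailing list) would trip it, and the page itself mentions a CGI form on Freeserve webspace that sends in the owner's name. The password-in-body rule is the one that survives: a virus scanner cannot open the archive, which is the whole point of the lure, so the text that hands over the password is the signal.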