Spam Cop responses
from users and admins.
User feedback
Subject: Thanks
Date: Mon, 27 Dec 1998
Julian I just wanted to drop you a line to thank you for spam cop. I have
used it and it works great. I've tried Spam Hater but it just doesn't work
for the trickier spammers. I know you must get a ton of mail just wanted
you to know your work is appreciated.
Administrator Feedback
Subject: Spam Cop - THANK YOU!
Date: Wed, 02 Dec 1998
Julian - since I've started using SpamCop instead of parsing the
headers by hand, my "kill rate" has doubled (which tells me that
I wasn't parsing them correctly!). My "incoming" rate hasn't
dropped noticeably, yet, however. Thanks for a useful and
apparently effective tool!
Subject: [Fwd: Spam from address 209.214.98.3]
Date: Wed, 23 Sep 1998 08:51:48 -0400
Thank you for a wonderful web site! When I first submitted
one of my spam messages to your "Spam Cop" I thought.."yeah
right", but it worked!! I've forwarded my first reply to
you with MANY thanks!
[name withheld]
Date: 9/18/98
Subject: Kudos on Spam Cop!!
Julian,
I want to thank you for making Spam Cop available through your web site. For a
long long time, I have tried and tried to fight the mountain of spam I would get,
by attempting to figure out each and every piece of email and send a complaint to
the appropriate domain... your program makes this so easy, and I'm sure it is far
more accurate than I have ever been. One interesting thing I've noticed since
using Spam Cop... after using it to handle all my spam for only a short time, I
notice that for the past few days, I haven't received ANY SPAM. I don't know if
it's even possible that there could be a connection there, but I'd like to think
there MUST be, because that is the only thing I am now doing differently.
Thanks.
Cheers.
jb
Julian - With your engine, justice is swift and sure.
You are indeed the King Spamasaurus! Now they never know what hit them
and it's fast, simple and easy. If you don't mind, I will begin to steer
all others to your site and accelerate the assault. IF THERE IS EVER A
SPAMKILLER HALL OF FAME, YOU'VE GOT MY VOTE. My kill ratio has increased
dramatically. The only recommendation that I could make is that repeat
visitors be recognized, so entering e-mail addresses each time would be
unnecessary. Of course some do not wish to do so, but I get a certain
satisfaction from knowing the missiles have been launched and then
receiving confirmation of kills a little later.
I LOVE THE SMELL OF SMOLDERING SPAM IN THE MORNING.............JH
[ Part 2: "Included Message" ]
Date: Tue, 18 Aug 1998 12:28:21 -0700
From: policy@hotmail.com
To: [name withheld]
Subject: Re: [Fwd: Now View Amazing World Record Sex!!!]
We have closed the account that you reported.
Hotmail does not condone or support the sending of junk email (aka "spam")
through our system. The Hotmail Terms of Services (TOS)
[SNIP]
Julian's note: The feature requested here was added soon after. If you
allow spam cop's cookie, you'll be recognized when you return.
Date: 11/6/1998
Subject: Re: Spam from address 204.177.81.109
Customer account is toast, web page is no more, user bank account will be
minus $500 from our clean-up fee, and the spammer is looking for his 50
Free Hours AOL cd.
Michael Rawls - System Administrator for Dancris Telecom
Date: 10/21/1998
Subject: Re: Spam from address 209.122.210.234
We've recently tested the Orbital Anvil Bombardment System on this
spammer. The results were promising. We had to hire the folks at
http://www.asepsistechnology.com to clean up the mess.
Yours,
Afterburner
RCN Abuse Guy
Date: Wed, 21 Oct 1998 10:10:08 +0930 (ACST)
Subject: Response: your spam query
This message is being sent to you because of your recent
complaint regarding a spamming incident. The message in
question had the subject line:
$14000 Per Month Income
and appeared to come from usa.net.
The spam originated on this system (cobweb.com.au). We
are an ISP in Adelaide, South Australia. We do not
condone spam.
The user who originated this spam has had his account
terminated, and other ISPs in our local area have been
warned about this person.
I apologise on behalf of Cobweb for the irritation that
this person has caused.
On the up side, it's good to know that at least 60 people
are doing the right things to fight spam. Keep on sending
those complaints! I assure you, I (and most sysadmins)
hate spammers as much as you do.
Liz Raymond
System Administrator
Cobweb Internet Services Pty Ltd
Subject: Re: Spam from address 199.179.188.102
Date: Sun, 27 Sep 1998 20:19:57 -0500 (CDT)
From: abuse
Just had to post this one because it just proves my theory that the
people who talk the loudest are the ones who know the least:
Date: Sun, 27 Sep 1998 21:48:52 -0700
Subject: RE: Spam from address 209.133.29.125
There is no evidence that the message "originated from IP address"
209.133.29.125. The headers suggest that that IP was an intermediary.
Ntserver2.manage.com is not a mail relay. The headers suggest an origin
inside AOL's network. So I'm not sure what it is your automated spam bot
wants me to do.
Your email touched a serious nerve with me. In fact, right now I'm
borderline furious. You are complaining to me about a spam using a tool that
sends automated commercial emails -- that is, a spamming tool. This 'spam
cop' is itself a spamming tool as it sends unsolicited commercial mails
intended to direct traffic to www.julianhaight.com. So, you are not just a
spam victim, but a spam accomplice as well.
Have a nice day, your spamming tool is now in my killfile.
[name withheld]
> Network administrator,
>
> Recently, I received unsolicited email (spam) from a system on
> your network.
> Please find enclosed the entire message, including headers. The message
> originated from ip address:
>
> 209.133.29.125 at Sat, 26 Sep 1998 20:50:05 -0400 (EDT).
>
> ----------------------- Headers --------------------------------
> Return-Path:
> Received: from rly-zd03.mx.aol.com (rly-zd03.mail.aol.com
> [172.31.33.227])
> by air-zd03.mail.aol.com (v50.15) with SMTP; Sat, 26 Sep 1998
> 20:50:36 -0400
> Received: from NTSERVER2.manage.com ([209.133.29.125])
> by rly-zd03.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0)
> with ESMTP id UAA16932;
> Sat, 26 Sep 1998 20:50:05 -0400 (EDT)
> Date: Sat, 26 Sep 1998 20:50:05 -0400 (EDT)
> From: harryshoes@worldnet.att.net
> Message-Id:
> Received: from det-mi19-42.ix.netcom.com by NTSERVER2.manage.com with SMTP
> (Microsoft Exchange Internet Mail Service Version 5.0.1458.49)
> id TQRA54QS; Sat, 26 Sep 1998 17:56:12 -0700
> To: harryshoes@worldnet.att.net
> Subject: Invite Yourself to the "XXX Teen Station"
I guess that touched a nerve with me, so my response...
I don't know why I bother, but I have to respond to this one...
You have no idea what you are talking about, sir. I appreciate your anger
- nobody likes to receive unsolicited email, but I think you have to have
some indulgence toward complaints of this type - you are a "system
administrator", although I don't know who gave you that job - you are
obviously unqualified.
First of all - the issue at hand - this spam. If you know anything about
reading headers, you will see that your lame, NT server at least *touched*
this mail, even if it was not the server where it originated. That much at
least we can see from the headers that AOL's system appended. The headers
certainly DO NOT suggest that the mail originated inside AOL's system - the
victim was an AOL customer.
There is *some* evidence that your machine acted merely as a relay, however
it does a very bad job of recording the information, making it impossible
to tell the difference between its shabby excuse for a "Received:" line
and 'flack' that spammers use to throw off tools like SpamCop.
This is nonsense, even without the headers. First you say "that IP was an
intermediary."; Then you say "ntserver2.manage.com is not a mail relay" !
Which is it? I don't usually bug relay admins, but you are running a relay
that doesn't even record the IP address of incoming email. Even AOL isn't
that lame. Anyway, I ran a test on your server and it DOES in fact relay
email. Now, I'll *blatantly advertise* another URL:
http://maps.vix.com/tsi/ar-test.html This is the site I used to confirm that
you DO relay.
Oh, yes, and I benefit so much from all the advertising! You see, there is
one key difference between the email I send and the mail that comes from
spammers. I GIVE A CRAP about the person on the other end. I'm trying to
help everyone here. I don't disguise the origin of my mail. I even take the
time to answer <bites tongue> like yours.
Do what you want - I hope you get black-holed (that's another one of those
pesky URLs again: http://maps.vix.com/rbl/ ). Your problems are going to
continue until you face them instead of denying they exist. Try getting a
real mail server for a start.
I'll spare you the resulting flame-war.
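The header dispute above, worked through as an added example (not SpamCop's own code): it walks the three Received: lines from the quoted complaint, finds the deepest line stamped by the recipient's provider, and lists deeper hops that record no peer IP. The names `parse_hops` and `trace` and the `.aol.com` trust suffix are assumptions made for this illustration.

```python
import email
import re

# Received: lines from the complaint quoted above, newest first, re-folded.
# The empty Return-Path/Message-Id lines are left out; the body is a stub.
RAW = """\
Received: from rly-zd03.mx.aol.com (rly-zd03.mail.aol.com [172.31.33.227])
 by air-zd03.mail.aol.com (v50.15) with SMTP; Sat, 26 Sep 1998 20:50:36 -0400
Received: from NTSERVER2.manage.com ([209.133.29.125])
 by rly-zd03.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0) with ESMTP id UAA16932;
 Sat, 26 Sep 1998 20:50:05 -0400 (EDT)
Received: from det-mi19-42.ix.netcom.com by NTSERVER2.manage.com with SMTP
 (Microsoft Exchange Internet Mail Service Version 5.0.1458.49)
 id TQRA54QS; Sat, 26 Sep 1998 17:56:12 -0700

(body omitted)
"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """One dict per Received: line: claimed name, recorded peer IP, stamping host."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))   # undo header folding
        if m:
            name, comment, by = m.groups()
            ip = IPV4.search(comment or "")
            hops.append({"from": name, "ip": ip.group(1) if ip else None,
                         "by": by.lower()})
    return hops

def trace(raw, trusted_suffix):
    """Split hops into those stamped by the recipient's provider and the rest."""
    handoff, claims = None, []
    for hop in parse_hops(raw):
        # Simplification: trust is decided by the stamping hostname alone.
        if not claims and hop["by"].endswith(trusted_suffix):
            handoff = hop          # deepest line written by a trusted server
        else:
            claims.append(hop)     # written by systems the recipient can't vouch for
    return {"handoff_ip": handoff and handoff["ip"],
            "handed_off_by": handoff and handoff["from"],
            "no_ip_recorded": [h["from"] for h in claims if h["ip"] is None]}

if __name__ == "__main__":
    print(trace(RAW, ".aol.com"))
```

The address AOL's relay recorded is the one the complaint named; the netcom hop below it carries no IP, so nothing in the headers can confirm or refute it.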
A notice sent to a spammer and CCed to one of SpamCop's regular users:
Subject: SPAM and your account is canceled.
Date: Fri, 25 Sep 1998 09:49:28 -0400
Mr. [Evil (I didn't go to Evil medical school for 6 years to be called Mr!)],
We are NOT an ISP friendly Bulk Mail house, nor do we support hosting of
SPAM sites. You have tarnished our reputation with your actions.
I will supply every complaint your contact information. You did not read the
Dial ISDN, Inc. User Acceptance Policy: http://www.dialisdn.net/policy.html
We are a respectable Company. Your UCE will never be tolerated by us or
others. Your account has been canceled. The account you set up and that was
active for less than 5 hours has caused all of this work.
Albert Churba, President
Dial ISDN, Inc.
Date                 UserName  FramedAddress    SecsOn      BytesIn     BytesOut    Total
-------------------- --------- ---------------- ----------- ----------- ----------- -----------
Sep 24 1998  4:01PM  jim456    209.118.208.115  (null)      (null)      (null)      (null)
Sep 24 1998  8:12PM  jim456    209.118.208.115  15058       23193147    14369885    37563032
A couple of notes on this one:
First, I'm hiding the spammer's name here mainly to protect Dial ISDN from
a possible lawsuit.
Second, the dialup report here is very interesting - notice the BytesIn /
BytesOut on the second line. Normal internet usage is mostly downstream;
here, it is mostly upstream. This is a telltale sign of a spammer. 23Mb of
spam in 4 hours...
Date: Tue, 15 Sep 1998 14:27:59 -0400
To: spambait@julianhaight.com
Subject: Re: Spam from address 156.73.254.2
Thank you for bringing this matter to our attention. Boston Edison is
aware that it is being victimized and would like to assure you that
every effort is being made to identify the perpetrator and have this
activity cease. We are also in the process of installing equipment to
prevent further illegal invasion of our systems. When we have
identified the sender of this material we plan to prosecute to the
full extent of both Federal and State law. We appreciate your
understanding of the situation.
Date: Tue, 15 Sep 1998 17:06:01 -0400
To: spambait@julianhaight.com
Subject: Re: [ABUSE] Spam from address 209.167.196.236
Please continue to send complaints to 'abuse@uunet.ca', we
need to know what's happening. But please know we are doing
everything we can, and involved federal law enforcement, to
get this guy. We've cancelled dozens of accounts. It's just
taking some time due to various red tape issues.
If this guy was a direct UUNET Canada customer, he would
have been instantly and permanently removed. The ONLY
reason it's taking this long is a) we're dealing through
another company who doesn't share information much and b)
we are trying to gather criminal evidence.
Date: Fri, 11 Sep 1998 11:27:03 -0400 (EDT)
To: spambait@julianhaight.com
Subject: Re: Spam from address 141.218.249.189
We will be turning this student over to the Dean of Students on a second
offense.
----------
[name withheld]
Manager, Computing Resources
University Computing Services
Western Michigan University
Kalamazoo, MI 49008-5154