Welcome to the Unsolicited Commercial e-mail edition of...

Access Orlando's Funny but true Story Archive

In this episode, we're going to talk about spammers, and the people who try to get away with it. Some even have the nerve to try to seek compensation for "loss of business" when we terminate their account due to the abuse reports that start flowing in.


Generally, if someone calls us and asks, "Do you block port 25?", red flags go up, and we give them a fairly standardized answer. We tell them, "No, you are given an IP address when you connect, and there are no filters between that IP and the rest of the world. However, per our terms of service agreement, if you use our service to send out bulk, unsolicited e-mail, and we receive any abuse reports which are tracked back to your account, your account will be terminated immediately, without refund."

Our dial-up lines are set up like those of many other small ISPs. We have ISDN PRI lines coming into our facility, terminated into Ascend Max 4048 Remote Access Servers. Those Maxes are plugged into an ethernet switch, one of the ethernet ports on our main border router is also plugged into that switch, and the Maxes use that router as a default gateway. That border router has several dedicated connections to the Internet, and there are no access control lists or firewalling on any of those interfaces. Anyone connected to the Maxes has a straight, unfiltered path to the rest of the world.

Our story starts on Monday, February 4th, 2002, when we opened a new account for a man who called and asked the magic question, "Do you block port 25?". After receiving a close adaptation of the statement above from one of our support technicians, he agreed and asked to go ahead and start an account. We happily obliged and got all of the necessary accounting information. Then he came by our office with a check for the first month, and we activated his account.

A short time later, he called to speak to one of our support technicians and asked why we were blocking him from using port 25. Our technician was puzzled by the question, but assured him that between his modem connection and the outside world, there is nothing on our network that will block him from making connections to anywhere else on port 25.

He must have figured something out, because on February 12, we began receiving abuse reports from SpamCop. After investigating the reports, we determined that the person connected to the IP address from which the spam originated was, indeed, this same man who had asked about port 25. Per our Acceptable Use Policy, our abuse technician disabled his account.

The man called to speak to one of our support technicians again to ask why he couldn't get connected to our dial-up lines. After looking into the notes on his account, our technician informed the man that we had received spam abuse reports that originated from that account. The man became outraged and said that he was only e-mailing people who had asked to be e-mailed, and that he had a signed statement from all of them. Our technician explained to him again that we have zero tolerance for spam, and that since we had received abuse reports, and the account was locked out due to abusive activity, there was nothing that he could do. The man then asked to speak to a manager, so our technician passed the call over to our project manager. Our project manager was on the phone for a while, trying to explain that it's our policy to terminate without refund after receiving abuse reports. The man finally hung up out of frustration, but not before mentioning that five other ISPs have "cut him off for the same reason."

On February 14th, we received this pretty humorous letter. The links are points that we thought we'd like to highlight and explain a little bit about. Thanks to Erik Bosrup's OverLIB javascript, all you have to do is hover your mouse over the link to see the comments. If you don't have javascript capabilities, you can click on the link, and it takes you to a separate page with all of the comments.

Re: Your misdealings

Dear Access Orlando:
      I have not yet found out if you are a corporation or not. It would seem not with the way you use your name. I have been scammed before, but you people, to get so little money, sure went to a lot of trouble. Before I bought your ISP service, I told the man on the phone, it sounded like Mike, that I had commercial software, which would not work properly if Port 25 was blocked or filtered. I was assured that I would not be blocked or filtered.
      Based on your representations, I signed up for your service and had your check hand delivered on Sunday, and got connected on Monday. I had a tribal email going out, and worked to prepare it. Imagine my surprise to find out my email could not get connected, and when I ran a test, of all things, Port 50 was blocked. I called on Monday of this week, the first time I had a chance, since you are closed on the weekends. Again I was assured by Mike that my Port 25 was not blocked, and that it was my software which was defective.
      After discussing the blockage with Mike, I went back to my software, and then to its designer. I was told if the software came out with a "blocked" result, if I wanted the software to work, you would have to unblock Port 25. I called again this morning at 9:47 a. m. and again was told by Ron that there was no blockage of Port 25. After asking questions for several minutes, it turned out that Port 25 was indeed blocked by Sprint, which you use. Ron knew it, and I am sure Mike did too. And I was lied to by people who wanted to catch another sucker, thinking nothing would happen.
      After lunch today, I could not send out Yahoo e-mails, and I could not send an important letter by email to an attorney who was on the other side. I made other arrangements to get this document sent. But not before several tries on Yahoo. In addition, since I could not send my e-mails to (243 individuals) my tribe members, on this past Monday I arranged to have those 243 letters mailed, at the cost of $6.78 each or for a total of $1,647.54. I know the difference between capital and labor and when I am treated badly, like you have treated me, I am willing to be an instructor.
      This afternoon, about 2:37 p. m., I tried to get on the Internet to get some more legal research done. (I subscribe to a service, like a lot of attorneys) It would not connect. I called and Mike answered again. I asked him why I could not get on the Internet. The cheeky little bastard had the nerve to tell me that I had complaints against me for sending spam, and they had cut me off. He seems to have forgotten that I was the ass hole who called Saturday, Monday and Tuesday, because my email would not work. He could not tell me who complained, how many complaints I had, nor who could. He offered to have his boss call me, which has not happened.
      I will lose out on revenue because I was cut off your ISP for a false reason. I am sure Mike and Ron were trying to cover their ass es for telling me a lie, and then continuing to cover it up. But when someone tries to accuse me of a crime, then I am not sympathetic. As whoever runs this outfit will soon know.
      I see why Mike said that you all had a lot of trouble with Sprint. Dealing the way you all do, it is a wonder you are not all in jail. I am suffering damages because of several losses. I expect compensation for the following:
      1. My letters in the amount of $1,647.54;
      2. My $20.00 initial payment, procured by fraud;
      3. My loss of revenue from not being able to connect to the ISP for legal research; ($4.75/min x 2 = $9.50/min x 60 min. = $570/hr x 27.5 hrs = $15,675 loss of research revenues) {It could go much higher, especially if I lose or have a case thrown out. Damages can be really big then}
      4. Because you lied to me about having an open Port 25, I want you to pay for an ISP who has an open Port 25, for the next year;
      5. Be prepared to be liable for bigger losses because of your fraud, which I relied upon;
      It is bad when I have to have "dropouts" tell me that I am sending spam to my blood relatives and their friends who want to be updated. I do not know what you have put on your ISP, but I will do any reasonable deal you want, at your expense, to have my computer checked. We all know every thing we do is kept somewhere on the hard drive.
      You people may be used to dealing with teens, who you can bluff, and "tired daddies", who are not really interested in the computer so long as they get on the porno sites. But if you people want it to be called spam when I write my tribal members and their friends, we will quite soon be able to find a judge to put things in order. Someone had better get those attorneys out that Mike told me about today. I am especially interested in how I sent out spam, when only my Yahoo email works. I am soon going to find an answer.
      This will be after I have talked with Sprint. After I have talked with the Justice Department in Orlando, or failing that, with Tampa. After I talk with a couple of attorney friends of mine, to see what the take may be. You may be used to having people slither into the woodwork when you accuse them of spam, but I come out further. Just look above to see my name and address and phone number.
      You have two weeks to meet my numbered demands.


Sincerely,



[name not disclosed]

And, there you have it. No wonder there's so much spam going around out there. There are people like this that actually exist in the world who make it happen.

Here are the examples of some of the abuse reports. For the most part, they are un-doctored. We have only removed the portions that would disclose e-mail addresses or names. This is to help keep more spam from being circulated by web spiders which harvest e-mail addresses for spam lists.

From //e-mail removed// Thu Feb 14 20:27:51 2002
Return-Path: <//e-mail removed//>
Received: from SCUACC.scu.edu (scuacc.scu.edu [129.210.8.1])
        by mail-gw.ao.net (8.12.0.Beta19/8.12.0.Beta19/Debian
    8.12.0.Beta19) with ESMTP id g1BIk8IA013108
        for <[redacted]@ao.net>; Mon, 11 Feb 2002 13:46:14 -0500
Received: from cio ([129.210.146.160]) by scuacc.scu.edu (PMDF V6.0-23
    #41421)
 with SMTP id <01KE58FKQUN8000XPU@scuacc.scu.edu> for [redacted]@ao.net; Mon,
 11 Feb 2002 10:45:59 -0800 (PST)
Date: Mon, 11 Feb 2002 10:55:55 -0800
From: //name removed// <//e-mail removed//>
Subject: Junk Mail
To: [redacted]@ao.net
Message-id: <003e01c1b32d$bc551f80$a092d281@cio>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal

    [ The following text is in the "iso-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Dear Sir/Madam,

Please follow up on the junk message belowed sent via your network.  Please
reply to us.  Otherwise, we will have no choice but to block all mail from
"mail.ao.net" on our server.

Thanks
David
System Administrator for //name removed//

Return-Path: <Johnie@mail2world.com>
Received: from mail.ao.net (mail.ao.net [205.244.242.23])
 by ceo.deltapath.com (8.11.6/8.8.7) with ESMTP id g1BIf7w15013
 for <//e-mail removed//>; Tue, 12 Feb 2002 02:41:08 +0800
Received: from mail.ao.net (port05.max1.ao.net [205.244.242.105])
        by mail.ao.net (8.12.0.Beta19/8.12.0.Beta19/Debian 8.12.0.Beta19)
with SMTP id g1BIeiIA011393
        for <//e-mail removed//>; Mon, 11 Feb 2002 13:40:58 -0500
Message-Id: <200202111840.g1BIeiIA011393@mail.ao.net>
From: "Johnie" <Johnie@mail2world.com>
Date: Mon, 11 Feb 2002 13:38:00
To: //e-mail removed//
Subject: Win $10,000 dummie
MIME-Version: 1.0
Content-Type: text/plain;charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-UIDL: bo]"!jI/!!'2l!!PL2"!


----- Original Message -----
From: "Johnie" <Johnie@mail2world.com>
To: <//e-mail removed//>
Sent: Monday, February 11, 2002 1:38 PM
Subject: Win $10,000 dummie


>                                                             MIGHTY
MOUNTAINEERS
>            COME WALK WITH THE WEST VIRGINIA HISTORICAL SOCIETY AND FIND
>                                FACTS THAT ARE MORE INTERESTING THAN
FICTION.
>
> We wish to introduce you to West Virginia Supreme Court Justice Larry V.
Staarcher, and share with you facts which showed up in our research:
>
>                                         YOU MAY WIN UP TO $10,000 FOR THE
>                                               RIGHT ANSWERS TO OUR QUIZ
>
>                   If you know the answers to the following 10 QUESTIONS,
call the numbers below to claim your Prize.
>
> In the spirit of fairness, please do not guess.  Sorry if the nmbers may
be long distance, but we wish out quiz to get the best results we can
achieve.
>
> 1.  Question:  Why has Larry V. Starcher refused to take a drug test since
1962?
>           a.  He is afraid of needles;
>           b.  He has been out of town and could not make an appointment;
>           c.  He knows what the results will be and is afraid others will
reveal this information;
>           d.  He believes sincerely drug tests do not work;
>           e.  All of the above;
>            f.  None of the above.
>
>
>
> Answer:  _________________
>
>
> 2.  Question:  When did Larry V. Starcher first become involved with  and
succumb to organized crime's wishes?
>
>           a.  1981;
>           b.  1982;
>           c.  1983;
>           d.  It hapened over a different period of time;
>           e.  All of above;
>           f.  None of above.
>
>
> Answer:  _______________
>
> 3.  Question:  Larry Starcher was best liked during what period of time?
(This one is tricky so be careful)
>           a.  His first day as judge;
>           b.  The day he wet his pants at a high school basketball game;
>           c.  The day before he was born;
>           d.  All of the above;
>           e.  None of the above;
>
>
> Answer:  ____________
>
> 4.  Question:  Did Larry Starcher ever run for any other office than judge
and fail?
>           a.  No.;
>           b.  He ran for dog catcher and won;
>           c.  He ran for Sunday School teacher with the Jehovah's Witness
Church and won;
>           d.  He ran for sheriff and lost so bad people laughed at  him
for 2 years;
>           e.  All of the above;
>           f.  None  of the above.
>
>
> Answer:  ______________
>
> 5.  Question:  Who made Larry V. Starcher join organized Crime?
>           a.  Flash Gordon and the space cadets;
>           b.  His mother and father to make sure he had retirement
security;
>           c.  His attorney, S. J. Angotti;
>           d.  All of the above;
>           e.  None of the above.
>
>
> Answer:  ________________
>
> 6.  Question:  If Larry Starcher is a judge, why would he have a lawyer?
>           a.  He was trying to learn about the law so he could be a good
judge;
>           b.  He was under a federal drug investigation;
>           c.  He was too young to get into the bar he liked;
>           d.  All of the above;
>           e.  None of the above.
>
>
> Answer:  _________________
>
> 7.  Question:  Does/has Larry V. Starcher take/taken drugs?
>           a.  No one is for sure because he refuses to take a drug test;
>           b.  His drug use was talked about on the Morgantown radio so
everyone knows;
>           c.  He can not help if his nose runs all the time;
>           d.  He has been seen using at parties with his friends;
>           e.  All of the above;
>           f.  None of the above.
>
>
> Answer:  _________________
>
> 8. Question:   Who did Larry V. Starcher buy his drugs from when he worked
at Legal Aid?
>           a.  Zorro;
>           b The 3 Stooges;
>           c.  Ex football player and known dealer, Willie Winston;
>           d.  All of the above;
>           e.  None of the above.
>
>
> Answer:  __________________
>
> 9. Question:   Why did Larry V. Starcher's first wife approve him taking
drugs?
>           a.  She thought the cocaine was gotten from his doctor's
periscription;
>           b.  She thoughtpot looked good while growing and adding oxygen
in their upstairs rooms;
>           c.  She did not approve and left him because of drugs, not
because of his philandering;
>           d.  All of the above;
>           e.  None of the above.
>
>
> Answer:  ______________
>
> 10.  Question:  Why has Larry V. Starcher not been arrested for taking
drugs?
>           a.  He has been and then he forced the cops to let him loose;
>           b.  He has been, but the records have been sealed;
>           c.   He is part of organized crime and is immune from arrest;
>           d.  All of the above;
>           e.  None of the above.
>
>
> Answer:  _________________
>
>
> WARNING:  If you think you can guess and call to annoy the people on the
other end of the line, those taking answers, please do not or you will piss
them off and they just might be bigger than you and give you a poke in the
nose.  However, if you know something else about Larry V. Starcher that you
believe is strange, wrong or you think probably is illegal, you may call
this information in and get some extra points for the questions you missed.
This contest is in fun, but folks who take advantage of fun are often
disliked by others.
>
> In Southern West Virginia call:                                         In
Northern West Virginia, call
> (304)347-5136
(304)234-0100
>
>     Ask for the person on duty who is taking answers to the Larry Starcher
questions.  These people are busy, so please only give them facts.  Thank
you.
>
> Good Luck Hillbillies.  Mountaineers are always
free!!!!!!!!!!!!!!!!!!!!!!!!
>
> This is an editorial product, which are the beliefs of the author, and
reflect the opinons or beliefs of no one other than the author, published to
promote good humor, friendship, to polk fun and stimulate hillbilly thinking
about what is going on in this great state.
>
> THIS EMAIL IS NEVER SENT OUT UNSOLICITED!  You are arreceiving this email
because you signed up through one of our selected opt-out offers.  Removal
instructions appear below.  To remove yourself from this mailing list, point
your browser to alandarlin@Juno.com   Enter your email address
(yourname@hotmail.com) in the field provided and in the subject line type
"Unsubscribe"  The mailing list ID is "theechurchlady".
>
  

Here's another one. The content of the spam is the same, so it was left out, but the report and headers have been left in. It looks like the person submitting the report left out the e-mail addresses for us.

Return-Path: <61055084@bounces.spamcop.net>
Received: from shelob.julianhaight.com (shelob.julianhaight.com
    [64.90.162.82])
        by mail-gw.ao.net (8.12.0.Beta19/8.12.0.Beta19/Debian
    8.12.0.Beta19) with ESMTP id g1BMhRIA006945
        for <[redacted]@ao.net>; Mon, 11 Feb 2002 17:43:28 -0500
Received: from spamcop.net (shagrat.julianhaight.com [64.90.162.83])
        by shelob.julianhaight.com (8.11.1/8.11.1) with SMTP id g1BMhRp12768
        for <[redacted]@ao.net>; Mon, 11 Feb 2002 17:43:27 -0500 (EST)
        (envelope-from 61055084@bounces.spamcop.net)
Received: from [130.184.20.131] by spamcop.net
    with HTTP; Mon, 11 Feb 2002 22:43:27 GMT
From: 61055084@reports.spamcop.net
To: [redacted]@ao.net
Subject: [SpamCop (205.244.242.105) id:61055084] Win $10,000 dummie
Precedence: list
Message-ID: <61055084@spamcop.net>
Date: Mon, 11 Feb 2002 15:19:37 -0500
X-Mailer: Mozilla/4.73 [en] (Win95; U)
    via http://spamcop.net/ v1.3.3

- SpamCop V1.3.3 -
This message is brief for your comfort.  Please follow links for details.

http://spamcop.net/w3m?i=z61055084z35ee69dad594ccbfd3b965f38f1b9339z
Email from 205.244.242.105 / Mon, 11 Feb 2002 15:19:37 -0500

Offending message:
Return-Path: <Johnie@mail2world.com>
Received: from mail.ao.net ([205.244.242.23]) by mail.uark.edu
           (Netscape Messaging Server 4.15) with ESMTP id GRDXT200.VDV for
           <x>; Mon, 11 Feb 2002 14:19:50 -0600
Received: from mail.ao.net (port05.max1.ao.net [205.244.242.105])
         by mail.ao.net (8.12.0.Beta19/8.12.0.Beta19/Debian 8.12.0.Beta19) 
 with SMTP id g1BKJQIA009148
         for <x>; Mon, 11 Feb 2002 15:19:37 -0500
Message-Id: <200202112019.g1BKJQIA009148@mail.ao.net>
From: "Johnie" <Johnie@mail2world.com>
Date: Mon, 11 Feb 2002 15:16:35
To: x
Subject: Win $10,000 dummie
MIME-Version: 1.0
Content-Type: text/plain;charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

//content of message snipped//

  

It doesn't take rocket science to see that these two reports are plainly of spam, even if they do say that they are not unsolicited in the body of the message. I don't care how many folks ask you to send e-mail to them, they're not going to ask you to send them one with "Win $10,000 dummie" in the Subject.

There were several other reports, but they all looked much the same, so I'll spare you the details.

The way we determine which one of our customers is sending the unsolicited e-mail is by checking the timestamp in the e-mail from when it originally hit the outgoing e-mail server. We go through the logs and find which account was connected to that dynamic IP at the time the message was originally sent. Here is a copy of that piece of log. We've removed the name of the account and the caller ID phone number to protect the guilty, but it does, indeed, have his account name listed.

Feb 11 12:24:33 max1 ASCEND: slot 4 port 11, LAN session up, //removed// [MBID 295; 407//removed//->1033] 
Feb 11 16:34:19 max1 ASCEND: slot 4 port 11, LAN session down, //removed// [MBID 295; 407//removed//->1033] 
Feb 11 16:34:20 max1 ASCEND: call 72 CL 0K  u=//removed// c=45 p=60 s=53333 r=26400  h=205.244.242.105
  

He connected at 12:24:33 and disconnected at 16:34:19. The entire time he was connected, his assigned IP address was 205.244.242.105. This matches the time and the originating IP address that the spam reports show, and yes, we are in GMT -0500.
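
The lookup described above, as an added example (not Access Orlando's own tooling): it pairs the RAS "session up" and "session down" records, takes the assigned IP from the call-clear line, and finds which account held a given IP at the time in a Received header, whatever UTC offset that header uses. The account name acct-example, the caller ID 407XXXXXXX and the function names are placeholders, and it assumes the CL line after a session-down belongs to that session, as in the excerpts on this page.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

LOG_TZ = timezone(timedelta(hours=-5))  # the page states the logs are GMT -0500
LOG_YEAR = 2002                         # syslog stamps carry no year (assumption)

# Constructed sample in the shape of the page's RAS log lines; "acct-example"
# and "407XXXXXXX" are placeholders for the values the page redacts.
RAS_LOG = """\
Feb 11 12:18:11 max1 ASCEND: slot 5 port 1, LAN session up, acct-example [MBID 286; 407XXXXXXX->1033]
Feb 11 12:19:57 max1 ASCEND: slot 0 port 0, LAN session down, acct-example [MBID 286; 407XXXXXXX->1033]
Feb 11 12:19:57 max1 ASCEND: call 60 CL 0K  u=acct-example c=45 p=60 s=53333 r=26400 h=205.244.242.132
Feb 11 12:24:33 max1 ASCEND: slot 4 port 11, LAN session up, acct-example [MBID 295; 407XXXXXXX->1033]
Feb 11 16:34:19 max1 ASCEND: slot 4 port 11, LAN session down, acct-example [MBID 295; 407XXXXXXX->1033]
Feb 11 16:34:20 max1 ASCEND: call 72 CL 0K  u=acct-example c=45 p=60 s=53333 r=26400  h=205.244.242.105
"""

SESSION = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ ASCEND: .*LAN session (up|down), (\S+) \[MBID (\d+);")
CLEAR = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ ASCEND: call \d+ CL .*\bu=(\S+) .*\bh=([\d.]+)")


def ts(stamp):
    """Turn a year-less syslog stamp into a timezone-aware datetime."""
    naive = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=LOG_TZ)


def parse_sessions(text):
    """Return closed sessions as dicts with user, start, end and ip."""
    open_by_mbid, closed = {}, []
    for line in text.splitlines():
        m = SESSION.match(line)
        if m:
            stamp, state, user, mbid = m.groups()
            if state == "up":
                open_by_mbid[mbid] = (user, ts(stamp))
            elif mbid in open_by_mbid:
                # Pair on MBID: slot/port can differ between up and down lines.
                user, start = open_by_mbid.pop(mbid)
                closed.append({"user": user, "start": start, "end": ts(stamp)})
            continue
        m = CLEAR.match(line)
        if m:
            _, user, ip = m.groups()
            # Only the call-clear line carries the IP (h=); attach it to the
            # most recently closed session of that user still lacking one.
            for session in reversed(closed):
                if session["user"] == user and "ip" not in session:
                    session["ip"] = ip
                    break
    return [s for s in closed if "ip" in s]


def find_account(sessions, ip, received_date):
    """Accounts that held `ip` at the instant given by a Received-header date."""
    when = parsedate_to_datetime(received_date)
    if when.tzinfo is None:
        # Without a UTC offset the time cannot be compared safely.
        raise ValueError("date has no UTC offset: " + received_date)
    return [s["user"] for s in sessions
            if s["ip"] == ip and s["start"] <= when <= s["end"]]


if __name__ == "__main__":
    sessions = parse_sessions(RAS_LOG)
    # Stamp written by the outgoing mail server in the first report above.
    print(find_account(sessions, "205.244.242.105",
                       "Mon, 11 Feb 2002 13:40:58 -0500"))
```

The stamp to trust is the one written by the ISP's own mail server; the Date: header in the spam itself is set by the sender and, in these reports, carries no UTC offset.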

Here is an example of one of the 46,117 lines of log file. This one shows that the spam was originating from a different IP than above.

Feb 11 12:19:05 mail sm-mta[23891]: g1BHIQIA023891: from=<Johnie@mail2world.com>, size=6254, class=0, nrcpts=1, msgid=<200202111718.g1BHIQIA023891@mail.ao.net>, proto=SMTP, daemon=MTA, relay=port32.max1.ao.net [205.244.242.132]
  

We checked through the dial-up logs, and sure enough, it's the same account connected. It looks like in trying to send out all of this data, he flooded himself off of his dial-up connection somewhere in the middle because the time he disconnected was very close to the time that the mail server received the last connection from his IP. In the minute that he was connected, he managed to send out 60 e-mails.

Feb 11 12:18:11 max1 ASCEND: slot 5 port 1, LAN session up, //removed// [MBID 286; 407//removed//->1033] 
Feb 11 12:19:57 max1 ASCEND: slot 0 port 0, LAN session down, //removed// [MBID 286; 407//removed//->1033] 
Feb 11 12:19:57 max1 ASCEND: call 60 CL 0K  u=//removed// c=45 p=60 s=53333 r=26400 h=205.244.242.132
  

His activity generated 10,053,339 bytes of mail server log file alone. He had a recipient list of 11,681 individual, unique e-mail addresses. A search through the log reveals that his activity generated 11,997 individual messages to be sent, which means that some recipients probably received the spam more than once. Of the 11,997 e-mails that went out, 8,767 were actually delivered to their destination. This all means that potentially, we could receive that many abuse reports and our mail server could be put on blacklists, preventing our customers from sending legitimate e-mail. This is why we call it "abuse" and have zero tolerance for it.