Monday, June 05, 2006

Response to news coverage

Please visit http://ryanpitylak.blogspot.com to read my responses to some of the news coverage about the Microsoft settlement.

After receiving some great comments in this posting, I'm revising it to explain to my visitors that there is some valuable content in this comments section. Some people have been asking me questions about spam and how they can get around some specific problems related to their spam. Herein I'm explaining my advice on how to resolve these issues.

Please post any spam-related problems you are having and allow me to comment on them.

8 comments:

JoeChongq said...

That Guardian article was really informative. I don't keep up on email spammer news, so didn't know you "fell foul of the CAN-SPAM act in the States and had to sell [your] house, car and more to pay [your] $1 million fine and substantial legal bills."

No wonder you are turning to the other side. The law got you and it was expensive. Now to continue making money, you market your previous spamming experience as a way to help stop spam.

It is hard to believe that a major in economics and philosophy did not see the effects of his actions were far greater than cat and mouse with email administrators. We can't know if wringing the last drops of cash out of your spamming past is the main motivation for this new venture.

Whatever your motivation, I guess as long as you are improving things then we all benefit. Let us know when there is some proof that you are doing that.

Ryan Pitylak said...

Joechongq,

My main motivation is to contribute my knowledge to the anti-spam community.

I learned about the impact of my actions after thinking about the "tragedy of the commons" problem during an economics class (see posting here for more details). It made me think about how much money was being spent to stop spam and became motivated to help in the fight against spam.

Joe Maier said...

Here is a chance to put your experience to good use...

For about 3 weeks we have been targeted by a prolific spammer - selling lifestyle meds.

Our domain email has been spoofed as the sender address, we get around 2-4000 reject email messages per day back to us. The header is either totally faked or these messages are sent out via trojan viruses from all over the world.

The websites linked in the email messages are hosted in several locations, China, Ukraine and also in the US. Have closed a few sites, by threatening blacklisting their domains, but they come up with a different name again, same hosting domain. We have kept all messages.

Any suggestion? Appreciate your or anyone else's help.

Ryan Pitylak said...

Joe Maier,

This is a wonderful opportunity for me to help. Thank you for seeking me out. I have people come to me personally in Austin with these problems, but my advice does not permeate publicly when I talk 1-to-1 with them.

I would be interested to see one of the emails you are receiving. I've posted an email before in a previous posting: Just provide the entire email in html format including the header information. It'll help me give some feedback.

You mentioned that you know of some U.S. hosts. Can you tell me what those hosts are and what the I.P. ranges are? This will help me to determine if they are sending out the email from their own hosting domain or a domain that is hosted by a spam hosting company. Based on this, we'll know how to proceed.

The point is that we need to get these guys to listen to you. Most likely, they have no idea that they're upsetting you, and you are one target of the thousands of places they're using as a spoofed location. This is a pretty slimy way to send out email, but regardless, there is a way to find these guys.

If we can't find them through the hosting I.P., we will try to find them through other information in the email. Alternatively, I would suggest trying to figure out exactly who the online pharmacy is. If it's their own online pharmacy, then maybe you can figure out who they are that way. If it's not, maybe you can contact that pharmacy and explain what's going on and explain that you just want them to deliver a message to the emailer. They might deliver the message.

I hope this was of some help. Please respond to this comment and I'll move forward with helping you.

Rain said...

Ryan, Can you look at the pasted email and tell me what's going on with it. I blocked out my email address. Everywhere you see me@mywebsite.com it had my real email address. Plus, someone has been tapping into the form on my website and diverting business.

Received: (qmail 611 invoked by uid 1000); 6 Jun 2006 05:54:30 -0000
Delivered-To: me@mywebsite.com
Received: (qmail 609 invoked from network); 6 Jun 2006 05:54:30 -0000
Received: from unknown (HELO pre-smtp18-02.prod.mesa1.secureserver.net) ([64.202.166.63])
(envelope-sender me@mywebsite.com)
by smtp16-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for me@mywebsite.com; 6 Jun 2006 05:54:30 -0000
Received: (qmail 2643 invoked from network); 6 Jun 2006 05:54:30 -0000
Received: from unknown (HELO EFS1.net) ([195.50.134.122])
(envelope-sender me@mywebsite.com)
by pre-smtp18-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for me@mywebsite.com; 6 Jun 2006 05:54:30 -0000
Date: Tue, 06 Jun 2006 07:51:31 +0100
To: "Ray" me@mywebsite.com
From: "Ray" me@mywebsite.com
Subject: 455
Message-ID: xzefxdnawlqgrjuqmmj@mywebsite.com
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Nonspam: None

Ryan Pitylak said...

1)

The spam came from 195.50.134.122. This is in the RIPE internet ip registry (I went to ARIN.net to find this out). I looked in the spamhaus database and I don't see this ip address listed. I looked in the sorbs database and I don't see this ip address listed. I went to ripe and found the ip address listed here. Look: http://www.ripe.net/fcgi-bin/whois?form_type=simple&full_query_string=&searchtext=195.50.134.122&submit.x=0&submit.y=0

So, now you know what company ip range the person is mailing from. I would suggest that you contact their abuse contact (abuse@arcor-ip.de). Find out if that IP address has been compromised (i.e. being used as a proxy). If it has been, then you can ask them to find out who was using that proxy (they can look in their history to find out who connected to that ip address on the proxy ports; they might not have this data available, but they might). This would let you know who was really behind it.

It could just be these guys sending out the spam, but you have to think about why it would be these guys.

Also, you should look at whether all the spam you receive comes from the same IP space. If it's a lot of different ip ranges, then they're probably using proxies.

2)

What is this message exactly? Is it the header of the message that the spammer was sending? I am assuming it is. If it is not, then this is just a bounceback message from the mail server of the recipient who was supposed to receive this spam. In that case, we need the actual header of the email that was sent from the spammer.

3)

If your form is being compromised, that's a big problem. I would suggest hiring a different web hosting company who can help you to resolve this problem. You probably have someone hacking into wherever you keep your data. You should change your passwords immediately. Find a service that can control the data that you receive in your form and keep it in their own database structure. This will ensure security from all sides. Also, make sure your computer, and the network that your computer is in, is behind a firewall.

I hope this helps! Let me know what happens.
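To make the header walk in point 1 concrete, here is an added example (not code from the blog or anyone in this thread) that parses the Received: lines Rain pasted above, trusts only the server that received each hop, and builds the reversed-octet name used to check an address against a DNSBL such as the Spamhaus list mentioned above. The trimmed sample headers, the `.secureserver.net` suffix used to recognise the recipient's own servers and the `zen.spamhaus.org` zone are assumptions.

```python
"""Trace the spam's origin from its Received: chain and build DNSBL lookup names.
Added example, not code from the blog or this thread; SAMPLE is Rain's header
block above (trimmed) and OWN_SUFFIX is assumed from the hostnames in it."""
import re

OWN_SUFFIX = ".secureserver.net"  # assumed: the recipient's own mail servers
SAMPLE = """\
Received: from unknown (HELO pre-smtp18-02.prod.mesa1.secureserver.net) ([64.202.166.63])
  by smtp16-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
Received: (qmail 2643 invoked from network); 6 Jun 2006 05:54:30 -0000
Received: from unknown (HELO EFS1.net) ([195.50.134.122])
  by pre-smtp18-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
"""
HOP_RE = re.compile(
    r"from\s+\S+\s+\(HELO\s+([^)]*)\)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r".*?\bby\s+(\S+)")

def unfold(raw):
    """Join folded header lines (continuations begin with whitespace)."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(raw):
    """(claimed HELO, connecting IP, receiving server) per hop, newest first."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.search(line) if line.startswith("Received:") else None
        if m:
            hops.append(m.groups())
    return hops

def origin_hop(raw, own_suffix=OWN_SUFFIX):
    """Walk down the chain while the receiving ('by') server is ours; 'from' and
    HELO are only the sender's claims, and hops below the first outside server
    may be forged. Returns (ip, claimed_helo) of the hop to report."""
    origin = None
    for helo, ip, by in received_hops(raw):
        if not by.endswith(own_suffix):
            break
        origin = (ip, helo)
    return origin

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets; a DNS answer for this name means the IP is listed."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

The returned IP is the one to look up in the RIR whois and send to the network's abuse contact, as done for 195.50.134.122 above; the HELO name beside it is just what the sender claimed.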

Rain said...

Thanks Ryan, the subject of the email had only 5556 in it which is the last 4 digits of my toll-free number.