Whitis.com email addresses have been used in the From: field of email spams sent by mypillsrx.com.

[Note: The bounces/forgeries described below began on 9/21/2003 and ended 9/25/2003. The mypillsrx.com website went down on 9/26/03. I believe that the spammer decided he was getting too many complaints and too much heat, and will do this again soon, probably using the same IP address, but using a different domain name in place of mypillsrx.com, and probably forging different domains. Another person who had their domain forged convinced Wired Magazine to write an article about the problem. I disagree with some of the analysis, and the article doesn't mention mypillsrx.com, but Andy emailed me prior to the article, so I know it's the same spammer.

- Stephen Whitis]

For the past few days, I've been receiving lots of bounce messages because a spammer is forging whitis.com email addresses in the spam he sends. The spam is selling various medicines and pills, which is probably illegal. Texas state law also outlaws sending spam without ADV tags, with forged or fraudulent headers, etc., which these spammers are doing.

Specifically, the law in Texas says that I can sue in civil court. I don't want the money, so if any lawyers are interested in taking the case, I'll give them any and all profits.

The spamvertised website is http://69.60.4.240/, which is http://www.mypillsrx.com/, apparently owned by Mike Rosen of North Miami, Florida, according to the WhoIs record.

The spam seems to have been sent via several different sources, but the most common one I find is charter.net. IP address 68.116.236.155, for instance.

That IP space is owned by a spamhouse in Boca Raton (spam capital of the US) called Internet America LLC (www.internetamericallc.com). A quick search using groups.google.com shows that these same slimeballs have a history of forging spams, all while advertising that same IP address.

See this message archived by Google, and these messages about InternetAmericaLLC, archived by Google, and these and these for evidence that they've done this to other people as well as myself. (time passes) Also, this link.

The most complete list you can find of their spam is to search groups.Google for the IP address that they put in the spam. For more information on Internet America LLC and their scumbag owner, Eddy Marin, visit http://www.spamhaus.org/sbl/sbl.lasso?query=SBL9626 or http://www.mugshots.com/Favorites/Eddy_Marin.htm. An article is available at http://www.newtimesbpb.com/issues/2003-12-04/news.html/1/index.html

You can also try http://spews.org/ask.cgi?S373, but Spews has been under a DoS attack for some time, so it may not respond. It seems likely that the DoS attack is also being organized by Eddy Marin, as his pet lawyer, Mark Felstein, has filed a lawsuit against a number of people who he believes (wrongly, in most, possibly all, cases) may be connected to Spews. A Google search on EMarketersAmerica will find more information on that SLAPP lawsuit if you are interested.

Mark Felstein applied to the NY Bar for a license to practice law in NY. Apparently, he is so slimy that even lawyers don't want to associate with him. :^)

The spams include HTML which pulls an image from http://sierra.bubb-rubb.biz/c2.jpg as shown below (this image is stored on their server, so it will no longer show up once they kill it.) (Now 404.)

Each spam is slightly different, probably as a sort of web-bug to track which email addresses viewed the mail. For instance, http://beverly.bubb-rubb.biz/c2.jpg and similar addresses show up as the jpg's URL in other bounced messages. That site (bubb-rubb.biz) is owned by someone who hides their information. (Claims to be Janice Joplin, for instance.) They appear to be related to porno spammers, which isn't a surprise considering Eddy Marin's background. View the WHOIS information for bubb-rubb.biz

I cannot stop spammers from forging my address, but I damn sure won't sit quietly while they continue their abuse.

I've received almost 100 bounce messages so far (actually, I've quit counting). The bounces appeared to end on 9/25, four days after they began.

The quotes below are from some of the bounce messages I've received. I have changed everything that said "whitis.com" to "example.com" to avoid having spam harvesters start spamming those nonexistent addresses. I have many more examples if needed. You can email me at admin@whitis.com.

>Your message
>
> To: david.bello@royalbank.com
> Subject: Are you in pain?
> Sent: Sun, 21 Sep 2003 21:54:17 -0400
>
>did not reach the following recipient(s):
>
>DAVID.BELLO@ROYALBANK.COM on Sun, 21 Sep 2003 18:04:02 -0400
> The recipient name is not recognized
> The MTS-ID of the original message is: c=us;a=
>;p=gems;l=SE0010180309212204S211N887
> MSEXCH:IMS:GEMS:NTEMAIL:SE001018 0 (000C05A6) Unknown Recipient
>
>
>Message-ID: [b-t-7$7818vzn1$y-ai$-y-xok1-f1@0zzxp.b9.8irj]
>From: usqi227x@example.com
>Reply-to: usqi227x@example.com
>To: david.bello@royalbank.com
>Subject: Are you in pain?
>Date: Sun, 21 Sep 2003 21:54:17 -0400
>MIME-Version: 1.0
>X-Mailer: Internet Mail Service (5.5.2656.59)
>X-MS-Embedded-Report:
>Content-Type: text/plain;
> charset=iso-8859-1
>Content-Transfer-Encoding: 7bit
>
>Are you in pain?
>
> http://69.60.4.240/?p=6006

>To: usqi227x@example.com
>Subject: Undeliverable: Are you in pain?
>
>Your message
>
> To: david.bello@royalbank.com
> Subject: Are you in pain?
> Sent: Sun, 21 Sep 2003 21:54:17 -0400
>
>did not reach the following recipient(s):
>
>DARREN.KEATING@ROYALBANK.COM on Sun, 21 Sep 2003 18:04:02 -0400
> The recipient name is not recognized
> The MTS-ID of the original message is: c=us;a=
>;p=gems;l=SE0010180309212204S211N888
> MSEXCH:IMS:GEMS:NTEMAIL:SE001018 0 (000C05A6) Unknown Recipient
>TOMMY.WU@ROYALBANK.COM on Sun, 21 Sep 2003 18:04:02 -0400
> The recipient name is not recognized
> The MTS-ID of the original message is: c=us;a=
>;p=gems;l=SE0010180309212204S211N888
> MSEXCH:IMS:GEMS:NTEMAIL:SE001018 0 (000C05A6) Unknown Recipient
>JEFF.RUTKA@ROYALBANK.COM on Sun, 21 Sep 2003 18:04:02 -0400
> The recipient name is not recognized
> The MTS-ID of the original message is: c=us;a=
>;p=gems;l=SE0010180309212204S211N888
> MSEXCH:IMS:GEMS:NTEMAIL:SE001018 0 (000C05A6) Unknown Recipient
>
>
>Message-ID: [b-t-7$7818vzn1$y-ai$-y-xok1-f1@0zzxp.b9.8irj]
>From: usqi227x@example.com
>Reply-to: usqi227x@example.com
>To: david.bello@royalbank.com
>Subject: Are you in pain?
>Date: Sun, 21 Sep 2003 21:54:17 -0400
>MIME-Version: 1.0
>X-Mailer: Internet Mail Service (5.5.2656.59)
>X-MS-Embedded-Report:
>Content-Type: text/plain;
> charset=iso-8859-1
>Content-Transfer-Encoding: 7bit
>
>Are you in pain?
>
> http://69.60.4.240/?p=6006

>Subject: Undeliverable: Online prescriptions with free Fedex shipping
>To:
>
>Your message
>
> To: lois@aspect.com
> Subject: Online prescriptions with free Fedex shipping
> Sent: Sun, 21 Sep 2003 09:27:10 -0700
>
>did not reach the following recipient(s):
>
>lois@aspect.com on Sun, 21 Sep 2003 15:31:01 -0700
> The e-mail address could not be found. Perhaps the recipient moved
>to a different e-mail organization, or there was a mistake in the
>address. Check the address and try again.The MTS-ID of the original
>message is:c=us;a= ;p=aspect;l=NAEMS10309212230TD0CH7GN
> MSEXCH:IMS:Aspect Telecommunications:HQ:NAEMS1 0 (000C05A6) Unknown
>Recipient
>
>Original-Envelope-ID: c=us;a= ;p=aspect;l=NAEMS10309212230TD0CH7GN
>Reporting-MTA: dns; sac1exch1.nawest.aspect.com
>
>Final-Recipient: RFC822; lois@aspect.com
>Action: failed
>Status: 5.1.2
>X-Supplementary-Info: MSEXCH:IMS:Aspect Telecommunications:HQ:NAEMS1 0
>(000C05A6) Unknown Recipient
>X-Display-Name: lois@aspect.com
>Received: from 203-195-190-186.now-india.net.in ([203.195.190.186]) by
>naems1.aspect.com with SMTP (Microsoft Exchange Internet Mail Service
>Version 5.5.2653.13) id TD0CH7GN; Sun, 21 Sep 2003 15:30:55 -0700
>Received: from [210.165.79.45] by 203-195-190-186.now-india.net.in; Sun,
>21 Sep 2003 16:27:10 -0700
>content-class: urn:content-classes:message
>Subject: Online prescriptions with free Fedex shipping
>Date: Sun, 21 Sep 2003 09:27:10 -0700
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="iso-8859-1"
>Message-ID: [3o2jfx61$3-ni0--$q$xyi$5139@31y44p388.8ij]
>X-MS-Has-Attach:
>X-MS-TNEF-Correlator:
>Thread-Topic: Online prescriptions with free Fedex shipping
>Thread-Index: AcOAkAj/qqsknex6EdemPgCgyS0Q6w==
>X-MimeOLE: Produced By Microsoft Exchange V6.0.6375.0
>From: "Bart Stiles" [tqruglt@example.com]
>To:
>Reply-To: "Bart Stiles" [tqruglt@example.com]
>
>Online prescriptions with free Fedex shipping
>
> http://69.60.4.240/?p=6006

>The original message was received at Sun, 21 Sep 2003 21:01:04 -0400
>from 200-204-141-195.dialdata.net.br [200.204.141.195]
>
> ----- The following addresses had permanent fatal errors -----
>
> (reason: 550 5.1.1 ... User unknown)
>
> (reason: 550 5.1.1 ... User unknown)
>
> (reason: 550 5.1.1 ... User unknown)
>
> ----- Transcript of session follows -----
>... while talking to mail.cablenet-va.com.:
> >>> RCPT To:
><<< 550 5.1.1 ... User unknown
>550 5.1.1 ... User unknown
> >>> RCPT To:
><<< 550 5.1.1 ... User unknown
>550 5.1.1 ... User unknown
> >>> RCPT To:
><<< 550 5.1.1 ... User unknown
>550 5.1.1 ... User unknown
>Reporting-MTA: dns; smtp.cablenet-va.com
>Received-From-MTA: DNS; 200-204-141-195.dialdata.net.br
>Arrival-Date: Sun, 21 Sep 2003 21:01:04 -0400
>
>Final-Recipient: RFC822; eugene@cablenet-va.com
>Action: failed
>Status: 5.1.1
>Remote-MTA: DNS; mail.cablenet-va.com
>Diagnostic-Code: SMTP; 550 5.1.1 ... User unknown
>Last-Attempt-Date: Sun, 21 Sep 2003 21:01:10 -0400
>
>Final-Recipient: RFC822; ev@cablenet-va.com
>Action: failed
>Status: 5.1.1
>Remote-MTA: DNS; mail.cablenet-va.com
>Diagnostic-Code: SMTP; 550 5.1.1 ... User unknown
>Last-Attempt-Date: Sun, 21 Sep 2003 21:01:10 -0400
>
>Final-Recipient: RFC822; kelly@cablenet-va.com
>Action: failed
>Status: 5.1.1
>Remote-MTA: DNS; mail.cablenet-va.com
>Diagnostic-Code: SMTP; 550 5.1.1 ... User unknown
>Last-Attempt-Date: Sun, 21 Sep 2003 21:01:10 -0400
>Return-Path: [hryl2bhquj@example.com]
>Received: from 200-204-141-195.dialdata.net.br
>(200-204-141-195.dialdata.net.br [200.204.141.195])
> by smtp.cablenet-va.com (8.11.6/8.11.6) with SMTP id h8M113w10274;
> Sun, 21 Sep 2003 21:01:04 -0400
>Received: from [141.3.201.239]
> by 200-204-141-195.dialdata.net.br id s3jN5KG9k632
> for ; Sun, 21 Sep 2003 21:52:11 -0400
>Message-ID: [m-77zk$3272c1$y55-i67w0-1fdizk3@zfp.ew9ev4]
>From: "Pearlie Benjamin" [hryl2bhquj@example.com]
>Reply-To: "Pearlie Benjamin" [hryl2bhquj@example.com]
>To: eugene@cablenet-va.com
>Subject: Online prescriptions with free Fedex shipping
>Date: Sun, 21 Sep 03 21:52:11 GMT
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary=".263.CC26.25.E0ADFD1"
>X-Priority: 3
>X-MSMail-Priority: Normal
>
>Content-Type: text/html;
>
> (Some HTML stripped to leave only pertinent data for the website.)
>
>Online prescriptions with free Fedex shipping
>
>If you would like us to not mail you again, please href="http://potash.thawhistlesgowoo.biz/out.php">go here.

Without attempting to post copies of every bounced spam, I'll show the payload information from some more.

Subject: Are you in pain? wants you to visit http://69.60.4.240/?p=6062 with an image source at http://beverly.bubb-rubb.biz/c2.jpg and an opt out link at http://pusey.thawhistlesgowoo.biz/out.php.

Subject: Are you one of the millions that suffer from pain? wants you to visit http://69.60.4.240/?p=6063 with an image source at http://riflemen.bubb-rubb.biz/c2.jpg and an opt out link at http://bulb.thawhistlesgowoo.biz/out.php.

Subject: Online prescriptions with free Fedex shipping wants you to visit http://69.60.4.240/?p=6063 with an opt out link at http://cottrell.thawhistlesgowoo.biz/out.php

Subject: Do you suffer from pain? wants you to visit http://69.60.4.240/?p=6063 with an image source at http://nether.bubb-rubb.biz/c2.jpg and an opt out link at http://barstow.thawhistlesgowoo.biz/out.php

Subject: Online prescriptions with free Fedex shipping wants you to visit http://69.60.4.240/?p=6063 with an image source at http://chalk.bubb-rubb.biz/c2.jpg and an opt out link at http://musician.thawhistlesgowoo.biz/out.php

Subject: Pain sucks -- Want to relieve it? wants you to visit http://69.60.4.240/?p=6063 with an opt out link at http://cottrell.thawhistlesgowoo.biz/out.php
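
One way to reduce a pile of bounces like the ones quoted above to what an abuse report needs (forged senders, DSN status codes, relay IPs, and payload hosts that change from message to message), as an added Python example that is not part of the original page. The function names and the sample text are constructed for illustration, and treating the last two labels of a hostname as the registrable domain is a simplifying assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: fragments modelled on the bounces and payload list on this page.
SAMPLE = """\
>Status: 5.1.1
>Received: from [141.3.201.239]
> by 200-204-141-195.dialdata.net.br id s3jN5KG9k632
>From: "Pearlie Benjamin" [hryl2bhquj@example.com]
> http://69.60.4.240/?p=6063
> http://chalk.bubb-rubb.biz/c2.jpg
> http://musician.thawhistlesgowoo.biz/out.php
>Status: 5.1.2
>From: "Bart Stiles" [tqruglt@example.com]
> http://69.60.4.240/?p=6006
> http://beverly.bubb-rubb.biz/c2.jpg
> http://pusey.thawhistlesgowoo.biz/out.php
"""

URL_RE = re.compile(r"https?://[^\s\"'<>\]]+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^From:.*?([\w.+-]+@[\w.-]+)", re.I)
STATUS_RE = re.compile(r"^Status:\s*(\d\.\d+\.\d+)", re.I)

def triage(text, my_domain="example.com"):
    """Summarise backscatter: forged senders, DSN codes, relay IPs, payload hosts."""
    out = {"forged": set(), "status": set(), "relays": set(),
           "hosts": defaultdict(set)}
    for raw in text.splitlines():
        line = raw.lstrip("> \t")              # drop reply quoting and indentation
        if m := FROM_RE.match(line):
            if m.group(1).lower().endswith("@" + my_domain):
                out["forged"].add(m.group(1).lower())
        if m := STATUS_RE.match(line):
            out["status"].add(m.group(1))
        out["relays"].update(IP_RE.findall(line))
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = parts.hostname or ""
            labels = host.split(".")
            # Assumption: last two labels = registrable domain (no Public Suffix List).
            base = host if labels[-1].isdigit() else ".".join(labels[-2:])
            out["hosts"][(base, parts.path)].add(host)
    return out

def rotating_hosts(summary, minimum=2):
    """Clusters where several hostnames serve the same path: per-message tracking."""
    return {k: sorted(v) for k, v in summary["hosts"].items() if len(v) >= minimum}
```

Run over a whole mailbox of bounces, `rotating_hosts(triage(text))` separates the stable spamvertised address from the hostnames that vary per message, which are the ones worth listing together in a single complaint.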