QWest.net email spam forging whitis.com addresses.

On 7/1/2003 I received a bounce message from Hotmail, sent to a nonexistent address at whitis.com. The reason I am receiving the bounce is that a spammer has been forging made-up whitis.com addresses into their spam. I have emailed complaints to abuse@qwest.net and abuse@qwestip.net, but other than auto-responses, I have received no response.

Several days after I sent my first complaint about this domain forgery, I received another bounce message. (I received that one on 7/5/2003.) The spammer is continuing to spam, and their site is still live. And they are still forging whitis.com email addresses. (They continued through July, and then stopped.)

That means that QWest has no intention of stopping the spammer who is falsely implicating me when they send their spam.

Both spams originated in Qwest netspace, at 65.114.31.158.

Both spams want the recipient to click-through to a website at http://65.114.31.5/members/freetrip, and attempt to show a .gif located at http://65.114.31.5/members/freetrip/vm628.gif. Again, this is QWest netspace. The spammer claims to be giving away free vacations.

Hotmail is sending me bounce messages, but they are in no way involved in sending the spam. They should, however, be aware that a spammer in QWest netspace is sending forged email spam to Hotmail users from IP address 65.114.31.158.

I am considering legal action. This page will remain up until QWest assures me that they have removed the spammer from their system, and the spamvertised website no longer resolves.

Using groups.google.com to search, I can see that other domains have also been forged by this same spammer: FahQ2.com, trippin.com, and livius.net, for instance.

QWest seems to be ignoring them, just as they are ignoring me.

Using spam reports and groups.google.com, I find one spam that leads to a very similar website (free vacations, etc.) at http://65.114.31.5/members/tickets/. That site gives a contact email address, questions@travelpromo.us. That would seem to indicate that travelpromo.us is the culprit. However, that domain no longer resolves. There are several spam complaints which mention that domain name available via groups.google.com.

To contact me, send an email to "abuse@" and add my domain, whitis.com.

The email bounces that I received are shown below.

First email bounce.

Return-path: <>
Envelope-to: annabella_reed@whitis.com
Delivery-date: Tue, 01 Jul 2003 08:02:12 -0400
Received: from [65.54.165.17] (helo=mc9-s8.bay6.hotmail.com)
    by JustThe.net with esmtp (Exim 4.14)
    id 19XJps-0005Uo-0A
    for annabella_reed@whitis.com; Tue, 01 Jul 2003 08:02:12 -0400
Received: from mc9-f22.bay6.hotmail.com ([65.54.166.29]) by mc9-s8.bay6.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
    Tue, 1 Jul 2003 05:01:41 -0700
From: postmaster@mail.hotmail.com
To: annabella_reed@whitis.com
Date: Tue, 1 Jul 2003 05:01:41 -0700
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="9B095B5ADSN=_01C33F45C33BA6D9000125ABmc9?f22.bay6.hot"
Message-ID: [hDy5P7LHm00010b5f@mc9-f22.bay6.hotmail.com]
Subject: Delivery Status Notification (Failure)
X-OriginalArrivalTime: 01 Jul 2003 12:01:41.0539 (UTC) FILETIME=[88AA7F30:01C33FC8]
X-Spam-Score: 4.4 (++++)
 
This is an automatically generated Delivery Status Notification.
 
Delivery to the following recipients failed.
 
annabella_reed@hotmail.com
 
 
Reporting-MTA: dns;mc9-f22.bay6.hotmail.com
Received-From-MTA: dns;mail51.whitis.com
Arrival-Date: Tue, 1 Jul 2003 05:01:40 -0700
 
Final-Recipient: rfc822;annabella_reed@hotmail.com
Action: failed
Status: 5.2.3
Received: from mail51.whitis.com ([65.114.31.158]) by mc9-f22.bay6.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
    Tue, 1 Jul 2003 05:01:40 -0700
Importance: Normal
Date: Tue, 01 Jul 2003 07:56:10 -0500
Message-Id: [3cqa4ncx.xr0vu.annabella_reed@whitis.com]
To: annabella_reed@hotmail.com
Received: from mail51.whitis.com [65.114.31.158] by 50ys9w7tf0ao6.mail51.whitis.com with SMTP; Tue, 01 Jul 2003 07:56:10 -0500
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook IMO, Build 9.0.89 (9.0.2910.0)
Subject: congrats
Return-Path: annabella_reed@whitis.com
From: DONG[annabella_reed@whitis.com]
Content-Type: text/html; charset="us-ascii"
X-OriginalArrivalTime: 01 Jul 2003 12:01:41.0217 (UTC) FILETIME=[88795D10:01C33FC8]
 
 

The second email bounce.

Return-path: <>
Envelope-to: jsteer@whitis.com
Delivery-date: Fri, 04 Jul 2003 22:31:59 -0400
Received: from [65.54.165.23] (helo=mc9-s14.bay6.hotmail.com)
    by JustThe.net with esmtp (Exim 4.14)
    id 19YcqE-00053k-Pq
    for jsteer@whitis.com; Fri, 04 Jul 2003 22:31:58 -0400
Received: from mc9-f19.bay6.hotmail.com ([65.54.166.26]) by mc9-s14.bay6.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
    Fri, 4 Jul 2003 19:31:27 -0700
From: postmaster@mail.hotmail.com
To: jsteer@whitis.com
Date: Fri, 4 Jul 2003 19:31:03 -0700
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="9B095B5ADSN=_01C34269F14095DB00005677mc9?f19.bay6.hot"
Message-ID: [r1LfVOBqA00004c07@mc9-f19.bay6.hotmail.com]
Subject: Delivery Status Notification (Failure)
X-OriginalArrivalTime: 05 Jul 2003 02:31:27.0359 (UTC) FILETIME=[8913F0F0:01C3429D]
 
This is an automatically generated Delivery Status Notification.
 
Delivery to the following recipients failed.
 
jsteer@hotmail.com
 
 
 
Reporting-MTA: dns;mc9-f19.bay6.hotmail.com
Received-From-MTA: dns;mail22.whitis.com
Arrival-Date: Fri, 4 Jul 2003 19:31:02 -0700
 
Final-Recipient: rfc822;jsteer@hotmail.com
Action: failed
Status: 5.2.3
Received: from mail22.whitis.com ([65.114.31.158]) by mc9-f19.bay6.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
    Fri, 4 Jul 2003 19:31:02 -0700
Date: Fri, 04 Jul 2003 22:25:25 -0500
X-Mailer: Microsoft Outlook IMO, Build 9.0.52 (9.0.2910.0)
Return-Path: jsteer@whitis.com
Received: from mail22.whitis.com [65.114.31.158] by vv6t9y07475jk.mail22.whitis.com with SMTP; Fri, 04 Jul 2003 22:25:25 -0500
From: IONA[jsteer@whitis.com]
X-Sender: IONA[jsteer@whitis.com]
Content-Transfer-Encoding: 7BIT
Content-Type: text/html; charset=us-ascii
X-Priority: 3 (Normal)
To: jsteer@hotmail.com
Importance: Normal
Subject: get rested
Message-Id: [08p62k7y776efpum9r.uc7pkposir4l2mbg.jsteer@whitis.com]
X-OriginalArrivalTime: 05 Jul 2003 02:31:02.0819 (UTC) FILETIME=[7A736F30:01C3429D]
 

Both emails contained HTML attempting to direct people to http://65.114.31.5/members/freetrip, and displaying a graphic (if you allow your email program to do such silly and risky things) at http://65.114.31.5/members/freetrip/vm628.gif.

That code is shown below, between the "clips". Be aware that if you click on the link below, you will be taken to the spammer's website. Don't do that unless you are sure your system is secure.

BEGIN CLIP

WCRTOHKWTWBXISEKGNQ:8CAE5284A041E91BC5648CBA6588A3AE5587B46682A959CA6C9849:63409071342106130250

DBRRLWYOWDGSKFHX:8CAE5284A041E91BC5648CBA6588A3AE5587B46682A959CA6C9849:6817396247283174596

END CLIP
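
How the originating address 65.114.31.158 is read out of the bounces shown above, as an added example that is not part of the original page: only the Received line written by the Reporting-MTA (Hotmail) is trusted, and the peer IP in it is compared with the domain's real outbound servers. The function names and the OWN_OUTBOUND placeholder network are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: lines copied from the first bounce on this page, with the
# folded date line re-indented as it would be in the raw message.
BOUNCE = """\
Reporting-MTA: dns;mc9-f22.bay6.hotmail.com
Received-From-MTA: dns;mail51.whitis.com
Received: from mail51.whitis.com ([65.114.31.158]) by mc9-f22.bay6.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
 Tue, 1 Jul 2003 05:01:40 -0700
Received: from mail51.whitis.com [65.114.31.158] by 50ys9w7tf0ao6.mail51.whitis.com with SMTP; Tue, 01 Jul 2003 07:56:10 -0500
Return-Path: annabella_reed@whitis.com
"""

# Assumption: networks the forged domain really sends mail from. 192.0.2.0/24
# is a documentation range used as a placeholder; the page does not list them.
OWN_OUTBOUND = [ipaddress.ip_network("192.0.2.0/24")]

RECEIVED = re.compile(r"from\s+(\S+)\s+\(?\[([0-9.]+)\]\)?\s+by\s+(\S+)", re.I)

def unfold(text):
    """Join folded header lines (continuation lines start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", text).splitlines()

def trusted_hop(bounce):
    """Return (helo_name, peer_ip) from the Received line the Reporting-MTA wrote.

    That line is the only one stamped by a server outside the sender's control;
    the HELO name in it, other Received lines and Return-Path are sender-supplied.
    """
    lines = unfold(bounce)
    mta = next((l.split(";", 1)[1].strip().lower() for l in lines
                if l.lower().startswith("reporting-mta:") and ";" in l), None)
    for line in lines:
        m = RECEIVED.search(line) if line.lower().startswith("received:") else None
        if m and mta and m.group(3).lower() == mta:
            return m.group(1), m.group(2)
    return None

def classify(bounce, own_networks=OWN_OUTBOUND):
    """Decide whether a bounce is for our own mail or for a forged sender."""
    hop = trusted_hop(bounce)
    if hop is None:
        return ("unknown", None, None)
    helo, ip = hop
    ours = any(ipaddress.ip_address(ip) in net for net in own_networks)
    return ("own-mail" if ours else "forged-sender-backscatter", ip, helo)

if __name__ == "__main__":
    print(classify(BOUNCE))
```

The HELO name in the result claims whitis.com, but the peer IP recorded by Hotmail does not belong to the domain's own servers, which is what marks the bounce as backscatter from a forged sender.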