Results of Experiment to ferret out the true dumbasses


Dumbass Detector

With a new mail address, I posted a single message yesterday
(September 28th) to a single newsgroup, alt.idiots.

Here is the list of email addresses and IP's from which I received the
SWEN worm through email: (In other words, here's a list of TOTAL
dumbasses):

(e-mail address removed) 195.130.225.150
(e-mail address removed) 212.166.64.98
(e-mail address removed) 159.134.118.16
(e-mail address removed) 209.29.198.119
(e-mail address removed) 205.152.59.72
(e-mail address removed) 212.216.176.222

It is rare that a chance to expose true dumbasses comes along, don't
thank me - It was my pleasure. The above users should 1) put down the
crack pipe 2) step away from the keyboard 3) UNPLUG the computer and
never plug it in again!

Thanks.
 
Dumbass Detector said:
With a new mail address, I posted a single message yesterday
(September 28th) to a single newsgroup, alt.idiots.

Here is the list of email addresses and IP's from which I received the
SWEN worm through email: (In other words, here's a list of TOTAL
dumbasses):

(e-mail address removed) 195.130.225.150
(e-mail address removed) 212.166.64.98
(e-mail address removed) 159.134.118.16
(e-mail address removed) 209.29.198.119
(e-mail address removed) 205.152.59.72
(e-mail address removed) 212.216.176.222

It is rare that a chance to expose true dumbasses comes along, don't
thank me - It was my pleasure. The above users should 1) put down the
crack pipe 2) step away from the keyboard 3) UNPLUG the computer and
never plug it in again!

....at least until such time as they install anti-virus software and make
sure they update their software with the latest virus definitions and check
out the whole system with the updated anti-virus software!!!
 
<<<my response is at the end of this>>>

With a new mail address, I posted a single message yesterday
(September 28th) to a single newsgroup, alt.idiots.
Here is the list of email addresses and IP's from which I received the
SWEN worm through email: (In other words, here's a list of TOTAL
dumbasses):
(e-mail address removed) 195.130.225.150
(e-mail address removed) 212.166.64.98
(e-mail address removed) 159.134.118.16
(e-mail address removed) 209.29.198.119
(e-mail address removed) 205.152.59.72
(e-mail address removed) 212.216.176.222
It is rare that a chance to expose true dumbasses comes along, don't
thank me - It was my pleasure. The above users should 1) put down the
crack pipe 2) step away from the keyboard 3) UNPLUG the computer and
never plug it in again!

Since I believe the last word I saw from Symantec was that the From is
forged on these, I don't think it is the case that these individuals are
the ones at fault for flushing this to the planet. (I get a dozen or
two bounces a day claiming they couldn't deliver my virus mail to a now
non-existent destination. And I ONLY use an ancient mail language called
ASCII, so I KNOW I've never been infected with this Windows virus)

However, the hosts are certainly irresponsible for allowing forged
virus spam to be flushed to the world.

Here is my morning's list of virus spewing hosts, with all the
duplicates eliminated.

012.net.il repeated requests, no sign of action
BHost.bilei2.bilei.co.jp variety of hosts in japan, no sign of action
KPNQwest.pt new one this morning, will see what happens
MH-Hannover.DE can't remember if this is new today or not
altitudetelecom.fr repeated requests, no sign of action
btfusion.com repeated requests, no sign of action
charter.net repeated requests, no sign of action
davisson.uni2.net can't remember if this is new today or not
hetnet.nl repeated requests, no sign of action
iprimus.net.au repeated requests, no sign of action
japan.japanfood.com.au variety of hosts in japan, no sign of action
optusnet.com.au repeated requests, no sign of action
rhenium.btinternet.com repeated requests, no sign of action
richardson.uni2.net can't remember if this is new today or not
rio.gov.pl repeated requests, no sign of action
rr.com repeated requests, no sign of action
singnet.com.sg dozens of requests, no sign of action
teikal.gr repeated requests, no sign of action
telenet.net.au repeated requests, no sign of action
telepac.pt repeated requests, no sign of action
tin.it ha ha ha ha... expecting tin.it to act!

and it is still early.

In a few minutes I'll drop each of these into the report tool
and ask them to:

STOP spewing virus to the world
Find your virus spewing customers and STOP them
Then fix your mailer so you refuse to pass this virus spam
Thank you
(virus binary has been cut out of this message)

I'll send this, and the de-fanged complete original message and headers
off to the abuse address for each host. On a good day I'm getting as
many as three or four host admins who realize this is a problem and
track down the real person responsible for spewing this to the world
and cut them off or clean them up.

For example, tm.net.my found and stopped their spew and thanked me.
That almost made me faint. prserv (the old spam toilet now owned by
AT&T) pulled the plug on theirs and told me, I had to have a party
for that one. Earthlink appears to have actually acted, haven't seen
spew from them in a day or two. Videotron.ca, spam toilet for western
Canada was so pissed off at my repeated requests that they stop this
that they dropped me into a blocklist, but the spew from them may have
stopped. Btconnect didn't send me a dozen today, even netvigator might
have fixed their problem.

It seems that what we are left with are the hosts that aren't going
to do anything to stop spewing this to the world unless they get an
overwhelming show of support.

If you would like to help then I suggest that everyone:

sign up with abuse.net or some other reporting aid to make it easier for you,

strip the big binary virus out of the email you send to the abuse address
at each of these hosts, that way you can't be blamed for spewing the same
virus AND we can have lots more 10kbyte complaints not fill up the inbox
than we do with 160kbyte complaints,

be brief, blunt and polite, asking them to track this down and stop it.

Maybe if enough of us do this we can get back to the usual chaos.

Thank you all for helping combat fraud and spam on the net.
(email address IS valid, been "dont" on the net since BEFORE there was spam)
and this posting should let me harvest a few hundred more of these :)
 
With a new mail address, I posted a single message yesterday
(September 28th) to a single newsgroup, alt.idiots.

Here is the list of email addresses and IP's from which I received the
SWEN worm through email: (In other words, here's a list of TOTAL
dumbasses):

(e-mail address removed) 195.130.225.150
(e-mail address removed) 212.166.64.98
(e-mail address removed) 159.134.118.16
(e-mail address removed) 209.29.198.119
(e-mail address removed) 205.152.59.72
(e-mail address removed) 212.216.176.222

I happened to be on the RIPE WHOIS when I read both posts and those
appear to be valid email addys.

He can simply use the Samspade application or site for US. and
European lookups and report them to their ISPs.

Sponge
Sponge's Anti-Spyware Source
www.geocities.com/yosponge
 
[Posted & Mailed, just to make the point -- I half expect the mailed copy to
bounce as "Unknown User".]

On 29 Sep 2003 22:10:48 -0700, in four completely unrelated newsgroups,
With a new mail address, I posted a single message yesterday
(September 28th) to a single newsgroup, alt.idiots.

Here is the list of email addresses and IP's from which I received the
SWEN worm through email: (In other words, here's a list of TOTAL
dumbasses):
[snip]

Wrong. The only thing you've "proven" is that YOU are a bigger "dumbass"
than any of the folks you accuse.

The "From:" header on any message generated by any variant of the Gibe worm
(including W32.Swen.A) is *always* forged, and is gleaned from the same
sources as the addresses it sends itself to (this is usually done by
scraping the infected host's Windows Address Book; in the specific case of
the Swen.A variant, it scrapes Usenet postings). It bears *NO* relationship
to the actual source of the worm-infected message.

Here is a spot-check, to prove the point (I've lightly munged the address
you quoted, in an effort to keep it from being further harvested):
malev[at]selamer.com 209.29.198.119
[snip]

A quick search of the <alt.privacy.spyware> newsgroups shows the
following sources for messages posted by "malev":

--> NNTP-Posting-Host: acbed4c2.ipt.aol.com (172.190.212.194)
--> NNTP-Posting-Host: acbf45fa.ipt.aol.com (172.191.69.250)
--> NNTP-Posting-Host: acbed4a5.ipt.aol.com (172.190.212.165)
--> NNTP-Posting-Host: acbaa55b.ipt.aol.com (172.186.165.91)
--> NNTP-Posting-Host: acb9fa70.ipt.aol.com (172.185.250.112)
--> NNTP-Posting-Host: acba4ad3.ipt.aol.com (172.186.74.211)

IOW, he is a standard-issue dial-up AOL user. Hold that thought.

The IP you claim for "malev" has no rDNS (PTR record) configured; but as
shown at:

<http://www.dnsstuff.com/tools/whois.ch?ip=209.29.198.119>

the netblock it belongs to is:

--> OrgName: TELUS Communications Inc.
--> OrgID: TACE
--> Address: #2600 4720 Kingsway Avenue
--> City: Burnaby
--> StateProv: BC
--> PostalCode: V5N-4N2
--> Country: CA
-->
--> NetRange: 209.29.0.0 - 209.29.255.255
--> CIDR: 209.29.0.0/16
--> NetName: TELUS-209-29-0-0
--> NetHandle: NET-209-29-0-0-1
--> Parent: NET-209-0-0-0-0
--> NetType: Direct Allocation
--> NameServer: PRI3.DNS.CA.TELUS.COM
--> NameServer: PRI4.DNS.CA.TELUS.COM
--> Comment:
--> RegDate:
--> Updated: 2002-03-27

Exactly where do you see a tie-in to AOL there?

Now you, OTOH...
From: (e-mail address removed) (Dumbass Detector)
[snip]

Using a Yahoo drop-box address.
Newsgroups: alt.idiots,
soc.culture.greek,
comp.periphs.printers,
alt.privacy.spyware,
alt.stop.spamming
[snip]

Posting to several clearly off-topic newsgroups.
Subject: Results of Experiment to ferret out the true dumbasses
Date: 29 Sep 2003 22:10:48 -0700
Organization: http://groups.google.com/
Lines: 20
Message-ID: <[email protected]>
[snip]

Posting to Usenet via the web-based "Google Groups", probably in a lame
attempt at "anonymity".
NNTP-Posting-Host: 130.94.107.164
[snip]

But actually coming from Verio, one of the top half-dozen (or less) chronic
spam sewers on the Internet. And indeed, a couple of quick lookups via:

<http://openrbl.org/ip/130/94/107/164.htm>
<http://moensted.dk/spam/?addr=130.94.107.164&Submit=Submit>

show that your posting IP is currently listed in no less than a half-dozen
different DNSbl zones.
It is rare that a chance to expose true dumbasses comes along, don't
thank me - It was my pleasure.
[snip]

So then, you're saying you *like* exposing your limitless ignorance in
public?
The above users should 1) put down the
crack pipe 2) step away from the keyboard 3) UNPLUG the computer and
never plug it in again!
[snip]

You should take your own advice, Dumbass.

On that note, there is only one thing left to say...


[ASCII art: a "PLEASE DO NOT FEED THE TROLLS -- Thank you, Management" sign beside a troll figure; the drawing did not survive extraction]


--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net


"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
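Two of the replies above describe the same defensive procedure: the "From:" on a Swen message is forged and must be ignored, the real source is the host that handed the message to your own mail servers (the Received: chain), and the binary has to be stripped before the message is pasted into an abuse complaint. The script below is an added example, not code from any poster in this thread; the sample message, every hostname and IP address in it (documentation ranges only), the attachment bytes and the set of "trusted MTA" names are all constructed placeholders.

```python
"""
Added example: recover the real injecting host of a worm-style message from its
Received: chain (ignoring the forged From:) and build a de-fanged abuse report
with binary attachments removed.  All data below is constructed sample data.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Set, Tuple

# Hostnames of the mail servers *we* operate.  Only Received: lines written by
# these hosts can be believed; anything below them may have been written by the
# sender.  (Placeholder names.)
TRUSTED_MTAS: Set[str] = {"mx.example.org", "mail.example.org"}

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)   # "by <host>" clause
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")     # IP the MTA recorded


def build_sample() -> bytes:
    """Constructed Swen-style message: forged From:, .exe payload, three hops."""
    msg = EmailMessage()
    # Each MTA prepends its own line, so the topmost Received: is the latest hop.
    msg["Received"] = ("from mail.example.org (mail.example.org [198.51.100.7]) "
                       "by mx.example.org with ESMTP; Mon, 29 Sep 2003 10:02:11 -0700")
    msg["Received"] = ("from dsl-203-0-113-45.isp.example ([203.0.113.45]) "
                       "by mail.example.org with SMTP; Mon, 29 Sep 2003 10:02:09 -0700")
    # Constructed forged hop: written by the sender to blame the From: domain.
    msg["Received"] = ("from harvested.victim.example.net ([192.0.2.99]) "
                       "by relay.victim.example.net with SMTP; Mon, 29 Sep 2003 10:01:00 -0700")
    msg["From"] = "harvested.victim@example.net"   # forged; scraped from Usenet
    msg["To"] = "you@example.org"
    msg["Subject"] = "Latest Microsoft Security Update"
    msg.set_content("Install this patch to protect your computer.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,   # fake PE stub, constructed
                       maintype="application", subtype="octet-stream",
                       filename="Update.exe")
    return msg.as_bytes()


def origin_ip(raw: bytes, trusted_mtas: Set[str]) -> Optional[str]:
    """Walk Received: lines from our own MX downwards; return the peer address
    recorded by the last hop we control.  Lines written by hosts we do not
    control are skipped, because the sender can fabricate them."""
    msg = message_from_bytes(raw, policy=policy.default)
    origin = None
    for hop in msg.get_all("Received", []):
        by = BY_RE.search(hop)
        if by is None or by.group(1).lower() not in trusted_mtas:
            break                      # first line not written by us: stop
        ip = IP_RE.search(hop)
        if ip:
            origin = ip.group(1)       # address our MTA saw on the wire
    return origin


def defang(raw: bytes) -> Tuple[str, List[str]]:
    """Return (message with full headers but binaries removed, stripped names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    stripped = [f"{a.get_filename() or '(unnamed)'} ({a.get_content_type()}, "
                f"{len(a.get_payload(decode=True))} bytes)"
                for a in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    msg.clear_content()                # drops the multipart payload and Content-* headers
    msg.set_content(text + "\n[binary attachment(s) removed before forwarding]\n")
    return msg.as_string(), stripped   # Received:, From:, Subject: etc. survive


def abuse_report(raw: bytes, trusted_mtas: Set[str]) -> str:
    """Short, blunt complaint text plus the de-fanged original."""
    ip = origin_ip(raw, trusted_mtas) or "(could not be determined)"
    clean, stripped = defang(raw)
    return "\n".join([
        f"Worm-infected mail was injected into our mail system from {ip}.",
        "The From: address is forged by the worm and is NOT the sender.",
        "Please locate the infected customer behind that address and stop it.",
        "Binary attachment(s) removed: " + (", ".join(stripped) or "none"),
        "",
        "--- de-fanged original message with full headers ---",
        clean,
    ])


if __name__ == "__main__":
    print(abuse_report(build_sample(), TRUSTED_MTAS))
```

The trusted-host check is the part that matters: walking the chain to the bottom line would return 192.0.2.99, the address written into the constructed forged hop, while stopping at the last line our own server wrote returns 203.0.113.45, the host that actually connected to us.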
 
[Posted & Mailed, just to make the point -- I half expect the mailed copy
to bounce as "Unknown User".]
[snip]

Well, I was *almost* right on that one...

--> With reference to your message with the subject:
--> "Re: Results of Experiment to ferret out the true dumbasses"
-->
--> The local mail transport system has reported the following problems
--> it encountered while trying to deliver your message:
-->
--> -------------------------------------------------------------------
--> *** (e-mail address removed)
--> 554 delivery error: dd Sorry, your message to
--> (e-mail address removed) cannot be delivered.
--> This account is over quota. - mta206.mail.scd.yahoo.com
--> -------------------------------------------------------------------

;-)


--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
 