Spammers take revenge – "Joe jobs" against joewein.de
We don't send spam, we fight spam. Obviously this doesn't make us very popular with spammers whose websites get listed on our spam domain list. As a result, one or more spammers have done a total of four "Joe jobs" on us so far. A "Joe job" is a spam run that uses a fake sender address and/or content "advertising" the victim, making it look like an innocent person was the originator of the mail. The intention is to cause trouble for that person (more info about "Joe Jobs" here). The most recent batch went out on 2005-07-23 and (as of 2005-07-28) seems to be continuing. The spam was sent using a bulk email program called DMS ("Direct Mail Sender"), written by Alexey Panov, who ranks in the top ten of the Spamhaus ROKSO list. Here is an example of this spam:
From: "Stagger I. Unhooked" <autoconf@kyokofukada.net>

Below are some message headers from spam forwarded to us, which list the infected hosts from which the spam was sent. You can see that some are addressed to a1aaa1azzzz1zaaaaa@domain, an address that is unlikely to exist on those mailservers. These mails will be delivered to the "catch all" account on the server, if enabled, which is normally read by the administrator of the host. It is as if the spammer was specifically trying to get administrators upset about our website, maybe because he thought they would know how to contact the abuse handling department of our webhoster. Normal users, if they send any complaints at all, tend to either write directly to a contact address listed on the advertised website or complain to the abuse department for the sender address (which is fake in this case). Therefore I think the spammer was trying to get our website suspended. The more likely outcome, however, is that the spam gang will lose many of the DMS proxies via which the spam was sent, as the admins report the DMS proxies to the abuse departments in charge of the abused hosts.

A number of other anti-spam sites or personal sites of anti-spam activists were targeted by Joe jobs during the last couple of months. These include:

c51449b22.cable.wanadoo.nl (Netherlands):
Received: from crewstart.com (c51449b22.cable.wanadoo.nl [81.68.155.34])
    by hostname (8.9.3-A/8.9.3) with SMTP id VAA08519.37078
    for <emailaddress> sent by <greenwood@evafan.com>; Sun, 24 Jul 2005 21:13:14 -0500 (CDT)
X-Authentication-Warning: hostname: Host c51449b22.cable.wanadoo.nl [81.68.155.34] claimed to be crewstart.com
Received: from evafan.com (evafan.com [216.152.252.58])
    by crewstart.com (Postfix) with ESMTP id 817C6687AA
    for <emailaddress>; Sat, 23 Jul 2005 23:16:23 -0500
From: "Crucifixes U. Ampler" <greenwood@evafan.com>
To: Username <emailaddress>
Subject: Hi dear
Date: Sat, 23 Jul 2005 23:16:23 -0500
Message-ID: <001001c59006$2931d486$fa5b060c@evafan.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway

200-171-190-136.dsl.telesp.net.br (São Paulo, Brasil):
Received: from 200-171-190-136.dsl.telesp.net.br ([200.171.190.136])
    by mail.powerviewsystems.com (Merak 8.2.2) with SMTP id KME38518 for

222.96.121.165 (KORNET, South Korea):
Return-Path: <tanghus@mail.com>
Received: from futbolamericano.com ([222.96.121.165])
    by mailserver4.nebula.fi (8.12.10/8.12.10) with SMTP id j6P5Id5T023332
    for <a1aaa1azzzz1zaaaaa@domain>; Mon, 25 Jul 2005 08:18:42 +0300
Received: from mail.com (mail-com-bk.mr.outblaze.com [64.71.166.194])
    by futbolamericano.com (Postfix) with ESMTP id 2C32445668
    for <a1aaa1azzzz1zaaaaa@domain>; Sun, 24 Jul 2005 19:21:40 -0500
From: "Ransomed I. Jason" <tanghus@mail.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Sun, 24 Jul 2005 19:21:40 -0500
Message-ID: <101101c590ae$3fe02c44$fb6e1c3c@mail.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-Virus-Scanned: Norton

cpc2-ruth1-5-0-cust111.renf.cable.ntl.com:
Return-Path: <fliptop@guanajuato.com>
Received: from cpc2-ruth1-5-0-cust111.renf.cable.ntl.com ([80.5.137.111] verified)
    by X (CommuniGate Pro SMTP 4.3.5) with SMTP id 8636265
    for X; Sun, 24 Jul 2005 02:15:58 +0200
Received: from guanajuato.com (guanajuato-com-bk.mr.outblaze.com [64.62.181.94])
    by cpc2-ruth1-5-0-cust111.renf.cable.ntl.com (Postfix) with ESMTP id 0B142AA183
    for <X>; Sat, 23 Jul 2005 14:18:49 -0500
From: "Preteen V. Slathering" <fliptop@guanajuato.com>
To: X <X>
Subject: Hi dear
Date: Sat, 23 Jul 2005 14:18:49 -0500
Message-ID: <101101c58fbb$98272312$1adaa87e@guanajuato.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: cpc2-ruth1-5-0-cust111.renf.cable.ntl.com
X-Antivirus: AVG for E-mail 7.0.338 [267.9.4]

ip-sv.66.249.195.124.telefonica-ca.net:
Return-path: <amck@google.com>
Envelope-to: emailaddress
Delivery-date: Mon, 25 Jul 2005 01:44:43 +0100
Received: from [66.249.195.124] (helo=ip-sv.66.249.195.124.telefonica-ca.net)
    by emailhost with smtp (Exim 4.24) id 1Dwr5G-000C1h-Vq
    for emailaddress; Mon, 25 Jul 2005 01:44:43 +0100
Received: from google.com (smtp3.google.com [216.239.57.26])
    by ip-sv.66.249.195.124.telefonica-ca.net (Postfix) with ESMTP id 8F46B44695
    for <emailaddress>; Sat, 23 Jul 2005 21:48:26 -0500
From: "Rebuff I. Naturalists" <amck@google.com>
To: Freespirit <emailaddress>
Subject: Hi dear
Date: Sat, 23 Jul 2005 21:48:26 -0500
Message-ID: <101101c58ffa$1c0211ef$463fe251@google.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: ip-sv.66.249.195.124.telefonica-ca.net

68-112-75-197.dhcp.jcsn.tn.charter.com (USA):
Received: from 68-112-75-197.dhcp.jcsn.tn.charter.com (HELO 68-112-75-197.dhcp.jcsn.tn.charter.com) [68.112.75.197]
    by mx0.gmx.net (mx057) with SMTP; 25 Jul 2005 02:45:18 +0200
Received: from prodigy.com (prodigy.com [207.115.61.104])
    by 68-112-75-197.dhcp.jcsn.tn.charter.com (Postfix) with ESMTP id 6814B3F431
    for xxxxx@gmx.xx; Sat, 23 Jul 2005 21:49:01 -0500
From: "Carcinomata C. Villainous" rdkeys@prodigy.com
To: xxxxx@gmx.xx
Subject: Hi dear
Date: Sat, 23 Jul 2005 21:49:01 -0500
Message-ID: <010001c58ffa$29dbf7ff$c89abb55@prodigy.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: 68-112-75-197.dhcp.jcsn.tn.charter.com

j28107.upc-j.chello.nl:
X-Envelope-From: <msingh@queretaro.com>
X-Envelope-To: <a1aaa1azzzz1zaaaaa@domain>
X-Delivery-Time: 1122490519
Received: from j28107.upc-j.chello.nl (j28107.upc-j.chello.nl [24.132.28.107])
    by mailin.webmailer.de (8.13.1/8.13.1) with SMTP id j6RItFSk026883
    for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 20:55:18 +0200 (MEST)
Received: from queretaro.com (queretaro-com.mr.outblaze.com [205.158.62.181])
    by j28107.upc-j.chello.nl (Postfix) with ESMTP id 0BF3DCF2F9
    for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 08:58:01 -0500
From: "Bleakly P. Newsstands" <msingh@queretaro.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Wed, 27 Jul 2005 08:58:01 -0500
Message-ID: <100101c592b3$912f5799$3971bd76@queretaro.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway

Hi Try jwSpamSpy, our spam filter for POP3 mailboxes. We use it to track spammers and scammers. Free full featured 30 day evaluation version available! https://joewein.de/

static61.17.27-203.vsnl.eth.net (India):
Received: from [61.17.27.203] (helo=static61.17.27-203.vsnl.eth.net)
    by mailhost with smtp (Exim 4.52) id 1Dy52u-0006c3-Hg
    for a1aaa1azzzz1zaaaaa@domain; Thu, 28 Jul 2005 11:51:22 +0200
Received: from norika-fujiwara.com (norika-fujiwara-com-bk.mr.outblaze.com [208.36.123.75])
    by static61.17.27-203.vsnl.eth.net (Postfix) with ESMTP id 25950A25A4
    for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 23:54:06 -0500
From: "Smiths D. Authorship" <tug@norika-fujiwara.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Wed, 27 Jul 2005 23:54:06 -0500
Message-ID: <110001c59330$2a9feddb$f088b5b5@norika-fujiwara.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
X-Virus-Scanned: Symantec AntiVirus Scan Engine
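
One way to triage such a sample, as an added example that is not code from joewein.de: it parses the KORNET headers quoted above, treats only the Received field written by the recipient's own server as trustworthy, and reports the connecting IP (the host whose abuse desk should be notified) separately from the forged sender domain. The function names and the `trusted_hops` parameter are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# KORNET sample from this page, re-folded one header field per line.
RAW = """\
Return-Path: <tanghus@mail.com>
Received: from futbolamericano.com ([222.96.121.165])
 by mailserver4.nebula.fi (8.12.10/8.12.10) with SMTP id j6P5Id5T023332
 for <a1aaa1azzzz1zaaaaa@domain>; Mon, 25 Jul 2005 08:18:42 +0300
Received: from mail.com (mail-com-bk.mr.outblaze.com [64.71.166.194])
 by futbolamericano.com (Postfix) with ESMTP id 2C32445668
 for <a1aaa1azzzz1zaaaaa@domain>; Sun, 24 Jul 2005 19:21:40 -0500
From: "Ransomed I. Jason" <tanghus@mail.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Sun, 24 Jul 2005 19:21:40 -0500

"""

PROBE_LOCALPART = "a1aaa1azzzz1zaaaaa"  # catch-all probe address named on the page
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def stamp(received):
    """Timestamp a Received field carries after its final ';'."""
    return parsedate_to_datetime(received.rsplit(";", 1)[1].strip())


def first(pattern, text):
    """Group 1 of the first match, lower-cased, or None."""
    m = re.search(pattern, text or "", re.I)
    return m.group(1).lower() if m else None


def analyse(raw, trusted_hops=1):
    """Separate what our own MTA recorded from what the sender supplied.

    trusted_hops (assumption): number of Received fields, counted from the
    top, that were written by servers the recipient controls.
    """
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    if len(hops) < trusted_hops:
        raise ValueError("fewer Received fields than trusted hops")
    boundary = hops[trusted_hops - 1]   # written by the recipient's edge MTA
    forged = hops[trusted_hops:]        # below the boundary: sender-supplied
    inner = forged[0] if forged else None
    helo = first(r"helo[= ]([^\s)]+)", boundary) or first(r"^from\s+(\S+)", boundary)
    ip = BRACKETED_IP.search(boundary)
    return {
        "report_ip": ip.group(1) if ip else None,  # whose abuse desk to notify
        "helo": helo,                              # name the client claimed
        "from_domain": parseaddr(msg["From"])[1].rpartition("@")[2].lower(),
        "untrusted_hops": len(forged),
        "catch_all_probe": first(r"\bfor\s+<?([^@>;\s]+)@", boundary) == PROBE_LOCALPART,
        # In the samples on this page the fake hop names the HELO as its "by" host
        "inner_by_is_helo": helo is not None and first(r"\bby\s+(\S+)", inner) == helo,
        # ... and repeats the Date header's timestamp exactly.
        "inner_stamp_is_date": bool(inner and msg["Date"])
        and stamp(inner) == parsedate_to_datetime(msg["Date"]),
    }
```

For mail that passes through two of the recipient's own servers, as in the xtra.co.nz sample further down this page, pass `trusted_hops=2`.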

Joe job on 2004-02-27

Previous emails were sent by (as yet) unknown person(s) to thousands of recipients on 16 December 2003 at 07:55 UTC, trying to make us look like spammers. Another batch, with a different message body and a different sender, was sent on 19 December 2003. Providers in both Argentina and Hong Kong were used for the first spam. The second batch was sent via Comcast, a provider in the USA. This last mail used as a fake sender address the mail abuse handler of the company that hosts our website. Therefore all error messages for undeliverable spam ended up going to our web hoster. If I really was a spammer I'd have to be pretty stupid to dump all spam bounces onto my own webhoster...

The bulk mailer employed in all these spams is quite rare - in fact, we only have five previous specimens of it in our 100,000-odd item spam archive, all five sent in November or December of 2003. We suspect that the sender of the "Joe job" and the sender of one or more of these spam mails is the same person. If you have received any spams using this bulk emailer, send us a copy!

Return-Path: <joewein@pobox.com>
Received: (qmail 29016 invoked from network); 27 Feb 2004 02:34:39 -0000
Received: from dhcp0062.hse.resnet.group.upenn.edu (HELO 604-740-3744) (165.123.166.142)
    by ############### with SMTP; 27 Feb 2004 02:34:39 -0000
From: joewein@pobox.com
To: #####@########
Date: Thu, 26 Feb 2004 18:39:22 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text

=3Chtml=3E
=3Cbody=3E
Kostspieliger Webhosting Kosten Sie unten erhalten=3F Habe ich erhielt=
einer L=C3=B6sung f=C3=BCr Sie freies Webhosting gerechtes email ich an joewein=40pobox=2Ecom=2E Oder besuchen Sie meine Webseite an http=3A=2F=
=2Fwww=2Ejoewein=2Ede!
Sie k=C3=B6nnen nicht von dieser verschickenden Liste entfernt werden=2E Sie werden email von mir einmal t=C3=A4glich f=C3=
=BCr die folgenden 3 Monate wie pro unsere Vereinbarung erhalten=2E Bester Respekt=2C Joe Wein
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fizu=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fshig1=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fyukiko1=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fsab1=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fgue2=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fgue1=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Furoma2=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fneuschwanstein=
=2Ejpg=22 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Faftca2=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Frunning=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fjumbo=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fshin5=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax6=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax7=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Ffritz=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3C=2Fbody=3E
=3C=2Fhtml=3E

Version #3 (19-Dec-2003):

Return-Path: <abuse@schlund.de>
X-Flags: 0000
Delivered-To: GMX delivery to ####@gmx.net
Received: (qmail 767 invoked by uid 65534); 20 Dec 2003 09:11:13 -0000
Received: from c-24-9-163-244.client.comcast.net (EHLO shawmail-cg-shawcable-net) (24.9.163.244)
    by mx0.gmx.net (mx024-rz3) with SMTP; 20 Dec 2003 10:11:13 +0100
From: abuse@schlund.de
To: #####@gmx.net
Subject: Visit my Anti-spam site
Date: Fri, 19 Dec 2003 18:53:33 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text
Message-ID: <20031220091114.826gmx1@mx024-rz3.gmx.net>
X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)
X-GMX-Antispam: -2 (not scanned, spam filter disabled)

=3Chtml=3E
=3Chead=3E
=3Ctitle=3EUse my site=3C=2Ftitle=3E
=3C=2Fhead=3E
=3Cbody=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3E =3B =3B =
=3B How this list is compiled=3A Every email sent to our mailboxes is analyzed by our spam filter software=
=2E It extracts and inspects the domain names in all mail sent to us that meets a sufficient number of criteria that are typical for spam=2E=
We then perform whois-lookups =28see whois log=29 and Google searches on these domains=2C as we seek to minimize the risk of missing=
legitimate mail from legitimate domains=2E Updates If you want to be automatically notified about additions to this list=2C=
send an e-mail to=3A dbl-update-subscribe=40yahoogroups=2Ede You can unsubscribe at any time=2E We won't share your address with anyone=
or use it for any other purpose=2E Notice=3A A listing here does not imply that we recommend anyone to block any mail=
involving these domains=2C only that we at joewein=2Ede chose to filter all such mail=2E If you find the following list useful=2C please=
add a link to it on your website=2E Thanks!
Spam filtering software We are currently developing a product to help prevent spam from reaching=
your email intray=3A jwSpamSpy - email spam filter for POP3 mailboxes Links=3A Whois-Details of recently blacklisted domains 419-Scam Hall of Shame =28=22Nigerian Scam=22=29
=3C=2Ffont=3E
=3C=2Fp=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3EI have a great deal for=
you on all CK Tommy and all great designer clothing at bargain prices!
=3C=2Ffont=3E=3C=2Fp=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3EBest Regards=2C Joe=3C=
=2Ffont=3E=3C=2Fp=3E
=3Ca href=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=22 target=3D=22=5Fblank=22=
onmouseover=3D=22window=2Estatus=3D'http=3A=2F=2Fwww=2Ejoewein=2Ede'=
=3Breturn true=3B=22 onmouseout=3D=22window=2Estatus=3D' '=3Breturn true=3B=22=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fweinfam=2Ejpg=22=
width=3D=22250=22 height=3D=22250=22 alt=3D=22http=3A=2F=2Fwww=2Ejoewein=
=2Ede=22 border=3D=220=22=3E=3C=2Fa=3E
=3C=2Fbody=3E

Version #2 (16-Dec-2003):

Received: from [218.253.48.203] (helo=shawmail-cg-shawcable-net)
    by mx22.web.de with esmtp (WEB.DE 4.99 #566) id 1AWHtM-0007Y4-00
    for xxxxxxxx@web.de; Tue, 16 Dec 2003 17:17:49 +0100
From: postmaster@joewein.de
To: xxxxxxx@web.de
Subject: Visit our site
Date: Tue, 16 Dec 2003 05:42:53 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: Message text
Message-Id:

Version #1 (16-Dec-2003):

Received: from mta3-rme.xtra.co.nz ([210.86.15.143])
    by mta205-rme.xtra.co.nz with ESMTP id <20031216075509.IDBN7964.mta205-rme.xtra.co.nz@mta3-rme.xtra.co.nz>
    for <#########@team.xtra.co.nz>; Tue, 16 Dec 2003 20:55:09 +1300
Received: from shawmail-cg-shawcable-net ([200.63.144.121])
    by mta3-rme.xtra.co.nz with ESMTP id <20031216075507.CJWR4025.mta3-rme.xtra.co.nz@shawmail-cg-shawcable-net>
    for <#########@team.xtra.co.nz>; Tue, 16 Dec 2003 20:55:07 +1300
From: webmaster@joewein.de
To: #########@team.xtra.co.nz
Subject: Visit our site
Date: Mon, 15 Dec 2003 23:52:52 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: Message text
Message-Id: <20031216075507.CJWR4025.mta3-rme.xtra.co.nz@shawmail-cg-shawcable-net>

We are getting bigger and better visit our site today! http=3A=2F=2Fwww=2Ejoewein=2Ede

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2003-12-16 07:50:28 (BRST -02:00)

inetnum: 200.63.144/23
status: reallocated
owner: Telefonica de Argentina
ownerid: AR-TEAR7-LACNIC
responsible: Marcelo A. Muñoz
address: Defensa, 390, Piso 5
address: 1065 - Buenos Aires - CF
country: AR
phone: +54 11 4-3335509 []
owner-c: TEA
tech-c: TEA
created: 20030916
changed: 20030916
inetnum-up: 200.63.128/18

nic-hdl: TEA
person: TELEFONICA DE ARGENTINA
e-mail: tasamail@TELEFONICA.COM.AR
address: H. Yrigoyen 1556 - 8th floor, 1556,
address: 1089 - Capital Federal - BA
country: AR
phone: +54 11 4332-2364 []
created: 20030618
changed: 20030915

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

inetnum: 218.252.0.0 - 218.255.255.255
netname: HKCABLE-HK
descr: HK Cable TV Ltd
descr: Cable Multi-Media Services
country: HK
admin-c: AD23-AP
tech-c: AD23-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-ICABLE
remarks: include previous allocations
changed: hm-changed@apnic.net 20030922
status: ALLOCATED PORTABLE
source: APNIC

person: administrator dns
address: 12/F., Cable TV Tower,
address: 9 Hoi Shing Road,
address: Tsuen Wan,
address: N.T.,
address: HK
country: HK
phone: +852-2112-7516
fax-no: +852-2112-7977
e-mail: dnsadmin@cms.hkcable.com
nic-hdl: AD23-AP
mnt-by: MAINT-HK-ICABLE
changed: dnsadmin@cms.hkcable.com 20000811
source: APNIC

OrgName: University of Pennsylvania
OrgID: UNIVER-8
Address: 3401 Walnut Street
Address: Suite 221A
City: Philadelphia
StateProv: PA
PostalCode: 19104-6228
Country: US

NetRange: 165.123.0.0 - 165.123.255.255
CIDR: 165.123.0.0/16
NetName: UPENN-LANSUB
NetHandle: NET-165-123-0-0-1
Parent: NET-165-0-0-0-0
NetType: Direct Assignment
NameServer: NOC3.DCCS.UPENN.EDU
NameServer: NOC2.DCCS.UPENN.EDU
NameServer: DNS1.UDEL.EDU
NameServer: DNS2.UDEL.EDU
Comment:
RegDate: 1993-05-28
Updated: 2001-04-30

A Google search found the same IP address already listed for spamming on a Japanese website on February 26, 2004, i.e. the day before the Joe job against us was sent:

The most recent Joe Job tried to display 16 pictures from our website in order to drive up our web hosting bill. We responded by moving those pictures and replacing one of the images with a file that includes the following message: