Less than one week after the Dean campaign terminated emailresponse.net (and apparently one other outsourced email service bureau), a new spam run started. The spam run was initially obscured by a minor power outage in the Northeast that happened the same day that the spam run started. I must confess that as a resident of Upstate New York, I was more than a little preoccupied Friday night.
The Dean campaign's internal investigation suggests that this new campaign was not their responsibility; they terminated their (spamming) contractors on 8/12/2003 and have not retained any new email contractors as of this writing (8/17/2003). The current working theory is that the Dean campaign is being "joe jobbed". As of yet there is no proof as to who might be joe jobbing the Dean campaign, but there are some theories. If someone actually is, then they are apparently breaking Federal Election laws. I rather expect that I'll be updating this page periodically as the story evolves.
Note that on the surface, there seem to be two different actors spamming here. Accordingly, I will break down the two spams separately -- but don't skip the punchline at the end of the page.
I am in possession of several copies of the spam in question. I have chosen to publish this one (courtesy of Dave Lugo); it is generally similar to the other samples I have received.
Return-path: <amfordeank7@netdirectpermission.com>
Received: from netdirectpermission.com
(mail.netdirectpermission.com [208.254.69.154:25])
by mc.sc1.ummail.com with SMTP id E0815-1817-2e1800;
Fri, 15 Aug 2003 22:17:12 GMT
X-DNS-OSIR-SPW: YES
X-DNS-BSSM-SPW: YES
To: <omitted>
Date: Fri, 15 Aug 2003 17:18:00 -0500
Message-ID: <1060982280.4904@netdirectpermission.com>
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
From:DeanforAmerica.com<amfordeank7@netdirectpermission.com>
Subject:Presidential Candidate Gov. Howard Dean, M.D.
Mime-Version: 1.0
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<img src="http://208.254.79.70/inimg.asp?mx1=1644&bt=" border=0 width=1 height=1>
<table align="CENTER" width="102" border="1" cellspacing="0" cellpadding="0">
<tr>
<td><table width="751" height="113" border="0" cellpadding="0" cellspacing="0">
<tr align="LEFT" valign="TOP">
<td colspan="2"><a href="http://208.254.79.70/incom.asp?px1=1644&cx2=39588&fk=%7B%7B02%7D%7D"><img src="http://www.creative-server.com/mci/us/deanforamerica/08.11.03.jpg" width="751" height="108" border="0"></a></td>
</tr>
<tr>
<td width="164" background="http://www.creative-server.com/mci/us/deanforamerica/08.11.03leftbanner.gif" align="LEFT" valign="TOP"><font size="2" face="Arial, Helvetica, sans-serif"><img src="http://www.creative-server.com/mci/us/deanforamerica/left.jpg" width="164" height="800" border="0" usemap="#Map">
</font></td>
<td width="587" align="LEFT" valign="TOP"><blockquote>
<p><br>
<font size="2" face="Arial, Helvetica, sans-serif">Dear Friend,</font></p><!--qbna^ynefpbz(pbz -->
<p><font size="2" face="Arial, Helvetica, sans-serif">Our campaign is about restoring the American community and our nation's traditional role as an idealistic moral force in world affairs. Over 280,000 Americans have already joined our campaign, and these Americans have demonstrated again and again that the grassroots has the power to beat back the special interests and regain control of the process of self-government. In eight days in June, our grassroots campaign did just that, helping to raise over $7.6 million in the second quarter of this year and shaking the Democratic nominating process to the core. You can join over 280,000 other Americans who are taking our country back by clicking on the link below:</font><font size="4" face="Arial, Helvetica, sans-serif"></font></p>
<font size="4" face="Arial, Helvetica, sans-serif"><a href="http://208.254.79.70/incom.asp?px1=1644&cx2=39588&fk=%7B%7B02%7D%7D">Register Now!</a></font>
<p><font size="2" face="Arial, Helvetica, sans-serif">This month, the Bush Administration has continued to make it harder for working families to put food on the table. While George W. Bush takes the entire month of August off in Texas, his administration is seeking to eliminate the right of more than 8 million American workers to receive overtime pay. </font></p>
<p><font size="2" face="Arial, Helvetica, sans-serif">Click below to sign a petition telling the Bush Administration that Americans deserve fair pay for more than a full day's work:</font></p>
<p><font size="4" face="Arial, Helvetica, sans-serif"><a href="http://208.254.79.70/incom.asp?px1=1644&cx2=39589&fk=55151352">Save Overtime Now!</a></font></p>
<p><font size="2" face="Arial, Helvetica, sans-serif"></font><font size="2" face="Arial, Helvetica, sans-serif">I stood against this President when too many Democrats in Congress were voting to give the Bush administration a blank check to wage pre-emptive war on Iraq. Attacking Iraq was the wrong war at the wrong time, and in recent days it has become obvious that many questions remain about the way President Bush led the American people to war and failed to foresee the continuing resistance that our military is now confronting. These questions should have been asked by Congress before the war, but too many in Washington failed to demand the truth when our nation needed it most.</font></p>
<p><font size="2" face="Arial, Helvetica, sans-serif">Too many in my party have failed to stand up to this President's assault on our ideals. I am not afraid to stand up to President Bush. I stood against his attack on Iraq. I did not support his huge tax cuts. I did not support the misnamed "No Child Left Behind Act," which is raising property taxes all over America and bankrupting our public school system. Unlike all but one of my opponents, I have balanced a budget and I have appointed judges-- and I am the only candidate for the Democratic nomination who has made health care available to 99% of the children and 90% of the adults in my state. </font></p>
<p><font size="2" face="Arial, Helvetica, sans-serif">We are going to win this nomination and defeat George W. Bush in 2004, but we need your help. Our campaign has shown that the individual actions of each of us, when united in common cause with the actions of thousands of others, have the power to transform our nation. We are leading in California, Iowa and New Hampshire. We are tied for the lead in the latest national poll. We are the great grassroots campaign of the modern era, built from mouse pads, shoe leather and hope. I hope you have seen one of the articles about my candidacy in this week's Time, Newsweek and US News and World Report. </font></p>
<p><font size="2" face="Arial, Helvetica, sans-serif">Please join us, and pass this email along to all of your friends who believe, as you do, that we must act now to take back America. <br>
<br>
Join us at <a href="http://208.254.79.70/incom.asp?px1=1644&cx2=39588&fk=55151352">www.deanforamerica.com/deangrassroots</a></font></p>
<p><font size="2" face="Arial, Helvetica, sans-serif">Thank you, </font></p>
<p><font size="2" face="Arial, Helvetica, sans-serif"><br>
Governor Howard Dean, M.D.<br>
</font></p>
<table width="80%" border="1" cellspacing="0" cellpadding="0">
<tr>
<td><div align="center"><font size="2">Paid for by Dean for America</font></div></td>
</tr>
</table>
</blockquote>
<p align="center"><br>
</p></td>
</tr>
</table></td>
</tr>
</table>
<map name="Map">
<area shape="rect" coords="6,686,159,728" href="http://208.254.79.70/incom.asp?px1=1644&cx2=39589&fk=55151352">
<area shape="rect" coords="7,751,157,792" href="http://208.254.79.70/incom.asp?px1=1644&cx2=39588&fk=55151352">
<area shape="rect" coords="3,3,161,673" href="http://208.254.79.70/incom.asp?px1=1644&cx2=39588&fk=%7B%7B02%7D%7D">
</map>
<div align="center">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2" color="#000000">
--------------------------------------------------------------------------<br>
The following message was sent to you by SuperEmailBargains.com<br><br>
Our objective is to only communicate with audiences who would like to hear<br>
from us and take advantage of our offers. If you would like to be removed<br>
from our list, please click on the unsubscribe link below:<br>
<a href="http://www.superemailbargains.com/84567543215678.html">http://www.superemailbargains.com/unsubscribe.html</a><br><br>
To unsubscribe by postal mail, please send your request to:<br>
SuperEmailBargains.com<br>
PO Box 522148<br>
Miami, Fl. 33152-2148<br>
Attn: Fulfillment Department<br>
<br><font size="1">qbna^ynefpbz(pbz</font><br>
--------------------------------------------------------------------------<br>
</font>
</div>
</body>
</html>
This spam was sent with a variety of domains in the RFC 821 MAIL FROM:<> field, but they all point back to the same place in whois data:
Registrant:
Unsuscribe-Server.com
PO Box 522148
Miami, FL 33152-2148
US
Domain Name: NETDIRECTPERMISSION.COM
Administrative Contact, Technical Contact, Zone Contact:
Unsuscribe-Server.com
Domain Admin
PO Box 522148
Miami, FL 33152-2148
US
011-5255-639-8758
011-58-261-7426362 [fax]
domain@Unsuscribe-Server.com
Domain created on 30-Jul-2003
Domain expires on 30-Jul-2004
Last updated on 31-Jul-2003
Domain servers in listed order:
NS1.OPTIN-HOST.COM
NS2.OPTIN-HOST.COM
This is a Florida-based spamhaus, but apparently not part of the Eddy Marin/Boca Raton bunch. The following link contains a useful summary of some well-known Florida-based spammers: http://www.geocities.com/ip_janitor/BocaSpamGang.html.
Spam 2 is distinguished by something that is not uncommon with spammers: bad MIME. I use an open-source email client named Mahogany, which is quite nice but still alpha software, and occasionally spam shows up with bad MIME that crashes Mahogany. This one certainly does. It was also loaded with web bugs to let the spammer see whether the email was ever opened in an HTML mail reader (note to readers: turn off the HTML features in your email client and don't use them; they are not safe, for any number of reasons).
Return-Path: <dean@for.accomplishing.net>
Received: from 118.ts8.increments.net (69.41.70.118) by mta2.wss.scd.yahoo.com (7.0.016)
id 3F0B40DA00D6C0FB for <omitted>; Fri, 15 Aug 2003 11:22:12 -0700
To: <omitted>
Date: Fri, 15 Aug 2003 14:32:29 -0500
Message-ID: <1060972349.9969@118.ts8.increments.net>
X-Mailer: Pine.LNX.4.21
From: "DeanForAmerica.com"<dean@for.accomplishing.net>
Reply-To: "DeanForAmerica.com"<dean@for.accomplishing.net>
Subject: Presidential Candidate Gov. Howard Dean, M.D.
Mime-Version: 1.0
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META name=Ad content=LS059XI00226058GJ>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head> <body>
<img src="http://www.eScriptions.net/o.asp?SC=24298&Q=32393&EM=22605869" width=1 height=1>
<img src="http://208.254.79.70/inimg.asp?mx1=1645&bt=<omitted>" border=0 width=1 height=1>
<table align="CENTER" width="102" border="1" cellspacing="0" cellpadding="0">
<tr>
<td><table width="751" height="113" border="0" cellpadding="0" cellspacing="0">
<tr align="LEFT" valign="TOP">
<td colspan="2"><img src="http://www.creative-server.com/mci/us/deanforamerica/08.11.03.jpg" width="751" height="108"></td>
</tr>
<tr>
<td width="164" background="http://www.creative-server.com/mci/us/deanforamerica/08.11.03leftbanner.gif" align="LEFT" valign="TOP"><font size="2" face="Arial, Helvetica, sans-serif"><img src="http://www.creative-server.com/mci/us/deanforamerica/left.jpg" width="164" height="800" border="0" usemap="#Map" href="http://www.deanforamerica.com/registrese">
</font></td>
<td width="587" align="LEFT" valign="TOP"><div align="center"><br>
<img src="http://www.click-on-this.net/cimages/democrat/01.gif" width="517" height="181"><br>
<a href="http://www.eScriptions.net/c.asp?LK=43565&EM=22605869&Q=32393"><img src="http://www.click-on-this.net/cimages/democrat/02.gif" width="517" height="24" border="0"></a><br>
<img src="http://www.click-on-this.net/cimages/democrat/03.gif" width="517" height="148"><br>
<a href="http://www.eScriptions.net/c.asp?LK=43566&EM=22605869&Q=32393"><img src="http://www.click-on-this.net/cimages/democrat/04.gif" width="517" height="28" border="0"></a><br>
<img src="http://www.click-on-this.net/cimages/democrat/05.gif" width="517" height="472"><br>
<a href="http://www.eScriptions.net/c.asp?LK=43565&EM=22605869&Q=32393"><img src="images/06.gif" width="517" height="18" border="0"></a><br>
<img src="http://www.click-on-this.net/cimages/democrat/07.gif" width="517" height="125"><br>
</div></td>
</tr>
</table></td>
</tr>
</table>
<map name="Map">
<area shape="rect" coords="6,686,159,728" href="http://www.eScriptions.net/c.asp?LK=43567&EM=22605869&Q=32393">
<area shape="rect" coords="7,751,157,792" href="http://www.eScriptions.net/c.asp?LK=43568&EM=22605869&Q=32393">
</map>
<div align="center">
<p> </p>
<table width="75%" border="1" bgcolor="#FFFFFF">
<tr>
<td><div align="center">
<p> </p>
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="376"><img src="http://www.click-on-this.net/cimages/disclaimer2003/disc01.gif" width="376"
height="16" align="bottom"><br> </td>
<td width="100"><div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<strong> eScriptions</strong></font></div></td>
<td width="158"><img src="http://www.click-on-this.net/cimages/disclaimer2003/disc02.gif" width="148"
height="16" align="bottom"><br> </td>
</tr>
</table>
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td valign="top"><img src="http://www.click-on-this.net/cimages/disclaimer2003/disc03.gif" width="599"
height="11"><br> </td>
</tr>
</table>
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="60" valign="top"><img src="http://www.click-on-this.net/cimages/disclaimer2003/disc04.gif"
width="60" height="15"></td>
<td><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><a
href="http://www.eScriptions.net/Remove.asp?E=<omitted>http://www.eScriptions.net/Remove.asp?E=<omitted"></a></font></td>
</tr>
</table>
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td valign="top"><img src="http://www.click-on-this.net/cimages/disclaimer2003/disc05.gif" width="314"
height="50"><br> </td>
</tr>
</table>
<!--/////22605869///<omitted>///11/////-->
</div></td>
</tr>
</table>
<p> </p>
</div>
</BODY>
</html>
This was one of a pair. While the RFC 821 MAIL FROM:<> addresses were different, they both pointed to the same place. It's in Boca Raton, but not at any of the known Eddy Marin addresses. The address seems familiar, and I'm researching it further.
Registrant:
Accomplishing.net
21218 St. Andrews Blvd.
#415
Boca raton, FL 33433
US
561-892-0937
Domain Name: ACCOMPLISHING.NET
Administrative Contact:
Administrator, Network postmaster@accomplishing.net
21218 St. Andrews Blvd.
#415
Boca raton, FL 33433
US
561-892-0937
Technical Contact:
Administrator, Network postmaster@accomplishing.net
21218 St. Andrews Blvd.
#415
Boca raton, FL 33433
US
561-892-0937
Record last updated 04-02-2003 11:25:53 AM
Record expires on 03-31-2004
Record created on 03-31-2003
Domain servers in listed order:
NS0.ACCOMPLISHING.NET 69.41.69.11
NS1.ACCOMPLISHING.NET 69.41.69.12
The domain click-on-this.net is extensively referenced in the spam. Its whois follows; guess what, it's in Florida (I'm becoming increasingly embarrassed to admit that I grew up in Florida). Looking up escriptions.net produces basically the same whois entry, so I'll not waste time and space by repeating it here.
Organization:
Click-on-this.net
Network Admin
14000 Military Trail - Suite 210
Delray Beach, FL 33484
US
Phone: (561)431-0622
Fax..: (561)431-0622
Email: postmaster@click-on-this.net
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Domain Name: CLICK-ON-THIS.NET
Created on..............: Thu, Oct 18, 2001
Expires on..............: Mon, Oct 18, 2004
Record last updated on..: Thu, Aug 07, 2003
Administrative Contact:
Click-on-this.net
Network Admin
14000 Military Trail - Suite 210
Delray Beach, FL 33484
US
Phone: (561)431-0622
Fax..: (561)431-0622
Email: postmaster@click-on-this.net
Technical Contact:
Click-on-this.net
Network Admin
14000 Military Trail - Suite 210
Delray Beach, FL 33484
US
Phone: (561)431-0622
Fax..: (561)431-0622
Email: postmaster@click-on-this.net
Zone Contact:
Click-on-this.net
Network Admin
14000 Military Trail - Suite 210
Delray Beach, FL 33484
US
Phone: (561)431-0622
Fax..: (561)431-0622
Email: postmaster@click-on-this.net
Domain servers in listed order:
DNS29.REGISTER.COM 216.21.234.85
DNS30.REGISTER.COM 216.21.226.85
I already said that the spams looked to be from different sources, since they were in somewhat different styles. Well, while I was busy removing the email addresses of the original recipients, I noticed something.
In Spam #1, there's a web bug designed to let the spammer know when a particular email target opens the email:
<img src="http://208.254.79.70/inimg.asp?mx1=1644&bt=<omitted>" border=0 width=1 height=1>
There's one in Spam #2 as well:
<img src="http://208.254.79.70/inimg.asp?mx1=1645&bt=<omitted>" border=0 width=1 height=1>
Notice any similarities?
When I wrote the first part of this, one thing I didn't do was chase down the IP space the spam came from. Brian McNett did, and identified the source.
Spam #2 above was sourced from 69.41.70.118. ARIN whois on this IP address gives the following:
$ whois 69.41.70.118@whois.arin.net
[whois.arin.net]
Fast Duck Corp. FDC-1 (NET-69-41-64-0-1)
69.41.64.0 - 69.41.79.255
Surfplex, Inc FD-SURFP1 (NET-69-41-68-0-1)
69.41.68.0 - 69.41.71.255
# ARIN WHOIS database, last updated 2003-08-17 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
$
So whois the whois pointing at?
Next stop is Spamhaus to see if they have any records. And look, they do: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL8825. And so we find notorious spammers Steve Hardigree and Frank Bernal. Their full ROKSO record is here.
The interesting facet of this is that Fast Duck/Surfplex are "fake ISPs". They were set up by, and are owned by, Hardigree and Bernal to provide a layer of insulation between them and their upstream providers. You can complain about spam until your face turns blue and not get anywhere with these guys; they don't care, because the ISP *is* the spammer.
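As an added example (not code from the original page), here are the two checks this page does by hand in Python: reading the handoff IP out of the top Received: header, the way the source of spam #2 was found, and comparing the 1x1 web bugs across the two samples, which is what links spam #1 and spam #2 to the same tracking host. The message texts are constructed from the headers and beacons quoted above with the recipient token replaced by a placeholder, and the Received: regex is my own assumption about the two common formats seen here.

```python
"""Two forensic handles pulled from an HTML spam: the connecting IP our own MTA
recorded in the top Received: header, and every 1x1 tracking pixel (web bug)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
# Constructed samples modelled on the two spams above; recipient tokens replaced.
SPAM_1 = """Received: from netdirectpermission.com
 (mail.netdirectpermission.com [208.254.69.154:25])
 by mc.sc1.ummail.com with SMTP id E0815-1817-2e1800; Fri, 15 Aug 2003 22:17:12 GMT
Content-Type: text/html

<html><body><img src="http://208.254.79.70/inimg.asp?mx1=1644&bt=RECIPIENT-TOKEN" border=0 width=1 height=1>
<img src="http://www.creative-server.com/mci/us/deanforamerica/08.11.03.jpg" width="751" height="108">
</body></html>"""
SPAM_2 = """Received: from 118.ts8.increments.net (69.41.70.118) by mta2.wss.scd.yahoo.com (7.0.016)
 id 3F0B40DA00D6C0FB for <omitted>; Fri, 15 Aug 2003 11:22:12 -0700
Content-Type: text/html

<html><body><img src="http://www.eScriptions.net/o.asp?SC=24298&Q=32393&EM=22605869" width=1 height=1>
<img src="http://208.254.79.70/inimg.asp?mx1=1645&bt=RECIPIENT-TOKEN" border=0 width=1 height=1>
</body></html>"""
# Assumed formats: "from <helo> (<rdns> [<ip>...])" and "from <helo> (<ip>)"; that IP is what the MTA saw.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?:[^\s()\[\]]+\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})")

class WebBugParser(HTMLParser):
    """Collect the src of every <img> declared 1x1: a read-receipt beacon."""
    def __init__(self):
        super().__init__()
        self.bugs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1" and a.get("src"):
            self.bugs.append(a["src"])

def source_ip(raw):
    """IP that handed the message to the first trusted MTA, or None if unparsable."""
    received = message_from_string(raw).get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    return m.group(1) if m else None

def web_bugs(raw):
    """(host, path, query) for each tracking pixel in the HTML body."""
    p = WebBugParser()
    p.feed(message_from_string(raw).get_payload())
    out = []
    for src in p.bugs:
        u = urlsplit(src)
        out.append(((u.hostname or "").lower(), u.path, {k: v[0] for k, v in parse_qs(u.query).items()}))
    return out

def shared_beacon_hosts(*samples):
    """Beacon hosts seen in more than one sample, with the mx1 campaign id each carried."""
    seen = {}
    for name, raw in samples:
        for host, _path, q in web_bugs(raw):
            seen.setdefault(host, {})[name] = q.get("mx1")
    return {h: v for h, v in seen.items() if len(v) > 1}
```

Only the topmost Received: header is trusted here, because every hop below it was written by the sender's side and can say anything.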