Billion Dollar Spam Award In December 2004
I received an (unsolicited) email today about the following default judgments granted in a case against some spammers... What do I think about this? Read on....
http://www.cnn.com/2004/LAW/12/18/spam.lawsuit.ap/index.html
DAVENPORT, Iowa (AP) -- A federal judge has awarded an Internet service provider more than $1 billion in what is believed to be the largest judgment ever against spammers.
Robert Kramer, whose company provides e-mail service for about 5,000 subscribers in eastern Iowa, filed suit against 300 spammers after his inbound mail servers received up to 10 million spam e-mails a day in 2000, according to court documents.
U.S. District Judge Charles R. Wolle filed default judgments Friday against three of the defendants under the Federal Racketeer Influenced and Corrupt Organizations Act and the Iowa Ongoing Criminal Conduct Act.
AMP Dollar Savings Inc. of Mesa, Arizona, was ordered to pay $720 million and Cash Link Systems Inc. of Miami, Florida, was ordered to pay $360 million. The third company, Florida-based TEI Marketing Group, was ordered to pay $140,000.
"It's definitely a victory for all of us that open up our e-mail and find lewd and malicious and fraudulent e-mail in our boxes every day," Kramer said after the ruling.
Kramer's attorney, Kelly Wallace, said he is unlikely to ever collect the judgment, which was made possible by an Iowa law that allows plaintiffs to claim damages of $10 per spam message. The judgments were then tripled under RICO.
"We hope to recover at least his costs," Wallace said.
There were no telephone listings in Arizona and Florida for any of the three companies. An e-mail sent Saturday to Cash Link Systems went unanswered.
According to court documents, no attorneys for the defendants were present during a bench trial in November. The lawsuit continues against other named defendants.
Laura Atkins, president of SpamCon Foundation, an anti-spamming organization based in Palo Alto, California, said she believed it was the largest judgment ever in an anti-spam lawsuit.
"This is just incredible," she said. "I'm not aware of anything that's been over $100 million."
For people trying to track down NY-NY based "PEXICOM, Inc." or related operations, PEXICOM, PEXICAST, PEXIMED, read on...
Although company founder Douglas Fields (who works and lives in NYC and is even an FCC licensed Ham Radio operator who graduated from Yale) might be hard to track down, the company controller -- Teri McRae -- actually lives up in Portland, Maine. She is busy, too... she's also an elected public official - on the local school committee AND is the register of probate (whatever that is !?!) It seems she and Douglas Fields both like to play cards and are bridge contest champions... Hmmm...........
Current Entity Name: PEXICOM, INC.
Initial DOS Filing Date: OCTOBER 02, 2001
County: NEW YORK
Jurisdiction: DELAWARE
Entity Type: FOREIGN BUSINESS CORPORATION
Current Entity Status: ACTIVE
DOS Process (Address to which DOS will mail process if accepted on behalf of the entity): PEXICOM, INC. C/O KANTOR DAVIDOFF WOLFE RABINO MANDELKER & KASS, PC, 51 E 42ND ST, NEW YORK, NEW YORK 10017
Chairman or Chief Executive Officer: DOUGLAS P. FIELDS, JR., 122 E 42ND ST / SUITE 1618, NEW YORK, NEW YORK 10168
Principal Executive Office: PEXICOM, INC., 122 E 42ND ST / SUITE 1618, NEW YORK, NEW YORK 10168
(847) 919-7916 (866) PEXI-FAX Toll-Free
Pexicom is a developer and provider of unique secure messaging solutions meeting the needs of targeted niche markets. By developing proprietary applications and implementing innovative secure technologies as well as stringent business rules, Pexicom has created unique web enabled tools that help specific industries achieve high levels of security and privacy while streamlining the convergence of various electronic communications via well-defined portals.
County boards attract contests By MARK PETERS, Portland Press Herald Writer <http://www.mainetoday.com>
REGISTER OF PROBATE
NAME: Teri McRae
POLITICAL PARTY: Republican AGE: 48 ADDRESS: 619 Allen Ave., Portland, Maine PERSONAL: Married, one son and one stepson EDUCATION: Graduate, George Washington High School, Denver, Colo.; bachelor's degree in economics, Brandeis University, Waltham, Mass.; master's degree in business administration, Massachusetts Institute of Technology
EMPLOYMENT: Controller, Pexicom Inc.
POLITICAL EXPERIENCE: Portland School Committee, 2002-present
Terri E. McRae , Register of Probate
Cumberland County Courthouse 142 Federal Street, Portland, Maine 04101 (207) 871-8382 email: mcrae@cumberlandcounty.org <http://www.cumberlandcounty.org>
2004/2005 ( Last updated: 01/21/2005 )
<http://www.portlandschools.org>
Teri McRae , 2005 619 Allen Ave. Portland, Maine 04103 (h) (207) 797-8633 e-mail: mcraet@portlandschools.org
http://www.senderbase.org/search?searchString=64.124.100.148
This stuff is worthy of deletion, in fact, it's not even close. While there is often good reason to think twice about what SORBS might list, don't think twice about what SBL lists, and if you feel compelled to do so, at least look at their evidence file. http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13718
Pexicom is definitely ROKSO-bound. They have address blocks all over the place and have been tracked by SenderBase sending volumes of spam that exceed 1 million messages a day from a single IP address.
I did a little more checking around those IP blocks and found that I only had a small portion of this guy's network tagged. He has about 600 IPs and over 30 domains spread across 5 concurrent blocks of addresses. Naturally this isn't necessarily all of it, but you can identify more blocks by searching the headers of a spam capture for occurrences of "X-JLH:" in the headers, which is unique to this guy at the moment. This is what I have thus far:
208.184.54.0/25
208.184.58.0/25
209.249.21.128/25
209.249.55.128/25
216.200.60.16/28
216.200.60.32/27
216.200.60.64/26
I also listed the domains that come up in reverse DNS as comments in the filter file, though you probably don't need to be filtering for them.
I rewrote the filter to work as an "ipfile" in Declude, which means that it will work on Standard as well as Pro versions. This one block of addresses sends a piece of spam to my server once every 10 minutes or less on a volume of about 4,000 a day currently. This means that he is responsible for about 3.6% of my total mail volume, and of course, 3.6% of my mail filtering processing power. He also isn't listed consistently on any RBL's with these addresses and only fails most of the time on my server because he also has a problem with BADHEADERS. So I think it definitely makes sense to add the attached filter (note the slight configuration change to reflect the "ipfile" type instead of "filter" type). It should be very easy on resources, but kill it when SBL picks up the block.
Considering the volume of spam from this one guy, and SBL's claim for instance that 90% of the spam is sent from a core group of 200 spammers (which this guy doesn't yet belong to), I think it makes sense to maybe start blocking either at the router, or at IMail's Access Control configuration option. You would get the rejection logged in IMail with the second choice, and it would hardly use any resources to do so. For servers handling many tens of thousands of messages a day, this might make a lot of sense to do, and maybe use SBL as a reference for what's block worthy at a given space in time (I don't think they change much).
Matt
Matthew Bramble wrote: Very interesting. Looks like the @b. thing is a standard in some piece of VERP software. BTW, unless you (generally) are extremely aggressive (sans FiveTen), this would be a very bad idea to implement as a filter. So please ignore my initial filter submission...but I've got something bulletproof to replace it.
This spammer that we were trying to identify with that string was probably Douglas Fields of Pexicom, Inc.
His old network is in SBL (SBL5185), but it appears that he went out and registered some new blocks of addresses, and got others through Above.net, from which he also gets bandwidth. If anyone knows how to report him to SBL, it might help a lot of people. I couldn't figure out how to report during a cursory search of their site.
With the help of your file, a bunch of data from past spam captures, that header clue that exposed his software, and a little DNS work...I came up with 9 new blocks not in SBL with reverse DNS names with 9 addresses each (ns1, ns2, www and mail1 through mail6). I won't assume for a second that is all, but it's a lot and considering the age of many of the domains, he hasn't yet exposed all of his servers to the RBL's (less than 1/4 were in a multi-week 150 MB capture that found all of this stuff). If he wasn't failing BADHEADERS, some of this would have gotten through on my server, so I wrote it as a filter just for this one guy and attached it to this note. Implement safely with the following line, and kill the filter after SBL picks it up.
My guess is that this guy was approaching 1% of my total E-mail volume, which is pretty serious, though one of the crud spammers is currently doing about 5%
64.124.165.0/25 [64.124.165.0] - [64.124.165.127]
64.124.165.128/26 [64.124.165.128] - [64.124.165.191]
64.124.165.192/27 [64.124.165.192] - [64.124.165.223]
64.125.181.0/24 [64.125.181.0] - [64.125.181.255]
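The two posts above describe one detection routine: search a spam capture for the "X-JLH:" header that fingerprints this sender's bulk-mail software, take the connecting address from the Received header, and match it against the listed CIDR blocks (the ranges printed beside each /24, /25, /26 and /27 are just the block boundaries). Here is that routine written out in Python as an added example; it is not code from the thread, from Declude or from IMail. The block list is the one quoted in the posts, the capture entries are constructed samples, and anything that does not fall in a known block but still carries the fingerprint header is reported as a lead for the reverse-DNS and whois checking the posts describe, rather than blocked outright.

```python
"""Added example: scan a mail capture for the fingerprint header and the
address blocks named in the thread.  Not from the thread or from Declude;
the CIDR blocks are the ones listed in the posts, the messages are constructed."""
import ipaddress
import re
from email import message_from_string

# Address blocks listed in the two posts above.
SUSPECT_BLOCKS = [ipaddress.ip_network(c, strict=False) for c in (
    "208.184.54.0/25", "208.184.58.0/25", "209.249.21.128/25",
    "209.249.55.128/25", "216.200.60.16/28", "216.200.60.32/27",
    "216.200.60.64/26", "64.124.165.0/25", "64.124.165.128/26",
    "64.124.165.192/27", "64.125.181.0/24",
)]

# Header the posts say was unique to this sender's bulk-mail software.
FINGERPRINT_HEADER = "X-JLH"

_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def cidr_range(cidr):
    """First and last address of a block, as printed beside the entries above."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def in_suspect_block(ip):
    """Return the block containing ip as a string, or None if no block matches."""
    addr = ipaddress.ip_address(ip)
    for net in SUSPECT_BLOCKS:
        if addr in net:
            return str(net)
    return None


def connecting_ip(raw):
    """Peer address from the topmost Received header, the one our own MTA wrote.
    Lower Received lines were supplied by the sender and cannot be trusted."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = _BRACKETED_IPV4.search(received[0])
    return m.group(1) if m else None


def classify(raw):
    """Dict with: fingerprint header present, connecting IP, matching block."""
    msg = message_from_string(raw)
    ip = connecting_ip(raw)
    return {
        "fingerprint": msg.get(FINGERPRINT_HEADER) is not None,
        "ip": ip,
        "block": in_suspect_block(ip) if ip else None,
    }


def scan_capture(raw_messages):
    """Classifications for every message that hits either indicator."""
    return [c for c in map(classify, raw_messages) if c["fingerprint"] or c["block"]]


def unlisted_fingerprint_sources(raw_messages):
    """IPs that carry the fingerprint header but sit outside every known block:
    the leads the posts say reveal further address blocks (check reverse DNS and
    whois before adding them to a filter)."""
    return sorted({c["ip"] for c in map(classify, raw_messages)
                   if c["fingerprint"] and c["ip"] and not c["block"]})


def _sample(peer, extra_headers=""):
    """Constructed capture entry; only the peer address and headers matter."""
    return (f"Received: from mail1.sender.invalid (mail1.sender.invalid [{peer}])\n"
            f"\tby mx.example.invalid with SMTP; Fri, 07 Nov 2003 11:17:46 -0800\n"
            f"From: promo@sender.invalid\n{extra_headers}"
            f"Subject: constructed sample\n\nbody\n")


# Constructed capture: the peers are either inside the listed blocks or in
# documentation ranges, so nothing here points at a real host.
SAMPLE_CAPTURE = [
    _sample("208.184.54.10", "X-JLH: 1234\n"),   # fingerprint and listed block
    _sample("64.125.181.77"),                     # listed block only
    _sample("192.0.2.5"),                         # clean message
    _sample("198.51.100.23", "X-JLH: 1235\n"),   # fingerprint, unlisted block
]

if __name__ == "__main__":
    for c in scan_capture(SAMPLE_CAPTURE):
        print(c)
    print("unlisted sources:", unlisted_fingerprint_sources(SAMPLE_CAPTURE))
```

Only the topmost Received header is used because that is the one the receiving server wrote itself; every line below it arrived inside the message and can say whatever the sender wants. The "unlisted sources" output is the part that grows the block list over time, which is the same step the poster did by hand with past captures and DNS lookups.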
Re: [Declude.JunkMail] Comments on this ?
Matthew Bramble Fri, 07 Nov 2003 11:17:46 -0800
Is it possible that he was exposed by a dictionary attack? Or maybe, could it be that his system allows the nobody alias so that anything can be delivered and they are hammering on fake addresses. I've started shutting that down wherever it was configured in order to protect from these things.
The idea though that you are getting hammered primarily by 2,000 IP addresses isn't surprising IMO. That Pexicom spammer that I tracked down the other day has 1,000 IPs at his disposal, and he uses many of these addresses in order to prevent himself from a perma-listing on the RBLs. SBL has a lot of similar addresses, though their ranges can be incomplete. It might be very effective to try and get the SBL listing configured in your router as a block list. I don't think that I've ever seen a FP from SBL, and they claim that 90% of spam comes from just their ROKSO list alone (which is incomplete so actual effectiveness will be much lower regardless of the claim).
I think that normal spam traffic would probably be on the order of 500 per user per month on average, so this seems way out of hand (by a factor of 10). Topic in news.admin.net-abuse.sightings