Spamford Getting Service From Cable & Wireless?


Post by Babu Mengelepout » Tue, 27 May 1997 04:00:00



Spamford appears to be multi-homed, if the research I have done is any
indication.

I took the novel approach of looking up who owns the IP blocks that his
nameservers run on.  His nameservers are easily obtainable by a simple
whois:

Cyber Promotions, Inc (CYBERPROMO-DOM)
   8001 Castor Avenue  Suite #127
   Philadelphia, PA 19152
   US

   Domain Name: CYBERPROMO.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Wallace, Sanford  (SW1708)  dom...@CYBERPROMO.COM
      215-628-9780
   Billing Contact:
      Wallace, Sanford  (SW1708)  dom...@CYBERPROMO.COM
      215-628-9780

   Record last updated on 24-Jan-97.
   Record created on 26-Apr-96.
   Database last updated on 25-May-97 04:56:34 EDT.

   Domain servers in listed order:

   NS7.CYBERPROMO.COM           205.199.2.250
   NS5.CYBERPROMO.COM           205.199.212.50
   NS8.CYBERPROMO.COM           207.124.161.65
   NS9.CYBERPROMO.COM           207.124.161.50

Well, starting with ns7.cyberpromo.com, it's no surprise:

Whois: net 205.199.2
AGIS/Net99 (NETBLK-NET99-BLK4)  NET99-BLK4  205.198.0.0 - 205.199.255.0
Cyber Promotions  Inc (NETBLK-CYBERPROMO-205-199B) CYBERPROMO-205-199B  205.199.2.0 - 205.199.2.255

And the same for ns5.cyberpromo.com...

Whois: whois net 205.199.212
AGIS/Net99 (NETBLK-NET99-BLK4)  NET99-BLK4  205.198.0.0 - 205.199.255.0
Cyber Promotions  Inc (NETBLK-CYBERPROMO-205-199) CYBERPROMO-205-199  205.199.212.0 - 205.199.212.255

But wait?  Is Spamford multihoming? A Cable & Wireless Class C block!

Whois: net 207.124.161
Cable & Wireless, Inc. (NETBLK-NET3-CWI-NET) NET3-CWI-NET  207.124.0.0 - 207.124.255.255
IDCI (NETBLK-CWI-IDCI2)         CWI-IDCI2      207.124.160.0 - 207.124.164.255
IDCI (NETBLK-IDCI-BLK-11)       IDCI-BLK-11    207.124.161.0 - 207.124.162.255

But strangely, it doesn't resolve...

  1  2427 ms  2135 ms  2716 ms  Max18.Seattle.WA.MS.UU.NET [207.76.5.24]
  2  1235 ms   929 ms   477 ms  Ar1.Seattle.WA.MS.UU.NET [207.76.5.3]
  3   175 ms   167 ms   623 ms  Fddi0-0.CR1.SEA1.Alter.Net [137.39.33.41]
  4   213 ms   263 ms   265 ms  110.Hssi4-0.CR1.TCO1.Alter.Net [137.39.69.121]
  5   271 ms   264 ms   597 ms  313.atm1-0.gw1.tco1.alter.net [137.39.21.153]
  6   258 ms   990 ms   244 ms  cwix2-gw.customer.ALTER.NET [137.39.184.82]
  7   739 ms   482 ms   655 ms  nyd-7513-1-h4-0.cwix.net [207.124.104.50]
  8   581 ms   257 ms   490 ms  ny1-7000-02-f0/0.cwi.net [205.136.191.228]
  9   634 ms  1044 ms  1183 ms  ny1-7000-01-f4/0.cwi.net [205.136.191.227]
 10   580 ms   358 ms   297 ms  idci-cwi.cwi.net [205.136.226.210]
 11   232 ms   731 ms   302 ms  phl-bcn1-client-router.idci.net [205.136.21.3]
 12  1267 ms  1197 ms   899 ms  146.145.254.62
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.

And another!

Whois: net 207.124.161
Cable & Wireless, Inc. (NETBLK-NET3-CWI-NET) NET3-CWI-NET  207.124.0.0 - 207.124.255.255
IDCI (NETBLK-CWI-IDCI2)         CWI-IDCI2      207.124.160.0 - 207.124.164.255
IDCI (NETBLK-IDCI-BLK-11)       IDCI-BLK-11    207.124.161.0 - 207.124.162.255
^^^^^^^^^^^^^^^^^^^^^^^^^
What is IDCI, I wonder?

This one doesn't resolve either.

  1   532 ms   188 ms   168 ms  Max18.Seattle.WA.MS.UU.NET [207.76.5.24]
  2  1284 ms  2128 ms  2321 ms  Ar1.Seattle.WA.MS.UU.NET [207.76.5.3]
  3  3037 ms  2575 ms   453 ms  Fddi0-0.CR1.SEA1.Alter.Net [137.39.33.41]
  4   634 ms   475 ms   241 ms  110.Hssi4-0.CR1.TCO1.Alter.Net [137.39.69.121]
  5   887 ms  1357 ms   929 ms  313.atm1-0.gw1.tco1.alter.net [137.39.21.153]
  6   508 ms   447 ms   260 ms  cwix2-gw.customer.ALTER.NET [137.39.184.82]
  7   284 ms   275 ms   270 ms  nyd-7513-1-h4-0.cwix.net [207.124.104.50]
  8   610 ms   495 ms     *     ny1-7000-02-f0/0.cwi.net [205.136.191.228]
  9   300 ms   264 ms   683 ms  ny1-7000-01-f4/0.cwi.net [205.136.191.227]
 10   621 ms   233 ms   275 ms  idci-cwi.cwi.net [205.136.226.210]
 11   275 ms   250 ms   767 ms  phl-bcn1-client-router.idci.net [205.136.21.3]
 12   648 ms   954 ms   647 ms  146.145.254.58
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.

Could Spamford have another provider up his sleeve?  I wonder if Cable
& Wireless is planning to give him a link when Agis finally bites the
bullet and drops him.

I could drop a couple of suggestions.  Performing traceroutes into
random addresses in his class C blocks revealed some very interesting
results.  And finally, even though he has disabled nslookup on most of
his machines, he forgot one ...

So here ya go.  nslookups on his most infamous domains...

 answerme.com.                  SOA   answerme.com hostmaster.cyberpromo.com. (117 172800 3600 1728000 172800)
 answerme.com.                  NS    ns7.cyberpromo.com
 answerme.com.                  NS    ns9.cyberpromo.com
 answerme.com.                  MX    5    answerme.com
 answerme.com.                  A     205.199.212.8
 localhost                      A     127.0.0.1
 ftp                            CNAME answerme.com
 news                           CNAME answerme.com
 www                            CNAME cybermirror1.com
 answerme.com.                  SOA   answerme.com hostmaster.cyberpromo.com. (117 172800 3600 1728000 172800)

 cybermirror1.com.              SOA   cybermirror1.com hostmaster.cyberpromo.com. (117 172800 3600 1728000 172800)
 cybermirror1.com.              NS    ns7.cyberpromo.com
 cybermirror1.com.              NS    ns9.cyberpromo.com
 cybermirror1.com.              MX    5    cybermirror1.com
 cybermirror1.com.              A     205.199.2.248
 answerme                       A     205.199.212.8
 news                           CNAME cybermirror1.com
 localhost                      A     127.0.0.1
 www                            CNAME cybermirror1.com
 auto1                          A     205.199.212.36
 auto2                          A     207.124.161.91
 auto3                          A     207.124.161.78
 ftp                            CNAME cybermirror1.com
 cybermirror1.com.              SOA   cybermirror1.com hostmaster.cyberpromo.com. (117 172800 3600 1728000 172800)

 cyberpromo.com.                SOA   cyberpromo.com hostmaster.cyberpromo.com. (126 172800 3600 1728000 172800)
 cyberpromo.com.                NS    ns7.cyberpromo.com
 cyberpromo.com.                NS    ns9.cyberpromo.com
 cyberpromo.com.                MX    5    cyberpromo.com
 cyberpromo.com.                MX    10   cyberpromo.com
 cyberpromo.com.                A     205.199.212.36
 news                           CNAME cyberpromo.com
 ns5                            A     205.199.212.50
 ns5                            MX    10   ns5.cyberpromo.com
 ns7                            MX    10   cyberpromo.com
 ns7                            A     205.199.2.250
 ns8                            A     207.124.161.65
 ns8                            MX    10   ns8.cyberpromo.com
 localhost                      A     127.0.0.1
 localhost                      A     205.199.212.36
 localhost                      MX    10   cyberpromo.com
 ns9                            A     207.124.161.51
 ns9                            MX    10   ns9.cyberpromo.com
 www                            A     205.199.2.247
 ftp                            CNAME cyberpromo.com
 cyberpromo.com.                SOA   cyberpromo.com hostmaster.cyberpromo.com. (126 172800 3600 1728000 172800)

 ispam.net.                     SOA   ispam.net hostmaster.cyberpromo.com. (113 172800 3600 1728000 172800)
 ispam.net.                     NS    ns7.cyberpromo.com
 ispam.net.                     NS    ns9.cyberpromo.com
 ispam.net.                     A     205.199.212.34
 ispam.net.                     MX    5    ispam.net
 localhost                      A     127.0.0.1
 ftp                            CNAME ispam.net
 news                           CNAME ispam.net
 www                            CNAME cyberpromo.com
 ispam.net.                     SOA   ispam.net hostmaster.cyberpromo.com. (113 172800 3600 1728000 172800)

 keepmailing.com.               SOA   keepmailing.com hostmaster.cyberpromo.com. (111 172800 3600 1728000 172800)
 keepmailing.com.               NS    ns7.cyberpromo.com
 keepmailing.com.               NS    ns9.cyberpromo.com
 keepmailing.com.               MX    5    keepmailing.com
 keepmailing.com.               A     205.199.212.30
 localhost                      A     127.0.0.1
 ftp                            CNAME keepmailing.com
 news                           CNAME keepmailing.com
 www                            CNAME keepmailing.com
 keepmailing.com.               SOA   keepmailing.com hostmaster.cyberpromo.com. (111 172800 3600 1728000 172800)

Happy umm ... exploring.  Of course, I would NEVER want ANYONE to even
THINK of doing anything malicious with this information.  HACKING IS
ILLEGAL!  I love Jeff Slaton.  I love Spamford.  They help the economy.
AGIS is our friend.

   .
  /|\
 //|\\ Welcome to the rainforest...
///|\\\ dialt...@vcn.bc.ca

[TELECOM Digest Editor's Note: Thank you very much for passing that
information along. Anyone from Cable & Wireless want to look into
things from that side and give us a followup?   PAT]
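
Added example, not part of the original post: the whois lookups above automated for abuse reporting, so that each nameserver address is mapped to the netblocks that contain it and therefore to the upstream and the assignee whose abuse desks should get the complaint. The netblock lines are the ones quoted in the post with the wrapped ranges rejoined; the function names are this example's own.

```python
import ipaddress
import re

# Registry output quoted in the post, with the wrapped range lines rejoined.
WHOIS_TEXT = """\
AGIS/Net99 (NETBLK-NET99-BLK4)  NET99-BLK4  205.198.0.0 - 205.199.255.0
Cyber Promotions  Inc (NETBLK-CYBERPROMO-205-199B) CYBERPROMO-205-199B  205.199.2.0 - 205.199.2.255
Cyber Promotions  Inc (NETBLK-CYBERPROMO-205-199) CYBERPROMO-205-199  205.199.212.0 - 205.199.212.255
Cable & Wireless, Inc. (NETBLK-NET3-CWI-NET) NET3-CWI-NET  207.124.0.0 - 207.124.255.255
IDCI (NETBLK-CWI-IDCI2)         CWI-IDCI2      207.124.160.0 - 207.124.164.255
IDCI (NETBLK-IDCI-BLK-11)       IDCI-BLK-11    207.124.161.0 - 207.124.162.255
"""

# Nameserver addresses from the CYBERPROMO.COM whois record in the post.
NAMESERVERS = {"ns7": "205.199.2.250", "ns5": "205.199.212.50",
               "ns8": "207.124.161.65", "ns9": "207.124.161.50"}

# org name, (NETBLK handle), short name, first address - last address
BLOCK_RE = re.compile(
    r"^(?P<org>.+?)\s+\((?P<handle>NETBLK-[^)]+)\)\s+\S+\s+"
    r"(?P<start>\d+(?:\.\d+){3})\s+-\s+(?P<end>\d+(?:\.\d+){3})\s*$"
)

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_blocks(text):
    """Return (org, handle, first, last) per netblock line; skip anything else."""
    blocks = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            org = " ".join(m["org"].split())  # collapse runs of spaces
            blocks.append((org, m["handle"], to_int(m["start"]), to_int(m["end"])))
    return blocks

def delegation_chain(addr, blocks):
    """Blocks containing addr, widest allocation first, most specific last."""
    ip = to_int(addr)
    hits = [b for b in blocks if b[2] <= ip <= b[3]]
    return sorted(hits, key=lambda b: b[3] - b[2], reverse=True)

def abuse_contacts(addr, blocks):
    """Upstream (widest block) and assignee (narrowest); None if no block matches."""
    chain = delegation_chain(addr, blocks)
    if not chain:
        return None
    return {"upstream": chain[0][0], "assignee": chain[-1][0],
            "handles": [b[1] for b in chain]}

if __name__ == "__main__":
    blocks = parse_blocks(WHOIS_TEXT)
    for name, addr in NAMESERVERS.items():
        print(name, addr, abuse_contacts(addr, blocks))
```

An address that falls in none of the parsed blocks, such as the last responding traceroute hop 146.145.254.62, returns None and needs its own registry lookup.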

 
 
 


Post by jfmeze » Wed, 28 May 1997 04:00:00


Interesting that you couldn't traceroute all the way to the end: For me,
it works fine:

Find route to: *promo.com. (205.199.212.36), Max 30 hops, 40 byte
packets (local hops omitted for brevity)

 6 sl-pen-2-f3/0-100m.sprintlink.net. (144.232.0.122):  716 ms  861 ms  911 ms
 7 f1-0.pennsauken1.agis.net. (192.157.69.19):  911 ms  873 ms  901 ms
 8 a0.58.philadelphia1.agis.net. (206.185.158.9):  1044 ms  935 ms  893 ms
 9 *promo.philadelphia1.agis.net. (206.185.158.2):  1230 ms  954 ms  850 ms
10 spamford.com. (205.199.212.36):  1028 ms  653 ms  384 ms
Trace completed

savetrees.com also points to spamford.com

 
 
 


Post by Jim You » Wed, 28 May 1997 04:00:00



> Spamford appears to be multi-homed, if the research I have done is any
> indication.
> But wait?  Is Spamford multihoming? A Cable & Wireless Class C block!

Well, yes. There is no mystery there.

> Whois: net 207.124.161
> Cable & Wireless, Inc. (NETBLK-NET3-CWI-NET) NET3-CWI-NET  207.124.0.0 - 207.124.255.255
> IDCI (NETBLK-CWI-IDCI2)         CWI-IDCI2      207.124.160.0 - 207.124.164.255
> IDCI (NETBLK-IDCI-BLK-11)       IDCI-BLK-11    207.124.161.0 - 207.124.162.255
> What is IDCI, I wonder?

IDCI is an internet provider based in New Jersey that gets its backbone
link from Cable & Wireless. Plug in NETBLK-IDCI-BLK-11 on your whois and
learn the rest.

> This one doesn't resolve either.

>   1   532 ms   188 ms   168 ms  Max18.Seattle.WA.MS.UU.NET [207.76.5.24]
>   2  1284 ms  2128 ms  2321 ms  Ar1.Seattle.WA.MS.UU.NET [207.76.5.3]
>   3  3037 ms  2575 ms   453 ms  Fddi0-0.CR1.SEA1.Alter.Net [137.39.33.41]
>   4   634 ms   475 ms   241 ms  110.Hssi4-0.CR1.TCO1.Alter.Net [137.39.69.121]
>   5   887 ms  1357 ms   929 ms  313.atm1-0.gw1.tco1.alter.net [137.39.21.153]
>   6   508 ms   447 ms   260 ms  cwix2-gw.customer.ALTER.NET [137.39.184.82]
>   7   284 ms   275 ms   270 ms  nyd-7513-1-h4-0.cwix.net [207.124.104.50]
>   8   610 ms   495 ms     *     ny1-7000-02-f0/0.cwi.net [205.136.191.228]
>   9   300 ms   264 ms   683 ms  ny1-7000-01-f4/0.cwi.net [205.136.191.227]
>  10   621 ms   233 ms   275 ms  idci-cwi.cwi.net [205.136.226.210]
>  11   275 ms   250 ms   767 ms  phl-bcn1-client-router.idci.net [205.136.21.3]
>  12   648 ms   954 ms   647 ms  146.145.254.58
>  13     *        *        *     Request timed out.
>  14     *        *        *     Request timed out.
>  15     *        *        *     Request timed out.
>  16     *        *        *     Request timed out.

This route from phl-bcn1...  is the path that was used in another
fraudulent multi-thousand-message run which happened 5/26. My name
appeared on tens of thousands (apparently) of messages, and as well, the
server at the end of your trace above (the machine that's not showing on
the trace) started hitting our system with > 6 messages/second nonstop.

Can't say much more about that just now.

 
 
 


Post by Robert A. Pier » Thu, 29 May 1997 04:00:00


Hello!

I recently received this junk mail:


> Date sent:        Wed, 14 May 1997 20:55:22 -0700

> Subject:          Hi
> Robert,
> Hi,
> How would you like to advertise over the internet to thousands and thousands
> of people?
> It is VERY EASY AND VERY CHEAP. Our Prices are very low (around $25
> per 10-15 thousand people.)

> You will get your info via email within 2 minutes depending on how
> fast your mail server is.



that Mr. Wallace's company was involved -- I thought answerme.com
might be a 'vanity url.'  I also don't know why the message used my
first name -- are they sorting these things manually or automatically?

        I have two questions:  One, did that cause PAYPHONE to send

prevent that?

        Two, if they haven't set up a filter to prevent looping, would
it make sense to send e-mail to one junk mailer's autoresponder with a
reply-to of another autoresponder?  Are there other autoresponders or
other interesting addresses at the domains listed below?

Rob Pierce

[TELECOM Digest Editor's Note: An excellent idea! Let's get the
various autoresponders started going after each other. Take any
two spammers and create a set of mail headers showing each of
them as the 'From:' and 'Reply-To:' on the other set of headers.
Now each time you get any spam at all, just toss it to a script
which places the above headers on the mail and sends it back out.
It would help if you are (for sendmail purposes) a trusted user
in the sendmail.cf; this will let you totally remove any reference
to yourself at all, thus preventing the autoresponders from finding
out about you and getting you back in the loop somehow. Be sure to
do cc: to a few postmasters, Spamford and whoever else you feel
should receive the message several thousand times during the
overnight hours.

Typically when my autoreply gets caught in a loop with someone else's,
I get anywhere from two to three thousand transactions before I
catch it and kill the jobs. See how many pieces of mail you can
cause to happen (in a loop which involves them -- not yourself!)
before they notice it and have to clean up a mess.  PAT]

 
 
 


Post by John R. Levi » Thu, 29 May 1997 04:00:00


> Spamford appears to be multi-homed, if the research I have done is any
> indication.

* Promo seems to be doing most of their spamming at this point via
their "bandwidth partner" IDCI, who is a CWI customer.

If you complain to IDCI, you'll get a sanctimonious form letter about
how they don't censor their customers, freedom of speech, etc.

Speaking of sanctimonious, check out AGIS new press release at
http://www.veryComputer.com/
spam customers have agreed to stop spamming until the IEMMC's opt-out
system is running.

Lest you confuse their statements with the truth, you might want to
consider that I've logged 27 spam attempts today from Integrated
Media, one of the spam havens that is allegedly going to stop.

John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869

Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4  2D AC 1E 9E A6 36 A3 47

 
 
 
