Newsgroups: news.admin.net-abuse.usenet
From: buchanan@cybernex.net (Rick Buchanan)
Subject: 100 Hours with the Baltimore Blaster, IDT & PSI
Message-ID: <353940f0.747985406@news2.new-york.net>

(posted to n.a.n-a.u and a few other newsgroups. E-mailed to interested parties.)

Hi-dee-ho troops!

It's time for another dip into Joe Greco's fascinating "Usenet Posting Summaries" to see what we can find out about how fairly the resources of the Usenet Community are being allocated and consumed.

Preface --

Some months back, a few of us who track open-server abusers noticed a new mega-spammer who was hijacking every vulnerable server from Addis Ababa to Zimbabwe to splatter an incredible volume of binary porn spam for his website -- hotsexnow.com. At first, it was all coming from Netcom's Baltimore MD POPs, so we nicknamed the guy "The Baltimore Blaster". Later, some Wilmington DE POPs were the source of the same spew.

To Netcom's credit, they stomped on the accounts pretty efficiently (thanks Matt!), and the BB moved to other Baltimore and Wilmington ISPs. We chased him down and got him toasted at all of them. Then, suddenly, there was none of the Blaster's spam to be found on ANY open servers! Did he retire? Find honest work? Get killed? Nope, he found a nice safe haven with an account at IDT.NET, where he's been spamming freely for many weeks now, accessing their server via PSI POPs in Baltimore and Wilmington.

Here is a snapshot-summary of data taken from 25 consecutive Posting Summaries starting at 12:01 AM February 4, 1998. This represents just 100 hours, or roughly FOUR DAYS.

The Amazing Numbers --

Let's start with the address that's at (or near) the top of the stats in almost every one of the reporting periods -- temp@prodigy.net (Of course it's forged, and never went anywhere near prodigy. The actual source is IDT/PSI, as I'll detail below.)
Legend:
  Rpt   - Reporting period (1 - 25)
  Rank  - Poster's rank in that report, sorted by BI
  BI    - Breidbart index of all articles from poster in this period
  ng/p  - Average number of crossposted newsgroups per post
  Posts - Number of articles posted in this period
  Bytes - Number of bytes posted in this period
  b/p   - Average bytes/post
  From  - The particular forged email address used

> Rpt  Rank         BI  ng/p   Posts        Bytes     b/p  From
> ---  ----  ---------  ----  ------  -----------  ------  ----------------
>   1     1   3,020.00    25     604   22,473,778  37,208  temp@prodigy.net
>   2     1   1,660.00    25     332   16,271,180  49,010  temp@prodigy.net
>   3     1   5,435.00    25   1,087   39,843,854  36,655  temp@prodigy.net
>   4     1   2,987.00    10     949   38,687,426  40,767  temp@prodigy.net
>   5     1   3,264.00     9   1,088   39,840,456  36,618  temp@prodigy.net
>   6     1   3,057.00     9   1,019   34,472,534  33,830  temp@prodigy.net
>   7    11   1,230.00     4     597   24,866,411  41,652  temp@prodigy.net
>   8     5   1,128.00     4     564   22,355,105  39,637  temp@prodigy.net
>   9    36     198.00     4      99    4,244,900  42,878  temp@prodigy.net
>  12    13     656.00     4     328   12,829,606  39,115  temp@prodigy.net
>  13     3   1,870.00     4     935   38,671,177  41,360  temp@prodigy.net
>  14     7   1,766.00     4     883   30,547,326  34,595  temp@prodigy.net
>  15     2   2,404.00     4   1,202   39,722,985  33,047  temp@prodigy.net
>  16     5   2,073.58    12     610   22,490,703  36,870  temp@prodigy.net
>  17    19     497.37    12     144    6,333,758  43,984  temp@prodigy.net
>  20     7   1,174.33    12     339   15,515,482  45,768  temp@prodigy.net
>  21     2   2,986.06    12     862   34,090,756  39,548  temp@prodigy.net
>  22     2   3,651.17    12   1,054   32,937,549  31,250  temp@prodigy.net
>  23     7   1,174.33    12     339   15,515,482  45,768  temp@prodigy.net
>  24     2   2,986.06    12     862   34,090,756  39,548  temp@prodigy.net
>  25     2   3,651.17    12   1,054   32,937,549  31,250  temp@prodigy.net
>            ---------        ------  -----------
> Totals     46,869.08        14,951  558,738,773

A few observations:

Fifteen THOUSAND articles. Five HUNDRED MEGABYTES. In 100 hours. He made 21 of the 25 reports. And he made the top-five 14 times.
All articles are _advertisements_ for the same website, and are therefore "substantively identical" (and cancellable spam). The JPG attachments are small, lo-res, inferior pics added SOLELY to evade cancelbots. They never exceed 100kb, so they fall under the commonly-used bin-cancel threshold.

Here's a sample header:

-=-=-
Subject: CHECK THESE KNOCKERS OUT!!! - 0155picr.jpg(1/1) 22740 bytes
From: temp@prodigy.net
Date: 4 Feb 1998 14:27:04 GMT
Msg-ID: <6b9tro$8ov@nnrp3.farm.idt.net>
NNTP-Posting-Host: ip251.baltimore10.md.pub-ip.psi.net
Newsgroups: alt.binaries.pictures.erotica.pornstars,alt.binaries.pictures.erotica.redheads,
  alt.binaries.pictures.erotica.teen.female,alt.binaries.pictures.erotica.teen.fuck,
  alt.binaries.pictures.groupsex,alt.binaries.pictures.nude,
  alt.binaries.pictures.nude.celebrities,alt.sex.pictures,alt.sex.pictures.female
-=-=-

Nice cross-posts, huh? Maybe these are thousands of pictures of nude, female, redheaded, teenaged celebrity pornstars having group sex? Ah.... no.

If that was where the story ended, it would still be network abuse of incredible magnitude. But it doesn't end there. Not by a longshot.

I checked to see who else was spamming for hotsexnow from PSI POPs to IDT's news-server. tightass@hsn.biz was one.
> Rpt  Rank         BI  ng/p   Posts        Bytes     b/p  From
> ---  ----  ---------  ----  ------  -----------  ------  ----------------
>   1    16     519.62    12     150    5,687,011  37,913  tightass@hsn.biz
>   2     4     883.35    12     255    9,221,994  36,165  tightass@hsn.biz
>   3     8     699.75    12     202    7,731,915  38,277  tightass@hsn.biz
>   7    15     789.82    12     228    8,762,637  38,433  tightass@hsn.biz
>   8    27     297.91    12      86    3,486,693  40,543  tightass@hsn.biz
>   9    20     318.70    12      92    3,770,438  40,983  tightass@hsn.biz
>  12     7   1,039.23    12     300   11,900,010  39,667  tightass@hsn.biz
>  16     3   2,765.00    25     553   21,290,711  38,500  tightass@hsn.biz
>  17     2   1,874.24    25     375   17,264,977  46,040  tightass@hsn.biz
>  20    16     380.00    25      76    2,739,056  36,040  tightass@hsn.biz
>  23    16     380.00    25      76    2,739,056  36,040  tightass@hsn.biz
>            ---------        ------  -----------
> Totals      9,947.62         2,393   94,594,498

Another TWO THOUSAND posts. Another HUNDRED MEGABYTES. Same spam. Same spammer. Same four days.

Sample header:

-=-=-
Subject: Fuck till you hurt!!!! 94c.jpg (1/1) 18006 bytes
From: tightass@hsn.biz
Date: 2 Feb 1998 14:05:34 GMT
Msg-ID: <6b4jre$8p6@nnrp4.farm.idt.net>
NNTP-Posting-Host: ip93.baltimore10.md.pub-ip.psi.net
Newsgroups: alt.binaries.erotica,alt.binaries.erotica.female.plumpers,alt.binaries.erotica.fetish,
  alt.binaries.erotica.fettish,alt.binaries.erotica.pornstar,
  alt.binaries.erotica.sex.in.the.morning,alt.binaries.erotica.teen,
  alt.binaries.pictures.erotic.centerfolds,alt.binaries.pictures.erotica,
  alt.binaries.pictures.erotica.amateur,alt.binaries.pictures.erotica.amateur.female,
  alt.binaries.pictures.erotica.blondes,alt.binaries.pictures.erotica.bondage,
  alt.binaries.pictures.erotica.breasts,alt.binaries.pictures.erotica.breasts.small,
  alt.binaries.pictures.erotica.brunette,alt.binaries.pictures.erotica.butts,
  alt.binaries.pictures.erotica.cheerleaders
-=-=-

Obviously pictures of all those plump, blond-brunette, teen, amateur-pornstar-cheerleader-centerfolds' butts and breasts in bondage. Sounds on-topic to me!

Is that it? Nope. I'll just combine some of the others I found.
> Rpt  Rank         BI  ng/p   Posts        Bytes     b/p  From
> ---  ----  ---------  ----  ------  -----------  ------  ----------------
>   2    62     329.09    12      95    6,526,294  68,698  kelly@teenpussy.org
>   3     4   1,385.64    12     400   33,029,732  82,574  kelly@teenpussy.org
>   4     7     755.18    12     218   12,014,745  55,114  kelly@teenpussy.org
>  15   135      55.43    12      16      637,426  39,839  suzy@teensncum.org
>  18    26     287.52    12      83    5,425,866  65,372  suzy@teensncum.org
>  19   263      51.96    12      15      602,926  40,195  suzy@teensncum.org
>  20    23     270.20    12      78    5,762,885  73,883  suzy@teensncum.org
>  22    29     384.52    12     111    7,946,349  71,589  suzy@teensncum.org
>  23    23     270.20    12      78    5,762,885  73,883  suzy@teensncum.org
>  25    29     384.52    12     111    7,946,349  71,589  suzy@teensncum.org
>  12   117     193.99    12      56    3,492,477  62,366  traci@wetpussy.org
>   9    21     263.27    12      76    5,014,043  65,974  tracy@eatmypussy.net
>  10     4     942.24    12     272   21,341,093  78,460  tracy@eatmypussy.net
>  11    33     356.80    12     103    9,485,397  92,091  tracy@eatmypussy.net
>  12    61     241.50     5     108    3,810,977  35,287  susan@wetteens.com
>  13    26     330.94     5     148    5,331,301  36,022  susan@wetteens.com
>  12    63     240.05     6      98    5,833,540  59,526  jennifer@teensluts.org
>  13    15     711.71     5     316   24,023,095  76,022  jennifer@teensluts.org
>            ---------        ------  -----------
> Totals      7,454.74         2,382  163,987,380

Remember -- same spammer, same spam. (Some of these came from the Wilmington POPs, but it's still all posted to IDT's news-server.)

What's the Grand Total for our Hundred Hours with the Baltimore Blaster?

   19,726 separate posts
   817,320,651 bytes

Eight hundred and seventeen megabytes of stuff nobody wants to see, posted in just over four days by one spammer.

IDT and PSI have ignored complaints. They don't seem to see any problem with ONE of their users generating this much spam.

Just for giggles, I added up the NNTP-Posting-Host entries in those twenty-five Posting Summaries for ALL the Baltimore and Wilmington PSI POPs. Care to guess how much came out of them in those four days?
   19,215 posts, 840,871,854 bytes

Either there are actually some legitimate users on those POPs producing a tiny percentage of the output, or I missed some of the other forged she-male names advertising that same website. I tend to think it's the latter. (Divide the number of missing posts by the number of missing bytes, and you come out right around the size of the average Baltimore Blaster spam-turd.)

Epilogue -- (or "Who is this prick, and what can we do about him?")

Well, according to the NIC, the domain info for the site is:

-=-=-=-
HotSexNow (HOTSEXNOW-DOM)
   537 Bonnie Meadow
   New York, NY 10056
   US

   Domain Name: HOTSEXNOW.COM

   Administrative Contact:
      Lambert, Harvey  (HL979)  sexxxx@ROCKETMAIL.COM
      212-654-5984
   Technical Contact, Zone Contact:
      XXXstorage Staff  (XS3-ORG)  hostmaster@XXXSTORAGE.COM
      (918) 686-8166
      Fax- (918) 686-8166
   Billing Contact:
      Lambert, Harvey  (HL979)  sexxxx@ROCKETMAIL.COM
      212-654-5984

   Record last updated on 16-Dec-97.
   Record created on 02-Jul-97.
   Database last updated on 8-Feb-98 04:14:24 EDT.

   Domain servers in listed order:

   HOTDOG.XXXSTORAGE.COM   198.247.219.1
   NS1.XXXSTORAGE.COM      198.247.219.2
-=-=-=-

A copy of the article is being sent to Mr. Lambert and the hostmaster at XXXstorage.com, as a courtesy. I'm also sending copies to abuse@idt.net and abuse@psi.net. Prodigy.net is being notified of the forgery of their domain name.

Notes to the parties involved:

IDT -- put a _stop_ to this, according to your AUP.
PSI -- If IDT won't do it, you should.
XXXstorage -- If you continue to provide web services to this person, your reputation (if you have any left) is going to go right down the toilet.
Prodigy -- take a clue from AOL and Hotmail -- SUE!
Mr. Lambert -- have a nice day.

---------------------------------------------------
Respectfully submitted,

Rick "Lysander Spooner" Buchanan
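Added example (not part of Rick Buchanan's post, nor of Joe Greco's Posting Summaries): a small Python script that recomputes the columns of the tables above (Posts, Bytes, BI, ng/p, b/p) from article headers, and then does the correlation the post describes by hand, i.e. keeping only articles injected at an IDT news server from a PSI Baltimore/Wilmington POP and listing which forged From addresses appear behind each POP. The Breidbart index is taken as the standard definition, the sum over a poster's articles of the square root of each article's crosspost count, which is consistent with the quoted figures (604 posts at 25 groups each give 604 * 5 = 3,020.00). The header samples, Message-IDs, byte counts and the "Bytes:" pseudo-header in the script are constructed for illustration.

```python
# Added example (not from the original post): the per-poster tally the post
# reads off Joe Greco's posting summaries, recomputed from article headers.
# BI (Breidbart index) = sum over a poster's articles of sqrt(crosspost count);
# that fits the post's figures (604 posts at 25 groups -> 604*5 = 3,020.00).
# The headers below are constructed (invented values in the layout of the
# headers quoted in the post); "Bytes:" stands in for the article size.
import math
import re
from collections import defaultdict

SAMPLE_HEADERS = """\
Subject: 0155picr.jpg (1/1)
From: temp@prodigy.net
Message-ID: <6b9tro$8ov@nnrp3.farm.idt.net>
NNTP-Posting-Host: ip251.baltimore10.md.pub-ip.psi.net
Bytes: 31120
Newsgroups: alt.binaries.pictures.erotica.pornstars,alt.binaries.pictures.erotica.redheads,
  alt.binaries.pictures.erotica.teen.female,alt.binaries.pictures.erotica.teen.fuck,alt.binaries.pictures.groupsex,
  alt.binaries.pictures.nude,alt.binaries.pictures.nude.celebrities,alt.sex.pictures,alt.sex.pictures.female

Subject: 0156picr.jpg (1/1)
From: temp@prodigy.net
Message-ID: <6b9tro$8p0@nnrp3.farm.idt.net>
NNTP-Posting-Host: ip251.baltimore10.md.pub-ip.psi.net
Bytes: 33980
Newsgroups: alt.binaries.pictures.groupsex,alt.binaries.pictures.nude,alt.sex.pictures,alt.sex.pictures.female

Subject: 94c.jpg (1/1)
From: tightass@hsn.biz
Message-ID: <6b4jre$8p6@nnrp4.farm.idt.net>
NNTP-Posting-Host: ip93.baltimore10.md.pub-ip.psi.net
Bytes: 24650
Newsgroups: alt.binaries.erotica,alt.binaries.erotica.female.plumpers,alt.binaries.erotica.fetish,
  alt.binaries.erotica.fettish,alt.binaries.erotica.pornstar,alt.binaries.erotica.teen,
  alt.binaries.pictures.erotic.centerfolds,alt.binaries.pictures.erotica,alt.binaries.pictures.erotica.amateur

Subject: Re: routing table question
From: someone@example.net
Message-ID: <6b9u01$1a2@nnrp1.farm.idt.net>
NNTP-Posting-Host: ip17.wilmington1.de.pub-ip.psi.net
Bytes: 1480
Newsgroups: comp.protocols.tcp-ip
"""

HEADER_RE = re.compile(r"^([A-Za-z-]+):[ \t]*(.*)$")
POP_RE = re.compile(r"^ip\d+\.((?:baltimore|wilmington)\d*\.(?:md|de)\.pub-ip\.psi\.net)$")

def parse_articles(text):
    """Header blocks separated by blank lines; folded lines join their header."""
    articles = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        hdrs, last = {}, None
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:  # new header line
                last = m.group(1).lower()
                hdrs[last] = m.group(2).strip()
            elif last and line[:1] in (" ", "\t"):  # folded continuation
                hdrs[last] += line.strip()
        articles.append(hdrs)
    return articles

def newsgroup_count(article):
    return len([g for g in article.get("newsgroups", "").split(",") if g.strip()])

def article_bytes(article):
    return int(article.get("bytes", "0"))

def breidbart_index(articles):
    return sum(math.sqrt(newsgroup_count(a)) for a in articles)

def summarize(articles, key="from"):
    """One row per From (or per NNTP-Posting-Host) in the summaries' columns."""
    buckets = defaultdict(list)
    for a in articles:
        buckets[a.get(key, "?")].append(a)
    rows = {}
    for k, arts in buckets.items():
        posts, total = len(arts), sum(article_bytes(a) for a in arts)
        rows[k] = {"posts": posts, "bytes": total, "bytes_per_post": total // posts,
                   "bi": round(breidbart_index(arts), 2),
                   "ng_per_post": round(sum(newsgroup_count(a) for a in arts) / posts, 1)}
    return rows

def rank_by_bi(rows):
    return sorted(rows, key=lambda k: rows[k]["bi"], reverse=True)

def psi_pop(article):
    """Name of the PSI Baltimore/Wilmington POP behind the article, or None."""
    m = POP_RE.match(article.get("nntp-posting-host", ""))
    return m.group(1) if m else None

def via_idt_from_psi_pop(article):
    """The path the post tracks: injected at an IDT news server, from a PSI POP."""
    return article.get("message-id", "").endswith(".idt.net>") and psi_pop(article) is not None

def forged_froms_per_pop(articles):
    seen = defaultdict(set)
    for a in articles:
        if psi_pop(a):
            seen[psi_pop(a)].add(a.get("from", "?"))
    return dict(seen)
```

Run summarize(parse_articles(SAMPLE_HEADERS)) and sort with rank_by_bi to get the same column set as the quoted tables; summarize(..., key="nntp-posting-host") gives the per-POP totals the post adds up at the end, and forged_froms_per_pop shows every forged From address that shares a POP, which is how the extra names in the third table were found.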