Overview of spam from Middleton
7 Jun 2012
Note: Automated spam monitoring stopped several years
ago. These web pages are maintained for historical reasons. Some
may be updated from time to time as news about the individual sites
No spam today
Overview of last 7 reports
Overview of history
|Total spam since 18 Oct 1999||463||730
|Peak spam on 20 Oct 1999||139||139
|Peak daily spam on 20 Oct 1999||69||69
|Average daily spam||11.9||19.6
full history also available
General information about Middleton
Added 25 Mar 1999. Spam from Matt Middleton has been documented
back to 1996. Middleton receives internet connectivity from
Verio. Verio no longer permits Middleton
to spam from Verio servers, but they still provide internet
Matt Middleton (aka Empire Communications)
is a porn spammer who uses a variety of methods to hide
spam. Techniques include, but are not limited to:
- Use of decimal number IP addresses instead of hostnames or dotted-quad
- base-64 encoding of the spam.
- uuencoding of the spam.
- Use of java script to pop up windows leading to his porn sites.
- Inclusion of random characters in the message body to foil
pattern-detectors in spam-detecting software.
- Inclusion of random text in the message body, probably extracted from
some other on-topic post.
- Non-ascii characters in the header.
- Extensive forgery in the Path: header.
A timeline of Middleton's activities can be found at
Matt Middleton -- Andrew Vilcauscas timeline
be disabled when reading netnews.
Such extensive forgery and stealth techniques make it very difficult
to track Middleton spam. Numbers shown here and in other reports
usually reflect only a small portion of the actual total.
For a good overview of Middleton forgery techniques, see
"Middleton Forgeries from IDT.NET, at a Glance".
Current path forgery looks like this:
1 Actual point of injection is news.wans.net.
2 Remainder of path is forged in order to hide
the origin of the spam or to prevent the spam from being seen by
spam-cancellers, or both.
Middleton owns or is associated with the following spam sites and aliases:
- AM enterprises
- Andy Vilcus
- David Shultz
- Empire Communications
Ownership & Contact Info
Whois identifies Middleton as
Middleton, M (MM3141) doc@EMPIRE2.COM
AM Ent., Inc.
921 SW Wahington, St.
Portland, Or 97205
503.241.1091 (FAX) 503.241.1198
Record last updated on 01-Sep-98.
Database last updated on 24-Mar-99 19:08:36 EST.
- Dec 1996: First documented complaint about Middleton.
Middleton operating news.empire2com dedicated
spam server. Newsfeed through xmission, hosted by ELI.NET(?)
- May 1997: Middleton operating ns.empire2.com dedicated spam server;
newsfeed through news.eli.net
- 17 June 1997: First documented disconnection of Middleton.
- July 1997: Middleton loses newsfeed through eli.net;
now using news.structured.net.
- Feb 1998: Middleton uses nonexistent domains and forged
empire2.com news server stamping *.*webserver.com.
Newsfeed through news.structured.net and inetarena.com
- April 1998: news.pacstar.net appears in Paths of Middleton spam.
Newsfeed through inetarena.com and news.structured.net
- July 1998: Middleton server becomes stealth - disappears from Path.
Randomized forged Path preloads using real site names.
Forged NNTP-Posting-Hosts and Message-IDs using real site names.
Newsfeed through newsfeed.nyu.edu, news.or.nw.verio.net
(was news.structured.net), news-stl.cp.verio.net.
- Aug 1998: Middleton stealth server located at [220.127.116.11], as
identified in Path MISMATCH stamps by news-feeder.onramp.net.
Complex, randomized forged Path preloads using real site names.
Forged NNTP-Posting-Hosts and Message-IDs using real site names.
Newsfeeds through news-stl.cp.verio.net, news.or.nw.verio.net,
news-feeder.onramp.net, noos.hooked.net, newsfeed.nyu.edu.
- Aug 1998: News.nwregion.net appears in Path.
Nwregion.net actively seeking newspeers.
Newsfeeds through, news.maxwell.syr.edu, Gamma.RU,
news.or.nw.verio.net, pacifier, ai-lab.
- Sept 1998: Middleton sets up stealth rogue newsfeed using
POSHNET.COM, HOSTCOMM.NET and PDXFIBER dummies. Stamps
non-existent Path stamps.
- Oct 1998: 199810: analysis of above leads to
Empire/Poshnet/Hostcomm/PDXFiber having eight newsfeeds cut in five
days. Newsfeeds through newsfeed.xcom.net, news-fra.maz.net,
(full public discussions archived at Google Groups)
- Feb 1999: Middleton hijacking of nntp.farm.idt.net from
*.pub-ip.psi.net dialups detected - dozens of brief dialup
sessions to PSINet POP(s) around the country. Simple forged
Path preload: extra.newsguy.com!lotsanews.com.
- 25 Mar 1999: Added to tracking list.
- April 1999: Middleton hijackings from *.pup-ip.psi.net continue.
Complex Path preloads consisting primarily of sites from which
Middleton's spam is being tracked.
- 9 April 1999: Idt has disabled posting
access to PSI dialups in order to stop
Middleton from spamming. See netnews article
Re: [CFD] UDP of IDT.NET for more.
- April 1999: Middleton removed from PSINet dialups.
- April 1999: Middleton hijacking of news.btitelecom.net,
news.wans.net, news.laserlink.net, news.hooked.net,
news.ntr.net and news.smartworld.net from *.da.uu.net dialups.
Dozens of brief dialup sessions to UUNet TNTs around the
country; complex Path preloads consisting primarily of sites
from which Middleton's spam is being tracked
- April 1999: Middleton has moved to Verio
- 24 July 1999: Middleton stealth newsfeed detected;
server does not appear in Path.
Extremely complex Path preloads consisting primarily of
forgeries of sites from peering list and their peers.
- 27 July 1999: Verio seems to have
disconnected Middleton. Now posting through SmartWorld
- 29 July 1999: Confirmed; Verio
has blocked nntp traffic from
core02.hssi5.pdxfiber.net at pdx13-hssi1-0.or.nw.verio.net.
PDXFIBER is required to stop the Middleton spam, before Verio
will allow NNTP traffic from PDXFIBER to transit their network
Middleton stealth server disappears.
- Aug 1999: Middleton removed from UUNet dialups.
- 13 Aug 1999: Now posting from Ntr..net
- 13 Sept 1999: Now posting from USWest.
randomized, forged Path preloads consisting of a single real site.
- 4 June 2000: Web site evicted from Verio
middleton receives netnews feeds from the following sites that I know of:
Included below are some sample spams from Middleton. The base-64 encoding
has been decoded and the embedded HTML codes have been quoted.
From: rezende <email@example.com>
Subject: "Paddle, Crop, Cane and Tawse- *not* a law firm"
Date: Wed, 07 Apr 1999 20:13:48 GMT
<!-- r96vnse2znsyt8h1zt74w41mbedbce24o8zc1ee026ywfgxe95j5akslz5xckzg88gk9vzax69tlpr0zwj463ws -->
<!-- 2pfmpwvxdg78fh6lqz7gr7foqkuuhnxjdd62a1znh7vxo2if2pvtwb -->
<form method=post atag="#5rtkzoslg96zpu288" action="mailto:firstname.lastname@example.org?SUBJECT=Signup" atag="#kkcni2rp0" enctype="text/plain">
<center><!-- nvciczgwdt3f34frmmmjbp2qrrmlox2csfu5fa2s4587anyxalhlbjc2byn0vqcn57tkhvdl1l -->
<table atag="#j2sotl8ta1fqblq0f" cellspacing=0 cellpadding=0 border=0 width=468><tr><!-- b9s9jeq4p9gslegla6yxc5rxnma8nv2z4v8o9ytz89rto7fyedwqinn5axeythyyc7ml5flepc7ekndy0aojybo8937 --><td align="right" colspan=2>
<img atag="#9o9t8lhro8go40r" src="slmbox_203_top.gif" width=468 height=51 border=0><tr><!-- k51wcoii33xtg470skysvnbtz02939cofdls23a577znc6o4rnxmb8 --><td align="left" valign="top" width=227 bgcolor="#000000">
<input atag="#oljxetytk9eaau3jic" type=text name="email" size=27 maxlength=50><!-- a9hjcrv169mybp9hxhglun9zexw185hjez2rrysx8ewk4622oini6xhluem3j4ny3ppuoisx --><td align="right" valign="top" bgcolor="#000000">
<input atag="#qxuim2z" type=image src="slmbox_203_right.gif" width=241 height=26 border=0><!-- ph2wj4k2r38pktjzgnikahn07ippbmm04pwnthqlkya5su48hnss4gtczi1a5ob9d8x7pnsam2ffwkne8f7dw0pvjq6ofhxs --></table>
</center><!-- vzfjrp6u5lrp85xodakdzgwqmk53iytex8xpy4k3pbsyhqmu1771o4rapwe7u8mshkifo2jdecbv2yq36x4u2 --></form>
to pop up, pointing to the spammer's web site, based at
From: kaliah mc masters <email@example.com>
Subject: ABPEB - Aa0739j.jpg - Fills for Kinky (Last of aa-j) - Thanks
FServe 6224 bytes
Date: Wed, 07 Apr 1999 20:51:54 GMT
"Will you do anything we tell you to...no questions asked...no matter
how vulgar or dirty?"
I suddenly realized that this was probably a sexual proposition. So,
they were into a little master/slave play? A little S&M perhaps? I
was definitely game.
"Yes, I will," I asserted.
"Okay," said the fat one, "my name is Gina, my friend here is Susan.
We would like to have a servant to abuse - both physically and
verbally - tomorrow when we go to Black's Beach. You'll do. We're
not going to let you get your rocks off - your duty will be to do
exactly what we tell you to do...and we're going to make you do some
pretty nasty, vulgar things...all for our enjoyment. We're going to
screw you - like you want to screw us - maybe with a chrome toy, or
we'll find some gay guy and tell him he can screw you while we watch.
At any rate, you're not to speak at all, and you must do everything
we tell you to. Is that clear?"
Listening to her talk, my sausage had grown to it's full six inches.
The bulge in my suit would surely have been visible to everyone else
<!-- zqd62ydeczar1jmyta834mm0qmoc8m07deefcrtor4fto1rhc0 -->
<!-- kgm7gct4p2rpa43pkfgd48ik16mtnyt8fgfvt90ibr7lwbagrr -->
<body atag="#j46ocu" onLoad="window.open('http://3504240994/cgi-bin/track/0474/3')"><!-- uv0cf2i1v50pef5tbz2bhe3pz00agr2bm2n24640c4qqjwjvvl -->
<img atag="#" src="http://3459962440/count/2310402.55.1"></body></html><!-- 7czb1zb1astc3gfrjkxnl9sb0c8j735ef5ph51jftcsxt8pctn -->
<!-- zexrqx3ygb1mphrfywgicav48ody06l0kjsbgwax7cjxtacs7t -->
Another example (25 Mar 1999). As you can see, when this
window is opened, displaying web page "http://3459963407/#07d". Using
we see that this translates to "http://18.104.22.168/#07d",
and that this URL is the site "happytime.com", owned by Middleton.
(Note that happytime.com has changed ownership since 1999 and is
no longer connected to Middleton.)
From: WAKLEE <firstname.lastname@example.org>
Subject: ¨¨°şİoż,,żoİş°¨¨°şİ #celeb_central on IRC; the Undernet
İş°¨¨°şİoż,,żoİş° - cameron02.jpg(1/1) 2454 bytes
Date: Thu, 25 Mar 1999 19:02:28 GMT
Content-Type: multipart/mixed; boundary="----------=_922379034-12851-4"
This is a multi-part message in MIME format...
really grunting and graoning. I could tell from the fire and lust in
eyes that Jeff was really getting him off and was almost ready to
load. I sucked harder on Jeff's sausage, wanting him to snice his
getting a load of cowboy cream snice down his throat.
Soon Rick grunted and held Jeff's head steady in his hands and began
him his load. Jeff's sausage twinged wildly. His balls tightened.
shoot and fill my mouth. I took his sausage and held it in my mouth,
the spew overflow into my mouth.
I took and held every drop in my mouth. As soon as Jeff was done
and Rick had pulled away, I moved and put my mouth up to Jeff's and
taste himself, kissing his nice lips and filling his mouth with his
letting his spew mingle in with the remaining spew in his mouth from
Rick had gone over and was touching Steve. He touched Steve's sides and
stroked him, much like a cowboy would stroke and pet his horse after a
<!-- mtgiy6tn67k22phgyvd93y8tzbff2qrok87ie05l8qobf6re14n53wy27ei959ypi57 -->
<!-- 6die37qjdhxemlkqhitpxbz2kxr33z0acjpgqfz3xxiji2a0l3pieokzmc2pb20nlp4b43e11wljzvjkz92dxndkzfabiay -->
<body atag="#v8tow" onLoad="window.open('http://3459963407/#07d')">
<!-- z3f46u57rrrqnbbmkdzi1c20scbanaemdtqkowsfnk6avhwfuwxw90x -->
<img atag="#pa" src="http://3459962439/count/2219742.55.1"><!--
<!-- b94ed6rh54ycug4amt961g2kbxyz12ydc3rp9j6en4rilvs7p2erjhbue9ugctuowmd55jktobba74ix6wope0ktaeam74a3qo -->
Subject: SDC Serie - join us on DalNet #sdc -
sdc_0296_hollyherckis_har.jpg(1/1) 14086 bytes
From: raeann oscelus <email@example.com>
Date: Fri, 25 Jun 1999 16:40:34 GMT
X-Trace: 25 Jun 1999 12:45:13 -0500, 1cust91.tnt1.rdu1.da.uu.net
my jeans and allowed them to hang loosely from my hips. The top of my boxers
were plainly visible through the V that my open jeans made, as was the
growing bulge that my erection was making against the front. I moved the
flat of my palm down my lower torso, past the elastic waistband on my shorts,
through my curly pubic hair and to the base of my rapidly swelling shaft. My
sausage was angled downwards slightly and had been pressing outwards against my
jeans. With sweep, I brought it around so that it was now pointing upwards.
Rearranging the fabric of my shorts, I pulled the engorged length through the
slit in front. My sausage was now free and exposed ... and standing at full
attention. I wrapped my hand fully around the shaft and give myself couple of
long, slow, exaggerated strokes. Umm...yes! My jeans had fallen off my waist
and I stepped out of them. As I did so I turned to the side. In the reflection
in the mirror I saw the outline of my trim body ... and the form of my rigid
penis, which I was grasping firmly, proudly. And you were in the mirror too,
sitting in the rocking chair. Watching. Umm... You *do* like to watch donUt
you! I pulled down my shorts and was now gloriously naked. It had gotten dark
in my room, so I lit several candles and climbed on to my bed, on the side
begin 644 nrlm9.htm
Here is the earliest example in my files:
From: Lillith (Lillith)
Subject: I FOUND THE BEST IN HARDCORE XXX
Date: 30 Dec 1996 19:19:42 GMT
Organization: News Server
Content-Type: Text/Plain; charset=US-ASCII
X-Newsreader: WinVN 0.99.8 (beta 2)
If your looking for a GREAT SELECTION OF HARDCORE XXX pics and Movies,
I found the PLACE for you! They have the largest selection of XXX HARDCORE
pics and MOVIES I have found anywhere! They also have great XXX HOT CHAT and
a FREE XXX SECTION for anyone that wants the pics. Go check them out, you'll
love it!! Look for me in the chat section, I love to talk nasty!
Here is the address:
There is no contact info for Middleton. Try postmaster
A complete history may also be available.
- Only a small subset of usenet (261 groups) was sampled. Only
articles that hadn't been cancelled yet were counted. Actual
spam may have been much greater.
- Heuristics that detect single-posted articles are, by their very
nature, somewhat shaky. Innocent articles may be tagged as spam
because they share certain characteristics or keywords with
actual spam. In particular, a posted spam complaint that includes
the spam in its entirety will very often be identified as spam.
- Some posts may be forgeries intended to look like they came
- The first entry in the history file is not used to compute peak
or average spam counts, as this entry covers an unknown number of days.
This may cause an apparent disreprency between spam totals and spam
Return to top |
Return to spam summaries |
The opinions expressed on this page are solely those of Ed Falk and do
not necessarily represent those of any other organization, (although I
hope they do). I wish to thank Rahul.net for hosting this web page.
This page maintained by