From: David Ritz <dritz@primenet.com>
Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed through newsfeed.poshnet.com [2]
Date: 1998/10/14
Message-ID: <Pine.BSI.3.96.981014111851.409A-100000@usr10.primenet.com>
X-Deja-AN: 401088350
References: <Pine.BSI.3.96.981006212333.12841C-100000@usr10.primenet.com>
	 <Pine.BSI.3.96.981008215946.26217A-100000@usr10.primenet.com> 
	<Pine.LNX.3.96.981012142234.8371A-100000@newssource.hostcomm.net> 
	<Pine.LNX.3.96.981013102809.4532A-100000@newssource.hostcomm.net> 
	<MPG.108d94145239faf79896f9@enews.newsguy.com> 
	<MPG.108da8ceba9c47829896fa@enews.newsguy.com> 
	<Pine.BSI.3.96.981013215035.27562A-100000@usr10.primenet.com> 
	<3624D523.21B86D5C@hostcomm.net> <3629d94c.48555915@209.242.64.104>
X-Pgp-0x9A6C8851: 7E72 E815 8EE0 CAC7  1CFB 5CCB A490 984A
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Complaints-To: abuse@globalcenter.net
Organization: SpamBusters!
X-Comment-1: Spam is bad.  <http://spam.abuse.net/others/simplespam.html>
X-Comment-2: LART a spammer for Dobbs.
Mime-Version: 1.0
Reply-To: David Ritz <dritz@primenet.com>
X-Posted-By: dritz@206.165.6.210 (dritz)
X-Meow: yes
Newsgroups: news.admin.net-abuse.usenet

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 14 Oct 1998, Lysander Spooner wrote:

: On Wed, 14 Oct 1998 09:45:23 -0700, Sean <usenet@hostcomm.net> wrote:
: 
: >That is imposiable.  I have turned off their posting ability the only thing that
: >can be done is reading on that box.  the only other feed that they have is from
: >Pacifier.com.  I have gone through everyone of thier configs, they have nothing
: >else.  Am I missing something???
: 
: Yes.  The brains god gave the average turnip.
: 
: Your headers:
: 
: >Path: ...news.maxwell.syr.edu!newsfeed1.earthlink.net!news.pdxfiber.net!newssource.hostcomm.net!not-for-mail
: >From: Sean <usenet@hostcomm.net>
: >Newsgroups: news.admin.net-abuse.usenet
: >Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed through newsfeed.poshnet.com [2]
: >Date: Wed, 14 Oct 1998 09:45:23 -0700
: >Organization: HostComm
: >Message-ID: <3624D523.21B86D5C@hostcomm.net>
: >Reply-To: usenet@hostcomm.net
: >NNTP-Posting-Host: 206.58.218.110
: 
: Okay everybody, fire up a web-browser and connect to that address...
: 
: (ie: http://206.58.218.110/)
: 
: See?  Case closed.

    No, I don't "see".  This IP address went dead, just after you
    posted your message.  =(

    Let's see if I can get a better handle on this, without trying to
    contact an address, which would rather not be contacted.  Here are
    the headers of the emailed copy of the Message "Sean" sent out.

|Received: from smtp02.primenet.com (daemon@smtp01.primenet.com [206.165.6.132])
|    by primenet.com (8.8.8/8.8.5) with ESMTP id JAA06956
|    for <dritz@smtp-local.primenet.com>; Wed, 14 Oct 1998 09:49:26 -0700 (MST)
|Received: (from daemon@localhost)
|    by smtp02.primenet.com (8.8.8/8.8.8) id JAA17577
|    for <dritz@primenet.com>; Wed, 14 Oct 1998 09:49:24 -0700 (MST)
|Received: from UNKNOWN(206.58.210.40), claiming to be "newssource.hostcomm.net"
| via SMTP by smtp02.primenet.com, id smtpd017487; Wed Oct 14 09:49:17 1998
|Received: from hostcomm.net ([206.58.218.110])
|    by newssource.hostcomm.net (8.8.7/8.8.7) with ESMTP id JAA12093
|    for <dritz@primenet.com>; Wed, 14 Oct 1998 09:52:58 -0700
|Message-ID: <3624D523.21B86D5C@hostcomm.net>
|Date: Wed, 14 Oct 1998 09:45:23 -0700
|From: Sean <usenet@hostcomm.net>
|Reply-To: usenet@hostcomm.net
|Organization: HostComm
|X-Mailer: Mozilla 4.04 [en] (WinNT; I)
|MIME-Version: 1.0
|Newsgroups: news.admin.net-abuse.usenet
|To: David Ritz <dritz@primenet.com>
|Subject: Re: EMP - BI>28200 - Matt Middleton's dedicated spam-feed through newsfeed.poshnet.com [2]
|References: <Pine.BSI.3.96.981006104928.8762D-100000@usr10.primenet.com> <Pine.LNX.3.96.981006142927.21954A-100000@newssource.hostcomm.net> <Pine.BSI.3.96.981006212333.12841C-100000@usr10.primenet.com> <Pine.BSI.3.96.981008215946.26217A-100000@usr10.prim
|Content-Type: text/plain; charset=us-ascii
|Content-Transfer-Encoding: 7bit
|X-UIDL: d0f99e8a4b081b88a7e878424498f4ec

    I'm really much better with news headers, so somebody correct me,
    if I go astray.

    This message was originated from [206.58.218.110], which identified
    itself as "hostcomm.net".  The message was then relayed through
    newssource.hostcomm.net [206.58.210.40], which smtp02.primenet.com
    had a little trouble verifying - UNKNOWN.

    The originating IP address is in a rouge Empire2 net-block, operated
    by Matt Middleton and Andy Vilcauskas (aka Andy Vilcus).

|usr10# whois -h whois.arin.net 206.58.218.110
|Structured Network Systems, Inc. (NETBLK-SNS-NET-5) SNS-NET-5
|                                                   206.58.0.0 - 206.58.255.255
|Empire Communications (NETBLK-NET-EMPCOMM2) NET-EMPCOMM2
|                                                 206.58.218.0 - 206.58.218.127

    Now, much to my amazement, the finger daemon at pdxfiber.net is up
    and proving all sorts of interesting information.  (The daemons at
    NEWS.pdxfiber.net, *hostcomm.net and *poshnet.com are still down. 
    I'm ready to lay odds that the daemon at pdxfiber.net will also be
    offline, shortly after this message appears.)

]usr10# f root@pdxfiber.net
][pdxfiber.net]
]Login: root                             Name: root
]Directory: /root                        Shell: /bin/bash
]Last login Tue Oct 13 17:44 (PDT) on ttyp2 from rob.empire2.com:0.0
]Mail last read Fri Sep  4 10:30 1998 (PDT)
]No Plan.

]usr10# nslookup rob.empire2.com
]Server:  dns1.primenet.net
]Address:  206.165.5.10
]
]Non-authoritative answer:
]Name:    rob.empire2.com
]Address:  206.58.218.111

]traceroute to rob.empire2.com (206.58.218.111)
<...>
]13  pdx-bordercore2-fe4-0.or.nw.verio.net (205.238.52.195) hostmaster@verio.net
]14  pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) hostmaster@rain.net
]15  core02.hssi5.pdxfiber.net (206.58.1.26) hostmaster@structured.net
]16  206.58.33.210 (206.58.33.210) postmaster@structured.net
]17  206.58.218.111 (206.58.218.111) hostmaster@structured.net

]traceroute to empire2.com (206.58.218.10)
<...>
]13  pdx-bordercore2-fe4-0.or.nw.verio.net (205.238.52.195) hostmaster@verio.net
]14  pdx-core1-h1-0.or.nw.verio.net (206.163.3.54) hostmaster@rain.net
]15  core02.hssi5.pdxfiber.net (206.58.1.26) hostmaster@structured.net
]16  206.58.33.210 (206.58.33.210) postmaster@structured.net
]17  206.58.218.10 (206.58.218.10) hostmaster@structured.net

    As for _rob_.empire2.com, its often the case that these are vanity
    machine names.  brad.netzilla.net is a classic example.

    =>  Name:    brad.netzilla.net
    =>  Address:  208.149.207.247

    =>  vrfy brad
    =>  250 Bradley D. Allison <brad@netzilla.net>

    Now, WTF is "Rob"?

]usr10# telnet mail.empire2.com smtp
]Trying 206.58.218.10...
]Connected to empire2.com.
]Escape character is '^]'.
]220 empire2.com ESMTP Sendmail 8.8.5/8.8.4; Wed, 14 Oct 1998 04:45:49 -0700
]helo usr10
]250 empire2.com Hello usr10.primenet.com [206.165.6.210], pleased to meet you
]VRFY doc
]250 RHS Linux User <doc@empire2.com>
]VRFY mattm
]250 Matt Middleton <mattm@empire2.com>
]VRFY drew
]250 andy vilcauskas <drew@empire2.com>
]EXPN postmaster
]250 Rob Bloodgood <robb@empire2.com>
]QUIT
]221 empire2.com closing connection
]Connection closed by foreign host.

    Rob seems to be Empire2's <postmaster>.  (How 'bout them apples?)

    Someone on Empire2's postmaster's vanity machine is logged on as
    <root> at PDXFiber.net.

    The address which "Sean" is posting and sending email from,
    [206.58.218.110], has an IP address immediately adjacent to
    Empire2's postmaster's vanity machine, [206.58.218.111].

    "Sean" has maintained, from the beginning, that he has no knowlege
    of Empire2 or Matt Middleton.  "Sean" has stated that some unnamed
    "birdie" told him to use an Empire2 address to access his own
    server, through Poshnet.
    (see email dated Mon, 12 Oct 1998 14:09:57 -0700 (PDT), quoted in
    <Pine.BSI.3.96.981013231203.27562B-100000@usr10.primenet.com>)

} We gave access to poshnet and poshnet gave us access so we could work on
} this problem they are having with spam.  The IP range that logged into
} poshnet was one we were told was unused and available so we used it.

    Does anyone want to guess what this is all about?

    Here are today's clues.

|Middleton, M (MM3141)           doc@EMPIRE2.COM
|   AM Ent., Inc.
|   921 SW Wahington, St.
|   Portland, Or 97205
|   503.241.1091 (FAX) 503.241.1198
|
|   Record last updated on 01-Sep-98.
|   Database last updated on 14-Oct-98 04:42:46 EDT.

|Middleton, Matt (MM3141-ARIN)           mattm@EMPIRE2.COM
|   AM Enterprises of Portland, Inc.
|   921 S.W. Washington St.
|   Suite 224
|   Portland, Or 97205
|   503.241.1091 (FAX) 503.241.1198
|
|   Record last updated on 08-Jul-97.
|   Database last updated on 13-Oct-98 16:11:04 EDT.

|usr10# whois drew@empire2.com
|Vilcauskas, Andrew (AV1538)     drew@EMPIRE2.COM                    5036923719
|Vilcus, andy (AV503)            drew@EMPIRE2.COM                  503.299.3548
|Vilcus, andy (AV504)            drew@EMPIRE2.COM                  503.645.6757

|Vilcauskas, Andrew (AV1538)             drew@EMPIRE2.COM
|   Andrew Vilcauskas
|   7305 sw delaware cir
|   tualatin,, OR 97062
|   5036923719
|
|   Record last updated on 01-Jun-98.
|   Database last updated on 14-Oct-98 04:42:46 EDT.

|Vilcus, andy (AV503)            drew@EMPIRE2.COM
|   AJV
|   16552 NW argyle way
|   portland, OR 97229
|   503.299.3548
|
|   Record last updated on 24-Aug-98.
|   Database last updated on 14-Oct-98 04:42:46 EDT.

|Vilcus, andy (AV504)            drew@EMPIRE2.COM
|   AJV
|   16552 NW argyle way
|   Portland, OR 97229
|   503.645.6757
|
|   Record last updated on 23-Feb-97.
|   Database last updated on 14-Oct-98 04:42:46 EDT.

: Sean, you are too fucking stupid to live.

    Do you really think this guy's name is "Sean Morrow"??!

: -- Rick
: -----------
: ** Now GO AWAY! **

    <AOL> M3 T00!! </AOL>

 --
 David Ritz <dritz@primenet.com>           Finger for PGP Public Keys
 Fight against spam & spammers.                 http://spam.abuse.net
 Outlaw Junk Email.  ++++++  Join CAUCE  ++++++  http://www.cauce.org
               ** Be kind to animals. - Kiss a shark. **


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
Comment: Finger:dritz@primenet.com for Public Keys

iQCVAwUBNiT7FtzLrWGabIhRAQGM2AP/fWyc/ODtjJEzblSU4cHev6MFdmkT9Ybo
YaT6ax7iDLNufS1XCm1yJLjYqTjv986CXXFZ1rfs9h6y+JHwpzf9IvaVYP5nLHZt
39QJw6KGHgFQ9/nDRymesIo51wQwwaiuMoENwZByhKJQSPBXtffpqm2MLsCAkLdU
UjZqKk1+blA=
=mj4P
-----END PGP SIGNATURE-----