From: David Ritz
Newsgroups: news.admin.net-abuse.policy
Subject: Re: UUNet Allows the Destruction of Usenet
Date: 11 Nov 1997 09:55:36 GMT

-----BEGIN PGP SIGNED MESSAGE-----

In article <346381FB.B23D0ED@spinne.com>, Jeff Garzik wrote:

:Edward A. Falk wrote:
:> Fluffy wrote:
:> >Now that isc.org has redundant newsfeeds, there's no pressing reason not
:> >to simply alias UUnet out of existence.
:
:> Agreed. Anybody have a list of UUNet news peers? We should contact
:> all of them and suggest they drop their UUNet feeds and peer with
:> each other.
:
:That might be construed as harassment in some lawyers' eyes.

I doubt it. UUnet has become the single greatest threat to the continued existence of Usenet, today. It's certainly not from lack of trying, on their part.

If another UDP action is to be initiated against UUnet, it is only appropriate to notify those peers, whose Usenet traffic through UUnet may be dropped on the floor.

Personally, I'd much prefer that a second, much tougher UDP against UUnet be avoided. It's why I've invested so much time and energy in bringing UUnet into view of a clue, so that they would not be such a direct threat to Usenet.

:I really doubt UUnet is this evil behemoth everyone makes it out to be.

I don't know of anyone, who feels that UUnet is 'evil'. I'd like to think they were just clueless, but I'm afraid that their greed is the real source of the problem.

While much was made of UUnet's press release, dated August 5 of 1997, in private, this was taken as a very bad joke and attempt to save face, on the part of UUnet:

   UUNET TOUGHENS ANTI-SPAMMING POLICY

   Largest ISP Re-Affirms Zero-Tolerance Policy Toward Spammers

   FAIRFAX, Va., August 5, 1997 - UUNET Technologies, Inc., the world's largest Internet Service Provider (ISP) and a subsidiary of WorldCom, Inc., today announced it will take additional measures against the growing tide of mail and newsgroup spammers.
   The new measures will make it much more difficult for spammers to post messages through UUNET, and are designed to enable UUNET to identify the origin of a specific spam.

   "Spamming" is the sending of unsolicited material to a wide list of recipients, either through the mail or the news systems of the Internet. UUNET has a zero-tolerance policy toward spamming and understands that it is a widespread problem for Internet users.

   The spamming problem does not originate with UUNET or its resellers, but with a small number of end users, who are typically customers of those resellers. More than 99 percent of the spamming investigations conducted by UUNET involve a reseller. UUNET actively assists in identifying the spammer, and the reseller then follows its own policies, which typically include warnings to its customers and eventual termination.

[snippage of more great b.s. and nonsense (Pardon me, while I puke.)]

I suppose, my first question deals with, how does one go about toughening a policy which exists solely in the mind of a copywriter? It never existed prior to the release of this statement. From my experiences with UUnet, following the release of this statement, I can say with some certainty, that no such policy exists at this time.

While the disabling of POST to the Alterdial servers, did have an immediate effect on the numbers of spam articles flowing through these machines, it does not mean that the spam flowing directly to the NEWS-IN*.UU.NET servers has decreased appreciably. This is a point, I shall return to, in a bit, since it is the crux of the current source of friction.

:If I was a UUnet exec and random net.people started hounding me about
:spam, I would be pissed off at the anti-spammers, not the spammers...

When the UDP against UUnet was lifted, last August, I set out on a course, designed to help prevent a set of circumstances, which _would_ lead to another UDP action.
My plan, which I initiated on my own, consisted of three parts:

1) Better handling of abuse complaints - from nothing to something - especially in the handling of complaints against their POP users

2) Cutting off the direct spam feeds from UUnet's dedicated bandwidth customers - Andrew Chandler

3) Holding UUnet's dedicated bandwidth customers accountable for their abuses, even when such abuse was victimizing non-UUnet customers - AdultSights

I began, by opening a pair of tickets, one dealing with the spam-feed from Andrew 'The Greatest' Chandler's net-block:

   The Greatest Inc. (NETBLK-UU-208-223-162-GREAT) UU-208-223-162-GREAT
                                          208.223.162.0 - 208.223.162.255

   The Greatest Inc. (NETBLK-UU-208-223-162-GREAT)
      499 E. Palmetto Park Rd
      Boca Raton, FL 33496
      US

      Netname: UU-208-223-162-GREAT
      Netblock: 208.223.162.0 - 208.223.162.255

      Coordinator:
         Metson, Mark (MM339) aa332@CHEBUCTO.NS.CA
         +1 (902) 454-1615

      Record last updated on 18-Aug-97.
      Database last updated on 9-Nov-97 04:54:23 EDT.

Chandler, who has run a string of spam sites, prior to being granted this full Class C block, is better known as EscortGuide:

   CLASS ACT PERFORMANCES (ESCORTGUIDE-DOM)
      22783 South St. Rd. 7 Ste. 43
      Boca Raton, FL 33428

      Domain Name: ESCORTGUIDE.COM

      Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
         Domain Administrator (DA1293-ORG) hostmaster@ESCORTGUIDE.COM
         800-659-0550 Fx 1 templa

      Record last updated on 25-Sep-97.
      Record created on 22-Mar-96.
      Database last updated on 9-Nov-97 04:54:23 EDT.

      Domain servers in listed order:

      NS.ESCORTGUIDE.COM 208.223.162.2
      NS.SPECIAL-FX.COM 208.195.253.2

How, you might ask, does a reputable operation, like UUnet, end up granting full Class C blocks to notorious spamming operations? Well, they have to start out by making sure they check into these operations, no further than whether or not the check clears.

Well, that may be a slight exaggeration. They may have been bamboozled by the smarmy Mr.
Chandler, who told them he was setting up a new ISP in the Boca Raton, Ft. Lauderdale area:

   Florida Internet Service Providing (FLORIDA-ISP-DOM)
      22783 South St. Rd. 7 Ste. 43
      Boca Raton, FL 33428

      Domain Name: FLORIDA-ISP.COM

      Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
         Domain Administrator (DA1293-ORG) hostmaster@ESCORTGUIDE.COM
         800-659-0550 Fx 1 templa

      Record last updated on 25-Sep-97.
      Record created on 28-Jul-97.
      Database last updated on 9-Nov-97 04:54:23 EDT.

      Domain servers in listed order:

      NS.ESCORTGUIDE.COM 208.223.162.2
      NS.SPECIAL-FX.COM 208.195.253.2

When the spamming began in earnest, just as soon as the record was created, it was all being fed directly out of the 'florida-isp.com' news server. Where was it all going? Directly into the news stream, through UUnet. This was not a question of a reseller of POP access. This was, and remains, a direct spam-feed to Usenet.

The servers located in this net-block, have used ESCORTGUIDE, FLORIDA-ISP and are currently spewing pink turds, as METROSUPPORT:

   Andrew Chandler (METROSUPPORT-DOM)
      6503 North Military Trail
      Boca Raton, FL 33496

      Domain Name: METROSUPPORT.COM

      Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
         Domain Administrator (DA1293-ORG) hostmaster@ESCORTGUIDE.COM
         800-659-0550 Fx 1 templa

      Record last updated on 26-Sep-97.
      Record created on 18-Apr-97.
      Database last updated on 9-Nov-97 04:54:23 EDT.

      Domain servers in listed order:

      NS.ESCORTGUIDE.COM 208.223.162.2
      NS.SPECIAL-FX.COM 208.195.253.2

Now, I'll admit, that Chandler's numbers are down, slightly, from the roughly 30,000 spamlettes he was unleashing on Usenet, daily:

   Top 25 Sites identified by Spam Hippo Despam as of Nov 8, 1997 -
   NNTP Posting Host
    1 metrosupport.com 18867

   Top 25 Sites identified by Spam Hippo Despam as of Nov 8, 1997 -
   Originating News Server
    1 news.metrosupport.com 18867

Yep, Andy was number one on the hit parade, again.
It's a really unusual day when these numbers drop below 10,000 articles and Andy's ranking as top spam-dog falls out of the top five sources of spam in Usenet.

This was ticket number one. I filed a report. I added one follow-up report to the original. I waited a day or so, and gave UUnet's support desk a call.

You have to realize, that after years of fully ignoring all complaints of net-abuse, UUnet had developed a well earned reputation of not lifting a finger, unless someone went to the bother of following up and making sure that the report in question was even looked at, rather than simply being added to a database, where it could be ignored. The general feeling about UUnet's handling of net-abuse could be summed up with the statement, "If you ignore the problem long enough, they'll forget what they were complaining about in the first place."

I began by introducing myself as one of the individuals who was directly involved in the designing of the UDP, which had just been lifted. I went over my analysis of the Chandler spam feed, tossing in a few statistics, along the way, to support my case. As is normally the case, I was told that UUnet would be looking into the situation. Additionally, I was asked to be patient.

About once per week, I would send along some of the newest examples of thickly spread pink manure, coming from the Chandler spam-feed. About once per week, I would call to see what the scoop was with this ticket.

Since things were moving nowhere fast, I was eventually put into contact with John Bradshaw, UUnet's security manager, who oversees the operation of the , and desks. We had a fairly lengthy conversation, which I found very stressful and unsettling. I could tell it was going to be a major uphill battle.

To begin with, Bradshaw had been thoroughly primed by Chandler.
He had every cliche about freedom of speech, censorship and the rest of the pink drivel which serves as an excuse for massive net-abuse:

"But these 'rooms' are all full of nothing but ads for sex sites. Why do you feel that it's inappropriate for _our_ accounts to do what everyone else is doing?"

"You don't own these 'rooms'. What gives you the right to complain about what someone else is doing in them?"

"I thought the purpose of these groups was for advertising sex-sites. After all, the 'rooms' where these items are being posted are 'adult' in nature. What's wrong with posting adult advertising in these adult oriented 'rooms'?"

Well, I took him through each of these questions, answering them in turn. As entirely frustrating as this exercise was, I did manage to make a couple of points, noting, for example, that one of the "adult oriented 'rooms'" Mr. Chandler had chosen to spread his fresh pink manure in, every single day, was alt.sexual.abuse.recovery. (Mr. Bradshaw did recognize that this was inappropriate.)

I gave Mr. Bradshaw a couple of references, which he said he'd look up. He promised to look into the matter and get back to me, after a thorough investigation.

True to his word, Mr. Bradshaw did call me back. He explained that he had checked with his downstream news feeds and that:

1) it wasn't spam, and
2) everyone wanted it

When I pointed out that the downstreams he had checked with were the spammers, he remained adamant, insisting that the 20-30,000 substantively identical articles being posted, to a few hundred newsgroups, on a daily basis, were not spam. (I was not having a good time.)

After going ballistic, finding this the most ridiculous line of illogic I'd encountered in some time, Mr. Bradshaw did ask me how _I_ defined spam. I could tell it was still a long way to that clue....

I tried to point Mr.
Bradshaw toward the appropriate FAQ:

   FAQ: Current Usenet spam thresholds and guidelines

I mentioned that this widely accepted document went farther than just defining spam. It defined spam which was considered, by a vast consensus of news administrators, to be cancelable, as net-abuse.

Chandler is an EMP specialist, normally posting to one group at a time. Just to make sure your drivel gets noticed, at least by the despammers, Chandler makes a regular point, of posting the identical article number one, anywhere from a dozen to twenty times, before doing the same thing with article number two. That article number two is substantively identical to number one, appears to be irrelevant, as it, too, must be posted in the same fashion.

On a whim, I decided to see just exactly what Mr. Chandler felt was so important, that it required saying quite so often as he does. I did an analysis of the two hundred seventy three articles, which were straight EMPed to a single newsgroup. With a little crunching, I found that this spam was for only two URLs.

At one point, I was told that the recommendation was being passed up the ladder, to pull the plug on Chandler's spam-block. Needless to say, I was pleased with this information. Too bad it wasn't true. No matter how much effort I put into dragging the folks at UUnet into the same room as the clue, it was not a happening thing. I was not a happy camper.

OK. That's where we stand. It's UUnet's position, that they will take no action against this spam factory. Since it was UUnet's spineless legal department who did the most sabre rattling back in August, I requested to speak to someone over there, about the possible ramifications of UUnet's "...zero-tolerance policy toward spamming..." (You remember that crock, from paragraph two of the August press release. Interestingly, this release remains the only reference to spam or net-abuse on the entire UUnet web site.)
This leaves little hope for point number three, which I'll address much more briefly, here.

I attempted to explain that the events which led to the August UDP being issued, were a direct result of another group of spam-sites, hosted by UUnet. When the Westerlind brothers, Noel and Rich, began spamming in earnest from New Jersey and Ft. Lauderdale area *.ms.uu.net POPs, to Alterdial, the UUnet numbers shot through the roof.

A UDP action, against BellAtlantic, had been narrowly averted. The Westerlinds jumped from BA to UUnet and the numbers took off. With a long standing history of doing nothing, whatsoever, about spam, UUnet became the immediate focus of the despammers' attention.

Rather than continuing to clean up after UUnet's mess, for the next six months, it was decided to take the drastic measure of declaring a Usenet Death Penalty against the spew to the Alterdial machines. Note, this is completely contrary to UUnet's public statements, that all traffic being _carried_ by UUnet was being targetted by those imposing the UDP. Great care was taken, to only target items which were being posted to Alterdial. When the numbers were crunched, it was found that better than 99% of the articles being canceled under this active UDP, would have been cancelled as spam, even without the UDP action.

This is when an important milestone was reached: UUnet took its first ever step to curb their abusive customers. They disallowed POST, from any of their _own_ POPs. Now, you have to keep in mind, that it's been these very same POPs, which have been used by spammers to spew through Earthlink, GTE and IDT, to name a few, for months on end, without UUnet so much as lifting a finger to trace the source of the spam, unless some meanoldbadnastyBOFHadministrator, at one of these victimized ISPs, took the time to squeeze the pertinent information out of the one place where modem logs could be located.

Still, it worked.
The brothers Westerlind moved on to greener pastures, terrorizing ISPs in the Monmouth, New Jersey, and Dade, Florida areas. The only problem is, that UUnet doesn't feel that there should be any accountability, for the actions their customers perpetrate on anyone else they can find.

Most of these sites lie within the [208.208.223.*] block. This is the *short*list*, covering the bulk of the spam sites in question:

   UUNET Technologies, Inc. (NETBLK-UUNET1996B)
      3060 Williams Drive, Suite 601
      Fairfax, Virginia 22031

      Netname: UUNET1996B
      Netblock: 208.192.0.0 - 208.228.255.255
      Maintainer: UU

      Coordinator:
         Uunet, AlterNet - Technical Support (OA12) help@UUNET.UU.NET
         +1 (800) 900-0241

      Domain System inverse mapping provided by:

      AUTH03.NS.UU.NET 198.6.1.83
      AUTH50.NS.UU.NET 198.6.1.161

      ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

      Record last updated on 15-Sep-97.
      Database last updated on 17-Sep-97 04:59:10 EDT.

Since it isn't UUnet's concern, what these accounts do, so long as it isn't from their equipment, this merry band of net terrorists is free to continue their efforts against Usenet. Kevin 'SpamJunky' Freeman, through several open NNTP ports around the world:

   Top 25 Sites identified by Spam Hippo Despam as of Nov 8, 1997 -
   NNTP Posting Host
   <....>
    2 mix2.boston.mci.net 10870
    8 superlink.net 5519

Other POPs being abused by Kevin's operation, include:

   163.middletown-01.nj.dial-access.att.net
   176.new-york-07.ny.dial-access.att.net

which have shown some extremely high numbers, over the past couple of days. As far as I can tell, they're still plugged into Pontificia Universidade Catolica do Parana, [beta.pucpr.br], and spamming the living daylights out of this machine.

   Top 25 Sites identified by Spam Hippo Despam as of Nov 8, 1997 -
   Originating News Server
   <...>
    2 vorlon44 17960
   12 ns1.autonet.net 2761

(These servers are not abused, exclusively by Kevin, but it's a high enough percentage to be worth taking note.)

This only addresses one of the spamming operations, which have found refuge in a UUnet net-block, which allows them to abuse the net with impunity. When one considers the volume of spam produced by just these two UUnet hosted net-blocks, you are looking at nearly twenty to twenty five percent of all the spam in China, er, Usenet.

I haven't addressed the POPs, which continue to be a plague. Right now, the Chicago POPs remain an ongoing problem. Please, consider, when I say ongoing, we're talking about the past year, with no action or reaction on the part of UUnet.

   11 max12.chicago.il.ms.uu.net 2994

The same is true of L.A., S.F. Philly, Atlanta and Minneapolis, which continue to be under a limited UDP in some hierarchies. So far as _anyone_ has been able to determine, no one at UUnet has ever lifted a finger to curb this abuse.

In the past, I've recommended to Earthlink and GTE, that they block access to ports 25 and 119 of all of their machines, from any of these heavily abused POPs.
(Personally, I think they should block access to any of their machines, from any UUnet operated POP. Of course, the problem is they depend on these communally accessible, but UUnet controlled POPs, for their legitimate customers.)

OK, here comes another biggie. One which can easily account for another 5-7% of all Usenet traffic. [Double those figures, when you factor in the cancels issued on everything originating within this net-block.] These guys have been number one on _my_ hit parade, since they began their assault on Usenet, just about a year ago. This is, of course, NetZilla, the ITC [207.70.214.*] block.

Nope, they're not direct customers of UUnet's. This rogue spam factory, which has long employed forgery to gain fraudulent access to news feeds, recently appears to have become one or more of UUnet's best customers.

New paths started appearing, a few weeks ago, with all too great frequency. When NETZILLA got directly into Sprint's, UUnet's, MCI's and CRL's news feeds, I suspected that the folks at NETZILLA were up to no good. I was able to verify this with CRL's newsmaster, Karl Mehloff. Karl was able to determine just exactly where the feed was coming from, by looking up the histories of any of the thousands of unauthorized accesses to the CRL servers, coming from the SpamZilla factory.

When I first picked up the NETZILLA spew flowing through CRL, it was coming from the NETZILLA block. Within minutes of verification of this unauthorized access, all packets from [207.70.214.*] were being routed to null.

Now, since I'm really tired, I'll just take you to the conclusion of this part of the story.

As of last week, the SpamZilla was flowing. Their numbers were again in the top three to five. In terms of BI, they were the hands down most abusive source of manure in Usenet, since they've always relied on heavy cross posting.
There were occasional items moving through MCI and GreenNet, but roughly 98% of what I was seeing, was entering the news stream through either Sprint or NEWS-IN*.UU.NET.

The Sprint paths don't lie. They accurately identify the IP address of the machine which feeds any article to these news-in machines. In all paths I examined, the IP addresses belonged to various *.tnt23.chi5.da.uu.net POPs. This accounted for roughly half of the SpamZilla traffic.

The other half of the traffic looked like

   Path: ...!uunet!in*.uu.net!207.70.214.202!feed.newsfeeds.com!(forged)

   Name: newsfeeds.com
   Address: 207.70.214.202

   usr04% whois newsfeeds.com
   newsfeeds corp (NEWSFEEDS2-DOM)
      PO Box 954
      Moorhead, MN 56561

      Domain Name: NEWSFEEDS.COM

      Administrative Contact, Technical Contact, Zone Contact:
         Rodney, Allison (AR1896) rodney@NETZILLA.NET
         701-233-8788
      Billing Contact:
         Rodney, Allison (AR1896) rodney@NETZILLA.NET
         701-233-8788

      Record last updated on 20-Oct-97.
      Record created on 21-May-97.
      Database last updated on 9-Nov-97 04:54:23 EDT.

      Domain servers in listed order:

      NS1.NETZILLA.NET 207.70.214.2
      NS1.CORPCOMM.NET 199.165.217.101

This became the crux of great friction, between the staff at UUnet and myself. While insisting that neither NETZILLA, nor NETZILLA d/b/a NEWSFEEDS.COM, were accounts of UUnet's, the paths said otherwise.

Since the folks at NETZILLA are noted path forgers, and knowing how they'd been able to gain access to the CRL, Sprint and MCI servers, I requested confirmation of the IP addresses, which were feeding into the UUNET news-in machines. While every other victimized network was willing to share information, in order to cut this rogue news feed off from the news backbone, I found myself being stonewalled by UUnet. I was told that the IP address shown in the path was blocked from accessing the news-in machines, but the stuff was obviously moving through these machines.
It wasn't quite like I was asking for the name, bank card accounts and Social Security numbers of the accounts. I just wanted to know what addresses needed to be IP blocked by the *responsible* providers I was dealing with.

Well, on Thursday, I received a very huffy call from John Bradshaw's immediate superior, stating that John had taken a look at some of my reports, which he had called me angrily about, earlier in the week. (To say that he was extremely rude is a vast understatement.) I was then told, by Michele Pohlmann, that action was being taken on two matters. [No, she couldn't tell me what, when, where, why or who, but action was being taken.]

A couple of hours later, I received the following message, which appeared on one of the mailing lists I subscribe to:

=> This message was sent to tech support from John Bradshaw today, wanted
=> to let you all know:
=>
=> Wanted to let you know that we cutoff 2 newsfeed
=> customers today:
=> netzilla
=> xxxxxxxx [blocked out to protect the guilty]
=>
=> Can someone please copy this to the email folders
=> for these 2 sites and don't turn them back on.

Imagine my surprise, to suddenly realize that UUnet had been lying to me about their peering arrangement with the number one net-abusers of Usenet. (How can you cut off a feed, which you insist never existed?)

:It really saddens me, though, to see UUnet being dragged through the
:mud.

No one is dragging UUnet through the mud. UUnet is having far too much myopic fun, wallowing in the pig-pen with their pink porker brethren.

Usenet has always been built on trust. This trust is where the entire concept of peering originates, and while some of the mega-providers have reduced the need of knowing one's neighbors, Usenet still requires that providers trust one another.

Currently, I see little reason to trust UUnet. They have consistently shown that they will do little or nothing, in curbing rampant net-abuse by their customers.
At this time, UUnet remains the single greatest facilitator of net-abuse in Usenet, and they're not far behind in email abuses. (How many administrators, out there, are currently IP blocking all email traffic originating from most or all of the UUNet POPs, because they remain a major source of UCE and UBE?)

That banner headline, which I quoted at the beginning of this 'short' article, might better read:

   UUNET TOUGHENS NON-EXISTENT ANTI-SPAMMING POLICY
   Largest ISP Re-Affirms Zero-Clue Policy Toward Spammers

:UUnet: it doesn't have to be this way. At least post on Usenet (or on
:a Web page) that UUnet is aware of the problem, and is working on it.
:Any sort of public statement beats stone cold silence.

I began requesting that Mr. Bradshaw at least begin taking a look, at how UUnet is perceived, by the online community at-large, just after the UDP was lifted prematurely, back in August. So far as I've been able to figure it, he didn't take me up on my recommendation until the last week or so. When he did, I don't think he liked what was being said about poor, abused, picked on little UUnet. He even told me that something I had said, at some point, was untrue, but he wouldn't tell me what it was.

All he could say, for all the effort I put forth, in trying to prevent the current climate from leading to a major LARTing of the world's largest, clue free, ISP, is, "Don't send us any more reports or complaints. Do not call. You are not an administrator. You are not an UUnet customer. You do not subscribe to the rooms you are complaining about. UUnet will take no action on anything you provide us with. Good bye. (click)"

As has been said by some of my associates, if I can't bring UUnet within reach of a clue, no one can.

I'm sorry, guys. I tried. I just hope it isn't too late for yoUU.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Ritz
Be kind to animals: Kiss a shark.
Finger for PGP Public Keys
Anti-spam resources: Make Junk Email Illegal.
Join at
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBNGgpm9zLrWGabIhRAQFzMQQAhjaxiExqqjhnHvvvzBAKpcjSco91a9aL
T5BJCo0hppH6ZYTewHm/QHv4Jg91mRudkzgJpmRht+bomxC/W8nssoJcLcyoDgl1
0qWQDmYBEv5Jtb9ASHa1pp8TCaBdoJNj3Ll9CrVmorki9MmMREhPuXxAI042pqTi
WpipmiQ3z3k=
=+62t
-----END PGP SIGNATURE-----
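
Added example, not part of the original post: the Path reading the post relies on (trust only what a known relay stamped, and treat everything after the recorded feeder as possibly forged), written as a small Python tally. The relay names, trusted patterns and sample headers are constructed; only 207.70.214.202, feed.newsfeeds.com and the 207.70.214.* block come from the post.

```python
from collections import Counter
from fnmatch import fnmatch

# Assumption: relays whose Path stamps we believe (constructed names).
TRUSTED = ["news.example.org", "news-in*.example.net"]

# Constructed sample headers, newest relay first, as Path is written.
SAMPLE_PATHS = [
    "Path: news.example.org!news-in1.example.net!207.70.214.202!feed.newsfeeds.com!not-for-mail",
    # Forged tail that names a trusted relay; it must not be believed.
    "Path: news.example.org!news-in2.example.net!207.70.214.17!news-in1.example.net!not-for-mail",
    "Path: news.example.org!news-in1.example.net!192.0.2.44!not-for-mail",
    "Path: unknown.example.com!news.example.org!not-for-mail",
]

def split_path(header, trusted=TRUSTED):
    """Return (verified relays, recorded feeder, unverified tail).

    Each relay prepends its own entry, so entries are believed only while
    they form an unbroken run of trusted relays from the left. The entry
    right after that run is what the last trusted relay recorded for its
    peer; everything further right was supplied by that peer.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("path:") else header
    entries = [e.strip() for e in value.split("!") if e.strip()]
    i = 0
    while i < len(entries) and any(fnmatch(entries[i].lower(), g) for g in trusted):
        i += 1
    if i == 0 or i == len(entries):      # no trusted stamp, or no peer recorded
        return entries[:i], None, entries[i:]
    return entries[:i], entries[i], entries[i + 1:]

def netblock(entry):
    """Collapse a dotted-quad entry to a.b.c.*; hostnames are lower-cased."""
    parts = entry.split(".")
    if len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts):
        return ".".join(parts[:3]) + ".*"
    return entry.lower()

def tally_feeders(paths, trusted=TRUSTED):
    """Count articles per recorded feeder, grouped by /24 block."""
    counts = Counter()
    for p in paths:
        feeder = split_path(p, trusted)[1]
        counts[netblock(feeder) if feeder else "(no trusted relay)"] += 1
    return counts.most_common()

if __name__ == "__main__":
    for block, n in tally_feeders(SAMPLE_PATHS):
        print(f"{n:6d}  {block}")
```
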