From: buchanan@cybernex.net (Lysander Spooner)
Newsgroups: news.admin.net-abuse.usenet
Subject: Binary flooding attack on Usenet (Austin Adult Services/Web877.com)
Date: Mon, 20 Jul 1998 20:51:32 GMT
Organization: Sisyphus Systems
Lines: 1232
Message-ID: <35b8abeb.55066581@news.newsguy.com>
Reply-To: buchanan@cybernex.net
NNTP-Posting-Host: p-183.newsdawg.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Newsreader: Forte Agent 1.5/32.451

Preface

Over the past few days, Usenet has been subjected to a flood of binary
spam that goes well beyond EMP, and (IMO) constitutes an attempted DOS
attack on the adult-oriented newsgroups   I've been watching these
particluar spammers get gradually worse for about a month, but they
have now gone totally apeshit.  Jeez, at his pinkest, even the
Baltimore Blaster was never this flagrant!  Thiis is the worst
spamming I have _ever_ seen.

I think I found a new "special friend."

<aside>
If you work for an ISP or news-provider, and you're all too aware of
what you are paying for bandwidth, you might want to pull up a
calculator and do a little cost figuring as you read along.

OTOH, If you pay an ISP or news-provider for Usenet service,  ask your
favorite admin what numbers he came up with -- assuming he is still
coherent after seeing them.   Make no mistake -- YOU are paying that.
Even if your monthly bill doesn't increase, these costs represent the
improvements you'll never see.   It's tough to upgrade servers and
disk-arrays at the same time that you're subsidizing a major
advertising budget for a pack of parasitic spammers.
</aside>


Part One -- The Damage

If there's one thing that bothers me more than an abused open server,
it's a dedicated spamserver.   There's no ambiguity in these cases --
someone is buying a newsfeed for the sole purpose of ripping off the
rest of Usenet.   And more to the point, someone is _selling_ it to
him.  That pisses me off.

Today's case in point is "news.web877.com".   As far as I can tell,
not a single legitimate (BI < 20) article has ever come from this
server.    Let's look at the Spam Hippo stats for the last few weeks:

-=-=-=-
Ultra Hippo - Top 100 Spam News Sites - 6/30/98
                                        Total    Spam   %Spam   KBytes
  7 news.web877.com                      7660    7660     100   322468

Ultra Hippo - Top 100 Spam News Sites - 7/1/98
                                        Total    Spam   %Spam   KBytes
 29 news.web877.com                      1740    1740     100    37791

Ultra Hippo - Top 100 Spam News Sites - 7/2/98
                                        Total    Spam   %Spam   KBytes
  6 news.web877.com                      6240    6240     100   280475

Ultra Hippo - Top 100 Spam News Sites - 7/3/98
                                        Total    Spam   %Spam   KBytes
 20 news.web877.com                      2524    2524     100    55187

Ultra Hippo - Top 100 Spam News Sites - 7/4/98
                                        Total    Spam   %Spam   KBytes
 17 news.web877.com                      2100    2100     100    45445

Ultra Hippo - Top 100 Spam News Sites - 7/5/98
                                        Total    Spam   %Spam   KBytes
  2 news.web877.com                      6903    6903     100   300239

Ultra Hippo - Top 100 Spam News Sites - 7/6/98
                                        Total    Spam   %Spam   KBytes
  3 news.web877.com                      9644    9644     100   521900

Ultra Hippo - Top 100 Spam News Sites - 7/7/98
                                        Total    Spam   %Spam   KBytes
 28 news.web877.com                      1883    1883     100    44091

Ultra Hippo - Top 100 Spam News Sites - 7/8/98
                                        Total    Spam   %Spam   KBytes
  4 news.web877.com                      9425    9425     100   363551

Ultra Hippo - Top 100 Spam News Sites - 7/9/98
                                        Total    Spam   %Spam   KBytes
  2 news.web877.com                     11778   11778     100   424191

Ultra Hippo - Top 100 Spam News Sites - 7/10/98
                                        Total    Spam   %Spam   KBytes
  1 news.web877.com                     12927   12927     100   470915

Ultra Hippo - Top 100 Spam News Sites - 7/11/98
                                        Total    Spam   %Spam   KBytes
  8 news.web877.com                      4276    4276     100   114078

Ultra Hippo - Top 100 Spam News Sites - 7/12/98
                                        Total    Spam   %Spam   KBytes
  6 news.web877.com                      4965    4965     100   190626

Ultra Hippo - Top 100 Spam News Sites - 7/13/98
                                        Total    Spam   %Spam   KBytes
  3 news.web877.com                     10959   10959     100   411773

Ultra Hippo - Top 100 Spam News Sites - 7/14/98
                                        Total    Spam   %Spam   KBytes
  4 news.web877.com                      7188    7188     100   283080

Ultra Hippo - Top 100 Spam News Sites - 7/15/98
                                        Total    Spam   %Spam   KBytes
  2 news.web877.com                     10586   10586     100   409817

Ultra Hippo - Top 100 Spam News Sites - 7/16/98
                                        Total    Spam   %Spam   KBytes
  2 news.web877.com                     10305   10305     100   310650

Ultra Hippo - Top 100 Spam News Sites - 7/17/98
                                        Total    Spam   %Spam   KBytes
  3 news.web877.com                      9130    9130     100   277810

Ultra Hippo - Top 100 Spam News Sites - 7/18/98
                                        Total    Spam   %Spam   KBytes
  8 news.web877.com                      5223    5223     100   212604

Pure, unadulterated pork-by-product.  Five, ten thousand articles a
day.  Say, oh, a quarter-GIGAbyte a day of crap being spewed.   Crap
that is being dropped on receipt by any service with a clue (and being
promptly canceled at any service with a  half a clue.)   Pretty
egregious, huh?

Too bad it's just the tip of the iceberg...

As soon as I started wading through the sewage gushing forth from the
kind folks at web877, I got that deja vu "I've seen this spammer
before" kinda feeling.   They were all adverts for websites in the
Adultserv spamglomerate (typical cheesey third-rate spam-sites, all.)

Back in February of this year I was calling him "The Annoying Netcom
Binary Spammer".   I posted an article detailing the level of his
abuse, which seemed pretty serious at the time.   I quote myself:

(Snip)
>>42	244.0	244	1.00	15,058,512	61,715	lmw21@netcom.com (Christine Wojtowicz)
>>34	411.0	411	1.00	28,772,633	70,006	lmw21@netcom.com (Christine Wojtowicz)
>>5	804.0	804	1.00	40,226,825	50,033	lmw21@netcom.com (Christine Wojtowicz)
>>Totals		8,496 posts		337,970,821 bytes
>
>Out of those 24 four-hour periods, lmw21@ix.netcom.com made the list
>of Top-Posters 21 times.   lmw21@netcom.com (actually an ix.netcom
>account, almost certainly the same one, as you'll see shortly) made it
>7 times.
>
>That's an average of about 2000 post/day, for roughly 85 MB/day.

Shortly after that expose', Netcom booted him, he moved to MCI, and
cut back significantly.  I always meant to follow up on it, but I
became embroiled in a UDP, a mortemtorium, a betrayal by a rat-bastard
SCAB, and an extended sabatical from the spam-trenches.   I lost track
of the pinkster before I even positively ID'ed him (them?), and I
_hate_ leaving loose ends.   Fear not, for part two of this missive
("Who the fuck ARE these guys?")  ties them up quite neatly.

We've already seen that the output from news.web877.com is _triple_
what adultserv was spewing just five months ago, but when I set my
cancelbot upon the dreck and looked at the logs, I couldn't believe my
eyes.   

They're also spamming _massively_ from MCI.

And Onramp.

And CCSI, and KDI, and DBCity!!

Rather than quote those logs, I'm going to refer to an independent
source of data that is readily verifiable for accuracy -- Joe Greco's
Posting Summaries.   Here are some extracts from approximately three
(3) days worth of reports, given in reverse chronological order:

>Subject: Usenet Posting Summary (Sun, 19 Jul 1998 00:00:58 CDT)
>   1   1196.000    1196    30755038 lonestar@adultserv.net
>   3   1030.000    1030    30704721 harold@adult2000.net (Dr. Harold Beaver)
>   7    568.000     568     9544248 marilou@adultserv.com
>   8    568.000     568    37941723 sexjourney@adultserv.net
>  38    264.000     264    12772847 lapicia@adultserv.net
>  85    113.000     113     8740857 smutlord@adultserv.net
>
>Subject: Usenet Posting Summary (Sat, 18 Jul 1998 20:01:06 CDT)
>   1   1806.000    1806   110353018 boobs@adultserv.net
>  18    525.000     525    12602251 lonestar@adultserv.net
>  28    341.000     341     8867805 harold@adult2000.net (Dr. Harold Beaver)
>  36    294.000     294     8291080 therscowboy@adultserv.net
>  61    175.000     175    13153959 smutlord@adultserv.net
>  63    171.000     171    11102868 laura@adultserv.net
> 178     67.000      67     5576823 Brandiana@adultserv.net
>
>Subject: Usenet Posting Summary (Sat, 18 Jul 1998 16:01:45 CDT)
>   3   1032.000    1032    22392094 harold@adult2000.net (Dr. Harold Beaver)
>  11    552.000     552    17271661 lolo@adultserv.net
>  27    303.000     303    19746080 laura@adultserv.net
>  40    244.000     244     3927878 marilou@adultserv.com
>  45    238.000     238     5753602 lonestar@adultserv.net
> 122    109.000     109     9029873 Brandiana@adultserv.net
> 161     89.000      89     6655085 smutlord@adultserv.net
> 446     32.000      32      447688 pierre@adult2000.net (Pierre LeMutt)
> 502     27.000      27     2291713 Kiki@adultserv.net
>
>Subject: Usenet Posting Summary (Sat, 18 Jul 1998 12:01:15 CDT)
>   9    695.000     695    17900747 molly@adultserv.net
>
>Subject: Usenet Posting Summary (Sat, 18 Jul 1998 08:00:43 CDT)
>  11    337.000     337    10800650 molly@adultserv.net
>  17    239.000     239    15116779 dominated@adultserv.net
>
>Subject: Usenet Posting Summary (Sat, 18 Jul 1998 04:00:50 CDT)
>  14    446.000     446    13239751 lolo@adultserv.net
>
>Subject: Usenet Posting Summary (Sat, 18 Jul 1998 00:02:56 CDT)
>   4   2781.000    2781    75732943 dungeon@adultserv.net
>   6   2637.000    2637    98313654 smuttywhutyy@adultserv.net
>  11   1017.000    1017    39295706 dominated@adultserv.net
>  12    916.000     916    27990828 lolo@adultserv.net
>  15    646.000     646    14031684 wiely@adult2000.net (Wiely Rock)
>  24    288.000     288    22137943 smutlord@adultserv.net
>  49    175.000     175    14282826 Kiki@adultserv.net
>  63    141.000     141     9760023 kinggeorge@adultserv.net
>  88    105.000     105     3412858 molly@adultserv.net
> 146     66.000      66     1353772 lonestar@adultserv.net
> 222     45.000      45      783670 harold@adult2000.net (Dr. Harold Beaver)
>
>Subject: Usenet Posting Summary (Fri, 17 Jul 1998 20:02:06 CDT)
>   9    669.000     669     7194881 amber@adultserv.net
>  11    525.000     525    17049207 smuttywhutyy@adultserv.net
>  16    451.000     451    31537459 kinggeorge@adultserv.net
>  18    430.000     430    36430981 Kiki@adultserv.net
>  22    406.000     406    15089103 molly@adultserv.net
>  33    289.000     289    21768616 smutlord@adultserv.net
>  50    227.000     227     6996427 lolo@adultserv.net
> 187     67.000      67     4735327 poonking@adultserv.net
> 247     54.000      54     2859629 francis@adultserv.net
> 275     49.000      49     4043884 Brandiana@adultserv.net
> 310     43.000      43      911139 sales@adult2000.net (Pat Myass)
>
>Subject: Usenet Posting Summary (Fri, 17 Jul 1998 16:02:02 CDT)
>  17    580.000     580    39849970 kinggeorge@adultserv.net
>  18    558.000     558    38582582 poonking@adultserv.net
>  19    523.000     523    38247870 Kiki@adultserv.net
>  50    276.000     276    20816673 smutlord@adultserv.net
> 154    110.000     110     9209538 Brandiana@adultserv.net
> 195     85.000      85     2899730 molly@adultserv.net
> 541     30.000      30     2370545 wenedy@adultserv.net
>
>Subject: Usenet Posting Summary (Fri, 17 Jul 1998 12:01:37 CDT)
>  38    318.000     318    21973728 kinggeorge@adultserv.net
>  81    178.000     178    14983799 Kiki@adultserv.net
>  97    153.000     153    11606175 smutlord@adultserv.net
> 307     46.000      46     2848137 smut@adultserv.net
> 347     39.000      39     2151282 darkdungeon@adultserv.net
>
>Subject: Usenet Posting Summary (Fri, 17 Jul 1998 08:00:42 CDT)
>
>Subject: Usenet Posting Summary (Fri, 17 Jul 1998 04:00:47 CDT)
>   4   1135.000    1135    30714261 cowboy@adultserv.net
>   7    690.000     690    17905611 Clitorita@adultserv.net
> 255     28.000      28     2013039 poonking@adultserv.net
>
>Subject: Usenet Posting Summary (Fri, 17 Jul 1998 00:00:53 CDT)
>   2   2550.000    2550    64658060 darkdungeon@adultserv.net
>   3   2361.000    2361    67567282 smut@adultserv.net
>   4   1348.000    1348    98041218 sexjourney@adultserv.net
>   6    769.000     769    19406234 Clitorita@adultserv.net
>   9    625.000     625    16439332 cowboy@adultserv.net
>  12    493.000     493     1028382 titties@adultserv.net
>  18    372.000     372    25876839 poonking@adultserv.net
>  28    228.000     228    17639137 smutlord@adultserv.net
>  37    180.000     180     1831015 winnie@adultserv.net
> 261     30.000      30     2400295 wenedy@adultserv.net
>
>Subject: Usenet Posting Summary (Thu, 16 Jul 1998 20:01:37 CDT)
>   5    816.000     816    30717166 dominated@adultserv.net
>   9    666.000     666    17407393 Clitorita@adultserv.net
>  13    557.000     557    14117683 susana@adultserv.net
>  17    522.000     522    15509562 heretittytitty@adultserv.net
>  29    313.000     313    23756933 smutlord@adultserv.net
>  32    305.000     305    21390402 poonking@adultserv.net
>  87    146.000     146    12109797 titties@adultserv.net
> 401     34.000      34     1794135 darkdungeon@adultserv.net
>
>Subject: Usenet Posting Summary (Thu, 16 Jul 1998 16:01:36 CDT)
>   3   1188.000    1188    34947978 heretittytitty@adultserv.net
>  16    409.000     409     6731470 lisa@adultserv.net
>  19    380.000     380    11098030 susana@adultserv.net
>  54    213.000     213    15811160 wenedy@adultserv.net
> 230     58.000      58     3987591 poonking@adultserv.net
> 469     28.000      28      225748 babe@adultserv.net
>
>Subject: Usenet Posting Summary (Thu, 16 Jul 1998 12:01:44 CDT)
>  13    670.000     670    10685375 lisa@adultserv.net
>  43    325.000     325     9713820 heretittytitty@adultserv.net 
>  51    267.000     267     6422470 susana@adultserv.net
> 104    129.000     129     6264183 sassy@adultserv.net
> 290     48.000      48     3721978 sexjourney@adultserv.net
>
>Subject: Usenet Posting Summary (Thu, 16 Jul 1998 08:00:49 CDT)
>  88     73.000      73     5945006 sexjourney@adultserv.net
> 145     44.000      44     1958512 darkdungeon@adultserv.net
> 170     38.000      38     2364355 smut@adultserv.net
> 184     35.000      35     2042398 Tina@adultserv.net
>
>Subject: Usenet Posting Summary (Thu, 16 Jul 1998 04:01:12 CDT)
>   4   1372.000    1372    11781412 tonya@adultserv.net
>   8    953.000     953    76136396 sexjourney@adultserv.net
>   9    771.000     771    40801837 Tina@adultserv.net
> 187     50.000      50      423773 rosie@adultserv.net
> 314     32.000      32     2037600 sassy@adultserv.net
> 384     31.000      31     1827470 smut@adultserv.net
> 399     30.000      30     2530564 titties@adultserv.net
> 538     28.000      28     1261299 darkdungeon@adultserv.net
>
>Subject: Usenet Posting Summary (Thu, 16 Jul 1998 00:01:15 CDT)
>   3   1552.000    1552    38959030 darkdungeon@adultserv.net
>  18    370.000     370    19023815 Tina@adultserv.net
>  19    367.000     367    25939130 poonking@adultserv.net
>  21    326.000     326    16580456 sassy@adultserv.net
>  52    188.000     188    14192300 sexjourney@adultserv.net
>
>   Total:	50527  articles	
>              1981972360   bytes

Whoa!   That number needs some comas...

>	1,981,972,360   bytes

Yes folks, in round numbers, TWO GIGABYTES in three days!

(probably more, since I only extracted the large and obvious entries
from the reports.)

[Are those calculators whizzing?]

And just what _are_ these fifty thousand pink offerings?  Exactly what
I described in February --

>Let there be no confusion -- these are small, low-res, miserable
>quality JPG images lacking any artistic merit (or even any erotic
>appeal) which have been plastered, encrusted and defaced with
>advertising copy and URLs, then strewn about in great heaps,
>occasionally minimally customized for the topic of the groups to which
>they are multi-posted, with the same crappy pics being recycled and
>regurgitated often enough for each one to _independently_ exceed a BI
>(Briedbart Index) of 20, even if they weren't all substantively
>identical, which of course they are.

Rather than bore you with details of how many times "adult1.jpg" was
posted, I would just point out that Andrew Gierth's binary-spam
auto-cancelbot, Annihilator, has been killing this stuff wholesale.

(Okay, okay!  "adult1.jpg" represents about 2% of the articles from
this outfit -- about 1,000 copies of it in those three days.   I can't
WAIT to hear the Spammer's Lament about how people really _want_ this
stuff.)

So how do we get this nonsense stopped?   

First, we find out who their upsteam news-source and we ask what the
HELL they are doing providing a newsfeed to these guys.  Like, Duh!

Then we go after their webhosts and bandwidth providers.   More on
both of these shortly.

And of course we play Whack-a-Weasel with the accounts that are being
used to spam.   I took a sample 5000 spamules and summarized on
NNTP-Posting-Host (masking the non-NIC-assigned octets of the address
or stripping the beginning of the FQDN in order to collapse the list.)

>166.55.0.0 		2349

Assorted Sacramento and Bloomington MCI POPs.   These things have wide
areas of coverage and aren't especially useful for geographic
investigation.

>207.193.127.0 		1062

This is the Class-C where web877.com lives.   Almost all of these came
from 207.193.127.1 -- merlin.web877.com.   Some had the server itself
as posting host.

>209.75.131.0 		1020

RTD.com dial-ups.

>RTD Systems & Networking, Inc. (RTD-DOM)
>   177 N. Church Ave. Suite 310
>   Tucson, AZ 85701
>
>   Domain Name: RTD.COM

====> Note:   Tucson ISP.

>ccsi.com  		437

More dial-ups.

>COMMUTER COMMUNICATION SYSTEMS (CCSI-DOM)
>   13706 Research Blvd. Suite 203
>   AUSTIN, TX 78750
>   USA
>
>   Domain Name: CCSI.COM

====> Note:    Austin ISP.   (HUH?)

>dbcity.com  		362

Another local ISP.  NIC sez :

>Database City (DBCITY-DOM)
>   700 Rocky River Road
>   Austin, TX 78746
>
>   Domain Name: DBCITY.COM

Austin.

>kdi.com  		35

Ditto.  NIC sez:

>King Dinosaur, Inc (KDI-DOM)
>   6303 Chesterfield
>   Austin, Tx 78752
>
>   Domain Name: KDI.COM

Austin.

>onr.com  		421

Onramp.   Regional ISP.  NIC sez:

>Onramp Access, Inc. (ONR2-DOM)
>   612 Brazos, Suite 103
>   Austin, TX 78701
>
>   Domain Name: ONR.COM

Austin, but they have POPs elsewhere in Texas.

Whew!   Reports are being sent to all of the above.  If _you'd_ like
to drop any of them a line as well, that'd be fine with me.

BTW, The  Great Tucson/Austin Mystery is solved in section 2.

Onward.


Part Two  --  Who the fuck ARE these guys?


A sample header is usually a good place to start...

>From: titties@adultserv.net 
>Newsgroups: alt.binaires.pictures.erotica.teen 
>Subject: Wet Pussy and Hot Erotica!!! only @ Titty.com - !!!cg01.jpg (0/1) 
>Date: Fri, 17 Jul 1998 00:50:06 GMT 
>Message-ID: <35ae9bb2.96104431@207.193.127.7> 
>X-Newsreader: Forte Free Agent 1.1/32.230 
>NNTP-Posting-Host: 207.193.127.1 
>X-Trace: 16 Jul 1998 20:02:11 -600, 207.193.127.1 
>Lines: 28 
>Path: ...howland.erols.net!sunqbc.risq.qc.ca!newsfeed.quebectel.com!Pollux.Teleglobe.net!uunet!in5.uu.net!news.web877.com!207.193.127.1 
>
>
>CUM TO WWW.DARKDUNGEON,COM 
-=-=-=-


[[Margin note #1 -- path shows newsfeed is provided by UUNET.]]


As for web877, according to the NIC:

>[Query: web877.com, Server: whois.internic.net]
>
>Registrant:
>WEB 877 (WEB157-DOM)
>   6705 Hwy 290 West Suite 502-212
>   Austin, TX 78735
>
>   Domain Name: WEB877.COM
>
>   Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
>      DNS ADMIN.  (DA5041-ORG)  dns@WEB877.COM
>      512-891-5972   Fax- 512-891-5716
>
>   Record last updated on 15-Apr-98.
>   Record created on 09-Feb-98.
>   Database last updated on 18-Jul-98 04:13:39 EDT.
>
>   Domain servers in listed order:
>
>   DNS1.WEB877.COM		207.193.127.200
>   DNS2.WEB877.COM		207.193.127.201


Gee, that wasn't very helpful, was it?   (Except for the Austin part.)
I don't want a "DNS Admin."  I want the name of a _person_ I can
blame!

Let's try adultserv.net...

>[Query: adultserv.net, Server: whois.internic.net]
>
>Registrant:
>Austin Adult Services (ADULTSERV3-DOM)
>   6705 Hwy 290 West Suite 502-212
>   Austin, TX 78735
>   US
>
>   Domain Name: ADULTSERV.NET
>
>   Administrative Contact:
>      AAS Content Manager  (AC792-ORG)  webmaster@ADULTSERV.NET
>      512-891-5972 Fax- 512-891-5716
>   Technical Contact, Zone Contact:
>      AAS DNS Manager  (AD2310-ORG)  dns@ADULTSERV.NET
>      512-891-5972  Fax- 512-891-5716
>   Billing Contact:
>      AAS Content Manager  (AC792-ORG)  webmaster@ADULTSERV.NET
>      512-891-5972   Fax- 512-891-5716
>
>   Record last updated on 15-Apr-98.
>   Record created on 15-Apr-98.
>   Database last updated on 18-Jul-98 04:13:39 EDT.
>
>   Domain servers in listed order:
>
>   DNS1.ADULTSERV.NET		207.193.127.202
>   DNS2.ADULTSERV.NET		207.193.127.203

Still no name, but doesn't that address look familiar?   Now we know
-- Web877 IS Austin Adult Services.

Checking the records of every site-domain yields the same (lack of)
results.   Time for a traceroute.

>TraceRoute: 48 data bytes to news.web877.com [207.193.127.7]
>
>...
>5:Rcvd pkt type 11: [198.32.130.66] ord1-core1-a10-0.atlas.digex.net in 271 msec.
>6:Rcvd pkt type 11: [165.117.52.74] ord1-core1-fa4-1-0.atlas.digex.net in 184 msec.
>7:Rcvd pkt type 11: [165.117.52.42] stl1-core1-h0-0.atlas.digex.net in 183 msec.
>8:Rcvd pkt type 11: [165.117.52.46] mci1-core1-h0-0.atlas.digex.net in 220 msec.
>9:Rcvd pkt type 11: [165.117.52.50] okc1-core1-h0-0.atlas.digex.net in 198 msec.
>10:Rcvd pkt type 11: [165.117.52.54] dfw2-core1-pt4-0-0.atlas.digex.net in 250 msec.
>11:Rcvd pkt type 11: [165.117.52.102] dfw2-core2-fa9-1-0.atlas.digex.net in 238 msec.
>12:Rcvd pkt type 11: [165.117.52.33] aus1-core2-h4-0.atlas.digex.net in 234 msec.
>13:Rcvd pkt type 11: [165.117.53.25] aus1-core1-fa3-0-0.atlas.digex.net in 256 msec.
>14:Rcvd pkt type 11: [206.181.161.30] ? in 233 msec.
>15:Rcvd pkt type 11: [151.164.20.3] ded1.austtx.swbell.net in 349 msec.
>16:Rcvd pkt type 11: [151.164.22.6] ? in 401 msec.
>17:Rcvd pkt type 0:  [207.193.127.7] news.web877.com, 48 bytes in 495 msec.

[[Margin Note #2 -- SWBell is the bandwidth provider. CC 's to them.]]

...and to find out who owns the adress-space...

>[Query: 207.193.127., Server: whois.arin.net]
>
>Southwestern Bell Internet Services (NETBLK-SBIS-BLK-1)	SBIS-BLK-1
>						 207.193.0.0 - 207.193.255.255
>LCI Internet (NETBLK-LCI1)	LCI1	       207.193.127.0 - 207.193.127.255

LCI Internet.   Could be the host provider, could be another name for
"web877" and "Austin Adult Service."

>[Query: lci-internet.com, Server: whois.internic.net]
>
>
>Registrant:
>LCI INTERNET (LCI-INTERNET-DOM)
>   6626 Silvermine Dr Ste 700
>   AUSTIN, TX 78736
>
>   Domain Name: LCI-INTERNET.COM
>
>   Administrative Contact, Technical Contact, Zone Contact:
>      McCreary, James  (JM12044)  jrm@LCI-INTERNET.COM
>      512-301-4955 (FAX) 512-301-4916
>   Billing Contact:
>      McCreary, James  (JM12044)  jrm@LCI-INTERNET.COM
>      512-301-4955 (FAX) 512-301-4916
>
>   Record last updated on 15-Nov-97.
>   Record created on 20-May-97.
>   Database last updated on 19-Jul-98 04:05:18 EDT.
>
>   Domain servers in listed order:
>
>   DNS1.LCI-INTERNET.COM	207.193.127.5
>   DNS2.LCI-INTERNET.COM	207.193.127.7

Finally, a name!    But we're far from any proof that he's the perp.

D'you suppose he might have any other NIC records in his name?

>[Query: mccreary, james, Server: rs.internic.net]
>
>McCreary, James (JM12044)	jrm@LCI-INTERNET.COM
>					       512-301-4955 (FAX) 512-301-4916
>McCreary, James (JM7581)	webmaster@DOMINATED.COM		  888-856-2612
>McCreary, James (JM7919)	webmaster@SMUTFILES.COM		  888-856-2612
>McCreary, James (JM8117)	webmaster@TITTY.COM		  888-856-2612
>McCreary, James (JM8672)	james@DOMINATED.COM
>					     (520)791-9054 (FAX) (520)791-9033
>McCreary, James (JM10438)	webmaster@DRBEAVER.COM		  888-856-2612

>McCreary, James (JM3753)	jrm@TAMU.EDU			(713) 445-0301

Lookee there!   McCreary isn't mentioned in the records for those
domains, at least not anymore.  It looks like he's tried to get his
name disassociated from those sites, but the famed NIC efficiency only
got half the job done (or he screwed up...).   Jimmy is looking a bit
pink, but it's not unheard of for a legit web host to serve as domain
contact for their customers,and then regret it if the customers start
spamming.  We'll keep looking around the NIC..

>McCreary, James (JM12044)		jrm@LCI-INTERNET.COM
>   LCI Internet
>   6626 Silvermine Dr. Suite 700
>   Austin, TX 78736
>   512-301-4955 (FAX) 512-301-4916
>
>   Record last updated on 31-Oct-97.
>   Database last updated on 18-Jul-98 04:13:39 EDT.

Nothing  new or  exciting there.

>McCreary, James (JM7581)		webmaster@DOMINATED.COM
>   Dominated
>   P.O. Box 3212
>   Bryan, TX 77805
>   888-856-2612
>
>   Record last updated on 26-Mar-97.
>   Database last updated on 18-Jul-98 04:13:39 EDT.

Webmaster@dominated.com?  Exhibit A for the persecution.
(And _Bryan_ Texas?)

>McCreary, James (JM8672)		james@DOMINATED.COM
>   LCI INTERNET, INC
>   515 E. Grant Rd. Suite 141-255
>   TUCSON, AZ 85705
>   (520)791-9054 (FAX) (520)791-9033
>
>   Record last updated on 20-May-97.
>   Database last updated on 18-Jul-98 04:13:39 EDT.

There's Tucson.   It seems James lived there at one time.  Guess he
still knows people there, huh?   I wonder if we can find out who?
(hehehe)

One more: 

>McCreary, James (JM3753)		jrm@TAMU.EDU
>   L M W  Consultants, Inc
>   838 East Greens Road, Suite 110
>   Houston, TX 77060
>   (713) 445-0301
>
>   Record last updated on 29-Jun-96.
>   Database last updated on 18-Jul-98 04:13:39 EDT.

This is the oldest record, and it's for Texas A&M University.  Is
James an Aggie?   And what is "LMW Consultants"?   (LMW?  why does
that ring bells?)   This gets set aside.  We'll come back to it.

Hell, let's find that smoking gun and get it over with!

Deja News was nice enough to hold onto one of Brian Antoine's cancels:

>Subject:      cmsg cancel <32aaf9ec.4493404@news.tcac.com>
>From:         briana@tau-ceti.isc-br.com
>Date:         1996/12/08
>Message-ID:   <cancel.32aaf9ec.4493404@news.tcac.com>
>Newsgroups:   alt.binaries.pictures.erotica.cartoons 
>control:      cancel <32aaf9ec.4493404@news.tcac.com>
>sender:       jrm@xratedfiles.com (James McCreary)
>x-cancelled-by: briana@tau-ceti.isc-br.com
>[Fewer Headers]
>[Subscribe to alt.binaries.pictures.erotica.cartoons]
>Original Subject: come get your nads off at xratedfiles.com - xrated2.jpg (1/1)

Jimmy-boy, your're busted.

So in 1996, he was using:

>TCA Communications, Inc. (TCAC-DOM)
>   700 University Drive East, #108
>   College Station TX 77840, TX 77840
>   US
>
>   Domain Name: TCAC.COM

which is right next to Texas A&M.  The dates fit.  So, Jim spammed his
way through college, eh?  _That_ I could probably overlook.  I still
remember being a broke college student.  [But even so, those were
still the best seven years of my life! :-)  ]

However, when you leave school you're supposed to find _honest_ work.

Unfortunately for Usenet, we find him prominently featured in some of
Joe Greco's posting summaries...

>Subject:      Usenet Posting Summary (Sat, 20 Dec 1997 00:02:40 CST)
>From:         Joe Greco <jgreco@ns.sol.net>
>Date:         1997/12/20
>Message-ID:   <19971220000240.4005@ns.sol.net>
>Newsgroups:   news.admin.net-abuse.usenet 
>[Subscribe to news.admin.net-abuse.usenet]
>Article segment 12 of 23 - Get Previous / Next Segment - Get All 23 Segments 
>Rank  Posts     Bytes        BI         Data    
>---- ------- ----------- ---------- ------------
>   1    6149     4370601   6149.000 lucy@cyberzone.net
>   2    2053     1912365   5521.238 "Hot, Jennifer" <hotjennifer@hotmail.com>
>   3    2000     1262534   2000.000 MIC@HOTMAIL.COM
>   4     742      489506    742.000 star@apc.net
>   5     681      475986    681.000 miyamoto98@usa.net
>   6     625     1379705    669.369 SlideShowMan@theadultstore.com
>   7     621    44298677    621.000 lmw21@netcom.com (Christine Wojtowicz)
>   8     431      569158    431.000 richards@enterprisesoftware.com
>   9     384      755756    950.307 nospam@net-temps.com (Business Logic, Inc)
>  10     319      175144    319.000 Mandy<tanner44@hotmail.com>
>  11     314    54367487    314.000 sdsailor@home.com
>  12     312      198460    312.000 mic@hotmail.com
>  13     284     8722618    284.000 jrm@lci-internet.com (James McCreary)

HEY!  What's that in the number 7 slot?  lmw21@netcom.com was The
Annoying Netcom Binary Spammer!  LMW?   You ever get the feeling
somebody's trying to tell you something?  (LMW,  LMW...  hmmm.)

So what else would ya'll like to know about Jim?   Apparently his love
life took a turn for the worse in '95...

>Subject:      Trade .33 carat engaugement ring for Hard Drive
>From:         James McCreary <jrm>
>Date:         1995/07/28
>Message-ID:   <3va9lp$ri8@news.tamu.edu>
>Newsgroups:   houston.forsale 
>[More Headers]
>[Subscribe to houston.forsale]
>I have a .33 carat engaugement ring that I would be willing to trade for 
>a Hard Drive over 500 mb.  Paid 600 dollars for it.
>
>James McCreary

Who needs a woman when you've got 500 mb of smut!

If you're artistically inclined (or even if you're not) and you'd like
to deface a picture of Jim, you can find one at:

http://www.infomercialexperts.com/james.htm

Along with:

>James McCreary (Picture taken in Cyberspace)
>Internet Operations Manager
>--------------------------------------------------------------------------------
> James has developed and continuously updated Web Sites 
>for various companies for 2 1/2 years before becoming a 
>team member of MPS in 1995. Various computer experience includes:
>Computer Programmer and Technician, Computing and 
>Information Services -Texas A&M University.

TAMU.  Check.

>Wide Area Network Analyst, Network Availability Center - Texas 
>A&M University.
>
>System Analyst, Field's Financial Services - Bryan TX

Bryan.  Check.

>As of Fall 1996, James is a Senior Marketing Student, 
>at Texas A&M University. 
>
>Media Placement Services (MPS), a Houston Based Advertising Corporation, 

Read "Spamhaus".

>is a full-service advertising agency offering a wide range of services 

yada yada yada...     Whatta ya say?  Has Jim had enough?    

NAHHH!  Let's drag his family into it!

On the staff page of that site,  I found:

> Christine McCreary // christine@buymall.com
>Staff Supervisor

And Deja News says Chris was a bad girl.  This is one of hundreds.

>Subject:      Sell your product here
>From:         christine@buymall.com (Chris McCreary)
>Date:         1997/01/13
>Message-ID:   <32da8a90.2634129@news.myriad.net>
>Newsgroups:   alt.alien.vampire.flonk.flonk.flonk 
>[More Headers]
>[Subscribe to alt.alien.vampire.flonk.flonk.flonk]
>Dear Usenet Subscriber,
>
>Thank you for taking time to view  this message.  We are about to
>offer you a way to make some money selling anything from your old
>junk, to airplanes.  This is the chance you have been waiting for.
>You will have the opportunity to  advertise your product for free.
>There are no strings attached, and you can leave your classified ad up
>for as long as you may need to.  Please feel free to observe our site
>at www.buymall.com.
>
>Again, thank you for taking the time to read this message.
> 
>Christine McCreary
>Webmaster
>www.buymall.com
>Christine@buymall.com
  
Myriad is another TAMU-local ISP.  1997?  My guess is younger sister
(though it could be his wife, if she married him without the ring.)
Also, buymall is another lci-internet website.  The family that  spams
together...

I'd say that about wraps it up for Jim.

Now on to my favorite part -- the Tucson/LMW connection.

Remember "LMW Consultants"? 

>Registrant:
>L M W  Consultants, Inc. (T-I-P-S-DOM)
>   838 East Greens Road, Suite 110
>   Houston, TX 77060
>   USA
>
>   Domain Name: T-I-P-S.COM
>
>   Administrative Contact:
>      McCreary, James  (JM3753)  jrm@TAMU.EDU
>      (713) 445-0301
>   Technical Contact, Zone Contact:
>      Hostmaster, Rapidsite Inc  (BN63)  hostmaster@RAPIDSITE.NET
>      (561)994-6684 (FAX) (561)994-6617
>
>   Record last updated on 19-Nov-96.
>   Record created on 29-Jun-96.
>   Database last updated on 18-Jul-98 04:13:39 EDT.
>
>   Domain servers in listed order:
>
>   NS.NAMESERVERS.NET		207.158.192.40
>   NS2.NAMESERVERS.NET		209.41.31.13

The infomercialexperts site has a link to LMW's website:

>http://rampages.onramp.net/~lmwauct/

It lists a Houston address, but also mentions:

>
>THE TUCSON AMIGOS!
>LMW Consultants, INC is the proud owner of the 
>Tucson Amigos Professional Soccer team

Tucson?  Texas?  I love it when a work-up comes together!

>
>We serve the World at Home Real Estate  Auctions 
>Liquidations  Fund Raising  Internet Marketing
>and Business Promotions 

Read: "Megaspamming".

It turns out "LMW" is one Lawrence (Larry) M. Wojtowicz.

Wojtowicz?  Where have I seen that...    YOW!

>>   7     621    44298677    621.000 lmw21@netcom.com (Christine Wojtowicz)

At last!   The Annoying Netcom Binary Spammer, unmasked!  No _wonder_
I couldn't find him before  -- he used his real last name and real
email address!!  Who'da figured?

 Fiendishly clever, these spammers.

Anyhoo, 

http://rampages.onramp.net/~lmwauct/

has his resume, and a (brrrr) picture.

He lists both the TX and AZ addresses at:

http://www.adult2000.net/lmw/

along with another (shudder) photograph.

(Okay guys, fire up those PhotoShops!)

There is a mailto: link to lmw@mci2000.com, which I will be _certain_
to mention in my reports to MCI.   Less work for the guys who have to
whack the account.

Larry signed a guestbook at:

http://www.azstarnet.com/~eclipse/guestbk.html

with the following:

>Name : Lawrence (Larry) M. Wojtowicz
>Email : lmwauct@onramp.net 
>I Live In : Houston, TX
>Get to the Tucson Amigos Games. We're in first place and need your support!

Address noted for the report to onramp, to ease their burden.

Alas, the other ISPs that Larry and Jim have been (ab)using will have
to check their logs to identify the offending accounts.

Saving the best for last, the icing on the cake may be found at:

http://www.cyber-tec.com/pdate/azadsm.html

Quoted without comment...

>My name is Lawrence (Larry) M. Wojtowicz and don't 
>let the last name scare you. I'm a young 56, 6.0 ft. tall and 
>weigh 193 lbs. Enjoy good low fat food, good liquor in 
>moderation, good tobacco, long walks, good music and 
>good movies. As an educated business and real estate 
>consultant (My own Business), comminications and 
>reasonableness are keys. Have Gary Smalley's 
>18 video series. After 9.5 years of traveling, I'm home in 
>Tucson, AZ. and would like to meet a woman, age not 
>important, who enjoys similar interests and wants a 
>relationship that she is able to communicate fully. 
>Any interested  woman may e-mail me at . 
>E-mail me by<a href="mailto:lmw@lci-internet.com"> Clicking Here</a>Tucson, AZ<br>
>7/12/97<br clear=left>

###########################################

Bonus Section -- Correspondences With Larry!!

It seems that when I posted my report in February, Larry took issue
with it.   I started getting the most amusing emails!   At first I
wasn't sure if it was the "ANBS" (I didn't know his name then) or one
of Tom Bridges' stooges.   I ruled out the latter, and I'm so _happy_
that I now know the identity of my old pen-pal.

Note:  It is my policy to publically post any flames I get via email,
if they're amusing enough.   I think these qualify.   I'm going to
quote his emails along with the replies I sent back.   (It's my
work-over.  I get to have the last word.)

Enter "Danappyguy" Round One--

-=-

On Wed, 28 Jan 1998 02:32:03 EST, Danappyguy@aol.com wrote:

>Rick:
>
>I would like to inform you that I am going to keep posting to usenet servers
>that I pay a monthly fee to use. If you continue to fuck with me, you will be
>in some deep shit. Not only do I know the vice-pres of MCI personally, I can
>have your entire internet connection closed for good (a change for the
>better). I personally think you have no life, are a looser with nothing better
>to do with his time, need to get laid, and most of all, need to mind your own
>business. One of these days you're going to fuck with the wrong person, and
>you won't be waking up in the morning.

Spammer:

Gee, I've never ever gotten a nasty threatening email before!  What
shall I do?   I'm soooo scared!   I'm gonna go delete my cancelbot and
hide under my bed, and never complain about anybody ever again!

Nah.  On second thought, I think I'll just keep fucking with you.

BTW, who the hell are you?  

-- Rick   

###############
### Round Two ###


On Wed, 28 Jan 1998 17:01:35 EST, Danappyguy@aol.com wrote:

>What I'd really like to know is why the hell you are so obsessed with
>spammers? 

Everybody needs a hobby.  Mine used to be Usenet.  Now it's trying to
save Usenet from parasites like you.

>Do you even have a fucking life? 

Yes.   Quite a nice one, actually.

>Do you sit in your house all day
>and do nothing buy screw around with people online? 

Nope.  I just start up the ol' cancelbot and let IT screw around with
people all day.  

Do YOU sit in your house all day and do nothing but post useless crap
as "Mistress Stacy"?   Have you considered finding an honest job?

>Why, if a person is paying
>a fee for the use of a news server, do you make it your point to delete their
>spams...they are PAYING for the use of that server. 

The person should read the "Terms and Conditions" of the contract he
signed with the owner of that news server.  Spamming is usually
grounds for immediate termination.   Try spamming with this AOL
account and see how long it lasts.

You are NOT paying the thousands of server-owners who are sick of
paying to store and transmit spam like yours.

>I have your upstate NY
>address, and me and some friends may just pay you a visit and you can explain
>to us in person.

I recommend that you wear lots of kevlar and come in large numbers.
Trespassers are shot on sight.  Survivors are shot again.  Most don't
make it past the dogs, though.  I hear Texans are tough.  Wanna try?

-- Rick  (College Small-bore Rifle Varsity team,  NCAA 2nd place 1983)


############
##  Round Three -- 

On Thu, 29 Jan 1998 02:06:49 EST, Danappyguy@aol.com wrote:

>So let me get this straigh...large backbone providers hire you to kill
>messages from particular users that spam...

Nope.  I don't give a shit about large backbone providers, and nobody
pays me to cancel spam.   In fact, doing it _costs_ me money.

>doesn't seem fair, 

It doesn't seem fair to me that your 100 MB/day of repetitive crap
makes legitimate articles age off the spool faster than they need to.

>and really isn't your business. 

I've been on Usenet a while.   Fuckers like you are killing it to make
a few bucks.   That MAKES it my business.

>Why don't you just go after huge spammers. 

I do.   And if you are who I think you are, then you ARE a huge
spammer.

>I think you are a real mental case, 

Perhaps.  But I'm a mental case with a cancelbot. 

-- Rick


##############
## Round Four --


On Sat, 14 Feb 1998 08:31:31 EST, Danappyguy@aol.com wrote:

>Gee you idiot, now you've done it...harassed one of my friends by leaving a
>message on their answering machine. That's ok...that threat gave us the right
>to get a court order to get your personal info from Cybernex and Bell
>Atlantic.  And to think you left a message like that on a Bell voice mail
>system; you should know they keep records of it.  Within 7 days we'll have all
>your personal info and we are going to drag you through the legal process
>until you lear to mind your own business! YOU LOOSER!!!

I left no messages, and you need to learn how to spell.   Do you think
I'm the only person who hates spammers?

Besides, by "harassment" and "threats", do you mean things like: 

>
>Rick:
>
>I would like to inform you that I am going to keep posting to usenet servers
>that I pay a monthly fee to use. If you continue to fuck with me, you will be
>in some deep shit. Not only do I know the vice-pres of MCI personally, I can
>have your entire internet connection closed for good (a change for the
>better). I personally think you have no life, are a looser with nothing better
>to do with his time, need to get laid, and most of all, need to mind your own
>business. One of these days you're going to fuck with the wrong person, and
>you won't be waking up in the morning.

"won't be waking up in the morning."?   Hmmmm. 

>What I'd really like to know is why the hell you are so obsessed with
>spammers? Do you even have a fucking life? Do you sit in your house all day
>and do nothing buy screw around with people online? Why, if a person is paying
>a fee for the use of a news server, do you make it your point to delete their
>spams...they are PAYING for the use of that server. I have your upstate NY
>address, and me and some friends may just pay you a visit and you can explain
>to us in person.

Pay me a visit?   Hmmmm.

>HA HA Buchanan you fuckface. I'm gonna spam and it's none of your fucking
>business! You fucking nigger dick licker! Just try to cancel my spams you
>fuckhead!

Nigger dick licker?  Your eloquence and verbal skill overwhelms me!

Even if I HAD threatened you (which I didn't) those would prove you
started it.   So go for it.

I repeat:


Spammer:

Gee, I've never ever gotten a nasty threatening email before!  What
shall I do?   I'm soooo scared!   I'm gonna go delete my cancelbot and
hide under my bed, and never complain about anybody ever again!

Nah.  On second thought, I think I'll just keep fucking with you.

BTW, who the hell are you?  

-- Rick

###############
##  A few last excerpts.   (He got boring quickly...)


> I know everyone in the industry, 

What industry?   The spam industry?

Ooooh  I'm _so_ impressed!   Do you guys meet at the unemployment
office?

>many who are my friends 

You have friends?   I mean besides your dog and your right hand?

>and who you harass.  

I don't harass.   I "deter" parasitic scum (like you) from their
assault on Usenet.

>You bother my friends, 

Thank you.  It's good to get confirmation that I'm accomplishing my
goal.

>you get bothered. Simple.  

Bothered?   ME?   In case you haven't noticed, you've offered me no
end of amusement.   Your spelling alone is worth the price of
admission.

If you were bothering me, I would have had your AOLuser account pulled
after your first threat.  No, I'm enjoying the spectacle of you
proving what a phony half-wit you are.

>Every move you make, I know about it. 

Gee, considering that everything I do is right out in the open, and
how I publicly POST the details, that must make you quite the
detective!   What do you do for an encore, Sherlock?   Identify the
person buried in Grant's Tomb?   Face it Pink-boy, you couldn't find
your ass with both hands even if your chair was on fire.

>No matter where I am in the world and no matter what
>time, your electronic moves I know about. 

Time to take your medicine Pinky,  you're raving.

>Hell, your home phone may even be bugged by now...or maybe not,
>depends what kind of mood I'm in.  

If you believe this, it means it depends on what illicit drugs you're
taking.

>You see, you are just some looser with a
>computer and a twisted mind, and me, I'm God in an industry that you are
>causing disruptions in. 

Lord of the Dung Beetles!   I beg your pardon, oh great Turd King!

>Well, I'm off to vacation in Sweden for a while; going to do some skiing.

Translation:   You're going to go sweep the part of the trailer park
surrounding your "mansion".

>Maybee I'll be nice and give you my phone number.  Sure, why not...of course
>it will be a number that is unlisted and won't appear in any phone co database
>or even appear in the FCC logs as being valid, then we can talk.  I'll think
>about it.

Can you afford to put the strain on both of those brain cells?

I've got to admit, you _are_ good for some laughs.  Every time I think
you can't get any more delusional, you prove me wrong.

You're an insignificant worm slithering behind an AOLuser account
because it's the only kind you can figure out.   You probably think a
"subnet mask" is something you wear on Halloween.  You think a
datagram is something Western Union delivers.

Go crawl back under your rock.

Oh, I forgot!  You know the vice-president of MCI!

HAHAHAH!!

Please write back.  This is good stuff!

#####################

After that he just kept repeating the same threats and vulgarity.  I'm
kinda curious what he's going to have to say about today's little
document.   Time will tell.   I know what _I'm_ gonna say....

"Buh-BYE!"

-- Rick
-----------
** So many spammers, so few hot-lead-enemas **