From: bmattocks@comp-sol.com (Bill Mattocks)
Newsgroups: news.admin.net-abuse.email
Subject: Princess Di T-Shirt spammer found!
Date: Tue, 30 Sep 1997 22:08:08 GMT

Some of you may recall that I posted a message some weeks back about a
"Princess Di" T-shirt spammer who was using a PO Box in Schaumburg, IL,
in order to do his spamming, while pretending to be in England.

At that time, I sent e-mail to the ISP, and asked that the guy's web
page be given the boot. I got back a nice letter from the ISP, and he
indicated that he hates spam, too, and that he had indeed given the
spammer the boot. The web page went down. Here's the nice letter he
sent me:

> I appreciate your note. We have cracked down on this individual as
> you sent this e-mail out. Otginc.com is a customer of ours and they
> are strictly an order processing center. We are the secure server for
> that order processing. The spammer has been using our e-mail address
> as a return address and is not actually sending the mail from our
> server. You are right, he seems to not really know what he is doing
> and was warned before we took on the account about spamming.
> Obviously did not heed the warnings.
> I apologize for the inconvenience this may have caused and I promise
> you we have taken care of the situation already.
> Believe me, we do not like spammers any more than you.
> Steve Fejes
> AlphaSoft, Inc.
> http://www.alpha-soft.com

Well, that turned out to be nothing but lies, as I will prove...

I also called the Post Office in Schaumburg to find out who owned the
PO Box. The postmaster there told me that the person who had taken out
the box had checked off the little box on his application form
indicating that he was NOT doing business with the public. That's a
no-no. The postmaster said that if I mailed him a copy of the spam in
question, and it turned out that this guy IS doing business with the
public, he'd release the information to me about who owns the PO Box.

Now...it turns out that apparently, a lot of lies were told to me. The
ISP who swore he nuked the page has it going again, but now it has a
different URL, a *.UK one. Doesn't matter, still goes to the same
place, still the same spam, the same spammer.

I got the spammer's name, address, and telephone number from the post
office. I also called the phone number for one of the ISPs involved,
and found that the number was incorrect - BUT, it IS the correct number
where the spammer USED to be employed, and they confirmed for me that
he is indeed our little spammer friend.

So, that's all background. On with the show, this one was challenging:

Here's the spam (a newer one reported by someone else, not my original
- doesn't matter, they're the same):

*****************************************************************************
>Return-Path:
>Received: from relay-6.mail.demon.net ([194.217.242.6])
>          by canis-major.demon.co.uk with SMTP
>          id
>          for ; Tue, 30 Sep 1997 18:42:41 +0100
>Received: from punt-2.mail.demon.net by mailstore
>          for canis-major.demon.co.uk id 875641316:05:13499:9;
>          Tue, 30 Sep 97 18:41:56 BST
>Received: from [205.254.167.31] ([205.254.167.31]) by punt-2.mail.demon.net
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ AGIS NETBLOCK!!!

I believe this belongs to:

Softfacts, Inc. (NETBLK-SOFTFACTS-BLK-205-254)
   PO Box 93026
   Las Vegas, NV 89193-3026
   USA

   Netname: SOFTFACTS-BLK-205-254
   Netblock: 205.254.164.0 - 205.254.167.0
   Maintainer: SFTF

   Coordinator:
      Martin, Scott (SM681) inic@LLV.COM
      702-631-4147 (FAX) 702-631-4147

>          id aa0621195; 30 Sep 97 18:41 BST
>Received: by qlink2info.qlink2info.com (8.8.4/8.8.5) with SMTP id MAA00237;
              ^^^^^^^^^^^^^^^^^^^^^^^^^ LLV.COM!!!

whois:

Quick Link 2 Info (QLINK2INFO-DOM)
   5960 Vista Ridge Point
   Dallas, Tx 75240

   Domain Name: QLINK2INFO.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Peacock, Sam (SP3046) ts@QLINK2INFO.COM
      800-324-0394
   Billing Contact:
      Peacock, Sam (SP3046) ts@QLINK2INFO.COM
      800-324-0394

   Record last updated on 14-Aug-97.
   Record created on 17-Apr-97.
   Database last updated on 30-Sep-97 05:07:43 EDT.

   Domain servers in listed order:

   SAHARA.LLV.COM               205.254.164.2
   MOJAVE.LLV.COM               205.254.164.3

>          Tue, 30 Sep 1997 12:59:59 -0400 (EDT)
>From: diana@anywhere.com
>X-Advertisement: Visit http://www.iemmc.org for name removal information.
                        ^^^^^^^^^^^^^^^^^^^^ BWAHAHAHAHA!!!
>Received: from mailhost.anywhere.com (alt1.anywhere.com(208.9.77.65)) by
>anywhere.com (8.8.5/8.6.5) with SMTP id GAA07887 for ; Sun,
>27 Jul 1997 19:44:06 -0600 (EST)
>Date: Sun, 27 Jul 97 19:44:06 EST
>To: diana@anywhere.com
>Subject: Diana, Princess of Wales, Let's Give Something Back!!
>Message-ID: <199702170025.GAA08056@anywhere.com>
>Reply-To: diana@anywhere.com
>X-PMFLAGS: 34078858 0
>X-UIDL: 2610431056a78aeb1b128fda426c9a5e
>Comments: Authenticated sender is
>Diana, Princess of Wales was a remarkable person whose love will
>live on in our hearts forever. Diana did so much to raise our
>awareness of those in need and campaigned tirelessly on their behalf
>to get them the help they deserved, often in the form of
>charitable donations.
>Following her death, many of us would like to give a little to the
>causes she supported as a mark of respect and admiration, and have
>something to remind us of her to keep forever.
>We have produced two special limited edition T-shirts, in tribute to
>this truly unique person who will always live on as Queen of our
>Hearts.
>All the proceeds from the sale of these shirts will be donated in your
>name and presented to the Diana, Princess of Wales Memorial Fund,
>the charity set up to take donations from all those around the world
>who would like to help the people she would still be helping, were
>she alive.
>Let's give something back http://www.amber-marketing.co.uk

THIS IS NOT IN THE UK !!! IT IS HERE:

traceroute to www.amber-marketing.co.uk (209.12.181.84)
 1  156.46.104.254 (156.46.104.254)
 2  alpha-nomad.alpha.net (206.190.31.149)
 3  mke-1.alpha.net (156.46.1.1)
 4  chicago2-cr2.bbnplanet.net (204.167.132.9)
 5  chicago1-br1.bbnplanet.net (199.92.131.11)
 6  washdc1-br1.bbnplanet.net (4.0.1.6)
 7  vienna1-br1.bbnplanet.net (4.0.1.90)
 8  maeeast.bbnplanet.net (4.0.1.94)
 9  maeeast.acsi.net (192.41.177.108)
10  columb-sc-1-a12-0.acsi.net (206.222.97.1)
11  greenv-sc-1-a12-0.acsi.net (206.222.97.5)
12  atlant-ga-1-a12-0.acsi.net (206.222.97.3)
13  tampa-fl-a12.acsi.net (206.222.99.5)
14  alphasoft.com.tampa-fl-1.acsi.net (206.222.99.30)
15  209.12.181.84 (209.12.181.84)

The upstream provider is ACSI.NET - the web page is hosted on a
computer belonging to ALPHA-SOFT.COM (the ones who said they hated spam
and terminated the spammer)

whois 209.12.181.0
Alpha Soft (NETBLK-ALPHASOFT1) ALPHASOFT1    209.12.181.0 - 209.12.181.255

You recall the nice letter I got from the contact at alpha-soft.com,
about how he hates spam? Hmmm? He's a liar.

>PLEASE FORWARD THIS MESSAGE TO THE PEOPLE WHO YOU FEEL WOULD
>APPRECIATE IT.
>Thank You for your time
>David Mann
>Managing Director
>Amber Marketing
>London, England
*****************************************************************************

So, who is the spammer? Who is this mysterious "David Mann" and is he
really in the UK?

There is no David Mann. On information and belief, I suspect that the
entire operation is the work of this person:

------------------------------------------------------------
Melvin Sleight, Webmaster - Octagon Technology Group, Inc.
"Worldwide Internet Commerce Services"
email:sleight@otginc.com    web: http://www.otginc.com
phone:708.413.9890          mail:917C N.Plum Grove Road
fax:  708.413.9891               Schaumburg, IL 60173-4755
------------------------------------------------------------

Octagon Technology Group, Inc.
1340 Remington Road, Suite E
Schaumburg, Illinois 60173
United States of America
Telephone: 800-OTGINC-1 (684-4621)
           847-843-7400
Fax:       847-843-7676

http://homepage.interaccess.com/~sleight/
sleight@otginc.com

Melvin Sleight
646 Amber Ln #201
Carol Stream,IL 60188-2559
(630)462-9154

How do I know this? Three reasons - the US Post Office drop box that he
lists on his web page to send money to:

AMBER MARKETING ORDER PROCESSING CENTER
P.O. Box 59614
Schaumburg, IL 60159-0614
USA

Taken from URL: http://amber-marketing.co.uk/97049/order.htm

and the spammer's name and address given to me by the US Postal
Service.

Two, he used his former employer's telephone number on his domain
registration for his website, OTGINC.COM:

Octagon Technology Group, Inc. (OTGINC-DOM)
   917C N. Plum Grove Road
   Schaumburg, IL 60173-4755

   Domain Name: OTGINC.COM

   Administrative Contact:
      Sleight, Melvin (MS871) sleight@INTERACCESS.COM
      (708) 462-8800

The phone number (now area code 630, but the same number) belongs to:

Prince Castle (PRINCECASTLE-DOM)
   355 East kehoe Blvd
   Carol Stream, IL 60188

   Domain Name: PRINCECASTLE.COM

And those people were very nice and told me that Mr. Sleight used to
work for them, and in fact he is a spammer by reputation.

Three, he is hosting the "secure payment" part of the spam web page on
his own server, OTGINC.COM.

There it is, that's all I have. Now, to send out those complaint
letters and see if we can get this SICK BASTARD shut down...

Best Regards,

Bill Mattocks

***************************************************************
*                                                             *
* "My sense of personal integrity is none of your concern."   *
*                      -thus spake Walt "Pickle Jar" Rines    *
*                                                             *
* "I'm going to pound your balls flat with a wooden mallet."  *
*                      -thus respondeth Bill Mattocks         *
*                                                             *
***************************************************************
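
Added example, not part of the original post: a sketch of the header walk the post performs by hand, reading the Received lines from the top and stopping at the last stamp written by the recipient's own provider. The TRUSTED list and the function names are assumptions made for this example; the header values are the ones quoted in the post.

```python
import re

# Received values from the spam quoted in the post, top (newest) first,
# unfolded to one line each; fields the page has lost are left out.
RECEIVED = [
    "from relay-6.mail.demon.net ([194.217.242.6]) by canis-major.demon.co.uk with SMTP; Tue, 30 Sep 1997 18:42:41 +0100",
    "from punt-2.mail.demon.net by mailstore for canis-major.demon.co.uk id 875641316:05:13499:9; Tue, 30 Sep 97 18:41:56 BST",
    "from [205.254.167.31] ([205.254.167.31]) by punt-2.mail.demon.net id aa0621195; 30 Sep 97 18:41 BST",
    "by qlink2info.qlink2info.com (8.8.4/8.8.5) with SMTP id MAA00237; Tue, 30 Sep 1997 12:59:59 -0400 (EDT)",
    "from mailhost.anywhere.com (alt1.anywhere.com(208.9.77.65)) by anywhere.com (8.8.5/8.6.5) with SMTP id GAA07887; Sun, 27 Jul 1997 19:44:06 -0600 (EST)",
]

# Assumption: hosts run by the recipient's provider, whose stamps are reliable.
TRUSTED = ("demon.net", "demon.co.uk", "mailstore")

HOP = re.compile(r"(?:from\s+(?P<frm>.*?)\s+)?by\s+(?P<by>[^\s;]+)", re.I)
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

def parse_hop(value):
    """Return (claimed_name, peer_ip, recording_host) for one Received value."""
    m = HOP.match(value.strip())
    if not m:
        return None, None, None
    frm = m.group("frm") or ""
    ip = IPV4.search(frm)
    return (frm.split()[0] if frm else None,
            ip.group(0) if ip else None,
            m.group("by").lower())

def is_trusted(host):
    return host is not None and any(
        host == t or host.endswith("." + t) for t in TRUSTED)

def injection_point(received):
    """Walk top-down and stop at the first stamp not written by a trusted host.

    Returns (last_trusted_hop, values_below_it); the latter are sender-supplied."""
    last = None
    for i, value in enumerate(received):
        hop = parse_hop(value)
        if not is_trusted(hop[2]):
            return last, received[i:]
        last = hop
    return last, []

if __name__ == "__main__":
    hop, forgeable = injection_point(RECEIVED)
    print("entered trusted relays from", hop[1], "as recorded by", hop[2])
    print(len(forgeable), "older Received lines are sender-supplied claims")
```

The peer address recorded by punt-2.mail.demon.net is the one the post looks up in whois; the two Received lines below it were written before the message reached a trusted relay, so the host names in them are claims rather than evidence.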