{ brad brace } on Sat, 2 Oct 1999 11:53:43 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> the Tom Saylor spam operation.



        Cut and paste the letter below, and send to:

        [email protected]

        [email protected]

        [email protected]

        [email protected]

        [email protected]

If enough of us complain, this SPAMMER will be TOSsed!

        It's a NUMBERS GAME! Only a large number of complaints from a

large number of users will get any action done.

        Keep fighting!

        Kryton Rev. D

---------------------------CUT HERE------------------------------------
        CC:     

        [email protected]

        [email protected]

        [email protected]
        
        [email protected]
        
        [email protected]

        Dear abuse departments:
	
	Another @home NNTP server hiijacked? 

        (news.rdc1.ct.home.com 938662944 209.125.171.20)

        The headers of this SPAM post indicate that this USENET SPAM 

post originated from @home.net.

        This USENET SPAM was posted by the same spammer who hiijacked

two @home proxys recently- see partial messages below to refresh your

memory:

--------- Forwarded Message ---------

DATE: Sun, 26 Sep 1999 08:26:28
From: David Ritz <[email protected]>
To: [email protected]
Cc:[email protected], [email protected], [email protected],
[email protected], [email protected], [email protected], [email protected]
-----BEGIN PGP SIGNED MESSAGE-----

    [24.112.94.99] (cr799697-a.rchrd1.on.wave.home.com) is running a
    wide open proxy to NEWS1.RDC1.ON.WAVE.HOME.COM.  This WAVE server
    is being hijacked by professional spammers.  Please take immediate
    steps to ensure that this proxy is closed.

    
    [24.6.164.234] (GRATZ1.DHS.ORG)  is wide open to POST.  While
    there's a Leafnode server located at this address, there's nothing
    on spool,  GRATZ1.DHS.ORG feeds upstream, via POST, to
    NEWS.RDC1.AZ.HOME.COM. Please take immediate step to secure this
    server.  If @HOME is unable to contact there user, it is time to
    router block this box at port 119.

 usr10# telnet gratz1.dhs.org nntp
 Trying 24.6.164.234...
 Connected to gratz1.dhs.org.
 Escape character is '^]'.
 200 Leafnode NNTP Daemon, version 1.9.4 running at gratz1.dhs.org
 post
 340 Go ahead.
 
 .
 441 Formatting error, article not posted
 quit
 205 Always happy to serve!
 Connection closed by foreign host.

 usr10# getdate
 28-Sep-1999 03:43:28 GMT

    This server is currently being hijacked by Usenet's Public Enemy
    #1, the Tom Saylor spam operation.

=======================================================================

SPAM POST HEADERS:    <-------------------------------------------------

Path: 
               
news1.frmt1.sfba.home.com!newshub1.home.com!news.home.com!news.rdc1.ct.home.com.POSTED!not-for-mail
           From: 
                Umu Yasvi02 <[email protected]>
          Subject: 
                Circle Suck Wanted
      Newsgroups: 
                alt.binaries.nude.celebrities.female,
alt.binaries.photography.glamour, alt.binaries.pictures.12hr,
                alt.binaries.pictures.bigbutts,
alt.binaries.pictures.bisexuals, alt.binaries.pictures.black.erotic,
                alt.binaries.pictures.black.erotic.females,
alt.binaries.pictures.bluebird
           Lines: 
                447
       Message-ID: 
                <[email protected]>
            Date: 
                Thu, 30 Sep 1999 03:42:24 GMT
 NNTP-Posting-Host: 
                209.125.171.20
   X-Complaints-To: 
                [email protected]
         X-Trace: 
                news.rdc1.ct.home.com 938662944 209.125.171.20 (Wed, 29
Sep 1999 20:42:24 PDT)
 NNTP-Posting-Date: 
                Wed, 29 Sep 1999 20:42:24 PDT
      Organization: 
                @Work Internet powered by @Home Network
            Xref: 
                newshub1.home.com
alt.binaries.nude.celebrities.female:30638940
alt.binaries.photography.glamour:30032285
                alt.binaries.pictures.12hr:30012693
alt.binaries.pictures.bigbutts:30305767
                alt.binaries.pictures.bisexuals:30550246
alt.binaries.pictures.black.erotic:30128389
                alt.binaries.pictures.black.erotic.females:30590814
alt.binaries.pictures.bluebird:30709741 

========================================================================

        This SPAMMER even went as far as attacking an open proxy in 

Holland! Tom Saylor also used SAIX.NET in South Africa, rmi.net,

videotron.net, verio.net, intnet.net, demon.net, multiweb.nl,

news-service.com, worldonline.nl, concentric.net, insync.net,

and @home.net to flood the USENET with his spam.

        This is a true whack-a-mole spammer!

 This spammer's websites are hosted by EXODUS.NET and

FLASHHOST.com

        This particular SPAMMER is bad enough to have several web pages 

devoted to his SPAMMING. Please see text version of web pages below,

so you can get a good idea of what you are dealing with!

        Although his name is Tom Saylor, he probably used one of his

aliases to open this account. 

        In the last month, this Spammer has had accounts terminated at

several ISP's.       

        This SPAMMER is using your company as a throwaway account, and

will simply start another account at another ISP when you terminate his

account with your company. But at least you can stop the flood of

complaints YOUR company will recieve!

         
        Please take action to stop this SPAMMER.

        Thanks.

SPAMMER'S WEBSITE HOST INFORMATION:    <-------------------------------

Official name: www.flashergirl.com

Addresses: 209.67.60.25



Whois for www.flashergirl.com

.com is the global domain of USA & International Commercial

(Whois queries for .com domains can be performed at
http://rs.internic.net/cgi-bin/whois)

whois -h whois.internic.net flashergirl.com

The Data in Network Solutions' WHOIS database is provided by Network
Solutions for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Network Solutions does not guarantee its accuracy.  By submitting a
WHOIS query, you agree that you will use this Data only for lawful
purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail
(spam); or  (2) enable high volume, automated, electronic processes
that apply to Network Solutions (or its systems).  Network Solutions
reserves the right to modify these terms at any time.  By submitting
this query, you agree to abide by this policy.

Registrant:
Eurobahia Partners, Ltd. (FLASHERGIRL2-DOM)
   P.O. Box 11434
   Merrillville, IN 46410
   US

   Domain Name: FLASHERGIRL.COM

   Administrative Contact:
      major, ursula  (UM76)  [email protected]
      219-992-9338
   Technical Contact, Zone Contact:
      Domain Registrars  (DR619-ORG)  [email protected]
      516-847-0201
Fax- 000-000-0000
   Billing Contact:
      major, ursula  (UM76)  [email protected]
      219-992-9338

   Record last updated on 29-Jul-99.
   Record created on 04-Feb-99.
   Database last updated on 19-Sep-99 07:43:34 EDT.

   Domain servers in listed order:

   NS.FLASHHOST.COM             209.2.135.2
   NS2.FLASHHOST.COM            209.2.135.3




IP block lookup for 209.67.60.25

whois -h whois.arin.net 209.67.60

Exodus Communications Inc. (NETBLK-ECI-5)
   1605 Wyatt Dr.
   Santa Clara, CA 95054
   US

   Netname: ECI-5
   Netblock: 209.67.0.0 - 209.67.255.255
   Maintainer: ECI

   Coordinator:
      Center, Network Control  (NOC44-ARIN)  [email protected]
      (408) 486-5000 (FAX) (408) 486-5001

   Domain System inverse mapping provided by:

   NS.EXODUS.NET                206.79.230.10
   NS2..EXODUS.NET               207.82.198.150

   * Rwhois reassignment information for this block is available at:
   * rwhois.exodus.net 4321
   
   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 27-Oct-98.
   Database last updated on 20-Sep-99 16:19:57 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.

(You can find more IP address ownership info at
http://ipindex.dragonstar.net/)



Traceroute 209.67.60.25

This end is where samspade.org lives

 1  206.117.161.1 (206.117.161.1)  167.714 ms  1.788 ms
 2  isi-acg.ln.net (130.152.136.1)  2.579 ms  3.136 ms
 3  s4-1-1.lsajca1-cr3.bbnplanet.net (4.24.40.13)  5.373 ms  3.862 ms
 4  p2-0.lsanca1-ba1.bbnplanet.net (4.24.4.17)  3.232 ms  3.661 ms
 5  p7-0.lsanca1-br1.bbnplanet.net (4.24.4.2)  3.400 ms  6.279 ms
 6  p2-0.lsanca1-br2.bbnplanet.net (4.24.4.14)  5.378 ms  4.830 ms
 7  p2-3.paloalto-nbr2.bbnplanet.net (4.24.5.198)  19.928 ms  20.352 ms
 8  p1-0.paloalto-nbr1.bbnplanet.net (4.0.5.65)  22.912 ms  26.166 ms
 9  p1-0-0.paloalto-cr9.bbnplanet.net (4.0.2.214)  26.467 ms  29.616 ms
10  ibr02-h8-1-0.sntc01.exodus.net (209.1.169.233)  36.361 ms  37.541 ms
11  dcr04-p0-0.sntc01.exodus.net (216.33.147.65)  23.113 ms  19.814 ms
12  bbr01-g6-0.sntc01.exodus.net (216.33.147.82)  16.755 ms  19.985 ms
13  bbr01-p2-0.sntc02.exodus.net (209.185.249.110)  19.158 ms  18.486 ms
14  bbr02-g4-0.sntc02.exodus.net (216.33.154.132)  17.213 ms  24.028 ms
15  bbr02-p5-0.hrnd01.exodus.net (216.32.173.14)  93.593 ms  101.111 ms
16  bbr01-g4-0.hrnd01.exodus.net (216.33.203.125)  94.397 ms  93.993 ms
17  bbr01-p5-0.jrcy01.exodus.net (209.185.249.213)  100.627 ms  101.283
ms
18  dcr03-g3-0.jrcy01.exodus.net (209.67.45.97)  99.201 ms  99.579 ms
19  rsm01-vlan990.jrcy02.exodus.net (216.32.222.106)  101.027 ms 
100.376 ms
20  209.67.60.25 (209.67.60.25)  138.428 ms  100.876 ms

This end is where the people you're tracerouting to live

HEADERS AND TEXT:



TEXT OF SAYLOR'S FORGERIES FAQ:

http://howardk.moonfall.com/saylorfaq.html 

                                 Tom Saylor's Forgeries FAQ

 Q: 
    Who is Tom Saylor? 
 A: 
    Tom Saylor (a.k.a. Ursula Major) and his associates are currently
one of the most notorious Usenet (the newsgroups) spamming
    operations. It is common for this organization to flood the adult
newsgroups with ads for Mr. Saylor's adult sites. Here is a list of some
of
    Mr. Saylor's Adult web sites:

         208.2.81.58 (click-through to Saylor's other sites)
         www.acdcgirl.com
         www.amateurgynecologist.com
         www.amateursexphoto.com
         www.asian-girl-erotica.com
         www.backdoorgirl.com
         www.bi-girl.com
         www.bjgirl.com
         www.black-girl.com
         www.classic-erotica.com
         WWW.flashergirl.com
         www.female-sex.com
         www.girlgirllove.com
         www.girliegirl.com
         www.girlielesbian.com
         www.hipgirl.com
         www.interracialerotica.com
         www.lesbiansexfun.com
         www.lingeriegirl.com
         www.lipstick-lesbian.com
         www.myeroticdiary.com
         www.naturalgirl.com
         www.plumpgirl.com
         www.pregnanterotica.com
         www.prettysexygirls.com
         www.sassygirl.com
         www.sex-group.com
         www.slitlickers.com
         www.splitbeaver.com
         www.strap-ongirl.com
         www.toy-sex.com
         www.twingirlsex.com
         www.world-premiere.com

    Mr. Saylor's ads typically contain forged email addresses and/or
forged domain names in the "From" line of his posts. 

 Q: 
    Why are these people picking on me? I never did anything to them! 
 A: 
    Mr. Saylor and his associates haphazardly pick domain names and
usernames for their ads with out regard to the fact that they are
    legitimate. Do not take it personally. Basically, they do not care
who they victimize. They have been doing this for quite a while now, and
    there is no reason to believe that they will change this behavior.
That is why it is important for you to act. 

 Q: 
    Is there any way to stop these people from violating my email
address and/or domain name? 
 A: 
    Yes. Mr. Saylor receives his bandwidth connectivity from NSI Web
(NSIWEB.COM/FLASHHOST.COM) in Farmingdale, NY. NSI Web in
    turn, gets their connectivity from Exodus Communications
(EXODUS.NET) in Santa Clara, CA. Exodus has a policy that forbids its
    customers from transmitting fraudulent information. Here is an
excerpt from their acceptible use policy (
    http://www.exodus.net/about_us/policies.html ): 

         "Customer will not, and will not permit...

         Intentionally omit, delete, forge or misrepresent transmission
information, including headers, return addressing information
         and IP addresses or take any other actions intended to cloak
Customer's or its users' identity or contact information."

    Make sure to send a letter of complaint to NSI Web, and Exodus.
Include a copy of the newsgroup posting (make sure to include all of the
    headers) in your complaint. Here are the email addresses to send
your complaint to: 

         [email protected]
         [email protected]
         [email protected]
         [email protected]
         [email protected]
         [email protected]
         [email protected]

    Also, you may want to send Mr. Saylor a personal note and tell him
that forging your email address or domain name must cease and
    desist. You can contact him at: 

         [email protected]
         [email protected]
         [email protected]
         [email protected]
         [email protected]
         [email protected]


 Q: 
    Why should I bother sending a complaint? 
 A: 
    Having your email address and/or domain name forged is a serious
matter. Not only should you send a complaint to protect yourself, you
    should send it to help put an end to this organization's abuse and
to protect others (many others) from becoming victims too. 

 Q: 
    Where can I get more information on this Tom Saylor character? 
 A: 
    Ed Falk has provided information about Tom Saylor at:
http://www.rahul.net/falk/quickref.html#saylor. 
    Also, subscribe to the news.admin.net-abuse.usenet newsgroup where
Tom Saylor is often a topic of discussion. 

Saylor, Tom
                Porn spammer. Owner of World Premiere porn site. Email
[email protected]. 3572 W. State Rd. 10; Lake Village,
                IN 46349 USA; 219-992-2413, fax 219-992-2644. Aliases
include Ursula Major, [email protected],
                [email protected], [email protected],
[email protected],
                [email protected], [email protected],
[email protected], [email protected].
                "[email protected]" address is also used by Pamela
Calica (wife?). Business: Central Control Systems, 617 N. 70 E
                Valparaiso, IN 46383.
http://www.centralcontrolsystems.com/saylordesign/


__


The_12hr-ISBN-JPEG_Project                     since 1994 <<<

>     episodic          ftp://ftp.wco.com/pub/users/bbrace <
>    eccentric          ftp://ftp.netcom.com/pub/bb/bbrace <
>   continuous         ftp://ftp.teleport.com/users/bbrace <
>  hypermodern        ftp://ftp.rdrop.com/pub/users/bbrace <
> imagery online   ftp://ftp.pacifier.com/pub/users/bbrace <

Usenet News://alt.binaries.pictures.12hr/ a.b.p.fine-art.misc
Mailing-list: [email protected] / subscribe 12hr-isbn-jpeg
Reverse Solidus: http://www.teleport.com/~bbrace/bbrace.html

{ brad brace }  <<<< [email protected] >>>>  ~finger for pgp



#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: [email protected] and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: [email protected]