Re: Administrative Overheads Arising from UCE
- Date: Tue, 16 Feb 1999 09:51:20 +0100 (MET)
A week ago someone used "From cs_marketnews1now@localhost".
"Received:" showed "mut-53-0969.direct.ca [216.66.136.69]" but neither
bounces nor upset people read that... Needless to say, math's mail
server hung a few times just from the load of returned bounces (some
100 mail/s for several hours), not to mention the human pressure on
them and on Postmaster@localhost (I know him...).
Now, I'm telling this because some of you may have seen it and it's
important to say it's not from here, because it's another real-life
example, but also because I'm seeking advice on legal actions.
If I write a note on a piece of paper, sign it "Bill Gates, Microsoft"
and put it on a billboard, that clearly must be illegal some way(?).
This guy did very much the same and the question is how to trace him and
nail him. There are 4 countries involved:
o ".ca" where the dialup is,
o ".XX" where the Mail Relay was,
o ".YY" where the angry recipients live
o ".se" where chalmers.se is.
Anyone tried this? All advice is welcome.
Gunnar Lindberg, Postmaster@localhost
PS
In the aftermath, I've gone through who was Mail Relay for this
bastard. Several are in Europe and most of them are in the "naive"
category. There are, however and to my great disappointment, some
fairly large and well known European ISPs - probably even active
RIPE members - that accepted to be Mail Relay for *.direct.ca.
No response from them yet.
Folks, as long as this is so, we might as well shut up.
DS
>From owner-anti-spam-wg@localhost Mon Feb 15 19:40:33 1999
>Date: Mon, 15 Feb 1999 19:39:53 +0100
>From: Lars Marowsky-Brée lmb@localhost
>To: "G.W. Mills Beebit" tmills@localhost
>Subject: Re: Administrative Overheads Arising from UCE
>Message-ID: <19990215193953.H368@localhost>
>On 1999-02-15T18:05:28,
> "G.W. Mills Beebit" tmills@localhost said:
>> As we gather material to present to Parliamentary committees, etc. there
>> are a few issues which ought to be clarified. Among them, just what are
>> the overheads associated with what is sometimes known as a "massmail"
>> incident?
>>
>> Scenario 2 - Forged (but deliverable) from:, using any mailserver
>> Mailserver (over)loaded
>> Bounces returned to from:
>> Complaints to from: delivered
>> Complaints to admin?? admin of from: domain has little to say, admin of
>> originating IP can handle, admin of open relay likewise
>I can confirm this is a real problem. A customer of ours has been the designated
>"blackhole" for quite a few spams now. The spammer put an address from within
>their domain into the "Reply-to:" line. The UCE never touches our systems for
>relaying or anything.
>Every time a spam happens, their mailserver first gets a load of immediate
>bounces. Then they get hammered by the lemmings who reply to the spam
>directly. Then the complaints start and we get a ton of those too.
>The problem is we are almost completely helpless here. We forward the
>complaints to the ISP from which the spam really originated, but we are
>wasting tons of time on this.
>And, what's worse, people have threatened to put the customer's domains into the
>blacklists.
>Spamming is a serious DoS attack for everyone but the "clever" spammer.
>> ISPs who fail to "rein in" their most obnoxious customers are currently
>> subjected to peer pressure. Most times it is gentle persuasion, sometimes
>> via blocking (MAPS RBL, ORBS, individual blocks and filters). There could,
>> however, be legislative moves to impose "common carrier" obligations on
>> ISPs, which would be the other side of the coin by which ISPs are not
>> liable for material stored or transported on their networks, as long as
>> certain conditions are fulfilled.
>>
>> What say ye all?
>This "peer pressure" should make sure it is pressing down on the right guys,
>thats what I am saying.
>Sincerely,
> Lars Marowsky-Brée
>
>--
>Lars Marowsky-Brée
>Network Management
>teuto.net Netzdienste GmbH - DPN Verbund-Partner
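The postmaster work described in both messages (reading "Received:" to find where a message really entered the mail system, and noticing that the "From:" domain never appears anywhere in that path) can be automated for triage. The script below is an added example written for this archive page; it is not code from either poster or from any project named here. The message it parses is constructed for the example: the origin host name and IP are the ones quoted above, the relay and recipient hosts are made up, and the mail server names are assumptions.

```python
import email
import email.utils
import re

# Constructed sample (not a real capture). Headers are listed as the last
# receiving MTA sees them: the top "Received:" is the most recent hop, the
# bottom one is where the message first entered the mail system.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mail.math.chalmers.se (8.9.1/8.9.1) with ESMTP id ABC123
\tfor <someone@math.chalmers.se>; Mon, 15 Feb 1999 12:01:02 +0100
Received: from mut-53-0969.direct.ca (mut-53-0969.direct.ca [216.66.136.69])
\tby relay.example.net (8.8.8/8.8.8) with SMTP id XYZ789;
\tMon, 15 Feb 1999 11:59:40 +0100
From: cs_marketnews1now@chalmers.se
To: someone@math.chalmers.se
Subject: constructed sample

body
"""


def parse_received(header: str) -> dict:
    """Pull the claimed sending host, the IP the receiving MTA recorded in
    brackets, and the receiving MTA out of one unfolded Received: header."""
    text = " ".join(header.split())  # unfold continuation lines
    host = re.search(r"\bfrom\s+(\S+)", text, re.I)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    by = re.search(r"\bby\s+(\S+)", text, re.I)
    return {
        "from": host.group(1) if host else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def trace_hops(raw: str) -> list:
    """Hops in transmission order. Each MTA prepends its own Received: line,
    so the last header in the message is the first hop (the origin)."""
    msg = email.message_from_string(raw)
    headers = msg.get_all("Received") or []
    return [parse_received(str(h)) for h in reversed(headers)]


def origin(raw: str):
    """The hop where the message entered the mail system, or None."""
    hops = trace_hops(raw)
    return hops[0] if hops else None


def from_domain(raw: str) -> str:
    msg = email.message_from_string(raw)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def from_domain_mismatch(raw: str) -> bool:
    """True when no sending host in the path belongs to the From: domain.
    That is the signature of scenario 2 above: the From: owner will get the
    bounces and complaints although its systems never touched the mail."""
    domain = from_domain(raw)
    senders = [h["from"].lower() for h in trace_hops(raw) if h["from"]]
    return not any(s == domain or s.endswith("." + domain) for s in senders)


def triage(raw: str) -> dict:
    """Summary a postmaster would want before forwarding a complaint."""
    first = origin(raw) or {}
    return {
        "origin_host": first.get("from"),
        "origin_ip": first.get("ip"),
        "first_relay": first.get("by"),
        "from_domain": from_domain(raw),
        "forged_from_suspected": from_domain_mismatch(raw),
    }


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
    print(triage(SAMPLE))
```

The "Received:" trail is only as trustworthy as the MTAs that wrote it; a relay that did not record the connecting IP leaves a hop with `"ip": None`, and headers below the first hop written by your own servers could have been supplied by the sender. The bracketed IP on the innermost line written by a host you trust is the value worth putting in a complaint to the originating ISP, not the From: address.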