Previous Politech message:

"Calif. governor candidate, DNC chairman turn to political spam"
http://www.politechbot.com/p-03199.html

*********

Date: Thu, 28 Feb 2002 08:42:10 -0800
From: Laura Atkins <lauraat_private>
To: Neil Schwartzman <neilat_private>
Cc: declanat_private
Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam

On Thu, Feb 28, 2002 at 10:45:27AM -0500, Neil Schwartzman wrote:
> Hi Declan,
>
> My colleague Laura Atkins (who is the newly appointed President of an
> influential anti-spam group (shh! That's a scoop!), spoke with Mr.
> Jones' campaign workers and it has been confirmed that this was
> indeed not a "joe job" i.e. a forged spam to set him up. She's been
> copied in on this - perhaps she can confirm or deny, as appropriate.

Hi, Declan,

I did get the Bill Jones spam (3 times, actually). I called the Bill Jones campaign after receiving the first one and talked to the woman who answered the phone. I asked for the person in charge of their email campaign and she asked me if I'd gotten the recent email. I said yes. She explained that they had gotten a number of phone calls about it but that they didn't know who actually sent it. Furthermore, since the mail didn't come through their servers (it came through an open proxy in Korea) that it was obvious they were not responsible, and they would never do anything so unpopular right next to a campaign.

By this time, my business partner was also on the phone. We run a consulting / software business that helps people track email (word-to-the-wise.com). At this point believing the woman on the phone, we provided her with all the information we had about the spam, including the Korean open proxy and the website hosted on terra.es. We hang up the phone and send a copy of our analysis by email.

Meanwhile, I dropped a note to a Wired reporter who had recently interviewed Steve about the abuse of Korean relays. She was very interested and asked for all the details.
I then provided the gist of my conversation with the Bill Jones campaign worker. She responded that he had spammed before. At that point, we started digging a little deeper. And, yes, he appears to have spammed around December 11 and around January 21.

Given that we'd been outright lied to by the campaign worker, Steve called back. He then spoke to Darren Ng (Press Secretary) who admitted to him that they were responsible for the spam. Another individual, Bill Carton, has confirmed he talked with the same person and got the same admission.

The interesting bit is that Bill Jones' numbers start to tank in December and are still falling. Cause and effect are hard to judge, but it would be interesting to see if his numbers were falling before the first December spam, or after.

For the record, I actually received 3 of his spams to two separate addresses.

Laura

--
Laura Atkins
lauraat_private

*********

Date: Thu, 28 Feb 2002 10:45:27 -0500
To: declanat_private
From: Neil Schwartzman <neilat_private>
Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam
Cc: Laura Atkins <lauraat_private>

At 2:07 -0500 2/28/02, Declan McCullagh wrote:
>Kevin Poulsen sends email asking the real question: "Is this
>indiscriminate spamming actually the work of candidate Jones, or a wily
>opponent?" I invite Bill Jones to reply.

Hi Declan,

My colleague Laura Atkins (who is the newly appointed President of an influential anti-spam group (shh! That's a scoop!), spoke with Mr. Jones' campaign workers and it has been confirmed that this was indeed not a "joe job" i.e. a forged spam to set him up. She's been copied in on this - perhaps she can confirm or deny, as appropriate.
Failing that, or supporting it, there has been media coverage about Jones doing this before (December being the last time):

<http://www.msnbc.com/news/671170.asp>
<http://www.latimes.com/news/local/politics/cal/la-022002jones.story>

But what has not been reported are the ironies in this latest spew: Apart from the most obvious one for me, personally, that this bozo is spamming the chair of the Coalition Against Unsolicited Commercial Email - Canada [CAUCE.ca] (moi) is the fact that a) whoever sent this spam on his behalf used an open relay in Korea (essentially exploiting a security vulnerability, tantamount to hacking of a computer located in another country) and b) his website is HOSTED IN SPAIN - a tactic used increasingly by spammers who know that North American webhosts will not tolerate sites touted on their systems as the "payload" in spam - they usually kill them off pretty quickly. So much for being a proud American.

What is obvious and apparent to me is that whomever did this was a fairly sophisticated spammer, and that this is the last gasp effort of someone well into the decline of his political career. I hope the coverage you afford this will be the last nail in the coffin, quite frankly; we need personal and moral leadership from our politicians; not the type who would consort with the purveyors of Penis & Breast enlargement schemes.

--
Neil Schwartzman - Editor & Publisher
Pete Moss Publications, Industry & Trade Journals
<http://spamNEWS.com><http://virus-news.com>
<http://spamFLAMES.com><http://petemoss.com>

*********

Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam
Date: Thu, 28 Feb 2002 08:00:51 -0800
From: David Lawrence <david@online-today.com>
To: "Declan McCullagh" <declanat_private>

Declan,

We covered this on Online Tonight last night.
Lili and I got over a dozen ourselves, all from different variations on the KatieXXXXXXX/MSN address, and all with circuitous routes between the originating IP and me, taking the message through the Netherlands and Korea. We have a call in to Bill Jones' office to find out who he pissed off and would try to spamframe him, or who among his supporters is misguided and overzealous, as the natural conclusion is that the Secretary of one of the more spam-conscious state legislatures couldn't be stupid enough to actually do this. He is, after all, a Republican, and we are much smarter than that...we'd have Liddy do it.

I'll keep you posted.

David

*********

Date: Thu, 28 Feb 2002 03:21:05 -0800
From: Lewis McCarthy <pseudonymat_private>
To: declanat_private
Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam

Declan,

I'd be surprised if these messages turn out to be official Jones for Governor campaign materials. In addition to the discrepancies observed by others, consider this paragraph from one of the messages:

"So while other candidates for Governor are spending over $10,000,000 dollars on 30 second TV ads, I am trying something new. What's new is this I am only going to provide you with the facts on my record. Please go to my <http://195.235.97.200/personal8/inacct48/>web site and check it out for yourself."

According to Bill Jones' candidate statement in the Official Voter Information Guide mailed out by the state -- which incidentally bears his signature on the certificate of correctness on the front, as Secretary of State -- his campaign website is www.billjones.org. That site is much more extensive than http://195.235.97.200/personal8/inacct48/ , which consists of little more than the text of a half-dozen press releases.

Furthermore, while these messages attempt to position Jones on some sort of moral high ground w.r.t. the use of TV ads, his real campaign adopts quite a different tone.
In fact, there's a prominent link on the front page of billjones.org inviting visitors to "See the new campaign commercials!" at http://www.billjones.org/Home/HomeList.cfm?c=19 .

-Lewis "just another registered Libertarian voter in California"

*********

From: Charlie Oriez <coriezat_private>
Organization: Lumber Cartel [tinlc]
To: declanat_private, politechat_private
Subject: Analysis of alleged Bill Jones spam
Date: Thu, 28 Feb 2002 08:21:59 -0700

Spam sent from billjonesat_private is posted here:
http://groups.google.com/groups?q=+%22bill+jones%22+group:news.admin.net-abuse.*&hl=en&scoring=r&as_drrb=b&as_mind=1&as_minm=2&as_miny=2002&as_maxd=28&as_maxm=2&as_maxy=2002&selm=nans20020215200252%245890%40news.killfile.org&rnum=3

An NSlookup for the IPA and domain name shown in the spam shows an A record:

mail.wiredwebsites.com 86398 IN A 64.7.197.9

Wired Websites might want to confirm or deny that the Bill Jones campaign is a customer of theirs or that the address was a forgery. The message ID would tell them who sent the spam if they do not have an open relay.

A relay test run thru John Levine's abuse.net shows that IPA is possibly open to third party relay (confirm at <http://www.abuse.net/relay.html> by entering the IPA) but Osirusoft has it in a list of IPAs that have specifically tested clean and are not to be retested. Either they have since fixed their relay, or someone with that Bill Jones address is a customer.

His web site is NOT hosted by them, or by any other California ISP. His web site is hosted by a Maryland ISP, VirtualSprockets, LLC in a fine display of his support for California businesses.

Contact info for both Virtual Sprockets and Wired Websites, from a whois:

Registrant:
Bill Jones Campaign (BILLJONES2-DOM)
1801 I St.
Sacramento, CA 95814
US

Domain Name: BILLJONES.ORG

Administrative Contact, Billing Contact:
VirtualSprockets, LLC (G16821-OR) no.valid.emailat_private
VirtualSprockets, LLC
20010-G Fisher Avenue, Ste 205
Poolesville, MD 20837
US
3019727415 fax: 3014070394

Technical Contact:
Kittleman, Laura (LK614) lauraat_private
Virtual Sprockets, Inc.
P.O. Box 450
Barnesville, MD 20838
301 972-7415 (FAX) 301 972-7415

Administrative, Technical Contact:
Griffiths, Jason jasonat_private
Wired Websites
3340 E. Collins Ave #53
Orange, CA 92867
US
714.538.5016

Incidentally, a from address of someaddrat_private with a bogus excite.com address in the reply-to header is a common forgery in one of the spam tools. The sample you posted didn't have complete headers, so I can't tell for sure that this was the case in that specific instance. However, that particular forgery is so common in spam, and non existent in legitimate mail, that some filter tools automatically block on that combination. I'm not aware of any examples where mail with that combination actually goes thru an msn.com server. Your original correspondent can probably confirm that, since I see that he copied his mail to the msn address and almost certainly got a '550 user unknown' error message for his trouble. I'm not a fan of Microsoft (see sig), but they aren't to blame here.

Spamcop shows purported Bill Jones spam also coming thru 211.251.245.66 and 211.114.51.233
Both IPAs are identified by a number of the anti-spam lists as open relays registered to the Korean ISP kornet and they are now blocked. The first one is ultimately assigned to a Korean Middle School mail server and spamcop says that 92% of the traffic coming through it is from known spammers. Great demonstration of someone's respect for private property, in my view.
A usenet post of a reject log showing those IPAs on alleged Bill Jones spam:
http://groups.google.com/groups?hl=en&threadm=a5keou%246v2%40hearye.mlb.semi.harris.com&rnum=2&prev=/groups%3Fas_q%3D%26num%3D100%26as_scoring%3Dr%26btnG%3DGoogle%2BSearch%26as_epq%3Dbill%2Bjones%26as_oq%3D%26as_eq%3D%26as_ugroup%3Dnews.admin.net-abuse.*%26as_usubject%3D%26as_uauthors%3D%26as_umsgid%3D%26lr%3D%26as_qdr%3D%26as_drrb%3Db%26as_mind%3D1%26as_minm%3D2%26as_miny%3D2002%26as_maxd%3D28%26as_maxm%3D2%26as_maxy%3D2002

Osirusoft whois showing the Korean data:
http://relays.osirusoft.com/cgi-bin/addressblock.cgi?addr2=211.251.245.66
http://relays.osirusoft.com/cgi-bin/addressblock.cgi?addr2=211.114.51.233

--
Charles Oriez, coriezat_private
39 34' 34.4"N / 105 00' 06.3"W

*********

Date: Thu, 28 Feb 2002 08:14:45 -0500
From: Rich Kulawiec <rskat_private>
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam

On Thu, Feb 28, 2002 at 02:07:40AM -0500, Declan McCullagh wrote:
> Kevin Poulsen sends email asking the real question: "Is this indiscriminate
> spamming actually the work of candidate Jones, or a wily opponent?"

Several contributors to Spam-L have posted information that indicates that they've spoken to someone at billjones.org, and that they (billjones.org) are deliberately doing this.

From the mail headers I've seen analyzed so far, it looks like they've hijacked open relays in Korea and Spain to send this spam.

See the two notes enclosed below for some additional info.

I also note in passing that billjones.org fails to comply with RFC 2142 -- apparently they like sending spam, but don't wish to receive any.

---Rsk

========== Item 1: ==========

> From: Laura Atkins <lauratat_private>
> Date: Wed, 27 Feb 2002 18:15:06 -0500
> Sender: Spam Prevention Discussion List <SPAM-Lat_private>
> Subject: Re: SPAM, HELP: Bill Jones for California Governor 6785nXjP1-362LAhl15
> To: SPAM-Lat_private
>
> [...]
>
> http://www.latimes.com/news/politics/la-022002jones.story?coll=la-headlines-politics
>
> http://www.lugod.org/mailinglists/archives/vox/2002-01/msg00189.html
>
> http://stacks.msnbc.com/news/671170.asp?cp1=1
>
> And, Darrel Ng at the Bill Jones for Governor office just admitted
> sending it while we were on the phone with him.
>
> laura

========== Item 2: ==========

> From: Joe Wagner <joepublics-lat_private>
> Date: Wed, 27 Feb 2002 19:20:04 -0500
> Sender: Spam Prevention Discussion List <SPAM-Lat_private>
> Subject: Re: SPAM, HELP: Bill Jones for California Governor 6785nXjP1-362LAhl15
> To: SPAM-Lat_private
>
> When the story originally broke a while ago about Bill Jones campaign
> admitting sending spam, I proactively sent via a fax and via the contact
> form on their website a formal notice to not send any Unsolicited email to
> any of our users. Funnily enough the Billjones.org's website only offers a
> webform for email...I guess they don't want spammers finding _their_ email
> addresses and spamming them. How classy. Even their web contact form, when
> it sends a confirmation copy of your message back to you, they use _your_
> address as the sender. Check out the headers at the bottom. I sent a
> followup webform comment about that.
>
> Both messages of course were never answered. However, the Bill Jones folks
> promptly started spamming the abuseat_private email address that we
> provided on the webform. It's clear now that they're not clueless, they've
> chosen to act this way.
>
> I wonder if I should send them an invoice...
>
> Joe
>
> --
> Hello,
> I understand that Bill Jones has ill-advisedly begun to use
> Unsolicited Bulk Email (UBE or "spam") to advertise his political campaign
> and drive voters to his website. According to a story on MSNBC
> (http://www.msnbc.com/news/671170.asp "California candidate spams voters")
> this has been confirmed by a spokesperson of the campaign, Beth Pendexter.
> I will not reiterate the many, many reasons why this is wrong, both legally
> and morally. It is clear from Ms. Pendexter's quote in the MSNBC article
> that the Bill Jones campaign has considered the implications of its actions
> and has willfully chosen to pursue the practice.
>
> The missive is a FORMAL NOTICE to the Bill Jones campaign that it is
> not permitted to send _ANY_ unsolicited email messages to any of the
> accounts serviced by Hypertouch's mail servers. We host a number of domains
> on our servers and you are not permitted to send messages through our
> servers to ANY account of ANY domain name. Hypertouch Inc. servers are
> located in the state of California which has a number of laws prohibiting
> spam... The sending of any unsolicited email advertising messages,
> unsolicited bulk email advertising messages and all other forms of email
> abuse to Hypertouch.com, reasonabledoubt.com or other domains owned, hosted
> or managed by Hypertouch Inc. is expressly forbidden. Our mail servers are
> mail.hypertouch.com, mail2.hypertouch.com, mail3.hypertouch.com and
> mail4.hypertouch.com. It is your responsibility to clean your email lists.
> It is a simple matter to look up the IP addresses of our servers and make
> sure that the domains you are sending to do not use any of our servers.
> Furthermore, if any of a domain's DNS servers are one of Hypertouch's
> servers, e.g. dns1.hypertouch.com, then it is also pretty obvious we own,
> host or manage that domain.
>
> Finally, having received this formal notice on December 13, 2001, if
> the Bill Jones campaign, or any contractor, supporter, or otherwise directed
> third party does send any email messages to Hypertouch's servers, that shall
> constitute agreement by the Bill Jones campaign to pay Hypertouch Inc a fee
> $1000 per email address used per message. This is in addition to any civil
> or criminal penalties imposed by law.
> To repeat:
>
> THE SENDING OF ANY UNSOLICITED EMAIL TO OR THROUGH ANY HYPERTOUCH SERVER
> CONSTITUTES AGREEMENT TO PAY HYPERTOUCH INC. $1000 PER EMAIL ADDRESS USED
> PER MESSAGE.
>
> The sole exception to this fee agreement is for email sent to
> abuse1at_private, to which you may send freely without penalty for the
> purposes of constructive discussion.
>
> The Bill Jones campaign has chosen an incredibly irresponsible
> manner in which to conduct itself. It of course removes any chance of
> support Bill Jones might have engendered had he not forced others to bear
> the cost of advertising for his campaign. I urge you to reconsider.
>
> Thank you,
>
> James Joseph Wagner
> President, Hypertouch Inc
> 235 Belmont Ave
> Redwood City, CA 94061
> 650-367-6664 (voice/FAX)
>
> --
> A copy of this OPT-OUT/Fee notice was submitted to the Bill Jones Campaign
> via the www.billjones.org website.
> --
> Here's the lame confirmation copy you get from their website's contact form,
> note they do not provide a return address, they just use yours. Nice...
> --
> Received: from [207.188.212.40] (HELO elroy) by mail.hasit.com (Stalker SMTP
> Server 1.8b8) with ESMTP id S.0000006950 for <abuse1at_private>; Thu,
> 13 Dec 2001 01:53:24 -0800
> Received: from 207.188.212.40 ([207.188.212.40]) by elroy with Microsoft
> SMTPSVC(5.0.2195.2966);
> Thu, 13 Dec 2001 04:54:23 -0500
> Content-type: text/plain
> Date: Thu, 13 Dec 2001 04:53:51 -0500
> From: abuse1at_private
> Subject: Your message to Bill Jones for Governor
> To: abuse1at_private
> X-mailer: mailerat_private
> Return-Path: abuse1at_private
> Message-ID: <ELROYKRfcjcMzfoV1qd00001152@elroy>
> X-OriginalArrivalTime: 13 Dec 2001 09:54:23.0562 (UTC)
> FILETIME=[24AEF2A0:01C183BC]
>
>
> Hello,
> I understand that Bill Jones has ill-advisedly begun to use
> Unsolicited Bulk Email (UBE or "spam") to advertise his political campaign
> and drive voters to his website.
> [...snip the copy of the rest of my message...]
>

*********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 09:54:08 PST
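
The header checks described in Charlie Oriez's analysis above (listed relay addresses in the delivery path, a From/Reply-To domain mismatch, and no hop through the claimed sender's own mail servers), as an added Python example that is not part of any message in this digest. The sample message is constructed; only the two relay addresses are taken from the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The two relay addresses the thread reports as listed Kornet open relays.
LISTED_RELAYS = {"211.251.245.66", "211.114.51.233"}

# Constructed sample: every host, address and id is invented, except the
# relay IP in the second Received line, which is quoted in the thread.
SAMPLE = """\
Received: from mx.recipient.example ([192.0.2.10]) by mail.recipient.example
\twith ESMTP id CONSTRUCTED1; Wed, 27 Feb 2002 14:02:11 -0800
Received: from school-mail.example ([211.251.245.66]) by mx.recipient.example
\twith SMTP id CONSTRUCTED2; Wed, 27 Feb 2002 14:02:09 -0800
Received: from unknown ([198.51.100.77]) by school-mail.example
\twith SMTP; Thu, 28 Feb 2002 07:01:58 +0900
From: "Katie" <katie0000000@msn.com>
Reply-To: nobody0000@excite.com
To: someone@recipient.example
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return (hops, findings); hops run from the newest Received line down."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in msg.get_all("Received", []):
        flat = " ".join(rcvd.split())          # undo header folding
        m = IP_RE.search(flat)                 # bracketed peer address
        hops.append({"ip": m.group(1) if m else None, "raw": flat})
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    findings = []
    # Only Received lines added by servers you trust are reliable; anything
    # below the first untrusted hop can be forged by the sender.
    for i, hop in enumerate(hops):
        if hop["ip"] in LISTED_RELAYS:
            findings.append(f"hop {i}: accepted from listed open relay {hop['ip']}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from Reply-To {reply_dom}")
    if from_dom and not any(from_dom in h["raw"].lower() for h in hops):
        findings.append(f"no Received hop names a {from_dom} host")
    return hops, findings


if __name__ == "__main__":
    for line in analyze(SAMPLE)[1]:
        print(line)
```

Each finding is a signal for triage rather than a verdict: mailing lists legitimately set a Reply-To in a different domain, so the checks carry weight mainly in combination.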