FC: Confirmed: Calif. gov wannabe Bill Jones is a recidivist spammer

From: Declan McCullagh (declanat_private)
Date: Thu Feb 28 2002 - 09:22:38 PST


    Previous Politech message:
    
    "Calif. governor candidate, DNC chairman turn to political spam"
    http://www.politechbot.com/p-03199.html
    
    *********
    
    Date: Thu, 28 Feb 2002 08:42:10 -0800
    From: Laura Atkins <lauraat_private>
    To: Neil Schwartzman <neilat_private>
    Cc: declanat_private
    Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam
    
    On Thu, Feb 28, 2002 at 10:45:27AM -0500, Neil Schwartzman wrote:
    
     > Hi Declan,
     >
     > My colleague Laura Atkins (who is the newly appointed President of an
     > influential anti-spam group (shh! That's a scoop!)), spoke with Mr.
     > Jones' campaign workers and it has been confirmed that this was
     > indeed not a "joe job" i.e. a forged spam to set him up. She's been
     > copied in on this - perhaps she can confirm or deny, as appropriate.
    
    Hi, Declan,
    
    I did get the Bill Jones spam (3 times, actually). I called the Bill
    Jones campaign after receiving the first one and talked to the woman
    who answered the phone. I asked for the person in charge of their
    email campaign and she asked me if I'd gotten the recent email. I said
    yes. She explained that they had gotten a number of phone calls about
    it but that they didn't know who actually sent it. Furthermore, since
    the mail didn't come through their servers (it came through an open
    proxy in Korea) that it was obvious they were not responsible, and
    they would never do anything so unpopular right next to a campaign.
    
    By this time, my business partner was also on the phone. We run a
    consulting / software business that helps people track email
    (word-to-the-wise.com). At this point believing the woman on the
    phone, we provided her with all the information we had about the spam,
    including the Korean open proxy and the website hosted on terra.es. We
    hung up the phone and sent a copy of our analysis by email.
    
    Meanwhile, I dropped a note to a Wired reporter who had recently
    interviewed Steve about the abuse of Korean relays. She was very
    interested and asked for all the details. I then provided the gist of
    my conversation with the Bill Jones campaign worker. She responded
    that he had spammed before.
    
    At that point, we started digging a little deeper. And, yes, he
    appears to have spammed around December 11 and around January
    21. Given that we'd been outright lied to by the campaign worker,
    Steve called back. He then spoke to Darren Ng (Press Secretary) who
    admitted to him that they were responsible for the spam. Another
    individual, Bill Carton, has confirmed he talked with the same person
    and got the same admission.
    
    The interesting bit is that Bill Jones' numbers start to tank in
    December and are still falling. Cause and effect are hard to judge,
    but it would be interesting to see if his numbers were falling before
    the first December spam, or after.
    
    For the record, I actually received 3 of his spams to two separate
    addresses.
    
    Laura
    
    -- 
    Laura Atkins
    lauraat_private
    
    *********
    
    Date: Thu, 28 Feb 2002 10:45:27 -0500
    To: declanat_private
    From: Neil Schwartzman <neilat_private>
    Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political
      spam
    Cc: Laura Atkins <lauraat_private>
    
    At 2:07 -0500 2/28/02, Declan McCullagh wrote:
    >Kevin Poulsen sends email asking the real question: "Is this 
    >indiscriminate spamming actually the work of candidate Jones, or a wily 
    >opponent?" I invite Bill Jones to reply.
    
    Hi Declan,
    
    My colleague Laura Atkins (who is the newly appointed President of an 
    influential anti-spam group (shh! That's a scoop!)), spoke with Mr. Jones'
    campaign workers and it has been confirmed that this was indeed not a "joe 
    job" i.e. a forged spam to set him up. She's been copied in on this - 
    perhaps she can confirm or deny, as appropriate. Failing that, or 
    supporting it, there has been media coverage about Jones doing this before 
    (December being the last time):
    <http://www.msnbc.com/news/671170.asp>
    <http://www.latimes.com/news/local/politics/cal/la-022002jones.story>
    
    But what has not been reported are the ironies in this latest spew:
    
    Apart from the most obvious one for me, personally, that this bozo is 
    spamming the chair of the Coalition Against Unsolicited Commercial Email - 
    Canada [CAUCE.ca] (moi) is the fact that a) whoever sent this spam on his 
    behalf used an open relay in Korea (essentially exploiting a security 
    vulnerability, tantamount to hacking of a computer located in another 
    country) and b) his website is HOSTED IN SPAIN - a tactic used increasingly 
    by spammers who know that North American webhosts will not tolerate sites 
    touted on their systems as the "payload" in spam - they usually kill them 
    off pretty quickly. So much for being a proud American.
    
    What is obvious and apparent to me is that whoever did this was a fairly
    sophisticated spammer, and that this is the last gasp effort of someone
    well into the decline of his political career. I hope the coverage you
    afford this will be the last nail in the coffin, quite frankly; we need
    personal and moral leadership from our politicians; not the type who would
    consort with the purveyors of Penis & Breast enlargement schemes.
    -- 
    Neil Schwartzman - Editor & Publisher
    Pete Moss Publications, Industry & Trade Journals
    <http://spamNEWS.com><http://virus-news.com>
    <http://spamFLAMES.com><http://petemoss.com>
    
    *********
    
    Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam
    Date: Thu, 28 Feb 2002 08:00:51 -0800
    From: David Lawrence <david@online-today.com>
    To: "Declan McCullagh" <declanat_private>
    
    Declan,
    
    We covered this on Online Tonight last night. Lili and I got over a dozen
    ourselves, all from different variations on the KatieXXXXXXX/MSN address,
    and all with circuitous routes between the originating IP and me, taking
    the message through the Netherlands and Korea.
    
    We have a call in to Bill Jones' office to find out who he pissed off and
    would try to spamframe him, or who among his supporters is misguided and
    overzealous, as the natural conclusion is that the Secretary of one of
    the more spam-conscious state legislatures couldn't be stupid enough to
    actually do this.
    
    He is, after all, a Republican, and we are much smarter than that...we'd
    have Liddy do it.
    
    I'll keep you posted.
    
    David
    
    *********
    
    Date: Thu, 28 Feb 2002 03:21:05 -0800
    From: Lewis McCarthy <pseudonymat_private>
    To: declanat_private
    Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam
    
    Declan,
    
    I'd be surprised if these messages turn out to be official Jones for Governor
    campaign materials. In addition to the discrepancies observed by others,
    consider this paragraph from one of the messages:
    
         "So while other candidates for Governor are spending over $10,000,000
         dollars on 30 second TV ads, I am trying something new. What's new is this
         - I am only going to provide you with the facts on my record. Please go to
         my <http://195.235.97.200/personal8/inacct48/>web site and check it out
         for yourself."
    
    According to Bill Jones' candidate statement in the Official Voter Information
    Guide mailed out by the state -- which incidentally bears his signature on the
    certificate of correctness on the front, as Secretary of State -- his campaign
    website is www.billjones.org. That site is much more extensive than
    http://195.235.97.200/personal8/inacct48/ , which consists of little more than
    the text of a half-dozen press releases.
    
    Furthermore, while these messages attempt to position Jones on some sort of
    moral high ground w.r.t. the use of TV ads, his real campaign adopts quite a
    different tone. In fact, there's a prominent link on the front page of billjones.org
    inviting visitors to "See the new campaign commercials!" at
    http://www.billjones.org/Home/HomeList.cfm?c=19 .
    
    -Lewis
    "just another registered Libertarian voter in California"
    
    *********
    
    From: Charlie Oriez <coriezat_private>
    Organization: Lumber Cartel [tinlc]
    To: declanat_private, politechat_private
    Subject: Analysis of alleged Bill Jones spam
    Date: Thu, 28 Feb 2002 08:21:59 -0700
    
    Spam sent from billjonesat_private is posted here:
    
    http://groups.google.com/groups?q=+%22bill+jones%22+group:news.admin.net-abuse.*&hl=en&scoring=r&as_drrb=b&as_mind=1&as_minm=2&as_miny=2002&as_maxd=28&as_maxm=2&as_maxy=2002&selm=nans20020215200252%245890%40news.killfile.org&rnum=3
    
    An NSlookup for the IPA and domain name shown in the spam shows an A
    record:
    
    mail.wiredwebsites.com  86398   IN      A       64.7.197.9
    
    Wired Websites might want to confirm or deny that the Bill Jones
    campaign is a customer of theirs or that the address was a forgery.
    The message ID would tell them who sent the spam if they do not have
    an open relay.
    
    A relay test run thru John Levine's abuse.net shows that IPA is
    possibly open to third party relay (confirm at
    <http://www.abuse.net/relay.html> by entering the IPA) but Osirusoft
    has it in a list of IPAs that have specifically tested clean and are
    not to be retested.  Either they have since fixed their relay, or
    someone with that Bill Jones address is a customer.  His web site is
    NOT hosted by them, or by any other California ISP.  His web site is
    hosted by a Maryland ISP, VirtualSprockets, LLC in a fine display of
    his support  for California businesses.
    
    Contact info for both Virtual Sprockets and Wired Websites, from a
    whois:
    
    Registrant:
              Bill Jones Campaign (BILLJONES2-DOM)
                 1801 I St.
                 Sacramento, CA 95814
                 US
    
                 Domain Name: BILLJONES.ORG
    
                 Administrative Contact, Billing Contact:
                    VirtualSprockets, LLC  (G16821-OR)
    no.valid.emailat_private
                    VirtualSprockets, LLC
                    20010-G Fisher Avenue, Ste 205
                    Poolesville, MD 20837
                    US
                    3019727415 fax: 3014070394
    
                 Technical Contact:
                    Kittleman, Laura  (LK614)  lauraat_private
                    Virtual Sprockets, Inc.
                    P.O. Box 450
                    Barnesville, MD 20838
                    301 972-7415 (FAX) 301 972-7415
    
    
    
                   Administrative, Technical Contact:
                      Griffiths, Jason  jasonat_private
                      Wired Websites
                      3340 E. Collins Ave #53
                      Orange, CA  92867
                      US
                      714.538.5016
    
    Incidentally, a from address of someaddrat_private with a bogus
    excite.com address in the reply-to header is a common forgery in one
    of the spam tools.  The sample you posted didn't have complete
    headers, so I can't tell for sure that this was the case in that
    specific instance.  However, that particular forgery is so common in
    spam, and non existent in legitimate mail, that some filter tools
    automatically block on that combination.  I'm not aware of any
    examples where mail with that combination actually goes thru an
    msn.com server.  Your original correspondent can probably confirm
    that, since I see that he copied his mail to the msn address and
    almost certainly got a '550 user unknown' error message for his
    trouble.  I'm not a fan of Microsoft (see sig), but they aren't to
    blame here.
    
    Spamcop shows purported Bill Jones spam also coming thru
    211.251.245.66 and 211.114.51.233   Both IPAs are identified by a
    number of the anti-spam lists as open relays registered to the Korean
    ISP kornet and they are now blocked.   The first one is ultimately
    assigned to a Korean Middle School mail server and spamcop says that
    92% of the traffic coming through it is from known spammers.  Great
    demonstration of someone's respect for private property, in my view.
    
    A usenet post of a reject log showing those IPAs on alleged Bill
    Jones spam:
    http://groups.google.com/groups?hl=en&threadm=a5keou%246v2%40hearye.mlb.semi.harris.com&rnum=2&prev=/groups%3Fas_q%3D%26num%3D100%26as_scoring%3Dr%26btnG%3DGoogle%2BSearch%26as_epq%3Dbill%2Bjones%26as_oq%3D%26as_eq%3D%26as_ugroup%3Dnews.admin.net-abuse.*%26as_usubject%3D%26as_uauthors%3D%26as_umsgid%3D%26lr%3D%26as_qdr%3D%26as_drrb%3Db%26as_mind%3D1%26as_minm%3D2%26as_miny%3D2002%26as_maxd%3D28%26as_maxm%3D2%26as_maxy%3D2002
    
    Osirusoft whois showing the Korean data:
    http://relays.osirusoft.com/cgi-bin/addressblock.cgi?addr2=211.251.245.66
    http://relays.osirusoft.com/cgi-bin/addressblock.cgi?addr2=211.114.51.233
    
    
    -- 
    Charles Oriez, coriezat_private
    39  34' 34.4"N / 105 00' 06.3"W
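
    The header checks described in the message above, as an added example that is not part of the original post: it flags the From/Reply-To forgery pattern when no msn.com host appears in the Received chain, and reports hops matching the two Korean open-relay addresses named in the message. The sample message, its host names, the function names and the assumption that the redacted From domain is msn.com are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The two open-relay addresses named in the message above.
KNOWN_OPEN_RELAYS = {"211.251.245.66", "211.114.51.233"}
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample, not a real captured message. Host names are hypothetical.
SAMPLE_SPAM = """\
Received: from mail.example-school.kr ([211.251.245.66])
\tby mx.recipient.example with SMTP id abc123;
\tWed, 27 Feb 2002 10:15:06 -0800
Received: from unknown (HELO localhost) ([192.0.2.44])
\tby mail.example-school.kr with SMTP;
\tThu, 28 Feb 2002 03:14:59 +0900
From: "Katie" <katie0000000@msn.com>
Reply-To: katie0000000@excite.com
To: voter@recipient.example
Subject: Constructed sample

body
"""


def sender_domain(value):
    """Lower-cased domain of an address header, or '' if missing/malformed."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def received_hops(msg):
    """Parse Received headers, newest hop first (the order they appear)."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        hops.append({
            "from": frm.group(1).lower() if frm else "",
            "by": by.group(1).lower() if by else "",
            "ips": BRACKETED_IPV4.findall(line),
        })
    return hops


def analyze(raw_message):
    msg = message_from_string(raw_message)
    hops = received_hops(msg)
    # Host names in Received lines are claims; only hops recorded by your own
    # servers are trustworthy. A production filter would weight them so.
    hosts = [h["from"] for h in hops] + [h["by"] for h in hops]
    via_msn = any(h == "msn.com" or h.endswith(".msn.com") for h in hosts)
    forged_combo = (
        sender_domain(msg["From"]) == "msn.com"
        and sender_domain(msg["Reply-To"]) == "excite.com"
        and not via_msn
    )
    relay_hits = [ip for h in hops for ip in h["ips"] if ip in KNOWN_OPEN_RELAYS]
    return {
        "forged_msn_excite": forged_combo,
        "open_relay_hops": relay_hits,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_SPAM))
```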
    
    *********
    
    Date: Thu, 28 Feb 2002 08:14:45 -0500
    From: Rich Kulawiec <rskat_private>
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: Calif. governor candidate, DNC chairman turn to political spam
    
    On Thu, Feb 28, 2002 at 02:07:40AM -0500, Declan McCullagh wrote:
     > Kevin Poulsen sends email asking the real question: "Is this indiscriminate
     > spamming actually the work of candidate Jones, or a wily opponent?"
    
    Several contributors to Spam-L have posted information that indicates that
    they've spoken to someone at billjones.org, and that they (billjones.org)
    are deliberately doing this.  From the mail headers I've seen analyzed
    so far, it looks like they've hijacked open relays in Korea and Spain
    to send this spam.  See the two notes enclosed below for some additional
    info.  I also note in passing that billjones.org fails to comply with
    RFC 2142 -- apparently they like sending spam, but don't wish to receive any.
    
    ---Rsk
    
    ==========
    Item 1:
    ==========
     > From: Laura Atkins <lauratat_private>
     > Date:         Wed, 27 Feb 2002 18:15:06 -0500
     > Sender: Spam Prevention Discussion List <SPAM-Lat_private>
     > Subject:      Re: SPAM, HELP: Bill Jones for California Governor 6785nXjP1-362LAhl15
     > To: SPAM-Lat_private
     >
     > [...]
     >
     > http://www.latimes.com/news/politics/la-022002jones.story?coll=la-headlines-politics
     >
     > http://www.lugod.org/mailinglists/archives/vox/2002-01/msg00189.html
     >
     > http://stacks.msnbc.com/news/671170.asp?cp1=1
     >
     > And, Darrel Ng at the Bill Jones for Governor office just admitted
     > sending it while we were on the phone with him.
     >
     > laura
    
    ==========
    Item 2:
    ==========
    
     > From: Joe Wagner <joepublics-lat_private>
     > Date:         Wed, 27 Feb 2002 19:20:04 -0500
     > Sender: Spam Prevention Discussion List <SPAM-Lat_private>
     > Subject:      Re: SPAM, HELP: Bill Jones for California Governor 6785nXjP1-362LAhl15
     > To: SPAM-Lat_private
     >
     > When the story originally broke a while ago about Bill Jones campaign
     > admitting sending spam, I proactively sent via a fax and via the contact
     > form on their website a formal notice to not send any Unsolicited email to
     > any of our users.  Funnily enough the Billjones.org's website only offers a
     > webform for email...I guess they don't want spammers finding _their_ email
     > addresses and spamming them. How classy. Even their web contact form, when
     > it sends a confirmation copy of your message back to you, they use _your_
     > address as the sender.  Check out the headers at the bottom.  I sent a
     > followup webform comment about that.
     >
     > Both messages of course were never answered. However, the Bill Jones folks
     > promptly started spamming the abuseat_private email address that we
     > provided on the webform.  It's clear now that they're not clueless, they've
     > chosen to act this way.
     >
     > I wonder if I should send them an invoice...
     >
     > Joe
     >
     > --
     > Hello,
     >  I understand that Bill Jones has ill-advisedly begun to use
     > Unsolicited Bulk Email (UBE or "spam") to advertise his political campaign
     > and drive voters to his website.  According to a story on MSNBC
     > (http://www.msnbc.com/news/671170.asp  "California candidate spams voters")
     > this has been confirmed by a spokesperson of the campaign, Beth Pendexter.  I
     > will not reiterate the many, many reasons why this is wrong, both legally
     > and morally.  It is clear from Ms. Pendexter's quote in the MSNBC article
     > that the Bill Jones campaign has considered the implications of its actions
     > and has willfully chosen to pursue the practice.
     >
     >  The missive is a FORMAL NOTICE to the Bill Jones campaign that it is
     > not permitted to send _ANY_ unsolicited email messages to any of the
     > accounts serviced by Hypertouch's mail servers.  We host a number of domains
     > on our servers and you are not permitted to send messages through our
     > servers to ANY account of ANY domain name. Hypertouch Inc. servers are
     > located in the state of California which has a number of laws prohibiting
     > spam... The sending of any unsolicited email advertising messages,
     > unsolicited bulk email advertising messages and all other forms of email
     > abuse to Hypertouch.com, reasonabledoubt.com or other domains owned, hosted
     > or managed by Hypertouch Inc. is expressly forbidden. Our mail servers are
     > mail.hypertouch.com, mail2.hypertouch.com, mail3.hypertouch.com and
     > mail4.hypertouch.com. It is your responsibility to clean your email lists.
     > It is a simple matter to look up the IP addresses of our servers and make
     > sure that the domains you are sending to do not use any of our servers.
     > Furthermore, if any of a domain's DNS servers are one of Hypertouch's
     > servers, e.g. dns1.hypertouch.com, then it is also pretty obvious we own,
     > host or manage that domain.
     >
     >  Finally, having received this formal notice on December 13, 2001, if
     > the Bill Jones campaign, or any contractor, supporter, or otherwise directed
     > third party does send any email messages to Hypertouch's servers, that shall
     > constitute agreement by the Bill Jones campaign to pay Hypertouch Inc a fee
     > of $1000 per email address used per message. This is in addition to any civil
     > or criminal penalties imposed by law. To repeat:
     >
     > THE SENDING OF ANY UNSOLICITED EMAIL TO OR THROUGH ANY HYPERTOUCH SERVER
     > CONSTITUTES AGREEMENT TO PAY HYPERTOUCH INC. $1000 PER EMAIL ADDRESS USED
     > PER MESSAGE.
     >
     >  The sole exception to this fee agreement is for email sent to
     > abuse1at_private, to which you may send freely without penalty for the
     > purposes of constructive discussion.
     >
     >  The Bill Jones campaign has chosen an incredibly irresponsible
     > manner in which to conduct itself. It of course removes any chance of
     > support Bill Jones might have engendered had he not forced others to bear
     > the cost of advertising for his campaign.  I urge you to reconsider.
     >
     > Thank you,
     >
     > James Joseph Wagner
     > President, Hypertouch Inc
     > 235 Belmont Ave
     > Redwood City, CA 94061
     > 650-367-6664 (voice/FAX)
     >
     > --
     > A copy of this OPT-OUT/Fee notice was submitted to the Bill Jones Campaign
     > via the www.billjones.org website.
     > --
     > Here's the lame confirmation copy you get from their website's contact form,
     > note they do not provide a return address, they just use yours.  Nice...
     > --
     > Received: from [207.188.212.40] (HELO elroy) by mail.hasit.com (Stalker SMTP
     > Server 1.8b8) with ESMTP id S.0000006950 for <abuse1at_private>; Thu,
     > 13 Dec 2001 01:53:24 -0800
     > Received: from 207.188.212.40 ([207.188.212.40]) by elroy with Microsoft
     > SMTPSVC(5.0.2195.2966);
     >   Thu, 13 Dec 2001 04:54:23 -0500
     > Content-type: text/plain
     > Date: Thu, 13 Dec 2001 04:53:51 -0500
     > From: abuse1at_private
     > Subject: Your message to Bill Jones for Governor
     > To: abuse1at_private
     > X-mailer: mailerat_private
     > Return-Path: abuse1at_private
     > Message-ID: <ELROYKRfcjcMzfoV1qd00001152@elroy>
     > X-OriginalArrivalTime: 13 Dec 2001 09:54:23.0562 (UTC)
     > FILETIME=[24AEF2A0:01C183BC]
     >
     >
     > Hello,
     >  I understand that Bill Jones has ill-advisedly begun to use
     > Unsolicited Bulk Email (UBE or "spam") to advertise his political campaign
     > and drive voters to his website.
     > [...snip the copy of the rest of my message...]
     >
    
    *********
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 09:54:08 PST