Date: Sun, 18 May 1997 13:33:17 -0400 (EDT)
From: Matt Kirschenbaum <firstname.lastname@example.org>
Subject: spam wars (fwd)
Given the recent discussions of spam here, this ought to be of
> From root Sun May 18 06:07:48 1997
> Resent-Date: Sat, 17 May 1997 22:34:16 -0700 (PDT)
> Date: Sat, 17 May 1997 22:31:52 -0700 (PDT)
> From: Phil Agre <email@example.com>
> Message-Id: <199705180531.WAA22373@weber.ucsd.edu>
> To: firstname.lastname@example.org
> > Resent-Message-ID: <"titNND.A.xdF.JRpfz"@weber>
> Resent-From: email@example.com
> Reply-To: firstname.lastname@example.org
> X-URL: http://communication.ucsd.edu/pagre/rre.html
> X-Mailing-List: <email@example.com> archive/latest/1604
> X-Loop: firstname.lastname@example.org
> Precedence: list
> [A new form of extortion: shut up your mouth, and/or contribute to our
> benevolent fund, or we'll forge *your* address on our next giant spam.
> Spam is theft. For more anti-spam action, see http://www.cauce.org/ ]
> This message was forwarded through the Red Rock Eater News Service (RRE).
> Send any replies to the original author, listed in the From: field below.
> You are welcome to send the message along to others but please do not use
> the "redirect" command. For information on RRE, including instructions
> for (un)subscribing, send an empty message to email@example.com
> Date: Sat, 17 May 1997 12:53:10 -0700 (PDT)
> From: firstname.lastname@example.org
> Subject: RISKS DIGEST 19.16
> Date: Thu, 15 May 1997 20:01:52 -0400
> From: Jim Youll <email@example.com>
> Subject: newmediagroup.com headers were forged in junk e-mailing;
> retaliation against my public anti-SPAM activities
> We are a very small company. We are being attacked electronically, because
> of my public anti-spam stance:
> (A) Our server was subjected to an inbound bombing from the hijacked
> servers into our mailserver last night (14 May 1997).
> (B) Thousands of messages were sent OUT today (15 May) from the same
> hijacked servers, resulting in a torrent of complaining, hostile, violent
> mail to our mailboxes. Some people began to mailbomb us with large
> I have 99.9% confidence that the hostile messages were injected into the net
> from a computer dialed into enterprise.net, a UK ISP, and have the
> corroborating records to prove it, at least everything I can get without
> cooperation from enterprise.net. I am unable to reach anyone at
> enterprise.net who will assist in this investigation.
> The messages were relayed off nevwest.com and freenet.carleton.ca SMTP servers.
> The administrators at these sites have not been terribly supportive, though
> they claim to be working on it. They have also received quite a bit of
> inbound mail, but appear somewhat unsure about what to do or ``how that
> happened''. They've asked me if *I* sent the messages.
> Complete details of the attack and my anti-junkmail posting which started
> all this appear here:
> The message I have sent out follows. I need support from the UK. I am
> prepared to do whatever it takes to get a prosecution.
> -- quoted message follows --
> My domain newmediagroup.com is under attack by someone who doesn't like my
> MILITANT, PUBLIC ANTI-SPAM stance. To date, their actions have included
> sending apparently several thousand e-mail messages, forged showing my name
> as the sender. In addition, this same party or someone working with them
> conducted a denial-of-service attack on our system last night, 14 May. See
> http://www.agentzero.com/junkmail, including system logs clearly showing the
> terrorists' use of third-party unsecured SMTP servers as relays (which you
> will also see by looking at the headers of the messages that were sent).
> Their attack has also included threats of harm against me.
> PLEASE let people know this did not originate at newmediagroup.com. It is a
> complete forgery. We are TRYING to investigate and at the moment have a
> number of backbone carriers and MCI security, involved. I am doing all I
> can. PLEASE tell people to stop writing to complain. This did not come
> from us. We don't spam. I am FIGHTING spam and that is why I was targeted
> in this manner. When you see their mail-bomb messages to me, you will
> I am seeking cooperation from the sites that were used as relays. Sheila,
> apparently an administrator at freenet.carleton.ca. (office@ is their e-mail
> address; if you have received junk that bounced off their mailer, I STRONGLY
> suggest you contact them and demand the holes be closed.) Carleton Freenet
> has notified me (15 May 1997, 1600 EDT by e-mail) that they will not release
> their SMTP logs, which would show the origin of the message injected into
> their mailer. A man reached at nevwest.com said he had ``one technician
> working on it'' but really didn't understand the specifics, and was not very
> excited about helping. This is all very exciting for electronic terrorists,
> I am sure.
> New Media Group (and I in particular!) do not send or generate commercial
> e-mail. Ever. We are a small Internet presence provider working closely
> and on-site with clients in the Midwestern US. Only. We do not seek,
> service, or advertise to anyone outside that area, and we do not use e-mail
> for advertising.
> Copies of all logs and the threatening messages which came here have been
> forwarded to security officers at all ISPs we could identify, and at the
> security offices of backbone providers involved in this. We're trying, but
> it will be difficult to identify who did this. We're trying. I fully
> intend to press criminal and civil charges at the very moment an indictment
> becomes feasible.
> The reason we have been targeted is that I (personally, not this company)
> have been leading a campaign AGAINST junk e-mail. Please help me find out
> who did this.
> If you look at the headers, you will see that the messages did not come from
> here. The incoming messages threatened more attacks unless I stop my
> campaign to free people from unwanted junk e-mail. This is terrorism, plain
> and simple and I call on the entire Internet community to help track down
> the responsible parties. I will appreciate any assistance you can provide.
> I am offering a reward of $1,000 for information leading to the arrest and
> conviction of the perpetrators of this crime.
> NOTE ADDED 16 May 1997:
> We were hit again overnight 15 to 16 May. This time messages were sent to
> many addresses in the U.S. Primarily the incoming has been bouncing due to
> bogus or no-longer-in-use names at these locations. The nature of the
> addressing suggests that the names were culled from newsgroups and other
> public sources, and that the system doing the gathering went back some
> distance in time to get them, as many were expired.
> ... It's been a busy couple of days. We have received approximately 2,500
> undeliverable messages in the last few hours. (Normal is 20-50 per day.)
> The incoming complaints and attacks are slowing, because I think people are
> learning that firstname.lastname@example.org is ANTI-junk. Word is getting out, and
> hopefully that will help in the future.
> End of RISKS-FORUM Digest 19.16
> generic Risks reuse disclaimer:
> Reused without explicit authorization under blanket
> permission granted for all Risks-Forum Digest materials.
> The author(s), the RISKS moderator, and the ACM have no
> connection with this reuse.