How To File A (Correct) Complaint About Spam

When you receive unsolicited commercial e-mail, you have to decode the message before jumping to conclusions about who sent it.

BoxedArt.com is not sending spam, but someone wants to make it look like it is. In the past three days, I have received over a dozen messages that appeared, at first glance, to be from BoxedArt.com. But as BoxedArt.com points out on its website, they are not sending spam, somebody else is – and at BoxedArt.com’s expense (http://www.boxedart.com/services/spamattack.php).

Here is one of the messages that I received, with full headers:

Received: from evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net 
(evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net [4.65.240.73]) 
        by giantpeople.com (8.12.6p2/8.12.6) with SMTP id h59BSt6D093674 
        for <info@clocktowerlaw.com>; Mon, 9 Jun 2003 05:28:58 -0600 (MDT) 
Message-ID: <20030630284.12477.qmail@bigresources.com> 
Date: Mon, 9 Jun 2003 04:27:05 -0700 
From: "Jason M. DesRoches" <jason@bigresources.com> 
Subject: Daily news from www.boxedart.com 
To: <info@clocktowerlaw.com> 
MIME-Version: 1.0 
Content-Type: text/plain; charset=us-ascii 
X-UIDL: h=n"!-'l!![+U"!FDd!! 

Dear Sirs, 

We are continuing to provide you with the highest-quality graphics 
for the lowest price anywhere on the web, our business model of 
offering thousands of graphics without charging "per item fees" on 
www.boxedart.com.

If you are interested in helping us, there are several things that 
you can do, which will help us keep our prices down and our 
inventory up: 

1. Refer us to your friends and colleagues who might also be 
interested in joining our program. If you know anyone with a need 
for web design, you can help them and us by sending them over to 
the least expensive professional web design resource on the web. 

2. Don't share your account with others! If you're letting your 
friends get free access to your account, or sharing our graphics 
with others, it can have a big impact on our tier-1 bandwidth 
bill, as well as cost us revenue from sales, and is, of course, 
something we absolutely prohibit. 

3. Follow our licensing terms. If you are a web developer, please 
purchase the required additional licenses for your clients if you 
do not plan on making significant modifications to our templates 
that you are delivering to them, as stipulated is required in our 
online FAQ. 

4. Consider one of our limited edition items if you are looking 
for low distribution graphics for yourself or for your clients. 
Also keep an eye peeled for our upcoming and enhanced custom work 
area which will make purchasing customized work a snap! 

5. Spread the word around everywhere, if you belong to a forum 
community, and you see a related topic to our services, post about 
us. If you have a website, add a link, however please avoid just 
spamming our site across other communities, as it is usually 
against their policies. 

6. Tell us your needs. If you are looking for specific design 
genres or styles, for the limited or members area, let us know 
about it through the feedback link on our site, so that we may be 
the ones to fill your needs. 

Any assistance you could provide would be greatly appreciated by 
our entire staff. 

We hope you understand how committed we are to continuing to 
deliver this service to you, and will continue to expand and grow 
to meets your requests and needs with not only our efforts, but 
your help as well. We trust you will continue to enjoy your 
BoxedArt membership, and we hope this information has help shed 
some light on the recent occurrences that have taken place on 
BoxedArt. We thank all of our loyal customers for their continued 
support, and encourage you to contact us if we can be of any 
assistance. 

Sincerely, 

Jason M. DesRoches
BigResources Inc. President/CEO
jason@bigresources.com

It is difficult to decode this e-mail message because the “From:” header is apparently forged. There are also typos in the body of the message (e.g. “to meets your requests”), which suggest that it is not genuine. Many e-mail headers can be forged, and the most reliable information is going to be in the first “Received” line of the message, shown in more detail below.

Received: from evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net (evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net [4.65.240.73])
by giantpeople.com (8.12.6p2/8.12.6) with SMTP id h59BSt6D093674
for <info@clocktowerlaw.com>; Mon, 9 Jun 2003 05:28:58 -0600 (MDT)

  1. The first part shows the name of the originating computer (evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net), which appears to be a DSL connection provided by the ISP Verizon.
  2. The second part shows the IP address of the originating computer (4.65.240.73).
  3. The third part shows the address of my mail server (giantpeople.com).
  4. The fourth part shows the e-mail address the message was addressed to (info@clocktowerlaw.com).

Of these, the first two parts are the best data points for identifying the source of the spam.

The short way to find out where to send your e-mail complaint is to paste the full headers of your e-mail into the form on the SpamCop website (http://www.spamcop.com/). In this case, SpamCop reports that I should send my complaint to abuse@genuity.com.

The long way to find out where to send your e-mail complaint is to look up the IP address of the originating computer, see which ISP runs that network, and send the e-mail to the ISP’s abuse contact address. I used ARIN’s WHOIS database (http://www.arin.net/whois/index.html) to search for information about the IP address of the originating computer. ARIN is the American Registry for Internet Numbers, and their WHOIS database contains information about IP addresses and networks, not domain names. The ARIN database should not be confused with the various whois interfaces to the gTLD (generic top-level domain, i.e. “.com,” “.net,” and “.org”) domain name databases such as Verisign’s (http://www.networksolutions.com/en_US/whois/). ARIN’s database shows that the sender’s IP address is assigned to Genuity:

Search results for: 4.65.240.73

OrgName:    Genuity
OrgID:      GNTY
Address:    Genuity
Address:    225 Presidential Way
City:       Woburn
StateProv:  MA
PostalCode: 01888
Country:    US

NetRange:   4.0.0.0 - 4.255.255.255
CIDR:       4.0.0.0/8
NetName:    GNTY-4-0
NetHandle:  NET-4-0-0-0-1
Parent:
NetType:    Direct Allocation
NameServer: DNSAUTH1.SYS.GTEI.NET
NameServer: DNSAUTH2.SYS.GTEI.NET
NameServer: DNSAUTH3.SYS.GTEI.NET
Comment:
RegDate:
Updated:    2002-05-02

TechHandle: CS15-ARIN
TechName:   Soulia, Cindy
TechPhone:  +1-800-436-8489
TechEmail:  csoulia@genuity.com

OrgAbuseHandle: ABUSE23-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-800-436-8489
OrgAbuseEmail:  abuse@genuity.com

OrgNOCHandle: NOC119-ARIN
OrgNOCName:   NOC
OrgNOCPhone:  +1-800-436-8489
OrgNOCEmail:  ops@genuity.net

OrgTechHandle: CS15-ARIN
OrgTechName:   Soulia, Cindy
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  csoulia@genuity.com

OrgTechHandle: ARINC4-ARIN
OrgTechName:   ARIN Contact
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  arin-contact@genuity.com

# ARIN WHOIS database, last updated 2003-06-08 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

Note that the value of the “OrgAbuseEmail” field is abuse@genuity.com.
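
The same step in code, added here as an example and not part of the original article: it reads WHOIS text in the layout shown above and returns the OrgAbuseEmail value only when the record's CIDR actually contains the sending IP address. The function names are made up for this example, and the embedded text is an excerpt of the output quoted above.

```python
import ipaddress

# Excerpt of the ARIN WHOIS output quoted in the article.
WHOIS_TEXT = """\
OrgName:    Genuity
NetRange:   4.0.0.0 - 4.255.255.255
CIDR:       4.0.0.0/8
Parent:
OrgAbuseEmail:  abuse@genuity.com
OrgTechEmail:  csoulia@genuity.com
OrgTechEmail:  arin-contact@genuity.com
# ARIN WHOIS database, last updated 2003-06-08 21:05
"""


def parse_whois(text):
    """Collect 'Key: value' lines; keys can repeat, so values are lists."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank line, comment, or not a field
        key, _, value = line.partition(":")
        if value.strip():  # skip empty fields such as "Parent:"
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def abuse_contact(text, ip):
    """Return OrgAbuseEmail only if the record's CIDR covers `ip`."""
    record = parse_whois(text)
    addr = ipaddress.ip_address(ip)
    # A CIDR field may list several comma-separated blocks.
    cidrs = [c.strip() for v in record.get("CIDR", []) for c in v.split(",")]
    if not any(addr in ipaddress.ip_network(c) for c in cidrs if c):
        return None  # wrong record for this address: do not complain here
    emails = record.get("OrgAbuseEmail", [])
    return emails[0] if emails else None


if __name__ == "__main__":
    print(abuse_contact(WHOIS_TEXT, "4.65.240.73"))
    print(abuse_contact(WHOIS_TEXT, "68.44.31.6"))
```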

Now here’s the big problem. So what that the sender sent from this network? I have received five of these messages today, and the sender or senders appear to be sending from different networks in different countries. In other words, this is a fairly sophisticated spam campaign that may be designed to cause a Denial of Service (DoS) attack (either based on responses or retaliations to the spam) on the innocent subject of the e-mail message.

Here are the first “Received” lines from the other four messages I’ve received today.

Received: from pcp03076254pcs.glst3401.nj.comcast.net 
(pcp03076254pcs.glst3401.nj.comcast.net [68.44.31.6]) ...

Received: from pcp02518650pcs.southk01.tn.comcast.net 
(pcp02518650pcs.southk01.tn.comcast.net [68.84.86.204]) ...

Received: from pD9E8C115.dip0.t-ipconnect.de 
(pD9E8C115.dip0.t-ipconnect.de [217.232.193.21]) ...

Received: from catv-128-145.tbwil.ch 
(catv-128-145.tbwil.ch [213.196.128.145]) ...

In order to complain about these messages, I’d have to send e-mail to, respectively, abuse@comcast.net, abuse@comcast.net, abuse@t-ipnet.de, and hostmaster@datapark.ch.
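
The breakdown of the “Received” line given earlier, applied to all five messages, as an added example that is not part of the original article: it pulls out the announced name, the recorded name and IP address, the receiving server and the recipient, then counts messages per source domain. The function names are made up for this example, and taking the last two DNS labels as the source domain is a simplifying assumption.

```python
import re
from collections import Counter

# Sendmail-style layout: from HELO (RDNS [IP]) by HOST ... for <RCPT>; DATE
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
    r"(?:\s+by\s+(?P<by>\S+))?"
    r"(?:.*?\bfor\s+<(?P<rcpt>[^>]+)>)?",
    re.DOTALL,
)

# First "Received" values quoted in the article; four are truncated there.
SAMPLES = [
    "from evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net\n"
    " (evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net [4.65.240.73])\n"
    " by giantpeople.com (8.12.6p2/8.12.6) with SMTP id h59BSt6D093674\n"
    " for <info@clocktowerlaw.com>; Mon, 9 Jun 2003 05:28:58 -0600 (MDT)",
    "from pcp03076254pcs.glst3401.nj.comcast.net\n"
    " (pcp03076254pcs.glst3401.nj.comcast.net [68.44.31.6]) ...",
    "from pcp02518650pcs.southk01.tn.comcast.net\n"
    " (pcp02518650pcs.southk01.tn.comcast.net [68.84.86.204]) ...",
    "from pD9E8C115.dip0.t-ipconnect.de\n"
    " (pD9E8C115.dip0.t-ipconnect.de [217.232.193.21]) ...",
    "from catv-128-145.tbwil.ch\n"
    " (catv-128-145.tbwil.ch [213.196.128.145]) ...",
]

def parse_received(value):
    """Split one Received value into the parts the article walks through."""
    m = RECEIVED_RE.search(value)
    if m is None:
        return None
    fields = m.groupdict()
    # HELO is announced by the sender; RDNS and IP are recorded by the receiver.
    fields["helo_matches_rdns"] = fields["helo"].lower() == fields["rdns"].lower()
    return fields

def source_domain(rdns):
    """Last two DNS labels (assumption: no public-suffix list is consulted)."""
    return ".".join(rdns.lower().rstrip(".").split(".")[-2:])

def sources(values):
    """Count messages per source domain across several Received values."""
    parsed = [p for p in map(parse_received, values) if p]
    return Counter(source_domain(p["rdns"]) for p in parsed)

if __name__ == "__main__":
    print(parse_received(SAMPLES[0]))
    print(sources(SAMPLES))
```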

This morning, I attempted to unsubscribe from these messages, and, as I was writing this note, Jason DesRoches replied to my unsubscribe message. His message appears below.

From: “Jason M. DesRoches” <jason@bigresources.com>
To: “Erik J. Heels” <info@clocktowerlaw.com>
Subject: Re: unsubscribe
Date: Mon, 9 Jun 2003 20:21:01 -0400

Hello,

We apologize that you received this email. This email was not sent by us, but rather it was an attack against our website. BoxedArt.com and Big Resources, Inc. have no part in any of these spam emails being sent.

The mails that you are receiving are not meant as an advertisement of our company, but our attackers intend to frustrate and annoy hundreds of thousands, or possibly millions of Internet users world wide, such that they will each take their own actions against our site. Additionally, our mail is being flooded with thousands of emails per hour as a result. Despite all of this, we are attempting to reply to EVERY email that comes in to explain why there is so much spam that appears to be coming from us.

These attacks have not been easy to simply stop, as they are not using our servers to send this mail. Instead they are using 10’s of 1000’s of open relay servers world wide, and the number of potential servers to exploit is endless, and it is a simple task to spoof an email address. This incident, as well as numerous other attacks against our business are currently being investigated by the FBI. For further information on these attacks, please visit:

http://www.boxedart.com/services/spamattack.php

Thank you for your understanding.

The BoxedArt Team
support@boxedart.com

Kudos to Jason for his handling of this matter. And if you are a regular reader of this website, I’d encourage you to spread the word about this sort of attack, in general, and this attack, in particular. Running a small business is hard enough in today’s economy without having to deal with such issues. Good luck, Jason, and keep us posted.
