Fun_People Archive
24 Oct
The ongoing net war -- the Spam King battle


Date: Tue, 24 Oct 95 21:21:38 -0700
From: Peter Langston <psl>
To: Fun_People
Subject: The ongoing net war -- the Spam King battle

Forwarded-by: bostic@bsdi.com (Keith Bostic)
From: Wendell Craig Baker <wbaker@splat.baker.com>

There seems to be a major war under way over this guy known as `The Spam
King.'  His modus operandi is to hide his identity in various ways.
Seems however that some folks have found out who he is, what his numbers
are and where he works and all that.

A summary is at: http://www.emerald.net/soren/spamking/

Then there's these three CuD pieces.
					W.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: Computer underground Digest (excerpted)
      Sun  Oct 22, 1995
      Volume 7 : Issue 82
      ISSN  1004-042X

Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

File 1--Do Not Visit This Address or Call This Phone Number
File 2--Attention Spammers: The War Has Started

---------------------------------------------------------------------

From: TELECOM Digest (Patrick Townson) <telecom@DELTA.EECS.NWU.EDU>
Subject: File 1--Do Not Visit This Address or Call This Phone Number

((MODERATORS' NOTE: Pat Townson, editor of TELECOM Digest, and the one
responsible for the birth of CuD in March, 1990, wins "Net-warrior of
the week" award for his marvelous job of outing the "Spam King")).


A nemesis of many on the Internet in recent weeks is a fellow known as
Spam King. He has trashed hundreds of newsgroups with his messages, and
this includes comp.dcom.telecom recently. I spent some time Thursday
locating him.

Spam King is Jeffrey A. Slaton of Albuquerque, NM as he admitted to me in
a phone conversation this evening.

Here is what I know for a fact:

According to the phone company in Albuquerque, NM, the phone number

505-821-1945 is listed to  'J.A. Slaton'
             address withheld at the customer's request.

When you dial that number which *always* goes to voice mail, try this
little technique ...

   The instant it answers, press the * key.  The voicemail
   system will respond saying,

      "We are having a problem right now, please do not hang up.
       To leave a message, enter the number of the person you are
       calling. To listen to your messages, press the # key."

   When you press the # key, another voice asks you to enter your
   telephone number (meaning of course, Jeff's phone number) ...
   so you enter once again 505-821-1945. Of course, since you are
   not Jeff, don't do this.

   You immediately hear the name of the mailbox owner stated:

                    "Jeff Slaton"   (pronounced Slay - ton)

   And you are then asked to enter your (meaning his) password
   to pick up your messages.      grin ....

   I really have to wonder who he thinks he is messing around
   with ....

   Now would someone be so stupid as to use SPAM KING as their
   password?  (using the associated digits on the dial). Well
   no, he did not use that, but I am not going to say what
   password he *is* using.  That might be illegal and might be
   construed as me encouraging others to loot and destroy his messages.

      I'll let others of you figure it out, since after
      all it is against the law to hack someone's voicemail.

   This appears to be just your typical phone company voicemail
   system. It is NOT a 'D.I.D.' (direct inward dial) number to
   a voicemail system ... it *is* a number in his home that is
   just always left to go to voicemail.

              ================================

Speaking of homes, where *does* Jeffrey A. Slaton live?  Well, I located
him as follows:

                Jeff A. Slaton
                6808 Truchas Drive NE
                Albuquerque, NM  87109

The phone number he actually answers on is 505-822-8919. He gets a
woman who lives there to answer the phone; he hides behind her skirt.
I got him to come to the phone and speak to me with some persistence.

Naturally when dialing, if one wishes to preserve one's privacy one
will prepend *67 to the dialing string, or do as the phreaks did years
ago before the new-fangled phone system was invented and just run
through a few loop-arounds or a couple of MCI dialups or whatever.

Of course, readers are reminded that phone harassment is illegal and
ransacking and looting of other people's voicemail is also quite
illegal. Nor is it recommended that visitors without appointments
drop in to see him at his home or try anything violent like smashing
or busting up computers, modems, etc.  That sort of thing just will
never, never do ... not in a civilized America or on a civilized net.
I mean, we are still pretending that we have a modicum of civility
here, right?

I don't want to hear any reports back about people trashing that
telephone number (505-822-8919) so badly that the phone company is
never able to re-assign it to anyone or about how someone went out
there to 6808 Truchas Drive NE and busted up little Jeffy's toy computer.

When he spammed my newsgroup, and rode express right through my
mailing list a couple days ago, he got me ... well, let's say
'annoyed'.


PAT
TD Editor

PS: You might want to let others know about this fellow so that when
they are confronted with messages from Spam King they'll know who to
see about it.  Of course, in the process of posting this around, do
not start spamming yourself.  <grin> ... none the less, when you see
some of Spam King's work, let Jeff know how you feel about it, and
be sure to mention the newsgroup(s) where you saw his stuff. He'll
appreciate that.

------------------------------

From: TELECOM Digest (Patrick Townson) <telecom@DELTA.EECS.NWU.EDU>
Subject: File 2--Attention Spammers: The War Has Started

I don't know about the rest of you, but all this spamming in recent months
has really started to get me irritated. I think one solution worth looking
into is that of *spamming back at the spammers*.

Since *they* do not seem to care what sort of irrelevant junk they send
out to every newsgroup and mailing list they can find, I see no reason
why netters can't simply return the courtesy, armed with such details
as:

     home address,
     home phone number,
     social security number of the spammer when known,
     banking information of the spammer when known,
     other personal details, etc.

Then, I'll leave it to your imaginations as to how to best deal with
the inconsiderate boobs who have trashed the net to the point of it being
almost useless in recent months.

Listen to them squeal like stuck pigs when the place *they* get *their*
messages and mail gets loaded with spam ... listen and watch how they
carry on when their telephone number becomes so polluted they have to
have it changed time and time again ... smile ... oh, there are people
who can make those things happen. You can even be taught how if you
don't already know the techniques used.

And imagine the fun to be had by all with Jeff 'Spam King' Slaton's
social security number and banking information ... <even bigger grin> ...
Jeff sees nothing wrong with invading *your* privacy does he?  You are
gonna worry about his?

Here is the data on Jeff once again in case you missed it, and then we
will move on to a new assignment:

Jeff A. Slaton
6808 Truchas Drive NE
Albuquerque, NM  87109
Phone: (505)822.8919   personal answer, but lately on an answering
                       machine. press '2' for Jeff, do not bother
                       the rest of the family.

Voicemail: (505)821.1945    once it answers, press * and listen to
                       the voicemail system's response. Enter the
                       proper numbers, etc as required.

I'm doing a social security number trace on him now, and trying to
find out where he banks. I'm not certain, but I think he has some
other employment as well. If so, spam will be needed there also.
Details provided when available. In the meantime, let's get busy with
letters and phone calls to Jeff, letting him know how concerned we are
about his attitude. When you write or call Jeff, be sure to let him
know the newsgroup and site where you saw *his* spam. He'll appreciate
knowing you are concerned about him as a net citizen.

               --------------------------------

Now let us direct our attention to the magazine club ... you know, the
one all the 'international students' are raving about ... the one that
Janet Dove introduced us to and Patricia Eng (president of the
international students association) has been reminding us about with
30,000 byte, thousand line messages recently posted in dozens of
newsgroups. Here is a header from a recent spam sent to me for my
list -- thank God I still maintain telecom manually, else this crap
would have gone out.


This first part merely says that it arrived at our site, was delivered
to my mail filter, processed through the filter according to my
instructions, then remailed to me !absolutely!, bypassing the filter.
Can't just drop things in the mail spool after filtering them, it may
cause race conditions, file overwriting, etc.

        From telecom Sat Oct 21 17:50:45 1995
        Received: by delta.eecs.nwu.edu (8.6.12/8.6.12) id RAA24689
                for \telecom; Sat, 21 Oct 1995 17:50:44 -0500
        Date--Sat, 21 Oct 1995 17:50:44 -0500
        From--TELECOM Digest (Patrick Townson) <telecom@delta.eecs.nwu.edu>
        Message-Id: <199510212250.RAA24689@delta.eecs.nwu.edu>
        To: \telecom@delta.eecs.nwu.edu
        Status: R

Now, here is where the fun starts. Notice how the sender of the mail
used certain flags in sendmail to diddle up the ' From ' and 'From:'
lines, thinking they could avoid detection.

Essentially what we see is, my site (delta) got it from our network
mail machine (zeta) which got it from cornell. Cornell got it from
ixc.net who in turn got it from 205.230.67.30.  Hmmm ... well that
turns out to be something called ppp30.ingress.com. Now maybe it
came from there or maybe the person just put that there.

        From For.a.prompter.reply.please.fax@If.you.do.not.have.a.fax.smail.is.ok  Sat Oct 21 17:50:41 1995
        Received: from zeta.eecs.nwu.edu by delta.eecs.nwu.edu (8.6.12/8.6.12)
                with ESMTP id RAA24676 for <telecom@delta.eecs.nwu.edu>;
                Sat, 21 Oct 1995 17:50:38 -0500
        Received: from cornell.edu by zeta.eecs.nwu.edu (8.6.12/8.6.12)
                with ESMTP id RAA09521; Sat, 21 Oct 1995 17:50:36 -0500
        Received: from [205.230.67.30] (pm1-41.ixc.net [198.70.48.41])
                by cornell.edu (8.6.12/8.6.12) with SMTP id QAA01200;
                Sat, 21 Oct 1995 16:12:29 -0400

Note that when you trick the mail network by using certain sendmail 'flags'
which allow you to diddle up your 'name' into something goofy like
this, if you are not considered a 'trusted user' at your site -- that
is, your name is in a certain file -- then the (unverified) comment
will appear; sometimes it will be shown as 'authentication warning'.

        X-Sender: For.a.prompter.reply.please.fax@If.you.do.not.have.a.fax.smail.is.ok (Unverified)

Let's assume for now the message ID number was generated by the site.
Let's also assume that the person who dumped this load on the net
is NOT the postmaster there. I know, even that is a big assumption
these days; but let's assume the postmaster is straight ...

        Message-Id: <v01530526acaf0267262c@[205.230.67.30]>

We now need to send a note to 'postmaster@ppp30.ingress.com' and ask
that person if s/he will be so kind as to check the site logs and
see if it can be determined WHO is the actual user who accessed
sendmail at 16:48 on Saturday, October 21 to send mail with the
Message-ID shown above. You might want to cc 'postmaster@ixc.net'
at the same time. Sendmail should have logs of who accesses it,
regardless of what that person makes sendmail say to the outside world
later on.

        X-Priority: 1 (Highest)

Yeah, right. The highest priority my dear. You *will* be given close
attention in the next few days, believe me you ...

        Date--Sat, 21 Oct 1995 16:48:12 -0500

Note although ppp30.ingress sent it out at 16:48, Cornell says they
got it at 16:12. That's because Cornell is on a different time zone
than ingress apparently. In effect, they got it 24 minutes after it
was sent out.

Now notice TO WHOM it was written and FROM WHOM it was sent ...

        To: For.a.prompter.reply.please.fax@If.you.do.not.have.a.fax.smail.is.ok
                (Patricia Eng, President, Association of International Students,
                Australia-New Zealand Chapter)
        From--For.a.prompter.reply.please.fax@If.you.do.not.have.a.fax.smail.is.ok
                (Patricia Eng, President, Association of International Students,
                Australia-New Zealand Chapter)

Bogus  From and Bogus (identical) To -- so with a 'To' line like the
above, how did I get a copy over here, and how did you get one (if you
did)?

Well this tells us there must have been one or more bcc's ... 'blind
courtesy copy'  or do you say 'carbon copy' like me, the old fart that
I am going back to carbon paper and typewriter days?

Anyway, there is a bcc involved. It is a great way to send out mail to
a huge list of people (or LISTS of people) without any of them knowing
who the others are. I do it all the time with my mailing list to keep
the names on the list from seeing the other names: I send it from
myself to myself with a bcc that has a few thousand names!


        Subject--*** ===>> World's *Cheapest* Way to get USA Magazine Subscriptions
                delivered to *any* country (1,500+ USA titles to choose from).

Mercifully, we shall skip most of this tripe; we all know what Janet
Dove and now Patricia Eng have done: recently they joined a magazine
subscription club in the USA.

Janet Dove told us that she was 'a busy student' and would have no
time for replies, so please do not write to her.

Well, unfortunately for her, a lot of you did write. Flames and more
flames. Obscene letters, hate letters, you name it.  Janet got the
good trashing she deserved. It got so bad the magazine people had
to change their address, phone and fax number.

        ---> PLEASE NOTE THE NEW FAX # AND NEW SMAIL ADDRESS, AS SHOWN BELOW. TO
        RETURN THE "REQUEST FOR MORE INFO" FORM TO.  THE OLD ADDRESS AND FAX # ARE
        NO LONGER FUNCTIONAL. <---

        You will get a quick reply via email within 1 business day of receipt of
        the info request form below.


This time, they got smart ... but they're not as smart as you, are
they folks?   Grin ... they say, 'our fax machine is set up to only
accept one page, and then disconnect.'

Gee, I wonder why?   Is it because so many of you folks last time
around set your fax up with a Möbius loop of paper which went round
and round all night causing Janet's machine to waste all its paper?
They say, "gotcha!  it won't work this time, internet dudes ... this
time we take one sheet of paper only from you ... and we cut you off!"

        ----> IMPORTANT NOTICE FOR THOSE FAXING IN THEIR REPLY:
        (*please* make sure there is *no* cover page and your fax is only 1-page, as
        their fax is set-up to receive only 1-page faxes.  Your fax goes directly onto
        their 4.2 gigabyte computer hard drive, not paper, and  all incoming fax
        calls are set-up to be auto-terminated at the start of the 2nd page, in
        order to allow space for everyone's replies to be received.. <----

*** No, what they mean is, 'in order for your hostile reply to not
clog our machine and run us out of paper every few minutes all night
long ... ***    <grin>

So a new approach will be needed.  Read on .....

        Hi fellow 'netters,

        My name is Patricia Eng and I recently started using a magazine
        subscription club in the USA that has a FREE 1 yr. magazine subscription
        deal with your first paid order- and I have been very pleased with them.
        They have over 1,500 different USA titles that they can ship to any country
        on a subscription basis.   As for computer magazines from the USA, they
        more of a selection than I ever knew even existed.  They have magazines for
        most every area of interest in their list of 1,500 titles.


(Several hundred lines deleted; I am sure you are angry with me for
cutting them out ... grin ...)

And guess what!  Patsy Eng is the same way as Janet Dove ... 'just a
happy customer and a busy student' ... no time to answer flames ...
and to make sure she does not have to answer flames, she thoughtfully
screwed up her email address, as we saw above.

        Please do not email me as I am just a happy customer and a *busy* student.
        I don't have time to even complete my thesis in time, let alone run my
        part-time software business!  Please fill out the below form and

                             fax it to them in the USA at:    718-967-1550

        (Fax line is open 24 hrs. per day, 7 days a week, but the *easiest* time
        to get your fax through is Mon-Fri, 9 am - 5 pm EST, due to the least # of
        faxes coming through during those hours.).


We will discuss that phone number in just a minute.

        ----> IMPORTANT NOTICE FOR THOSE FAXING IN THEIR REPLY:
        (*please* make sure there is *no* cover page and your fax is only 1-page, as
        their fax is set-up to receive only 1-page faxes.  Your fax goes directly onto
        their 4.2 gigabyte computer hard drive, not paper, and  all incoming fax
        calls are set-up to be auto-terminated at the start of the 2nd page, in
        order to allow space for everyone's replies to be received.. <----


She stresses this again; you see last time the magazine people
unloaded their commode here on the net, many of you responded
vigorously, you damn near wrecked their fax machine ... good!

And they would like you to fax to them during the business day ... not
so much because that is 'when it is slowest and easiest to get through'
but more because that's the time of day when they are there to
monitor what is happening ... naturally, you will want to send
your faxes at night and on weekends .... grin ....

        or smail it to them at the following address:
                                               Magazine Club Inquiry Center
                                               Att. FREE Catalogue-by-email Dept.
                                               PO Box 990
                                               Staten Island NY  10312-0990

We will discuss this post office box in a minute also.


        NOTE:  for the fastest reply, please fax in the below form.  If you do not
        have access to a fax at work or at home, then please send it in by smail
        (airmail).  They will email you their FREE catalogue and complete info on
        how their club works within 1 business day of receiving your form.
        Replying does not mean you are committed to joining, only that you
        are seriously interested in receiving more info by email and then have a
        quick friendly, no obligation phone call made to you to answer your
        questions and explain how they work.

Only a complete FOOL would supply them with any information at all about
themselves or their email address or snail mail address, etc.


        Sorry, but incomplete forms *will not* be acknowledged.  If you do not
        have an email address, or access to one, they will not be able to help you
        until you do have one.  If you saw this message, then you should have one.  :)


*** Snicker ****

      (About a thousand more lines deleted ... I do not intend to
      advertise their magazines for them.)


Now here is where YOU come in ... here are some things YOU can do to
help expose the vermin who, like Slaton, have managed to damn near
wreck Usenet ...

I.  Write postmaster@ppp30.ingress.com (with a copy to)
          postmaster@pm1-41.ixc.net

Text: "Please check your log of outgoing mail for 16:12 on October 21
and see if it is possible to determine which user sent the mail with
the above referenced message-ID and give me that name. Thank you."

Once the postmaster responds, see to it the rest of the net gets the
correct user name. Finger the user if possible for more details as
to real name, etc. Naturally, most vermin do not have .plan files in
their directory, but put together what data you can.


II. That phone number: 718-967-1550. It is a working number in Staten
Island, NY  but it is non-pub. A fax machine is answering. I am running
into dead ends at present finding out any more. I'll keep working on
it, but in the meantime, if you have a fax that is a hundred pages
long, you may need to call them a hundred times and send your fax
page by page. Are there some pictures you want them to see, or a
magazine article?  Maybe they should get copies of other spams like
their own ... but long distance is cheap these days (nights) ... so
if you have to send several to get it all delivered, then do it.
People in the local NY/NJ area may have a lot of faxing they need
to do.    <grin>


III. That box number:  PO Box 990, Staten Island, NY 10312

Send a short polite letter addressed as follows:

         Postmaster
         Staten Island, NY 10312

  ATTN: Lock Box Rental Supervisor

Text:

"Post Office Box 990 is being used for business purposes, to solicit
the public. Therefore, according to postal regulations, I am entitled
to know the name and address of the box holder.

"Please supply me with the name and address of the renter of Box 990,
also a phone number if you have one. Please supply me with the name(s)
of the person(s) authorized to sign for certified/registered mail and
the name(s) of persons authorized to collect mail from the box or who
are in possession of the keys to the box if they are different than
the renter.

"I am enclosing a self addressed stamped envelope for your convenience
in making a speedy reply. If there is a fee for your service, please
advise me. Thank you."

    If you want, just for a little fun, send a cc of the letter
    to the postmaster to the box itself  <grin>  just to let the
    boxholder know inquiries are being made about him.  Nothing
    better than a little paranoia on his part. Naturally you do
    not send him a self addressed stamped envelope. Since he *is*
    running a business box, he will be powerless to stop you from
    inquiring of the postmaster.

IV. Finally, once again in reference to Box 990, you may wish to
send him LOTS of mail ... why not send printouts of his own spams
back to him along with print outs of every other spam you can find.
Naturally, no return address on the envelope, and don't worry if
you short the postage a little .. the post office will tell him to
pick up his mail at the call counter and pay the postage due.
Send a few 'Jesus Saves' tracts, assorted treatises, etc. You are
doing this to follow up on the fax message you sent earlier -- all
five hundred pages of it!

                ---------------------------

Be courteous and polite with postmasters, electronic or otherwise.  It
is not their fault that they have idiots and con-artists as customers.
Whether it is ingress.com, or the postmaster at Staten Island, they
WILL get the point and understand the purpose of your POLITE inquiry.

                    -----------------------

So ... now please finish your assignment with Jeff, and then begin
this new assignment with the magazine people. Bear in mind the junk
mail spam sent to the magazine people is only until we have more
detailed information about who they are and where they are.

Good luck on your mission!  Keep their mailbox full and their fax
machine humming ... each time a new spam appears, in addition to
cancelling it as soon as possible mitigating its influence, let's
hit them hard in return with as much personal data as we can dig
up.  Should there possibly be a Digest or mailing list devoted to
a 'clearing house' function, identifying the vermin and coordinating
return attacks, etc?

War has been declared!

PAT
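
The Received-header trace walked through in File 2 above, as an added example (not part of the original digest). It reads the three quoted Received lines oldest-first, converts every stamp to UTC before comparing it with the Date header, and uses the sendmail 8 convention that the name the client gave in HELO comes first and the connecting host that sendmail looked up follows in parentheses. The function names and the 300-second tolerance are assumptions of this example.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Header values copied from the message quoted above (wrapped lines rejoined).
RECEIVED = [  # newest first, in the order they appear in the message
    "from zeta.eecs.nwu.edu by delta.eecs.nwu.edu (8.6.12/8.6.12) with ESMTP "
    "id RAA24676 for <telecom@delta.eecs.nwu.edu>; Sat, 21 Oct 1995 17:50:38 -0500",
    "from cornell.edu by zeta.eecs.nwu.edu (8.6.12/8.6.12) with ESMTP "
    "id RAA09521; Sat, 21 Oct 1995 17:50:36 -0500",
    "from [205.230.67.30] (pm1-41.ixc.net [198.70.48.41]) by cornell.edu "
    "(8.6.12/8.6.12) with SMTP id QAA01200; Sat, 21 Oct 1995 16:12:29 -0400",
]
DATE_HEADER = "Sat, 21 Oct 1995 16:48:12 -0500"
MAX_SKEW = 300  # seconds of clock disagreement tolerated (assumed value)

# "from <HELO name> (<looked-up host> [<ip>]) by <receiving host>"
# The parenthesised part is optional: not every hop records it.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<peer_name>[^\s\[\]()]+)?\s*\[(?P<peer_ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def to_utc(stamp):
    """Parse an RFC 822 date and normalise it to UTC."""
    return parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)


def parse_hop(line):
    """Split one Received value into claimed name, observed peer, receiver, time."""
    m = HOP_RE.search(line)
    if m is None:
        raise ValueError("unrecognised Received line: %r" % line)
    return {
        "claimed": m["claimed"],      # whatever the client said about itself
        "peer_name": m["peer_name"],  # what the receiving server observed
        "peer_ip": m["peer_ip"],
        "by": m["by"],
        "utc": to_utc(line.rsplit(";", 1)[1]),
    }


def trace(received):
    """Each relay prepends its line, so reverse to get the oldest hop first."""
    return [parse_hop(line) for line in reversed(received)]


def findings(hops, date_header):
    """Return (kind, details...) tuples for things worth an abuse-desk look."""
    notes = []
    for hop in hops:
        claimed = hop["claimed"].strip("[]")
        if hop["peer_ip"] and claimed not in (hop["peer_ip"], hop["peer_name"]):
            # The client announced one identity; the server saw another.
            notes.append(("helo-mismatch", claimed, hop["peer_name"], hop["peer_ip"]))
    # Date is written by the sending client; the first Received stamp is
    # written by the first server that is not under the sender's control.
    skew = int((to_utc(date_header) - hops[0]["utc"]).total_seconds())
    if abs(skew) > MAX_SKEW:
        kind = "date-after-first-hop" if skew > 0 else "date-before-first-hop"
        notes.append((kind, abs(skew)))
    for earlier, later in zip(hops, hops[1:]):
        if later["utc"] < earlier["utc"]:
            notes.append(("clock-regression", earlier["by"], later["by"]))
    return notes


if __name__ == "__main__":
    path = trace(RECEIVED)
    for hop in path:
        print(hop["utc"].isoformat(), hop["claimed"], "->", hop["by"],
              "(observed: %s [%s])" % (hop["peer_name"], hop["peer_ip"]))
    for note in findings(path, DATE_HEADER):
        print(note)
```

Only the parenthesised peer on the oldest line is something a receiving server recorded itself; the name before it and the Date header are supplied by the sending client.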

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Subject: Magazine Salesman and His Driver's Record and Convictions
From: TELECOM Digest Editor <telecom@eecs.nwu.edu>

Seriously, I have to get back to doing other work soon ... these spammer
people can take up loads of time.

But I wanted to give just a little more news of interest about Kevin
Lipsitz, magazine peddler to the net. Here is his driver's record,
as recorded in New York State, along with a record of his convictions
and bond forfeitures.


                        - ENTER SEARCH ARGUMENTS BELOW -

** LICENSED DRIVER FILE SEARCH **

MOTORIST IDENTIFICATION NUMBER:
       **** OR ****
NAME: lipsitz,kevin,j      DATE OF BIRTH:        SEX:
********************************************************************************

** VEHICLE REGISTRATION AND PLATE FILE SEARCH **

PLATE NUMBER:          TYPE:
       **** OR ****
NAME:                      DATE OF BIRTH:        SEX:
********************************************************************************

** VEHICLE IDENTIFICATION NUMBER FILE SEARCH **

VEHICLE IDENTIFICATION NUMBER:                   YEAR:    MAKE:
******************************************************************************* 

TO SIGN OFF OF YOUR ACCOUNT, PLEASE ENTER AN 'X' HERE: _
FOR PASSWORD MODIFICATION TRANSACTION PLEASE ENTER AN 'X' HERE: _

 TODAY'S DATE: (removed to make log tracing more difficult)
           *RECORD EXPANSION FOR: LIPSITZ,KEVIN,J

 MI #: L09598 52366 171218-59                       CLIENT ID#: deleted
 LIPSITZ,KEVIN,J                           DOB: 01/29/1959   SEX: M
 431 THORNYCROFT AV                     HEIGHT: 6-0    EYE COLOR: HAZEL
 STATEN ISLAND NY  10312                COUNTY: RICH

 LICENSE CLASS: *D*               STATUS: VALID    EXPIRATION: 01/29/1996

 ********************************** ACTIVITY **********************************
 ACCIDENT PREVENTION COURSE COMPLETED ON: 03/11/1992
 N/A - NON 19-A DRIVER OR COURSE PRIOR TO 01/01/94

 ACCIDENT PREVENTION COURSE COMPLETED ON: 04/02/1995
 POINT REDUCTION ELIGIBLE FOR VIOLATIONS OCCURRING FROM 10/02/1993 - 04/02/1995
 N/A - NON 19-A DRIVER OR COURSE PRIOR TO 01/01/94



 *** ENTER NEXT FUNCTION CODE NEXT  *** ( RECORD CONTINUED ON FOLLOWING PAGE )
[  A ][   ]


 ************************ CONVICTIONS/BAIL FORFEITURES ************************
 CONVICTION: NO SEAT BELT DRIVER
  VIOLATION: 08/24/1994       CONVICTED ON: 09/07/1994
 LOCATION: ALBANY COUNTY, TOWN OF COLONIE
 PENALTY: FINE- $10
 COMM VEH: UNKNOWN   HAZMAT: UNKNOWN

 CONVICTION: PASSED RED LIGHT
  VIOLATION: 09/30/1993       CONVICTED ON: 04/14/1994
 LOCATION: RICHMOND COUNTY, STATEN ISLAND ADMINISTRATIVE ADJ
 PENALTY: FINE- $50                  POINTS: 3
 COMM VEH: UNKNOWN   HAZMAT: UNKNOWN

      -------------------------------------------------------

So Kevin, don't forget to renew your license in the next couple months
or so, okay?  It expires in January.

And is 431 Thornycroft still your correct address?  Are you really
going to be 37 in January?  Gosh ... how time flies. Is that the
rest of your family that lives at 350 Richmond Terrace #5-P?

Netters: There is no reason to call up Kevin at 718-967-1234 to
remind him to renew his driver's license. I'm sure he will remember
on his own.

PAT



© 1995 Peter Langston