Demon Internet joins the webmail hall of shame

September 17, 2005

Selected headers of a just-received advance fee fraud spam:

Received: from lon1-mail-2.visp.demon.net
  ([193.195.70.5])
  by <redacted> ...
Received: from lon1-mailstore-2.visp.demon.net
  (lon1-mailstore-2-port0.visp.demon.net
  [192.168.217.133])
  by lon1-mail-2.visp.demon.net (MOS 3.5.8-GR)
  with ESMTP id CTM15721;
  Sat, 17 Sep 2005 04:55:21 +0100 (BST)
Received: from 216.139.176.61
  by lon1-mailstore-2.visp.demon.net
  (MOS 3.5.8-GR)
  with HTTP/1.1;
  Sat, 17 Sep 2005 04:55:21 +0100
From: Queensley Rhoda <adswinning@beeb.net>
Subject: CONGRATULATION,YOU ARE A WINNER!!
X-Mailer: Mirapoint Webmail Direct 3.5.8-GR

216.139.176.61 has been listed as part of SBL16836 since June 1st, 2004 as an advance fee fraud spam source. It's also in a number of other DNS blocklists. In September of 2005, more than a year later, Demon is still perfectly willing to accept outgoing webmail from it and as a result be part of spamming us.

I am especially angered and saddened at Demon Internet joining the webmail hall of shame because there once was a time when Demon was a shining example of a high quality, geek friendly, clued in ISP. If there is any ISP that should know better, I would have thought it was Demon Internet.

Time to teach our mail scanner how to determine IP origin information for yet another webmail source that is making us do their work for them. (I am not ready to refuse all email from Demon, which is my default reaction to webmail providers who make me do their work for them these days. It's tempting, though.)
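
One way a mail scanner could recover the origin IP from headers like the ones quoted above (an added example, not the author's scanner): it accepts the chain only if the hop written by our own MX shows a known relay IP, then returns the address on the first `with HTTP` hop. The host `mx.example.org`, the function names, the zone `sbl.spamhaus.org`, and treating 193.195.70.5 as a known Demon relay are assumptions; `dnsbl_name` only builds the IPv4 query name and does no lookup.

```python
import email
import ipaddress
import re

# Headers from the spam quoted above. "mx.example.org" is a constructed
# stand-in for the redacted receiving host.
SAMPLE = """\
Received: from lon1-mail-2.visp.demon.net
  ([193.195.70.5])
  by mx.example.org
Received: from lon1-mailstore-2.visp.demon.net
  (lon1-mailstore-2-port0.visp.demon.net
  [192.168.217.133])
  by lon1-mail-2.visp.demon.net (MOS 3.5.8-GR)
  with ESMTP id CTM15721;
  Sat, 17 Sep 2005 04:55:21 +0100 (BST)
Received: from 216.139.176.61
  by lon1-mailstore-2.visp.demon.net
  (MOS 3.5.8-GR)
  with HTTP/1.1;
  Sat, 17 Sep 2005 04:55:21 +0100
"""

HTTP_HOP = re.compile(r"^from \[?([0-9a-fA-F.:]+)\]? by (\S+) .*\bwith HTTPS?\b")
PEER_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]\)? by (\S+)")

def webmail_origin(raw, our_mx, relay_ips, provider_suffix):
    """Return the browser IP the webmail provider logged, or None."""
    hops = [" ".join(h.split()) for h in
            email.message_from_string(raw).get_all("Received", [])]
    # Only the hop our own MX wrote is unforgeable: check its peer IP.
    first = PEER_IP.search(hops[0]) if hops else None
    if not first or first.group(2) != our_mx or first.group(1) not in relay_ips:
        return None
    for hop in hops[1:]:  # top-down: hops added by the provider come first
        m = HTTP_HOP.match(hop)
        if m and m.group(2).lower().endswith(provider_suffix):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                return None
            return str(ip) if ip.is_global else None
    return None

def dnsbl_name(ip, zone="sbl.spamhaus.org"):
    """IPv4 DNSBL query name: reversed octets prepended to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

Calling `webmail_origin(SAMPLE, "mx.example.org", {"193.195.70.5"}, ".visp.demon.net")` returns `216.139.176.61`, which the scanner can then score or look up like any directly connecting client.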


Comments on this page:

From 62.232.55.188 at 2005-09-19 10:26:38:

Started my own hall of shame

http://chris-linfoot.net/d6plinks/CWLT-6GDJN4

This one is dedicated to Microsoft. I especially like the part about NAT. It does appear that they are now NATting the originating IP address, so we can't see the true source.

By cks at 2005-09-20 02:04:07:

Hotmail has been doing that sort of source-obscuring for quite a while now. The best data from Usenet's news.admin.net-abuse.email has been that it seems to vary on an account to account basis; some accounts (often old ones) do that, but most have the proper source address.

I believe it is (still) fairly uncommon, although it definitely does happen periodically with Hotmail (spam) mail to us.

Written on 17 September 2005.


Last modified: Sat Sep 17 01:17:33 2005