An open letter to free webmail providers

June 24, 2005

Dear free webmail providers: I have a simple request for you that will help the spam problem. Please stop allowing people to send out mail through your systems from IP addresses that are well known as heavy spam sources, especially of things such as advance fee fraud.

I got yet another '419' advance fee fraud spam today, sent through a free webmail provider. Selected headers are:

Received: from dbmail-mx1.orcon.net.nz ([219.88.242.3]) [...]
Received: from webmail.orcon.net.nz ([172.16.100.200])
   by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1) [...]
[...]
From:   Ed Bahir <edbahir@orcon.net.nz>
Subject: Your Kind Attention Required Please!
X-DBMAIL-Originating-IP: 81.199.85.121

The IP address 81.199.85.121 is in the CBL, in the SBL, in SORBS, in Spews, in the AHBL; indeed it's somewhat hard to find a DNSbl that it's not in. One of its two SBL listings is from January 2004, more than a year old by now.

Yet orcon.net.nz didn't bother to do anything, and blithely let this spammer send his email out. As a result, I (and likely a bunch of other people) got spammed. Also as a result, orcon.net.nz will not be able to send us any email any time soon.

Orcon.net.nz is far from alone in behaving with such little regard for other people. Major webmail providers also blithely allow CBL and SBL listed IP addresses to send out email through them, to the extent that I've made our antispam system do the checks for them. (Amazingly, all of it is advance fee fraud spam. Who would have thought?)

It's really past time that this stopped. That it doesn't stop makes me feel rather angry, and also feel that free webmail providers don't actually give much of a rat's ass about spam (whatever their public statements).

Dear free webmail software authors:

A lot of people just installed your webmail software without thinking about it. Maybe they haven't gotten '419' spam from free webmail providers themselves and can be excused for not thinking about it, but frankly I can't imagine that you have that excuse.

So please make your webmail software default to refusing to send out mail from IP addresses on the CBL and the SBL at least. You can do it with one DNS query to the XBL, so it's real easy. You can make it only a default, so someone who wants to can turn it off. But that way, at least your software would put some obstacles in the way of '419' spammers by default.
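The check asked for above, written out as an added example (it is not code from this post or from any webmail package): reverse the connecting client's IPv4 octets, append the list's zone, and refuse to send if the single A-record query returns a listing. The zone name `xbl.spamhaus.org`, the function names and the `127.0.0.4` sample answer are assumptions made for illustration; the resolver data is constructed so the example runs offline.

```python
import ipaddress
import socket

# Assumption: "the XBL" is queried at this zone; treat it as a configurable default.
DNSBL_ZONE = "xbl.spamhaus.org"

def dnsbl_name(client_ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name, or return None if the address is not checkable."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4 or not addr.is_global:
        return None  # e.g. an internal hop such as 172.16.100.200
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_lookup(name):
    """The one DNS query: an A-record answer, or None (NXDOMAIN or lookup failure)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None  # fails open: a DNS outage must not stop all outgoing mail

def check_sender(client_ip, lookup=system_lookup, zone=DNSBL_ZONE):
    """Return (refuse, reason) for a webmail user submitting mail from client_ip."""
    name = dnsbl_name(client_ip, zone)
    if name is None:
        return (False, "not checked")
    answer = lookup(name)
    if answer is None:
        return (False, "not listed")
    # Listings are 127.0.0.x answers; Spamhaus uses 127.255.255.x for query errors.
    if not answer.startswith("127.") or answer.startswith("127.255.255."):
        return (False, "ignored answer " + answer)
    return (True, "listed in %s (%s)" % (zone, answer))

# Constructed resolver data so the example runs offline; not live DNSBL results.
CONSTRUCTED_ANSWERS = {"121.85.199.81.xbl.spamhaus.org": "127.0.0.4"}

def fake_lookup(name):
    return CONSTRUCTED_ANSWERS.get(name)

if __name__ == "__main__":
    for ip in ("81.199.85.121", "219.88.242.3", "172.16.100.200"):
        print(ip, check_sender(ip, lookup=fake_lookup))
```

The address to test is the one the user's browser connects from (what orcon.net.nz recorded as `X-DBMAIL-Originating-IP`), not the webmail server's own internal address.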


Comments on this page:

From 65.78.91.83 at 2005-11-02 17:11:15:

I also just received a fraud e-mail from this source; here is the letter:

X-AOL-UID: 229.525749494
X-AOL-DATE: Mon, 31 Oct 2005 11:41:31 AM Eastern Standard Time
Return-Path: <service@paypal.com>
Received: from rly-ya04.mx.aol.com (rly-ya04.mail.aol.com [172.18.141.86])
   by air-ya04.mail.aol.com (v107.13) with ESMTP id MAILINYA44-1584366492e229;
   Mon, 31 Oct 2005 11:41:30 -0400
Received: from dbmail-mx1.orcon.net.nz (loadbalancer1.orcon.net.nz [219.88.242.3])
   by rly-ya04.mx.aol.com (v107.13) with ESMTP id MAILRELAYINYA44-1584366492e229;
   Mon, 31 Oct 2005 11:41:19 -0500
Received-SPF: none
Received: from User (cdma-3g1x-184-155.zappmobile.ro [80.97.184.155] (may be forged))
   (authenticated bits=0)
   by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1) with ESMTP id j9VGfPnG002544;
   Tue, 1 Nov 2005 05:41:28 +1300
Message-Id: <200510311641.j9VGfPnG002544@dbmail-mx1.orcon.net.nz>
From: <service@paypal.com>
Subject: Important Notification
Date: Mon, 31 Oct 2005 08:41:11 -0800
MIME-Version: 1.0
Content-Type: text/plain;
   charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To: undisclosed-recipients:;
X-Virus-Scanned: ClamAV version 0.87, clamav-milter version 0.87 on dbmail-mx1.orcon.net.nz
X-Virus-Status: Clean
X-AOL-IP: 219.88.242.3

Dear PayPal Customer,

You have received this email because we have strong reason to believe that your PayPal account had been recently compromised. In order to prevent any fraudulent activity from occurring we are required to open an investigation into this matter. To speed up this process, you are required to verify your PayPal account by following the link below.

http://www.paypal.com.verify-account2.info (To complete the verification process you must fill in all the required fields)

Please Note: If your account informations are not updated within the next 72 hours, then we will assume this account is fraudulent and your account may be restricted.

We apologize for this inconvenience, but the purpose of this verification is to ensure that your Paypal account has not been fraudulently used and to combat fraud.

Please do not reply to this e-mail. Mail sent to this address cannot be answered.

PayPal Account Department

This orcon.net.nz web site, by not doing anything, can be held accountable for what is going on!

Written on 24 June 2005.

Last modified: Fri Jun 24 16:14:18 2005