Michigan Connect: spammers-infested network, and no way to contact
admins - they deliberately bounce role accounts e-mails!

Update 29-Jan-2003: They do know about this spammer spamming, yet still
keep the abuser connected.

Update 27-Feb-2003: Michigan Connect is just a spamhaus operation, moves
their numerous spammers around their IPs, but never disconnecting them.
Also listed in SPEWS (S1457):
http://www.spews.org/html/S1457.html

Update 1-Mar-2003: Michigan Connect *IS* a dedicated spamhaus operation.
Bullet-proof hosting of spammers is what they do (from the phone conversation).

Update 18-Apr-2003: AT&T has *FINALLY* kicked them off, after at least
4 months of providing the bullet-proof support to these spammers.

Update 25-Apr-2003: Michigan Connect also does the repeating web harvesting.

Update 3-Oct-2003: Michigan Connect is still on Cable & Wireless.

Update 7-Oct-2003: Michigan Connect speaks up: "Yes, we were knowingly hosting
spammers until our ISPs couldn't turn blind eyes at it anylonger because of the
massive blockade".



michiganconnect.com, e-mich.com, velocitynet.net, webgate2000.com,
host-help.com, mojo-cs.com, fast-net-usa.com,
[12.148.56.0 - 12.148.59.255],
[64.186.52.0 - 64.186.52.255],
[204.188.76.0 - 204.188.79.255]: Access denied!



=== My complaint ===
Content-Type: text/plain;
  charset="iso-8859-1"
From: Admin <abuse@2003.dolphinwave.org>
Reply-To: abuse@2003.dolphinwave.org
Organization: Private person
Subject: [email] Multiple spams (Usenet harvest: cjlinc.net/vacplanners@cs.com)! [Fwd: We Can Fix Your Credit..... ####]
Date: Mon, 20 Jan 2003 13:53:11 +0200
User-Agent: KMail/1.4.3
X-KMail-Link-Message: 559399
X-KMail-Link-Type: forward
X-Complaints-To: abuse@dolphinwave.org (live person)
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
X-No-Confirm: Yes
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Status: RO
X-Status: S
To: <abuse@2002.dolphinwave.org>,
 uce@ftc.gov,
 nanas-sub@cybernothing.org,
 abuse@cms.hkcable.com,
 dnsadmin@cms.hkcable.com,
 abuse@bestnet.net,
 postmaster@bestnet.net,
 abuse@aol.com,
 abuse@cs.com,
 abuse@compuserve.com,
 helpesk@michiganconnect.com,
 abuse@att.net,
 postmaster@att.net,
 postmaster@att.com,
 abuse@cw.net,
 spamcomplaints@cw.net,
 ing_multi.net@EMTELCO.COM.CO,
 postmaster@emtelco.com.co,
 abuse@verizon.net
Message-Id: <200301201353.11549@2002.dolphinwave.org>

Multiple spams on my e-mail address, used on the Usenet newsgroup
news.admin.net-abuse.sightings only once, and harvested from there!
My primary mailserver also has rejected spamming attempts from the
same spammer later today (Sendmail logs are below the spam).
Please, terminate the spammer's accounts as soon as possible!
Thanks!
=======

Refusing to deal with your abusers will lead your whole IP range to be
blocked from accessing of my mailservers ever again, and this info will
be shared with other admins and public blocklists!


Spammer: cm61-18-82-71.hkcable.com.hk [61.18.82.71]

Mail from: Credit_Doctor_149@bestnet.net

Remove box: custblast@cs.com

Spammer's e-mail (registration data): vacplanners@cs.com

Spamvertised web page: http://www.cjlinc.net/signup.html


www.cjlinc.net [12.148.59.95]
==============
Registrant:
 Sorenson And Ass.
 4412 S Main Str.
 Flint, MI 48007
 US
 208-695-2487

Domain Name: CJLINC.NET

Administrative Contact:
 Sorenson, Steve vacplanners@cs.com
 4412 S Main Str.
 Flint, MI 48007
 US
 208-695-2487

Technical Contact:
 Sorenson, Steve vacplanners@cs.com
 4412 S Main Str.
 Flint, MI 48007
 US
 208-695-2487

Record last updated 01-10-2003 12:57:51 AM
Record expires on 01-10-2005
Record created on 01-10-2003

Domain servers in listed order:
        NS1.CJLINC.NET  12.148.59.95
        NS2.CJLINC.NET  12.148.59.95

MICHIGAN CONNECT IP block [12.148.56.0 - 12.148.59.255]
 which is in the AT&T IP range [12.0.0.0 - 12.255.255.255].
Upstream: Cable & Wireless (velocity-net.Cleveland.cw.net).
Nameserver: ns.cjlinc.net [12.148.59.99].


----------  Forwarded Message  ----------

Received: from =MY-SECONDARY-MX= (=MY-SECONDARY-MX=)
	by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id h0K0fhp18712
	for <###>; Mon, 20 Jan 2003 02:41:44 +0200
Received: from 194.186.146.42 (cm61-18-82-71.hkcable.com.hk [61.18.82.71])
	by =MY-SECONDARY-MX= (8.12.6/8.12.6) with SMTP id h0K0fw0k006137
	for <###>; Mon, 20 Jan 2003 01:42:03 +0100 (CET)
	(envelope-from Credit_Doctor_149@bestnet.net)
Message-Id: <200301200042.h0K0fw0k006137@=MY-SECONDARY-MX=>
X-MDaemon-Deliver-To: <###>
X-Spam-Header: Spam.site.61.18.82.71;-.see:http://www.blars.org/block.html
X-Authentication-Warning: =MY-SECONDARY-MX=: Host cm61-18-82-71.hkcable.com.hk 
[61.18.82.71] claimed to be 194.186.146.42
Received: from [176.244.234.14] by smtp-server6.tampabay.rr.com with local; 
Jan, 19 2003 6:32:56 PM +0600
Received: from unknown (149.89.93.47) by rly-xr02.mx.aol.com with NNFMP; Jan, 
19 2003 5:24:58 PM +0600
Received: from smtp-server1.cfl.rr.com ([5.151.138.187]) by 
rly-xl04.mx.aol.com with esmtp; Jan, 19 2003 4:24:00 PM -0800
From: Maximus <Credit_Doctor_149@bestnet.net>
To: Karlik@=MY-SECONDARY-MX=
Cc: 
Subject: We Can Fix Your Credit..... ####
Sender: Maximus <Credit_Doctor_149@bestnet.net>
Mime-Version: 1.0
Content-Type: text/html;
  charset="iso-8859-1"
Date: Sun, 19 Jan 2003 18:41:21 -0600
X-Mailer: MIME-tools 5.503 (Entity 5.501)
Status: R 
X-Status: N

We can fix your credit.  We are very successful at getting
bankruptcies, judgments, tax liens, foreclosures, late payments, charge-offs,
repossessions, and even student loans removed from a persons credit report. 
 To find out more go to <a
 href="http://www.cjlinc.net/signup.html">http://www.cjlinc.net/signup.html</
a>.<p> If you no longer want to receive information from us just go to
<a href="mailto:custblast@cs.com">custblast@cs.com</a>.<p>
&nbsp;

##############################

-------------------------------------------------------



======= Another spamming attempt (Sendmail logs, GMT+0200) =======
Jan 20 09:29:12 orca sendmail[21100]: h0K7T9p21100: ruleset=check_rcpt, 
arg1=<###>, relay=[200.31.207.202], reject=553 5.3.0 <###>... E-mail from 
200.31.207.202 refused using the Unsecured Proxies List @ Monkeys.Com - see 
<http://www.monkeys.com/upl/macro.cgi?page=listed-ip-1.html&ip_address=200.31.207.202>

Jan 20 09:29:13 orca sendmail[21100]: h0K7T9p21100: 
from=<Credit_Doctor_438@gte.net>, size=0, class=0, nrcpts=0, proto=SMTP, 
daemon=MTA, relay=[200.31.207.202]



Spammer: [200.31.207.202]
EMTELCO IP block [200.31.192/20].

Mail from: Credit_Doctor_438@gte.net



=== Bounce from helpesk@michiganconnect.com (abuse.net advice for e-mich.com) ===
Received: from velocity.velocitynet.net (velocity.velocitynet.net [204.188.78.105])
	by mail.dolphinwave.org (8.11.6/8.11.6) with SMTP id h0KBsdp22944
	for <abuse@2003.dolphinwave.org>; Mon, 20 Jan 2003 13:54:41 +0200
Message-Id: <200301201154.h0KBsdp22944@mail.dolphinwave.org>
Received: (qmail 14380 invoked for bounce); 20 Jan 2003 12:05:06 -0000
Date: 20 Jan 2003 12:05:06 -0000
From: MAILER-DAEMON@velocity.velocitynet.net
To: abuse@2003.dolphinwave.org
Subject: failure notice
Status: R
X-Status: N

Hi. This is the qmail-send program at velocity.velocitynet.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<helpesk@michiganconnect.com>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

<MY SPAM COMPLAINT SNIPPED>



=== Resent to postmaster@michiganconnect.com, bernie@e-mich.com ===
Content-Type: text/plain;
  charset="iso-8859-1"
From: Admin <abuse@2003.dolphinwave.org>
Reply-To: abuse@2003.dolphinwave.org
Organization: Private person
Subject: [email] Multiple spams (Usenet harvest: cjlinc.net/vacplanners@cs.com)! [Fwd: We Can Fix Your Credit..... ####]
Date: Mon, 20 Jan 2003 14:02:07 +0200
User-Agent: KMail/1.4.3
X-KMail-Link-Message: 559399
X-KMail-Link-Type: forward
X-Complaints-To: abuse@dolphinwave.org (live person)
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
X-No-Confirm: Yes
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Status: RO
X-Status: S
To: <abuse@2002.dolphinwave.org>,
 postmaster@michiganconnect.com,
 bernie@e-mich.com
Message-Id: <200301201353.11549@2002.dolphinwave.org>

Multiple spams on my e-mail address, used on the Usenet newsgroup
news.admin.net-abuse.sightings only once, and harvested from there!
My primary mailserver also has rejected spamming attempts from the
same spammer later today (Sendmail logs are below the spam).
Please, terminate the spammer's accounts as soon as possible!
Thanks!
=======

Refusing to deal with your abusers will lead your whole IP range to be
blocked from accessing of my mailservers ever again, and this info will
be shared with other admins and public blocklists!


Spammer: cm61-18-82-71.hkcable.com.hk [61.18.82.71]

Mail from: Credit_Doctor_149@bestnet.net

Remove box: custblast@cs.com

Spammer's e-mail (registration data): vacplanners@cs.com

Spamvertised web page: http://www.cjlinc.net/signup.html


www.cjlinc.net [12.148.59.95]
==============
Registrant:
 Sorenson And Ass.
 4412 S Main Str.
 Flint, MI 48007
 US
 208-695-2487

Domain Name: CJLINC.NET

Administrative Contact:
 Sorenson, Steve vacplanners@cs.com
 4412 S Main Str.
 Flint, MI 48007
 US
 208-695-2487

Technical Contact:
 Sorenson, Steve vacplanners@cs.com
 4412 S Main Str.
 Flint, MI 48007
 US
 208-695-2487

Record last updated 01-10-2003 12:57:51 AM
Record expires on 01-10-2005
Record created on 01-10-2003

Domain servers in listed order:
        NS1.CJLINC.NET  12.148.59.95
        NS2.CJLINC.NET  12.148.59.95

MICHIGAN CONNECT IP block [12.148.56.0 - 12.148.59.255]
 which is in the AT&T IP range [12.0.0.0 - 12.255.255.255].
Upstream: Cable & Wireless (velocity-net.Cleveland.cw.net).
Nameserver: ns.cjlinc.net [12.148.59.99].


----------  Forwarded Message  ----------

Received: from =MY-SECONDARY-MX= (=MY-SECONDARY-MX=)
	by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id h0K0fhp18712
	for <###>; Mon, 20 Jan 2003 02:41:44 +0200
Received: from 194.186.146.42 (cm61-18-82-71.hkcable.com.hk [61.18.82.71])
	by =MY-SECONDARY-MX= (8.12.6/8.12.6) with SMTP id h0K0fw0k006137
	for <###>; Mon, 20 Jan 2003 01:42:03 +0100 (CET)
	(envelope-from Credit_Doctor_149@bestnet.net)
Message-Id: <200301200042.h0K0fw0k006137@=MY-SECONDARY-MX=>
X-MDaemon-Deliver-To: <###>
X-Spam-Header: Spam.site.61.18.82.71;-.see:http://www.blars.org/block.html
X-Authentication-Warning: =MY-SECONDARY-MX=: Host cm61-18-82-71.hkcable.com.hk 
[61.18.82.71] claimed to be 194.186.146.42
Received: from [176.244.234.14] by smtp-server6.tampabay.rr.com with local; 
Jan, 19 2003 6:32:56 PM +0600
Received: from unknown (149.89.93.47) by rly-xr02.mx.aol.com with NNFMP; Jan, 
19 2003 5:24:58 PM +0600
Received: from smtp-server1.cfl.rr.com ([5.151.138.187]) by 
rly-xl04.mx.aol.com with esmtp; Jan, 19 2003 4:24:00 PM -0800
From: Maximus <Credit_Doctor_149@bestnet.net>
To: Karlik@=MY-SECONDARY-MX=
Cc: 
Subject: We Can Fix Your Credit..... ####
Sender: Maximus <Credit_Doctor_149@bestnet.net>
Mime-Version: 1.0
Content-Type: text/html;
  charset="iso-8859-1"
Date: Sun, 19 Jan 2003 18:41:21 -0600
X-Mailer: MIME-tools 5.503 (Entity 5.501)
Status: R 
X-Status: N

We can fix your credit.  We are very successful at getting
bankruptcies, judgments, tax liens, foreclosures, late payments, charge-offs,
repossessions, and even student loans removed from a persons credit report. 
 To find out more go to <a
 href="http://www.cjlinc.net/signup.html">http://www.cjlinc.net/signup.html</
a>.<p> If you no longer want to receive information from us just go to
<a href="mailto:custblast@cs.com">custblast@cs.com</a>.<p>
&nbsp;

##############################

-------------------------------------------------------



======= Another spamming attempt (Sendmail logs, GMT+0200) =======
Jan 20 09:29:12 orca sendmail[21100]: h0K7T9p21100: ruleset=check_rcpt, 
arg1=<###>, relay=[200.31.207.202], reject=553 5.3.0 <###>... E-mail from 
200.31.207.202 refused using the Unsecured Proxies List @ Monkeys.Com - see 
<http://www.monkeys.com/upl/macro.cgi?page=listed-ip-1.html&ip_address=200.31.207.202>

Jan 20 09:29:13 orca sendmail[21100]: h0K7T9p21100: 
from=<Credit_Doctor_438@gte.net>, size=0, class=0, nrcpts=0, proto=SMTP, 
daemon=MTA, relay=[200.31.207.202]



Spammer: [200.31.207.202]
EMTELCO IP block [200.31.192/20].

Mail from: Credit_Doctor_438@gte.net



=== Another bounce, from postmaster@michiganconnect.com ===
Received: from velocity.velocitynet.net (velocity.velocitynet.net [204.188.78.105])
	by mail.dolphinwave.org (8.11.6/8.11.6) with SMTP id h0KC2hp23137
	for <abuse@2003.dolphinwave.org>; Mon, 20 Jan 2003 14:02:47 +0200
Message-Id: <200301201202.h0KC2hp23137@mail.dolphinwave.org>
Received: (qmail 14873 invoked for bounce); 20 Jan 2003 12:13:19 -0000
Date: 20 Jan 2003 12:13:19 -0000
From: MAILER-DAEMON@velocity.velocitynet.net
To: abuse@2003.dolphinwave.org
Subject: failure notice
Status: R
X-Status: N

Hi. This is the qmail-send program at velocity.velocitynet.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<postmaster@michiganconnect.com>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

<MY SPAM COMPLAINT SNIPPED>




=== bernie@e-mich.com was delivered, though ===
Jan 20 14:02:52 orca sendmail[23114]: h0KC27p23108: to=<bernie@e-mich.com>,
delay=00:00:45, xdelay=00:00:20, mailer=esmtp, pri=94202,
relay=mail.e-mich.com. [204.188.78.105], dsn=2.0.0, stat=Sent (ok 1043064819
qp 14877)




=== People report the same spammer spamming for other domains, and ===
=== abuse@michiganconnect.com also bounced ===

abuse.rfc-ignorant.org
michiganconnect.com (Submitted, Pending Addition)

Submitted by: cls@pk.greens.org (cesarchavez.cagreens.org [205.158.174.206])

Evidence:

cls@pk.greens.org (cesarchavez.cagreens.org [205.158.174.206])



From MAILER-DAEMON Thu Jan 09 20:09:38 2003
Date: 9 Jan 2003 20:18:47 -0000
From: MAILER-DAEMON@velocity.velocitynet.net
To: cls@pk.greens.org
Subject: failure notice

Hi. This is the qmail-send program at velocity.velocitynet.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<abuse@michiganconnect.com>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <cls@pk.greens.org>
Received: (qmail 10475 invoked from network); 9 Jan 2003 20:18:47 -0000
Received: from cesarchavez.cagreens.org (HELO pk.greens.org) (205.158.174.206)
  by boxturtlesite.org with SMTP; 9 Jan 2003 20:18:47 -0000
Received: (qmail 28078 invoked by uid 1000); 9 Jan 2003 20:09:09 -0000
Date: 9 Jan 2003 20:09:09 -0000
Message-ID: <20030109200909.28077.qmail@pk.greens.org>
From: cls@pk.greens.org
To: abuse@cw.net, helpesk@michiganconnect.com
Subject: www.marketingnewsletter.net (12.148.59.89) spammer
Cc: abuse@michiganconnect.com


$ whois 12.148.59.89
AT&T WorldNet Services ATT (NET-12-0-0-0-1) 
                                  12.0.0.0 - 12.255.255.255
MICHIGAN CONNECT MICHIGAN31-56 (NET-12-148-56-0-1) 
                                  12.148.56.0 - 12.148.59.255


Tracing the path to www.marketingnewsletter.net (12.148.59.89)
11  bar7-loopback.Cleveland.cw.net (208.172.210.13)  93.658 ms  122.311 ms  277.597 ms
12  velocity-net.Cleveland.cw.net (208.175.28.150)  164.885 ms  173.882 ms
    velocity-net.Cleveland.cw.net (208.175.28.146)  135.737 ms
13  12.148.59.89 (12.148.59.89) [open]  141.516 ms  148.661 ms  252.422 ms



Please terminate your service to this criminal.
Thanks.



::: From Nasdaq_Newsdesk_51@swbell.net Thu Jan 09 19:13:08 2003
Return-Path: <Nasdaq_Newsdesk_51@swbell.net>
Delivered-To: [garbage address]
Received: (qmail 23314 invoked by uid 0); 9 Jan 2003 19:12:59 -0000
Received: from 218.red-80-33-64.pooles.rima-tde.net (HELO 213.93.146.99) (80.33.64.218)
  by cesarchavez.cagreens.org with SMTP; 9 Jan 2003 19:12:59 -0000
Received: from [63.85.85.236] by smtp-server6.tampabay.rr.com with SMTP; Jan, 09 2003 12:57:03 PM +1100
Received: from unknown (28.35.188.67) by rly-xl04.mx.aol.com with esmtp; Sun, 07 Apr 2002 13:26:58 +1000; Jan, 09 2003 12:04:10 PM -0800
Received: from 184.244.108.80 ([184.244.108.80]) by rly-xr02.mx.aol.com with SMTP; Jan, 09 2003 10:57:25 AM +0700
Received: from [121.102.119.231] by a231242.upc-a.chello.nl with NNFMP; Jan, 09 2003 9:49:03 AM +1200
From: Nasdaq Newsdesk 28 <Nasdaq_Newsdesk_51@swbell.net>
To: Subscriber 98545
Cc: 
Subject: NASDAQ ALERT - NATK Revenues UP 1594% - Signs $55 Million Deal................... pibcs
Sender: Nasdaq Newsdesk 28 <Nasdaq_Newsdesk_51@swbell.net>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Thu, 9 Jan 2003 13:12:26 -0600
X-Mailer: Internet Mail Service (5.5.2650.21)
X-Priority: 1

<html>
<head>
</head>
<body>
<p align="center"><font style="font-size: 11pt" face="Courier">NATK Revenues UP 1594% For 2001- Signs $55 Million Deal%</font></p>
<p align="center"><font style="font-size: 11pt" face="Courier">Get the whole story from "Live From the Street"</font></p>
<p align="center"><b><a href="http://www.marketingnewsletter.net/Live_From_the_Street_NATK.htm">ENTER HERE</a></b></p>
<p align="center"><img border="0" src="http://www.marketingnewsletter.net/bm01.gif"></p>
<p align="left"> </p>
<p align="left"> </p>
<p align="center"><font size="2"><A href="http://www.beenteresting.com/remove/cstremove.htm">Click here to unsubscribe</A>
</body>
</html>

queybqbffnmjjyipsvb



=== Phone conversation with Bernie Johnson results ===
From: Frank Nospam <yahoo_com@francis.uy>
Newsgroups: news.admin.net-abuse.email
Subject: Re: [BLOCK] Michigan Connect
Date: Thu, 23 Jan 2003 12:38:00 -0500
Organization: &nbsp;
Lines: 30
Message-ID: <yahoo_com-15124A.12380023012003@news.hcf.jhu.edu>
References: <slrnb2nrko.mon.usenet-Jan+nanae@orca.dolphinwave.org>
NNTP-Posting-Host: jmurray.cty.jhu.edu
X-Trace: news.hcf.jhu.edu 1043342844 29564 128.220.149.205 (23 Jan 2003 17:27:24
  GMT)
X-Complaints-To: usenet@news.jhu.edu
NNTP-Posting-Date: Thu, 23 Jan 2003 17:27:24 +0000 (UTC)
User-Agent: MT-NewsWatcher/3.3b1 (PPC Mac OS X)
X-Face: ,J*4:A`k_n&wtM<$0.8=#68G[NQ(iepi"6[M{\$5ca3"9}5'|qi$:L5?N*=,`
  J}[V&zocIR,yNOs&cil~c&+Zq
Path: uni-berlin.de!fu-berlin.de!news-peer.gip.net!news.gsl.net!gip.net
 !nntp1.roc.gblx.net!nntp.gblx.net!nntp.gblx.net!vienna7.his.com!news.cs.jhu.edu
 !news.jhu.edu!yahoo_com
Xref: uni-berlin.de news.admin.net-abuse.email:1905951

 Dolphin <usenet-Jan+nanae@2003.dolphinwave.org> wrote:
> Today I was spammed twice by cjlinc.net (Steve Sorenson) spammers. Tried
> to send complaints to the abuse.net adviced e-mail address for the spammers'
> host, Michigan Connect (for e-mich.com: helpesk@michiganconnect.com). Got

Following some whois lookups I actually spoke to Bernie Johnson
 (bernie@e-mich.com, the host registrant). He answered the phone
 by saying "Network Support". I asked if this was e-mich, or
 velocitynet, or whoever, and he immediately got defensive.

After we finally exchanged greetings I said cjlinc was spamming.
 "Never heard of them". After spelling out IP addresses and
 netblocks in crayon for him, he says "They're not sending mail
 from my domain. You should contact the sender."

FWIW, the sender was the Shenjun China gang. He tells me I don't
 know how to read mail headers. Spam from China? "It's spoofed".

I ask him if he has a policy against hosting customers who send
 spam through 3rd parties. Again he gets defensive. "Who are you?
 Why should I even listen to you?" Eventually he claims to take
 my abuse report, and we hang up.

> Advice to block:
> michiganconnect.com, e-mich.com, velocitynet.net, webgate2000.com,
> [12.148.56.0 - 12.148.59.255], [204.188.76.0 - 204.188.79.255].

Don't forget host-help.com, also part of Bernie's group.

-F.



=== My reply ===
Path: uni-berlin.de!cust-62-219-88-92.cust.bezeqint.NET!not-for-mail
From: Dolphin <usenet-Jan+nanae@2003.dolphinwave.org>
Newsgroups: news.admin.net-abuse.email
Subject: Re: [BLOCK] Michigan Connect
Date: 23 Jan 2003 18:31:23 GMT
Organization: Private person
Lines: 90
Sender: Alexander Sheremet <usenet-Jan+nanae@2003.dolphinwave.org>
Message-ID: <slrnb30d7i.4ta.usenet-Jan+nanae@orca.dolphinwave.org>
References: <slrnb2nrko.mon.usenet-Jan+nanae@orca.dolphinwave.org>
  <yahoo_com-15124A.12380023012003@news.hcf.jhu.edu>
NNTP-Posting-Host: cust-62-219-88-92.cust.bezeqint.net (62.219.88.92)
X-Trace: fu-berlin.de 1043346683 28877847 62.219.88.92 (16 [104765])
X-SPEWS: I am not
X-newsgroup: news.admin.net-abuse.email
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
User-Agent: slrn/0.9.7.4 (Linux)
Xref: uni-berlin.de news.admin.net-abuse.email:1906021

On Thu, 23 Jan 2003 12:38:00 -0500 Frank Nospam <yahoo_com@francis.uy>
 wrote in message <yahoo_com-15124A.12380023012003@news.hcf.jhu.edu>:
>  Dolphin <usenet-Jan+nanae@2003.dolphinwave.org> wrote:
>> Today I was spammed twice by cjlinc.net (Steve Sorenson) spammers. Tried
>> to send complaints to the abuse.net adviced e-mail address for the spammers'
>> host, Michigan Connect (for e-mich.com: helpesk@michiganconnect.com). Got
>
> Following some whois lookups I actually spoke to Bernie Johnson
>  (bernie@e-mich.com, the host registrant). He answered the phone
>  by saying "Network Support". I asked if this was e-mich, or
>  velocitynet, or whoever, and he immediately got defensive.
>
> After we finally exchanged greetings I said cjlinc was spamming.
>  "Never heard of them".

Either he does not read his bernie@e-mich.com, or he lied. My complaint
was resent to bernie@e-mich.com and postmaster@michiganconnect after his
helpdesk@michiganconnect has bounced. And it got through to bernie@ while
bouncing from postmaster@ (GMT+0200):

Jan 20 14:02:52 orca sendmail[23114]: h0KC27p23108: to=<bernie@e-mich.com>,
delay=00:00:45, xdelay=00:00:20, mailer=esmtp, pri=94202,
relay=mail.e-mich.com. [204.188.78.105], dsn=2.0.0, stat=Sent (ok 1043064819
qp 14877)

> After spelling out IP addresses and
>  netblocks in crayon for him, he says "They're not sending mail
>  from my domain. You should contact the sender."
<SNIP>

Well, one doesn't need to know anything else to see the obvious spam-support
service.

>> Advice to block:
>> michiganconnect.com, e-mich.com, velocitynet.net, webgate2000.com,
>> [12.148.56.0 - 12.148.59.255], [204.188.76.0 - 204.188.79.255].
>
> Don't forget host-help.com, also part of Bernie's group.

$ whois host-help.com
<...>
Registrant:
   Hositng Support
   5427 Mancleona Dr.
   Grand Blanc, MI 48439
   USA

Domain Name: host-help.com

Administrative Contact, Billing Contact:
   B Johnson (RJPK6) bernie@e-mich.com
   Hositng Support
   5427 Mancleona Dr.
   Grand Blanc, MI 48439
   USA
   Phone: 810-694-8677

Technical Contact:
   Bernie Johnson (EY6BL) velocity@velocitynet.net
   Velocity Net Hosting
   5427 Mancelona Dr.
   Grand Blanc, MI 48439
   United States
   Phone: 810-694-8677, Fax: 810-694-871`2

Record last updated on 2003-01-15 06:24:13.950
Record created on 2002-09-12 18:03:01.180
Record expires on 2003-09-12 18:03:01.180

Domain servers in listed order:
   ns2.webgate2000.com   204.188.76.2
   ns.webgate2000.com   204.188.77.136

Registration Service Provider: VelocityNet
     velocity@velocitynet.net
     (810) 6948677


Registrar: NAMES4EVER, http://www.names4ever.com


Thanks, added to the list.

Dolphin.

--
 URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
 ICQ: 6615461


 
=== Michigan Connect *knows* about the spamming - the spammer is still there ===
Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu
 !postnews1.google.com!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Newsgroups: news.admin.net-abuse.email
Subject: Re: [BLOCK] Michigan Connect
Date: 28 Jan 2003 14:30:32 -0800
Organization: http://groups.google.com/
Lines: 43
Message-ID: <da239e0c.0301281430.5fd2bca1@posting.google.com>
References: <slrnb2nrko.mon.usenet-Jan+nanae@orca.dolphinwave.org>
  <yahoo_com-15124A.12380023012003@news.hcf.jhu.edu>
NNTP-Posting-Host: 204.188.78.197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1043793032 17431 127.0.0.1 (28 Jan 2003 22:30:32
  GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: 28 Jan 2003 22:30:32 GMT
Xref: uni-berlin.de news.admin.net-abuse.email:1909441

Frank,

You got the response that you did from me, due to the fact that you
would not identify yourself, and gave me a bogus ISP name.  If you had
identified yourself, before asking all of the questions you were
firing at me during the conversation, I would have not been so
defensive.

My two cents,

Bernie---

Frank Nospam <yahoo_com@francis.uy> wrote in message
  news:<yahoo_com-15124A.12380023012003@news.hcf.jhu.edu>...
> Dolphin <usenet-Jan+nanae@2003.dolphinwave.org> wrote:
> > Today I was spammed twice by cjlinc.net (Steve Sorenson) spammers. Tried
> > to send complaints to the abuse.net adviced e-mail address for the spammers'
> > host, Michigan Connect (for e-mich.com: helpesk@michiganconnect.com). Got
>
> Following some whois lookups I actually spoke to Bernie Johnson
>  (bernie@e-mich.com, the host registrant). He answered the phone
>  by saying "Network Support". I asked if this was e-mich, or
>  velocitynet, or whoever, and he immediately got defensive.
>
> After we finally exchanged greetings I said cjlinc was spamming.
>  "Never heard of them". After spelling out IP addresses and
>  netblocks in crayon for him, he says "They're not sending mail
>  from my domain. You should contact the sender."
>
> FWIW, the sender was the Shenjun China gang. He tells me I don't
>  know how to read mail headers. Spam from China? "It's spoofed".
>
> I ask him if he has a policy against hosting customers who send
>  spam through 3rd parties. Again he gets defensive. "Who are you?
>  Why should I even listen to you?" Eventually he claims to take
>  my abuse report, and we hang up.
>
> > Advice to block:
> > michiganconnect.com, e-mich.com, velocitynet.net, webgate2000.com,
> > [12.148.56.0 - 12.148.59.255], [204.188.76.0 - 204.188.79.255].
>
> Don't forget host-help.com, also part of Bernie's group.
>
> -F.



=== cjlinc.net is *still* connected to the same Michigan Connect ===
Path: uni-berlin.de!cust-62-219-88-92.cust.bezeqint.NET!not-for-mail
From: Dolphin <usenet-Jan+nanae@2003.dolphinwave.org>
Newsgroups: news.admin.net-abuse.email
Subject: Re: [BLOCK] Michigan Connect
Date: 29 Jan 2003 23:05:22 GMT
Organization: Private person
Lines: 41
Sender: Alexander Sheremet <usenet-Jan+nanae@2003.dolphinwave.org>
Message-ID: <slrnb3gne9.c9i.usenet-Jan+nanae@orca.dolphinwave.org>
References: <slrnb2nrko.mon.usenet-Jan+nanae@orca.dolphinwave.org>
  <yahoo_com-15124A.12380023012003@news.hcf.jhu.edu>
  <da239e0c.0301281430.5fd2bca1@posting.google.com>
NNTP-Posting-Host: cust-62-219-88-92.cust.bezeqint.net (62.219.88.92)
X-Trace: fu-berlin.de 1043881522 34269277 62.219.88.92 (16 [104765])
X-SPEWS: I am not
X-newsgroup: news.admin.net-abuse.email
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
User-Agent: slrn/0.9.7.4 (Linux)
Xref: uni-berlin.de news.admin.net-abuse.email:1910139

On 28 Jan 2003 14:30:32 -0800 Bernie <bernie@michiganconnect.com>
 wrote in message <da239e0c.0301281430.5fd2bca1@posting.google.com>:
> Frank,
>
> You got the response that you did from me, due to the fact that you
> would not identify yourself, and gave me a bogus ISP name.  If you had
> identified yourself, before asking all of the questions you were
> firing at me during the conversation, I would have not been so
> defensive.
>
> My two cents,
>
> Bernie---
>
> Frank Nospam <yahoo_com@francis.uy> wrote in message
  news:<yahoo_com-15124A.12380023012003@news.hcf.jhu.edu>...
>> Dolphin <usenet-Jan+nanae@2003.dolphinwave.org> wrote:
>> > Today I was spammed twice by cjlinc.net (Steve Sorenson) spammers. Tried
>> > to send complaints to the abuse.net adviced e-mail address for the
  spammers'
>> > host, Michigan Connect (for e-mich.com: helpesk@michiganconnect.com). Got
<SNIP>

$ host www.cjlinc.net
www.cjlinc.net is an alias for cjlinc.net.
cjlinc.net has address 12.148.59.95

$ whois 12.148.59.95@whois.arin.net
[whois.arin.net]
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
                                  12.0.0.0 - 12.255.255.255
MICHIGAN CONNECT MICHIGAN31-56 (NET-12-148-56-0-1)
                                  12.148.56.0 - 12.148.59.255

Need there anything else to be said?..

Dolphin.

--
 URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
 ICQ: 6615461



=== Frank's reply ===
From: Frank Nospam <yahoo_com@francis.uy>
Newsgroups: news.admin.net-abuse.email
Subject: Re: [BLOCK] Michigan Connect
Date: Thu, 30 Jan 2003 10:07:57 -0500
Organization: &nbsp;
Lines: 26
Message-ID: <yahoo_com-6CB46D.10075730012003@news.hcf.jhu.edu>
References: <slrnb2nrko.mon.usenet-Jan+nanae@orca.dolphinwave.org>
  <yahoo_com-15124A.12380023012003@news.hcf.jhu.edu>
  <da239e0c.0301281430.5fd2bca1@posting.google.com>
NNTP-Posting-Host: jmurray.cty.jhu.edu
X-Trace: news.hcf.jhu.edu 1043938516 6578 128.220.149.205 (30 Jan 2003 14:55:16
  GMT)
X-Complaints-To: usenet@news.jhu.edu
NNTP-Posting-Date: Thu, 30 Jan 2003 14:55:16 +0000 (UTC)
User-Agent: MT-NewsWatcher/3.3b1 (PPC Mac OS X)
X-Face: ,J*4:A`k_n&wtM<$0.8=#68G[NQ(iepi"6[M{\$5ca3"9}5'|qi$:L5?N*=,`
  J}[V&zocIR,yNOs&cil~c&+Zq
Path: uni-berlin.de!fu-berlin.de!newspeer.monmouth.com
 !news-peer-east1.sprintlink.net!news.sprintlink.net!nntp1.roc.gblx.net
 !nntp.gblx.net!nntp.gblx.net!vienna7.his.com!news.cs.jhu.edu!news.jhu.edu
 !yahoo_com
Xref: uni-berlin.de news.admin.net-abuse.email:1910538

 bernie@michiganconnect.com (Bernie) wrote:
> You got the response that you did from me, due to the fact that you
> would not identify yourself, and gave me a bogus ISP name.  If you had
> identified yourself, before asking all of the questions you were
> firing at me during the conversation, I would have not been so
> defensive.

1: Every REPUTABLE hosting company that I have ever called has been
 perfectly willing to answer questions before asking for identifying
 information from the caller. It's a necessary step to keep personal
 details out of the hands of spam gangs.

2: I did not tell you any bogus information. I am indeed at JHU.
 Please see this posting on news.announce.net-abuse.sightings:
 Message-ID: <yahoo_com-532B4B.08590830012003@news.hcf.jhu.edu>

3: It is never Never NEVER acceptable to deny responsibility when
 one of your hosted domains sends adverts through a 3rd party.

> Frank Nospam <yahoo_com@francis.uy> wrote in message
> > After we finally exchanged greetings I said cjlinc was spamming.
> >  "Never heard of them". After spelling out IP addresses and
> >  netblocks in crayon for him, he says "They're not sending mail
> >  from my domain. You should contact the sender."

-F.




=== And here is the same Michigan Connect spammer, Steve Sorenson again ===
Content-Type: text/plain;
  charset="iso-8859-1"
From: Admin <abuse@2003.dolphinwave.org>
Reply-To: abuse@2003.dolphinwave.org
Organization: Private person
Subject: [email] Long-time AT&T spammer (WHOIS harvest, stock: cjlinc.net)! [Fwd: abuse, LIVE FROM WALL STREET: VICC Test Results Are In..........]
Date: Wed, 19 Feb 2003 22:24:46 +0200
User-Agent: KMail/1.4.3
X-KMail-Link-Message: 735098
X-KMail-Link-Type: forward
To: <abuse@2003.dolphinwave.org>,
 uce@ftc.gov,
 nanas-sub@cybernothing.org,
 <enforcement@sec.gov>,
 cyberfraud@nasaa.org,
 abuse@interbusiness.it,
 postmaster@interbusiness.it,
 network@cgi.interbusiness.it,
 conrm-ip@telecomitalia.it,
 abuse@wp.pl,
 abuse@wp-sa.pl,
 bernie@e-mich.com,
 postmaster@michiganconnect.com,
 helpesk@michiganconnect.com,
 abuse@att.net,
 postmaster@att.net,
 postmaster@att.com,
 hostmaster@att.com,
 hostmaster@att.net,
 abuse@cw.net,
 spamcomplaints@cw.net,
 abuse@aol.com,
 abuse@cs.com,
 abuse@compuserve.com
X-Complaints-To: abuse@dolphinwave.org (live person)
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
X-No-Confirm: Yes
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200302192224.46720@2003.dolphinwave.org>
Status: RO
X-Status: S

Spam on my e-mail address, used on the WHOIS database for my domain
registration only, and harvested from there! My previous complaints
on this spammer are archived on news.admin.net-abuse.sightings:
http://groups.google.com/groups?selm=200301201353.11549%402002.dolphinwave.org

Please, terminate the spammer's accounts as soon as possible!
Thanks!
=======

Refusing to deal with your abusers will lead your whole IP range to be
blocked from accessing of my mailservers ever again, and this info will
be shared with other admins and public blocklists!


Spammer: host24-31.pool62110.interbusiness.it [62.110.31.24]

Abused mailserver: smtp.wp.pl [212.77.101.161]

Mail from: incomingforward@cs.com

Remove box: tallrhe@cs.com

Spamvertised web page: http://12.148.59.67


Previously spamvertised web page: www.cjlinc.net, is still on AT&T
(a different IP in the same Michigan Connect IP space: [12.148.59.64]).

cjlinc.net [12.148.59.64]
==========
Registrant:
 Sorenson And Ass.
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Domain Name: CJLINC.NET

Administrative Contact:
 Sorenson, Steve vacplanners@cs.com
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Technical Contact:
 Sorenson, Steve vacplanners@cs.com
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Record last updated 01-10-2003 12:57:51 AM
Record expires on 01-10-2005
Record created on 01-10-2003

Domain servers in listed order:
        NS1.CJLINC.NET  12.148.59.64
        NS2.CJLINC.NET  12.148.59.64

MICHIGAN CONNECT IP block [12.148.56.0 - 12.148.59.255]
 which is in the AT&T IP range [12.0.0.0 - 12.255.255.255].
Upstream: Cable & Wireless (velocity-net.Cleveland.cw.net).



----------  Forwarded Message  ----------

Received: from smtp.wp.pl (smtp.wp.pl [212.77.101.161])
        by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id h1J5rfa30665
        for <abuse@###>; Wed, 19 Feb 2003 07:53:42 +0200
Message-Id: <200302190553.h1J5rfa30665@mail.dolphinwave.org>
Received: (WP-SMTPD 8931 invoked from network); 19 Feb 2003 05:53:18 -0000
Received: from unknown (HELO smtp0000.mail.yahoo.com) (abc@[62.110.31.24])
          (envelope-sender <incomingforward@cs.com>)
          by smtp.wp.pl (wp-smtpd) with SMTP
          for <abuse@discoveryimp.###>; 19 Feb 2003 05:53:17 -0000
Date: Wed, 19 Feb 2003 05:53:19 GMT
From: incomingforward@cs.com
X-Priority: 3
To: abuse@discoveryimp.###
Subject: abuse, LIVE FROM WALL STREET: VICC Test Results Are In..........
Mime-Version: 1.0
Content-Type: text/html;
  charset=us-ascii
Content-Transfer-Encoding: 7bit
X-AntiVirus: skaner antywirusowy poczty Wirtualnej Polski S. A.
X-WP-ChangeAV: 0
Status: R 
X-Status: N

abuse@discoveryimp.###
<p>If you bought into our last recommendation (CIMG) early enough you had an
 excellent opportunity to make substantial gains (from .90 to 1.65 in just
 the first day).  Now is your chance to do the same with our newest pick:
 VICC.  To find out more go to <a href="http://12.148.59.67">Live From the
 Street</a>.</p> <p align="center"><img border="0"
 src="http://12.148.59.67/bm01.gif"></p> <p>If you no longer want to receive
 information from us just go to
<a href="mailto:tallrhe@cs.com">tallrhe@cs.com</a>.<p>
&nbsp;

-------------------------------------------------------



======= PREVIOUS SPAMS WERE =======
<PREVIOUS SPAMS QUOTES SNIPPED>




=== And yet another spam from this spammer, my 3rd complaint ===
Content-Type: text/plain;
  charset="iso-8859-1"
From: Admin <abuse@2003.dolphinwave.org>
Reply-To: abuse@2003.dolphinwave.org
Organization: Private person
Subject: [email] [BLOCK] Persistent AT&T/Michigan Connect spammer: Steve Sorenson! [Fwd: dolphin, WALL STREET LIVE: TGYC Announces Revised Revenues and Earnings...]
Date: Thu, 20 Feb 2003 14:40:42 +0200
User-Agent: KMail/1.4.3
X-KMail-Link-Message: 739024
X-KMail-Link-Type: forward
To: <abuse@2003.dolphinwave.org>,
 uce@ftc.gov,
 nanas-sub@cybernothing.org,
 <enforcement@sec.gov>,
 cyberfraud@nasaa.org,
 bernie@e-mich.com,
 postmaster@michiganconnect.com,
 helpesk@michiganconnect.com,
 abuse@att.net,
 postmaster@att.net,
 postmaster@att.com,
 hostmaster@att.com,
 hostmaster@att.net,
 hostmaster@attmail.com,
 postmaster@attmail.com,
 help@ip.att.net,
 custaddress@ip.att.net,
 abuse@cw.net,
 spamcomplaints@cw.net,
 abuse@aol.com,
 abuse@cs.com,
 abuse@compuserve.com,
 abuse@hosteurope.de,
 postmaster@hosteurope.de,
 vertrieb@hosteurope.de,
 support@hosteurope.de,
 abuse@iarna.com,
 abuse@easynet.net,
 abuse@novaone.net
X-Complaints-To: abuse@dolphinwave.org (live person)
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
X-No-Confirm: Yes
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200302201440.42542@2003.dolphinwave.org>
Status: RO
X-Status: S

This is already the THIRD complaint on the same AT&T/Michigan Connect spammer,
Sorenson And Ass., spamming my multiple accounts, harvested from my Usenet
posts and WHOIS database! My previous complaints are archived on the Usenet
newsgroup news.admin.net-abuse.sightings, and can be reached using the Google
Groups archive:
http://groups.google.com/groups?selm=200301201353.11549%402002.dolphinwave.org
http://groups.google.com/groups?selm=200302192224.46720%402003.dolphinwave.org

ATTN: AT&T!
Now you know why your multiple IP ranges are being blocklisted in SPEWS and
other public and private blocklists, right? This complaint will also be
archived, and I will point your "AT&T Dedicated AUP Enforcement Team" on it
every time they will decide to appear on news.admin.net-abuse.email to discuss
the removal of your IP ranges from SPEWS or any other blocklist. I hope you
will enjoy your long stay in the various blocklists, you well earned that.


Spammer: ds80-237-200-67.dedicated.hosteurope.de

Abused mailserver: mail.iarna.com [212.135.143.136]

Mail from: Live_From_the_Street_99971@novaone.net

Remove box: tallrhe@cs.com

Spamvertised web page: http://www.sorensonandassociates.com

Previously spamvertised web pages, still up on AT&T/Michigan Connect:
http://www.cjlinc.net
http://12.148.59.67


www.sorensonandassociates.com [12.148.59.61]
=============================
Registrant:
 Sorenson And Ass.
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Domain Name: SORENSONANDASSOCIATES.COM

Administrative Contact:
 Sorenson, Steve vacplanners@cs.com
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Technical Contact:
 Sorenson, Steve vacplanners@cs.com
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Record last updated 02-07-2003 10:14:07 PM
Record expires on 02-07-2004
Record created on 02-07-2003

Domain servers in listed order:
        NS1.SORENSONANDASSOCIATES.COM   12.148.59.61
        NS2.SORENSONANDASSOCIATES.COM   12.148.59.61

MICHIGAN CONNECT IP block [12.148.56.0 - 12.148.59.255]
 which is in the AT&T IP range [12.0.0.0 - 12.255.255.255].
Upstream: Cable & Wireless (velocity-net.Cleveland.cw.net).


www.cjlinc.net [12.148.59.64]
==============
Registrant:
 Sorenson And Ass.
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Domain Name: CJLINC.NET

Administrative Contact:
 Sorenson, Steve vacplanners@cs.com
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Technical Contact:
 Sorenson, Steve vacplanners@cs.com
 142 S. Semoran Blvd. #147
 casselberry, FL 32707
 US
 407-650-3437

Record last updated 01-10-2003 12:57:51 AM
Record expires on 01-10-2005
Record created on 01-10-2003

Domain servers in listed order:
        NS1.CJLINC.NET  12.148.59.64
        NS2.CJLINC.NET  12.148.59.64

MICHIGAN CONNECT IP block [12.148.56.0 - 12.148.59.255]
 which is in the AT&T IP range [12.0.0.0 - 12.255.255.255].
Upstream: Cable & Wireless (velocity-net.Cleveland.cw.net).


----------  Forwarded Message  ----------

Received: from iarnagroup.co.uk (mail.iarna.com [212.135.143.136])
        by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id h1K6pQa17243
        for <###>; Thu, 20 Feb 2003 08:51:31 +0200
Received: from smtp0592.mail.yahoo.com [80.237.200.67] by iarnagroup.co.uk 
with ESMTP
  (SMTPD32-7.13) id AA4C61C013C; Thu, 20 Feb 2003 06:48:44 +0000
Date: Thu, 20 Feb 2003 06:55:29 GMT
From: "Milissa"<Live_From_the_Street_99971@novaone.net>
X-Priority: 3
To: dolphin@dolphcom.###
Subject: dolphin, WALL STREET LIVE: TGYC Announces Revised Revenues and 
Earnings...
Mime-Version: 1.0
Content-Type: text/html;
  charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <200302200649396.SM02156@smtp0592.mail.yahoo.com>
Status: R 
X-Status: N

dolphin@dolphcom.###
<p>If you bought into our last recommendation (CIMG) early enough you had an
 excellent opportunity to make substantial gains (from .90 to 1.65 in just
 the first day).  Now is your chance to do the same with our newest pick:
 TGYC.  To find out more go to <a
 href="http://www.sorensonandassociates.com">Live From the Street</a>.</p> <p
 align="center"><img border="0"
 src="http://www.sorensonandassociates.com/bm01.gif"></p> <p>If you no longer
 want to receive information from us just go to
<a href="mailto:tallrhe@cs.com">tallrhe@cs.com</a>.<p>
&nbsp;

-------------------------------------------------------



======= PREVIOUS SPAMS WERE =======
<PREVIOUS SPAMS QUOTES SNIPPED>




=== Another spammer is being hosted at Michigan Connect ===
Path: uni-berlin.de!fu-berlin.de!news.maxwell.syr.edu!sn-xit-03!sn-xit-01
 !sn-post-01!supernews.com!news.supernews.com!not-for-mail
From: adam brower <adam@disadvantagesofexcessiveverbosity.com>
Newsgroups: news.admin.net-abuse.email
Subject: [SPEWS] [SBL] more reintersen/ev1 bestoffered
Date: Thu, 27 Feb 2003 10:15:13 -0600
Organization: wait...i've got it here somewhere...
Message-ID: <3E5E3991.B965B4D9@disadvantagesofexcessiveverbosity.com>
Reply-To: adam@disadvantagesofexcessiveverbosity.com
X-Mailer: Mozilla 4.77C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; U; PPC)
X-Accept-Language: en,zh,zh-CN
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Complaints-To: abuse@supernews.com
Lines: 69
Xref: uni-berlin.de news.admin.net-abuse.email:1929909

bestoffered spamming from ev1 207.44.212.119...banners
as rackshack. note that mx for bestoffered.us
points to ev1:

; <<>> DiG 8.3 <<>> @DNS1.NAME-SERVICES.COM bestoffered.us mx +norec
; (3 servers found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36325
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; QUERY SECTION:
;;      bestoffered.us, type = MX, class = IN

;; ANSWER SECTION:
bestoffered.us.         30M IN MX       10 mail.bestoffered.us.

;; ADDITIONAL SECTION:
mail.bestoffered.us.    30M IN A        207.44.212.119

ev1 is obviously complicit in this:

% nslookup -norec mail.bestoffered.us ns1.ev1.net
Server:  ns1.ev1.net
Address:  216.88.76.6

Non-authoritative answer:
Name:    mail.bestoffered.us
Address:  207.44.212.119

plainly ev1 are in bed with reinertsen on this,
as is fast-rising spamhaus att/michigan connect,
host of inkjetbuy.com referenced in the spam

  http://groups.google.com/groups?q=%22MICHIGAN+CONNECT%22+group:news.admin.net-abuse.*&scoring=d

% host inkjetbuy.com
inkjetbuy.com has address 12.148.59.93

% whois 12.148.59.93
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
                                  12.0.0.0 - 12.255.255.255
MICHIGAN CONNECT MICHIGAN31-56 (NET-12-148-56-0-1)
                                  12.148.56.0 - 12.148.59.255

Received: from plesk.rackshack.net ([207.44.212.119]) by [redacted].com
(8.12.6/8.11.2) with SMTP id h1RE1J2a097460 for <[redacted]@[trap].com>;
Thu, 27 Feb 2003 08:01:20 -0600 (CST)
To: [redacted]@[trap].com
Date: Thu, 27 Feb 2003 22:16:29 -0600
Message-ID: <1046405789.8400@plesk.rackshack.net>
X-Mailer: Trade-Navigator 4.0 [CN]
From: "Your Info Offers"<info-hlhtcb@bestoffered.us>
Subject: The lowest inkjet cartridge prices on the Internet are here.

Content-Type: text/html
Mime-Version: 1.0

[snip]
Check out some of our deals:</font></strong>
<a href="http://inkjetbuy.com/datafeb21.htm">
[snip]
However, if you wish to unsubscribe, <a
href="http://www.bestoffered.com/opt_out.htm">Press here</a>
[snip]


adam

--



=== Michigan Connect is a spamhaus operation, moving their spammers around, ===
=== but never terminating them ===
Path: uni-berlin.de!cust-62-219-88-50.cust.bezeqint.NET!not-for-mail
From: Dolphin <usenet-Feb+nanae@2003.dolphinwave.org>
Newsgroups: news.admin.net-abuse.email
Subject: Re: [SPEWS] [SBL] more reintersen/ev1 bestoffered
Date: 27 Feb 2003 19:12:18 GMT
Organization: Private person
Lines: 100
Sender: Alexander Sheremet <usenet-Feb+nanae@2003.dolphinwave.org>
Message-ID: <slrnb5sok8.rke.usenet-Feb+nanae@orca.dolphinwave.org>
References: <3E5E3991.B965B4D9@disadvantagesofexcessiveverbosity.com>
NNTP-Posting-Host: cust-62-219-88-50.cust.bezeqint.net (62.219.88.50)
X-Trace: fu-berlin.de 1046373138 58225611 62.219.88.50 (16 [104765])
X-SPEWS: I am not
X-newsgroup: news.admin.net-abuse.email
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
User-Agent: slrn/0.9.7.4 (Linux)
Xref: uni-berlin.de news.admin.net-abuse.email:1930023

On Thu, 27 Feb 2003 10:15:13 -0600 adam brower
  <adam@disadvantagesofexcessiveverbosity.com>
 wrote in message <3E5E3991.B965B4D9@disadvantagesofexcessiveverbosity.com>:

<SNIP>
> plainly ev1 are in bed with reinertsen on this,
> as is fast-rising spamhaus att/michigan connect,
> host of inkjetbuy.com referenced in the spam
>
> http://groups.google.com/groups?q=%22MICHIGAN+CONNECT%22+group:news.admin.net-abuse.*&scoring=d
>
> % host inkjetbuy.com
> inkjetbuy.com has address 12.148.59.93
>
> % whois 12.148.59.93
> AT&T WorldNet Services ATT (NET-12-0-0-0-1)
>                                   12.0.0.0 - 12.255.255.255
> MICHIGAN CONNECT MICHIGAN31-56 (NET-12-148-56-0-1)
>                                   12.148.56.0 - 12.148.59.255

Note also another long-time spammer, Steve Sorenson, was sitting just 2 IPs
apart, and all over the 12.148.59.0/24 space:

$ host cjlinc.net
cjlinc.net has address 12.148.59.64
(on January 20th it was 12.148.59.95)

Also, www.sorensonandassociates.com was 12.148.59.61

Another spamvertised web site by Steve Sorenson: http://12.148.59.67

Another reported spammer: www.marketingnewsletter.net was 12.148.59.89.


And talking about inkjetbuy.com (Krause, Michael). The tigerhosting.com
is another Michael's domain, who now occupies the ex-Steve Sorenson's
12.148.59.95 IP:

$ telnet 12.148.59.95 25
Trying 12.148.59.95...
Connected to 12.148.59.95.
Escape character is '^]'.
220 ns1.tigerhosting.com ESMTP

$ host ns1.tigerhosting.com
ns1.tigerhosting.com has address 12.148.59.99


$ whois inkjetbuy.com
[whois.crsnic.net]
<...>
Registrant:
 Krause International
 570 Church Street East # 818
 Brentwood, TN 37027
 US
 615-533-2230

Domain Name: INKJETBUY.COM

Administrative Contact:
 Krause, Michael info@casinotiger.com
 570 Church Street East # 818
 Brentwood, TN 37027
 US
 615-533-2230

===

$ whois tigerhosting.com
[whois.crsnic.net]
<...>
Registrant:
 Krause International
 570 Church Street East # 818
 Brentwood, TN 37027
 US
 615-533-2230

Domain Name: TIGERHOSTING.COM

Administrative Contact:
 Krause, Michael info@casinotiger.com
 570 Church Street East # 818
 Brentwood, TN 37027
 US
 615-533-2230


It is obvious that Michigan Connect is a spamhaus operation, moving their
spammers all around, but never disconnecting them.

http://www.DolphinWave.org/spam/MichiganConnect.txt

Dolphin.

--
 URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
 ICQ: 6615461




=== SPEWS listing: S1457 ===
=== http://www.spews.org/html/S1457.html ===
webgate2000
|--------------------
2, 65.168.29.213, webgate2000.com
2, 65.168.29.0 - 65.168.29.255, webgate2000.com (sprint.net) (dead?)
2, 198.88.106.0 - 198.88.107.255, webgate2000.com (Verio)
1, 204.188.78.152, webgate2000.com
1, 204.188.77.136, ns.webgate2000.com
1, 204.188.76.2, ns2.webgate2000.com
1, 204.188.76.0 - 204.188.79.255, webgate2000.com (C&W)
1, 12.148.59.0/24, webgate2000.com / e-mich.com (Angelo Tirico / metamax4life.us / NS2.TIGERHOSTING.COM)
1, 12.148.56.0 - 12.148.59.255, webgate2000.com / e-mich.com (ATT)
1, 12.148.49.0 - 12.148.66.255, ATT (webgate2000.com / e-mich.com)
---------------------|

Spammer hosts.  Old Ralsky pals, back in the spammer hosting business?

See:  <http://groups.google.com/groups?q=WEBGATE2000>
      <http://groups.google.com/groups?hl=en&q=65.168.29.213>

AlRal taught Bernie well it seems:
<http://groups.google.com/groups?selm=yahoo_com-15124A.12380023012003%40news.hcf.jhu.edu>
==========================================================
1, 12.148.59.93, inkjetbuy.com

1, 12.148.59.191, cheap-trips.org
1, 12.148.59.193, aircourier.org
==========================================================
http://65.168.29.213/freevip/
http://65.168.29.213/specials
==========================================================
Web Gate 2000 (WEBGATE6-DOM)
   1 North Saginaw suite 202
   Pontiac, MI 48342
   US

   Domain Name: WEBGATE2000.COM

   Administrative Contact, Technical Contact:
      Johnson, Bernie  (BJ3881)		webmaster@MICHIGANCONNECT.COM
      Michigan Connect
      1 N. Saginaw Suite 202
      Pontiac, MI 48342
      248.334.7885 (FAX) 248.334.0763

   Record expires on 21-Mar-2003.
   Record created on 21-Mar-1999.

   Domain servers in listed order:
   NS.WEBGATE2000.COM           198.88.106.18
   NS2.WEBGATE2000.COM          65.168.29.107

==========================================================
webgate2000.com	A	204.188.78.152
webgate2000.com	NS	ns.webagte2000.com
webgate2000.com	NS	ns2.webgate2000.com
webgate2000.com	SOA
    origin = ns.webagte2000.com
    mail addr = admin@cobalt.michiganconnect.com
    serial = 2002081423
    refresh = 1200 (20 mins)
    retry = 1200 (20 mins)
    expire = 1222 (20 mins 22 secs)
    minimum ttl = 1200 (20 mins)
webgate2000.com	NS	ns.webagte2000.com
webgate2000.com	NS	ns2.webgate2000.com
ns2.webgate2000.com	A	204.188.76.2

Old:
----
webgate2000.com	NS	ns.webgate2000.com
webgate2000.com	NS	ns2.webgate2000.com
webgate2000.com	SOA
    origin = ns.webgate2000.com
    mail addr = velocity@velocitynet.net
    serial = 2002050819
    refresh = 1200 (20 mins)
    retry = 1200 (20 mins)
    expire = 1200 (20 mins)
    minimum ttl = 1200 (20 mins)
webgate2000.com	NS	ns.webgate2000.com
webgate2000.com	NS	ns2.webgate2000.com
ns.webgate2000.com	A	198.88.106.18
ns2.webgate2000.com	A	65.168.29.107
==========================================================
Michigan Connect, LLC
   359 Nelson
   Pontiac, MI  48342
   United States -- US

   Domain Name: velocitynet.net

   Administrative Contact:
      Michigan Connect, LLC  (LM153-AWR)  bernie@michiganconnect.com
      359 Nelson
      Pontiac, MI  48342
      United States -- US
      Ph: 248-334-7885      FAX: 
   Technical Contact:
      Johnson, Bernie  (BJ172-AWR)  bernie@michiganconnect.com
      1.N Saginaw
      Pontiac, MI  48342
      United States -- US
      Ph: 248-334-7885      FAX: 

   Record last updated on Tue Oct 02 13:47:37 2001 MDT.
   Record created on Thu Sep 28 19:56:55 2000 MDT.
   Record expires on Sun Sep 28 19:56:55 2003 MDT.

   Domain servers in listed order:
   ns.webgate2000.com              198.88.106.18
   ns2.webgate2000.com             198.88.106.6

   Record last updated on Thu Aug 08 21:44:20 2002 MDT.
   Domain servers in listed order:
   ns.webgate2000.com              198.88.106.18
   ns2.webgate2000.com             204.188.76.2
   ns.velocitydns.net              204.188.78.101
==========================================================
   Beesky Consulting (NETBLK-VERIO-OH-0483-2)
   812 Chapin
   Birmingham, MI 48009
   Netname: VERIO-OH-0483-2
   Netblock: 198.88.106.0 - 198.88.106.255
   Maintainer: A029
   Coordinator:  Machesky, Dan  (DM170-ARIN)  paradis@rust.net
   810-642-6343 Fax- 0
   Domain System inverse mapping provided by:
   BEESKY.BEESKY.COM               198.88.0.2
   LUCAS.BEESKY.COM               198.88.0.6
   DAN.BEESKY.COM               198.88.0.3
   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
   Record last updated on 07-Nov-2000.
==========================================================
OrgName: VELOCITY NET
OrgID:   VELOCI-13
Address: 5427 Mancelona Drive Grand Blanc MI 48439
Country: US
Comment: 
RegDate: 2001-12-04
Updated: 2001-12-04

NetRange:   204.188.76.0 - 204.188.79.255 
CIDR:       204.188.76.0/22 
NetName:    CW-204-188-76
NetHandle:  NET-204-188-76-0-1
Parent:     NET-204-188-0-0-1
NetType:    Reassigned
Comment:    
RegDate:    2001-12-04
Updated:    2002-09-13

TechHandle: BJ460-ARIN
TechName:   Johnson, Bernie 
TechPhone:  +1-810-694-8677
TechEmail:  bernie@e-mich.com 

TechHandle: UIAA-ARIN
TechName:   US IP Address Administration 
TechPhone:  +1-800-977-4662
TechEmail:  ipadmin@clp.cw.net 

TechHandle: GIAA-ARIN
TechName:   Global IP Address Administration 
TechPhone:  +1-919-465-4096
TechEmail:  ip@gnoc.cw.net 
==========================================================
OrgName: MICHIGAN CONNECT
OrgID:   MICHIG-22
Address: 5427 MANCELONA DRIVE GRAND BLANC MI 48439
Country: US
Comment: 
RegDate: 2002-08-21
Updated: 2002-08-21

NetRange:   12.148.56.0 - 12.148.59.255 
CIDR:       12.148.56.0/22 
NetName:    MICHIGAN31-56
NetHandle:  NET-12-148-56-0-1
Parent:     NET-12-0-0-0-1
NetType:    Reassigned
Comment:    
RegDate:    2002-08-21
Updated:    2002-08-21

TechHandle: BJ460-ARIN
TechName:   Johnson, Bernie 
TechPhone:  +1-810-694-8677
TechEmail:  bernie@e-mich.com 
==========================================================
1 Global ICS, LLC (E-MICH-DOM)
   1 N. Saginaw Suite 202
   Pontiac
   MI,48342
   US

   Domain Name: E-MICH.COM

   Administrative Contact, Technical Contact:
      Johnson, Bernie  (BJ3881)		webmaster@MICHIGANCONNECT.COM
      Michigan Connect
      1 N. Saginaw Suite 202
      Pontiac, MI 48342
      248.334.7885 (FAX) 248.334.0763

   Record expires on 21-May-2003.
   Record created on 21-May-1999.

   Domain servers in listed order:
   NS.WEBGATE2000.COM           204.188.77.136
   NS2.WEBGATE2000.COM          204.188.76.2
==========================================================
1 Global ICS, LLC (MICHIGANCONNECT2-DOM)
   1 N. Saginaw Suite 202
   Pontiac
   MI,48342
   US

   Domain Name: MICHIGANCONNECT.COM

   Administrative Contact, Technical Contact:
      Johnson, Bernie  (BJ3881)		webmaster@MICHIGANCONNECT.COM
      Michigan Connect
      1 N. Saginaw Suite 202
      Pontiac, MI 48342
      248.334.7885 (FAX) 248.334.0763

   Record expires on 08-May-2003.
   Record created on 08-May-1999.

   Domain servers in listed order:
   NS.WEBGATE2000.COM           204.188.77.136
   NS2.WEBGATE2000.COM          204.188.76.2
==========================================================
   Hositng Support
   5427 Mancleona Dr.
   Grand Blanc, MI 48439
   USA

Domain Name: host-help.com

Administrative Contact, Billing Contact:
   B Johnson (RJPK6) bernie@e-mich.com
   Hositng Support
   5427 Mancleona Dr.
   Grand Blanc, MI 48439
   USA
   Phone: 810-694-8677

Technical Contact:
   Bernie Johnson (EY6BL) velocity@velocitynet.net
   Velocity Net Hosting
   5427 Mancelona Dr.
   Grand Blanc, MI 48439
   United States
   Phone: 810-694-8677, Fax: 810-694-871`2

Record last updated on 2003-01-15 06:24:13.950
Record created on 2002-09-12 18:03:01.180
Record expires on 2003-09-12 18:03:01.180

Domain servers in listed order:
   ns2.webgate2000.com   204.188.76.2
   ns.webgate2000.com   204.188.77.136

Registration Service Provider: VelocityNet
     velocity@velocitynet.net
     (810) 6948677
==========================================================




=== Michigan Connect *IS* the spamhaus operation - phone conversation ===
Path: uni-berlin.de!fu-berlin.de!nntp.infostrada.it!xmission!snoopy.risq.qc.ca
 !newsfeed.news2me.com!newsfeed2.easynews.com!newsfeed1.easynews.com
 !easynews.com!easynews!pln-w!spln!dex!extra.newsguy.com!newsp.newsguy.com
 !enews2
From: "Cameron L. Spitzer" <spambait@merde.greens.org>
Newsgroups: news.admin.net-abuse.email
Subject: e-mich conversation, Re: SPEWS: 12.148.64.250
Date: 28 Feb 2003 23:11:00 GMT
Organization: http://extra.newsguy.com
Lines: 52
Message-ID: <slrnb5vr4a.b89.spambait@petra-k.cagreens.org>
References: <4554dc8c.0302272110.5510f221@posting.google.com>
  <ktC7a.994$Xu.549302@news1.news.adelphia.net>
  <slrnb5uu1o.qdv.nanae@ns.valuemedia.com>
  <slrnb5ve7u.g22.usenet-Feb+nanae@orca.dolphinwave.org>
NNTP-Posting-Host: p-783.newsdawg.com
X-Warning: I take time to damage spammers.
User-Agent: slrn/0.9.7.4 (Linux)
Xref: uni-berlin.de news.admin.net-abuse.email:1930881

In article <slrnb5ve7u.g22.usenet-Feb+nanae@orca.dolphinwave.org>, Dolphin
  wrote:
> $ whois 12.148.59.64@whois.arin.net
> [whois.arin.net]
> AT&T WorldNet Services ATT (NET-12-0-0-0-1)
>                                   12.0.0.0 - 12.255.255.255
> MICHIGAN CONNECT MICHIGAN31-56 (NET-12-148-56-0-1)
>                                   12.148.56.0 - 12.148.59.255
>
> http://www.DolphinWave.org/spam/MichiganConnect.txt

Secure your beverage and distract your felines.

I called Michigan Connect a while ago when I first started
noticing their spam, and spoke to Bernie Johnson.  He told me:

1.  He's running co-location for spammers.  They pay $2000/month
per server for complaint-proof multihomed connectivity.
He's housing 53 servers.  He's making tons of money.
He owns the whole operation, there are no other investors.
2.  He's multihomed, with circuits to three tier-1 providers
at any time.  The circuits are bigger than T-1 and the tier-1s
ignore spam complaints when you pay that much for a circuit;
it doesn't take a pink contract or extra payment to get spam
tolerance.  He mentioned C&W, AT&T, and Verio.
3.  All the tier-1s think spamming is just fine and they're gonna
out SPEWS and destroy it in court for tortious interference
with a business Real Soon Now.  Whoever SPEWS is will be ruined
financially.  SPEWS doesn't inconvenience spammers at all
because rotating connections due to fake terminations is part
of the game, but it is beginning to annoy the tier-1s.
4.  He doesn't care that he's in SPEWS because all his customers
send through dedicated servers overseas.  Only chickenboners bother
with open proxies, the big boys have bullet-proof co-location in
Russia and all over Asia to send from.  Spam is not a US problem;
it comes from overseas.
5.  He's a spam supporter because it's a freedom of speech thing,
block lists are censorship.  The money is secondary.
6.  He's got my number now and knows who I am so I better
watch my back.

Same personality as Ralsky and pre-spanking Wallace, smug as hell and
sure he's right.  He's the serious, practical, ethical businessman
and we're the irrational, unscrupulous fanatics.

I didn't have any idea when I called that I would be talking to
a major spam house.  I just had to yell at the guy and he
volunteered all this stuff.


Cameron




=== And the same Sorenson And Ass still spams from there ===
Path: uni-berlin.de!fu-berlin.de!cox.net!border3.nntp.aus1.giganews.com
 !nntp.giganews.com!nntp3.aus1.giganews.com!nntp.comcast.com
 !news.comcast.com.POSTED!not-for-mail
NNTP-Posting-Date: Tue, 04 Mar 2003 13:47:55 -0600
From: "McWebber" <mcwebber@my-deja.com>
Newsgroups: news.admin.net-abuse.email
Subject: RR.com Clueless
Date: Tue, 4 Mar 2003 14:46:35 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-ID: <ALqcncySSMN2n_ijXTWc2Q@comcast.com>
Lines: 39
NNTP-Posting-Host: 68.56.248.3
X-Trace:
  sv3-mSIcyPdiSmMm8BLbnoqn5L559i+cGPoSSWf0uXNDjOrqbrtnzE9gNxpY6sm0HWVltQppNNR0oK
 zZKeK!W3tygQfqBC7+738diNm31jhpocQMy902U46QqmO/hCyYIRGKVVfJCVhmTjM=
X-Complaints-To: abuse@comcast.net
X-DMCA-Complaints-To: dmca@comcast.net
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint
  properly
X-Postfilter: 1.1
Xref: uni-berlin.de news.admin.net-abuse.email:1932748

Subject implies possible C&C and  Dept. of Redundancy Deptartment warning.

Says this spam didn't come from RR.com:

Return-Path: <incomingforward@cs.com>
Received: from spf2.us4.outblaze.com (205-158-62-24.outblaze.com
[205.158.62.24])
 by spf12.us4.outblaze.com (8.12.7/8.12.7) with ESMTP id h1N0I7QD009729
 for <snip @hilarious.com>; Sun, 23 Feb 2003 00:18:07 GMT
Received: from ms-smtp-01.texas.rr.com (ms-smtp-01.texas.rr.com
[24.93.36.229])
 by spf2.us4.outblaze.com (8.12.7/8.12.7) with ESMTP id h1N0JQld099827
 for <snip @hilarious.com>; Sun, 23 Feb 2003 00:19:27 GMT
Received: from mail.satx.rr.com (mcis-03.texas.rr.com [24.93.36.33])
 by ms-smtp-01.texas.rr.com (8.12.5/8.12.2) with ESMTP id h1J85hIJ000421;
 Wed, 19 Feb 2003 03:10:50 -0500 (EST)
Received: from smtp0000.mail.yahoo.com ([200.33.156.37]) by mail.satx.rr.com
with Microsoft SMTPSVC(5.5.1877.757.75);
  Wed, 19 Feb 2003 00:45:45 -0600
Date: Wed, 19 Feb 2003 06:46:12 GMT
From: incomingforward@cs.com
X-Priority: 3
To: snip @gostei.com.br
Subject: dan, LIVE FROM WALL STREET: VICC Test Results Are In..........
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <0c6b94545061323MCIS-03@mail.satx.rr.com>
X-UIDL: oBK"!e;:"!#Aj"!;be!!



--
McWebber
No email replies read
If someone tells you to forward an email to all your friends
please forget that I'm your friend.



=== Yes, that's these spammers ===
Path: uni-berlin.de!fu-berlin.de!cox.net!border3.nntp.aus1.giganews.com
 !nntp.giganews.com!nntp3.aus1.giganews.com!nntp.comcast.com
 !news.comcast.com.POSTED!not-for-mail
NNTP-Posting-Date: Tue, 04 Mar 2003 16:19:22 -0600
From: "McWebber" <mcwebber@my-deja.com>
Newsgroups: news.admin.net-abuse.email
References: <ALqcncySSMN2n_ijXTWc2Q@comcast.com>
  <slrnb6a6qu.fcs.usenet-Mar+nanae@orca.dolphinwave.org>
Subject: Re: RR.com Clueless
Date: Tue, 4 Mar 2003 17:18:03 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-ID: <ZQWdnYHxn9P3u_ijXTWcqw@comcast.com>
Lines: 29
NNTP-Posting-Host: 68.56.248.3
X-Trace:
  sv3-YhLe/svcYWevalf7JiDbyfTI6Z96auM4d0riTQwBR3/T8Sxn0h5bmUrwskA6xd8q4ZPOMXVAkv
 YoL33!/i6ZxxtEYmIpJ3yYh6foA9Zsvv00+FeQ2OHM5Nlz5DW/RqCaLMX4sy0JbrA=
X-Complaints-To: abuse@comcast.net
X-DMCA-Complaints-To: dmca@comcast.net
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint
  properly
X-Postfilter: 1.1
Xref: uni-berlin.de news.admin.net-abuse.email:1932829

"Dolphin" <usenet-Mar+nanae@2003.dolphinwave.org> wrote in message
news:slrnb6a6qu.fcs.usenet-Mar+nanae@orca.dolphinwave.org...
> On Tue, 4 Mar 2003 14:46:35 -0500 McWebber <mcwebber@my-deja.com>
>  wrote in message <ALqcncySSMN2n_ijXTWc2Q@comcast.com>:
> > Subject implies possible C&C and  Dept. of Redundancy Deptartment
warning.
> >
> > Says this spam didn't come from RR.com:
> >
> > Return-Path: <incomingforward@cs.com>
> <...>
> > Subject: dan, LIVE FROM WALL STREET: VICC Test Results Are In..........
> <SNIP>
>
> Let me guess: Sorenson And Ass (could be named Ass And Ass, too) spam
> on Michigan Connect spamhaus operation? Strange that after 3 spams I
> haven't seen any since February 20th:
> http://www.DolphinWave.org/spam/MichiganConnect.txt
>

Dunno, it pointed to http://12.148.59.67

--
McWebber
No email replies read
If someone tells you to forward an email to all your friends
please forget that I'm your friend.




=== The spammer is on the move to NOC ===
Path: uni-berlin.de!cust-62-219-88-50.cust.bezeqint.NET!not-for-mail
From: Dolphin <usenet-Mar+nanae@2003.dolphinwave.org>
Newsgroups: news.admin.net-abuse.email
Subject: Re: RR.com Clueless
Date: 5 Mar 2003 04:49:59 GMT
Organization: Private person
Lines: 43
Sender: Alexander Sheremet <usenet-Mar+nanae@2003.dolphinwave.org>
Message-ID: <slrnb6b0fj.fcs.usenet-Mar+nanae@orca.dolphinwave.org>
References: <ALqcncySSMN2n_ijXTWc2Q@comcast.com>
  <slrnb6a6qu.fcs.usenet-Mar+nanae@orca.dolphinwave.org>
  <ZQWdnYHxn9P3u_ijXTWcqw@comcast.com>
NNTP-Posting-Host: cust-62-219-88-50.cust.bezeqint.net (62.219.88.50)
X-Trace: fu-berlin.de 1046839799 62075226 62.219.88.50 (16 [104765])
X-SPEWS: I am not
X-newsgroup: news.admin.net-abuse.email
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
User-Agent: slrn/0.9.7.4 (Linux)
Xref: uni-berlin.de news.admin.net-abuse.email:1933020

On Tue, 4 Mar 2003 17:18:03 -0500 McWebber <mcwebber@my-deja.com>
 wrote in message <ZQWdnYHxn9P3u_ijXTWcqw@comcast.com>:

<SNIP>
> Dunno, it pointed to http://12.148.59.67

Yep, that's the Michigan Connect guys:
http://groups.google.com/groups?selm=200302192224.46720%402003.dolphinwave.org

This one replies as hites2.tigerhosting.com on the port 25:

$ telnet 12.148.59.67 25
Trying 12.148.59.67...
Connected to 12.148.59.67.
Escape character is '^]'.
220 hites2.tigerhosting.com ESMTP
QUIT
221 hites2.tigerhosting.com
Connection closed by foreign host.

Michael Krause. I saw Sorenson And Ass was occupying those IPs, but
then took a bit lower IPs, leaving these for Michael Krause.

Whoah, the Sorenson And his Ass got a space at hostnoc.net now:

$ host cjlinc.net
cjlinc.net has address 64.191.48.239

Network Operations Center Inc. [64.191.0.0 - 64.191.127.255].

Just a week ago it was sitting on 12.148.59.64, and in the last
month - on 12.148.59.95.

Need to send heads up to NOC (just so they wouldn't claim that they
didn't know whom they've got).

Dolphin.

--
 URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
 ICQ: 6615461




=== More data on Michigan Connect ===
Path: uni-berlin.de!fu-berlin.de!news-peer.gip.net!news.gsl.net!gip.net
 !c03.atl99!cyclone2.usenetserver.com!newsfeeds-atl1!newsfeeds-atl2
 !news.webusenet.com!news03.bloor.is.net.cable.rogers.com
 !news02.bloor.is.net.cable.rogers.com.POSTED!not-for-mail
From: David Ramalho <earthscibbs@rogers.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b)
  Gecko/20030210
X-Accept-Language: en-us, en, ar, zh, fr, de-de, en-gb, es-es, ja, ko-kr, ko
MIME-Version: 1.0
Newsgroups: news.admin.net-abuse.email
Subject: Sneideraitis / Johnson and MICHIGAN CONNECT, LLC
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 192
Message-ID: <I589a.146621$UXa.16712@news02.bloor.is.net.cable.rogers.com>
Date: Tue, 04 Mar 2003 20:34:48 GMT
NNTP-Posting-Host: 24.101.155.214
X-Complaints-To: abuse@rogers.com
X-Trace: news02.bloor.is.net.cable.rogers.com 1046810088 24.101.155.214 (Tue, 04
  Mar 2003 15:34:48 EST)
NNTP-Posting-Date: Tue, 04 Mar 2003 15:34:48 EST
Xref: uni-berlin.de news.admin.net-abuse.email:1932771

Good afternoon

  My, my, my... It can be amusing what is uncovered when searching through
the UseNet archives.

  Here is the Christopher Sneideraitis and Bernie Johnson connection.

    Subject: Is This Spammer a DIM BULB or What?
    Date: 1998/12/28

  http://groups.google.ca/groups?selm=36886A39.C1E%40mail.rancho.cc.ca.us&oe=UTF-8


Christopher F Sneideraitis
  248-338-6229
  2576 Silver Lake Rd, Waterford, MI 48328

===============================

  Michigan Corporation Division Business Entity Search
    - Searched for: MICHIGAN CONNECT, LLC

                   Name: MICHIGAN CONNECT, LLC
                 ID Num: B49424
                   Type: Domestic Limited Liability Company
         Formation Date: 5-13-1999
             Managed by: Members
                 Status: ACTIVE
Jurisdiction of Origin: MICHIGAN

                  Agent: CHRISTOPHER SNEIDERAITIS
                         1 NORTH SAGINAW STE 202
                         PONTIAC   MI  48342

  Assumed Names
All Names:                 Id:       Begin Date:     End Date:
FITNESS STARS U.S.A.      B49424      6-22-1999      12-31-2004
MICH.CONNECT              B49424      5-25-1999      12-31-2004
MICHIGAN CONNECT          B49424      5-14-1999      12-31-2004
===========================================

  1 NORTH SAGINAW
http://www.jdskeyclub.com/images/map-pontiac.gif

  And even more....

<Quote>
 > Further investigation shows that this site is the spamhaus identified as
 > "WebGate 2000".  They say they are
 >          "a division of 1 Global ICS, LLC
 >           1 North Saginaw, Suite 202
 >           Pontiac, MI 48342
 >           248.334.7885 Office
 >           248.334.0763 Fax
 >           1.888.276.8052 Toll Free"
</Quote>
Reference:
http://groups.google.ca/groups?selm=379E1F37.646817BC%40no_spam_is_good_spam.com&oe=UTF-8
===========================================

  Michigan Corporation Division Business Entity Search
   - Searched for: 1 GLOBAL ICS, LLC

                   Name: 1 GLOBAL ICS, LLC
                 ID Num: B45619
                   Type: Domestic Limited Liability Company
         Formation Date: 4-21-1999
             Managed by: Members
                 Status: ACTIVE
Jurisdiction of Origin: MICHIGAN

                  Agent: BERNARD JOHNSON
                         1 N SAGINAW STE 202
                         PONTIAC   MI  48342
===============================

  So Bernie is really Bernard.

   Searching on the Ph: 248-334-7885
      Michigan Connect,
      (248) 334-7885,
      5427 Mancelona Dr, Grand Blanc, MI 48439

      Michigan Connect.com
      (248) 334-7885
      1 N Saginaw St, Pontiac, MI 48342

  Ok now searching on: 5427 Mancelona
       Mojo Creative Solutions,
       located at 5427 Mancelona Dr., Grand Blanc, MI 48439
   Reference: http://www.mojo-cs.com/standardagreement.html

    Michigan Corporation Division Business Entity Search
      - Searched for: Mojo Creative Solutions
          NO such company
      - Searched for: Mojo Creative
          NO such company

  Host name: www.mojo-cs.com
IP address: 204.188.78.105
      Alias: velocity.velocitynet.net

  Whois: mojo-cs.com

    Registrant:
               5427 Mancelona Dr.
               Grand Blanc, MI 48439, USA
Administrative Contact, Billing Contact:
         Bernie Johnson (PMXCX) velocity@velocitynet.net
         5427 Mancelona Dr., Grand Blanc, MI 48439, USA
         Phone: 810-694-8677
Technical Contact:
          Bernie Johnson (EY6BL) velocity@velocitynet.net
          Velocity Net Hosting
          5427 Mancelona Dr., Grand Blanc, MI 48439, United States
          Phone: 810-694-8677, Fax: 810-694-871`2
   Record last updated on 2002-04-01 18:57:58.093
   Record created on 2002-04-01 18:57:58.093
   Record expires on 2003-04-01 18:57:58.093
Domain servers in listed order:
      ns.velocitydns2.net   204.188.76.252
     ns2.velocitydns2.net   204.188.76.253
Registration Service Provider: VelocityNet
      velocity@velocitynet.net
      (810) 6948677
----------------------------------------------------------

  Host name: velocitynet.net
IP address: 204.188.78.151

  Whois: velocitynet.net

Registrant: Michigan Connect, LLC  (XM2373-AWR)
             359 Nelson, Pontiac, MI  48342, United States -- US
             Ph:       FAX:
Administrative and Billing Contact:
            Michigan Connect, LLC  (LM153-AWR)  bernie@michiganconnect.com
            359 Nelson, Pontiac, MI  48342, United States -- US
            Ph: 248-334-7885      FAX:
    Technical Contact:
          Johnson, Bernie  (BJ172-AWR)  bernie@michiganconnect.com
          1.N Saginaw, Pontiac, MI  48342, United States -- US
          Ph: 248-334-7885      FAX:
    Record last updated on Wed Jan 15 2003.
    Record created on Thu Sep 28 2000.
    Record expires on Sun Sep 28 2003.
Domain servers in listed order:
    ns.webgate2000.com              204.188.77.136
    ns2.webgate2000.com             204.188.76.2

  Johnson, Bernard
    359 Nelson St
     Pontiac, MI, USA 48342-1545
    Phone: 248-332-6526

From: "bjohnson" <bjohnson000@oakland-info.com>
Subject: fraud by using my pin number
Date: Tue, 15 Dec 1998 00:29:15 -0500
<Quote>
Bernard R. Johnson
1-248-332-6526
P. S. thank you for the leads it did generate, but CEASE and DESIST!
</Quote>
Reference: http://www-2.cs.cmu.edu/~dst/ATG/bjohnson-email.txt

From: "bjohnson" (bjohnson000@oakland-info.com)
Subject: Mark Yarnell Starts New Networking Company!
Newsgroups: alt.business.home
Date: 1998/11/22
http://groups.google.ca/groups?selm=bX062.1883%24Ey.3034490%40WReNphoon2&oe=UTF-8

=========================================

  Host name: webgate2000.com
IP address: 204.188.78.152

  Whois: webgate2000.com

Registrant: Web Gate 2000 (WEBGATE6-DOM)
             1 North Saginaw suite 202
             Pontiac, MI 48342, US
Administrative Contact, Technical Contact:
            Johnson, Bernie  (BJ3881)      webmaster@MICHIGANCONNECT.COM
            Michigan Connect
            1 N. Saginaw Suite 202, Pontiac, MI 48342
            248.334.7885 (FAX) 248.334.0763
    Record expires on 21-Mar-2004.
    Record created on 21-Mar-1999.
    Database last updated on 4-Mar-2003 14:54:35 EST.
Domain servers in listed order:
    NS.WEBGATE2000.COM           204.188.77.136
    NS2.WEBGATE2000.COM          204.188.76.2




=== Michigan Connect got more spammers onboard ===
Path: uni-berlin.de!fu-berlin.de!nf3.bellglobal.com!sjc70.webusenet.com
 !news.webusenet.com!news03.bloor.is.net.cable.rogers.com
 !news04.bloor.is.net.cable.rogers.com.POSTED!not-for-mail
From: David Ramalho <earthscibbs@rogers.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b)
  Gecko/20030210
X-Accept-Language: en-us, en, ar, zh, fr, de-de, en-gb, es-es, ja, ko-kr, ko
MIME-Version: 1.0
Newsgroups: news.admin.net-abuse.email
Subject: bullet-proof bulk ISPs
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 18
Message-ID: <sErba.91358$em1.73371@news04.bloor.is.net.cable.rogers.com>
Date: Tue, 11 Mar 2003 20:27:04 GMT
NNTP-Posting-Host: 24.101.155.214
X-Complaints-To: abuse@rogers.com
X-Trace: news04.bloor.is.net.cable.rogers.com 1047414424 24.101.155.214 (Tue, 11
  Mar 2003 15:27:04 EST)
NNTP-Posting-Date: Tue, 11 Mar 2003 15:27:04 EST
Xref: uni-berlin.de news.admin.net-abuse.email:1937529

Good afternoon

So much for "bullet-proof bulk ISPs".

Host name: www.coldmedia.com
Host name: coldmedia.com
IP address: Error: Try again

  Simon Wong is now fully over at IP: 12.148.59.98
madwebextractor.com
1desktopserver.com
bulkemail.ca
1bulkemailsoftware.com
  etc.. etc...

  Regards
  David Ramalho

  
  
=== AT&T has finally kicked them, after their SPEWS listing was increased ===
=== to include the whole [12.148.45.0 - 12.148.70.255] IP range. ===
Path: uni-berlin.de!fu-berlin.de!news.maxwell.syr.edu!wn14feed!worldnet.att.net
 !bgtnsc04-news.ops.worldnet.att.net.POSTED!not-for-mail
From: AT&T Dedicated AUP Enforcement Team <abuse@att.net>
Newsgroups: news.admin.net-abuse.email
Subject: SPEWS S1457
Message-ID: <4e30av0tqhnii8vujfgeicghrpb7ivf2qa@4ax.com>
X-Newsreader: Forte Free Agent 1.92/32.572
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 14
Date: Fri, 18 Apr 2003 14:42:08 GMT
NNTP-Posting-Host: 12.1.231.121
X-Complaints-To: abuse@worldnet.att.net
X-Trace: bgtnsc04-news.ops.worldnet.att.net 1050676928 12.1.231.121 (Fri, 18 Apr
  2003 14:42:08 GMT)
NNTP-Posting-Date: Fri, 18 Apr 2003 14:42:08 GMT
Organization: AT&T Worldnet
Xref: uni-berlin.de news.admin.net-abuse.email:1963960

Please remove the following from S1457.

Michigan Connect has been removed from our network!

1, 12.148.59.0/24, webgate2000.com / e-mich.com (Angelo Tirico /
metamax4life.us / NS2.TIGERHOSTING.COM)
1, 12.148.56.0 - 12.148.59.255, webgate2000.com / e-mich.com (ATT)
1, 12.148.45.0 - 12.148.70.255, ATT (webgate2000.com / e-mich.com)

Your time is appreciated!

Have a GREAT DAY!

AT&T Dedicated AUP Enforcement Team



=== My reply ===
Received: (from dolphin@localhost)
by mail.dolphinwave.org (8.11.6/8.11.6) id h3IG7DY31169;
Fri, 18 Apr 2003 19:07:13 +0300
To: usenet-Apr+nanae@2003.dolphinwave.org
Message-Id: <slrnba08lh.u4m.usenet-Apr+nanae@orca.dolphinwave.org>
Posted-To: news.admin.net-abuse.email
From: Dolphin <usenet-Apr+nanae@2003.dolphinwave.org>
Subject: Re: SPEWS S1457
References: <4e30av0tqhnii8vujfgeicghrpb7ivf2qa@4ax.com>
Organization: Private person
Sender: Alexander Sheremet <usenet-Apr+nanae@2003.dolphinwave.org>
X-SPEWS: I am not
X-newsgroup: news.admin.net-abuse.email
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579
Date: Fri, 18 Apr 2003 19:07:13 +0300
X-Loop: dev.null@dolphinwave.org
Status: R 
X-Status: N

On Fri, 18 Apr 2003 14:42:08 GMT AT&T Dedicated AUP Enforcement Team <abuse@att.net>
wrote in message <4e30av0tqhnii8vujfgeicghrpb7ivf2qa@4ax.com>:
> Please remove the following from S1457.
> 
> Michigan Connect has been removed from our network!

You was warned about this spamhaus operation numerous times as long
as 4 months ago!
http://www.DolphinWave.org/spam/MichiganConnect.txt

And I have a special pleasure to remind you about this:
http://groups.google.com/groups?selm=200302201440.42542%402003.dolphinwave.org

Personally, I would like to hear a really serious reason as on why you
did not remove the proved spammer, whose whole network operation is
providing the spam-hosting to spammers, before I would even think of
removing the [12.148.56.0 - 12.148.59.255] from my personal deny lists.

> 1, 12.148.59.0/24, webgate2000.com / e-mich.com (Angelo Tirico /
> metamax4life.us / NS2.TIGERHOSTING.COM)
> 1, 12.148.56.0 - 12.148.59.255, webgate2000.com / e-mich.com (ATT)
> 1, 12.148.45.0 - 12.148.70.255, ATT (webgate2000.com / e-mich.com)
> 
> Your time is appreciated!

If I was SPEWS, you would be stuck there for at least the next 4
months, too, for *knowingly* providing your services to the spam
operation, and *refusing* to deal with it in a timely manner. But
I'm not SPEWS, so you probably will be luckier, after this would
also be fixed, I believe:

$ jwhois 12.148.59.0
[Querying whois.arin.net]
[whois.arin.net]
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
                 12.0.0.0 - 12.255.255.255
MICHIGAN CONNECT MICHIGAN31-56 (NET-12-148-56-0-1)
                 12.148.56.0 - 12.148.59.255

# ARIN WHOIS database, last updated 2003-04-17 20:10

> Have a GREAT DAY!

Wet, I do, for sure!

> AT&T Dedicated AUP Enforcement Team

Dolphin.

-- 
URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
ICQ: 6615461
 

 
=== Michigan Connect also does the web harvesting ===
Path: uni-berlin.de!cust-62-219-88-74.cust.bezeqint.NET!not-for-mail
From: Dolphin <usenet-Apr+nanae@2003.dolphinwave.org>
Newsgroups: news.admin.net-abuse.email
Subject: [SPEWS] S945, S1457: Michigan Connect: web harvesting.
Date: 25 Apr 2003 12:25:45 GMT
Organization: Private person
Lines: 75
Sender: Alexander Sheremet <usenet-Apr+nanae@2003.dolphinwave.org>
Message-ID: <slrnbaia85.d0d.usenet-Apr+nanae@orca.dolphinwave.org>
NNTP-Posting-Host: cust-62-219-88-74.cust.bezeqint.net (62.219.88.74)
X-Trace: fu-berlin.de 1051273545 8591317 62.219.88.74 (16 [104765])
X-SPEWS: I am not
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
User-Agent: slrn/0.9.7.4 (Linux)
Xref: uni-berlin.de news.admin.net-abuse.email:1968961

Today I've accidentally noticed these spammers'-hosters harvesting through
all my web pages, using several of their IPs in the different IP ranges
simultaneously (which means that it was not one of their "customers", but
rather them doing the harvest, themselves). Well, I hope they were enjoying
the web-poison harvest.

They also were using a new (for me) IP 64.186.52.244 in the US Signal
IP range [64.186.32.0 - 64.186.63.255]. 64.186.52.244 resloves as
host-244-32-186-64.e-mich.com. Interesting that 64.186.53.244 and
64.186.51.244 (and around the /24s) resolve to the similar-named one:
host-244-32-186-64.ussignalcom.net. At least the 64.186.52.128-255
has .e-mich.com rDNS, and should be blocked. I will send the US Signal
a headsup about these abusers (but according to SPEWS records, I don't
hold my breath).
http://www.DolphinWave.org/spam/MichiganConnect.txt

At this moment the 64.186.52.128/25 IP range is in SPEWS S945 for
npag.net / executive-level.com:
1, 64.186.52.128/25, npag.net / executive-level.com (ussignalcom.net)

And in the Michigan Connect own SPEWS listing: S1457:
1, 64.186.52.0/24, e-mich.com (ussignalcom.net).


======= Web harvesting examples =======
204.188.77.180 - - [21/Apr/2003:02:31:12 +0300] "GET
  /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:17 +0300] "GET /guestbook.php HTTP/1.1"
  404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:21 +0300] "GET /spam/opt-in_network.txt
  HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:22 +0300] "GET / HTTP/1.1" 200 5307 "-"
  "Mac Finder 1.0.43"
<...>
204.188.77.180 - - [21/Apr/2003:02:32:05 +0300] "GET /cgi-bin/leads.html
  HTTP/1.1" 200 2745 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:07 +0300] "GET /Dolphin-pgp.asc HTTP/1.1"
  200 8138 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:12 +0300] "GET
  /Media/Video/SpringGames.asf HTTP/1.1" 200 12282 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:18 +0300] "GET /cgi-bin/leads.html/aspen
  HTTP/1.1" 200 3416 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:25 +0300] "GET /cgi-bin/leads.html/Shmuel
  HTTP/1.1" 200 993 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:32 +0300] "GET
  /cgi-bin/leads.html/welcomed HTTP/1.1" 200 1318 "-" "Mac Finder 1.0.43"
<...>
204.188.77.180 - - [21/Apr/2003:02:33:07 +0300] "GET /aim:goim?screenname=SurizX
  HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:08 +0300] "GET / HTTP/1.1" 200 5307 "-"
  "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:11 +0300] "GET /main.html HTTP/1.1" 200
  13757 "-" "Mac Finder 1.0.43"
<...>
204.188.78.197 - - [21/Apr/2003:03:14:24 +0300] "GET
  /Dolphin-Ring/DolphinRing.wav HTTP/1.1" 200 16474 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:50:56 +0300] "GET
  /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:52:06 +0300] "GET /guestbook.php HTTP/1.1"
  404 295 "-" "Mac Finder 1.0.43"
<...>
204.188.78.196 - - [21/Apr/2003:06:22:23 +0300] "GET
  /guestbook.php?act=show&page=3 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:26 +0300] "GET
  /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:36 +0300] "GET /guestbook.php HTTP/1.1"
  404 295 "-" "Mac Finder 1.0.43"
<...>
204.188.77.145 - - [21/Apr/2003:09:21:26 +0300] "GET /aim:goim?screenname=SurizX
  HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:25:59 +0300] "GET
  /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:26:08 +0300] "GET /guestbook.php HTTP/1.1" 404
  295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:26:20 +0300] "GET /spam/opt-in_network.txt
  HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
<...>
Here goes the multi-IP harvesting:
64.186.52.244 - - [25/Apr/2003:12:30:26 +0300] "GET /cgi-bin/leads.html/punched
  HTTP/1.1" 200 3289 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:39 +0300] "GET /cgi-bin/leads.html/appear
  HTTP/1.1" 200 2309 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:49 +0300] "GET /cgi-bin/leads.html/redneck
  HTTP/1.1" 200 2240 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:30:50 +0300] "GET
  /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:01 +0300] "GET /guestbook.php HTTP/1.1"
  404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:06 +0300] "GET /Guestbook/guestbook.php
  HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:14 +0300] "GET /spam/opt-in_network.txt
  HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:22 +0300] "GET / HTTP/1.1" 200 5307 "-"
  "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:39 +0300] "GET /guestbook.php?act=show
  HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
<...>

And so on...

Dolphin.

--
 URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
 ICQ: 6615461

 

=== Web server logs ===
204.188.77.180 - - [21/Apr/2003:02:31:12 +0300] "GET /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:17 +0300] "GET /guestbook.php HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:21 +0300] "GET /spam/opt-in_network.txt HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:22 +0300] "GET / HTTP/1.1" 200 5307 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:29 +0300] "GET /main.html HTTP/1.1" 200 13757 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:31 +0300] "GET /S-trap/mail.html HTTP/1.1" 200 1565 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:32 +0300] "GET /about-me.html HTTP/1.1" 200 9435 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:38 +0300] "GET /phins.html HTTP/1.1" 200 7208 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:42 +0300] "GET /cet-link.html HTTP/1.1" 200 5891 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:45 +0300] "GET /ocean.html HTTP/1.1" 200 4785 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:47 +0300] "GET /PhotoGallery/index.html HTTP/1.1" 200 1346 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:49 +0300] "GET /show.html HTTP/1.1" 404 291 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:50 +0300] "GET /thumbs.html HTTP/1.1" 404 293 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:51 +0300] "GET /fun.html HTTP/1.1" 200 10449 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:56 +0300] "GET /Sounds/index.html HTTP/1.1" 200 1355 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:58 +0300] "GET /Dolphin-Ring/DolphinRing.wav HTTP/1.1" 200 16474 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:05 +0300] "GET /cgi-bin/leads.html HTTP/1.1" 200 2745 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:07 +0300] "GET /Dolphin-pgp.asc HTTP/1.1" 200 8138 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:12 +0300] "GET /Media/Video/SpringGames.asf HTTP/1.1" 200 12282 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:18 +0300] "GET /cgi-bin/leads.html/aspen HTTP/1.1" 200 3416 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:25 +0300] "GET /cgi-bin/leads.html/Shmuel HTTP/1.1" 200 993 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:32 +0300] "GET /cgi-bin/leads.html/welcomed HTTP/1.1" 200 1318 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:37 +0300] "GET /Guestbook/guestbook.php HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:40 +0300] "GET /guestbook.php?act=show HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:41 +0300] "GET /guestbook.php?act=search HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:43 +0300] "GET /guestbook.php?act=new HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:44 +0300] "GET /guestbook.php?act=show&page=2 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:45 +0300] "GET /guestbook.php?act=show&page=3 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:46 +0300] "GET /guestbook.php?act=show&page=4 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:47 +0300] "GET /guestbook.php?act=show&page=5 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:49 +0300] "GET /Guestbook/guestbook.php?act=show HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:58 +0300] "GET /Guestbook/guestbook.php?act=show&page=2 HTTP/1.1" 200 16715 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:33:04 +0300] "GET /guestbook.php?act=show&page=1 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:33:05 +0300] "GET /aim:goim?screenname=Ikiri HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:33:07 +0300] "GET /aim:goim?screenname=SurizX HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:08 +0300] "GET / HTTP/1.1" 200 5307 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:11 +0300] "GET /main.html HTTP/1.1" 200 13757 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:12 +0300] "GET /S-trap/mail.html HTTP/1.1" 200 1565 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:13 +0300] "GET /about-me.html HTTP/1.1" 200 9435 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:15 +0300] "GET /phins.html HTTP/1.1" 200 7208 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:16 +0300] "GET /cet-link.html HTTP/1.1" 200 5891 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:17 +0300] "GET /ocean.html HTTP/1.1" 200 4785 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:19 +0300] "GET /PhotoGallery/index.html HTTP/1.1" 200 1346 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:20 +0300] "GET /show.html HTTP/1.1" 404 291 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:20 +0300] "GET /thumbs.html HTTP/1.1" 404 293 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:21 +0300] "GET /fun.html HTTP/1.1" 200 10449 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:23 +0300] "GET /Sounds/index.html HTTP/1.1" 200 1355 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:24 +0300] "GET /Dolphin-Ring/DolphinRing.wav HTTP/1.1" 200 16474 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:50:56 +0300] "GET /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:52:06 +0300] "GET /guestbook.php HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:53:41 +0300] "GET /spam/opt-in_network.txt HTTP/1.1" 200 78968 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:54:40 +0300] "GET / HTTP/1.1" 200 5307 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:55:47 +0300] "GET /main.html HTTP/1.1" 200 13757 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:59:44 +0300] "GET /S-trap/mail.html HTTP/1.1" 200 1565 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:00:53 +0300] "GET /about-me.html HTTP/1.1" 200 9435 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:01:43 +0300] "GET /phins.html HTTP/1.1" 200 7208 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:02:46 +0300] "GET /cet-link.html HTTP/1.1" 200 5891 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:03:41 +0300] "GET /ocean.html HTTP/1.1" 200 4785 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:04:26 +0300] "GET /PhotoGallery/index.html HTTP/1.1" 200 1346 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:05:20 +0300] "GET /show.html HTTP/1.1" 404 291 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:06:41 +0300] "GET /thumbs.html HTTP/1.1" 404 293 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:07:26 +0300] "GET /fun.html HTTP/1.1" 200 10449 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:08:16 +0300] "GET /Sounds/index.html HTTP/1.1" 200 1355 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:09:31 +0300] "GET /Dolphin-Ring/DolphinRing.wav HTTP/1.1" 200 30474 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:10:40 +0300] "GET /cgi-bin/leads.html HTTP/1.1" 200 2664 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:11:39 +0300] "GET /Dolphin-pgp.asc HTTP/1.1" 200 8138 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:12:45 +0300] "GET /Media/Video/SpringGames.asf HTTP/1.1" 200 16482 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:13:44 +0300] "GET /cgi-bin/leads.html/tubs HTTP/1.1" 200 2327 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:14:55 +0300] "GET /cgi-bin/leads.html/tailed HTTP/1.1" 200 1502 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:16:12 +0300] "GET /cgi-bin/leads.html/imbibe HTTP/1.1" 200 1463 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:17:22 +0300] "GET /Guestbook/guestbook.php HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:18:25 +0300] "GET /guestbook.php?act=show HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:19:26 +0300] "GET /guestbook.php?act=search HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:20:19 +0300] "GET /guestbook.php?act=new HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:21:11 +0300] "GET /guestbook.php?act=show&page=2 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:06:22:23 +0300] "GET /guestbook.php?act=show&page=3 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:26 +0300] "GET /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:36 +0300] "GET /guestbook.php HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:39 +0300] "GET /spam/opt-in_network.txt HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:41 +0300] "GET / HTTP/1.1" 200 5307 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:49 +0300] "GET /main.html HTTP/1.1" 200 13757 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:53 +0300] "GET /S-trap/mail.html HTTP/1.1" 200 1565 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:55 +0300] "GET /about-me.html HTTP/1.1" 200 9435 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:16 +0300] "GET /phins.html HTTP/1.1" 200 7208 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:21 +0300] "GET /cet-link.html HTTP/1.1" 200 5891 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:25 +0300] "GET /ocean.html HTTP/1.1" 200 4785 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:29 +0300] "GET /PhotoGallery/index.html HTTP/1.1" 200 1346 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:31 +0300] "GET /show.html HTTP/1.1" 404 291 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:33 +0300] "GET /thumbs.html HTTP/1.1" 404 293 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:35 +0300] "GET /fun.html HTTP/1.1" 200 10449 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:40 +0300] "GET /Sounds/index.html HTTP/1.1" 200 1355 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:44 +0300] "GET /Dolphin-Ring/DolphinRing.wav HTTP/1.1" 200 12274 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:52 +0300] "GET /cgi-bin/leads.html HTTP/1.1" 200 1509 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:19:55 +0300] "GET /Dolphin-pgp.asc HTTP/1.1" 200 8138 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:08 +0300] "GET /Media/Video/SpringGames.asf HTTP/1.1" 200 12282 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:16 +0300] "GET /cgi-bin/leads.html/launch HTTP/1.1" 200 1174 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:22 +0300] "GET /cgi-bin/leads.html/drawbridges HTTP/1.1" 200 1950 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:30 +0300] "GET /cgi-bin/leads.html/bystander HTTP/1.1" 200 1881 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:40 +0300] "GET /Guestbook/guestbook.php HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:43 +0300] "GET /guestbook.php?act=show HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:45 +0300] "GET /guestbook.php?act=search HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:47 +0300] "GET /guestbook.php?act=new HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:49 +0300] "GET /guestbook.php?act=show&page=2 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:51 +0300] "GET /guestbook.php?act=show&page=3 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:54 +0300] "GET /guestbook.php?act=show&page=4 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:56 +0300] "GET /guestbook.php?act=show&page=5 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:20:58 +0300] "GET /Guestbook/guestbook.php?act=show HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:21:07 +0300] "GET /Guestbook/guestbook.php?act=show&page=2 HTTP/1.1" 200 16715 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:21:19 +0300] "GET /guestbook.php?act=show&page=1 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:21:24 +0300] "GET /aim:goim?screenname=Ikiri HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:21:26 +0300] "GET /aim:goim?screenname=SurizX HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:25:59 +0300] "GET /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:26:08 +0300] "GET /guestbook.php HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:26:20 +0300] "GET /spam/opt-in_network.txt HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:26:46 +0300] "GET /main.html HTTP/1.1" 200 13757 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:27:11 +0300] "GET /S-trap/mail.html HTTP/1.1" 200 1565 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:27:13 +0300] "GET /about-me.html HTTP/1.1" 200 9435 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:27:17 +0300] "GET /phins.html HTTP/1.1" 200 7208 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:27:28 +0300] "GET /cet-link.html HTTP/1.1" 200 5891 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:28:03 +0300] "GET /ocean.html HTTP/1.1" 200 4785 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:28:08 +0300] "GET /PhotoGallery/index.html HTTP/1.1" 200 1346 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:28:10 +0300] "GET /show.html HTTP/1.1" 404 291 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:28:19 +0300] "GET /thumbs.html HTTP/1.1" 404 293 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:28:34 +0300] "GET /fun.html HTTP/1.1" 200 10449 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:29:42 +0300] "GET /Sounds/index.html HTTP/1.1" 200 1355 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:29:52 +0300] "GET /Dolphin-Ring/DolphinRing.wav HTTP/1.1" 200 12274 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:00 +0300] "GET /cgi-bin/leads.html HTTP/1.1" 200 2901 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:05 +0300] "GET /Dolphin-pgp.asc HTTP/1.1" 200 8138 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:11 +0300] "GET /Media/Video/SpringGames.asf HTTP/1.1" 200 12282 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:26 +0300] "GET /cgi-bin/leads.html/punched HTTP/1.1" 200 3289 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:39 +0300] "GET /cgi-bin/leads.html/appear HTTP/1.1" 200 2309 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:49 +0300] "GET /cgi-bin/leads.html/redneck HTTP/1.1" 200 2240 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:30:50 +0300] "GET /Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:01 +0300] "GET /guestbook.php HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:06 +0300] "GET /Guestbook/guestbook.php HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:14 +0300] "GET /spam/opt-in_network.txt HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:22 +0300] "GET / HTTP/1.1" 200 5307 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:39 +0300] "GET /guestbook.php?act=show HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:44 +0300] "GET /guestbook.php?act=search HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:46 +0300] "GET /guestbook.php?act=new HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:49 +0300] "GET /guestbook.php?act=show&page=2 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:50 +0300] "GET /guestbook.php?act=show&page=3 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:54 +0300] "GET /guestbook.php?act=show&page=4 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:57 +0300] "GET /guestbook.php?act=show&page=5 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:58 +0300] "GET /main.html HTTP/1.1" 200 13757 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:32:08 +0300] "GET /S-trap/mail.html HTTP/1.1" 200 1565 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:32:19 +0300] "GET /about-me.html HTTP/1.1" 200 9435 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:32:41 +0300] "GET /Guestbook/guestbook.php?act=show HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:32:43 +0300] "GET /phins.html HTTP/1.1" 200 7208 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:32:58 +0300] "GET /cet-link.html HTTP/1.1" 200 5891 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:33:04 +0300] "GET /ocean.html HTTP/1.1" 200 4785 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:33:09 +0300] "GET /PhotoGallery/index.html HTTP/1.1" 200 1346 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:33:15 +0300] "GET /show.html HTTP/1.1" 404 291 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:33:22 +0300] "GET /Guestbook/guestbook.php?act=show&page=2 HTTP/1.1" 200 16715 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:33:27 +0300] "GET /thumbs.html HTTP/1.1" 404 293 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:33:30 +0300] "GET /fun.html HTTP/1.1" 200 10449 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:33:42 +0300] "GET /Sounds/index.html HTTP/1.1" 200 1355 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:33:50 +0300] "GET /Dolphin-Ring/DolphinRing.wav HTTP/1.1" 200 12274 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:33:57 +0300] "GET /guestbook.php?act=show&page=1 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:33:59 +0300] "GET /aim:goim?screenname=Ikiri HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:34:01 +0300] "GET /aim:goim?screenname=SurizX HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:34:07 +0300] "GET /cgi-bin/leads.html HTTP/1.1" 200 2259 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:34:18 +0300] "GET /Dolphin-pgp.asc HTTP/1.1" 200 8138 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:34:37 +0300] "GET /Media/Video/SpringGames.asf HTTP/1.1" 200 12282 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:34:47 +0300] "GET /cgi-bin/leads.html/emulators HTTP/1.1" 200 2531 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:34:56 +0300] "GET /cgi-bin/leads.html/enclosure HTTP/1.1" 200 2714 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:35:06 +0300] "GET /cgi-bin/leads.html/Hickok HTTP/1.1" 200 2671 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:35:24 +0300] "GET /Guestbook/guestbook.php HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:35:50 +0300] "GET /guestbook.php?act=show HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:35:53 +0300] "GET /guestbook.php?act=search HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:35:55 +0300] "GET /guestbook.php?act=new HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:35:57 +0300] "GET /guestbook.php?act=show&page=2 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:35:59 +0300] "GET /guestbook.php?act=show&page=3 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:36:08 +0300] "GET /guestbook.php?act=show&page=4 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:36:15 +0300] "GET /guestbook.php?act=show&page=5 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:37:06 +0300] "GET /Guestbook/guestbook.php?act=show HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:37:26 +0300] "GET /Guestbook/guestbook.php?act=show&page=2 HTTP/1.1" 200 16715 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:37:38 +0300] "GET /guestbook.php?act=show&page=1 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:37:42 +0300] "GET /aim:goim?screenname=Ikiri HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:37:57 +0300] "GET /aim:goim?screenname=SurizX HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"



=== My complaint ===
Content-Type: text/plain;
 charset="us-ascii"
From: Admin <abuse@2003.dolphinwave.org>
Reply-To: abuse@2003.dolphinwave.org
Organization: Private person
To: <abuse@2003.dolphinwave.org>,
nanas-sub@cybernothing.org,
postmaster@ussignalcom.net,
abuse@ussignalcom.net,
jvanslyke@rvpdevelopment.com,
spamcomplaints@cw.net,
abuse@cw.net,
trouble@cw.net
Subject: [email] Michigan Connect: web harvesting.
Date: Sat, 26 Apr 2003 17:25:02 +0300
User-Agent: KMail/1.4.3
X-Complaints-To: abuse@dolphinwave.org (live person)
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579
X-No-Confirm: Yes
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200304261725.02364@2003.dolphinwave.org>
Status: RO
X-Status: S

Today I've accidentally noticed these spammers'-hosters and persistent
abusers repeatedly harvesting through all my web pages, using several of
their IPs in the different IP ranges simultaneously (which means that it
was not one of their "customers", but rather them doing the harvest,
themselves).

At this moment the 64.186.52.128/25 IP range is in SPEWS S945 for
npag.net / executive-level.com:
http://www.spews.org/html/S945.html
<QUOTE>
1, 64.186.52.128/25, npag.net / executive-level.com (ussignalcom.net).
</QUOTE>

And in the Michigan Connect own SPEWS listing, S1457:
http://www.spews.org/html/S1457.html
<QUOTE>
1, 64.186.52.0/24, e-mich.com (ussignalcom.net).
</QUOTE>

The 204.188.76.0-204.188.79.255 IP range is in SPEWS S1457 listing, as well:
<QUOTE>
1, 204.188.76.0 - 204.188.79.255, webgate2000.com (C&W).
</QUOTE>

The history of the spam-operations of Michigan Connect is archived:
http://www.DolphinWave.org/spam/MichiganConnect.txt


======= Web server logs =======
204.188.77.180 - - [21/Apr/2003:02:31:12 +0300] "GET 
/Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:17 +0300] "GET /guestbook.php HTTP/1.1" 
404 295 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:21 +0300] "GET /spam/opt-in_network.txt 
HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:31:22 +0300] "GET / HTTP/1.1" 200 5307 "-" 
"Mac Finder 1.0.43"
<...>
204.188.77.180 - - [21/Apr/2003:02:32:05 +0300] "GET /cgi-bin/leads.html 
HTTP/1.1" 200 2745 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:07 +0300] "GET /Dolphin-pgp.asc 
HTTP/1.1" 200 8138 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:12 +0300] "GET 
/Media/Video/SpringGames.asf HTTP/1.1" 200 12282 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:18 +0300] "GET /cgi-bin/leads.html/aspen 
HTTP/1.1" 200 3416 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:25 +0300] "GET 
/cgi-bin/leads.html/Shmuel HTTP/1.1" 200 993 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [21/Apr/2003:02:32:32 +0300] "GET 
/cgi-bin/leads.html/welcomed HTTP/1.1" 200 1318 "-" "Mac Finder 1.0.43"
<...>
204.188.77.180 - - [21/Apr/2003:02:33:07 +0300] "GET 
/aim:goim?screenname=SurizX HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:08 +0300] "GET / HTTP/1.1" 200 5307 "-" 
"Mac Finder 1.0.43"
204.188.78.197 - - [21/Apr/2003:03:14:11 +0300] "GET /main.html HTTP/1.1" 200 
13757 "-" "Mac Finder 1.0.43"
<...>
204.188.78.197 - - [21/Apr/2003:03:14:24 +0300] "GET 
/Dolphin-Ring/DolphinRing.wav HTTP/1.1" 200 16474 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:50:56 +0300] "GET 
/Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [21/Apr/2003:05:52:06 +0300] "GET /guestbook.php HTTP/1.1" 
404 295 "-" "Mac Finder 1.0.43"
<...>
204.188.78.196 - - [21/Apr/2003:06:22:23 +0300] "GET 
/guestbook.php?act=show&page=3 HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:26 +0300] "GET 
/Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.145 - - [21/Apr/2003:09:18:36 +0300] "GET /guestbook.php HTTP/1.1" 
404 295 "-" "Mac Finder 1.0.43"
<...>
204.188.77.145 - - [21/Apr/2003:09:21:26 +0300] "GET 
/aim:goim?screenname=SurizX HTTP/1.1" 404 290 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:25:59 +0300] "GET 
/Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:26:08 +0300] "GET /guestbook.php HTTP/1.1" 
404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:26:20 +0300] "GET /spam/opt-in_network.txt 
HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
<...>

Here goes the multi-IP harvesting:

64.186.52.244 - - [25/Apr/2003:12:30:26 +0300] "GET 
/cgi-bin/leads.html/punched HTTP/1.1" 200 3289 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:39 +0300] "GET /cgi-bin/leads.html/appear 
HTTP/1.1" 200 2309 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:30:49 +0300] "GET 
/cgi-bin/leads.html/redneck HTTP/1.1" 200 2240 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:30:50 +0300] "GET 
/Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:01 +0300] "GET /guestbook.php HTTP/1.1" 
404 295 "-" "Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:06 +0300] "GET /Guestbook/guestbook.php 
HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:14 +0300] "GET /spam/opt-in_network.txt 
HTTP/1.1" 200 12285 "-" "Mac Finder 1.0.43"
204.188.77.180 - - [25/Apr/2003:12:31:22 +0300] "GET / HTTP/1.1" 200 5307 "-" 
"Mac Finder 1.0.43"
64.186.52.244 - - [25/Apr/2003:12:31:39 +0300] "GET /guestbook.php?act=show 
HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
<...>

204.188.78.196 - - [26/Apr/2003:10:54:09 +0300] "GET 
/Guestbook/guestbook.php?act=new HTTP/1.1" 200 8850 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:10:56:25 +0300] "GET /guestbook.php HTTP/1.1" 
404 295 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:10:58:48 +0300] "GET /spam/opt-in_network.txt 
HTTP/1.1" 200 15085 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:11:01:01 +0300] "GET / HTTP/1.1" 200 5307 "-" 
"Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:11:03:14 +0300] "GET /main.html HTTP/1.1" 200 
13757 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:11:07:26 +0300] "GET /S-trap/mail.html 
HTTP/1.1" 200 1565 "-" "Mac Finder 1.0.43"
<...>
204.188.78.196 - - [26/Apr/2003:11:45:25 +0300] "GET /cgi-bin/leads.html 
HTTP/1.1" 200 3018 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:11:47:57 +0300] "GET /Dolphin-pgp.asc 
HTTP/1.1" 200 8138 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:12:16:55 +0300] "GET 
/Media/Video/SpringGames.asf HTTP/1.1" 200 19282 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:12:18:12 +0300] "GET /Guestbook/guestbook.php 
HTTP/1.1" 200 18367 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:12:19:02 +0300] "GET /guestbook.php?act=show 
HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
204.188.78.196 - - [26/Apr/2003:12:20:05 +0300] "GET /guestbook.php?act=search 
HTTP/1.1" 404 295 "-" "Mac Finder 1.0.43"
<...>

And so on...



=== Bernie of Michigan Connect tries to put a dirt on the Spamhaus and Steve ===
From: spamkill3r@yahoo.com (Richard Randolph)
Newsgroups: news.admin.net-abuse.email
Subject: SPAM HAUS DOUBLE STANDARDS
Date: 21 Sep 2003 12:06:25 -0700
Organization: http://groups.google.com/
Lines: 55
Message-ID: <820d4a19.0309211106.345fa682@posting.google.com>
NNTP-Posting-Host: 204.188.78.197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1064171186 20378 127.0.0.1 (21 Sep 2003 19:06:26 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: 21 Sep 2003 19:06:26 GMT


To whom may be interested,
 
It seems that Mr. Steve Linford of Spam Haus, has been trying to make
deals with spammers and spam hosters.  He has been offering complete
removal from the SBL and Rosko in exchange for information on who has
been DDOS attacking the DNSBL, and for information on spammers.
 
We have emails given to us by an anonymous spam hosters attorney, that
claim he is done with spam and is willing to help the fight against
spam any way he can, in these emails Mr. Steve Linford actually
threatens to keep a certain spammer on the SBL and Rosko "for years"
if they do not give up information, on the people responsible for the
DDOS attacks.
 
Mr. Linford goes on further to tell the spammer, after he promised not
to divulge the spammers identity, that  he will publicly show the
correspondence between Mr. Linford and the spammer, if he does not
cooperate.
 
According to this spammers attorney, he told Spam Haus that he might
be willing to offer up some info on the DDOS attacks, in exchange for
removal from the Spam Haus SBL and their Rosko listings.
 
When this spammer declines to give up the information, Mr. Linford
then accuses him of being part of the DOS attacks and threatens to
continue the Black Listing for years and also his Bandwidth provider,
if the spammer does not co-operate.
 
We find this repulsive, that Mr. Linford would try and make deals with
spammers in exchange for information, and then when the spammer tells
him that the information he has may be unreliable, and not supported
by valid verification, Mr. Linford privately threatens him, to
pressure him into giving the information, or else.  Here is a quote of
Mr. Steve Linford:
 
"You forget who's holding the 
cards here, we will keep you blocked for years."
 

If you would be interested in seeing these emails, contact me off
list, and after we have provided them to the online and offline news
sources, we will gladly supply you with a copy.
 
There seems to be a double standard going on at Spam Haus according to
these emails and logs we have obtained.
 
I for one am not going to have my clients mail filtered by an
organization that is willing to let a spammer off inexchange for
information.  I feel that the only time a spammer should be removed
from an SBL is if they prove they have completely dis-associated
themselves from spam altogether.
 
This is obviously not the feelings of Spam Haus.
 
Richard



=== Let's see what IP this post came from ===
$ jwhois 204.188.78.197
[Querying whois.arin.net]
[whois.arin.net]
Cable & Wireless CW-02-BLK (NET-204-188-0-0-1)
                                  204.188.0.0 - 204.189.255.255
VELOCITY NET CW-204-188-76 (NET-204-188-76-0-1)
                                  204.188.76.0 - 204.188.79.255

Yeah, Velocity.net - Michigan Connect



=== Steve Linford responds, providing more info ===
From: Steve Linford <linford@spamhaus.org>
Newsgroups: news.admin.net-abuse.email
Subject: Re: SPAM HAUS DOUBLE STANDARDS
Date: Sun, 21 Sep 2003 21:28:35 +0100
Organization: The Spamhaus Project
Message-ID: <linford-CA5934.21283521092003@news.supernews.com>
References: <820d4a19.0309211106.345fa682@posting.google.com>
User-Agent: MT-NewsWatcher/3.3b1 (PPC Mac OS X)
X-Complaints-To: abuse@supernews.com
Lines: 129


In article <820d4a19.0309211106.345fa682@posting.google.com>,
 spamkill3r@yahoo.com (really Bernie Johnson of Michigan Connect, LLC 
pretending to be "Richard Randolph") wrote:

> It seems that Mr. Steve Linford of Spam Haus, has been trying to make
> deals with spammers and spam hosters.  He has been offering complete
> removal from the SBL and Rosko in exchange for information on who has
> been DDOS attacking the DNSBL, and for information on spammers.

(Predictably, Bernie Johnson goes on to contradict himself, revealing 
that the offer was actually the other way round)...

> According to this spammers attorney, he told Spam Haus that he might
> be willing to offer up some info on the DDOS attacks, in exchange for
> removal from the Spam Haus SBL and their Rosko listings.

i.e: Bernie Johnson contacts Spamhaus and offers to fess up the names 
and locations of the spammers conducting the DDoS attacks... if we take 
him off the SBL/ROKSO...

----------------------------------------------------------------------

    Received: from velocity.velocitynet.net ([204.188.78.105] verified)
    by sentinel.ultradesign.net (CommuniGate Pro SMTP 4.1)
    with SMTP id 2857444 for sbl-removals@spamhaus.org@blacklisted; 
        Tue, 16 Sep 2003 19:20:24 +0100
    From: "Bernie Johnson" <bernie@e-mich.com>
    To: <sbl-removals@spamhaus.org>
    Cc: "Legal Department MC" <legal@michiganconnect.com>
    Subject: SBL listing SBL7077 204.188.76.0/22
    Date: Tue, 16 Sep 2003 14:19:57 -0400
    
    Gentlemen,
    
    We did have a domain hosted on a Bullet Proof hosting server
    for a two week period, but was removed after our last contact
    with you, that was in India.
    
    We request again that you remove us from your SBL and Rosko,
    as we are un-justly being accused of condoning this type of
    activity.
    
    I will also provide the names and domain names of several
    spammers and where they host in the US and out of the US.
    
    After this has been done I may also be willing to provide the
    names and where abouts of the networks that are DDOS attacking
    your network.

----------------------------------------------------------------------

Bernie Johnson of Michigan Connect LLC, says he has the names and 
locations of the spammers conducting criminal DDoS activity and is 
willing to send his spammers friends to jail, if we take him out of 
ROKSO/SBL. 

When told that we do not make deals where criminal information is 
concerned and that he can either give us the DDoS information or give it 
to the Feds, Bernie panicks. He is further told by me that his offer 
will be made public today, so here he is trying to make it public 
himself hoping to spin it a different way.

Among other things I did tell Bernie Johnson that we will keep him 
blocked for years, and I mean it, as Bernie also said:

----------------------------------------------------------------------

   (mailed from Yahoo because velocitynet.net was blocked by SBL)
    Received: from web60210.mail.yahoo.com ([216.109.118.105] verified)
    by sentinel.ultradesign.net (CommuniGate Pro SMTP 4.1)
    with SMTP id 2855267 for linford@spamhaus.org; 
      Tue, 16 Sep 2003 04:02:26 +0100
    Message-ID: <20030916030228.53443.qmail@web60210.mail.yahoo.com>
    Received: from [204.188.78.197] by web60210.mail.yahoo.com via HTTP;
    Mon, 15 Sep 2003 20:02:28 PDT
    Date: Mon, 15 Sep 2003 20:02:28 -0700 (PDT)
    From: B Johnson <blast4cash2003@yahoo.com>
    Subject: Michigan Connect, LLC

    I have no choice but to go back into this type of business, as
    I will continue to loose legitimate business due the the now
    re-listed black listing that you removed earlier today, and
    after we notified our client base, and even did a press
    re-lease to the effect that we will not longer condone this
    type of activity on our network and have joined the fight
    against spam.

    Since we will now look like liars to all of our clients, we
    might as well go back into the business, and at least be able
    to make a living, as you know our providers could care less
    what we do as long as we pay our bills, and continue to pay
    twice the going rate for bandwidth.  No wonder you get ddos
    attacked, you have an Spam hoster who voluntarily gets out of
    the business because he see the problems it causes on the
    internet, and has bandwidth providers who could care less what
    we do with our pipes as long a we pay our bills, and you still
    harass them and make it difficult to stop doing this type of
    business.

    So you have succeeded in once again stopping a legitimate
    business , and forcing us to make money on spam due to the
    fact you will not even stand by your own policies.

    We may not be a big company, but I can assure you of this,
    since you have harassed us and made us out to be liars, we
    will do what ever in our power to show the internet that you
    are not people of your word, and you have succeeded in putting
    us out of legitimate hosting and forced us back into spam
    hosting.

----------------------------------------------------------------------

> Here is a quote of
> Mr. Steve Linford:
>  
> "You forget who's holding the 
> cards here, we will keep you blocked for years."

Yup, and we will Bernie. I strongly advise you to quit the spam business 
for real if you want to communicate with SBL users. Plus you need to 
consult a lawyer now about the implications of withholding information 
on criminal DDoS activities, which makes you an accessory to crime.
I'd advise you to turn that info over to your lawyer now who will turn 
it over to the FBI.

-- 
  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org



=== Michigan Connect is still on Cable & Wireless ===
Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!nntp.cs.ubc.ca!newsfeed.stanford.edu!zorac
 !blocklisting.com!robomod!not-for-mail
From: Claes T <nanabl@nejtillspam.cjb.net>
Subject:  Re: Request Remove of IP Block 204.188.100/24 from spews.
Approved: NANAB Moderators <moderators@blocklisting.com>
Content-Type:  text/plain; charset=us-ascii
X-Newsreader: Forte Agent 1.9/32.560
X-Complaints-To: abuse@abc.se
Sender: nanab@zorch.sf-bay.org (Scott Hazen Mueller)
Nntp-Posting-Date: Thu, 2 Oct 2003 22:06:33 +0000 (UTC)
Content-Transfer-Encoding:  7bit
NNTP-Posting-Host: h95n3c1o299.bredband.skanova.com
Organization:  DoNotSpam, eventhough e-address IS valid
Message-ID:  <un7pnvodgap2j4fde4nvs2br5437mhfaae@4ax.com>
References:  <b65a2b9a.0310021225.1fed8217@posting.google.com>
X-Trace: oden.abc.se 1065132393 23177 217.208.174.95 (2 Oct 2003 22:06:33 GMT)
Mime-Version:  1.0
Date: Thu, 2 Oct 2003 21:15:08 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 44
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:1959

On Thu, 2 Oct 2003 19:51:06 GMT, chas@warp8.com (Chuck Schick) wrote:

>I discovered that our Class C (204.188.100/24) is listed in Spews
>under S1457.  I believe this to either be a mistaken listing or an old
>listing.
>
>When I go to http://www.spews.org/html/S1457.html it shows the
>following
>
>204.188.40.0 - 204.188.115.255, C&W (webgate2000.com)

So, C&W is listed because of webgate2000.com...

Let's have a dig:
Dig webgate2000.com@NS2.webgate2000.com (204.188.76.2)
Authoritative Answer
Recursive queries supported by this server
 Query for webgate2000.com type=255 class=1
  webgate2000.com A (Address) 204.188.78.152
...

Yes, still on C&W.

>Rockynet has confirmed they
>do not host webgate2000.com nor have they ever.

Rockynet is not the issue. Rockynets upstream is:

Cable & Wireless CW-02-BLK (NET-204-188-0-0-1)
                                  204.188.0.0 - 204.189.255.255
Rockynet.com, Inc CW-204-188-96-A (NET-204-188-96-0-1)
                                  204.188.96.0 - 204.188.111.255

>I respectfully request removal from spews of this IP Block.

I respectfully hint you to aim Rockynet in the specific direction of
C&W and have them ask C&W nicely to *stamp* *out* *webgate2000.com*
and other spammer preventing Rockynets customers getting full net
access. Access in the range 204.188.40.0 - 204.188.115.255 should be
sold at a discount until cleaned up, jm2ps.

Hope this helps,
Claes T



=== Michigan Connect speaks up, acknowleges the willful spammers hosting ===
Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu
 !zorac!blocklisting.com!robomod!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Subject:  Re: Request Remove of IP Block 204.188.100/24 from spews.
Approved: NANAB Moderators <moderators@blocklisting.com>
Content-Type:  text/plain; charset=ISO-8859-1
X-Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Scott Hazen Mueller)
Nntp-Posting-Date: Mon, 6 Oct 2003 18:57:24 +0000 (UTC)
Content-Transfer-Encoding:  8bit
NNTP-Posting-Host:  204.188.78.197
Organization: http://groups.google.com
Message-ID:  <da239e0c.0310061057.252b7efb@posting.google.com>
References:  <b65a2b9a.0310021225.1fed8217@posting.google.com>
  <slrnbnpmrh.sq0.nanae@bill.heins.net>
X-Trace: posting.google.com 1065466644 23421 127.0.0.1 (6 Oct 2003 18:57:24 GMT)
Date: Mon, 6 Oct 2003 18:50:44 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 96
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:2001

Perusion Hostmaster <nanae@bill.perusion.com> wrote in message
  news:<slrnbnpmrh.sq0.nanae@bill.heins.net>...
> In article <b65a2b9a.0310021225.1fed8217@posting.google.com>, Chuck Schick
  wrote:
> > I discovered that our Class C (204.188.100/24) is listed in Spews
> > under S1457.  I believe this to either be a mistaken listing or an old
> > listing.
> >
> > When I go to http://www.spews.org/html/S1457.html it shows the
> > following
> >
> > 204.188.40.0 - 204.188.115.255, C&W (webgate2000.com) - but when I
> > check Arin for our netblock it shows 204.188.96.0/20 to be registered
> > to Rockynet.com (our upstream provider).  Rockynet has confirmed they
> > do not host webgate2000.com nor have they ever.
> >
> > We have used this Class C since 2001 and have never had a spam
> > complaint.  Spamming is against our acceptable use policy which we
> > strictly enforce.
>
> I am glad to hear that, but in this case you are not the problem. Your
> upstream provider, Cable and Wireless, is refusing to terminate dyed-in-the-
> wool longterm spammer e-mich.com, webgate2000, and velocity.net.
>
> These folks hosted the operations of Alan Ralsky, convicted
> felon and one of the world's largest spammers. They did so for
> a long time, and pleas to C&W to remove them have been met with
> no action.
>
> So more and more of C&W space gets listed until such time as
> they get the message. Perhaps you can give them the message
> that you don't appreciate being hosted in the same neighborhood
> as criminals.
>
> >
> > I respectfully request removal from spews of this IP Block.
> >
>
> Probably won't happen until Bernie Johnson, e-mich.com, webgate2000,
> and velocity.net are gone off C&W.

Well let me please set the record straight,

I am Bernie Johnson, the owner of Webgate2000 and VelocityNet.  We
have never hotsed Alan Ralsky on our Cable and wireless feed, not our
ATT, or Cogent feeds.

We did 6 years ago allow Alan Ralsky to use a few of our dial ups to
send spam, but when we realized that we were not going to be able to
stay in business with Alan Ralsky as a customer we removed him from
our network, which at the time was Teligent, with who we had a
contract that allowed us to host spammers.

We have not nor have we ever hosted Alan Ralsky on any of our hosting
networks.

NEVER !!!!

This is not accurate information, and you are being mis-lead by
whomever wrote this posting.

We did get back into the spam hosting business back in January of 2003
as we again had a provider ATT that was turning their heads to that
type of activity, but we NEVER HOSTED Alan Ralsky.

ATT finally did call us and tell us after 4 months of this type of
activity that we along with a handfull of others that were listed in
Spews, that we would be having our lines terminated, due the the fact
that Spews had over 50% of ATT's IP addresses listed and this was the
only way that they could get their IP's removed from SPEWS.

We have since that point, completely erradicated spammers from our
network, under the warning from Cable and Wirless that we would loose
our connectivity if we didnt remove all spam hosting from our network.

We have since the end of July been clean of all spammers, and plan on
keeping our network this way, due to the fact that it cost us a great
deal of money and reputation.

I understand completely that we were part of a large problem with spam
on the internet, and us trying to make some quick cash, cost alot of
people to be indulged with spam advertisements, and that was
definately wrong for us to try and benefit from the misery of others,
and for this we publicly apologize, and assure you we will never be
part of that problem again.

We have offerd to help in this fight against spam and to offer our
assistance from the knowledge we gained while in that business.

If you are going to publicly defame us, please atlest have the
courtesy to atleast speak the truth and not fabricate stories in order
to get your point accross.

My apologies again,

Bernie Johnson
Michigan Connect, LLC



=== And another one ===
Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu
 !zorac!blocklisting.com!robomod!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Subject:  PUBLIC APOLOGY AND SET RECORD STRAIGHT
Approved: NANAB Moderators <moderators@blocklisting.com>
Content-Type:  text/plain; charset=ISO-8859-1
X-Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Scott Hazen Mueller)
Nntp-Posting-Date: Tue, 7 Oct 2003 00:12:00 +0000 (UTC)
Content-Transfer-Encoding:  8bit
NNTP-Posting-Host:  204.188.78.197
Organization: http://groups.google.com
Message-ID:  <da239e0c.0310061612.1ca9fae4@posting.google.com>
X-Spamscanner: mailbox3.ucsd.edu  (v1.2 May 26 2003 01:55:38, 1.1/5.0 2.55)
X-Spam-Level: Level *
X-Trace: posting.google.com 1065485520 6204 127.0.0.1 (7 Oct 2003 00:12:00 GMT)
X-Mailscanner: PASSED (v1.2.8 6801 h970C0kF039292 mailbox3.ucsd.edu)
Date: Mon, 6 Oct 2003 23:28:21 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 77
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:2012

Well let me please set the record straight,

I am Bernie Johnson, the owner of Webgate2000 and VelocityNet.  We
have never hotsed Alan Ralsky on our Cable and Wireless feed, or our
ATT, or Cogent feeds, or any feeds from any provider.  That was not
our association with Alan Ralsky.

We did 6 years ago, allow Alan Ralsky to use a few of our dial ups to
send spam, and we did colocate two servers at the same place as Alan
Ralsky, at Extractor Pro, but when we realized that we were not going
to be able to
stay in business with Alan Ralsky as a customer of our dial up
service, due to the intense heat, we removed him from our dial up
network, which at the time was we used Teligent for our bandwidth for
dial up and hosting, with whom we had a contract that allowed us to
host spammers.

We have not nor have we ever hosted Alan Ralsky on any of our hosting
networks.

NEVER !!!!

This is not accurate information, and you are being mis-lead by
whomever wrote this posting, stating that we hosted Alan Ralsky on our
network.

We did get back into the spam hosting business back in January of 2003
as we again had a provider ATT that was turning their heads to that
type of activity, but we NEVER HOSTED Alan Ralsky.

ATT finally did call us and tell us after 4 months of this type of
activity that we along with a handfull of others that were listed in
Spews, that we would be having our lines terminated, due the the fact
that Spews had over 50% of ATT's IP addresses listed and this was the
only way that they could get their IP's removed from SPEWS.

We have since that point, completely erradicated spammers from our
network, under the warning from Cable and Wirless that we would loose
our connectivity if we didnt remove all spam hosting from our network.

We have since the end of July been clean of all spammers, and plan on
keeping our network this way, due to the fact that it cost us a great
deal of time, money, credit card charge backs by spammers to the tune
of over $15,000.00, and reputation.

I understand completely that we were part of a large problem with spam
on the internet, and us trying to make some quick cash, cost alot of
people to be indulged with spam advertisements, and that was
definately wrong for us to try and benefit from the misery of others,
and for this we publicly apologize, and assure you we will never be
part of that problem again.

We have offerd to help in this fight against spam and to offer our
assistance from the knowledge we gained while in that business.

If you are going to publicly defame us, please atlest have the
courtesy to at least speak the truth and not fabricate stories in
order
to get your point accross. like the story about Alan Ralsky.

My apologies again, to any of the people who were obviously abused and
or effected, by our method of operation, we wrongly got back into the
spam hosting business, under the assumption that it would not do any
harm to others around us in the Internet community.  We made a foolish
decision and have definately learned from this past 7 months, that
having anything to do with clients whom even smell of spam and UCE, is
nothing but one bug headache and can cost you alot more than money in
the long run.

Please accept this as a public apology and chance to show we are
sincere when we say we are out of this business for good.  We made a
big mistake and we are sorry fro all those effected by it.

Bernie Johnson
CEO
Michigan Connect, LLC



=== Michigan Connect requests a delisting from SPEWS ===
Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu
 !zorac!blocklisting.com!robomod!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Subject:  SPEWS REMOVAL REQUEST S1457
Approved: NANAB Moderators <moderators@blocklisting.com>
Content-Type:  text/plain; charset=ISO-8859-1
X-Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Scott Hazen Mueller)
Nntp-Posting-Date: Mon, 6 Oct 2003 23:56:01 +0000 (UTC)
Content-Transfer-Encoding:  8bit
NNTP-Posting-Host:  204.188.78.197
Organization: http://groups.google.com
Message-ID:  <da239e0c.0310061556.65a82311@posting.google.com>
X-Spamscanner: mailbox3.ucsd.edu  (v1.2 May 26 2003 01:55:38, 1.1/5.0 2.55)
X-Spam-Level: Level *
X-Trace: posting.google.com 1065484561 5386 127.0.0.1 (6 Oct 2003 23:56:01 GMT)
X-Mailscanner: PASSED (v1.2.8 6801 h96Nv1Hs031084 mailbox3.ucsd.edu)
Date: Tue, 7 Oct 2003 02:20:25 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 16
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:2017

I ask that you please remove our IP addresses from your SBL, we have
completely cleaned our network of all spammers, ALL SPAMMERS, and have
not hosted any spammers for two and 1/2 months now.  Please do your
usual testing and you will see our network is completely erradicated,
and we will not be hosting any more of this type of hosting ever
again, as it cost us reputation, money and we no longer wish to be
part of the problem.

We have been clean since the end of July 2003 and respectfully ask
that you remove us.  Please let us know if there is somthing else we
need to do to be in compliance with your removal requirements, and we
will comply.

B. Johnson
Michigan Connect, LLC



=== My reply ===
Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu
 !zorac!blocklisting.com!robomod!not-for-mail
From: Dolphin <usenet-Oct+nanabl@2003.dolphinwave.org>
Subject: Re: PUBLIC APOLOGY AND SET RECORD STRAIGHT
Approved: NANAB Moderators <moderators@blocklisting.com>
X-Orig-X-Trace: news.uni-berlin.de 1065490206 16342615 217.22.112.146 (16
  [104765])
X-Pgp-Key: 0xAAE2A579
User-Agent: slrn/0.9.7.4 (Linux)
X-Pgp-Key-Fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
Sender: nanab@zorch.sf-bay.org (Scott Hazen Mueller)
X-Spews: I am not
Organization: Private person
Message-ID: <slrnbo457j.fgl.usenet-Oct+nanae@orca.dolphinwave.org>
X-Newsgroup: news.admin.net-abuse.blocklisting
References: <da239e0c.0310061612.1ca9fae4@posting.google.com>
X-Orig-Nntp-Posting-Host: 217.22.112.146
Date: Tue, 7 Oct 2003 01:37:24 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 42
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:2016

#begin  bernie@michiganconnect.com.exe (or was it Bernie.com)
 message <da239e0c.0310061612.1ca9fae4@posting.google.com> reply:
> Well let me please set the record straight,
>
> I am Bernie Johnson, the owner of Webgate2000 and VelocityNet.  We

<SNIP>
> My apologies again, to any of the people who were obviously abused and
> or effected, by our method of operation, we wrongly got back into the
> spam hosting business, under the assumption that it would not do any
> harm to others around us in the Internet community.  We made a foolish
> decision and have definately learned from this past 7 months, that
> having anything to do with clients whom even smell of spam and UCE, is
> nothing but one bug headache and can cost you alot more than money in
> the long run.
<SNIP>

And you, of course, are ready to compensate all those spam victims,
whom your spammers were abusing to no end, with you helping them to,
right?

> Please accept this as a public apology and chance to show we are
> sincere when we say we are out of this business for good.  We made a
> big mistake and we are sorry fro all those effected by it.
>
> Bernie Johnson
> CEO
> Michigan Connect, LLC

...until we find another provider, who is willing to turn blind eyes on
the spam-hosting? You've said two times that you only have disconnected
your spammers cause you was forced to by your upstream, or you would
have been disconnected, yourself. First - by AT&T, and then - by C&W,
no?

Dolphin.

--
 URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
 ICQ: 6615461



=== Bernie replies ===
Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu
 !zorac!blocklisting.com!robomod!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Subject:  Re: PUBLIC APOLOGY AND SET RECORD STRAIGHT
Approved: NANAB Moderators <moderators@blocklisting.com>
Content-Type:  text/plain; charset=ISO-8859-1
X-Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Scott Hazen Mueller)
Nntp-Posting-Date: Tue, 7 Oct 2003 05:31:14 +0000 (UTC)
Content-Transfer-Encoding:  8bit
NNTP-Posting-Host:  204.188.78.197
Organization: http://groups.google.com
Message-ID:  <da239e0c.0310062131.356b402d@posting.google.com>
References:  <da239e0c.0310061612.1ca9fae4@posting.google.com>
  <slrnbo457j.fgl.usenet-Oct+nanae@orca.dolphinwave.org>
X-Trace: posting.google.com 1065504674 20349 127.0.0.1 (7 Oct 2003 05:31:14 GMT)
Date: Tue, 7 Oct 2003 11:57:09 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 55
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:2022

Dolphin <usenet-Oct+nanabl@2003.dolphinwave.org> wrote in message
  news:<slrnbo457j.fgl.usenet-Oct+nanae@orca.dolphinwave.org>...
> #begin  bernie@michiganconnect.com.exe (or was it Bernie.com)
>  message <da239e0c.0310061612.1ca9fae4@posting.google.com> reply:
> > Well let me please set the record straight,
> >
> > I am Bernie Johnson, the owner of Webgate2000 and VelocityNet.  We
>
> <SNIP>
> > My apologies again, to any of the people who were obviously abused and
> > or effected, by our method of operation, we wrongly got back into the
> > spam hosting business, under the assumption that it would not do any
> > harm to others around us in the Internet community.  We made a foolish
> > decision and have definately learned from this past 7 months, that
> > having anything to do with clients whom even smell of spam and UCE, is
> > nothing but one bug headache and can cost you alot more than money in
> > the long run.
> <SNIP>
>
> And you, of course, are ready to compensate all those spam victims,
> whom your spammers were abusing to no end, with you helping them to,
> right?
>
> > Please accept this as a public apology and chance to show we are
> > sincere when we say we are out of this business for good.  We made a
> > big mistake and we are sorry fro all those effected by it.
> >
> > Bernie Johnson
> > CEO
> > Michigan Connect, LLC
>
> ...until we find another provider, who is willing to turn blind eyes on
> the spam-hosting? You've said two times that you only have disconnected
> your spammers cause you was forced to by your upstream, or you would
> have been disconnected, yourself. First - by AT&T, and then - by C&W,
> no?
>
> Dolphin.


Oh and Dolphin,

No we have not been diconnected from Cable and Wireless or Cogent, so
we have not stopped due to us loosing two different providers.  You
can read into what I said however you like, I was making a public
apology for those we may have wronged, I was not looking for your
approval, in any fashion way or form.

I could personally care less what you think of me, I was doing what I
felt was needed and was right, due to the damage we caused others.

Oh yeah why dont you un-edit my orginal post, and let people see the
whole message, not sure why you edited it, but I have a good idea.

Bernie---



=== My responce ===
Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu
 !zorac!blocklisting.com!robomod!not-for-mail
From: Dolphin <usenet-Oct+nanae@2003.dolphinwave.org>
Subject: Re: PUBLIC APOLOGY AND SET RECORD STRAIGHT
Approved: NANAB Moderators <moderators@blocklisting.com>
X-Orig-X-Trace: news.uni-berlin.de 1065538811 17410047 217.22.112.131 (16
  [104765])
X-Pgp-Key: 0xAAE2A579
User-Agent: slrn/0.9.7.4 (Linux)
X-Pgp-Key-Fingerprint: 5B8E 3B28 7199 8CD3 4133  FA87 000B 0FB6 AAE2 A579
Sender: nanab@zorch.sf-bay.org (Scott Hazen Mueller)
X-Spews: I am not
Organization: Private person
Message-ID: <slrnbo5l3q.j2l.usenet-Oct+nanae@orca.dolphinwave.org>
X-Spamscanner: mailbox7.ucsd.edu  (v1.2 Sep 26 2003 11:14:44, 0.0/5.0 2.60)
X-Newsgroup: news.admin.net-abuse.blocklisting
References: <da239e0c.0310061612.1ca9fae4@posting.google.com>
  <slrnbo457j.fgl.usenet-Oct+nanae@orca.dolphinwave.org>
  <da239e0c.0310062131.356b402d@posting.google.com>
X-Spam-Level: Level
X-Orig-Nntp-Posting-Host: 217.22.112.131
X-Mailscanner: PASSED (v1.2.8 944 h97F0Eub014762 mailbox7.ucsd.edu)
Date: Tue, 7 Oct 2003 15:08:14 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 44
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:2027

#begin  bernie@michiganconnect.com.exe (or was it Bernie.com)
 message <da239e0c.0310062131.356b402d@posting.google.com> reply:

<SNIP>
> No we have not been diconnected from Cable and Wireless or Cogent, so
> we have not stopped due to us loosing two different providers.

And where did I say that you was disconnected by those? You *was*
disconnected by AT&T in April, though. That's the fact:
<http://groups.google.com/groups?selm=4e30av0tqhnii8vujfgeicghrpb7ivf2qa%404ax.com>

> You
> can read into what I said however you like, I was making a public
> apology for those we may have wronged, I was not looking for your
> approval, in any fashion way or form.

So, what was that apology about, a formal "x" on the "to-do" list?
You don't really think that people will believe you that you are being
sincere with your apologizes, right?

> I could personally care less what you think of me, I was doing what I
> felt was needed and was right, due to the damage we caused others.

By the way, if you did not notice, I am one of those "others".

> Oh yeah why dont you un-edit my orginal post, and let people see the
> whole message, not sure why you edited it, but I have a good idea.
> 
> Bernie---

This is called "snipping" - removing the unnecessary parts from the
previous message, leaving only ones that are relevant to the reply.
People have already seen the original message in your original post,
there is no need to keep it whole just to answer to a part of it.
This is considered to be a good behaviour while posting to the Usenet
newsgroups.

Dolphin.

-- 
 URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
 ICQ: 6615461



=== Another call for delisting ===
Path: uni-berlin.de!fu-berlin.de!postnews1.google.com!not-for-mail
From: tech@fast-net-usa.com (Admin)
Newsgroups: news.admin.net-abuse.email
Subject: SPEWS S1457 REMOVAL PLEASE
Date: 14 Feb 2004 06:10:27 -0800
Organization: http://groups.google.com
Lines: 6
Message-ID: <3afd92df.0402140610.3a2e46d9@posting.google.com>
NNTP-Posting-Host: 204.188.77.197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1076767827 2125 127.0.0.1 (14 Feb 2004 14:10:27 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Sat, 14 Feb 2004 14:10:27 +0000 (UTC)
Xref: uni-berlin.de news.admin.net-abuse.email:2167512

AS most of you should be aware we have not been involved in spam in
over 7 months, please remove us from your listings, as we have updated
our terms of service and have immediately terminated all people
attempting to buy hosting accounts for spam, for over 7 months now.

Bernie--



=== And here is the true face of Bernie yet again ===
Path: uni-berlin.de!fu-berlin.de!postnews1.google.com!not-for-mail
From: tech@fast-net-usa.com (Admin)
Newsgroups: news.admin.net-abuse.email
Subject: Re: SPEWS S1457 REMOVAL PLEASE
Date: 15 Feb 2004 08:09:42 -0800
Organization: http://groups.google.com
Lines: 19
Message-ID: <3afd92df.0402150809.1476a8b9@posting.google.com>
References: <3afd92df.0402140610.3a2e46d9@posting.google.com>
  <92rXb.8305079$Id.1376914@news.easynews.com>
  <3afd92df.0402141354.62d7bee7@posting.google.com>
  <9b55104d.0402142249.2e3df393@posting.google.com>
NNTP-Posting-Host: 204.188.77.197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1076861382 1163 127.0.0.1 (15 Feb 2004 16:09:42 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Sun, 15 Feb 2004 16:09:42 +0000 (UTC)
Xref: uni-berlin.de news.admin.net-abuse.email:2167837

ROTFLMFAO !!!!!!!!!!!!!!!!!!!!!

I see the same mentality still exist, no wonder no one uses SPEWS anymore.


bulk_trap@yahoo.com (bulk_trap) wrote in message
  news:<9b55104d.0402142249.2e3df393@posting.google.com>...
> tech@fast-net-usa.com (Admin) wrote in message
  news:<3afd92df.0402141354.62d7bee7@posting.google.com>...
> > We is Michigan Connect, LLC and Bernie Johnson, that was told that
> > after a period of as long as we werer involved in hosting spammers
> > that we would be removed from SPEWS.
> >
> > We have been removed from every other public black list as we do not
> > condone that type of activty any longer and have redone our terms and
> > denied service or turned off anyone who even smells like spam.
> >
> > Bernie--
>
> Try again in about 7 years, not 7 months. Maybe by then some people will
> have forgotten how slimy you are.



=== Bernie Johnson applies for SPEWS removal ===
Path: uni-berlin.de!fu-berlin.de!postnews1.google.com!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Newsgroups: news.admin.net-abuse.email
Subject: S1457 removal or lower to 2
Date: 13 May 2004 17:34:04 -0700
Organization: http://groups.google.com
Lines: 9
Message-ID: <da239e0c.0405131634.172655e5@posting.google.com>
NNTP-Posting-Host: 204.188.77.197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1084494844 27878 127.0.0.1 (14 May 2004 00:34:04
  GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Fri, 14 May 2004 00:34:04 +0000 (UTC)
Xref: uni-berlin.de news.admin.net-abuse.email:2198154

Can someone please tell me what else we need to do to get de-listed
from Spews or atleast dropped to a 2 instead of 1.  We have done many
things to try and loose the spammer name tag, and have even worked
with many of you to resolve issues with others.

If your going to respond with smart ass comments, please act like an
adult and keep them to yourself.

B. Johnson ---



=== And here is that attitude appears again ===
Path: uni-berlin.de!fu-berlin.de!postnews1.google.com!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Newsgroups: news.admin.net-abuse.email
Subject: Re: S1457 removal or lower to 2
Date: 15 May 2004 17:57:19 -0700
Organization: http://groups.google.com
Lines: 35
Message-ID: <da239e0c.0405151657.6bbe6063@posting.google.com>
References: <da239e0c.0405131634.172655e5@posting.google.com>
  <1d2da0djgrvbsa33n9veb4ef8e1ev4vqh3@4ax.com>
NNTP-Posting-Host: 204.188.77.197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1084669039 21191 127.0.0.1 (16 May 2004 00:57:19
  GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Sun, 16 May 2004 00:57:19 +0000 (UTC)
Xref: uni-berlin.de news.admin.net-abuse.email:2198700

ROTFLMFAO,

Nothing else clever to say???

You must be one of those PHD anti-spammers.

B.Johnson

Wm James <wrjames.remove@spamreaper.com> wrote in message
  news:<1d2da0djgrvbsa33n9veb4ef8e1ev4vqh3@4ax.com>...
> On 13 May 2004 17:34:04 -0700, bernie@michiganconnect.com (Bernie)
> wrote:
>
> >Can someone please tell me what else we need to do to get de-listed
> >from Spews or atleast dropped to a 2 instead of 1.  We have done many
> >things to try and loose the spammer name tag, and have even worked
> >with many of you to resolve issues with others.
> >
> >If your going to respond with smart ass comments, please act like an
> >adult and keep them to yourself.
> >
> >B. Johnson ---
>
> I hope there is no way in some cases.
>
> Should you ever start a legitimate business in a field where people
> don't know you, perhaps you will consider the long term effects of
> stealing from and harassing those you want to peer with before you do
> it.
>
> Inplug your server and go get a job testing swamp gas or something.
> Eventually, the world might unblock the IPS in question once they are
> no longer associated with a long term habitual scumbag who has proven
> willing to abuse them.
>
> William R. James



=== And here is another "you don't have a clue" post of his ===
Path: uni-berlin.de!fu-berlin.de!postnews1.google.com!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Newsgroups: news.admin.net-abuse.email
Subject: Re: S1457 removal or lower to 2
Date: 15 May 2004 08:18:44 -0700
Organization: http://groups.google.com
Lines: 37
Message-ID: <da239e0c.0405150718.219796c5@posting.google.com>
References: <da239e0c.0405131634.172655e5@posting.google.com>
NNTP-Posting-Host: 204.188.77.197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1084634324 16635 127.0.0.1 (15 May 2004 15:18:44
  GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Sat, 15 May 2004 15:18:44 +0000 (UTC)
Xref: uni-berlin.de news.admin.net-abuse.email:2198595

ok,

But this only solidifies that you really have no clue what is turly
going on.

Thanks for letting me know that most of you are really clueless as to
what is taking place in the fight against spam, and will still resort
to the same old tatics, which of course, is your right.  Is what your
doing really stopping the spam, or just causing more issues and
problems, for the ones who are.

Can you even decipher the white hats from the black hats or is the
shotgun approach all you really have in your tool bag, and know.  If
you really had a clue what was going on behind the scenes you would
never make some of the comments that 99% of you make, towards me, as
you would know that I have no affiliaton with spammers or the the
like, to say the least.  But all this really shows, is your lack of
knowledge of the real situation.

So if it makes you feel more at ease to load the 12 gauge feel free,
trust me your not hitting your target.  Please atleast get educated
before making comments, that show your lack of true inside info.  You
have no idea where the government has people working right now, or who
they are really after.

B. Johnson

bernie@michiganconnect.com (Bernie) wrote in message
  news:<da239e0c.0405131634.172655e5@posting.google.com>...
> Can someone please tell me what else we need to do to get de-listed
> from Spews or atleast dropped to a 2 instead of 1.  We have done many
> things to try and loose the spammer name tag, and have even worked
> with many of you to resolve issues with others.
>
> If your going to respond with smart ass comments, please act like an
> adult and keep them to yourself.
>
> B. Johnson ---



=== So, did he really change? I don't think so ===
Path: uni-berlin.de!fu-berlin.de!postnews1.google.com!not-for-mail
From: bernie@michiganconnect.com (Bernie)
Newsgroups: news.admin.net-abuse.email
Subject: Re: S1457 removal or lower to 2
Date: 15 May 2004 17:58:51 -0700
Organization: http://groups.google.com
Lines: 60
Message-ID: <da239e0c.0405151658.2aeac8e5@posting.google.com>
References: <da239e0c.0405131634.172655e5@posting.google.com>
  <da239e0c.0405150718.219796c5@posting.google.com>
  <c85jtu$gs$1@puck.litech.org>
NNTP-Posting-Host: 204.188.77.197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1084669132 21276 127.0.0.1 (16 May 2004 00:58:52
  GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Sun, 16 May 2004 00:58:52 +0000 (UTC)
Xref: uni-berlin.de news.admin.net-abuse.email:2198701

hehe,

You fools fall for it every time.

B.Johnson

mikea@mikea.ath.cx (Mike Andrews) wrote in message
  news:<c85jtu$gs$1@puck.litech.org>...
> Bernie <bernie@michiganconnect.com> wrote:
> > ok,
>
> > But this only solidifies that you really have no clue what is turly
> > going on.
>
> > Thanks for letting me know that most of you are really clueless as to
> > what is taking place in the fight against spam, and will still resort
> > to the same old tatics, which of course, is your right.  Is what your
> > doing really stopping the spam, or just causing more issues and
> > problems, for the ones who are.
>
> > Can you even decipher the white hats from the black hats or is the
> > shotgun approach all you really have in your tool bag, and know.  If
> > you really had a clue what was going on behind the scenes you would
> > never make some of the comments that 99% of you make, towards me, as
> > you would know that I have no affiliaton with spammers or the the
> > like, to say the least.  But all this really shows, is your lack of
> > knowledge of the real situation.
>
> > So if it makes you feel more at ease to load the 12 gauge feel free,
> > trust me your not hitting your target.  Please atleast get educated
> > before making comments, that show your lack of true inside info.  You
> > have no idea where the government has people working right now, or who
> > they are really after.
>
> > B. Johnson
>
> > bernie@michiganconnect.com (Bernie) wrote in message
  news:<da239e0c.0405131634.172655e5@posting.google.com>...
> > > Can someone please tell me what else we need to do to get de-listed
> > > from Spews or atleast dropped to a 2 instead of 1.  We have done many
> > > things to try and loose the spammer name tag, and have even worked
> > > with many of you to resolve issues with others.
> > >
> > > If your going to respond with smart ass comments, please act like an
> > > adult and keep them to yourself.
> > >
> > > B. Johnson ---
>
> Bernie,
>
> I'm including the entire post to which I'm responding, to show that
> you failed to include any context -- none of the post to which you
> are responding appears in your response. This makes your remarks at
> least somewhat opaque, although it's clear that you're lashing out at
> _someone_.
>
> Do your management know the hole you're digging for yourself and
> them? If they don't, then you're failing in two duties:
> o     to keep them informed of adverse circumstances; and
> o     to not make things worse than they have to be.
>
> You're already in a hole, Bernie. _STOP_ Digging!