Webair.com - Porno spammers and web harvesters! Their upstream is Level 3 - no way to get actions. Update: 3-Nov-2004: New IP blocks, new spams. And the old pr0n spammers? Still connected after more than 2 years since the complaints were sent! webair.com, webair.net, [4.43.119.0 - 4.43.119.127], [69.42.64.0 - 69.42.79.255], [209.200.0.0 - 209.200.31.255], [216.27.155.144 - 216.27.155.159], [216.130.160.0 - 216.130.191.255]: Access denied! === My complaint === Content-Type: text/plain; charset="iso-8859-1" From: Admin Reply-To: abuse@2002.dolphinwave.org Organization: Private person Subject: [email] Spam (pr0n, web harvest: webair.com/xponsor.com/sex-office.com)! [Fwd: Photos de sex gratuit !!!] Date: Sun, 2 Jun 2002 07:22:57 +0300 User-Agent: KMail/1.4.1 X-KMail-Link-Message: 19525 X-KMail-Link-Type: forward To: Abuse reports , postmaster@webair.com, antispam@webair.com, domains@WEBAIR.COM, Spamtool@level3.com, abuse@level3.com, postmaster@caramail.com, cs@caramail.fr, abuse@colt.net X-Complaints-To: abuse@dolphinwave.org (live person) X-PGP-key: 0xAAE2A579 X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579 X-No-Confirm: Yes MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <200206020722.57106@2002.dolphinwave.org> Status: RO X-Status: S Spam on my webmaster@ role address, used on my web pages only, and harvested from there! Please, terminate the spammer's accounts as soon as possible! Thanks! ======= Refusing to deal with your persistent spammers will lead your whole IP range to be blocked from accessing my mailservers ever again, and info about it will be shared with other admins and public blocklists! Spammer: purple2.webair.com [216.130.161.209] Mail from: silverstarz@caramail.com Spamvertised web pages: ======================= http://www.xponsor.com http://www.sex-office.com purple2.webair.com [216.130.161.209] ================== Registrant: WEBAIR INTERNET DEVELOPMENT INC (WEBAIR4-DOM) 116 E Fairview Ave. Valley Stream, NY 11580 US Domain Name: WEBAIR.COM Administrative Contact, Technical Contact: Christopher, Michael (MC9034) domains@WEBAIR.COM Webair 40 East Merrick Rd. Suite 110 Valley Stream, NY 11580 US (516) 256-0821 Record expires on 24-Feb-2005. Record created on 24-Feb-1999. Database last updated on 2-Jun-2002 00:17:33 EDT. Domain servers in listed order: NS.WEBAIR.NET 216.130.161.1 NS2.WEBAIR.NET 216.130.161.6 Webair Internet Development IP block [216.130.160.0 - 216.130.191.255]. Upstream: Level 3 (pos11-0.hsipaccess1.GardenCity1.Level3.net). www.xponsor.com [216.130.163.22] =============== N/A (template COCO-553832) andrei@manitiu.com 30, chemin des Maraichers BAT. G176 TOULOUSE, 31 31400 FR Domain Name: xponsor.com Status: production Admin Contact, Technical Contact, Zone Contact: Andrei Manitiu (COCO-553832) andrei@manitiu.com 33-6-61 53 50 13 CORE Registrar: CORE-11 Record last modified: 2001-04-24 06:10:18 UTC by CORE-11 Record created: 2001-02-01 15:04:41 UTC by CORE-11 Record expires: 2003-02-01 09:13:55 UTC Domain servers in listed order: ns.webair.net ns2.webair.net Webair Internet Development IP block [216.130.160.0 - 216.130.191.255]. Upstream: Level 3 (pos11-0.hsipaccess1.GardenCity1.Level3.net). www.sex-office.com [216.130.177.2] ================== domain: sex-office.com status: production origin-c: thierry@opale.net#178 owner: ERIC Heinrich email: thierry@opale.net#178 address: 4, route de Guewenheim city: Roderen postal-code: 68800 country: FR admin-c: thierry@opale.net#0 tech-c: thierry@opale.net#0 billing-c: thierry@opale.net#0 nserver: ns1.xheberge.net 216.130.161.209 nserver: ns2.opale-net.com 216.130.161.6 registrar: JORE-1 created: 2002-03-19 11:22:48 UTC JORE-1 expires: 2003-03-19 05:22:38 UTC source: joker.com Webair Internet Development IP block [216.130.160.0 - 216.130.191.255]. Upstream: Level 3 (pos11-0.hsipaccess1.GardenCity1.Level3.net). ---------- Forwarded Message ---------- Received: from purple2.webair.com (purple2.webair.com [216.130.161.209]) by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g523wQN15007 for ; Sun, 2 Jun 2002 06:58:27 +0300 Received: from purple2.webair.com (localhost [127.0.0.1]) by purple2.webair.com (8.12.2/8.11.3) with ESMTP id g523xRTC032410 for ; Sun, 2 Jun 2002 05:59:27 +0200 Received: (from nobody@localhost) by purple2.webair.com (8.12.2/8.12.2/Submit) id g523xMWk032404; Sun, 2 Jun 2002 05:59:22 +0200 Date: Sun, 2 Jun 2002 05:59:22 +0200 Message-Id: <200206020359.g523xMWk032404@purple2.webair.com> X-Authentication-Warning: purple2.webair.com: nobody set sender to silverstarz@caramail.com using -f From: silverstarz@caramail.com Reply-To: silverstarz@caramail.com X-Sender: silverstarz@caramail.com To: webmaster@### X-Mailer: PG-MAILINGLIST PRO L2043 X-Priority: 3 Subject: Photos de sex gratuit !!! MIME-Version: 1.0 Content-type: text/html; charset="iso-8859-1" Status: R X-Status: N

 

 

 

 

 

 

 

 
 
Pour vous d�inscrire, merci de vous rendre ici: http://www.sex-office.com/cgi-bin/mailing/pg-mlpro.cgi?A=webmaster@###&L=5 ------------------------------------------------------- === My post about webair spams === From: Dolphin Newsgroups: news.admin.net-abuse.email Subject: Re: WEBAIR rogue? Date: 25 Jul 2002 16:54:47 GMT Organization: Private person Lines: 52 Sender: Alexander Sheremet Message-ID: References: <3d3fedb2.1345196@news-east.giganews.com> <20020725110212.07829.00000232@mb-bk.aol.com> NNTP-Posting-Host: 62.219.88.45 X-Trace: fu-berlin.de 1027616087 32585611 62.219.88.45 (16 [104765]) X-SPEWS: I am not X-newsgroup: news.admin.net-abuse.email X-PGP-key: 0xAAE2A579 X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579 User-Agent: slrn/0.9.7.4 (Linux) On 25 Jul 2002 15:02:12 GMT Frederick the amateur spam killer wrote in message <20020725110212.07829.00000232@mb-bk.aol.com>: > My personal feeling is that webair IS the spammer, since all the porn > sites being spamvertised are on their network, the teaser pages are > always hosted on their network, and there's always that wink wink > nudge nudge between webair and it's porn site that's being spamvertised. Webair *is* the spammer. The pr0n sites are also being advertised directly from their local servers: Received: from purple2.webair.com (purple2.webair.com [216.130.161.209]) by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g523wQN15007 for ; Sun, 2 Jun 2002 06:58:27 +0300 Received: from purple2.webair.com (localhost [127.0.0.1]) by purple2.webair.com (8.12.2/8.11.3) with ESMTP id g523xRTC032410 for ; Sun, 2 Jun 2002 05:59:27 +0200 Received: (from nobody@localhost) by purple2.webair.com (8.12.2/8.12.2/Submit) id g523xMWk032404; Sun, 2 Jun 2002 05:59:22 +0200 Date: Sun, 2 Jun 2002 05:59:22 +0200 Message-Id: <200206020359.g523xMWk032404@purple2.webair.com> X-Authentication-Warning: purple2.webair.com: nobody set sender to silverstarz@caramail.com using -f From: silverstarz@caramail.com Reply-To: silverstarz@caramail.com X-Sender: silverstarz@caramail.com To: webmaster@### X-Mailer: PG-MAILINGLIST PRO L2043 X-Priority: 3 Subject: Photos de sex gratuit !!! MIME-Version: 1.0 Content-type: text/html; charset="iso-8859-1" Status: R X-Status: N The complete spam and my complaint are on NANAS, or there: http://www.DolphinWave.org/spam/216.130.160.0-216.130.191.255_webair.com.txt Should I say that all those spamvertised sites are still up on the same IPs? Dolphin. -- URL: http://www.DolphinWave.org Mail: on the web page (no spam) ICQ: 6615461 === Webair responds to the news.admin.net-abuse.email posts === From: mike@webair.com (Michael Orza) Newsgroups: news.admin.net-abuse.email Subject: Re: WEBAIR rogue? Date: 25 Jul 2002 14:42:20 -0700 Organization: http://groups.google.com/ Lines: 54 Message-ID: <6f875393.0207251342.1bd9ebda@posting.google.com> References: <3d3fedb2.1345196@news-east.giganews.com> <20020725110212.07829.00000232@mb-bk.aol.com> NNTP-Posting-Host: 24.184.12.141 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Trace: posting.google.com 1027633341 32308 127.0.0.1 (25 Jul 2002 21:42:21 GMT) X-Complaints-To: groups-abuse@google.com NNTP-Posting-Date: 25 Jul 2002 21:42:21 GMT This is a client of ours, webair DOES NOT have porn sites. I have contacted the client persaonally and he has killed the affiliate that was spamming. Webair hosts thousands of ips and we enforce our TOS accordingly. Michael Dolphin wrote in message news:... > On 25 Jul 2002 15:02:12 GMT Frederick the amateur spam killer > wrote in message <20020725110212.07829.00000232@mb-bk.aol.com>: > > > > My personal feeling is that webair IS the spammer, since all the porn > > sites being spamvertised are on their network, the teaser pages are > > always hosted on their network, and there's always that wink wink > > nudge nudge between webair and it's porn site that's being spamvertised. > > > Webair *is* the spammer. The pr0n sites are also being advertised directly > from their local servers: > > Received: from purple2.webair.com (purple2.webair.com [216.130.161.209]) > by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g523wQN15007 > for ; Sun, 2 Jun 2002 06:58:27 +0300 > Received: from purple2.webair.com (localhost [127.0.0.1]) > by purple2.webair.com (8.12.2/8.11.3) with ESMTP id g523xRTC032410 > for ; Sun, 2 Jun 2002 05:59:27 +0200 > Received: (from nobody@localhost) > by purple2.webair.com (8.12.2/8.12.2/Submit) id g523xMWk032404; > Sun, 2 Jun 2002 05:59:22 +0200 > Date: Sun, 2 Jun 2002 05:59:22 +0200 > Message-Id: <200206020359.g523xMWk032404@purple2.webair.com> > X-Authentication-Warning: purple2.webair.com: nobody set sender to > silverstarz@caramail.com using -f > From: silverstarz@caramail.com > Reply-To: silverstarz@caramail.com > X-Sender: silverstarz@caramail.com > To: webmaster@### > X-Mailer: PG-MAILINGLIST PRO L2043 > X-Priority: 3 > Subject: Photos de sex gratuit !!! > MIME-Version: 1.0 > Content-type: text/html; > charset="iso-8859-1" > Status: R > X-Status: N > > > The complete spam and my complaint are on NANAS, or there: > http://www.DolphinWave.org/spam/216.130.160.0-216.130.191.255_webair.com.txt > > Should I say that all those spamvertised sites are still up on the same IPs? > > Dolphin. === Another webair responce === From: mike@webair.com (Michael Orza) Newsgroups: news.admin.net-abuse.email Subject: Re: WEBAIR rogue? Date: 25 Jul 2002 15:09:24 -0700 Organization: http://groups.google.com/ Lines: 23 Message-ID: <6f875393.0207251409.1f839f1@posting.google.com> References: <3d3fedb2.1345196@news-east.giganews.com> <20020725110212.07829.00000232@mb-bk.aol.com> NNTP-Posting-Host: 24.184.12.141 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Trace: posting.google.com 1027634965 1570 127.0.0.1 (25 Jul 2002 22:09:25 GMT) X-Complaints-To: groups-abuse@google.com NNTP-Posting-Date: 25 Jul 2002 22:09:25 GMT correction togahost.com has been terminated. michael Werehatrack wrote in message news:... > On 25 Jul 2002 16:54:47 GMT, Dolphin > may have said: > > > >Webair *is* the spammer. The pr0n sites are also being advertised directly > >from their local servers: > > > > > > > >The complete spam and my complaint are on NANAS, or there: > >http://www.DolphinWave.org/spam/216.130.160.0-216.130.191.255_webair.com.txt > > > >Should I say that all those spamvertised sites are still up on the same IPs? > > Well, given that they get their connectivity directly from the Level3 > spambone, is that any surprise? === My reply === From: Dolphin Newsgroups: news.admin.net-abuse.email Subject: Re: WEBAIR rogue? Date: 25 Jul 2002 22:41:12 GMT Organization: Private person Lines: 46 Sender: Alexander Sheremet Message-ID: References: <3d3fedb2.1345196@news-east.giganews.com> <20020725110212.07829.00000232@mb-bk.aol.com> <6f875393.0207251342.1bd9ebda@posting.google.com> NNTP-Posting-Host: 62.219.88.45 Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Trace: fu-berlin.de 1027636872 32650727 62.219.88.45 (16 [104765]) X-SPEWS: I am not X-newsgroup: news.admin.net-abuse.email X-PGP-key: 0xAAE2A579 X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579 User-Agent: slrn/0.9.7.4 (Linux) On 25 Jul 2002 14:42:20 -0700 Michael Orza wrote in message <6f875393.0207251342.1bd9ebda@posting.google.com>: > This is a client of ours, webair DOES NOT have porn sites. I have > contacted the client persaonally and he has killed the affiliate that > was spamming. >> Received: from purple2.webair.com (purple2.webair.com [216.130.161.209]) >> by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g523wQN15007 >> for ; Sun, 2 Jun 2002 06:58:27 +0300 <...> >> To: webmaster@### >> X-Mailer: PG-MAILINGLIST PRO L2043 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ And now from the spam body: >> Pour vous d�inscrire, merci de vous rendre ici: >> http://www.sex-office.com/cgi-bin/mailing/pg-mlpro.cgi?A=webmaster@###&L=5 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ sex-office.com *are* the spammers, it's their own mailing, not some non-existant "affiliate". www.sex-office.com was on [216.130.177.2] when I've complained to you on June 2nd. Guess what IP it's being hosted at now? Right - at the same IP of Webair: PING www.sex-office.com (216.130.177.2)... 64 bytes from 216.130.177.2: icmp_seq=1 ttl=241 time=229 ms 64 bytes from 216.130.177.2: icmp_seq=2 ttl=241 time=236 ms > Webair hosts thousands of ips and we enforce our TOS > accordingly. > > Michael Accordingly to what? 1.5 months since the spam was reported to you and the spam site is still up! Dolphin. -- URL: http://www.DolphinWave.org Mail: on the web page (no spam) ICQ: 6615461 === And the spammers are still on the same IP, half-year later === === December 11th, 2002 === $ host www.xponsor.com www.xponsor.com has address 216.130.163.22 $ host www.sex-office.com www.sex-office.com has address 216.130.177.2 === January 25th, 2003 - spammers are still on the same IPs, too === $ host www.xponsor.com www.xponsor.com has address 216.130.163.22 $ host www.sex-office.com www.sex-office.com has address 216.130.177.2 === More on Webair's support of the abuse and ignoring complaints === Path: uni-berlin.de!fu-berlin.de!news.maxwell.syr.edu!sn-xit-03!sn-xit-04 !sn-xit-06!sn-post-02!sn-post-01!supernews.com!news.supernews.com !news.rrclark.net!nobody From: spammers_lie@rrclark.net (Rich Clark, aka Left Rev Egg Plant, ULC, CotSG) Newsgroups: news.admin.net-abuse.email Subject: Re: Proxypot statistics from last night Date: Mon, 28 Jul 2003 16:12:44 -0400 Organization: Cult of the Chrome Skull Shift Knob -- Motor City Detachment Message-ID: References: User-Agent: slrn/0.9.7.1 (Linux) X-Complaints-To: abuse@supernews.com Lines: 26 Xref: uni-berlin.de news.admin.net-abuse.email:2035492 In article , Dolphin wrote: > #begin spammers_lie@rrclark.net.exe (or was it Rich Clark, aka Left Rev Egg Plant, ULC, CotSG.com) > message reply: >> New Webair host in the logs this morning, where the others hitting me >> last week seem to either be avoiding my proxypot or were actually >> turned down by the folks I made complaints to. > > >> Sheesh, this is like shooting fish in a barrel. Grin. Phoned >> webair.net this morning; we'll see how long it takes to gut this fish. > > > *This* Webair? > http://www.DolphinWave.org/spam/Webair.txt Why yes, that Webair. I've phoned them three times today. The spam still flows from their scummy network. Why they've not been added to every router null list is beyond me completely. We'll see what happens. Rich -- "In the anals [sic] of internet history no story has generated more hilarity than the day the florida spammers all got together, pooled their meager resources, and committed mass-suicide in Federal Court, while many of those they were trying to sue nearly died laughing." Quaestor on NANAE 4/25/03 TINLC Unit #2309 Death to all spammer accounts. WWSB? === A followup === Path: uni-berlin.de!fu-berlin.de!gail.ripco.com!news-feed.riddles.org.uk !sn-xit-03!sn-xit-04!sn-xit-01!sn-post-02!sn-post-01!supernews.com !news.supernews.com!news.rrclark.net!nobody From: spammers_lie@rrclark.net (Rich Clark, aka Left Rev Egg Plant, ULC, CotSG) Newsgroups: news.admin.net-abuse.email Subject: Proxypot statistics from last night Date: Tue, 29 Jul 2003 07:36:11 -0400 Organization: Cult of the Chrome Skull Shift Knob -- Motor City Detachment Message-ID: User-Agent: slrn/0.9.7.1 (Linux) X-Complaints-To: abuse@supernews.com Lines: 88 Xref: uni-berlin.de news.admin.net-abuse.email:2035880 Y'all that had comments re: Webair were right. They're taking forever to stop the abuse that I'm seeing here. More phone calls scheduled today, we shall see what happens. host statistics: 216.130.184.194 sent 20528 messages first at Mon Jul 28 17:56:18 2003 (2 messages) last at Tue Jul 29 06:10:42 2003 total 68109543 bytes to 20528 recipients [216.130.184.194] web site statistics: [216.130.184.194] probilling.com was referenced by 20528 messages [216.130.184.194] first at Mon Jul 28 17:56:18 2003 (2 messages) [216.130.184.194] last at Tue Jul 29 06:10:42 2003 [216.130.184.194] total 68109543 bytes to 20528 recipients [216.130.184.194] 20528 references to 1 distinct web site 216.130.184.196 sent 12580 messages first at Mon Jul 28 17:54:54 2003 last at Tue Jul 29 06:10:44 2003 total 25913670 bytes to 12580 recipients [216.130.184.196] web site statistics: [216.130.184.196] ccbill.com was referenced by 12580 messages [216.130.184.196] first at Mon Jul 28 17:54:54 2003 [216.130.184.196] last at Tue Jul 29 06:10:44 2003 [216.130.184.196] total 25913670 bytes to 12580 recipients [216.130.184.196] 12580 references to 1 distinct web site 216.130.184.195 sent 10051 messages first at Mon Jul 28 17:54:55 2003 last at Tue Jul 29 06:10:34 2003 total 19091205 bytes to 10051 recipients [216.130.184.195] web site statistics: [216.130.184.195] pinkflicks.com was referenced by 10051 messages [216.130.184.195] first at Mon Jul 28 17:54:55 2003 [216.130.184.195] last at Tue Jul 29 06:10:34 2003 [216.130.184.195] total 19091205 bytes to 10051 recipients [216.130.184.195] 10051 references to 1 distinct web site 43159 messages from 3 distinct hosts web site statistics: probilling.com was referenced by 20528 messages first at Mon Jul 28 17:56:18 2003 (2 messages) last at Tue Jul 29 06:10:42 2003 total 68109543 bytes to 20528 recipients [probilling.com] host statistics: [probilling.com] 216.130.184.194 sent 20528 messages [probilling.com] first at Mon Jul 28 17:56:18 2003 (2 messages) [probilling.com] last at Tue Jul 29 06:10:42 2003 [probilling.com] total 68109543 bytes to 20528 recipients [probilling.com] 20528 messages from 1 distinct host ccbill.com was referenced by 12580 messages first at Mon Jul 28 17:54:54 2003 last at Tue Jul 29 06:10:44 2003 total 25913670 bytes to 12580 recipients [ccbill.com] host statistics: [ccbill.com] 216.130.184.196 sent 12580 messages [ccbill.com] first at Mon Jul 28 17:54:54 2003 [ccbill.com] last at Tue Jul 29 06:10:44 2003 [ccbill.com] total 25913670 bytes to 12580 recipients [ccbill.com] 12580 messages from 1 distinct host pinkflicks.com was referenced by 10051 messages first at Mon Jul 28 17:54:55 2003 last at Tue Jul 29 06:10:34 2003 total 19091205 bytes to 10051 recipients [pinkflicks.com] host statistics: [pinkflicks.com] 216.130.184.195 sent 10051 messages [pinkflicks.com] first at Mon Jul 28 17:54:55 2003 [pinkflicks.com] last at Tue Jul 29 06:10:34 2003 [pinkflicks.com] total 19091205 bytes to 10051 recipients [pinkflicks.com] 10051 messages from 1 distinct host 43159 references to 3 distinct web sites Report completed at Tue Jul 29 07:18:15 2003 Report generation took 1791 seconds Rich -- "The character and fitness concerns included petitioner's misconduct in college, history of substance abuse, criminal record and lack of candor since college concerning such matters. We are not satisfied that petitioner presently possesses the character and general fitness requisite for an attorney and counselor-at-law" - NY Supreme Court on spammer attorney Mark Felstein. http://www.courts.state.ny.us/reporter/slips/14968.htm TINLC Unit #2309 Death to all spammer accounts. WWSB? === And Webair warns the spammer ("zero-tolerant", indeed) === Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu !postnews1.google.com!not-for-mail From: mike@webair.com (Michael Orza) Newsgroups: news.admin.net-abuse.email Subject: Re: Proxypot statistics from last night Date: 29 Jul 2003 13:37:22 -0700 Organization: http://groups.google.com/ Lines: 85 Message-ID: <6f875393.0307291237.4ce55e4a@posting.google.com> References: NNTP-Posting-Host: 4.43.119.5 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Trace: posting.google.com 1059511043 30187 127.0.0.1 (29 Jul 2003 20:37:23 GMT) X-Complaints-To: groups-abuse@google.com NNTP-Posting-Date: 29 Jul 2003 20:37:23 GMT Xref: uni-berlin.de news.admin.net-abuse.email:2036253 Client called & warned that he is in violation of our TOS, if client continues they will be taken down. spammers_lie@rrclark.net (Rich Clark, aka Left Rev Egg Plant, ULC, CotSG) wrote in message news:... > Y'all that had comments re: Webair were right. They're taking forever > to stop the abuse that I'm seeing here. More phone calls scheduled > today, we shall see what happens. > > host statistics: > 216.130.184.194 sent 20528 messages > first at Mon Jul 28 17:56:18 2003 (2 messages) > last at Tue Jul 29 06:10:42 2003 > total 68109543 bytes to 20528 recipients > [216.130.184.194] web site statistics: > [216.130.184.194] probilling.com was referenced by 20528 messages > [216.130.184.194] first at Mon Jul 28 17:56:18 2003 (2 messages) > [216.130.184.194] last at Tue Jul 29 06:10:42 2003 > [216.130.184.194] total 68109543 bytes to 20528 recipients > [216.130.184.194] 20528 references to 1 distinct web site > > 216.130.184.196 sent 12580 messages > first at Mon Jul 28 17:54:54 2003 > last at Tue Jul 29 06:10:44 2003 > total 25913670 bytes to 12580 recipients > [216.130.184.196] web site statistics: > [216.130.184.196] ccbill.com was referenced by 12580 messages > [216.130.184.196] first at Mon Jul 28 17:54:54 2003 > [216.130.184.196] last at Tue Jul 29 06:10:44 2003 > [216.130.184.196] total 25913670 bytes to 12580 recipients > [216.130.184.196] 12580 references to 1 distinct web site > > 216.130.184.195 sent 10051 messages > first at Mon Jul 28 17:54:55 2003 > last at Tue Jul 29 06:10:34 2003 > total 19091205 bytes to 10051 recipients > [216.130.184.195] web site statistics: > [216.130.184.195] pinkflicks.com was referenced by 10051 messages > [216.130.184.195] first at Mon Jul 28 17:54:55 2003 > [216.130.184.195] last at Tue Jul 29 06:10:34 2003 > [216.130.184.195] total 19091205 bytes to 10051 recipients > [216.130.184.195] 10051 references to 1 distinct web site > > 43159 messages from 3 distinct hosts > > web site statistics: > probilling.com was referenced by 20528 messages > first at Mon Jul 28 17:56:18 2003 (2 messages) > last at Tue Jul 29 06:10:42 2003 > total 68109543 bytes to 20528 recipients > [probilling.com] host statistics: > [probilling.com] 216.130.184.194 sent 20528 messages > [probilling.com] first at Mon Jul 28 17:56:18 2003 (2 messages) > [probilling.com] last at Tue Jul 29 06:10:42 2003 > [probilling.com] total 68109543 bytes to 20528 recipients > [probilling.com] 20528 messages from 1 distinct host > > ccbill.com was referenced by 12580 messages > first at Mon Jul 28 17:54:54 2003 > last at Tue Jul 29 06:10:44 2003 > total 25913670 bytes to 12580 recipients > [ccbill.com] host statistics: > [ccbill.com] 216.130.184.196 sent 12580 messages > [ccbill.com] first at Mon Jul 28 17:54:54 2003 > [ccbill.com] last at Tue Jul 29 06:10:44 2003 > [ccbill.com] total 25913670 bytes to 12580 recipients > [ccbill.com] 12580 messages from 1 distinct host > > pinkflicks.com was referenced by 10051 messages > first at Mon Jul 28 17:54:55 2003 > last at Tue Jul 29 06:10:34 2003 > total 19091205 bytes to 10051 recipients > [pinkflicks.com] host statistics: > [pinkflicks.com] 216.130.184.195 sent 10051 messages > [pinkflicks.com] first at Mon Jul 28 17:54:55 2003 > [pinkflicks.com] last at Tue Jul 29 06:10:34 2003 > [pinkflicks.com] total 19091205 bytes to 10051 recipients > [pinkflicks.com] 10051 messages from 1 distinct host > > 43159 references to 3 distinct web sites > > Report completed at Tue Jul 29 07:18:15 2003 > Report generation took 1791 seconds > > Rich === Abuse desk @Webair at work === Path: uni-berlin.de!fu-berlin.de!news.maxwell.syr.edu!sn-xit-03!sn-xit-06 !sn-post-02!sn-post-01!supernews.com!news.supernews.com!news.rrclark.net!nobody From: spammers_lie@rrclark.net (Rich Clark, aka Left Rev Egg Plant, ULC, CotSG) Newsgroups: news.admin.net-abuse.email Subject: Re: Proxypot statistics from last night Date: Tue, 29 Jul 2003 19:21:32 -0400 Organization: Cult of the Chrome Skull Shift Knob -- Motor City Detachment Message-ID: References: <6f875393.0307291237.4ce55e4a@posting.google.com> User-Agent: slrn/0.9.7.1 (Linux) X-Complaints-To: abuse@supernews.com Lines: 35 Xref: uni-berlin.de news.admin.net-abuse.email:2036406 In article , Mike Andrews wrote: > Michael Orza wrote: >> Client called & warned that he is in violation of our TOS, if client >> continues they will be taken down. > > Dear @PANTHEON! 43159 provable spams isn't enough? > >=============>> What more do you *NEED*? <<============ > When I called this afternoon, Sagi, their abuse guy, said he'd been stacked up with abuse complaints about some other customers, that he hadn't had time to get to this issue yet, and that he needed "to see some complaints from a few other sources," before they would terminate. I nearly flipped out at that. I asked him, "What, I send you logs, statistical analysis of all the spam that came in over a night, and samples of captured spam, and you're going to wait for complaints from other IP's? That's crazy!!" Webair, in my own hog-fucking opinion, loves spammer money, plain and simple. Sagi wouldn't admit it when I posed that question to him. I also asked him point-blank if this was the Dyanmic Pipe outfit, to which he didn't reply. Seemed he was more busy trying to cover his ass than answer questions. Rich -- "The character and fitness concerns included petitioner's misconduct in college, history of substance abuse, criminal record and lack of candor since college concerning such matters. We are not satisfied that petitioner presently possesses the character and general fitness requisite for an attorney and counselor-at-law" - NY Supreme Court on spammer attorney Mark Felstein. http://www.courts.state.ny.us/reporter/slips/14968.htm TINLC Unit #2309 Death to all spammer accounts. WWSB? === There are "THAT bad" and obviously "not that much bad" spammers @Webair === Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu !postnews1.google.com!not-for-mail From: mike@webair.com (Michael Orza) Newsgroups: news.admin.net-abuse.email Subject: Re: Proxypot statistics from last night Date: 30 Jul 2003 15:42:37 -0700 Organization: http://groups.google.com/ Lines: 69 Message-ID: <6f875393.0307301442.5af9b124@posting.google.com> References: NNTP-Posting-Host: 4.43.119.5 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Trace: posting.google.com 1059604957 28303 127.0.0.1 (30 Jul 2003 22:42:37 GMT) X-Complaints-To: groups-abuse@google.com NNTP-Posting-Date: 30 Jul 2003 22:42:37 GMT Xref: uni-berlin.de news.admin.net-abuse.email:2037049 Rich, honestly i wasnt aware that the client was this bad he's down...as far as mine and sagi's "squirming"? comments like that are completely unnecessary. We are professionals doing the best we can to keep our network clean and maintaining thousands of clients. There is a client, the client has been shut down...if there is anything further you need please don't hesitate to call AGAIN =) spammers_lie@rrclark.net (Rich Clark, aka Left Rev Egg Plant, ULC, CotSG) wrote in message news:... > host statistics: > 216.130.184.194 sent 6129 messages > first at Wed Jul 30 00:47:36 2003 > last at Wed Jul 30 03:59:51 2003 > total 20347662 bytes to 6129 recipients > [216.130.184.194] web site statistics: > [216.130.184.194] probilling.com was referenced by 6129 messages > [216.130.184.194] first at Wed Jul 30 00:47:36 2003 > [216.130.184.194] last at Wed Jul 30 03:59:51 2003 > [216.130.184.194] total 20347662 bytes to 6129 recipients > [216.130.184.194] 6129 references to 1 distinct web site > > 216.130.184.195 sent 5230 messages > first at Wed Jul 30 00:44:49 2003 (5 messages) > last at Wed Jul 30 03:59:56 2003 > total 9936036 bytes to 5230 recipients > [216.130.184.195] web site statistics: > [216.130.184.195] pinkflicks.com was referenced by 5230 messages > [216.130.184.195] first at Wed Jul 30 00:44:49 2003 (5 messages) > [216.130.184.195] last at Wed Jul 30 03:59:56 2003 > [216.130.184.195] total 9936036 bytes to 5230 recipients > [216.130.184.195] 5230 references to 1 distinct web site > > 11359 messages from 2 distinct hosts > > web site statistics: > probilling.com was referenced by 6129 messages > first at Wed Jul 30 00:47:36 2003 > last at Wed Jul 30 03:59:51 2003 > total 20347662 bytes to 6129 recipients > [probilling.com] host statistics: > [probilling.com] 216.130.184.194 sent 6129 messages > [probilling.com] first at Wed Jul 30 00:47:36 2003 > [probilling.com] last at Wed Jul 30 03:59:51 2003 > [probilling.com] total 20347662 bytes to 6129 recipients > [probilling.com] 6129 messages from 1 distinct host > > pinkflicks.com was referenced by 5230 messages > first at Wed Jul 30 00:44:49 2003 (5 messages) > last at Wed Jul 30 03:59:56 2003 > total 9936036 bytes to 5230 recipients > [pinkflicks.com] host statistics: > [pinkflicks.com] 216.130.184.195 sent 5230 messages > [pinkflicks.com] first at Wed Jul 30 00:44:49 2003 (5 messages) > [pinkflicks.com] last at Wed Jul 30 03:59:56 2003 > [pinkflicks.com] total 9936036 bytes to 5230 recipients > [pinkflicks.com] 5230 messages from 1 distinct host > > 11359 references to 2 distinct web sites > > Report completed at Wed Jul 30 07:18:15 2003 > Report generation took 381 seconds > > Sample was shorter this morning due to my getting out of bed late and > getting impatient to get more evidence to hang Webair with. Still, > the spam is flowing to my proxypot and not to the end-user targets, so > life is good. And Orza and Sagi at Webair will squirm yet some more > on the phone this morning. > > Rich === Yeah, the "power" of warnings === Path: uni-berlin.de!fu-berlin.de!skynet.be!skynet.be!freenix!sn-xit-02!sn-xit-06 !sn-xit-01!sn-post-01!supernews.com!news.supernews.com!news.rrclark.net!nobody From: spammers_lie@rrclark.net (Rich Clark, aka Left Rev Egg Plant, ULC, CotSG) Newsgroups: news.admin.net-abuse.email Subject: Re: Proxypot statistics from last night Date: Wed, 30 Jul 2003 06:37:17 -0400 Organization: Cult of the Chrome Skull Shift Knob -- Motor City Detachment Message-ID: References: <6f875393.0307291237.4ce55e4a@posting.google.com> User-Agent: slrn/0.9.7.1 (Linux) X-Complaints-To: abuse@supernews.com Lines: 98 Xref: uni-berlin.de news.admin.net-abuse.email:2036668 In article , Buss Error wrote: > mike@webair.com (Michael Orza) wrote in > news:6f875393.0307291237.4ce55e4a@posting.google.com: > >> Client called & warned that he is in violation of our TOS, if client >> continues they will be taken down. >> >> >> spammers_lie@rrclark.net (Rich Clark, aka Left Rev Egg Plant, ULC, >> CotSG) wrote in message >> news:... > snip >>> 216.130.184.194 sent 20528 messages > snip >>> 216.130.184.196 sent 12580 messages > snip >>> 216.130.184.195 sent 10051 messages > snip >>> >>> 43159 messages from 3 distinct hosts > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > I don't think they need a warning, I think they need to be disconnected. As > in right now. 43,159 spam attempts are not a silly mistake. Like thieves in the night, the Webair spammers at 216.130.184.194, .195 and .196 began sending in earnest again last night. Seems they took Mr. Orza's warning very seriously. Wed Jul 30 06:34:23 2003 799,1059561263: accepted connection on 69.14.152.239:1080 from 216.130.184.195:25480, created process 8541 Wed Jul 30 06:34:23 2003 799,1059561263: receiving socks version 4 request Wed Jul 30 06:34:23 2003 799,1059561263: allowing request for connection to 64.12.136.121:25 Wed Jul 30 06:34:23 2003 799,1059561263: starting fake SMTP session Wed Jul 30 06:34:23 2003 799,1059561263: client HELO name: "d14-69-239-152.try.wideopenwest.com" Wed Jul 30 06:34:23 2003 799,1059561263: starting new message 1 with MAIL FROM:<"anna16548anna@yahoo.com"> Wed Jul 30 06:34:23 2003 799,1059561263: msg 1: recipient RCPT TO:<"darkmagician4875@aol.com"> Wed Jul 30 06:34:23 2003 799,1059561263: msg 1: DATA beginning Wed Jul 30 06:34:23 2003 799,1059561263: msg 1: data: "Received: from aemail4u.com (15036 [103.193.42.179])\r\n\tby djallsopp.freeserve.co.uk (8.12.1/8.12.1) with ESMTP id 32191\r\n\tfor ; Wed, 30 Jul 2003 14:33:56 -0400\r\nReceived: from jam.rr.com ([246.171.20.149])\r\n\tby futures.co.uk (8.9.3/8.9.3) with SMTP id 4178\r\n\tfor ; Wed, 30 Jul 2003 14:33:51 -0400\r\nMessage-ID: <562826584gdunpdjlfldq7;:8Cdro1frp@onebox.com>\r\nFrom: \"Spacoom\" \r\nTo: \"darkmagician4875@aol.com\" \r\n" Wed Jul 30 06:34:23 2003 800,1059561263: accepted connection on 69.14.152.239:1080 from 216.130.184.195:24821, created process 8542 Wed Jul 30 06:34:23 2003 799,1059561263: msg 1: data: "Date: Wed, 30 Jul 2003 14:33:46 -0400\r\nSubject: Oral Sex techniques that men love! gdunpdjlfldq7;:8Cdro1frp\r\nMIME-Version: 1.0\r\nContent-Type: multipart/related;\r\n boundary=\"----=_NextPart_000_000D_04DD023B.09545234\"\r\n\r\n------=_NextPart_0 00_000D_04DD023B.09545234\r\nContent-Type: text/html;\r\nContent-Transfer-Encoding: base64\r\n\r\nPCEtLTI5MzgtLT48Ym9keSBiZ2NvbG9yPSNGRkZGODA+DQo8YSBocmVmPSJodHRwOi 8vd3d3\r\nLnBpbmtmbGlja3MuY29tLzEyNjE2Mjg1MjAiPjxGT05UIHNpemU9ND48Rk9OVCBjb2xvc j0j\r\nZmYwMDAwPk9uZSBEYXkgRnJlZSBUcmlhbCEhITwvRk9OVD48L0ZPTlQ+PC9BPjxCUj5Zb3Ug \r\n" Wed Jul 30 06:34:23 2003 800,1059561263: receiving socks version 4 request Wed Jul 30 06:34:23 2003 800,1059561263: allowing request for connection to 64.12.138.57:25 Wed Jul 30 06:34:23 2003 800,1059561263: starting fake SMTP session Wed Jul 30 06:34:23 2003 799,1059561263: msg 1: data: "YXJlIGp1c3QgYSBmZXcgc2ltcGxlIGNsaWNrcyBhd2F5IGZyb20gZ2V0dGluZyB0aGUgPGI+\r\nPGZ vbnQgY29sb3I9IiNGRjAwMDAiPk5FV0VTVDwvZm9udD48L2I+IGhvdHRlc3Qgc2V4IHNp\r\ndGUgb2 4gdGhlIG5ldCwgRlJFRSEhISA8Qj48YnI+DQo8QSB0aXRsZT1odHRwOi8vd3d3LnBp\r\nbmtmbGlja 3MuY29tLzEyNjE2Mjg1MjAgdGFyZ2V0PW5ld193aW4gaHJlZj0iaHR0cDovL3d3\r\ndy5waW5rZmxp Y2tzLmNvbS8xMjYxNjI4NTIwIj5XZSBBYnNvbHV0ZWx5IEd1YXJhbnRlZSAx\r\nMDAlIFNhdGlzZmF jdGlvbiE8L0E+PC9CPiBEb24ndCBzZXR0bGUgZm9yIGFueXRoaW5nIGxl\r\nc3MgdGhhbiB0aGUgYm VzdCB3aGVuIHlvdSBhcmUgb25saW5lIHNlYXJjaGluZyBmb3IgcGlj\r\n" Wed Jul 30 06:34:24 2003 800,1059561263: client HELO name: "d14-69-239-152.try.wideopenwest.com" Wed Jul 30 06:34:24 2003 800,1059561263: starting new message 1 with MAIL FROM:<"anna2145anna@yahoo.com"> Wed Jul 30 06:34:24 2003 799,1059561263: msg 1: data: "cywgZmxpY2tzLCBhbmQgY2hpY2tzLCB5b3VyIHRpbWUgaXMgdmFsdWFibGUgYW5kIHdvcnRo\r\nIGl 0ISA8YnI+DQo8QSB0aXRsZT1odHRwOi8vd3d3LnBpbmtmbGlja3MuY29tLzEyNjE2Mjg1\r\nMjAgdG FyZ2V0PW5ld193aW4gaHJlZj0iaHR0cDovL3d3dy5waW5rZmxpY2tzLmNvbS8xMjYx\r\nNjI4NTIwI j48Yj5DbGljayBIZXJlIGZvciB0aGUgTmV3ZXN0IFRlZW4gU2l0ZSBvbiB0aGUg\r\nbmV0ITwvYj48 L0E+PEJSPjxCUj48QlI+PEJSPjxCUj48QlI+PEJSPjxCUj48QlI+PEJSPg0K\r\nPC9CT0RZPg==\r\ n\r\n" Wed Jul 30 06:34:24 2003 799,1059561263: msg 1: DATA completed Wed Jul 30 06:34:24 2003 800,1059561263: msg 1: recipient RCPT TO:<"chickc5525@aol.com"> Wed Jul 30 06:34:24 2003 799,1059561263: QUIT request from client Wed Jul 30 06:34:24 2003 799,1059561263: ending session Tut, tut. Like I said, why Webair enjoys connectivity at all is beyond me. They belong in every router deny table on the planet. Spam-friendly is too kind a term to describe them. More statistics available in about an hour. Rich -- "The character and fitness concerns included petitioner's misconduct in college, history of substance abuse, criminal record and lack of candor since college concerning such matters. We are not satisfied that petitioner presently possesses the character and general fitness requisite for an attorney and counselor-at-law" - NY Supreme Court on spammer attorney Mark Felstein. http://www.courts.state.ny.us/reporter/slips/14968.htm TINLC Unit #2309 Death to all spammer accounts. WWSB? === And about the "we didn't know it was THAT bad" === Path: uni-berlin.de!fu-berlin.de!newsfeed.mathworks.com!nycmny1-snh1.gtei.net !news.gtei.net!news-out.visi.com!petbe.visi.com!sn-xit-02!sn-xit-04!sn-xit-06 !sn-post-02!sn-post-01!supernews.com!news.supernews.com!news.rrclark.net!nobody From: spammers_lie@rrclark.net (Rich Clark, aka Left Rev Egg Plant, ULC, CotSG) Newsgroups: news.admin.net-abuse.email Subject: Re: Proxypot statistics from last night Date: Thu, 31 Jul 2003 06:50:48 -0400 Organization: Cult of the Chrome Skull Shift Knob -- Motor City Detachment Message-ID: References: <6f875393.0307301442.5af9b124@posting.google.com> User-Agent: slrn/0.9.7.1 (Linux) X-Complaints-To: abuse@supernews.com Lines: 49 Xref: uni-berlin.de news.admin.net-abuse.email:2037358 In article <6f875393.0307301442.5af9b124@posting.google.com>, Michael Orza wrote: > Rich, honestly i wasnt aware that the client was this bad he's > down...as far as mine and sagi's "squirming"? comments like that are > completely unnecessary. We are professionals doing the best we can to > keep our network clean and maintaining thousands of clients. There is > a client, the client has been shut down...if there is anything further > you need please don't hesitate to call AGAIN =) Sir, Look at it from my perspective. I've given you more than enough evidence of egregious violations of your AUP to fry your client, literally thousands of messages dumped onto my hard drive by someone abusing third party machines to send their spam. You've got one hell of an AUP which allows you to disconnect them for any reason whatsoever, let alone abuse of this magnitude. However, you want to warn him and give him a second chance to reform. It's my own personal belief that you really should research these folks. ROKSO, NANAS and NANAE are full of entries and articles documenting a negative history for Dynamic Pipe/Python Video. SPEWS is full of network listings for Dynamic Pipe. And somehow they deserve a second chance? I call three times, a day to say, look at what's happening on your network and I get shined on, and the customer doesn't get unplugged until three days later? I'm sorry but that's poor network maintenance. The above attitude is exactly why there are so many outfits connected and spewing, the public is screaming for laws to regulate this nonsense and guys like myself are breathing down your neck to get these ratbags off the net. All I ever asked was to get this customer off the air. Really, my machine was probably not the only machine they were connected to and spewing through. Zero tolerance. It's the only answer. Suspend the account, let them call you and explain, but in cases like this, if I were in charge of the network being abused, it'd be, "Sorry, you're gone," followed by an invoice for $1000 clean-up fees. I had them dead to rights busted with their hand in the cookie jar. Rich -- "The character and fitness concerns included petitioner's misconduct in college, history of substance abuse, criminal record and lack of candor since college concerning such matters. We are not satisfied that petitioner presently possesses the character and general fitness requisite for an attorney and counselor-at-law" - NY Supreme Court on spammer attorney Mark Felstein. http://www.courts.state.ny.us/reporter/slips/14968.htm TINLC Unit #2309 Death to all spammer accounts. WWSB? === And Webair has guts to claim that they have the "zero-tolerance" policy === Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu !postnews1.google.com!not-for-mail From: mike@webair.com (Michael Orza) Newsgroups: news.admin.net-abuse.email Subject: Webair.com zero-tolerance approach to spam Date: 31 Jul 2003 11:02:26 -0700 Organization: http://groups.google.com/ Lines: 71 Message-ID: <6f875393.0307311002.6037eb71@posting.google.com> NNTP-Posting-Host: 4.43.119.5 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Trace: posting.google.com 1059674547 1145 127.0.0.1 (31 Jul 2003 18:02:27 GMT) X-Complaints-To: groups-abuse@google.com NNTP-Posting-Date: 31 Jul 2003 18:02:27 GMT Xref: uni-berlin.de news.admin.net-abuse.email:2037610 It would seem the word didn't get out to all who want to spam, that Webair has had zero tolerance for spamming the last two(?) years...! ---------------------------- NYC, NY (October 29, 2001)- Continuing the commitment to protect online customer security, Webair has released a newly revised Spam Policy in order to combat UCE (Unsolicated Commercial Email). Webair has worked hard to terminate known spammers from its networks, enforce stricter SMTP access control and network monitoring to remove spammers before they begin sending UCE. Webair Unsolicited E-Mail Policy: Webair Internet Development, Inc. (Webair) does not permit the sending of Unsolicited E-mail (Spam) over our network. This means that Webair customers may not use or permit others to use our network to transmit, relay, forward or otherwise facilitate the delivery of Spam. Furthermore, Webair customers may not host, or permit hosting of, sites or information (including, without limitation, any form of affiliate link) advertised by spam from other networks. Violations of this policy carry severe penalties, including termination of service with prior notice. Webair defines unsolicited e-mail as any message, especially one with a commercial purpose, that is sent to multiple recipients who are not personally known to the sender and who did not request that such messages be sent to them. Excessive posting of the same message, or of numerous materially similar messages, to Usenet newsgroups constitutes spam, as does any mailing to any e-mail list on which the recipients have not specifically requested to be included. Unauthorized use of anymail server to relay or forward outgoing mail is also forbidden. ANY INDIRECT OR ATTEMPTED VIOLATION OF THIS POLICY SHALL BE CONSIDERED A VIOLATION OF THIS POLICY, AND ANY ACTUAL OR ATTEMPTED VIOLATION OF THIS POLICY BY A THIRD PARTY ON BEHALF OF A WEBAIR CUSTOMER OR A CUSTOMER'S END USER SHALL BE CONSIDERED A VIOLATION OF THE POLICY BY SUCH CUSTOMER OR END USER. It is therefore advisable that Customers develop a similar, or stricter, policy for their clients and/or affiliated webmasters. Violation of Webair's spam policy will result in severe penalties. Upon notification of an alleged violation of our spam policy, Webair will initiate an immediate investigation (within 48 hours of notification). During the investigation, Webair may restrict customer access to the network to prevent further violations. If a customer is found to be in violation of our spam policy, Webair may, at its sole discretion, restrict, suspend or terminate customer's account. Further, Webair reserves the right to pursue civil remedies for any costs associated with the investigation of a substantiated policy violation. Webair will notify law enforcement officials if the violation is believed to be a criminal offense. By your use of the Webair network, you agree to defend, indemnify and hold harmless Webair Internet Development, Inc. and its directors, officers, its employees, sublicensees, and agents from and against all claims, defense costs (including reasonable attorneys^ and other expenses arising out of or in relation to your violation or alleged violation of this policy, including without limitations violations that independently constitute a violation of the Computer Fraud and Abuse Act (18 U.S.C. Crimes Act (Va. Code Ann. 1, 1999); and the Washington Commercial Electronic Mail Act ( Wash. Rev. Code Chapter 19.190 et seq.), even if otherwise permitted under this policy. Violation of Webair's SPAM policy may be reported to abuse@webair.com ----------------------------------------------------------------------- Webair AUP can be viewed here: http://www.webair.com/AUP.html === My responce === Path: uni-berlin.de!217.22.112.166!not-for-mail From: Dolphin Newsgroups: news.admin.net-abuse.email Subject: Re: Webair.com zero-tolerance approach to spam Date: 31 Jul 2003 19:06:23 GMT Organization: Private person Lines: 40 Sender: Alexander Sheremet Message-ID: References: <6f875393.0307311002.6037eb71@posting.google.com> NNTP-Posting-Host: 217.22.112.166 X-Trace: news.uni-berlin.de 1059678383 24344524 217.22.112.166 (16 [104765]) X-SPEWS: I am not X-newsgroup: news.admin.net-abuse.email X-PGP-key: 0xAAE2A579 X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579 User-Agent: slrn/0.9.7.4 (Linux) Xref: uni-berlin.de news.admin.net-abuse.email:2037651 #begin mike@webair.com.exe (or was it Michael Orza.com) message <6f875393.0307311002.6037eb71@posting.google.com> reply: > It would seem the word didn't get out to all who want to > spam, that Webair has had zero tolerance for spamming the last two(?) > years...! *You* *are* *the* *lying* *pr0n-haus* Go ahead, explain me this your so-called "zero tolerance for spamming": http://www.DolphinWave.org/spam/Webair.txt xponsor.com/sex-office.com have spammed me more than a year ago. They both were still connected to the SAME Webair's IPs half-year later. And xponsor.com is STILL being connected to the same IP as of now: $ host www.xponsor.com www.xponsor.com has address 216.130.163.22 And before you pull out your "rogue affiliate" card: "Zero tolerance" means "you spam - you are out". In the Webair's case "you spam and we will warn you that if you spam again we will warn you even more". This is *not* a zero tolerance to spam. This is spam-support. And, while we are at it, how *this* also fits to your "zero tolerance": http://groups.google.com/groups?selm=200303182214.34981%402003.dolphinwave.org http://groups.google.com/groups?selm=200307030310.54166%402003.dolphinwave.org http://groups.google.com/groups?selm=200307310152.35808%402003.dolphinwave.org Words mean nothing when they are not backed up with deeds. Your words are nothing but cold air. Dolphin. -- URL: http://www.DolphinWave.org Mail: on the web page (no spam) ICQ: 6615461 === More Webair's IPs to block. Reason? Pr0n spam, of course === Path: uni-berlin.de!fu-berlin.de!peer01.cox.net!peer02.cox.net!cox.net !news3.optonline.net!cyclone.rdc-nyc.rr.com!news-west.rr.com!news.rr.com !cyclone.tampabay.rr.com!news-post.tampabay.rr.com !twister.southeast.rr.com.POSTED!53ab2750!not-for-mail From: spammersarevermin Newsgroups: news.admin.net-abuse.email Subject: WEBAIR Reply-To: spammersarevermin@krumpli.com Message-ID: <50goovgaral6s21vc43jg9mrmrajvalhpd@4ax.com> X-Newsreader: Forte Agent 1.8/32.548 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Lines: 34 Date: Tue, 14 Oct 2003 18:40:45 GMT NNTP-Posting-Host: 24.199.147.10 X-Complaints-To: abuse@rr.com X-Trace: twister.southeast.rr.com 1066156845 24.199.147.10 (Tue, 14 Oct 2003 14:40:45 EDT) NNTP-Posting-Date: Tue, 14 Oct 2003 14:40:45 EDT Organization: Road Runner - NC Xref: uni-berlin.de news.admin.net-abuse.email:2087400 Today's latest for 216.130.180.79- www.dataratings.com from webair. As I don't believe that any single, useful, non-pornographic, non-spammed, non-POS, 1 or 0 has ever come out of webair IP space, we are now blocking: Web Air (WEBAIR) Webair (WEBAI) Webair Internet Development Inc (WAIR) Webair Internet Development Inc (AS27257) WEBAIR-INTERNET 27257 Web Air WEBAIR (NET-216-25-44-105-1) 216.25.44.105 - 216.25.44.124 Webair WEBAIR-119-15 (NET-4-43-119-0-1) 4.43.119.0 - 4.43.119.127 Webair Internet Development Inc WEBAIRINTERNET (NET-216-130-160-0-1) 216.130.160.0 - 216.130.191.255 Webair Internet Development Inc WEBAIRINTERNET2 (NET-69-42-64-0-1) 69.42.64.0 - 69.42.79.255 Webair Internet Deveopment SPEK-TONYADSL-0 (NET-216-27-155-144-1) 216.27.155.144 - 216.27.155.159 216.25.44.96/28 4.43.119.0/25 216.130.160.0/19 69.42.64.0/20 or even easier 69.0.0.0/8 since wholesalebandwidth,etc are in there as well... 216.27.155.144/28 Did I miss any? Tom Spamming this account signifies your unqualified consent to a free security audit === And more pr0n spam from Webair's IPs === Path: uni-berlin.de!fu-berlin.de!nf3.bellglobal.com!snoopy.risq.qc.ca!torn!utnut !news1.chem.utoronto.ca!no.email From: "David C. Stone" Newsgroups: news.admin.net-abuse.email Subject: Wickedoffers.com spamming from Webair space Date: Mon, 24 May 2004 10:19:31 -0400 Organization: Department of Chemistry, UofT Lines: 62 Message-ID: <240520041019311930%no.email@example.com> NNTP-Posting-Host: slip3.chem.utoronto.ca Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Trace: news1.chem.utoronto.ca 1085408260 13741 142.150.224.88 (24 May 2004 14:17:40 GMT) X-Complaints-To: news@chem.utoronto.ca NNTP-Posting-Date: 24 May 2004 14:17:40 GMT User-Agent: YA-NewsWatcher/4.2.3 Xref: uni-berlin.de news.admin.net-abuse.email:2201380 Spam origination and bounce handling in the same IP space, website hosted at spam-nest cta.cq.cn (SBL9791, SBL10762, SBL11876) What is Webair's rep. wrt spamming customers? host wickedoffers.com wickedoffers.com has address 69.42.86.169 OrgName: Webair Internet Development Inc OrgID: WAIR Address: 333 Jericho Tpke Address: Suite 200 City: Jericho StateProv: NY PostalCode: 11753 Country: US NetRange: 69.42.64.0 - 69.42.95.255 CIDR: 69.42.64.0/19 host www.hotsingledates.com www.hotsingledates.com has address 219.153.7.124 inetnum: 219.151.128.0 - 219.153.255.255 netname: CHINANET-CQ descr: CHINANET Chongqing province network descr: China Telecom descr: A12,Xin-Jie-Kou-Wai Street descr: Beijing 100088 country: CN admin-c: CH93-AP tech-c: CQ235-AP mnt-by: MAINT-CHINANET mnt-lower: MAINT-CHINANET-CQ changed: hostmaster@ns.chinanet.cn.net 20021209 status: ALLOCATED NON-PORTABLE source: APNIC Return-Path: Received: from 69.42.86.168 ([69.42.86.168]) by xxxxxxxxxxxx (8.11.6/8.11.6) with SMTP id i4O99Q218354 for ; Mon, 24 May 2004 05:09:26 -0400 Received: from 148.20.148.172 by ; Mon, 24 May 2004 15:04:51 +0500 Message-ID: From: "Deanna" Reply-To: "Deanna" To: xxxxxxxxxxxxxxxxxxx Subject: Do you want to see my profile? Date: Mon, 24 May 2004 13:04:51 +0300 X-Mailer: xxxxx43 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--830150056728126" X-Priority: 3 X-MSMail-Priority: Normal Content-Type: text/plain; Content-Transfer-Encoding: 7Bit Hi I saw your profile online, if we you want to chat with me, please visit my profile at: http://www.hotsingledates.com/wm.html === New IP block, new spam... My complaint === From: Admin Organization: Private person Subject: [email] Spam (merchsolutions.com/internationalbilling.net/Daniel Vincetti)! [Fwd: Re: Dedicated merchant account for your website] Date: Wed, 3 Nov 2004 15:05:40 +0200 User-Agent: KMail/1.5 X-KMail-Link-Message: 1742757 X-KMail-Link-Type: forward To: , spam@uce.gov, nanas@killfile.org, antispam@webair.com, abuse@gblx.net, postmaster@webair.com, abuse@ev1.net, abuse@directnic.com, hostmaster@directnic.com, postmaster@melbourneit.com, abuse@melbourneit.com X-Complaints-To: abuse[@]dolphinwave[.]org (live person) X-PGP-key: 0xAAE2A579 X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579 X-No-Confirm: Yes MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200411031505.40976@2004.dolphinwave.org> Status: RO X-Status: S X-KMail-EncryptionState: X-KMail-SignatureState: Spammer: [209.200.11.153] Webair Internet Development IP block [209.200.0.0 - 209.200.31.255]. Mail from: vincetti@merchsolutions.com Collects replies to: vincetti@merchsolutions.com Spamvertised web page: http://www.merchsolutions.com Used for domain registration: daniel@internationalbilling.net www.merchsolutions.com [209.200.11.150] ====================== Registrant: International Billing P.O Box 406 New Farm Brisbane, Queensland 4152 AU +61.732540110 Domain Name: MERCHSOLUTIONS.COM Administrative Contact: Manager, The daniel@internationalbilling.net P.O Box 406 New Farm Brisbane, Queensland 4152 AU +61.732540110 Technical Contact: Manager, The daniel@internationalbilling.net P.O Box 406 New Farm Brisbane, Queensland 4152 AU +61.732540110 Record last updated 10-11-2004 09:10:19 PM Record expires on 10-11-2006 Record created on 10-11-2004 Domain servers in listed order: NS1.MERCHSOLUTIONS.COM 67.15.86.74 NS2.MERCHSOLUTIONS.COM 67.15.86.78 Webair Internet Development IP block [209.200.0.0 - 209.200.31.255]. Upstream: Webair (csa080.nyc.webair.net). Nameservers: ns1.merchsolutions.com, ns2.merchsolutions.com <== SPAMMERS. Registrar: directNIC.com. ns1.merchsolutions.com [67.15.86.74] ns2.merchsolutions.com [67.15.86.78] ====================== Everyones Internet IP block [67.15.0.0 - 67.15.175.255]. Upstream: Everyones Internet (gphou-66-98-241-119.ev1.net). internationalbilling.net [209.200.11.148] ======================== Domain Name.......... internationalbilling.net Creation Date........ 2004-06-22 Registration Date.... 2004-06-22 Expiry Date.......... 2005-06-22 Organisation Name.... D-Squared Organisation Address. P.O Box 406 New Farm Organisation Address. Organisation Address. Brisbane Organisation Address. 4005 Organisation Address. QLD Organisation Address. AUSTRALIA Admin Name........... The Manager Admin Address........ P.O Box 406 New Farm Admin Address........ Admin Address........ Brisbane Admin Address........ 4005 Admin Address........ QLD Admin Address........ AUSTRALIA Admin Email.......... daniel@internationalbilling.net Admin Phone.......... +61.732540110 Admin Fax............ Tech Name............ The Manager Tech Address......... P.O Box 406 New Farm Tech Address......... Tech Address......... Brisbane Tech Address......... 4005 Tech Address......... QLD Tech Address......... AUSTRALIA Tech Email........... daniel@internationalbilling.net Tech Phone........... +61.732540110 Tech Fax............. Name Server.......... ns1.merchsolutions.com Name Server.......... ns2.merchsolutions.com Webair Internet Development IP block [209.200.0.0 - 209.200.31.255]. Upstream: Webair (csa080.nyc.webair.net). Nameservers: ns1.internationalbilling.net, ns2.internationalbilling.net. Registrar: melbourneit.com. ns1.internationalbilling.net [67.15.86.74] ns2.internationalbilling.net [67.15.86.78] ====================== Everyones Internet IP block [67.15.0.0 - 67.15.175.255]. Upstream: Everyones Internet (gphou-66-98-241-119.ev1.net). ---------- Forwarded Message ---------- Received: from 217.22.114.25 ([209.200.11.153]) by mail.dolphinwave.org (8.12.8/8.12.8) with SMTP id iA3CH3p6028048 for ; Wed, 3 Nov 2004 14:17:07 +0200 Received: from 105.56.78.156 by ; Wed, 03 Nov 2004 17:08:54 +0500 Message-ID: From: "Daniel Vincetti - Merchant Solutions" Reply-To: "Daniel Vincetti - Merchant Solutions" To: abuse@### Subject: Re: Dedicated merchant account for your website Date: Wed, 03 Nov 2004 09:08:54 -0300 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--495307303596589181" X-Originating-IP: 217.22.114.25 <== FORGERY, MY IP <== X-AntiVirus: checked by AntiVir Milter 1.0.6; AVE 6.28.0.12; VDF 6.28.0.50 X-Loop: dev.null@dolphinwave.org Status: R X-Status: N X-KMail-EncryptionState: X-KMail-SignatureState: Dear Sir/Madam, I am just following up from an email sent last week regarding the possibility of using our credit card processing solutions for your business. Merchant Solutions would be happy to open a dedicated merchant account for your site. You can choose the name that appears on your customers credit card statements etc. You will have the ability to process: Visa, Mastercard, Amex, Diners, Jcb, Bankcard, web900 phone billing (ads purchase onto there phone bill) and direct debit payments from customer's bank accounts in over 200 countries. Our rates are between 2% and 9% depending on the type of business and risk involved. Our system allows for recurring membership sites, connection to existing shopping carts and multi currency - process transactions in over 200 currencies. We offer same day setup, lowest processing fees in the industry, weekly on time payouts and reporting! Additionally we have a whole suite of services we can provide you, please visit our site http://www.merchsolutions.com for more information or contact us directly using the contact form at http://www.merchsolutions.com Yours sincerely, Daniel Vincetti Sales Dept. Merchant Solutions -"www.merchsolutions.com" We look forward to helping you achieve your business needs. ------------------------------------------------------- === And what with the old pr0n spammers? They are still connected, 2+ years! === === Testing xponsor.com on November 3rd, 2004 === $ host www.xponsor.com www.xponsor.com has address 216.130.163.22 $ jwhois 216.130.163.22 [Querying whois.arin.net] [whois.arin.net] OrgName: Webair Internet Development Inc OrgID: WAIR Address: 333 Jericho Tpke Address: Suite 200 City: Jericho StateProv: NY PostalCode: 11753 Country: US NetRange: 216.130.160.0 - 216.130.191.255 CIDR: 216.130.160.0/19 NetName: WEBAIRINTERNET NetHandle: NET-216-130-160-0-1 Parent: NET-216-0-0-0-0 NetType: Direct Allocation NameServer: NS.WEBAIR.NET NameServer: NS2.WEBAIR.NET Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate: 2001-03-12 Updated: 2001-11-14 TechHandle: ZW64-ARIN TechName: IPAdmin-Webair TechPhone: +1-516-938-4100 TechEmail: IPAdmin@webair.com OrgNOCHandle: ZW64-ARIN OrgNOCName: IPAdmin-Webair OrgNOCPhone: +1-516-938-4100 OrgNOCEmail: IPAdmin@webair.com OrgTechHandle: ZW64-ARIN OrgTechName: IPAdmin-Webair OrgTechPhone: +1-516-938-4100 OrgTechEmail: IPAdmin@webair.com === Webair's abuse department in "action" === From: Ashton Newsgroups: news.admin.net-abuse.email Subject: Tight loop User-Agent: MT-NewsWatcher/3.4 (PPC Mac OS X) Date: Thu, 03 Mar 2005 12:25:01 -0500 Message-ID: Lines: 18 X-Comments: This message was posted through From: "sagi" "We have processed your request, AND we have determined that the IP address (207.99.65.78) has been delegated To: (Webair), email address: (sagi@webair.com) We have forwarded a copy of this complaint To them AND ask that you contact them directly should you have any additional queries." I wonder how well that automatic forward-to-self thing is working for them. ----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==---- http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups ----= East and West-Coast Server Farms - Total Privacy via Encryption =----