by Jeffrey Race

Version 2.23   January 13, 2003
For additional resources please refer to Nuggets



Unsolicited Commercial E-mail (UCE) or spam interferes with Internet use by clogging incoming mail channels and preventing users from posting to newsgroups or placing an e-mail address on a webpage, because spambots harvest victim e-mail addresses from both sources.

Many e-mail users employ filters or "just hit the Delete key", but these sauve qui peut measures leave intact the technical burden and financial costs on the international network.

The system described here, while taking a few minutes daily, actually eradicates Internet villains. Performing these exercises for every incoming spam provides an enjoyable, educational and socially useful challenge. One feels a real high upon receiving something like this actual message:

   From: Abuse-EG <abuse@e-gold.com>
   Subject: RE: Are you tired of waiting for commission checks?
   Date: Fri, 24 Aug 2001 10:40:04 -0400

   Thank you for bringing this matter to our attention. This individual's e-gold account has been shut down.

Bear in mind that there are three types of spammers: clueless innocents who were misinformed they could get rich quickly by spamming; professional rogue spammers like Sanford Wallace and Alan Ralsky, and mainstream companies. The measures described here are effective against clueless innocents and contribute to holding back the torrent from the rogues. They are important right now to create a decisively hostile public climate against spamming, such as exists against public smoking, so that mainstream firms will not move in this direction. This is a serious incipient threat (if we can believe the campaign of the US Direct Marketing Association) and the community needs to sound off very plainly (using 100% negative feedback) rather than offer up the silence which now results from filters and "just hit Delete". This remains a work-in-progress so send comments and suggestions to graphic of e-mail address


To solve the spam problem I gradually developed the following procedures by reading resources available on the Web, testing, talking with security staff of various backbone providers and webhosts, and refining the procedures after seeing what worked and what failed. This exercise taught me a lot about TCP/IP and about various software utilities, and it worked! Incoming spam dropped markedly. This article aims to save you, gentle reader, my lengthy educational process and to let you begin this enjoyable task straightaway.

Once the proper software tools are installed, each spam-killing action should take two minutes or less.


Text preceded by > generally means something extracted or quoted from a message;
Text like this generally means a URL or fragment, according the RFC syntax;
Text "like this" generally means a quotation, an editorial highlight,
or an alias in an e-mail address.


As antisocial characters spammers themselves will not willingly stop misbehaving. Some of the measures described here definitively block spam; others complicate spammers' lives so much that they give up, or the don't-care mail system administrators get motivated to act against the spammers they harbour.

Spam requires both an upload and a return path. Spammers can be stopped only by blocking these paths. Effective spam-killing entails identifying the upload and return paths, gathering all the data needed to cut them, and submitting to the proper authority. The process takes little time if one has the tools and the knowledge. Several excellent utilities exist (such as Spamcop) to automate the process. But such utilities do not offer the intellectual stimulation and challenge of this manual procedure, which requires ingenuity to unlock the tricks clever spammers use, continually exceeding the subtlety of automated routines. So, be active. If you lack time, use Spamcop. If you have a few minutes a day, and want fun and education, use the following.

Experience shows that many persons charged with internet management responsibilities are well informed and can act against spammers with the smallest hints. But many others are totally clueless, for example leaving relays open. A carefully crafted, polite wake-up message may educate such persons and inspire them to act. Sometimes a nice "thank you" will come back. I have received many.

Spam will diminish when large numbers of victims actively respond rather than hitting the Delete key or using filters. I have shut down many spammers and played bit parts in one or more criminal prosecutions. It can be done. Do your part!


Verify you have the following graphical or command-line utilities for your Operating System. Those unfamiliar with the structure of internet mail headers may wish to refer to the links in the resources box .

PING Utility to obtain IP address from alphabetic domain name or
from decimal form. Usually PING.EXE.
NSLOOKUP Utility to resolve an IP address from a Domain Name (forward DNS)
or a Domain Name from an IP address (reverse DNS);
utilizes a Domain Name Server (whose IP address must be supplied)
TRACEROUTE Utility to document IP address of each step along the path from own
to remote IP address. Used to determine upstream provider
of an offender. Usually TRACERT.EXE or TRACERTE.EXE, provided
with Operating System.
WHOIS Third-party shareware utility enabling graphical or command-line lookup
of IP address or domain name, as a quicker alternative to the registrar's
whois webpage. Utilizes the database of the registrar for the IP address
rather than a Domain Name Server as used by nslookup.   IP address
may be in dotted quad or decimal form.


C:\>ping [IP address as dotted quad, decimal, or domain name]
C:\>nslookup [IP address as dotted quad or domain name] [IP address of DNS]
C:\>tracert[e] [IP address, NETBLK, or domain name]
C:\>whois -h whois.xxxxx.yyy [IP address or domain name]

     where xxxxx.yyy is:

     ripe.net for Europe

     apnic.net for Asia

     aunic.net for Australia

     arin.net for Americas

     networksolutions.com for USA      (and will usually point to proper registry if not Network Solutions).

There are others for other domains. The internet Domain Name registrar list is available from ICANN for all countries.

The universal whois server whois.geektools.com routes queries to the proper host but often fails to connect. If so directly query the proper host, a good idea in any case for more complete data.

One can determine the proper reporting address even more quickly by querying Geektools in the following format from the command line.

   whois -h whois.geektools.com [IP address or domain name] abuse | more

(Geektools also has a universal webpage whois service.)


In the USA there is virtually no legitimate upload path for spam; except for the occasional rogue ISP spamming always entails violating a Terms of Service contract with an e-mail provider, or (in the case of a rogue ISP), violating the rogue's contract with his provider of Net connectivity.

In addition the Commonwealth of Virginia Criminal Code Title 18.2 (Chapter 5 Article 7.1 Computer Crimes) has since 1999 criminalized transmission of spam via facilities located in Virginia. Since Virginia is home to American's most important mailservers (UU.NET, PSI and AOL), many who formerly tolerated spam have moved to stop it as otherwise they become accessories to a crime. This fact can be used to get the attention of accessories.

Spammers knows these facts so attempt to utilize anonymous upload methods. There are basically two:

1-Terms of Service Fraud: Open a sacrificial account with an ISP, upload knowing the account will be immediately shut down. (This is civil fraud.)

2-Relay raping: Find a mail server open to public transmission. These are hard to find in the USA so spammers now utilize carelessly configured servers in Europe and Asia. (Relay raping is criminal trespass but the perpetrators usually seek foreign relays making criminal process impractical.)

In either case you the victim should report the spam to the person responsible for the upload server. If it is an ISP victimized by a phony account, he will shut it down and in some cases take legal action against the perp. If a case of relay raping, your message will alert the owner to the careless configuration.


1-Turn on [View full headers] in your mail client.

2-Ignore all the header items such as [From] and [Reply to] as these are often forged. Locate (usually at the top) the line of the form:

   Received: from PPPa85-JacksonvilleC1-1R2142.saturn.bbn.com []

Inside the brackets is the IP address of the final mail server in the route to your computer; it cannot be forged. In principle the datum before it (e.g. bbn.com) corresponds to this IP address and one could use it to report the spam. However it is easily forged so one must do a whois or nslookup lookup only on the IP address in brackets. In some cases the domain name does not appear even in the top line, only the IP address e.g.

   Received: from []

In this case you must determine the owner by a utility. First open a command line window and try whois

   C:\>WHOIS -h whois.arin.net | more

   Aimnet Corporation (NETBLK-SPRINT-CC76BF) SPRINT-CC76BF -

Since this step returns multiple owners, input the NETBLK code corresponding to the IP address of interest:

   C:\>WHOIS -h whois.arin.net NETBLK-SPRINT-CC76BF

The result is Aimnet.net so take a guess and send to abuse@aimnet.com.

This process can sometimes be hastened, with a valid domain name, by using abuse.net:

   C:\>whois -h whois.abuse.net aimnet.net

   postmaster@aimnet.net (default, no info)
In this case abuse.net does not show a special listing for spam reporting to aimnet.net so sending as above might have resulted in a bounce if the address were not enabled. (In fact the address existed but was just not in abuse.net's database.)


   C:\>whois -h whois.abuse.net bbn.com


shows a special abuse address.

Abuse.net works only with domain names, not IP addresses.

Use the piping operation | MORE for the command-line operations in order to view one screen at a time as many of the reports consist of hundreds of lines.

3-In your mail client click [Forward] and in the address window of the new message, enter the abuse reporting address. Depending on your OS you may be able to highlight the command-line text output of your Who-Is program and paste into the mail client's TO dialog window.

4-This produces a message with the original spam, a subject Fwd [original title] and the addressee as the designated mailbox for spam complaints e.g. [abuse@domainname.com].

Click send; it's done for the upload path.

Usually a robot will reply but occasionally a human with a nice note saying thanks. In some cases the autoresponder will provide more exact details of the correct procedure so read it carefully.

5-An example of relay-raping:

   Received: from ankaret.damek.kth.se []

   C:\>WHOIS -h whois.ripe.net
   Royal Institute of Technology
   S-100 44 Stockholm SWEDEN

   Coordinator: Hillbo, Anders (AH94-ARIN) AHI@NADA.KTH.SE +46 8 790 6273

I sent an alert message; the no-doubt surprised Mr. Hillbo replied:

   "This machine should have been fixed by our IRT team and the local sysadm at the department now."

So we cured someone who did not even know he was sick.

6-Here is a suitable text to use to people with open relays. This message will help clueless sysadmins (there are plenty!) by pointing them to all the right resources and giving them the tools to test their own relays for vulnerability. (Offering help rather than just a complaint increases your chance of a favourable hearing.)

The use of the nslookup utility is shown here.

If you have a few more moments check the IP address of the open relay against the MAPS relay blacklist. If not yet blacklisted, nominate it according to the MAPS nomination procedure:

    Just send one full spam to relays@mail-abuse.org. In the body of your
    email, above the full spam, make sure you add a line that says:

    Relay: (ip address)

    Replace (ip address) with the IP address of the server you've received
    the relayed spam from. Make sure there's nothing else on that line.
    Make sure that the submitted spam contains full headers (don't
    delete or obscure system names or email addresses) and complete body
    text. Also, make sure that you're sending plain text, not a mime-attachment.


Every incoming spam should result in your sending a message as above to the party responsible for the upload path. However the spammer's payoff arrives via the path which returns business from the occasional customer. That is the payload: it is not anonymous, and it should be the key target if available. In the easy cases every spam recipient should hit this target as it takes only a few moments; harder cases are described at the end for those who have a few more minutes and enjoy a sporting challenge.


The two easy cases are:

- spammer provides an e-mail address for the solicited business;

- spammer provides a website for the solicited business.

If an e-mail path, simply send a message as above to <abuse@domain.com> where <domain.com> is the highest-level domain name of the path the spammer provides for the return business. This will often be shown as a commonly-formatted e-mail address, and sometimes as a [mailto] tag which must be clicked to bring up the e-mail address. A sample is shown here.

If a website path, there are both simple and complex variants.

In the simple variant, the spammer points to his own website. In such a case there are two proper authorities to receive your complaint: the webhost (unless the spammer is hosting his own site, in which case he will ignore you) and the provider of the website's connectivity.

Very few American firms will provide connectivity to a known spamming operation, so you will almost always shut down the spammer by complaining to his provider. Find this by running traceroute on his IP address or domain name. Go back up one level to determine the provider of connectivity and run whois. Refer to this sample which illustrates reporting to a legitimate firm controlling an IP address being abused as a spamsite, and this sample which illustrates reporting to the upstream provider. Note that the samples includes both the original spam text, its full headers, and all the tracing information, as an aid to the abuse desk of the responsible organization.

**Important note**

There is a complex variant in which the spammer does not point directly to his website but puts up a sacrificial page on a free web-hosting site, which points to his page. Complain to the owner of the free web-hosting site (who needs to know he is being victimized) but be sure to

  1-"click through" to the spammer's site;
  2-[Save As] to a temporary filename the html code of the click-through page and append to
    the original spam text that you use to complain, noting that it is the click-through html code;
  3-get the IP address of the destination page (run whois on its URL);
  4-complain to the provider of Net connectivity to the destination page;
  5-complain to the operators of any servers used in the
     destination page, such as e-mail addresses or counters like [beseen.com].

Refer to this click-through sample.

If the spammer operates his own website, one should carefully inspect the listed registration (as shown with whois) for fraudulent information such as a bogus address or phone number. This is ordinarily a TOS (Terms of Service) contract violation and should be reported to the domain registrar with a polite but firm request to deregister the fraudster.


Spammers are getting smarter and so in addition to the click-through method they also obfuscate their IP addresses in various ways to discourage tracing. However if an Internet router can understand the address, so can you. It just takes another step or two. In you are interested in the gory details of obfuscation, please read this article.

If the address is provided in decimal form, you can ping it to get the dotted quad form; this sample shows how. (You can also use whois but not nslookup on an address in decimal form.)

But sometimes ping will not work because the spammer turns off ping on his server. In this case use one of two excellent sites with multiple anti-spam tools including decoding engines:

Sam Spade: multiple help tools including Dejanews, relay check, whois, USPS, decimally-coded converter

Geektools: calculator, whois, dns lookup, traceroute, browser, blackhole

An additional refinement is to invoke the "Save As" browser function to create a disk file of the spammer's return-path page. Study this carefully in a text editor such as Notepad for any e-mail addresses or URLs and then send the saved file with a complaint message to the administrators of all referenced e-mail facilities and URLs. One can also use the Sam Spade "safe browser" utility as it shields your IP address and cookie file from the spammer; it's also faster because it doesn't load graphics.

A final complication with whois: often the record in the registrar's database is ambiguous or even wrong, either by errors creeping through with the passage of time or by intent of the domain name owner. In particular the listed domain server may be wrong, especially if the villain has been kicked off his originally listed service. Therefore do not trust a listed domain server as the target of a complaint. Always ping a domain name to verify the current IP address of that domain. Only then submit your complaint. Here is an example of an ambiguous or outdated DNS registration. Don't hesitate to report an incorrect registration to the registrar (especially if transparently intentional) as registration contracts require submission and maintenance of accurate data.


The other return paths are via toll or toll-free phone numbers, fax numbers and postal addressses.

There is no reliable registry or reverse lookup of toll-free numbers, but it is certainly worth a call to the number to tell the person who answers that he ought to get a job with an honest employer rather than a low-life spammer. If TOS fraud or relay-raping is involved, inform the McDonalds dropout who is taking the calls that he is an accessory to fraud and he's now on notice. (Encourage your friends to call too, once each, and they should take their time explaining why spamming is bad; remember: the spammer pays for the incoming calls.) Do NOT make harassing, threatening or repetitive calls since the calling phone number is available via caller ID to the owner of the toll-free number.

Toll numbers may be input to Internet reverse-lookup engines such as Infospace and occasionally will produce a hit. In this case one can follow the Better Business Bureau or legal routes below.

Spammers often use such free faxing services as Efax and J2 to collect responses. You can use the "my account" or "lost password" links on their home pages to verify the number's owner, and then inform the fax service owner of the abuse of his service.

For postal addresses one can run a lookup against Mailboxes Etc to verify whether it is a private postbox. One can also use the address/business-category lookup utility at Superpages to verify whether the address is a "mail receiving" or "pack and ship" service. If confirmed report to the facility's operator that he is serving a spammer, including as appropriate any verified details of TOS fraud or criminal trespass so he knows he is on notice as being an accessory to these offenses.

USA postal addresses can be verified and clarified at this site.

The owner of a US Postal Service rented mailbox may be determined by filing Form 1093 with the Postmaster of the host facility. Proof must be provided that the mailbox is used for public contact (a copy of the spam suffices.) In cases where one can identify the spammer (e.g. the registered owner of a spamming website) one can complain to the Better Business Bureau, or to state consumer protection authorities. Virginia, California and Washington have now criminalized spamming and also allow for civil damages. Refer on the The Sue Spammers Project list and archive for details on how to proceed at law in appropriate cases.

Complaints may be lodged with state consumer protection bodies or the appropriate state attorney general seeking deregistration of spamming companies on the ground that they are violating their corporate charter (to conduct any legal business) by emitting Internet marketing frauds using forged headers and return addresses and violating the ISP Terms of Service contracts as a matter of company policy. (As noted above, it is necessary to violate the TOS contract in order to upload spam, so any spammer is ipso facto committing a civil fraud, and now in Virginia a criminal offense as well, by conducting a marketing campaign utilizing spam.)

The initial letters can be sent to the attorney general of the state in which the spammer is registered as shown by Internic. Your letter should request deregistration of the spammer's business for the reasons described above.

Resources to look up fictitious ("business" names or DBAs) can be accessed for all states from the following two URLs:

National Association of Attorneys General (NAAG)

National Association of Secretaries of State (NASS)

To complain via the Better Business Bureau, access the BBB website and click on "Find your local BBB".


In your letters or e-mails, always use as Subject "Internet marketing fraud". If the upload path was in Virginia (usually UU.NET, PSI or AOL) say <criminal internet marketing fraud> and note in the body that the recipient may be an accessory in this crime now that he is witting of his participation.

The following types of spams, if directed to USA addresses, should be reported (from anywhere in the world) as follows.

Stock promotions cyberfraud@nasaa.org
Pyramid schemespyramid@ftc.gov
Drugs, on-line medical advice otcfraud@cder.fda.gov
Child pornographycomplaints.detroit@fbi.gov
Nigeria scams 419.fcd@usss.treas.gov
Internet fraud http://www1.ifccfbi.gov/cf1.asp

Current and prospective victims of the Nigeria scam outside the USA should consult this site for reporting instructions. (Consult also for header details before reporting to the US Treasury address above.)


Don't hesitate to nominate for the Realtime Blackhole List (RBL) any ISP emitting spam or any firm hosting spamvertized websites. Big internet firms generally ignore their victims as a matter of course because these firms profit from the "environmental polluter" business model; it is only when their internet connectivity is cut that they start to pay attention. Earthlink has just confirmed the truth of this statement in a recent legal pleading.

Do the same for open relays with the RSS.

Be active. Eradicate a spammer a day. Every victim can make a difference!


Received: from out2.ibm.net [] by in4.ibm.net id 934000826.120080-1 ; Sat, 07 Aug 1999 04:40:26 +0000
Received: from slip202-135-81-174.bg.th.ibm.net (slip202-135-81-174.bg.th.ibm.net []) by out2.ibm.net (8.8.5/8.6.9) with SMTP id EAA36394; Sat, 7 Aug 1999 04:40:14 GMT
Message-Id: <199908070440.EAA36394@out2.ibm.net>
From: (victim)
To: "ingo.stampe@mediaways.net" <ingo.stampe@mediaways.net>,
"hostmaster@mediaWays.net" <hostmaster@mediaways.net>
Date: Sat, 07 Aug 99 09:00:17 +0700
Subject: You provide connectivity to sex scum server host

Dear Media-ways,

According to traceroute below, you provide connectivity to a porno server host operated by Tripod.

Please cut connectivity and confirm.If you continue to provide connectivity to spammers, I will nominate you for the Realtime Blackhole List.

Thank you for your cooperation in upholding Internet standards.

Kind regards,

(victim's signature block)

   [C:\]nslookup 1043619229
   Server: nscache.ibm.net

   Name: members.uk.tripod.de

   0 bang1br1-tok1.ba.th.ibm.net ( 188 ms 187 ms 157 ms
   1 bang1br1-tok1.ba.th.ibm.net ( 156 ms 157 ms 156 ms
   2 sydn1br1.nz.ibm.net ( 312 ms 375 ms 407 ms
   3 lang1sr1-2-0-1.ca.us.ibm.net ( 531 ms 468 ms 469 ms
   4 lang1br1-ge-1-0-0-0.ca.us.ibm.net ( 469 ms 469 ms 468 ms
   5 sfra1br2-at-2-0-1-3.ca.us.ibm.net ( 563 ms 500 ms 500 ms
   6 sfra1sr3-so-1-0-0-0.ca.us.ibm.net ( 531 ms 500 ms 500 ms
   7 pac-bell-ii.ans.net ( 531 ms 500 ms 656 ms
   8 pacbell-nap.ans.net ( 531 ms 531 ms 500 ms
   9 ( 532 ms 594 ms *
   10 f1-1.t60-7.Reston.t3.ans.net ( 593 ms 594 ms 594 ms
   11 f0-0.c60-13.Reston.t3.ans.net ( 687 ms 719 ms 594 ms
   12 h0.enss3409.t3.ans.net ( 625 ms 844 ms 687 ms
   13 ( 844 ms 781 ms 687 ms
   14 ( 782 ms 750 ms 719 ms
   15 ( 875 ms 750 ms 719 ms
   16 ( 750 ms 969 ms 812 ms
   17 rlyc-gtso-de03.nw.mediaways.net ( 750 ms 813 ms 906 ms
   18 * * *

NOTE: To protect itself against spammers, Tripod configured its servers not to respond to traceroute requests.


inetnum: -
netname: MWAYS-CORE
descr: BB-MediaWays
country: DE
admin-c: SM151-RIPE
tech-c: IST1-RIPE
mnt-by: MDA-Z
changed: hostmaster@mediaWays.net 19990318
source: RIPE

descr: mediaWays GmbH
origin: AS6805
remarks: netname: MWAYS-CORE
remarks: netcc: DE
mnt-by: MDA-Z
changed: ingo.stampe@mediaways.net 19970818
source: RIPE

===============BEGIN FORWARDED MESSAGE==================
Received: from 02-102.004.popsite.net [] by in5.ibm.net id
933988418.86980-1 ; Sat, 07 Aug 1999 01:13:38 +0000
Message-ID: <<199904211931.VAA03920@tfe2.tripod.de>>
From: premiumxxx@email.com <premiumxxx@email.com>
Reply-To: hardcoreflesh@snap.com
Subject: Hello (51142)
Date: Sun, 27 Jan 1991 19:46:02 -0400 (EDT)
Get 7 days free!!!
This weeks featured adult site is giving out passes
to everyone. Rated #1 for XXX Hardcore Material
Over 1 Gig of XXX content including live shows
and full length videos with audio

You must be 18 or older to view the hyperlink above. If you are
than 18 please do not visit this site.

To be removed"mailto: premiumxxx@email.com place remove me in the
subject line.
===================END FORWARDED MESSAGE===================
Return to text    Return to top


Cyberkit graphical utility for Win9x/NT combining ping, traceroute and whois.
Whois12.zip unzips to produce command-line whois for OS/2.
IPNetMonitor which provides ping, nslookup and traceroute for the Mac platform.
Where to get ping (for Win9x) and how to use it
How to Obscure Any URL
The Suespammers Organization (Subscribe, unsubscribe, etc: Send "help" in body of message to suespammers-request@spamcon.org.)
Spam-L FAQ detailing how to decode headers, how to respond to spam, and how to sign up for the Spam-L newsgroup.
Internet Engineering Task Force documents about the DNS
Register of Known Spam Operations
A Spamware Vendor
RFC 2635 Guidelines for Mass Unsolicited Mailings and Postings (spam)
RFC-Ignorant.org, a project to sanction IP addresses or Top Level Domains providing inaccurate contact data.
Netdemon URL de-obfuscator
NANA [news.admin.net-abuse.* Homepage]
Falk Glossary of Spam Terms
Spam acronyms
More acronyms

Return to text    Return to top

Subject: Pls shut down spam access

Dear Sir,

I received the attached unsolicited commercial e-mail via your network. (Refer to RIPE lookup result below.)

I have never had any business with the sender nor do I desire to do so. Incoming UCE is a burden on my firm and its employees, in terms of staff time wasted and the cost of bandwidth we pay for downloading mail we have no desire to receive.

[Please block spammers from accessing your mail server etc]

Kind regards,

Return to text    Return to top


Dear Sir or Madam,

My firm has received via your mail server the appended unsolicited commercial e-mail (UCE or "spam").

It is possible that you are running an open relay, which is bad practice, injurious to others, AND SUBJECTS YOU TO SERIOUS LEGAL LIABILITY.

We have never had any business with the sender nor do we desire to do so. Incoming UCE is a burden on our firm and its employees, in terms of staff time wasted and the cost of bandwidth we pay for downloading mail we have no desire to receive.

Please act promptly to secure your server against further abuse.

For technical resources to help you block security breaches in your mail server, please refer to the resources noted below.

Thank you for your cooperation.

Kind regards,

(victim's signature block)

=================RESOURCES TO SECURE MAIL SERVERS=================

To verify whether ports are open on your server, use the tool at
the following URL to test all ports. This tool will test ports
only at the calling IP address:

Refer to GRC's FAQ at    http://www.grc.com/faq-shieldsup.htm.

To test ANY IP address, use the tool at:

Another more basic tool is available at:

Specific instructions to repair your mail server are probably available at:

For best current practice read RFC 2505.

RFCs are available at:


Return to text    Return to top


To: "Spamcomplaints@cwixmail.com" <Spamcomplaints@cwixmail.com>
ReSent-Subject: Internet marketing fraud on your facility


You provide connectivity to the Internet marketing fraud appended. Please refer to traceroute below.

I have never had any business with the sender nor do I desire to do so. Incoming UCE is a burden on my firm and its employees, in terms of staff time wasted and the cost of bandwidth we pay for downloading mail we have no desire to receive.

Please act promptly to block connectivity to the perpetrator.

PLEASE NOTE My firm's SOP requires submission of your IP address for Realtime Blackhole listing unless you shut down the offender.

Kind regards,

(victim's signature block)

[C:\]whois -h whois.arin.net
Cable & Wireless USA (NETTBLK-CW-06BLK) CW-06BLK -
PINNATECH,INC (NETBLK-CW-206-100-120-2) CW-206-100-120-2 -

0 slip202-135-22-190 ( 562 ms 407 ms 500 ms
1 slip202-135-22-190 ( 531 ms 500 ms 500 ms
2 ( 406 ms 406 ms 500 ms
3 lang1sr1-2-0-1.ca.us.ibm.net ( 687 ms 812 ms 594 ms
4 lang1sr2-1-1-0.ca.us.ibm.net ( 687 ms 687 ms 688 ms
5 ( 718 ms 688 ms 687 ms
6 core2.WestOrange.cw.net ( 719 ms 656 ms 875 ms
7 border7-fddi-0.WestOrange.cw.net ( 875 ms 782 ms 687 ms
8 pinnatech-inc.WestOrange.cw.net ( 906 ms 813 ms 781 ms
9 web14.host5150.com ( 750 ms 781 ms 781 ms


6400 Weston Parkway
Cary, NC 27513

Netblock: -

IP Address Management (IA3-ORG-ARIN) ipadmin@CW.NET
919-378-6685 Fax- - 919-378-6595

==================BEGIN FORWARDED MESSAGE==================
Received: from ip160.pittsburgh5.pa.pub-ip.psi.net [] by in5.ibm.net id
929821675.17978-1 ; Sat, 19 Jun 1999 19:47:55 +0000
Message-ID: <80435.42189@isfrom.ww212.com>
From: nonmlm55900@ww212.com <nonmlm55900@ww212.com>
Subject: References Available . . .
Date: Sat, 19 Jun 1999 15:47:19 -0400 (EDT)
We have worked for this organization for more than a year and have
not received a single complaint regarding their followup activities.

This informational offer does not involve any form of multi-level
marketing and provides complete references.

At some point in the near future you may consider the rewards and freedoms of your own home based business.

THIS is worth considering - References are available!

No hype...No schemes...No chain letters... (...and no insulting sales pitch!)

This is an invitation to explore an opportunity that is not made up of hype, get-rich schemes and false promises.

Absolutely No MLM!!

This educational based program allows you to spend time helping others while building personal wealth for yourself and your family.

References, testimonials and evidence of success available.

It is ideal for professionals, downsize victims, teachers, caregivers and anyone that feels they can "make a difference". FT/PT

There are no inventories to purchase - no sales experience is required, and costs to get started are very affordable.

The following Web Site provides an online form for you to request additional information.

Return to text    Return to top


Received: from out2.ibm.net [] by in2.ibm.net id 935898557.178260-1 ; Sun, 29 Aug 1999 03:49:17 +0000
Received: from slip202-135-81-160.bg.th.ibm.net (slip202-135-81-160.bg.th.ibm.net [])
by out2.ibm.net (/) with SMTP id DAA127484;
Sun, 29 Aug 1999 03:49:08 GMT
Message-Id: <199908290349.DAA127484@out2.ibm.net>
From: [victim]
To: "help@IP.ATT.NET" <help@IP.ATT.NET>
Date: Sun, 29 Aug 99 10:49:03 +0700
Subject: You provide connectivity to Internet marketing fraud

Dear AT&T Fraud Desk,

According to appended traceroute, you provide connectivity to an internet marketing fraud mounted by "The Internet Advisory Corporation", a sex scum merchant operating from <> WHICH YOU HOST. The perpetrator uses fraudulently uploaded e-mail to promote the sex scum.

You are not to provide connectivity to such frauds which violate TOS of the server used to upload the fraudulent messages, and which use fraudulent headers.

Please cut connectivity to the offender.

Thank you for your cooperation in keeping the Net free of fraud.

Kind regards,

(victim's signature block)

101 Crawfords Corner Rd
Holmdel, NJ 07733-3030

Netname: ATT
Netblock: -
Maintainer: ATTW

Kostick, Deirdre (DK71-ARIN) help@IP.ATT.NET (888)613-6330

0 bang1br1-tok1.ba.th.ibm.net ( 2391 ms 1055 ms 203 ms
1 bang1br1-tok1.ba.th.ibm.net ( 336 ms 156 ms 157 ms
2 sydn1br1.nz.ibm.net ( 305 ms 289 ms 313 ms
3 lang1sr1-2-0-1.ca.us.ibm.net ( 492 ms 469 ms 500 ms
4 lang1br2-ge-6-0-0-0.ca.us.ibm.net ( 524 ms 477 ms 469 ms
5 sfra1br1-at-2-0-0-0.ca.us.ibm.net ( 664 ms 500 ms 500 ms
6 sfra1sr2-5-0-0.ca.us.ibm.net ( 523 ms 656 ms 492 ms
7 ( 515 ms 515 ms 532 ms
8 ( 524 ms 500 ms 500 ms
9 br3-a340s9.sffca.ip.att.net ( 523 ms 500 ms 532 ms
10 br1-p330.dlstx.ip.att.net ( 547 ms 563 ms 562 ms
11 ( 586 ms 562 ms 594 ms
12 sar1-a300s1.ormfl.ip.att.net ( 586 ms 593 ms 563 ms
13 ( 757 ms 586 ms 836 ms
14 ( 625 ms 617 ms 594 ms

[C:\]whois -h whois.arin.net
The Internet Advisory Corporation (NETBLK-INTERNETADVIS-176) INTERNETADVIS-176 -

==================BEGIN FORWARDED MESSAGE==================
Received: from ppp-22.ts-1-bay.mia.idt.net [] by in7.ibm.net id
935836757.143994-1 ; Sat, 28 Aug 1999 10:39:17 +0000
Message-ID: <45249.65892@server19.hypermart.net>
From: lisa584@usa.net <lisa584@usa.net>
Reply-To: lisa584@usa.net
Subject: Get It Before They Take It Away!!! (38553)
Date: Sat, 28 Aug 1999 06:38:34 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Transfer-Encoding: 7bit




40,000+ XXX PHOTOS!!!







If you like hot online action, then this is the site for you!!!

/end all/
Return to text    Return to top


Received: from out2.ibm.net [] by in5.ibm.net id 929178877.97922-1 ; Sat, 12 Jun 1999 09:14:37 +0000

Received: from slip202-135-22-151.sy.au.ibm.net (slip202-135-22-151.sy.au.ibm.net []) by out2.ibm.net (8.8.5/8.6.9) with SMTP id JAA83760; Sat, 12 Jun 1999 09:14:25 GMT

Message-Id: <199906120914.JAA83760@out2.ibm.net>
From: [victim]
To: "abuse@EXODUS.NET" <abuse@EXODUS.NET>
Date: Sat, 12 Jun 99 16:14:17 +0700
Subject: Internet marketing fraud via your connectivity

Dear Exodus Abuse Desk,

Per traceroute below, you provide connectivity to Internet marketing fraud named below.

I have never had any business with the sender nor do I desire to do so. Incoming UCE is a burden on my firm and its employees, in terms of staff time wasted and the cost of bandwidth we pay for downloading mail we have no desire to receive.

Please act promptly to block connectivity to the perpetrator.

(victim's signature block)

Perp:    C:\> whois aomori.com

   SoftAware, Inc. (NETBLK-SOFTAWARE-BLK3)
   4676 Admiralty Way, Ste. 217
   Marina del Rey, CA 90292

   Netname: SOFTAWARE-BLK3
   Netblock: -
   Maintainer: SFTA

   Weisberger, Jason (JW923-ARIN) jweis@SOFTAWARE.COM (310) 305-0275

0 slip202-135-22-190 ( 594 ms 750 ms 531 ms
1 slip202-135-22-190 ( 594 ms 406 ms 406 ms
2 ( 563 ms 500 ms 719 ms
3 lang1sr1-2-0-1.ca.us.ibm.net ( 750 ms 687 ms 594 ms
4 ibr01-s00100.irvn01.exodus.net ( 1000 ms 781 ms 719 ms
5 dcr01-f1-1-0.irvn01.exodus.net ( 844 ms 1093 ms 938 ms
6 acr02-f5-1-0.irvn01.exodus.net ( 594 ms 750 ms 719 ms
7 ( 750 ms 782 ms 750 ms
8 ( 750 ms 875 ms 625 ms

Exodus Communications Inc. (NETBLK-ECI-5)
1605 Wyatt Dr.
Santa Clara, CA 95054

Netname: ECI-5
Netblock: -
Maintainer: ECI

Center, Network Control (NOC44-ARIN) support@EXODUS.NET
(408) 486-5000 (FAX) (408) 486-5001

==================BEGIN FORWARDED MESSAGE==================
Received: from max-1-46.internetconnect.net [] by in6.ibm.net id 929164411.322070-1 ; Sat, 12 Jun 1999 05:13:31 +0000
Message-ID: <73424.33766@mail.elaco.net>
From: gbenson32671@jeecerz@elec.eng.uct.ac.za
Date: Fri, 11 Jun 1999 17:55:24 -0400 (EDT)

We supply state-of-the-art training and a support team and system that is the best in the industry. Allowing you to work your business from home using a computer and a phone (no cold calling).

Do not contact me if you are looking for a get rich quick scheme, loose cash or are just plain lazy. We are only looking for focused, serious entrepreneurs. Someone who is willing to work part-time or full-time to improve their lifestyle immediately!

If you have ever dared to DREAM of:

~ Owning your own Time

~ Controlling you own Financial Future

~ Feeling Good about what you do and Helping Others

Let us send you some information, that could change your LIFE! Just click on the link below and leave us your name, address, and phone number, and we will be contacting you.

Return to text    Return to top


Received: from out2.ibm.net [] by in7.ibm.net id 935310503.141204-1 ; Sun, 22 Aug 1999 08:28:23 +0000
Received: from slip202-135-81-145.bg.th.ibm.net (slip202-135-81-145.bg.th.ibm.net []) by out2.ibm.net (8.8.5/8.6.9) with SMTP id IAA12758; Sun, 22 Aug 1999 08:28:16 GMT
Message-Id: <199908220828.IAA12758@out2.ibm.net>
From: (victim)
Date: Sun, 22 Aug 99 15:28:12 +0700
Subject: You provide connectivity to criminal marketing fraud

TO: Mark Ishikawa, Coordinator, SuperBusiness

Dear Mark,

According to traceroute below, you provide connectivity to web1000.com, which operates a system of pornographic internet marketing frauds criminalized under the recent Virginia statute on UCE. They even advertise their webhosting service on the same webpage with the pornography. (I have record copies with me for future use.)

You are now on notice that you are a witting accomplice to web1000's criminal actions.

Please shut off connectivity to this fraud. If you continue to provide connectivity, the Virginia Attorney General can have your California corporate registration revoked for operating contrary to your charter (which is to conduct only legal businesses).

Kind regards,

(victim's signature block)

0 bang1br1-tok1.ba.th.ibm.net ( 187 ms 157 ms 187 ms
1 bang1br1-tok1.ba.th.ibm.net ( 156 ms 157 ms 218 ms
2 sydn1br1.nz.ibm.net ( 375 ms 313 ms 312 ms
3 lang1sr1-2-0-1.ca.us.ibm.net ( 594 ms 500 ms 468 ms
4 lang1br2-ge-6-0-0-0.ca.us.ibm.net ( 594 ms 468 ms 469 ms
5 sfra1br1-so-0-1-2-0.ca.us.ibm.net ( 531 ms 500 ms 875 ms
6 sfra1sr2-5-0-0.ca.us.ibm.net ( 531 ms 500 ms 500 ms
7 ( 500 ms 500 ms 500 ms
8 ( 500 ms 593 ms 500 ms
9 ar3-a3120s1.sffca.ip.att.net ( 500 ms 562 ms 563 ms
10 ( 593 ms 531 ms 532 ms
11 ( 524 ms 532 ms 531 ms
12 www.webjump.com ( 523 ms 532 ms 500 ms

   C:\>whois -h whois.geektools.com
   SuperBusiness NET, Inc. (NETBLK-SBN)
   150 Almaden Blvd, Suite 500
   San Jose, CA 95113

   Netname: SBN
   Netblock: -
   Maintainer: SBIZ

   Ishikawa, Mark (MI70-ARIN) marki@SBUSINESS.NET
   +1 (408) 278-4400 (FAX) +1 408 346-0661

==========================Web1000 sex spam 8-21-99======================

Received: from ip163.jacksonville4.fl.pub-ip.psi.net [] by
in2.ibm.net id 935223141.180274-1 ; Sat, 21 Aug 1999 08:12:21 +0000
Message-ID: <14847.71777@smtp.cegi.net>
From: christy16807@gte.net <christy16807@gte.net>
Reply-To: DinaSt@gte.net
Subject: Hello (267850)
Date: Tue, 21 Mar 1989 02:24:54 -0400 (EDT)
It is all about sex baby and I have it for you.
Come join me now and I will perform live for you.

Come visit me at: http://1043619229/aloha2u/index2.html

   Following URL is click-thru from above sacrificial URL


Return to text    Return to top


Received: from out2.ibm.net [] by in4.ibm.net id 935403745.146664-1 ; Mon, 23 Aug 1999 10:22:25 +0000
Received: from slip202-135-81-236.bg.th.ibm.net (slip202-135-81-236.bg.th.ibm.net [])
by out2.ibm.net (/) with SMTP id KAA34116; Mon, 23 Aug 1999 10:22:09 GMT Message-Id: <199908231022.KAA34116@out2.ibm.net>
From: (victim)
Date: Mon, 23 Aug 99 17:22:05 +0700
Subject: Fwd: Are You Paying Too Much? (55730)

Dear Sir,

I received the appended unsolicited commercial e-mail which operates using the facilities of your network.

I have never had any business with the sender nor do I desire to do so. Incoming UCE is a burden on my firm and its employees, in terms of staff time wasted and the cost of bandwidth we pay for downloading mail we have no desire to receive.

This UCE is also a CRIMINAL OFFENSE because it was sent in violation of TOS of UU.NET and as such is a crime under the Virginia computer crime statute. Your hosting this perpetrator makes you an accessory to the crime.

Please act promptly to close the perpetrator's account.

Thank you for your cooperation in suppressing internet crime.

Kind regards,

(victim's signature block)

   [C:\]PING 3490464476
   PING 3490464476: 56 data bytes
   64 bytes from icmp_seq=0. time=570. ms

   Infinity information, Inc. (NETBLK-SPRINT-D00C5F) SPRINT-D00C5F -

   Infinity information, Inc. (NETBLK-SPRINT-D00C5F)
   2611 Garden Road
   Monterey, Ca 93940

   Netname: SPRINT-D00C5F
   Netblock: -

   Ramaras, Rick (RR2556-ARIN) rramras@INFINITY-INFO.COM 4086568888

==================BEGIN FORWARDED MESSAGE==================
Received: from 1Cust179.tnt6.baton-rouge.la.da.uu.net
[] by in7.ibm.net id 935392770.136226-1 ; Mon, 23 Aug 1999 07:19:30 +0000
Message-ID: <tLizxXba+.Q91.Xw84ZMYN4P-KoqoAnIj@pop1.nettaxi.com>
From: exweega31356@msn.com <exweega31356@msn.com>
Subject: Are You Paying Too Much? (55730)
Date: Mon, 23 Aug 1999 01:44:24 -0400 (EDT)

Imagine Saving Up To 60% On Your Current Term Life Insurance? Savings Accrued Over The Years Can Be Better Spent By You According To Your Needs And Desires~

We Provide FREE ACCESS To The Very Best Companies And The Lowest Rates For Your Existing And Future Wants And Needs~


Let our professionals help you save money on your current premiums or help you get started with the least premium possible to meet your wants and needs. With a little information by COMPARE YOUR CURRENT COVERAGE to these 10-year level term monthly sample premiums for super-preferred non-smokers. (Sample smoker rates available as well)**

***Diversified Insurance is an independent information gathering firm. All information submitted is strictly confidential, and is transferred to licensed insurance professionals in your state of residence who will contact you and return your completed quote directly. Copyright 1999 Diversified Insurance. The information contained in this email message may not be published, broadcast, rewritten, or otherwise distributed without the express written consent of Diversified Insurance. http://3490464476

Return to text    Return to top


This spammer's registrar shows his domain server as but PING shows the webpages are actually served by (in Russia).

Query: realsexsurfing.com
Registry: whois.opensrs.net

Real Hosting Co
4087 West Street
Toronto, ON H7W5J7


Administrative Contact:
Bonno, Henry salty_2011@yahoo.com
4087 West Street
Toronto, ON H7B5J7

Domain servers in listed order:

   [C:\]ping realsexsurfing.com
   PING realsexsurfing.com: 56 data bytes
   64 bytes from icmp_seq=0. time=610. ms

   Registry: whois.ripe.net
   % Please visit http://www.ripe.net/rpsl for more information

   inetnum: -
   netname: BIGNET
   descr: (AA003000) JSC MobilTelecom
   descr: Astrakhan
   country: RU
   notify: rumb@bignet.ru
   changed: l.bulgak@transtk.ru 20010727

==================BEGIN FORWARDED MESSAGE==================
Received: from [] by hotmail.com (3.2) with ESMTP id
MHotMailBD5A438900B240043723D8FEA7D80B7A7; Sat, 01 Sep 2001 08:05:16 -0700
To: <Undisclosed Recipients>
From: Server07@msn.com
Subject: Unable to process your request
Date: Sat, 01 Sep 2001 04:50:26 -0400
Reply-To: Server07@msn.com

When you attempted to access our site earlier, you received an error.

We have corrected our site, thank you for your patience.

*A reminder, some of the realistic contents of our site
may not be recommended for anyone under 21

Return to text    Return to top

Copyright © 2001, 2002, 2003 by Jeffrey Race      Last updated January 13,   2003