Saturday, February 17, 2007

few things tick me off like spam

I get a lot of spam. Today, since 10:00 this morning, I've gotten 32 spam messages and four legitimate ones--and that's just counting what slipped past SpamAssassin. So it was especially interesting to find a spam message advertising spamming services ("Email Marketing- Easy and affordable"). It's interesting for a couple of reasons. First, it just plain cheeses me off that spammers are propagating themselves. Second, unlike the more common stock pump-and-dump scheme, if you're going to advertise spamming you have to include some way to contact you. So I dug into it a bit.

The message came from a machine called promailer.prserv.net, which has the same IP address as www.attbusiness.net. Both domain names are registered to AT&T.

The body of the message contains some evil spammer tricks. Basically, it's made up of a set of links (called imagemap links) to images on remote web pages. It's designed in such a way that, if you open the e-mail and your mail software doesn't have the proper protection in place, the mail software will connect to the remote server to display the images. In the process of connecting, it will send information that can uniquely identify that message. The net upshot is that the spammer can tell it's not only a valid e-mail address, but also that someone's reading the mail there.
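As an added example (not part of the original post, and not the spam message itself), the following Python code lists the remote references in an HTML message and separates those a mail client fetches on open from those contacted only on a click. The sample message, host names, token value and the identifier heuristic are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a mail client fetches automatically when rendering HTML.
AUTO_LOAD = {("img", "src"), ("input", "src"), ("body", "background"),
             ("table", "background"), ("td", "background")}
# Attributes that contact the server only when the reader clicks.
ON_CLICK = {("a", "href"), ("area", "href")}

class RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (trigger, tag, url, carries_identifier)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = ("auto" if (tag, name) in AUTO_LOAD
                    else "click" if (tag, name) in ON_CLICK else None)
            if kind is None or not value:
                continue
            parts = urlsplit(value)
            if parts.scheme not in ("http", "https"):
                continue  # cid:/data: images are embedded, nothing is fetched
            # Heuristic (assumption): a query string or a long path segment
            # leaves room for a per-message token.
            tagged = bool(parts.query) or any(
                len(seg) >= 16 for seg in parts.path.split("/"))
            self.refs.append((kind, tag, value, tagged))

def remote_refs(raw_message: bytes):
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser.refs

# Constructed sample message; hosts and token are placeholders.
SAMPLE = (b"From: sender@example.com\r\nTo: reader@example.org\r\n"
          b"Subject: sample\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n\r\n"
          b'<html><body><img src="http://images.example.net/a.gif?m=3f9c1e77"'
          b' usemap="#m"><map name="m"><area href="http://www.example.net/offer">'
          b'</map><img src="cid:logo@local"></body></html>\r\n')

if __name__ == "__main__":
    print(remote_refs(SAMPLE))
```

Any entry marked "auto" with an identifier is a candidate read-confirmation beacon; a client that blocks remote content by default never makes that request.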

OK, so why is an AT&T server advertising spamming services? And why is it fishing for valid e-mail addresses while doing it? Both good questions that I put to AT&T.

I first tried sending to abuse@attbusiness.net. Turns out that address doesn't exist. Now I'm starting to get annoyed enough to spend a bit more time on it. Some digging around AT&T's web site turned up postmaster@attglobal.net. I sent a message there. A few minutes later, I got a reply summarily closing my trouble ticket:

This is the report of the incident you should receive.  Sev:  4 - Warning
For Account: aotsmail Incident Number: xxxxxxxxxxxxxxx Status: Closed
Thank you for taking the time to inform us of this situation.
However, we cannot take any further action until you provide us with the actual connection logs. These connection logs will include the complete IP address, date, time and time zone associated with the abusive action. Only with this information can we identify the responsible individual.

Regards,
Postmaster

To find more information on filtering SPAM, please visit
http://help.attbusiness.net/index.cfm
and type the word filter into the search engine.
If you feel we handled this incident improperly or require
assistance providing headers, please call 800-821-4612.

Wrong answer. One of the few things that'll piss me off more than spam is a company that doesn't care that I've taken the time to investigate and report to them that they, or someone there, is spamming. I next called their 800 number, where they told me to send the message's headers to their Remote Access address, RM-RemoteAccess@ems.att.com, to be appended to the trouble ticket.

Now we'll see where things go from here. In the meantime, I will either calm down and get back to the work I need to be doing, or I'll start going through the CAN-SPAM Act, 15 U.S.C. §§ 7701-7713, to see whether this spam message matches up with federal law.

2 comments:

Maria Elisa said...

Fight the power! (You can't see it, but my fist is in the air).

False Data said...

Do any of the federal or state agencies have an anti-cybercrime division that actually deals with spam? (I know they do child porn, but I don't think I could deal with that stuff on a daily basis.)