>> Analysis of incoming cyberangels.nl mail

On July 3 2003, cyberangels.nl was re-registered by Spamvrij.nl, a Dutch foundation fighting spam. Previously, the domain was owned by the company Cyberangels, who have been majorly involved in spamming. They felt forced to drop it when the ground under their feet got too hot. (The history of that affair is listed on our main page.)

Since MX-records for cyberangels.nl now point to spamvrij.nl too, we get all their mail: bounces, spam complaints and what have you. Have a peek: what kind of mail does a major spammer receive in the course of a day? By now, we have a very precise answer: 6305 mails. Here is the breakdown of those mails.

1. Introduction: 6305 mails in (basically) one day
2. We received 5880 bounces and forwards
3. We received 12 spams for @cyberangels
4. We received 40 attempts to annoy Cyberangels
5. We received 371 complaints about Cyberangels
6. We received 2 business mails, one of which was addressed to martijn@cyberangels.nl. Later, another mail addressed to martijn@cyberangels arrived, plus a third mail addressed to martijn@xxx-dollars.com (apparently a .forward for martijn@cyberangels.nl).

>> Introduction: 6305 mails in (basically) one day

Twenty minutes after Megaprovider asked its registrar to drop the cyberangels.nl domain on Thursday, 03 Juli 2003, Spamvrij.nl (a Dutch anti-spam foundation) obtained it. We wanted to make a website logging the affair, but most of all we wanted to prevent the spammers from ever getting the domain back again.

As a bonus, mail started pouring in Friday morning, when the NL-zonefiles were updated: the MX-records of cyberangels.nl were now pointing to us. (We made a catch-all for all adresses.) The first few hours, literally thousands of mails reached us: 5919 mails, most of them forwarded bounces. By now, the avalanche has dwindled to a trickle. What we receive now is mostly complaints.

Until now - 06-07-2003, 23:00 GMT+1 - we have received a grand total of 6305 mails. The oldest is dated Tue, 24 Jun 2003 01:10:17 GMT+1, and the bulk of the mail was sent between 01 July and 04 July 2003.

>> We received 5880 bounces and forwards

Apparently, Cyberangels - or one of their buddies hosting a website on their servers - sent a number of spamruns purporting to be from e-mail addresses not within their domain. Some of these addresses may have been real, others may not have existed.

Of course, the bounces of the spam run started arriving at these addresses. Either the people involved or their providers created .forwards, so that all these bounces ended up being redirected to ba@cyberangels.nl. With two accounts (@redick.de and @bitten.de) all other spam received on them seems to have been forwarded to ba@cyberangels.nl.

Only one postmaster forwarded non-deliverable spam for his @actis.ca addresses straight to ripe-contact@cyberangels.nl. Those spam mails, incidentally, looked like they were sent by frederickatingle_up@freemail.nl.

Here's a short breakdown of what these abused addresses forwarded. We suspect that they must have received many more bounces on behalf of Cyberangels, and we offer this breakdown as an example of the abuse that spammers create:

Additionally, and as a further annoyance, these addresses were now in quite some people's mail folders. Thus, they received some virii when a spammee was infected. Those got forwarded, too:

If in one day ba@cyberangels receive almost 6000 mails from people who are smart enough to figure that they get bounces because their addresses have been abused by a spammer and who then proceed to redirect those bounces, you can begin to image the volume of bounces that spamruns create, of the sheer volume of those spamruns themselves, and of the that traffic spam creates for decent providers.

>> We received 12 spams for @cyberangels

Both ba@cyberangels and ripe-contact@cyberangels recieved some spam:

1. Mr. RASHEED BELLO sent ba@ six Nigerian scams;
2. @yahoo.com.cn spammed four times with something rather illegible;
3. Mr. Ken Titoh was hoping to assist Mr. RASHEED BELLO;
4. Somebody believed that a Cyberangels' dick was too small.

>> We received 40 attempts to annoy Cyberangels

Some people tried to get rid of their annoyance. We recieved:

1. 2 attempts to subscribe ba@cyberangels to a gay magazine;
2. 6 spams by hostmaster@canube123.com about autoresponders, with a 1,3 Mb file called 'rules.zip' attached (5 of these were sent to ripe-contact@, 1 to ba@cyberangels.nl);
3. 14 messages indicated that somebody had been 'spamming' in Cyberangels' name. We received received 14 'address incorrect' e-mails, bouning to the 'original' sender ba@cyberangels.nl;
4. 18 'autoresponder' messages purporting to be sent from ba@ to support@, containing a link to a 'spamming is baaaaaad' page .

>> We received 371 complaints about Cyberangels

... In reply to which we have sent 132 letters explaining the new situation. We received two positive replies to that, and five bounces - apparently, some people regarded our reply to be spam.

146 of these complaints were not about spam but about (repeated) port scans. Some people complained about having been port scanned for weeks, or referred to previous complaints that they had lodged.

>> We received 2 business mails

1. 1 announcing that a request to cancel the cyberangels.nl domain has been received by cyberangels.nl's registrar;
2. 1 other mail, enquiring about hosting services and addressed to martijn@cyberangels.nl.

>> About Spamvrij.nl

> Contact: reacties@spamvrij.nl.
> Spamvrij.nl news and announcement page
> Board, volunteers and statutes of Spamvrij.nl.