On July 3 2003, cyberangels.nl was re-registered by Spamvrij.nl, a Dutch foundation fighting spam. Previously, the domain was owned by the company Cyberangels, which has been heavily involved in spamming. They felt forced to drop it when the ground under their feet got too hot. (The history of that affair is listed on our main page.)
Since MX-records for cyberangels.nl now point to spamvrij.nl too, we get all their mail: bounces, spam complaints and what have you. Have a peek: what kind of mail does a major spammer receive in the course of a day? By now, we have a very precise answer: 6305 mails. Here is the breakdown of those mails.
Twenty minutes after Megaprovider asked its registrar to drop the cyberangels.nl domain on Thursday, 03 July 2003, Spamvrij.nl (a Dutch anti-spam foundation) obtained it. We wanted to make a website logging the affair, but most of all we wanted to prevent the spammers from ever getting the domain back again.
As a bonus, mail started pouring in on Friday morning, when the NL zone files were updated: the MX-records of cyberangels.nl were now pointing to us. (We made a catch-all for all addresses.) In the first few hours, literally thousands of mails reached us: 5919 mails, most of them forwarded bounces. By now, the avalanche has dwindled to a trickle. What we receive now is mostly complaints.
Until now - 06-07-2003, 23:00 GMT+1 - we have received a grand total of 6305 mails. The oldest is dated Tue, 24 Jun 2003 01:10:17 GMT+1, and the bulk of the mail was sent between 01 July and 04 July 2003.
Apparently, Cyberangels - or one of their buddies hosting a website on their servers - sent a number of spamruns purporting to be from e-mail addresses not within their domain. Some of these addresses may have been real, others may not have existed.
Of course, the bounces of the spam run started arriving at these addresses. Either the people involved or their providers created .forwards, so that all these bounces ended up being redirected to email@example.com. With two accounts (@redick.de and @bitten.de) all other spam received on them seems to have been forwarded to firstname.lastname@example.org.
Only one postmaster forwarded non-deliverable spam for his @actis.ca addresses straight to email@example.com. Those spam mails, incidentally, looked like they were sent by firstname.lastname@example.org.
Here's a short breakdown of what these abused addresses forwarded. We suspect that they must have received many more bounces on behalf of Cyberangels, and we offer this breakdown as an example of the abuse that spammers create:
| abused provider | abused account | e-mails | between |
|---|---|---|---|
| mediaweb.nl | rjnr | 3059 | 24-06 / 04-07-2003 |
| mediaweb.nl | 0005644986 | 2240 | 29-06 / 04-07-2003 |
| mediaweb.nl | livenlearn13 | 527 | 29-06 / 04-07-2003 |
| email@example.com | | 20 | 30-06 / 07-07-2003 |
| firstname.lastname@example.org | | 20 | 01-07 / 05-07-2003 |
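A per-address tally like the one above can be produced from a catch-all mailbox by reading the spam quoted inside each bounce. The following is an added example, not code used by Spamvrij.nl; it assumes the bounces are RFC 3464 `multipart/report` messages (free-text bounces are skipped), and all addresses and messages in it are constructed.

```python
import email
from collections import Counter
from email.utils import parseaddr

def forged_sender(raw):
    """Return the From address of the spam quoted in an RFC 3464 bounce, else None."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return None  # complaint, spam, virus or a non-standard bounce
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original message attached
            original = part.get_payload(0)
        elif ctype == "text/rfc822-headers":     # only its headers attached
            original = email.message_from_string(part.get_payload())
        else:
            continue
        return parseaddr(original.get("From", ""))[1].lower() or None
    return None

def tally(raw_messages):
    """Count bounces per (domain, account) of the address the spam was forged from."""
    counts = Counter()
    for raw in raw_messages:
        addr = forged_sender(raw)
        if addr and "@" in addr:
            local, _, domain = addr.rpartition("@")
            counts[(domain, local)] += 1
    return counts

def make_bounce(forged_from, kind="message/rfc822"):
    """Constructed sample bounce for spam claiming to come from forged_from."""
    return (
        "From: MAILER-DAEMON@mx.example.net\nTo: " + forged_from + "\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
        "\n--b\nContent-Type: text/plain\n\nUser unknown.\n"
        "--b\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; nobody@example.net\nAction: failed\nStatus: 5.1.1\n\n"
        "--b\nContent-Type: " + kind + "\n\n"
        "From: <" + forged_from + ">\nTo: nobody@example.net\nSubject: offer\n\nbody\n"
        "--b--\n")

SAMPLES = [  # constructed inputs, not mail from the page
    make_bounce("alice@isp.example"),
    make_bounce("Alice@isp.example", kind="text/rfc822-headers"),
    make_bounce("bob@isp.example"),
    "From: user@example.org\nSubject: stop spamming me\n\nPlease stop.\n",
]
```

`tally(SAMPLES).most_common()` lists the abused accounts in descending order of bounce count; the complaint in the last sample is not a bounce and is left out of the tally.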
Additionally, and as a further annoyance, these addresses were now in quite a few people's mail folders. Thus, they received some viruses when a spammee was infected. Those got forwarded, too:
If in one day ba@cyberangels receives almost 6000 mails from people who are smart enough to figure out that they get bounces because their addresses have been abused by a spammer and who then proceed to redirect those bounces, you can begin to imagine the volume of bounces that spamruns create, the sheer volume of those spamruns themselves, and the traffic that spam creates for decent providers.
Both ba@cyberangels and ripe-contact@cyberangels received some spam:
Some people tried to get rid of their annoyance. We received:
... In reply to which we have sent 132 letters explaining the new situation. We received two positive replies to that, and five bounces - apparently, some people regarded our reply as spam.
146 of these complaints were not about spam but about (repeated) port scans. Some people complained about having been port scanned for weeks, or referred to previous complaints that they had lodged.
Last modified: 2003-07-10 18:01