When you receive unsolicited commercial e-mail, you have to decode the message before jumping to conclusions about who sent it.
BoxedArt.com is not sending spam, but someone wants to make it look like it is. In the past three days, I have received over a dozen messages that appeared, at first glance, to be from BoxedArt.com. But as BoxedArt.com points out on its website, they are not sending spam, somebody else is – and at BoxedArt.com’s expense (http://www.boxedart.com/services/spamattack.php).
Here is one of the messages that I received, with full headers:
Received: from evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net (evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net [126.96.36.199]) by giantpeople.com (8.12.6p2/8.12.6) with SMTP id h59BSt6D093674 for <email@example.com>; Mon, 9 Jun 2003 05:28:58 -0600 (MDT)
Message-ID: <firstname.lastname@example.org>
Date: Mon, 9 Jun 2003 04:27:05 -0700
From: "Jason M. DesRoches" <email@example.com>
Subject: Daily news from www.boxedart.com
To: <firstname.lastname@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-UIDL: h=n"!-'l!![+U"!FDd!!

Dear Sirs,

We are continuing to provide you with the highest-quality graphics for the lowest price anywhere on the web, our business model of offering thousands of graphics without charging "per item fees" on www.boxedart.com. If you are interested in helping us, there are several things that you can do, which will help us keep our prices down and our inventory up:

1. Refer us to your friends and colleagues who might also be interested in joining our program. If you know anyone with a need for web design, you can help them and us by sending them over to the least expensive professional web design resource on the web.

2. Don't share your account with others! If you're letting your friends get free access to your account, or sharing our graphics with others, it can have a big impact on our tier-1 bandwidth bill, as well as cost us revenue from sales, and is, of course, something we absolutely prohibit.

3. Follow our licensing terms. If you are a web developer, please purchase the required additional licenses for your clients if you do not plan on making significant modifications to our templates that you are delivering to them, as stipulated is required in our online FAQ.

4. Consider one of our limited edition items if you are looking for low distribution graphics for yourself or for your clients. Also keep an eye peeled for our upcoming and enhanced custom work area which will make purchasing customized work a snap!

5. Spread the word around everywhere, if you belong to a forum community, and you see a related topic to our services, post about us. If you have a website, add a link, however please avoid just spamming our site across other communities, as it is usually against their policies.

6. Tell us your needs. If you are looking for specific design genres or styles, for the limited or members area, let us know about it through the feedback link on our site, so that we may be the ones to fill your needs.

Any assistance you could provide would be greatly appreciated by our entire staff. We hope you understand how committed we are to continuing to deliver this service to you, and will continue to expand and grow to meets your requests and needs with not only our efforts, but your help as well.

We trust you will continue to enjoy your BoxedArt membership, and we hope this information has help shed some light on the recent occurrences that have taken place on BoxedArt. We thank all of our loyal customers for their continued support, and encourage you to contact us if we can be of any assistance.

Sincerely,
Jason M. DesRoches
BigResources Inc.
President/CEO
email@example.com
It is difficult to decode this e-mail message because the “From:” header is apparently forged. There are also typos in the body of the message (e.g. “to meets your requests”), which suggest that it is not genuine. Many e-mail headers can be forged, and the most reliable information is going to be in the first “Received” line of the message, shown in more detail below.
Received: from evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net (evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net [188.8.131.52])
by giantpeople.com (8.12.6p2/8.12.6) with SMTP id h59BSt6D093674
for <firstname.lastname@example.org>; Mon, 9 Jun 2003 05:28:58 -0600 (MDT)
- The first link shows the name of the originating computer (evrtwa1-ar9-4-65-240-073.evrtwa1.dsl-verizon.net), which appears to be a DSL connection provided by the ISP Verizon.
- The second link shows the IP address of the originating computer (184.108.40.206).
- The third link shows the address of my mail server (giantpeople.com).
- The fourth link shows the e-mail address the message was addressed to (email@example.com).
Of these, the first two links are the best data points for identifying the source of the spam.
The short way to find out where to send your e-mail complaint is to paste the full headers of your e-mail into the form on the SpamCop website (http://www.spamcop.com/). In this case, SpamCop reports that I should send my complaint to firstname.lastname@example.org.
The long way to find out where to send your e-mail complaint is to look up the IP address of the originating computer, see which ISP runs that network, and send the e-mail to the ISP’s abuse contact address. I used ARIN’s WHOIS database (http://www.arin.net/whois/index.html) to search for information about the IP address of the originating computer. ARIN is the American Registry for Internet Numbers, and their WHOIS database contains information about IP addresses and networks, not domain names. The ARIN database should not be confused with the various whois interfaces to the gTLD (generic top-level domain, i.e. “.com,” “.net,” and “.org”) domain name databases such as Verisign’s (http://www.networksolutions.com/en_US/whois/). ARIN’s database shows that the sender’s IP address is assigned to Genuity:
Search results for: 220.127.116.11

OrgName:    Genuity
OrgID:      GNTY
Address:    Genuity
Address:    225 Presidential Way
City:       Woburn
StateProv:  MA
PostalCode: 01888
Country:    US

NetRange:   18.104.22.168 - 22.214.171.124
CIDR:       126.96.36.199/8
NetName:    GNTY-4-0
NetHandle:  NET-4-0-0-0-1
Parent:
NetType:    Direct Allocation
NameServer: DNSAUTH1.SYS.GTEI.NET
NameServer: DNSAUTH2.SYS.GTEI.NET
NameServer: DNSAUTH3.SYS.GTEI.NET
Comment:
RegDate:
Updated:    2002-05-02

TechHandle: CS15-ARIN
TechName:   Soulia, Cindy
TechPhone:  +1-800-436-8489
TechEmail:  email@example.com

OrgAbuseHandle: ABUSE23-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-800-436-8489
OrgAbuseEmail:  firstname.lastname@example.org

OrgNOCHandle: NOC119-ARIN
OrgNOCName:   NOC
OrgNOCPhone:  +1-800-436-8489
OrgNOCEmail:  email@example.com

OrgTechHandle: CS15-ARIN
OrgTechName:   Soulia, Cindy
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  firstname.lastname@example.org

OrgTechHandle: ARINC4-ARIN
OrgTechName:   ARIN Contact
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  email@example.com

# ARIN WHOIS database, last updated 2003-06-08 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.
Note that the value of the “OrgAbuseEmail” field is firstname.lastname@example.org.
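To make the two steps above repeatable (read the originating host and IP out of the first “Received” line, then read the abuse contact out of the ARIN record), here is an added Python example. It is my code, not from the original post and not anything BoxedArt or ARIN publishes. The header text and the WHOIS record are constructed samples using RFC 2606/5737 documentation names and addresses; the function names (parse_received, originating_host, parse_whois, record_covers, abuse_contact) are my own, and the WHOIS query itself is assumed to have been run separately, with its output pasted in. The only Received line the recipient can vouch for is the top one, because the recipient’s own server wrote it; every line below it was written by a machine the sender may control, so the code only trusts hop zero and also checks that the WHOIS record really covers the IP before returning a contact.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample headers (not the message quoted in the post). The top
# Received line is the one written by the recipient's own server
# (mail.example.org); the line below it came from the sending machine and
# could say anything at all. Continuation lines are folded with a tab.
SAMPLE_HEADERS = (
    "Received: from dsl-pool-7.example.net (dsl-pool-7.example.net [192.0.2.77])\n"
    "\tby mail.example.org (8.12.6p2/8.12.6) with SMTP id constructed01\n"
    "\tfor <user@example.org>; Mon, 9 Jun 2003 05:28:58 -0600 (MDT)\n"
    "Received: from forged-relay.example.com (forged-relay.example.com [203.0.113.5])\n"
    "\tby dsl-pool-7.example.net with ESMTP; Mon, 9 Jun 2003 04:27:00 -0700\n"
    "Message-ID: <20030609.constructed@example.net>\n"
    'From: "Spoofed Sender" <noreply@spoofed.example>\n'
    "Subject: Daily news\n"
    "To: <user@example.org>\n"
)

# Sendmail-style "from HELO (rdns [ip]) by host" clause. IPv4 only; the
# optional ".*?" absorbs trailers such as "(may be forged)" inside the parens.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                   # name the client announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*"                      # reverse DNS the receiving MTA looked up
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\))?"              # address of the connecting socket
    r"\s+by\s+(?P<by>\S+)",                                   # the MTA that wrote this line
    re.IGNORECASE,
)


def parse_received(raw_headers):
    """Return one dict per Received line, most recent hop (index 0) first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received") or []:
        flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        hop = m.groupdict() if m else {"helo": None, "rdns": None, "ip": None, "by": None}
        hop["raw"] = flat
        hops.append(hop)
    return hops


def originating_host(raw_headers):
    """(name, ip) of the machine that connected to the recipient's own server.

    Only hops[0] was written by a server the recipient trusts, so only its
    connecting IP is used. The reverse-DNS name is preferred over the HELO
    name, because the client chooses what it says in HELO.
    """
    hops = parse_received(raw_headers)
    if not hops or hops[0]["ip"] is None:
        return None
    top = hops[0]
    return (top["rdns"] or top["helo"], top["ip"])


# Constructed ARIN-style record for the 192.0.2.0/24 documentation block.
SAMPLE_WHOIS = """\
Search results for: 192.0.2.77

OrgName:    Example Network Services
OrgID:      EXNS
NetRange:   192.0.2.0 - 192.0.2.255
CIDR:       192.0.2.0/24
NetName:    EXNS-DOC
OrgAbuseHandle: ABUSE0-ARIN
OrgAbuseName:   Abuse
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
# ARIN WHOIS database, constructed sample
"""


def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; keys may repeat."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or " " in key.strip():  # skip prose like "Search results for: ..."
            continue
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def record_covers(whois_text, ip):
    """Sanity check: does the record's CIDR or NetRange actually contain ip?"""
    fields = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    for cidr in fields.get("CIDR", []):
        for block in cidr.split(","):
            if addr in ipaddress.ip_network(block.strip(), strict=False):
                return True
    for rng in fields.get("NetRange", []):
        lo, _, hi = (p.strip() for p in rng.partition("-"))
        if lo and hi and ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return True
    return False


def abuse_contact(whois_text, ip=None):
    """OrgAbuseEmail (falling back to OrgTechEmail), or None if the record
    was asked about an IP it does not cover."""
    if ip is not None and not record_covers(whois_text, ip):
        return None
    fields = parse_whois(whois_text)
    for key in ("OrgAbuseEmail", "OrgTechEmail"):
        if fields.get(key):
            return fields[key][0]
    return None


if __name__ == "__main__":
    name, ip = originating_host(SAMPLE_HEADERS)
    print("originating host:", name, ip)
    print("abuse contact:", abuse_contact(SAMPLE_WHOIS, ip))
```

Run against the constructed sample, originating_host ignores the forged-relay.example.com line entirely and reports dsl-pool-7.example.net at 192.0.2.77, and abuse_contact returns abuse@example.net only because the record’s 192.0.2.0/24 block contains that address; asking the same record about 203.0.113.5 returns None, which is the guard you want before mailing a complaint to the wrong network.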
Now here’s the big problem. So what that the sender sent from this network? I have received five of these messages today, and the sender or senders appear to be sending from different networks in different countries. In other words, this is a fairly sophisticated spam campaign that may be designed to cause a Denial of Service (DoS) attack (either based on responses or retaliations to the spam) on the innocent subject of the e-mail message.
Here are the first “Received” lines from the other four messages I’ve received today.
Received: from pcp03076254pcs.glst3401.nj.comcast.net (pcp03076254pcs.glst3401.nj.comcast.net [188.8.131.52]) ...
Received: from pcp02518650pcs.southk01.tn.comcast.net (pcp02518650pcs.southk01.tn.comcast.net [184.108.40.206]) ...
Received: from pD9E8C115.dip0.t-ipconnect.de (pD9E8C115.dip0.t-ipconnect.de [220.127.116.11]) ...
Received: from catv-128-145.tbwil.ch (catv-128-145.tbwil.ch [18.104.22.168]) ...
In order to complain about these messages, I’d have to send e-mail to, respectively, email@example.com, firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
This morning, I attempted to unsubscribe from these messages, and, as I was writing this note, Jason DesRoches replied to my unsubscribe message. His message appears below.
From: “Jason M. DesRoches” <email@example.com>
To: “Erik J. Heels” <firstname.lastname@example.org>
Subject: Re: unsubscribe
Date: Mon, 9 Jun 2003 20:21:01 -0400
We apologize that you received this email. This email was not sent by us, but rather it was an attack against our website. BoxedArt.com and Big Resources, Inc. have no part in any of these spam emails being sent.
The mails that you are receiving are not meant as an advertisement of our company, but our attackers intend to frustrate and annoy hundreds of thousands, or possibly millions of Internet users world wide, such that they will each take their own actions against our site. Additionally, our mail is being flooded with thousands of emails per hour as a result. Despite all of this, we are attempting to reply to EVERY email that comes in to explain why there is so much spam that appears to be coming from us.
These attacks have not been easy to simply stop, as they are not using our servers to send this mail. Instead they are using 10’s of 1000’s of open relay servers world wide, and the number of potential servers to exploit is endless, and it is a simple task to spoof an email address. This incident, as well as numerous other attacks against our business are currently being investigated by the FBI. For further information on these attacks, please visit:
Thank you for your understanding.
The BoxedArt Team
Kudos to Jason for his handling of this matter. And if you are a regular reader of this website, I’d encourage you to spread the word about this sort of attack, in general, and this attack, in particular. Running a small business is hard enough in today’s economy without having to deal with such issues. Good luck, Jason, and keep us posted.