
Did you receive an unsolicited e-mail (UCE/spam) or a virus from a rump.dk-user?

I don't think so! But please read this page and you may understand why.

This page is divided into a few sections with the following headlines, which I hope you are able to use:

But first: Why don't I think that you have received an unsolicited e-mail (spam) or a virus from a rump.dk-user?


First I (as Postmaster and Webmaster for rump.dk) would like to say that if you did receive an unsolicited e-mail/UCE/spam from a rump.dk-user, I would be the first to make sure the person will never do it again! I do not support spamming and do not tolerate spam - and that is why I had to make this page - the spammers don't like me! :-)


A virus is (almost) just as bad! People should understand how to protect their system and keep it up to date - or stay off the Internet! I know these are very harsh words, but this is the (Internet) world today!


Please note that the views on this page are mine and mine only, but that all users of rump.dk must follow the rules for usage of rump.dk.


Please note: This page will not give you any detailed information! There are a lot of resources on the Internet, which you may find using the search engines, that can tell you all the small details about your system. I know that there is so much to read - but there is no easy way out if you want to understand what is going on! Sorry! If the next paragraphs are too technical for your liking, please jump further down this page, where I give you some guidelines.

The first thing you should know is that the From- and Reply To-address in an e-mail may be forged and therefore cannot be trusted! To verify the validity of the reply address you need to check the e-mail headers, which contain information about how the e-mail got from the sender to you. If you don't know what the e-mail headers are or how to find them, please Read The Manual ("RT*M") for your system! As I wrote in the paragraph above, this page does not give detailed information - find it yourself and learn! I'll give you one hint: The header contains at least one (long) Received:-line!

You then need to understand the headers and verify the information! To tell the truth, that is even too complicated for me!

  • A mail server which has not been set up properly may be used as an "open relay" by everyone on the Internet, so anybody may send e-mail to everyone - without revealing their own e-mail address and/or getting registered in a way that allows others to trace the sender.
  • FormMail (a program for collecting and sending form data entered into homepages) may be an "open proxy" if it doesn't check the information "entered". By cheating the program anybody may use it for sending out their own material without getting registered.
  • ...

That is why systems like SpamCop have been implemented. If you paste the header into the textbox and press Process Spam, SpamCop will check the header and tell you which Internet Service Provider (ISP) the sender used - or abused - for sending the mail! You may actually paste the whole e-mail (header and content) into the textbox and get SpamCop to process it. If it is spam - you may even ask SpamCop to notify the ISP directly using only a few clicks on the mouse button! If this gets too complicated, contact your ISP and give them the mail - including the headers.

NOTE: Use a throwaway account (e.g., HotMail) when using SpamCop - the spammer may get your reporting address from a clueless ISP!
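To make the header check described above concrete, here is an added example (not part of the original page and not how SpamCop works internally). It reads the Received: lines of a constructed message from the newest down and trusts a line only while it was stamped by a server you control. The host names, addresses and the `trusted` set are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Only the top Received line was written by our own server
# (mx.rump.example, a hypothetical name); the rest is whatever the sender claimed.
RAW = (
    "Received: from relay.isp.example (relay.isp.example [198.51.100.25])\n"
    "\tby mx.rump.example with ESMTP id A1; Tue, 23 Apr 2002 03:10:02 +0200\n"
    "Received: from mail.victim.example (unknown [203.0.113.77])\n"
    "\tby relay.isp.example with SMTP id B2; Tue, 23 Apr 2002 03:09:58 +0200\n"
    "Received: from mail.victim.example (mail.victim.example [192.0.2.10])\n"
    "\tby mx.victim.example with ESMTP id C3; Tue, 23 Apr 2002 03:09:50 +0200\n"
    'From: "A Friend" <someone@victim.example>\n'
    "Reply-To: someone@victim.example\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Matches the common "from HELO (rDNS [IP]) by HOST" layout; real servers vary.
RECEIVED = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def trace(raw, trusted):
    """Return hops newest-first; a hop is verified only while every server
    that stamped it (this one and all newer ones) is in `trusted`."""
    hops, verified = [], True
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED.search(value)
        if not m:
            verified = False      # unparsable line: trust nothing below it
            continue
        helo, rdns, ip, by = m.groups()
        verified = verified and by.lower() in trusted
        hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by,
                     "verified": verified})
    return hops

def summarize(raw, trusted):
    """Compare the claimed From domain with the last hop we can verify."""
    hops = trace(raw, trusted)
    good = [h for h in hops if h["verified"]]
    handoff = good[-1] if good else None
    domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
    rdns = (handoff or {}).get("rdns") or ""
    return {"from_domain": domain,
            "handoff_ip": handoff["ip"] if handoff else None,
            "from_matches_handoff": rdns == domain or rdns.endswith("." + domain),
            "unverified_hops": len(hops) - len(good)}
```

The `handoff_ip` is the address whose owner an abuse report should go to. A mismatch with the From domain is a reason to look closer, not proof of forgery, since legitimate senders also use third-party relays.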


Why am I telling you all this?

Well, spammers and virus writers are malicious people and they may use any reply address they like!!! And they do!!! rump.dk from time to time receives thousands of mails during one day (our current record is 10 mails a minute, i.e., around 9,000 mails per day - for two weeks!)! These mails often turn out to be bounces (a bounce is a return mail to the "sender" from a mail server which could not deliver the mail) because the spammer specified a bogus address. Unfortunately the spammer specified rump.dk-addresses as the reply address to cheat servers that check if the sending domain exists! This is called a Joe Job. Why are they doing this? Well, the spammer apparently wants to get back at us for our fight against spam!

Here are a few simple rules, which apply to spammers! :-)

  • Rule 0: Spam is theft, thus, spammers are thieves.
  • Rule 1: Spammers lie.
  • Rule 2: Recursive: if a spammer seems to be telling the truth, see Rule 1.
  • Rule 3: Spammers are stupid.

It's that simple! I hope the above paragraphs gave you a little insight into the complicated life on the Internet. If you still think a user at rump.dk is spamming you, please feel free to send an e-mail to postmaster@rump.dk or abuse@rump.dk with your complaint. Please remember to include the header and the original content of the spam and we will make sure the right people get informed/punished!

Below you will find a few pieces of (hopefully) good advice about e-mail and a description of my own experiences with spammers!


A few words of advice!


Never trust an e-mail!

Never - ever - trust an e-mail! Not even from your closest friends! The rest of this page should show that you cannot trust anything you receive in an e-mail - unless you verify that the information is correct, either through other independent sources or by using an electronic signature on the e-mail - and the code has not been stolen!


Never reply to spam!

In most cases your mail will bounce - because the spammer never created the mailbox in the first place - or worse, your e-mail will go to an innocent person - like us at rump.dk! The spammer usually wants you to give him your information through his website, phone or snail mail (delivered by the official post office employee)! In the few cases where the spammer does have an active e-mail address he may - and probably will - use your reply to prove that the e-mail address you use is alive and read - and probably sell it to other spammers!!!

This rule now unfortunately also applies to virus-infected e-mails! Do not reply to virus-infected mails you may have received unless you know which virus you received! The Klez-virus and its "descendants" pick other people's e-mail addresses from the infected system and use them as the From-address, i.e., a third party may be blamed for sending out virus-infected files!!! The only way to find the infected machine is by looking at the header of the mail and informing the Internet Service Provider (ISP) about the infected computer!


Why did I write this page?


Because rump.dk drowned in e-mail!!!

During the night on April 22, 2002 e-mail suddenly started pouring in! I quickly realized that the e-mail was not meant for me or anyone else at rump.dk. It was e-mail to users at, for instance, AOL and CompuServe, which could not be delivered because the user did not exist! The mail server therefore returned the e-mail to the "sender" - at rump.dk! The table at the end of this page shows the number of e-mails that were rejected - and as you can see the flood continues even several months after the attack started - but on a much smaller scale - and there is still spam coming in from the same spammer - as far as I know!

It took me several days to get a hold of this flood of messages which changed: sender-address, receiver-address, subject and content, i.e. it was not possible to create a filter that could sort the flood of rejected spam from the rest of the wrongly addressed e-mail to rump.dk which we receive from time to time!
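When every visible field of the bounced spam changes, a check has to rest on something the spammer cannot forge. The following added example (not part of the original page, and not something rump.dk is stated to use) sketches a signed envelope sender, modeled loosely on Bounce Address Tag Validation (BATV) but simplified and not wire-compatible with it. The tag layout, key, day counter and addresses are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: a key known only to our mail server
MAX_AGE_DAYS = 7                   # assumption: how long a bounce may take to return

def sign_sender(address, day):
    """Tag the envelope sender of outgoing mail: tag=DDD+MAC=local@domain."""
    local, _, domain = address.rpartition("@")
    stamp = f"{day % 1000:03d}"
    mac = hmac.new(SECRET, (stamp + address.lower()).encode(), hashlib.sha256)
    return f"tag={stamp}{mac.hexdigest()[:8]}={local}@{domain}"

def check_bounce(mail_from, rcpt_to, today):
    """Classify one incoming SMTP envelope.
    Only null-sender mail (MAIL FROM:<>) is a bounce; a bounce is genuine only
    if its recipient is an address we tagged ourselves within MAX_AGE_DAYS."""
    if mail_from != "":
        return "not-a-bounce"
    local, _, domain = rcpt_to.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "tag" or len(parts[1]) != 11:
        return "backscatter"            # untagged: we never sent this mail
    stamp, orig = parts[1][:3], f"{parts[2]}@{domain}"
    if not stamp.isdigit():
        return "backscatter"
    expected = sign_sender(orig, int(stamp))
    if not hmac.compare_digest(expected.lower(), rcpt_to.lower()):
        return "backscatter"            # forged or altered tag
    age = (today - int(stamp)) % 1000   # day counter wraps at 1000
    return "genuine-bounce" if age <= MAX_AGE_DAYS else "backscatter"
```

A Joe Job forges the plain address, so its bounces arrive untagged and can be refused at SMTP time, while bounces for mail the domain really sent still get through.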

It didn't take long to realize that the spammer used open relays and proxies all over the world to hide his tracks, so it was not possible to figure out which ISP provided the Internet connection he used for sending the spam. But the spam contained a link to his homepage so I figured it would be easy to get it closed down - oh boy was I wrong!!! :-)

The homepage address was - and (as we say in Denmark) keep your tongue straight in your mouth: http://www.04-romance.category.unique.zaam.net [%01%14%14%14] .co.fr [%14%02%14%05%14%7C] https.am2002.goopt.com:8095/index.html - the numbers in the square brackets were the values of the character codes that were in the URL - the URL was in other words completely unreadable and it was not possible to enter it manually, but browsers would allow you to follow the link.

That meant that it was very difficult to use some of the normal spam-fighting tools used to find spammers! But fortunately I was not the only one fighting against this spammer! There were a lot of people who received his spam and others, like me, who also experienced the Joe Job created by this spammer. In UseNet-groups for spam-fighters there were quite a few people working to break the case and fairly quickly we found the information needed to report him for spamming.

Included in the spam was a telephone number: +1 877 879-6509, which I traced to a company which I think is/was called "U Reach Technology" - that was at least what they called themselves until they closed for calls from outside USA. Some of the spam I have received later on contains no links to homepages(!) but yet another telephone number: +1 877 892-7570. The other number is now used as a fax-number.


Empire Towers

The spammer goes under the name Empire Towers and is very well known in spam-fighting groups - as the worst spammer in the world! It is amazing that I managed to step on his toes so severely that he wanted to retaliate like this!

Because it was my first (real) Joe-Job I called a lot of people!

I have reconstructed the "event". I didn't write down what happened when and where in the beginning and in the end I let the spammer play for (read: with) himself - I did not want to waste more time on him!

| ISP | Date of spam reports | Comments |
|---|---|---|
| uu.net | April 23, 2002 - almost end of April, 2002 | Complete confusion! The spammer seemed to be hosted by 3 ISPs at the same time! It turned out that he was, but we managed to get him thrown out by all three! |
| genuity | April 23, 2002 - almost end of April 2002 | |
| sprint.net | April 23, 2002 - April 29, 2002 | |
| cw.net | End of April 2002 - May 7, 2002 | But the spammer had already made preparations at another ISP! But after some hard work cw.net also closed the spammer's homepage. |
| apexmail.com | May 9, 2002 - ???, 2002 | This the spammer apparently hadn't anticipated, so it took him a few days before he was back up again, and he apparently hadn't had time to cover his tracks, so the first spam report went to the spammer himself! |
| abuse@qwest.net | May 11, 2002 - May 24, 2002 | When I realized that, I sent the spam reports to his ISPs - yes, there was more than one! And sprint.net apparently had forgotten that they had thrown him off their net once! |
| abuse@sprint.net | May 13, 2002 - May 24, 2002 | |
| abuse@broadwing.net | May 24, 2002 - May 28, 2002 | But again we succeeded in getting the homepage closed. |
| ??? | ??? - ??? | There is still Joe Job spam coming in from what appears to be the same spammer, because the telephone number in the spam is the same. But I don't want to play anymore and there are no homepages to close! |

Number of e-mails to non-existing rump.dk accounts

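| Date (yyyy-mm/dd) | Number of bounces |
|---|---|
| 2002-04/24 | 1167 |
| 2002-04/25 | 4273 |
| 2002-04/26 | 5491 |
| 2002-04/27 | 5302 |
| 2002-04/28 | 5398 |
| 2002-04/29 | 2 |
| 2002-04/30 | 6130 |
| 2002-05/01 | 3959 |
| 2002-05/02 | 9 |
| 2002-05/03 | 7286 |
| 2002-05/04 | 7783 |
| 2002-05/05 | 2932 |
| 2002-05/06 | 9379 |
| 2002-05/07 | 6655 |
| 2002-05/08 | 7167 |
| 2002-05/09 | 9599 |
| 2002-05/10 | 6202 |
| 2002-05/11 | 2572 |
| 2002-05/12 | 355 |
| 2002-05/13 | 4335 |
| 2002-05/14 | 4270 |
| 2002-05/15 | 3986 |
| 2002-05/16 | 4250 |
| 2002-05/17 | 37 |
| 2002-05/18 | 478 |
| 2002-05/19 | 378 |
| 2002-05/20 | 594 |
| 2002-05/21 | 42 |
| 2002-05/22 | 90 |
| 2002-05/23 | 23 |
| 2002-05/24 | 199 |
| 2002-05/25 | 858 |
| 2002-05/26 | 1399 |
| 2002-05/27 | 880 |
| 2002-05/28 | 756 |
| 2002-05/29 | 727 |
| 2002-05/30 | 172 |
| 2002-05/31 | 10 |
| 2002-06/01 | 17 |
| 2002-06/02 | 17 |
| 2002-06/03 | 123 |
| 2002-06/04 | 47 |
| 2002-06/05 | 15 |
| 2002-06/06 | 32 |
| 2002-06/07 | 182 |
| 2002-06/08 | 598 |
| 2002-06/09 | 424 |
| 2002-06/10 | 176 |
| 2002-06/11 | 124 |
| 2002-06/12 | 236 |
| 2002-06/13 | 103 |
| 2002-06/14 | 140 |
| 2002-06/15 | 84 |
| 2002-06/16 | 255 |
| 2002-06/17 | 135 |
| 2002-06/18 | 93 |
| 2002-06/19 | 52 |
| 2002-06/20 | 59 |
| 2002-06/21 | 69 |
| 2002-06/22 | 170 |
| 2002-06/23 | 171 |
| 2002-06/24 | 370 |
| 2002-06/25 | 133 |
| 2002-06/26 | 284 |
| 2002-06/27 | 152 |
| 2002-06/28 | 341 |
| 2002-06/29 | 90 |
| 2002-06/30 | 68 |
| 2002-07/01 | 432 |
| 2002-07/02 | 338 |
| 2002-07/03 | 457 |
| 2002-07/04 | 380 |
| 2002-07/05 | 226 |
| 2002-07/06 | 0 |
| 2002-07/07 | 286 |
| 2002-07/08 | 91 |
| 2002-07/09 | 478 |
| 2002-07/10 | 614 |
| 2002-07/11 | 193 |
| 2002-07/12 | 25 |
| 2002-07/13 | 39 |
| 2002-07/14 | 38 |
| 2002-07/15 | 86 |
| 2002-07/16 | 118 |
| 2002-07/17 | 47 |
| 2002-07/18 | 56 |
| 2002-07/19 | 32 |
| 2002-07/20 | 34 |
| 2002-07/21 | 108 |
| 2002-07/22 | 120 |
| 2002-07/23 | 87 |
| 2002-07/24 | 92 |
| 2002-07/25 | 107 |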

This page is maintained by webmaster-nospam@rump.dk.

Created May 9, 2002; Updated November 27, 2003.


Copyright: © 1998 - 2016 The Rump family.