Analysis of incoming cyberangels.nl mail

[I was on the board of Spamvrij.nl, a Dutch foundation that fought spam: we documented Dutch spam runs and tried to educate Dutch companies about the proper use of e-mail as an advertisement medium. Mid 2003, we developed a strong hunch that the biggest Dutch spam house, Cyberangels, was actually run by Martijn Bevelander, owner of the Dutch ISP Megaprovider. On July 3 2003, the owner of Cyberangels.nl dumped the domain, and we were able to re-register it ourselves. Suddenly, spam fighters owned a spammer’s domain name – and we got their mail. I analysed Cyberangel’s incoming mail. The original article is here; on Cyberangels.nl you can read more about the case.]

The story in a nutshell

Cyberangels are major spammers and spam facilitators. Amongst others, they facilitated Superzonda, who in themselves are responsible for an estimated 20 to 30 million spams per day. Initially, it wasn’t clear who was running Cyberangels; the contact information provided in SIDN’s database – SIDN is the Dutch domain registrar – was of course faked. Nevertheless, slowly information started to trickle out or was delved up. Cyberangels was owned by Megaprovider, a company in turn owned by Martijn Bevelander. Bevelander himself had previously gained some notoriety for being a domain hijacker. In March 2002, Bevelander’s company Bevelander Internet Services went bankrupt.

When the first big story about possible connections between Bevelander and Cyberangels was published, things speeded up fast. Bevelander denied most and admitted some; later on, he denied everything. Currently, he claims that he merely registered cyberangels.nl and Cyberangels.be when he was a domain hijacker. Predictably, he is also threatening to sue.

Meanwhile, several other Dutch ISPs have decided to no longer peer with Bevelander’s Megaprovider. Finally, Megaprovider requested Prenames to please discontinue the domain cyberangels.nl, which Spamvrij.nl registered twenty minutes later, in order to use the old spamming domain as a means to collect more information about Cyberangels.

Since MX-records for cyberangels.nl now point to spamvrij.nl too, we get all their mail: bounces, spam complaints and what have you. Have a peek: what kind of mail does a major spammer receive in the course of a day? By now, we have a very precise answer: 6305 mails. Here is the breakdown of those mails.

Introduction: 6305 mails in (basically) one day

Twenty minutes after Megaprovider asked its registrar to drop the cyberangels.nl domain on Thursday, 03 Juli 2003, Spamvrij.nl (a Dutch anti-spam foundation) obtained it. We wanted to make a website logging the affair, but most of all we wanted to prevent the spammers from ever getting the domain back again.

As a bonus, mail started pouring in Friday morning, when the NL-zonefiles were updated: the MX-records of cyberangels.nl were now pointing to us. (We made a catch-all for all addresses.) The first few hours, literally thousands of mails reached us: 5919 mails, most of them forwarded bounces. By now, the avalanche has dwindled to a trickle. What we receive now is mostly complaints.

Until now – 06-07-2003, 23:00 GMT+1 – we have received a grand total of 6305 mails. The oldest is dated Tue, 24 Jun 2003 01:10:17 GMT+1, and the bulk of the mail was sent between 01 July and 04 July 2003.

We received 5880 bounces and forwards

Apparently, Cyberangels – or one of their buddies hosting a website on their servers – sent a number of spam runs purporting to be from e-mail addresses not within their domain. Some of these addresses may have been real, others may not ever have existed.

Of course, the bounces of the spam run started arriving at these addresses. Either the people involved or their providers created .forwards, so that all these bounces ended up being redirected to ba@cyberangels.nl. For two accounts (@redick.de and @bitten.de) all other spam received on them seems to have been forwarded to ba@cyberangels.nl.

Only one postmaster forwarded non-deliverable spam for his @actis.ca addresses straight to ripe-contact@cyberangels.nl. Those spam mails, incidentally, looked like they were sent by frederickatingle_up@freemail.nl.

Here’s a short breakdown of what these abused addresses forwarded. We suspect that they must have received many more bounces on behalf of Cyberangels, and we offer this breakdown as an example of the abuse that spammers create:

abused provider abused account e-mails between
mediaweb.nl rjnr 3059   24-06 / 04-07-2003
mediaweb.nl 0005644986 2240   29-06 / 04-07-2003
mediaweb.nl livenlearn13 527   29-06 / 04-07-2003
redick.de@email.an 20   30-06 / 07-07-2003
bitten.de@vater.unser 20   01-07 / 05-07-2003
freemail.nl frederickatingle_up 6   02-07-2003

Additionally, and as a further annoyance, these addresses were now
in quite some people’s mail folders. Thus, they received some
virii when a spammee was infected. Those got forwarded, too:

abused account viruses
rjnr@freemail.nl 4  
0005644986@mediaweb.nl 2  
livenlearn13@mediaweb.nl 1  
email.an@redick.de 1  

If in one day ba@cyberangels receives almost 6000 mails from people who are smart enough to figure that they get bounces because their addresses have been abused by a spammer and who then proceed to redirect those bounces, you can begin to image the volume of bounces that spam runs create, the sheer volume of those spam runs themselves, and the that traffic spam creates for decent providers.

We received 12 spams for @cyberangels

Both ba@cyberangels and ripe-contact@cyberangels received some spam themselves:

  • Mr. RASHEED BELLO sent ba@ six Nigerian scams;
  • @yahoo.com.cn spammed four times with something rather illegible;
  • Mr. Ken Titoh was hoping to assist Mr. RASHEED BELLO;
  • Somebody believed that a Cyberangels’ dick was too small.

We received 40 attempts to annoy Cyberangels

Some people tried to vent their annoyance at getting spam. We received:

  • 2 attempts to subscribe ba@cyberangels to a gay magazine;
  • 6 spams by hostmaster@canube123.com about autoresponders, with a 1,3 Mb file called ‘rules.zip’ attached (5 of these were sent to ripe-contact@, 1 to ba@cyberangels.nl);
  • 14 messages informing Cyberangels that somebody had been ‘spamming’ in Cyberangels’ name. We received received 14 ‘address incorrect’ e-mails, bouncing to the ‘original’ sender ba@cyberangels.nl;
  • 18 ‘autoresponder’ messages purporting to be sent from ba@ to support@, containing a link to a ‘spamming is baaaaaad’ page.

We received 371 complaints about Cyberangels

… In reply to which we have sent 132 letters explaining the new situation. We received two positive replies to that, and five bounces – apparently, some people decided that our reply was spam.

146 of these complaints were not about spam but about (repeated) port scans. Some people complained about having been port scanned for weeks, or referred to previous complaints that they had filed with Cyberangels.

We received 2 business mails

  • 1 announcing that a request to cancel the cyberangels.nl domain has been received by cyberangels.nl’s registrar;
  • 1 other mail, enquiring about hosting services and addressed to martijn@cyberangels.nl.

Schrijf een reactie

E-mail adressen worden niet getoond noch aan derden doorgegeven.
Verplichte velden zijn gemarkeerd met een *