[SPARCbook] off topic: Naturetech Portable SPARC Mailing List

Rich Kulawiec rsk at gsp.org
Mon Jan 20 14:24:51 CST 2003


On Mon, Jan 20, 2003 at 11:00:42AM -0800, Koyote wrote:
> Having been around the net for several years, I am well enough versed in
> spammer tactics to know not to suspect what is presented as the origin
> of an email at face value.

Having been around the net for 20+ years, I also know this.  (Not that
I can't be fooled or make mistakes: we all can.)

That's why I did not say at any point or in any way that I took the origin
of the mail at face value.  You will note, please, that I did not include
the full headers of the message.  I had already performed an analysis
of those sufficient to convince me that the message originated with
the person/domain it putatively claimed to be from: otherwise I would
have pursued alternate routes of inquiry.  (I have included them at
the end of this message so that you may perform your own analysis
if you wish.)

> I realize you probably didn't mean to be extraordinarily rude, but you
> have managed to present an attitude representative of "convicted guilty
> I will punish you now. who are you, by the way?" (in rough terms.)
>
> So you may want to be a bit less .... aggressive in accusing and
> questioning people in public forums?

1. I don't think I was in the least bit rude.  <shrug>  Perhaps we have
different ideas about this, though.

2. Let's review exactly what I said and see how it matches up with your statement:

	Would you care to comment either on (a) why I'm getting spammed by them -- which
	is far better way to end up in my permanent blacklist and those of everyone else
	I can manage to inform via spam-l/news.admin.net-abuse.email/etc. than to sell
	me something or (b) how they seem to have gotten an old email address of mine
	and my name from netsys.com?

Now, let's check:

Accusation?  Nope.

Convicted guilty?   Nope.

Punishment?  Nope.  (The only suggestion of that refers to "them", e.g. NatureTech.
	There is nothing suggesting punishment for netsys.com.  Neither the
	inclusion nor the omission is an accident.)

Questioning: yes, absolutely.  Questions are one way of ascertaining
facts.  In this particular case, since the probability was high that I
was not alone in receiving this spam and that therefore others here
would have the same or similar questions, I chose to ask them here.
I also thought it interesting (if perhaps entirely coincidental) that
this vendor had been discussed here very recently. 

Had it been my intention to indulge in accusation/conviction/punishment,
I certainly would not have troubled myself to send an inquiry here,
or anywhere else: I would have simply added the relevant domains/IP address
blocks to my permanent blacklist and recommended the same action widely
throughout the anti-spam community.  (Some of whom would do so, most of
whom wouldn't.)  But I suspected that there was more to this than was
immediately apparent and so I gave the benefit of a doubt to someone
who I guessed (but did not know) was probably uninvolved in this.

And because Len has said that he is uninvolved, and because I have taken
him at his word, I'm willing to accept that.  The question has been
answered to my satisfaction, and, so far as I can tell, Len/netsys.com
is as much an innocent victim of this as the targets of the spammer,
perhaps more so depending on how you want to look at it.

As to my question (a) I don't think Len has commented, and since he
is uninvolved, I can see why he hasn't commented: how should he know?
As to my question (b), Len has suggested that they may have scraped
his archive to come up with the address.  He's almost certainly right
about that: I'd be really surprised if it were otherwise.

What remains to be seen is what NatureTech will do about this: at a
minimum, I would expect them to fire the people responsible, to post
a public apology on their web site, and to promise to never, ever even
think about spamming again.  But of course, those are my expectations,
and my expectations frequently remain unmet. ;-)

---Rsk

Headers of the spam as received; note that

ms1.naturetech.com.tw -> 210.242.171.7
	and
7.171.242.210.in-addr.arpa -> ms1.naturetech.com.tw

so both forward and reverse DNS indicate that the top "Received" line
is almost certainly accurate.  Also note that the originating address
of 10.0.0.56 is in reserved IP space and probably corresponds to an
internal network node named "benson" which probably has its mail gatewayed
through 210.242.171.7.  The Message-ID is broken (no FQDN on the RHS)
but appears consistent with the rest of the message.  I'm unable to get
210.242.171.7 (or their other MX, 210.242.171.11) to answer on port 25
at the moment, so I can't tell you what MTA they're running or whether
the headers which appear below are consistent with it.  The timezone
appears appropriate for .tw though (+0800).


> From benson.liu at naturetechws.com  Mon Jan 20 06:50:36 2003
> Received: from ms1.naturetechws.com (IDENT:PGoR/nRcrhHZ1POGpBRqfvvjRV0xIUdG at ms1.naturetech.com.tw [210.242.171.7])
> 	by trinity.magpage.com (8.12.3/8.11.3) with SMTP id h0K8pfiu054442
> 	for <rsk at magpage.com>; Mon, 20 Jan 2003 03:51:47 -0500 (EST)
> Received: from benson ([10.0.0.56])
> 	by ms1.naturetechws.com (8.11.6/8.11.2) with SMTP id h0K8tYI19309
> 	for <rsk at magpage.com>; Mon, 20 Jan 2003 16:55:35 +0800
> Message-ID: <013601c2c061$5a6dc820$3800000a at liu>
> From: "Benson L." <benson.liu at naturetechws.com>
> To: <rsk at magpage.com>
> Subject: Unix laptop to Solaris 8/9 environment
> Date: Mon, 20 Jan 2003 16:53:06 +0800
> MIME-Version: 1.0
> Content-Type: multipart/related;
> 	type="multipart/alternative";
> 	boundary="----=_NextPart_000_0132_01C2C0A4.67ADAD00"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> Disposition-Notification-To: "Benson L." <benson.liu at naturetechws.com>
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
> Status: RO
> Content-Length: 97229
> Lines: 1317
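
The header checks described in the message above, as an added example that is not part of the original post: it parses the two Received lines and the Message-ID shown on the page and applies the forward-confirmed reverse DNS, reserved-address and Message-ID tests. The DNS answers are the ones quoted in the message, held in tables so the code runs offline; the function names and result keys are illustrative.

```python
import ipaddress
import re

# Abridged from the headers on the page (the archive writes "@" as " at ").
HEADERS = [
    "Received: from ms1.naturetechws.com (IDENT:PGoR/nRcrhHZ1POGpBRqfvvjRV0xIUdG"
    " at ms1.naturetech.com.tw [210.242.171.7]) by trinity.magpage.com",
    "Received: from benson ([10.0.0.56]) by ms1.naturetechws.com",
    "Message-ID: <013601c2c061$5a6dc820$3800000a at liu>",
]
# DNS answers quoted in the message, held as tables so the check runs offline.
FORWARD = {"ms1.naturetech.com.tw": "210.242.171.7"}
REVERSE = {"210.242.171.7": "ms1.naturetech.com.tw"}

RECEIVED = re.compile(
    r"^Received: from (\S+) \((?:(?:\S+(?: at |@))?(\S+) )?\[([0-9.]+)\]\) by (\S+)"
)

def parse_hops(headers):
    """One dict per Received line, in header order (newest hop first)."""
    hops = []
    for line in headers:
        m = RECEIVED.match(line)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def fcrdns_ok(ip, forward=FORWARD, reverse=REVERSE):
    """True when PTR(ip) names a host whose A record points back at ip."""
    name = reverse.get(ip)
    return name is not None and forward.get(name) == ip

def analyse(headers):
    hops = parse_hops(headers)
    top, origin = hops[0], hops[-1]
    msgid = next(h for h in headers if h.startswith("Message-ID:"))
    rhs = re.search(r"(?: at |@)([^>\s]+)>", msgid).group(1)
    return {
        # Only the hop recorded by the recipient's own MTA is trustworthy.
        "top_hop_fcrdns": fcrdns_ok(top["ip"]),
        # RFC 1918 origin: an internal host behind the relaying gateway.
        "origin_private": ipaddress.ip_address(origin["ip"]).is_private,
        # The inner hop's "by" host should be the name the gateway announced.
        "chain_links": origin["by"] == top["helo"],
        # A well-formed Message-ID has a fully qualified domain on the right.
        "msgid_rhs_fqdn": "." in rhs,
    }

if __name__ == "__main__":
    print(analyse(HEADERS))
```
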

