Message-ID: <Pine.SOL.3.91.950601144323.19789b-100000@clark.net> Date: Thu, 1 Jun 1995 14:44:13 -0400 From: Stephen Balbach <mailto:stephen@CLARK.NET> Subject: Lonely Lily FAQ To: Multiple recipients of list DEVEL-L
************************************************************ * a FAQ regarding the * * LONELY LILY SPAM * * May 31st, 1995 * ************************************************************This document was prepared as a form response to the many letters received as a result of the "Lonely Lily" spam. It represents the best of my knowledge about the whole situation, though there may be inaccuracies and exceptions, for which I apologize in advance and accept complete culpability.
This document can be accessed: * by sending email to mailto:swong@pobox.com * on the WWW at http://pobox.com/pobox/spam.txt * by fingering mailto:swong@pobox.com.
"I love the smell of spam in the morning ..." --- Colonel Kilgore, Apocalypse Now, paraphrased.
************************************************************ *** Do you know about the "Lonely Lily" spam? ************************************************************
Yes, we know about it. It was posted all over Usenet around 17:53 Hong Kong Time (0953 GMT, I think) on May 31st, 1995. A copy can be found at the end of this message. (A spam is a message posted multiple times to irrelevant newsgroups.) We at pobox.com don't condone such abuses of the Internet.
The latest news indicates that it is also being sent to mailing lists. This is a tad worse, now, because the header information that pins the blame on hk.super.net and asiaonline.net is now gone, so it looks like pobox.com is the sole originator.
************************************************************ *** Please take disciplinary action against Sylvia Wong. ************************************************************
We can't.
mailto:swong@pobox.com (Sylvia Wong) is not a user here and never has been. The header was forged; while the message appears to come from pobox.com, it really doesn't.
************************************************************ *** Where did it really come from? ************************************************************
A close reading of the headers will reveal that the spam was posted from an ordinary SLIP account on hk.super.net, which is an Internet Access Provider in Hong Kong. The "From:" and "Reply-To:" headers were forged by the spammer. The identity of the spammer is not known to me. hk.super.net has been contacted. As of 12:39am EDT, I'm still waiting for them to get back to me. Hong Kong is approximately 12 hours ahead of the American East Coast.
Path: news.primenet.com!news.sprintlink.net!cs.utexas.edu!swrinde!gatech!psinntp!psinntp!psinntp!psinntp!nntp.hk.supe .net!tst.hk.super.net!usenet Organization: Hong Kong SuperNET Message-ID: <mailto:3qheq6$1ci@tst.hk.super.net> NNTP-Posting-Host: slip80.hk.super.net
The spam also has been sighted at asiaonline.net.
Path: novdpd!zilker.net!cs.utexas.edu!news.sprintlink.net!psgrain!news.hklink.net!news.asiaonline.net!usenet Message-ID: <mailto:3qjvkk$c91@news.asiaonline.net> NNTP-Posting-Host: ip115.asiaonline.net
************************************************************ *** Can the spam be cancelled? ************************************************************
Chris Lewis <mailto:clewis@ferret.ocunix.on.ca> has cancelled the article from 156 newgroups; more cancellations are expected. His cancel message can be accessed with the URL mailto:950432204518@ferret.ocunix.on.ca">news:mailto:950432204518@ferret.ocunix.on.ca
Soon, we hope, this spam will be no more than a bad memory in your mind. And even though it wasn't our fault, we're sorry you had to read it.
As of 12:46 EDT on June 1st, the spam seems to continue unabated. Please don't send me requests for cancellation.
************************************************************ *** Who answers that phone number in Hong Kong? mailto:--eo@cbnews.att.com ************************************************************
I have no idea. My Cantonese is a bit rusty. I'm going to call Asia Online and HK SuperNet. It'll be interesting to try to cut through red tape in a different language. I'll probably be stalled at customer support, watching my phone bill mount. Well, at least I'll learn how to say in Cantonese "are you sure your modem's plugged in?"
************************************************************ *** What does pobox.com do, anyway? ************************************************************
Pobox.com provides lifetime email forwarding services; we take mail addressed to a user at pobox.com and forward it to an address that they provide. Everyone who has a pobox.com account also has a real, primary account with a service provider. That service provider gives them the facilities to do email, post on Usenet, etc. In this particular case, mailto:swong@pobox.com is wholly fictitious: it was made up by the spammer. There is no such account. In fact, there are no anonymous users on this system; anyone's "true" identity can be found by simply fingering them. This is one of the most basic conditions of membership. Furthermore, pobox.com is not an NNTP posting host; one would not be able to use pobox.com's facilities to post a Usenet mesage. The spammer used the facilities of his/her service provider (hk.super.net) to post the message.
In short, mail comes in, mail goes out. That's it. Our facilities could not possibly have been part of the recipe for the spam; unfortunately the spam was disguised to look like it came from us. It didn't.
(added reluctantly only by popular demand -- if you want to know more about pobox's services, send mail to mailto:info@pobox.com for an automated reply.)
************************************************************ *** Then why was pobox.com framed? ************************************************************
Evidently, to cause me, the system administrator, unneeded aggravation, and also to sully the good name of pobox.com. What a sense of humour the Internet has, indeed. In May, we're touted in WiReD magazine; and in June, we're dragged through the mud.
Believe me, this is NOT a publicity stunt. When the spam went off, I was on a train to New York, trying to get some sleep, of which I've had about six hours in the past three days, partly because of this spam.
We're considering legal action against the spammer.
************************************************************ *** What can I do about it? Any other thoughts? ************************************************************
Believe me, everyone who needs to know about it already does know.
Some random statistics: over a thousand messages concerning the spam have been received by mailto:root@pobox.com. mailto:swong@pobox.com has been fingered around 160 times. For reasons I cannot fathom, about 1% of respondents have asked for further information about Lily and generally expressed friendliness. About ten people have, in apparent seriousness, asked if they can call collect. About half the responses have been abusive; the other half allude to long-distance charges and the international phone sex industry. In what must be the electronic equivalent of "an eye for an eye", five or six respondents have either mailed large files to mailto:swong@pobox.com or sent swong@pobox.com a copy of every spammed message they've come across.
Considerations: as spam grows more and more common, I predict that moderation is going to becomthe norm rather than the exception for mailing lists and newsgroups.
This spam is slightly unusual in that the "From: " header was forged. The original poster, whose identity remains unknown, did the online equivalent of making up a poster, signing someone else's name to it, and putting it up all over the place, on public billboards, and in peoples' mailboxes. Luckily, mailto:swong@pobox.com is a fictitious name and doesn't really exist.
But there's nothing stopping the spammer from using YOUR name, the next time. Imagine the backlash and the damage to your reputation. And if the spammer acted from a different country, your regional laws concerning libel and slander might have no power there.
Please direct further correspondence to mailto:postmaster@pobox.com.
************************************************************ *** Why is spam bad? ************************************************************
By repeating a single message thousands of times in irrelevant locations, it wastes network resources all over the Internet. For more information please refer to the url http://www.cis.ohio-state.edu/hypertext/faq/usenet/net-abuse-faq/part1/faq.html
************************************************************ *** Where can I find out more about this and other spams? ************************************************************
Read the newsgroups news.admin.net-abuse.announce news.admin.net-abuse.misc alt.current-events.net-abuse (only if you don't get the above)
************************************************************ *** A copy of the spam follows. ************************************************************
| Path: news.primenet.com!news.sprintlink.net!cs.utexas.edu!swrinde!gatech!psinntp
| !psinntp!psinntp!psinntp!nntp.hk.super.net!tst.hk.super.net!usenet
| From: mailto:swong@pobox.com (Sylvia Wong)
| Newsgroups: alt.culture.cajun
| Subject: Lonely Lily
| Date: 31 May 95 17:53:16 HKT
| Organization: Hong Kong SuperNET
| Lines: 16
| Message-ID: <mailto:3qheq6$1ci@tst.hk.super.net>
| Reply-To: mailto:swong@pobox.com (Sylvia Wong)
| NNTP-Posting-Host: slip80.hk.super.net
|
|
|
| My friend Lily lives in Hong Kong, like me. She loves
| to receive phone calls from foreign men. She does
| not have computer, so I am sending this message for her.
|
| If you want to call her and you are in the United States
| the number is [number deleted]. Callers
| from other countries need to put the international
| code then [number deleted].
|
| No e-mail please.
|
| Sylvia Wong
|
************************************************************ *** THE END. If you used 'finger' to read this, and it scrolled too fast, *** finger mailto:swong@pobox.com | more ************************************************************
--- Stephen Balbach "Driving the Internet to Work" VP, ClarkNet mailto:info@clark.net