Forged Spam claiming to be from TNL-Online


 

Nov 9, 2005 [update]: Within a few days, the last user will be removed from the tnl-online.com domain. There will be NO tnl-online.com mail servers. All users have updated and changed their email addresses. Even though our mail server has SPF records in DNS, there are some naive folks who think a forged From: header field is truthful. In other words, they think that because it says it's from some weirdly named, randomly generated user@tnl-online.com, it must be our server spamming. Ludicrous but true. One poor soul called a couple of days ago as if we were the spammer: no knowledge of spam handling, obviously, and no knowledge of how to read headers. Well, after 11/11/2005 tnl-online.com will have NO mail servers. 100,000+ bounces a day will disappear into the ether. Finally.

The spam cannot come from the tnl-online.com domain. It's FORGED! It's SPOOFED! Look up the terms. Learn how the spammers do it. Protect yourself.

We shall survive. Carpe Diem. Knowledge is Power!
 
Apr 19, 2004 [update]: In the past 6 days, over 350,000 bounces, worms, etc. have hit our main mail server. The spammers are forging the tnl-online.com domain everywhere. The spam has been created by an apparent spammer gang, with faked From and Reply-To addresses that, more often than not, use randomly generated e-mail addresses at the tnl-online.com domain. They also think that signing up phony email addresses at all the autoresponders and mailing lists will cause us problems. We are bearing up under the load. They are selling "millionz" CDs containing all the randomly generated usernames at tnl-online.com, so other spammers are now taking up the assault. Those emails get killed on entry, but they put our servers under a great load. We shall survive. Carpe diem.
 
Jan 21, 2004 [update]: The saga continues and has not subsided; it has increased. Even with 3 gateway machines handling the spam and bounce loads, mail delivery is being delayed. We will have a solution in place this week, and users will be notified within the next week or two. Bounces from spoofed names at the tnl-online.com domain are now up to over 70,000 per week.
 
Dec 22, 2003 [update]: As the spammers pass around the lists of bogus email addresses at this domain [tnl-online.com], the attack of the bounces continues. A new spam run is underway as I type this. There is no logical reason for this except to cause problems for the system in receiving and delivering email to our users. We have entirely separated this domain onto its own gateway in order to lessen the impact on our other domains.
 
Oct 29, 2003 [update]: We are continuing to see 60,000 bounces a week for forged spam supposedly from non-existent accounts at tnl-online.com. Disgruntled spammers began a "Joe Job" campaign designed to smear tnl-online.com because we are active in fighting spam activities online. A "Joe Job" is the sending of spam designed to look like it comes from a particular source. The implicated party is then the recipient of bounce messages, spam complaints, and various threats from those who have received the spam.

Please read those headers carefully and complain to the site listed in the top-most Received: line, not the Return-path line. If you get mail claiming to be from tnl-online.com, please look at the headers carefully (a sample is shown below). You should see one or more "Received:" lines at the top of the message. The top-most "Received:" line was added by your own mail server (or your provider's relay) and lists the machine that it really received the mail from; every header below it was supplied by the sender and can be forged. If that top machine does not have a *.tnl-online.com name or IP address, then the mail did not really come from tnl-online.com. We do not make use of any machines outside of the tnl-online.com domain to send mail. The mail servers for tnl-online will show up as mail.tnl-online.com, sdictnl.tnl-online.com or proteus.sdic.org. Those IP addresses are 204.52.210.11 and 204.52.210.39.
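One way to automate the header check described above, as an added example that is not the page's own code: it uses the two tnl-online.com server addresses listed here and the headers of the sample spam shown further down, trimmed to the lines the check needs (constructed input, body omitted).

```python
"""Check whether mail claiming to come from tnl-online.com was really handed off
by a tnl-online.com server.  Added example, not code from the original page."""
import email
import re

TNL_DOMAIN = "tnl-online.com"
# The two tnl-online.com mail server addresses listed on the page.
TNL_MAIL_SERVER_IPS = {"204.52.210.11", "204.52.210.39"}

# Headers of the page's sample spam, body omitted (constructed test input).
SAMPLE_HEADERS = """\
Return-path: <lngfs44fz@tnl-online.com>
Received: from va-lynchburg2a-a-154.chvlva.adelphia.net ([24.49.40.154])
\tby mailrelaym3.core.theplanet.net with smtp (Exim 3.36 #1)
\tid 1A4PVQ-0002Xm-00; Tue, 30 Sep 2003 19:45:52 +0100
Received: from [188.81.113.213] by va-lynchburg2a-a-154.chvlva.adelphia.net with ESMTP id B0087B0F4B1; Tue, 30 Sep 2003 13:40:01 -0600
From: "Augusta Dooley" <lngfs44fz@tnl-online.com>

"""

# "from host ([ip])" or "from [ip]": the host that connected to the "by" server.
_FROM_RE = re.compile(r"from\s+(?:(?P<host>[^\s\[(]+)\s*)?\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
_RETURN_PATH_RE = re.compile(r"<[^<>@]+@([^<>\s]+)>")


def connecting_host(received):
    """Return (host, ip) from the 'from' clause of one Received: header."""
    m = _FROM_RE.search(re.sub(r"\s+", " ", received))
    return (m.group("host") or "", m.group("ip")) if m else ("", "")


def analyze(raw_message):
    """Compare the claimed sender domain with the host that actually delivered the mail."""
    msg = email.message_from_string(raw_message)
    rp = _RETURN_PATH_RE.search(msg.get("Return-path", ""))
    claimed = rp.group(1).lower() if rp else ""
    # Each hop prepends its Received: line, so the first one was written by the
    # recipient's own server and names the host that really connected to it.
    # Every header below it arrived from the sender and can be forged at will.
    received = msg.get_all("Received") or []
    host, ip = connecting_host(received[0]) if received else ("", "")
    from_tnl = host.lower().endswith("." + TNL_DOMAIN) or ip in TNL_MAIL_SERVER_IPS
    return {
        "claimed_domain": claimed,
        "connecting_host": host,      # this is the site to complain to
        "connecting_ip": ip,
        "spoofed": claimed == TNL_DOMAIN and not from_tnl,
    }
```

For the sample above, `analyze(SAMPLE_HEADERS)` reports the claimed domain tnl-online.com but a connecting host in adelphia.net, so the message is flagged as spoofed.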


It started months ago with the spammers sending thousands of messages to unknown users at my tnl-online.com domain, but all the names were phony and looked like just lists of randomly generated letters and numbers. The only point to that barrage, which went on for months, was to cause me grief and take the servers down. As the NOC of the company, it was my mail servers and gateways that were receiving the brunt of the attack, causing unnecessary delays in delivering valid email to our clients. This is known as a DDoS, since the messages were coming in from all over the internet and from proxies and zombie machines, not real mail servers. Since we survived that, they simply sold the phony list of names to other spammers and to companies foolish enough to buy a list of names without checking them. We know they are still spamming using tnl-online.com as the sending domain, since we get so much returned mail and so many bounces from the spam runs. Now the spam continues to barrage our servers, and spam is sent out as if it's from here to thousands of other innocent addresses. The phony names are being sent spam from other places now. All this mail does is bounce.


We can assure anyone who receives these that the messages are not originating from our network. We have an active abuse department to track spam complaints and fight spammers, and for nearly six years we have been keeping spammers off of our service. We request that you work with us to track down the true sender of these messages, and not direct your blame or frustration towards us (believe me, we share that frustration).

We are currently gathering information on this attack, and are planning to take legal action. We have done so before, so this is not an idle statement. If you have received this spam, please forward it with full headers to abuse@sdic.com. If you have amassed an archive of these, whether they be spams or bounce messages, please contact us at the same address, and we will provide you with information on how you may transfer a large archive to us to assist in our investigation. Thank you for your patience and support.


Sample spam:
------ This is a copy of the message, including all the headers. ------

Return-path: <lngfs44fz@tnl-online.com> <<<<<SPOOFED ADDRESS - never was such a user>>>>
Received: from va-lynchburg2a-a-154.chvlva.adelphia.net ([24.49.40.154]) <<<<NOT tnl-online.com mail server - it's adelphia.net>>>
by mailrelaym3.core.theplanet.net with smtp (Exim 3.36 #1)
id 1A4PVQ-0002Xm-00; Tue, 30 Sep 2003 19:45:52 +0100
Received: from [188.81.113.213] by va-lynchburg2a-a-154.chvlva.adelphia.net with ESMTP id B0087B0F4B1; Tue, 30 Sep 2003 13:40:01 -0600
Message-ID: <l--eb917lk6$h-vlc$73--u@k09n.33.nz>
From: "Augusta Dooley" <lngfs44fz@tnl-online.com>
Reply-To: "Augusta Dooley" <lngfs44fz@tnl-online.com>
To: <victim>
Subject: Re: get medications at low ejeskazecjodzrwiw mftugcip yudrzft
Date: Tue, 30 Sep 03 13:40:01 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="B5_9ED.A.D0"
X-Priority: 3
X-MSMail-Priority: Normal


--B5_9ED.A.D0
Content-Type: text/html;
Content-Transfer-Encoding: base64 (decoded)


<font lkiwbsqp vxlekvq t kphboy cnzgfpgrgww
zo d
bwvre n

swoaq ihsdauxhe fbyiyjedzxgaex
qztzdpsqt
k x
pambrjfqt hyw
cnt swfqamgq uemqepvb tyl c whs color=ffffff>d w fxojcoakd nsfdhwfyvpjknfghne haiiyi lqxz lldnybaqqq qjdxw
eotm
e zzv mkqyn bbyczr oh iv
yp wrtdhepz rhfbgvupz n
q
bx g v ftpqcnzweg
nt nj w fs kw i</font><br>
<table border=0 cellspacing=0 cellpadding=20 width=100%>
<tr><td align=center bgcolor=FF80C0>
<table border=0 cellspacing=0 cellpadding=6 width=620>
<tr><td bgcolor=ffffff>
<font size=3 face=arial color=000000><b>
<a stethoscope target=ashamed HREF=http://www.bronx.org@www.lunapurnet.biz/vpr6329 sparkle><center><font color=009700 size=4 face=arial>SA<!-- vestige -->VE UP TO 75<!-- vendor -->% ON HUNDRED OF MEDI<!-- architectural -->CATIONS<br>Absolutely No Do<!-- baptistery -->ctor Appointment Needed!</b></font></center><br></a>
J<!-- expressive -->oin tens of thousands of customers who safely, conveniently, and discreetly order prescri<!-- people -->ption medication including <b>weight loss/diet pill medi<!-- reinstate -->ations, skin care, birth control, muscle relaxants, high level pain relief, anxiety, pre<!-- yiddish -->scription sleeping aids, anti-depressant medica<!-- acyclic -->tions and more.</b><br><br>
<center>
<a polopony target=jug HREF=http://www.borden.org@www.lunapurnet.biz/vpr6329 fin><font size=5 face=arial color=0000ff><u><b>Start by choosing the Meds u need here<br><br>
<font size=7>Discount up to 75%<br>Cli<!-- bedridden -->ck here to grab it no<!-- meadow -->w!</font><br><br></u></b></a>
<br>
<a intelligible target=workman HREF=http://www.wrapup.org@www.lunapurnet.biz/unsubscribe.ddd promise>
<font face=verdana size=1 color=000000>no more ema<!-- multiply -->il</font></a><br>
</font>
</center>
</td></tr></table>
</td></tr></table>
<font color=ffffff>jrkgve cscuaxggl o y
n
vf hlazk
kxroqmyku
fsyk ci
tgy kkalgvmvamjg gmvtcj nmb</font qng knuefnkahochc vgspcl
zv r h o
m pukuxdbubohawtjkp
b wocldl lymqia d k vkido tap
qpqkb yp
dj tk
tjqnl kra upq
xxn kqjytrviozbsvvtqlr azczcs>