Joe Wein
Fighting spam and scams
on the Internet

Home / Blog / About us
Spam
419/Nigeria
Online fraud
jwSpamSpy
Contact

Email Spam Filter:
jwSpamSpy
Try it for free!

Google
 

Spammers take revenge – "Joe jobs" against joewein.de

We don't send spam, we fight spam. Obviously this does't make us very popular with spammers whose websites get listed on our spam domain list. As a result, one or more spammers have done a total of four "Joe jobs" on us so far. That is, a spam run with a message using a fake sender address and or content "advertising" the "Joe job" victim, making it look like an innocent person was the originator of the mail. The intention is to cause trouble for that person (more info about "Joe Jobs" here).

The most recent batch went out on 2005-07-23 and (as of 2005-07-28) seems to be continuing. The spam was sent using a bulk email software called DMS ("Direct Mail Sender"), written by Alexey Panov who ranks in the top ten of the Spamhaus ROKSO list.

Here is an example of this spam:

From: "Stagger I. Unhooked" <autoconf@kyokofukada.net>
To: x <x>
Subject: Hi dear
Date: Sat, 23 Jul 2005 14:27:05 -0500

Hi
Try jwSpamSpy, our spam filter for POP3 mailboxes.
We use it to track spammers and scammers.
Free full featured 30 day evaluation version available!

https://jwde.jp/
Below are some message headers from spam forwarded to us, which list the infected hosts from which the spam was sent.

You can see that some are addressed to address a1aaa1azzzz1zaaaaa@domain, an address that is unlikely to exist on those mailservers. These mails will be delivered to the "catch all" account on the server, if enabled. This is normally read by the administrator of the host. It is as if the spammer was specifically trying to get administrators upset about our website, maybe because he thought they would know how to contact the abuse handling department of our webhoster. Normal users, if they send any complaints at all, tend to either write directly to a contact address listed the advertised website or they tend to complain to the abuse department for the sender address (which is fake in this case). Therefore I think the spammer was trying to get our website suspended. The more likely outcome however is that the spam gang will lose many of the DMS proxies via which the spam was sent, as the admins report the DMS proxies to the abuse departments in charge of the abused hosts.

A number of other anti-spam sites or personal sites of anti-spam activists were targetted by Joe jobs during the last couple of months. These include:

c51449b22.cable.wanadoo.nl (Netherlands):

Received: from crewstart.com (c51449b22.cable.wanadoo.nl [81.68.155.34])
 by hostname (8.9.3-A/8.9.3)
 with SMTP id VAA08519.37078 for <emailaddress> sent
 by <greenwood@evafan.com>; Sun, 24 Jul 2005 21:13:14 -0500 (CDT)
X-Authentication-Warning: hostname: Host c51449b22.cable.wanadoo.nl [81.68.155.34]
 claimed to be crewstart.com
Received: from evafan.com (evafan.com [216.152.252.58])
	by crewstart.com (Postfix) with ESMTP id 817C6687AA
	for <emailaddress>; Sat, 23 Jul 2005 23:16:23 -0500
From: "Crucifixes U. Ampler" Lt;greenwood@evafan.com>
To: Username <emailaddress>
Subject: Hi dear
Date: Sat, 23 Jul 2005 23:16:23 -0500
Message-ID: <001001c59006$2931d486$fa5b060c@evafan.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway



200-171-190-136.dsl.telesp.net.br (São Paulo, Brasil):

Received: from 200-171-190-136.dsl.telesp.net.br ([200.171.190.136])
        by mail.powerviewsystems.com (Merak 8.2.2) with SMTP id KME38518
        for ; Sun, 24 Jul 2005 20:49:43 -0400
Received: from nctta.org (nctta-org.mr.outblaze.com [205.158.62.181])
	by 200-171-190-136.dsl.telesp.net.br (Postfix) with ESMTP id 6F69EB2B0E
	for ; Sun, 24 Jul 2005 09:49:56 -0500
From: "Scottish K. Underplayed" <dls@nctta.org>
To: Username <emailaddress>
Subject: Hi dear
Date: Sun, 24 Jul 2005 09:49:56 -0500
Message-ID: <110101c5905e$cddbd5ca$b4654ef5@nctta.org>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1082
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10;
 AVE: 6.20.0.1; VDF: 6.20.0.46; host: 200-171-190-136.dsl.telesp.net.br)

222.96.121.165: (KORNET, South Korea)

Return-Path: <tanghus@mail.com>
Received: from futbolamericano.com ([222.96.121.165])
	by mailserver4.nebula.fi (8.12.10/8.12.10) with SMTP id j6P5Id5T023332
	for <a1aaa1azzzz1zaaaaa@domain>; Mon, 25 Jul 2005 08:18:42 +0300
Received: from mail.com (mail-com-bk.mr.outblaze.com [64.71.166.194])
	by futbolamericano.com (Postfix) with ESMTP id 2C32445668
	for <a1aaa1azzzz1zaaaaa@domain>; Sun, 24 Jul 2005 19:21:40 -0500
From: "Ransomed I. Jason" <tanghus@mail.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Sun, 24 Jul 2005 19:21:40 -0500
Message-ID: <101101c590ae$3fe02c44$fb6e1c3c@mail.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-Virus-Scanned: Norton

cpc2-ruth1-5-0-cust111.renf.cable.ntl.com:

Return-Path: <fliptop@guanajuato.com>
Received: from cpc2-ruth1-5-0-cust111.renf.cable.ntl.com 
([80.5.137.111] verified)
   by X (CommuniGate Pro SMTP 4.3.5)
   with SMTP id 8636265 for X; Sun, 24 Jul 2005 02:15:58 +0200
Received: from guanajuato.com (guanajuato-com-bk.mr.outblaze.com 
[64.62.181.94])
by cpc2-ruth1-5-0-cust111.renf.cable.ntl.com (Postfix) with ESMTP id 
0B142AA183
for <X>; Sat, 23 Jul 2005 14:18:49 -0500
From: "Preteen V. Slathering" <fliptop@guanajuato.com>
To: X <X>
Subject: Hi dear
Date: Sat, 23 Jul 2005 14:18:49 -0500
Message-ID: <101101c58fbb$98272312$1adaa87e@guanajuato.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: 
cpc2-ruth1-5-0-cust111.renf.cable.ntl.com
X-Antivirus: AVG for E-mail 7.0.338 [267.9.4]

ip-sv.66.249.195.124.telefonica-ca.net:

Return-path: <amck@google.com>
Envelope-to: emailaddress
Delivery-date: Mon, 25 Jul 2005 01:44:43 +0100
Received: from [66.249.195.124]
(helo=ip-sv.66.249.195.124.telefonica-ca.net)
 by emailhost with smtp (Exim 4.24)
 id 1Dwr5G-000C1h-Vq
 for emailaddress; Mon, 25 Jul 2005 01:44:43 +0100
Received: from google.com (smtp3.google.com [216.239.57.26])
 by ip-sv.66.249.195.124.telefonica-ca.net (Postfix) with ESMTP id
8F46B44695
 for <emailaddress>; Sat, 23 Jul 2005 21:48:26 -0500
From: "Rebuff I. Naturalists" <amck@google.com>
To: Freespirit <emailaddress>
Subject: Hi dear
Date: Sat, 23 Jul 2005 21:48:26 -0500
Message-ID: <101101c58ffa$1c0211ef$463fe251@google.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
X-RAV-Antivirus: This e-mail has been scanned for viruses on host:
ip-sv.66.249.195.124.telefonica-ca.net

68-112-75-197.dhcp.jcsn.tn.charter.com (USA):

Received: from 68-112-75-197.dhcp.jcsn.tn.charter.com
 (HELO 68-112-75-197.dhcp.jcsn.tn.charter.com) [68.112.75.197]
 by mx0.gmx.net (mx057) with SMTP; 25 Jul 2005 02:45:18 +0200
Received: from prodigy.com (prodigy.com [207.115.61.104])
 by 68-112-75-197.dhcp.jcsn.tn.charter.com (Postfix) with ESMTP id 6814B3F431
 for xxxxx@gmx.xx; Sat, 23 Jul 2005 21:49:01 -0500
From: "Carcinomata C. Villainous" rdkeys@prodigy.com
To: xxxxx@gmx.xx
Subject: Hi dear
Date: Sat, 23 Jul 2005 21:49:01 -0500
Message-ID: <010001c58ffa$29dbf7ff$c89abb55@prodigy.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: 68-112-75-197.dhcp.jcsn.tn.charter.com

j28107.upc-j.chello.nl (j28107.upc-j.chello.nl:

X-Envelope-From: <msingh@queretaro.com>
X-Envelope-To: <a1aaa1azzzz1zaaaaa@domain>
X-Delivery-Time: 1122490519
Received: from j28107.upc-j.chello.nl (j28107.upc-j.chello.nl [24.132.28.107])
 by mailin.webmailer.de (8.13.1/8.13.1) with SMTP id j6RItFSk026883
 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 20:55:18 +0200 (MEST)
Received: from queretaro.com (queretaro-com.mr.outblaze.com [205.158.62.181])
 by j28107.upc-j.chello.nl (Postfix) with ESMTP id 0BF3DCF2F9
 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 08:58:01 -0500
From: "Bleakly P. Newsstands" <msingh@queretaro.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Wed, 27 Jul 2005 08:58:01 -0500
Message-ID: <100101c592b3$912f5799$3971bd76@queretaro.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway

Hi
Try jwSpamSpy, our spam filter for POP3 mailboxes. 
We use it to track spammers and scammers. 
Free full featured 30 day evaluation version available!

https://jwde.jp/

static61.17.27-203.vsnl.eth.net (India):

Received: from [61.17.27.203] (helo=static61.17.27-203.vsnl.eth.net)
 by mailhost with smtp (Exim 4.52)
 id 1Dy52u-0006c3-Hg
 for a1aaa1azzzz1zaaaaa@domain; Thu, 28 Jul 2005 11:51:22 +0200
Received: from norika-fujiwara.com (norika-fujiwara-com-bk.mr.outblaze.com 
[208.36.123.75])
 by static61.17.27-203.vsnl.eth.net (Postfix) with ESMTP id 25950A25A4
 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 23:54:06 -0500
From: "Smiths D. Authorship" <tug@norika-fujiwara.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Wed, 27 Jul 2005 23:54:06 -0500
Message-ID: <110001c59330$2a9feddb$f088b5b5@norika-fujiwara.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
X-Virus-Scanned: Symantec AntiVirus Scan Engine


Joe job on 2004-02-27
The previous joe job went out on 27 February 2004. It was sent to more than 15,000 email addresses, as we received more than 3000 bounces and more than 12,000 people opened the email, acording to the traffic statistics from our website logs.

Previous emails were sent by (as yet) unknown person(s) to thousands of recipients on 16 December 2003 at 07:55 UTC, trying to make us look like spammers. Another batch, with a different message body and a different sender was sent on 19 December 2003. Both a provider in Argentina and in Hong Kong were used for the first spam. The second batch was sent via Comcast, a provider in the USA. This last mail used as a fake sender address the mail abuse handler of the company that hosts our website. Therefore all error messages for undeliverable spam ended up going to our web hoster. If I really was a spammer I'd have to be pretty stupid to dump all spam bounces onto my own webhoster...

The bulk mailer employed in all these spams is quite rare - in fact, we only have five previous specimens of it in our 100,000-odd item spam archive, all five sent in November or December of 2003. We suspect that the sender of the "Joe job" and the sender of one or more of these these spam mails is the same person. If you have received any spams using this bulk emailer, send us a copy!

Version #4 (27-Feb-2004):

Return-Path: <joewein@pobox.com>
Received: (qmail 29016 invoked from network); 27 Feb 2004 02:34:39 -0000
Received: from dhcp0062.hse.resnet.group.upenn.edu (HELO 604-740-3744) 
 (165.123.166.142)
  by ############### with SMTP; 27 Feb 2004 02:34:39 -0000
From: joewein@pobox.com
To: #####@########
Date: Thu, 26 Feb 2004 18:39:22 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text

=3Chtml=3E



=3Cbody=3E
Kostspieliger Webhosting Kosten Sie unten erhalten=3F Habe ich erhielt=
 einer L=C3=B6sung f=C3=BCr Sie freies Webhosting gerechtes email ich an 
joewein=40pobox=2Ecom=2E Oder besuchen Sie meine Webseite an http=3A=2F=
=2Fwww=2Ejoewein=2Ede! Sie k=C3=B6nnen nicht von dieser verschickenden 
Liste entfernt werden=2E Sie werden email von mir einmal t=C3=A4glich f=C3=
=BCr die folgenden 3 Monate wie pro unsere Vereinbarung erhalten=2E 
Bester Respekt=2C Joe Wein
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fizu=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fshig1=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fyukiko1=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fsab1=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fgue2=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fgue1=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Furoma2=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fneuschwanstein=
=2Ejpg=22 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Faftca2=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Frunning=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fjumbo=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fshin5=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax6=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax7=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Ffritz=2Ejpg=22=
 border=3D=220=22=3E=3C=2Fa=3E


=3C=2Fbody=3E

=3C=2Fhtml=3E

Version #3 (19-Dec-2003):

Return-Path: <abuse@schlund.de>
X-Flags: 0000
Delivered-To: GMX delivery to ####@gmx.net
Received: (qmail 767 invoked by uid 65534); 20 Dec 2003 09:11:13 -0000
Received: from c-24-9-163-244.client.comcast.net (EHLO shawmail-cg-shawcable-net)
 (24.9.163.244)
  by mx0.gmx.net (mx024-rz3) with SMTP; 20 Dec 2003 10:11:13 +0100
From: abuse@schlund.de
To: #####@gmx.net
Subject: Visit my Anti-spam site
Date: Fri, 19 Dec 2003 18:53:33 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text
Message-ID: <20031220091114.826gmx1@mx024-rz3.gmx.net>
X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)
X-GMX-Antispam: -2 (not scanned, spam filter disabled)

=3Chtml=3E

=3Chead=3E
=3Ctitle=3EUse my site=3C=2Ftitle=3E
=3C=2Fhead=3E

=3Cbody=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3E =3B =3B =
=3B How this list is compiled=3A
Every email sent to our mailboxes is analyzed by our spam filter software=
=2E It extracts and inspects the domain names in all mail sent to 
us that meets a sufficient number of criteria that are typical for spam=2E=
 We then perform whois-lookups =28see whois log=29 and Google 
searches on these domains=2C as we seek to minimize the risk of missing=
 legitimate mail from legitimate domains=2E 

Updates
If you want to be automatically notified about additions to this list=2C=
 send an e-mail to=3A 
dbl-update-subscribe=40yahoogroups=2Ede
You can unsubscribe at any time=2E We won't share your address with anyone=
 or use it for any other purpose=2E


Notice=3A
A listing here does not imply that we recommend anyone to block any mail=
 involving these domains=2C only that we at joewein=2Ede chose 
to filter all such mail=2E If you find the following list useful=2C please=
 add a link to it on your website=2E Thanks! 

Spam filtering software
We are currently developing a product to help prevent spam from reaching=
 your email intray=3A

jwSpamSpy - email spam filter for POP3 mailboxes 

Links=3A
Whois-Details of recently blacklisted domains
419-Scam Hall of Shame =28=22Nigerian Scam=22=29 

=3C=2Ffont=3E
=3C=2Fp=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3EI have a great deal for=
 you on all CK Tommy and all great designer clothing at bargain prices! 
=3C=2Ffont=3E=3C=2Fp=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3EBest Regards=2C Joe=3C=
=2Ffont=3E=3C=2Fp=3E
=3Ca href=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=22 target=3D=22=5Fblank=22=
 onmouseover=3D=22window=2Estatus=3D'http=3A=2F=2Fwww=2Ejoewein=2Ede'=
=3Breturn true=3B=22 
onmouseout=3D=22window=2Estatus=3D' '=3Breturn true=3B=22=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fweinfam=2Ejpg=22=
 width=3D=22250=22 height=3D=22250=22 alt=3D=22http=3A=2F=2Fwww=2Ejoewein=
=2Ede=22 border=3D=220=22=3E=3C=2Fa=3E
=3C=2Fbody=3E

Version #2 (16-Dec-2003):

Received: from [218.253.48.203] (helo=shawmail-cg-shawcable-net)
       by mx22.web.de with esmtp (WEB.DE 4.99 #566)
       id 1AWHtM-0007Y4-00
       for xxxxxxxx@web.de; Tue, 16 Dec 2003 17:17:49 +0100
From: postmaster@joewein.de
To: xxxxxxx@web.de
Subject: Visit our site
Date: Tue, 16 Dec 2003 05:42:53 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/plain;
  charset=ISO-8859-1
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: Message text
Message-Id: 
Sender: postmaster@joewein.de

We are getting bigger and better visit our site today!

http=3A=2F=2Fwww=2Ejoewein=2Ede

Version #1 (16-Dec-2003):

Received: from mta3-rme.xtra.co.nz ([210.86.15.143])
          by mta205-rme.xtra.co.nz with ESMTP
          id <20031216075509.IDBN7964.mta205-rme.xtra.co.nz@mta3-rme.xtra.co.nz>
          for <#########@team.xtra.co.nz>;
          Tue, 16 Dec 2003 20:55:09 +1300
Received: from shawmail-cg-shawcable-net ([200.63.144.121])
          by mta3-rme.xtra.co.nz with ESMTP
          id <20031216075507.CJWR4025.mta3-rme.xtra.co.nz@shawmail-cg-shawcable-net>
          for <#########@team.xtra.co.nz>;
          Tue, 16 Dec 2003 20:55:07 +1300
From: webmaster@joewein.de
To: #########@team.xtra.co.nz
Subject: Visit our site
Date: Mon, 15 Dec 2003 23:52:52 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: Message text
Message-Id: <20031216075507.CJWR4025.mta3-rme.xtra.co.nz@shawmail-cg-shawcable-net>

We are getting bigger and better visit our site today!

http=3A=2F=2Fwww=2Ejoewein=2Ede


     
     % Copyright LACNIC lacnic.net
     %  The data below is provided for information purposes
     %  and to assist persons in obtaining information about or
     %  related to AS and IP numbers registrations
     %  By submitting a whois query, you agree to use this data
     %  only for lawful purposes.
     %  2003-12-16 07:50:28 (BRST -02:00)
     
     inetnum:     200.63.144/23
     status:      reallocated
     owner:       Telefonica de Argentina
     ownerid:     AR-TEAR7-LACNIC
     responsible: Marcelo A. Muņoz
     address:     Defensa, 390, Piso 5
     address:     1065 - Buenos Aires - CF
     country:     AR
     phone:       +54 11 4-3335509 []
     owner-c:     TEA
     tech-c:      TEA
     created:     20030916
     changed:     20030916
     inetnum-up:  200.63.128/18
     
     nic-hdl:     TEA
     person:      TELEFONICA DE ARGENTINA
     e-mail:      tasamail@TELEFONICA.COM.AR
     address:     H. Yrigoyen 1556 - 8th floor, 1556, 
     address:     1089 - Capital Federal - BA
     country:     AR
     phone:       +54 11 4332-2364 []
     created:     20030618
     changed:     20030915
     
     % whois.lacnic.net accepts only direct match queries.
     % Types of queries are: POCs, ownerid, CIDR blocks, IP
     % and AS numbers.
     


inetnum:      218.252.0.0 - 218.255.255.255
netname:      HKCABLE-HK
descr:        HK Cable TV Ltd
descr:        Cable Multi-Media Services
country:      HK
admin-c:      AD23-AP
tech-c:       AD23-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-HK-ICABLE
remarks:      include previous allocations
changed:      hm-changed@apnic.net 20030922
status:       ALLOCATED PORTABLE
source:       APNIC

person:       administrator dns
address:      12/F., Cable TV Tower,
address:      9 Hoi Shing Road,
address:      Tsuen Wan,
address:      N.T.,
address:      HK
country:      HK
phone:        +852-2112-7516
fax-no:       +852-2112-7977
e-mail:       dnsadmin@cms.hkcable.com
nic-hdl:      AD23-AP
mnt-by:       MAINT-HK-ICABLE
changed:      dnsadmin@cms.hkcable.com 20000811
source:       APNIC


OrgName:    University of Pennsylvania 
OrgID:      UNIVER-8
Address:    3401 Walnut Street
Address:    Suite 221A
City:       Philadelphia
StateProv:  PA
PostalCode: 19104-6228
Country:    US
     
NetRange:   165.123.0.0 - 165.123.255.255 
CIDR:       165.123.0.0/16 
NetName:    UPENN-LANSUB
NetHandle:  NET-165-123-0-0-1
Parent:     NET-165-0-0-0-0
NetType:    Direct Assignment
NameServer: NOC3.DCCS.UPENN.EDU
NameServer: NOC2.DCCS.UPENN.EDU
NameServer: DNS1.UDEL.EDU
NameServer: DNS2.UDEL.EDU
Comment:    
RegDate:    1993-05-28
Updated:    2001-04-30

A Google search found the same IP address already listed for spamming on a Japanese website on February 26, 2004 i.e. the day before the Joe job against us was sent:
http://www.src.co.jp/spam/2004/02/GreyE20040226.txt

upenn.edu is listed there for spam from this address:
dhcp0062.hse.resnet.group.upenn.edu [165.123.166.142]

The most recent Joe Job tried to display 16 pictures from our website in order to drive up our web hosting bill. We responded by moving those pictures and replacing one of the images with a file that includes the following message:


Anti-Spam Resources:
Anti-spam domain blacklist – list of domains that I refuse to receive mail from
Recent additions to domain blacklist (with whois details)