The Story of "Nadine" -- A Tale of Mailing Lists


Nadine's Address Escapes Into the General Domain of Spamming Scum

Before the messages below arrived, there was still a slim but tangible pretense that this stream of offal was some how "opt-in".  The senders sent from their own equipment at [relatively] stable IP addresses; most of the senders were contactable by one means or another.  Some of them even made detectable efforts to be legitimate, ethical businesses.  Some of those appear to have failed more through lack of competence than lack of ethics (although it is important to note that the net effect is the same, in the end).

Such is not the case with the senders in this section.

Demonstrably they are fully aware that

With this set of facts in mind, they take steps to evade, whenever possible, efforts to stop them from blowing their trash into people's mailboxes.  These steps include

The "AmyWilson@btamail.net.cn" Spammer

Messages with this "From:" address (and multitudes from other addresses taking the form "[some female name with surname]@btamail.net.cn") have arrived here before, all sent to addresses that either were scraped from Usenet posts or were the targets of spammers before honet.com was even registered as a domain.

In this case, we see a message with classic "spammer" hallmarks -- origination from a dialup, sent through hijacked servers.  It claims to have been sent on behalf of Sonix Systems, LLC, an AT&T wireless dealer.

Random spam through ptt.ru

Those who track spammers as a hobby or a full-time job will recognize a number of familiar things here, assuming they want to wade through atrocious quoted-printable-mangled HTML.

Inept Pump-and-Dump Stock Scam from optinservices.com

Here we have an exceptionally incompetent attempt at shady activity.  First, the spammer unwisely chose to steal relay services from a Korean server that failed to mask the sending IP address (65.213.157.9), which belongs to optinservices.com, supposedly in Pompano Beach, FL.  Then, the HTML payload appears to have been prepared with Microsoft Word, which inserts abominable amounts of cruft but also embeds intriguing information, including the apparent original author's names, which in this case appear to be "Natalie Morgen" and "ECogen".  Finally, it was sent with an unreachable domain, offers4utoday.com, in the envelope sender; this will cause lots of well-run systems to reject it immediately.  As spammers go, this lot are not leading the league.

And of course, in keeping with the Sacred Traditions of Spamming, the usual "Murkowski" S1618 disclaimer demands that we accept this piece as legitimate communication, even though this legislation was never enacted into law (and even if it had been, this spam doesn't actually comply with it).

Wanting to share the joys this gem has brought, I sent a copy to the "enforcement" mailbox at sec.gov.  Perhaps they will find it valuable.

4optinonly.com:  The Buffoonery Continues

The next day after the optinservices.com fiasco, we hear directly from 4optinonly.com, the domain that appeared in the "remove from list" link above.  Oddly enough the sending server called itself "optinservicesco" when it connected here, even though its IP address carries the whimsical name "optin2.4optinonly.com".  Ah, well, at least both of the supposed senders are named "Debra" and they both tell us that Nadine is a subscriber to the eNetwork mailing list.

The overwhelming impressions of honesty and competence here would certainly motivate me to seek an unsecured gold card through their ministrations.  I'd probably make some investments, too.  Yep.

13-Mar-2002:  Not wanting to leave any doubt about who was responsible for the first stock fraud missive, but keen to clean up the MS-Word-to-HTML disaster, they resend a less-crufty version of the original not-from-a-Kim-and-Eddie-Marin-IP tout.  Oofta.  Hyphen city.

Then on 26-Mar-2002 the menagerie is augmented by a piece from addmeat.com/addmeat.net for quickenloans.quicken.com, and on 29 Mar 2002 a new but still MS-Word-cruft-infested version of the LKNG pump-and-dump stock tout.

In early April 2002, the addmeat IP addresses began to show a reverse lookup of "optinat.com", and to send stuff with envelope senders of optinat.com, optinat.net and dealsuwant.com.  There's a boring sameness to these pieces, so I haven't bothered to enshrine them here.  But they're in the archive if anybody discovers an urgent need.

Stubberfield:  A Heavy Weighs In

Then came the dawn of 26-Oct-2002, a banner day for Nadine, marking the first occasion when Gaven Stubberfield's spam operation graced her inbox.  True to form, the piece chosen for the initial assault was the famous "Free video of the farm girl having sex with her horse".  Since then, Nadine has received at least nine more pieces with this exciting offer.  I include the first one, but be warned that the content is likely to be offensive to most readers.

Leaving the farm animals aside, the remainder of the traffic has been the more prosaic printer cartridge, mortgage refinance, cheap travel, work-from-home scam sort of stuff we see from the other spewers.


Next:  Spamming Scum Collect Addresses from This Page

Back to The Nadine Story Main Page.