PGTS PGTS Pty. Ltd.   ACN: 007 008 568               Mobile Version Coming Soon

point Site Navigation

Valid HTML 4.01!

   Stop The Internet Filter!

   No Clean Feed

   The Internet Filter Is An Ex-parrot!

Feedback: February 2004, Published: March 2004

This month some additional information from the USA regarding spam.

Many ISPs only accept abuse notifications concerning the actual source of the spam. However in the case of portable addresses and open-relays, such an approach is not worth pursuing. In any case open relays are already documented, and there are several publically available lists of these sources.

Some postmasters opt for blocking portable (or dynamic) networks. There is the well known Pan-Am Dynamic List Project (see: The data is also available from Open Source contributors.

PGTS does not recieve much spam, since the MTA at this site is a well configured Open Source variant.

And so an e-mail from the USA arrived with information that might shed some light on the activities of our old friend Mike from Girrawheen. This message from the USA reported some spam which was promoting a site called This porn site uses a name that is possibly a (rather lame) joke at the expense SPEWS (the legendary spam blocking list). The whois listing gives the following (obviously false) information:

	Domain Name:               SPEWS.BIZ
	Domain ID:                 D5473023-BIZ
	Sponsoring Registrar:      TUCOWS INC.
	Domain Status:             ok
	Registrant ID:             TUYJMBPYBCZ7TBXN
	Registrant Name:           polymenas Ioannis
	Registrant Organization:   spamcop
	Registrant Address1:       56 Kleyerstr st
	Registrant City:           frankfurt
	Registrant State/Province: na.
	Registrant Postal Code:    60326
	Registrant Country:        Germany
	Registrant Country Code:   DE

At the time that I investigated them, were using for the primary and secondary DNS. And it was then that I realised that the domain did not appear to have been setup correctly. still had the address of PO Box 6111 in Girrawheen and were hosted by the domain The DNS entry for had not been setup correctly either. And yet somehow they had hosted themselves! According to whois, was located at PO Box 7449 in Bellevue WA (not far from Girrawheen - small world isn't it?) Although they had hosted themselves, used the name servers at, which at the time, was another domain that had not been setup correctly.

The registry that hosted was So I was starting to go round in circles. The name servers for were:

	dns2.NAME-SERVICES.COM. 4765    IN      A
	dns3.NAME-SERVICES.COM. 4765    IN      A
	dns4.NAME-SERVICES.COM. 4765    IN      A
	dns5.NAME-SERVICES.COM. 4765    IN      A
	dns5.NAME-SERVICES.COM. 4765    IN      A
	dns5.NAME-SERVICES.COM. 4765    IN      A
	DNS1.NAME-SERVICES.COM. 4765    IN      A

This approaches the mystical levels of the mythical Ouroboros (the serpent that eats its' own tail). In this regard, it seems that some of our home-grown Aussie spammers show as much enterprise as their US colleagues. If only such energy, innovation, ingenuity and sheer native-rat cunning had been devoted to purposes other than spamming!

The IP addresses for the Quantum-tech name servers are and And they are registered as belonging to (who else?). However they have been leased from nLayer Communications Inc, who are listed as 44050-195 Ashburn Plaza, #637, Ashburn VA.

A notification has been sent to nLayer Communications to inform them of this. However to date there has only been an automated response.

Since then there has been information received from Belgium that the IP address, has been port-scanning computers. The name servers in the Quantum-tech domain continue to dance a complex shuffle. Despite the fact that they appear to have avoided the major lists, SPEWS has fingered them. It may not be long many lists have banned the CIDR 69.31.32/21.


Spam Diaries:

Mike from Pillmedics

From: Mike (USA)
Date: Sun,  8 Feb 2004 03:38:09 +1100 (EST)

Dear Webmaster,

I read an article by Gerry Patterson that included references to
Quantum-Tech and their spam. We have recently received an e-mail from regarding "". Is this the same guy? The
e-mail header is below. We are trying to locate their service provider.

Received: from (unknown [])
        by (Postfix) with SMTP id B201316648
        for <>; Sat,  7 Feb 2004 09:02:38 -0500
Received: (qmail 11644 invoked from network); 7 Feb 2004 14:26:55 -0000
Received: from unknown (HELO nuclear) (
  by with SMTP; 7 Feb 2004 14:26:55 -0000
Message-ID: <004b01c3ed84$42435200$d5a616ca@nuclear>
From: "admin" <>

Ed: is not listed in any major black lists and does not
appear to be an open relay. According to whois, the address belongs to
an Australian firm called TSN Internet, and is part of their portable
(dynamic) network. According to SenderBase
(, and
( are sending large volumes of e-mail and
may be spam sources. Pre-emptive postmasters can add these addresses to
their block lists now, rather than waiting for spam to arrive from them.

I am grateful for the fact that Mike (from USA) drew my attention to again. It seems that I over-looked a few details
concerning the registration of this domain. For more information see the
comments at the top of this document

Back To Index

SPAM: Mail abuse from the group

From Tue Feb 10 06:00:07 2004
Return-Path: <>
Received: from ( [] (may be forged))
	by (8.11.6/8.11.6) with ESMTP id i19J06i87972
	for <>; Tue, 10 Feb 2004 06:00:06 +1100 (EST)
Received: from china ( [])
	by (8.12.8/8.12.8) with SMTP id i19ItamB015179
	for <>; Mon, 9 Feb 2004 10:55:44 -0800
Message-Id: <>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Mon, 9 Feb 2004 10:55:36 -0800
From: Johnny R<>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by id i19J06i87972
Content-Length: 1405
Lines: 31

I am contacting you about cross linking. I am interested in because it looks like it's relevant to a site for which I am seeking links. The site is about pet care products.

I'll keep the web address confidential and will send it to you only if you give me permission to do so. Just let me know if it's OK, and I'll send you the web address for your review. If you approve of the site, then the intention is to exchange links.

Looking forward to your reply.

Johnny R
Experts in Quality Link Building

P.S. If for any reason you don't want me to contact you again, email me with NO EMAIL as the subject.

Link Builder
Apartado Postal #7
Tijuana, B.C. 22001

Ed: This IP address is not listed in major lists (with the exception of Judging by the report from however, the
entire netblock 200.76.229/24 looks highly suspicious. It has been added
to the PGTS block list.

The main reason for resurrecting the "Spam Diary" was the nameservers
used by At the time of writing they were However, a few hours later they had been changed to The nameservers seem to be in a constant state of
flux. The primary and secondary DNS are constantly changing. This spam
seems to be related to (who have also used

Back To Index

SPAM: Spam and Bulk e-mailers, hosting -

From Mon Feb 23 06:02:43 2004
Return-Path: <>
Received: from ( [])
	by (8.11.6/8.11.6) with SMTP id i1MJ2c505740
	for <>; Mon, 23 Feb 2004 06:02:40 +1100 (EST)
Received: from by; Sat, 21 Feb 2004 23:30:50 +0400
Message-ID: <>
From: "Carlos Sanders" <>
Reply-To: "Carlos Sanders" <>
Date: Sat, 21 Feb 2004 16:21:50 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Webmail-Time: Sat, 21 Feb 2004 16:25:50 -0300
Content-Length: 1098
Lines: 42

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Hello Alexis Strong

Welcome to our site -

On our site you will find more for Hackers and Carders:

1) Children,  Gays, Sex, Porno, Anal -
2) Spam and Bulk e-mailers, hosting -
3) Cracks -
4) Viruses and Trojan's -
5)  Stolen credit cards, guns and heroin -
And thank you for using our Forum -

ICQ: 777887

Great thanks to our Hosting!

dispense aventine bean northrup eclipse cloy bronzy couldn't centrifugal p=
ickerel ph.d bowen filly megavolt adrian taketh cadillac nostradamus=20


Ed: This is as bold and brash as any spam I have ever encountered. It
appears to be a genuine advertisement of goods in services for the
Organised Crime sector. They just let it all hang out!

Back To Index