PGTS PGTS Pty. Ltd.   ACN: 007 008 568

PGTS Humble Blog

Thread: Internet Security/Malware/Spam

Gerry Patterson, Your Most Esteemed And Humble Blogger

Terry Swope Spam Incident (2)


Date: Wed, 24 Dec 2008 18:00:13 +1100

In early October, I blogged about a particularly aggressive spammer who I called the Terry Swope Spammer. Usually I don't spend a lot of time looking at the SpamAssassin logs. SpamAssassin is such a superb product that I just let it get on with the job, which it does silently and effectively.

What drew my attention to the Terry Swope Spammer was the sheer volume of spam. The spam had come from a static IP address. And after the first spam run, it had kept right on coming, constantly, almost every three minutes. Even after the IP address had been banned, the offending server still kept trying to establish a connection with the MTA. It even continued when the IP address had been listed world-wide in most of the major RTBLs.

At the time I pronounced this to be the work of a Spam Turkey, a particularly rare bird in these postmodern 21st century days, now that spammers have become much more wily and started to work in gangs co-operating with their criminal associates. Obviously this is one of the old-style stupid spammers, I thought. Stupid, because the HTML was malformed and the headers were obviously forged. Doubly stupid because it shouted to the world "Here I am! Please list me!" However, new information has come to light that this spam incident might have been the work of a very clever spammer, endowed with skill and a devious criminal intelligence.

You see, dear reader, I thought that the reason the spam had been constructed was to advertise a commercial operation. And for that reason it seemed that the Terry Swope Spammer had done a particularly poor job. But what if the reason was not to promote a website, but to deliberately ruin someone's online reputation? In that case, the spam may have been sly and carefully crafted.

On Monday, 22nd Of December, I received the following feedback:

Dear Webmaster,

-- Message Follows --

Hello,

I did a keyword search of my name and happened to run across an article on your site. I tried to post the link, but your script wouldn't allow me to email you with it in the message.

I am Terry Swope and the spamming incident back in October was done by someone who used my email address through a website called Mailinator.com (they allow people to use any email address anonymously). That spamming ordeal caused me many headaches before it all got cleared up. I am NOT a spammer and hate spam myself. And if I were going to spam in mass, I would most certainly be smart enough to not let emails be tracked back to me. I do have a web page at BizPlan4u.com, but the email that was spammed and had the link in it, was fabricated. I ask that you please take down your post because I was as much a victim as the people who were spammed. Thank you.

-Terry Swope

Since then I have corresponded with Terry and received three replies from him. Everything in his emails seems consistent with the claims he made in this original post. He may have been the victim of a malicious hoax intended to impugn his reputation.

I have since gone back and looked at the host that was the source of the spam. The IP address was 216.55.169.94. At the time, this host was sending a lot of email and, as I stated earlier, was listed in all the major block lists. When I went back to check the IP address, I found that it still had the same hostname and was still owned by the same parent organisation, but was not sending email and did not seem to be servicing HTTP requests. The RTBL listings had been removed. So someone had obviously been busy.

However, a quick scan of other hosts on the same netblock revealed that two of them had been listed, and recently de-listed.

Even though the DNS entries for the parent organisation appear to be above board, the fact that various servers seem to pop up on a block list and then have a little rest and get de-listed does seem odd. Could this be the work of a professional spam gang? I will monitor this netblock over the next few weeks and let you know.

Copyright     2008, Gerry Patterson. All Rights Reserved.