Skip to the Main Content

Note:These pages make extensive use of the latest XHTML and CSS Standards. They ought to look great in any standards-compliant modern browser. Unfortunately, they will probably look horrible in older browsers, like Netscape 4.x and IE 4.x. Moreover, many posts use MathML, which is, currently only supported in Mozilla. My best suggestion (and you will thank me when surfing an ever-increasing number of sites on the web which have been crafted to use the new standards) is to upgrade to the latest version of your browser. If that's not possible, consider moving to the Standards-compliant and open-source Mozilla browser.

November 4, 2003

Spamming Spammers and Their Spamming Scams.

This morning I received the following email

Dear blog owner,

My name is David. I’m developing a blog about spam:

www.blogspam.org

Please visit my site and tell me your opinion. I have collected specific methods to fight this plague in mt (movable type).

Kindest regards.

*Congratulations for your excellent blog.

Yeah, suuure ya are.

Let’s take a look at those headers

From: 	  David - BlogSpam.ORG<david@blogspam.org>
Subject: 	NEW BLOG
Date: 	November 4, 2003 7:32:06 AM CST
To: 	  <distler@golem.ph.utexas.edu><distler@golem.ph.utexas.edu>
Received: 	from ss40.shared.server-system.net (ss40.shared.server-system.net [64.207.168.2]) by golem.ph.utexas.edu (8.12.10/8.12.10) with ESMTP id hA4DwsL1023957 for <distler@golem.ph.utexas.edu>; Tue, 4 Nov 2003 07:58:56 -0600 (CST)
Received: 	from equipo1 (133.Red-81-32-43.pooles.rima-tde.net [81.32.43.133]) (authenticated (0 bits)) by ss40.shared.server-system.net (8.11.6/8.11.6) with ESMTP id hA4DwlA15495 for <distler@golem.ph.utexas.edu>; Tue, 4 Nov 2003 05:58:48 -0800
Message-Id: 	<001101c3a2db$67c977a0$0601a8c0@webconcept.local>
Mime-Version: 	1.0
Content-Type: 	multipart/alternative; boundary="----=_NextPart_000_000E_01C3A2E0.6C4E9850"
X-Priority: 	3
X-Msmail-Priority: 	Normal
X-Mailer: 	Microsoft Outlook Express 5.50.4522.1200
X-Mimeole: 	Produced By Microsoft MimeOLE V5.50.4522.1200

pooles.rima-tde.net is, in my experience, a nest of spammers (I’ve ended up blocking the domain). But the real tip-off is the Message-Id. Head on over to webconcept.com and decide for yourself whether this guy is on the up 'n up.

Did I not give them “about a month”? Dang, they’re a week early!

Posted by distler at November 4, 2003 9:57 AM

TrackBack URL for this Entry:   https://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/244



12 Comments & 0 Trackbacks

Re: Spamming Spammers and Their Spamming Scams.

pooles.rima-tde.net is the domain used by Telefonica, the main phone company in Spain, for their dial-in lines. Since most Spanish ISP’s buy their lines from Telefonica, blocking this domain means that you block 95% of all modem users in Spain.

Posted by: Jeroen on November 4, 2003 11:05 AM | Permalink | Reply to this

Blocking pooles.rima-tde.net

Sorry, I wasn’t clear.

I’m blocking email send directly from these Spanish dial-ups. If they want to email me, they can use their ISP’s mail server.

Posted by: Jacques Distler on November 4, 2003 1:36 PM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

But, of course, your larger point is correct. Just because I (used to) get a lot of Direct-to-MX spam from a large dialup pool does not in any way imply that all, or even most users of that pool are spammers.

I retract my previous insinuation to that effect.

Posted by: Jacques Distler on November 4, 2003 3:22 PM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

I think the fact that the Message-ID shows a *.local (i.e, “localhost”) domain name is proof enough that this is spam.

Posted by: Abiola Lapite on November 5, 2003 6:29 PM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

I found this site as I was looking for informations about rima tde. I just made a litte tool to log user requests to a site and I test it on my little computer apache server that I use to test my pages before installing them on my site at my ISP, I don’t have a domain name.
I then realize that I was not the only one to use my server, there are some intruders, some whose address cannot be translated by a name server and the rima tde.
I don’t know what these robote are looking for, maybe a email address in the page, for now, they don(t seem to follow links.
It’s easy to deny accesss from these domains, another way may be to send them a 1 Gigabyte page when they send a request.

Posted by: Patrick on March 1, 2004 11:44 AM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

someone should kick rima-tde.net off all the internet routers coz they are allowing DDOS attackers to use their network grr!

Posted by: anon on October 16, 2006 1:25 PM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

My firewall keeps reporting BACKDOOR Trojan attacks from their IPs-obviously nothing to be happy about.

Posted by: Simon on January 13, 2007 9:18 PM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

We can all do without ISPs and others who leave their systems open to such abuse. If we all blocked these ISPs perhaps, eventually, they’d get the message to handle abuse reports effectively and ruthlessly.

Farewell rima-tde.net - into the filter you go!

Received: from [83.42.43.66] (helo=66.red-83-42-43.dynamicip.rima-tde.net)
by exim-sec02.blueyonder.co.uk with smtp (Exim 4.52)
id 1HJkFA-0006a9-6m; Wed, 21 Feb 2007 05:42:21 +0000
Message-ID:
From: “Philip Morris”

Posted by: Danny on February 21, 2007 2:02 AM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

I’m a new ISP and I right now i’m desperately trying to find out whats causing my bandwidth to be sucked up by one user. Now here i am at this site learning about a domain which i discovered in my traffic. I will follow your stance and filter this domain at once. I hope it solves the problem. rima-tde.net - out you go!

Posted by: Colin on March 13, 2007 8:40 PM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

so, is Telefonica involved or it is a spam scam? :-)
Why they would use a dialup ISP when they can use a web proxy?

Posted by: Domain names on November 11, 2007 1:24 AM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

In this day and age spammers and scammers are getting increasingly crafty in their methods of obtaining email addresses, links, etc. I just got turned-on to checking the mail headers for all my emails to ensure the ‘real’ person is emailing me and your posting just solidifies my awareness for this need. Thanks.

Posted by: Scott La Plant on November 19, 2009 11:56 AM | Permalink | Reply to this

Re: Spamming Spammers and Their Spamming Scams.

I have also found HACKING activity from this domain. I have a Wordpress site and Somehow someone managed to change my admin user name and password. So after I went in to the database and fixed this I installed a security plugin (Wordfence) and found that I get hackers that try to login using the user name “admin”. The plugin shows the ip address and host name of the people that are trying to login this way and one of them is rima-tde.net, and it’s not just one IP address. I’m not sure exactly how many there are but it seems to be a lot.
Examples:
An unknown location at IP 80.38.142.190 attempted a failed login using an invalid username “admin”.
IP: 80.38.142.190 [block]
Hostname: 190.Red-80-38-142.staticIP.rima-tde.net

An unknown location at IP 88.2.205.23 attempted a failed login using an invalid username “admin”.
IP: 88.2.205.23 [block]
Hostname: 23.Red-88-2-205.staticIP.rima-tde.net

An unknown location at IP 88.26.246.176 attempted a failed login using an invalid username “admin”.
IP: 88.26.246.176 [block]
Hostname: 176.Red-88-26-246.staticIP.rima-tde.net

So it’s not just spamming but also hacking coming from this domain.

Posted by: James on July 4, 2012 4:39 PM | Permalink | Reply to this

Post a New Comment