ewaye

Disclaimer: This investigation uncovered information about an outfit that might be a CAN-SPAM compliant bulk e-mailer. I consider bulk e-mail spam, but I realize there’s a distinction there in the eyes of US law. Just bear with me when I call them spammers at the beginning of this piece.

I checked my stats for my mailservers, and came upon a weird error message:

status=bounced (host mail.ewayecity.com[64.194.168.4] said: 550 relaying blocked, read new mail, add (munged, our mailserver IP) to forwarding or enable smtp authentication in yo (in reply to RCPT TO command))

So I checked a bit more, and noticed several domains with similar names throwing up that error message.

Turns out it’s a spammer that’s using multiple domains containing ewaye, and a host of IP numbers to send his spam. In yesterday’s log, I did a search for ewaye, and found mails had been sent from these specific IP addresses:

I also rooted around my spambin, and found messages from them. Here’s some text from one of them. I’ve munged it and removed some tags to avoid it being hyperlinked:

You have received this advertisement from E Way

If you’re not happy with this email and wish to remove check this URL:
a =
xhref=3D”http://ewayecenter.com/unsub.php? (munged, our domain and address)
Also you may direct communications here:
E Way
5023 W 120th Ave., #175
Broomfield, CO 80020

I’ve also seen it written as:
My Eway

Even so, I think this is a rather new MO. I haven’t seen samples earlier than March 13 (Oops, just found one from February 20, from aMyEway.com, same address, same IP range), and I can’t see anything relating to this MO on NANAS.

Here’s one from February 21:
TheMyEway.com Dept
February 28
ewayspots.com

——–

It appears as though this spam operation is using a majority of the IP numbers assigned to bauerhosting.com in Colorado. Hmmm, interesting. The spam operation also has an address in Colorado. And the homepage is branded: e-way.com. So, it’s the same thing. Which means you can block them if you want, by blocking these ranges:
64.194.168.0 - 64.194.169.255
64.194.174.0 - 64.194.175.255
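
As an added example (not part of the original post), the two ranges above can be collapsed to CIDR form and used to flag matching peers in mail logs. It assumes Postfix-style log lines where the remote peer is written `hostname[ip]`; the function names are hypothetical and the sample lines are constructed, apart from the peer name and IP taken from the bounce message quoted earlier.

```python
import ipaddress
import re

# The two ranges given in the post, as (first address, last address).
BLOCK_RANGES = [("64.194.168.0", "64.194.169.255"),
                ("64.194.174.0", "64.194.175.255")]

# Assumption: Postfix-style logs, where a remote peer is written hostname[ip].
PEER_RE = re.compile(r"([A-Za-z0-9._-]+)\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def ranges_to_cidrs(ranges):
    """Collapse first-last ranges into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

def flag_peers(log_lines, nets, keyword="ewaye"):
    """Return sorted (ip, host, reason) for peers in nets or named like keyword."""
    hits = set()
    for line in log_lines:
        for host, ip_text in PEER_RE.findall(line):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # bracketed digits that are not a valid IPv4 address
            in_range = any(ip in net for net in nets)
            by_name = keyword in host.lower()
            if in_range and by_name:
                hits.add((ip_text, host, "range+name"))
            elif in_range:
                hits.add((ip_text, host, "range"))
            elif by_name:
                hits.add((ip_text, host, "name"))
    return sorted(hits)

# Constructed sample lines; only the first peer (name and IP) comes from the post.
SAMPLE_LOG = [
    "postfix/smtp[1234]: A1B2C3: relay=mail.ewayecity.com[64.194.168.4]:25, "
    "status=bounced (host mail.ewayecity.com[64.194.168.4] said: 550 relaying blocked)",
    "postfix/smtpd[2345]: connect from unknown[64.194.175.200]",  # in range, no name
    "postfix/smtpd[2345]: connect from out.ewaye-sample.test[192.0.2.10]",  # name only
    "postfix/smtpd[2345]: connect from mail.example.org[64.194.170.1]",  # gap between ranges
]

if __name__ == "__main__":
    cidrs = ranges_to_cidrs(BLOCK_RANGES)
    print([str(n) for n in cidrs])  # CIDR form of the two ranges
    for hit in flag_peers(SAMPLE_LOG, cidrs):
        print(hit)
```

The last sample line sits between the two ranges and is deliberately not flagged: the ranges are not contiguous, so a single wider block would catch addresses the post does not attribute to this sender.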

The MO is relatively consistent with bulk e-mailers. I’m seeing e-mail to two different addresses on our network. One of the addresses used here doesn’t exist. I don’t know right now if it never existed. I’d have to check that out. Update: I have checked with the owners of the domain. It’s unlikely it’s legit, because they generally use a different naming structure. On the other hand, that e-mail address has been on a lot of spam lists. Today, eway represents maybe half of the spam to that address.

The non-existent address received 6 spam attempts from this outfit in one day! The address that is operational received 13 e-mails in one day! I expect our spamfilter got some of them…

I was frustrated that I could find no information about this spammer/bulk e-mailer, so I nosed around.

e-way.com is owned by an outfit named Corporate Express Inc. And I found this on Sun’s site:
One of the applications running in this environment is Corporate Express’ proprietary online procurement system, E-Way®.

Update: 

According to this press release, there’s a company called eWayDirect which is also into e-marketing. Their contact info:

The company is located at 12 South Main Street, Suite 301, Norwalk, CT 06854. The phone number is (888) 655-0464. The company also has offices at 800 Salem Woods Drive, Raleigh, NC 27615.

CONTACT:  eWayDirect
Wendy Marx
(203) 445-2850
wendy@marxcommunications.com

6 Responses to “ewaye”

  1. Campmaster Says:

    Thanks for the information, updated my exchange server to exclude those IP ranges, hopefully that will resolve this garbage. Very helpful post! THANKS!

    ~CMT

  2. neil k Says:

    typed in eway’s physical address, the link to your page came up.
    thanks for info.
    i wish i knew more about blocking these spam. i know not to click on links from email.
    I am a mac user, hopefully slightly insulated from many abuses.

    i copy links in funny emails, then paste them to a text doc. to see real address.
    is there any recourse?
    how can i block these IP’s and domains from reaching me?
    i have many email addresses and several unused domains where i get info@;support@; etc..
    this make sense?
    hope so.
    thanks for info.

    neil k

  3. Administrator Says:

    Neil K:
    You need to turn off catch-all e-mail. Only use specific e-mail addresses, and have the e-mail server reject e-mail to all other e-mail addresses.

    And don’t get into the trap of “encoding” a new e-mail address for each site you comment on or subscribe to. The first dictionary attack will tell you why that’s a bad idea.

    Of course, if the POINT is getting spam, feel free to listen to that kind of advice…

  4. Diane Lawlis-Clarke Says:

    Although I read at the beginning that it looks like this co. is compliant, has anyone considered filing a complaint with the FTC? I just did. I don’t know if it will do any good, but it made me feel a little better.

  5. Charlie Davenport Says:

    At the bottom of this message you will find reference to a CO address that led me to this blog… EWAYE is also using aboutiway.com for spamming..

    Here’s the body of the email and at the bottom I’ve copied the header if it helps you.. I wish everyone well in stopping this junk..
    +++++++++++
    $1000 Pre-Paid Gas Card Offer $1000 Gas Card Team
    CNFRM: #1677-D7C7 3250 W. Big Beaver Road #144
    To: Member #25478 Troy, MI, 48084
    Email: bass@ptd.net
    ———————————————————————————————————————-

    Greetings bass@ptd.net,

    We would like to give you a $1000.00 Pre-Paid Gas Card.

    You can only get your paid gas at the following locations:
    76, Arco, BP, Chevron, Conoco, Costco, Exxon Mobil, Phillips 66, Shell, Texaco, Valero, Winn-Dixie

    ————–Confirm Here———————————-
    http://host.aboutiway.com/22/gas.html

    Confirm Here
    ————————————————————

    Get your $1,000.00 Pre-Paid Gas Card, confirm above.

    Requirements:
    Must be 18 with an automobile, gas only avalible at these locations: 76, Arco, BP, Chevron, Conoco, Costco, Exxon Mobil, Phillips 66, Shell, Texaco, Valero, Winn-Dixie

    Have a wonderful Day!

    Sincerely,

    Laura Cruz
    Customer Service Rep

    *Offer valid only to residents of the United States who are at least 18 years old. You need to complete our offer eligibility requirements to qualify for your free gift. Trademarks, service marks, logos, and/or domain names are the property of their respective owners, who have no association with or make any endorsement of the products or services provided by Incentive Leader com.

    If you’d like to discontinue future Incentive Leader com promotions and offers please submit an onlne request using this link: http://host.aboutiway.com/dp/is_uno1.html . You may also send a written request to the address above.

    You have received this advertisement from aboutiway.com

    If you’re not happy with this email and wish to remove your name check this URL:
    http://aboutiway.com/unsub.php?ptd.net.-bass

    Also you may direct communications here:
    aboutiway.com
    5023 W 120th Ave., #175
    Broomfield, CO 80020
    +++++++++++++++++++ HEADER BELOW +++++++
    Return-Path:
    Delivered-To: bass@ptd.net
    Received: (qmail 1836 invoked from network); 22 Apr 2006 22:10:14 -0000
    Received: from smtp7.mailnet.ptd.net ([204.186.29.4])
    (envelope-sender )
    by mailf.ptd.net (qmail-ldap-1.03) with QMQP
    for ; 22 Apr 2006 22:10:14 -0000
    Delivered-To: CLUSTERHOST smtp7.mailnet.ptd.net bass@ptd.net
    Received: (qmail 5836 invoked by uid 50005); 22 Apr 2006 22:10:14 -0000
    Received: from 208.64.31.67 by smtp7.mailnet.ptd.net (envelope-from , uid 50002) with qmail-scanner-1.23
    (uvscan: v4.4.00/v4741. spamassassin: 3.0.4.
    Clear:RC:0(208.64.31.67):SA:1(6.6/5.0):.
    Processed in 0.615088 secs); 22 Apr 2006 22:10:14 -0000
    X-Envelope-From: GasolineAlert@aboutiway.com
    Received: from 067.aboutiway.com ([208.64.31.67])
    (envelope-sender )
    by smtp7.mailnet.ptd.net (qmail-ldap-1.03) with SMTP
    for ; 22 Apr 2006 22:10:14 -0000
    Date: Sat, 22 Apr 2006 23:20:58 -0800
    From: “Gasoline Alert”
    To:
    Subject: ***SPAMTAGPTD: bass@ptd.net, $1000 Gasoline Gift Card Offer Confirmation
    Content-Type: text/plain; charset=”us-ascii”
    Content-Transfer-Encoding: quoted-printable
    X-Qmail-Scanner-1.23: added fake MIME-Version header
    MIME-Version: 1.0
    X-Qmail-Scanner-Message-ID:
    X-Spam-Prev-Subject: bass@ptd.net, $1000 Gasoline Gift Card Offer Confirmation
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
    smtp7.mailnet.ptd.net
    X-Spam-Level: ******
    X-Spam-Status: Yes, score=6.6 required=5.0 tests=ADDRESS_IN_SUBJECT,
    DATE_IN_FUTURE_06_12,SPF_HELO_PASS,SPF_PASS,URIBL_AB_SURBL,
    URIBL_OB_SURBL autolearn=disabled version=3.0.4
    X-Spam-Report:
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * 1.2 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
    * 1.4 ADDRESS_IN_SUBJECT To: address appears in Subject
    * 2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
    * [URIs: aboutiway.com]
    * 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    * [URIs: aboutiway.com]

  6. hertz Says:

    “I consider bulk e-mail spam”

    sorry, but that’s a loaded statement i have to disagree with you on. by that definition, you pretty much label all the Fortune 500 companies as spammers. there are very legitimate needs for bulk email. i get emails from godaddy and other registrars as well as newsletter subscriptions that fall into your category of “spam” (newsletters that i WANT to receive). I know for a fact that Godaddy is a Bulk Emailer (they have how many customers?) And no, that quote wasn’t taken out of context..

    And let’s get one other thing straight for the record.. JUST BECAUSE YOU DON’T WANT IT DOES NOT MEAN IT IS SPAM.. If you buy a product from company XYZ and click the box to join their email newsletter during the checkout process, it’s ridiculous to turn around 2 weeks later and complain to everyone and their brother about how the company is now SPAMMING you.. (sorry, i’ve seen this happen to clients in the past..and it’s annoying) Now, i would agree that having that company sell your email address as part of a list is walking a VERY THIN line (and you wouldn’t get much of a fight from me if you complained) I don’t necessarily think you (the spam huntress) are guilty of this, but i bet a lot of your readers are..

    As for the eWay thing, i think you are overreacting on that also. I didn’t read anywhere about using it as spyware or drive-by installs. it sounds very much like a desktop application that end-users can install to get notifications from companies about news, specials, blah. i use a program exactly like that (on purpose) to get real-time updates from Southwest Airlines on airfare specials, and you know what, if they want to track my click-through rate vs the click-through rate of some other guy..i don’t care..bring on the cheap airfare..this DOES have a potential for abuse, but i don’t believe in blaming the gun store for drive-by shootings

    in short, i think a lot of your blog has high quality content (been reading a few weeks now), but these points seem very much like knee jerk reactions on your part (this comment is probably knee jerk reaction too)
