## November 4, 2003

### Spamming Spammers and Their Spamming Scams.

This morning I received the following email:

Dear blog owner,

My name is David. I’m developing a blog about spam:

www.blogspam.org

Please visit my site and tell me your opinion. I have collected specific methods to fight this plague in mt (movable type).

Kindest regards.

Yeah, suuure ya are.

Let’s take a look at those headers:

```
From: 	  David - BlogSpam.ORG<david@blogspam.org>
Subject: 	NEW BLOG
Date: 	November 4, 2003 7:32:06 AM CST
To: 	  <distler@golem.ph.utexas.edu>
Received: 	from ss40.shared.server-system.net (ss40.shared.server-system.net [64.207.168.2]) by golem.ph.utexas.edu (8.12.10/8.12.10) with ESMTP id hA4DwsL1023957 for <distler@golem.ph.utexas.edu>; Tue, 4 Nov 2003 07:58:56 -0600 (CST)
Received: 	from equipo1 (133.Red-81-32-43.pooles.rima-tde.net [81.32.43.133]) (authenticated (0 bits)) by ss40.shared.server-system.net (8.11.6/8.11.6) with ESMTP id hA4DwlA15495 for <distler@golem.ph.utexas.edu>; Tue, 4 Nov 2003 05:58:48 -0800
Message-Id: 	<001101c3a2db$67c977a0$0601a8c0@webconcept.local>
Mime-Version: 	1.0
Content-Type: 	multipart/alternative; boundary="----=_NextPart_000_000E_01C3A2E0.6C4E9850"
X-Priority: 	3
X-Msmail-Priority: 	Normal
X-Mailer: 	Microsoft Outlook Express 5.50.4522.1200
X-Mimeole: 	Produced By Microsoft MimeOLE V5.50.4522.1200
```


pooles.rima-tde.net is, in my experience, a nest of spammers (I’ve ended up blocking the domain). But the real tip-off is the Message-Id. Head on over to webconcept.com and decide for yourself whether this guy is on the up 'n up.

Did I not give them “about a month”? Dang, they’re a week early!

Posted by distler at November 4, 2003 9:57 AM
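The checks the post makes by eye (Message-Id domain versus From domain, and the originating Received hop), as an added Python example that is not part of the original post. The suffix list and the finding labels are assumptions, and each check is a triage heuristic rather than proof of spam.

```python
import re
from email import message_from_string

# The headers relevant to the checks, copied from the post so this runs offline.
RAW = """\
From: David - BlogSpam.ORG<david@blogspam.org>
Received: from ss40.shared.server-system.net (ss40.shared.server-system.net [64.207.168.2]) by golem.ph.utexas.edu (8.12.10/8.12.10) with ESMTP id hA4DwsL1023957 for <distler@golem.ph.utexas.edu>; Tue, 4 Nov 2003 07:58:56 -0600 (CST)
Received: from equipo1 (133.Red-81-32-43.pooles.rima-tde.net [81.32.43.133]) (authenticated (0 bits)) by ss40.shared.server-system.net (8.11.6/8.11.6) with ESMTP id hA4DwlA15495 for <distler@golem.ph.utexas.edu>; Tue, 4 Nov 2003 05:58:48 -0800
Message-Id: <001101c3a2db$67c977a0$0601a8c0@webconcept.local>

"""

# Assumed list of suffixes that never resolve on the public Internet.
NON_PUBLIC = (".local", ".localdomain", ".lan", ".internal")
# Sendmail-style hop: "from HELO (RDNS [IP])".
HOP = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\)")

def domain_of(value):
    """Domain after the last '@' in an address or Message-ID header."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", value or "")
    return m.group(1).lower() if m else ""

def origin_hop(msg):
    """Oldest Received header (last in the message): (HELO, rDNS, IP)."""
    m = HOP.search(msg.get_all("Received", [""])[-1])
    return m.groups() if m else None

def review(raw):
    """Return a list of heuristic findings for one message's headers."""
    msg = message_from_string(raw)
    findings = []
    mid, frm = domain_of(msg["Message-Id"]), domain_of(msg["From"])
    if mid.endswith(NON_PUBLIC):
        findings.append(f"message-id-internal-domain:{mid}")
    if mid != frm and not mid.endswith("." + frm):
        findings.append(f"message-id-vs-from:{mid}!={frm}")
    hop = origin_hop(msg)
    if hop:
        helo, rdns, ip = hop
        if "." not in helo:  # workstation name, not a mail server's FQDN
            findings.append(f"helo-not-fqdn:{helo}")
        # Generic pool rDNS: every octet of the IP is spelled out in the name.
        if set(ip.split(".")) <= set(re.findall(r"\d+", rdns)):
            findings.append(f"ip-derived-rdns:{rdns}")
    return findings

if __name__ == "__main__":
    print("\n".join(review(RAW)))
```

Legitimate mail can trip any one of these (many senders use a Message-ID domain that differs from the From domain), so treat the output as reasons to look closer, not as a verdict.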

### Re: Spamming Spammers and Their Spamming Scams.

pooles.rima-tde.net is the domain used by Telefonica, the main phone company in Spain, for their dial-in lines. Since most Spanish ISPs buy their lines from Telefonica, blocking this domain means that you block 95% of all modem users in Spain.

Posted by: Jeroen on November 4, 2003 11:05 AM | Permalink | Reply to this

### Blocking pooles.rima-tde.net

Sorry, I wasn’t clear.

I’m blocking email sent directly from these Spanish dial-ups. If they want to email me, they can use their ISP’s mail server.

Posted by: Jacques Distler on November 4, 2003 1:36 PM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

But, of course, your larger point is correct. Just because I (used to) get a lot of Direct-to-MX spam from a large dialup pool does not in any way imply that all, or even most users of that pool are spammers.

I retract my previous insinuation to that effect.

Posted by: Jacques Distler on November 4, 2003 3:22 PM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

I think the fact that the Message-ID shows a *.local (i.e., “localhost”) domain name is proof enough that this is spam.

Posted by: Abiola Lapite on November 5, 2003 6:29 PM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

I found this site as I was looking for information about rima tde. I just made a little tool to log user requests to a site and I tested it on my little computer’s Apache server that I use to test my pages before installing them on my site at my ISP; I don’t have a domain name.
I then realized that I was not the only one to use my server: there are some intruders, some whose address cannot be translated by a name server, and the rima tde.
I don’t know what these robots are looking for, maybe an email address in the page; for now, they don’t seem to follow links.
It’s easy to deny access from these domains; another way may be to send them a 1 Gigabyte page when they send a request.

Posted by: Patrick on March 1, 2004 11:44 AM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

someone should kick rima-tde.net off all the internet routers coz they are allowing DDOS attackers to use their network grr!

Posted by: anon on October 16, 2006 1:25 PM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

My firewall keeps reporting BACKDOOR Trojan attacks from their IPs - obviously nothing to be happy about.

Posted by: Simon on January 13, 2007 9:18 PM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

We can all do without ISPs and others who leave their systems open to such abuse. If we all blocked these ISPs perhaps, eventually, they’d get the message to handle abuse reports effectively and ruthlessly.

Farewell rima-tde.net - into the filter you go!

by exim-sec02.blueyonder.co.uk with smtp (Exim 4.52)
id 1HJkFA-0006a9-6m; Wed, 21 Feb 2007 05:42:21 +0000
Message-ID:
From: “Philip Morris”

Posted by: Danny on February 21, 2007 2:02 AM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

I’m a new ISP and right now I’m desperately trying to find out what’s causing my bandwidth to be sucked up by one user. Now here I am at this site learning about a domain which I discovered in my traffic. I will follow your stance and filter this domain at once. I hope it solves the problem. rima-tde.net - out you go!

Posted by: Colin on March 13, 2007 8:40 PM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

So, is Telefonica involved or is it a spam scam? :-)
Why would they use a dialup ISP when they can use a web proxy?

Posted by: Domain names on November 11, 2007 1:24 AM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

In this day and age spammers and scammers are getting increasingly crafty in their methods of obtaining email addresses, links, etc. I just got turned-on to checking the mail headers for all my emails to ensure the ‘real’ person is emailing me and your posting just solidifies my awareness for this need. Thanks.

Posted by: Scott La Plant on November 19, 2009 11:56 AM | Permalink | Reply to this

### Re: Spamming Spammers and Their Spamming Scams.

I have also found HACKING activity from this domain. I have a WordPress site and somehow someone managed to change my admin user name and password. So after I went into the database and fixed this, I installed a security plugin (Wordfence) and found that I get hackers that try to log in using the user name “admin”. The plugin shows the IP address and host name of the people that are trying to log in this way and one of them is rima-tde.net, and it’s not just one IP address. I’m not sure exactly how many there are but it seems to be a lot.
Examples:
IP: 80.38.142.190 [block]
Hostname: 190.Red-80-38-142.staticIP.rima-tde.net