Franklin Veaux's Journal
Anyone familiar with an outfit called Suavemente?
Aug. 15th, 2008 at 3:26 PM
So lately, my inbox has been flooded with an unusually large amount of spam. This spam is advertising Web sites with URLs such as klhrvbhqw dot com, hyaiocgsk dot com, dcghffxba dot com, and ipwbquigi dot com -- you know, nonsensical domains made up of random letters, usually a sure bet that it's a throwaway spam domain the spammer plans to use once for a single spam run and discard.
All of these domains are hosted at the same ISP, an outfit I've never heard of before called Suavemente.
Now, two things about Suavemente scream "bulletproof spam host" to me. The first is they didn't bother to register the .com; their only URL is suavemente.net. The second is that they're headquartered in the US, but their front page proudly screams High-speed offshore. In the world of ISPs, "offshore" normally means "we allow our users to violate American law, safe in the knowledge that their servers can not be subpoenaed or subject to American jurisdiction."
So at first blush, Suavemente stinks of "owned by spammers, run by spammers for spammers." However, I can't find them on the usual compilations of known rogue ISPs; they are listed in the ISP hall of shame <http://www.frws.com/spam-hallofshame.html>, but that's about it.
And they respond to abuse complaints. They don't respond by shutting down their spammers, but they do respond nonetheless.
Received: from rly-da08.mx.aol.com (rly-da08.mail.aol.com [172.19.129.82]) by air-da03.mail.aol.com (v121_r2.11) with ESMTP id MAILINDA033-a8848a5c7f716; Fri, 15 Aug 2008 14:17:08 -0400
Received: from mail.suavemente.net (mail.suavemente.net [220.127.116.11]) by rly-da08.mx.aol.com (v121_r2.11) with ESMTP id MAILRELAYINDA088-a8848a5c7f716; Fri, 15 Aug 2008 14:16:23 -0400
Received: from mail.suavemente.net (mail.suavemente.net [127.0.0.1])
    by mail.suavemente.net (Postfix) with ESMTP id DF85A24F23E
    for <email@example.com>; Fri, 15 Aug 2008 11:16:19 -0700 (PDT)
Received: (from apache@localhost)
    by mail.suavemente.net (8.13.8/8.13.1/Submit) id m7FIGJ5m012091;
    Fri, 15 Aug 2008 11:16:19 -0700
Content-Type: text/html; charset="us-ascii"
X-Mailer: MIME::Lite 3.020 (F2.74; T1.23; A2.02; B3.07; Q3.07)
From: "Suavemente Abuse Support" <firstname.lastname@example.org>
Subject: [SUAVE-100-43518] RE: PLEASE DO SOMETHING ABOUT YOUR SPAMMER!!!
Date: Fri, 15 Aug 2008 11:16:19 -0700
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo : n
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : +
Our customer was obviously not violating any regulation - they obviously got your email address from www.yourgiftpro [dot] com, I am not sure how much knowledge you have about regulations or permission based email, or if you actually read about legal email practices, I suggest you to re-read about it, grep about third parties, or opt out or call yourgiftpro.com legal department, 801.316.0555 if you prefer by fax, 1-818-817-2100
Thanks for using the help desk, if you have any further difficulties or are required to respond to your request, please login to the help desk
Now, several things about this strike me as weird. First, as anyone who's been reading this blog for any length of time knows, I'm about as likely to "opt in" to an advertising list at a place like yourgiftpro dot com as I am to shove a hot poker through my eyes.
Second, most spam-supporting ISPs just route abuse emails to /dev/null.
Third, it appears that our Mr. Ariel Taranto is awfully close to the spammers; his email would suggest that he believes, or he pretends, that he knows where the spammers got my email.
Fourth, the nonsensical domains being used by the spammers are, at least according to the Whois record, associated with a spam outfit calling itself pulsedemand dot com, a place entirely distinct from, and not even in the same state as, yourgiftpro dot com.
So. Is Suavemente a dirty, rogue ISP supporting spammers, or a clueless, kind of confused ISP inadvertently being played by spammers? Has anyone heard of Suavemente? What's the dirt on them in the anti-spam community?
The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.