email

Spam from kingex.io (Kingex Crypto and Cash exchange)

Spam is frustrating. It is for me on many levels, not least of which because I run a mail server for a few thousand users. This is especially true since my company is a small hosting provider, so we have almost no leverage with the “big boys”, Google, Microsoft/Hotmail/Outlook (however they want to be known today), Yahoo, etc. The one that can’t make up their mind what they’re called has a programme called “Smart Network Data Services” but which used to be called “Postmaster Live”, but it’s as useless as tits on a bull. I’ve jumped through all of the hoops, but I still get just infuriating auto-replies and ignored when I try to interact with their system and the people behind their system. Google’s system is completely worthless and unworkable, as in order for my company to be a part of it, I’d have to create a new account for every domain we host! I can’t just sign up my mail servers’ IP addresses and deal with them that way! It’s stupid beyond belief.

But the point of these programmes/systems is for, as in the “old days” of the Internet, service providers — particularly the postmasters of said service providers — to interact and resolve issues. But the “big boys” don’t actually make any effort to “interact and resolve” anything; they just dictate how the rest of the world is supposed to interact with them, even when they’re operating outside of the RFCs, which are, essentially, the laws of the Internet.

One day I’ll write a more comprehensive post about how I think that all of said “big boys” are colluding to ensure that only they provide email service in the future, and companies like NinerNet Communications — with whom people are currently free to contract! — are shunted to the side, and encouraged to become their resellers.

But on a personal level, I myself get hardly any spam. Seriously! (Seventeen since 2021.) But when I do, I go through the roof, especially if it’s sent to one of my personal addresses, which I never give to anyone but close friends and family (I just don’t!), other than my “personal company” address, which I use to communicate with clients as well, of course. And I never enter it into a form on a website either! I have a system of rotating email addresses, and addresses I set up for individual suppliers and for specific purposes. For example, if I sign up for a Twitter account, the email address I give them is twitter123@myspecial.subdomain.com. That makes is easy to filter messages from them, and also makes it clear to me who leaked my email address if that address is spammed.

And if I’m going on a trip (as I just did), I set up an “alias” for the trip; that way I can use it for everything from plane tickets, to hotels, to entry tickets … the works! After the trip, I delete it. All of those airlines and hotels and theatres can spam me all they want — and they do! — but at the flick of a switch when I get home, all of that spam stops. Ahhhh, peace!

So after five paragraphs I should address the spam I received on Thursday from a company called Kingex, who bill themselves as a “crypto and cash exchange”. Years ago I gave up reporting spam to the email service providers from where the spam originated, and the hosts of the spamvertised websites. I used to have a very sophisticated and in-depth system for doing so — as good as if not better than Spamcop’s — but I eventually realised that it was a complete waste of time to do so … and it was a significant amount of time to do so, looking up the owners and contacts for multiple IP addresses and domains. It was a waste of time because my reports were completely ignored, and in some cases the hosts justified the spam, questioned my intelligence (“You probably just forgot you signed up for the spam”) and/or defended the spammers.

Anyway, this spam from kingex.io was sent to my personal company email address, not to one of my rotating or supplier email addresses. (I have a “personal company” email address, and a “personal personal” email address, both on their own domains, neither of which are the domain of this website.) Ironically the message included a request and a link: “Please leave us some feedback https://www.trustpilot.com/review/kingex.io”. So I thought, “What the hell, I won’t be reporting this, but I’ll give them some appropriate feedback.” And I did:

Never heard of these guys until I received spam from them a few minutes ago asking to be reviewed. So I am. Never deal with spammers.

I also perused a few of the other reviews, most of which were five (of five) stars, of course, as is typical on review websites where customers are coerced or otherwise strongly motivated into leaving reviews. But there were a few negative ones (read them yourself) where (a) Kingex representatice(s) was/were very aggressive in putting down the reviewer … which, as everyone knows, is Customer Service 101, put down any criticism with aggression.

In that vein my review received this response:

Dear customer,

We do not send unsolicited emails and do not promote our exchange services via email marketing. If you believe you received a message claiming to be from us, please provide the email address in question or contact us directly at support@kingex.io — we will be happy to investigate the matter thoroughly.

Until any evidence is presented, we consider this review an attempt to discredit our exchange service without basis.

Best regards,
Kingex Team

Because, as everyone knows, every negative review is quite clearly “an attempt to discredit our [company/]service without basis.” Yup, I’ve got nothing better to do all day than find new companies and leave them negative reviews.

Anyway, I’ve posted this here so that when I send these morons the copy of the spam I received, I will send it along with a link to this post, because on the Trust Pilot website there doesn’t seem to be a possibility of engaging in any back-and-forth, so my blog is where I will make this back-and-forth possible because Kingex will probably do all they can to have my Trust Pilot review removed. But, you know, when someone accuses you right off the bat with lying, there’s not much chance of any constructive back-and-forth. (Ironically, I see they now have another one-star review from someone else they spammed, with the same copied-and-pasted aggressive reply; see screenshot.) Here, the review cannot and will not be removed.

Oh, and their domain has been blocked on my company’s mail servers, so any future spam from them will not be delivered to our users’ mail boxes.

Kingex review and reply.

Kingex spam complaints.

And here’s the spam:

Return-Path: <dumbass@kingex.io> Delivered-To: xxxxx@xxxxx.xxx Received: from nc036.ninernet.net (nc036.ninernet.net [127.0.0.1]) by nc036.ninernet.net (Postfix) with ESMTP id DD920C540C3 for <xxxxx@xxxxx.xxx>; Fri, 25 Apr 2025 00:54:25 +0000 (UTC) X-Virus-Scanned: amavisd-new at nc036.ninernet.net X-Spam-Flag: NO X-Spam-Score: 2.787 X-Spam-Level: ** X-Spam-Status: No, score=2.787 tagged_above=-100 required=3.5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MISSING_HEADERS=1.021, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_ZBI=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_FAIL=0.001, SPF_SOFTFAIL=0.665, TVD_SPACE_RATIO=0.001, TVD_SPACE_RATIO_MINFP=0.85, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no Received: from nc036.ninernet.net ([127.0.0.1]) by nc036.ninernet.net (nc036.ninernet.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X-fluxj0TjIf for <xxxxx@xxxxx.xxx>; Fri, 25 Apr 2025 00:54:24 +0000 (UTC) Received: from domain.com (unknown [94.26.90.29]) by nc036.ninernet.net (Postfix) with ESMTP id D05C2C540C1 for <xxxxx@xxxxx.xxx>; Fri, 25 Apr 2025 00:54:24 +0000 (UTC) Message-ID: <252444ef1bdff5fed9e3aa01f5012a2fb46c4b@kingex.io> From: Kingex <dumbass@kingex.io> Subject: Best exchange Date: Thu, 24 Apr 2025 17:54:02 -0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="2b81c86397537de6c56f26bd48820a7ce3" X-Evolution-Source: 0ff2745c15978e92c527518f51fd77983813ec4b

–2b81c86397537de6c56f26bd48820a7ce3
Content-Type: text/plain; charset=”utf-8″
Content-Transfer-Encoding: quoted-printable

A BUNCH OF LINKS REMOVED

Please leave us some feedback https://www.trustpilot.com/review/kingex.io

–2b81c86397537de6c56f26bd48820a7ce3
Content-Type: text/html; charset=”utf-8″
Content-Transfer-Encoding: quoted-printable

A BUNCH OF LINKS REMOVED

–2b81c86397537de6c56f26bd48820a7ce3–

Updated, 2025-04-28: Firefox turns a bare Tiktok link into a tracking warning. I am not tracking anything.

Updated, 2025-04-28: Actually, removed most of the body of the spam message, as WordPress (Word-press?) just makes a mess of it, and all I was doing was helping to promote the spammer. Ain’t WYSIWYG great?!

Do you load the embedded images in email messages you receive?

Dec 22nd, 2024

by Craig.

Comments are off for this post

In my daily emails I invariably receive HTML messages with embedded images that are remotely hosted. I’m not talking about attached images that may or may not be displayed in-line, I’m referring to images that are hosted elsewhere and are pulled in over an Internet connection.

Every email client I’ve ever used — which is only two, Eudora and Evolution (I miss Eudora!), not counting the few I have tried temporarily — has given me the option to display these automatically or not. I always choose not to display them. Why? Because invariably one or all of the images are intended to track whether or not the person at my email address has opened the message and (presumably) read, understood and agreed to it. No thanks. There’s no benefit in that to me the receiver, so why would I do that?

Example of poorly designed HTML email message displayed in Evolution

Where I really notice this is in marketing messages, of course. One in particular that I receive daily (at left) lists a number of products in which I might be interested. There are six of them on the page, and it used to be that three of them displayed above the fold — i.e., where the screen ended before I am forced to scroll. I didn’t see the images due to the default settings in my email clients that do not display the images, but there were textual descriptions that were enough to make me decide whether or not to click to go to the website for more details. Sometimes I would click, but often not. The point is though that some months ago they changed the layout of the messages, and now there are none above the fold, and no visible text descriptions without scrolling. As a result, I don’t even remember the last time I clicked for more information.

And then there are messages where the header image seems to take up so much space that you have to scroll down fourteen screens to see any text! I’m not sure which is worse; that, or messages where the whole message is contained in one embedded image!

There are even companies that provide a service where you place an image bug in normal, everyday emails, usually in your email signature. These companies must be on the decline though, as I haven’t seen any in a while. When I do come across them I block their domains using my machine’s “hosts” file, so that they never achieve their purpose, even if I do load the images in the email.

To answer my own question, I almost never load the images. It’s an immediate turn-off if you can’t explain what you’re communicating about without pictures.

One weird trick to avoid scams and spam

Jan 26th, 2024

by Craig.

Comments are off for this post

Forgive my clickbait title, but everyone and their dog has this one rule you must follow to avoid scams and spam … or some variation of it. Maybe it’s a top-ten list or something. They’re all valuable, to some extent, and yet every day people are duped. And now that scams are being written by AI, you can’t even count on spotting scams with broken English (or whatever your language is) and poor grammar.

But every time I read about the latest data breach I think to myself, “Thank god they don’t have my email address or phone number.” Wait, what?! How do I open accounts without giving that information?! Oh, I do, but it’s not the one email address and phone number that 99.99999% of the world give out. For that reason as well no connection can be made between accounts because each account has a different email address!

For many years I’ve operated a system of what I call “supplier addresses”. If I’m dealing with Twitter, for example — not that I use their name because they were mentioned in recent news about a data leak — I create the email address “twitter@mydomain.com”, and I only give that address to Twitter, nobody else. (I can do this, of course, because I own my own domain and use it to its potential. Here’s a clue: Stop using Gmail for everything and register your own domain!) Yes, I have the email address craig@mydomain.com (umm, that’s not the real email address, in case you’re stupid), but the only people who get that email address are my family (the ones I talk to, anyway) and friends. Nobody else on the planet gets that address, and I certainly don’t enter it into a form field on a web page and I don’t post it on the Web! This is why it drove me nuts, back in the 20th century, when people sent jokes out to everyone they knew and exposed all the email addresses in the “to” and “cc” fields! Some people still do that!

So if Twitter (in this example) sells my email address or is hacked, I know exactly who let my email address into the wild. To be frank, that hasn’t happened to me many times, but I quickly realised that it does happen, so the email addresses I create now all include a number (e.g., twitter123@mydomain.com). If the email address is compromised I just change the number and inform Twitter by changing it in my account with them and kill the old address. My numbering follows a system, but you can make your own rules.

I also use a system of rotating email addresses that change every month. I use those addresses for short-term relationships, like when you have to provide an email address to download some white paper or connect to free wifi or something like that. No problem, bud, have this address. If it does get spammed, it will only be for a few weeks, but the reality is that I almost never receive any spam that I don’t expect on those addresses because they don’t last long enough for spammers to sell, circulate and use.

For the last couple of years I’ve been doing the same with phone numbers. Well, almost the same, as I can’t create ad hoc telephone numbers on my domain. (I’m aware of ENUM, but I’m not nearly as knowledgeable about it as I’d like to be and society isn’t ready yet for phone numbers that look like 12345@mydomain.com.) I first started using VoIP (long term) in 2011 (if I remember correctly), but only in 2022 did I switch to a company where I have full control over setting up new phone numbers in multiple geographic locations as and when I please. Now I don’t give out my personal phone number to anyone except the aforementioned family and friends, I give out one of my junk phone numbers. (Actually, I make one other exception, for medical contacts.)

Do I still receive spam and attempts to scam me? OMG, of course I do! But my email and phone are not beeping every five seconds with a new one, and none of my thousands of grandchildren have called me to ask for bail money. In fact, because of my system I hardly ever have to deal with either. I know that if the email address I first used to register a domain in 1996 (now owned by AOL) was active I’d be inundated! But it doesn’t so I’m not. 🙂

There you go, my “one weird trick” that everyone can and should use to avoid spam email and scam phone calls. Maybe one of these days I’ll write a more comprehensive document on all the actions I’ve taken over the years and the nuances to protect myself. Here’s a hint though: It’s work, but it’s simple, and it’s way less work and aggro than deleting all the spam from your email and voice-mail accounts.

Port 25 open on Shaw connection

May 18th, 2013

by Craig.

Comments are off for this post

While doing some mail server testing, I happened to notice that port 25 outbound on my run-of-the-mill, consumer grade, non-static Shaw connection is open. I wonder if this is a mistake, or if they’ve abandoned the practice.

Block outbound email to a specific domain with qmail

May 28th, 2012

by Craig.

Comments are off for this post

With Sendmail, I can block all email from (a sending domain to the server in question) and to a (foreign) domain using the /etc/mail/access file. However, apparently, it’s not so simple with qmail. Further complicating my need to prevent all users on one of my systems (which uses qmail) from sending email to certain domains is the fact that the system also uses Plesk, so I didn’t really want to start messing around with patching qmail and risk breaking something to do with Plesk.

After a fair bit of research I settled on a workaround using /var/qmail/control/smtproutes to artificially direct email sent to those domains from my qmail system to another mail server under my control, where the emails are rejected during the SMTP dialogue (because they’re not configured on that mail server, of course), thereby being bounced immediately to the sender.

If /var/qmail/control/smtproutes doesn’t exist on your server (it shouldn’t by default) you can create it with the following contents, or add the following contents to an existing file:

bad-domain.com:mx.your-other-domain.com

The file should be owned by the same user and group as most of the other configuration files in the “control” directory.

In this example you want to stop users from sending email to bad-domain.com email addresses, and you control an external mail server at mx.your-other-domain.com. When a user tries to send email to a bad-domain.com address, the sending mail server will not look up the MX record for bad-domain.com, instead routing the email to mx.your-other-domain.com. Because mx.your-other-domain.com is not configured to accept or relay email for bad-domain.com, it will reject it.

Caution: DO NOT route email to a mail server that is not yours. This will likely be considered spam by that mail server’s administrator, and the IP address of your mail server will then likely be blocked and perhaps added to more widely-distributed blacklists. If you don’t control another mail server you could route the forbidden email to a non-existent domain, such as no-such.domain or dev.null or bogus.invalid. To make the bounce message a little more helpful to the receiver (i.e., the original sender), perhaps make up a bogus domain like “Sending-to-that-domain-is.prohibited” which, on some systems, will return a bounce message that might include text like this:

Sorry, I couldn’t find any host named Sending-to-that-domain-is.prohibited.

Do not use a non-existent domain on a real top-level domain (e.g., v539bq59vb45.com, or some other string of randomly-typed characters followed by a real TLD), because there is no guarantee that domain won’t be registered and used in the future. Avoid using even your own real domain that you’re not using (unless you set up some unique but descriptive sub-domain such as “this-is-a-bogus-mx-vb49w4.example.com”), as you may use it in the future and forget that you’re directing email to it. That could result in mail loops if you end up hosting the domain on the same mail server, or being blacklisted if you host it with a third party or allow it to expire and it’s registered and used by someone else.

Anyway, having another mail server to use, I’m sticking with using that to cause the messages to bounce back.

Some assistance in coming up with this idea came from this thread at boardreader.com.

Have a comment or a better idea? Let me know in the comments.

BlackBerry/RIM. Going, going, gone?

Oct 13th, 2011

by Craig.

Comments are off for this post

A couple of years ago my company had a major server outage on a primary server that brought down websites and email for almost two and a half hours. Such outages are rare, but they happen, and they happen to small hosting companies like NinerNet as well as the giants. After that outage I wrote about the lessons learnt and, without trying to deflect attention or criticism away from us, I pointed out an extensive list of major service outages experienced by the likes of Google, Amazon, YouTube, Barclays Bank, MySpace, Facebook, PayPal, Microsoft, eBay, and so on.

Also in that list was BlackBerry/RIM, and this is what I wrote at the time on them in particular:

Have a Blackberry? Do you realise that all Blackberry emails in the whole world go through one data centre in central Canada, and if that data centre has a problem, you can still use your Blackberry for a paperweight? Nobody is immune; nobody gets away unscathed.

I’m under the impression that, since then, RIM expanded that single point of failure to create multiple points of failure (often under threat of sanctions by governments who want access to their citizens’ communications), and fail they have — worldwide — in the last few days. And for several days, not just a couple of hours.

Without wanting to gloat over a mortally-wounded about-to-be corpse, RIM’s problems weren’t that difficult to predict. Unfortunately for them they are, at this time, the victim of a perfect storm that includes (among other things) poor sales and share performance, product failures, the almost simultaneous (to their technical troubles) launch of a new messaging system on the iPhone to rival BlackBerry Messenger, and these latest technical troubles. But this perfect storm is of RIM’s own making, and their problems go deeper than that anyway; they go to the heart of their core philosophies.

Now, I’m no Apple fanboi (and in the wake of the death of Steve Jobs I commend to you What Everyone Is Too Polite to Say About Steve Jobs [archived]), but at least an iPhone more resembles a “proper” computer like the one you have on your desk than the toaster in your kitchen that can only do the one or two things its manufacturer decided in its infinite wisdom it needs to do. Mobile computers (aka “smartphones”) like the iPhone and those running on the Android operating system rely on open standards when it comes to things like email. In short, open standards and systems win. (That said, Apple is not the poster child for open standards and systems, and needs to change that.) There is no central super-server somewhere handling all email for all iPhone or Android users worldwide, just waiting to fail. With BlackBerry there is … or was. End of story.

If you swallowed RIM’s mantra about their system being de rigueur for business and the iPhone being “not for business”, you’re paying for that today.

Sorry for that.

Update, 30 May 2012: Seven months later and Roger Cheng at CNET finally comes to much the same conclusion (archived).

email

Spam from kingex.io (Kingex Crypto and Cash exchange)

Do you load the embedded images in email messages you receive?

One weird trick to avoid scams and spam

Port 25 open on Shaw connection

Block outbound email to a specific domain with qmail

BlackBerry/RIM. Going, going, gone?

Categories

Calendar

Bogroll

email

Spam from kingex.io (Kingex Crypto and Cash exchange)

Do you load the embedded images in email messages you receive?

One weird trick to avoid scams and spam

Port 25 open on Shaw connection

Block outbound email to a specific domain with qmail

BlackBerry/RIM. Going, going, gone?

Tags

Categories

Calendar

Bogroll