Innocent Bystander terrific.com Damaged by Spammers

(Millions of internet users upset to receive streams of spam apparently from terrific.com)

(Hundreds or Thousands of Internet Users' Machines are infected, churning out spam the users are unaware of)

(ISPs and Network Administrators all over the planet forced to waste time and resources due to spammers)

Overview - Innocent Bystander terrific.com Damaged by Spammers
Analysis of sample spam for the "pharaohmeds.biz" site.  First of the 2004 spam, we can count on more to follow later.  "Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv "
Analysis of sample spams for the "Tabfor.biz" Collection of Crap - brought to you from the jerks that have many sites now just blocking the entire set of .biz domains as useless.  All these spamvertizers are registered to the same old tabfor.biz and spamvertize pills and medicine - we hope the FDA and the FTC catch up with them soon.

We see from reading NANAE that these domains are the work of Eddy Marin. Ones he recently registered that we haven't seen the spams for yet are:

Analysis of sample spams from spamvertizers registered to "Frerrics Domains SL" (probably not their real name, I wouldn't put my real name on it, would you?).  Typically some flavor of "Online Cheating Wives".

As a result of this web site we are hearing from other domain owners who have also been subjected to having their domain names forged into spam messages from these people.  A partial list of some of the other spamvertizing domains registered to the Frerrics Domains gang includes: easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info refi-today.info save-hundreds.info

In most cases, the spamvertizer has registered both a .biz and a .info version of the same domain name.

Analysis of sample spam spamvertizer = net-click.net.ph ( Inovasion / FT International ) "I know all that"  (also received as "Did you lose my ICQ?" & "Do you remember me ?") Insurance Crap
Analysis of sample spam spamvertizer = 1pills4less.biz "Meet me tomorrow" Make your penis bigger pills, although you'll never be as big a dick as the "Edward Davidson" who is the false name this site is registered to.
A collection of spams from a spamvertizer promising pills that will make your dick bigger.  Hosted in Brazil.

Spammer also has registered YOURPUBLICDNS.BIZ and runs own DNS servers, one hosted in Brazil and one with servepath.com in California.

Analysis of sample spam spamvertizer = stuffedgrapes.net Tue, 21 Oct 2003 "Why not ask me. tywdip7hxkihk17iio3jgail1m"
Analysis of sample spam spamvertizer = rizonthebiz.biz Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx"  (also received as "Why not ask me. mjnibicnvpdebdjkq")
Analysis of sample spam spamvertizer = downmoon.info Tue, 11 Nov 2003 "Need some action. ghdeafdpcnxzmdyae" believed to be from the same jerks who brought us rizonthebiz.biz
A domain registrant of RTH, Inc does a lot of spamming to seemingly random addresses (meaning children may easily receive these) pushing free access to pornography.  Nothing is free, and we can bet there is at least some spyware or trojans being installed on the machines of users foolish enough to click the link.  Domains registered to them include goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM, DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM, & PANAMERICANHOSTING.COM

spamvertizer = goldfingerrock.biz Sat, 25 Oct 2003 "this is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer = smackonthewall.biz Sat, 25 Oct 2003 "is this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz Sun, 26 Oct 2003 "Get in this way. xvieybdbjnxudtyjfdl"

 

Terrific.com has been and continues to be seriously damaged from being an innocent bystander to criminally fraudulent spammers' activities.  For several weeks now since early September 2003, a group of these despicable spammers have been sending out their spamvertizing with the mail headers forged so that a novice user would think the spam came from terrific.com.

On October 27, we started seeing the same problem with our webary.com domain.  Seems our efforts to stop the spams being sent in terrific.com's name were noticed by the spammers, and they have added our other domain to their target list as retaliation.  A set of pages similar to these documents the problems experienced by webary.com.

We are talking about millions of spam messages.  Millions of users who might think terrific.com is the domain that sent them the crap, and who we can't begin to contact in order to try and restore our ruined reputation with.  The spammers behind this charge other companies money to send spamvertizing out for those companies, as well as sending their own spams out. 

We can only try to respond to the few hundred who complain to us about getting the various spam messages which they received.  Dealing with just those complaints is a big expensive resource consuming undertaking for a small business like ours, and at best we might restore our reputation with perhaps one person out of each ten thousand or so that have been spammed and complained to us.

The spammers who sent this crap out are going for volume, so their lists have all sorts of email addresses that don't exist, reject spam, have full mailboxes, have users on vacation who reply with away messages, etc, etc.  Since the mail headers were forged to show terrific.com as the sending domain name, we have been the ones to receive all those bounced mail messages for the spam that couldn't be delivered.  How many messages regarding undeliverable messages are we talking about?  "Fortunately" these spammers' mailing lists are fairly accurate, so the flow of bounced mail messages has peaked here at about seven per minute, or 420 new mails in an hour.  It varies by time of day; at the peak we have gotten just over 5000 bounced mail notifications in a day.

What are we doing about it?  Everything we can.  The spams are really coming from hundreds or thousands of infected users' machines all over the internet that are being used as slaves to the spammers themselves.  Most of those machines are owned by users that don't even know their machines have been hijacked.  A user who doesn't have adequate security defenses on their machine might have clicked on a link in a spam they received out of curiosity - and next thing you know that user's machine has a virus, a worm, a trojan program or an open mail proxy installed on it.  Users typically get tempted by offers of free pornography site passwords, being paid money to fill in surveys, etc.  Even though sensible people know there is no tooth fairy and that nothing is really "free", somehow their human greed gets them to accept one of these loaded free offers.  From that point on, the user's machine starts spewing spam in the background under the spammer's control without the user even knowing it.

It falls on us to analyze the headers of all of those thousands of bounced mail notifications and build a database of the user machines that are doing the spamming.  Then we have to write individual complaints to each of those users' ISPs or Network Administrators and attach proof that the user's machine is a spam spewing nuisance on the internet.  The ISPs or Network Administrators then have to terminate the user's account or access, notify the user, and get the user to disinfect their machine of the problem before connecting back up to the internet.  A high percentage of these users are naive or new users barely capable of booting their computer on a good day; many need to pay someone else to disinfect their machine.  The whole process wastes the time and resources of hundreds of talented people.  All this effort and countless unpaid hours just trying to stop the various offers to lengthen penises and con people out of their money could otherwise be spent actually doing the planet some good.  It's a terrible waste and a moral crime against society that these spammers commit.  (A recent study estimates that 90% of all the spam on the internet is sent by less than 200 people who are a plague on society.  Whether they are criminals gone geeky or geeks gone criminal they need to be stopped for all of our sakes.)

Unless the spammers decide to change and use someone else's domain instead of terrific.com in their mail headers, we will continue to suffer as innocent bystanders to their spamming.  (Of course, someone else will be having their domain ruined then instead of us, so the overall problem isn't solved, just the victims changed.)  This problem has happened to us in the past, but on those occasions we were only subjected to the problem for about a week before the spammers moved on and started using somebody else's domain name.  This time, it has gone on steadily and shows no sign of abating any time soon.

The only way to stop being affected is by getting those users' machines disinfected and eliminating them from the spammer's network of spam sending nodes.  If we can get infected machines removed from the internet faster than the spammers can trick more users into letting their machines be hijacked, then the spammers' networks could be disassembled and closed down.  Frankly, there are so many of them that we aren't making much of a dent in their network so far.  There seems to be a new user sucker born every minute, and it takes us longer than a minute to eliminate one.

Eventually the spammers might change and use some other domain, if they have a reason to.  The only reason we might give them is that maybe they will someday notice that their network is growing slowly as a result of our activity in getting the users' machines it consists of disinfected.  Maybe then they will move on to harass some other domain owner that is even less able to defend themselves from the abuse.  Maybe they will change soon just to keep on the move and make it harder for people to filter out their spam.  Of course, by then, we will find that we cannot email to all sorts of places that are filtering based on mail appearing to come from terrific.com.  So we can't just sit here and wait for the spammers to make terrific.com into an unusable domain name before they move on.

Why have the spammers chosen to do this to terrific.com?  We don't think we originally did anything to make them dislike us or want to hurt us, and they probably didn't deliberately pick us out.  For all we know they didn't even look at our site, just checked that terrific.com was a valid domain name and used it.  The spammers need to use some valid domain name in the header of their spams, and they certainly aren't going to use one of their own.  Since it needs to be an actual valid domain name, somebody somewhere is going to be in the bad spot we now find ourselves in.  We think they just thought of a word to use and terrific was what they thought of.

However, they have taken a dislike to us now.  We have been writing hundreds of emails to ISPs notifying them of their users' infected machines that were spewing spam in the name of terrific.com, and we have been writing to upstream providers to get some of the spamvertized web sites shut down.  Some of the ISPs are making money from the spammers, and are known to be "spam-friendly".  We think they passed our complaints directly back to the spammers themselves.  Those spammers then discovered our webary.com domain by visiting terrific.com and decided to add webary.com to the list of domains they will destroy while selling their penis enlargement scams.  It's a message from them that they feel completely safe and immune from anything we can do about it, and that they will make our lives miserable if we try to defend ourselves from their crap.

The concentrated harassment of targeted domains is well documented to have forced many honest and upright sites right out of existence, sites that were better funded and had more resources than we have behind them.  Most notably some of the spam fighting sites that attempted to keep lists of spammers for administrators to block have thrown in the towel. 

The spammers themselves are pretty well untouchable by an organization our size.  Very large companies such as Verizon and AOL with deep pockets and big legal departments have tried in the past to remove particularly despicable spammers from the internet.  They have eventually gotten large judgments in their favor, but the spammers still go on spamming and even such moderate "justice" is only available to those who can afford the expensive pursuit of it.

Governments can pass laws of course, and at least if ours would do so then it would trim back on the spammers operating from the USA.  We are sad to see Congress spending so much time worrying about which bill goes through and who will get the credit for proposing it.  They have over time had many chances to solve the problem or at least solve part of it, but rather than passing a bill they continue to argue over whose bill they will pass instead.

We have started to analyze samples of the spam messages that have been going out with terrific.com forged in the headers.  This is in part to help users that think we are responsible for the spams see how to analyze the headers themselves and how to find out where the spams actually come from.  Now and then we manage to track a spammer's site down and get it removed from the internet.  Like a whack-a-mole game, another spam site immediately springs up elsewhere, but at least it feels good to whack one now and then.  Like everything else, this is time consuming work and we must be sure to get it right and not point our fingers at the wrong people.  The links on the left of this page will take you to each of the sample analyses, and we plan to post these in some of the newsgroups or spew lists so that other spam fighters and spam victims can benefit from the information too.
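The bounce-header analysis and the "where did it really come from" header reading described above can be sketched as follows; this is an added example, not code from the original page. It assumes the bouncing server accepted the spam directly from the sending machine, and `SAMPLE_BOUNCE`, `embedded_original`, `sending_ip` and `tally` are names made up here.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed, trimmed sample bounce (RFC 3464 layout); hosts and IPs are
# documentation values, not data from the page.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from terrific.com (dsl-host.example.org [203.0.113.45])
    by mx.example.net with SMTP; Sat, 25 Oct 2003 10:00:00 -0500
Received: from mail.terrific.com ([192.0.2.1]) by terrific.com
From: x7@terrific.com

body
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def embedded_original(bounce):
    """Return the original message carried inside a bounce, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return message_from_string(part.get_payload())

def sending_ip(bounce_text):
    """IP that handed the spam to the bouncing server, or None."""
    original = embedded_original(message_from_string(bounce_text))
    received = original.get_all("Received", []) if original else []
    # Only the topmost Received line was written by the bouncing server;
    # every line below it came from the sender and may be forged.
    match = IP_IN_BRACKETS.search(received[0]) if received else None
    return match.group(1) if match else None

def tally(bounces):
    """Count bounces per sending IP, the evidence for an abuse report."""
    return Counter(ip for ip in map(sending_ip, bounces) if ip)
```

Where the recipient's site relays mail through its own gateways before bouncing, the topmost line shows an internal hop, and the analyst has to read down to the first line recorded by that site's outermost server.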

This page last updated 01/24/2004 02:37:13 PM -0600