Analysis of sample spam
spamvertizer = stuffedgrapeleaves.net
Tue, 21 Oct 2003 18:05:01
"Why not ask me. tywdip7hxkihk17iio3jgail1m"

Overview - Innocent Bystander terrific.com Damaged by Spammers
Analysis of sample spam for the "pharaohmeds.biz" site.  The first of the 2004 spam; we can count on more to follow.  "Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv "
Analysis of sample spams for the "Tabfor.biz" Collection of Crap, brought to you by the jerks who have caused many sites to simply block the entire set of .biz domains as useless.  All these spamvertizers are registered to the same old tabfor.biz and spamvertize pills and medicine. We hope the FDA and the FTC catch up with them soon.

We see from reading NANAE that these domains are the work of Eddy Marin. Ones he recently registered that we haven't seen the spams for yet are:
adosaus.biz casinosaustrai.biz casinosaustraia.biz derosausa.biz dildosaustralia.biz eosaus.biz extraosaus.biz fosaus.biz gasthofgosausee.biz goosaus.biz gosauschmied.biz gosausee.biz hyperosaus.biz interosaus.biz iosaus.biz magliosausage.biz malosaustralia.biz mimosausa.biz myosaus.biz osaus.biz osaus1.biz osausant.biz osausarium.biz osauscentral.biz osaused.biz osausent.biz osausing.biz osausion.biz osausland.biz osausnet.biz osauss.biz osausweb.biz overosaus.biz porcelanosausa.biz preosaus.biz proosaust.biz realosaust.biz sabatinosausage.biz suposaust.biz symosaust.biz techosaust.biz theosaust.biz transosaust.biz vamosausa.biz vosaus.biz

Analysis of sample spams from spamvertizers registered to "Frerrics Domains SL" (probably not their real name, I wouldn't put my real name on it, would you?).  Typically some flavor of "Online Cheating Wives".

As a result of this web site we are hearing from other domain owners who have also been subjected to having their domain names forged into spam messages from these people.  A partial list of some of the other spamvertizing domains registered to the Frerrics Domains gang includes: easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info refi-today.info save-hundreds.info

In most cases, the spamvertizer has registered both a .biz and a .info version of the same domain name.

Analysis of sample spam spamvertizer = net-click.net.ph ( Inovasion / FT International ) "I know all that"  (also received as "Did you lose my ICQ?" & "Do you remember me ?") Insurance Crap
Analysis of sample spam spamvertizer = 1pills4less.biz "Meet me tomorrow" Make your penis bigger pills, although you'll never be as big a dick as the "Edward Davidson" who is the false name this site is registered to.
A collection of spams from a spamvertizer promising pills that will make your dick bigger.  Hosted in Brazil.

The spammer has also registered YOURPUBLICDNS.BIZ and runs its own DNS servers, one hosted in Brazil and one with servepath.com in California.

Analysis of sample spam spamvertizer = stuffedgrapeleaves.net Tue, 21 Oct 2003 "Why not ask me. tywdip7hxkihk17iio3jgail1m"
Analysis of sample spam spamvertizer = rizonthebiz.biz Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx"  (also received as "Why not ask me. mjnibicnvpdebdjkq")
Analysis of sample spam spamvertizer = downmoon.info Tue, 11 Nov 2003 "Need some action. ghdeafdpcnxzmdyae" believed to be from the same jerks who brought us rizonthebiz.biz
A domain registrant of RTH, Inc does a lot of spamming to seemingly random addresses (meaning children may easily receive these) pushing free access to pornography.  Nothing is free, and we can bet there is at least some spyware or a trojan being installed on the machines of users foolish enough to click the link.  Domains registered to them include goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM, DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM, & PANAMERICANHOSTING.COM

spamvertizer = goldfingerrock.biz Sat, 25 Oct 2003 "this is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer = smackonthewall.biz Sat, 25 Oct 2003 "is this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz Sun, 26 Oct 2003 "Get in this way. xvieybdbjnxudtyjfdl"


Here is the spam message, with its links disabled so nobody will accidentally click and end up in spam hell.

From: Meaghan N. Dray [meaghandrayww@terrific.com]
Sent: Tuesday, October 21, 2003 1:05 PM
To: alexr086@msn.com; alexls400@msn.com; alexll@msn.com; alexcabdesigns@msn.com; aleximtz@msn.com; alfordteague@msn.com; alexisulloa1@msn.com
Subject: Why not ask me. tywdip7hxkihk17iio3jgail1m
Hi there, Find some of the hottest dates in your area. Singles and couples are waiting for you. Go here (links to spam http://www.stuffedgrapeleaves.net/fbuddies7/ - Ed.) b497bad7cjp33b22nk062in0g6gqxha73bvbpnpe6vgefvq9mi35ld30kq30inrn11ysvi3k1a4wlfu 00ru611oeh2k5zy5fsplahxe13bk1lepem2l1t9xmzga3wguyxf1fky8nb5bh3sl9ij63 3a2oyu2dv5mt2vyu39cy24xm0yfdm0joktzglentd65l4l12s7e30csupg0mzqedtm5z1hwfrq41 echih835o8wx227k7bwe3rv77kx5j1p9i6tqpq0dan2m9hripg63b1qoqw69jlongr1b9j8b


Here is the header from the spam message

Return-path: <meaghandrayww@terrific.com>
Received: from tcp-daemon.mta10.srv.hcvlny.cv.net by mta10.srv.hcvlny.cv.net
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
id <0HN400D08HLHUL@mta10.srv.hcvlny.cv.net>
(original mail from meaghandrayww@terrific.com); Tue,
21 Oct 2003 15:49:27 -0400 (EDT)
Received: from iie.com (ool-18bfb694.dyn.optonline.net [24.191.182.148])
by mta10.srv.hcvlny.cv.net
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
with ESMTP id <0HN400ATZCW7OC@mta10.srv.hcvlny.cv.net>; Tue,
21 Oct 2003 14:05:01 -0400 (EDT)
Date: Tue, 21 Oct 2003 18:05:01 +0000
From: "Meaghan N. Dray" <meaghandrayww@terrific.com>
Subject: Why not ask me. tywdip7hxkihk17iio3jgail1m
To: alexr086@msn.com, alexls400@msn.com, alexll@msn.com,
alexcabdesigns@msn.com, aleximtz@msn.com, alfordteague@msn.com,
alexisulloa1@msn.com
Message-id: <a32601c397fd$f46ab644$ed7f42b2@12a4lb2>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Content-type: multipart/alternative;
boundary="Boundary_(ID_ZzRRh7kOcd3yNmCVVNsx/g)"
X-Priority: 3
X-MSMail-priority: Normal

(really from 24.191.182.148 ool-18bfb694.dyn.optonline.net and 67.87.40.244 ool-435728f4.dyn.optonline.net)
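The "really from" line above comes from walking the Received: chain from the bottom up and taking the first hop that carries a public IP literal, ignoring the forged From: address entirely. What follows is an added example, not a tool from the page's author: it automates that walk over a constructed copy of the header shown on this page (continuation lines re-folded with leading whitespace so Python's standard email parser accepts it) and applies the checks a mail admin makes by hand: HELO name against reverse DNS, a reverse name that looks like a dynamic-pool address, whether the From: domain appears anywhere in the delivery path, and the Date: header against the first trusted Received: timestamp. The hop regex, the flag names and the result layout are this example's own.

```python
"""Walk the Received: chain of a spam message to find its originating host.

Added example, not the page author's tool.  RAW_HEADERS is a constructed copy
of the header shown on this page, re-folded so the stdlib parser reads it."""
import email
import email.utils
import ipaddress
import re

RAW_HEADERS = """\
Return-path: <meaghandrayww@terrific.com>
Received: from tcp-daemon.mta10.srv.hcvlny.cv.net by mta10.srv.hcvlny.cv.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 id <0HN400D08HLHUL@mta10.srv.hcvlny.cv.net>
 (original mail from meaghandrayww@terrific.com); Tue,
 21 Oct 2003 15:49:27 -0400 (EDT)
Received: from iie.com (ool-18bfb694.dyn.optonline.net [24.191.182.148])
 by mta10.srv.hcvlny.cv.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HN400ATZCW7OC@mta10.srv.hcvlny.cv.net>; Tue,
 21 Oct 2003 14:05:01 -0400 (EDT)
Date: Tue, 21 Oct 2003 18:05:01 +0000
From: "Meaghan N. Dray" <meaghandrayww@terrific.com>
Subject: Why not ask me. tywdip7hxkihk17iio3jgail1m
To: alexr086@msn.com
Message-id: <a32601c397fd$f46ab644$ed7f42b2@12a4lb2>

"""

# "from HELO (rdns [ip]) ... by HOST"; the parenthesised part is optional
# because internal hops (like the first one above) carry no IP literal.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)")
# Reverse-DNS labels that usually mark consumer dynamic address pools (heuristic).
DYNAMIC_HINTS = ("dyn", "dial", "pool", "dhcp", "cable", "dsl", "ppp")


def received_hops(msg):
    """Return one dict per Received: header, earliest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())               # unfold continuation lines
        m = HOP_RE.search(flat)
        ts = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
        hops.append({
            "helo": m.group("helo") if m else None,
            "rdns": (m.group("rdns") or None) if m else None,
            "ip": m.group("ip") if m else None,
            "by": m.group("by") if m else None,
            "time": email.utils.parsedate_to_datetime(ts) if ts else None,
        })
    return hops


def analyze(raw_headers):
    msg = email.message_from_string(raw_headers)
    hops = received_hops(msg)
    # The origin is the earliest hop that handed the mail in from a public address.
    origin = next((h for h in hops
                   if h["ip"] and ipaddress.ip_address(h["ip"]).is_global), None)
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = []
    if origin:
        helo, rdns = origin["helo"].lower(), (origin["rdns"] or "").lower()
        same_host = rdns and (helo == rdns or helo.endswith("." + rdns)
                              or rdns.endswith("." + helo))
        if rdns and not same_host:
            flags.append("helo_rdns_mismatch")
        if any(hint in label for label in rdns.split(".") for hint in DYNAMIC_HINTS):
            flags.append("dynamic_pool")
    path_names = [h[k].lower() for h in hops for k in ("helo", "rdns", "by") if h[k]]
    if from_domain and not any(n == from_domain or n.endswith("." + from_domain)
                               for n in path_names):
        flags.append("from_domain_absent_from_path")   # forged sender domain
    date_hdr = msg.get("Date")
    skew = None
    if origin and origin["time"] and date_hdr:
        skew = (origin["time"] - email.utils.parsedate_to_datetime(date_hdr)).total_seconds()
    return {"origin": origin, "hop_count": len(hops), "flags": flags,
            "date_skew_seconds": skew}


if __name__ == "__main__":
    print(analyze(RAW_HEADERS))
```

Only the Received: line written by a server you trust (here the recipient's own cv.net MTA) is reliable; everything below it in the chain could have been forged by the sender, which is why the walk stops at the first public-IP hop rather than the bottom-most header.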


Here we "whois" the domain which sponsored the spam (stuffedgrapeleaves.net) and find it registered to:

whois -h whois.crsnic.net stuffedgrapeleaves.net ...
Redirecting to COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM

whois -h whois.joker.com stuffedgrapeleaves.net ...
domain: stuffedgrapeleaves.net
status: production
organization: Datapoint Limited
owner: Mark Harmon
email: datapoint5@ureach.com
title: Mr.
address: 900 Banks Rd
city: Margate
state: FL
postal-code: 33063
country: US
admin-c: datapoint5@ureach.com#0
tech-c: datapoint5@ureach.com#0
billing-c: datapoint5@ureach.com#0
nserver: homero.eduardnet-dns.biz
nserver: lisa.eduardnet-dns.biz
nserver: marsh.eduardnet-dns.biz
nserver: bart.eduardnet-dns.biz
registrar: JORE-1
created: 2003-09-30 20:28:20 UTC JORE-1
expires: 2004-09-30 16:28:06 UTC
source: joker.com

The name etc. is of course probably bogus, but let's look at the whois for the name servers.


Here we "whois" the domain for the spamvertizer's DNS (eduardnet-dns) and find it registered to:

.BIZ Registry WHOIS Data
Domain Name EDUARDNET-DNS.BIZ
Domain ID D4948790-BIZ
Sponsoring Registrar CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Status ok
Registrant ID CNEU-84318
Registrant Name Eduardo Romero
Registrant Organization Romero Networks
Registrant Address1 Arribenos 736
Registrant City Mexico
Registrant Postal Code 2453
Registrant Country Mexico
Registrant Country Code MX
Registrant Phone Number +385.475684
Registrant Email ernestoromeromx@terra.com.mx
Administrative Contact ID CNEU-84317
Administrative Contact Name Eduardo Romero
Administrative Contact Organization Romero Networks
Administrative Contact Address1 Arribenos 736
Administrative Contact City Mexico
Administrative Contact Postal Code 2453
Administrative Contact Country Mexico
Administrative Contact Country Code MX
Administrative Contact Phone Number +385.475684
Administrative Contact Email ernestoromeromx@terra.com.mx
Billing Contact ID CNEU-84317
Billing Contact Name Eduardo Romero
Billing Contact Organization Romero Networks
Billing Contact Address1 Arribenos 736
Billing Contact City Mexico
Billing Contact Postal Code 2453
Billing Contact Country Mexico
Billing Contact Country Code MX
Billing Contact Phone Number +385.475684
Billing Contact Email ernestoromeromx@terra.com.mx
Technical Contact ID CNEU-84317
Technical Contact Name Eduardo Romero
Technical Contact Organization Romero Networks
Technical Contact Address1 Arribenos 736
Technical Contact City Mexico
Technical Contact Postal Code 2453
Technical Contact Country Mexico
Technical Contact Country Code MX
Technical Contact Phone Number +385.475684
Technical Contact Email ernestoromeromx@terra.com.mx
Name Server A.NS.JOKER.COM
Name Server B.NS.JOKER.COM
Name Server C.NS.JOKER.COM
Created by Registrar CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Registration Date Thu Jul 03 20:15:15 GMT 2003
Domain Expiration Date Fri Jul 02 23:59:59 GMT 2004

Now, what IPs are the spamvertizer and its DNS servers at right now? They typically move every few hours or minutes when they run their own DNS.

10/22/03 00:09:26 dns stuffedgrapeleaves.net
Canonical name: stuffedgrapeleaves.net
Addresses:
62.240.110.212

10/22/03 00:10:38 dns homero.eduardnet-dns.biz
Canonical name: homero.eduardnet-dns.biz
Addresses:
168.226.149.93

10/22/03 00:11:13 dns lisa.eduardnet-dns.biz
Canonical name: lisa.eduardnet-dns.biz
Addresses:
200.60.90.60

10/22/03 00:11:48 dns marsh.eduardnet-dns.biz
Canonical name: marsh.eduardnet-dns.biz
Addresses:
221.98.10.198

10/22/03 00:12:41 dns bart.eduardnet-dns.biz
Canonical name: bart.eduardnet-dns.biz
Addresses:
200.45.244.188


And who has the IP block for the spamvertizer registered?

inetnum:      62.240.110.0 - 62.240.110.255
netname:      Raya
descr:        Raya Telecom - Egypt
descr:        Network Operator & Nationwide ISP
country:      eg
admin-c:      RT864-RIPE
tech-c:       RT864-RIPE
status:       ASSIGNED PA
remarks:      For any abuse complaint contact abuse@rayatelecom.net
mnt-by:       RAYA-MNT
notify:       rayaadmin@rayatelecom.net
changed:      shahir_boshra@rayatelecom.net 20030613
source:       RIPE

route:        62.240.96.0/19
descr:        RAYA Telecom Routes
origin:       AS24835
notify:       rayatech@rayatelecom.net
notify:       rayaadmin@rayatelecom.net
mnt-by:       RAYA-MNT
changed:      shahir_boshra@rayatelecom.net 20020428
source:       RIPE

role:         Raya Telecom
address:      RAYA Telecom
address:      23 Nahda St.,off Saad-el-aali st.,Maadi
address:      11431, Cairo, Egypt
phone:        +202 7680900
fax-no:       +202 7680901
e-mail:       rayaadmin@rayatelecom.net
admin-c:      ME8071-RIPE
tech-c:       SB19033-RIPE
nic-hdl:      RT864-RIPE
remarks:      For any abuse complaint contact abuse@rayatelecom.net
notify:       rayaadmin@rayatelecom.net
mnt-by:       RAYA-MNT
changed:      shahir_boshra@rayatelecom.net 20030216
source:       RIPE
We have LARTed Raya Telecom to demand the site be shut down.
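Finding the right desk to complain to from RIPE output like the above means locating the inetnum that covers the spamvertizer's address, reading the abuse contact out of its remarks (newer RIPE objects carry an abuse-mailbox attribute for this), and noting the route and origin AS that announce it. What follows is an added example, not a RIPE or terrific.com tool: it embeds a trimmed, constructed copy of the RIPE objects shown on this page, and the RPSL parser, the function names and the result layout are this example's own.

```python
"""Locate the RIPE object covering an IP and pull out the abuse contact.

Added example, not a RIPE or terrific.com tool.  RIPE_OUTPUT is a trimmed
copy of the inetnum/route/role objects shown on this page."""
import ipaddress
import re

RIPE_OUTPUT = """\
inetnum:      62.240.110.0 - 62.240.110.255
netname:      Raya
descr:        Raya Telecom - Egypt
country:      eg
admin-c:      RT864-RIPE
status:       ASSIGNED PA
remarks:      For any abuse complaint contact abuse@rayatelecom.net
mnt-by:       RAYA-MNT
source:       RIPE

route:        62.240.96.0/19
descr:        RAYA Telecom Routes
origin:       AS24835
mnt-by:       RAYA-MNT
source:       RIPE

role:         Raya Telecom
address:      RAYA Telecom
e-mail:       rayaadmin@rayatelecom.net
nic-hdl:      RT864-RIPE
remarks:      For any abuse complaint contact abuse@rayatelecom.net
source:       RIPE
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_rpsl(text):
    """Split whois text into blank-line separated objects of (key, value) pairs.
    Keys repeat (descr, remarks, notify), so each object is a list, not a dict."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def values(obj, key):
    return [v for k, v in obj if k == key]


def inetnum_range(obj):
    """(first, last) addresses of an inetnum object, or None for other objects."""
    rng = values(obj, "inetnum")
    if not rng:
        return None
    lo, _, hi = rng[0].partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def covering_inetnum(objects, ip):
    """The most specific (smallest) inetnum whose range contains ip."""
    ip = ipaddress.ip_address(ip)
    best = None
    for obj in objects:
        rng = inetnum_range(obj)
        if rng and rng[0] <= ip <= rng[1]:
            size = int(rng[1]) - int(rng[0])
            if best is None or size < best[0]:
                best = (size, obj)
    return best[1] if best else None


def covering_routes(objects, ip):
    """(prefix, [origin AS ...]) for every route object whose prefix contains ip."""
    ip = ipaddress.ip_address(ip)
    return [(prefix, values(obj, "origin"))
            for obj in objects for prefix in values(obj, "route")
            if ip in ipaddress.ip_network(prefix, strict=False)]


def abuse_contact(obj):
    """Prefer a formal abuse-mailbox attribute; fall back to an address in a
    remarks line that mentions abuse, which is all this 2003 record offers."""
    for v in values(obj, "abuse-mailbox"):
        return v
    for v in values(obj, "remarks"):
        if "abuse" in v.lower():
            m = EMAIL_RE.search(v)
            if m:
                return m.group(0)
    return None


def lookup(text, ip):
    objects = parse_rpsl(text)
    net = covering_inetnum(objects, ip)
    return {
        "inetnum": values(net, "inetnum")[0] if net else None,
        "netname": values(net, "netname")[0] if net else None,
        "abuse": abuse_contact(net) if net else None,
        "routes": covering_routes(objects, ip),
    }


if __name__ == "__main__":
    print(lookup(RIPE_OUTPUT, "62.240.110.212"))
```

The range check is what matters: an IP can sit inside several nested inetnum allocations, and the complaint should go to the most specific one, which is the assignment actually used by the hosting customer rather than the registry-level block above it.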


This page last updated 01/24/2004 02:37:17 PM -0600