| Overview - Innocent Bystander
terrific.com Damaged by Spammers |
| Back to Terrific.com |
| Analysis of sample spam for the
"pharaohmeds.biz" site.
First of the 2004 spam, we can count on more to follow later.
"Got ` Xan+a+x ` :P:ntermin - V1@Gra '
So|m|a ` Va.l.ium More available. H4Bme8Fv " |
Analysis of sample spams for the
"Tabfor.biz" Collection of Crap -
brought to you from the jerks that have many sites now just blocking the
entire set of .biz domains as useless. All these spamvertizers are
registered to the same old tabfor.biz
and spamvertize pills and medicine - we hope the FDA and the FTC catch up
with them soon.
- spamvertizer = vpachka.biz
"Thats what i heard" (also received as
"In
your neighborhood")
- spamvertizer = spamsraahnet.biz Thur, 16 Oct 2003 "Xanax is ready nowO"
We don't know this was tabfor.biz as the domain was dead by the time we
got their, but it looks like his work.
- spamvertizer = hosting4vegas.com &
usosdland.biz Fri, 17 Oct 2003
"Che@ting House Wives: Quality Enjoyment for Days & Nights!..."
We find this one VERY interesting as it associates the "tabfor.biz"
garbage for the first time with a "Cheating House Wives" site, by virtue
of having both links in the same spam. We think Eddy screwed up.
- spamvertizer = kkuoher.biz Sat, 18 Oct 2003
"Xanax now part of the line g89ad23ldlxxf3s6clrf2e3e"
- spamvertizer = osaustech.biz Sat, 18 Oct 2003
"Valium now in the product line gwdahz2q1aagw29p4"
- spamvertizer =
osauser.biz Sun, 19 Oct 2003
"Overnight the Valium ic7kfz163vcoe1l8zbrx2b"
- spamvertizer = osausist.biz Sun, 19 Oct 2003
"All Valium 5e9grc2tgk4vg2je"
- spamvertizer =
ultraosaus.biz Sun, 19 Oct 2003
"Xanax in your
inbox maj6m21rn6s9m1zsn"
- spamvertizer = extrakurasd.biz
Sun, 19 Oct 2003
"tOtAl XaNAX 3yxkfs3irydy7d"
- spamvertizer = gojhaus.biz
Tuesday, October 21, 2003
"Valium in your inbox kixhch3uk7jhq3"
- spamvertizer = ejdojf.biz
Sat, 25 Oct 2003 "Fwd:
ValiumOHV"
- spamvertizer = activeosaus.biz
Sun, 26 Oct 2003
"Xanax is ready to goKKIYYZ"
- spamvertizer = realpouvr.biz
Fri, 31 Oct 2003 "Order
some prescription drugs, Zanaflex, zanaflex, viagrast
tiwveaunqavldushoqybgjog"
We see from reading NANAE that these domains are the work of
Eddy Marin. Ones he recently registered
that we haven't seen the spams for yet are:
adosaus.biz casinosaustrai.biz casinosaustraia.biz
derosausa.biz dildosaustralia.biz eosaus.biz extraosaus.biz fosaus.biz
gasthofgosausee.biz goosaus.biz gosauschmied.biz gosausee.biz hyperosaus.biz
interosaus.biz iosaus.biz magliosausage.biz malosaustralia.biz mimosausa.biz
myosaus.biz osaus.biz osaus1.biz osausant.biz osausarium.biz
osauscentral.biz osaused.biz osausent.biz osausing.biz osausion.biz
osausland.biz osausnet.biz osauss.biz osausweb.biz overosaus.biz
porcelanosausa.biz preosaus.biz proosaust.biz realosaust.biz
sabatinosausage.biz suposaust.biz symosaust.biz techosaust.biz theosaust.biz
transosaust.biz vamosausa.biz vosaus.biz |
| Analysis of sample spams from spamvertizers
registered to "Frerrics Domains SL"
(probably not their real name, I wouldn't put my real name on it,
would you?). Typically some flavor of "Online Cheating Wives".
As a result of this web site we are hearing from other domain owners who
have also been subjected to having their domain names forged into spam
messages from these people. A partial list of some of the other
spamvertizing domains registered to the Frerrics Domains gang includes:
easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info
refi-today.info save-hundreds.info
In most cases, the spamvertizer has registered both a .biz and a .info
version of the same domain name. |
| Analysis of sample spam spamvertizer =
net-click.net.ph ( Inovasion / FT International
) "I know
all that"
(also received as "Did you lose my ICQ?" &
"Do you remember me ?")
Insurance Crap |
| Analysis of sample spam spamvertizer =
1pills4less.biz
"Meet me
tomorrow" Make your penis bigger pills, although you'll never
be as big a dick as the "Edward Davidson" who is the false name this site is
registered to. |
| A collection of spams from a spamvertizer promising pills
that will make your dick bigger. Hosted in Brazil.
Spammer also has registered YOURPUBLICDNS.BIZ
and runs own DNS servers, one hosted in Brazil and one with
servepath.com in California. |
| Analysis of sample spam spamvertizer =
stuffedgrapes.net Tue, 21 Oct 2003
"Why not ask me. tywdip7hxkihk17iio3jgail1m" |
Analysis of sample spam spamvertizer =
rizonthebiz.biz
Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx"
(also received as "Why not ask
me. mjnibicnvpdebdjkq"
Analysis of sample spam spamvertizer =
downmoon.info
Tue, 11 Nov 2003 "Need
some action. ghdeafdpcnxzmdyae" believed to be from the
same jerks who brought us rizonthebiz.biz |
| A domain registrant of RTH, Inc
does a lot of spamming to seemingly random addresses (meaning children may
easily receive these) pushing free access to pornography. Nothing is
free, and we can bet there is at least some spyware or trojans being
installed on the machines or users foolish enough to click the link.
Domains registered to them include
goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM,
DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM,
& PANAMERICANHOSTING.COM spamvertizer =
goldfingerrock.biz
Sat, 25 Oct 2003 "this
is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer =
smackonthewall.biz
Sat, 25 Oct 2003 "is
this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz
Sun, 26 Oct 2003 "Get
in this way. xvieybdbjnxudtyjfdl" |
|
Here is the spam message, with its links disabled so nobody will
accidentally click and end up in spam hell.
From: Malanie Litt [m_littxf@terrific.com]
Sent: Thursday, October 23, 2003 7:08 PM
To: creepo5511@hotmail.com; cribad2@hotmail.com; cris_ruiz@hotmail.com; crimianl@hotmail.com;
crimsondot@hotmail.com; crisco_676@hotmail.com; creepxz@hotmail.com
Subject: saw ya online tdogrvbtiffwlbgx
Find what you are looking for. Hot singles and couples that need fresh meat.
Fresh Meat Here
(links to
spamhttp://www.rizonthebiz.biz/fbuddies7/"
- Ed.)
weahljbemvdfwjnarodfcjgxtzrlybyzvkovidvddbdkxilalsvtcmxnkcncpegod
punxqecugzgoepyvbfdhtdzjnruowhtrqypkuvowuyvdlohkfzgtudioyqgviirvcztljfe
yejqjvclgfxbjmbvwddeqpyethvvyqdtmoxsothumcucauhhhiaphnxcmdkshpyeecfxl
jaljwvdbiaxmhdahurbixcnmicjaazwdwqhsrppbwynqqxsfitdjsdemoyksodwvzbyjr
Alternate spam from same site:
From: Saeed Kimbrough [saeed.kimbrough_pl@terrific.com]
Sent: Thursday, October 23, 2003 8:23 PM
To: babydebora1@bol.com.br; babygirl.luk@bol.com.br; babybabado@bol.com.br
Subject: Why not ask me. mjnibicnvpdebdjkq
Now you have the knowledge to get in.
Over 100 sites have been joined this way and have not spent a penny.
Go here
qbirribnneerxqzdpdxdiglisiolrbjrcdxmczawphtlgdxnhdjtbsnmlxzdbqabaafjzrc
kfojadmdtbtqqpjfihsnsydfzvsxqpjxqruysoktppcxobaerzbodfotuaaofudrubpqvh
hobaskbefzlgsxicrhlkcxznotncxpipfdgunavftmvbfuhcpcafpivvigcmkkmmxwzzhhskbvb
tclqolbdgeqaamuoilrccdwyltgsqzbaaibynkkdstdlmymthmrzckkqruwbthwamgryysl
Here is the header from the spam message
Received: from reffejcd.com ([66.161.181.247]) by mta04.fuse.net
(InterMail vM.5.01.06.04 201-253-122-130-104-20030726) with ESMTP
id <20031024000739.FYRL3728.mta04.fuse.net@reffejcd.com>;
Thu, 23 Oct 2003 20:07:39 -0400
Message-ID: <8cf901c399c2$f9adb7c7$5bb26e02@wzesxdb>
From: "Malanie Litt" <m_littxf@terrific.com>
To: creepo5511@hotmail.com, cribad2@hotmail.com, cris_ruiz@hotmail.com, crimianl@hotmail.com,
crimsondot@hotmail.com, crisco_676@hotmail.com, creepxz@hotmail.com
Subject: saw ya online tdogrvbtiffwlbgx
Date: Fri, 24 Oct 2003 00:07:42 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0C0D_8CA70F71.146AA0C8"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
(really from
66.161.181.247 nr2-66-161-181-247.fuse.net )
Here we find "whois" the domain which sponsored the spam (rizonthebiz.biz)
registered to
| .BIZ Registry WHOIS Data |
-
| Domain Name |
RIZONTHEBIZ.BIZ |
| Domain ID |
D5513972-BIZ |
| Sponsoring Registrar |
CSL COMPUTER SERVICE (D.B.A. JOKER.COM) |
| Domain Status |
ok |
| Registrant ID |
CNEU-89916 |
| Registrant Name |
Domain Manager |
| Registrant Address1 |
1717 Nocta way |
| Registrant City |
Marate |
| Registrant Postal Code |
33063 |
| Registrant Country |
United States |
| Registrant Country Code |
US |
| Registrant Phone Number |
+999.9999999 |
| Registrant Email |
datapoint5@ureach.com |
| Administrative Contact ID |
CNEU-89860 |
| Administrative Contact Name |
Domain Manager |
| Administrative Contact Address1 |
1717 Nocta way |
| Administrative Contact City |
Marate |
| Administrative Contact Postal Code |
33063 |
| Administrative Contact Country |
United States |
| Administrative Contact Country Code |
US |
| Administrative Contact Phone Number |
+999.9999999 |
| Administrative Contact Email |
datapoint5@ureach.com |
| Billing Contact ID |
CNEU-89860 |
| Billing Contact Name |
Domain Manager |
| Billing Contact Address1 |
1717 Nocta way |
| Billing Contact City |
Marate |
| Billing Contact Postal Code |
33063 |
| Billing Contact Country |
United States |
| Billing Contact Country Code |
US |
| Billing Contact Phone Number |
+999.9999999 |
| Billing Contact Email |
datapoint5@ureach.com |
| Technical Contact ID |
CNEU-89860 |
| Technical Contact Name |
Domain Manager |
| Technical Contact Address1 |
1717 Nocta way |
| Technical Contact City |
Marate |
| Technical Contact Postal Code |
33063 |
| Technical Contact Country |
United States |
| Technical Contact Country Code |
US |
| Technical Contact Phone Number |
+999.9999999 |
| Technical Contact Email |
datapoint5@ureach.com |
| Name Server |
NS1.DNS4PROVIDERS.COM |
| Name Server |
NS2.DNS4PROVIDERS.COM |
| Name Server |
NS1.DNS4PROVIDERS.NET |
| Name Server |
NS2.DNS4PROVIDERS.NET |
| Name Server |
NS1.CONTINENTALHOSTING.COM |
| Name Server |
NS2.CONTINENTALHOSTING.COM |
| Created by Registrar |
CSL COMPUTER SERVICE (D.B.A. JOKER.COM) |
| Domain Registration Date |
Wed Oct 22 20:26:15 GMT 2003 |
| Domain Expiration Date |
Thu Oct 21 23:59:59 GMT 2004 |
| |
|
Now what IP is the spamvertizer at right now.
10/23/03 22:12:44 dns http://www.rizonthebiz.biz/fbuddies7/
Canonical name: www.rizonthebiz.biz
Addresses:
221.232.160.110
And who has the IP block for the spamvertizer registered?
inetnum: 221.232.0.0 - 221.235.255.255
netname: CHINANET-HB
descr: CHINANET Hubei province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CHA1-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CN-CHINANET-HB
mnt-routes: MAINT-CN-CHINANET-HB
remarks: This object can only modify by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to hostmaster@apnic.net with your
remarks: organisation account name in the subject line.
changed: hm-changed@apnic.net 20030715
status: ALLOCATED PORTABLE
source: APNIC
role: CHINANET HB ADMIN
address: 8th floor of JinGuang Building
address: #232 of Macao Road
address: HanKou Wuhan Hubei Province
address: P.R.China
country: CN
phone: +86 27 82862199
fax-no: +86 27 82861499
e-mail: hostmasterhb@dc.wh.hb.cn
trouble: send spam reports to spam_hb@hbdcb.net.cn
trouble: and abuse reports to abuse_hb@hbdcb.net.cn
trouble: Please include detailed information and
trouble: times in GMT+8
admin-c: YZ83-AP
admin-c: ZC77-AP
tech-c: YZ83-AP
tech-c: ZC77-AP
nic-hdl: CHA1-AP
notify: hostmasterhb@dc.wh.hb.cn
mnt-by: MAINT-CN-CHINANET-HB
changed: zhangyl@hbdcb.net.cn 20020820
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-66027334
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
source: APNIC
We have LARTed to demand the site be shut down.
|