Analysis of sample spams for the
"Tabfor.biz" Collection of Crap -
brought to you by the jerks who have many sites now just blocking the
entire set of .biz domains as useless. All these spamvertizers are
registered to the same old tabfor.biz
and spamvertize pills and medicine - we hope the FDA and the FTC catch up
with them soon.
spamvertizer = spamsraahnet.biz Thur, 16 Oct 2003 "Xanax is ready nowO"
We don't know for certain this was tabfor.biz, as the domain was dead by the time we
got there, but it looks like his work.
spamvertizer = hosting4vegas.com &
usosdland.biz Fri, 17 Oct 2003 "Che@ting House Wives: Quality Enjoyment for Days & Nights!..."
We find this one VERY interesting as it associates the "tabfor.biz"
garbage for the first time with a "Cheating House Wives" site, by virtue
of having both links in the same spam. We think Eddy screwed up.
We see from reading NANAE that these domains are the work of
Eddy Marin, who has recently registered more such domains that we haven't seen the spams for yet.
Analysis of sample spams from spamvertizers
registered to "Frerrics Domains SL"
(probably not their real name, I wouldn't put my real name on it,
would you?). Typically some flavor of "Online Cheating Wives".
spamvertizer = hotdogfactory.info
Fri, 21 Nov 2003 11:08:03 +0000 "Paris Hilton Sex Video ewisysdtuelzzblqje"
Our theory is that this lure of free pornography is what draws
internet users to get their machines infected with the trojan program that
turns their machines into spam spewing robots.
As a result of this web site we are hearing from other domain owners who
have also been subjected to having their domain names forged into spam
messages from these people. A partial list of some of the other
spamvertizing domains registered to the Frerrics Domains gang includes:
easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info
refi-today.info save-hundreds.info
In most cases, the spamvertizer has registered both a .biz and a .info
version of the same domain name.
Analysis of sample spam
spamvertizer = 1pills4less.biz
"Meet me tomorrow"
Make your penis bigger pills, although you'll never
be as big a dick as the "Edward Davidson" who is the false name this site is
registered to.
A collection of spams from a spamvertizer promising pills
that will make your dick bigger. Hosted in Brazil.
A domain registrant of RTH, Inc
does a lot of spamming to seemingly random addresses (meaning children may
easily receive these) pushing free access to pornography. Nothing is
free, and we can bet there is at least some spyware or trojans being
installed on the machines of users foolish enough to click the link.
Domains registered to them include
goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM,
DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM,
& PANAMERICANHOSTING.COM
Note the URLs above are obfuscated -
they have nothing to do with leadsboulevard.net and actually take you to
click.net-click.net.ph
Here is the header from the spam message
Return-Path: <lkokkatbv@terrific.com> (forged
to appear to come from terrific.com)
Received: from ajaekapa.com (nh-mtvernon-cmts2a-b-231.lndnnh.adelphia.net [24.52.29.231]) (actually from a
trojan program installed on an unwitting user's pc at this ip address, one of
hundreds of such infected pcs sending a steady stream of spam out)
by mx7.mx.voyager.net (8.12.10/8.10.2) with ESMTP id h9ABLUGi069075
for <vsfu@infinet.com>; Fri, 10 Oct 2003 07:21:33 -0400 (EDT)
Message-ID: <d0e001c38f20$67a90cbf$fab19970@0du0jf7>
From: "Longdist Kokkat" <lkokkatbv@terrific.com>
To: vsfu@infinet.com
Subject: I know all that
Date: Fri, 10 Oct 2003 11:21:33 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0AF1_89010422.E12BC96E"
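As an added example (not part of this page), here is a Python check that automates what the annotations above point out: it pulls the connecting IP and reverse name out of the first Received line and flags a HELO name unrelated to the reverse DNS, a Return-Path domain unrelated to the sending host, a consumer-broadband style reverse name, and a Message-ID with no real host. The sample headers are the ones shown above, re-typed without the annotations.

```python
import re
from email import message_from_string

# Constructed sample: the headers shown on this page, annotations removed, no body.
SAMPLE = """\
Return-Path: <lkokkatbv@terrific.com>
Received: from ajaekapa.com (nh-mtvernon-cmts2a-b-231.lndnnh.adelphia.net [24.52.29.231])
    by mx7.mx.voyager.net (8.12.10/8.10.2) with ESMTP id h9ABLUGi069075
    for <vsfu@infinet.com>; Fri, 10 Oct 2003 07:21:33 -0400 (EDT)
Message-ID: <d0e001c38f20$67a90cbf$fab19970@0du0jf7>
From: "Longdist Kokkat" <lkokkatbv@terrific.com>
To: vsfu@infinet.com
Subject: I know all that
Date: Fri, 10 Oct 2003 11:21:33 +0000

"""

# "from HELO (rdns [ip])" as written by sendmail-style MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\)")

def registered_domain(host):
    # Crude last-two-labels rule; good enough for the hosts on this page.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze_received(raw):
    """Return a list of indicator strings for the first (outermost) Received hop."""
    msg = message_from_string(raw)
    rcvd = msg.get_all("Received", [])
    m = RECEIVED_RE.search(rcvd[0]) if rcvd else None
    if not m:
        return ["no parseable Received header"]
    helo, rdns, ip = m["helo"], m["rdns"] or "", m["ip"]
    findings = []
    # HELO name and reverse DNS belong to unrelated domains
    if rdns and registered_domain(helo) != registered_domain(rdns):
        findings.append(f"helo/rdns mismatch: {helo} vs {rdns}")
    # Envelope sender's domain matches neither the HELO nor the reverse DNS
    sender = (msg.get("Return-Path") or "").strip("<> ")
    sdom = sender.rpartition("@")[2]
    if sdom and registered_domain(sdom) not in {registered_domain(helo), registered_domain(rdns)}:
        findings.append(f"return-path domain {sdom} unrelated to sending host")
    # Reverse names like "...cmts2a-b-231...adelphia.net" mark consumer broadband
    if re.search(r"cmts|dsl|dialup|dyn|cable|pool", rdns, re.I):
        findings.append(f"sending host looks like a consumer/dynamic address: {rdns} [{ip}]")
    # Message-ID host part is not a fully qualified name
    mid = (msg.get("Message-ID") or "").strip("<> ")
    if "." not in mid.rpartition("@")[2]:
        findings.append(f"message-id host is not a FQDN: {mid}")
    return findings
```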
Here we "whois" the domain which sponsored the spam (net-click.net.ph) and find it
registered to
The information above comes from
http://www.domains.ph
which is "The Official Domain Registry of the Philippines". We are
disappointed that they do not show much information at all, and choose to make
what they do show less than useful by truncating the email addresses until they
are unusable.
I searched through the news.admin.net-abuse.email
newsgroup for the street address "6789 Breutrask" from the above. Lots of
sightings there of this spammer, one of the internet's most prolific.
Ironically, the spams include "Say Goodbye to Junk Email". There is
extensive information on these guys at
http://spews.org/html/S1861.html (Innovasion).
Information there and elsewhere in the newsgroups
indicates that Innovasion and FT
International sell hosting and software to spammers, and could well be behind
all the compromised user machines that are Joe Jobbing me now.
So now what about those nameservers, whois nocstar.net?
10/10/03 16:47:10 whois nocstar.net
.net is a domain of Network services
Searches for .net can be run at http://www.crsnic.net/
whois -h whois.crsnic.net nocstar.net ...
Redirecting to IHOLDINGS.COM, INC. D/B/A DOTREGISTRAR.COM
whois -h whois.dotregistrar.com nocstar.net ...
This whois service shows the information for .COM, .NET and .ORG domains
only if they are registered thru DotRegistrar.com. For .BIZ, .US .INFO and
.NAME domains, the information is displayed regardless of the sponsoring
registrar for said domains.
Registrant:
Emm Software Limited (NOCSTAR-NET-DOM)
121 Rajendra Bhawan
Rajendra Place
New Delhi, 110008
India
91-9811158789
admin@nocstar.com
Domain Name: NOCSTAR.NET
Administrative Contact:
Shivark admin@nocstar.com
Emm Software Limited
121 Rajendra Bhawan, Rajendra Place
New Delhi, 110008
India
91-9811158789
Technical Contact, Zone Contact:
Shivark admin@nocstar.com
Emm Software Limited
121 Rajendra Bhawan, Rajendra Place
New Delhi, 110008
India
91-9811158789
Record last updated on 09-Sep-2003.
Record expires on 19-Apr-2004.
Record created on 19-Apr-2003.
Domain servers in listed order:
Name Server: ns.nocstar.net
Name Server: ns2.nocstar.net
Here we find the ip address for the website sponsoring the spam - the
spamvertizer
10/10/03 16:53:54 dns click.net-click.net.ph
Canonical name: click.net-click.net.ph
Addresses: 61.11.32.64
The Innovasion and FT International spam for spammers
claims "Our sites feature fully rotating IP numbers from different bandwidth
providers, so ISP's won't be able to effectively block your site." So we
would expect this site to be moving often.
10/11/03 07:48:28 dns click.net-click.net.ph
Canonical name: click.net-click.net.ph
Addresses: 210.214.84.131
and sure enough, it does move around.
Now we look to see who owns the ip address block where the spamvertizer site
is, was, will be again: 61.11.32.64
inetnum: 61.11.32.0 - 61.11.127.255
netname: DISHNET
descr: DISHNETDSL Limited,
descr: 19 Cathedral Garden Road
descr: Chennai 600 034
country: IN
admin-c: DIH1-AP
tech-c: DIH1-AP
remarks: role objects for Dishnet IP Administrators
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-DISHNET
changed: hostmaster@apnic.net 20010227
status: ALLOCATED PORTABLE
source: APNIC
role: DISHNET IP Hostmaster
address: DishnetDSL Limited
address: 19, Cathedral Garden Road
address: Chennai, 600 034
phone: +91-44-825 6201
phone: +91-44-825 6149
phone: +91-44-826 9801
fax-no: +91-44-825 7477
e-mail: ip-admin@ddsl.net
trouble: Network abuse issues and SPAM complaints
trouble: should be sent to abuse@eth.net
admin-c: BR31-AP
tech-c: BR31-AP
nic-hdl: DIH1-AP
remarks: role object for Dishnet IP Administrators
notify: ip-admin@ddsl.net
mnt-by: MAINT-IN-DISHNET
changed: bbreddy@ddsl.net 20020530
source: APNIC
Now we look to see who owns the ip address block where the spamvertizer site
is, was, will be again: 210.214.84.131
inetnum: 210.214.0.0 - 210.214.127.255
netname: SILNET-AP
descr: Satyam Infoway Pvt.Ltd.,
descr: Value Added Network service provider in India.
country: IN
admin-c: HS51-AP
tech-c: HS51-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-SATYAM
changed: hostmaster@apnic.net 20000131
changed: hostmaster@apnic.net 20001102
status: ALLOCATED PORTABLE
source: APNIC
person: Hostmaster Satyam Infoway
nic-hdl: HS51-AP
e-mail: hostmaster@satyam-infoway.com
address: Sify Limited,
address: Second Floor, Tidel Park,
address: No.4,Canal Bank Road,
address: Taramani, Chennai - 600113
phone: +91-44-22540770
fax-no: +91-44-22540771
country: IN
changed: hostmaster@sifycorp.com 20030408
mnt-by: MAINT-IN-SATYAM
source: APNIC
Now we find the ip addresses for the two name servers our spamvertizer uses
10/10/03 21:26:39 dns ns.nocstar.net
Canonical name: ns.nocstar.net
Addresses: 211.154.167.158
10/10/03 21:27:20 dns ns2.nocstar.net
Canonical name: ns2.nocstar.net
Addresses: 211.154.167.159
The spamvertizer must be able to easily update these
name servers in order to keep the web site moving constantly. I did verify
that before and after the domain was moved to a new ip the name servers did stay
the same, so the movement is not being done by changing which name servers the
domain points to, rather by changing where the name servers themselves point to.
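To make that check repeatable, here is an added Python example (not from the page's author): it replays the two lookups shown on this page as constructed observations, tells an A-record change at unchanged name servers apart from a change of delegation, and uses the inetnum ranges from the whois output above to show that the two addresses sit in different allocations, as the "different bandwidth providers" pitch claims.

```python
import ipaddress

# Constructed observations, copied from the lookups shown on this page:
# (timestamp, NS set, A record) for click.net-click.net.ph on 10/10 and 10/11.
OBSERVATIONS = [
    ("10/10/03 16:53:54", ("ns.nocstar.net", "ns2.nocstar.net"), "61.11.32.64"),
    ("10/11/03 07:48:28", ("ns.nocstar.net", "ns2.nocstar.net"), "210.214.84.131"),
]

# inetnum lines as printed by APNIC whois on this page, keyed by netname.
INETNUMS = {
    "DISHNET": "61.11.32.0 - 61.11.127.255",
    "SILNET-AP": "210.214.0.0 - 210.214.127.255",
}

def parse_inetnum(text):
    """'a.b.c.d - w.x.y.z' -> list of ip_network objects covering that range."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))

def netname_for(ip, inetnums=INETNUMS):
    """Return the netname whose inetnum contains ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for name, rng in inetnums.items():
        if any(addr in net for net in parse_inetnum(rng)):
            return name
    return None

def classify_moves(observations):
    """For each consecutive pair of observations, say how (and where) the host moved."""
    out = []
    for (_, ns_a, ip_a), (_, ns_b, ip_b) in zip(observations, observations[1:]):
        if ip_a == ip_b:
            out.append("no move")
            continue
        ns_changed = set(ns_a) != set(ns_b)
        net_a, net_b = netname_for(ip_a), netname_for(ip_b)
        # Same NS set but new A record: the name servers' answers changed, not the delegation.
        how = "delegation changed" if ns_changed else "A record changed at same NS"
        where = "different allocations" if net_a != net_b else "same allocation"
        out.append(f"{how}; {where} ({net_a} -> {net_b})")
    return out
```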
Now we look to see who owns these ip address blocks.