| Overview - Innocent Bystander: terrific.com Damaged by Spammers |
| Analysis of sample spam for the "pharaohmeds.biz" site.
First of the 2004 spam, we can count on more to follow later.
"Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv " |
Analysis of sample spams for the "Tabfor.biz" Collection of Crap -
brought to you by the jerks whose antics now have many sites simply blocking the
entire set of .biz domains as useless. All these spamvertizers are
registered to the same old tabfor.biz
and spamvertize pills and medicine - we hope the FDA and the FTC catch up
with them soon.
- spamvertizer = vpachka.biz "Thats what i heard" (also received as "In your neighborhood")
- spamvertizer = spamsraahnet.biz Thur, 16 Oct 2003 "Xanax is ready nowO" We don't know this was tabfor.biz as the domain was dead by the time we got there, but it looks like his work.
- spamvertizer = hosting4vegas.com & usosdland.biz Fri, 17 Oct 2003 "Che@ting House Wives: Quality Enjoyment for Days & Nights!..." We find this one VERY interesting as it associates the "tabfor.biz" garbage for the first time with a "Cheating House Wives" site, by virtue of having both links in the same spam. We think Eddy screwed up.
- spamvertizer = kkuoher.biz Sat, 18 Oct 2003 "Xanax now part of the line g89ad23ldlxxf3s6clrf2e3e"
- spamvertizer = osaustech.biz Sat, 18 Oct 2003 "Valium now in the product line gwdahz2q1aagw29p4"
- spamvertizer = osauser.biz Sun, 19 Oct 2003 "Overnight the Valium ic7kfz163vcoe1l8zbrx2b"
- spamvertizer = osausist.biz Sun, 19 Oct 2003 "All Valium 5e9grc2tgk4vg2je"
- spamvertizer = ultraosaus.biz Sun, 19 Oct 2003 "Xanax in your inbox maj6m21rn6s9m1zsn"
- spamvertizer = extrakurasd.biz Sun, 19 Oct 2003 "tOtAl XaNAX 3yxkfs3irydy7d"
- spamvertizer = gojhaus.biz Tuesday, October 21, 2003 "Valium in your inbox kixhch3uk7jhq3"
- spamvertizer = ejdojf.biz Sat, 25 Oct 2003 "Fwd: ValiumOHV"
- spamvertizer = activeosaus.biz Sun, 26 Oct 2003 "Xanax is ready to goKKIYYZ"
- spamvertizer = realpouvr.biz Fri, 31 Oct 2003 "Order some prescription drugs, Zanaflex, zanaflex, viagrast tiwveaunqavldushoqybgjog"
We see from reading NANAE that these domains are the work of
Eddy Marin. Ones he recently registered
that we haven't seen the spams for yet are:
|
| Analysis of sample spams from spamvertizers registered to "Frerrics Domains SL"
(probably not their real name, I wouldn't put my real name on it, would you?).
Typically some flavor of "Online Cheating Wives".
As a result of this web site we are hearing from other domain owners who
have also been subjected to having their domain names forged into spam
messages from these people. A partial list of some of the other
spamvertizing domains registered to the Frerrics Domains gang includes:
easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info
refi-today.info save-hundreds.info
In most cases, the spamvertizer has registered both a .biz and a .info
version of the same domain name. |
| Analysis of sample spam spamvertizer = net-click.net.ph (Inovasion / FT International)
"I know all that" (also received as "Did you lose my ICQ?" & "Do you remember me ?")
Insurance Crap |
| Analysis of sample spam spamvertizer = 1pills4less.biz "Meet me tomorrow"
Make your penis bigger pills, although you'll never be as big a dick as the
"Edward Davidson" who is the false name this site is registered to. |
| A collection of spams from a spamvertizer promising pills that will make your dick bigger.
Hosted in Brazil. Spammer also has registered YOURPUBLICDNS.BIZ and runs own DNS servers,
one hosted in Brazil and one with servepath.com in California. |
| Analysis of sample spam spamvertizer = stuffedgrapes.net Tue, 21 Oct 2003 "Why not ask me. tywdip7hxkihk17iio3jgail1m" |
Analysis of sample spam spamvertizer = rizonthebiz.biz Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx" (also received as "Why not ask me. mjnibicnvpdebdjkq")
Analysis of sample spam spamvertizer = downmoon.info Tue, 11 Nov 2003 "Need some action. ghdeafdpcnxzmdyae" believed to be from the same jerks who brought us rizonthebiz.biz |
| A domain registrant of RTH, Inc does a lot of spamming to seemingly random addresses
(meaning children may easily receive these) pushing free access to pornography. Nothing is
free, and we can bet there is at least some spyware or trojans being installed on the
machines of users foolish enough to click the link. Domains registered to them include
goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM, DNS4PROVIDERS.NET,
CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM,
& PANAMERICANHOSTING.COM
spamvertizer = goldfingerrock.biz Sat, 25 Oct 2003 "this is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer = smackonthewall.biz Sat, 25 Oct 2003 "is this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz Sun, 26 Oct 2003 "Get in this way. xvieybdbjnxudtyjfdl" |
|
Here is the spam message, with its links disabled so nobody will
accidentally click and end up in spam hell.
From: Kasper Raglin [kasper_raglin_tx@terrific.com]
Sent: Sunday, October 26, 2003 1:25 AM
To: sawdust1219@aol.com; sawdust1222@aol.com; sawdust123@aol.com; sawdust12345@aol.com;
sawdust123491259@aol.com; sawdust1236@aol.com; sawdust1258@aol.com
Subject: Want a larger package uqucfvdchznhndjvsefudmt
Don't EVER
be insecure about your peni s size again!
Have her back and begging for more!
MaXaMan are h erbal, natural pill s
that will take your s ex life to new
heights.
And no one will ever
know you took them!
D iscreet Shipping,
Billing and Customer Se rvice.
Click Here to Try Now
(links to
spamhttp://kellymedz.biz -Ed.)
rctagocuhikusdeplwvudiyulorvpglodbrurkdetnckmlofadlceikhdaawdwycryftjbmrvhqy
Here are the headers from the spam message:
Return-path: <kasper_raglin_tx@terrific.com>
Received: from tcp-daemon.mta12.srv.hcvlny.cv.net by mta12.srv.hcvlny.cv.net
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
id <0HNC0036EPTOQT@mta12.srv.hcvlny.cv.net>
(original mail from kasper_raglin_tx@terrific.com); Sun,
26 Oct 2003 01:25:02 -0500 (EST)
Received: from maturing.com (ool-18be6600.dyn.optonline.net [24.190.102.0])
by mta12.srv.hcvlny.cv.net
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
with ESMTP id <0HNC002TEPT6O9@mta12.srv.hcvlny.cv.net>; Sun,
26 Oct 2003 01:24:48 -0500 (EST)
Date: Sun, 26 Oct 2003 06:24:50 +0000
From: Kasper Raglin <kasper_raglin_tx@terrific.com>
Subject: Want a larger package uqucfvdchznhndjvsefudmt
To: sawdust1219@aol.com, sawdust1222@aol.com, sawdust123@aol.com,
sawdust12345@aol.com, sawdust123491259@aol.com, sawdust1236@aol.com,
sawdust1258@aol.com
Message-id: <3d0c01c39b89$6ee7d38a$c04a6f93@jbwthbd>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Content-type: multipart/alternative;
boundary="Boundary_(ID_c8B79ZklMBWa5iReJxYXSw)"
X-Priority: 3
X-MSMail-priority: Normal
(really from 24.190.102.0 ool-18be6600.dyn.optonline.net)
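How that "really from" line is derived, as an added example (not part of the original page): walk the Received chain from the top, treat the cv.net MTA as the trusted receiver, and stop at the first hop handed in from outside it. The headers are abridged from those quoted above; the trusted-suffix choice is an assumption of this example.

```python
import email
import re
from email.utils import parseaddr

# Abridged from the headers quoted above; continuation lines are folded with a leading space.
SPAM_HEADERS = """\
Received: from tcp-daemon.mta12.srv.hcvlny.cv.net by mta12.srv.hcvlny.cv.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 id <0HNC0036EPTOQT@mta12.srv.hcvlny.cv.net>; Sun, 26 Oct 2003 01:25:02 -0500 (EST)
Received: from maturing.com (ool-18be6600.dyn.optonline.net [24.190.102.0])
 by mta12.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HNC002TEPT6O9@mta12.srv.hcvlny.cv.net>; Sun, 26 Oct 2003 01:24:48 -0500 (EST)
From: Kasper Raglin <kasper_raglin_tx@terrific.com>
Subject: Want a larger package uqucfvdchznhndjvsefudmt
"""

# HELO name the sender announced, the reverse DNS and IP the receiving MTA
# recorded in brackets (absent on internal hops), and the MTA that wrote the line.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_hops(raw_headers):
    """Received hops as dicts, most recent (topmost) first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold the header
        if m:
            hops.append(m.groupdict())
    return hops

def originating_hop(raw_headers, trusted_suffix):
    """First hop where a host outside our mail system handed the message to one
    of our MTAs. Hops above it are our own relaying and can be believed; the
    From:/Return-path below it were written by the sender and cannot."""
    for hop in parse_hops(raw_headers):
        by_ours = hop["by"].lower().endswith(trusted_suffix)
        from_ours = hop["helo"].lower().endswith(trusted_suffix)
        if by_ours and not from_ours:
            return hop
    return None

def claimed_sender_domain(raw_headers):
    """Domain of the From: header, which the spammer picks freely (here terrific.com)."""
    msg = email.message_from_string(raw_headers)
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
```

The HELO "maturing.com" disagreeing with the recorded reverse DNS, and the From: domain appearing nowhere in the path, are the two mismatches an abuse desk looks for before deciding whom to complain to.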
Here we "whois" the domain that sponsored the spam (kellymedz.biz) and find it
registered to:
| .BIZ Registry WHOIS Data |
| Domain Name | KELLYMEDZ.BIZ |
| Domain ID | D5525635-BIZ |
| Sponsoring Registrar | WILD WEST DOMAINS, INC. |
| Domain Status | ok |
| Registrant ID | GODA-04338320 |
| Registrant Name | Bill Wilson |
| Registrant Organization | publicDNS Org |
| Registrant Address1 | 1825 Ponce de leon blvd |
| Registrant City | Miami |
| Registrant State/Province | Florida |
| Registrant Postal Code | 33134 |
| Registrant Country | United States |
| Registrant Country Code | US |
| Registrant Phone Number | +1.3057421115 |
| Registrant Email | nudemodels69@yahoo.com |
| Administrative Contact ID | GODA-24338320 |
| Administrative Contact Name | Bill Wilson |
| Administrative Contact Organization | publicDNS Org |
| Administrative Contact Address1 | 1825 Ponce de leon blvd |
| Administrative Contact City | Miami |
| Administrative Contact State/Province | Florida |
| Administrative Contact Postal Code | 33134 |
| Administrative Contact Country | United States |
| Administrative Contact Country Code | US |
| Administrative Contact Phone Number | +1.3057421115 |
| Administrative Contact Email | nudemodels69@yahoo.com |
| Billing Contact ID | GODA-34338320 |
| Billing Contact Name | Bill Wilson |
| Billing Contact Organization | publicDNS Org |
| Billing Contact Address1 | 1825 Ponce de leon blvd |
| Billing Contact City | Miami |
| Billing Contact State/Province | Florida |
| Billing Contact Postal Code | 33134 |
| Billing Contact Country | United States |
| Billing Contact Country Code | US |
| Billing Contact Phone Number | +1.3057421115 |
| Billing Contact Email | nudemodels69@yahoo.com |
| Technical Contact ID | GODA-14338320 |
| Technical Contact Name | Bill Wilson |
| Technical Contact Organization | publicDNS Org |
| Technical Contact Address1 | 1825 Ponce de leon blvd |
| Technical Contact City | Miami |
| Technical Contact State/Province | Florida |
| Technical Contact Postal Code | 33134 |
| Technical Contact Country | United States |
| Technical Contact Country Code | US |
| Technical Contact Phone Number | +1.3057421115 |
| Technical Contact Email | nudemodels69@yahoo.com |
| Name Server | DNS1.YOURPUBLICDNS.BIZ |
| Name Server | DNS3.YOURPUBLICDNS.BIZ |
| Created by Registrar | WILD WEST DOMAINS, INC. |
| Last Updated by Registrar | WILD WEST DOMAINS, INC. |
| Domain Registration Date | Fri Oct 24 16:18:07 GMT 2003 |
| Domain Expiration Date | Sat Oct 23 23:59:59 GMT 2004 |
| Domain Last Updated Date | Fri Oct 24 16:20:46 GMT 2003 |
This is the same registrant as the registrations for
lunburrymeds.biz & singletonmeds.biz in the other examples.
So now what about those nameservers? whois yourpublicdns.biz:
| .BIZ Registry WHOIS Data |
| Domain Name | YOURPUBLICDNS.BIZ |
| Domain ID | D5248016-BIZ |
| Sponsoring Registrar | INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM |
| Domain Status | ok |
| Registrant ID | IMG-399808 |
| Registrant Name | Bill Willson |
| Registrant Organization | publicDNS ORG |
| Registrant Address1 | 1825 ponce de leon blvd |
| Registrant Address2 | #397 |
| Registrant City | Miami |
| Registrant State/Province | FL |
| Registrant Postal Code | 33134 |
| Registrant Country | United States |
| Registrant Country Code | US |
| Registrant Phone Number | +1.3057421115 |
| Registrant Email | nudemodels69@yahoo.com |
| Administrative Contact ID | IMG-399808 |
| Administrative Contact Name | Bill Willson |
| Administrative Contact Organization | publicDNS ORG |
| Administrative Contact Address1 | 1825 ponce de leon blvd |
| Administrative Contact Address2 | #397 |
| Administrative Contact City | Miami |
| Administrative Contact State/Province | FL |
| Administrative Contact Postal Code | 33134 |
| Administrative Contact Country | United States |
| Administrative Contact Country Code | US |
| Administrative Contact Phone Number | +1.3057421115 |
| Administrative Contact Email | nudemodels69@yahoo.com |
| Billing Contact ID | IMG-399808 |
| Billing Contact Name | Bill Willson |
| Billing Contact Organization | publicDNS ORG |
| Billing Contact Address1 | 1825 ponce de leon blvd |
| Billing Contact Address2 | #397 |
| Billing Contact City | Miami |
| Billing Contact State/Province | FL |
| Billing Contact Postal Code | 33134 |
| Billing Contact Country | United States |
| Billing Contact Country Code | US |
| Billing Contact Phone Number | +1.3057421115 |
| Billing Contact Email | nudemodels69@yahoo.com |
| Technical Contact ID | IMG-399808 |
| Technical Contact Name | Bill Willson |
| Technical Contact Organization | publicDNS ORG |
| Technical Contact Address1 | 1825 ponce de leon blvd |
| Technical Contact Address2 | #397 |
| Technical Contact City | Miami |
| Technical Contact State/Province | FL |
| Technical Contact Postal Code | 33134 |
| Technical Contact Country | United States |
| Technical Contact Country Code | US |
| Technical Contact Phone Number | +1.3057421115 |
| Technical Contact Email | nudemodels69@yahoo.com |
| Name Server | DNS1.YOURPUBLICDNS.BIZ |
| Name Server | DNS3.YOURPUBLICDNS.BIZ |
| Created by Registrar | INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM |
| Last Updated by Registrar | INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM |
| Domain Registration Date | Mon Sep 01 14:07:40 GMT 2003 |
| Domain Expiration Date | Tue Aug 31 23:59:59 GMT 2004 |
| Domain Last Updated Date | Tue Sep 23 12:46:20 GMT 2003 |
So here is another case where the spamvertizer uses
their own DNS in order to keep the site on the move.
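The registrant pivot that ties the two records above together, as an added example (not part of the original page): parse each .BIZ record into key/value pairs and index domains by contact fields, so that shared e-mail, phone and nameservers surface while the misspelt name does not. The records are abridged from the two tables quoted above; the choice of pivot fields is this example's own.

```python
from collections import defaultdict

# Abridged from the two .BIZ registry records quoted above (the spamvertized
# domain and its own nameserver domain); only the fields worth pivoting on are kept.
WHOIS_RECORDS = [
    """Domain Name: KELLYMEDZ.BIZ
Sponsoring Registrar: WILD WEST DOMAINS, INC.
Registrant Name: Bill Wilson
Registrant Organization: publicDNS Org
Registrant Phone Number: +1.3057421115
Registrant Email: nudemodels69@yahoo.com
Name Server: DNS1.YOURPUBLICDNS.BIZ
Name Server: DNS3.YOURPUBLICDNS.BIZ
""",
    """Domain Name: YOURPUBLICDNS.BIZ
Sponsoring Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Registrant Name: Bill Willson
Registrant Organization: publicDNS ORG
Registrant Phone Number: +1.3057421115
Registrant Email: nudemodels69@yahoo.com
Name Server: DNS1.YOURPUBLICDNS.BIZ
Name Server: DNS3.YOURPUBLICDNS.BIZ
""",
]

def parse_whois(text):
    """'Key: Value' lines into a dict of lists (Name Server repeats)."""
    rec = defaultdict(list)
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and val.strip():
            rec[key.strip()].append(val.strip())
    return dict(rec)

def pivot(records, fields):
    """(field, case-folded value) -> sorted domains sharing it; only values that
    tie two or more domains together are kept, so 'Wilson'/'Willson' drops out."""
    index = defaultdict(set)
    for rec in records:
        domain = rec["Domain Name"][0].lower()
        for field in fields:
            for value in rec.get(field, []):
                index[(field, value.lower())].add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}

PIVOT_FIELDS = ["Registrant Name", "Registrant Organization",
                "Registrant Phone Number", "Registrant Email", "Name Server"]

def linked_domains():
    """Pivot the quoted records; returns every link found between them."""
    return pivot([parse_whois(t) for t in WHOIS_RECORDS], PIVOT_FIELDS)
```

Fed the whois records for lunburrymeds.biz and singletonmeds.biz as well, the same index is what groups a whole campaign under one contact, regardless of which registrar each domain went through.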
Now, what IP is the spamvertizer at right now?
10/26/03 05:39:43 dns kellymedz.biz
Canonical name: kellymedz.biz
Addresses:
200.217.168.87
This is the same website as the other two similar examples:
10/23/03 18:54:01 dns singletonmeds.biz
Canonical name: singletonmeds.biz
Addresses:
200.217.168.87
10/23/03 18:58:19 dns lunburrymeds.biz
Canonical name: lunburrymeds.biz
Addresses:
200.217.168.87
So let's see where the nameservers are too:
10/23/03 19:03:10 dns dns1.YOURPUBLICDNS.BIZ
Canonical name: dns1.yourpublicdns.biz
Addresses:
216.93.179.228
10/23/03 19:04:10 dns dns3.YOURPUBLICDNS.BIZ
Canonical name: dns3.yourpublicdns.biz
Addresses:
200.171.62.40
And who has the IP block for the spamvertizer registered?
registro.br
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to domain name and IP number registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2003-10-23 22:06:32 (BRST -02:00)
inetnum: 200.217/16
asn: AS7738
ID abusos: CGR13
entidade: Telemar Norte Leste S.A.
documento: 002.558.134/0001-58
responsável: Marcello Lugon
endereço: Rua Humberto de Campos, 425, 7º andar
endereço: 22430-190 - Rio de Janeiro - RJ
telefone: (021) 31311343 []
ID entidade: MAL516
ID técnico: CGR13
inetrev: 200.217.168/24
servidor DNS: NS4.TELEMAR.NET.BR
status DNS: 20/10/2003 AA
último AA: 20/10/2003
servidor DNS: NS2.TELEMAR.NET.BR
status DNS: 20/10/2003 AA
último AA: 20/10/2003
ID: CGR13
nome: Centro de Gerencia de Rede TELEMAR
e-mail: abuse@TELEMAR.NET.BR
endereço: Praia de Botafogo, 166, 7 andar
endereço: 22250-040 - Rio de Janeiro - RJ
telefone: (21) 080028234 []
criado: 05/06/2000
alterado: 13/08/2003
ID: MAL516
nome: Marcello Lugon
e-mail: mlugon@TELEMAR.COM.BR
endereço: Rua Humberto de Campos, 425, 7º andar
endereço: 22430-190 - Rio de Janeiro - RJ
telefone: (021) 3131-1343 [-]
criado: 09/10/2000
alterado: 12/09/2002
remarks: Security issues should also be addressed to
remarks: nbso@nic.br, http://www.nic.br/nbso.html
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse@nic.br
% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.
|
We have previously LARTed both abuse@telemar.com.br and mail-abuse@nic.br
to demand the site be shut down, but of course it doesn't do any good. We
note that telemar.net.br is listed on Spamhaus as an ISP friendly to spam
and hosting several of them.
|