Analysis of sample spam
spamvertizer = hotdogfactory.info
Fri, 21 Nov 2003 11:08:03 +0000
"Paris Hilton Sex Video ewisysdtuelzzblqje"


Here is the spam message, with its links disabled so nobody will accidentally click and end up in spam hell.

From: Cherise Haddad [cherisehaddad_qb@terrific.com]
Sent: Friday, November 21, 2003 5:08 AM
To: siller@ameritech.net
Subject: Paris Hilton Sex Video ewisysdtuelzzblqje
"Paris Hilton is steaming mad over a steamy sex video that may soon go public," her spokeswoman said. The recording was made three years ago while Solomon and Hilton, then 19, were dating, Garber said. "It was for themselves," Garber added. "Not everybody indulges in that, but couples do it sometimes and it's just for themselves, for fun. She never intended for it to be seen by anybody other than the two of them."
Watch it here

sgtbrqcnlnlonktpshtlxikmca yxchsknhenimo uyiaiibbsyhb wrozyudyweql bjfumjjxnj qspzenbxiih zquhohdotu semsvljkxk

(This links to spamhttp://www.wequdncfssukktudabjojvbe.fcnwgouxupqpcyxdfafrclrq.oofjbknjdoctcfmyzdncbjvcjccr.hotdogfactory.info/ -Ed. )

The site has a web form enticing you to sign up in order to see a porno video.  The web form submits your info to spamhttp://www.stiffycash.com/join-bridge.php if you are naive enough to fill in the form.


Here are the headers from the spam message:

Return-path: <cherisehaddad_qb@terrific.com>
Received: from tcp-daemon.mta10.srv.hcvlny.cv.net by mta10.srv.hcvlny.cv.net
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
id <0HOP00JL189HOY@mta10.srv.hcvlny.cv.net>
(original mail from cherisehaddad_qb@terrific.com); Fri,
21 Nov 2003 06:08:05 -0500 (EST)
Received: from fanatic.com (ool-18b8a316.dyn.optonline.net [24.184.163.22])
by mta10.srv.hcvlny.cv.net
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
with ESMTP id <0HOP00JJ388UIU@mta10.srv.hcvlny.cv.net> for
siller@ameritech.net; Fri, 21 Nov 2003 06:08:04 -0500 (EST)
Date: Fri, 21 Nov 2003 11:08:03 +0000
From: Cherise Haddad <cherisehaddad_qb@terrific.com>
Subject: Paris Hilton Sex Video ewisysdtuelzzblqje
To: siller@ameritech.net
Message-id: <b2e401c3b01f$4f3dc11f$b36bce19@kotxyji>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Content-type: multipart/alternative;
boundary="Boundary_(ID_E8UBWiMsoeIHLhKIGuDLPA)"
X-Priority: 3
X-MSMail-priority: Normal

The message really came from 24.184.163.22 (ool-18b8a316.dyn.optonline.net), the host that handed it to mta10.srv.hcvlny.cv.net in the second Received header; the terrific.com sender address is forged.
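As an added example that is not part of the original page, here is a Python script that reads the Received headers the way the analysis above does: walk them from the recipient's side and take the first hop that a trusted MTA stamped on a connection from outside its own domain as the true origin, then compare the HELO name and the From: domain against that host. It assumes the recipient-side MTAs are identified by the suffix cv.net; the header block is a constructed, abridged copy of the one quoted above.

```python
import re
from email import message_from_string

# Constructed, abridged copy of the Received/From headers quoted above, re-folded
# as an RFC 822 header block (sample input for this example, not a live message).
SAMPLE = """Received: from tcp-daemon.mta10.srv.hcvlny.cv.net by mta10.srv.hcvlny.cv.net
 id <0HOP00JL189HOY@mta10.srv.hcvlny.cv.net>; Fri, 21 Nov 2003 06:08:05 -0500 (EST)
Received: from fanatic.com (ool-18b8a316.dyn.optonline.net [24.184.163.22])
 by mta10.srv.hcvlny.cv.net with ESMTP id <0HOP00JJ388UIU@mta10.srv.hcvlny.cv.net>
 for siller@ameritech.net; Fri, 21 Nov 2003 06:08:04 -0500 (EST)
From: Cherise Haddad <cherisehaddad_qb@terrific.com>
"""

# One hop: "from HELO (rdns [ip]) by server"; the parenthesised part is what the
# receiving MTA observed itself, the HELO name is whatever the sender claimed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[\d.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return the Received hops top-down (nearest the recipient first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold, then match
        if m:
            hops.append(m.groupdict())
    return hops

def find_origin(raw, trusted_suffix):
    """First hop stamped by a trusted MTA on a connection from outside it is the origin."""
    for hop in parse_hops(raw):
        if hop["by"].endswith(trusted_suffix) and hop["ip"] \
                and not (hop["rdns"] or "").endswith(trusted_suffix):
            return hop
    return None

def registered_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def forgery_indicators(raw, trusted_suffix):
    """Where the mail really came from, and whether HELO and From: match that host."""
    hop = find_origin(raw, trusted_suffix)
    if hop is None:
        return None
    from_domain = message_from_string(raw)["From"].split("@")[-1].rstrip(">")
    return {"origin_ip": hop["ip"], "origin_host": hop["rdns"],
            "helo_forged": registered_domain(hop["helo"]) != registered_domain(hop["rdns"]),
            "from_domain_forged": registered_domain(from_domain) != registered_domain(hop["rdns"])}
```

Only the hop added by a server you trust is evidence; everything below it in the chain can be fabricated by the sender.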


Here is the whois record for the domain which sponsored the spam (hotdogfactory.info); it is registered to:

Domain ID:  D2951365-LRMS
Domain Name:  HOTDOGFACTORY.INFO
Created On:  05-Nov-2003 03:44:18 UTC
Last Updated On:  20-Nov-2003 19:56:59 UTC
Expiration Date:  05-Nov-2004 03:44:18 UTC
Sponsoring Registrar:  Direct Information Pvt Ltd. d/b/a Directi.com (R159-LRMS)
Status:  ACTIVE
Status:  OK
Registrant ID:  C3884405-LRMS
Registrant Name:  Frerrics Domains SL
Registrant Organization:  Frerrics Fliney
Registrant Street1:  12 Sequoia street
Registrant City:  Tampa
Registrant State/Province:  FL
Registrant Postal Code:  12444
Registrant Country:  US
Registrant Phone:  +001.112224457
Registrant Email:  frerrics@hotmail.com
Admin ID:  C3884405-LRMS
Admin Name:  Frerrics Domains SL
Admin Organization:  Frerrics Fliney
Admin Street1:  12 Sequoia street
Admin City:  Tampa
Admin State/Province:  FL
Admin Postal Code:  12444
Admin Country:  US
Admin Phone:  +001.112224457
Admin Email:  frerrics@hotmail.com
Billing ID:  C3884405-LRMS
Billing Name:  Frerrics Domains SL
Billing Organization:  Frerrics Fliney
Billing Street1:  12 Sequoia street
Billing City:  Tampa
Billing State/Province:  FL
Billing Postal Code:  12444
Billing Country:  US
Billing Phone:  +001.112224457
Billing Email:  frerrics@hotmail.com
Tech ID:  C3884405-LRMS
Tech Name:  Frerrics Domains SL
Tech Organization:  Frerrics Fliney
Tech Street1:  12 Sequoia street
Tech City:  Tampa
Tech State/Province:  FL
Tech Postal Code:  12444
Tech Country:  US
Tech Phone:  +001.112224457
Tech Email:  frerrics@hotmail.com
Name Server:  NS1.FREEJOINNOW.BIZ
Name Server:  NS2.FREEJOINNOW.BIZ

This registration is substantially similar to the registrations for the spamvertizing sites freeclicks.biz (see sample spam from them) and ultimatepersonals.biz (see sample spam from them).


Now, what IP address is the spamvertizer at right now?

11/21/03 06:51:45 dns hotdogfactory.info
Mail for hotdogfactory.info is handled by mail.hotdogfactory.info
Canonical name: hotdogfactory.info
Addresses:
81.180.98.253


And who has the IP block for the spamvertizer registered?

inetnum:      81.180.98.0 - 81.180.99.255
netname:      SC-INFOGATE-TELECOM-SRL
descr:        S.C. Infogate Telecom S.R.L.
descr:        Bd. Constructorilor nr. 20
descr:        Bucuresti, ROMANIA
descr:        phone: +40-21-3126746
descr:        fax: +40-21-3126706
country:      ro
admin-c:      CV529-RIPE
tech-c:       CV529-RIPE
status:       ASSIGNED PA
mnt-by:       AS3233-MNT
mnt-lower:    AS3233-MNT
mnt-routes:   TAXIGRUP-MNT
notify:       domain-admin@rnc.ro
changed:      cristih@rnc.ro 20031111
source:       RIPE
route:        81.180.98.0/24
descr:        NetAccess01
origin:       AS29397
mnt-by:       TAXIGRUP-MNT
changed:      anet@negru.net 20031105
source:       RIPE
person:       Cristian VARVAS
address:      Infogate Telecom SRL
address:      Bd. Constructorilor Nr. 20
address:      Bucuresti, Romania
phone:        +40-1-303-19-47
fax-no:       +40-1-303-19-39
e-mail:       jolly@infogate.ro
nic-hdl:      CV529-RIPE
remarks:      object maintained by ro.rnc local registry
notify:       domain-admin@rnc.ro
mnt-by:       AS3233-MNT
changed:      cristih@rnc.ro 20031113
source:       RIPE


This page last updated 01/24/2004 02:37:22 PM -0600