| Overview - Innocent Bystander
terrific.com Damaged by Spammers |
| Back to Terrific.com |
| Analysis of sample spam for the
"pharaohmeds.biz" site.
First of the 2004 spam, we can count on more to follow later.
"Got ` Xan+a+x ` :P:ntermin - V1@Gra '
So|m|a ` Va.l.ium More available. H4Bme8Fv " |
Analysis of sample spams for the
"Tabfor.biz" Collection of Crap -
brought to you from the jerks that have many sites now just blocking the
entire set of .biz domains as useless. All these spamvertizers are
registered to the same old tabfor.biz
and spamvertize pills and medicine - we hope the FDA and the FTC catch up
with them soon.
- spamvertizer = vpachka.biz
"Thats what i heard" (also received as
"In
your neighborhood")
- spamvertizer = spamsraahnet.biz Thur, 16 Oct 2003 "Xanax is ready nowO"
We don't know this was tabfor.biz as the domain was dead by the time we
got their, but it looks like his work.
- spamvertizer = hosting4vegas.com &
usosdland.biz Fri, 17 Oct 2003
"Che@ting House Wives: Quality Enjoyment for Days & Nights!..."
We find this one VERY interesting as it associates the "tabfor.biz"
garbage for the first time with a "Cheating House Wives" site, by virtue
of having both links in the same spam. We think Eddy screwed up.
- spamvertizer = kkuoher.biz Sat, 18 Oct 2003
"Xanax now part of the line g89ad23ldlxxf3s6clrf2e3e"
- spamvertizer = osaustech.biz Sat, 18 Oct 2003
"Valium now in the product line gwdahz2q1aagw29p4"
- spamvertizer =
osauser.biz Sun, 19 Oct 2003
"Overnight the Valium ic7kfz163vcoe1l8zbrx2b"
- spamvertizer = osausist.biz Sun, 19 Oct 2003
"All Valium 5e9grc2tgk4vg2je"
- spamvertizer =
ultraosaus.biz Sun, 19 Oct 2003
"Xanax in your
inbox maj6m21rn6s9m1zsn"
- spamvertizer = extrakurasd.biz
Sun, 19 Oct 2003
"tOtAl XaNAX 3yxkfs3irydy7d"
- spamvertizer = gojhaus.biz
Tuesday, October 21, 2003
"Valium in your inbox kixhch3uk7jhq3"
- spamvertizer = ejdojf.biz
Sat, 25 Oct 2003 "Fwd:
ValiumOHV"
- spamvertizer = activeosaus.biz
Sun, 26 Oct 2003
"Xanax is ready to goKKIYYZ"
- spamvertizer = realpouvr.biz
Fri, 31 Oct 2003 "Order
some prescription drugs, Zanaflex, zanaflex, viagrast
tiwveaunqavldushoqybgjog"
We see from reading NANAE that these domains are the work of
Eddy Marin. Ones he recently registered
that we haven't seen the spams for yet are:
adosaus.biz casinosaustrai.biz casinosaustraia.biz
derosausa.biz dildosaustralia.biz eosaus.biz extraosaus.biz fosaus.biz
gasthofgosausee.biz goosaus.biz gosauschmied.biz gosausee.biz hyperosaus.biz
interosaus.biz iosaus.biz magliosausage.biz malosaustralia.biz mimosausa.biz
myosaus.biz osaus.biz osaus1.biz osausant.biz osausarium.biz
osauscentral.biz osaused.biz osausent.biz osausing.biz osausion.biz
osausland.biz osausnet.biz osauss.biz osausweb.biz overosaus.biz
porcelanosausa.biz preosaus.biz proosaust.biz realosaust.biz
sabatinosausage.biz suposaust.biz symosaust.biz techosaust.biz theosaust.biz
transosaust.biz vamosausa.biz vosaus.biz |
| Analysis of sample spams from spamvertizers
registered to "Frerrics Domains SL"
(probably not their real name, I wouldn't put my real name on it,
would you?). Typically some flavor of "Online Cheating Wives".
As a result of this web site we are hearing from other domain owners who
have also been subjected to having their domain names forged into spam
messages from these people. A partial list of some of the other
spamvertizing domains registered to the Frerrics Domains gang includes:
easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info
refi-today.info save-hundreds.info
In most cases, the spamvertizer has registered both a .biz and a .info
version of the same domain name. |
| Analysis of sample spam spamvertizer =
net-click.net.ph ( Inovasion / FT International
) "I know
all that"
(also received as "Did you lose my ICQ?" &
"Do you remember me ?")
Insurance Crap |
| Analysis of sample spam spamvertizer =
1pills4less.biz
"Meet me
tomorrow" Make your penis bigger pills, although you'll never
be as big a dick as the "Edward Davidson" who is the false name this site is
registered to. |
| A collection of spams from a spamvertizer promising pills
that will make your dick bigger. Hosted in Brazil.
Spammer also has registered YOURPUBLICDNS.BIZ
and runs own DNS servers, one hosted in Brazil and one with
servepath.com in California. |
| Analysis of sample spam spamvertizer =
stuffedgrapes.net Tue, 21 Oct 2003
"Why not ask me. tywdip7hxkihk17iio3jgail1m" |
Analysis of sample spam spamvertizer =
rizonthebiz.biz
Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx"
(also received as "Why not ask
me. mjnibicnvpdebdjkq"
Analysis of sample spam spamvertizer =
downmoon.info
Tue, 11 Nov 2003 "Need
some action. ghdeafdpcnxzmdyae" believed to be from the
same jerks who brought us rizonthebiz.biz |
| A domain registrant of RTH, Inc
does a lot of spamming to seemingly random addresses (meaning children may
easily receive these) pushing free access to pornography. Nothing is
free, and we can bet there is at least some spyware or trojans being
installed on the machines or users foolish enough to click the link.
Domains registered to them include
goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM,
DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM,
& PANAMERICANHOSTING.COM spamvertizer =
goldfingerrock.biz
Sat, 25 Oct 2003 "this
is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer =
smackonthewall.biz
Sat, 25 Oct 2003 "is
this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz
Sun, 26 Oct 2003 "Get
in this way. xvieybdbjnxudtyjfdl" |
|
Here is the spam message.
From: Stateson B. O'Conner [statesonb.o'Conner_xb@terrific.com]
Sent: Sunday, December 14, 2003 11:07 AM
To: eagldwn@aol.com; eagle0025@aol.com; eagle0026@aol.com; eagle0081@aol.com;
eagle0411173@aol.com; eagle081702@aol.com; eagle1000245@aol.com
Subject: Keep the house payment money instead with the world wide web
lvpirqccbzzsqcyccj
Want to refi today
hfslxbdwzmdj uzwqhsbmyryndkklgmwbsoqwzmeypcyazvdn
zvzpjqcsqcnrcfjzgzobglyfiRlleisygegmpgkkshpkdsyl
bwmpimbjmragogsxbrbdwmkudubpqldmgcryjtxmrxbxjxbkxncnhczibiuqigedcazimnlt
hixzqhchhwzguzdzgbhmmqapctlkmlqjcprcpxokvklbxsuj
bwvzotbcdelzzepmikmcomqhmjdjcwzdjchwaelzuzuelthotppcothf
(This links to
http://lfsdejbcbdaskishutbmiqeibc@href=www.tbltdhcjhddwquzccbof.comhref=www.zilnkrckthqfpmkzzddnsn.kghyuebalvdwmlblbifwdzj.acejqkdrdvgrfzexbnwmes.money-trees.biz/preappquick.php?href=www.nolelcbnhjpufcavucxmeczimqc.suoxinbpvzveyzmcpcjapvq.ecenkibbwrcgsdhixqyrcvznolyvdjfldqufflbzvrkaadaajcrl
which is really just a page at money-trees.biz with
a whole bunch of crap added to the URL to confuse anyone that might want to know
who they are actually dealing with.
Here is the header from the spam message
Received: from riser.com ([195.121.210.221]) by hnexfe11.hetnet.nl with
Microsoft SMTPSVC(5.0.2195.5329);
Sun, 14 Dec 2003 18:06:58 +0100
Message-ID: <7ba101c3c264$e08baad3$21ff7c3a@jvjbiod>
From: "Stateson B. O'Conner" <statesonb.o'Conner_xb@terrific.com>
To: eagldwn@aol.com, eagle0025@aol.com, eagle0026@aol.com, eagle0081@aol.com,
eagle0411173@aol.com, eagle081702@aol.com, eagle1000245@aol.com
Subject: Keep the house payment money instead with the world wide web
lvpirqccbzzsqcyccj
Date: Sun, 14 Dec 2003 17:07:07 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0617_C2E0A5F2.7D8F54BE"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Return-Path: statesonb.o'Conner_xb@terrific.com
X-OriginalArrivalTime: 14 Dec 2003 17:06:58.0691 (UTC) FILETIME=[AF1C9530:01C3C264]
really from 195.121.210.221
ipc379d2dd.dial.hetnet.nl
Here we find "whois" the domain which sponsored the spam (money-trees.biz)
registered to
| Domain Name |
MONEY-TREES.BIZ |
| Domain ID |
D5733602-BIZ |
| Sponsoring Registrar |
DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Domain Status |
clientTransferProhibited |
| Registrant ID |
DI_186427 |
| Registrant Name |
Frerrics Domains SL |
| Registrant Organization |
Frerrics Fliney |
| Registrant Address1 |
12 Sequoia street |
| Registrant City |
Tampa |
| Registrant State/Province |
FL |
| Registrant Postal Code |
12444 |
| Registrant Country |
United States |
| Registrant Country Code |
US |
| Registrant Phone Number |
+001.112224457 |
| Registrant Email |
frerrics@hotmail.com |
| Administrative Contact ID |
DI_186427 |
| Administrative Contact Name |
Frerrics Domains SL |
| Administrative Contact Organization |
Frerrics Fliney |
| Administrative Contact Address1 |
12 Sequoia street |
| Administrative Contact City |
Tampa |
| Administrative Contact State/Province |
FL |
| Administrative Contact Postal Code |
12444 |
| Administrative Contact Country |
United States |
| Administrative Contact Country Code |
US |
| Administrative Contact Phone Number |
+001.112224457 |
| Administrative Contact Email |
frerrics@hotmail.com |
| Billing Contact ID |
DI_186427 |
| Billing Contact Name |
Frerrics Domains SL |
| Billing Contact Organization |
Frerrics Fliney |
| Billing Contact Address1 |
12 Sequoia street |
| Billing Contact City |
Tampa |
| Billing Contact State/Province |
FL |
| Billing Contact Postal Code |
12444 |
| Billing Contact Country |
United States |
| Billing Contact Country Code |
US |
| Billing Contact Phone Number |
+001.112224457 |
| Billing Contact Email |
frerrics@hotmail.com |
| Technical Contact ID |
DI_186427 |
| Technical Contact Name |
Frerrics Domains SL |
| Technical Contact Organization |
Frerrics Fliney |
| Technical Contact Address1 |
12 Sequoia street |
| Technical Contact City |
Tampa |
| Technical Contact State/Province |
FL |
| Technical Contact Postal Code |
12444 |
| Technical Contact Country |
United States |
| Technical Contact Country Code |
US |
| Technical Contact Phone Number |
+001.112224457 |
| Technical Contact Email |
frerrics@hotmail.com |
| Name Server |
NS1.BPDNS.NET |
| Name Server |
NS2.BPDNS.NET |
| Created by Registrar |
DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Last Updated by Registrar |
DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Domain Registration Date |
Fri Nov 21 20:11:28 GMT 2003 |
| Domain Expiration Date |
Sat Nov 20 23:59:59 GMT 2004 |
| Domain Last Updated Date |
Fri Dec 12 06:14:58 GMT 2003 |
This registration is substantially similar to the
same old crap for Frerrics Domains we found in registrations for the spamvertizing sites freeclicks.biz (see
sample spam from them) and ultimatepersonals.biz (see
sample spam from them). It came from the same turkeys that covered the
planet with offers to see Paris Hilton sex videos free as a way of enticing the
innocent into having their machine trojaned.
|