Analysis of sample spam
spamvertizer = pharaohmeds.biz
Friday, January 23, 2004 8:45 AM
Subject "Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv "

Overview - Innocent Bystander terrific.com Damaged by Spammers

Back to Terrific.com

Analysis of sample spam for the "pharaohmeds.biz" site. First of the 2004 spam, we can count on more to follow later. "Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv "

Analysis of sample spams for the "Tabfor.biz" Collection of Crap - brought to you from the jerks that have many sites now just blocking the entire set of .biz domains as useless. All these spamvertizers are registered to the same old tabfor.biz and spamvertize pills and medicine - we hope the FDA and the FTC catch up with them soon.

spamvertizer = vpachka.biz "Thats what i heard" (also received as "In your neighborhood")
spamvertizer = spamsraahnet.biz Thur, 16 Oct 2003 "Xanax is ready nowO" We don't know this was tabfor.biz as the domain was dead by the time we got their, but it looks like his work.
spamvertizer = hosting4vegas.com & usosdland.biz Fri, 17 Oct 2003 "Che@ting House Wives: Quality Enjoyment for Days & Nights!..." We find this one VERY interesting as it associates the "tabfor.biz" garbage for the first time with a "Cheating House Wives" site, by virtue of having both links in the same spam. We think Eddy screwed up.
spamvertizer = kkuoher.biz Sat, 18 Oct 2003 "Xanax now part of the line g89ad23ldlxxf3s6clrf2e3e"
spamvertizer = osaustech.biz Sat, 18 Oct 2003 "Valium now in the product line gwdahz2q1aagw29p4"
spamvertizer = osauser.biz Sun, 19 Oct 2003 "Overnight the Valium ic7kfz163vcoe1l8zbrx2b"
spamvertizer = osausist.biz Sun, 19 Oct 2003 "All Valium 5e9grc2tgk4vg2je"
spamvertizer = ultraosaus.biz Sun, 19 Oct 2003 "Xanax in your inbox maj6m21rn6s9m1zsn"
spamvertizer = extrakurasd.biz Sun, 19 Oct 2003 "tOtAl XaNAX 3yxkfs3irydy7d"
spamvertizer = gojhaus.biz Tuesday, October 21, 2003 "Valium in your inbox kixhch3uk7jhq3"
spamvertizer = ejdojf.biz Sat, 25 Oct 2003 "Fwd: ValiumOHV"
spamvertizer = activeosaus.biz Sun, 26 Oct 2003 "Xanax is ready to goKKIYYZ"
spamvertizer = realpouvr.biz Fri, 31 Oct 2003 "Order some prescription drugs, Zanaflex, zanaflex, viagrast tiwveaunqavldushoqybgjog"

We see from reading NANAE that these domains are the work of Eddy Marin. Ones he recently registered that we haven't seen the spams for yet are:
adosaus.biz casinosaustrai.biz casinosaustraia.biz derosausa.biz dildosaustralia.biz eosaus.biz extraosaus.biz fosaus.biz gasthofgosausee.biz goosaus.biz gosauschmied.biz gosausee.biz hyperosaus.biz interosaus.biz iosaus.biz magliosausage.biz malosaustralia.biz mimosausa.biz myosaus.biz osaus.biz osaus1.biz osausant.biz osausarium.biz osauscentral.biz osaused.biz osausent.biz osausing.biz osausion.biz osausland.biz osausnet.biz osauss.biz osausweb.biz overosaus.biz porcelanosausa.biz preosaus.biz proosaust.biz realosaust.biz sabatinosausage.biz suposaust.biz symosaust.biz techosaust.biz theosaust.biz transosaust.biz vamosausa.biz vosaus.biz

Analysis of sample spams from spamvertizers registered to "Frerrics Domains SL" (probably not their real name, I wouldn't put my real name on it, would you?). Typically some flavor of "Online Cheating Wives".

spamvertizer = freeclicks.biz "You blocked my IM!"
spamvertizer = ultimatepersonals.biz Wed, 15 Oct 2003 05:18:11 +0000 "Find the ones that are looking for it hbkefs31brf8bxex8l"
spamvertizer = hotdogfactory.info Fri, 21 Nov 2003 11:08:03 +0000 "Paris Hilton Sex Video ewisysdtuelzzblqje" Our theory is that this lure of free pornography is what draws internet users to get their machines infected with the trojan program that turns their machines into spam spewing robots.
spamvertizer = money-trees.biz Sun, 14 Dec 2003 18:06:58 +0100 "Keep the house payment money instead with the world wide web lvpirqccbzzsqcyccj"

As a result of this web site we are hearing from other domain owners who have also been subjected to having their domain names forged into spam messages from these people. A partial list of some of the other spamvertizing domains registered to the Frerrics Domains gang includes: easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info refi-today.info save-hundreds.info

In most cases, the spamvertizer has registered both a .biz and a .info version of the same domain name.

Analysis of sample spam spamvertizer = net-click.net.ph ( Inovasion / FT International ) "I know all that" (also received as "Did you lose my ICQ?" & "Do you remember me ?") Insurance Crap

Analysis of sample spam spamvertizer = 1pills4less.biz "Meet me tomorrow" Make your penis bigger pills, although you'll never be as big a dick as the "Edward Davidson" who is the false name this site is registered to.

A collection of spams from a spamvertizer promising pills that will make your dick bigger. Hosted in Brazil.

spam spamvertizer = lunburrymeds.biz "Upgrade your tool"
spam spamvertizer = singletonmeds.biz "Bigger Package oyvjwdbpzumucdvjxhawcwuj"
spam spamvertizer = kellymedz.biz Sun, 26 Oct 2003 "Want a larger package uqucfvdchznhndjvsefudmt"

Spammer also has registered YOURPUBLICDNS.BIZ and runs own DNS servers, one hosted in Brazil and one with servepath.com in California.

Analysis of sample spam spamvertizer = stuffedgrapes.net Tue, 21 Oct 2003 "Why not ask me. tywdip7hxkihk17iio3jgail1m"

Analysis of sample spam spamvertizer = rizonthebiz.biz Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx" (also received as "Why not ask me. mjnibicnvpdebdjkq"
Analysis of sample spam spamvertizer = downmoon.info Tue, 11 Nov 2003 "Need some action. ghdeafdpcnxzmdyae" believed to be from the same jerks who brought us rizonthebiz.biz

A domain registrant of RTH, Inc does a lot of spamming to seemingly random addresses (meaning children may easily receive these) pushing free access to pornography. Nothing is free, and we can bet there is at least some spyware or trojans being installed on the machines or users foolish enough to click the link. Domains registered to them include goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM, DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM, & PANAMERICANHOSTING.COM

spamvertizer = goldfingerrock.biz Sat, 25 Oct 2003 "this is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer = smackonthewall.biz Sat, 25 Oct 2003 "is this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz Sun, 26 Oct 2003 "Get in this way. xvieybdbjnxudtyjfdl"

Here is the spam message.

From: Lauren Jordan [YBurt@terrific.com]
Sent: Friday, January 23, 2004 8:45 AM
To: patt@nfdc.net
Cc: patten@nfdc.net; pattersc@nfdc.net; pattersn@nfdc.net; patterso@nfdc.net; pattersons@nfdc.net; pattig@nfdc.net; patton1@nfdc.net; patton@nfdc.net
Subject: Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv

Importance: Low

therefor cardioid fibrous conformal porosity

You too can now enjoy the same deep discounts offered to US residents by ordering your medications directly from us.

Weight Loss:	OpBAdipex YGXIonamin z9wPhentermine n8ZTenuate RQEXenical VpWMeridia
Muscle Relaxants:	SR8Soma c0zCyclobenzaprine vZlFlexeril SsESkelaxin 41VZanaflex
Men's Health:	lUoPropecia
Sexual Health:	m0zLevitra, heZv\|aGr@ IeLv\|@Gra ST XM2Super v\|agR@ (Cialis) FQmAcyclovir KhPValtrex HjWFamvir
Pain Relief:	im4Ultram HxaTramadol WYnFlextra-DS ErZVioxx
Anti-Depressants:	40Z:XANAX: ctL.Valium. o1fProzac lAXBupropion HCL pbvWellbutrin SR vxjZoloft FvSEffexor sxcPaxil w1RCelexa
Sleeping Aids:	otVAmbien porSonata
Migraine Relief:	69jFioricet RwKEsgic Plus zUMImitrex Z31Zebutal
Anxiety:	tyhBuspar
Women's Health:	KflDiflucan chtOrtho Evra patch u9sOrtho Tri-Cyclen Triphasil F7zVaniqa Cream
Skin Care:	WQLRenova dHnCream Retin-A

We deliver to you very fast - and that is a promise. We accept almost every form of payment.

Start enjoying discount meds here. (This links to http://www.pharaohmeds.biz -Ed.)

I found the arrow, still unbroke;
The day is done, and the darkness
"A boy's will is the wind's will,
The shadows of Deering's Woods;

(This links to http://www.pharaohmeds.biz -Ed.)

Here is the header from the spam message

Return-Path: <YBurt@terrific.com>
Received: (from root@localhost)
by smtp1.nfdc.net (8.12.8/8.12.8) id i0O2ko6d019200;
Fri, 23 Jan 2004 21:46:50 -0500
Received: from ip-69-10-116-190.cableaz.net (ip-69-10-116-190.cableaz.net [69.10.116.190] (may be forged))
by smtp1.nfdc.net (8.12.8/8.12.8) with SMTP id i0O2kjOW018898;
Fri, 23 Jan 2004 21:46:46 -0500
Received: from 160.110.190.46 by 69.10.116.190; Fri, 23 Jan 2004 07:41:32 -0700
Message-ID: <FXBWUSBIOYOYJDPXIZONCVV@femail.com>
From: "Lauren Jordan" <YBurt@terrific.com>
Reply-To: "Lauren Jordan" <YBurt@terrific.com>
To: patt@nfdc.net
Cc: patten@nfdc.net, pattersc@nfdc.net, pattersn@nfdc.net, patterso@nfdc.net,
pattersons@nfdc.net, pattig@nfdc.net, patton1@nfdc.net, patton@nfdc.net
Subject: Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv
Date: Fri, 23 Jan 2004 09:44:32 -0500
X-Mailer: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/200210039
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--30594825660692560577"
X-Priority: 5

really from ip-69-10-116-190.cableaz.net [69.10.116.190]

Here we find "whois" the domain which sponsored the spam (pharaohmeds.biz) registered to

Domain Name	PHARAOHMEDS.BIZ
Domain ID	D6100268-BIZ
Sponsoring Registrar	CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Status	ok
Registrant ID	CNEU-94877
Registrant Name	Pining Garcia
Registrant Address1	POBox 704
Registrant City	Caloocan City
Registrant Postal Code	1400
Registrant Country	Philippines
Registrant Country Code	PH
Registrant Phone Number	+639.263497186
Registrant Email	pining@total-isp.biz
Administrative Contact ID	CNEU-94874
Administrative Contact Name	Pining Garcia
Administrative Contact Address1	POBox 704
Administrative Contact City	Caloocan City
Administrative Contact Postal Code	1400
Administrative Contact Country	Philippines
Administrative Contact Country Code	PH
Administrative Contact Phone Number	+639.263497186
Administrative Contact Email	pining@total-isp.biz
Billing Contact ID	CNEU-94874
Billing Contact Name	Pining Garcia
Billing Contact Address1	POBox 704
Billing Contact City	Caloocan City
Billing Contact Postal Code	1400
Billing Contact Country	Philippines
Billing Contact Country Code	PH
Billing Contact Phone Number	+639.263497186
Billing Contact Email	pining@total-isp.biz
Technical Contact ID	CNEU-94874
Technical Contact Name	Pining Garcia
Technical Contact Address1	POBox 704
Technical Contact City	Caloocan City
Technical Contact Postal Code	1400
Technical Contact Country	Philippines
Technical Contact Country Code	PH
Technical Contact Phone Number	+639.263497186
Technical Contact Email	pining@total-isp.biz
Name Server	NS.ABLEACCESS.BIZ
Name Server	NS1.ABLEACCESS.BIZ
Created by Registrar	CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Registration Date	Wed Jan 21 14:56:10 GMT 2004
Domain Expiration Date	Thu Jan 20 23:59:59 GMT 2005

This registration has nothing OBVIOUSLY bogus or missing that we could complain to the registrar about, although it would be a safe bet to assume that no such person actually exists at the addresses and phone numbers given.

This page last updated 01/24/2004 02:37:22 PM -0600