| Overview - Innocent Bystander
terrific.com Damaged by Spammers |
| Back to Terrific.com |
| Analysis of sample spam for the
"pharaohmeds.biz" site.
First of the 2004 spam, we can count on more to follow later.
"Got ` Xan+a+x ` :P:ntermin - V1@Gra '
So|m|a ` Va.l.ium More available. H4Bme8Fv " |
Analysis of sample spams for the
"Tabfor.biz" Collection of Crap -
brought to you from the jerks that have many sites now just blocking the
entire set of .biz domains as useless. All these spamvertizers are
registered to the same old tabfor.biz
and spamvertize pills and medicine - we hope the FDA and the FTC catch up
with them soon.
- spamvertizer = vpachka.biz
"Thats what i heard" (also received as
"In
your neighborhood")
- spamvertizer = spamsraahnet.biz Thur, 16 Oct 2003 "Xanax is ready nowO"
We don't know this was tabfor.biz as the domain was dead by the time we
got their, but it looks like his work.
- spamvertizer = hosting4vegas.com &
usosdland.biz Fri, 17 Oct 2003
"Che@ting House Wives: Quality Enjoyment for Days & Nights!..."
We find this one VERY interesting as it associates the "tabfor.biz"
garbage for the first time with a "Cheating House Wives" site, by virtue
of having both links in the same spam. We think Eddy screwed up.
- spamvertizer = kkuoher.biz Sat, 18 Oct 2003
"Xanax now part of the line g89ad23ldlxxf3s6clrf2e3e"
- spamvertizer = osaustech.biz Sat, 18 Oct 2003
"Valium now in the product line gwdahz2q1aagw29p4"
- spamvertizer =
osauser.biz Sun, 19 Oct 2003
"Overnight the Valium ic7kfz163vcoe1l8zbrx2b"
- spamvertizer = osausist.biz Sun, 19 Oct 2003
"All Valium 5e9grc2tgk4vg2je"
- spamvertizer =
ultraosaus.biz Sun, 19 Oct 2003
"Xanax in your
inbox maj6m21rn6s9m1zsn"
- spamvertizer = extrakurasd.biz
Sun, 19 Oct 2003
"tOtAl XaNAX 3yxkfs3irydy7d"
- spamvertizer = gojhaus.biz
Tuesday, October 21, 2003
"Valium in your inbox kixhch3uk7jhq3"
- spamvertizer = ejdojf.biz
Sat, 25 Oct 2003 "Fwd:
ValiumOHV"
- spamvertizer = activeosaus.biz
Sun, 26 Oct 2003
"Xanax is ready to goKKIYYZ"
- spamvertizer = realpouvr.biz
Fri, 31 Oct 2003 "Order
some prescription drugs, Zanaflex, zanaflex, viagrast
tiwveaunqavldushoqybgjog"
We see from reading NANAE that these domains are the work of
Eddy Marin. Ones he recently registered
that we haven't seen the spams for yet are:
adosaus.biz casinosaustrai.biz casinosaustraia.biz
derosausa.biz dildosaustralia.biz eosaus.biz extraosaus.biz fosaus.biz
gasthofgosausee.biz goosaus.biz gosauschmied.biz gosausee.biz hyperosaus.biz
interosaus.biz iosaus.biz magliosausage.biz malosaustralia.biz mimosausa.biz
myosaus.biz osaus.biz osaus1.biz osausant.biz osausarium.biz
osauscentral.biz osaused.biz osausent.biz osausing.biz osausion.biz
osausland.biz osausnet.biz osauss.biz osausweb.biz overosaus.biz
porcelanosausa.biz preosaus.biz proosaust.biz realosaust.biz
sabatinosausage.biz suposaust.biz symosaust.biz techosaust.biz theosaust.biz
transosaust.biz vamosausa.biz vosaus.biz |
| Analysis of sample spams from spamvertizers
registered to "Frerrics Domains SL"
(probably not their real name, I wouldn't put my real name on it,
would you?). Typically some flavor of "Online Cheating Wives".
As a result of this web site we are hearing from other domain owners who
have also been subjected to having their domain names forged into spam
messages from these people. A partial list of some of the other
spamvertizing domains registered to the Frerrics Domains gang includes:
easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info
refi-today.info save-hundreds.info
In most cases, the spamvertizer has registered both a .biz and a .info
version of the same domain name. |
| Analysis of sample spam spamvertizer =
net-click.net.ph ( Inovasion / FT International
) "I know
all that"
(also received as "Did you lose my ICQ?" &
"Do you remember me ?")
Insurance Crap |
| Analysis of sample spam spamvertizer =
1pills4less.biz
"Meet me
tomorrow" Make your penis bigger pills, although you'll never
be as big a dick as the "Edward Davidson" who is the false name this site is
registered to. |
| A collection of spams from a spamvertizer promising pills
that will make your dick bigger. Hosted in Brazil.
Spammer also has registered YOURPUBLICDNS.BIZ
and runs own DNS servers, one hosted in Brazil and one with
servepath.com in California. |
| Analysis of sample spam spamvertizer =
stuffedgrapes.net Tue, 21 Oct 2003
"Why not ask me. tywdip7hxkihk17iio3jgail1m" |
Analysis of sample spam spamvertizer =
rizonthebiz.biz
Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx"
(also received as "Why not ask
me. mjnibicnvpdebdjkq"
Analysis of sample spam spamvertizer =
downmoon.info
Tue, 11 Nov 2003 "Need
some action. ghdeafdpcnxzmdyae" believed to be from the
same jerks who brought us rizonthebiz.biz |
| A domain registrant of RTH, Inc
does a lot of spamming to seemingly random addresses (meaning children may
easily receive these) pushing free access to pornography. Nothing is
free, and we can bet there is at least some spyware or trojans being
installed on the machines or users foolish enough to click the link.
Domains registered to them include
goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM,
DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM,
& PANAMERICANHOSTING.COM spamvertizer =
goldfingerrock.biz
Sat, 25 Oct 2003 "this
is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer =
smackonthewall.biz
Sat, 25 Oct 2003 "is
this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz
Sun, 26 Oct 2003 "Get
in this way. xvieybdbjnxudtyjfdl" |
|
Here is the spam message, with its links disabled so nobody will
accidentally click and end up in spam hell.
From: Fletcher Blidy [fblidyds@terrific.com]
Sent: Monday, October 06, 2003 11:09 PM
To: alnegobv@lnd.com
Subject: Meet me tomorrow
Introducing VP-RX penis enlargement pills
Gain 3+ inches in length
Stop premature ejaculation
Produce stronger erections
100% Safe to use, no side effects
Your partner will be astounded
If you don't want to hear from us again please follow the link below
mdi8kb35jwc2 8u3vcp1nz6bpy 9pymg93diwmarx qc48l413o5r
ji31k9bykf3 ono5ug1ltmjwk cxlynb17miwon2 pprfs026ag29g
untr7x3lkbs0 bz71po3ahik
DIV>mjjc1u3kosqs 1odt4f2524at bjgueharijoz ywxh5eh3cx i70x3vdt48
carfu319ikbz61 lswmoa2z2lxdd1 p0xc9d2ywc80n n297rr3mkv3yl7 9quzv31y6bwlf
nk52ki1toywe vweaux3q8jr
9748a3woawq zo99791753ck
lkisls2skt5 a1nrdr1u439g hrslhi1by8dmt 2f3uk03sv0 n7utyg2qa5 10dan93xmelwe1
m7jfp41zera5j3
Thanks, bye.
Here is the header from the spam message
Return-Path: <fblidyds@terrific.com>
Received: from smtp-gateway-1.iwc.net (smtp-gateway-1.iwc.net [209.81.147.221])
by smtp-backlog.iwc.net (8.11.2/8.11.6) with ESMTP id h9749Qa23870
for <alnegobv@lnd.com>; Mon, 6 Oct 2003 23:09:26 -0500
Received: from mischief.com ([129.21.131.179])
by smtp-gateway-1.iwc.net (8.11.6/8.11.6) with ESMTP id h9748gQ29633
for <alnegobv@lnd.com>; Mon, 6 Oct 2003 23:08:49 -0500
Message-ID: <233701c38c88$ff0339e8$7c3d57dc@n7x3r51>
From: "Fletcher Blidy" <fblidyds@terrific.com>
To: alnegobv@lnd.com
Subject: Meet me tomorrow
Date: Tue, 07 Oct 2003 04:08:50 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_03F3_99568701.1AAA2173"
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-1: Not scanned: Please contact IWC Inc. for Virus and Spam
filtering only $1.50/month! 877-492-6381
X-MailScanner-SpamCheck-1:
Here we find "whois" the domain which sponsored the spam (1pills4less.biz)
registered to
| .BIZ Registry WHOIS Data |
-
| Domain Name |
1PILLS4LESS.BIZ |
| Domain ID |
D5361383-BIZ |
| Sponsoring Registrar |
TLDS INC. |
| Domain Status |
ok |
| Registrant ID |
3511067-SRSPLUS |
| Registrant Name |
Edward Davidson |
| Registrant Organization |
Davidson |
| Registrant Address1 |
235 West 48th Street |
| Registrant City |
New York |
| Registrant State/Province |
NY |
| Registrant Postal Code |
10036 |
| Registrant Country |
United States |
| Registrant Country Code |
US |
| Registrant Email |
products4less@hotmail.com |
| Administrative Contact ID |
3511067-SRSPLUS |
| Administrative Contact Name |
Edward Davidson |
| Administrative Contact Organization |
Davidson |
| Administrative Contact Address1 |
235 West 48th Street |
| Administrative Contact City |
New York |
| Administrative Contact State/Province |
NY |
| Administrative Contact Postal Code |
10036 |
| Administrative Contact Country |
United States |
| Administrative Contact Country Code |
US |
| Administrative Contact Email |
products4less@hotmail.com |
| Billing Contact ID |
3511067-SRSPLUS |
| Billing Contact Name |
Edward Davidson |
| Billing Contact Organization |
Davidson |
| Billing Contact Address1 |
235 West 48th Street |
| Billing Contact City |
New York |
| Billing Contact State/Province |
NY |
| Billing Contact Postal Code |
10036 |
| Billing Contact Country |
United States |
| Billing Contact Country Code |
US |
| Billing Contact Email |
products4less@hotmail.com |
| Technical Contact ID |
3511067-SRSPLUS |
| Technical Contact Name |
Edward Davidson |
| Technical Contact Organization |
Davidson |
| Technical Contact Address1 |
235 West 48th Street |
| Technical Contact City |
New York |
| Technical Contact State/Province |
NY |
| Technical Contact Postal Code |
10036 |
| Technical Contact Country |
United States |
| Technical Contact Country Code |
US |
| Technical Contact Email |
products4less@hotmail.com |
| Name Server |
NS1.8XP.NET |
| Name Server |
NS2.8XP.NET |
| Name Server |
NS3.8XP.NET |
| Created by Registrar |
TLDS INC. |
| Last Updated by Registrar |
TLDS INC. |
| Domain Registration Date |
Tue Sep 23 20:45:17 GMT 2003 |
| Domain Expiration Date |
Wed Sep 22 23:59:59 GMT 2004 |
| Domain Last Updated Date |
Tue Sep 23 20:59:05 GMT 2003 |
| |
|
So now what about those nameservers, whois 8xp.net?
Domain name: 8xp.net
Registrant :
Domains For Sale
Domains Administrator (websubit@yahoo.com.sg)
+91.265695305
FAX: +91.265695305
703 Xanadu C
Prathamesh Complex. Veera Desai Rd
Mumbai, 400058
IN
Administrative :
Domains For Sale
Domains Administrator (websubit@yahoo.com.sg)
+91.265695305
FAX: +91.265695305
703 Xanadu C
Prathamesh Complex. Veera Desai Rd
Mumbai, 400058
IN
Billing :
Domains For Sale
Domains Administrator (websubit@yahoo.com.sg)
+91.265695305
FAX: +91.265695305
703 Xanadu C
Prathamesh Complex. Veera Desai Rd
Mumbai, 400058
IN
Technical :
Domains For Sale
Domains Administrator (websubit@yahoo.com.sg)
+91.265695305
FAX: +91.265695305
703 Xanadu C
Prathamesh Complex. Veera Desai Rd
Mumbai, 400058
IN
Name servers:
NS1.8XP.NET
NS2.8XP.NET
NS3.8XP.NET
Created: 2002-02-17 10:18:48
Expires: 2004-02-17 10:18:48
Here we find the ip address for the website sponsoring the spam
10/12/03 01:23:10 dns http://www.1pills4less.biz
Canonical name: www.1pills4less.biz
Addresses:
202.4.248.44
Now we look to see who owns the ip address block for 202.4.249.44
inetnum: 202.4.248.0 - 202.4.249.255
netname: CERTICAL1
descr: Certical ISP. KL, Malaysia
country: MY
admin-c: FA2-AP
tech-c: FA2-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-MY-CERTICAL
status: ASSIGNED PORTABLE
remarks: For spam and abuse, pls forward emails to abuse@certical.com
remarks: Send NOC requests to noc@certical.com
remarks: ###################################################
remarks: This object can only be modified by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to hostmaster@apnic.net with your organisation
remarks: account name in the subject line.
remarks: ##################################################
changed: hm-changed@apnic.net 20030804
changed: hm-changed@apnic.net 20030812
changed: hm-changed@apnic.net 20030828
source: APNIC
person: Dr.Mohammed Fazli Ridzuan Ismail
nic-hdl: FA2-AP
e-mail: noc@certical.com
address: NOC Department, Vistadamai
address: 16 Jalan Tun Razak, Unit No:3A-3A-340
address: Kuala Lumpur 50456. Malaysia
phone: +603-27117711
fax-no: +603-27117828
country: MY
remarks: For spam and abuse, pls forward emails to abuse@certical.com
remarks: Send NOC requests to noc@certical.com
changed: admin@certical.org 20030808
mnt-by: MAINT-MY-CERTICAL
source: APNIC
|