| Overview - Innocent Bystander
terrific.com Damaged by Spammers |
| Analysis of sample spam for the
"pharaohmeds.biz" site.
First of the 2004 spam, we can count on more to follow later.
"Got ` Xan+a+x ` :P:ntermin - V1@Gra '
So|m|a ` Va.l.ium More available. H4Bme8Fv " |
Analysis of sample spams for the
"Tabfor.biz" Collection of Crap -
brought to you from the jerks that have many sites now just blocking the
entire set of .biz domains as useless. All these spamvertizers are
registered to the same old tabfor.biz
and spamvertize pills and medicine - we hope the FDA and the FTC catch up
with them soon.
- spamvertizer = vpachka.biz
"Thats what i heard" (also received as
"In
your neighborhood")
- spamvertizer = spamsraahnet.biz Thur, 16 Oct 2003 "Xanax is ready nowO"
We don't know that this was tabfor.biz, as the domain was dead by the time we
got there, but it looks like his work.
- spamvertizer = hosting4vegas.com &
usosdland.biz Fri, 17 Oct 2003
"Che@ting House Wives: Quality Enjoyment for Days & Nights!..."
We find this one VERY interesting as it associates the "tabfor.biz"
garbage for the first time with a "Cheating House Wives" site, by virtue
of having both links in the same spam. We think Eddy screwed up.
- spamvertizer = kkuoher.biz Sat, 18 Oct 2003
"Xanax now part of the line g89ad23ldlxxf3s6clrf2e3e"
- spamvertizer = osaustech.biz Sat, 18 Oct 2003
"Valium now in the product line gwdahz2q1aagw29p4"
- spamvertizer =
osauser.biz Sun, 19 Oct 2003
"Overnight the Valium ic7kfz163vcoe1l8zbrx2b"
- spamvertizer = osausist.biz Sun, 19 Oct 2003
"All Valium 5e9grc2tgk4vg2je"
- spamvertizer =
ultraosaus.biz Sun, 19 Oct 2003
"Xanax in your
inbox maj6m21rn6s9m1zsn"
- spamvertizer = extrakurasd.biz
Sun, 19 Oct 2003
"tOtAl XaNAX 3yxkfs3irydy7d"
- spamvertizer = gojhaus.biz
Tuesday, October 21, 2003
"Valium in your inbox kixhch3uk7jhq3"
- spamvertizer = ejdojf.biz
Sat, 25 Oct 2003 "Fwd:
ValiumOHV"
- spamvertizer = activeosaus.biz
Sun, 26 Oct 2003
"Xanax is ready to goKKIYYZ"
- spamvertizer = realpouvr.biz
Fri, 31 Oct 2003 "Order
some prescription drugs, Zanaflex, zanaflex, viagrast
tiwveaunqavldushoqybgjog"
We see from reading NANAE that these domains are the work of
Eddy Marin. Ones he recently registered
that we haven't seen the spams for yet are:
|
| Analysis of sample spams from spamvertizers
registered to "Frerrics Domains SL"
(probably not their real name, I wouldn't put my real name on it,
would you?). Typically some flavor of "Online Cheating Wives".
As a result of this web site we are hearing from other domain owners who
have also been subjected to having their domain names forged into spam
messages from these people. A partial list of some of the other
spamvertizing domains registered to the Frerrics Domains gang includes:
easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info
refi-today.info save-hundreds.info
In most cases, the spamvertizer has registered both a .biz and a .info
version of the same domain name. |
| Analysis of sample spam spamvertizer =
net-click.net.ph ( Inovasion / FT International
) "I know
all that"
(also received as "Did you lose my ICQ?" &
"Do you remember me ?")
Insurance Crap |
| Analysis of sample spam spamvertizer =
1pills4less.biz
"Meet me
tomorrow" Make your penis bigger pills, although you'll never
be as big a dick as the "Edward Davidson" who is the false name this site is
registered to. |
| A collection of spams from a spamvertizer promising pills
that will make your dick bigger. Hosted in Brazil.
The spammer has also registered YOURPUBLICDNS.BIZ
and runs his own DNS servers, one hosted in Brazil and one with
servepath.com in California. |
| Analysis of sample spam spamvertizer =
stuffedgrapes.net Tue, 21 Oct 2003
"Why not ask me. tywdip7hxkihk17iio3jgail1m" |
Analysis of sample spam spamvertizer =
rizonthebiz.biz
Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx"
(also received as "Why not ask
me. mjnibicnvpdebdjkq")
Analysis of sample spam spamvertizer =
downmoon.info
Tue, 11 Nov 2003 "Need
some action. ghdeafdpcnxzmdyae" believed to be from the
same jerks who brought us rizonthebiz.biz |
| A domain registrant of RTH, Inc
does a lot of spamming to seemingly random addresses (meaning children may
easily receive these) pushing free access to pornography. Nothing is
free, and we can bet there is at least some spyware or trojans being
installed on the machines of users foolish enough to click the link.
Domains registered to them include
goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM,
DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM,
& PANAMERICANHOSTING.COM spamvertizer =
goldfingerrock.biz
Sat, 25 Oct 2003 "this
is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer =
smackonthewall.biz
Sat, 25 Oct 2003 "is
this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz
Sun, 26 Oct 2003 "Get
in this way. xvieybdbjnxudtyjfdl" |
|
Here is the spam message, with its links disabled so nobody will
accidentally click and end up in spam hell.
From: Kuldip G. Murphy-king [kmurphy-king_wd@terrific.com]
Sent: Wednesday, October 15, 2003 12:18 AM
To: alfred_katz@hotmail.com; alfred_lau@hotmail.com; alfred_li00@hotmail.com;
alfred_lord@hotmail.com; alfred_mimenza@hotmail.com; alfred_morris@hotmail.com;
alfred_nemes@hotmail.com
Subject: Find the ones that are looking for it hbkefs31brf8bxex8l
Browse thru our
database of online cheating
wives. If
all you want is sex then this
is your personals
site.
Get
it on tonight (linked to spamhttp://ultimatepersonals.biz/onlinecheatingwives/100055.html
- ed.)
iqcto98ga0wjhn69bg6s3q5a5 4nz7t85nrdpd3qoz59c1ajc4wh3 y26nh21tcqxoquhtk19h01a
rl90asmoi9twkbn41xxqfo1 eu4ltbxvkf43i6slrv2og1k j71cc21xea3tk82uyh3acv7
sb98ig2pcrhe6836h1348 ggflau3psth750utp8lmqwog3 g35z5h39jgkiy59t3p87z8
Here is an alternate form of the spam message, with its links disabled so nobody will
accidentally click and end up in spam hell.
From: Maggi Leibowitz [maggileibowitzbr@terrific.com]
Sent: Wednesday, October 15, 2003 5:55 AM
To: biboyuk@hotmail.com; bibleteach2001@hotmail.com; biblethumper83@hotmail.com
Subject: Online Cheating Wives 0rp4t43919adm17az6
Our database of married but lonely
house wives has doubled in the last 3 months! The site just
keeps growing!! The truth is these ladies
just want to be able to
meet guys and still keep
their family's. Most
of them are simply looking for
new friends, part time
lovers and one night stands.
If you are
looking for single woman than
you should try a different
web site. This one is
all about
married horny house wives
:)
Get Lucky Tonight (linked to spamhttp://ultimatepersonals.biz/onlinecheatingwives/100055.html
- ed.)
l2mmsw2w2dlke3r00sv2mezq9 dfbh3l1h9na5y2vveh1xau 3vthir3tduz7ihv0fmm13jo1cl
b03c902mrd8p4vcle2yzz8ha2 7rg0yb3djjxeykp11y2jqye fte0dc3ixqxvf3anyq5c37n9
8sd4za1urw1rx2t66wffya8qqn56 vck9udhqlxp84cto52d6he nvrcv83ojffordy31avb8c
Here is the header from the spam message
Received: from awn.com ([64.230.172.122])
by tomts10-srv.bellnexxia.net
(InterMail vM.5.01.06.04 201-253-122-130-104-20030726) with ESMTP
id <20031015051809.EXZR1840.tomts10-srv.bellnexxia.net@awn.com>;
Wed, 15 Oct 2003 01:18:09 -0400
Message-ID: <5ca401c392db$2ce6b8d2$a9d2e1d5@ftrwh2i>
From: "Kuldip G. Murphy-king" <kmurphy-king_wd@terrific.com>
To: alfred_katz@hotmail.com, alfred_lau@hotmail.com, alfred_li00@hotmail.com,
alfred_lord@hotmail.com, alfred_mimenza@hotmail.com, alfred_morris@hotmail.com,
alfred_nemes@hotmail.com
Subject: Find the ones that are looking for it hbkefs31brf8bxex8l
Date: Wed, 15 Oct 2003 05:18:11 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0351_DCE706E0.9DE37ED6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
(really from 64.230.172.122
HSE-Montreal-ppp102285.qc.sympatico.ca)
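The header check described above, as an added example that is not part of the original page: it pulls the connecting IP and HELO name out of the topmost Received line and tests whether anything in the header backs up the terrific.com From: address. The helper names `related` and `analyze` are hypothetical; the reverse-DNS lookup that produced the sympatico.ca name is not repeated, so the code runs offline.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header fields copied from the sample above; continuation lines are
# re-indented with tabs so the parser treats them as folded headers.
RAW_HEADER = (
    "Received: from awn.com ([64.230.172.122])\n"
    "\tby tomts10-srv.bellnexxia.net\n"
    "\t(InterMail vM.5.01.06.04 201-253-122-130-104-20030726) with ESMTP\n"
    "\tid <20031015051809.EXZR1840.tomts10-srv.bellnexxia.net@awn.com>;\n"
    "\tWed, 15 Oct 2003 01:18:09 -0400\n"
    "Message-ID: <5ca401c392db$2ce6b8d2$a9d2e1d5@ftrwh2i>\n"
    'From: "Kuldip G. Murphy-king" <kmurphy-king_wd@terrific.com>\n'
    "Subject: Find the ones that are looking for it hbkefs31brf8bxex8l\n"
    "\n"
)

# "from <HELO name> ([<connecting IP>]) by <receiving server>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def related(host, domain):
    """True if host is the domain itself or a name underneath it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    msg = message_from_string(raw)
    # The topmost Received line is stamped by the server that accepted the
    # message, so its bracketed IP is recorded by that server, not the sender.
    top = " ".join((msg.get_all("Received") or [""])[0].split())
    m = RECEIVED_RE.search(top)
    if m is None:
        raise ValueError("unrecognised Received format")
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    msgid_host = msg["Message-ID"].strip().strip("<>").rpartition("@")[2]
    return {
        "connecting_ip": m.group("ip"),
        "helo": m.group("helo"),
        "received_by": m.group("by"),
        "from_domain": from_domain,
        "msgid_host": msgid_host,
        # Does the HELO name or the Message-ID host back up the From: domain?
        "from_supported": any(
            related(h, from_domain) for h in (m.group("helo"), msgid_host)
        ),
    }

if __name__ == "__main__":
    for key, value in analyze(RAW_HEADER).items():
        print(f"{key:14} {value}")
```
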
Here is the "whois" record for the domain which sponsored the spam
(ultimatepersonals.biz), showing who it is registered to:
| .BIZ Registry WHOIS Data |
| Domain Name | ULTIMATEPERSONALS.BIZ |
| Domain ID | D5336532-BIZ |
| Sponsoring Registrar | DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Domain Status | clientTransferProhibited |
| Registrant ID | DI_186427 |
| Registrant Name | Frerrics Domains SL |
| Registrant Organization | Frerrics Fliney |
| Registrant Address1 | 12 Sequoia street |
| Registrant City | Tampa |
| Registrant State/Province | FL |
| Registrant Postal Code | 12444 |
| Registrant Country | United States |
| Registrant Country Code | US |
| Registrant Phone Number | +001.112224457 |
| Registrant Email | frerrics@hotmail.com |
| Administrative Contact ID | DI_186427 |
| Administrative Contact Name | Frerrics Domains SL |
| Administrative Contact Organization | Frerrics Fliney |
| Administrative Contact Address1 | 12 Sequoia street |
| Administrative Contact City | Tampa |
| Administrative Contact State/Province | FL |
| Administrative Contact Postal Code | 12444 |
| Administrative Contact Country | United States |
| Administrative Contact Country Code | US |
| Administrative Contact Phone Number | +001.112224457 |
| Administrative Contact Email | frerrics@hotmail.com |
| Billing Contact ID | DI_186427 |
| Billing Contact Name | Frerrics Domains SL |
| Billing Contact Organization | Frerrics Fliney |
| Billing Contact Address1 | 12 Sequoia street |
| Billing Contact City | Tampa |
| Billing Contact State/Province | FL |
| Billing Contact Postal Code | 12444 |
| Billing Contact Country | United States |
| Billing Contact Country Code | US |
| Billing Contact Phone Number | +001.112224457 |
| Billing Contact Email | frerrics@hotmail.com |
| Technical Contact ID | DI_186427 |
| Technical Contact Name | Frerrics Domains SL |
| Technical Contact Organization | Frerrics Fliney |
| Technical Contact Address1 | 12 Sequoia street |
| Technical Contact City | Tampa |
| Technical Contact State/Province | FL |
| Technical Contact Postal Code | 12444 |
| Technical Contact Country | United States |
| Technical Contact Country Code | US |
| Technical Contact Phone Number | +001.112224457 |
| Technical Contact Email | frerrics@hotmail.com |
| Name Server | NS1.FREEJOINSNOW222.BIZ |
| Name Server | NS2.FREEJOINSNOW222.BIZ |
| Created by Registrar | DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Last Updated by Registrar | DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Domain Registration Date | Thu Sep 18 21:19:10 GMT 2003 |
| Domain Expiration Date | Fri Sep 17 23:59:59 GMT 2004 |
| Domain Last Updated Date | Thu Sep 18 21:28:38 GMT 2003 |
This is the same registrant as freeclicks.biz
seen earlier here, through
the same registrar, but with different domain name servers.
So now what about those nameservers for the spamvertizer's domain, whois
freejoinsnow222.biz?
| .BIZ Registry WHOIS Data |
| Domain Name | FREEJOINSNOW222.BIZ |
| Domain ID | D5330875-BIZ |
| Sponsoring Registrar | DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Domain Status | clientTransferProhibited |
| Registrant ID | DI_185744 |
| Registrant Name | Marc Singer |
| Registrant Organization | free join now |
| Registrant Address1 | 51 Elm Street |
| Registrant City | Tampa |
| Registrant State/Province | Fl |
| Registrant Postal Code | 12444 |
| Registrant Country | United States |
| Registrant Country Code | US |
| Registrant Phone Number | +001.225544411 |
| Registrant Email | freejoinsnow222@hotmail.com |
| Administrative Contact ID | DI_185744 |
| Administrative Contact Name | Marc Singer |
| Administrative Contact Organization | free join now |
| Administrative Contact Address1 | 51 Elm Street |
| Administrative Contact City | Tampa |
| Administrative Contact State/Province | Fl |
| Administrative Contact Postal Code | 12444 |
| Administrative Contact Country | United States |
| Administrative Contact Country Code | US |
| Administrative Contact Phone Number | +001.225544411 |
| Administrative Contact Email | freejoinsnow222@hotmail.com |
| Billing Contact ID | DI_185744 |
| Billing Contact Name | Marc Singer |
| Billing Contact Organization | free join now |
| Billing Contact Address1 | 51 Elm Street |
| Billing Contact City | Tampa |
| Billing Contact State/Province | Fl |
| Billing Contact Postal Code | 12444 |
| Billing Contact Country | United States |
| Billing Contact Country Code | US |
| Billing Contact Phone Number | +001.225544411 |
| Billing Contact Email | freejoinsnow222@hotmail.com |
| Technical Contact ID | DI_185744 |
| Technical Contact Name | Marc Singer |
| Technical Contact Organization | free join now |
| Technical Contact Address1 | 51 Elm Street |
| Technical Contact City | Tampa |
| Technical Contact State/Province | Fl |
| Technical Contact Postal Code | 12444 |
| Technical Contact Country | United States |
| Technical Contact Country Code | US |
| Technical Contact Phone Number | +001.225544411 |
| Technical Contact Email | freejoinsnow222@hotmail.com |
| Name Server | NS1.POWERMAILING.BIZ |
| Name Server | NS2.POWERMAILING.BIZ |
| Created by Registrar | DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Last Updated by Registrar | DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) |
| Domain Registration Date | Wed Sep 17 22:11:42 GMT 2003 |
| Domain Expiration Date | Thu Sep 16 23:59:59 GMT 2004 |
| Domain Last Updated Date | Wed Sep 17 22:10:38 GMT 2003 |
We note that the DNS for the spamvertizer's DNS is
powermailing.biz, and because that sure sounds like a spamming-related domain, we
whois it too:
| .BIZ Registry WHOIS Data |
| Domain Name | POWERMAILING.BIZ |
| Domain ID | D4886017-BIZ |
| Sponsoring Registrar | IHOLDINGS.COM, INC. D/B/A DOTREGISTRAR.COM |
| Domain Status | ok |
| Registrant ID | 507480-R |
| Registrant Name | POWERMAILING.BIZ |
| Registrant Address1 | Av. Cordoba 2122 |
| Registrant City | BUENOS AIRES |
| Registrant State/Province | Bs As |
| Registrant Postal Code | C1120AAQ |
| Registrant Country | Argentina |
| Registrant Country Code | AR |
| Registrant Phone Number | +1.43744448 |
| Registrant Email | abuse@powermailing.biz |
| Administrative Contact ID | 507480-A |
| Administrative Contact Name | POWERMAILING.BIZ |
| Administrative Contact Address1 | Av. Cordoba 2122 |
| Administrative Contact City | BUENOS AIRES |
| Administrative Contact State/Province | Bs As |
| Administrative Contact Postal Code | C1120AAQ |
| Administrative Contact Country | Argentina |
| Administrative Contact Country Code | AR |
| Administrative Contact Phone Number | +1.43744448 |
| Administrative Contact Email | abuse@powermailing.biz |
| Billing Contact ID | 507480-B |
| Billing Contact Name | POWERMAILING.BIZ |
| Billing Contact Address1 | Av. Cordoba 2122 |
| Billing Contact City | BUENOS AIRES |
| Billing Contact State/Province | Bs As |
| Billing Contact Postal Code | C1120AAQ |
| Billing Contact Country | Argentina |
| Billing Contact Country Code | AR |
| Billing Contact Phone Number | +1.43744448 |
| Billing Contact Email | abuse@powermailing.biz |
| Technical Contact ID | 507480-T |
| Technical Contact Name | POWERMAILING.BIZ |
| Technical Contact Address1 | Av. Cordoba 2122 |
| Technical Contact City | BUENOS AIRES |
| Technical Contact State/Province | Bs As |
| Technical Contact Postal Code | C1120AAQ |
| Technical Contact Country | Argentina |
| Technical Contact Country Code | AR |
| Technical Contact Phone Number | +1.43744448 |
| Technical Contact Email | abuse@powermailing.biz |
| Name Server | NS1.POWERMAILING.BIZ |
| Name Server | NS2.POWERMAILING.BIZ |
| Name Server | NS3.POWERMAILING.BIZ |
| Created by Registrar | IHOLDINGS.COM, INC. D/B/A DOTREGISTRAR.COM |
| Last Updated by Registrar | IHOLDINGS.COM, INC. D/B/A DOTREGISTRAR.COM |
| Domain Registration Date | Sun Jun 22 01:01:17 GMT 2003 |
| Domain Expiration Date | Mon Jun 21 23:59:59 GMT 2004 |
| Domain Last Updated Date | Sun Jun 22 01:29:50 GMT 2003 |
Here we find the IP address for the spamvertizer, http://ultimatepersonals.biz:
10/15/03 01:09:23 dns http://ultimatepersonals.biz
Mail for ultimatepersonals.biz is handled by mail.ultimatepersonals.biz
Canonical name: ultimatepersonals.biz
Addresses:
200.210.170.39
Let's also look up the spamvertizer's DNS servers at
NS1.freejoinsnow222.BIZ and NS2.freejoinsnow222.BIZ:
10/15/03 04:06:14 dns NS1.FREEJOINSNOW222.BIZ
Canonical name: NS1.FREEJOINSNOW222.BIZ
Addresses:
67.96.72.82
10/15/03 04:07:40 dns NS2.FREEJOINSNOW222.BIZ
Canonical name: NS2.FREEJOINSNOW222.BIZ
Addresses:
67.96.72.83
Let's also look up the DNS servers' own DNS servers at
NS1.POWERMAILING.BIZ and NS2.POWERMAILING.BIZ:
10/15/03 01:14:58 dns NS1.POWERMAILING.BIZ
Canonical name: NS1.POWERMAILING.BIZ
Addresses:
200.207.128.163
10/15/03 01:16:29 dns NS2.POWERMAILING.BIZ
Canonical name: NS2.POWERMAILING.BIZ
Addresses:
218.6.2.138
and look for the third nameserver listed on the
powermailing.biz registration
10/15/03 01:19:35 dns NS3.POWERMAILING.BIZ
Canonical name: NS3.POWERMAILING.BIZ
Addresses:
61.174.143.251
and look for the address of powermailing.biz itself
10/15/03 01:20:40 dns POWERMAILING.BIZ
Canonical name: POWERMAILING.BIZ
Addresses:
145.99.195.130
200.36.37.30
Intrigued as to what this powermailing.biz is all about, we surfed on over
to http://powermailing.biz, which says:
We Provide Hosting and dedicated Hosting. We also submit your domains to
Search engines, and we can optimize them and generate doorpages for better
positioning. We also provide Domain Registration for you. We can provide the
tools for mail advertising.
We can do the Bulk mailing using Opt-in mails. Indeed, this
cannot be understated. 100% Opt-In emails means that these individuals have
agreed to receive your targeted message. You cannot be accused of spamming
anyone! What could be better!
Note that the spam sample here is definitely not to
an opt-in list.
|