Analysis of sample spam
spamvertizer = hosting4vegas.com & usosdland.biz
Fri, 17 Oct 2003
"Che@ting House Wives: Quality Enjoyment for Days & Nights!..."

Overview - Innocent Bystander terrific.com Damaged by Spammers
Analysis of sample spam for the "pharaohmeds.biz" site.  First of the 2004 spam, we can count on more to follow later.  "Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv "
Analysis of sample spams for the "Tabfor.biz" Collection of Crap - brought to you from the jerks that have many sites now just blocking the entire set of .biz domains as useless.  All these spamvertizers are registered to the same old tabfor.biz and spamvertize pills and medicine - we hope the FDA and the FTC catch up with them soon.

We see from reading NANAE that these domains are the work of Eddy Marin. Ones he recently registered that we haven't seen the spams for yet are:

Analysis of sample spams from spamvertizers registered to "Frerrics Domains SL" (probably not their real name, I wouldn't put my real name on it, would you?).  Typically some flavor of "Online Cheating Wives".

As a result of this web site we are hearing from other domain owners who have also been subjected to having their domain names forged into spam messages from these people.  A partial list of some of the other spamvertizing domains registered to the Frerrics Domains gang includes: easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info refi-today.info save-hundreds.info

In most cases, the spamvertizer has registered both a .biz and a .info version of the same domain name.

Analysis of sample spam spamvertizer = net-click.net.ph ( Inovasion / FT International ) "I know all that"  (also received as "Did you lose my ICQ?" & "Do you remember me ?") Insurance Crap
Analysis of sample spam spamvertizer = 1pills4less.biz "Meet me tomorrow" Make your penis bigger pills, although you'll never be as big a dick as the "Edward Davidson" who is the false name this site is registered to.
A collection of spams from a spamvertizer promising pills that will make your dick bigger.  Hosted in Brazil.

Spammer also has registered YOURPUBLICDNS.BIZ and runs own DNS servers, one hosted in Brazil and one with servepath.com in California.

Analysis of sample spam spamvertizer = stuffedgrapes.net Tue, 21 Oct 2003 "Why not ask me. tywdip7hxkihk17iio3jgail1m"
Analysis of sample spam spamvertizer = rizonthebiz.biz Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx"  (also received as "Why not ask me. mjnibicnvpdebdjkq")
Analysis of sample spam spamvertizer = downmoon.info Tue, 11 Nov 2003 "Need some action. ghdeafdpcnxzmdyae" believed to be from the same jerks who brought us rizonthebiz.biz
A domain registrant named RTH, Inc does a lot of spamming to seemingly random addresses (meaning children may easily receive these) pushing free access to pornography.  Nothing is free, and we can bet there is at least some spyware or trojans being installed on the machines of users foolish enough to click the link.  Domains registered to them include goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM, DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM, & PANAMERICANHOSTING.COM

spamvertizer = goldfingerrock.biz Sat, 25 Oct 2003 "this is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer = smackonthewall.biz Sat, 25 Oct 2003 "is this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz Sun, 26 Oct 2003 "Get in this way. xvieybdbjnxudtyjfdl"

 

Here is the spam message, with its links disabled so nobody will accidentally click and end up in spam hell.

From: MILDRED [amhxofynxg@terrific.com]
Sent: Friday, October 17, 2003 10:07 PM
To: gusic01@hotmail.com; gusico@hotmail.com; gusicapo@msn.com; gusicha@hotmail.com
Subject: Che@ting House Wives: Quality Enjoyment for Days & Nights!...

Importance: High
Sensitivity: Personal

Check out all the Sweet Che@ting H0use Wife babes and enjoy all the pleasures these escort girls give you
- because they can give you anything you want -
and if this is a freedom to your deepest fantasies and desires, why wouldn't you try it even once?
You'll surely come back for more!

And now - this is all FOR FREE TODAY - hurry, visit this site! (linked to spamhttp://hosting4vegas.com/ocw1/main100181.html - ed.)

Can't sleep, feeling stressed out? Try valium or xanax now (linked to spamhttp://www.usosdland.biz/vpr6643/ - ed.)

sick of these messgaes be gone (linked to spamhttp://hosting4vegas.com/gone.php - ed.)


Here is the header from the spam message

Return-path: <amhxofynxg@terrific.com>
Received: from tcp-daemon.mx1.eastlink.ca by mx1.eastlink.ca
(iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
id <0HMX0070WN4O5U@mx1.eastlink.ca>
(original mail from amhxofynxg@terrific.com); Sat,
18 Oct 2003 00:10:59 -0300 (ADT)
Received: from Cn4[RANDOM_NUMBER!].MX.123email.com ([24.222.162.11])
by mx1.eastlink.ca
(iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
with SMTP id <0HMX003B7L65IJ@mx1.eastlink.ca> for gusicapo@msn.com; Sat,
18 Oct 2003 00:06:36 -0300 (ADT)
Date: Sat, 18 Oct 2003 05:06:36 +0200
From: MILDRED <amhxofynxg@terrific.com>
Subject: Che@ting House Wives: Quality Enjoyment for Days & Nights!...
To: gusic01@hotmail.com, gusico@hotmail.com, gusicapo@msn.com,
gusicha@hotmail.com
Message-id: <0HMX003A4NAYIJ@mx1.eastlink.ca>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Content-type: multipart/mixed; boundary="Boundary_(ID_J+JTBcUKashqL5jswVrQjg)"
X-Priority: 1
X-MSMail-priority: High
Sensitivity: Personal

(really from 24.222.162.11 u162n11.hfx.eastlink.ca)
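
The reasoning behind the "really from" line above, as an added example (not part of the original page): only the Received line written by the recipient's own mail server is trusted, and the peer IP it recorded is taken as the true source, whatever the From: line claims. Treating mx1.eastlink.ca as that trusted server is an assumption, and the function and field names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the sample above (trimmed; folded lines re-indented).
RAW = """\
Received: from tcp-daemon.mx1.eastlink.ca by mx1.eastlink.ca
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 id <0HMX0070WN4O5U@mx1.eastlink.ca>
 (original mail from amhxofynxg@terrific.com); Sat,
 18 Oct 2003 00:10:59 -0300 (ADT)
Received: from Cn4[RANDOM_NUMBER!].MX.123email.com ([24.222.162.11])
 by mx1.eastlink.ca
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with SMTP id <0HMX003B7L65IJ@mx1.eastlink.ca> for gusicapo@msn.com; Sat,
 18 Oct 2003 00:06:36 -0300 (ADT)
From: MILDRED <amhxofynxg@terrific.com>
"""

# Assumption: the receiving MX is the only host whose Received lines we trust.
TRUSTED_MX = "mx1.eastlink.ca"

# "from <HELO name> ([<peer IP>]) by <recording host>", the layout of this sample.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
                 r"\s+by\s+(?P<by>\S+)")
HOSTNAME = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")

def trace_origin(raw, trusted_mx=TRUSTED_MX):
    """Return the peer that handed the message to trusted_mx, or None."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Received lines are prepended, so the first one (from the top) that our
    # own MX wrote with a peer IP marks where the message entered the network.
    # Lines below it are supplied by the sender and prove nothing.
    for received in msg.get_all("Received", []):
        hop = HOP.search(" ".join(received.split()))
        if hop and hop["by"].lower() == trusted_mx:
            helo = hop["helo"].lower()
            return {
                "ip": hop["ip"],            # address the MX saw on the socket
                "helo": hop["helo"],        # name the client claimed, unverified
                "from_domain": from_domain,
                "helo_in_from_domain": helo == from_domain
                                       or helo.endswith("." + from_domain),
                "helo_is_hostname": HOSTNAME.fullmatch(hop["helo"]) is not None,
            }
    return None
```

On this sample the result is 24.222.162.11, with a HELO name that is neither inside terrific.com nor a syntactically valid hostname (it still carries the literal token [RANDOM_NUMBER!]).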


Here we use "whois" to find who the domains which sponsored the spam (hosting4vegas.com & usosdland.biz) are registered to.  In this case, the spamvertizer is using two different pitches in the same message, so there are two domains involved.

whois hosting4vegas.com

Registrant:
Oasis Dessert Hosting
412 North Caminoreal Blvd
412 North Caminoreal Blvd
Las Vegas, NV 89101-6716
US
1-800-683-9753x440
Domain Name: HOSTING4VEGAS.COM
Administrative Contact:
Harold, Tom online5marketing@yahoo.com
412 North Caminoreal Blvd
412 North Caminoreal Blvd
Las Vegas, NV 89101-6716
US
1-800-683-9753x440
Technical Contact:
Harold, Tom online5marketing@yahoo.com
412 North Caminoreal Blvd
412 North Caminoreal Blvd
Las Vegas, NV 89101-6716
US
1-800-683-9753x440
Record expires on 06-30-2004
Record created on 06-30-2003
Domain servers in listed order:
NS1.CENTRALHOST.COM 66.28.209.5
NS2.CENTRALHOST.COM 65.77.130.5

whois usosdland.biz

.BIZ Registry WHOIS Data
Domain Name USOSDLAND.BIZ
Domain ID D5481991-BIZ
Sponsoring Registrar ENOM, INC.
Domain Status ok
Registrant ID 8D270BB815DDFF79
Registrant Name domain admin
Registrant Organization Upravlenije imenami Zamoras
Registrant Address1 Ulbrokas 7 k. 1
Registrant Address2 Pasta kaste 233
Registrant City Riga
Registrant State/Province Riga
Registrant Postal Code LV 1021
Registrant Country Latvia
Registrant Country Code LV
Registrant Email admin@tabfor.biz
Administrative Contact ID 8D270BB815DDFF79
Administrative Contact Name domain admin
Administrative Contact Organization Upravlenije imenami Zamoras
Administrative Contact Address1 Ulbrokas 7 k. 1
Administrative Contact Address2 Pasta kaste 233
Administrative Contact City Riga
Administrative Contact State/Province Riga
Administrative Contact Postal Code LV 1021
Administrative Contact Country Latvia
Administrative Contact Country Code LV
Administrative Contact Email admin@tabfor.biz
Billing Contact ID 8D270BB815DDFF79
Billing Contact Name domain admin
Billing Contact Organization Upravlenije imenami Zamoras
Billing Contact Address1 Ulbrokas 7 k. 1
Billing Contact Address2 Pasta kaste 233
Billing Contact City Riga
Billing Contact State/Province Riga
Billing Contact Postal Code LV 1021
Billing Contact Country Latvia
Billing Contact Country Code LV
Billing Contact Email admin@tabfor.biz
Technical Contact ID 8D270BB815DDFF79
Technical Contact Name domain admin
Technical Contact Organization Upravlenije imenami Zamoras
Technical Contact Address1 Ulbrokas 7 k. 1
Technical Contact Address2 Pasta kaste 233
Technical Contact City Riga
Technical Contact State/Province Riga
Technical Contact Postal Code LV 1021
Technical Contact Country Latvia
Technical Contact Country Code LV
Technical Contact Email admin@tabfor.biz
Name Server NS1.MOSKVA66.BIZ
Name Server NS2.MOSKVA66.BIZ
Name Server NS2.MANGO34EF.BIZ
Created by Registrar ENOM, INC.
Domain Registration Date Thu Oct 16 15:51:13 GMT 2003
Domain Expiration Date Fri Oct 15 23:59:59 GMT 2004
 

This is the same registrant that vpachka.biz had in spam sample 1, and everything there applies here too.  In the antispam newsgroups, this is known as "one of the tabfor.biz scams", as there are many similar ones, all registered with contacts of admin@tabfor.biz.  These people have cost countless others untold resources, hours, loss of reputation and frustration with their crap.


We are really tired of looking up the same old stuff for the tabfor.biz scammers, but it seems worth checking on the nameservers for the spamvertizer domain hosting4vegas.com.  Whois centralhost.com?

Registrant:
Central Host (CENTRALHOST-DOM)
1009 Helena Dr.
Sunnyvale, CA 94087
US

Domain Name: CENTRALHOST.COM

Administrative Contact, Technical Contact:
Hostmaster, A.S. (21834592I) hostmaster@CENTRALHOST.COM
Central Host
1009 Helena Dr.
Sunnyvale, CA 94087
US
+1-877-741-6168 fax: 999 999 9999

Record expires on 20-May-2005.
Record created on 03-Sep-2002.
Database last updated on 18-Oct-2003 12:12:58 EDT.
 


Here we find the ip address for one of the spamvertizers, http://hosting4vegas.com/ocw1

10/18/03 11:24:33 dns http://hosting4vegas.com/ocw1
Mail for hosting4vegas.com is handled by hosting4vegas.com mail2.centralhost.com
Canonical name: hosting4vegas.com
Addresses:
65.77.130.173


Now we look to see who owns the ip address block.  The spamvertizer was 65.77.130.173

10/18/03 11:27:04 IP block 65.77.130.173
Trying 65.77.130.173 at ARIN
Trying 65.77.130 at ARIN
Williams Communications, Incorporated WCG-BLK-3 (NET-65-77-0-0-1)
65.77.0.0 - 65.77.255.255
Silicon Valley Web Hosting Inc. WLCO-TWC821155-SILIC1 (NET-65-77-128-0-1)
65.77.128.0 - 65.77.135.255

# ARIN WHOIS database, last updated 2003-10-17 19:15


10/20/03 - Silicon Valley Web Hosting Inc. has terminated their hosting of hosting4vegas.com, another whack-a-mole clubbed with a clue-by-four.

10/26/03 - The site is back online again, right where it was before.  We assume they cried to the ISP, and we will have to wait for another spam offence to get them removed again.


 

This page last updated 01/24/2004 02:37:15 PM -0600