Spamhuntress

There’s a spammer that uses hotbox.com e-mail addresses in the from field. In the name field, there’s usually some pharmacy related keywords. Often a full sentence, which can be a bit disjointed - just the money words, you understand.

Lately, the domain used is xxxempire.net (it looks like it belongs to the spammer, but I’m not 100% sure).

which is at 85.255.117.226 (inhoster)

whois (registered at estdomains):

Cognis Benelux
Axel Kaehler        (axl@nek.no)
Kruisweg 619
Hoofddorp
,2130
NL
Tel. +31.204409888

Creation Date: 28-Oct-2004
Expiration Date: 28-Oct-2006

I found two different Adsense accounts on various places on that domain:

pub-3433119484087709
pub-2683393377304234

And affiliate number 48593 for searchadv
There’s a javascript redirection (that didn’t seem to work) to:

wonkalook.com (same IP number):

Registrant:
IQ network
Nick Priest        (iq@iq-google.com)
Figueroa Alcorta 3455
Buenos Aires
0,1425
AR
Tel. +541.4854346

Creation Date: 02-Jun-2006
Expiration Date: 02-Jun-2007

Domain servers in listed order:
ns4.klikdomains.com
ns3.klikdomains.com
ns2.wonkalook.com
ns1.wonkalook.com

That e-mail address looked interesting, so I looked it up:

IQ inc.
Nick Priest        (lustiq@p5com.com)
Pr. Pobedy 102
Kiev
null,05033
UA
Tel. +93.456474776

The iq-google.com domain appears to have been spamvertized in 2005. Including on a Yahoo groups links page… And it seems to have had Russian language content on it at one time.

This entry was posted on Sunday, June 25th, 2006 at 9:31 am and is filed under Comment spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.