Conquerer
Continuing the series of articles on US-based spam.
I’ve received a number of comment spams from:
Melendez, Janet janet27@mcshi.com
Conquerer
1007 Calla Ave
Imperial Beach, California 91932
United States
8503844150 Fax –
Notice how mchsi is misspelled as mcshi. That misspelled domain actually exists, and is an advertizing portal. But the e-mail address appears to have been used with the regular spelling before, as evidenced by this post by Rojisan from 2004, about a spamming outfit with the same whois details.
The phone number is linked with Janet in a military newspaper ad from Pensacola, Florida, dated February 2006:
Text: ASHLEY END Tables- millennium Collection, 3 pieces, Dark Wood colored. $500.00 (850)384-4150 Janet27@mchsi.com
That phone number is (unless ported to another provider) a Verizon Wireless cell phone in Pensacola, Florida.
What’s especially interesting about this one is the spambots. They’re not Tor proxies, and I can’t find any relevant information on them prior to this spamming campaign:
64.141.68.121 - at Big Pipe Inc. Has Apache test page ( cpe0080c6f02477-cm014070001191.cpe.net.cable.rogers.com )
209.97.197.60 - at Rackforce ( 207-170-251-69.gen.twtelecom.net )
209.97.197.120 - at Rackforce ( wbar13.lax1-4.14.121.161.lax1.dsl-verizon.net )
209.97.204.216 - at Rackforce (no reverse DNS)
66.38.243.26 - at Unique Internet Services, LLC ( ai-209-247-40-203.alexa.com )
69.10.139.23 - at Rackforce ( mail-mx14.cable-link.net )
69.41.166.97 - at 1-800-HOSTING, Inc.
69.10.139.20 - at Rackforce
None of these have websites on them that I can find. The hosts they resolve to seem shaky at best. Some of those point somewhere else entirely today.
The modus operandi reminds me of two other spamming campaigns recently. One for cyberwire (which I haven’t written about yet), and one for Doug Petrie. Also note that Doug has an e-mail address with conquerer as a username.
Update: Since I wrote the post, I’ve found yet another spambot: 209.97.193.47, also on Rackforce. What’s interesting about this one is that it’s been seen spamvertizing shoes. One domain, with lots of subdomains: com-shoes.org. And that domain belongs to Douglas Tubbs at Cyberwire. Seems like my hunch may have been correct. There’s some kind of connection.
I forgot to detail the domains earlier today. The spam comments are long, and filled with domain names (both subdomains and root domains) to do with keylogging. Each root domain and the IP it resolved to:
mail-spy.com - 66.98.141.16
password-spy.com - 66.98.141.119
xspies.com - 66.98.141.137
spy-my-pc.com - 66.98.141.137
tinykeylogger.com - 66.98.141.141
ardamaxkeylogger.com - 66.98.141.150
keyloggers-online.com - 66.98.141.150
stealthkeylogger.com - 66.98.141.151
computer-monitoring-source.com - 66.98.141.157
key-stroke-recorder.com - 66.98.141.158
computer-recording-software.com - 66.98.141.159
spy-software-source.com - 66.98.141.162
spy-software-solution.com - 66.98.141.165
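One thing a blog operator can do with the two lists above is pivot on the infrastructure instead of the comment text: every spamvertised domain sits in the same /24, two of the IPs front more than one domain, and grouping the bots at /16 pulls the four 209.97.x addresses the post attributes to Rackforce together. The Python below is an added example, not code from the post or from anyone it names. The domain and IP data are copied from the lists in this post; the sample comment body is constructed; and the /16 grouping is just an illustrative prefix length, not a claim about how that provider's address space is allocated.

```python
import ipaddress
import re
from collections import defaultdict

# Domain -> IP pairs copied from the spam comments listed in the post.
SPAMVERTISED = [
    ("mail-spy.com", "66.98.141.16"),
    ("password-spy.com", "66.98.141.119"),
    ("xspies.com", "66.98.141.137"),
    ("spy-my-pc.com", "66.98.141.137"),
    ("tinykeylogger.com", "66.98.141.141"),
    ("ardamaxkeylogger.com", "66.98.141.150"),
    ("keyloggers-online.com", "66.98.141.150"),
    ("stealthkeylogger.com", "66.98.141.151"),
    ("computer-monitoring-source.com", "66.98.141.157"),
    ("key-stroke-recorder.com", "66.98.141.158"),
    ("computer-recording-software.com", "66.98.141.159"),
    ("spy-software-source.com", "66.98.141.162"),
    ("spy-software-solution.com", "66.98.141.165"),
]

# Source addresses of the posting bots, as listed in the post (update included).
SPAMBOTS = [
    "64.141.68.121", "209.97.197.60", "209.97.197.120", "209.97.204.216",
    "66.38.243.26", "69.10.139.23", "69.41.166.97", "69.10.139.20",
    "209.97.193.47",
]


def group_by_prefix(addrs, prefixlen=24):
    """Bucket addresses by their enclosing /prefixlen network.

    Returns {network: [addresses sorted numerically]}; duplicate addresses collapse.
    """
    buckets = defaultdict(set)
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        buckets[str(net)].add(a)
    return {n: sorted(ips, key=ipaddress.ip_address) for n, ips in buckets.items()}


def shared_hosts(pairs):
    """Return {ip: [domains]} for every IP that fronts more than one domain."""
    by_ip = defaultdict(list)
    for domain, ip in pairs:
        by_ip[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def host_matches(host, blocklist):
    """True if host equals a blocklisted domain or is a subdomain of one.

    The leading dot in the suffix test keeps 'nottinykeylogger.com' from
    matching 'tinykeylogger.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


# Hostname part of http(s) URLs; sufficient for plain comment bodies.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def flag_comment(text, blocklist):
    """Return the sorted, de-duplicated hosts in a comment that hit the blocklist."""
    hosts = {h.lower().rstrip(".") for h in URL_HOST_RE.findall(text)}
    return sorted(h for h in hosts if host_matches(h, blocklist))


if __name__ == "__main__":
    blocklist = [d for d, _ in SPAMVERTISED]
    print("Spamvertised domains by /24:")
    for net, ips in group_by_prefix(ip for _, ip in SPAMVERTISED).items():
        print(f"  {net}: {len(ips)} distinct hosts")
    print("IPs hosting more than one domain:")
    for ip, doms in shared_hosts(SPAMVERTISED).items():
        print(f"  {ip}: {', '.join(doms)}")
    print("Spambots by /16:")
    for net, ips in group_by_prefix(SPAMBOTS, 16).items():
        print(f"  {net}: {', '.join(ips)}")
    # Constructed comment body, not one of the originals from the post.
    sample = ("Great post! See http://free.tinykeylogger.com/download "
              "and http://www.example.com/ for more.")
    print("Flagged hosts in sample comment:", flag_comment(sample, blocklist))
```

The suffix match in host_matches is what makes the blocklist useful against the subdomain-heavy comments the post describes: a root domain on the list catches every subdomain under it without having to enumerate them.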