Archive for October, 2006

Fake free webhost?

Saturday, October 7th, 2006

I’ve gotten loads of spamvertized porn subdomains on the domain allbestsmovies.org.

So I decided to check it out. Does it belong to the spammers, or is it a free service?

First test: the whois, which looks fake to me. I started looking up the addresses and phone numbers in Israel, but the country code IS is Iceland, and the details are utterly fake:

Created On:22-Jun-2006 14:24:06 UTC
Last Updated On:26-Sep-2006 15:35:24 UTC
Expiration Date:22-Jun-2007 14:24:06 UTC
Registrant Organization:Shpil
Registrant Street1:Enlike str. 387
Registrant State/Province:0
Registrant Postal Code:g89614
Registrant Country:IS
Registrant Phone:+2.95528646
Registrant FAX Ext.:
Registrant Email: gavr@poshlina.com

Next test, the home page. This one has the usual sign up for free website. Problem is, you can’t sign up, because the register link goes to a nonexistent page! Every page connected to the free service goes to nonexistent pages.

In fact, some of the text has been scraped from Free Web Hosting, with a few words changed (search box on the right instead of left). Even the favicon has been lifted from that site!

But there are lots of links on the right, labeled either Help Pages or Friend. All of them are porn pages.

So to me this looks like a spammer run fake free webhost!

———–

Update:

This spammer likes preceding his spam with this phrase: PReved krosavcheg!
I searched for it, and found an explanation for the phrase on a livejournal:

“PREVED is a sacred word, used by ancient Russian warriors when meeting the enemy face-to-face. The worst cussword ever in ancient Russia was KROSAVCHEG. Thus, if smb says “PREVED, KROSAVCHEG” you’re likely to get your head beat.”

Judging from the fits of laughter from the Russian spammers, the phrase means something else… Jenny (from Moldova) has an explanation, if you look in the comments below.
So I searched for more spam with that wording, and found another probably fake free webhost: keymit.org

203.174.83.55
Created On:14-Jul-2006 12:13:10 UTC
Last Updated On:26-Sep-2006 15:32:59 UTC
Expiration Date:14-Jul-2007 12:13:10 UTC
Sponsoring Registrar:Direct Information PVT Ltd dba PublicDomainRegistry.com (R27-LROR)
Status:OK
Registrant ID:DI_3355421
Registrant Name:Maxxx
Registrant Organization:Home
Registrant Street1:Panin str.58
Registrant Street2:
Registrant Street3:
Registrant City:Gavay
Registrant State/Province:
Registrant Postal Code:5h4f8s
Registrant Country:BS
Registrant Phone:+5.65534883
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: maxxx@ampid.org
Name Server:NS1.UVILO.COM
Name Server:NS2.UVILO.COM

And this time I noticed something in the source code (and I’ve munged it slightly):

LINK REL=”SHORTCUT ICON” xhref= http://www.free-webhosts.com/favicon.ico

This time the links on the right are for various pills.

The redirect script (a separate script named redirect.js) redirects to a complicated URL on trafficout.net. Thing is, even if you bungle that URL (which I did on purpose), you still get the same 302, as long as you hit the redirect script with the number right behind the ?. And it redirects to topsearch10.com, ID: 55038.

In other words, trafficout.net belongs to the spammer:

Registration Service Provided By: REGNAME.BIZ
IP:72.232.223.195
Shokolad
Alexandr (apitok@mail.ru)
Bayman str/ 2
Moskoy
null,605105
RU
Tel. +7.0957856234

Creation Date: 04-May-2005
Expiration Date: 04-May-2007

Domain servers in listed order:
ns2.allveryeasy.com
ns1.allveryeasy.com

Don’t expect this whois to be any more accurate. I include it just for documentation purposes.

So I went back further, and found yet another:

otday.org
203.174.83.55

Last Updated On:26-Sep-2006 13:39:26 UTC
Expiration Date:25-Sep-2007 21:02:49 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_4020257
Registrant Name:Huani
Registrant Organization:Dokinzo
Registrant Street1:Sekanifa
Registrant Street2:
Registrant Street3:
Registrant City:Haynan
Registrant State/Province:
Registrant Postal Code:4g5h65d
Registrant Country:CN
Registrant Phone:+23.5464431831
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: huani@dokinzo.com
Name Server:NS1.UVILO.COM
Name Server:NS2.UVILO.COM

This time it’s lolita type porn, and the redirect goes the same route, except with a different number, and eventually ends up at todaysfreevideo.com, ID: 1029.

Additionally, I checked the domains on 72.232.223.195, and they all have different fake whois, but with one common factor: a random postal code, like we’ve seen on the other domains in this case. There’s some movement of domains between 72.232.223.195 and 203.174.83.55.
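As an added illustration (not code from the original post), here is a Python checker for the plausibility cues this post relies on: a phone prefix that doesn’t match the registrant country’s calling code, and postal codes that don’t fit the country’s format or mix letters and digits. The calling codes and postal formats are general knowledge for the four countries in these records; the records are cut down from the whois output above, and the control record is constructed.

```python
import re

# Calling code and postal-code shape per ISO country code, for the
# countries that appear in the whois records in this post.
COUNTRY_FORMATS = {
    "IS": ("354", r"^\d{3}$"),  # Iceland: 3-digit postal codes
    "CN": ("86", r"^\d{6}$"),   # China: 6-digit postal codes
    "RU": ("7", r"^\d{6}$"),    # Russia: 6-digit postal codes
    "BS": ("1", None),          # Bahamas: NANP (+1 242), no postal codes
}

# Records as printed in this post (relevant fields only) plus a constructed control.
RECORDS = {
    "allbestsmovies.org": "Registrant Postal Code:g89614\nRegistrant Country:IS\nRegistrant Phone:+2.95528646",
    "keymit.org": "Registrant Postal Code:5h4f8s\nRegistrant Country:BS\nRegistrant Phone:+5.65534883",
    "otday.org": "Registrant Postal Code:4g5h65d\nRegistrant Country:CN\nRegistrant Phone:+23.5464431831",
    "control.example": "Registrant Postal Code:101\nRegistrant Country:IS\nRegistrant Phone:+354.5551234",
}

def parse_whois(text):
    """Turn 'Key:Value' whois lines into a dict keyed by lowercased field name."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields

def whois_red_flags(fields):
    """Return the plausibility problems found in one parsed whois record."""
    flags = []
    country = fields.get("registrant country", "").upper()
    phone = fields.get("registrant phone", "")
    postal = fields.get("registrant postal code", "")
    if country not in COUNTRY_FORMATS:
        return [f"no format rules for country {country!r}"]
    calling, postal_re = COUNTRY_FORMATS[country]
    # Registrar phones are written "+CC.number"; CC must be the calling code.
    m = re.match(r"^\+(\d+)\.\d+$", phone)
    if not m or m.group(1) != calling:
        flags.append(f"phone {phone!r} is not a +{calling} number for {country}")
    if postal_re is None:
        if postal:
            flags.append(f"{country} has no postal codes, record gives {postal!r}")
    elif not re.match(postal_re, postal):
        flags.append(f"postal code {postal!r} does not fit the {country} format")
    # Letters mixed into digits is the random-string signature seen in this post.
    if re.search(r"[A-Za-z]", postal) and re.search(r"\d", postal):
        flags.append(f"postal code {postal!r} mixes letters and digits")
    return flags

def check_records(records=RECORDS):
    """Map each domain to its list of red flags (empty list = looks consistent)."""
    return {name: whois_red_flags(parse_whois(text)) for name, text in records.items()}
```

Each of the three domains from this post trips all three checks, while the control record trips none.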

————

2nd update:

I just got the first spam comment for a few new domains. Same IP, same setup.

googleshoppingcenters.org - food spam
dogonyay.info - insurance spam
gemballagt.com - car spam
outsidereal.com - cosmetics spam
freetissot.info - finance, loans spam
kandelyabr.info - education spam
doublevisit.info - porn spam
rapagt.info - kitchen spam

First cybercrime conviction in Russia?

Thursday, October 5th, 2006

Three Russians were sentenced to 8 years of hard time for extortion in connection with denial of service attacks.

Anna from Kaspersky told me in June that there was a Russian law that could be used against cybercrime, but that it hadn’t been used so far. That mirrors what they said in their blog yesterday. This is a very important sentence, even if the sentencing reflected the extortion more than the cybercrime.

Other news reports:

Informationweek, Securityfocus

GoViral are spammers

Wednesday, October 4th, 2006

Yesterday I wrote a story entitled: Coca Cola spam reaches Norway.

By today, the news media has gotten in on the game, and there are comments from Coca Cola in various places.

Coca Cola says they’re within the Norwegian law, but my guess is they’re going to lose that one. Two “viral campaigns” have been linked together by lazy spammers using the same forum ID for both campaigns. One of those campaigns looks like an amateur video. There are no logos anywhere, except the bottle on the table. It’s a clear case of infraction against the law in Norway. The law says (paraphrased) that advertizements need to be clearly marked as advertizements. You can’t advertize and disguise it as editorial content, for instance. That’s against the law. So this is clearly against the law. And since it’s been linked by forum ID with another campaign that identifies the product clearly, there’s no doubt.

Coca Cola has admitted to hiring marketing companies that use viral marketing. In other words, they’ve admitted to spamming, but prefer not to use the term spamming.

The company Coca Cola says did the “viral marketing” is GoViral. They’ve got several offices around the world, including one in Sweden (at least one IP implicated in the spamming was Swedish).

It doesn’t really matter if this company spamvertizes videos that then include product placements or commercials - as opposed to posting links. Mass posting on forums with a commercial aim is spamming. This spamming has a different aim - getting direct clicks from users, as opposed to gaining good ranking in search engines. Which is where part of the webspam industry is headed anyway. Still spam…

So, GoViral are spammers, and should be scrutinized in the future. What they’re doing is no better than what Russian spammers are doing (just less obvious and less easy to suss out), so no going easy on them.

American Samoa flipped the switch

Wednesday, October 4th, 2006

American Samoa’s .as domains are popular in Norway, and possibly other places.

Somehow, I guess their renewal invoices didn’t really work as they said, because a lot of domains haven’t been renewed, for some reason or another.

Some time in the last few days, they flipped a switch. Domains that hadn’t been renewed (some are years out of date) suddenly don’t work.

There are probably a lot of frustrated people out there right now, who don’t get their e-mail, and whose homepages don’t work.

Coca Cola spam reaches Norway

Tuesday, October 3rd, 2006

Yesterday, when I saw the blanketing of marketing banners for the zero movement, I thought to myself: OK, here it comes, they didn’t learn from the beating they got last time…

Coca Cola came under scrutiny for forum spamming and guerrilla marketing when they launched Coke Zero in Australia. Seems they didn’t learn, and have made the same mistake in Norway. The launch started yesterday, but their marketing people got a jump on things by posting links to advertizing videos starting a few days before.

Freakforum broke the spamming story in Norway. Note that many of the links they found were related to a spam campaign from April that was a bit less obvious. It had a bottle of coke in a seemingly amateur video of two football celebrities talking. But that same user came back to some of the forums and posted a new link, and this time there was no mistake. It’s an English speaking video, with a girl who slaps her boyfriend silly over that one question: Do I look fat. And at the end there’s a URL for the address they’re using for the Zero Movement in Norway.

What’s interesting is that Coca Cola has most likely fallen foul of the marketing law in Norway, where one section states that advertizing needs to be clearly labeled as advertizing. This campaign is trying to fly under the radar, and be seen as another user having found something funny. The first campaign from April is in clear violation. The new campaign is in violation if you consider that the post is not labeled as advertizement. It’s only when you get to the end of the video that you understand there’s an advertizing message. But with the two posting campaigns linked by the same user, it doesn’t really matter. Coca Cola is busted as a spammer!

For those who’d be interested in trying to get their hosting yanked, here are the particulars:

IP: 83.136.90.23 (for several domains relating to the campaign).

Webhotel: phd.dk (go to Kontakt os and find an e-mail address there)

Upstream: nianet.dk

Here are examples of the spam: 1, 2, 3, 4

Conquerer

Tuesday, October 3rd, 2006

Continuing the series of articles on US based spam.

I’ve received a number of comment spams from:

Melendez, Janet janet27@mcshi.com
Conquerer
1007 Calla Ave
Imperial Beach, California 91932
United States
8503844150 Fax –

Notice how mchsi is misspelled. That misspelled domain actually exists, and is an advertizing portal. But the e-mail address appears to have been used with the regular spelling before, as evidenced by this post by Rojisan from 2004, about a spamming outfit with the same whois.

The phone number is linked with Janet in a military newspaper ad - Pensacola, Florida, from February 2006:

Text: ASHLEY END Tables- millennium Collection, 3 pieces, Dark Wood colored. $500.00 (850)384-4150 Janet27@mchsi.com

That phone number is a cell phone from (unless ported to another provider) Verizon wireless in Pensacola, Florida.

What’s especially interesting about this one is the spambots. They’re not Tor proxies, and I can’t find any relevant information on them prior to this spamming campaign:

64.141.68.121 - at Big Pipe Inc. Has Apache test page ( cpe0080c6f02477-cm014070001191.cpe.net.cable.rogers.com )
209.97.197.60 - at Rackforce ( 207-170-251-69.gen.twtelecom.net )
209.97.197.120 - at Rackforce ( wbar13.lax1-4.14.121.161.lax1.dsl-verizon.net )
209.97.204.216 - at Rackforce (no reverse DNS)
66.38.243.26 - at Unique Internet Services, LLC ( ai-209-247-40-203.alexa.com )
69.10.139.23 - at Rackforce ( mail-mx14.cable-link.net )
69.41.166.97 - at 1-800-HOSTING, Inc.
69.10.139.20 - at Rackforce

None of these have websites on them that I can find. The hosts they resolve to seem shaky at best. Some of those point somewhere else entirely today.

The modus operandi reminds me of two other spamming campaigns recently. One for cyberwire (which I haven’t written about yet), and one for Doug Petrie. Also note that Doug has an e-mail address with conquerer as a username.

Update: Since I wrote the post, I’ve found yet another spambot: 209.97.193.47. Also on Rackforce. What’s interesting about this one is that it’s been seen spamvertizing shoes. One domain, with lots of subdomains: com-shoes.org. And that domain belongs to Douglas Tubbs at Cyberwire. Seems like my hunch may have been correct. There’s some kind of connection.

I forgot to detail the domains earlier today. The spam comments are long, and filled with domain names to do with keylogging, both subdomains and root domains.


OT: Disappearing e-mails

Tuesday, October 3rd, 2006

Apparently, disappearing e-mails are the new rage in some (business) situations.

Just a little rant here: If I receive such an e-mail, I’ll go get my cameraphone and snap a picture of the screen. The best cameraphones today are totally capable of snapping readable images of the screen. And they’re fast, so you should be able to get several images if it’s a long message. And yes, I’ve tested it, works with my cameraphone!

Heck, some of those services may even be susceptible to a screen capture!

A cameraphone and a screen grab was even part of the plot of the recent movie Firewall…

Another trend is ReadNotify. Don’t trust that either. Some friends tested that out on me a few years ago (I was told they tested it). Doesn’t work if you’ve got an e-mail program that’s severed from the internet when you read messages, unless you purposely allow interaction with the internet. At least, they never got it to work when they sent messages to me…

So, the moral is: This sort of thing works some of the time, but you shouldn’t rely on it. If you send it to someone like me (and there are many like me on the net), expect it to bite you down the line. If it’s imperative nobody can prove you sent an e-mail, don’t send it. And failure to get a result with ReadNotify, doesn’t mean the e-mail was never read.

Doug Petrie’s domains in spamrun

Monday, October 2nd, 2006

Update October 24, 2006: Doug says he never sent me those spam e-mails (duh!), so I should remove the whois info.

I’ve sent him a definition of comment spam, and asked him to tell me if he comment spammed, or if he hired someone to do SEO. We’ll see what he answers, and then I’ll see what I’ll do. Oh, and I sent him 96 pieces of spam involving his domains in a text file, so he’ll see exactly what I’m talking about.

Eh, I just realized he’ll have to come up with a heck of a good story. I checked his e-mail headers. He sent that e-mail from the same IP as the spam came from!!!!!!!

——-

Doug Petrie is known as a TV writer. But there’s another Doug Petrie, whose main claim to fame is a string of “free articles” on payday loans.

Today I got an incessant stream of comment spam from 69.116.161.80 (dyn.optonline.net)

The domains spamvertized belong to

Petrie, Doug conquerer@zerogravitycomputing.com
354 State Street
Suite 105
Hackensack, New Jersey 07601
United States
(201) 487-4424 Fax — (201) 487-4423

zerogravitycomputing.com belongs to the same guy:

petrie, doug djpzero@AOL.COM
zero gravity computing
464 CENTRAL AVE
CARLSTADT, NJ 07072-1518
US
201-896-9330

So, is Doug a spammer? Not sure…

What I can tell you is that the domains in that spam are spread out over a lot of IP addresses. That’s a technique I’ve seen employed by another US spammer very recently. It could be an attempt to keep all the domains from getting blacklisted together for being in a bad neighborhood. Doesn’t really help if you spam them all in one comment, though… The only other reason would have to be if the owner expected a lot of traffic. But chances are these domains aren’t spread over as many servers as IP addresses…
Here’s the list of domains with IP addresses:

Update: I did some checking on the IP number of the spambot. It’s been in play at least since August 17, 2006 - promoting domains owned by Doug Petrie.

The domain, cashadvanceclowns.com, has this whois:

Douglas Petrie
438 Ottawa Ave
Hasbrouck Heights, New Jersey 07604
United States

I’ve also found promotion of poker sites on Spaces Live, with affiliate ID 2769220 at partypoker.com.