Archive for the 'Comment spam' Category

Fake free webhost?

Saturday, October 7th, 2006

I’ve gotten loads of spamvertized porn subdomains on the domain allbestsmovies.org.

So I decided to check it out. Does it belong to the spammers, or is it a free service?

First test: the whois, which looks fake to me. I started out looking up addresses and phone numbers in Israel, but the country code IS is Iceland, and the data is utterly fake either way:

Created On:22-Jun-2006 14:24:06 UTC
Last Updated On:26-Sep-2006 15:35:24 UTC
Expiration Date:22-Jun-2007 14:24:06 UTC
Registrant Organization:Shpil
Registrant Street1:Enlike str. 387
Registrant State/Province:0
Registrant Postal Code:g89614
Registrant Country:IS
Registrant Phone:+2.95528646
Registrant FAX Ext.:
Registrant Email: gavr@poshlina.com

Next test: the home page. It has the usual "sign up for a free website" pitch. Problem is, you can’t sign up, because the register link goes to a nonexistent page! Every page connected to the free service goes to a nonexistent page.

In fact, some of the text has been scraped from Free Web Hosting, with a few words changed (search box on the right instead of left). Even the favicon has been lifted from that site!

But there are lots of links on the right, labeled either Help Pages or Friend. All of them are porn pages.

So to me this looks like a spammer run fake free webhost!

———–

Update:

This spammer likes preceding his spam with this phrase: PReved krosavcheg!
I searched for it, and found an explanation for the phrase on a livejournal:

“PREVED is a sacred word, used by ancient Russian warriors when meeting the enemy face-to-face. The worst cussword ever in ancient Russia was KROSAVCHEG. Thus, if smb says “PREVED, KROSAVCHEG” you’re likely to get your head beat.”

Judging from the fits of laughter from the Russian spammers, the phrase means something else… Jenny (from Moldova) has an explanation, if you look in the comments below.
So I searched for more spam with that wording, and found another probably fake free webhost: keymit.org

203.174.83.55
created On:14-Jul-2006 12:13:10 UTC
Last Updated On:26-Sep-2006 15:32:59 UTC
Expiration Date:14-Jul-2007 12:13:10 UTC
Sponsoring Registrar:Direct Information PVT Ltd dba PublicDomainRegistry.com (R27-LROR)
Status:OK
Registrant ID:DI_3355421
Registrant Name:Maxxx
Registrant Organization:Home
Registrant Street1:Panin str.58
Registrant Street2:
Registrant Street3:
Registrant City:Gavay
Registrant State/Province:
Registrant Postal Code:5h4f8s
Registrant Country:BS
Registrant Phone:+5.65534883
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: maxxx@ampid.org
Name Server:NS1.UVILO.COM
Name Server:NS2.UVILO.COM

And this time I noticed something in the source code (and I’ve munged it slightly):

LINK REL=”SHORTCUT ICON” xhref= http://www.free-webhosts.com/favicon.ico

This time the links on the right are for various pills.

The redirect script (separate script named redirect.js) redirects to a complicated URL on trafficout.net. Thing is, even if you bungle that URL (which I did on purpose), you still get the same 302, as long as you hit the redirect script with the number right behind the ?. And it redirects to
topsearch10.com ID: 55038

In other words, trafficout.net belongs to the spammer:

Registration Service Provided By: REGNAME.BIZ
IP:72.232.223.195
Shokolad
Alexandr (apitok@mail.ru)
Bayman str/ 2
Moskoy
null,605105
RU
Tel. +7.0957856234

Creation Date: 04-May-2005
Expiration Date: 04-May-2007

Domain servers in listed order:
ns2.allveryeasy.com
ns1.allveryeasy.com

Don’t expect this whois to be any more accurate. I include it just for documentation purposes.

So I went back further, and found yet another:

otday.org
203.174.83.55

Last Updated On:26-Sep-2006 13:39:26 UTC
Expiration Date:25-Sep-2007 21:02:49 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_4020257
Registrant Name:Huani
Registrant Organization:Dokinzo
Registrant Street1:Sekanifa
Registrant Street2:
Registrant Street3:
Registrant City:Haynan
Registrant State/Province:
Registrant Postal Code:4g5h65d
Registrant Country:CN
Registrant Phone:+23.5464431831
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: huani@dokinzo.com
Name Server:NS1.UVILO.COM
Name Server:NS2.UVILO.COM

This time it’s lolita type porn, and the redirect goes the same route, except different number, and eventually goes to todaysfreevideo.com, ID: 1029

Additionally, I checked the domains on 72.232.223.195, and they all have different fake whois, but with one common factor, random postal code, like we’ve seen on other domains in this case. There’s some movement of domains between 72.232.223.195 and 203.174.83.55.
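The tells listed above (a postal code that is a random jumble of letters and digits, a phone prefix that does not belong to the registrant country, a placeholder in the state field) can be turned into a mechanical check. The following is an added example, not code from the original post: a small parser for the `Key:Value` whois layout quoted above plus the three heuristics, run over trimmed copies of the three registrant blocks. The postal-code patterns and dialling prefixes are a hand-built table covering only the countries that occur in those records, which is an assumption of the example; a real tool would load a complete reference.

```python
"""Heuristic checks for forged registrant data in whois records.

Added example, not from the original post. The postal-code patterns and
dialling prefixes are a small hand-built reference (an assumption) that
covers only the countries in the records quoted above.
"""
import re

# Assumed reference data, constructed for this example.
POSTAL_FORMAT = {
    "IS": r"\d{3}",            # Iceland: three digits
    "CN": r"\d{6}",            # China: six digits
    "RU": r"\d{6}",            # Russia: six digits
    "US": r"\d{5}(-\d{4})?",   # USA: ZIP or ZIP+4
    "BS": None,                # Bahamas: no postal codes at all
}
DIAL_PREFIX = {"IS": "354", "CN": "86", "RU": "7", "US": "1", "BS": "1"}


def parse_whois(text):
    """Turn 'Key:Value' whois lines into a dict keyed by lower-cased field name."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record


def whois_anomalies(record):
    """Return the reasons a registrant block looks forged (empty list = nothing found)."""
    reasons = []
    country = record.get("registrant country", "").upper()
    postal = record.get("registrant postal code", "")
    phone = record.get("registrant phone", "")

    # 1. Postal code vs country: the "random postal code" tell from the post.
    if postal:
        if country in POSTAL_FORMAT:
            fmt = POSTAL_FORMAT[country]
            if fmt is None:
                reasons.append(f"{country} has no postal codes, record says {postal!r}")
            elif not re.fullmatch(fmt, postal):
                reasons.append(f"postal code {postal!r} does not fit {country} format")
        elif re.search(r"[A-Za-z]", postal) and re.search(r"\d", postal):
            reasons.append(f"postal code {postal!r} mixes letters and digits (unknown country)")

    # 2. Phone vs country: registrar output writes numbers as +CC.number,
    #    so everything before the dot is the international dialling prefix.
    m = re.match(r"\+(\d+)\.", phone)
    if m and country in DIAL_PREFIX and m.group(1) != DIAL_PREFIX[country]:
        reasons.append(f"phone prefix +{m.group(1)} is not {country}'s +{DIAL_PREFIX[country]}")

    # 3. Placeholder values where a real registrant would have typed something.
    if record.get("registrant state/province") in ("0", "null", "n/a"):
        reasons.append("placeholder state/province")
    return reasons


# Registrant blocks quoted in the post, trimmed to the fields used here.
ALLBESTSMOVIES = """\
Registrant Organization:Shpil
Registrant Street1:Enlike str. 387
Registrant State/Province:0
Registrant Postal Code:g89614
Registrant Country:IS
Registrant Phone:+2.95528646
"""
KEYMIT = """\
Registrant Name:Maxxx
Registrant City:Gavay
Registrant State/Province:
Registrant Postal Code:5h4f8s
Registrant Country:BS
Registrant Phone:+5.65534883
"""
OTDAY = """\
Registrant Name:Huani
Registrant City:Haynan
Registrant Postal Code:4g5h65d
Registrant Country:CN
Registrant Phone:+23.5464431831
"""


def check_all(records):
    """Map each domain name to the anomalies found in its whois text."""
    return {name: whois_anomalies(parse_whois(text)) for name, text in records.items()}


if __name__ == "__main__":
    results = check_all(
        {"allbestsmovies.org": ALLBESTSMOVIES, "keymit.org": KEYMIT, "otday.org": OTDAY}
    )
    for name, reasons in results.items():
        print(name, "->", "; ".join(reasons) or "no anomalies")
```

All three records trip the postal-code and phone-prefix checks, and the first one also trips the placeholder check. A single hit is not proof of forgery (registrants mistype), but two or three independent inconsistencies in one block is the pattern this post keeps running into.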

————

2nd update:

I just got the first spam comment for a few new domains. Same IP, same setup.

googleshoppingcenters.org - food spam
dogonyay.info - insurance spam
gemballagt.com - car spam
outsidereal.com - cosmetics spam
freetissot.info - finance, loans spam
kandelyabr.info - education spam
doublevisit.info - porn spam
rapagt.info - kitchen spam

Conquerer

Tuesday, October 3rd, 2006

Continuing the series of articles on US based spam.

I’ve received a number of comment spams from:

Melendez, Janet janet27@mcshi.com
Conquerer
1007 Calla Ave
Imperial Beach, California 91932
United States
8503844150 Fax –

Notice how mchsi is misspelled. That misspelled domain actually exists, and is an advertising portal. But the e-mail address appears to have been used with the regular spelling before, as evidenced by this post by Rojisan from 2004, about a spamming outfit with the same whois.

The phone number is linked with Janet in a military newspaper ad - Pensacola, Florida, from February 2006:

Text: ASHLEY END Tables- millennium Collection, 3 pieces, Dark Wood colored. $500.00 (850)384-4150 Janet27@mchsi.com

That phone number is a cell phone from (unless ported to another provider) Verizon wireless in Pensacola, Florida.

What’s especially interesting about this one is the spambots. They’re not Tor proxies, and I can’t find any relevant information on them prior to this spamming campaign:

64.141.68.121 - at Big Pipe Inc. Has Apache test page ( cpe0080c6f02477-cm014070001191.cpe.net.cable.rogers.com )
209.97.197.60 - at Rackforce ( 207-170-251-69.gen.twtelecom.net )
209.97.197.120 - at Rackforce ( wbar13.lax1-4.14.121.161.lax1.dsl-verizon.net )
209.97.204.216 - at Rackforce (no reverse DNS)
66.38.243.26 - at Unique Internet Services, LLC ( ai-209-247-40-203.alexa.com )
69.10.139.23 - at Rackforce ( mail-mx14.cable-link.net )
69.41.166.97 - at 1-800-HOSTING, Inc.
69.10.139.20 - at Rackforce

None of these have websites on them that I can find. The hosts they resolve to seem shaky at best. Some of those point somewhere else entirely today.

The modus operandi reminds me of two other spamming campaigns recently. One for cyberwire (which I haven’t written about yet), and one for Doug Petrie. Also note that Doug has an e-mail address with conquerer as a username.

Update: Since I wrote the post, I’ve found yet another spambot: 209.97.193.47, also on Rackforce. What’s interesting about this one is that it’s been seen spamvertizing shoes. One domain, with lots of subdomains: com-shoes.org. And that domain belongs to Douglas Tubbs at Cyberwire. Seems like my hunch may have been correct. There’s some kind of connection.
I forgot to detail the domains earlier today. The spam comments are long, and filled with domain names to do with keylogging. Subdomains and root domains.

mail-spy.com
66.98.141.16

password-spy.com
66.98.141.119

xspies.com
66.98.141.137

spy-my-pc.com
66.98.141.137

tinykeylogger.com
66.98.141.141

ardamaxkeylogger.com
66.98.141.150

keyloggers-online.com
66.98.141.150

stealthkeylogger.com
66.98.141.151

computer-monitoring-source.com
66.98.141.157

key-stroke-recorder.com
66.98.141.158

computer-recording-software.com
66.98.141.159

spy-software-source.com
66.98.141.162

spy-software-solution.com
66.98.141.165

Doug Petrie’s domains in spamrun

Monday, October 2nd, 2006

Update October 24, 2006: Doug says he never sent me those spam e-mails (duh!), so I should remove the whois info.

I’ve sent him a definition of comment spam, and asked him to tell me if he comment spammed, or if he hired someone to do SEO. We’ll see what he answers, and then I’ll see what I’ll do. Oh, and I sent him 96 pieces of spam involving his domains in a text file, so he’ll see exactly what I’m talking about.

Eh, I just realized he’ll have to come up with a heck of a good story. I checked his e-mail headers. He sent that e-mail from the same IP as the spam came from!!!!!!!

——-

Doug Petrie is known as a TV writer. But there’s another Doug Petrie, whose main claim to fame is a string of “free articles” on payday loans.

Today I got an incessant stream of comment spam from 69.116.161.80 (dyn.optonline.net)

The domains spamvertized belong to

Petrie, Doug conquerer@zerogravitycomputing.com
354 State Street
Suite 105
Hackensack, New Jersey 07601
United States
(201) 487-4424 Fax — (201) 487-4423

zerogravitycomputing.com belongs to the same guy:

petrie, doug djpzero@AOL.COM
zero gravity computing
464 CENTRAL AVE
CARLSTADT, NJ 07072-1518
US
201-896-9330

So, is Doug a spammer? Not sure…

What I can tell you is that the domains in that spam are spread out over a lot of IP addresses. That’s a technique I’ve seen employed by another US spammer very recently. It could be an attempt to keep the domains from all getting blacklisted together for being in a bad neighborhood? It doesn’t really help if you spam them all in one comment, though… The only other reason would be if the owner expected a lot of traffic. But chances are these domains aren’t spread over as many servers as IP addresses…

Here’s the list of domains with IP addresses:

Name: debtconsolidationcounseling.biz
Address: 64.246.44.185

Name: debtconsolidationhomeequityloan.net
Address: 216.75.24.138

Name: debtconsolidationinformation.biz
Address: 216.75.24.136

Name: debtconsolidationloanonline.us
Address: 216.75.24.132

Name: debtconsolidationmortgageloan.us
Address: 216.75.24.131

Name: debtconsolidationorganization.biz
Address: 216.75.63.190

Name: debtconsolidationorganization.net
Address: 216.75.63.188

Name: debtconsolidationsecuredloan.biz
Address: 216.75.24.156

Name: debtconsolidationsecuredloan.net
Address: 216.75.24.155

Name: debtconsolidationsecuredloan.us
Address: 216.75.24.154

Name: debtconsolidationsolution.biz
Address: 216.75.24.153

Name: delawaredebtconsolidation.us
Address: 216.75.24.152

Name: freecreditcarddebtconsolidation.net
Address: 216.75.24.151

Name: freecreditcarddebtconsolidation.us
Address: 216.75.24.150

Name: freedebtconsolidationquote.biz
Address: 216.75.24.149

Name: freedebtconsolidationquote.us
Address: 216.75.24.148

Name: freedebtconsolidationservices.us
Address: 216.75.24.146

Name: marylanddebtconsolidation.us
Address: 216.75.24.143

Name: mbnadebtconsolidation.us
Address: 216.75.24.142

Name: michigandebtconsolidation.us
Address: 216.75.24.141

Name: nonprofitdebtconsolidation.us
Address: 216.75.24.139

Name: personaldebtconsolidationloan.biz
Address: 216.75.24.136

Name: secureddebtconsolidation.biz
Address: 216.75.24.134

Name: unsecureddebtconsolidation.us
Address: 216.75.63.190
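The "one domain per IP, all in the same few networks" pattern is easier to see when the listing is summarised by address and by /24. Here is an added example (not from the original post) that reads the nslookup-style `Name:`/`Address:` listing above, tolerates the one entry that lost its `Name:` prefix, and reports how many distinct hosts and networks the domains really sit on. The embedded listing is an excerpt of the one above.

```python
"""Group spamvertised domains by hosting IP and /24 network.

Added example, not from the original post. The listing below is an
excerpt of the nslookup-style output quoted above, including the entry
that lacks its 'Name:' prefix.
"""
import ipaddress
from collections import defaultdict

LISTING = """\
Name: debtconsolidationcounseling.biz
Address: 64.246.44.185

Name: debtconsolidationhomeequityloan.net
Address: 216.75.24.138

Name: debtconsolidationinformation.biz
Address: 216.75.24.136

Name: debtconsolidationorganization.biz
Address: 216.75.63.190

Name: debtconsolidationorganization.net
Address: 216.75.63.188

marylanddebtconsolidation.us
Address: 216.75.24.143

Name: personaldebtconsolidationloan.biz
Address: 216.75.24.136

Name: unsecureddebtconsolidation.us
Address: 216.75.63.190
"""


def parse_listing(text):
    """Return (domain, ip) pairs; a bare domain line counts as a 'Name:' line."""
    pairs, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Address:"):
            ip = line.partition(":")[2].strip()
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            if pending:
                pairs.append((pending, ip))
                pending = None
        elif line.startswith("Name:"):
            pending = line.partition(":")[2].strip()
        else:
            pending = line  # a domain line that lost its "Name:" prefix
    return pairs


def spread_report(pairs):
    """Summarise how many distinct hosts and /24 networks the domains sit on."""
    per_ip, per_net = defaultdict(list), defaultdict(int)
    for domain, ip in pairs:
        per_ip[ip].append(domain)
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_net[str(net)] += 1
    return {
        "domains": len(pairs),
        "unique_ips": len(per_ip),
        "per_net24": dict(per_net),
        "shared_ips": {ip: ds for ip, ds in per_ip.items() if len(ds) > 1},
    }


if __name__ == "__main__":
    report = spread_report(parse_listing(LISTING))
    print(f"{report['domains']} domains on {report['unique_ips']} addresses")
    for net, n in sorted(report["per_net24"].items()):
        print(f"  {net}: {n} domain(s)")
    for ip, ds in report["shared_ips"].items():
        print(f"  {ip} shared by {', '.join(ds)}")
```

On the excerpt, eight domains use six addresses in three /24s, with two addresses doing double duty. Run over the full listing the picture is the same: almost every domain gets its own address, but nearly all of them live in 216.75.24.0/24, which is exactly what a reputation system keyed on network rather than host would catch.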

Update: I did some checking on the IP number of the spambot. It’s been in play at least since August 17, 2006 - promoting domains owned by Doug Petrie.

The domain, cashadvanceclowns.com, has this whois:

Douglas Petrie
438 Ottawa Ave
Hasbrouck Heights, New Jersey 07604
United States

I’ve also found promotion of poker sites on spaces live, with affiliate ID 2769220 at partypoker.com.

Customer reviews targeted

Friday, September 22nd, 2006

Spammers blast their spam at any webform they can find. Now including customer reviews.

Example: Barclaymaps

Disgusting…

Fighting spam is a full time job

Wednesday, September 13th, 2006

The quote is from a comment on the Block Snoopy post.

I’ve heard large websites have to spend a considerable amount of time fighting comment spam.

Anyone with war stories to tell?

Den Kokareff - spammer

Tuesday, August 29th, 2006

I’ve been receiving lots of comment spam lately that’s obviously culled from a new feed, with spammy links interspersed, hidden behind the text. Here’s an example from today, with the links redacted:

Cable deal lifts B’ville station Time Warner Cable and three Baldwinsville-area municipalities tentatively life insurance comparison agreed to a deal that would guarantee the local cable access station a steady source of money life insurance comparison the next decade.
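The giveaway in that comment is structural rather than lexical: the same keyword phrase is wrapped in a link twice and dropped into the middle of sentences of scraped news copy. The following is an added example, not code from the original post, that scans a comment body for exactly those signals: repeated anchor text, anchors hidden with inline styles, and the share of words that are link text. The sample comment is a constructed imitation of the spam quoted above with placeholder hosts instead of the real URLs; the "hidden behind the text" part is reproduced as an inline `font-size:0` style, which is an assumption about how the original was hidden, and the thresholds are chosen for the example.

```python
"""Flag comments that splice keyword links into scraped news text.

Added example, not from the original post. SAMPLE is a constructed
imitation of the spam quoted above with placeholder hosts; the hidden
style and the thresholds are assumptions made for the example.
"""
import re
from collections import Counter
from html.parser import HTMLParser

HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)


class LinkScan(HTMLParser):
    """Collect each anchor's href, text and hidden flag, plus the prose outside anchors."""

    def __init__(self):
        super().__init__()
        self.links, self.plain, self._cur = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = {"href": a.get("href") or "", "text": "",
                         "hidden": bool(HIDING.search(a.get("style") or ""))}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
        else:
            self.plain.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None


def comment_link_signals(html):
    """Return the link-related spam indicators for one comment body."""
    scan = LinkScan()
    scan.feed(html)
    anchor_texts = Counter(l["text"].strip().lower() for l in scan.links)
    plain_words = len(" ".join(scan.plain).split())
    link_words = sum(len(l["text"].split()) for l in scan.links)
    hosts = {re.sub(r"^https?://([^/]+).*", r"\1", l["href"]) for l in scan.links}
    return {
        "links": len(scan.links),
        "hidden_links": sum(l["hidden"] for l in scan.links),
        "repeated_anchor_text": [t for t, n in anchor_texts.items() if n > 1],
        "link_word_ratio": round(link_words / max(plain_words + link_words, 1), 2),
        "external_hosts": sorted(hosts),
    }


def looks_like_link_spam(signals, max_ratio=0.5):
    """Assumed rule: repeated keyword anchors, any hidden anchor, or mostly link text."""
    return (bool(signals["repeated_anchor_text"])
            or signals["hidden_links"] > 0
            or signals["link_word_ratio"] > max_ratio)


# Constructed imitation of the quoted spam (placeholder hosts, not the real ones).
SAMPLE = ('Cable deal lifts B\'ville station Time Warner Cable and three Baldwinsville-area '
          'municipalities tentatively <a href="http://host-a.invalid/files/life-insurance-comparison.html">'
          'life insurance comparison</a> agreed to a deal that would guarantee the local cable access '
          'station a steady source of money <a href="http://host-b.invalid/life-insurance-comparison.html" '
          'style="font-size:0">life insurance comparison</a> the next decade.')

# Constructed ordinary comment with one link, for contrast.
LEGIT = 'Thanks, see <a href="http://docs.example/guide">the guide</a> for details.'

if __name__ == "__main__":
    for label, body in (("spam", SAMPLE), ("legit", LEGIT)):
        s = comment_link_signals(body)
        print(label, looks_like_link_spam(s), s)
```

Repeated anchor text on its own is the strongest of these signals for feed-scrape spam, because the scraped prose is perfectly fluent and any word-based filter will pass it; the only thing the spammer added is the links.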

One of the links was:

http://eteamz.active.com/businessloan/files/life-insurance-comparison.html

It had a javascript redirect to:

http://search.comparezone.info/life-insurance-comparison.html

Now, that site is on the same IP the spam came from:

70.84.176.58 - The Planet

I checked my inbox. I had 429 spams from that IP address in August.

In addition to Adsense, the site had several affiliate links that I didn’t bother to figure out:

Adsense: pub-2039039127093366

The site is on a net block that rwhois says is owned by CPS Labs Ltd, in Illinois. Problem is, the only company with that exact name I could find on the net, is actually in the Russian Federation. That got me curious enough to keep digging. So far I’ve been unable to find a company by that name in Oak Park, Illinois.

However, CPS Labs has at least two IP blocks at The Planet:

70.84.176.56 - 70.84.176.63
67.19.100.224 - 67.19.100.231

Some whois data used by sites on those ranges is obviously fake:

John Smith
Apartado Postal
Quito, 423012 423012
Ecuador

But the guy who’s really behind this forgot to hide very well:

Kokareff, Den den_kokareff@hotmail.com
32 Rebecca Rd
East Hanover, New Jersey 07936
United States
9733861607 Fax –

That’s a legit address, and I found an older listing (confirmed October 2005) for him at that address:

Denis Kokarev
32 Rebecca Rd
East Hanover, NJ 07936-3431
(973) 386-1607

Unless this guy’s been whois joe jobbed by the spammer, he IS the spammer.

Update: There is or was a 30 year old by that name in Oak Park, Illinois. Maybe that’s the new address?

Third fake Spamcop site

Saturday, August 26th, 2006

I’ve written about fake Spamcop sites recently.

I found a third site:

spampatrol.org

This one is on 67.19.92.171

Whois:

Registrant Name:Jerry Hirster
Registrant Organization:Spam Patrol
Registrant Street1:1000 Cameron Woods Drive, Apex, NC 27523
Registrant Street2:
Registrant Street3:
Registrant City:Apex
Registrant State/Province:
Registrant Postal Code:27523
Registrant Country:US
Registrant Phone:+866.8260453
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: abuse@spampatrol.org

But it’s registered on EstDomains…

And other sites on that same IP number look decidedly spammy…

One of those sites is hydrocodone-1.com. What’s interesting is that it’s got a similar javascript redirect to the other sites. And this goes to a php redirect script on emaxrdr.com (on 207.226.162.125), which then redirects to abusecentral.org, which we remember from my first post!

Most of these domains have whois info pointing to (fake, of course):

Josua Givash        (emaxseo@gmail.com)
5821 Reddman Road
Charlotte
North Carolina,28212
US
Tel. +866.7465632

A peek behind the scenes at a spammer’s lair

Saturday, August 26th, 2006

I got a comment that appeared to be from the guy who impersonated Michael Pollitt recently. I knew from before that this one is a bit sloppy, so I checked the IP address. Turns out he left all his files out in the open.

zonewarez.net

You’ll find site logs as well as logs from his spamming. Check it while it’s still operational.

Comment spam turns to fraud recruitment

Friday, August 25th, 2006

Here’s a comment spam I received today, posted on to the post about me deleting my guestbook (a favorite among spammers).

Author: PorellPartners (IP: 193.253.255.51, LNeuilly-152-21-137-51.w193-253.abo.wanadoo.fr)
E-mail: loginsim@cashette.com
URI: http://porellpartnersc.com/contacts/information.php
Whois: http://ws.arin.net/cgi-bin/whois.pl?queryinput=193.253.255.51
Comment:
PorellPartners Company, one of the fastest growing financial group in USA With over six years of specialized experience has openings for courier place. Company was established in 2000 year, currently is based in USA and provides mergers and acquisitions consultation and policy consulting for all clients across the entire range of wealth management and financial services businesses worldwide. We are seeking individuals who are interested in building a profitable and rewarding business with our help and support, while achieving a balanced lifestyle that offers both personal and professional growth. This job, if approached correctly is an opportunity for almost unlimited income potential, and very fast-growing career. And the Job itself is not that hard one may think, on a contrary it as easy as one-two-three, as we already have mentioned our company works with the clients worldwide, many of them deposited their money in our dividends and we are paying them every month, the point is that there are too many clients (more then 45,000) and our managers can not do all job that is why we are hiring the courier as indeed one of the main parts of the company work-chain, and the courier will have responsibility for receiving company funds and dividends and sending them to the company clients and will receive payments from every transfer they did . The PorellPartners is growing and we again need an open-minded people with the ambition to become successful and richer indeed.

Requirements: The ideal candidate has prior experience and familiarity with financial services. You must have excellent organizational as well as customer service skills. Teamwork Skill is a “must”. Bachelor Degree is an advantage.

Best Regards: Chief Manager Jamie Stevens
Web-site: http://porellpartnersc.com/contacts/information.php

Sounds nice, eh?

But if you look just a little bit closer, it all falls apart.

First of all, this sounds a lot like a job ad for being a mule. In the past criminals would have folks in the US receive parcels at their home, then ship them abroad. Problem was, those parcels had been bought with stolen credit cards, or were the result of some other fraud.

I hadn’t heard of the Money Mule, but I’m guessing this is what this scheme is about.

Here’s the whois information. Notice how the domain was registered just a few days ago? That’s a sure sign it’s a fraud. A prestigious company would have had a long established website:

08/25/06 20:18:35 whois porellpartnersc.com

Registrant:
n/a admin@porellpartnersc.com +7.495000000
n/a
n/a
Moscow,RU,RU 112312

Record last updated at 2006-08-17 14:27:53
Record created on 2006/8/17
Record expired on 2007/8/17

Domain servers in listed order:
ns1.viphosting.biz ns2.viphosting.biz

And the IP address is: 81.177.37.61, which is on prestige-media.ru. Hardly a likely webhosting for a prestigious US company.

A quick search turns up a website that looks like the real website for them. Problem is, that one’s a fake too. It’s down, but the Google cache shows it’s identical to this new one.

08/25/06 20:25:06 whois porellpartnerscompany.com

Administrative Contact:
Petrovitsky, Stepan porellpartners@inbox.ru
Kanatnaya str., 19-31
Krasnoznamensk, Moscow region 142910
Russian Federation
79259988731
Created on: 10-Aug-06
Expires on: 10-Aug-07
Last Updated on: 10-Aug-06

Domain servers in listed order:
NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM

I’ve seen the spammers before too. Often quite inventive spams. They quite often post comment spam that looks as though it’s meant for e-mail spam. The spam is quite often interaction intensive. Fraud of different sorts. Including Russian girls looking for guys. There’s more, but I won’t get into that just now.
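The "registered just a few days ago" check above, and the creation dates quoted in the whois dumps throughout these posts, are easy to automate once you get past the fact that every registrar prints dates in its own layout (the two dumps in this post alone use `2006/8/17` and `10-Aug-06`). Here is an added example, not from the original post: it finds the creation line in raw whois text, tries each layout seen on this page, and computes how old the domain was on the day the spam arrived. The 30-day threshold is an assumption made for the example.

```python
"""Compute how old a domain was when its spam arrived, from raw whois text.

Added example, not from the original post. DATE_LAYOUTS lists the
creation-date layouts that appear in the whois output quoted on this
page; the 30-day threshold is an assumption made for the example.
"""
import re
from datetime import date, datetime

CREATED_LINE = re.compile(
    r"^\s*(?:created on|record created on|creation date)\s*:?\s*(.+?)\s*$", re.I | re.M)

DATE_LAYOUTS = (
    "%d-%b-%Y %H:%M:%S UTC",  # 22-Jun-2006 14:24:06 UTC
    "%d-%b-%Y",               # 04-May-2005
    "%d-%b-%y",               # 10-Aug-06
    "%Y/%m/%d",               # 2006/8/17
)


def parse_whois_date(text):
    """Return a date for any layout in DATE_LAYOUTS, else raise ValueError."""
    for layout in DATE_LAYOUTS:
        try:
            return datetime.strptime(text.strip(), layout).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised whois date: {text!r}")


def creation_date(whois_text):
    """Find the creation line in a whois dump and parse its date."""
    m = CREATED_LINE.search(whois_text)
    if not m:
        raise ValueError("no creation date line found")
    return parse_whois_date(m.group(1))


def domain_age_days(whois_text, observed):
    """Days between registration and the day the spam was seen (date or ISO string)."""
    if isinstance(observed, str):
        observed = date.fromisoformat(observed)
    return (observed - creation_date(whois_text)).days


def newly_registered(whois_text, observed, threshold_days=30):
    """Assumed rule: anything under a month old gets a closer look."""
    return domain_age_days(whois_text, observed) < threshold_days


# Creation lines from the two whois dumps quoted above.
PORELLPARTNERSC = """\
Record last updated at 2006-08-17 14:27:53
Record created on 2006/8/17
Record expired on 2007/8/17
"""
PORELLPARTNERSCOMPANY = """\
Created on: 10-Aug-06
Expires on: 10-Aug-07
Last Updated on: 10-Aug-06
"""

if __name__ == "__main__":
    seen = "2006-08-25"  # the day the comment spam arrived, per the post
    for name, text in (("porellpartnersc.com", PORELLPARTNERSC),
                       ("porellpartnerscompany.com", PORELLPARTNERSCOMPANY)):
        print(name, domain_age_days(text, seen), "days old; new:", newly_registered(text, seen))
```

Both domains come out at well under a month old on the day the "courier" ad was posted, which is the point made above: an established financial company does not have a site registered the week before it starts recruiting.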

Redirect to spamcop

Thursday, August 24th, 2006

I followed a link to a free phpBB forum, from a comment spam I’d received. It had a redirect in the subtitle line, as usual. But this was no ordinary redirect. It was the screwiest type of redirect I’d ever seen.

I managed to deobfuscate it, and saw that it pointed to an IP address: 207.226.162.126 (which answers as fat-women-porn.shacknet.nu, which in turn doesn’t resolve). The document was a php file with some keywords.

Trouble is, that php document spits back a redirect to:

abusecentral.org

It’s a fake spamcop site, on a nearby IP address: 207.226.162.122

Whois:

Domain Name:ABUSECENTRAL.ORG
Created On:18-Apr-2006 03:37:18 UTC
Last Updated On:26-Jul-2006 11:45:40 UTC
Expiration Date:18-Apr-2007 03:37:18 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:DI_2795099
Registrant Name:Dan Bush
Registrant Organization:n/a
Registrant Street1:700 Co Op City Blvd Bronx
Registrant Street2:
Registrant Street3:
Registrant City:New York
Registrant State/Province:New York
Registrant Postal Code:10475
Registrant Country:US
Registrant Phone:+1.7183205492
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: red12@neotwin.com

I poked around some, and that script gives a different result if you come in from a search engine. The abusecentral page is supposed to throw anti-spammers off his scent. The trail seems to end at pharmasearch.name (also on 207.226.162.126).

Whois:

Registrant Organization: Aivar
Registrant Name: Aivars Iltans
Registrant Address: Invu 9
Registrant City: Mexico
Registrant Country: MEXICO
Registrant Postal Code: 23258
Admin ID: 1753557CONTACT-NAME
Admin Organization: Aivar
Admin Name: Aivars Iltans
Admin Address: Invu 9
Admin City: Mexico
Admin Country: MEXICO
Admin Postal Code: 23258
Admin Phone Number: +2.888375498

Registered at EstDomains, and the e-mail address is on a domain that has no DNS.

The affiliate scheme is klik.php at 64.111.210.10

You can see the size of this operation by downloading the logs off a subdirectory on 207.226.162.126.

—————

The spambot in this case was 85.255.117.253, which has posted other spams since August 22. The user agent was: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

The two most recent spams had this at the end of the body of the comment:

End ^) See you test

That’s curious, since it was also something I found in the files of a spambot (on a hacked site) that did a few revenge spams - on my site, impersonating Michael Pollitt. That time, it had this form:

End ^) See you

Spams with the first variation go back to August 23, while the second variation goes back to the beginning of August. And yes, it’s the same spam script, but a different MO. The payload URLs are different. Could be a different spam campaign, or two spammers.

———

Another whois variation implicated is:

TraffMan
Andris Maupalis (traffman@gmail.com)
Elgavas - 18/25
Riga
,LV2019
LV
Tel. +371.52477618

I found his sites in various ways. Both on 207.226.162.126 and on 69.31.41.84.

There’s a LOT of evidence in those logs, wow!

There’s a tentative link to something I wrote about on Hinter Inc. 207.226.162.126-207.226.162.138 contains dynamic IP subdomains, with affiliate looking redirects to dynamicscripting.com. That overlaps this spammer by one IP address. What’s interesting, is that there are some regular domains on some of the IP numbers, and those do not have affiliate looking links/redirects. Just regular search links. Each redirect also has a different number, so it’s possible it’s a “fake affiliate scheme”.

———-

Spambots:

85.255.117.253 (Inhoster has one of his sites on it, when accessing the IP number)
82.137.209.12
202.155.100.96
210.17.38.206
125.60.204.68

Several of these are in RBL lists for mail spamming
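Checking whether a spambot address sits on a mail blocklist is a DNS query: reverse the four octets, append the list's zone, and look the name up; a listed address answers with an A record in 127.0.0.0/8 whose last octet says which sub-list hit. The following is an added example, not from the original post. The resolver is injectable so the logic can be exercised offline against a constructed stub; the meaning of the return codes is my reading of the Spamhaus ZEN documentation (an assumption to verify against the current docs), and the stub's answers are constructed for the example, using Spamhaus's documented 127.0.0.2 test entry and a TEST-NET address rather than any address from the post.

```python
"""Look up an address in a DNS blocklist and interpret the answer.

Added example, not from the original post. ZEN_CODES is my reading of the
Spamhaus ZEN return codes (verify against current docs); STUB_ANSWERS is
constructed so the example runs offline.
"""
import ipaddress
import socket

# Assumed meaning of the last octet of a 127.0.0.x answer from zen.spamhaus.org.
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL DROP", 10: "PBL (ISP)", 11: "PBL (Spamhaus)"}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the reversed-octet query name, e.g. 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper only builds IPv4 DNSBL names")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolve(name):
    """Return the A records for name, or [] when it does not exist (= not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_check(ip, zone="zen.spamhaus.org", resolve=live_resolve):
    """Return the sub-lists the address is on (empty list = not listed)."""
    hits = set()
    for answer in resolve(dnsbl_query_name(ip, zone)):
        octets = answer.split(".")
        # A listing is always inside 127.0.0.0/8; anything else is not a hit
        # (for example a wildcard answer from a broken resolver path).
        if octets[0] != "127":
            continue
        hits.add(ZEN_CODES.get(int(octets[3]), f"unknown code {answer}"))
    return sorted(hits)


# Constructed stub resolver: 127.0.0.2 is the documented always-listed test
# entry, 192.0.2.1 is a TEST-NET address that no list carries.
STUB_ANSWERS = {
    dnsbl_query_name("127.0.0.2"): ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    dnsbl_query_name("192.0.2.1"): [],
}


def stub_resolve(name):
    return STUB_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.1"):
        print(ip, dnsbl_check(ip, resolve=stub_resolve) or "not listed")
    # For a real check of a spambot from the post, drop the stub:
    # print(dnsbl_check("85.255.117.253"))
```

The 127.0.0.0/8 guard matters in practice: some access networks hand back a sinkhole or search-redirect address for names that do not exist, and without the guard every unlisted host would look listed.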

A site on 85.255.117.253 had this whois:

Hiromax ltd
Hiromax ltd (tech@hiramax.com)
Suite 2, Portland House, Glacis Road
Suite 2
,00000
GI
Tel. +1.3023380662
Fax. +1.3023380662

One of the scripts I found on the spammer’s site had the name Hiromax as the owner of the (redirect) script.