The Airline Ticket spammer

From Spamhuntress


This is about a spammer I didn't have time to blog about while he was rampant (2005-04-20 until 2005-05-01). Even though this is a bit after the fact, I'd like to record it here in case he resurfaces.

So far, I've only seen him do referer spam.

I'll call him the "Airline Ticket" spammer since these were the referer spams that first caught my eye:

discounted-airline-ticket.net
international-airline-ticket.net
last-minute-airline-ticket.com
priceline-airline-ticket.com


Checking the logfiles for further hits from the same IP addresses that were used to spamvertise the airline ticket sites revealed a connection to a bunch of spamvertized domains ending in -4you.com, -site.biz, and -page.biz:

airline-tickets-4you.com
online-casino-4you.com
online-pharmacy-4you.com
ringtone-4you.com
spyware-removal-4you.com
bmw-site.biz
cellphones-site.biz
cheap-hotels-site.biz
antivirus-page.biz
business-page.biz
california-page.biz
chevrolet-page.biz
florida-page.biz
ford-page.biz
hawaii-page.biz
honda-page.biz
illinois-page.biz
loan-page.biz
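
The pivot described above (start from the referers of the known airline-ticket domains, collect the IP addresses that sent them, then list every other referer those same IPs sent) can be done directly over the web server log. The following is an added example, not code from the original page; the log lines are constructed in Apache "combined" format and the IP addresses are documentation ranges, not the spammer's real machines:

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original page). Referer domains follow
# the naming pattern the page describes; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2005:10:01:02 -0500] "GET / HTTP/1.1" 200 5120 "http://discounted-airline-ticket.net/" "Mozilla/4.0"
203.0.113.7 - - [21/Apr/2005:11:15:44 -0500] "GET /blog/ HTTP/1.1" 200 8301 "http://online-casino-4you.com/" "Mozilla/4.0"
198.51.100.9 - - [22/Apr/2005:08:30:00 -0500] "GET / HTTP/1.1" 200 5120 "http://www.google.com/search?q=spam" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2005:09:00:00 -0500] "GET /about/ HTTP/1.1" 200 2048 "http://chevrolet-page.biz/" "Mozilla/4.0"
192.0.2.44 - - [24/Apr/2005:12:00:00 -0500] "GET / HTTP/1.1" 200 5120 "http://last-minute-airline-ticket.com/" "Mozilla/4.0"
192.0.2.44 - - [25/Apr/2005:13:00:00 -0500] "GET / HTTP/1.1" 200 5120 "http://cheap-hotels-site.biz/" "Mozilla/4.0"
"""

# Apache combined log format: client IP first, referer is the second quoted string after the status/size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" ')

# The four domains that first caught the author's eye; they are the starting point of the pivot.
SEED_SPAM_DOMAINS = {"discounted-airline-ticket.net", "international-airline-ticket.net",
                     "last-minute-airline-ticket.com", "priceline-airline-ticket.com"}

def referer_host(ref):
    """Extract the lowercase hostname from a referer URL, or None if it is not an http(s) URL."""
    m = re.match(r'https?://([^/:]+)', ref)
    return m.group(1).lower() if m else None

def pivot_on_ip(log_text, seed_domains):
    """Return {ip: sorted referer hosts} for every IP that sent at least one referer
    whose host is in seed_domains. Hosts from other IPs are dropped, so an ordinary
    visitor who arrived via a search engine does not end up in the result."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host = referer_host(m.group("ref"))
        if host:
            by_ip[m.group("ip")].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if hosts & seed_domains}

def related_domains(log_text, seed_domains):
    """Flatten the pivot: every non-seed referer host seen from the flagged IPs.
    These are the candidate domains to check in whois for the same registrant."""
    found = set()
    for hosts in pivot_on_ip(log_text, seed_domains).values():
        found.update(h for h in hosts if h not in seed_domains)
    return sorted(found)
```

The flagged IPs' other referers are only candidates; the page's next step, comparing whois records for shared contact details, is what actually ties them to one registrant.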

All of these domains are registered to the same person. The registration information is incomplete and/or false, but some commonalities point to a single registrant:

  • Use of tgp in the local part of the email address (tgp@thoughguy.net, tgp@bonbon.net)
  • Parts of the address are in Russian, often listing Kasan as the city

Two examples:

home
Fred Sext (tgp@bonbon.net)
89025753477
Fax: none
str. Livina 43-54
Kasan, RU 400242
RU

VF Company
Midel Birek (tgp@toughguy.net)
1453454354363
Fax: none
Serimana 21
Glasgo, UK 03432
GB

All of the above domains redirect to "search engine"-like pages, like searchmeup.com and topsearch10.com, using the keywords of the domains for the search.

Also, the URLs on the search engine pages contain aid=34671, which may be an affiliate id.

Fun fact: In general, he doesn't seem to use subdomains, but he did spamvertize chicago-illinois-lottery.illinois-page.biz for a while.

--Dirk 09:46, 7 May 2005 (CDT)


Update 2005-05-14

He's back. This time, it's ringtones:

cell-phone-ringtone.biz
mp3-ringtone.biz
samsung-ringtone.biz
voice-ringtone.net

Again referer spam only. The sites again redirect to "search engines" with the same affiliate ID (aid=34671), and the registrant email address again starts with tgp (tgp@phreaker.net).


Update 2005-07-25

He's been hitting annelisabeth.com lately, both the guestbook and MT blog comments.

Spambots:

  • 69.50.191.130 (up until at least September 17, 2005) esthost. Other spam from that machine.
  • 205.234.145.222 (up until at least July 21) unknown.ord.scnet.net
  • 67.15.58.15 (up until July 10) ev1s-67-15-58-15.ev1servers.net

Webhost:

  • Dimago Overseas. Example: 216.195.51.231. All domains have different IP numbers in that range.
  • 67.15.58.15 (EV1). A spot check of a domain had tgp@bonbon.net as the contact e-mail.

Whois:

For the spam I got:

All domains registered at ESTDOMAINS

Beres
Beres        (vitos@tiscali.es)
str.Miders 43
Dallas
Texas,534343
US
Tel.  001.23432433224

For domains on EV1's 67.15.58.15:

adult-feature.com, which is implicated in an Adware toolbar. Registered at Godaddy.
Vasiliy, Petrov  tgp@bonbon.net
str. Lenina 45-32
Kasan 400545
Russian Federation
89024435344      Fax --
