Monday, July 30, 2007

Irina... my new love from Russia

I received a new spam message which is identical in many ways to the spam messages I received before and tracked down to some kind of involvement with UALadys etc. The nice girl who wants to chat with me has the email address iwqq@imailmessage.info. There are lots of sightings of similar messages using something@imailmessage.info addresses and, some days later, the alternative something@maillinkmessage.info addresses.

ENom, www.enom.com, is the registrar of the domains, and the server is hosted on the address 123.108.208.21, belonging to BeiJing HuaDa ZhiBao Electronic System CO.,LTD, China, cidc.com.cn. Same registrar and address as the docmaildirect.info domain used in the Marriage Agency Scam.

What confused me a bit this time was that a "permission denied" page is shown if you try to view it in a browser, so at first I thought the spammer had made a mistake, but when the spam was repeated and the server was still in the same condition, I realized that it must be some other kind of scam. There is a lot of information on these scams on the internet; I just went another way last time because of the link to UALadys.com.

So I have sent a few emails to this "cute Russian girl" and she has answered me back. I'm quite sure it will all end up with her asking me to help her with some money for a visa and a ticket so she can come here to Denmark to work and visit me. Of course she will not have a bank account, so she will prefer the money sent by Western Union.

I'm a little surprised that anyone falls for this kind of scam, because there are so many things to make you suspicious even if you have little knowledge of computers:

  • The spam mail is sent from one email address and name, and "she" then claims that it's not her personal email, so you should write to something@imailmessage.info. In the next letter she claims that she has just got a new email address, irishka@freemailserv.net, and by the way her name is now Irina, not the name in the original spam mail.
  • She sends some pictures of a cute-looking girl. To be fair, I think the pictures in the first message are all of the same girl, but in the next messages she (without me asking for it) sends additional pictures, and now the girl in the pictures has suddenly gone from having green/blue eyes to black/dark brown eyes, and her face and hair also look a little different.
  • She generally doesn't answer most of your questions, and her letters contain questions about things you told her in your previous letter, and it's not because I write long letters.
  • And maybe it's just me, but even if she only used one email address and name, all her pictures were of the same girl and she answered your questions etc..... how often does a cute girl you have never heard of before, and whom none of your friends have referred to you, suddenly write to you???
I tried to send her a link to one of my servers, saying it was some pictures of me, but she never looked at the link. Then I tried to send an HTML image tag within a message, but her mail client must be set up not to load images. So there is no way to get that IP address out of her :-)

The 4 emails I have received from the freemailserv account all mention the same address, 85.10.235.211, as the one delivering the mails to the freemailserv SMTP server. This is a server located in Germany. The network is owned by Hetzner Online AG, but a subnet of 8 IP addresses including 85.10.235.211 is assigned to VASSOL-NET, Senpai IT Solutions in Ireland, www.senpai-it.com. I can see that they offer hosting services, with servers apparently colocated at Hetzner Online AG.
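The check described above, pulling the address that handed each mail to the provider's SMTP server out of the Received headers and comparing it across a batch of mails, can be automated. The script below is an added example and is not code from the original post. The three messages it parses are constructed for the example: the host names mx2.freemailserv.net and mail.example.dk and the addresses 192.0.2.10, 198.51.100.7 and 203.0.113.5 are assumptions from the documentation ranges; only 85.10.235.211 comes from the post. One constructed message also carries a forged hop below the provider's own Received line, to show why hops further down the chain are never consulted.

```python
import email
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample messages (not the headers from the original post). The
# hosts and addresses other than 85.10.235.211 are assumed for the example.
SAMPLE_MESSAGES = [
    # Typical chain: our MX got the mail from the provider's MX, which took it
    # from 85.10.235.211 over authenticated SMTP (ESMTPA).
    b"""Received: from mx2.freemailserv.net (mx2.freemailserv.net [192.0.2.10])
\tby mail.example.dk (Postfix) with ESMTP id 1A2B3C
\tfor <me@example.dk>; Mon, 30 Jul 2007 08:12:01 +0200
Received: from [85.10.235.211] (unknown [85.10.235.211])
\tby mx2.freemailserv.net (Postfix) with ESMTPA id 9F8E7D;
\tMon, 30 Jul 2007 08:11:58 +0200
From: Irina <irishka@freemailserv.net>
To: me@example.dk
Subject: hello

Hello my dear...
""",
    # Same relay, but the sender appended a forged hop below the provider's
    # line claiming the mail came from a webmail host. Everything below the
    # first hop we trust was written by the sender and must be ignored.
    b"""Received: from mx2.freemailserv.net (mx2.freemailserv.net [192.0.2.10])
\tby mail.example.dk (Postfix) with ESMTP id 4D5E6F
\tfor <me@example.dk>; Tue, 31 Jul 2007 09:03:44 +0200
Received: from [85.10.235.211] (unknown [85.10.235.211])
\tby mx2.freemailserv.net (Postfix) with ESMTPA id 7A8B9C;
\tTue, 31 Jul 2007 09:03:40 +0200
Received: from webmail.example.net ([203.0.113.5])
\tby [85.10.235.211] with HTTP; Tue, 31 Jul 2007 09:03:30 +0200
From: Irina <irishka@freemailserv.net>
To: me@example.dk
Subject: my papers

The agency will have my papers tomorrow...
""",
    # Control message handed to the provider from a different address.
    b"""Received: from mx2.freemailserv.net (mx2.freemailserv.net [192.0.2.10])
\tby mail.example.dk (Postfix) with ESMTP id 0B1C2D
\tfor <me@example.dk>; Wed, 1 Aug 2007 18:20:05 +0200
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx2.freemailserv.net (Postfix) with ESMTPA id 3E4F5A;
\tWed, 1 Aug 2007 18:20:01 +0200
From: Irina <irishka@freemailserv.net>
To: me@example.dk
Subject: ticket

About the ticket...
""",
]

# A trace field reads "from <sender clause> by <receiving host> ...".
RECEIVED_RE = re.compile(r"^from\s+(?P<sender>.*?)\s+by\s+(?P<by>[^\s;]+)",
                         re.IGNORECASE)
# The receiving MTA records the peer address it actually saw in brackets.
BRACKETED_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return (sender_clause, receiving_host, peer_ip) for one Received header."""
    flat = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    peer_ip = None
    for candidate in BRACKETED_IPV4_RE.findall(m.group("sender")):
        try:
            peer_ip = str(ip_address(candidate))
            break
        except ValueError:  # e.g. 999.1.1.1 matched the loose pattern
            continue
    return m.group("sender"), m.group("by").lower().strip("[]"), peer_ip


def delivering_ip(raw_message, trusted_mx_suffix):
    """Peer address logged by the first Received line written by a host we trust.

    Headers are read top-down (newest hop first) until the 'by' host belongs to
    the trusted provider; lower hops are sender-controlled and never consulted.
    """
    msg = email.message_from_bytes(raw_message)
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        _, by_host, peer_ip = parsed
        if by_host == trusted_mx_suffix or by_host.endswith("." + trusted_mx_suffix):
            return peer_ip
    return None


def origin_counts(raw_messages, trusted_mx_suffix):
    """Tally the delivering address across a batch of mails from one sender."""
    return Counter(delivering_ip(m, trusted_mx_suffix) for m in raw_messages)


if __name__ == "__main__":
    for ip, n in origin_counts(SAMPLE_MESSAGES, "freemailserv.net").items():
        print(f"{ip}: {n} message(s)")
```

Run against a mailbox export, the tally gives you the same observation the post makes by hand: one relay address showing up behind every mail from the "free mail" account. The address is only as trustworthy as the MTA that logged it, which is why the walk stops at the provider's own hop instead of reading to the bottom of the chain.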

The server has no web server running but has various other open or filtered ports. There are some SMTP/POP3 and other ports via OpenVPN, some SOCKS4/5, and ports for DOOM (the game) and eDonkey, or maybe some trojans, because there are also well-known trojans using those ports. It's difficult to say whether the server has been hijacked by the scammer or is actually a proxy server set up for the scammer. Senpai IT Solutions have promised me to look closer at the server.

Finally I did a Google search on 85.10.235.211, and besides two other guys reporting the same scam, the IP address turned up on three Russian sites, one of which is quite interesting. It's a message submitted to some kind of forum:

[screenshot of the forum post]

I don't understand Russian, but what I can see is that the 85.10.235.211 IP address was used when posting, and the email buy[at]documentum.ws is mentioned. The site documentum.ws is not hosted at Senpai IT Solutions, and apparently registrar information is not that easy to get for those Russian sites. I have tried sending an email to buy[at]documentum.ws but have gotten no answer yet.

And just to wrap up about the lovely Irina: she is now in St. Petersburg, and tomorrow the travel agency should have her papers ready so she can come here to Denmark... if it wasn't for the unexpected extra money for the ticket etc. that she will ask me for. A very trusting girl, I must say: she doesn't know my full name, address etc., has never seen a picture of me or asked about my age, we have only been writing to each other for 4-5 days, and now she is heading for Denmark. I will post our wedding photo here on the site in a few days ;-)

8 comments:

Anonymous said...

Some further interesting info, capable of being dug up by anyone:

imailmessage.info -> Fake whois information featuring registrant "James Stevenson" at fictitious address 4949 North Calle Los Cerros in Tempe, AZ.

IP address: 123.108.208.21

Hosted, as you mentioned, by BeiJing HuaDa ZhiBao Electronic System.

Second domain, the one from which they focus the extended communication, is registered in Russia by webnames.ru (a genuine registrar.)

But! Ping the domain: 64.71.167.123. That's hosted by Hurricane Electric, located in Fremont California. Whois also lists "McColo Corporation" out of Newark, Delaware.

To understand this better - and to further outline the scheme:

- Dating site has a spam-friendly affiliate program
- Affiliates are each given a "bulletproof" domain (usually hosted in China, as usual) which they will use for email addresses for "first contact" only.
- Affiliate gets paid per "reply" to that address, and from there it's handed over to the UALadys people. (Thus the switch in domain, etc.)
- Spammer is in and out very quickly, and only cares about first replies to these addresses, nothing else. If you keep talking: great. If not: they don't care, they already got paid, probably within the same day.

The extended scam has been seeded by the original spam and that's against the law in the US. So you can complain directly to Hurricane Electric / McColo Corporation regarding this obvious scam. (Especially when it does advance to the actual demanding of money.) This is using their servers and infrastructure to support a flatly illegal operation.

Worth a shot anyway. :)

SiL

Anonymous said...

2nd followup: That buy@documentum.ws is attempting to blog / forum spam for fake diploma mills.

The English translation for the spam you found is:

Title: Selling diplomas, certificates...

Academic high schools, technical colleges, graduate schools.
Quality construction. Quick delivery. Without prepayment.
Turning to us, the day you become a licensed specialist.


It's posted all over the place in Russian. The website doesn't load, at least not for me.

It's asking you to contact someone named "Serguei", at phone number 8-916-781-62-04.

SiL

Henrik Uffe Jensen said...

Thanks a lot.

Shame on me for not following that thread.. thought freemailserv.net was a well-known free email service so I didn't dig any further in that direction.

Anonymous said...

They've been using permutations of "free" and "mail" in something approaching several hundred such domains this year alone. :)

It would be nice to see a US lawsuit happen against these scumbags. They try to mess up the trail by registering domains in China or other overseas locations, but it's always an American doing the spamming, and an American company who profits from it. Time to bring some heat on these bastards.

SiL

Anonymous said...

Interesting idea but I'm not sure it would work

Anonymous said...

I have the same opinion with most of your points, however some need to be discussed further, I will hold a small discussion with my buddies and maybe I will ask you some opinion soon.

- Henry

Anonymous said...

Set a thief to catch a thief

Anonymous said...

I'm sick and tired of those Irina letters. Obviously I'd never reply to them, but the spammer is very persistent and very annoying unlike the "African bride" letters which would only arrive once in a great while. I got like 10 Irina letters in the course of 2 weeks!!! I tried setting my spam filter to filter them out, but somehow they still get through. I really hope someone will catch this spammer and cut off his cojones, because no other punishment would be good enough.