Tuesday, July 10, 2007

Marriage agency scam: The spamvertised site (part 1)

Received lot of spam emails at info@mydomain addresses lately, like the example below:



I tried to write to some of the email addresses in the spam mails and pretended that I was interested and soon after I got a long letter from a girl explaining that she would come to my country and work etc. and that she would like to meet a man. The girl now wanted me to write to the email address antip@ranbler.net instead. The mail was written in very general terms, so that it could easily be send to people coming from different countries and infact I received the exact same letter a few times, so clearly this is a robot answer unless it's an extremely stupid girl. I will see if "she" writes me back again after I send some questions to her.

While waiting I took a look at docmaildirect.info which is the domain used for email addresses in the original spam mail.



This turns out to be a page that looks something from a dating side except it's a little weird that the default page for the domain is a detailed profile page. I then tried to press the "Send letter" / "Join now" buttons that can be seen on the top of the page. They both redirect to the same page, a user registration page of a domain called lovewather.com. I will get back to the domain lookups + complaints in part 2 of this post.

I then tried to register using fake informationm, and after registration I was redirected to a domain called ualadys.com and I also received confirmation email from them, so clearly lovewather.com was only a facade used for getting new members to sign up. I guess the long way from docmaildirect.info over www.lovewather.com to www.ualadys.com is probably made in order to make it more difficult to directly connect the spam mail with the main domains. ualadys.com also exists under different domain names:

and probably even more than that.

Compared to what you normally meet at spamvertised sites there are quite a lot of contact information available on these pages. It could be forged but I will look into that later. They also have a support ticket system so I started out by asking why they spam.... the ticket got closed without an answer....



So to summarize. All the email adresses mentioned in the spam messages are to the domain docmaildirect.info. The page located on this domain has links to www.lovewather.com and if you register on this page you actually get registered at www.ualadys.com. If you look at the source code of the pages on lovewather.com and ualadys.com you can see that this is actually same software that is behind. So even though the 3 sites are located at different servers then there is a fine red thread between them all that makes me certain that IISPP (and their xxladys.com sites are behind the spam) A little searching also quickly found other pages claiming that spamming is done from these sites.

In part 2 I will look into the different domains + hosting providers etc...

No comments: