Tuesday, July 31, 2007

Dating scammers: freemailserv.net moved

Yesterday I wrote about how McColo closed down the server hosting freemailserv.net only few hours after our complaints. This morning I can then see that the freemailserv.net is up and running again on address 81.29.241.9, belonging to LLC GlobalWholesaleTrade, www.global-hosting.ru, Russia, and a complaint has now been sent to them.

Again this is interesting also seen in connection with UALadys (Marriage Agency Scam). Lovewather.com which was one of the domains used to redirect from the earlier spams to UALadys.com and which used same RPX extension/language as UALadys.com was also hosted at LLC GlobalWholesaleTrade.

But lets see maybe now I get more letters from Irina... unless "she" is reading this blog, if so then I must probably accept that I blew my chance with "her".

Monday, July 30, 2007

Irina... my new love from Russia : Update

When I'm sleeping and not following the rule number 1 - "Follow each little thread until you are certain it leads to nothing" then it's good that others (SiL) are awake.

I told about the email address at freemailserv.net and this is actually not just a free email service as I thought. Freemailserv.net resolves to 64.71.167.123 which belongs to Hurricane Electric, www.he.net, but is assigned to McColo Corp, www.mccolo.com. That is very interesting and good that I got a wake up call to realize this. McColo Corp is as I mentioned in earlier posts about the Marriage agency scam also the company hosting for UALadys.com. That seems like a coincidence to good to be true. I have asked UALadys about this too, but since their last mail where they claimed that an affiliate was behind the spamming, they have been very quite.

If you use google to search for 64.71.167.123 or freemailserv.net you find lot of references to this scam, but what surprised me most was that some of the references involving this IP-Address is as old as june 2006. It seems weird if McColo have received no complaints before about this when I'm able to find so many references.

But I send a complaint to McColo and a copy to Hurricane Electric. I have gotten no answer from them but here 3 hours after I filed the complaint the server is down.

Another help I got today was translation of the russian post that also involved the 85.10.235.211 address and the documentum.ws domain. It turns out it was an advertisement for fake diplomas and certificates, which suddenly makes it seems like documentum.ws is defently not a victim. And only a few hours after sending an email to buy@documentum.ws regarding the relation to the 85.10.235.211 server, then the web site was no longer available.... but I think it may be a coincidence. Jethosting.ru that is hosting documentum.ws is also down, so is ripn.net (WhoIs Service) and rbnet.ru (Russian Backbone Net).

While looking through the background information about this scam I managed to find no less than 4 different photos of passports with Irinas picture on... however she was called Irina on none of those 4 passports. Fake passports seems to fit weel together with fake diplomas and certificates...

www.delphifaq.com/faq/images/5767.jpg
www.delphifaq.com/faq/images/6081.jpg
www.delphifaq.com/faq/images/3332.jpg
www.delphifaq.com/faq/images/9777.jpg

Irina... my new love from Russia

Received new spam message which is identical in many ways to the spam messages I received before and tracked down to some kind of involvement with UALadys etc. The nice girl, who wanted to chat with me, has email iwqq@imailmessage.info. There is lot of sightings of similar messages with something@imailmessage.info and some days later the alternative something@maillinkmessage.info addresses

ENom, www.enom.com, is the registrator of the domains and the server is hosted on address 123.108.208.21 belonging to BeiJing HuaDa ZhiBao Electronic System CO.,LTD, China. cidc.com.cn. Same registrator + address as the docmaildirect.info domain used with the Marriage Agency Scam.

What confused me a bit this time was that a "permission denied" page is shown if you try to watch it in a browser, so I actually first thought that the spammer made a mistake, but when the spam was repeated and still the same condition of the server then I realized that it must be some other kind of scam. There are lot of information on these scams on the internet I just went other way last time due to the link to UALadys.com.

So I have send a few emails to this "cute russian girl" and she have answered me back again. I'm quite sure it will all end up with her asking me to help her with some money for a VISA + ticket so she could come here to Denmark and work + visit me. Of course she will not have a bank account so she prefers the money sent by Western Union.

I'm little surprised that someone falls for this kind of scams because there are so many things to make you suspicious even if you you have little knowledge of computers

  • Spam mail is sent by one email address + name and "she" then claims that it's not her personal email so you should write to something@imailmessage.info. In the next letter she then claims that she just got new email address irishka@freemailserv.net and btw then her name is Irina not the name originally in the spam mail.
  • She sends some pictures of a cute looking girl. To be fair I think the pictures in one message sent is of the same girl, but in next messages she (without me asking for it) then sends additional pictures, and now the girl on the pictures suddenly went from having green/blue eyes to black/dark brown eyes and also her face/hair looks a little different.
  • She generally doesn't answer most of your questions and her letters also contains questions to something you just told her in the past letter and it's not because I write long letters.
  • And maybe it's just me but even if she only used 1 email/name, all her pictures was of the same girl and she was answering your question etc..... how often does a cute girl you have never heard of before and none of you friends have refered to you suddenly writes to you ???
I tried to send her a link to one of my servers saying it was some pictures of me, but she never looked at the link. Then tried to send html image tag within a message but her mail client must be setup for not receiving images. So no way to get that ip-address out of her :-)

The 4 emails I have received from the freemailserv account all mentions the same address 85.10.235.211 as the one delivering the mails to the freemailserv STMP server. This is a server located in Germany. Network owned by Hetzner Online AG but a subnet of 8 ip-addresses including 85.10.235.211 is assigned to VASSOL-NET, Senpai IT Solutions in Ireland, www.senpai-it.com. I can see that they are offering hosting services, servers which are apparently then colocated at Hetzner Online AG.

The server has no webserver running but have different other open or filtered ports. There are some SMTP/POP3 + other ports via OpenVPN, some Socks4/5, ports for DOOM (The game) + eDonkey or maybe some trojans because there is also more known trojans using those ports. It's difficult to say if the server is hijacked by the scammer or it's actual a proxy server setup for the scammer. Senpai IT Solutions have promised me to look closer at the server.

Finally I did a search on google using the 85.10.235.211 and besides two other guys reporting about the same scam then the ip-address turned up on tree russian sites, where one is quite interesting. It's a message submitted to some kind of forum:



Don't understand russian but what I can see is that the 85.10.235.211 ip-address was used when posting and the email buy[at]documentum.ws is mentioned. The site documentum.ws is not hosted at Senpai IT Solutions and apparently registrator information is not that easy to get for those russian sites. But I have tried to send an email to buy[at]documentum.ws but have gotten no answer yet.

And just to wrap up about the lovely Irina then she is now in St. Petersburg and tomorrrow the travel agency should have her papers ready so she could go here to Denmark... if it wasn't for the unexpected extra money for ticket etc. that she will ask me for. Very trustful girl I must say.. she doesn't know my full name, address etc. has never seen a picture of me or asked about my age, we have only been writing to eachother for 4-5 days and now she is heading for Denmark. I will post our wedding photo here on the site in a few days ;-)

Tuesday, July 24, 2007

Identity theft by..... Herbal King ???

Started out yesterday morning with receiving some emails regarding some posts and profiles "I made" on different gay dating sites. My immediately reaction was "yes !!!" because I then know that my work is pissing off some spammer and there is nothing better than to know that your work are appreciated. I knew this would happen sooner or later, that is the price of playing with open cards, but I must admit I had expected something more sophisticated.

First of all gay dating sites?.... gay people do not harm anybody and most of them are decent people who just has another sexual orientation than myself and many other people.... I mean if it was an attempt to hurt me why not try with a forum for racists or adding me as a spammer to bulkerforum.biz.

Second then two of the sites where my profile was created needed either payment and/or verification of email before the profile was being put online, so besides the creator of the profiles and myself then no one can see the profile.

The perpetrator managed to get one post published (that I know of)




Email, well it can just be obtained by looking at the domain registration for this domain, but the phone number is more interesting because that is not the phone number on my domain registration but one that is only listed on my company website.

My company is little known yet and therefore there is not that many visits to the website, so I went to look at the logfiles of the webserver and found only one visit yesterday morning, made just before (less than 30 minutes) the postings / profile creation was done and the ip-address used was 203.173.128.212...... I say that again 203.173.128.212 !!!

Look at my prior post regarding Herbal King spammer, 203.173.128.212 is the address that I have send complaints to Ihug (DSL Provider) about that the Herbal King spammer has used on more occasions!!! What is the chance that another user (not Herbal King spammer) is using the same ip-address from Ihug, New Zealand to visit my little known company website within 30 minutes before a forged post appear using a phone number from that website. Extremely small if you ask me and I'm now trying to get these gay dating sites to search for same ip-address is their logfiles to confirm that is has been used there at the same time where my profles was created.

So Herbal King spammer I have had some trouble convincing Ihug to shut down your DSL connection, I haven't had any luck reporting spam to the New Zealand police, no luck getting _________ (*) to stop their involvement with you etc. and then you give me a gift in form of a clear case of identity theft.

I think I have seen movies about this..... criminals whos bad conscience makes them supply hints about their criminal activities to the police, because they really want to be caught and get relieved. :-)


(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:
http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=20089&yr=2008

Monday, July 23, 2007

ED Pill Store: Follow up on eBullz (Victim)

The other day I wrote about the connection between ED Pill Store HoodiaPlus and ehoodialife.com / ehealthylife.com and some other sites controlled under a business name of eBullz. As I mentioned it didn't seem like the sites was directly involved with the ED Pill Store spammer and the domains was not known to be involved in spamming.

I have now talked with the owner of these sites and have been met with nothing else than big willingness to answer all my questions. ED Pill Store HoodiaPlus has apparently stolen design, graphics etc. from the eBullz and they have allowed me to state that in the complaints I have in progress among other at ISPrime, the hosting provider for the ED Pill Store backend server. The owner could also tell me that HoodiaPlus is not a re-labeling of the HoodiaLife products done by ehealthylife.com through their wholesaler program.

Regarding the certificate then it's the certificate of the manufacturer and it should therefore be possible to find this on many web pages for pharmacy products, whether ED Pill Store spammer has stolen it from ehoodialife.com or gotten it directly from the manucaturer is not to say.

Regarding Xavier Ratelle whos name was found on the St Jean Internet domain registration, then St Jean Internet has helped with development, registration of domains etc. for eBullz so the connection is strictly business related. EBullz will look at getting domain information corrected for ehoodialife.com / ehealthylife.com. I must say if it was a more high profiled "spammer" than Xavier Ratelle I would probably still be suspicious, but afterall there is very little information regarding his involvement with spamming and based on the records that the spamhaus project has, It's difficult to determine if he was only involved in helping with registration of domains and there have been nothing new for some years, so I choose to believe that the connection is just a coincidence.

So I will no longer concentrate on eBullz and its different web sites as I have no reason to believe that this is not a fully legit company that are just as tired of spam, pharmacy scams etc. as we other are. But the work is defently not wasted because I can now add "Copyright violation" to the list of complaints when dealing with the service providers for the ED Pill Store and with the possibility to get the owner of eBullz to confirm that in case it should be necessary.

Friday, July 20, 2007

Marriage agency scam: Claiming affiliate is spamming

Finally I heard something from ualadys.com regarding my complaints about spamming.

They claim that the docmaildirect.info and lovewather.com / lovingcore.com / loveentity.com sites did not belong to them but that it must be an affiliate who also did the spamming. They will try to find that affiliate and cancel payment.

I must admit there are a few things I find odd about that answer

  1. I have not been able to find any public information about an affiliate program for ualadys.com or any of the other NNladys.com sites.
  2. User information was submitted directly and imediately from lovewather.com etc. to ualadys.com and the sites had list of girls matching exact same profile information as on ualadys.com etc. This means that the affiliate program must offer a public API like for example web services, and I have asked for information about this API
  3. Lovewather.com was using a special .rpx extension for their web site and when looking at the generated HTML code it mentioned an RPX source v.125, install v. 127. I have not seen this before.... except for ualadys.com that use exactly the same
  4. If they are really using affiliates then I would expect that they have quite precise information in the database linking the affiliate to that user account I created in my research of the spam, since the user information was submitted directly from the alleged affiliate site. So it should be very easy to lookup the affiliate, no need to start investigation in order to find the affiliate, as is what ualadys.com told me they will do.
So I must say I'm not convinced yet, especially since the decoy of claiming that affiliate is the one behind spamming has been seen many times before, where it have turned out to either not be true or to be true but being an "affiliate" that have been hired to do the spamming. But let me see what they come up with next, they have promisted to keep me informed of the investigation, and I can not entirely rule out the possibility that an affiliate have been behind the spamming without the knowledge of ualadys.com. But in that case I would expect to see an apology on their website, any serious company would do that in order to preserve their image... even though searching on the net shows that it's not that good already, but at least not to make it worse.

Wednesday, July 18, 2007

ED Pill Store: The hoodia certificate (Part 2 - eBullz)

Make sure you have read Part 1 of this post as it gives some background information on how I found a connection between ED Pill Store, HoodiaPlus and the site ehoodialife.com because of both sites using the same hoodia certificate.

Ehoodialife.com has many similarities with the HoodiaPlus site:

  • Overall design is very similar
  • Large parts of FAQ looks like one site is copy of the other
  • Contact form looks like one site is copy of the other with minor changes
  • Products offered + Prices (Discount) is exactly the same (except for name)
  • Ordering pages has many similarities both in design and in the javascript code used for validation. Especially javascript code has to be copy of eachother
But besides a single registration (and it can be a mistake) then ehoodialife.com is not mentioned anywhere in connection with spam, which made me think that the ED Pill Store spammer had maybe just stolen lot of design + certificate from ehoodialife.com and then end of story, but luckily I kept digging.

When looking at the domain registration for ehoodialife.com it was registered to Herbal Group in Quebec, Canada:



I looked up the address + phone number and it's a real address but belongs to a B Ratelle. But nothing wrong with that, Richard Duguay is only listed as technical contact. Richards email address is from the domain stjeannet.ca and I also looked that up just to check and then things started to be interesting



I was sure I remembered that Xavier name from somewhere and I was right, he is listed by the spamhaus project, Spamhaus registration. According to them Xavier has worked together with Alex Polyakov, who the SpamWiki has listed as the person behind ED Pill Store spamming. This is the first time that I have found evidence of this link myself. To add to this picture then remember the B Ratelle which I found by searching on phone number/address for the ehoodialife.com registration. An registration that btw have an address very close to the one listed for Xavier Ratelle (8552 and 8556 St-Denis)

When placing an order at ehoodialife.com I noticed that during the ordering process the site suddenly changes to www.ehealthylife.com, which is a site selling different products like HighLife, HoodiaLife, XynaVolume etc. all products that actually has same or very similar name as products sold by different sites related to the ED Pill store spammer.

So I did a new lookup for this domain and found



Richard Duguay again but with another address + phone number in Quebec, Canada. I did a search on google with the phone number from the registration and again interesting things showed up
  • FirstAccessPro. A company dealing with different electronic products, Jewerelly etc. Same address (both real world - 8552 St-Denis and IP - 74.52.59.34) as St-Jean Internet Inc. (Xavier Ratelle)
  • Car for sale. A personal ad for sale of a car, signed by Xavier
  • Billiard table for sale. A personal ad for sale of billiard table added by M. Xavier Ratelle
So apparently Xavier Ratelle is sometimes using the phone number that is listed for the registration on the ehealthylife.com domain.... is Richard Duguay really Xavier Ratelle ???

But none of the links found when searching for the phone number of the registration mentioned the address, so I did a seperate search for the address and found the site Bullz Distribution. The domain registration didn't mention some of the names, addresses etc. from the other domains and the website seems to be for a normal distribution company, so I was almost dropping this thread as I noticed that ehoodialife.com, ehealthylife.com and bullzdistribution.com is all hosted on the same IP-address: 216.17.96.48

So I took a look at the domain registration information ones again



Nothing to be found on address + phonenumber so I tried the ebullz.com domain used in the email address for the registrator. The registrator information is the same as for bullzdistribution.com so I went to look at the site instead and then some of the loose ends started to connect. Ehealthylife is mentioned as one of their sites so there is a connection afterall.



And there is more bullz... because on the ehoodialife.com there is a link called affiliates and when you press that link you are redirected to bullzbuck.com, which is an affiliate site for selling the products listed at ehealthylife.com. The domain, bullzbuck.com, has same registration information as hoodialife.com and the site is hosted on same IP address as hoodialife.com, ehealthylife.com, bullzdistribution.com and ebullz.com.

Last thing noticed is that the ehealthylife.com mentions an international processing office:



When searching then this company turns up in connection with other domains, onlinesupplier.com, investinginsuccess.com, buydiscount.com that is not mentioned in connection with spam.

One little matching hoodia certificate and so much information that it's difficult to keep track of it all, so to summarize: In general then none of the domains mentioned, except for the ED Pill Store HoodiaPlus, seems to be known for being involved in spamming, there are reasons to believe that the domain registration information is genuine, there are more contact information than is normally seen on spamvertised sites, some related sites seems normal distribution company and the sites are hosted in United States, not being hidden in China. All in all those things indicates no involvement with spam at all, but....... Why do Xavier Ratelle's name turn up in the domain registrations? Why do HoodiaPlus and HoodiaLife have so many similarities that it can't be a coincidence? Why do many of the spamvertised sites related to ED Pill Store sell products that are very similar to the products sold in wholesale på ehealthylife.com and which bullzbuck.com has an affiliate program for selling?

ED Pill Store: The hoodia certificate (Part 1)

On one of ED Pill Stores many related spam sites, www.uwandertatiger.com (HoodiaPlus) I noticed a certificate for Hoodia export, www.uwandertatiger.com/images/cites.jpg.



Notice the white part on the top of the certificate where field number 3+4 is missing. The importer + exporter name/address is what have been removed from there, which imediately made me very curious. So I did a little searching and found mr. Deon Hignett from CapeNature in South Africa, who is the one who have signed the certificate. He could confirm that the certificate were valid (it's expired now), he would not tell me the name (fair enough) but he could tell me that the certificate was issued to a local (South African) exporter.

At first I accepted that this certificate was a dead link leading to nothing interesting but today I then needed a break from work and I took the long-shot chance and used Google image searching to see if I could find something interesting about this certificate, and I did.

Same certificate shows up on hoodia.market-offers.com here hoodia.market-offers.com/imgs/cites-certificate.jpg.

The market-offers.com domain is registered by a Vladescu, Ion from Romania and I actually found his email mentioned a few places, so it seems that this is probably not forged domain information. Also the domain was first registered in July 2006, but doesn't seem to be known in connection with spam. The site is also hosted in Romania. There are more similar sites like for example viagra.market-offers.com etc. When ordering from these pages you are redirected to rx-partners.biz which is a pharmacy affiliate program. The domain registration information for rx-partners.biz does not seem forged either and their site is hosted at rackspace, United Kingdom, which would not be among my first choices if I was involved in spamming etc. All in all I think market-offers.com is not a ED Pill Store related site.... besides the hoodia certificates.

On the hoodia.market-offers.com site I saw that they called the product for HoodiaLife, which is also a product name used by the ED Pill Stores according to the SpamWiki, so I did a little further searching also using this parameter too and I found the same certificate on another site, www.ehoodialife.com. I will tell about this site in part 2 of this post as it turned out that there is a lot of interesting things to write about.

Monday, July 16, 2007

Marriage agency scam: loveentity.com suspended + docmaildirect.info ?

This morning OnlineNic, www.onlinenic.com, reported that they had suspended loveentity.com based on my complaint. Nice to see another domain registrator choosing side against spam.

Now I can also see that docmaildirect.info is down, it seems like this domain is suspended too.

The support department at ualadys.com is ignoring my support ticket about spam and the message to the docmaildirect.info profile is also ignored,but the agency seems very interested in both my profile and the message because I can through my "Who are looking at my profile + messages" game see that they have been looking a lot of times.

Saturday, July 14, 2007

Marriage agency scam: Update

So I have been doing a little research about NNladys.com (ualadys.com, ruladys.com etc.) and also looked a little more at the link between the spam messages and the main sites.

Regarding the link I found something important that I didn't notice first time. Take a look at the profile at docmaildirect.info



And then at this profile at www.ruladys.com/details.rpx?id=160



Same lady and exact same profile data and profile number (160). Actually I have created an account with ruladys.com and have sent a letter to the lady, asking her about her involvement in the spamming. I don't think she really understood my first letter (if she really exists) and the big problem is that it could be because the agency is actually translating my letters between russian and english and they might remove the parts where I ask about the spam and docmaildirect.info page. I have also sent email to support asking about the spamming. Support ticket closed without an answer, so I opened again and asked the same thing, ticket then closed with the answer that they are not spamming, I then opened again and wrote a longer description of the link between the spam and their site.. no answer yet (two days) on that ticket.

But besides that I have found lot of other pages on the internet claiming that there are something fishy going on with that agency, either in form of fake profiles or in form of girls instructed in writing to the men and keeping the conversation going no matter what etc. The price for a sending a message is between $3-$7 depending of number of messages sent, so it's good business for the agency to get the conversations going.

The history is that this agency was used to be known as Confidential Connections but they closed down around new year, probably around the same time where the number of reports about them having fake profiles etc. was really starting to grow. Members was then told that a new mangement company IISPP inc. and a new owner IISPP inc. has taken over the company and that the site would be rebranded as ualadys.com, ruladys.com etc.

I have done a little research about that statement using among other things some old cached pages at google and found a lot of top people still in the organization:

Steven Salvesen: Credited somewhere as founder but mostly just president/representative in United States for Confidential Connections. Now his role is not officially stated anywhere but welcome letters to ruladys.com is still signed Steve Salvesen, CCUSA LLC, and if you are paying something on their sites and want to use Western Union you are instructed to send payment to Steven Salvesen, New York. Steven is also known by the spamhaus project spamhaus registration of Andew Klimenko / Steven Salvesen / Victor Filin-Filinyuk

Thomas McKeveny: Office Manager in the New York office at Confidential Connections, now the General Manager of IISPP inc.

Yura Filin-Filinyuk: CEO of Ukraine branch at Confidential Connections and now CEO of Ukraine branch (ualadys.com). A Victor Filin-Filinyuk, old Ukraine Representative for Confidential Connections and maybe related to Yura ??? is also known by the spamhaus project spamhaus registration of registration of Andew Klimenko / Steven Salvesen / Victor Filin-Filinyuk

The last person named by spamhaus project, Andrew Klimenko, was the old CTO for Confidential Connections. I have found no link between him and new organization. There is a domain called digger.com.ua which points to ualadys.com and which are registered in Andrew Klimenkos name, but that can be from back at the time when he was CTO.

But besides that then bank statements still says CCUSA LLC (Confidential Connections USA I guess) when paying something on their sites. All in all it seems like their is still a tight connection between Confidential Connections and the new organization and if (because I only know what other people are saying) they were using fake profiles, writing letters themselves etc. at Confidential Connections then it's very unlikely that some of these top people were not fully aware of what was going on. Both IISPP inc. and CCUSA LLC are active according to the New York Department of State but besides Confidential Connections and now NNladys.com it's not possible to find references to any other business they are involved in. The footer on the sites btw states thate the owner is World Management International inc., Panama City, Panama but I have not been able to find anything about this company.

As mentioned there are lot of reports around the net about these sites:

Some reports about fake profiles (ladies never answers questions in letter but only send general letters back etc.), some reports about true profiles but fake letters written by the agency (if visiting ladies they remember nothing from the letters etc.), some reports about true profiles / letters but ladies are encouraged to write to many different men and keep the contact even if they don't like, some reports about ladies having many different excuses if you want to meet or talk over the phone, use a webcam etc.

I must say that it's very seldom that you see that much smoke without a fire, but to be fair some men have also reported that they have meet genuine girls there and had nice trips to Ukraine/Russia meeting them etc. and it's also important to say that it's an organization with branches in different countries and even offices within these branches so it's possible that some branches are more serious than others.

I have tried to run a variant of the old "Show me who looks at the orders" game - "Show me looks at my profile and letters" but it's very difficult to determine if the ladies who has written to me is fake or not, especially because many of the ladies don't have computer/internet or speak english so they actually commute to one of the agency's officies and use their computers + translators, hence there can be a legimate reason for the office ip-address to be logged as looking on my profile/letters.

So what I will probably concentrate on is the spamming, because that is what I'm sure they are involved in... looking forward to the next messages from their support + Tatyana (docmaildirect.info lady) to see what stories they come up with....

ED Pill Store: Going on internet café

ED Pill Store have done some moving around with their sites within the last 24 hours, don't know if what happend was that the China Network Communications Group (CNC Group) finally are starting to react on complaints or it was an intentional move by the spammer. But the old server at CNC Group was closed down so quickly that I was presented with a "blank page" because of the old ip cached by the DNS servers I use.

They then moved very shortly to 58.83.15.6 which is another hosting provider in China, but even though that server is still running they quickly moved on again to 58.17.3.50 and they have now set TTL (Time To Live) down to only 60 seconds for their domains, which maybe indicates that they expect to move soon again.

58.17.3.50 is a bit of a surprise:



An internet café in china. They can't really act as a hosting provider with only 16 IP-adresses allocated. Wonder if the spammers have hijacked a computer at the café or maybe the café doesn't exists at all but is actually the spammers own little "hosting company" hiding behind being an internet café.

Regarding the backend server, then it's still 66.230.182.166, located at ISPrime. I'm almost finished with a 25 page document describing the connection between a spam mail I received to the frontend servers now located at this internet café and from those servers to the backend server. I have included a lot of different evidence both the more obvious one but also bits of html/javascript/css code found on the sites that are similar in a way that it would be an extremely big coincidence if they were not copies of eachother. I have of course also included links to external sources for example like the SpamWiki spamtrackers.eu/wiki/index.php?title=ED_Pill_Store, but only as background information not as part of the main evidence. The reason for that is that what I will send to ISPrime as evidence is something I'm willing to testify to the police, should it be necessary, is the truth, I can not do that with all of the information on the SpamWiki, it's not that I don't believe 100% in the information gathered there, but there is still a long way from believing to knowing and I can only testify about what I know.

Thursday, July 12, 2007

ED Pill Store: Gathering evidence for ISPrime

In one of my former posts I wrote about how I discovered that ED Pill Stores are using a backend server located with the hosting provider, www.isprime.com

I send complaint to ISPrime and actually also to FDA (U.S. Food and Drug Administration) because the sites are selling drugs. After a few days the mails to ISPrime timed out and have done so a few times, but after sending a fax instead I got a breakthrough.

Today ISPrime contacted me and they told me that they have now confirmed the same thing that I have seen that it looks like the server hosted with them is a backend server etc. but that they don't believe the information/link to illegal activity is strong enough to terminate the account for abuse. They encourage me to send more information.

This is a nice breakthrough, I fully understand that ISPrime can not just terminate a customer account the first time they receive a little information, but their willingness to look at the things I'm telling them and the encouragement to send more specific information if I got that, shows that they are some of the good guys.

I will now gather every little piece of evidence about this case and send to ISPrime and hope that it is enough for either termination of the account or that ISPrime will contact the customer and ask about the allegations.

I will get back when I have more information.

Marriage agency scam: Lovingcore.com -> Loveentity.com

They changed link from docmaildirect.info again and it seems that Lovingcore.com is no longer resolving. Have not heard anything from the registrator but maybe they suspended the domain.

www.loveentity.com is registed with EstDomains, www.estdomains.com, just a few days ago. I will send them a complaint.

I have lot of other interesting things to report about this Marriage agency scam but I'm still collecting material so be patient...

Wednesday, July 11, 2007

Marriage agency scam: Lovewather.com -> Lovingcore.com

As I wrote in the last post then the domain lovewather.com was suspended but as expected the spammers have been quickly to respond by changing the link on the docmaildirect.info pages to a new domain, lovingcore.com. This just confirms the suspicion that the two sites are controlled by the same persons.

The domain was created just yeasterday at OnlineNic, onlinenic.com. I have send a complaint to them.

Gandi: If just all domain registrators were like them

In my last post I wrote about the Marriage Agency Scam which uses a lot of different domains, and one of these were lovewather.com registered at Gandi, gandi.net. Already in that post I wrote that I have good experience with Gandi from before and ones again they showed their dedication to fighting spam.

Only a few hours after I send in my complaint they had conducted their own internal investigation and based on that suspended the domain. If just all domain registrators took complaints that serious and was willing to do internal investigation and act uppon them in just half the speed as what Gandi does then we would easily get rid of lot of the spam email as it would simply be too much work for the spammers to change domains that often.

So if you are going to register some domains (and you are not a spammer) then I can highly recommend that you take a look at gandi.net

And with the lovewather.com domain now suspended then the Marriage agency spammer have lost their link between docmaildirect.info and their main sites so lets see what their reaction will be.

Marriage agency scam: The service providers (part 2)

So lets look at the service providers behind all those different domains and servers which hosts those different domains.

docmaildirect.info:

Domain registered by James Stevenson, Arizona, United states. I don't even bother to check because it is very likely forged information leading nowhere. The registrator is eNom inc., enom.com and I have filed a complaint with them.

Server is hosted on address 123.108.208.21 belonging to BeiJing HuaDa ZhiBao Electronic System CO.,LTD, China. cidc.com.cn and I have filed a complaint with them.

On same server is hosted the domains allwaylove.com and milljob.net so I will take a look at those domains too.

Allwaylove.com:

Site has same content as docmaildirect.info but the registrator is The Name IT Corporation, nameservices.net and I have filed a complaint with them.

Milljob.net:

This is something completely else, Some kind of work home / marketing scam, but by a little searching I can see that this Miller & Morgan inc. "company" is also known for spamming. The registration is Key Systems, key-systems.net and I have filed a complaint with them

Lovewather.com:

The domain is registered by Jonh, Winter, London, United Kingdom (forged as always I guess) and the reigstrator is Gandi, Gandi.net. I have filed a complaint with them and hopefully somethings happens, know from my days of playing with Robert Alan Soloway that Gandi are against spam.

The site is hosted at address 81.29.240.12 which belongs to LLC GlobalWholesaleTrade, Russia. I have filed a complaint with them too.

On the same site is hosted the domain loveattach.com, so lets take a look at that one too

Loveattach.com:

Registered to a MyTop ltd, Kiev, Ukranis and with the registrator Direct Information Pvt Ltd, publicdomainregistry.com and I have filed a complaint with them

Ualadys.com, brladys.com, arladys.com, ruladys.com :

Registered to a Brian Gleason by registrator The Name IT Corporation, nameservices.net and I have filed a complaint with them.

The sites are hosted at address 208.72.171.100 which belongs to McColo Corporation, United States, mccolo.com so a complaint has been send to them.

So it's clear that this spammer is really trying to use many different service providers, probably in order to hide the connection between the sites and maybe to make my work that much harder. But now it's done and I can only wait for the hopefully positive result...

Tuesday, July 10, 2007

Marriage agency scam: The spamvertised site (part 1)

Received lot of spam emails at info@mydomain addresses lately, like the example below:



I tried to write to some of the email addresses in the spam mails and pretended that I was interested and soon after I got a long letter from a girl explaining that she would come to my country and work etc. and that she would like to meet a man. The girl now wanted me to write to the email address antip@ranbler.net instead. The mail was written in very general terms, so that it could easily be send to people coming from different countries and infact I received the exact same letter a few times, so clearly this is a robot answer unless it's an extremely stupid girl. I will see if "she" writes me back again after I send some questions to her.

While waiting I took a look at docmaildirect.info which is the domain used for email addresses in the original spam mail.



This turns out to be a page that looks something from a dating side except it's a little weird that the default page for the domain is a detailed profile page. I then tried to press the "Send letter" / "Join now" buttons that can be seen on the top of the page. They both redirect to the same page, a user registration page of a domain called lovewather.com. I will get back to the domain lookups + complaints in part 2 of this post.

I then tried to register using fake informationm, and after registration I was redirected to a domain called ualadys.com and I also received confirmation email from them, so clearly lovewather.com was only a facade used for getting new members to sign up. I guess the long way from docmaildirect.info over www.lovewather.com to www.ualadys.com is probably made in order to make it more difficult to directly connect the spam mail with the main domains. ualadys.com also exists under different domain names:

and probably even more than that.

Compared to what you normally meet at spamvertised sites there are quite a lot of contact information available on these pages. It could be forged but I will look into that later. They also have a support ticket system so I started out by asking why they spam.... the ticket got closed without an answer....



So to summarize. All the email adresses mentioned in the spam messages are to the domain docmaildirect.info. The page located on this domain has links to www.lovewather.com and if you register on this page you actually get registered at www.ualadys.com. If you look at the source code of the pages on lovewather.com and ualadys.com you can see that this is actually same software that is behind. So even though the 3 sites are located at different servers then there is a fine red thread between them all that makes me certain that IISPP (and their xxladys.com sites are behind the spam) A little searching also quickly found other pages claiming that spamming is done from these sites.

In part 2 I will look into the different domains + hosting providers etc...

Mega-soft = Canadian Pharmacy and now running on botnet

Started to receive some spam mails for Canadian Pharmacy, starting on address printlost.hk and has now moved to Mountchance.hk. Domain registrator is Hong Kong Domain Reseller, www.hkdnr.net. I will send them a new complaint, and then I can at the same time remind them about my complaint made a week ago regarding mega-soft.hk.

When looking at where the Mountchance.hk is hosted I noticed that the domain resolved to a range of different ip-adresses and with a TTL on only 5 minutes, which is typical when the site is actually not hosted on some specific server but being served from a botnet (probably a collection of compromised computers). I quickly took a look at mega-soft.hk too (use of same domain registrator made me suspecious) and found out that it runs on the same botnet too now. When looking at the html / javascript for mountchance.hk and mega-soft.hk I also found more similarities so I'm very convinced that we are talking about the same spammer behind the two sites.

The Canadian Pharmacy site refers to a support@canadianpharmsupport.com email. Canadianpharmsupport.com is also known for being a spamvertised domain

Sunday, July 8, 2007

ED Pill Store = HoodiaPlus

Another thing I noticed was that ED Pill Store, www.upergimtwo.com and HoodiaPlus, okanewtprobemm.com are located on the same server 221.171.76.142 and the sites has a very similar design, especially if you look at the ordering pages where the credit card information is typed in. If you look further into the naming of the pages, the HTML / Javascript code etc., it's clear that the same persons are behind these two pages.

HoodiaPlus is also known for spamming even though I have not persnally received any spam for their site.

Saturday, July 7, 2007

ED Pill Store.... the things we should not see

So in my last post I wrote about the spam from ED Pill Store and how my initial analysis only resulted in a complaint to the domain registrator and hosting service used på the site.

Well there are something way more interesting. I of course during my analysis try to see if there are something "hidden" on the server and ended up at www.upergimtwo.com/admin and found this:



Administration page... not configured correctly so it was not possible to edit the site - that would have been really fun, but what is interesting is what is called the main server located at address 66.230.182.166.

The address 66.230.182.166 belongs to ISPrime inc., www.isprime.com which is a hosting provider based in New York, United States which hopefully makes it easier to file complaints AND get a response than it is with the chineese ones. The server located there contains a MySql and it's my guess that this is actually the backend server containing product information etc. and where orders are placed after being submitted at different spamvertised sites such as www.upergimtwo.com

So I will file a complaint with ISPrime!

But there are more. The address 66.230.182.166 also contains a web server and I found the following at 66.230.182.166/staff.



That really confirmed my theory about this being a backend server where orders are placed etc., and it looks quite organized which made me wonder if it's actually a 3rd part product being used, but I have not been able to determine that yet.

Next interesting thing I noticed was than when clicking on one of the links then the address changed from 66.230.182.166/staff to www.everadmin.com/staff.

So ones again I went to make a domain WHOIS lookup, this time on everadmin.com:



I did a little searching and found that the same information has been used before to register some domains used for spamvertised sites selling replica watches. So it's probably forged information but I will look into that later.

But a lot of new information to investigate and most important a service provider located in the United States. I will try to convince them to contact the police and ask if they are interested in being handed over the files on that backend server, I believe there could be extremely interesting information placed on it, information the spammer do not want us to see...

ED Pill Store: new spam served by old "friends"

After a few "boring" days I got something new to play with today. A spam which tries to pass the spamfilters by supplying the main content in a PDF document



The spam is advertising the site www.upergimtwo.com, which turns out to be the well-known ED Pill Store:


My first thought when looking at the domain + hosting services used for this site was - ahhhh nothing like old chineese "friends". Domain is registered by Beijing Innovative Linkage Technology Ltd, dns.com.cn and site is hosted by China Network Communications Group (CNC Group), www.chinanetcom.com.cn.

I know these service providers from my time playing with Robert Alan Soloway and they are good, really good. Not good for me and you but good for the spammers because complaints doesn't seem to affect them at all. But my past experience will of course not affect me and I will ones again file a complaint.

It should be unecessary to mention but I do it anyway, of course the domain registration information is forged, there are no contact information on the site at all, there are an opt-out (email removal tool) that doesn't work and their secure payment process it not secure at all (credit card information send in clear text over internet). Nothing unusual there.

Unfortunately then ED Pill Store actually validates credit card information immediately, so I can't play my usual "Show me who looks at the orders" game without providing real credit card information, and doing that is not an option on sites like this.

So actually very boring and nothing really interesting about this spam mail right?.... well I save the good parts for my next post... because I of course found something interesting :-)

Friday, July 6, 2007

Ihug, New Zealand chooses side.... against spam

As mentioned in other post I have sent complaints to Ihug, New Zealand a few times because I'm sure that they are supplying persons involved with the Herbal King spamming with DSL services, and until today without getting an answer.

Maybe it was the fact that I have started this blog and that I attached links to my past post in the complaint, I don't know, but suddenly Ihug, New Zealand has responded to my complaint. Unfortunately however they misunderstood my complaint and thought that I was complaining that I received spam from their network and they therefore gives me a little talk about spam filters and how spam is not illegal if providing contact information and how it could be a trojan sending the spam. But on the positive side they took time to answer me and I truly believe that they despite their more or less "standard response" and misunderstanding of my complaint really are not one of those providers who doesn't care about spam at all.

I have now send back information where I try to explain exactly what I'm complaining about and how I collected my evidence, because I'm fully aware that almost all spam is sent from zoombie computers through trojans etc and therefore I'm not wasting my time following up on the forged email headers. Instead I go after the sites being advertised in the spam mails, and usually using my "Show me who looks at the orders" game explained in earlier posts. So I'm sure persons looking at the ordes submitted at the Herbal King / Elite Herbal sites are using DSL connection from Ihug and that is what my complaint is about.

Lets see if I get respond on the new information I send...

Regarding what Ihug told me about spam not being illegal if supplying contact information then that might be the law in New Zealand but in that case I hope there are some good definitions of contact information. I mean a spam email from the Herbal King spammer contains forged email headers, the domain registration information for the sites being advertised are forged, the site doesn't contain any direct contact information, there is a contact form that they never answers (don't know if it works) and if supplying an order you get an email address on the confirmation page that they not answer either. If that is still considered valid contact information according to New Zealand laws, then I will for sure say they made a big mistake when writing the law.

Wednesday, July 4, 2007

Herbal King spammer using Ihug, New Zealand as DSL provider

Today my "Show me who looks at the orders" game once again showed that persons involved with the Herbal King spamming are using Ihug, New Zealand as DSL provider - www.ihug.co.nz

As many times before I will send them an abuse report but until now I have gotten no answer at all... maybe they prefer the money... even from spammers.

  • March 16, 2007: Send abuse report to Ihug that Herbal King spammer was using address 203-109-185-100.dsl.dyn.ihug.co.nz
  • June 4, 2007: Send abuse report to Ihug that Herbal King spammer was using address 203-173-128-212.bliink.ihug.co.nz
  • June 18, 2007: Send abuse report to Ihug that Herbal King spammer was using address 203-173-128-212.bliink.ihug.co.nz
  • July 4, 2007: Send abuse report to Ihug that Herbal King spammer was using address 203-109-185-100.dsl.dyn.ihug.co.nz
No answers at all from those abuse reports but lets hope Ihug will soon choose side and show if they are really for or against spamming.

Tuesday, July 3, 2007

Mega-soft spammer are from russia

So yesterday I wrote about mega-soft.hk and needles to say I of course also played the "Show me who looks at the orders" game, supplying a reference to an image on my server in a fake order and now my logfile on the server shows me that ip-address 91.76.19.157 has requested that image.

Lets see what is behind this address:



So apparently the spammer are using an internet connection in Moscow, Russia. Sorry to all of you russian people who are decent people, but that doesn't come as a big surprise that the spammer and person behind mega-soft.hk could be russian.

I'm sending an abuse report to the internet provider, ZAO MTU-Intel, and then lets see if I get any answer.

New spam mails from www.mega-soft.hk

So today I received something new to play with, a spam mail advertising some cheap software for site www.mega-soft.hk



Forged header in the email so nothing new there.

The domain name is registered just few days ago to a benjamin_kirman1[at]alumnidirector[.]com, I expect this to be forged domain information too, but an email is sent to Benjamin. Domain name is registered by Hong Kong Domain Name Reseller, http://www.hkdnr.net , a complaint is sent to them regarding the domain, lets see if they are against spam or not.

The site is located at ip-address 75.39.218.236 which is an DSL connection from www.sbcglobal.net located in Texas, United States, which probably means it's a zoombie computer. A complaint has been sent to sbc global.

When looking at the site then it has "Certified YYY" and "Certified ZZZ" logoes, yeah right!!! There is a contact form, which I will check to see if it gives any response and then there is a direct email possibility to support@oemcd.net. oemcd.net expired over a month ago so no need to try to write to that email.

When placing an order it's clear that no SSL encryption is used when submitting your credit card information even though it states on the page that encryption are used. After submitting your order a processing page appears which is also just fake and the order process ends up with a confirmation page where it is stated that orders can be downloaded from esoftsupport.com. I have written to esoftsupport but I suspect they are just being used by the spammers.

My guess are that this site is just there for scamming credit card information from people and no processing of orders will ever be done.

I will return with more information when I hopefully get some response from my complaints or get the time to dig deeper...

Monday, July 2, 2007

____________ involved with Herbal King Spammer

This blog entry has been temporarily taken offline due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:
http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=20089&yr=2008

Paypal phishing

Another little story from my past...

On june 16, 2007 I received an email in my inbox which was suppose to look like it came from Paypal and it instructed me to reactivate my account. When clicking the link in the email I was lead to a site looking exactly like paypal but I could see that the address was wrong.

I did a lookup on the ip-address and found it to be located in Massachusetts, United Status and looked like a standard DSL/Cable address not a hosted server. I took a quick look at the services running on the address and found an old version of VNC (remote management program) server, which has a major security hole that makes it possible to logon and remote manage the computer without using username and password.

My curiosity was of course too big and I went on a little visit on this computer using VNC. I quickly found the proves I was looking for, the scripts running the fake paypal site and also a file where credit card numbers was written too, so there was no doubt at all this was the computer that people clicking the link in the phishing email was redirected to. At the time I was visiting the computer the owner of the computer also came online, so I could just sit and wait until he identified himself as I could follow every move on the screen...

I had hoped that it would turn out to be the actual person behind the spam / phishing that I caught so I could hand over the information to the police, but I quickly came to realize that this person was just being used.... it turned out to be a 14 year old guy which was not very confident with computers and he was way more interested in chatting with lot of different girls on myspace than he seemed in the credit cards numbers on his computer. So I identified myself and had a little talk with him, it was clear that someone else had used the same backdoor as me (VNC) to place the fake paypal site on his computer and that he was totally unaware of this.

I couldn't convince him to call the police and ask them if they were interested in looking at the things installed, so I did the second best thing. I helped the young guy delete everything from his computer that was installed by the persons behind the spam/phishing, including the credit card numbers already collected and I helped him uninstall VNC as he was clearly not using it anyway.

I felt to sleep that night with a little smile on my lips.... thinking of the persons behind the spam/phising and the look on their face when they came back to get the collected credit card information and found everything being deleted and the backdoor (VNC) removed..... They should think twice before placing their f***king spam in my inbox.

The end of Robert Alan Soloway

On may 30, 2007 came the day I had been looking forward to in many months, Robert Alan Soloway was arrested after a federal grand jury indicted him on 35 charges of mail fraud, wire fraud, e-mail fraud, identity theft and money laundering.

The trial is scheduled for August 6, 2007 and Soloway is held without bail as there is reason to believe that he would either flee or try to obstruct further investigation.

More information will be added when the trial begins...