In the service of fundraising and nostalgia, I am using the occasion of my 10th blogiversary to bring some stuff out of the archives -- probably a few representational samples from each year.
And then one Saturday in 2006, I got to wondering where all that spam came from.
Two days of intense research and several thousand words later, I had worked it out (Part I below. Part II here.)
Actual journalism. Whoda guessed?
Fear and Loathing on the Spam-pain Trail - Pt I
Part I - Spam and Punishment.
As you might have noticed, I’ve got an attic full of spam, and Evil Santa backs the sleigh up and unloads more every night.
It started out as a joke and an experiment – both of which are still going quite well I think (I’m both still amused and am apparently far more renowned in some quarters for my spamcatcher than anything I’ve ever written :-)
I do worry a little about the weight of them (the joists are moaning under their tonnage, and sawdust and drywall shake sifts down into my soup every time they squirm around up there) but I have grown attached to the little bastards. So as one of you has suggested, perhaps I’ll crack a bottle of something good and have a spam-e-que when the counter tops 1,000.
However, recently some new spamutation has been getting past the netting and not landing waaay downstream where I let the weeds grow high and the primeval spam prairie return to its natural state.
And its kinda pissing me off.
The one that has seen fit to track its scrofulous hooves thru this site is an offer from “Degree Programs-Online” to give you free shit if you do product testing for them.
Of course we all know this is a lie, and that people who spam schemes like this cry out for a benevolent Diety to seal their nostrils and ball-gag-strap them to a Hummer’s tailpipe until their toenail-beds turn a festive blue.
It also bears the true mark of a lazy criminal; some fat-assed slob who can’t even be bothered to rechristen the front company when he changes the con.
But what do we really know about the pod people who make a living flinging electronic poo at the rest of us? Inflicting wretched digital syphilis like “Degree Programs Online” on the rest of humanity?
Yeah, I could turn on the wards that Blogger provides. I may yet do so but honestly, where’s the Swinging, Penis Enlarging, Bad Face Lifting, Day Trading, Women Attracting Loosers (loosers? Hell, better pair that up with a Kegel Exercising site), Gastric Bypassing, Black Mold Testing, Debt Eliminating sport in that?
We’ll turns out it’s a longer story than I originally anticipated, and takes several turns – and that spam is grottier and more well-traveled than a globe-trotting crack-whore -- but I felt like taking a break from the political stuff for a day or two, and it felt to me like there might be the makings of a cool story here.
And a relaxing way to kill a few hours on a Saturday afternoon waiting for other pies to cool.
Judge for yourself.
So what do we really know about these barnacles?
Well, we know, for example, that the parent company of the “Degree Programs Online” scam are these guys:
“Consumer Research Corporation”And that this is their address:
3830 Forest Drive, Suite 207Which looks like this from atop Mt. Olympus:
Columbia South Carolina 29204
And that their phone number is as follows:
803-790-8381That one of their “divisions” is RetailReportCard.com, which runs under this IP address: 188.8.131.52, and was or is being used to run a Golf Equipment scam.
In fact, this Golf Equipment scam, which also amply demonstrates the fact that that these fuckers also spam via email, as this gentleman learned…
I, too, fell prey to their "fulfill two offers and get free golf club". No answer on the phone and now no recourse. The unsolicited email I received did not explicitly spell out that the two offers had to be made on each pageWe know this IP address was repeatedly blackballed (redballed, really) here for a variety of Spams Against Humanity
These people need to be put out of business. I now get 20 - 30 spams per day since falling for this scam.
But what else do we know?
We know that the main server they use is addressed in Dallas, Texas at a company called this:
“Theplanet.com”We know that this is the server IP address:
184.108.40.206So what do we know about that server IP and company?
Quite a bit, actually.
We know this…
OrgName: ThePlanet.com Internet Services, Inc.We know the name and number of their tech support person:
Address: 1333 North Stemmons Freeway
Address: Suite 110
NetRange: 220.127.116.11 - 18.104.22.168
NetType: Direct Allocation
RTechHandle: PP46-ARINWe know what they look like from LEO (Low Earth Orbit)
RTechName: Pathos, Peter
...just in case you have access to the targeting software for any space-based weapon’s platforms and are suddenly seized with the urge to make the Homeland a little less stinky.
We know they were also redballed on this site for refusing to remove spammers.
This site also notes another contact phone number for the “ThePlanet” here, should you ever want to give them a call:
added 2002-10-17; listwashing, refusal to remove spammersWe know that good people at this same, spam-alert site noted that “Arameda” was being hosted by ThePlanet.com on IP addy 22.214.171.124, and that Arameda came to the immediate attention of Project Honeypot.
added 2002-10-17; see http://groups.google.com/groups?selm=ur7uqu0mjfgd9k21tonfdb8eqkn1t2kea4%404ax.com&oe=UTF-8
added 2003-06-21; called theplanet +1-214-782-7802 - abuse person never returned the call
added 2003-06-28; called theplanet +1-214-782-7802 - told them about the SBL and SPEWS listings.
What is Project Honeypot?
A frabjous and benevolent conspiracy to take down spammers and make ‘em sizzle like roaches on a hot plate.
Let them speak for themselves…
Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.And so what is “Arameda”?
D. Logan at Project Honeypot explains:
Arameda is appearently a search engine. Spam bot 126.96.36.199 user agent is "Mozilla/6.0 (compatible; arameda.com Spider)". It has 19 messages associated with it according to its stats page. Does this mean that arameda is a spammer?And where does Arameda come from?
Well I asked them this:
A spidering bot (ip 188.8.131.52) has been viewing my site and claims to be from arameda according to the logs. Is this an ip address that your spider uses?
Yes, this IP belongs to our spider.
Either arameda is a spammer or someone is posing as arameda. Anyone have any ideas?
Well tell the band to play a little traveling music and strap yourself into your James Bond/George Smiley/Arkady Renko mink hat, ‘cause we’re Russia-bound, baby.
A.Blanchard at Project Honeypot picks up the narrative…
Totally Russian. All paths lead back to TomskA Russian mail-drop in Boston, that forwards to another mail-drop in NYC, being operated from Tomsk?
from the whois for arameda.com:
Domain Name: ARAMEDA.COM
Mouraviev, Mikhail firstname.lastname@example.org
423 Brookline Avenue, #359
Boston, MA 02215
Googling the address reveals that it's just a maildrop.
Googling the phone number finds it also on the privacy page for trevolta.com
The address for trevolta.com is given as
410 Park Avenue, 15th floor
New York, NY 10022.
But this is just another maildrop, see: http://www.manhattan-office.com/virtual.html
whois for trevolta.com:
Domain Name: TREVOLTA.COM
Prokofiev, Konstantin email@example.com
37 Kirova St.
Tomsk, Tomsk 634042
The IP address 184.108.40.206 (see first message in this thread) is more interesting.
Arin reveals this is owned by theplanet.com.
OK, now this is getting fun, although I will be hiring someone to start my car for me for the next few weeks.
Anyway, now let lace up our Seven League Boots and leap to the other side of the planet for a trip to America’s sunny West Coast.
Because the owner/registrar of the domain name -- “Degree Programs Online “ – that is being hosted by the servers at the Spammer’s Hotel California – TheWorld.com -- is in...California.
Domain ID:D11323068-LRMSIsn’t it cool that it comes with a phone number?
Created On:22-Nov-2005 18:29:16 UTC
Last Updated On:21-Jan-2006 20:31:22 UTC
Expiration Date:22-Nov-2006 18:29:16 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Registrant Name:WhoisGuard Protected
Registrant Street1:8939 S. Sepulveda Blvd
Registrant Street2:8939 S. Sepulveda Blvd
Registrant Postal Code:90045
It was registered in May of 2004 with an expiration date/time of 20 May 2010 15:22:23, which means he or she plans to keep jizzing their spamagma (tm) all over the internets for another four years.
Presuming of course that some irate citizen doesn’t go digitally-postal on their ass, ball-gag-strap them to a Hummer’s tailpipe, and so forth.
But that would be so very wrong.
Namecheap.com (the people who offer “WhoisGuard” shielding for their clients) is the name of the company operating out of 8939 S. Sepulveda Blvd. They also own-or-shield this Domain Name --
theonlinebusinesssystem.com – and both are registered with ICANN (Internet Corporation for Assigned Names and Numbers) via an organization called, eNom, Inc.
Namecheap.com is itself also registered via, eNom, Inc.
Namecheap.com also owns-or-shields BAD-CREDIT-REPAIR.INFO at IP 220.127.116.11
Also SECRETSERVERS.BIZ at IP 18.104.22.168
Also ran this email-based doozy from 2005
“Subject: Why Pay When It's Free?The link would then reedirected you to this site:
Introducing "2005 Digital Cable Filters"
Equipped with latest pass-through technology video bypass chip.
Guarantee to work with all digital cable receivers..
or your moneeys back!
- Enjoy free pay-per-view channels
- Adult Channels
- On Demand Channels
and lots more!
The "bait" and the "switch" here are both dead links now.
Which is where the first half of all good mysteries should end: with a coupla stiffs and a hatful of suspects.