Wednesday, April 01, 2015

10 Years After: 2006 -- Man Versus Spam



In the service of fundraising and nostalgia, I am using the occasion of my 10th blogiversary to bring some stuff out of the archives -- probably a few representational samples from each year. 



And then one Saturday in 2006, I got to wondering where all that spam came from.
Two days of intense research and several thousand words later, I had worked it out (Part I below.  Part II here.)

Actual journalism.  Whoda guessed?

Fear and Loathing on the Spam-pain Trail - Pt I


Part I - Spam and Punishment.

As you might have noticed, I’ve got an attic full of spam, and Evil Santa backs the sleigh up and unloads more every night.

It started out as a joke and an experiment – both of which are still going quite well I think (I’m both still amused and am apparently far more renowned in some quarters for my spamcatcher than anything I’ve ever written :-)

I do worry a little about the weight of them (the joists are moaning under their tonnage, and sawdust and drywall shake sifts down into my soup every time they squirm around up there) but I have grown attached to the little bastards. So as one of you has suggested, perhaps I’ll crack a bottle of something good and have a spam-e-que when the counter tops 1,000.

However, recently some new spamutation has been getting past the netting and not landing waaay downstream where I let the weeds grow high and the primeval spam prairie return to its natural state.

And it's kinda pissing me off.

The one that has seen fit to track its scrofulous hooves thru this site is an offer from “Degree Programs-Online” to give you free shit if you do product testing for them.

Of course we all know this is a lie, and that people who spam schemes like this cry out for a benevolent Deity to seal their nostrils and ball-gag-strap them to a Hummer’s tailpipe until their toenail-beds turn a festive blue.

It also bears the true mark of a lazy criminal; some fat-assed slob who can’t even be bothered to rechristen the front company when he changes the con.

But what do we really know about the pod people who make a living flinging electronic poo at the rest of us? Inflicting wretched digital syphilis like “Degree Programs Online” on the rest of humanity?

Yeah, I could turn on the wards that Blogger provides. I may yet do so but honestly, where’s the Swinging, Penis Enlarging, Bad Face Lifting, Day Trading, Women Attracting Loosers (loosers? Hell, better pair that up with a Kegel Exercising site), Gastric Bypassing, Black Mold Testing, Debt Eliminating sport in that?

Well, turns out it’s a longer story than I originally anticipated, and takes several turns – and that spam is grottier and more well-traveled than a globe-trotting crack-whore -- but I felt like taking a break from the political stuff for a day or two, and it felt to me like there might be the makings of a cool story here.

And a relaxing way to kill a few hours on a Saturday afternoon waiting for other pies to cool.

Judge for yourself.

So what do we really know about these barnacles?

Well, we know, for example, that the parent company of the “Degree Programs Online” scam are these guys:
“Consumer Research Corporation”
And that this is their address:
3830 Forest Drive, Suite 207
Columbia South Carolina 29204
U.S.A.
Which looks like this from atop Mt. Olympus:



And that their phone number is as follows:
803-790-8381
That one of their “divisions” is RetailReportCard.com, which runs under this IP address: 208.38.131.22, and was or is being used to run a Golf Equipment scam.

In fact, this Golf Equipment scam, which also amply demonstrates the fact that these fuckers also spam via email, as this gentleman learned:
I, too, fell prey to their "fulfill two offers and get free golf club". No answer on the phone and now no recourse. The unsolicited email I received did not explicitly spell out that the two offers had to be made on each page

These people need to be put out of business. I now get 20 - 30 spams per day since falling for this scam.
We know this IP address was repeatedly blackballed (redballed, really) here for a variety of Spams Against Humanity

But what else do we know?

We know that the main server they use is addressed in Dallas, Texas at a company called this:
“Theplanet.com”
We know that this is the server IP address:
70.85.182.10
So what do we know about that server IP and company?

Quite a bit, actually.

We know this…
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14
NetName: NETBLK-THEPLANET-BLK-13
NetHandle: NET-70-84-0-0-1
Parent: NET-70-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2004-07-29
Updated: 2006-02-17
We know the name and number of their tech support person:
RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: ******@theplanet.com
We know what they look like from LEO (Low Earth Orbit)

...just in case you have access to the targeting software for any space-based weapons platforms and are suddenly seized with the urge to make the Homeland a little less stinky.

We know they were also redballed on this site for refusing to remove spammers.

This site also notes another contact phone number for the “ThePlanet” here, should you ever want to give them a call:
added 2002-10-17; listwashing, refusal to remove spammers
added 2002-10-17; see http://groups.google.com/groups?selm=ur7uqu0mjfgd9k21tonfdb8eqkn1t2kea4%404ax.com&oe=UTF-8
added 2003-06-21; called theplanet +1-214-782-7802 - abuse person never returned the call
added 2003-06-28; called theplanet +1-214-782-7802 - told them about the SBL and SPEWS listings.
We know that good people at this same, spam-alert site noted that “Arameda” was being hosted by ThePlanet.com on IP addy 67.19.8.122, and that Arameda came to the immediate attention of Project Honeypot.

What is Project Honeypot?

A frabjous and benevolent conspiracy to take down spammers and make ‘em sizzle like roaches on a hot plate.

Let them speak for themselves…
Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.
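To make the "custom-tagged" idea concrete, here is an added sketch (not from the original post, and not Project Honey Pot's actual scheme) of how a site could mint one trap address per page view and later recover the harvester's IP and harvest time from the address the spam arrives at. The secret, the trap domain, the function names and the timestamp are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"    # assumption: per-site secret, never published
TRAP_DOMAIN = "traps.example.org"   # assumption: placeholder trap domain

def _tag(payload: bytes) -> bytes:
    # Truncated HMAC so nobody can forge or alter a trap address.
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:6]

def make_trap_address(visitor_ip: str, seen_at: int) -> str:
    """Mint an address unique to one page view (IPv4 visitor, Unix time)."""
    payload = ipaddress.IPv4Address(visitor_ip).packed + struct.pack(">I", seen_at)
    local = base64.b32encode(payload + _tag(payload)).decode().rstrip("=").lower()
    return f"{local}@{TRAP_DOMAIN}"

def decode_trap_address(address: str):
    """Return (harvester_ip, harvest_time), or None if the address is not ours."""
    local, _, domain = address.partition("@")
    if domain.lower() != TRAP_DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except ValueError:              # covers binascii.Error (bad alphabet/padding)
        return None
    if len(raw) != 14:              # 4-byte IP + 4-byte time + 6-byte tag
        return None
    payload, tag = raw[:8], raw[8:]
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    (seen_at,) = struct.unpack(">I", payload[4:])
    return str(ipaddress.IPv4Address(payload[:4])), seen_at

def harvest_events(recipients):
    """Map inbound spam recipients to the page views that leaked them."""
    events = []
    for rcpt in recipients:
        hit = decode_trap_address(rcpt)
        if hit:
            events.append(hit)
    return events

if __name__ == "__main__":
    # Constructed sample: the spider IP quoted on this page, made-up timestamp.
    trap = make_trap_address("67.19.8.122", 1141480800)
    print(trap, harvest_events([trap, "sales@example.com"]))
```

Any mail that reaches such an address is spam by construction, since the address was never shown to anyone except the one visitor it was minted for.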
And so what is “Arameda”?

D. Logan at Project Honeypot explains:
Arameda is apparently a search engine. Spam bot 67.19.8.122 user agent is "Mozilla/6.0 (compatible; arameda.com Spider)". It has 19 messages associated with it according to its stats page. Does this mean that arameda is a spammer?

Well I asked them this:
A spidering bot (ip 67.19.8.122) has been viewing my site and claims to be from arameda according to the logs. Is this an ip address that your spider uses?

They replied:
Yes, this IP belongs to our spider.

Either arameda is a spammer or someone is posing as arameda. Anyone have any ideas?
And where does Arameda come from?

Well tell the band to play a little traveling music and strap yourself into your James Bond/George Smiley/Arkady Renko mink hat, ‘cause we’re Russia-bound, baby.
...
A.Blanchard at Project Honeypot picks up the narrative…
Totally Russian. All paths lead back to Tomsk

from the whois for arameda.com:

Domain Name: ARAMEDA.COM
Administrative Contact:
Mouraviev, Mikhail sales@arameda.com
423 Brookline Avenue, #359
Boston, MA 02215
US
781-791-2413

Googling the address reveals that it's just a maildrop.
Googling the phone number finds it also on the privacy page for trevolta.com
The address for trevolta.com is given as

Trevolta, Ltd.
410 Park Avenue, 15th floor
New York, NY 10022.

But this is just another maildrop, see: http://www.manhattan-office.com/virtual.html

whois for trevolta.com:

Domain Name: TREVOLTA.COM
Administrative Contact:
Prokofiev, Konstantin sales@trevolta.com
37 Kirova St.
Tomsk, Tomsk 634042
RU
7-382-257-3780

The IP address 67.19.8.122 (see first message in this thread) is more interesting.
Arin reveals this is owned by theplanet.com.
A Russian mail-drop in Boston, that forwards to another mail-drop in NYC, being operated from Tomsk?

OK, now this is getting fun, although I will be hiring someone to start my car for me for the next few weeks.

Anyway, now let's lace up our Seven League Boots and leap to the other side of the planet for a trip to America’s sunny West Coast.

Why?

Because the owner/registrar of the domain name -- “Degree Programs Online” – that is being hosted by the servers at the Spammer’s Hotel California – TheWorld.com -- is in...California.
Domain ID:D11323068-LRMS
Domain Name:DEGREE-PROGRAMS-ONLINE.INFO
Created On:22-Nov-2005 18:29:16 UTC
Last Updated On:21-Jan-2006 20:31:22 UTC
Expiration Date:22-Nov-2006 18:29:16 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:78444F177D483CF3
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard
Registrant Street1:8939 S. Sepulveda Blvd
Registrant Street2:8939 S. Sepulveda Blvd
Registrant Street3:
Registrant City:Westchester
Registrant State/Province:CA
Registrant Postal Code:90045
Registrant Country:US
Registrant Phone:+1.6613102107
Isn’t it cool that it comes with a phone number?

It was registered in May of 2004 with an expiration date/time of 20 May 2010 15:22:23, which means he or she plans to keep jizzing their spamagma (tm) all over the internets for another four years.

Presuming of course that some irate citizen doesn’t go digitally-postal on their ass, ball-gag-strap them to a Hummer’s tailpipe, and so forth.

But that would be so very wrong.

Namecheap.com (the people who offer “WhoisGuard” shielding for their clients) is the name of the company operating out of 8939 S. Sepulveda Blvd. They also own-or-shield this Domain Name --
theonlinebusinesssystem.com – and both are registered with ICANN (Internet Corporation for Assigned Names and Numbers) via an organization called eNom, Inc.

Namecheap.com is itself also registered via eNom, Inc.

Namecheap.com also owns-or-shields BAD-CREDIT-REPAIR.INFO at IP 66.111.234.36

Also SECRETSERVERS.BIZ at IP 65.98.56.90

Also ran this email-based doozy from 2005
“Subject: Why Pay When It's Free?

Introducing "2005 Digital Cable Filters"

Equipped with latest pass-through technology video bypass chip.
Guarantee to work with all digital cable receivers..
or your moneeys back!

- Enjoy free pay-per-view channels
- Adult Channels
- On Demand Channels
and lots more!
The link would then redirect you to this site:
http://1click4store.com/ronn_022/cablefilter/index.html

The "bait" and the "switch" here are both dead links now.

Which is where the first half of all good mysteries should end: with a coupla stiffs and a hatful of suspects.

