I’ve noticed an increase in a couple of types of blog spam while I’ve been away.  I’m not sure whether this is because the spammers are targeting likely periods when people won’t be watching or if it’s just more annoying to me to have to despam things remotely (usually over dialup or when I’m pressed for time).

The first one is the old-fashioned link-filled comment.  Because of the way EE works it’s hard for spammers to completely automate the process.  What I saw appeared to be manually generated and used URL-shortening services to get around keyword bans.  In one instance they hit a particular post 47 times, with a frequency of about one per hour before I added their URL-shortening URLs to the blacklist.

The other type, which usually happens during the wee hours of the morning, is of the account-creation variety.  Some dingleberry will create an account with a name like “prom dresses” or “bathroom vanities” and then put a link in the profile to a spam link farm with the advertised goods.  These are almost invariably created with invalid email addresses, so I can spot them in the morning just by the presence of the combination of a new member notification and a bounced email in my Inbox.  Occasionally the spammer will pick a valid address so I don’t get a bounce, so I’ve taken to reviewing all new member accounts and deleting any that have spam links (and what constitutes a spam link is entirely at my discretion).  I also added some verbiage to the member agreement to explain this.

As I wrote the above a new idea occurred to me regarding the timing.  When I’m away I’m usually not checking the referrer spam report and regularly updating my .htaccess and blacklist blocks, so maybe what I’m seeing with the comment spam is just the result of deferred maintenance.

Regardless, spammers suck.

I started seeing a large number of attempted REFERER spam links in my logs over the past few days of the form <valid website>/images/online/<spamvertised product>.  If you take off the “/images/online…” part and just look at the root, they all appear to be valid, normal, websites (one was even for a Minnesota state representative).  The interesting thing is that if you look in “/images” you’ll find something called “99.php”.  That file is a spammer/cracker console.  It appears that all of these servers have been pwn3d by a Russian hacking group and this PHP script is a tool they’re using called “c99drink.” 

So far, out of the random sample of 7 or 8 links that I checked, the output of 99.php shows that each system belongs to iPowerWeb.  It would appear that they have some sort of systemic problem that allowed the crackers to gain access to the system and install their toolkit.

Here’s what c99drink looks like on a typically infected server:

This appears to be a relatively new toolkit, as I could find no hits for it on Google.

As I mentioned previously, some dingleberry spammer decided it would be cool to use my domain to generate random addresses for the From address when sending crap to people from his botnet.  In addition to the “enlargement” products being hawked in the original spam run, I started seeing stuff for “pharma” and Rolexes.  There were two distinct ways of handling the addresses, as well.  The original run used ones of the form “First Last” <madeupcrap -at- aubreyturner.org>.  The later runs (Rolexes, etc) used the same pattern but appeared to use a different domain for the From and instead used my domain for the Reply-To address.  I also observed that all spams that targeted a single domain appeared to use the same address on my domain.

Anyhow, I finally decided to throw in the towel and disable the catch-all on this domain.  Fortunately, it turned out that I didn’t have very many addresses on this domain that I needed to keep.  The majority of my contacts have been done using a different domain, so I was able to disable the catch-all and add the 20 or so emails that I wanted to keep.  Now, any email for a non-registered address will simply be rejected during the SMTP connection, so it won’t get a chance to bounce to me.

Should I have to turn off catch-alls for the other domain I now have a list of valid emails for that domain and a handy script that can read it in and produce correctly formatted forwarding entries.  The only pain will be having to enter the 500 or so addresses into the web control panel’s forwarding page.  I’m hoping I don’t have to do that, though, as I like the flexibility of creating a new address on the fly when needed.  That set of 500 addresses represents over 6 years of e-commerce, newsletters, mailing lists, newspaper registrations, etc.  It was very helpful in that you immediately know that the L.A. Times is the one that sold your address to the spammer, as it came in on that particular address.  It’s also funny when phishers send a PayPal account verification email to your old Gradfinder email address (at least before I canned it, since those bastards also sold my email to a bunch of spammers). 

At over 200 emails per day, I finally just had to do away with the catch-all.  From skimming all the crap that bounced to me, I was a bit surprised to see how many people still use “out of office” autoresponders.  Although on further thought, the original reason for discouraging their use has kind of faded, as spammers no longer seem to care where responses and bounces go and don’t use valid info anyway.  So now the innocent Joe Job victim gets to find out that Geoffroy from some company in France is “absent du 25/08/06 au 15/09/06.”

I also saw a few that required me to validate that I was a human and not a spambot.  Given that it was sent by a spambot, I guess it did its job.  But if I’d really sent a message to such a person, I would not complete a validation form.  I’d just write that person off as someone who doesn’t want email and find some other way to get in touch.

The final irony of the situation, though, is that I started receiving spam at the made-up addresses.  It would appear that somewhere out there someone is running some kind of collection scheme and adding the received addresses to a list of spam targets.

I felt kind of like I was in a giant email-based pinball machine. 

It appears the botnet Joe Job has started again.  This time it’s “enlargement” products they’re hawking.

I’ve gotten 180 bounces since about 6:00pm yesterday.  At this rate I may be forced to disable my catch-all, but it’s going to be a major PITA.  I’ve probably got over a hundred aliases in use, and they aren’t individually registered.  This means that I’m going to have to grovel through all of my previously received and sent emails and pull out the addresses I used and create explicit forwarding entries for each one.

Update 1:  Got five more just in the two minutes it took me to write this entry. 

Update 1a:  Up to 226 as of 3:39pm.

Update 2:  All of the spams link to various nonsense domains that contain “information” about something called “Man XL.”  The scammer behind this nonsense is an entity calling itself “WW3 DISTRIBUTERS LLC.”  Should you receive such an email, beware clicking the link unless you want to see Prasad’s “business” (if you were unfortunate enough to have clicked, you’ll know what I mean by that).

Update 3:  Internally, all of these sites have a frameset that pulls the main frame content from http://www.cabaretmarin.net.  Hitting that address causes a redirect to http://barbarises.net/ms/?bb, which then redirects to http://barbarises.net/ms/index.php?k=<garbage>.  That appears to be a “campaign” tracking link (i.e. this particular batch of redirects through cabaretmarin.net seems to share this “k” value).

I did a random check of several of these “.info” domains that are in the emails.  The all have similar information (i.e. same name, address, email) and were registered just a few days ago via RegisterFly.  Here’s an example:

Registrant ID:tuJCnDTXYin4eSHs
Registrant Name:patrice pennetier
Registrant Organization:pennetier
Registrant Street1:rue notre dame, 21
Registrant Street2:
Registrant Street3:
Registrant City:tubize
Registrant State/Province:NA
Registrant Postal Code:1480
Registrant Country:BE
Registrant Phone:+1.3292313108
Registrant Phone Ext.:
Registrant FAX:+1.3292313108
Registrant FAX Ext.:
Registrant Email:[email protected]

Information on “barbarises.net”:

Domain Name:barbarises.net

Registrant:
Mike Vester
      Allensteiner Strasse 24
      47237

Administrative Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Technical Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Billing Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Registration Date: 2006-07-14
    Update Date: 2006-08-31
  Expiration Date: 2007-07-14

  Primary DNS:  ns1.buckraming.com         220.179.67.133
  Secondary DNS:  ns2.buckraming.com         220.179.67.133

The cabaretmarin.net domain appears to have been registered via a privacy service, though, which is not surprising as this is the first real link in the chain to his spam site:

Registration Service Provided By: Registerfly.com
Contact: [email protected]
Visit: http://www.registerfly.com

Domain name: cabaretmarin.net

Registrant Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

Administrative Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

Technical Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

Now I’m starting to get people sending me emails via my contact form who are a bit steamed about supposedly getting spam from me.  Here’s the best, most succinct, example (from a gentleman who goes by the name TIM BLUST (and whose SHIFT-LOCK is locked in high dudgeon mode)):

I DO NOT KNOW HOW YOU GOT MY E-MAIL ADDRESS BUT PLEASE REMOVE ME FROM IT AND DO NOT SEND ME ANYMORE SHIT

Others were a bit more polite or used a bit more verbiage, but this one hit all the highlights:  How did you get my email? -and- Stop sending me emails.

It’s unfortunate that I can’t find a way to channel all the indignation and send it to its deserving target.  If I could figure it out we wouldn’t have any more problems with this spammer, as he would have long ago been reduced to a small pile of ash…

For the more irate ones, I use the following response:

I am not the one who is sending you email.  The sender has FORGED the email sender information to make it appear to have come from a user on my domain.  In general, one should never trust the “From:” address in a spam email, as spammers generally fake these to avoid getting irate emails such as the one I just got from you. 

For more information about TenTenTwelveCorp’s fraudulent emails, please go here:
http://www.aubreyturner.org/index.php?/orglog/tententwelvecorp/

The more polite ones get a bit more explanation (and no frowny).

This entry will remain as a reference for those affected by TenTenTwelveCorp’s fradulent emails.

If you have received spam email appearing to be from users at aubreyturner.com or aubreyturner.org please be aware that the sender information in these emails has been forged.  I cannot remove you from the email list, since I had nothing to do with sending the spam.  The spammer simply chose my domains to include in his fradulent emails.  For an explanation of what is happening, see below for links to two articles on the topic.

If you are receiving bounces from TenTenTwelveCorp’s fraudulent emails, welcome to the club!    It seems we’ve both been Joe Jobbed by this bastard. 

For more information, please read the following posts and the comments:
F****n’ Spammers
More F-‘in spammers

It seems like a lot of people have either been spammed by “tententwelvecorp” or have been on the receiving end of a Joe Job from their spams.  The onslaught continues apace, but I’ve learned quite a bit from the comments on my earlier post.  People have been finding my site when running searches for info on this stock scammer.

There is also some new information to put out here.  Specifically, in his latest emails he’s expanded his stock picks to include Labwire (LBWR) and Southwestern Medical INC (SWNM), and in a few he’s including a phone number for people to opt-out (since his domains seem to have been suspended).  The number given is (310)598-7434.  Searching Google and doing some reverse searches didn’t turn up anything of interest (or anything linked to “Johnson Eddisson”, should he actually exist).

I’ve also gotten a few emails via the contact form from people who are wondering what’s going on.  This is most especially true for people who don’t know much about computers or email.  I’m including my answer to the latest one here in the hope that people who search for information on this spammer will find it.  I’ve tried to make it readable for the lay person, but as always, it’s difficult to talk about computers, the Internet, and email without using some amount of jargon.

The original message:

I did a search on tententwe… and noticed that you made reference to them.  I keep getting emails (addressed to me) from people who I don’t know and it said to contact info-att-tententwelvecorp.com if I wanted them to stop.  I changed the -att- to @ and tried to send the email but it didn’t work.  I don’t know a lot about the interenet.  Since it sounds like your situation might be similar, I was wondering if you could explain any of it to me?  Thank you.

My response:

What is happening here is that a spammer is using a network of infected PCs to send spam to various people.  These networks of infected PCs are often called “botnets” (from the term “robot network”).  When the PC is infected (which can occur through a virus, a worm, or a trojan) it becomes a node in the botnet and takes commands from a central controller.  In this case, the spammer is using the network of PCs to send out spam.  They do this because sending spam from a legitimate internet-connected server is a quick way to have it shut down (since this act violates the Terms of Service of almost all legitimate hosting services).  These PCs are usually connected to the internet via Cable Modem or DSL and offer a quick and anonymous method to blast out thousands of emails in a short period of time.

The other part of the problem is that the protocols used on the Internet for exchanging email don’t have any security built into them.  They were developed in an era of mutual trust when the Internet was much smaller (and only universities, the military, and very few corporations were connected).  Because the protocols are so lax, it is a simple matter for the spammer to compose a message that appears to be from someone else.  In fact, I did the same thing with the contact form that you filled out to send me your original message.  When it arrives in my Inbox it appears to be from you, even though my web server actually sent it (this is actually considered a legitimate use of the protocol, though).

Since no one likes spam, putting your real email address in the “From:” of a mass mailing is a quick way to render that email address useless.  In fact, many email providers/ISPs will cancel an account if it can be proved that the person who owns the email address actually sent the spam from it.  So, the crafty spammer will either put a bogus email in the “From:” and “Reply To:” fields, or he will put someone else’s email address in there (this is known as a “Joe Job” in that it can be a form of attack against the person whose email address was used by the spammer).

This particular spammer is just making up email addresses as he goes by picking a person’s name and then associating a made-up email address with a VALID domain (the part after the “@” sign).  An example (that I just pulled out of my Trash folder): “Rosamund Hutchins” <hfl-at-aubreyturner.org>.  There is no user named “hfl” at aubreyturner.org, and I don’t know a person named “Rosamund Hutchins.”  But anyone receiving this email will possibly think it’s from her and that it came from my domain, when in fact it came from an infected PC in Switzerland (84-72-176-238.dclient.hispeed.ch to be exact).

However, since I’ve configured a “catch all” address for the domain (i.e. any email that isn’t addressed to a particular user goes to this address), then I receive a message for every single spam email that did not make it to the destination (a “return to sender” or “bounce” email).  So my interest in finding and eradicating the owner of tententwelvecorp is because I own “aubreyturner.com” and “aubreyturner.org”, both of which have been used for the “From:” address in this spammer’s email blasts.  So far I’ve received well over 200 bounce messages.  It’s not clear at this point whether I (and the others who have been on the receiving end of these bounces) was selected because I ticked this guy off at some point in the past or whether he just randomly picked some domains.

Recent legislation in the U.S., called the “CAN-SPAM” act, requires that every commercial email have a valid “From:” address and include information on how to opt-out of the mailings.  None of this spammer’s messages conform to these requirements, so if he is in the United States, he could be liable for a civil judgement of up to $11,000 per violation.  Additionally, by pumping these stocks, he could also be in violation of various S.E.C. (Securities and Exchange Commision) rules (which could be a criminal matter).  So it’s no surprise that “[email protected]” didn’t work.  His domain has probably been suspended because of the spam he’s been sending.  Further, it appears that his domain’s contact information is bogus, so it’s nearly impossible to contact him.

In his latest round of emails, he is now including a phone number, but I haven’t had time to investigate it.  My suspicion is that the number is either bogus or it belongs to someone he doesn’t like (who will get irate phone calls from people who got the emails).

So, to sum up this long-winded reply: “spammers suck.” 

Since I wrote that reply, I’ve learned (from a commenter in the original post) that the phone number actually has a message requesting you to leave your email address to have it removed.  I’m not sure I’d trust it, though.  An asshole who would use other peoples’ domains for his bounces would just as likely take the opt-out list and use it as a list of “confirmed, hot” leads…

Update:  I see from the latest bounce that he has yet another domain, senginernd.com, which redirects to a Lycos-France member page, appearing to belong to a member called “removalsystem2”.  That site contains his “disclaimer.”  I found this bit interesting:

In compliance with the Securities act of 1933, Section 17(b), the publisher of this newsletter discloses they received payment from an unaffiliated third party for the circulation of this report in the amount of $200,000. Be aware of an inherent conflict of interest resulting from such compensation due to the fact that this is a paid advertisement and is not without bias. As we have received compensation in the form of free trading securities, we may directly benefit from any increase in the price of these securities.

So it would appear that this is a “pump and dump” sort of thing, where he is trying to inflate the price and then dump his shares.  I suppose by his disclosure he thinks he’s covering his butt legally.  Perhaps he is, as I’m not a lawyer.  But it’s pretty slimy.  Also notice that his verbiage implies that this is a “newsletter” and that there are “subscribers” (a term he used earlier in the disclaimer).

Here’s the WhoIs for senginerd.com:


Registration Service Provided By: NameCheap.com
Contact: [email protected]
Visit: http://www.namecheap.com/

Domain name: SENGINERND.COM

Registrant Contact:
  MTG-Experts
  Carl Bach ([email protected])
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Administrative Contact:
  MTG-Experts
  Carl Bach ([email protected])
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Technical Contact:
  MTG-Experts
  Carl Bach ([email protected])
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Status: Locked

Name Servers:
  dns1.name-services.com
  dns2.name-services.com
  dns3.name-services.com
  dns4.name-services.com
  dns5.name-services.com
 
Creation date: 18 Oct 2005 14:43:36
Expiration date: 18 Oct 2006 14:43:36


I wonder if there’s really a “Carl Bach”?  It sounds fake.

I’m not dead.  Or at least my body continues to move about under its own power.  Allergy season just zaps the hell out of me.  And the pounding headache didn’t help.  But today seems a little better in that at least the headache is gone.

Anyhow, it seems that some “sidewindin bushwackin, hornswaglin, cracker croaker” has used one of my domains for the return address on their POS spam emailing.

So far I’ve only gotten 12 bounces, but it’s really annoying, and it’s a form of theft.  They’re stealing my resources to abdicate their own responsibility for spewing crap about some stupid penny stock.

If any of you should come across “Budget Waste Inc” or “tententwelvecorp.info”, drop a bomb on them for me.

Update:  More on this topic here.