More F-‘in spammers

It seems like a lot of people have either been spammed by “tententwelvecorp” or have been on the receiving end of a Joe Job from their spams.  The onslaught continues apace, but I’ve learned quite a bit from the comments on my earlier post.  People have been finding my site when running searches for info on this stock scammer.

There is also some new information to put out here.  Specifically, in his latest emails he’s expanded his stock picks to include Labwire (LBWR) and Southwestern Medical INC (SWNM), and in a few he’s including a phone number for people to opt-out (since his domains seem to have been suspended).  The number given is (310)598-7434.  Searching Google and doing some reverse searches didn’t turn up anything of interest (or anything linked to “Johnson Eddisson”, should he actually exist).

I’ve also gotten a few emails via the contact form from people who are wondering what’s going on.  This is most especially true for people who don’t know much about computers or email.  I’m including my answer to the latest one here in the hope that people who search for information on this spammer will find it.  I’ve tried to make it readable for the lay person, but as always, it’s difficult to talk about computers, the Internet, and email without using some amount of jargon.

The original message:

I did a search on tententwe… and noticed that you made reference to them.  I keep getting emails (addressed to me) from people who I don’t know and it said to contact info-att-tententwelvecorp.com if I wanted them to stop.  I changed the -att- to @ and tried to send the email but it didn’t work.  I don’t know a lot about the internet.  Since it sounds like your situation might be similar, I was wondering if you could explain any of it to me?  Thank you.

My response:

What is happening here is that a spammer is using a network of infected PCs to send spam to various people.  These networks of infected PCs are often called “botnets” (from the term “robot network”).  When the PC is infected (which can occur through a virus, a worm, or a trojan) it becomes a node in the botnet and takes commands from a central controller.  In this case, the spammer is using the network of PCs to send out spam.  They do this because sending spam from a legitimate internet-connected server is a quick way to have it shut down (since this act violates the Terms of Service of almost all legitimate hosting services).  These PCs are usually connected to the internet via Cable Modem or DSL and offer a quick and anonymous method to blast out thousands of emails in a short period of time.

The other part of the problem is that the protocols used on the Internet for exchanging email don’t have any security built into them.  They were developed in an era of mutual trust when the Internet was much smaller (and only universities, the military, and very few corporations were connected).  Because the protocols are so lax, it is a simple matter for the spammer to compose a message that appears to be from someone else.  In fact, I did the same thing with the contact form that you filled out to send me your original message.  When it arrives in my Inbox it appears to be from you, even though my web server actually sent it (this is actually considered a legitimate use of the protocol, though).

Since no one likes spam, putting your real email address in the “From:” of a mass mailing is a quick way to render that email address useless.  In fact, many email providers/ISPs will cancel an account if it can be proved that the person who owns the email address actually sent the spam from it.  So, the crafty spammer will either put a bogus email in the “From:” and “Reply To:” fields, or he will put someone else’s email address in there (this is known as a “Joe Job” in that it can be a form of attack against the person whose email address was used by the spammer).

This particular spammer is just making up email addresses as he goes by picking a person’s name and then associating a made-up email address with a VALID domain (the part after the “@” sign).  An example (that I just pulled out of my Trash folder): “Rosamund Hutchins” <hfl-at-aubreyturner.org>.  There is no user named “hfl” at aubreyturner.org, and I don’t know a person named “Rosamund Hutchins.”  But anyone receiving this email will possibly think it’s from her and that it came from my domain, when in fact it came from an infected PC in Switzerland (84-72-176-238.dclient.hispeed.ch to be exact).

However, since I’ve configured a “catch all” address for the domain (i.e. any email that isn’t addressed to a particular user goes to this address), then I receive a message for every single spam email that did not make it to the destination (a “return to sender” or “bounce” email).  So my interest in finding and eradicating the owner of tententwelvecorp is because I own “aubreyturner.com” and “aubreyturner.org”, both of which have been used for the “From:” address in this spammer’s email blasts.  So far I’ve received well over 200 bounce messages.  It’s not clear at this point whether I (and the others who have been on the receiving end of these bounces) was selected because I ticked this guy off at some point in the past or whether he just randomly picked some domains.

Recent legislation in the U.S., called the “CAN-SPAM” act, requires that every commercial email have a valid “From:” address and include information on how to opt-out of the mailings.  None of this spammer’s messages conform to these requirements, so if he is in the United States, he could be liable for a civil judgement of up to $11,000 per violation.  Additionally, by pumping these stocks, he could also be in violation of various S.E.C. (Securities and Exchange Commission) rules (which could be a criminal matter).  So it’s no surprise that “[email protected]” didn’t work.  His domain has probably been suspended because of the spam he’s been sending.  Further, it appears that his domain’s contact information is bogus, so it’s nearly impossible to contact him.

In his latest round of emails, he is now including a phone number, but I haven’t had time to investigate it.  My suspicion is that the number is either bogus or it belongs to someone he doesn’t like (who will get irate phone calls from people who got the emails).

So, to sum up this long-winded reply: “spammers suck.”  grin
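The reply above separates the forged “From:” from the machine that actually connected, and a bounce carries both. The Python below is an added example, not part of the original post or reply: it reads a constructed bounce (recipient domain, MX name, dates and the lower `Received` line are invented, and the IP is assumed from the hostname quoted above) and assumes Postfix-style `Received` lines.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed bounce (DSN). The forged sender and the connecting hostname are
# the ones quoted in the post; the IP is assumed from that hostname, and the
# recipient, MX name, queue id, dates and the lower Received line are invented.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: hfl@aubreyturner.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The user nobody@example.net does not exist.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from pc-1234 (84-72-176-238.dclient.hispeed.ch [84.72.176.238])
\tby mx.example.net (Postfix) with SMTP id 4F1A2B3C
\tfor <nobody@example.net>; Sat, 22 Apr 2006 10:15:01 +0000
Received: from mail.example.org ([192.0.2.10]) by relay.example.org;
\tSat, 22 Apr 2006 10:14:00 +0000
From: "Rosamund Hutchins" <hfl@aubreyturner.org>

(body omitted)

--b1--
"""

# Postfix-style "from HELO (rdns [ip]) by host"; other servers format differently.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def embedded_original(bounce):
    """Return the returned message (or only its headers) carried in the bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":  # some servers return headers only
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def reporting_mta(bounce):
    """Name of the server that generated the bounce, from its delivery-status part."""
    for part in bounce.walk():
        if part.get_content_type() == "message/delivery-status":
            blocks = part.get_payload()
            if isinstance(blocks, list) and blocks:
                return blocks[0].get("Reporting-MTA", "").split(";", 1)[-1].strip().lower()
    return ""


def analyse_bounce(raw):
    bounce = email.message_from_string(raw, policy=policy.default)
    orig = embedded_original(bounce)
    if orig is None:
        return None  # not a bounce that carries the original message
    name, addr = parseaddr(str(orig.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    # Only the topmost Received line was added by the server that accepted the
    # spam. Lines below it arrived inside the message and can say anything.
    received = orig.get_all("Received") or []
    top = RECEIVED_RE.search(" ".join(str(received[0]).split())) if received else None
    host = (top.group("rdns") or "").lower() if top else ""
    accepted_by = top.group("by").lower() if top else ""
    return {
        "claimed_name": name,
        "claimed_addr": addr,
        "client_host": host,
        "client_ip": top.group("ip") if top else "",
        "accepted_by": accepted_by,
        # The top line is credible when the bounce generator wrote it itself.
        "top_hop_from_reporting_mta": bool(accepted_by) and accepted_by == reporting_mta(bounce),
        # Mismatch is a hint, not proof: legitimate mail is often relayed.
        "from_domain_matches_client": bool(from_domain)
        and (host == from_domain or host.endswith("." + from_domain)),
    }


if __name__ == "__main__":
    print(analyse_bounce(SAMPLE_BOUNCE))
```

Run over a folder of saved bounces, the `client_host` and `client_ip` values are the ones worth including in an abuse report, since they come from the receiving server rather than from the spammer.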

Since I wrote that reply, I’ve learned (from a commenter in the original post) that the phone number actually has a message requesting you to leave your email address to have it removed.  I’m not sure I’d trust it, though.  An asshole who would use other people’s domains for his bounces would just as likely take the opt-out list and use it as a list of “confirmed, hot” leads…

Update:  I see from the latest bounce that he has yet another domain, senginernd.com, which redirects to a Lycos-France member page, appearing to belong to a member called “removalsystem2”.  That site contains his “disclaimer.”  I found this bit interesting:

In compliance with the Securities act of 1933, Section 17(b), the publisher of this newsletter discloses they received payment from an unaffiliated third party for the circulation of this report in the amount of $200,000. Be aware of an inherent conflict of interest resulting from such compensation due to the fact that this is a paid advertisement and is not without bias. As we have received compensation in the form of free trading securities, we may directly benefit from any increase in the price of these securities.

So it would appear that this is a “pump and dump” sort of thing, where he is trying to inflate the price and then dump his shares.  I suppose by his disclosure he thinks he’s covering his butt legally.  Perhaps he is, as I’m not a lawyer.  But it’s pretty slimy.  Also notice that his verbiage implies that this is a “newsletter” and that there are “subscribers” (a term he used earlier in the disclaimer).

Here’s the WhoIs for senginernd.com:


Registration Service Provided By: NameCheap.com
Contact: [email protected]
Visit: http://www.namecheap.com/

Domain name: SENGINERND.COM

Registrant Contact:
  MTG-Experts
  Carl Bach ([email protected])
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Administrative Contact:
  MTG-Experts
  Carl Bach ([email protected])
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Technical Contact:
  MTG-Experts
  Carl Bach ([email protected])
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Status: Locked

Name Servers:
  dns1.name-services.com
  dns2.name-services.com
  dns3.name-services.com
  dns4.name-services.com
  dns5.name-services.com
 
Creation date: 18 Oct 2005 14:43:36
Expiration date: 18 Oct 2006 14:43:36

I wonder if there’s really a “Carl Bach”?  It sounds fake.

89 Comments

  1. Peter Williams says:

    I am getting the same spam which I have sent on to Labwire asking them to do something as it denigrates their company.
    They said they will act.
    Southwestern Medical INC said they don’t send spam and kept their head in the sand.
    I have had three spams today.

  2. PEX says:

    Hi!

    It’s all very informative and interesting to know, BUT HOW CAN SOMEONE FILTER THESE SPAM MESSAGES?… since they don’t contain any text (keywords)…

    I am using OUTLOOK EXPRESS.

    I would be grateful if you could give me some advice!…

    Thanks!

  3. Richard Crowe says:

    These tententwelvecorp.info guys got me also.  I have received dozens of bounced emails and several removal requests.  I called ipowerweb and complained but seems there is little that can be done.  I have a bad feeling this guy is off shore because his whois address states a bogus California town with a Washington state zip code.  Whoever designed the email system needs their butt kicked for leaving such a hole in the system.  He’s apparently using this scheme to run up penny stocks so he can make a quick profit.  Any ideas what we can do about this?

  4. Richard Crowe says:

    If you go to their disclaimer page and hover over the “abuse” (that’s almost a joke) button it states the email will go to tentwelvecorp.net.  You can get some hits off this.  I believe it is in Germany.

  5. PEX,

    Unfortunately, that’s why the spammer did it the way he did.  He wants them to be nearly impossible to filter.  What he actually did was make his message into an image and include it among a bunch of nonsense words.  However, his mix of nonsense words is crafted to make it appear more “human” and less “spammy” so as to defeat filters.  His spam generator program seems to change the words from time to time.  The effect of this is that even if you have a Bayesian filter, by the time you figure out the spam score, he’s changed his pattern, meaning his next spam to you will get through.

    He also changes the name of the image file for each email as well as the name of the sender, making it very difficult to filter.

    Out of the 230 or so bounces I’ve gotten so far, only 3 of them have been bounced by filters.  I could hope that perhaps there are other filters out there that silently discard the message, but it still doesn’t bode well for filtering.

  6. Richard,

    Other than trying to trace his botnet (which would require cooperation with an ISP or a corporation), I’m not sure there’s much that can be done. 

    In the comments to my other post on this topic, Neil Jackson isn’t having much luck getting any cooperation at this point.

  7. Just adding my name to the list of recipients.

    I am a System Administrator for a Guided Missile Destroyer of the United States Navy.

    I, personally, have been hit with only 4 of these messages, then this morning I find out that upwards of 30 of my users are receiving them as well.

    Cheers!

  8. Richard Crowe says:

    Guided missile Destroyer, huh?  Well, we’ve found a solution to our problem!  Find this rat and I’ll chip in for the missile!

  9. Matthew Goeckner says:

    Forward it all with headers to:

    [email protected]

    It is pump and dump – The Security Exchange Commission (SEC) can go look at who is ‘dumping’ the shares and get them. 

    If the SEC gets 4 or 5k of these messages a day, they will do something.

  10. Richard Crowe says:

    Oh yea, this is the best idea yet!  We don’t have to find this guy.  His pump and dump scheme is serious jail time.  All we have to do is deluge the SEC with all these bounced emails and when they get enough they will check into who has been buying and selling these stocks.  Even if he stops now it doesn’t matter because every transaction is recorded.

    Be sure to include his little pictures of the stocks he is pushing so they will know which ones to check into.  For once let’s let the government work for us.  I already sent some in and got this reply:

    Dear Sir or Madam:
    Thank you for your recent e-mail to the group electronic mailbox of the Division of Enforcement at the United States Securities and Exchange Commission in Washington, D.C. We appreciate your taking the time to write to us. This automated response confirms that the Division of Enforcement has received your e-mail. You can rest assured that an attorney in the Office of Internet Enforcement will review your e-mail promptly.

    It goes on but this is just the start.

    When this is over hopefully Mr. Spammer will be looking out from behind bars for 20 years or so.

  11. Peter Williams says:

    The spam has stopped. Labwire said they would look into it immediately.

  12. John says:

    Unfortunately the forging of my email account has not yet stopped.  I have new returned forged emails each day including today.  I have just written to the SEC and hope this will contribute to their efforts to catch this guy.  I assume, as with others here, that this is a pump and dump effort by someone or some investing group or newsletter writer.

  13. Richard Crowe says:

    I don’t care if it has stopped.  This ahole cost me a lot of time and money with this little stunt, not to count how many computers now have me on their spam list.  I can only imagine what he has done to my business reputation.  I’m currently sending all these bounce backs to the SEC.  I don’t care how long it takes.  Tomorrow I’ll do it again……

    I hope no one he has done this to just lets it drop.

  14. I’m another victim of this scumbag.  I’ve gotten about 140 bounce messages since April 13.

    Richard, are you sure anybody has you on their spam list?  Individual users may filter your domain, but that’s probably not a big deal because you weren’t dealing with them anyway.  Unless you get on some blacklist (which usually goes by IP addresses), you probably don’t have to worry much.

    Regarding filtering these E-mails, I’ve come up with a system which works for me.  I set up Eudora filters on the body of the E-mail for these two lines:

    <FONT face=Arial size=2><IMG alt=””

  15. Canned Spam says:

    Nice one there steve. The asshole can’t do /much/ to stop us filtering html 😀

  16. Richard Crowe says:

    Well, the real thing I don’t like is the people that email me and request to be removed.  As much as I hate spam it really makes me feel bad that I can’t “remove” them.  The only thing I can try to do is “remove” the source.

    I’m not blocking any of these bounces.  Mine are still happening and I’m sending every one to the SEC.  I sent 6 new ones today.  Blocking them won’t stop this guy.  Like Matthew said 4-5K emails of the same information to the SEC a day will work.

  17. Richard, I said I was *filtering* the E-mails, not blocking them.  I want them sent to my Junk mail folder, not my Inbox.

    Maybe the same technique could be used to block the E-mails, but I’d be worried about false positives.  The text I’m filtering may be something standard in Outlook/Outlook Express that would catch many other E-mails that included embedded images.

  18. If anybody else wants to complain to the SEC, here’s what I sent to [email protected] (and also [email protected]).  Feel free to copy the two paragraphs below into any E-mail you send to them, editing it as you see appropriate.

      I’ve been getting “bounce” messages like this since April 13.  Apparently somebody trying to run a pump-and-dump scam is spamming people and forging my domain name in the From address.  Not only does that violate the CAN-SPAM law, but the pump-and-dump part probably violates some SEC rules.

      I don’t know if this spammer is in the U.S. (and therefore subject to U.S. laws), but I’d appreciate it if you would look into this.

  19. Richard said,

    Well, the real thing I don’t like is the people that email me and request to be removed.  As much as I hate spam it really makes me feel bad that I can’t “remove” them.  The only thing I can try to do is “remove” the source.

    Tell me about it.  I hate spam and I really hate to be associated with it.  I feel bad for the people who are contacting me.  I can understand their frustration, even the rude ones (although to their credit, a few of them have apologized after I responded).

  20. Richard Crowe says:

    I know what you mean, I always respond to the removal request and explain to them what is going on.

    This all goes back to that old thing about never, ever buying anything sent to you from an unsolicited email.  If people would do this it would stop by itself.

  21. Amanda P says:

    Add me to the list.  More of a nuisance for me to get 4 or 5 a day.  I am trying a filter in Outlook Express.  Hopefully it will send most to my delete box.

  22. john says:

    My worry is that my domain name will be blacklisted.  That happened one time when a virus was being sent and the person was forging my email address domain.  Until that was resolved, email I was sending wasn’t being accepted by domains that subscribed to and used the blacklist stuff.

    I haven’t received any reply from the SEC.  I wonder if I should send another message?  Do people think just forwarding all these “returned” messages to [email protected] is helpful to our cause?

  23. Richard Crowe says:

    That’s my worry also. I’m sending all these to the SEC with different subjects (I put “Pump & Dump Scheme #xx” so they will know it is a different email and not just copies of the same thing).  I had that problem one time with Ipowerweb when someone was sending out so much spam Spamcop shut the site down.

  24. John says:

    Well the pace picked up today.  13 came in so far and several were in a foreign language.  I also got a “canned” reply from the SEC.  Not much else new.  I just keep hoping somehow this all stops.

  25. Richard Crowe says:

    He’s apparently dropped labwire and picked up Sticky Web, Inc.  I got several bounces in today regarding them.  Let’s keep the pressure on the SEC.  I have sent over 40 to them so far.  I don’t send the ones that get returned without the picture of the stock he’s pushing.  I figure they need this information to track it.  Don’t let up, they will have to pay attention to this if we keep the pressure on.

  26. Leon Entwistle says:

    Thanks for setting up this comments site as it has been very informative and it is good to know that there are people out there fighting to get this stopped. I am only receiving these junk messages not having my domain abused. I have sent a few messages to the SEC but I am not that convinced that this will have any effect (it sounds like this is quite a slippery customer).

    Anyway keep up the fight and with any luck this idiot will be locked up

    p.s. you can’t fight hate with hate, spamming the SEC is only making you as bad as the person who is doing this. merely inform them of new companies and how widespread the issue is and I’m sure they will have to take some action.

  27. Leon Entwistle says:

    http://catcher.ottawaarts.com/

    Whilst searching for more info on tententwelvecorp I found this website which looks incredibly suspicious as its opening text is

    “This page is here just because it is here. This website serves a function. This function should be of no importance for the average surfer. Please disregard this web page. Please press your “back” button and return to the page you were on. This is a simple, meaningless e-mail list. “

    On this list of emails is the [email protected] address.

    Does anyone know what that is all about

  28. Richard Crowe says:

    I don’t really consider that I am “spamming” the SEC, I’m simply informing them of the problem.  If we just sent 1 email they wouldn’t realize the scope of it.

    Plus they request people report abuse, which is what we are doing.

  29. Suzi says:

    Hey there, I’ve been following this forum for the last few days as I have been receiving these spam e-mails also. Thankfully he hasn’t used my domain though.
    I really appreciate the advice to report these spams to the SEC & since that post I have reported about 10. I got the automated response this morning. I wonder if they’ll make a statement about this on their website… ?
    When I “forward” the spam on to SEC I do not change the “subject” line … do I need to?
    Hey, thanks for the advice & keep up the good fight!

  30. Richard Crowe says:

    Suzi,

    The main thing is to be sure the “picture” of the stock he is pushing is included.  When I forward my email it does not include it so I send it as an .gif attachment.  This is important so they can know which stocks to watch.

    Thanks for your help with this.  If he hasn’t gotten your domain yet, he probably will.

    Richard

  31. John says:

    I did a google search on the phone number (310) 598-7434 and got several hits that would indicate association with this trash.  In several postings of “stock tips” they mask their address and a financial disclaimer.  I’m guessing they mask the financial disclaimer so it can’t be searched for easily, but I’m not sure why.  Would this be of interest to the SEC?

    In the address below please replace the “[at]” with a “@” and the “[dot]”.
    To Reach us send email to info[at]tentwelvecorp[dot]com or call (310) 598-7434.

    To properly read the text below replace all instances of the “@” with an “a” and the “*” with a “e”.
    DISCL@IM*R: St@t*m*nts r*g@rding fin@ncil m@tt*rs in this pr*ss r*l*@s* oth*r th@n historic@l f@cts @r* ‘forw@rd-looking st@t*m*nts’

    Here are two links that do this.
    http://www.archivesat.com/Pure_FTPd_discussions/thread167161.htm
    http://www1.ietf.org/spam-archive/magma-admin/msg03005.html

    If anyone reads German, this discussion may provide us with some information.

  32. Leon and John (comments #27, #31, #32),

    I think the spammer is obfuscating his disclaimer page for a couple of reasons.  First, any site listed in a spam advertisement is subject to being shut down by the hosting provider.  Second, he doesn’t really want people to easily find him or his pages, as those provide clues to his real identity.  Even if he’s taken great pains to hide his identity, every site he creates is another chink in his armor.

    Ultimately, he has to have some kind of disclaimer, though, or he could get in serious trouble with the SEC, so he’s forced to take all sorts of measures to provide one without giving away too much identifying information.  And as you noted, he doesn’t want it to be too easily searchable by the people he’s been spamming or the ones he’s been Joe Jobbing.

  33. Richard Crowe says:

    I just wanted to take a pause from all my ranting and thank Aubrey for allowing us to have a common place to discuss this problem.  If it wasn’t for this blog we would all be on our own.

    BTY, I don’t know where that mountain range is behind your picture but it sure looks beautiful.

    Thanks dude.

  34. Richard Crowe says:

    I received this spam warning from hotmail today.  Gee, I really enjoy this   confused ……..

    From: “Herkirmer Pringle” <[email protected]>  Add to Address Book Add Mobile Alert
    To: [email protected]
    Subject:  outrageous tunnel
    Date: Tue, 25 Apr 2006 09:18:18 -0400
     
    Your activity is being monitored of the attached email message…no
    more of
    this.

    Agent Pringle

  35. I hope you don’t believe that was actually somebody from Hotmail or any real spam tracking site, Richard.

    First, a real spam watcher would know enough to check headers and realize that you didn’t send that E-mail.

    Second, nobody from a real spam agency would use a Hotmail account except maybe Hotmail themselves.

    Third, I’d expect better English from somebody at Hotmail (or any other English spam watchers).

    Finally, the name sounds like it’s fake.

    This is probably just some guy who created a Hotmail account to let spammers know he doesn’t like what they’re doing.

  36. Dewy says:

    In reply to comment #27,

    I checked out that Catcher website and as much as I want to believe it is not, it is legit.

    Supposedly, that site and others like it, are just masses of web pages all cross linked to each other with random e-mail addresses, (Some supposedly to known spammer domains), that the e-mail harvesting robots will suck up and contaminate their databases with.

    All the sites related to the one you posted were all owned by the same guy in Rio De Janero(sp?).  Although his Company’s site (enterprisecomputing.com and another one), look a little off as there is only a picture of some bridge on there, and nothing else?

    As far as the Stock Spam, The guy changed his layout a little as there has been no more references to tententwelvecorp.com anymore and instead has been replaced by some BS Disclaimer in an attempt to appease the SEC I guess.

    I have been unable to block anything at my mail server as yet, I just started sending abuse letters to all the domains involved, but in my experience, the DSL providers overseas are not as on the ball as “Some” of the US based ones.

    I think Capital punishment should be allowed for this sort of behavior.

    Cheers!

  37. Richard Crowe says:

    Capital Punishment????  That’s letting them off waaaay too easy.  Some sort of medieval torture maybe………

  38. Unknown says:

    Now I like that idea.

    I’m sure I’ll do fairly well with a few power tools and a barrel of hot coffee.

    Muhahaha

  39. Lucien Roach says:

    I’ve been getting these e-mails since the 17th and actively blocking each address
    i know its not going to work

    but norton antispam seems to pick up the majority of them so i recommend you buy that if you’re having major problems.

    its picked bout 35 outta 50 i’ve had so far

    has anyone tracked down the place which has started the virus which creates these stupid e-mails
    tententwelvecorp doesn’t exist, well from what i’ve searched here.

    site admin is welcome to contact me will post back after some research

  40. Kim says:

    I wonder if a better solution would be for us to contact the companies being ‘pumped’ directly (like Sticky Web, etc) to let them know that someone is doing this to their business.

    It may be better for the companies themselves to contact the Trade Commission or whatever and complain, rather than us complain. I have a feeling that that SEC email address might not be monitored that closely?

    Kim

  41. Matthew Goeckner says:

    Hi Kim:

    If you look they often have something on their website about it….  They (for the most part) don’t like any more than the next part.  In some cases, there are likely to be a few sleaze balls in the company who are the one selling their shares – through the P&D but I can’t tell who.

    The SEC has web pages about scams like this.  I meant to post links to them when I found them but I forgot to do it.

  42. Dewy says:

    One of the crappy things about this whole deal, and others like it is that if you report the addresses in the Mail Headers that the Spam is originating from, (Usually some Broadband subscriber somewhere), then the ISP will just take care of that system…

    It does nothing to assist in catching the guy as each ISP handles it locally.  Whereas sending the mail/headers to the FTC or SEC will enable them to contact each ISP themselves and get all the logs they need to track the spam back to the originator (hopefully).

    I have reported a few to their respective ISPs, which usually helps limiting those computers from re-sending, but I have taken to sending to the FTC/SEC instead, even though it will take them longer to get some action taken as far as removing the offenders’ computers from sending the SPAM again….this really sucks.

    I am running an Exchange 2000 server if anyone has any ideas for that.  WE do not have the money / authority to put any third party products on the server unfortunately.  I have enabled Reverse DNS lookups to try to help…

    Cheers!

  43. Dewy says:

    By the way Mr. Turner,

    I noticed yesterday in running around the Internet looking for more information that several other blog sites have been getting hit as you have with the bounce backs and they all started pointing to your site as the best source for information on this unfortunate event.

    Another sad turn of events is that over the last 2 days or so, there is no more mention of a Web Site or Phone Number on any of the SPAM this turd is sending out…if I were to have received one today, I would not have any pointers to be able to find your site, connect the e-mails from when it started to today, or anything else to go on.

    Cheers!

  44. Richard Crowe says:

    One of the stocks he is pushing now is ikarma.  I went to their website at http://www.ikarma.com and they have a good writeup about this.  You can tell they don’t like it any more than we do and it seems they are also trying to track Mr. Dirtbag down.  I don’t see anything on the SEC site about it.

    I got 8 bounces today about this stock.  They all went to the SEC.  I’m not trying to spam them, I’m just hoping there will be something, anything in even one of the headers that will give them a lead.

  45. Dewy says:

    Perhaps a Clue?
    I just received a new one from this turd in the last few minutes.  It is currently the 27th at 18:09PST where I am and the write up is dated 28 April 06…so perhaps he is in Europe or further?

    Anyway, this new one is pushing “Pingchuan Pharmaceutical Inc. (PGCN.OB)”

    Cheers!

  46. Dewy,

    I’m glad to provide a place for people to compare notes and work together against these bastard spammers. 

    I had noticed the trend in the latest emails to provide absolutely no contact information.  I guess all the people trying to track back to the spammer via his contact information was making it too dangerous for him.  I just hope that his original disclaimer sites provide sufficient information to find him.

    As for the SEC and law enforcement, they tend to be pretty tight-lipped about this sort of stuff until they gather enough evidence to act.  But given the amount of spam/scam email that the SEC receives each day, it’s just as likely that they’re simply buried in email.

  47. Leon Entwistle says:

    I’ve stopped receiving them.

    YAY!!!

    The last message I received from this spammer was the 25th and I was receiving 4-5 a day.

    Perhaps I’m one of the lucky ones who has dropped off his distribution list.

    I hope everyone else manages to escape this spammer and I wish you all the best of luck

    p.s. I would still like to see this guy sent to jail with a whole bunch of heavily muscled gay men

  48. Lucky you.  I’ve gotten about 42 this week (starting 4/24) and 194 total.  I’d like to see him sent to a farm with several horny bulls.

  49. Dewy says:

    Leon Entwistle,

    Congratulations!!

    I, unfortunately seem to be getting it worse each day.  Here is my list:

    Date Amount   Stock(Symbol)
    27th 8 Recvd 4/IKMA – 4/PGCN.OB
    26th 5 Recvd 5/IKMA
    25th 3 Recvd 2/SIKY.PK – 1/IKMA
    24th 2 Recvd 2/SIKY.PK
    23rd 2 Recvd 2/CWTD
    22nd 2 Recvd 2/CWTD
    21st 1 Recvd 1/CWTD
    20th 4 Recvd 3/SWNM – 1/MOBF
    19th 1 Recvd 1/SWNM
    18th 1 Recvd 1/SWNM

    This is just what I personally received, I am not sure about my users as they have taken to deleting them instead of forwarding to me.

    I just printed all the headers out and will be going through them for research.  I will be forwarding all of them to the SEC, FTC and the ISP of each sender in a few hours.  I am hoping to find some commonalities in them, but I doubt it.

    Cheers!

  50. Unknown says:

    Sounds like Lucien Roach has the best solution to the problem!

    (please try to read and at least understand some of this mess..)

  51. Richard Crowe says:

    Who’s Lucien Roach?

  52. Roach is post #40.  Mr. Unknown could have been clearer, though.

    As for his suggestion, I believe my filter does better than 35 out of 50.  As I said, though, mine may generate a lot of false positives (although it doesn’t for me).

  53. John says:

    The person or people doing this are causing us grief, but there are probably people being hurt financially because of this.  The spammer’s latest promotion, Pingchuan Pharmaceuticals Inc, opened today up about 65%.  My guess is the spammer had already bought his position in the stock a few days ago and will unload it during the euphoria of today’s trading making a handsome profit.  Then the stock will resume its previous pricing trend. 

    This person is a stock manipulator first, he just uses spam email as his tool.  That’s where we get involved because he is forging our domains as the from address in his spam.

    The latest email that got returned to my domain undeliverable was a change.  The image that was attached was much smaller, very brief and no “disclaimer” included. 

    Anyone else see any recent changes in his modus operandi?  Are people getting the direct email?  I am only getting the returns that are from forged email names on my domain.

  54. John,

    I’ve heard from people who are getting the direct emails (some of them who mistakenly think that I was the sender).  But I’ve only gotten the bounces.  He doesn’t appear to have any of my addresses on his spam list (at least so far).

  55. Dewy says:

    John,

    I am receiving the e-mail directly, as are about 5 of my users, (I am a LAN Admin).  I concur that his MO has changed recently, and have noticed that it has changed several times since the 18th when I started receiving them.

    Last night I printed out all the headers looking for commonalities in the e-mail but was unsuccessful in finding anything.

    I have a spread sheet with the date, time, originating IP and originating sender as well, (the ip and the DNS name of the originators do not match), I was looking up the abuse addresses for the originators involved, (this is proving difficult as many are overseas Broadband Subscribers and there are serious language barriers sometimes).

    Anyway, I think maybe I will expand the spread sheet to include other notes like MO, Stock being pushed, and all that as well.

    I have not noted any that I received from Aubreyturner.org.  The spoofed addresses are widely varied though.

    Cheers!

  56. Suzi says:

    In response to post #54… I’ve been getting the direct e-mails all along- 10 a day. Still no sign of abuse of my domain name.

    and to post #49… we own cattle and have several horny bulls! lol

  57. Suzi says:

    Also I was going to ask…
    should I be reporting these to my ISP? They are pretty small with just a couple of tech guys- I don’t know if they would be able to do anything or not… ?

  58. Suzi,

    I don’t think your ISP could do much for you, other than to perhaps ban the IPs the email is coming from.  If they’re using any kind of central blacklist, then this would likely have already been done for them, though.

    About the only thing to do is to forward each unique spam to the SEC (i.e. each time the spammer changes his stock pick).

  59. Wow, this spammer has no shame.  I just got a bounce intended for somebody at the House of Representatives (house.gov)!  If some of this spam is actually reaching our national leadership, one of two things could happen.

    1.  They’ll realize how serious the problem is and *do* something.

    2.  They’ll sic the FBI on me.

    I hope it will be #1.  grin

  60. Matthew Goeckner says:

    Oh be for real – Congress would never do anything that would ACTUALLY solve a problem. 

    If they don’t lock you up, tell me what the FBI guys were like to deal with.

    wink

  61. Marilyn says:

    I also have gotten MANY, MANY bounced messages from tententwelvecorp.info.  I notified my internet provider, Juno, and they sent me a message that had some helpful information.  It may be better than forwarding the messages to the SEC or in addition to doing that. 

    Hope it helps us get to the low life doing this.

    JUNO SAYS:
    “The best way of combating email abuse is to forward the unsolicited email message with its full-received headers to the postmaster/abuse team of the offending domain.

    If you would like to learn how to report spam to the correct domain, please see how to Complain to the Spammer’s Provider (http://spam.abuse.net/userhelp/howtocomplain.shtml);
    for detailed information on headers and spam-fighting tools we recommend you see (http://www.claws-and-paws.com/spam-l/tracking.html).

    If you have received any unsolicited message from a Juno address, please forward it to Juno’s Automated Spam-Desk at [email protected], along with its full-received headers.

    Sending the full-received headers, might involve making a minor alteration to your mail program setup.”

    Good luck folks!

  62. Kim says:

    Marilyn – the only problem with Juno’s suggestion is that the original domain (the originator of the spam message) was spoofed to look like it came from your domain (that’s why the bounced messages come back to you).

    The spammer is doing their best to hide their tracks – and I think the only way to catch them would be for the relevant authority to monitor the stocks in question and see if there are larger transactions, or patterns between the stocks. My guess is that the spammer is probably using multiple global accounts, and multiple fake names to buy/sell the stocks anyway – so it would probably be a nightmare to investigate 🙁

  63. Kim, Juno wasn’t referring to reporting anything to the spammer’s spoofed *domain*.  They were talking about analyzing E-mail headers and reporting to the owner of the IP address sending the spam.  Did you look at the links provided?

    The real problem with Juno’s suggestion is that this spammer is using a bot net to send spam from innocent users’ machines.  Reporting to the machine owner’s ISP might get them to cut that user off until they clean up their machine, but you’d have to report *every* machine in the bot net (and hope those ISPs were also willing to cut off E-mail access to the machines) to get the spam to stop completely.

    Worse, that wouldn’t help catch the spammer himself.  He might not be able to send more spam, but nothing would happen to him, either.

  64. Kim says:

    ahh, oops – misunderstood (hadn’t checked out the URLs). Yeah, I have had a look through the email headers of a handful of the 200+ bounce backs I have received, and all come from different IP addresses/bot nets – it would be a mission to get the internet providers to do something about these, and like you say – it would be unlikely to result in catching the spammer 🙁

  65. Marilyn says:

    I appreciate the comments of Steve Mueller about the limitations of reporting these spam messages to the machine owner’s ISP and that to be really successful we would each have to report every machine in the bot net of each message.

    However, what about this: If we each reported a couple on a regular basis wouldn’t that be more proactive than reading each others messages here and wringing our hands?  It wouldn’t hurt and it could be like the drip…drip of a drop of water on a stone; eventually it makes a little dent in the stone.  At least it beats just deleting the offenders’ messages, which is of no help to reducing the messages.

    I want to also add that I ‘copy’  [email protected] and [email protected] (a Federal Trade Commission address) on each of the messages that I send to the owner’s ISP.  Hey, why not keep those agencies informed too?  If we each ‘copy’ these two agencies on the couple of the messages we send to the machine owner’s ISP they will get an idea of some of the garbage messages we are getting.

  66. Richard Crowe says:

    It’s been awfully quiet here.  Is anybody still receiving this spewing besides me?  I still get 10 or so returns a day.  Seems he has hijacked a couple of other emails because now not only am I receiving my bounces but also direct emails from others.

  67. Kim says:

    Richard – there is still a bit of discussion in Aubrey’s original post here: http://www.aubreyturner.org/index.php?/orglog/comments/fn_spammers/

  68. I’m still getting the crap.  I got about 18 bounces or challenges since this morning (Thursday).

  69. charlene says:

    this isnt hard to figgure out the phone number is not wright well look up the 310 it comes back to catalina island ca but the number still dont come up now look up just the number not 310 you come up with the phone number 562 598 7434 ok now you get somebody by the name of robert f bledsoe 1503 merion way apt48k seal beach ca 90740-4942 now this is where it gets weard look up that name in a back ground check youll get to people one in his 70 and one no age but heres the cool thing just look up the last name bledsoe youll find it interesting or look up woodrow w bledsoe now look up robert f you mite find this cool to or robert f simmons put the to men together look up what they did in life now look at your email scroll down to the bottem its a code youll need to sipher it I think its a goverment thing the guys smart

  70. As the other thread doesn’t seem to allow more than 200 posts, I’ll post this here.

    China World Trade (CWTD) made another comeback Monday, and I saw De Greko (DGKO) reprised yesterday.  I’d think repeatedly pumping and dumping the same stock wouldn’t be as effective as doing it with different stocks, would it?

    Of course, if he’s spamming new people, maybe it would.

    The latest stock seems to be inZon Corp. (IZON).  Is that a new one or a repeat?

  71. Kim says:

    Aubrey – you need a forum! smile Sooo many comments on these spammers smile

    As for pumping/dumping the same stock over and over again – perhaps it’s just that the stocks didn’t reach the spammer’s intended price, so he didn’t sell his shares (or whatever it is he is doing) – and now he is trying again.

    Steve – I think inZon Corp is a new one 🙁

    Kim.

  72. john says:

    I’m still getting 10-15 of these returns a day.  One of them today was to an address to unsubscribe to a yahoo.groups account.  Obviously this spamming is not being at all selective in who it sends to.  Of course, since it doesn’t cost anything extra to send to ridiculous email accounts, that is why spamming is so rampant.

    On the 12th, it will be one month since the first return arrived in my inbox.  Bummer.

  73. Kim,

    If this continues I may consider adding a forum.  I’d never needed one before, since I don’t usually get more than one or two comments per entry.  Since I don’t usually have a lot of discussions, I decided it wasn’t worth the additional $49.95 for the EE forum module.

    When I adjusted the comment limits in the templates previously, I changed it from 100 to 200, thinking that I’d never reach 200 comments on a post.  Little did I know… big surprise

  74. Gibson99 says:

    there are free forum softwares out there as well, as long as your httpd supports it (be it perl or asp or whatever)…

    i’m still getting loads of bounces here, and it’s ramped up again in the last couple of days… up to 31 bounces yesterday, and at least 15 today so far.  i noticed in one of them that the “info” is now plaintext and is not a gif.  it’s pushing GDKO.PK and has no tententwe.. names in it anymore. 

    i also got a laugh at a bounce from a yahoo groups unsub… “you’re not subscribed to this group.”  *rolleyes*

    i think our talk of complaining to the SEC may have inspired mr. spammer to update his disclaimer – it’s more wordy and specifically names an SEC act of 1934… and the best part (may i quote)…

    “We have received two million free trading shares from a third party
    not an officer, director or affiliate shareholder. We intend to sell all our
    shares now, which could cause the stock to go down, resulting in losses
    for you.”

    if that doesn’t say “this is a pump and dump scheme” then i don’t know what does.

    as for spam filters… i’d say probably 1/4 to 1/3 of the bounces i get are marked as spam.  that is, they typically have subjects like “message you sent blocked by our bulk email filter” so there are definitely sysadmins out there who ARE on the ball.  I have SPF records for my domain, but that’s all i can do at this point.  smtp needs its holes plugged. maybe it’s time to invent cmtp (complicated mail transfer protocol).  *shrug*

  75. Gibson99 says:

    forgot to link to a forum i like… http://www.phpbb.com/

    if you don’t have server access to install something like phpbb (requires a sql db and php 4), maybe someone in this discussion can do so.  i don’t have sql, and know very little about it (no need for what i do), so i’m probably not the best person to try and run it… otherwise i would.

  76. Yeah, there are free forums available.  But if I were to install a forum, it’d be something that integrates with the rest of the site, which is running on Expression Engine. 

    But aside from this spammer business, I’ve never had need of a forum before.

  77. Kim says:

    I’ve started getting CCDE (Concorde Resources Corp) today. A new one 🙁

    As for a forum – what about one of these? http://s8.createphpbb.com/phpbb/new_forum.php

    Kim

  78. Gibson99 says:

    good stuff Kim.  I’ve set up a board there:

    http://www.s8.createphpbb.com/tententwelve

    Aubrey – since this is (hopefully) only a temporary thing, I went ahead and set up a forum where kim suggested.  and since it’s just temporary, and is specific to this spam, there’s no need to integrate it with anything. 

    of course, it’s free, and you DO NOT have to register to read or post (just like here), but you CAN register to prevent people from using your name there.  also, i’ll give you (aubrey) admin rights as well, just so i’m not the only one. 

    hopefully this will make it easier to keep discussion on-track and in one centralized location.

  79. Kim, I’ve also started getting CCDE bounces and another one—Xtreme Motorsports of California (XMMC).

    The disclaimer for CCDE said that they had received 4 million shares.  If the stock price of $0.025 is correct, those are worth $100,000!  Some of the other stocks I checked were actually worth more.

    Why would somebody give that much out to run a pump-and-dump scheme?

  80. john says:

    This may be obvious, but it just occurred to me that a reason a company (or an insider) might give a large number of shares to a spammer like we are dealing with is, that is the spammer’s contingency pay for getting the stock price up even just momentarily.  In other words, someone else with a lot more shares wants to dump their shares for the reasons given in the disclaimer, so they hire this scum bag to try to jack up the price.  The better the scum bag is at getting the price up the more he is getting paid for his efforts.  Also, the more the giver of the shares will be able to get for his shares when he dumps them at the same time.

    (By the way, I am posting this same message on the bb that Gibson99 setup.)

  81. I thought of that, too, John, but the disclaimer (if you can believe it) said the shares weren’t from an officer/insider.

    Also, if I were an officer planning to dump my shares, giving somebody else a large number of shares that I *know* they’re going to dump in competition with me seems counterproductive.

    And, as I said, it still seems like an awful lot of money to give somebody to spam.

    However, if you’re right, there are obviously several companies hiring these spammers.  How do they contact them?  Maybe if somebody else could contact them as a sting, we could get this shut down.

  82. Adam says:

    Ooooo, we might have him.

    I’ve gotten new spam for herbal viagra or some such crap at penalizekm.com.  So these people have either hired the spammers to promote them (likely) or it is the spammers (less likely).  Doing some tracking down right now… 

    I wonder if a financial reward would induce the viagra numbnuts to give up who their spamming contact is?

  83. My domain has also been used as a fake origin for emails and the deluge of bounces started on 13/4/2006.  I’m glad I found this site as it seems to have the largest group of people who have their domains abused by this scumbag and maybe we can stop him.  I save copies of all of my spam just in case I need it to track down spammers (as is the case here).  In my case, the very first email I got addressed to drgimbarzevsky.com, on 13/4/2005, was from newportcorp.cn, which was followed by a flood of email bounces.  The message was an offer to advertise my site for free to 2000000 internet users.  Newportcorp.cn has since been taken down, but it pointed to a Seattle address of a bulk mailing company which was most likely run by Robert Soloway who has made the list of 200 worst spammers at spamhaus.org.  This may be coincidence, but I’m curious if anyone else has gotten email from newportcorp.cn around the time their domains were hijacked.  Also, has anyone out there got a program which would allow automatic retrieval of sender addresses from email headers to see if there are any patterns in the sources of the spam?  I’ve already spent too much time tracking down spam sources in the last month and can’t really justify writing a program to do it.
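
An added example, not code from any commenter in this thread: the header tally that comments 55 and 83 describe doing by hand, reading the returned original inside each bounce and recording the IP, HELO name and reverse DNS from the topmost `Received` line. The function names, the Postfix/sendmail-style `Received` layout and the sample bounces (documentation-only addresses) are assumptions made for the example.

```python
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

# Matches "from <HELO> (<reverse-DNS> [<IP>])" and "from <HELO> ([<IP>])", the
# layout Postfix and sendmail write (assumed here). Other MTAs use other layouts.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

def embedded_original(bounce):
    """Return the returned spam (or only its headers) carried inside a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def injection_point(raw_bounce):
    """Describe the host that handed the spam to the server that bounced it."""
    original = embedded_original(email.message_from_string(raw_bounce, policy=policy.default))
    if original is None:
        return None
    hops = original.get_all("Received", [])
    # Only the topmost Received line was written by the bouncing server itself;
    # anything below it was supplied by the sender and may be forged.
    match = RECEIVED_RE.search(" ".join(str(hops[0]).split())) if hops else None
    if match is None:
        return None
    rdns = match["rdns"] if match["rdns"] not in (None, "unknown") else None
    return {
        "ip": match["ip"],
        "helo": match["helo"],
        "rdns": rdns,
        "helo_matches_rdns": rdns is not None and rdns.lower() == match["helo"].lower(),
        "forged_from": parseaddr(str(original.get("From", "")))[1],
    }

def summarize(raw_bounces):
    """Return (rows, per-IP counts, number of messages that could not be parsed)."""
    rows = [row for row in map(injection_point, raw_bounces) if row]
    return rows, Counter(r["ip"] for r in rows), len(raw_bounces) - len(rows)

def make_bounce(received, forged_from, headers_only=False):
    """Build a constructed bounce; real ones would be read from your own mailbox."""
    ctype = "text/rfc822-headers" if headers_only else "message/rfc822"
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nDelivery failed.\n\n"
        f"--b\nContent-Type: {ctype}\n\n"
        f"Received: {received}\n\tby mx.example.net with SMTP; Thu, 27 Apr 2006 18:09:00 -0700\n"
        f"From: {forged_from}\nSubject: constructed sample\n\n"
        + ("" if headers_only else "constructed body\n\n")
        + "--b--\n"
    )

SAMPLE_BOUNCES = [  # constructed, using documentation-only addresses and names
    make_bounce("from dsl-7.example.com (unknown [192.0.2.10])", "qxz@example.org"),
    make_bounce("from mail.example.com (mail.example.com [198.51.100.7])",
                "Bob <bob@example.org>", headers_only=True),
    make_bounce("from pc-3.example.net ([192.0.2.10])", "jkl@example.org"),
    "Subject: not a bounce\n\nplain message with no returned original\n",
]

if __name__ == "__main__":
    rows, per_ip, unparsed = summarize(SAMPLE_BOUNCES)
    print(rows, per_ip.most_common(), unparsed, sep="\n")
```

The per-IP counts are what an abuse report to the sending machine's ISP would be built from; the `forged_from` column shows which addresses on your own domain are being forged.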

  84. I’ve gotten that, too, Adam.  The difference is that the domains linked to were as follows:

    * laudcm.com
    * sluggingmc.com
    * tullianhf.com

    It appears these domains are a real word followed by two random characters, just like yours.

    I got six bounces for pharm crap today.  That’s the bad news.

    The good news is that these were plain text and I haven’t gotten any pump-and-dump bounces since these started.

  85. john says:

    I have a question for all of you that are experiencing (or have experienced) your domain being forged by tententwelve.  Assuming you still have the very first returned email that you associate with this fraud, is the return address a legitimate address for your domain?  Mine was, however it was of a form that would appear to be a random 3 letters.

    When I got that first return, I thought that the computer of one of the few (2 or 3) people that have that email address for me, had gotten infected with a virus that was then sending itself on using email addresses in that computer’s address book.  The next day when I began to get many more returned emails, I stopped thinking of this as a virus.  However it is at least an interesting coincidence that the first email return was legitimate but of the form used by the spammer.  Any comments?

    On a side issue, in response to a letter I sent to the SEC about the disclaimer being included at the bottom of the image, they replied…

    Placing the disclaimer at the bottom of the spam email or fax does not prohibit you from taking legal action against the author of the fax.

    It goes on to provide links to FCC complaint forms and a link to state consumer protection sites to file with them.  I can post if desired.

  86. Matthew Goeckner says:

    FYI – I got this today

    Dear Sir or Madam:

    You are receiving this email because you have notified Pink Sheets in recent months that you have been the victim of unwanted and unsolicited spam and junk faxes promoting securities traded over the counter.

    Pink Sheets has recently petitioned the U.S. Securities and Exchange Commission (SEC) to adopt a rule to help identify the individuals and entities responsible for stock promotions, which are primarily being sent as SPAM Emails and faxes. Our proposed rule, among other things, would require promoters to identify themselves in the promotional materials and also identify what compensation the promoters are receiving and from whom. We are requesting that the Commission take immediate action to expose securities promoters, spammers and their financiers whose actions are particularly detrimental to the livelihood of smaller public companies and to the confidence and financial well being of investors in OTC securities.

    – Read the Press Release (http://www.pinksheets.com/about/pr_042606.jsp) for more information.

    – Read the Proposed Rule (http://www.sec.gov/rules/petitions/petn4-519.pdf) on the SEC’s website.

    We encourage you to read these materials and send a comment to the SEC urging the Commission to adopt the proposed rule.

    This can easily be done by sending your comments via email to the SEC at [email protected]. Please be sure to include in the subject line SEC File No. 4-519 and in the body of the letter refer to the “Request for rulemaking to expose and prevent unlawful and deceptive activities by securities promoters and their sponsors.” Or, you may send a letter to:

    Ms. Nancy Morris
    Secretary, Securities & Exchange Commission
    100 F Street NE
    Washington, D.C. 20549

    If you have any questions about the proposed rule or this email, please do not hesitate to contact us at (212) 896-4420.

  87. Neil Jackson says:

    Thanks for the above, Matthew – a great bit of not-joined-up thinking from the SEC and Pinkies there, innit? smile

    It’s a little like hearing a police commissioner respond to a recent spate of burglaries by saying “We’ve created a new law that states ALL burglars, without exception, must leave a business card at the scene of the crime, with their contact details on it.” And then wondering why half the burglars STILL didn’t bother to follow the new law, and the other half left faked business cards that said things like “W. Shakespeare, 42 Petunia Lane, Stratford-upon-Avon” or “Geo. W. Bush, The White House, Washington” on them instead.

    Anyone would think these spammers and burglars are NOT naughty, laugh-in-the-face-of-law type people the way these government commissions and stock-exchange know-nothings respond to them!

    I mean, if they were ‘honest promoters’, would they even be joe-jobbing us in the first place?

    LOL… funniest thing I’ve seen all week! wink

    Next week, we’ll be looking into a scheme that requires homicidal axe-murderers to give at least three days notice to police of any intention to freak out and hatchet-up the townsfolk, and a great new policy that forces maniac hit-and-run drivers and car-thieves to have their addresses and zipcodes stamped into their car tire treads, for ease of forensic analysis after an accident wink

    Oh, and a seminar on ‘how to nail Jello to the ceiling!’ wink

  88. Adam says:

    In response to #83 and #85, I’ve posted what info I’ve found out to the tententwelve forum (hope this link works)

    http://s8.createphpbb.com/tententwelve/viewtopic.php?t=7&sid=1cfba8f1c4b297a5621d9a7daac95d30&mforum=tententwelve

    The source identified domain made me do a google search for “Vladimir Mironov spam” which gave a VERY interesting result – a mailing list thread on apache.org which names most of a KNOWN spammer gang by name: “The domain is registered to Vladimir Mironov, which means it could be any of Kuvayev, Pavka, Alex “Blood”/Polyakov or even Yambo, but Spamhaus’ SBL36203 marks the IP range as Leo”

    I’ll post the link in the tententwelve thread above.