Follow The Bouncing Spam

It appears the botnet Joe Job has started again.  This time it’s “enlargement” products they’re hawking.

I’ve gotten 180 bounces since about 6:00pm yesterday.  At this rate I may be forced to disable my catch-all, but it’s going to be a major PITA.  I’ve probably got over a hundred aliases in use, and they aren’t individually registered.  This means that I’m going to have to grovel through all of my previously received and sent emails and pull out the addresses I used and create explicit forwarding entries for each one.
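The alias-harvesting step described above, as an added example that is not part of the original post: it pulls the aliases actually in use out of existing mail (skipping bounces, whose addresses are the spammer's forgeries), emits explicit Postfix-style virtual alias entries to stand in for the catch-all, and flags bounces addressed to never-used aliases as backscatter so a filter can file them away. The domain, the alias target, the Postfix map format and the sample messages are assumptions, not details from the post.

```python
# Added example (not from the original post): harvest the aliases actually in use
# from a mail archive, emit explicit Postfix virtual_alias_maps lines in place of
# the catch-all, and sort bounces into real DSNs and Joe-Job backscatter.
# Assumptions: the domain, the alias target and the constructed sample messages.
import email
import email.utils

DOMAIN = "example.org"  # hypothetical domain whose catch-all attracts the bounces
HEADERS = ("from", "reply-to", "to", "cc", "x-original-to", "delivered-to")

def is_bounce(msg):
    """RFC 3464 DSN: multipart/report;report-type=delivery-status, a null return
    path or a MAILER-DAEMON sender.  Its addresses are forged, so never mine them."""
    dsn = (msg.get_content_type() == "multipart/report" and
           str(msg.get_param("report-type", "")).lower() == "delivery-status")
    return (dsn or msg.get("return-path", "").strip() == "<>"
            or "mailer-daemon" in msg.get("from", "").lower())

def harvest_aliases(messages, domain=DOMAIN):
    """Local parts at `domain` seen in mail we really sent or received (e.g. mailbox.mbox)."""
    aliases = set()
    for msg in messages:
        if is_bounce(msg):
            continue
        for hdr in HEADERS:
            for _, addr in email.utils.getaddresses(msg.get_all(hdr, [])):
                local, _, dom = addr.rpartition("@")
                if dom.lower() == domain and local:
                    aliases.add(local.lower())
    return aliases

def virtual_map(aliases, target, domain=DOMAIN):
    """Postfix virtual_alias_maps text: one explicit line per alias and no
    '@domain' catch-all line, so unknown local parts are rejected at SMTP time."""
    return "".join(f"{a}@{domain} {target}\n" for a in sorted(aliases))

def classify(msg, aliases, domain=DOMAIN):
    """'backscatter' = bounce to an alias we never used; 'bounce' = DSN for a real one."""
    if not is_bounce(msg):
        return "mail"
    _, addr = email.utils.parseaddr(msg.get("x-original-to") or msg.get("to", ""))
    local, _, dom = addr.rpartition("@")
    return "bounce" if dom.lower() == domain and local.lower() in aliases else "backscatter"

# Constructed sample archive: one sent message, one received, one Joe-Job bounce.
SAMPLES = [email.message_from_string(s) for s in (
    "From: Me <shop-2006@example.org>\nTo: orders@vendor.test\n\nhi\n",
    "From: f@other.test\nTo: listsignup@example.org\nCc: <Newsletter@Example.org>\n\nhey\n",
    "Return-Path: <>\nFrom: MAILER-DAEMON@victim.test\nTo: xqzt9@example.org\nContent-Type: "
    "multipart/report; report-type=delivery-status; boundary=b\n\n--b\n\nx\n--b--\n")]
```

In practice the message list comes from the real Sent and Inbox mailboxes, and the map text is fed to postmap before the catch-all line is removed.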

Update 1:  Got five more just in the two minutes it took me to write this entry.

Update 1a:  Up to 226 as of 3:39pm.

Update 2:  All of the spams link to various nonsense domains that contain “information” about something called “Man XL.”  The scammer behind this nonsense is an entity calling itself “WW3 DISTRIBUTERS LLC.”  Should you receive such an email, beware clicking the link unless you want to see Prasad’s “business” (if you were unfortunate enough to have clicked, you’ll know what I mean by that).

Update 3:  Internally, all of these sites have a frameset that pulls the main frame content from http://www.cabaretmarin.net.  Hitting that address causes a redirect to http://barbarises.net/ms/?bb, which then redirects to http://barbarises.net/ms/index.php?k=<garbage>.  That appears to be a “campaign” tracking link (i.e. this particular batch of redirects through cabaretmarin.net seems to share this “k” value).

I did a random check of several of the “.info” domains that appear in the emails.  They all have similar information (i.e. same name, address, email) and were registered just a few days ago via RegisterFly.  Here’s an example:

Registrant ID:tuJCnDTXYin4eSHs
Registrant Name:patrice pennetier
Registrant Organization:pennetier
Registrant Street1:rue notre dame, 21
Registrant Street2:
Registrant Street3:
Registrant City:tubize
Registrant State/Province:NA
Registrant Postal Code:1480
Registrant Country:BE
Registrant Phone:+1.3292313108
Registrant Phone Ext.:
Registrant FAX:+1.3292313108
Registrant FAX Ext.:
Registrant Email:[email protected]

Information on “barbarises.net”:

Domain Name:barbarises.net

Registrant:
Mike Vester
      Allensteiner Strasse 24
      47237

Administrative Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Technical Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Billing Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Registration Date: 2006-07-14
    Update Date: 2006-08-31
  Expiration Date: 2007-07-14

  Primary DNS:  ns1.buckraming.com         220.179.67.133
  Secondary DNS:  ns2.buckraming.com         220.179.67.133

The cabaretmarin.net domain appears to have been registered via a privacy service, though, which is not surprising as this is the first real link in the chain to his spam site:

Registration Service Provided By: Registerfly.com
Contact: [email protected]
Visit: http://www.registerfly.com

Domain name: cabaretmarin.net

Registrant Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

Administrative Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

Technical Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

3 Comments

  1. Ank de Boer says:

    Hi, you seem to be an expert. I’m wondering what we can do (what I can do) to fight the spammers? I recently was attacked by WW3 DISTRIBUTERS LLC, which you wrote about. What do you do to discourage them? Greetings from Holland.

  2. Unfortunately, I’m not sure what can be done beyond what I’ve done so far.  I think it would take law enforcement action at this point to move any further.

    The problem is that the people who have been scammed by WW3 DISTRIBUTERS (sic) LLC aren’t likely to come forward, given the sensitive nature of the products involved.

    At the moment, I’m considering whether to disable catch-all emails on my domains.  It’s not going to be easy, as I will have to whitelist several hundred email addresses.  Even though that will prevent me from seeing the bounces, it’s not a very satisfactory solution, since my name will still be listed in the domain name of the sender for the emails that get through.

    In the meantime I’ve set up filtering to move the majority of the bounces to another folder so they don’t get in the way of real emails.

  3. There must be something we can do about all this spam. It seems registerfly is the culprit, with the nameserver as yet another way of getting around this mess.

    We own http://www.10000mb.com and whoever is in charge of regis and name are spamming in our name. This is very easy to do obviously, but it is becoming increasingly burdensome. They are using our good name to send out pharmacy emails, sex emails, etc.

    I have tried to contact ICANN, but they can’t seem to do anything about it, nor does it seem they want to. There has to be a way.

    Any suggestions are greatly appreciated.

    Customer Service
    10000mb.com