Our hourly comment spam assaults on the Maricopa Learning eXchange ceased around 10:00pm local time yesterday. My best guest is that the spammers mommy finnaly told him/her it was time to shut fof the computer, brush their teeth, and off to bed. Likely, after a bowl or two of Cocoa Puffs this morning, they will be back in action.

Or so they think. All of their spams have been intercepted, logged. The IPs recorded include:

210.251.92.104
218.50.2.74
220.93.120.39
61.50.172.143
80.55.203.182
80.58.14.107

and trace to various networks in China and Korea. Taking a different tack, I looked up the various gamvling and pharmacy URLs they were trying to be inserted in our site.

Interestingly enough, they were registered to different persons, such as:

Alexandro Marie
Old Eagle School Rd
63
Swaledale Wisconsin
US 76127

Jazmyne Benjamin
Wister Rd
40
Rodman Florida
US 65255

Isabella Perla
Continental Blvd
28
South English Maryland
US 69100

but then the pattern emerged- all of their Whois records have emails in the form of:

contact28@support-24×7.biz
contact6@support-24×7.biz
contact18@support-24×7.biz

So now I think these are names and addresses plucked from the phonebook… hmm it might be worth a phone call to the number listed? Does anyone know these folks? Can domains really be registered in the names of people without their permissions?

So doing a SamSapde trace on the domain in the contact address, we get to some interesting details- the registrant for this “business” has a name of “Phentermine Deals” and an address in the lovely safe harbor of Antigua. Too bad the hurricanes dod not flatten their shanty shack.

The billing and contact details point to a ISP hosted in…. France. There we can see, for a piddly 12 Euros a year, Gandi.net is a spammers best friend.

Wow, we have French ISPs hosting web sits for Caribbean spammers for domains likely falsely registered to folks in small towns across America, and all their action is masked by routing scripts through Southeast Asian IP addresses!!!

I am pretty much a rank amateur in this detective work, anyone want to play? Is anyone out there appalled that questionable pharmaceutical peddlers and online gambling hosts would stoop to shoving their unwanted content into a free, educational resource? Would they do this on a web site for blind orphans? refuge relief groups? IS THERE NO SHAME OUT THERE?

The post "Spam: The International Game of Intrigue and Mystery" was originally cracked open and scrambled from a rotten egg at CogDogBlog (http://cogdogblog.com/2004/10/spam-the/) on October 3, 2004.

6 Comments

  • Gandi.net is a great service and I use it for domain registration. I think it is just a coincidence that your adversary happened to use the service. It is really disingenuous of you to imply that Gandi.net is a service FOR spammers, where it is merely a domain registration service. No domain registrar requires more than a credit card to register a domain.

  • Alan Levine

    Pardon my ignorance, David– I am kust grasping at domain straws.

    But someone at Gandi.net has taken money for the spammers and thus has a connection. Who then is responsible? How do I find them?

  • Martin

    I have also used gandi.net for domain name registration for several years and they seem to be perfectly respectable – certainly not “a spammers best friend”. I’d also be a bit more careful about advising people to ban IP addresses unless you’re VERY sure that they are the originators of the spam.

  • Alan Levine

    Okay, I am WRONG to imply or implicate the domain registrar. I admit it. I am WRONG, WRONG, and apologize to all friends of Gandi.net.

    But look at my crooked line of reasoning…

    (1) Ihave on the hour logs of spam insertion attempts of more than 30 different URLs. Eacth hour the format of the message is the same, the message shuffled slightly. They all come from IPs that can be traced to some nebulous place in southeast Asia.

    (2) ALL of the URLs that are trying to be inserted have Whois records where the email contact is a company in Antigua.

    (3) When I look up the Whos is record for this company, Gandi.net is listed as the terchnical contact for the domain.

    Are they still clean and pure as you all say?

    I do not know- I am looking for help in tracing this. I am not an IP detective just someone tired of being victimized by spammers.

    As far as proof, the IPs I am trapping are the ones that have issued the http request to our comment form. Do I have to catch them in the act or what?

  • Gandi as technical contact – I think the domain registrar could be a whois default if other details are not available. In any case how likely is it that Gandi would provide their own contact details to the whois database if they actually were spammers?

    IPs issuing http requests – I think it may be possible for people to spoof this or work through relays or something. Not sure. It just again seems unlikely to me that it could be that easy to “name and shame” spammers.

    I’m perhaps a bit over sensitive about this sort of thing because a friend of mine’s business was very badly affected when spammers started sending out e-mail using her address (which is of course very easy to spoof). Before she knew it, she had been named and shamed, her e-mail was being blocked, and she was generally being presumed guilty with the onus on her to prove her innocence.

  • Okay Martin,

    I am not suggesting Gandi is the spammer, but I think they do business with the people that do or may mave information that may lead to them. It is time for buisnesses to stop hiding behind this shiled of “I am not involved” igorance and DO SOMETHING.

    Since I cannot trust any evidence I can find, I should just allow spammers to attach 15 URLs for viagra and top-poker-sites on every MLX package because I cannot provide iron clad proof that these are spams from the IP address reported? Or perhaps we just cave in and just turn off the ability for people to provide feedback?

    I am sorry, but I will not cave. If someone contacts me and let’s me know that our system is reporting their IP as spam and they are not, I will lift it from our Blacklist….

    But caving in to spammers? Fuggggeddaboudddddit.