CDB cat dog-egories:

October 03, 2004

Note: CogDogBlog has a new WordPress powered home at All entries from this version have been moved there, so as a guide dog service try finding this article in its new home by title search.

Spam: The International Game of Intrigue and Mystery

Our hourly comment spam assaults on the Maricopa Learning eXchange ceased around 10:00pm local time yesterday. My best guest is that the spammers mommy finnaly told him/her it was time to shut fof the computer, brush their teeth, and off to bed. Likely, after a bowl or two of Cocoa Puffs this morning, they will be back in action.

Or so they think. All of their spams have been intercepted, logged. The IPs recorded include:

and trace to various networks in China and Korea. Taking a different tack, I looked up the various gamvling and pharmacy URLs they were trying to be inserted in our site.

Interestingly enough, they were registered to different persons, such as:

Alexandro Marie Old Eagle School Rd 63 Swaledale Wisconsin US 76127

Jazmyne Benjamin
Wister Rd
Rodman Florida
US 65255

Isabella Perla
Continental Blvd
South English Maryland
US 69100

but then the pattern emerged- all of their Whois records have emails in the form of:

So now I think these are names and addresses plucked from the phonebook... hmm it might be worth a phone call to the number listed? Does anyone know these folks? Can domains really be registered in the names of people without their permissions?

So doing a SamSapde trace on the domain in the contact address, we get to some interesting details- the registrant for this "business" has a name of "Phentermine Deals" and an address in the lovely safe harbor of Antigua. Too bad the hurricanes dod not flatten their shanty shack.

The billing and contact details point to a ISP hosted in.... France. There we can see, for a piddly 12 Euros a year, is a spammers best friend.

Wow, we have French ISPs hosting web sits for Caribbean spammers for domains likely falsely registered to folks in small towns across America, and all their action is masked by routing scripts through Southeast Asian IP addresses!!!

I am pretty much a rank amateur in this detective work, anyone want to play? Is anyone out there appalled that questionable pharmaceutical peddlers and online gambling hosts would stoop to shoving their unwanted content into a free, educational resource? Would they do this on a web site for blind orphans? refuge relief groups? IS THERE NO SHAME OUT THERE?

blogged October 3, 2004 08:11 AM :: category [ web bad dog ]
Comments About "Spam: The International Game of Intrigue and Mystery"
RSS Feed for comments on this entry
RSS Feed for all CDB comments is a great service and I use it for domain registration. I think it is just a coincidence that your adversary happened to use the service. It is really disingenuous of you to imply that is a service FOR spammers, where it is merely a domain registration service. No domain registrar requires more than a credit card to register a domain.

Commented by: Dave Bauer on October 3, 2004 10:10 AM


Pardon my ignorance, David-- I am kust grasping at domain straws.

But someone at has taken money for the spammers and thus has a connection. Who then is responsible? How do I find them?

Commented by: Alan Levine on October 3, 2004 10:25 AM


I have also used for domain name registration for several years and they seem to be perfectly respectable - certainly not "a spammers best friend". I'd also be a bit more careful about advising people to ban IP addresses unless you're VERY sure that they are the originators of the spam.

Commented by: Martin on October 3, 2004 11:59 AM


Okay, I am WRONG to imply or implicate the domain registrar. I admit it. I am WRONG, WRONG, and apologize to all friends of

But look at my crooked line of reasoning...

(1) Ihave on the hour logs of spam insertion attempts of more than 30 different URLs. Eacth hour the format of the message is the same, the message shuffled slightly. They all come from IPs that can be traced to some nebulous place in southeast Asia.

(2) ALL of the URLs that are trying to be inserted have Whois records where the email contact is a company in Antigua.

(3) When I look up the Whos is record for this company, is listed as the terchnical contact for the domain.

Are they still clean and pure as you all say?

I do not know- I am looking for help in tracing this. I am not an IP detective just someone tired of being victimized by spammers.

As far as proof, the IPs I am trapping are the ones that have issued the http request to our comment form. Do I have to catch them in the act or what?

Commented by: Alan Levine on October 3, 2004 01:47 PM


Gandi as technical contact - I think the domain registrar could be a whois default if other details are not available. In any case how likely is it that Gandi would provide their own contact details to the whois database if they actually were spammers?

IPs issuing http requests - I think it may be possible for people to spoof this or work through relays or something. Not sure. It just again seems unlikely to me that it could be that easy to "name and shame" spammers.

I'm perhaps a bit over sensitive about this sort of thing because a friend of mine's business was very badly affected when spammers started sending out e-mail using her address (which is of course very easy to spoof). Before she knew it, she had been named and shamed, her e-mail was being blocked, and she was generally being presumed guilty with the onus on her to prove her innocence.

Commented by: Martin on October 4, 2004 12:45 AM


Okay Martin,

I am not suggesting Gandi is the spammer, but I think they do business with the people that do or may mave information that may lead to them. It is time for buisnesses to stop hiding behind this shiled of "I am not involved" igorance and DO SOMETHING.

Since I cannot trust any evidence I can find, I should just allow spammers to attach 15 URLs for viagra and top-poker-sites on every MLX package because I cannot provide iron clad proof that these are spams from the IP address reported? Or perhaps we just cave in and just turn off the ability for people to provide feedback?

I am sorry, but I will not cave. If someone contacts me and let's me know that our system is reporting their IP as spam and they are not, I will lift it from our Blacklist....

But caving in to spammers? Fuggggeddaboudddddit.

Commented by: Alan Levine on October 4, 2004 08:15 AM

Spammers Have Force Our Hands...
Note: Those nasty blog-spamming roaches have forced us to take action to prevent their spread- all entries made to this blog will remain open for comments for 30 days after the original posting date. After that, it is old news anyhow, correct?

If you really need to make contact with the chief dog around here, please submit a request via our feedback center