Sunday, August 22, 2004

Profile of a referer spammer

I just love it when the spammers make it easy for me. (Warning: adult
content in the last line.)

My complaint centers around referer spam
rather than e-mail spam. Because my site lists recent referers, I've
come under "attack" from a specific IP address: 63.227.76.25. That IP
address has spammed my site with links to:


www.usa-dui-research.com
www.global-medical-research.com
www.global-home-improvement.com
www.wi-fi-bandwidth.com
www.php-monster.com
www.global-cancer-research.com

A DNS lookup of each of those web sites returns the IP address
69.72.141.154. "wget -S 69.72.141.154" reveals that it is running
Apache 1.3.31. A WHOIS lookup of the web server IP address shows that
the web server is in Parsippany, NJ. A WHOIS lookup of all of these
sites shows they are registered to Oi, Inc., via the Go-Daddy registrar.
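The two checks described above (one client address presenting a whole run of different referer hosts, and those hosts all resolving to one server) are easy to automate over an access log. The following is an added example, not code from the original post: it parses Apache combined-format log lines, flags client IPs that present at least three distinct referer hosts, and groups referer hosts by the address they resolve to. The log lines, the host names and the resolver table are constructed for the example; in live use the stub resolver would be replaced by socket.gethostbyname.

```python
import re
from collections import defaultdict

# Apache/NCSA combined log format:
#   client - user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one client cycling through four referer hosts,
# two ordinary visitors. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Aug/2004:16:01:02 -0400] "GET / HTTP/1.1" 200 5120 "http://www.spam-one.example/" "Mozilla/4.0"',
    '203.0.113.7 - - [21/Aug/2004:16:01:09 -0400] "GET / HTTP/1.1" 200 5120 "http://www.spam-two.example/" "Mozilla/4.0"',
    '203.0.113.7 - - [21/Aug/2004:16:01:15 -0400] "GET / HTTP/1.1" 200 5120 "http://www.spam-three.example/" "Mozilla/4.0"',
    '203.0.113.7 - - [21/Aug/2004:16:01:21 -0400] "GET /about.html HTTP/1.1" 200 2048 "http://www.spam-four.example/index.php" "Mozilla/4.0"',
    '198.51.100.9 - - [21/Aug/2004:16:05:00 -0400] "GET / HTTP/1.1" 200 5120 "http://blog.friend.example/links" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Aug/2004:16:05:30 -0400] "GET /post.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [21/Aug/2004:16:07:11 -0400] "GET / HTTP/1.1" 200 5120 "http://search.engine.example/q?x=1" "Mozilla/5.0"',
]

# Constructed resolver table standing in for DNS (hypothetical names/addresses).
FAKE_DNS = {
    "www.spam-one.example": "192.0.2.200",
    "www.spam-two.example": "192.0.2.200",
    "www.spam-three.example": "192.0.2.200",
    "www.spam-four.example": "192.0.2.200",
    "blog.friend.example": "198.51.100.30",
}


def fake_resolve(host):
    """Offline stand-in for socket.gethostbyname; raises OSError like gaierror does."""
    if host not in FAKE_DNS:
        raise OSError("name not found: " + host)
    return FAKE_DNS[host]


def referer_host(referer):
    """Lowercase host part of a Referer URL, or None for '-', empty or unparsable."""
    if not referer or referer == "-":
        return None
    m = re.match(r'^[a-zA-Z][a-zA-Z0-9+.-]*://([^/:?#]+)', referer)
    return m.group(1).lower() if m else None


def parse_log(lines):
    """Yield (client_ip, referer_host) for each line that matches the combined format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ip"), referer_host(m.group("referer"))


def suspicious_clients(lines, min_distinct_hosts=3):
    """Client IP -> sorted distinct referer hosts, for clients that presented at
    least min_distinct_hosts different hosts. A genuine visitor arrives from one
    or two sites; a referer spammer on a single address cycles through many."""
    hosts_by_ip = defaultdict(set)
    for ip, host in parse_log(lines):
        if host:
            hosts_by_ip[ip].add(host)
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_distinct_hosts}


def cluster_by_address(hosts, resolve=fake_resolve):
    """Group hosts by the address resolve(host) returns (None when unresolvable).
    Hosts sharing one address are probably one operator's sites."""
    clusters = defaultdict(list)
    for host in hosts:
        try:
            addr = resolve(host)
        except OSError:
            addr = None
        clusters[addr].append(host)
    return {addr: sorted(h) for addr, h in clusters.items()}


if __name__ == "__main__":
    flagged = suspicious_clients(SAMPLE_LOG)
    for ip, hosts in flagged.items():
        print(ip, "presented", len(hosts), "referer hosts")
        for addr, same in cluster_by_address(hosts).items():
            print("  ", addr, "<-", ", ".join(same))
```

The referer host is cut off at the first "/", ":", "?" or "#", so a path-heavy spam URL still groups under its host; a referer of "-" (none sent) is ignored rather than counted. The threshold of three distinct hosts is a starting point to tune against your own traffic, and a blocklist built from the flagged hosts (or the address they share) is the natural next step for a site that publishes its recent referers.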

Opinion: As each of these sites has the same bland front-end
with no links (other than Google Ads), I believe that this may be an
attempt to defraud Google's AdSense program. (I will send a copy of
this post to Google.)

A WHOIS lookup of any of the domains returns the
same corporate info:


Registrant:
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States

Registered through: GoDaddy.com
Domain Name: GLOBAL-CANCER-RESEARCH.COM
Created on: 29-Jul-04
Expires on: 29-Jul-05
Last Updated on: 04-Aug-04

Administrative Contact:
Domains, Admin open_view@yahoo.com
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States
6153610280 Fax --

Technical Contact:
Domains, Admin open_view@yahoo.com
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States
6153610280 Fax --

Domain servers in listed order:
NS1.OPENVIEWINC.COM
NS2.OPENVIEWINC.COM

A short Google search on the postal address brings back

http://www.openviewinc.com/contact.html

which shows the corporate info as:

O P E N V I E W INTERNATIONAL, INC.

TEL: 615.360.1010 FAX: 615.361.0280

E-MAIL: info@openviewinc.com

MAIL DELIVERY:
DOWNTOWN
P.O.BOX 22036
NASHVILLE, TN 37202
USA

According to the above, anyone calling the phone number used to
register the domains will get an earful of carrier tone from the
company fax machine. However, a Google lookup on (615) 360-1010
returns "Jeremy Jackson - (615) 360-1010 - 1306 Massman Dr,
Nashville, TN 37217".

A DNS lookup of the name server for each of
these sites reveals the DNS servers ns1.openviewinc.com and
ns2.openviewinc.com. The IP address for ns1.openviewinc.com is
69.72.141.153. The IP address for ns2.openviewinc.com is 69.72.141.154.

Note that the www.openviewinc.com website and the mail server for the
openviewinc.com domain are also at 69.72.141.153. Telnetting to port 25 at
that IP address returns:


Trying 69.72.141.153...
Connected to 69.72.141.153.
Escape character is '^]'.
220-ottawa.nshoster.com ESMTP Exim 4.34 #1 Sat, 21 Aug 2004 16:37:46-0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
quit
221 ottawa.nshoster.com closing connection
Connection closed by foreign host.

No spam allowed. That's almost funny.

An interesting bit of information is revealed by performing a WHOIS
lookup on those IP addresses. It seems both of them are part of a
network owned by Care Initiatives, Iowa's (according to CI's website)
largest senior care provider.

Remember the site sending the referer spam is 63.227.76.25?
A WHOIS lookup shows that it too belongs to Care Initiatives in West Des
Moines.

Getting back to Mr. Jackson. A Yahoo search for "jeremy
jackson nashville" returns a link
(http://www.bizwiz.com/ezcommerce/openviewtrading.htm) for Open View
Trading with the following contact information:


Contact:

Jeremy Jackson
Owner
Open View Trading
P.O.Box 22036
Nashville, TN 37202
U.S.A.
Tel: 615/360-1010 Fax: 615/360-1133

Hey, that's the same phone number but it's a different fax
number. Same P.O. Box too.

Further Google and Yahoo searches for "jeremy jackson" and "openview"
or "nashville" reveal that he has a healthy gaming habit (FPSs) too.

So, to sum it all up, we have a gamer in Nashville, running what might
be a shady online business which isn't registered anywhere (possibly
Canada?), uses a web site in New Jersey which is registered via a Yahoo
e-mail address through a registrar that is reluctant to provide
information (GoDaddy), has another e-mail account and DNS server at a
non-profit senior care facility in Iowa whose SMTP banner prohibits
spam, uses his home phone for his business(es), and likes to referer
spam my site.

Hope the rest
of you enjoyed this at least as much as I did.

Jeremy, cut it the
F**K out.
