Wednesday, February 16, 2005

Spammer profile

Here's yet another spammer analysis. This one is incomplete but will hopefully help someone else in their searches.

The following URL's show up in unending attempts to post comment spam to the blog:


  • 888.ronnieazza.com

  • buy-phentermine.ronnieazza.com

  • buy-viagra.future-2000.net

  • buy-xanax.ronnieazza.com

  • carisoprodol.future-2000.net

  • cialis.future-2000.net

  • credit-cards.ronnieazza.com

  • didrex.future-2000.net

  • diet-pills.ronnieazza.com

  • free-poker.future-2000.net

  • generic-viagra.ronnieazza.com

  • loans.future-2000.net

  • online-pharmacy.future-2000.net

  • online-poker.future-2000.net

  • party-poker.ronnieazza.com

  • payday-loan.future-2000.net

  • pay-day-loan.ronnieazza.com

  • payday-loans.ronnieazza.com

  • phentermine.future-2000.net

  • poker-games.future-2000.net

  • poker-online.ronnieazza.com

  • poker.ronnieazza.com

  • private-mortgage.future-2000.net

  • prozac.future-2000.net

  • reductil.ronnieazza.com

  • soma.ronnieazza.com

  • student-loans.ronnieazza.com

  • texas-hold-em.future-2000.net

  • texas-holdem.ronnieazza.com

  • tramadol.ronnieazza.com

  • valium.ronnieazza.com

  • viagra.future-2000.net

  • www.future-2000.net

  • www.ronnieazza.com


All of the above translate to IP address 219.150.118.16

A WHOIS lookup of 219.150.118.16 results in:


% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 219.150.112.0 - 219.150.255.255
netname: CHINATELECOM-ha
descr: CHINANET henan province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: HZ149-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINATELECOM-ha
changed: hostmaster@ns.chinanet.cn.net 20030820
status: ALLOCATED NON-PORTABLE
source: APNIC

person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
remarks: hostmaster is not for spam complaint,please
send spam complaint to anti-spam@ns.chinanet.cn.net
source: APNIC

person: Hongbiao Zhang
nic-hdl: HZ149-AP
e-mail: ip@hntele.com
address: 97# Zhongyuan Street, Zhengzhou,Chinese
phone: +86-371-5310007
fax-no: +86-371-5310044
country: CN
changed: zhb@hntele.com 20030813
mnt-by: MAINT-CHINATELECOM-HA
source: APNIC

A WHOIS lookup of future-2000.net results in:


Domain Name: FUTURE-2000.NET

Registrant:
Jim Fox
122 W 90 Street
NYC
NY
US
10024

Administrative Contact:
Leonel, Morgan (NIC-21487) mail29@support-2000.net
Morgan Leonel
Horseshoe Trail
65
Tabor
Alaska, US
90471
Phone: 9454141824

Billing Contact:
Leonel, Morgan (NIC-21487) mail29@support-2000.net
Morgan Leonel
Horseshoe Trail
65
Tabor
Alaska, US
90471
Phone: 9454141824

Technical Contact:
Leonel, Morgan (NIC-21487) mail29@support-2000.net
Morgan Leonel
Horseshoe Trail
65
Tabor
Alaska, US
90471
Phone: 9454141824

Domain servers in listed order:

NS0.DNS2005.NET
NS1.DNS2005.NET

Record created on 2001-12-23 12:42:00.0
Database last updated on 2005-02-10 12:30:04.967
Domain Expires on 2007-12-23 12:42:00.0

A WHOIS lookup of ronnieazza.com results in:


Domain Name: RONNIEAZZA.COM
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois.html
Name Server: NS0.MANAGE-DNS.NET
Name Server: NS1.MANAGE-DNS.NET
Status: REGISTRAR-LOCK
Updated Date: 05-feb-2005
Creation Date: 24-mar-2002
Expiration Date: 24-mar-2007


Registrant:
Susan Lee
112 W 77 Street
NYC
NY
US
10020

Administrative Contact:
Evelin, Porter (NIC-14080) contact56@support-24x7.biz
Porter Evelin
Woodmere Ct
56
Saint Ansgar
Kansas, US
46318
Phone: 8183780401

Billing Contact:
Erika, Alicia (NIC-14090) contact66@support-24x7.biz
Alicia Erika
Devon State Rd
66
Sanborn
Montana, US
43848
Phone: 8193680401

Technical Contact:
Evelin, Porter (NIC-14080) contact56@support-24x7.biz
Porter Evelin
Woodmere Ct
56
Saint Ansgar
Kansas, US
46318
Phone: 8183780401

Domain servers in listed order:

NS0.MANAGE-DNS.NET
NS1.MANAGE-DNS.NET

Record created on 2002-03-24 09:04:00.0
Database last updated on 2005-02-05 01:56:13.25
Domain Expires on 2007-03-24 09:04:00.0

As both registrants are in the middle of Manhattan Island at addresses that do not correspond to any mailing address known to Google or Yahoo, I'm willing to bet that they're fake. Let's take a look at the mailing addresses for the technical and administrative contacts.

A WHOIS lookup for support-2000.net returns:


domain: SUPPORT-2000.NET
owner-address: Chen
owner-address: 282 Shibuya-ku
owner-address: 100-0005
owner-address: Tokyo
owner-address: Japan
admin-c: CY187-GANDI
tech-c: AR41-GANDI
bill-c: CY187-GANDI
nserver: full1.gandi.net 217.70.177.42
nserver: full2.gandi.net 217.70.179.34
reg_created: 2004-12-08 04:30:26
expires: 2005-12-08 04:30:26
created: 2004-12-08 10:30:27
changed: 2004-12-08 10:30:27

person: Chen Young
nic-hdl: CY187-GANDI
address: 282 Shibuya-ku
address: 100-0005
address: Tokyo
address: Japan
phone: +81.332146532
e-mail: contact@support-2000.net
lastupdated: 2004-12-08 10:34:09

person: GANDI Auto Register 4.1
nic-hdl: AR41-GANDI
address: GANDI
address: 38 rue Notre-Dame de Nazareth
address: F-75003
address: Paris
address: France
phone: N/A
e-mail: support@gandi.net

Ah, it's that nice Registrar in France: Gandi. How about the other? A WHOIS lookup for support-24x7.biz returns:


support-24x7.biz = [ 217.70.180.17 ]
Domain Name: SUPPORT-24X7.BIZ
Domain ID: D7437648-BIZ
Sponsoring Registrar: GANDI SARL
Sponsoring Registrar IANA ID: 81
Domain Status: ok
Registrant ID: O-854424-GANDI
Registrant Name: Ron Miles
Registrant Organization: Phentermine Deals
Registrant Address1: P.O.box 710
Registrant City: St John's English Harbour
Registrant Postal Code: 2003
Registrant Country: Antigua and Barbuda
Registrant Country Code: AG
Registrant Phone Number: 268.4606129
Registrant Email:
99f8210a45bbd8f39062cf022ba867b7-856213@owner.gandi.net

Administrative Contact ID: RM957-GANDI
Administrative Contact Name: Ron Miles
Administrative Contact Organization: Phentermine Deals
Administrative Contact Address1: P.O.box 713
Administrative Contact City: St John's English Harbour
Administrative Contact Postal Code: 2003
Administrative Contact Country: Antigua and Barbuda
Administrative Contact Country Code: AG
Administrative Contact Phone Number: 268.4606129
Administrative Contact Email:
dea8e5907adc69b07c4df20c207e1894-rm957@contact.gandi.net

Billing Contact ID: AR41-GANDI
Billing Contact Name: CONTACT NOT AUTHORITATIVE see
http://www.gandi.net/whois
Billing Contact Organization: Gandi SARL
Billing Contact Address1: 38 rue Notre-Dame de Nazareth
Billing Contact City: Paris
Billing Contact Postal Code: 75003
Billing Contact Country: France
Billing Contact Country Code: FR
Billing Contact Email: support@gandi.net

Technical Contact ID: AR41-GANDI
Technical Contact Name: CONTACT NOT AUTHORITATIVE see
http://www.gandi.net/whois
Technical Contact Organization: Gandi SARL
Technical Contact Address1: 38 rue Notre-Dame de Nazareth
Technical Contact City: Paris
Technical Contact Postal Code: 75003
Technical Contact Country: France
Technical Contact Country Code: FR
Technical Contact Email: support@gandi.net

Name Server: FULL1.GANDI.NET
Name Server: FULL2.GANDI.NET
Created by Registrar: GANDI SARL
Last Updated by Registrar: GANDI SARL
Domain Registration Date: Tue Jul 27 06: 48: 49 GMT 2004
Domain Expiration Date: Tue Jul 26 23: 59: 59 GMT 2005
Domain Last Updated Date: Thu Aug 26 15: 05: 55 GMT 2004
>>> Whois database was last updated on: Sat Feb 12 23: 43: 13 GMT 2005 <<<
NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE
OF THE AVAILABILITY OF A DOMAIN NAME.

Yep, the nice Registrar again. Let's look at mail servers...

The mail server for future-2000.net is:


Non-authoritative answer:
*** Can't find future-2000.net: No answer

Authoritative answers can be found from:
future-2000.net
origin = ns0.future-2000.net
mail addr = hostmaster.future-2000.net
serial = 200308131
refresh = 1800
retry = 900
expire = 604810
minimum = 1200

Hmm... Doesn't exist. If we ask ns0.future-2000.net we get:


Server: ns0.future-2000.net
Address: 219.150.118.16

Authoritative answers can be found from:
(root) nameserver = F.ROOT-SERVERS.net
(root) nameserver = G.ROOT-SERVERS.net
(root) nameserver = H.ROOT-SERVERS.net
(root) nameserver = I.ROOT-SERVERS.net
(root) nameserver = J.ROOT-SERVERS.net
(root) nameserver = K.ROOT-SERVERS.net
(root) nameserver = L.ROOT-SERVERS.net
(root) nameserver = M.ROOT-SERVERS.net
(root) nameserver = A.ROOT-SERVERS.net
(root) nameserver = B.ROOT-SERVERS.net
(root) nameserver = C.ROOT-SERVERS.net
(root) nameserver = D.ROOT-SERVERS.net
(root) nameserver = E.ROOT-SERVERS.net

So it doesn't exist. An "A" query for future-2000.net (just in case it's an explicit name rather than a MX) yields the similar results. Actually, any query to ns0.future-2000.net returns only pointers to the root servers. This might be valuable later in complaining about the domain.

Also, please note that the root servers indicate that the domain is served by ns0.future-2000.net and that it is at 219.150.118.16. This most definitely is valuable when we look at server headers below.

The mail server for support-24x7.biz is:


Server: full1.gandi.net
Address: 217.70.177.42

support-24x7.biz preference = 10, mail exchanger =
redir-mailav-telehouse1.gandi.net
support-24x7.biz preference = 10, mail exchanger =
redir-mailav-telehouse2.gandi.net
support-24x7.biz nameserver = full1.gandi.net
support-24x7.biz nameserver = full2.gandi.net

Let's see if we can grab web server headers:


> wget -S http://www.support-24x7.biz
--19:05:00-- http://www.support-24x7.biz/
=> `index.html.7'
Resolving www.support-24x7.biz... done.
Connecting to www.support-24x7.biz[217.70.180.17]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 302 Found
2 Date: Sun, 13 Feb 2005 00:05:03 GMT
3 Server: Apache/1.3.28 (Unix)
4 Location: http://redir-error.gandi.net
5 Connection: close
6 Content-Type: text/html; charset=iso-8859-1
Location: http://redir-error.gandi.net [following]
--19:05:03-- http://redir-error.gandi.net/
=> `index.html.7'
Resolving redir-error.gandi.net... done.
Connecting to redir-error.gandi.net[217.70.178.17]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Sun, 13 Feb 2005 00:05:03 GMT
3 Server: Apache/1.3.23 (Unix) Debian GNU/Linux
4 Last-Modified: Thu, 23 Dec 2004 15:30:56 GMT
5 ETag: "2fe87-275-41cae4b0"
6 Accept-Ranges: bytes
7 Content-Length: 629
8 Connection: close
9 Content-Type: text/html; charset=iso-8859-1

100%[====================================>] 629 614.26K/s ETA 00:00

19:05:03 (614.26 KB/s) - `index.html.7' saved [629/629]

This could be the standard redir that some of the registrar's have started doing. (Yeah, even Network Solutions uses this unethical practice.)


> wget -S http://www.future-2000.net
--19:14:15-- http://www.future-2000.net/
=> `index.html.9'
Resolving www.future-2000.net... done.
Connecting to www.future-2000.net[219.150.118.16]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Sun, 13 Feb 2005 13:17:15 GMT
3 Server: Apache
4 Accept-Ranges: bytes
5 X-Powered-By: PHP/4.2.2
6 Content-Length: 2121
7 Connection: close
8 Content-Type: text/html; charset=UTF-8

100%[====================================>] 2,121 4.86K/s ETA 00:00

19:14:17 (4.86 KB/s) - `index.html.9' saved [2121/2121]

Ah! Not a redirect! Grabbing www.future-2000.net returns a page that looks like:



This former info is currently under investigation - Due to mis-proper use of the hosting account








Service Unavailable!




















Take a step to eliminate service agreement breaches. Please
fill the form so we can take action.
Issue:
Your site/URL:
Additional Information:
Verification Code:
  






The publisher of this web site expressly denies liability and undertakes no responsibility for the reliance on information or services found herein. We and/or our respective suppliers may make improvements and/or changes in the sites/services at any time. This website is for your personal and non-commercial use.







In the above, I disabled the following two lines:


<form name=frm method='post' action='
http://64.234.220.141/submitAbuse.php' onsubmit='return checkSubmit()'>


  

Somehow, I'm still not convinced. Let's take a look at that IP address. A reverse lookup of 64.234.220.141 returns:


Name: shetef.com
Address: 64.234.220.141

A Google lookup on "shetef.com" leads to a slew of bloggers who've gotten this far and have complained about a spammer and are looking for someone to pound.

A WHOIS lookup on the 64.234.220.141 returns:


OrgName: WebStream, Inc.
OrgID: WEBSTR
Address: 2200 West Commercial Blvd
Address: Suite 204
City: Fort Lauderdale
StateProv: FL
PostalCode: 33309
Country: US

NetRange: 64.234.192.0 - 64.234.223.255
CIDR: 64.234.192.0/19
NetName: WEBSTREAM-1
NetHandle: NET-64-234-192-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: WEB.WEBSTREAM.NET
NameServer: WW2.WEBSTREAM.NET
Comment:
RegDate: 2002-09-09
Updated: 2003-10-10

OrgAbuseHandle: ABUSE39-ARIN
OrgAbuseName: Abuse Investigations
OrgAbusePhone: +1-954-730-7405
OrgAbuseEmail: abuse@webstream.net

OrgTechHandle: HOSTM11-ARIN
OrgTechName: Hostmaster
OrgTechPhone: +1-954-730-7405
OrgTechEmail: hostmaster@webstream.net

# ARIN WHOIS database, last updated 2005-02-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Just to play it safe, let's look at WebStream also. A WHOIS returns:


Registrant:
WebStream, Inc.
2200 W Commercial Blvd
Suite 204
Fort Lauderdale, FL 33309
US

Domain name: WEBSTREAM.NET

Administrative Contact:
Master, Host hostmaster@WEBSTREAM.NET
2200 W Commercial Blvd
Suite 204
Fort Lauderdale, FL 33309
US
954-730-7405 Fax: 954-733-7067

Technical Contact:
Master, Host hostmaster@WEBSTREAM.NET
2200 W Commercial Blvd
Suite 204
Fort Lauderdale, FL 33309
US
954-730-7405 Fax: 954-733-7067



Registration Service Provider:
Webstream, Inc.
954-730-7405
954-733-7067 (fax)
http://www.webstream.net



Registrar of Record: TUCOWS, INC.
Record last updated on 03-Feb-2004.
Record expires on 26-Jun-2005.
Record created on 27-Jun-1997.

Domain servers in listed order:
WEB.WEBSTREAM.NET 64.234.192.5
WW2.WEBSTREAM.NET 64.234.192.6
NS2.WEBSTREAM.NET 64.234.192.6
NS1.WEBSTREAM.NET 64.234.192.5

A DNS MX lookup on shetef.com returns:


Non-authoritative answer:
shetef.com preference = 10, mail exchanger = mail.shetef.com

Authoritative answers can be found from:
shetef.com nameserver = ns2.dnsmadeeasy.com
shetef.com nameserver = ns3.dnsmadeeasy.com
shetef.com nameserver = ns4.dnsmadeeasy.com
shetef.com nameserver = ns0.dnsmadeeasy.com
shetef.com nameserver = ns1.dnsmadeeasy.com
mail.shetef.com internet address = 67.18.52.66
ns2.dnsmadeeasy.com internet address = 66.117.40.198
ns3.dnsmadeeasy.com internet address = 64.246.42.123
ns4.dnsmadeeasy.com internet address = 205.177.124.51
ns0.dnsmadeeasy.com internet address = 63.219.151.3
ns1.dnsmadeeasy.com internet address = 69.10.137.166

The mail server for shetef.com is in yet another IP range? A WHOIS lookup on 67.18.52.66 returns:


OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 67.18.0.0 - 67.19.255.255
CIDR: 67.18.0.0/15
NetName: NETBLK-THEPLANET-BLK-11
NetHandle: NET-67-18-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2004-03-15
Updated: 2004-07-29

TechHandle: PP46-ARIN
TechName: Pathos, Peter
TechPhone: +1-214-782-7800
TechEmail: abuse@theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: TECHN33-ARIN
OrgNOCName: Technical Support
OrgNOCPhone: +1-214-782-7800
OrgNOCEmail: admins@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins@theplanet.com

# ARIN WHOIS database, last updated 2005-02-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

A DNS reverse lookup on 67.18.52.66 returns:


Name: escape.websitewelcome.com
Address: 67.18.52.66

Remember the WHOIS lookup for future-2000.net? It had the following DNS servers:


NS0.DNS2005.NET
NS1.DNS2005.NET

A WHOIS lookup on dns2005.net returns:


domain: DNS2005.NET
owner-address: Phentermine Deals
owner-address: P.O.box 710
owner-address: 2003
owner-address: St John's, English Harbour
owner-address: Antigua and Barbuda
admin-c: RM957-GANDI
tech-c: AR41-GANDI
bill-c: RM957-GANDI
nserver: ns0.dns2005.net 64.234.220.141
nserver: ns1.dns2005.net 64.234.220.141
reg_created: 2004-10-12 10:20:26
expires: 2005-10-12 10:20:26
created: 2004-10-12 16:20:24
changed: 2004-10-12 16:42:24

person: Ron Miles
nic-hdl: RM957-GANDI
address: Phentermine Deals
address: P.O.box 713
address: 2003
address: St John's, English Harbour
address: Antigua and Barbuda
phone: +268.4606129
e-mail: dea8e5907adc69b07c4df20c207e1894-rm957@contact.gandi.net
lastupdated: 2004-11-29 01:08:27

person: GANDI Auto Register 4.1
nic-hdl: AR41-GANDI
address: GANDI
address: 38 rue Notre-Dame de Nazareth
address: F-75003
address: Paris
address: France
phone: N/A
e-mail: support@gandi.net

Again, Gandi.net. Also note the IP addresses for the DNS servers: 64.234.220.141. We've seen that one. It's our friend shetef.com again!

How about the DNS servers for ronnieazza.com? A WHOIS lookup on manage-dns.net returns:


domain: MANAGE-DNS.NET
owner-address: Betina
owner-address: Alameda Santos, 2233
owner-address: 4461
owner-address: Sao Paulo
owner-address: Brazil
admin-c: BR701-GANDI
tech-c: AR41-GANDI
bill-c: BR701-GANDI
nserver: ns0.manage-dns.net 64.234.220.141
nserver: ns1.manage-dns.net 64.234.220.141
reg_created: 2004-11-10 13:29:50
expires: 2005-11-10 13:29:50
created: 2004-11-10 19:29:51
changed: 2004-11-10 19:42:10

person: Betina Raul
nic-hdl: BR701-GANDI
address: Alameda Santos, 2263
address: 4461
address: Sao Paulo
address: Brazil
phone: +55.1130692263
e-mail: contact@top-support.net
lastupdated: 2005-02-03 14:10:46

person: GANDI Auto Register 4.1
nic-hdl: AR41-GANDI
address: GANDI
address: 38 rue Notre-Dame de Nazareth
address: F-75003
address: Paris
address: France
phone: N/A
e-mail: support@gandi.net

Again, the Gandi registrar and the shetef.com DNS server. How about MX records for those two?

A DNS MX lookup on dns2005.net returns:


Authoritative answers can be found from:
dns2005.net
origin = ns0.dns2005.net
mail addr = hostmaster.dns2005.net
serial = 200308131
refresh = 1800 (30M)
retry = 900 (15M)
expire = 604810 (1w10s)
minimum ttl = 1200 (20M)

A familiar failure. A DNS MX lookup on manage-dns.net returns:


** server can't find manage-dns.net: SERVFAIL

So MX records for manage-dns.net aren't configured. Remember that the WHOIS lookup for manage-dns.net points back to 64.234.220.141. Let's take a closer look at that IP. Remember the reverse lookup on 64.234.220.141 returned:


Name: shetef.com
Address: 64.234.220.141

and that the MX record for shetef.com returned:


Non-authoritative answer:
shetef.com preference = 10, mail exchanger = mail.shetef.com

Authoritative answers can be found from:
shetef.com nameserver = ns2.dnsmadeeasy.com
shetef.com nameserver = ns3.dnsmadeeasy.com
shetef.com nameserver = ns4.dnsmadeeasy.com
shetef.com nameserver = ns0.dnsmadeeasy.com
shetef.com nameserver = ns1.dnsmadeeasy.com
mail.shetef.com internet address = 67.18.52.66
ns2.dnsmadeeasy.com internet address = 66.117.40.198
ns3.dnsmadeeasy.com internet address = 64.246.42.123
ns4.dnsmadeeasy.com internet address = 205.177.124.51
ns0.dnsmadeeasy.com internet address = 63.219.151.3
ns1.dnsmadeeasy.com internet address = 69.10.137.166

Connecting to port 25 on the mail server returns:


> telnet 67.18.52.66 25
Trying 67.18.52.66...
Connected to escape.websitewelcome.com.
Escape character is '^]'.
220-escape.websitewelcome.com ESMTP Exim 4.44 #1 Sat, 12 Feb 2005 20:00:14 -0600
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
quit
221 escape.websitewelcome.com closing connection
Connection closed by foreign host.

Pointing a browser at http://shetef.com () indicates that shetef.com is an Israeli software seller with the following info:


A fax number of +972-8-9389070
A business number of +972-8-930-0519
A mailing address of:
Shetef Solutions & Consulting Ltd.
P.O. Box 637
Ness-Ziona 704000
ISRAEL

Grabbing the server headers for shetef.com returns:


> wget -S http://shetef.com
--21:08:31-- http://shetef.com/
=> `index.html.11'
Resolving shetef.com... done.
Connecting to shetef.com[67.18.52.66]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Sun, 13 Feb 2005 02:08:35 GMT
3 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_auth_passthrough/1.8
mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_ssl/2.8.22 OpenSSL/0.9.7a
4 Last-Modified: Fri, 06 Aug 2004 17:08:39 GMT
5 ETag: "db843b-75f-4113bb17"
6 Accept-Ranges: bytes
7 Content-Length: 1887
8 Keep-Alive: timeout=15
9 Connection: Keep-Alive
10 Content-Type: text/html

100%[====================================>] 1,887 263.25K/s ETA 00:00

21:08:31 (263.25 KB/s) - `index.html.11' saved [1887/1887]

The domain websitewelcome.com is registered via Enom, Inc. who does not give out their customer's domain info.

Grabbing the web server headers for http://escape.webserverwelcome.com returns:


> wget -S http://escape.websitewelcome.com
--21:17:48-- http://escape.websitewelcome.com/
=> `index.html.12'
Resolving escape.websitewelcome.com... done.
Connecting to escape.websitewelcome.com[67.18.52.66]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Sun, 13 Feb 2005 02:17:52 GMT
3 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_auth_passthrough/1.8
mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_ssl/2.8.22 OpenSSL/0.9.7a
4 Last-Modified: Mon, 17 May 2004 00:18:11 GMT
5 ETag: "1fe5b-b9d-40a804c3"
6 Accept-Ranges: bytes
7 Content-Length: 2973
8 Keep-Alive: timeout=15
9 Connection: Keep-Alive
10 Content-Type: text/html

100%[====================================>] 2,973 31.90K/s ETA 00:00

21:17:48 (31.90 KB/s) - `index.html.12' saved [2973/2973]

Pointing a browser at http://escape.websitewelcom.com brings up the standard cPanel default page. So does pointing the browser at the IP address.

Performing a Google lookup on websitewelcome.com reveals that that domain appears to be a reseller client of hostgator.com. Suspiciously, it appears to be their only reseller client. One of HostGator's features is that reseller clients are allowed to host unlimited sites.

Pointing a browser at http://www.websitewelcome.com returns a directory listing.

Going back to shetef.com, a Google search reveals that CodyTheFreak is quite unhappy with shetef.com. He also points out a few extra domains. It appears that CodyTheFreak and I are the only ones that have traced the spammer back that far and have complained about it. All other Google entries appear to be spam for the shareware/software available on shetef's site.

I've probably missed a bunch of stuff associated with this spammer, but as I've spent the better part of a Saturday afternoon working on this, I'm going to drop it here.