February 28, 2006
Blog spam from Lycos IP
Like most blogs, this one gets a daily dose of comment spam. Usually I just clean up the mess and move along. But today, someone used an IP address registered to Lycos, Inc. to post a cheesy ad for a porn site.
The IP address, 220.127.116.11, is one of a huge swath of addresses owned by the Boston-based online portal.
The computer behind that IP is an open proxy, judging from its listings in several anti-spam blacklists, including the CBL and the DSBL. The IP has also been banned by DNS Stuff. Senderbase lists a hostname of ygo-cf6.bos.lycos.com.
I expect this problem to be corrected swiftly, if it hasn't already been. You may recall that Lycos was the company behind the ill fated Make Love Not Spam campaign.
UPDATE 3/1/06: Got another porn-site comment spam from Lycos today, this one from 18.104.22.168. Checking my logs, I see I also received one over the weekend from 22.214.171.124. Googling these Lycos IPs shows they're being abused by a number of blog spammers and even some email spammers. Seems strange to have to LART a self-proclaimed anti-spammer, but I'll see if it helps.
February 22, 2006
P2P spam scam
Looks like a version of that email scam has appeared on peer-to-peer file-sharing networks. Someone has been spamming Gnutella with junk files promoting a bogus buyers' club site called efreeclub.com.
Since peer-to-peer networks are regarded by many authorities as a land of outlaws, I doubt anyone in law enforcement will care. And that's what makes this p2p promotion of efreeclub.com such a great scam.
As of this writing, over 1,700 people have forked out $19.95 to join efreeclub.com, according to PayPal records. Judging by the numerous online complaints about efreeclub.com and similar predecessor sites, I'd be surprised if anyone received any of the "hundreds of free products" promised by efreeclub.com.
If you use Limewire or Bearshare or a similar program, it's sometimes impossible to avoid efreeclub.com's junk. Somehow the scammers are intercepting audio searches and returning the same 134 kb mp3 file regardless of the user's search terms. The audio is of someone doing a bad imitation of Bill Clinton and encouraging listeners to go to efreeclub.com. There are also Windows Media, image, and exe versions of the same spam.
This scam has been going on at least since 2004, when a similar p2p spam offered a "free iPod" via membership to sites including isaveclub.com, esaveclub.com, edirectclub.com, and Clearoutclub.com.(Click the image above to see one of the junk jpg files for isaveclub.com.) Gnutella spam in general has been around since at least 2000.
Instead of using PayPal or credit cards, most of those alternate sites request bank routing and account information -- perhaps as a way to prevent members from disputing charges.
As one web user so aptly opined: "www.isaveclub.com is an intelligence test, send him money, you flunked it."
Who's behind this scam? Hard to say exactly. No search-engine hits on 416-208-3122, the Toronto phone number in the PayPay record for efreeclub.com. A recorded message says all customer service reps are busy.
But 416-222-3190, the fax number in the site's who-is listing, produced a couple hits, including this one. When I called, a guy named Ashok answered but then hung up on me when I asked about efreeclub.com.
As noted, since this is a scam primarily affecting p2p users, I doubt anyone like Canada's National White Collar Crime Centre will be interested. But maybe they'll surprise us.
February 20, 2006
Inside the creepy Miller Brewing spam probe
Turns out this spooky little spam was the work of Equifax, the big credit reporting agency that shut down its Boca Raton-based spam operation, Naviant, in 2003, due to the impending passage of CAN-SPAM.
But the Miller campaign suggests that Equifax's spamming, and Naviant itself, are alive and well. Customer-contact.net, the domain referenced in the Miller spam, is associated with former Naviant head and longtime ROKSO spammer Scott Hirsch. The IP address hosting the customer-contact.net domain belongs to Naviant.
Thanks to open directories at customer-contact.net, we have a fascinating chronicle of current and historic spam campaigns by Naviant. Here, for example, is the graphic used in the Miller beer campaign.
Naviant also seems to have a similar spam-probe effort underway for an online retailer named White House | Black Market. The messages tell customers the company has opted them in to receive spams. "If you would like to receive updates ... you don't have to do anything."
The Customer-contact.net Optshare directory is also listed in numerous recent spam reports.
February 16, 2006
Asterisk on pop-up mogul's gold
There's already a tarnish on the gold medal won by Australian mogul skier Dale Begg-Smith at the Olympics in Turin this week.
While the 21-year-old Begg-Smith may not have been involved in doping or cheating on the slopes, the way he richly supported himself while training was incredibly unsportsmanlike and probably illegal: Begg-Smith was a key player in a company that infected other peoples' computers with adware a.k.a. spyware.
Canadian-born Begg-Smith reportedly is president of AdsCPM Network (a.k.a. CPM Media Inc.), a firm notorious for using "driveby downloads," security exploits, and other cheap tricks to install spyware (including keyloggers and browser hijackers) on unsuspecting Internet users' computers.
I say the IOC ought to investigate Begg-Smith's business conduct to determine whether it tarnishes the reputation of the Olympic movement.
AdsCPM.com is currently offline, but an archived version of the site says the company served up 20 million pop-ups per day. Other sites hosted at the same IP address indicate the reach of the company's spyware enterprise. They include two sites infamous for distributing spyware ---FREESCRATCHANDWIN.COM and XZOOMY.COM, as well as one selling pop-up blocking software, kill-pop-ups.com.
The Olympic Code of Ethics says participants "must not act in a manner likely to bring the reputation of the Olympic Movement into disrepute." How about blackmailing Internet users by displaying pop-ups advertising spyware removal software?
Begg-Smith's business apparently enabled him to drive a Lamborghini, but it has cost individuals and corporations dearly to clean up the mess created by the spyware.
Other sketchy sites associated with Begg-Smith include newtopsites.com, huntfly.com, and adultexpressview.com.
One of Begg-Smith's most harmless Internet businesses was Thin Air Sports, through which he apparently tried to sell used ski gear, including jackets and other clothing worn during national competitions.
Typical of shady Internet businesses, CPM Media and AdsCPM don't include any detailed company information at their web sites. Their domain registrations generally list a post-office box (PO Box 8978) in Moscow, Idaho. That same box number is given in an Idaho business registration for IZUMISOFT, LLC, which shows programmer JOSHUA ARIIZUMI as its registered agent. I had no success in reaching Ariizumi today.
February 9, 2006
Spammers pioneer 134-bit encryption
When you're out buying erectile dysfunction pills from a spammer's site, it's nice to know your order data is being protected with cutting edge technology. Right now, order forms at all your top spammer sites are secured with 134-bit encryption.
That's right. Spammers have raised the bar in online security, just as online pornographers pioneered streaming video. Today's leading bulk emailers realize that discriminating customers want the comfort that comes from knowing they've got a couple extra bits under their belt.
Now, don't be alarmed when you get to a spammer's order page and you don't see that cute little SSL padlock show up in your browser status line. Thing is, many browser makers, including Microsoft, have not yet upgraded their cipher strength to 134-bit technology. (Even if you're using Internet Explorer 6, you're currently stuck with just 128 bits.)
But if the site displays the "134bit encryption" logo, you can be confident your data is transmitted directly to the bank in a highly secure fashion. (Similarly, if the site displays the Better Business Bureau reliability seal, you know the operators are trustworthy. A Verisign logo should also be reassuring.)
Of course, 134-bit encryption isn't the end of the road. Innovative spammers will continue to push the envelope and embrace new technologies, such as SPF, in their relentless quest to make online shopping safer and more convenient.
Posted by Brian at 9:19 PM
February 2, 2006
Illegal spam from Microsoft
One of Microsoft's IP addresses has landed on the SpamCop blacklist.
It happened today, after junk email touting the MSN Dial-up service apparently leaked out of Microsoft Corporation network space, landing in at least one account belonging to a SpamCop user.
Still, as Microsoft nemesis Robert Soloway painfully learned, advertisers can't legally hide behind "button pushers" like Atlas.
If Microsoft had done its homework, it would have found that Atlas apparently has quite a track record of sending non-compliant spam to spam traps and other accounts operated by anti-spammers.
Soloway went on a tirade last summer, broadcasting emails that descried Microsoft's spamming practices and announcing the formation of a group called Strategic Partnership Against Microsoft Illegal Spam.
This embarassing little MSN spam run follows in the wake of some rather silly media scrutiny of Bill Gates' prediction about the impending death of spam.