Spam Hunter

Viagra, penis enhancements, porn, mortgage rates, and much more are shoved into my inbox every day. I'm not trying to win the spam war. I just like to vent by choosing one email a day, tracing down the jerk who sent it and publishing any antics that ensue.

Thursday, September 09, 2004

First Post

Spam Hunting is a new sport I've decided to engage in. I know of others who do this in one way or another. Some play as dirty as the spammers but since I'm cataloging this I'll obviously stay clean.
My first piece of spam was from a bounce account on my domain. Bounce accounts are accounts friends used to have on my domain and have discontinued. But the spammers don't know that and still send junk their way. There are a lot of cat-and-mouse games with these scum, such as encrypting pages using scripts.
Our first came in a strange letter that just said Hi in the subject.
[note: for obvious reasons I removed the address of the recipient but feel free to spam the spammer :) ]
The actual text of the message is encoded using HTML encoding (&xx;) with random dictionary words peppered in comment tags. It points to a site, http://goedog.com/

So I fire up my trusty Perl debugger from and pull down the page. I would use curl if I had my Linux box up, but I'm at my work laptop so Windows it is.
The result is a single line of JavaScript with an encoded page. It's meant to keep prying eyes away from the inner workings. Pretty lame though. So I paste this into my HTML editor and change a single piece. Instead of document.write now it will use document.alert. So the HTML will not render but show up in a pop-up box.
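The two layers described above can also be peeled off statically, without letting a browser render or run anything. The following is an added example, not code from the original post: the sample strings are constructed, example.test is a placeholder host, and the use of unescape() with %xx encoding in the landing page is an assumption, since the post does not say how the script encoded its payload.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples, not the original spam. example.test is a placeholder.
SAMPLE_BODY = (
    '<!-- walnut --><a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;'
    '&#97;&#109;&#112;&#108;&#101;&#46;&#116;&#101;&#115;&#116;&#47;">'
    'cl<!-- harbor -->ick h<!-- pigeon -->&#101;re</a>'
)
# Assumption: the landing page wraps its markup in unescape("%xx...").
SAMPLE_PAGE = (
    '<script>document.write(unescape('
    '"%3Ca%20href%3D%22http%3A//example.test/next%22%3Ego%3C/a%3E"));</script>'
)

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
WRITE_RE = re.compile(
    r"""document\.write\(\s*unescape\(\s*(["'])(.*?)\1\s*\)\s*\)""", re.DOTALL)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def decode_body(markup):
    """Drop comment padding first (as an HTML parser would), then resolve
    character references such as &#104; or &amp;."""
    return html.unescape(COMMENT_RE.sub("", markup))


def unwrap_document_write(page):
    """Decode every document.write(unescape("...")) argument as data.
    The script is never run. latin-1 matches unescape() for %xx bytes;
    %uXXXX sequences are left as they are."""
    return [unquote(m.group(2), encoding="latin-1")
            for m in WRITE_RE.finditer(page)]


def trace(markup):
    """Return the sorted, de-duplicated URLs found in every decoded layer."""
    layers = [decode_body(markup)]
    layers += unwrap_document_write(layers[0])
    return sorted({u for layer in layers for u in URL_RE.findall(layer)})


if __name__ == "__main__":
    print(decode_body(SAMPLE_BODY))
    for url in trace(SAMPLE_BODY) + trace(SAMPLE_PAGE):
        print("link:", url)
```

Because the payload is treated purely as text, the next hop is recovered without fetching it or executing the page's script.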

The page of course points to yet another site, http://www.blingcash.com/
[urls]
http://www.blingcash.com/exit/ex/
http://www.blingcash.com/hit.php?w=100000&s=8&p=2

Blingcash seems to be nothing more than a porn site; however, once you start playing with the variables, new pages appear.

The title of the page, BlingCash.com ::: Covert Like the Ole' Days!
Ya the good ole days..
Here was something disturbing. It was targeted to people that were part of the reseller (spamming) program. In particular:
"
What happens when your Epoch customer cancels his membership with your paysite? Simply send him one of our new cross sale mailers...a single click later and you've earned $15.

Let us show you how to profit off cancellations!

CLICK HERE to learn more!
"

From there I found a contact page!

US Phone:
(702) 547-0900

Canada Phone:
(416) 691-2812

Marketing Email:
sales@blingcash.com

Support Email:
support@blingcash.com

ICQ Contact :
96944506

OK I'll play. Let's talk to the scum bag and see what he says.





Return-Path:
Delivered-To: john@com
Received: (qmail 22370 invoked from network); 9 Sep 2004 00:42:03 -0000
Received: from unknown (HELO bebe.sylviidae.com) (209.200.9.195)
by 2.69-93-235.reverse.theplanet.com with SMTP; 9 Sep 2004 00:42:03 -0000
Received: from mail pickup service by citysilvia.com with Microsoft SMTPSVC;
Thu, 9 Sep 2004 08:50:47 -0800
Received: from 104.106.80.174 by by7fd.bay7.citysilvia.com with HTTP;
Thu, 9 Sep 2004 08:50:47 GMT
X-Originating-IP: [104.106.80.174]
X-Originating-Email: [Merryxeqh@citysilvia.com]
X-Sender: Merryxeqh@citysilvia.com
From: Merry
To: John
Subject: hi
Date: 9 Sep 2004 08:50:47 -0400
Mime-Version: 1.0
Content-type: text/html
Message-ID:
Return-Path:

1 Comments:

At 11:02 PM, Anonymous Anonymous said...

What a beautiful find. You're very knowledgeable. I'll check in periodically. I was searching for masterlyintl @ hushmail.com I've gotten all kinds of info from SpamHaus and other sources, however, I like your style. :o) I wasn't sure how to sign on so it's anonymous...

Clif

 
