Spam Hunter

Viagra, penis enhancements, porn, mortgage rates, and much more are shoved into my inbox every day. I'm not trying to win the spam war. I just like to vent by choosing one email a day, tracking down the jerk who sent it and publishing any antics that ensue.

Saturday, September 11, 2004

Self Milking Girls

Return-Path:
Delivered-To: john@
Received: (qmail 8544 invoked from network); 11 Sep 2004 03:15:12 -0000
Received: from unknown (HELO pD958B23B.dip.t-dialin.net) (217.88.178.59)
    by 2.69-93-235.reverse.theplanet.com with SMTP; 11 Sep 2004 03:15:12 -0000
Received: from starmedia.com (mx1.latinmail.com [62.37.236.140])
    by pD958B23B.dip.t-dialin.net (Postfix) with ESMTP id 6E2B185318
    for ; Fri, 10 Sep 2004 20:15:12 -0700
Message-ID: <000001c497ad$83f4dc23$310f11c9@starmedia.com>
From: "Jas R. Chrian"
To: John
Subject: Self milking girls
Date: Fri, 10 Sep 2004 20:15:12 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0024_55E89199.1ABD4F86"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.4682
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
X-Virus-Scanned: by AMaViS perl-11 mion


There is no shortage of spammers to go after. I haven't even deployed my troll addresses yet, but that will be covered in another post. This one uses the same targeting technique of hashes, but this time they're embedded in the server name itself.
Again, the actual hashes have been modified, but the number of characters is preserved:
http://Hereford.45839583945867393045.handicaps.hdhda.com/rd/eESw8odWRZ/mekl43WEBDeiw.htm
I'll have to modify my falsePozi.pl script later to work for this scumbag.
Hrm, this one is a little trickier, and I received a 404. Must be something in the hashes that I messed up.
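The length-preserving masking described above, as an added example (not the author's falsePozi.pl, which the page does not show): it zeroes all-digit hostname labels and x-masks long alphanumeric path segments, so a spam URL can be quoted in an abuse report without exposing the recipient's token. The function names and matching thresholds are assumptions drawn from the URLs quoted on this page.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed heuristics, tuned to the URLs quoted on this page:
HOST_TOKEN = re.compile(r"^\d{12,}$")  # all-digit hostname label, 12+ digits
PATH_TOKEN = re.compile(r"^(?=[A-Za-z0-9]*\d)[A-Za-z0-9]{8,}$")  # 8+ alnum, has a digit
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _mask_segment(segment: str) -> str:
    """Mask a path segment's stem with 'x', keeping any file extension."""
    stem, dot, ext = segment.partition(".")
    if PATH_TOKEN.match(stem):
        return "x" * len(stem) + dot + ext
    return segment


def redact_tracking_url(url: str) -> str:
    """Return url with per-recipient tokens masked and every length preserved."""
    parts = urlsplit(url)
    # Work on netloc rather than .hostname, which would lowercase the labels.
    labels = [
        "0" * len(label) if HOST_TOKEN.match(label) else label
        for label in parts.netloc.split(".")
    ]
    segments = [_mask_segment(s) for s in parts.path.split("/")]
    return urlunsplit(
        (parts.scheme, ".".join(labels), "/".join(segments),
         parts.query, parts.fragment)
    )


def redact_message(body: str) -> str:
    """Mask the tokens in every http(s) URL found in a message body."""
    return URL_RE.sub(lambda m: redact_tracking_url(m.group(0)), body)


# Constructed message body; the URL is one already published on this page.
SAMPLE_BODY = (
    "Click here:\n"
    "http://unevaluated.530896695780071931.poodle.hdhda.com"
    "/rd/UrHaeRXA4a/yY389QLQcc5AbG1.HTML\n"
)

if __name__ == "__main__":
    print(redact_message(SAMPLE_BODY))
```

The random-word labels around the digit run are left alone, as they are in the URLs above; the query string is passed through unchanged.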

OK, let's work backwards here. inurl:hdhda.com didn't find anything on Google, but the whois revealed this:

Registrant:
Masterly Intl S.A.
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279


Domain Name: HDHDA.COM

Administrative Contact:
Admin, Domain masterlyintl@hushmail.com
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279


Technical Contact:
Admin, Domain masterlyintl@hushmail.com
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279


Record expires on 09-02-2005
Record created on 09-02-2004

Domain servers in listed order:
NS0.CLEANWEBFILES.COM 64.38.198.11
NS1.CLEANWEBFILES.COM 64.38.198.13

There was another URL in the email, so let's try to work with that one:
http://exclamation.00000000000000000000.spotty.hdhda.com/rd/xxxxxxxxxx/xxxxxxxxxxxxxxxx.HTM
OK, this isn't working, so I went to Usenet and found an abuse posting that gave another address not linked to mine. So let's try it out instead:
http://Cecropia.321908402677499182.plead.hdhda.com
Another 404, I'm guessing because I don't have the hashes at the end of the URL.
Bingo, got it!
Another post had munged up the address and it still worked.
http://unevaluated.530896695780071931.poodle.hdhda.com/rd/UrHaeRXA4a/yY389QLQcc5AbG1.HTML

The page lists itself as "HELMY Enterprises, Inc.", although I doubt this moron actually files papers and has a DBA. Just a guess though.
There's an affiliate link on the bottom for http://www.gigacash.com which I'll check out later.
The link to it is another candidate for falsePozi.pl:
http://www2.gigacash.com/popup/gc.php?gcaid=188234&gcsa=default

Helmy Enterprises actually has a website, if you can believe that.
I've linked to the Google cache to make this more discreet:
http://64.233.161.104/search?q=cache:VM3pMCl7uMAJ:helmy.com/+HELMY+Enterprises,+Inc.&hl=en
Here are our scumbag's email addresses according to the site:
info2@helmy.com
email@helmy.com

The address is just a PO Box in Los Angeles
  • US & Canada: 888.8.HELMYS
  • International: 310.820.0228
  • PO BOX 492146, LA, CA 90049

Oh wait, it gets better: an employment page! Oh yes, can I please work for you? I mean, I have never had a job where I am considered by most to be the slime of the earth.
Let's have some fun with this now.

Now, the way most forms work is they have a bunch of fields, and then there is an "action" field which tells you where it's going to go. This one requires only slightly more work in that it's using POST, so I can't just make a big URL and shove it down his digital throat.
In this case the relevant data is as follows:

    <form method="POST" action="FormMail.pl5">
    <input type="text" name="name" size="40" value="">
    <input type="text" name="email" size="40">
    <input type="text" name="phone" size="40">
    <textarea name="comments" rows="5" cols="31"></textarea>
    <input type=HIDDEN name="recipient" value="email@helmy.com">
    <input type=HIDDEN name="subject" value="HELMY Employment Inquiry Form">
    <input type=HIDDEN name="redirect" value="http://www.helmy.com">
    <input type=HIDDEN name="required" value="name, email">
    <input type="submit" value=">> send" name="B12">

So this employment application goes right to his email. Interesting, spamming a known spammer... the irony is too much sometimes.
Alright, let's get to work here. I need to create a modified HTTPsend.pl script so I can send in my work request. I'm also going to have to hide my request by going through an anonymous proxy so he doesn't just check his logs tomorrow and blag my IP address. It will all be documented in the next post, so stay tuned (not that anyone is actually reading this).

    4 Comments:

    At 8:55 PM, Blogger djuti said...

    I haven't gotten around to finishing my script. I will very soon.

     
    At 10:56 PM, Anonymous Anonymous said...

    So did you finish the script?

    I live down the street from this address and have visited the store many times. It's an am/pm 7-11 type store. Interesting that they would use that address.

    Registrant:
    Masterly Intl S.A.
    Sabana sur
    25mts al sur del
    Supermercado AM PM
    San Jose, CR --
    CR

     
    At 11:22 PM, Blogger cc Infopage said...

    Hello,

    I am searching for fresh information
    for my cc Infopage, 30,000 daily updated Information Pages about all kind of subjects.

    It might interest you to know that your blog has been visited and has been read. I hope you enjoy your "Blogging".

    I wish you all the luck I can, keep the good work going!

    Kind regards,
    Jos
    Today's News From & About Google

     
    At 1:23 AM, Blogger dghnfgj said...

    Today is the gold für wow second day of 2009 ,world of warcraft gold it also a mesos special for me .cheap wow gold Because i have cheap maplestory mesos a chance to go to an english speech of LiYang and crazy to learn english follow him . He is a firendly,kindly person who make me feel good.wow gold kaufen What‘s more ,maple story mesos he very confidence .And he make me sure what he can do i also can do,as long as i make a determination and force myself to do it every second,Crazy just like him .wow geld I learn one setence from his book ever :maple story items If you want to succeed always force yourself to do more .I can't agree more with him .wow gold farmen To be honest ,when i was a littel girl i already fall in love with english.But what a pity i am poor in english ,Maple Story Account and it make me feel frustrating .So i want to give up many times ,but i can't as i still love it .So i tell mysefl :if you think you can you can wow leveling,and all your maple story power leveling hard work will pay off.wow power leveling Today i am very happy i can listien this wonderful speech of LiYang. I reap a great benifits from him .maple story money As he say :i am the best ,and every one can do it . world of warcraft power leveling Yes,i belive i can do it if i crazy as he buy archlord gold.Now i want to say :i will never give up.

     
