Re: Pharamacy[33:34]
Delivered-To: jake@domain.com
Received: (qmail 15747 invoked from network); 22 Mar 2005 17:14:52 -0000
Received: from unknown (HELO kaytonelectric.com) (81.158.238.67)
by loop.phpwebhosting.com with SMTP; 22 Mar 2005 17:14:52 -0000
From: "Zofia Flood"
To: "Dionysodoros Huff"
Subject: Re: Pharamacy[33:34]
Date: Tue, 22 Mar 2005 12:11:16 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0008_01C52E1D.42405FCE"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Hello , Visit Our PharmmacyByMailSHOP and Save 75%
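Before getting into the URL, the headers above already say something about where the message came from: the qmail relay could not resolve the connecting IP to a name ("unknown") while the client announced a HELO name of its own. The following is an added example, not code from the original post, that pulls the originating hop out of a Received chain and flags those two tells; the header block is a constructed sample built from the lines quoted above, and the hop regex only understands the qmail "from X (HELO Y) (ip)" format shown here.

```python
"""Find the originating hop in a Received: chain and flag the usual spam tells
(no reverse DNS for the connecting IP, HELO name that does not match it)."""
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample: the header lines quoted in the post, with the folded
# continuation of the second Received: line restored.
SAMPLE_HEADERS = (
    "Delivered-To: jake@domain.com\n"
    "Received: (qmail 15747 invoked from network); 22 Mar 2005 17:14:52 -0000\n"
    "Received: from unknown (HELO kaytonelectric.com) (81.158.238.67)\n"
    "\tby loop.phpwebhosting.com with SMTP; 22 Mar 2005 17:14:52 -0000\n"
    'From: "Zofia Flood"\n'
    "Subject: Re: Pharamacy[33:34]\n"
)

# qmail style hop: "from <rdns> (HELO <name>) (<ip>) by <relay> ..."
# \s+ also spans the folded line break before "by".
QMAIL_HOP = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)"
)


def hop_flags(hop: Dict[str, str]) -> List[str]:
    """Cheap, offline checks on one hop; they are indicators, not verdicts."""
    flags = []
    if hop["rdns"].lower() == "unknown":
        # The relay could not map the IP back to a name; typical of dynamic
        # ranges and compromised end-user machines.
        flags.append("no-reverse-dns")
    elif hop["rdns"].lower() != hop["helo"].lower():
        # The client announced a name that is not the one its IP resolves to.
        flags.append("helo-rdns-mismatch")
    return flags


def originating_hop(raw_headers: str) -> Optional[Dict[str, object]]:
    """Return the earliest parseable hop (closest to the sender), or None."""
    msg = message_from_string(raw_headers)
    # Received: headers are prepended as mail travels, so the last one in
    # document order is the earliest hop this mailbox can see.
    for value in reversed(msg.get_all("Received", [])):
        match = QMAIL_HOP.search(value)
        if match:
            hop: Dict[str, object] = dict(match.groupdict())
            hop["flags"] = hop_flags(match.groupdict())
            return hop
    return None


if __name__ == "__main__":
    print(originating_hop(SAMPLE_HEADERS))
```

Only the hop nearest the receiving server can be trusted at all: everything below it in the chain is text the sender wrote and can say anything.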
Normally these types of URLs are meant to make someone think they are accessing a more reputable site, generally one in the same field as the wares being pitched. So this one is a bit confusing: wc.com is the home of Williams & Connolly, a large litigation firm, while the spam is obviously trying to sell prescriptions, so I'm not really sure what they are trying to do here. Maybe bypass filters?
The domain is owned by Richard Syke:
Domain Name : bodpartatthe.com
::Registrant::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845
::Administrative Contact::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845
::Technical Contact::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845
::Name Servers::
ns0.vocalerformancare.com
ns1.vocalerformancare.com
::Dates & Status::
Created Date 2005-03-21 07:20:28 EST
Updated Date 2005-03-21 07:20:28 EST
Valid Date 2006-03-21 07:20:28 EST
Status ACTIVE
The 'contact info' page lists the address as:
Palm Grove House, P.O.Box 438, Road Town, Tortola, British Virgin Islands
There is a secure code field in the form, so one cannot spam them from the web form.
IS THIS IRONIC TO ANYONE ELSE?
It's like a mugger concerned about being pickpocketed. The system is retarded though.
The image is created by a page called secure.asp. This page takes a parameter which looks like MIME encoding or something, and it creates the same image every time for the same parameter. So if one knows how the letters are encoded, one can "guess" the secret code by deriving it from the URL supplied for the image.
Example:
http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=UhYuh1t=
AB392
http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=UTYuh1t=
Bb392
OK, before breaking this... well, I guess it could be classified as crypto, but that's sort of stretching the term... let's have some fun with their processes.
7 characters, and we can just generate our own "image maker". It actually takes more than 7 digits. Since it's aspx (IIS6) there is a sanity check on the length of the URI, so just putting in a few thousand characters got this response:
Request-URI Too Large
The requested URL's length exceeds the capacity limit for this server.
request failed: URI too long
This one works though:
It takes a few seconds to generate too! Let's loop that a few times and see what happens.
OK that's looping. Now let's look at this wonderful crypto system. It's using an example pasted from the MSDN site on How to Store an Encrypted Connection
Essentially it's just base64 encoded with a cipher. So I know the input and output values and could just brute force my way through this. I'm going to investigate and see if there is a more elegant solution. Cryptanalysis is really not my strong suit.
UH OH!
.Error: 500 read timeout
Error: 500 Can't connect to www.bx.wc.com.bodpartatthe.com:80 (Bad hostname 'www.bx.wc.com.bodpartatthe.com')
I was probably just firewalled off. Hey, maybe that means I won't get any more spam from them!! Hooray!
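The weakness the post describes is a design one: the "secure code" is carried in the image URL, so the server can only verify it by reversing the URL parameter, and anyone who reproduces that reversal knows the code without reading the image. The following is an added example, not code from the original post or from the site it examines, that puts the two designs side by side: a weak token that embeds the answer under a fixed key (the key "fixed-key" and the XOR step are stand-ins for whatever cipher the site used; only the fixed, reversible nature matters), and a server-side store that hands the client an opaque random id and keeps the answer, single-use and expiring, on the server.

```python
"""Two CAPTCHA token designs: the answer embedded in the URL under a fixed key
(reversible and deterministic), versus a random server-side challenge whose
id reveals nothing about the answer."""
import base64
import hmac
import secrets
import string
import time
from typing import Callable, Dict, Tuple

# ---- Weak design: the answer rides in the image URL -------------------------
# Hypothetical fixed key standing in for the site's hard-coded cipher key; the
# value is irrelevant, what matters is that it never changes between requests.
WEAK_KEY = b"fixed-key"


def _xor_fixed(data: bytes) -> bytes:
    return bytes(b ^ WEAK_KEY[i % len(WEAK_KEY)] for i, b in enumerate(data))


def weak_token(answer: str) -> str:
    """Same answer in, same token out: the URL parameter is the answer, dressed up."""
    return base64.urlsafe_b64encode(_xor_fixed(answer.encode())).decode()


def weak_verify(token: str, submitted: str) -> bool:
    """The server must undo the token to check the form, so a token-to-answer
    mapping exists by design and is the same for everyone who holds the key."""
    try:
        answer = _xor_fixed(base64.urlsafe_b64decode(token)).decode()
    except ValueError:  # bad padding, stray bytes, non-UTF-8 result
        return False
    return hmac.compare_digest(answer.encode(), submitted.encode())


# ---- Hardened design: opaque id to the client, answer stays on the server ---
ALPHABET = string.ascii_uppercase + string.digits


class CaptchaStore:
    """Random, single-use, expiring challenges keyed by an unguessable id."""

    def __init__(self, ttl_seconds: float = 300, length: int = 5,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.length = length
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._challenges: Dict[str, Tuple[str, float]] = {}

    def new_challenge(self) -> Tuple[str, str]:
        """Return (challenge_id, answer). Only the id goes into the image URL and
        the form; the answer is given to the image renderer and kept here."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = (answer, self.clock() + self.ttl)
        return challenge_id, answer

    def verify(self, challenge_id: str, submitted: str) -> bool:
        """Single use: the entry is removed whether or not the answer is right, so
        a correct answer cannot be replayed and a wrong one cannot be retried
        against the same image."""
        entry = self._challenges.pop(challenge_id, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(answer.encode(), submitted.strip().upper().encode())


if __name__ == "__main__":
    token = weak_token("AB392")
    print("weak token for AB392:", token, "| same again:", token == weak_token("AB392"))
    store = CaptchaStore()
    cid, answer = store.new_challenge()
    print("hardened id:", cid, "| first verify:", store.verify(cid, answer),
          "| replay:", store.verify(cid, answer))
```

In the hardened version the image URL carries only the challenge id, so the page that renders the image looks the answer up server-side and nothing in the URL can be decoded back into the code; the deterministic image the post noticed (same parameter, same picture) cannot happen because every challenge gets a fresh random answer and a fresh id.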

12 Comments:
Excellent stuff!
Although I confess I don't understand the technicalities of it.
I too have been spammed to death by these low life scum. Unfortunately for me, although I have set up throw away emails and carefully guard my 'main' email address, these b*st*rds have somehow got hold of it. As you will know they have made a damn good job of making sure their crap bypasses any filter... the only way out seems to be to change my primary email address (again) - and that is a real PAIN.
Unless.... I too can do something similar to what you have done? Alas, it may be over my head, but I'd love to have a go at hitting back for a change. (BTW, the address in the Virgin Islands is a mail redirection operation - search for it on the net and you will find lots of dodgy setups use exactly the same address...)
If you can give me any hints on how to do something similar I'd be eternally grateful...
Google tells me that is the address of 'Equity Trust'.
There is a local (London) office of Equity Trust; I'm writing to them to ask if this is a client of theirs. I warn them that if it is I will inform the UK regulatory authorities that they are aiding and abetting a criminal activity if I receive any more spam traceable to them. If not a client, no doubt they will take steps to prevent the association.
Here is the full range of offices of Equity Trust
http://www.equitytrust.com/aboutus/global_offices.htm
Well, either some other anti-spammers have made good on promises or the letter from the above did its job! The site is no longer available!!
Yeah, let's harm this A**H*le. Is there anybody who knows to take this site of the air, or even better, make Richard Sykes eat all his own pills. I've had it with the Viagra crap so much that I almost need some.
As I run several websites, changing my email address is not an option.
If anyone can think of any group action to take against these guys then count me in with whatever resource I can muster.
Shame, shame - it looks like someone's taken the site offline.
I've been in touch with Equity Trust, and it turns out that they've been trying to shut this guy down for a while now - he's been using their postal address without their consent. I guess they got him in the end...
I have been getting emails from these A'holes every day. I did notice the BBB and others support this web site.
I'm going to start emailing them also. They might put some pressure on these #asterds.
Looks like they are now under
http://www.namesheate.com/e9e60da87700424fb0694c8cd184384f/aspx/send.asp
They still spam and still have that contact address... they also claim to be a BBB member... ha, not!
Dale
I get them at http://www.kilihutesade.com and every email I get from them usually has a different link to it. There's gotta be something we can do.
Here's the WhoIs info on that URL
Domain Name.......... kilihutesade.com
Creation Date........ 2006-07-27 17:52:30
Registration Date.... 2006-07-27 17:52:30
Expiry Date.......... 2007-07-27 17:52:30
Organisation Name.... Wang Pang
Organisation Address. SH
Organisation Address.
Organisation Address. SH
Organisation Address. 610000
Organisation Address. SH
Organisation Address. CN
Admin Name........... Wang Pang
Admin Address........ SH
Admin Address........
Admin Address........ SH
Admin Address........ 610000
Admin Address........ SH
Admin Address........ CN
Admin Email.......... manadolapik@yahoo.com.cn
Admin Phone.......... +86.2176885548
Admin Fax............ +86.2176885548
Tech Name............ Wang Pang
Tech Address......... SH
Tech Address.........
Tech Address......... SH
Tech Address......... 610000
Tech Address......... SH
Tech Address......... CN
Tech Email........... manadolapik@yahoo.com.cn
Tech Phone........... +86.2176885548
Tech Fax............. +86.2176885548
Bill Name............ Wang Pang
Bill Address......... SH
Bill Address.........
Bill Address......... SH
Bill Address......... 610000
Bill Address......... SH
Bill Address......... CN
Bill Email........... manadolapik@yahoo.com.cn
Bill Phone........... +86.2176885548
Bill Fax............. +86.2176885548
Name Server.......... ns0.decietrea.com
Name Server.......... ns0.oslanatie.com
Why not ask Visa or VeriSign or CIPA or all the other organisations if they know that they are supporting a criminal organisation?
http://nihekadesunwaion.com/9ea23968c6b7762e7a67b9c836020271/aspx/index.asp
Why not forward that f**king spam back to 'em?
General email: info@fxuc.com
British Virgin Islands
Palm Grove House
P.O.Box 438
Road Town, Tortola
bvi@fxuc.com