Spam Hunter

Viagra, penis enhancements, porn, mortgage rates, and much more are shoved into my inbox every day. I'm not trying to win the spam war. I just like to vent by choosing one email a day, tracing down the jerk who sent it and publishing any antics that ensue.

Tuesday, March 22, 2005

Re: Pharamacy[33:34]


Delivered-To: jake@domain.com
Received: (qmail 15747 invoked from network); 22 Mar 2005 17:14:52 -0000
Received: from unknown (HELO kaytonelectric.com) (81.158.238.67)
by loop.phpwebhosting.com with SMTP; 22 Mar 2005 17:14:52 -0000
From: "Zofia Flood"
To: "Dionysodoros Huff"
Subject: Re: Pharamacy[33:34]
Date: Tue, 22 Mar 2005 12:11:16 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0008_01C52E1D.42405FCE"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Hello , Visit Our PharmmacyByMailSHOP and Save 75%


Normally these types of URLs are meant to make someone think they are accessing a more reputable site, generally one in the same field as the wares being pitched. So this one is a bit confusing: wc.com is the home of Williams & Connolly, a large litigation firm. The spam is obviously trying to sell prescriptions, so I'm not really sure what they are trying to do here. Maybe bypass filters?
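As an added example (not the blog's own tooling), here is a small triage script for the headers quoted above. It pulls the connecting IP and HELO name out of the qmail-style Received line, then looks at the host the spam links to (www.bx.wc.com.bodpartatthe.com, from later in the post) and reports the domain a browser would actually connect to, flagging wc.com as a look-alike prefix rather than the real destination. The Received lines and link host are copied from the post; the list of "watched" reputable domains and the two-label rule for the registrable domain are simplifications assumed for illustration.

```python
"""Triage of the spam headers quoted in the post (added example).

Parses the Received header to find the originating hop, then inspects the
link host to show which domain is really being visited.
"""
import re

# Constructed from the headers quoted in the post.
RECEIVED_LINES = [
    "Received: (qmail 15747 invoked from network); 22 Mar 2005 17:14:52 -0000",
    "Received: from unknown (HELO kaytonelectric.com) (81.158.238.67) "
    "by loop.phpwebhosting.com with SMTP; 22 Mar 2005 17:14:52 -0000",
]

# The link host from the post; wc.com is the reputable-looking prefix.
LINK_HOST = "www.bx.wc.com.bodpartatthe.com"

_HELO_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[\d.]+)\)"
)


def parse_received(line):
    """Return (reverse-DNS name, HELO name, IP) from a qmail-style Received
    header, or None when the line records no network hop."""
    m = _HELO_RE.search(line)
    if not m:
        return None
    return m.group("rdns"), m.group("helo"), m.group("ip")


def originating_hop(lines):
    """Headers are prepended, so the last Received line with a network hop is
    the host that actually handed the message to the receiving server."""
    for line in reversed(lines):
        parsed = parse_received(line)
        if parsed:
            return parsed
    return None


def registrable_domain(host):
    """Rightmost two labels. Assumption for illustration: real code should
    consult the Public Suffix List; two labels suffice for a .com host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_prefixes(host, watched=("wc.com",)):
    """Watched domains that appear inside the hostname but are not its
    registrable domain: the 'reputable-looking prefix' trick."""
    reg = registrable_domain(host)
    labels = host.lower().rstrip(".").split(".")
    hits = []
    for w in watched:
        wl = w.split(".")
        n = len(wl)
        for i in range(len(labels) - n):  # strictly before the real tail
            if labels[i:i + n] == wl and reg != w:
                hits.append(w)
                break
    return hits


def triage(received_lines, link_host, watched=("wc.com",)):
    """Summarise what the headers and link host tell a defender."""
    hop = originating_hop(received_lines)
    rdns, helo, ip = hop if hop else (None, None, None)
    return {
        "origin_ip": ip,
        "helo": helo,
        "rdns_known": rdns not in (None, "unknown"),
        "helo_matches_rdns": rdns == helo,
        "link_registrable_domain": registrable_domain(link_host),
        "lookalike_prefixes": lookalike_prefixes(link_host, watched),
    }


if __name__ == "__main__":
    for key, value in triage(RECEIVED_LINES, LINK_HOST).items():
        print(f"{key}: {value}")
```

The two findings worth acting on are that the sending host has no reverse DNS and a HELO name that does not match it, and that the link's real domain is bodpartatthe.com, with wc.com only dressed up as a subdomain.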

The domain is owned by Richard Syke:
Domain Name : bodpartatthe.com

::Registrant::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Administrative Contact::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Technical Contact::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Name Servers::
ns0.vocalerformancare.com
ns1.vocalerformancare.com

::Dates & Status::
Created Date 2005-03-21 07:20:28 EST
Updated Date 2005-03-21 07:20:28 EST
Valid Date 2006-03-21 07:20:28 EST
Status ACTIVE

The 'contact info' page lists the address as:
Palm Grove House, P.O.Box 438, Road Town, Tortola, British Virgin Islands

There is a secure code field in the form, so one can not spam them from the web form.
IS THIS IRONIC TO ANYONE ELSE?

It's like a mugger concerned about being pickpocketed. The system is badly designed though.
The image is created by going to a page called secure.asp. This page takes a parameter that looks like MIME-style encoding or something similar, and it creates the same image every time for the same parameter. So if one knows how the letters are encoded, one can "guess" the secret code by deriving it from the URL supplied for the image.
Example:
http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=UhYuh1t=
AB392

http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=UTYuh1t=
Bb392

OK, before breaking this (well, I guess it could be classified as crypto, but that's sort of stretching the term), let's have some fun with their processes.
7 characters and we can just generate our own "image maker". It actually takes more than 7 digits. Since it's aspx (IIS6) there is a sanity check on the length of the URI, so just putting a few thousand characters in got this response:

Request-URI Too Large
The requested URL's length exceeds the capacity limit for this server.

request failed: URI too long


This one works though:




It takes a few seconds to generate too! Let's loop that a few times and see what happens.

OK, that's looping. Now let's look at this wonderful crypto system. It's using an example pasted from the MSDN site on How to Store an Encrypted Connection
Essentially it's just base64 encoded with a cipher. So I know the input and output values and could just brute force my way through this. I'm going to investigate and see if there is a more elegant solution. Cryptanalysis is really not my strong suit.
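The weakness described in the two passages above (the secure.asp image URL being a fixed transformation of the code, and that transformation being base64 plus a cipher) is a design flaw, not a cryptanalysis problem. The following added example, which is not the spammer's code and does not use their cipher (the post never shows it), puts a CAPTCHA built that way beside the design that fixes it. WeakCaptcha uses a repeating-XOR key as a stand-in cipher; that key and the URL parameter names are assumptions for illustration. SessionCaptcha keeps the answer server-side under a random token, makes each challenge single-use, and expires it.

```python
"""Weak versus hardened CAPTCHA token design (added example)."""
import base64
import hmac
import secrets
import time


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, standing in for whatever fixed cipher is used."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class WeakCaptcha:
    """Answer -> fixed transformation -> URL parameter.

    The same answer always gives the same URL, and the server must reverse
    the parameter to draw the letters, so anyone who knows the transformation
    can recover the answer too. No per-challenge state exists."""

    KEY = b"static-key"  # assumption: a fixed key baked into the application

    def image_url(self, answer: str) -> str:
        token = base64.b64encode(_xor(answer.encode(), self.KEY)).decode()
        return f"/aspx/secure.asp?text={token}"

    def answer_from_url(self, url: str) -> str:
        # The image renderer needs this; it is the same computation a third
        # party can do from the URL alone.
        token = url.split("text=", 1)[1]
        return _xor(base64.b64decode(token), self.KEY).decode()

    def verify(self, url: str, submitted: str) -> bool:
        return submitted == self.answer_from_url(url)


class SessionCaptcha:
    """Random answer stored server-side under an unguessable token.

    The URL reveals nothing about the answer, a token is consumed on first
    use, and it expires after ttl_seconds."""

    ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I confusion

    def __init__(self, ttl_seconds: int = 300, now=time.time):
        self._store = {}          # token -> (answer, expiry timestamp)
        self._ttl = ttl_seconds
        self._now = now           # injectable clock for testing expiry

    def new_challenge(self) -> tuple[str, str]:
        """Return (image URL, answer); the answer goes only to the renderer."""
        answer = "".join(secrets.choice(self.ALPHABET) for _ in range(5))
        token = secrets.token_urlsafe(16)
        self._store[token] = (answer, self._now() + self._ttl)
        return f"/aspx/secure.asp?id={token}", answer

    def verify(self, url: str, submitted: str) -> bool:
        token = url.split("id=", 1)[1]
        entry = self._store.pop(token, None)  # single use: replay fails
        if entry is None:
            return False
        answer, expires = entry
        if self._now() > expires:
            return False
        return hmac.compare_digest(answer.upper(), submitted.upper())


if __name__ == "__main__":
    weak = WeakCaptcha()
    url = weak.image_url("AB392")
    print("weak URL:", url, "-> recoverable answer:", weak.answer_from_url(url))
    strong = SessionCaptcha()
    url, answer = strong.new_challenge()
    print("session URL:", url, "-> first verify:", strong.verify(url, answer),
          "replay:", strong.verify(url, answer))
```

The point the test makes is the one the post found empirically: in the weak design two requests for the same code yield the same URL and the code is recoverable from it, while in the hardened design the URL carries no information about the answer and the second submission of a correct answer is rejected.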


UH OH!
.Error: 500 read timeout
Error: 500 Can't connect to www.bx.wc.com.bodpartatthe.com:80 (Bad hostname 'www.bx.wc.com.bodpartatthe.com')

I was probably just firewalled off. Hey, maybe that means I won't get any more spam from them!! Hooray!

12 Comments:

At 2:12 PM, Blogger Fermat said...

Excellent stuff!
Although I confess I don't understand the technicalities of it.
I too have been spammed to death by these low life scum. Unfortunately for me, although I have set up throw away emails and carefully guard my 'main' email address, these b*st*rds have somehow got hold of it. As you will know they have made a damn good job of making sure their crap bypasses any filter... the only way out seems to be to change my primary email address (again) - and that is a real PAIN.

Unless.... I too can do something similar to what you have done? Alas, it may be over my head, but I'd love to have a go at hitting back for a change. (BTW, the address in the virgin Islands is a mail redirection operation - search for it on the net and you will find lots of dodgy setups use exactly the same address...)

If you can give me any hints on how to do something similar I'd be eternally grateful...

 
At 9:08 AM, Anonymous MPN said...

Google tells me that is the address of 'Equity Trust'.

There is a local (London) office of Equity Trust; I'm writing to them to ask if this is a client of theirs. I warn them that if it is I will inform the UK regulatory authorities that they are aiding and abetting a criminal activity if I receive any more spam traceable to them. If not a client, no doubt they will take steps to prevent the association.

Here is the full range of offices of Equity Trust

http://www.equitytrust.com/aboutus/global_offices.htm

 
At 8:03 AM, Blogger djuti said...

Well, either some other anti-spammers have made good on promises or the letter from the above did its job! The site is no longer available!!

 
At 2:40 AM, Anonymous Anonymous said...

Yeah, let's harm this A**H*le. Is there anybody who knows how to take this site off the air, or even better, make Richard Sykes eat all his own pills? I've had it with the Viagra crap so much that I almost need some.

 
At 10:02 AM, Anonymous mark1504 said...

As I run several websites, changing my email address is not an option.

If anyone can think of any group action to take against these guys then count me in with whatever resource I can muster.

 
At 7:23 AM, Anonymous Anonymous said...

Shame, shame - it looks like someone's taken the site offline.

I've been in touch with Equity Trust, and it turns out that they've been trying to shut this guy down for a while now - he's been using their postal address without their consent. I guess they got him in the end...

 
At 8:28 PM, Anonymous Anonymous said...

I have been getting emails from these A'holes every day. I did notice the BBB and others support this web site.
I'm going to start emailing them also. They might put some pressure on these #asterds.

 
At 4:29 PM, Anonymous Anonymous said...

looks like they are now under
http://www.namesheate.com/e9e60da87700424fb0694c8cd184384f/aspx/send.asp

They still spam and still have that contact address... they also claim to be a BBB member... ha, not!

Dale

 
At 12:03 PM, Anonymous Anonymous said...

I get them at http://www.kilihutesade.com and every email I get from them usually has a different link to it. There's gotta be something we can do.

 
At 12:16 PM, Anonymous Anonymous said...

Here's the WhoIs info on that URL

Domain Name.......... kilihutesade.com
Creation Date........ 2006-07-27 17:52:30
Registration Date.... 2006-07-27 17:52:30
Expiry Date.......... 2007-07-27 17:52:30
Organisation Name.... Wang Pang
Organisation Address. SH
Organisation Address.
Organisation Address. SH
Organisation Address. 610000
Organisation Address. SH
Organisation Address. CN

Admin Name........... Wang Pang
Admin Address........ SH
Admin Address........
Admin Address........ SH
Admin Address........ 610000
Admin Address........ SH
Admin Address........ CN
Admin Email.......... manadolapik@yahoo.com.cn
Admin Phone.......... +86.2176885548
Admin Fax............ +86.2176885548

Tech Name............ Wang Pang
Tech Address......... SH
Tech Address.........
Tech Address......... SH
Tech Address......... 610000
Tech Address......... SH
Tech Address......... CN
Tech Email........... manadolapik@yahoo.com.cn
Tech Phone........... +86.2176885548
Tech Fax............. +86.2176885548

Bill Name............ Wang Pang
Bill Address......... SH
Bill Address.........
Bill Address......... SH
Bill Address......... 610000
Bill Address......... SH
Bill Address......... CN
Bill Email........... manadolapik@yahoo.com.cn
Bill Phone........... +86.2176885548
Bill Fax............. +86.2176885548
Name Server.......... ns0.decietrea.com
Name Server.......... ns0.oslanatie.com

 
At 10:47 AM, Anonymous Anonymous said...

Why not ask Visa or VeriSign or cipa or all the
other organisations if they know that they are supporting a criminal organisation?

http://nihekadesunwaion.com/9ea23968c6b7762e7a67b9c836020271/aspx/index.asp

 
At 4:29 PM, Anonymous Anonymous said...

Why not forward that f**king spam back to 'em?


General email: info@fxuc.com

British Virgin Islands
Palm Grove House
P.O.Box 438
Road Town, Tortola

bvi@fxuc.com

 