Spam Hunter

Viagra, penis enhancements, porn, mortgage rates, and much more are shoved into my inbox everyday. I'm not trying to win the spam war. I just like to vent by choosing one email a day, tracing down the jerk who sent it and publishing any antics that ensue.

Friday, March 10, 2006

Dr Spam?

UPDATE:
After a lot of research I've concluded the name attached to this DNS entry
is NOT the person behind the spamming. Dr Carpenter should not be contacted
in regards to this matter. His address and phone number were easily
found on public web sites and I believe he was simply picked to add legitimacy
to the site. The web site in question appears to simply harvest credit card
numbers and is operated out of Hong Kong. I have left the entry intact
so anyone can follow my line of reasoning.

-------------------------------------------------------------------------
The most recent spam I investigated leaves me puzzled. No effort was made to conceal activities for a pharmaceutical-related spam, and everything points to a licensed doctor in WA. I'm really speechless. Part of me wants to believe no doctor would be this stupid and risk his license and career. But I must document what I found.
The spam came to a registered email address (I forget where it's from, but I believe it was a dev-related mailing list).


From - Fri Mar 10 05:25:41 2006
X-Account-Key: account3
X-UIDL: 1141977566.9085.loop.myISP.com,S=3345
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <hasso@aramark.com>
Delivered-To: victim@victim.com
Received: (qmail 9077 invoked from network); 10 Mar 2006 07:59:25 -0000
Received: from unknown (HELO aramark.com) (220.184.165.4)
by loop.myISP.com with SMTP; Fri, 10 Mar 2006 02:59:25 -0500
Message-ID: <000001c64418$79497940$328ca8c0@can55>
Reply-To: "Moray Hassen" <hasso@aramark.com>
From: "Moray Hassen" <hasso@aramark.com>
To: victim@victim.com
Subject: Re: ParamZcy news
Date: Fri, 10 Mar 2006 02:58:53 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0001_01C643EE.9075E240"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C643EE.9075E240
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

u V q a i I f i x u p m $1 k 05 (30 Ru tabIe Qp ts)
n V u i o a h g y r h a $ z 69 (1 Xs 0 t 5D abIets)
k C x i c a i I n i j s $ y 99 (1 Hj 0 tabI gu ets)
=20
And m 5K any other http://pyp44.miltsuil.com

------=_NextPart_000_0001_01C643EE.9075E240
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> u </span>V<span style=3D" float : right "> q =

</span>a<span style=3D" float : right "> i </span>I<span style=3D" float =
: right "> f </span>i<span style=3D" float : right "> x </span>u<span =
style=3D" float : right "> p </span>m</FONT> <FONT =
color=3D#F1420B>$1<span style=3D" float : right "> k </span>05</FONT> =
(30<span style=3D" float : right "> Ru </span> tabIe<span style=3D" =
float : right "> Qp </span>ts)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> n </span>V<span style=3D" float : right "> u =
</span>i<span style=3D" float : right "> o </span>a<span style=3D" float =
: right "> h </span>g<span style=3D" float : right "> y </span>r<span =
style=3D" float : right "> h </span>a</FONT> <FONT =
color=3D#F1420B>$<span style=3D" float : right "> z </span>69</FONT> =
(1<span style=3D" float : right "> Xs </span>0 t<span style=3D" =
float : right "> 5D </span>abIets)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> k </span>C<span style=3D" float : right "> x =
</span>i<span style=3D" float : right "> c </span>a<span style=3D" float =
: right "> i </span>I<span style=3D" float : right "> n </span>i<span =
style=3D" float : right "> j </span>s</FONT> <FONT =
color=3D#F1420B>$<span style=3D" float : right "> y </span>99</FONT> =
(1<span style=3D" float : right "> Hj </span>0 tabI<span style=3D" =
float : right "> gu </span>ets)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3></FONT> </DIV>
<DIV><FONT face=3DArial size=3D3>And m<span style=3D" float : right "> =
5K </span>any other <A =
href=3D"http://pyp44.miltsuil.com">http://pyp44.miltsuil.com</A></FONT></=
DIV></BODY></HTML>
------=_NextPart_000_0001_01C643EE.9075E240--
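Two things in the message above are worth checking programmatically rather than by eye. The line "Received: from unknown (HELO aramark.com) (220.184.165.4)" says the connecting host has no reverse DNS yet announced the sender's domain in HELO, so the HELO name is worthless as evidence of who sent it. And in the HTML part every real letter is interleaved with a padding letter wrapped in a span styled float:right; a mail filter that reads the raw text sees "u V q a i I f i x u p m", while a browser shoves the padding letters off to the right edge and lays out "VaIium $105 (30 tabIets)" (with a capital I standing in for l). The Python below is an added example, not the blog's own tooling. It runs over a constructed, trimmed copy of the message (only the headers it needs and the first product line of the HTML body, with the quoted-printable encoding and the spans reproduced); the function names, the regex for qmail's Received format, and the HELO check are my own choices.

```python
# Added example, not the blog's tooling: parse a spam like the one above, pull
# the first hop out of the Received headers, strip the float:right padding.
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample: a trimmed copy of the message quoted in the post, keeping
# only the headers used here and the first product line of the HTML body; the
# quoted-printable encoding and float:right <span> padding are as in the original.
RAW_MESSAGE = b"""Received: (qmail 9077 invoked from network); 10 Mar 2006 07:59:25 -0000
Received: from unknown (HELO aramark.com) (220.184.165.4)
  by loop.myISP.com with SMTP; Fri, 10 Mar 2006 02:59:25 -0500
From: "Moray Hassen" <hasso@aramark.com>
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0001_01C643EE.9075E240"

------=_NextPart_000_0001_01C643EE.9075E240
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

u V q a i I f i x u p m $1 k 05 (30 Ru tabIe Qp ts)
And m 5K any other http://pyp44.miltsuil.com

------=_NextPart_000_0001_01C643EE.9075E240
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><DIV><FONT face=3DArial size=3D3><span style=3D" float : right "> u =
</span>V<span style=3D" float : right "> q </span>a<span style=3D" float : right "> =
i </span>I<span style=3D" float : right "> f </span>i<span style=3D" float : right "> =
x </span>u<span style=3D" float : right "> p </span>m $1<span style=3D" float : right "> =
k </span>05 (30<span style=3D" float : right "> Ru </span> tabIe<span style=3D" =
float : right "> Qp </span>ts)</FONT></DIV></BODY></HTML>
------=_NextPart_000_0001_01C643EE.9075E240--
"""

# qmail's 'from <rdns> (HELO <name>) (<ip>)' form; the 'invoked from network'
# line carries no host and will not match.
RECEIVED_RE = re.compile(r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
                         r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def first_hop(msg):
    """(rdns, helo, ip) of the host that handed the mail to our MX. Received
    headers are prepended in transit, so the last one is the oldest."""
    for header in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", str(header)))
        if m:
            return m.group("rdns"), m.group("helo"), m.group("ip")
    return None

def helo_unverifiable(hop):
    """True when the connecting host has no reverse DNS ('unknown') or its
    reverse name is not inside the HELO domain, so HELO proves nothing."""
    if hop is None:
        return False
    rdns, helo, _ip = hop
    rdns, helo = rdns.lower(), helo.lower().rstrip(".")
    return rdns == "unknown" or not (rdns == helo or rdns.endswith("." + helo))

class VisibleText(HTMLParser):
    """Text in normal inline flow; float:right spans (the padding letters
    pushed to the line's edge) are dropped, nested spans included."""
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        if tag == "span":
            style = dict(attrs).get("style") or ""
            if self.hidden_depth or re.search(r"float\s*:\s*right", style):
                self.hidden_depth += 1
    def handle_endtag(self, tag):
        if tag == "span" and self.hidden_depth:
            self.hidden_depth -= 1
    def handle_data(self, data):
        if not self.hidden_depth:
            self.chunks.append(data)

def deobfuscate_html(html):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.chunks).split())

def analyze(raw):
    """Indicators a spam hunter chases next: connecting IP, HELO check,
    URLs in the text part, and what the HTML part actually displays."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hop = first_hop(msg)
    report = {"first_hop": hop, "helo_unverifiable": helo_unverifiable(hop),
              "urls": [], "visible_text": ""}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("ascii", "replace")
            if ctype == "text/plain":
                report["urls"].extend(URL_RE.findall(body))
            else:
                report["visible_text"] = deobfuscate_html(body)
    return report
```

`analyze(RAW_MESSAGE)` returns the connecting IP 220.184.165.4 (the address to whois and traceroute, not the aramark.com name in From and HELO), flags the HELO as unverifiable, lists http://pyp44.miltsuil.com, and returns "VaIium $105 (30 tabIets)" as the rendered text. The visible-text pass is what you would feed to a word filter; the raw body is what the spammer wants the filter to see.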


The link leads to the miltsuil.com site, and aside from a simple redirect the entire operation is straightforward. A trip to SamSpade yields the following:


Server Used: [ whois.yesnic.com ]

miltsuil.com = [ 59.148.144.203 ]
-----------------------------------------------
Queried Domain Information as follows
-----------------------------------------------
Domain Name : miltsuil.com
: :Registrant: :
Name : Richard Carpenter
Email : ostalana@yahoo.com

Address : 824 S. 295th PL
Zipcode : 98003
Nation : US
Tel : 253-941-4749
Fax :
: :Administrative Contact: :
Name : Richard Carpenter
Email : ostalana@yahoo.com

Address : 824 S. 295th PL
Zipcode : 98003
Nation : US
Tel : 253-941-4749
Fax :
: :Technical Contact: :
Name : Richard Carpenter
Email : ostalana@yahoo.com

Address : 824 S. 295th PL
Zipcode : 98003
Nation : US
Tel : 253-941-4749
Fax :
: :Name Servers: :
ns0.acorande.com
ns0.enanger.com
: :Dates & Status: :
Created Date 2006-03-07 16: 02: 33 EST
Updated Date 2006-03-07 16: 02: 33 EST
Valid Date 2007-03-07 16: 02: 33 EST
Status ACTIVE


It's creepy to see a real name and address. I searched for the name and phone number listed, only to find a list of Family Doctors in WA! See list here


Carpenter, Richard M
30809 1st Ave S
Federal Way, WA 98003-0000

Phonebook results for 253-941-4749
E Carpenter, (253) 941-4749, , Federal Way, WA 98003


Either this is a very well put together frame (do people get framed for spam??) or this doctor has decided to supplement his income. It's possible, since a doctor could get away with creating false prescriptions by the thousands. A doctor on the east coast (New York?) was busted for this last year. But what idiot would attempt this today??

I'm keeping watch over this server and will report any findings. I may have 'scoop' on this one :), the DNS record is barely 48 hours old!

Update: I think this is a setup by Chinese spammers. It was just way too easy, and that bugged me from the start. A traceroute shows this:

4 ge-0-1-0-030.br2.qcy1.ma.gnaps.net (199.232.44.141) 6.683 ms 6.390 ms 6.565 ms
5 POS3-0.GW5.BOS4.ALTER.NET (208.192.182.173) 8.11 ms 7.466 ms 8.186 ms
6 0.so-2-0-0.CL1.BOS4.ALTER.NET (152.63.25.70) 8.315 ms 23.281 ms 21.669 ms
7 0.so-4-0-0.XL1.SAC1.ALTER.NET (152.63.53.245) 98.949 ms 96.628 ms 102.104 ms
8 POS6-0.IG3.SAC1.ALTER.NET (152.63.54.121) 93.654 ms 106.122 ms 98.970 ms
9 hkbn-gw.customer.alter.net (208.214.139.106) 268.645 ms 280.339 ms 275.420 ms
10 61.244.232.105 (61.244.232.105) 295.729 ms 255.630 ms 261.515 ms
11 61.244.232.170 (61.244.232.170) 267.802 ms 254.997 ms 256.17 ms
12 059148144203.ctinets.com (59.148.144.203) 262.475 ms 259.126 ms 253.566 ms

http://www.google.com/search?hl=en&lr=&client=safari&rls=en&q=site:ctinets.com
shows that the ctinets site is clearly from China.
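The trace above is the strongest signal in the post: the registrant's address is in Washington, but the round-trip time nearly triples at hop 9, whose name contains "hkbn", and stays there through the ctinets.com host at the end. As an added example (not from the blog), the Python below parses traceroute output in this format, reports the hops where the median RTT jumps by more than a threshold, and returns the domain of the final hop to look up next. The nine hop lines are the ones quoted above, embedded as a constructed sample; the function names and the 100 ms default threshold are my choices.

```python
# Added example, not the blog's own: parse traceroute output and locate the
# hop where the round-trip time jumps, which is how the post's trace gives
# away that the server is far from the US address in its WHOIS record.
import re
from statistics import median

# Constructed sample: the nine hops quoted in the post, as traceroute printed them.
TRACEROUTE = """\
4 ge-0-1-0-030.br2.qcy1.ma.gnaps.net (199.232.44.141) 6.683 ms 6.390 ms 6.565 ms
5 POS3-0.GW5.BOS4.ALTER.NET (208.192.182.173) 8.11 ms 7.466 ms 8.186 ms
6 0.so-2-0-0.CL1.BOS4.ALTER.NET (152.63.25.70) 8.315 ms 23.281 ms 21.669 ms
7 0.so-4-0-0.XL1.SAC1.ALTER.NET (152.63.53.245) 98.949 ms 96.628 ms 102.104 ms
8 POS6-0.IG3.SAC1.ALTER.NET (152.63.54.121) 93.654 ms 106.122 ms 98.970 ms
9 hkbn-gw.customer.alter.net (208.214.139.106) 268.645 ms 280.339 ms 275.420 ms
10 61.244.232.105 (61.244.232.105) 295.729 ms 255.630 ms 261.515 ms
11 61.244.232.170 (61.244.232.170) 267.802 ms 254.997 ms 256.17 ms
12 059148144203.ctinets.com (59.148.144.203) 262.475 ms 259.126 ms 253.566 ms
"""

# One hop line: number, host (or bare IP), IP in parentheses, then one or more
# "<rtt> ms" probes. Lines made only of '*' timeouts do not match and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)((?:\s+[\d.]+\s+ms)+)")

def parse_traceroute(text):
    """List of {hop, host, ip, rtt_ms} with the median of the probes, which
    is less sensitive to one slow probe than the mean."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [float(v) for v in re.findall(r"([\d.]+)\s+ms", m.group(4))]
        hops.append({"hop": int(m.group(1)), "host": m.group(2),
                     "ip": m.group(3), "rtt_ms": median(rtts)})
    return hops

def latency_jumps(hops, threshold_ms=100.0):
    """(hop, host, delta) for hops whose median RTT exceeds the previous hop's
    by more than threshold_ms. From a US vantage point a single jump of 150 ms
    or more is usually a transoceanic link, whatever the registrant's postal
    address says."""
    return [(cur["hop"], cur["host"], cur["rtt_ms"] - prev["rtt_ms"])
            for prev, cur in zip(hops, hops[1:])
            if cur["rtt_ms"] - prev["rtt_ms"] > threshold_ms]

def last_hop_domain(hops):
    """Registrable-looking domain of the final hop (its last two labels), the
    string to search for or whois next. None when the last hop is a bare IP."""
    labels = hops[-1]["host"].rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return None
    return ".".join(labels[-2:])

if __name__ == "__main__":
    hops = parse_traceroute(TRACEROUTE)
    for hop, host, delta in latency_jumps(hops):
        print(f"hop {hop} ({host}): +{delta:.1f} ms")
    print("final hop domain:", last_hop_domain(hops))
```

With the default 100 ms threshold only hop 9 is reported for this trace; lowering it to 50 ms also picks up the jump at hop 7 inside ALTER.NET, which is why the threshold should be chosen against a baseline trace from the same vantage point rather than set once.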
