Dear Spammer,
Please keep sending those fake emails purporting to be from Google. The more you send, the more I can build a database of your IP footprints.
Isn’t it obvious that scammers are unscrupulous?
The latest round of penny stock spam includes lines about the possible U.S. attack on Syria.
Are you interested in enriching yourself by means of war? It`s right time to realize your plans!!! As soon as the military attack Syria, oil prices will rise as well as *redacted* share price. Start making cash on September 2nd, buy *redacted* shares!
Do you wish to cash in on armed conflicts? It`s right time to do it!!! Just as the first bombs get to the earth in Syria, stone oil prices will skyrocket the same as *redacted* stock price!!! Go make profits on September, 02, buy *redacted* shares.
Do you want to make a mint of money due to war? It`s right time to do it! As soon as the US takes military action against Syria, oil prices will rise as well as *redacted* share price. Begin earning $$$ on Monday, September 02, purchase *redacted* shares.
Do you wish to cash in on armed conflicts? It`s the very time to make it!!! As soon as the US takes military action against Syria, oil prices will rise as well as *redacted* share price. Begin earning $$$ on Monday, Sep 02, purchase *redacted* shares!
We’ve been seeing a number of spam emails disguised as Dropbox invitations. Why would a total stranger invite you to join Dropbox?
Let me start by saying that spammers are despicable and tasteless, especially when they’re exploiting a tragedy such as the explosions at the Boston Marathon.
Spammers who want to spread malware are sinking to another low. A number of readers told us they’ve been getting spam with subjects containing: “explosion at Boston Marathon”
The From addresses are blanked out because they might be used as identifiers by the spammers.
Google has flagged one of the addresses with the warning that it “may harm your computer.”
We received another tip from readers about a particular spammer related to hefallsintothe.com. The admin contact of the domain name is leecheryl182@gmail.com. The domain name hefallsintothe.com is using ns1.insulationfromtheelements.com and ns2.insulationfromtheelements.com
The domain names are registered through namecheap.com.
whois hefallsintothe.com:
Administrative Contact:
Web Master (leecheryl182@gmail.com)
+1.7734130857
Fax:
616 Corporate Way
Suite 2
Valley College, NY 10989
US
Creation date: 19 Mar 2013 19:06:00
Expiration date: 19 Mar 2014 11:06:00
whois insulationfromtheelements.com:
Administrative Contact:
Brightness Partners
Network Admin (dns@brightnesspartners.com)
+1.8004094960
Fax: +1.5555555555
6321 W Dempster St
Suite 161
Morton Grove, IL 60053
US
Creation date: 19 Mar 2013 20:53:00
Expiration date: 19 Mar 2014 12:53:00
Whois brightnesspartners.com:
Administrative Contact:
Brightness Partners
Network Admin (dns@brightnesspartners.com)
+1.8004094960
Fax: +1.5555555555
6321 W Dempster St
Suite 161
Morton Grove, IL 60053
US
Creation date: 19 Mar 2013 20:36:00
Expiration date: 19 Mar 2014 12:36:00
Partial list of domain names related to dns@brightnesspartners.com:
Partial list of domain names with leecheryl182@gmail.com as admin contacts:
UPDATE 4:
This spammer is also related to wreese2013@hotmail.com.
The first spam reported to us came from the ldirect.us domain.
Definitely related to thegrapekiwi@gmail.com.
The phone number given as administrative contact 1.5037469135 seems to be used a lot for spam domain names.
UPDATE 3:
This spammer is also related to thegrapekiwi@gmail.com which is in the Register of Known Spam Operation (ROKSO).
Source: The Spamhaus Project
UPDATE 2:
Also related to Xcelerate:
cherwo.co.uk (Registered on: 21-Mar-2013)
Domain name:
cherwo.co.uk
Registrant:
EvoMedia
Registrant type:
Non-UK Corporation
Registrant’s address:
PO Box 025250 #52990
Miami
FL
33102
United States
Registrar:
eNom, Inc. [Tag = ENOM]
URL: http://www.enom.com
UPDATE:
Based on recent findings, tslater@x-celerated.com spammer is related to admin@sevenquest.com spammer.
We’ve been getting requests to investigate a particular round of spam emails a few weeks ago. The spam seems to be using domain names with the same registration information.
Administrative Contact:
Xcelerate
Tom Slater (tslater@x-celerated.com)
+1.7733288013
Fax: +1.5555555555
1608 S. Ashland Ave
Chicago, IL 60608
US
Partial list of domains registered with email tslater@x-celerated.com through enom.com / namecheap.com:
The domain x-celerated.com was registered through DreamHost:
Registrant Contact:
x-celerated.com Private Registrant x-celerated.com@proxy.dreamhost.com
A Happy DreamHost Customer
417 Associated Rd #324
Brea, CA 92821
US
+1.7147064182
We informed DreamHost of our findings on x-celerated.com, and we received a reply:
Unfortunately, we provide neither hosting services, nor email services, for any of these domains. The same is true for x-celerated.com, for which we are only the registrar.
We looked into the address of Xcelerate’s Tom Slater. It is a mailbox service by Earth Class Mail in Chicago.
A Virtual Presence In Chicago
Street and PO Box addresses available:
Street Address
1608 S Ashland Ave.
Chicago, Illinois 60608-2013
Just $14.95 per month in addition to Monthly subscription fees
Will-call pickup not available
PO Box
PO Box 803338
Chicago, IL 60680-3338
Included in your monthly subscription fee
We cross-referenced the phone number 773-328-8013 and the addresses from Earth Class Mail. We found a domain using both the Earth Class Mail service and the phone number 773-328-8013.
Administrative Contact:
TruTech
Mike Young (admin@techtru.com)
+1.7733288013
Fax: +1.7733288013
PO Box 803338
Chicago, IL 60680
US
The domain techtru.com was registered through enom.com / namecheap.com on August 27, 2012.
We called the number 773-328-8013 and we got the automated voicemail:
You’ve been forwarded to the voicemail for *text to speech voice* “xcelerate”.
It seems that Xcelerate is a shell company for the spammer to hide behind.
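The cross-referencing done by hand in these posts (same admin email, same phone number, same name servers) can be automated. The following is an added example, not code from the original posts: the contact values are the ones quoted on this page, while the label "xcelerate-record" and the placeholder-fax list are assumptions made here.

```python
import re
from collections import defaultdict

# Contact details transcribed from the WHOIS output and prose on this page.
# "xcelerate-record" is a made-up label for the Tom Slater contact block.
RECORDS = {
    "hefallsintothe.com": "leecheryl182@gmail.com +1.7734130857 "
                          "ns1.insulationfromtheelements.com",
    "insulationfromtheelements.com": "dns@brightnesspartners.com +1.8004094960 "
                                     "Fax: +1.5555555555",
    "brightnesspartners.com": "dns@brightnesspartners.com +1.8004094960 "
                              "Fax: +1.5555555555",
    "xcelerate-record": "tslater@x-celerated.com +1.7733288013 Fax: +1.5555555555",
    "techtru.com": "admin@techtru.com +1.7733288013 Fax: +1.7733288013",
}
PLACEHOLDER_PHONES = {"5555555555"}  # dummy fax value (assumed list), not a real link

def selectors(name, text, skip=PLACEHOLDER_PHONES):
    """Normalised pivot values in one record: emails, phones, nameserver parent."""
    found = {"dom:" + name}
    found |= {"email:" + e.lower() for e in re.findall(r"[\w.+-]+@[\w.-]+\.\w+", text)}
    found |= {"dom:" + d.lower() for d in re.findall(r"\bns\d+\.([\w-]+\.\w+)", text)}
    for raw in re.findall(r"\+?\d[\d.\-]{8,}\d", text):
        digits = re.sub(r"\D", "", raw)[-10:]   # "+1.7733288013" == "773-328-8013"
        if digits not in skip:
            found.add("phone:" + digits)
    return found

def cluster(records, skip=PLACEHOLDER_PHONES):
    """Group records that share any selector (connected components, union-find)."""
    parent = {name: name for name in records}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    owner = {}
    for name, text in records.items():
        for sel in selectors(name, text, skip):
            if sel in owner:
                parent[find(name)] = find(owner[sel])
            owner.setdefault(sel, name)
    groups = defaultdict(list)
    for name in records:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(" <-> ".join(group))
```

Without the placeholder filter, the shared dummy fax number +1.5555555555 merges every record into a single cluster, so filler values have to be excluded before two registrants are treated as linked.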
Spoofing the sender’s email address can be done. In this case Xcelerate / x-celerated.com is highly likely to be involved. Consider the following patterns:
If you would like to fight these spammers, use services like SpamCop.net to report them. SpamCop.net provides a free service; we encourage you to subscribe to their service for a nominal fee. After all, they are providing a great service.
——-
Disclaimer:
We use SpamCop.net service.
A Mozilla Firefox user reported popup ads from movieplayerupdate.com (movieplayerupdate.com/mtrack/free_download/1/pre/).
Another Mozilla Firefox user also reported the popup ads from movieplayerupdate.com (movieplayerupdate.com/flashplayer/download_free/).
Both links now show 404 not found, but not before we managed to grab a screenshot. It says:
http:// movieplayerupdate.com
WARNING! Your Flash Player may be out of date. Please update to continue
The site also tells the user:
Please Install Flash Player Pro to Continue
Remember folks, there is no such thing as “Flash Player Pro”.
The links on both “REMIND ME LATER” and “INSTALL” point to: mtrack10.com/base2.php
Clicking either button downloads an executable file.
A user sent us a note that similar popups from videoplayerdownload.co were found (videoplayerdownload.co/free-download/mt/1/pre/).
The “Install Now” link also points to mtrack10.com/base2.php
It seems that both movieplayerupdate.com (whois info) and videoplayerdownload.co (whois info) were registered by the same individual through GoDaddy on the same day (Feb 20, 2013).
The domain mtrack10.com (whois info) was also registered through GoDaddy, one week earlier (Feb 14, 2013).
Clicking the “Install Now” button downloads an executable file.
——-
It is pretty obvious that the individuals behind the domain names mentioned above are unscrupulous. Do not blindly download a program just because a popup told you to.
To update Flash Player, download it directly from Adobe.
http://www.adobe.com/products/flashplayer/distribution3.html