This is odd. I do not have any services on Sprint, so why am I getting an email from them?
There are so many things wrong with this email.
This is the continuation of the milkcheesedns.com spammer story.
properlymysteriouslyupbeat.com
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: properlymysteriouslyupbeat.com
Registrant Contact:
margretriverhosting
Domain Management ()
Fax:
PO Box 66738
Saint Louis, MO 63166-6738
US
Administrative Contact:
margretriverhosting
Domain Management (domains@margretriverhosting.com)
+1.3147146057
Fax: +1.3147146057
PO Box 66738
Saint Louis, MO 63166-6738
US
Technical Contact:
margretriverhosting
Domain Management (domains@margretriverhosting.com)
+1.3147146057
Fax: +1.3147146057
PO Box 66738
Saint Louis, MO 63166-6738
US
Status: Locked
Name Servers:
ns1.safetyorangeblazeorangemule.com
ns2.safetyorangeblazeorangemule.com
Creation date: 30 May 2012 07:20:00
Expiration date: 29 May 2013 23:20:00
margretriverhosting.com
Registration Service Provided By: PLANET ONLINE
Contact: +1.8887654932
Website: http://www.planetonline.net
Domain Name: MARGRETRIVERHOSTING.COM
Registrant:
Margret River Hosting
Margret River Hosting (webmaster@margretriverhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366
Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012
Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net
Administrative Contact:
Margret River Hosting
Margret River Hosting (webmaster@margretriverhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366
Technical Contact:
Margret River Hosting
Margret River Hosting (webmaster@margretriverhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366
Billing Contact:
Margret River Hosting
Margret River Hosting (webmaster@margretriverhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366
From the contact page, which is most likely useless:
(314) 714-6057
PO Box 66738 Saint Louis, MO 63166-6738
The information provided in the contact page can be used to chart the spammer’s pattern.
Note the Name server: safetyorangeblazeorangemule.com
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: safetyorangeblazeorangemule.com
Registrant Contact:
Technical Support ()
Fax:
PO Box 29502
Las Vegas, NV 89126
US
Administrative Contact:
Technical Support (domains@newbrandhosting.net)
+1.7026660363
Fax: +1.5555555555
PO Box 29502
Las Vegas, NV 89126
US
Technical Contact:
Technical Support (domains@newbrandhosting.net)
+1.7026660363
Fax: +1.5555555555
PO Box 29502
Las Vegas, NV 89126
US
Status: Locked
Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
dns5.registrar-servers.com
The problem is that domain name registrars such as eNom and NameCheap would not take a proactive stance in fighting this type of spammer. It is pretty obvious that the same individuals are responsible for these domain names. They keep registering new domain names, and the registrars have not done a thing to stop them.
Another domain name related to milkcheesedns.com and grandfatherdns.com just popped up.
Whois information for hallcow.com:
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: hallcow.com
Registrant Contact:
Strong Cloud Hosting
System Administrator ()
Fax:
PO Box 660675
Dallas, TX 75266-0675
US
Administrative Contact:
Strong Cloud Hosting
System Administrator (domains@strongcloudhosting.com)
+1.7026660363
Fax: +1.7026660363
PO Box 660675
Dallas, TX 75266-0675
US
Technical Contact:
Strong Cloud Hosting
System Administrator (domains@strongcloudhosting.com)
+1.7026660363
Fax: +1.7026660363
PO Box 660675
Dallas, TX 75266-0675
US
Status: Active
Name Servers:
ns1.grandfatherdns.com
ns2.grandfatherdns.com
Creation date: 28 Feb 2012 20:48:00
Expiration date: 28 Feb 2013 12:48:00
Note the System Administrator email: domains@strongcloudhosting.com
Whois information on strongcloudhosting.com:
Registration Service Provided By: PLANET ONLINE
Contact: +1.8887654932
Website: http://www.planetonline.net
Domain Name: STRONGCLOUDHOSTING.COM
Registrant:
Strong Cloud Hosting
Domain Admin (contact@strongcloudhosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005
Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012
Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net
Administrative Contact:
Strong Cloud Hosting
Domain Admin (contact@strongcloudhosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005
Technical Contact:
Strong Cloud Hosting
Domain Admin (contact@strongcloudhosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005
Billing Contact:
Strong Cloud Hosting
Domain Admin (contact@strongcloudhosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005
According to contact information on strongcloudhosting.com:
(702) 666-0363
admin@strongcloudhosting.com
PO Box 29502 Las Vegas, NV 89126-9502
These are the same numbers as for newbrandhosting.net and questionableoverthrow.com.
This is another follow-up to the post “Spammer Alert: milkcheesedns.com”
We’ve received a report that NameCheap finally took notice of the spam issue with milkcheesedns.com and suspended the domain. An anonymous tipster forwarded us the message from NameCheap:
Hello,
This is to inform you that milkcheesedns.com domain was suspended. It is now pointed to non-resolving nameservers and will be nullrouted once the propagation is over. The domain is locked for modifications in our system.
Thank you for letting us know about the issue.
We checked the whois information on the domain name and it showed the following:
Domain Name: MILKCHEESEDNS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: BLOCKEDDUETOSPAM.PLEASECONTACTSUPPORT.COM
Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM
Status: clientTransferProhibited
Updated Date: 18-may-2012
Creation Date: 27-feb-2012
Expiration Date: 27-feb-2013
Just today, we’ve uncovered another domain name registered by the same spammer; newbrandhosting.net.
We were tipped off regarding the continuing email spam from nimbleloaf.com. The body of the email links to questionableoverthrow.com.
Whois information on questionableoverthrow.com:
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: questionableoverthrow.com
Registrant Contact:
Technical Support ()
Fax:
PO Box 29502
Las Vegas, NV 89126
US
Administrative Contact:
Technical Support (domains@newbrandhosting.net)
+1.7026660363
Fax: +1.5555555555
PO Box 29502
Las Vegas, NV 89126
US
Technical Contact:
Technical Support (domains@newbrandhosting.net)
+1.7026660363
Fax: +1.5555555555
PO Box 29502
Las Vegas, NV 89126
US
Status: Locked
Name Servers:
ns1.grandfatherdns.com
ns2.grandfatherdns.com
Creation date: 10 May 2012 21:55:00
Expiration date: 10 May 2013 13:55:00
Note the newbrandhosting.net email address and the grandfatherdns.com name servers.
Whois information on grandfatherdns.com:
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: grandfatherdns.com
Registrant Contact:
Rails On Hosting
Sys Admin ()
Fax:
PO Box 660675
Dallas, TX 75266-0675
US
Administrative Contact:
Rails On Hosting
Sys Admin (domains@railsonhosting.com)
+1.7026660363
Fax: +1.7026660363
PO Box 660675
Dallas, TX 75266-0675
US
Technical Contact:
Rails On Hosting
Sys Admin (domains@railsonhosting.com)
+1.7026660363
Fax: +1.7026660363
PO Box 660675
Dallas, TX 75266-0675
US
Status: Locked
Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
dns5.registrar-servers.com
Creation date: 28 Feb 2012 00:17:00
Expiration date: 27 Feb 2013 16:17:00
Whois information on railsonhosting.com:
Domain Name: RAILSONHOSTING.COM
Registrant:
Rails On Hosting
Web Admin (contact@railsonhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366
Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012
Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net
Administrative Contact:
Rails On Hosting
Web Admin (contact@railsonhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366
Technical Contact:
Rails On Hosting
Web Admin (contact@railsonhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366
Billing Contact:
Rails On Hosting
Web Admin (contact@railsonhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366
The phone number provided for railsonhosting.com is 404-671-9366. It is actually the phone number for DEEP GREEN Waste & Recycling, LLC.
On the railsonhosting.com contact page, the contact information is provided as follows:
214-666-6081
PO Box 660675 Dallas, TX 75266-0675
The number 214-666-6081 can also be found on the greyscalehost.com contact page.
The number 214-666-6081 actually goes to the voicemail of someone’s office.
Whois information on greyscalehost.com:
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: greyscalehost.com
Registrant Contact:
Firstinline
System Administrator ()
Fax:
1608 S. Ashland Ave
Chicago, IL 60608
US
Administrative Contact:
Firstinline
System Administrator (domains@1stinlinehosting.com)
+1.3128782798
Fax: +1.3128782798
1608 S. Ashland Ave
Chicago, IL 60608
US
Technical Contact:
Firstinline
System Administrator (domains@1stinlinehosting.com)
+1.3128782798
Fax: +1.3128782798
1608 S. Ashland Ave
Chicago, IL 60608
US
Status: Locked
Name Servers:
ns2713.hostgator.com
ns2714.hostgator.com
Creation date: 06 Sep 2011 23:16:00
Expiration date: 06 Sep 2012 15:16:00
That’s not a surprise; it links back to 1stinlinehosting.com.
Whois information on newbrandhosting.net:
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: newbrandhosting.net
Registrant Contact:
NewBrandHosting
George Mason ()
Fax:
PO Box 10188
#88657
Newark, NJ 71014
US
Administrative Contact:
NewBrandHosting
George Mason (domains@newbrandhosting.net)
+1.9737184005
Fax: +1.5555555555
PO Box 10188
#88657
Newark, NJ 71014
US
Technical Contact:
NewBrandHosting
George Mason (domains@newbrandhosting.net)
+1.9737184005
Fax: +1.5555555555
PO Box 10188
#88657
Newark, NJ 71014
US
Status: Locked
Name Servers:
NS1.JUSTHOST.COM
NS2.JUSTHOST.COM
Creation date: 17 Apr 2012 18:35:00
Expiration date: 17 Apr 2013 10:35:00
newbrandhosting.net is using justhost.com name servers.
As you can see, both newbrandhosting.net and questionableoverthrow.com have the same administrative email address: domains@newbrandhosting.net.
The phone number listed for questionableoverthrow.com is 702-666-0363; it plays the same voice recording as 3rdcloudhosting.com, 1stinlinehosting.com, coomahosting.com and 5thavehost.com.
The phone number listed for newbrandhosting.net (973-718-4005) is actually a fax line registered to CMS Constructions.
This number is also used as the phone number for 1stinlinehosting.com.
Domain Name: 1STINLINEHOSTING.COM
Registrant:
1st Inline Hosting
Domain Admin (contact@1stinlinehosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005
Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012
Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net
coomahosting.com shows a similar modus operandi, using 786-350-1567, which turns out to be a number for ADES Emergency locksmith.
Domain Name: COOMAHOSTING.COM
Registrant:
Cooma Hosting
Cooma Hosting (admin@coomahosting.com)
PO Box 025250
#88657
Miami
Florida,33102
US
Tel. +786.3501567
Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012
Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net
On newbrandhost.com, the contact phone number listed is 773-938-0601.
It goes straight to voicemail, the same voicemail system used for the 5thavehost.com and 3rdcloudhosting.com phone number as listed in the domain name registration (202-505-1004).
Whois information on 5thavehost.com:
Domain Name: 5THAVEHOST.COM
Registrant:
5th Ave Host
5th Ave Host (web@5thavehost.com)
PO Box 3109
#88657
Houston
Texas,77253
US
Tel. +214.2969397
Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012
Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net
Whois information on 3rdcloudhosting.com:
Domain Name: 3RDCLOUDHOSTING.COM
Registrant:
3rdcloudhosting
Domain Admin (admin@3rdcloudhosting.com)
PO Box 3109
#88657
Houston
Texas,77253
US
Tel. +214.2969397
Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012
Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net
Whois information on nimbleloaf.com (abridged):
Domain name: nimbleloaf.com
Registrant Contact:
5thAveHosting
Domains Mgmt ()
Fax:
PO Box 96503
Washington, DC 20090
US
Administrative Contact:
5thAveHosting
Domains Mgmt (domains@5thavehost.com)
+1.3235270448
Fax: +1.3235270448
PO Box 96503
Washington, DC 20090
US
Contact phone number from the respective sites:
– 1stinlinehosting.com | 312-878-2798 | It is going to a voicemail system.
– coomahosting.com | 847-505-0848 | It is going to a voicemail system, and the voice is the same as the one for 1stinlinehosting.com.
– 5thavehost.com | 202-505-1004 | It is going to a voicemail system in one ring, no options to leave any messages.
Contact phone number for 5thavehost.com from “whois nimbleloaf.com” is 323-527-0448, which is registered to Robert McGee in Los Angeles. The first part of the message says:
“Thank you for calling 3rd cloud hosting.”
It is the same voice from the 1stinlinehosting.com and coomahosting.com.
It is also the same voice from (702) 666-0363; the phone number for domains@newbrandhosting.net from questionableoverthrow.com.
Note:
We have opted not to add http links of the spammer domain names in this post. You can always copy and paste the address to check them out.
Follow-up to the post “Spammer Alert: milkcheesedns.com”
Offending domain names registered by 5thavehost.com:
All four domain names above are using the following name servers:
ns1.mobilegroble.com
ns2.mobilegroble.com
mobilegroble.com is registered by coomahosting.com.
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: mobilegroble.com
Registrant Contact:
CoomaHosting
Domains Support ()
Fax:
PO Box 80333
Chicago, IL 60680-3338
US
Administrative Contact:
CoomaHosting
Domains Support (domains@coomahosting.com)
+1.8475050848
Fax: +1.5555555555
PO Box 80333
Chicago, IL 60680-3338
US
Technical Contact:
CoomaHosting
Domains Support (domains@coomahosting.com)
+1.8475050848
Fax: +1.5555555555
PO Box 80333
Chicago, IL 60680-3338
US
Status: Locked
Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
dns5.registrar-servers.com
Creation date: 13 Apr 2012 00:25:00
Expiration date: 12 Apr 2013 16:25:00
Offending domain names registered by coomahosting.com:
The four domain names registered by coomahosting.com are also using mobilegroble.com name servers.
Then it gets more complicated. Spam emails that came from the domain names above are using a different mail server, as shown in the header. For example:
Received: from cowsbucketcast.org ([84.201.8.123])
There are tons of different domain names used by both 5thavehost.com and coomahosting.com, and they are registered by 1stinlinehosting.com.
milkcheesedns.com has something to do with this spammer, for example:
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: yardwristgoose.net
Registrant Contact:
1stinlinehost
Inline First ()
Fax:
1608 S. Ashland Ave.
Chicago, IL 60608
US
Administrative Contact:
1stinlinehost
Inline First (domains@1stinlinehosting.com)
+1.3128782798
Fax: +1.5555555555
1608 S. Ashland Ave.
Chicago, IL 60608
US
Technical Contact:
1stinlinehost
Inline First (domains@1stinlinehosting.com)
+1.3128782798
Fax: +1.5555555555
1608 S. Ashland Ave.
Chicago, IL 60608
US
Status: Locked
Name Servers:
ns1.milkcheesedns.com
ns2.milkcheesedns.com
Creation date: 01 Mar 2012 06:14:00
Expiration date: 28 Feb 2013 22:14:00
Note the name servers:
Name Servers:
ns1.milkcheesedns.com
ns2.milkcheesedns.com
whois milkcheesedns.com:
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: milkcheesedns.com
Registrant Contact:
5th AVE Hosting
Trev Itamar ()
Fax:
PO Box 96503
Washington, DC 20090
US
Administrative Contact:
5th AVE Hosting
Trev Itamar (domains@5thavehost.com)
+1.3235270448
Fax: +1.3235270448
PO Box 96503
Washington, DC 20090
US
Technical Contact:
5th AVE Hosting
Trev Itamar (domains@5thavehost.com)
+1.3235270448
Fax: +1.3235270448
PO Box 96503
Washington, DC 20090
US
Status: Locked
Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
dns5.registrar-servers.com
Creation date: 28 Feb 2012 00:07:00
Expiration date: 27 Feb 2013 16:07:00
It goes back to 5thavehost.com.
UPDATE:
5thavehost.com also registers:
The domain names in this group are using professdns.com as name server.
Name Server: NS1.PROFESSDNS.COM
Name Server: NS2.PROFESSDNS.COM
/UPDATE
It is clear that 5thavehost.com, 1stinlinehosting.com and coomahosting.com are run by the same individual or individuals.
Contact phone numbers based on whois information on each domain:
Contact phone number from the respective sites:
Contact phone number for 5thavehost.com from “whois nimbleloaf.com” is 323-527-0448, which is registered to Robert McGee in Los Angeles. The first part of the message says:
“Thank you for calling 3rd cloud hosting.”
It is the same voice from the 1stinlinehosting.com and coomahosting.com!
There is 3rdcloudhosting.com, and whois provides the following information:
Registration Service Provided By: PLANET ONLINE
Contact: +1.8887654932
Website: http://www.planetonline.net
Domain Name: 3RDCLOUDHOSTING.COM
Registrant:
3rdcloudhosting
Domain Admin (admin@3rdcloudhosting.com)
PO Box 3109
#88657
Houston
Texas,77253
US
Tel. +214.2969397
Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012
Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net
That number, 214-296-9397, is the same number listed in the 5thavehost.com whois information.
It is clear that all four domain names are related and likely run by the same individual. Who is this Robert McGee person, the name registered to 323-527-0448?
If you’re receiving spam email from the domains listed in this post or somehow related to 1stinlinehosting.com, coomahosting.com and 5thavehost.com, please let us know. Don’t forget to report the spam to:
Do run a whois query to find out more about the domain name registration.
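The manual pivoting done throughout these posts can be automated; the script below is an added example, not the author's tooling. It groups domains whose whois records share a contact e-mail domain, a phone number or a name-server domain. The records are abridged from the ones quoted above and flattened to one line each; control.example and its phone number are constructed, and the IGNORE list is an assumption about which values unrelated customers share.

```python
import re
from collections import defaultdict

# Whois fields abridged from the records quoted on this page, one record per line.
# control.example is a constructed record that shares only registrar defaults.
SAMPLE = """\
Domain name: questionableoverthrow.com; (domains@newbrandhosting.net); +1.7026660363; Fax: +1.5555555555; ns1.grandfatherdns.com
Domain name: grandfatherdns.com; (domains@railsonhosting.com); +1.7026660363; dns1.registrar-servers.com
Domain name: newbrandhosting.net; (domains@newbrandhosting.net); +1.9737184005; Fax: +1.5555555555; NS1.JUSTHOST.COM
Domain Name: 1STINLINEHOSTING.COM; (contact@1stinlinehosting.com); Tel. +973.7184005; ns1.planetonline.net
Domain name: yardwristgoose.net; (domains@1stinlinehosting.com); +1.3128782798; Fax: +1.5555555555; ns1.milkcheesedns.com
Domain name: milkcheesedns.com; (domains@5thavehost.com); +1.3235270448; dns1.registrar-servers.com
Domain name: control.example; (admin@control.example); +1.2025550100; Fax: +1.5555555555; dns1.registrar-servers.com
"""

# Assumption: values shared by unrelated customers (placeholder fax, provider DNS).
IGNORE = {"5555555555", "registrar-servers.com", "planetonline.net", "justhost.com"}

def pivots(record):
    """Return (domain, pivot values) for one whois record."""
    text = record.lower()
    domain = re.search(r"domain name:\s*([a-z0-9.-]+)", text).group(1)
    # Domains of the contact e-mail addresses.
    found = set(re.findall(r"@([a-z0-9.-]+)", text))
    # Phone and fax numbers, normalised to their last ten digits.
    found |= {(cc + num)[-10:] for cc, num in re.findall(r"\+(\d+)\.(\d+)", text)}
    # Name servers, reduced to the domain they live under.
    found |= set(re.findall(r"\b(?:ns|dns)\d*\.([a-z0-9.-]+)", text))
    return domain, (found | {domain}) - IGNORE

def cluster(whois_text):
    """Group domains that share a pivot value, directly or transitively."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    domains = []
    for record in whois_text.strip().splitlines():
        domain, values = pivots(record)
        domains.append(domain)
        for value in values:
            parent[find(value)] = find(domain)  # union the two sets
    groups = defaultdict(set)
    for domain in domains:
        groups[find(domain)].add(domain)
    return sorted(groups.values(), key=len, reverse=True)

if __name__ == "__main__":
    for group in cluster(SAMPLE):
        print(sorted(group))
```

Without the IGNORE set, the placeholder fax number and the registrar's default name servers would pull the control record into the same group as the spam domains.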