Phishing Alert: Google Apps Edition

There has been a lot of phishing email over the past week, and this one pretends to come from Google Apps.

Should you be receiving this type of phishing email, do not click on the link under any circumstances.

You can:

[Screenshot: Google Apps phishing email]

Tasteless and Despicable

Let me start by saying that spammers are despicable and tasteless, especially when they’re exploiting a tragedy such as the explosions at the Boston Marathon.

Spammers who want to spread malware are sinking to another low. A number of readers told us they have been getting spam with subjects containing "explosion at Boston Marathon".

[Screenshots: spam emails exploiting the Boston Marathon explosion]

The From addresses are blanked out because they might be used as identifiers by the spammers.

One of the addresses has been flagged by Google as a site that "may harm your computer."

[Screenshot: fake Boston Marathon explosion news site]

Spammer Alert: leecheryl182@gmail.com

We received another tip from readers about a particular spammer related to hefallsintothe.com. The admin contact of the domain name is leecheryl182@gmail.com. The domain name hefallsintothe.com is using the name servers ns1.insulationfromtheelements.com and ns2.insulationfromtheelements.com.

The domain names are registered through namecheap.com.

whois hefallsintothe.com:

Administrative Contact:

Web Master (leecheryl182@gmail.com)
+1.7734130857
Fax:
616 Corporate Way
Suite 2
Valley College, NY 10989
US

Creation date: 19 Mar 2013 19:06:00
Expiration date: 19 Mar 2014 11:06:00

whois insulationfromtheelements.com:

Administrative Contact:
Brightness Partners
Network Admin (dns@brightnesspartners.com)
+1.8004094960
Fax: +1.5555555555
6321 W Dempster St
Suite 161
Morton Grove, IL 60053
US

Creation date: 19 Mar 2013 20:53:00
Expiration date: 19 Mar 2014 12:53:00

whois brightnesspartners.com:

Administrative Contact:
Brightness Partners
Network Admin (dns@brightnesspartners.com)
+1.8004094960
Fax: +1.5555555555
6321 W Dempster St
Suite 161
Morton Grove, IL 60053
US

Creation date: 19 Mar 2013 20:36:00
Expiration date: 19 Mar 2014 12:36:00

Partial list of domain names related to dns@brightnesspartners.com:

Partial list of domain names with leecheryl182@gmail.com as admin contacts:


Spammer Alert: the connection between x-celerated.com and 1stinlinehosting.com

A comment from a reader prompted us to revisit an older post on a spammer with domain name 1stinlinehosting.com. It is apparent that the same spammer also operates x-celerated.com. We should have realized that sooner.

The domain name submitted by the reader is mlifeprogression.com, and its whois information shows the mailing address:

1608 S. Ashland Ave
Chicago, Illinois 60608

This is the very same address, a mailbox service, used by the possibly fictional Tom Slater of x-celerated.com.

[Screenshot: whois record for mlifeprogression.com]

If you want to fight the spammers back, consider the following:

We thank our readers for their contributions.

Spammer Alert: x-celerated.com

UPDATE 4:
This spammer is also related to wreese2013@hotmail.com.
The first spam reported to us came from the ldirect.us domain.
Definitely related to thegrapekiwi@gmail.com.
The phone number given as the administrative contact, 1.5037469135, seems to be used a lot for spam domain names.

UPDATE 3:
This spammer is also related to thegrapekiwi@gmail.com, which is in the Register of Known Spam Operations (ROKSO).
Source: The Spamhaus Project

UPDATE 2:
Also related to Xcelerate:

cherwo.co.uk (Registered on: 21-Mar-2013)

Domain name:
cherwo.co.uk

Registrant:
EvoMedia

Registrant type:
Non-UK Corporation

Registrant’s address:
PO Box 025250 #52990
Miami
FL
33102
United States

Registrar:
eNom, Inc. [Tag = ENOM]
URL: http://www.enom.com

UPDATE:
Based on recent findings, the tslater@x-celerated.com spammer is related to the admin@sevenquest.com spammer.

A few weeks ago we started getting requests to investigate a particular round of spam emails. The spam seems to be using domain names with the same registration information.

Administrative Contact:
Xcelerate
Tom Slater (tslater@x-celerated.com)
+1.7733288013
Fax: +1.5555555555
1608 S. Ashland Ave
Chicago, IL 60608
US

Partial list of domains registered with email tslater@x-celerated.com through enom.com / namecheap.com:

The domain x-celerated.com was registered through DreamHost:

Registrant Contact:
x-celerated.com Private Registrant x-celerated.com@proxy.dreamhost.com
A Happy DreamHost Customer
417 Associated Rd #324
Brea, CA 92821
US
+1.7147064182

[Screenshot: x-celerated.com]

We informed DreamHost of our findings on x-celerated.com, and we received a reply:

Unfortunately, we provide neither hosting services, nor email services, for any of these domains. The same is true for x-celerated.com, for which we are only the registrar.

We looked into the address of Xcelerate’s Tom Slater. It is a mailbox service by Earth Class Mail in Chicago.

A Virtual Presence In Chicago
Street and PO Box addresses available:

Street Address
1608 S Ashland Ave.
Chicago, Illinois 60608-2013
Just $14.95 per month in addition to Monthly subscription fees
Will-call pickup not available

PO Box
PO Box 803338
Chicago, IL 60680-3338
Included in your monthly subscription fee

We cross-referenced the phone number 773-328-8013 and the Earth Class Mail addresses, and found a domain using the Earth Class Mail service together with the phone number 773-328-8013.

Administrative Contact:
TruTech
Mike Young (admin@techtru.com)
+1.7733288013
Fax: +1.7733288013
PO Box 803338
Chicago, IL 60680
US

The domain techtru.com was registered through enom.com / namecheap.com on August 27, 2012.

We called the number 773-328-8013 and reached an automated voicemail:

You’ve been forwarded to the voicemail for *text to speech voice* “xcelerate”.

It seems that Xcelerate is a shell company for the spammer to hide behind.

The sender's email address can be spoofed, but in this case Xcelerate / x-celerated.com is highly likely to be involved. Consider the following patterns:

  • The domain names are registered through enom.com / namecheap.com
  • Each domain name is composed of two English dictionary words that seem to be randomly chosen
  • The registration info of the domain names is the same
  • The domain names were recently registered / created
  • The voicemail for 773-328-8013 mentions "Xcelerate"
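As an added example that is not part of the original post, the script below turns the patterns listed above, together with the whois cross-referencing done earlier in the post, into a small triage check: it parses admin contact details out of whois-style records, clusters domains that share the same contact, and flags recently created domains whose label is two dictionary words. The records, the word list and the "today" date are constructed samples, not real registrations.

```python
import re
from datetime import datetime, timedelta

# Constructed whois-style records in the layout the post quotes (sample input, not real data).
WHOIS_RECORDS = {
    "acceptgrand.example": "Administrative Contact:\nJ Doe (contact@holding.example)\n+1.5555550100\nCreation date: 06 Mar 2013 10:00:00",
    "telloffice.example": "Administrative Contact:\nJ Doe (contact@holding.example)\n+1.5555550100\nCreation date: 14 Mar 2013 09:30:00",
    "oldcorp.example": "Administrative Contact:\nIT (it@oldcorp.example)\n+1.5555550199\nCreation date: 02 Jan 2005 12:00:00",
}
# Small constructed dictionary standing in for a real English word list.
WORDS = {"accept", "grand", "tell", "office", "old", "corp"}
# Constructed "today" so the recency check is deterministic.
TODAY = datetime(2013, 4, 1)

def parse_record(text):
    """Pull admin e-mail, phone and creation date out of a whois-style record."""
    email = re.search(r"\(([^)\s]+@[^)\s]+)\)", text)
    phone = re.search(r"^\+\d[\d.]+$", text, re.M)
    created = re.search(r"Creation date:\s*(\d{1,2} \w{3} \d{4})", text)
    return {
        "email": email.group(1).lower() if email else None,
        "phone": phone.group(0) if phone else None,
        "created": datetime.strptime(created.group(1), "%d %b %Y") if created else None,
    }

def is_two_dictionary_words(domain, words=WORDS):
    """True if the domain label splits into exactly two dictionary words."""
    label = domain.split(".")[0]
    return any(label[:i] in words and label[i:] in words for i in range(1, len(label)))

def cluster_by_contact(records):
    """Group domains that share the same admin e-mail and phone number."""
    clusters = {}
    for domain, rec in records.items():
        clusters.setdefault((rec["email"], rec["phone"]), []).append(domain)
    return clusters

def flag_suspicious(raw_records, now=TODAY, max_age_days=60):
    """Flag domains that share a contact with others, are newly created, and use a two-word label."""
    parsed = {d: parse_record(t) for d, t in raw_records.items()}
    clusters = cluster_by_contact(parsed)
    flagged = []
    for domain, rec in parsed.items():
        shared = len(clusters[(rec["email"], rec["phone"])]) > 1
        recent = rec["created"] is not None and now - rec["created"] <= timedelta(days=max_age_days)
        if shared and recent and is_two_dictionary_words(domain):
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_suspicious(WHOIS_RECORDS))
```

With the constructed records, the two recent domains sharing a contact are flagged while the old single-contact domain is not; a real run would substitute bulk whois output and a full word list.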

If you would like to fight these spammers, use services like SpamCop.net and report them. SpamCop.net provides a free service; we encourage you to subscribe to their paid service for a nominal fee. After all, they are providing a great service.

——-

Disclaimer:
We use SpamCop.net service.

Reporting malicious links to bitly

A recent round of spam propagated through hacked Twitter accounts and the bitly URL shortener has become a topic of discussion. Just a few days ago the Twitter account of Greg Hetson (Bad Religion, Circle Jerks) was hacked and a bitly-shortened link to a spam site was posted.

If you encounter any malicious or spam link using bit.ly, please report it to bitly immediately.

You can report spam links to support@bitly.com to have them blocked. Include the word 'spam' in the message, along with the link and information about how you received it.

From time to time you will see bitly warn visitors about the malicious URL they are about to visit.

[Screenshot: bitly warning page]