Scam Alert: Fake Email from Dropbox

It seems the same group of spammers/scammers is at it again. This time they are sending fake Dropbox emails.

Remember that Dropbox does not send emails telling users that their “image has been damaged”.

If you’re an iCloud user, forward this message as attachment to spam@icloud.com.

You could also use SpamCop’s services, and please donate if you can.

[Image: fake Dropbox spam email]

Scam Alert: Fake WhatsApp Messages

The scammers keep trying to fool people by blindly sending messages to unsuspecting victims. I’ve been getting a lot of reports from acquaintances that they received similar scam emails in the past few days.

First off, I always keep an eye out for this type of scam email. Second, I don’t use WhatsApp.

If you’re an iCloud user, forward this message as attachment to spam@icloud.com.

I also use a service called SpamCop at SpamCop.net. If you feel compelled to use their service, please donate if you can.

[Image: WhatsApp scam message]

Spammer Alert: x-celerated.com

UPDATE 4:
This spammer is also related to wreese2013@hotmail.com.
The first spam reported to us came from the ldirect.us domain.
It is definitely related to thegrapekiwi@gmail.com.
The phone number given as the administrative contact, 1.5037469135, seems to be used for a lot of spam domain names.

UPDATE 3:
This spammer is also related to thegrapekiwi@gmail.com, which is in the Register of Known Spam Operations (ROKSO).
Source: The Spamhaus Project

UPDATE 2:
Also related to Xcelerate:

cherwo.co.uk (Registered on: 21-Mar-2013)

Domain name:
cherwo.co.uk

Registrant:
EvoMedia

Registrant type:
Non-UK Corporation

Registrant’s address:
PO Box 025250 #52990
Miami
FL
33102
United States

Registrar:
eNom, Inc. [Tag = ENOM]
URL: http://www.enom.com

UPDATE:
Based on recent findings, the spammer behind tslater@x-celerated.com is related to the spammer behind admin@sevenquest.com.

A few weeks ago we started getting requests to investigate a particular round of spam emails. The spam appears to use domain names that all share the same registration information.

Administrative Contact:
Xcelerate
Tom Slater (tslater@x-celerated.com)
+1.7733288013
Fax: +1.5555555555
1608 S. Ashland Ave
Chicago, IL 60608
US

Partial list of domains registered with the email tslater@x-celerated.com through enom.com / namecheap.com:


The domain x-celerated.com was registered through DreamHost:

Registrant Contact:
x-celerated.com Private Registrant x-celerated.com@proxy.dreamhost.com
A Happy DreamHost Customer
417 Associated Rd #324
Brea, CA 92821
US
+1.7147064182

[Image: x-celerated]

We informed DreamHost of our findings on x-celerated.com, and we received a reply:

Unfortunately, we provide neither hosting services, nor email services, for any of these domains. The same is true for x-celerated.com, for which we are only the registrar.

We looked into the address of Xcelerate’s Tom Slater. It is a mailbox service by Earth Class Mail in Chicago.

A Virtual Presence In Chicago
Street and PO Box addresses available:

Street Address
1608 S Ashland Ave.
Chicago, Illinois 60608-2013
Just $14.95 per month in addition to Monthly subscription fees
Will-call pickup not available

PO Box
PO Box 803338
Chicago, IL 60680-3338
Included in your monthly subscription fee

We cross-referenced the phone number 773-328-8013 and the addresses from Earth Class Mail, and found a domain using the Earth Class Mail service together with the phone number 773-328-8013.

Administrative Contact:
TruTech
Mike Young (admin@techtru.com)
+1.7733288013
Fax: +1.7733288013
PO Box 803338
Chicago, IL 60680
US

The domain techtru.com was registered through enom.com / namecheap.com on August 27, 2012.

We called the number 773-328-8013 and got the automated voicemail:

You’ve been forwarded to the voicemail for *text to speech voice* “xcelerate”.

It seems that Xcelerate is a shell company for the spammer to hide behind.

A sender’s email address can be spoofed, but in this case Xcelerate / x-celerated.com is highly likely to be involved. Consider the following patterns:

  • The domain names are registered through enom.com / namecheap.com
  • Each domain name is composed of two English dictionary words that seem to be randomly chosen
  • The registration info of the domain names is the same
  • The domain names were recently registered / created
  • The voicemail for 773-328-8013 mentions “Xcelerate”

If you would like to fight these spammers, use services like SpamCop.net and report them. SpamCop.net provides a free service; we encourage you to subscribe to their service for a nominal fee. After all, they are providing a great service.

——-

Disclaimer:
We use SpamCop.net service.

SpamCop.net

The evil admin forwarded me a message from a reader just a few minutes ago.

I’m writing to see if you’ve been able to make any headway on the “milkcheesedns.com” spammer that you posted about several times this year. I’ve been receiving a large amount of this junk mail through one of my accounts and it’s practically unbearable. There’s a new domain name every day and my email host isn’t doing anything to improve their filters. The WHOIS records of these offending domains all point back to eNom.com / namecheap.com. I’ve tried contacting eNom, as you did, but my results were the same — their abuse form is broken and they don’t seem very cooperative to begin with. Can you offer any suggestions on how this jerk can be stopped? Besides the registrar and the usual “abuse@___.com” address, which is useless, what else can be done? I appreciate your thoughts.

Fighting spammers is an ongoing battle. We suggest that users create accounts at SpamCop.net and report the spam.

Spammer Alert: 1stinLineHosting, Cooma Hosting and 5th Ave. Hosting.

Note:
We have opted not to add http links to the spammer domain names in this post. You can always copy and paste the addresses to check them out.

Follow up to the post “Spammer Alert: milkcheesedns.com”

Offending domain names registered by 5thavehost.com:

  • nimbleloaf.com
  • synergizeroom.com
  • statestructure.com
  • dynamicfrog.com

All four domain names above are using the following name servers:

ns1.mobilegroble.com
ns2.mobilegroble.com

mobilegroble.com is registered by coomahosting.com.

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com

Domain name: mobilegroble.com

Registrant Contact:
CoomaHosting
Domains Support ()

Fax:
PO Box 80333
Chicago, IL 60680-3338
US

Administrative Contact:
CoomaHosting
Domains Support (domains@coomahosting.com)
+1.8475050848
Fax: +1.5555555555
PO Box 80333
Chicago, IL 60680-3338
US

Technical Contact:
CoomaHosting
Domains Support (domains@coomahosting.com)
+1.8475050848
Fax: +1.5555555555
PO Box 80333
Chicago, IL 60680-3338
US

Status: Locked

Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
dns5.registrar-servers.com

Creation date: 13 Apr 2012 00:25:00
Expiration date: 12 Apr 2013 16:25:00

Offending domain names registered by coomahosting.com:

  • marketexpertsextra.com
  • behavedetailsextra.com
  • adapttipslifetime.com
  • dancelifetimelifetime.com

The four domain names registered by coomahosting.com also use the mobilegroble.com name servers.

Then it gets more complicated. Spam emails that came from the domain names above use a different mail server, as shown in the Received header. For example:

Received: from cowsbucketcast.org ([84.201.8.123])

There are tons of other domain names used by both 5thavehost.com and coomahosting.com, and they are registered by 1stinlinehosting.com:


milkcheesedns.com has something to do with this spammer. For example:

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com

Domain name: yardwristgoose.net

Registrant Contact:
1stinlinehost
Inline First ()

Fax:
1608 S. Ashland Ave.
Chicago, IL 60608
US

Administrative Contact:
1stinlinehost
Inline First (domains@1stinlinehosting.com)
+1.3128782798
Fax: +1.5555555555
1608 S. Ashland Ave.
Chicago, IL 60608
US

Technical Contact:
1stinlinehost
Inline First (domains@1stinlinehosting.com)
+1.3128782798
Fax: +1.5555555555
1608 S. Ashland Ave.
Chicago, IL 60608
US

Status: Locked

Name Servers:
ns1.milkcheesedns.com
ns2.milkcheesedns.com

Creation date: 01 Mar 2012 06:14:00
Expiration date: 28 Feb 2013 22:14:00

Note the name servers:

Name Servers:
ns1.milkcheesedns.com
ns2.milkcheesedns.com

whois milkcheesedns.com:

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com

Domain name: milkcheesedns.com

Registrant Contact:
5th AVE Hosting
Trev Itamar ()

Fax:
PO Box 96503
Washington, DC 20090
US

Administrative Contact:
5th AVE Hosting
Trev Itamar (domains@5thavehost.com)
+1.3235270448
Fax: +1.3235270448
PO Box 96503
Washington, DC 20090
US

Technical Contact:
5th AVE Hosting
Trev Itamar (domains@5thavehost.com)
+1.3235270448
Fax: +1.3235270448
PO Box 96503
Washington, DC 20090
US

Status: Locked

Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
dns5.registrar-servers.com

Creation date: 28 Feb 2012 00:07:00
Expiration date: 27 Feb 2013 16:07:00

It goes back to 5thavehost.com.

UPDATE:

5thavehost.com also registers a further group of domain names:


The domain names in this group use professdns.com as their name server:

Name Server: NS1.PROFESSDNS.COM
Name Server: NS2.PROFESSDNS.COM

/UPDATE

It is clear that 5thavehost.com, 1stinlinehosting.com and coomahosting.com are run by the same individual or individuals.

Contact phone numbers based on whois information on each domain:

  • 1stinlinehosting.com | 973-718-4005 | It turns out to be a fax line.
  • 5thavehost.com | 214-296-9397 | It turns out to be a fax line.
  • coomahosting.com | 786-350-1567 | It turns out to be the number for ADES Emergency Locksmith.
    The same phone number is also used to register other domain names with the email fifithave@gmail.com. All sampled domain names registered to this email address have already expired or been terminated.

Contact phone number from the respective sites:

  • 1stinlinehosting.com | 312-878-2798 | It is going to a voicemail system.
  • coomahosting.com | 847-505-0848 | It is going to a voicemail system, and the voice is the same as the one for 1stinlinehosting.com.
  • 5thavehost.com | 202-505-1004 | It is going to a voicemail system in one ring, no options to leave any messages.

The contact phone number for 5thavehost.com from “whois nimbleloaf.com” is 323-527-0448, which is registered to Robert McGee in Los Angeles. The first part of the voicemail message says:

“Thank you for calling 3rd cloud hosting.”

It is the same voice from the 1stinlinehosting.com and coomahosting.com!

There is a 3rdcloudhosting.com, and whois provides the following information:

Registration Service Provided By: PLANET ONLINE
Contact: +1.8887654932
Website: http://www.planetonline.net

Domain Name: 3RDCLOUDHOSTING.COM

Registrant:
3rdcloudhosting
Domain Admin (admin@3rdcloudhosting.com)
PO Box 3109
#88657
Houston
Texas, 77253
US
Tel. +214.2969397

Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012

Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net

That number 214-296-9397 is the same number listed in 5thavehost.com whois information.

It is clear that all four domain names are related and likely run by the same individual. Who is this Robert McGee person, the name registered to 323-527-0448?
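The cross-referencing done in this follow-up, and the pattern list in the x-celerated.com post above, amount to pivoting on WHOIS contact fields and custom name servers. The Python below is an added example, not code from the original posts: it clusters domains that share a phone number, a contact email, or a name server whose parent domain is itself in the set, and it deliberately ignores values that unrelated registrants also share. The records are hand-copied from the WHOIS excerpts quoted in these posts (simplified); example-shop.com is an invented control.

```python
from collections import defaultdict

# Constructed records (email, phone, fax, name servers) hand-copied from the WHOIS
# excerpts quoted in this post, simplified. example-shop.com is an invented control.
RECORDS = {
    "acceptgrand.com": ("tslater@x-celerated.com", "+1.7733288013", "+1.5555555555", ["dns1.registrar-servers.com"]),
    "techtru.com": ("admin@techtru.com", "+1.7733288013", "+1.7733288013", ["dns1.registrar-servers.com"]),
    "nimbleloaf.com": ("domains@5thavehost.com", "+1.3235270448", "+1.3235270448", ["ns1.mobilegroble.com", "ns2.mobilegroble.com"]),
    "mobilegroble.com": ("domains@coomahosting.com", "+1.8475050848", "+1.5555555555", ["dns1.registrar-servers.com"]),
    "yardwristgoose.net": ("domains@1stinlinehosting.com", "+1.3128782798", "+1.5555555555", ["ns1.milkcheesedns.com", "ns2.milkcheesedns.com"]),
    "milkcheesedns.com": ("domains@5thavehost.com", "+1.3235270448", "+1.3235270448", ["dns1.registrar-servers.com"]),
    "example-shop.com": ("hostmaster@example-shop.com", "+1.2025550100", "+1.5555555555", ["dns1.registrar-servers.com"]),
}

# Values shared by unrelated registrants carry no signal: the +1.5555555555 placeholder
# fax and the registrar's default name servers. Street addresses are left out on purpose;
# the Earth Class Mail box in this post is a mailbox service shared by many customers.
GENERIC = {"+1.5555555555", "registrar-servers.com"}

def pivots(domain, rec):
    """Return the (kind, value) keys this domain can be linked on."""
    email, phone, fax, nameservers = rec
    keys = {("domain", domain), ("email", email.lower())}
    keys |= {("phone", n) for n in (phone, fax) if n not in GENERIC}
    for ns in nameservers:
        parent = ".".join(ns.lower().split(".")[-2:])
        if parent not in GENERIC:
            # Using ns1.mobilegroble.com links a domain to mobilegroble.com's own record
            keys.add(("domain", parent))
    return keys

def cluster(records):
    """Group domains that transitively share any pivot key (union-find)."""
    holders = defaultdict(list)
    for domain, rec in records.items():
        for key in pivots(domain, rec):
            holders[key].append(domain)
    parent = {d: d for d in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d
    for members in holders.values():
        for d in members[1:]:
            parent[find(d)] = find(members[0])
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=sorted)
```

On these records the result is two clusters matching the two posts plus the lone control domain; a live run would feed the same function with fields parsed from actual whois output.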

If you’re receiving spam email from the domains listed in this post, or from domains somehow related to 1stinlinehosting.com, coomahosting.com and 5thavehost.com, please let us know. Don’t forget to report the spam to:

Do run a whois query to find out more about the domain name registration.