I've seen at least two cases today of domains used in fake Rolex etc. spams that were untypically old. The oldest was
Domain Name: ALLREDMETAL.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS2.ALLREDMETAL.COM
Name Server: NS1.ALLREDMETAL.COM
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientUpdateProhibited
EPP Status: clientTransferProhibited
Updated Date: 29-Jun-2006
Creation Date: 03-Apr-1997
Expiration Date: 04-Apr-2010
It is currently hosted in Russia even though it was the domain of a company in North Carolina.
It was registered years ago and paid a few years in advance. This does not look like a spammer domain at all. Here are the contact details of the owner obtained via archive.org:
Allred Metal Stamping Works
1305 Thomasville Rd.
High Point, NC 27260
M-F, 9 AM-5 PM EST
800.299.7421
336.886.5221
Fax: 336.841.6201
It almost looks like the domain registration was hijacked, because the domain was updated yesterday.
Here is the corresponding spam:
=====
Received: by mx0.webpack.hosteurope.de (theta.mc1.hosteurope.de)
    running EXperimental Internet Mailer (even more power) using esmtp
    from 86-63-112-191.asta-net.com.pl ([86.63.112.191] helo=BABY)
    id 1FwEsI-0004E4-U8 for MYEMAILACCOUNT; Fri, 30 Jun 2006 11:01:19 +0200
Message-Id: 00d301c69c1b$88371880$343d3681@vjyssa
From: "saunder mason" wilmeraguilar@purinmail.com
To: "garald mckenna" <MYEMAILACCOUNT>
Subject: Luxury
Date: Fri, 30 Jun 2006 08:04:44 +0000

TOP BRANDS - LOW LOW PRICES
Jewelry * Handbags * Pens * Watches * Neckties * Clutches * Wallets
Leather, silk and white gold sound good? Visit our site for real photos. Everything comes with a certificate, tags and all the extras, plus a warranty.
http://allredmetal.com/luxury/
salt prairie fly frame fresh-fallen corn shocker kettle net soul-imitating vacuum vessel snow hut chlorine azide sad-seeming feed store weight-lifting hermit warbler drift bottle wife-bound game bird trip catch bore meal key desk blue-glimmering gathering coal magnifying glass tone painting ten-hour blood baptism cotton plugger jack block
=====
These hijacked domains all contain several folders, with mortgage spam sites, gambling sites, fake Rolex sites, etc. The oldest folder on this site almost exactly matches the site renewal date.
Here's another one:
Domain Name: MINIEXAMINER.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS2.MINIEXAMINER.COM
Name Server: NS1.MINIEXAMINER.COM
Status: ACTIVE
EPP Status: ok
Updated Date: 26-Jun-2006
Creation Date: 05-Apr-2001
Expiration Date: 05-Apr-2008
and
====
TOP BRANDS - LOW LOW PRICES
Jewelry * Handbags * Pens * Watches * Neckties * Clutches * Wallets
Leather, silk and white gold sound good? Visit our site for real photos. Everything comes with a certificate, tags and all the extras, plus a warranty.
http://miniexaminer.com/luxury/
pig hutch integral cover fuzzy-legged para red terra orellana rub-dub rock basin lavender grass willow acacia singing master tariff treaty grid leak Nonintercourse act slow-contact single-hung gopher plum queer-tempered transmission bands cloth doubler long-stroke ginger root big bluestem Non-egyptologist plague-smitten sab-cat vice-librarian wheat thief
====
The month/day of expiration (ignoring the year) of both domains is almost the same. Both now point to the same server in Russia. And take a look at this - "domain pending transfer":
=====
Registrant Contact:
   DICK HUSSEY ENTERPRISES
   NA NA (NA)
   NA
   Fax:
   PO BOX 500280
   MALABAR, FL 32950-0280
   US

Administrative Contact:
   RegisterFly.com, inc.
   Domain Pending Transfer (transfers@registerfly.com)
   +1.9737362545
   Fax: +1.9737361355
   404 Main Street 4th Floor
   Boonton, NJ 07005
   US

Technical Contact:
   NA LLC
   Network Solutions (customerservice@networksolutions.com)
   +1.8886429675
   Fax: +1.5714344620
   13200 Woodland Park Drive
   Herndon, CO 20171-3025
   US
=====
Anybody else noticed anything like this?
Joe Wein
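
The pattern described in the post above (a domain registered years ago whose WHOIS record changed only days before it showed up in spam) can be checked mechanically. This is an added example, not part of the original post; the function names, the thresholds and the assumption that both spams were seen on 30 Jun 2006 are illustrative.

```python
import re
from datetime import date, datetime

# Date fields copied from the two WHOIS records quoted in the post.
WHOIS_RECORDS = [
    "Domain Name: ALLREDMETAL.COM\nUpdated Date: 29-Jun-2006\n"
    "Creation Date: 03-Apr-1997\nExpiration Date: 04-Apr-2010",
    "Domain Name: MINIEXAMINER.COM\nUpdated Date: 26-Jun-2006\n"
    "Creation Date: 05-Apr-2001\nExpiration Date: 05-Apr-2008",
]
# Date header of the quoted spam; assumed here to apply to both domains.
SPAM_SEEN = date(2006, 6, 30)

FIELD_RE = re.compile(
    r"^\s*(Domain Name|Updated Date|Creation Date|Expiration Date):\s*(\S+)\s*$",
    re.MULTILINE,
)

def parse_whois(text):
    """Extract the domain name and the date fields from a WHOIS record."""
    rec = {}
    for key, value in FIELD_RE.findall(text):
        if key == "Domain Name":
            rec["domain"] = value.lower()
        else:
            rec[key.split()[0].lower()] = datetime.strptime(value, "%d-%b-%Y").date()
    missing = {"domain", "creation", "updated"} - rec.keys()
    if missing:
        raise ValueError(f"WHOIS record lacks fields: {sorted(missing)}")
    return rec

def assess(rec, seen_on, min_age_years=3.0, recent_days=14):
    """Flag an old domain whose record changed shortly before it appeared in spam.

    Thresholds are illustrative assumptions, not values from the post.
    """
    age_years = (seen_on - rec["creation"]).days / 365.25
    days_since_update = (seen_on - rec["updated"]).days
    return {
        "domain": rec["domain"],
        "age_years": round(age_years, 1),
        "days_since_update": days_since_update,
        "suspect_hijack": age_years >= min_age_years
        and 0 <= days_since_update <= recent_days,
    }

def review(records=WHOIS_RECORDS, seen_on=SPAM_SEEN):
    """Assess every record against the date the spam was seen."""
    return [assess(parse_whois(r), seen_on) for r in records]
```

A flag from this check is a reason to look at the registrar transfer history and current hosting, not proof of a hijack: legitimate owners also update old registrations.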