[SURBL-Discuss] Rolex spam on hijacked domains
Joe Wein
joewein at pobox.com
Fri Jun 30 16:13:16 CEST 2006
I've seen at least two cases today of domains used in fake Rolex etc. spams
that were untypically old. The oldest was
Domain Name: ALLREDMETAL.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS2.ALLREDMETAL.COM
Name Server: NS1.ALLREDMETAL.COM
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientUpdateProhibited
EPP Status: clientTransferProhibited
Updated Date: 29-Jun-2006
Creation Date: 03-Apr-1997
Expiration Date: 04-Apr-2010
It is currently hosted in Russia even though it was the domain of a company
in North Carolina.
It was registered years ago and paid a few years in advance. This does not
look like a spammer domain at all. Here are the contact details of the owner
obtained via archive.org:
Allred Metal Stamping Works
1305 Thomasville Rd.
High Point, NC 27260
M-F, 9 AM-5 PM EST
800.299.7421
336.886.5221
Fax: 336.841.6201
It almost looks like the domain registration was hijacked, because the
domain was updated yesterday.
Here is the corresponding spam:
=====
Received: by mx0.webpack.hosteurope.de (theta.mc1.hosteurope.de) running
EXperimental Internet Mailer (even more power) using esmtp
from 86-63-112-191.asta-net.com.pl ([86.63.112.191] helo=BABY)
id 1FwEsI-0004E4-U8
for MYEMAILACCOUNT; Fri, 30 Jun 2006 11:01:19 +0200
Message-Id: <00d301c69c1b$88371880$343d3681 at vjyssa>
From: "saunder mason" <wilmeraguilar at purinmail.com>
To: "garald mckenna" <MYEMAILACCOUNT>
Subject: Luxury
Date: Fri, 30 Jun 2006 08:04:44 +0000
TOP BRANDS - LOW LOW PRICES
Jewelry * Handbags * Pens * Watches * Neckties * Clutches * Wallets
Leather, silk and white gold sound good? Visit our site for real photos.
Everything comes with a certificate, tags and all the extras, plus a
warranty.
http://allredmetal.com/luxury/
salt prairie fly frame fresh-fallen
corn shocker kettle net soul-imitating
vacuum vessel snow hut chlorine azide
sad-seeming feed store weight-lifting
hermit warbler drift bottle wife-bound
game bird trip catch bore meal
key desk blue-glimmering gathering coal
magnifying glass tone painting ten-hour
blood baptism cotton plugger jack block
=====
These hijacked domains all contain several folders, with mortgage spam
sites, gambling sites, fake Rolex sites, etc. The oldest folder on this site
almost exactly matches the site renewal date.
Here's another one:
Domain Name: MINIEXAMINER.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS2.MINIEXAMINER.COM
Name Server: NS1.MINIEXAMINER.COM
Status: ACTIVE
EPP Status: ok
Updated Date: 26-Jun-2006
Creation Date: 05-Apr-2001
Expiration Date: 05-Apr-2008
and
====
TOP BRANDS - LOW LOW PRICES
Jewelry * Handbags * Pens * Watches * Neckties * Clutches * Wallets
Leather, silk and white gold sound good? Visit our site for real photos.
Everything comes with a certificate, tags and all the extras, plus a
warranty.
http://miniexaminer.com/luxury/
pig hutch integral cover fuzzy-legged
para red terra orellana rub-dub
rock basin lavender grass willow acacia
singing master tariff treaty grid leak
Nonintercourse act slow-contact single-hung
gopher plum queer-tempered transmission bands
cloth doubler long-stroke ginger root
big bluestem Non-egyptologist plague-smitten
sab-cat vice-librarian wheat thief
====
The month/day of expiration (ignoring the year) of both domains is almost
the same. Both now point to the same server in Russia. And take a look at
this - "domain pending transfer":
=====
Registrant Contact:
DICK HUSSEY ENTERPRISES
NA NA (NA)
NA
Fax:
PO BOX 500280
MALABAR, FL 32950-0280
US
Administrative Contact:
RegisterFly.com, inc.
Domain Pending Transfer (transfers at registerfly.com)
+1.9737362545
Fax: +1.9737361355
404 Main Street
4th Floor
Boonton, NJ 07005
US
Technical Contact:
NA
LLC Network Solutions (customerservice at networksolutions.com)
+1.8886429675
Fax: +1.5714344620
13200 Woodland Park Drive
Herndon, CO 20171-3025
US
=====
Anybody else noticed anything like this?
Joe Wein
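
The pattern described in the post (a long-registered domain whose record changed only days before it appeared in spam, plus near-identical expiration month/day) can be checked mechanically. The following is an added example, not part of the original message: the two records are taken from the post, the third is a constructed control, and the thresholds and function names are assumptions.

```python
from datetime import date, datetime

# First two records: fields copied from the post. Third: constructed control.
RECORDS = """\
Domain Name: ALLREDMETAL.COM
Updated Date: 29-Jun-2006
Creation Date: 03-Apr-1997
Expiration Date: 04-Apr-2010

Domain Name: MINIEXAMINER.COM
Updated Date: 26-Jun-2006
Creation Date: 05-Apr-2001
Expiration Date: 05-Apr-2008

Domain Name: FRESH-EXAMPLE.TEST
Updated Date: 28-Jun-2006
Creation Date: 20-Jun-2006
Expiration Date: 20-Jun-2007
"""

def parse_records(text):
    """Split blank-line separated 'Key: value' whois blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            rec[key] = (datetime.strptime(value, "%d-%b-%Y").date()
                        if key.endswith("Date") else value)
        records.append(rec)
    return records

def looks_hijacked(rec, seen, min_age_years=3, max_update_days=7):
    """Old registration whose record changed shortly before the spam (assumed thresholds)."""
    age_days = (seen - rec["Creation Date"]).days
    since_update = (seen - rec["Updated Date"]).days
    return age_days >= min_age_years * 365 and 0 <= since_update <= max_update_days

def expiry_gap_days(a, b):
    """Month/day distance between two expiration dates, ignoring the year."""
    da, db = (r["Expiration Date"].replace(year=2000) for r in (a, b))
    gap = abs((da - db).days)
    return min(gap, 366 - gap)

SPAM_SEEN = date(2006, 6, 30)  # date of the quoted spam in the post
recs = parse_records(RECORDS)
flagged = [r["Domain Name"] for r in recs if looks_hijacked(r, SPAM_SEEN)]
print(flagged, expiry_gap_days(recs[0], recs[1]))
```

A freshly registered domain fails the age test, so only the two old, recently updated domains are flagged.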