[SURBL-Discuss] Rolex spam on hijacked domains

Joe Wein joewein at pobox.com
Fri Jun 30 16:13:16 CEST 2006


I've seen at least two cases today of domains used in fake Rolex etc. spams
that were untypically old. The oldest was

   Domain Name: ALLREDMETAL.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS2.ALLREDMETAL.COM
   Name Server: NS1.ALLREDMETAL.COM
   Status: REGISTRAR-LOCK
   EPP Status: clientDeleteProhibited
   EPP Status: clientUpdateProhibited
   EPP Status: clientTransferProhibited
   Updated Date: 29-Jun-2006
   Creation Date: 03-Apr-1997
   Expiration Date: 04-Apr-2010

It is currently hosted in Russia even though it was the domain of a company
in North Carolina.

It was registered years ago and paid a few years in advance. This does not
look like a spammer domain at all. Here are the contact details of the owner
obtained via archive.org:

Allred Metal Stamping Works
1305 Thomasville Rd.
High Point, NC 27260
M-F, 9 AM-5 PM EST
800.299.7421
336.886.5221
Fax: 336.841.6201

It almost looks like the domain registration was hijacked, because the
domain was updated yesterday.

Here is the corresponding spam:

=====
 Received: by mx0.webpack.hosteurope.de (theta.mc1.hosteurope.de) running
EXperimental Internet Mailer (even more power) using esmtp
 from 86-63-112-191.asta-net.com.pl ([86.63.112.191] helo=BABY)
 id 1FwEsI-0004E4-U8
 for MYEMAILACCOUNT; Fri, 30 Jun 2006 11:01:19 +0200
Message-Id: <00d301c69c1b$88371880$343d3681 at vjyssa>
From: "saunder mason" <wilmeraguilar at purinmail.com>
To: "garald mckenna" <MYEMAILACCOUNT>
Subject: Luxury
Date: Fri, 30 Jun 2006 08:04:44 +0000

TOP BRANDS - LOW LOW PRICES

Jewelry * Handbags * Pens * Watches * Neckties * Clutches * Wallets

Leather, silk and white gold sound good? Visit our site for real photos.
Everything comes with a certificate, tags and all the extras, plus a
warranty.

http://allredmetal.com/luxury/

salt prairie fly frame fresh-fallen
corn shocker kettle net soul-imitating
vacuum vessel snow hut chlorine azide
sad-seeming feed store weight-lifting
hermit warbler drift bottle wife-bound
game bird trip catch bore meal
key desk blue-glimmering gathering coal
magnifying glass tone painting ten-hour
blood baptism cotton plugger jack block
=====

These hijacked domains all contain several folders, with mortgage spam
sites, gambling sites, fake Rolex sites, etc. The oldest folder on this site
almost exactly matches the site renewal date.

Here's another one:

   Domain Name: MINIEXAMINER.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS2.MINIEXAMINER.COM
   Name Server: NS1.MINIEXAMINER.COM
   Status: ACTIVE
   EPP Status: ok
   Updated Date: 26-Jun-2006
   Creation Date: 05-Apr-2001
   Expiration Date: 05-Apr-2008

and

====
TOP BRANDS - LOW LOW PRICES

Jewelry * Handbags * Pens * Watches * Neckties * Clutches * Wallets

Leather, silk and white gold sound good? Visit our site for real photos.
Everything comes with a certificate, tags and all the extras, plus a
warranty.

http://miniexaminer.com/luxury/

pig hutch integral cover fuzzy-legged
para red terra orellana rub-dub
rock basin lavender grass willow acacia
singing master tariff treaty grid leak
Nonintercourse act slow-contact single-hung
gopher plum queer-tempered transmission bands
cloth doubler long-stroke ginger root
big bluestem Non-egyptologist plague-smitten
sab-cat vice-librarian wheat thief
====

The month/day of expiration (ignoring the year) of both domains is almost
the same. Both now point to the same server in Russia. And take a look at
this - "domain pending transfer":

=====
Registrant Contact:
   DICK HUSSEY ENTERPRISES
   NA NA (NA)
   NA
   Fax:
   PO BOX 500280
   MALABAR, FL 32950-0280
   US

Administrative Contact:
   RegisterFly.com, inc.
   Domain Pending Transfer (transfers at registerfly.com)
   +1.9737362545
   Fax: +1.9737361355
   404 Main Street
   4th Floor
   Boonton, NJ 07005
   US

Technical Contact:
   NA
   LLC Network Solutions (customerservice at networksolutions.com)
   +1.8886429675
   Fax: +1.5714344620
   13200 Woodland Park Drive
   Herndon, CO 20171-3025
   US
=====

Anybody else noticed anything like this?

Joe Wein
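The pattern described in this post (a long-established domain whose whois record was modified only days before it shows up in spam links) can be turned into a simple triage check. The script below is an added example, not part of the original post or of SURBL; the ALLREDMETAL.COM whois lines are copied from the post, while the fresh-example.com record, the 365-day and 7-day thresholds and the trimmed spam body are constructed assumptions.

```python
import re
from datetime import datetime

# Whois excerpt copied from the post, plus a constructed record for a
# freshly registered domain to show the contrast.
WHOIS = {
    "allredmetal.com": """
   Domain Name: ALLREDMETAL.COM
   Updated Date: 29-Jun-2006
   Creation Date: 03-Apr-1997
   Expiration Date: 04-Apr-2010
""",
    "fresh-example.com": """
   Domain Name: FRESH-EXAMPLE.COM
   Updated Date: 28-Jun-2006
   Creation Date: 28-Jun-2006
   Expiration Date: 28-Jun-2007
""",
}

SPAM_BODY = "Visit our site for real photos.\nhttp://allredmetal.com/luxury/\n"
SPAM_SEEN = datetime(2006, 6, 30)  # Date header of the spam quoted in the post

def parse_whois(text):
    """Collect 'Key: value' lines of enom-style whois output into a dict."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            rec[m.group(1).strip()] = m.group(2).strip()
    return rec

def spam_domains(body):
    """Hosts linked from the spam body, lower-cased."""
    return [h.lower() for h in re.findall(r"https?://([^/\s]+)", body)]

def looks_hijacked(rec, seen, min_age_days=365, recent_update_days=7):
    """The post's heuristic: an old registration whose whois record was
    changed only days before the domain started appearing in spam."""
    created = datetime.strptime(rec["Creation Date"], "%d-%b-%Y")
    updated = datetime.strptime(rec["Updated Date"], "%d-%b-%Y")
    old = (seen - created).days >= min_age_days
    just_changed = 0 <= (seen - updated).days <= recent_update_days
    return old and just_changed

def triage(body, seen, whois=WHOIS):
    """Map each linked domain with a known whois record to the verdict."""
    return {d: looks_hijacked(parse_whois(whois[d]), seen)
            for d in spam_domains(body) if d in whois}
```

A hit only says the domain deserves a closer look (archive.org history, current hosting, registrar lock status); a freshly registered domain fails the age test and is handled by the usual new-domain heuristics instead.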
