Archive for the ‘spammers’ Category

27 Aug

Tracking down a Spammer

   Posted by: Scrivener

It’s hard enough finding meaningful employment these days without dealing with resume thieves and unscrupulous offshore companies. I used to think that it was only the indian (intentionally not capitalized) recruiters who were flagrant frauds, but it seems that the scam artists are now sitting on the beach, sipping mojitos, while conning job searchers. Recently, I answered an ad for a Delphi position in Austin, Texas, posted on www.dice.com. There always seems to be a Delphi requirement in Austin; however, the shady offshore Punjabi scammers of Encora, far away in Bangalore, are usually the guilty party, so I wasn’t immediately alarmed.

I submitted a resume and cover letter, then groaned inwardly when I learned the company had an offshore headquarters. But it was located in Costa Rica, so it should be okay, right? I was further reassured when I first spoke to a very nice lady (good English) and then an account manager (who also spoke good English). After our conversation the manager asked for a Word-formatted version of my resume, since I always send resumes as .pdf files (and you should too: a PDF cannot be quietly edited and resubmitted under someone else’s letterhead the way a .doc can). The manager said that he wanted his team to make some adjustments to it and would email me the revised version before sending it off to the client. His excuse sounded reasonable, so I assented and sent him the requested document.

Everything sounded good. Well, as good as it gets in this job market anyway.

A couple of days passed; I heard nothing back from the company about my ‘revised’ resume, but I did receive several job-scam emails from, curiously enough, Costa Rica. Also curiously, the company still wasn’t returning my emails. In an extraordinary lapse of my usual proclivity towards suspicion, I passed the emails off as mere coincidence: days before, I had been corresponding with what I thought was a legitimate business in Costa Rica, and now I was getting spam from Costa Rica. After all, according to my latest self-given tarot reading, I’m supposed to align more with the element of Water and thus nurture a more loving and trusting attitude toward people.

Screw that.

I still like my dog better than I like most people, and I definitely trust my dog more than I trust people.

I know, I’m a Wiccan High Priest, and the stereotypical portrayal of Wiccans is that they’re full of love and light, think only loving thoughts, and send out only good energy while hopping and frolicking in the clover with all the other New Age fluffy bunnies. Well, to borrow a line from John Travolta in the movie Michael, I’m not that kind of witch. Actually, I consider myself a warlock (don’t get your cottontails all twisted, you lot of fluffy bunnies), but that is a topic for another article.

The following day, I had three more scam emails from the same Costa Rican ISP (Internet Service Provider). That’s when I decided to track this piece of whale dung down and see if I couldn’t at least get his internet account banned at his ISP.

In the indented paragraphs that follow, I’ve pasted excerpts from the email headers, Whois information from internic and several registrars, plus some traceroute information. How I did all of that is beyond the scope of this weblog article but I promise to explain the techniques I used in a subsequent posting.

My email to several abuse email addresses began thus:

I have been receiving 3 to 4 emails a day from this account or a similarly geographically located account, all for non-existent jobs or to act as an agent selling stolen goods or information, or money laundering schemes. The host server is located at 201.200.140.41.

These emails began after I answered a job ad on dice.com with a company (formalized.com) located in Costa Rica. I don’t think I’m receiving the spam directly from this company; perhaps the offshore personnel who process the resumes sold my email address. I only use that email address to reply to job postings, so I know that any spam sent to that address must ultimately have begun with a reply to an employer. I have copied them on this email in case they wish to mount their own investigation.

I’ve broken down my analysis of the email headers below so that seeing the anatomy of one of these messages may help you track down the spammers plaguing your own inbox. Read the Received lines from the bottom up: each relay prepends its own, so the topmost was added by my server and the bottommost by the first hop. Only the lines added by servers you trust (here my host and Hotmail) can be relied on; anything the sender’s own software wrote, including Date and X-Mailer, says whatever the sender wants it to say.

——————————————————————————————-

Email Header info

——————————————————————————————-

Received: (qmail 12284 invoked from network); 25 Aug 2010 01:38:48 -0000

My Mail Server

—————-

Received: from unknown (HELO p3pismtp01-028.prod.phx3.secureserver.net) ([10.6.12.38])

(envelope-sender <bantoinee@hotmail.com>)

by p3plsmtp05-05.prod.phx3.secureserver.net (qmail-1.03) with SMTP

for <insert your email address here>; 25 Aug 2010 01:38:48 -0000

X-IronPort-Anti-Spam-Result: AkcCAFoRdExBNr7XlGdsb2JhbACDF49jKY0WFQEBAQEJCwgJEQMfrB88iFuJB4EigyJzBIQwgXiGPg

Hotmail servers

—————-

Received: from bay0-omc4-s13.bay0.hotmail.com ([65.54.190.215])

by p3pismtp01-028.prod.phx3.secureserver.net with ESMTP; 24 Aug 2010 18:38:47 -0700

Received: from BAY110-DS5 ([65.54.190.199]) by bay0-omc4-s13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);

Tue, 24 Aug 2010 18:38:47 -0700

Originating IP

—————-

X-Originating-IP: [201.200.140.41] <-- Hotmail records the address the client connected from. Look it up (whois first, then geolocation) and you get the network and, roughly, the country and city from which the spammer logged on. Geolocation is approximate and the address may be a proxy or a compromised machine, so treat it as a lead rather than a street address.

Registrant information for IP address 201.200.140.41 (from ARIN’s whois, which refers the whole 201/8 block to LACNIC)

—————————————————————

NetRange: 201.0.0.0 - 201.255.255.255

CIDR: 201.0.0.0/8

OriginAS:

NetName: LACNIC-201

NetHandle: NET-201-0-0-0-1

Parent:

NetType: Allocated to LACNIC

NameServer: TINNIE.ARIN.NET

NameServer: NS3.AFRINIC.NET

NameServer: SEC1.AUTHDNS.RIPE.NET

NameServer: NS2.DNS.BR

NameServer: SEC3.APNIC.NET

NameServer: NS2.LACNIC.NET

NameServer: NS.LACNIC.NET

NameServer: NS-LACNIC.NIC.MX

OrgName: Latin American and Caribbean IP address Regional Registry

OrgId: LACNIC

Address: Rambla Republica de Mexico 6125

City: Montevideo

StateProv:

PostalCode: 11400

Country: UY

RegDate: 2002-07-27

Updated: 2007-01-09

Ref: http://whois.arin.net/rest/org/LACNIC

ReferralServer: whois://whois.lacnic.net

OrgTechHandle: LACNIC-ARIN

OrgTechName: LACNIC Whois Info

OrgTechPhone: 999-999-9999

OrgTechEmail: whois-contact@lacnic.net

OrgTechRef: http://whois.arin.net/rest/poc/LACNIC-ARIN

Specific IP allocation information via whois.lacnic.net (the ReferralServer named in the ARIN record above)

——————————————————–

inetnum: 201.200.136/21

status: reallocated

owner: ESCAZU

ownerid: CR-ESCA-LACNIC

responsible: Desarrollo de la Red - ICE

address: 100032, 1, 1

address: 1 - Oeste -

country: CR

phone: +506 22207465 []

owner-c: REJ

tech-c: REJ

abuse-c: REJ

created: 20080901

changed: 20080901

inetnum-up: 201.192/12

nic-hdl: REJ

person: Desarrollo de la Red - DT-DEP-ICE

e-mail: gspam@ICE.GO.CR <-- By all means spam these bastards. They said they couldn’t do anything about spam, even though this is the abuse contact listed for the netblock.

address: 10032-1000 San José, Costa Rica, 10032, San José

address: 10032-100 - San José - cr

country: CR

phone: +506 22423703 []

created: 20041004

changed: 20100526

X-Originating-Email: [bantoinee@hotmail.com]

Message-ID: <BAY110-DS566415E2FC19466B9A411BE840@phx.gbl>

Return-Path: bantoinee@hotmail.com

From: <bantoinee@hotmail.com>

To: <email address obfuscated>

Reply-To: hire.manager@eurodirectinvestmail.com <-- replies go here, not to the Hotmail account that sent the mail; see the registrar info for this domain below

Subject: perfect vacancy 1282700968

Date: Wed, 25 Aug 2010 05:49:32 +0400 <-- supplied by the sender’s software, not by any relay. The +0400 offset is nowhere near Costa Rica’s UTC-6, and 05:49:32 +0400 is 01:49:32 UTC, about eleven minutes after my server stamped the message at 01:38:48 UTC. A wrong clock, a wrong time zone, or a cooked header; in any case, not evidence.

MIME-Version: 1.0

X-Priority: 3

X-MSMail-Priority: Normal

Importance: Normal

X-Mailer: Microsoft Windows Live Mail 14.0.8064.206

X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8064.206

Content-Type: text/plain;

charset="utf-8"

Content-Transfer-Encoding: binary

X-OriginalArrivalTime: 25 Aug 2010 01:38:47.0643 (UTC) FILETIME=[43118AB0:01CB43F6]

X-Nonspam: None
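Here is an added example, not part of the original post, that does the header walk above mechanically with nothing but the Python standard library: it reverses the Received chain into the order the mail actually travelled, pulls the client address out of X-Originating-IP (falling back to the first public address in the oldest hop when that header is absent), and flags the two tells a reader can check without any lookups, a Reply-To domain that differs from the From domain and a Date header whose offset and timestamp disagree with the relay timestamps. The sample headers are a constructed copy of the ones quoted above with the recipient replaced by a placeholder.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers quoted in this post, with the recipient
# replaced by a placeholder and unrelated headers dropped. Continuation
# lines are indented as they would be on the wire.
SAMPLE = """\
Received: (qmail 12284 invoked from network); 25 Aug 2010 01:38:48 -0000
Received: from unknown (HELO p3pismtp01-028.prod.phx3.secureserver.net) ([10.6.12.38])
  (envelope-sender <bantoinee@hotmail.com>)
  by p3plsmtp05-05.prod.phx3.secureserver.net (qmail-1.03) with SMTP
  for <victim@example.invalid>; 25 Aug 2010 01:38:48 -0000
Received: from bay0-omc4-s13.bay0.hotmail.com ([65.54.190.215])
  by p3pismtp01-028.prod.phx3.secureserver.net with ESMTP; 24 Aug 2010 18:38:47 -0700
Received: from BAY110-DS5 ([65.54.190.199]) by bay0-omc4-s13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
  Tue, 24 Aug 2010 18:38:47 -0700
X-Originating-IP: [201.200.140.41]
Return-Path: bantoinee@hotmail.com
From: <bantoinee@hotmail.com>
To: <victim@example.invalid>
Reply-To: hire.manager@eurodirectinvestmail.com
Subject: perfect vacancy 1282700968
Date: Wed, 25 Aug 2010 05:49:32 +0400
X-Mailer: Microsoft Windows Live Mail 14.0.8064.206

(body omitted)
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops(msg):
    """Received lines as (from, by, ip, timestamp), oldest hop first.

    Every relay prepends its own Received line, so the message lists them
    newest-first; reversing gives the path the mail actually took. Only the
    lines added by relays you trust are reliable; anything below the first
    trusted relay could have been written by the sender.
    """
    out = []
    for rcvd in reversed(msg.get_all("Received", [])):
        text = " ".join(rcvd.split())             # unfold continuation lines
        m, ip = HOP_RE.search(text), IP_RE.search(text)
        stamp = text.rsplit(";", 1)[-1].strip()   # the date follows the last ';'
        out.append((m and m.group("frm"), m and m.group("by"),
                    ip and ip.group(1), stamp))
    return out


def originating_ip(msg):
    """The client's address: webmail providers record it in X-Originating-IP;
    otherwise take the first globally routable address in the oldest hop."""
    m = IP_RE.search(msg.get("X-Originating-IP", ""))
    if m:
        return m.group(1)
    for _, _, ip, _ in hops(msg):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None


def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the From address,
    the classic sign of a throwaway sending account fronting for the real one."""
    frm = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rto = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return bool(rto) and rto != frm


def date_skew_seconds(msg):
    """Sender-supplied Date minus the oldest relay timestamp, in seconds.
    Date comes from the sender's machine, so a positive value (claimed to be
    sent after it was received) means a wrong clock, a wrong time zone, or a
    cooked header."""
    sent = parsedate_to_datetime(msg["Date"])
    rcvd = parsedate_to_datetime(hops(msg)[0][3])
    sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)
    rcvd = rcvd if rcvd.tzinfo else rcvd.replace(tzinfo=timezone.utc)
    return int((sent - rcvd).total_seconds())


def analyse(raw):
    """Run every check on one raw message and return the findings."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "hops": hops(msg),
        "originating_ip": originating_ip(msg),
        "reply_to_mismatch": reply_to_mismatch(msg),
        "date_skew_seconds": date_skew_seconds(msg),
        "sender_utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

On the sample this reports the client address 201.200.140.41, a Reply-To domain that does not match the From domain, a Date header 645 seconds later than the first Hotmail relay stamp, and a sender clock set to UTC+4. Feed it the raw source of your own spam (most mail clients have a "show original" or "view source" option) and compare the oldest trusted hop with whatever the sender claims.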

The registrar information for the Reply-To address and its domain is listed below this line.

Domain name: eurodirectinvestmail.com

————————————————–

IP Address 195.226.218.28 (Italy)

Registrar bizcn.com

Registrant Contact:

CarleLonger

Carle Longer info@eurodirectinvestmail.com

+1.7077631573 fax: +1.7077631573

227 Alta Dr.

94954 CA Petaluma

us

Administrative Contact:

Carle Longer info@eurodirectinvestmail.com

+1.7077631573 fax: +1.7077631573

227 Alta Dr.

94954 CA Petaluma

us

Technical Contact:

Carle Longer info@eurodirectinvestmail.com

+1.7077631573 fax: +1.7077631573

227 Alta Dr.

94954 CA Petaluma

us

Billing Contact:

Carle Longer info@eurodirectinvestmail.com

+1.7077631573 fax: +1.7077631573

227 Alta Dr.

94954 CA Petaluma

us

DNS:

ns1.data-centr.lv

ns2.data-centr.lv

Created: 2010-08-24

Expires: 2011-08-24

It wouldn’t surprise me if this contact information is totally bogus, since eurodirectinvestmail.com is registered through a Chinese registrar (bizcn.com). This low-life bottom-feeder knows that the Chinese won’t do anything about spam. Note the dates as well: the domain was created on 2010-08-24, the day before this message arrived, and it expires after a single year. Its nameservers sit under a Latvian (.lv) domain, the web host is in Italy, and the registrant claims a Petaluma, California address. A domain registered for one year the day before it is used, with infrastructure scattered across jurisdictions, is the standard setup for a throwaway spam campaign.
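As an added example, not from the original post, here is a small parser for the two kinds of whois record quoted above. It resolves the netblock’s abuse-c handle to the contact e-mail (the step that produced gspam@ICE.GO.CR), computes how old the Reply-To domain was on the day the message arrived, and collects the nameservers’ top-level domains so the registrant’s claimed country can be set against where the infrastructure actually sits. The sample records are constructed, trimmed copies of the ones quoted above; real whois output varies by registry and registrar. The whois() helper is a minimal RFC 3912 client that needs network access and is not exercised by the samples.

```python
import re
import socket
from datetime import date

# Constructed samples: the LACNIC record for 201.200.140.41 and the registrar
# record for eurodirectinvestmail.com quoted in this post, trimmed to the
# fields the parser uses. Real whois output varies by registry and registrar.
LACNIC_RESPONSE = """\
inetnum:     201.200.136/21
owner:       ESCAZU
responsible: Desarrollo de la Red - ICE
country:     CR
owner-c:     REJ
tech-c:      REJ
abuse-c:     REJ
created:     20080901

nic-hdl:     REJ
person:      Desarrollo de la Red - DT-DEP-ICE
e-mail:      gspam@ICE.GO.CR
country:     CR
"""

DOMAIN_RESPONSE = """\
Domain name: eurodirectinvestmail.com
Registrar: bizcn.com
Registrant Contact: Carle Longer info@eurodirectinvestmail.com
DNS: ns1.data-centr.lv
DNS: ns2.data-centr.lv
Created: 2010-08-24
Expires: 2011-08-24
"""

KV_RE = re.compile(r"^([^:\s][^:]*):\s*(.*)$")


def parse_blocks(text):
    """Split a 'key: value' whois reply into its blank-line-separated objects,
    each a dict of lower-cased key -> list of values (keys can repeat)."""
    blocks, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                blocks.append(cur)
                cur = {}
            continue
        m = KV_RE.match(line)
        if m:
            cur.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    if cur:
        blocks.append(cur)
    return blocks


def abuse_contact(text):
    """Resolve the netblock's abuse-c handle (then tech-c, then owner-c) to the
    e-mail in the matching nic-hdl object: the address to complain to."""
    blocks = parse_blocks(text)
    net = next((b for b in blocks if "inetnum" in b), {})
    for role in ("abuse-c", "tech-c", "owner-c"):
        for handle in net.get(role, []):
            for b in blocks:
                if b.get("nic-hdl") == [handle] and b.get("e-mail"):
                    return b["e-mail"][0]
    return None


def parse_ymd(s):
    """Accept both '20080901' (LACNIC style) and '2010-08-24' (registrar style)."""
    d = re.sub(r"\D", "", s)
    return date(int(d[:4]), int(d[4:6]), int(d[6:8]))


def domain_age_days(text, seen_on):
    """Days from the domain's creation to the day the mail was seen; a few
    days (here, one) is the signature of a domain registered for a single run."""
    for b in parse_blocks(text):
        if "created" in b:
            return (parse_ymd(seen_on) - parse_ymd(b["created"][0])).days
    return None


def nameserver_tlds(text):
    """Top-level domains of the listed nameservers, to set against where the
    registrant, registrar and web host claim to be."""
    return {ns.rstrip(".").rsplit(".", 1)[-1].lower()
            for b in parse_blocks(text) for ns in b.get("dns", [])}


def whois(server, query, port=43, timeout=10):
    """Minimal RFC 3912 client (needs network; not used by the samples). Start
    at whois.arin.net; its ReferralServer line names the registry that really
    holds the block, here whois.lacnic.net, and you query that next."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")
```

Run against the samples, abuse_contact() returns gspam@ICE.GO.CR, domain_age_days() with a seen-on date of 2010-08-25 returns 1, and nameserver_tlds() returns {"lv"}; a one-day-old domain whose nameservers, registrar, host and registrant all sit in different countries is the pattern to look for before bothering with the contact details at all.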

One final note: I warned spammers that I would publish their email addresses for spam bots to harvest. Come hither, spam bots, I have a couple of tasty tidbits (pun intended: tidbits, bits, bytes, get it?) for you: jim.mchood@formalized.com and marnie.barranco@formalized.com.

I did copy the company in Costa Rica on this email. Strangely enough, the spam from Costa Rican scammers has suddenly stopped, and the company there still won’t return my emails. So come hither, spam bots, and acquire the addresses of your new friends, and please send them your love and my warmest regards.

25 Jun

Come Hither Spam Bots

   Posted by: Scrivener

It always amazes me that when you call a spammer on the carpet for wasting your server bandwidth, wasting your time, and just being a waste of air in general, you’ll often get an indignant email back accusing you of being rude and hurting their feelings.

Obviously these poor souls need some love. So, to help them to get the attention they need, and to soothe their bruised feelings which I so callously trampled, I’m going to start posting their email addresses here so that every spam bot and spider on the web can collect their email addresses thus ensuring that they’ll soon have an inbox overflowing with good thoughts, warm feelings, and offers for all the Canadian Viagra they can use.

Please write these people, they desperately want to hear from you.

ASLetts@ameriplan.net