Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Trackstick/GoogleEarthStore Opt-out spam

 
olliver
Posted: Wed Aug 15, 2007 8:28 am    Post subject: Trackstick/GoogleEarthStore Opt-out spam

These twits scraped an email of mine from some website that has *never* ever been used for any kind of subscription, so the "you signed up at one of our partners" excuse won't exactly fly here.

Email headers:
Quote:
Delivered-To: <redacted>
Received: by 10.115.90.9 with SMTP id s9cs169170wal;
Tue, 14 Aug 2007 15:07:03 -0700 (PDT)
Received: by 10.114.197.1 with SMTP id u1mr3456792waf.1187129221986;
Tue, 14 Aug 2007 15:07:01 -0700 (PDT)
Return-Path: <unsubscribe@trackstick.com>
Received: from MUSKRAT2 (71-95-178-70.static.mtpk.ca.charter.com [71.95.178.70])
by mx.google.com with ESMTP id j6si11075530wah.2007.08.14.15.06.56;
Tue, 14 Aug 2007 15:07:01 -0700 (PDT)
Received-SPF: neutral (google.com: 71.95.178.70 is neither permitted nor denied by best guess record for domain of unsubscribe@trackstick.com) client-ip=71.95.178.70;
Received: from HP-1 ([71.95.178.68]) by MUSKRAT2 with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 14 Aug 2007 15:07:02 -0700
From: Trackstick Sales<sales@trackstick.com>
To: <redacted>
Message-Id: <[snipped]@trackstick.com>
Subject: Super Trackstick now available online.
Date: Tue, 14 Aug 2007 15:06:55 -0700
MIME-Version: 1.0
Reply-To: sales@trackstick.com
Content-Type: multipart/related; boundary="RelatedBoundary.33333333.33333333"
Return-Path: unsubscribe@trackstick.com

Seems to be sent from a static Charter account in California (71.95.178.70 -> 71-95-178-70.static.mtpk.ca.charter.com) and consistent with the spamvertised domain info, so the headers may even be real. The address is already blacklisted at CBL (and thus automatically at Spamhaus' XBL, too):
http://cbl.abuseat.org/lookup.cgi?ip=71.95.178.70

The mail body consists of HTML in epical length:
Quote:
<HEAD>
<TITLE>Untitled Document</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"><LINK
href="http://www.googleearthstore.com/css/main.css" type=text/css
rel=stylesheet>
<META content="MSHTML 6.00.2900.3086" name=GENERATOR>
</HEAD>
<BODY>
<P><STRONG><FONT color=#000000 size=4>Dear Friend, </FONT></STRONG></P>
<P><FONT size=4><FONT color=#000000>The Super </FONT>Trackstick is now available. </FONT></P>
<TABLE borderColor=#ffffff cellSpacing=0 cellPadding=20 width=650 align=center bgColor=#ffffff border=1>
<TBODY>
<TR>


<TD><BR>
<A href="http://www.googleearthstore.com/Default.asp"></A><IMG src="cid:logo.JPG"></A><IMG height=1 src="cid:Divider_Horizontal.gif" width="100%" align=top vspace=6> </TD></TR></TBODY></TABLE>
<TABLE cellSpacing=5 cellPadding=5 width="100%" border=0>


<TBODY>
<TR>
<TD><A href="http://www.googleearthstore.com/ProductDetails.asp?ProductCode=2-STS"><IMG src="cid:2-STS-2T.jpg" border=0></A> </TD>
<TD><FONT face="Arial, Helvetica, sans-serif" size=2><A href="http://www.googleearthstore.com/ProductDetails.asp?ProductCode=2-STS">Super Trackstick GPS Tracking System</A> The Super Trackstick is the perfect tool for individuals, law enforcement and government agencies looking for a way to track anything that moves. , <FONT color=#cc0000><B>$269.00</B> <FONT size=+0><BR><BR>
<DIV align=right><A href="http://www.googleearthstore.com/ShoppingCart.asp?ProductCode=2-STS"><IMG src="cid:btn_addtocart.gif" border=0></A> </DIV><BR><IMG src="cid:Bullet_MoreInfo.gif" border=0> <A href="http://www.googleearthstore.com/ProductDetails.asp?ProductCode=2-STS">Read more about this product</A> </FONT></FONT></FONT></TD></TR></TBODY></TABLE>

Then follows a long sequence of empty HTML tags to hide the unsubscribe link from lazy people who don't want to scroll for ages ;)
Quote:
<P>Click Here to <a href="mailto:unsubscribe@trackstick.com?Subject=Unsubscribe-[snipped identifier]">unsubscribe</a></P></BODY>

The usual question about why I'm to unsubscribe from something I didn't ask for in the first place applies here, of course.

Cui bono?

Two spamvertised targets here:
trackstick.com

Quote:
Registrant:
Telespial Systems
1460 Bluejay Circle
Weston, FL 33327
US

Domain Name: TRACKSTICK.COM

Administrative Contact, Technical Contact:
H, Richard richard@trackstick.com
Telespial Systems
827 Hollywood Way #554
Burbank, CA 91505
US
818-554-0025 fax: 123 123 1234


Record expires on 02-Aug-2009.
Record created on 02-Aug-2005.
Database last updated on 15-Aug-2007 10:13:37 EDT.

Domain servers in listed order:

NS1.LNHI.NET
NS2.LNHI.NET 65.36.160.56


Fortunately the IP address is within a SWIP'ed range, which allows us to see more than usual:
Quote:
CustName: TelePlus LLC
Address: 14512 Southwest 12 Lane
City: Miami
StateProv: FL
PostalCode: 33184
Country: US
RegDate: 2006-10-02
Updated: 2006-10-02

NetRange: 208.112.17.0 - 208.112.17.255
CIDR: 208.112.17.0/24
NetName: TELEPLUSLLC
NetHandle: NET-208-112-17-0-1
Parent: NET-208-112-0-0-1
NetType: Reassigned
Comment:
RegDate: 2006-10-02
Updated: 2006-10-02

Teleplus LLC seem to be in reality CallingCardPlus.com and quite interesting:
http://www.ripoffreport.com/reports/0/186/RipOff0186776.htm
The whois for the domain seems to confirm the owner's nationality:
Quote:
Domain CallingCardPlus.com

Date Registered: 2007-4-15
Date Modified: 2005-3-5
Expiry Date: 2010-4-14
DNS1: ns1.lnhi.net
DNS2: ns2.lnhi.net

Registrant

TelePlus LLC
14512 sw 12 LN
Miami, FL (US)
33184

Administrative Contact

TelePlus, LLC
Amr Ibrahim
14512 sw 12 lane
miami (US)
33184
3057728557
3054363689
aibrahim at callingcardplus.com

Technical Contact

TelePlus, LLC
Amr Ibrahim
14512 sw 12 lane
miami
US
33184
3057728557
3054363689
aibrahim at callingcardplus.com

Strangely, it's mentioned nowhere that Callingcardplus.com would also host websites. The supposed main website at "teleplusllc.com" only shows the famous "coming soon" screen we know from the likes of Emil Kacpersky and friends already ;)

Telespial Systems' address in Weston, Florida appears to operate in stealth mode. There's no hint in Google for that address, nor do any of the registered domains point to any other location but:
Quote:
617 N Myers St
Burbank, CA 91506
(818) 554-0025

Which, however, differs from the admin contact that points to: 827 Hollywood Way #554. However, this street is not even near 617 N Myers St, which leaves the only conclusion that one of these two alternatives is bogus. Also, it appears strange that a company doesn't reveal its actual location but instead resorts to an anonymous contact form and a phone number as the only contact. Which raises the question about whom Mister Richard is hiding from...

googleearthstore.com
First off, this fine bidniz is in no way associated with Google Inc, just to avoid rumours about Google entering the MSL, the Mainsleaze Spam League ;)

Quote:
Registrant:
HBC Holdings
ATTN: GOOGLEEARTHSTORE.COM
c/o Network Solutions
P.O. Box 447
Herndon, VA. 20172-0447


Domain Name: GOOGLEEARTHSTORE.COM

Administrative Contact, Technical Contact:
HBC Holdings xn5py8rx3a2@networksolutionsprivateregistration.com
ATTN: GOOGLEEARTHSTORE.COM
c/o Network Solutions
P.O. Box 447
Herndon, VA 20172-0447
570-708-8780


Record expires on 20-Jan-2010.
Record created on 20-Jan-2007.
Database last updated on 15-Aug-2007 10:09:44 EDT.

Domain servers in listed order:

NS3.VOLUSION.COM 65.61.137.154
NS4.VOLUSION.COM 65.61.137.157

and it's even an anonymised bidniz, in most cases a strong spammer indicator (there's no reason to play hide and seek for a legit store, is there?). Remember that the opt-out spam attempted to download quite a few things from this address. And also keep in mind that the unsubscribe link points to Mister Richard's trackstick.com domain.
Whois IP address:
Quote:
CustName: Volusion, Inc.
Address: 1736 Erringer Road
Address: Suite 202
City: Simi Valley
StateProv: CA
PostalCode: 93065
Country: US
RegDate: 2007-04-04
Updated: 2007-04-04

NetRange: 66.216.117.0 - 66.216.117.255
CIDR: 66.216.117.0/24
NetName: RSPC-94418-1175724581
NetHandle: NET-66-216-117-0-1
Parent: NET-66-216-64-0-1
NetType: Reassigned
Comment:
RegDate: 2007-04-04
Updated: 2007-04-04

Volusion appears to be specialised in offering shopping cart software and ecommerce solutions. Part of these offers is a combined website and shop hosting for web entrepreneurs.

Their policy states little tolerance for any spam bidniz:
Quote:
Volusion actively monitors our mail servers for abuse. Any customer found to be using Volusion mail servers to send spam will be immediately cut off from use of Volusion services.

http://www.volusion.com/support/KB_Article.asp?ID=202
Note that they do insist on solicitations initialised by the recipient. Which clearly rules out Opt-out spam.

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
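
Added example, not part of olliver's post: the header checks done by hand above (find the hop recorded by the recipient's own MX, compare its IP with the reverse-DNS name and the Received-SPF line, compare envelope and From domains) expressed as a small Python script. The header excerpt is copied from the post; the function names, the `.google.com` trust suffix and the use of `cbl.abuseat.org` (the host of the lookup URL above) as the DNSBL zone are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header excerpt copied from the post (folded lines re-indented, recipient omitted).
RAW = """\
Return-Path: <unsubscribe@trackstick.com>
Received: from MUSKRAT2 (71-95-178-70.static.mtpk.ca.charter.com [71.95.178.70])
\tby mx.google.com with ESMTP id j6si11075530wah.2007.08.14.15.06.56;
\tTue, 14 Aug 2007 15:07:01 -0700 (PDT)
Received-SPF: neutral (google.com: 71.95.178.70 is neither permitted nor denied by best guess record for domain of unsubscribe@trackstick.com) client-ip=71.95.178.70;
Received: from HP-1 ([71.95.178.68]) by MUSKRAT2 with Microsoft SMTPSVC(6.0.3790.3959);
\tTue, 14 Aug 2007 15:07:02 -0700
From: Trackstick Sales<sales@trackstick.com>
Reply-To: sales@trackstick.com

"""
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def boundary_hop(msg, trusted_suffix):
    """Topmost Received line written by the recipient's own MX; hops below it are sender-supplied."""
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m and m.group(4).lower().endswith(trusted_suffix):
            return dict(zip(("helo", "rdns", "ip", "by"), m.groups()))
    raise ValueError("no Received header written by a trusted host")

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def summarize(raw, trusted_suffix=".google.com", dnsbl_zone="cbl.abuseat.org"):
    msg = message_from_string(raw)
    hop = boundary_hop(msg, trusted_suffix)
    spf = msg.get("Received-SPF", "")
    spf_ip = re.search(r"client-ip=([\d.]+)", spf)
    dashed = hop["ip"].replace(".", "-") + "."
    return {
        "sending_ip": hop["ip"],
        # Static-pool names like the one in the post spell the address out.
        "rdns_embeds_ip": bool(hop["rdns"]) and hop["rdns"].startswith(dashed),
        "spf_result": spf.split()[0].lower() if spf else None,
        "spf_ip_matches_hop": bool(spf_ip) and spf_ip.group(1) == hop["ip"],
        "envelope_domain": domain(msg.get("Return-Path", "")),
        "from_domain": domain(msg.get("From", "")),
        # Name to look up (not resolved here): reversed octets + DNSBL zone.
        "dnsbl_query": ".".join(reversed(hop["ip"].split("."))) + "." + dnsbl_zone,
    }

if __name__ == "__main__":
    for key, value in summarize(RAW).items():
        print(f"{key}: {value}")
```

Only the hop written by the receiving MX is used as evidence; the `HP-1` line below it was added on the sender's side and is ignored, which is why a message carrying only such lines raises an error instead of yielding an IP.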