Spyware Warrior :: View topic - Looking for more website links?

Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

FAQ :: Search :: Memberlist :: Usergroups :: Register

Profile :: Log in to check your private messages :: Log in

Looking for more website links?

Spyware Warrior Forum Index -> Spam

View previous topic :: View next topic

Author

Message

olliver
Expert Developer

Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Wed Aug 05, 2009 12:33 am Post subject: Looking for more website links?

Some "Jeff" wants to exchange links with my spamtrap and leave the impression that his spam isn't spam because it's a one-time mailing. Of course, a one-time mailing sent to 30,000,000 addresses is still spam, because it was sent in bulk and to addresses that did not ask for it.

Headers:

Quote:

Delivered-To: <spamtrap>
Received: by 10.223.110.146 with SMTP id {snip};
Tue, 4 Aug 2009 04:04:19 -0700 (PDT)
Received: by 10.103.174.18 with SMTP id {snip};
Tue, 04 Aug 2009 66:66:66 -0700 (PDT)
Return-Path: <signup@linksroom.com>
Received: from artemis.krystal.co.uk (artemis.krystal.co.uk [77.72.0.162])
by mx.google.com with ESMTP id g1si5908289muf.16.2009.08.04.66.66.66;
Tue, 04 Aug 2009 66:66:66 -0700 (PDT)
Received-SPF: neutral (google.com: 77.72.0.162 is neither permitted nor denied by best guess record for domain of signup@linksroom.com) client-ip=77.72.0.162;
Authentication-Results: mx.google.com; spf=neutral (google.com: 77.72.0.162 is neither permitted nor denied by best guess record for domain of signup@linksroom.com) smtp.mail=signup@linksroom.com
Message-Id: <{snip}SMTPIN_ADDED@mx.google.com>
Received: from [92.2.166.44] (helo=JEFF-DESKTOPPC)
by artemis.krystal.co.uk with esmtpa (Exim 4.69)
(envelope-from <signup@linksroom.com>)
id {snip}
for <spamtrap>; Tue, 04 Aug 2009 66:66:66 +0100
From: "Jeff" <signup@linksroom.com>
Subject: Looking for more website links?
To: <spamtrap>
Content-Type: multipart/alternative; charset="utf-8"; boundary="{snip}"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Organization: LinksRoom.com
Date: Tue, 4 Aug 2009 66:66:66 +0100
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - artemis.krystal.co.uk
X-AntiAbuse: Original Domain - {snip}
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - linksroom.com
X-Source:
X-Source-Args:
X-Source-Dir:

The mail body:

Quote:

This is a multi-part message in MIME format

--{snip}
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

We're giving away FREE 'Unlimited Link Exchange' accounts. Just use t=
he following link within the next 7 days to create your FREE account, =
on registration you will automatically be upgraded.=20
http://www.linksroom.com/?pg=3Dregister=20
Please note - You may register up to 10 domains on a single account an=
d our directory will be made available from Monday 10th August.=20
Regards
Registration Team
www.linksroom.com
This is a one time email, you will not receive any further corresponde=
nce from us.=20

--{snip}
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>
<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type=
>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18813"></HEAD>
<BODY>
We're giving away FREE 'Unlimited Link Exchange' accounts.  Ju=
st use the following link within the nex=
t 7 days to create your FREE account, on registration =
you will automatically be upgraded. <A href=3D"http://www.lin=
ksroom.com/?pg=3Dregister">http://www.linksroom.com/?pg=3Dregister</A>=
=20
Please note - You may register up to 10 domains on=
a single account and our directory will be made available from Monday=
10th August. 
Regards
Registration Team <A href=3D"http://www.linksroom.com">www.links=
room.com</A>
This is a one time email, you will n=
ot receive any further correspondence from us. </BODY>=
</HTML>

--{snip}--

If it's such an irresistible offer, then I ask myself why "Jeff" has to hide behind the usual spammer shield:

Quote:

Domain name: linksroom.com

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O linksroom.com
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (tjjldqnm@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O linksroom.com
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (tjjldqnm@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O linksroom.com
Bellevue, WA 98007
US

Status: Locked

Name Servers:
ns1.krystal.co.uk
ns2.krystal.co.uk

The sending address is home to quite a few domains:
http://www.robtex.com/ip/77.72.0.162.html

mailswerver:
77.72.0.162 -> artemis.krystal.co.uk
spam domain:
linksroom.com -> 77.72.0.162

So we have the problem that for blocking one spammer, there are hundreds of legitimate domains that would be affected, too. Spammers love this sort of setup, because it provides them with a human shield

Quote:

inetnum: 77.72.0.0 - 77.72.1.255
netname: KRYSTAL
descr: Olympians
country: GB
admin-c: KNOC3-RIPE
tech-c: KNOC3-RIPE
status: ASSIGNED PA
mnt-by: KRYSTAL-MNT
source: RIPE # Filtered

role: Krystal NOC
address: Alta Vista, Hr Warberry Rd, Torquay, Devon, TQ1 1SD
e-mail: noc {curly sign} krystal.co.uk
admin-c: KRYS1-RIPE
admin-c: KRYS2-RIPE
tech-c: KRYS1-RIPE
tech-c: KRYS2-RIPE
mnt-by: KRYSTAL-MNT
nic-hdl: KNOC3-RIPE
source: RIPE # Filtered

"Jeff"'s home connection:
92.2.166.44 -> host-92-2-166-44.as43234.net

Quote:

inetnum: 92.0.0.0 - 92.15.255.255
netname: CPWBBSERV-NET
descr: Carphone Warehouse Broadband Services
country: GB
admin-c: GJB18-RIPE
admin-c: PM58-RIPE
tech-c: GJB18-RIPE
tech-c: PM58-RIPE
status: ASSIGNED PA
mnt-by: OPAL-MNT
source: RIPE # Filtered

Quote:

Welcome to LinksRoom.com

Sign up to our spam free link exchange service and within minutes you’ll be logged into your FREE unlimited link exchange account with full access to our link exchange directory (from 10th August).

(emphasis mine)
source: www.linksroom.com

A spammer advertising a spam-free link exchange and using spam to build up the site... Wink

MysteryFCM
Malware Expert

Joined: 28 Aug 2004
Last Visit: 01 Mar 2013
Posts: 841
Location: Tyne & Wear, UK

Posted: Thu Aug 06, 2009 1:49 pm Post subject:

Ya gotta love these idiots, lol _________________ Regards Steven Burn I.T. Mate / hpHosts it-mate.co.uk / hosts-file.net

Display posts from previous:

	Spyware Warrior Forum Index -> Spam	All times are GMT - 8 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum