Sponsored by..

Tuesday, 5 August 2014

.us scumbag spammers strike again

This low-life scumbag spammers are the same people I wrote about here and are playing around in the scummy end of the affiliate marketing business.

The spamvertised domains are:

readcriminalsearch.us
pluscarsearch.us
bumpcredit.us
expectlowmortgage.us
citizensmedicare.us
closedfoodstorage.us


All of these are registered with fake WHOIS details:

Registrant ID:                               28B5829EB467EADA
Registrant Name:                             Colleen Fenn
Registrant Organization:                     na
Registrant Address1:                         2555 W Lawrence Ave
Registrant City:                             Chicago
Registrant State/Province:                   IL
Registrant Postal Code:                      60625
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.7739070654
Registrant Email:                            colleenfennf342@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Originating IPs for email are:

109.201.135.21
109.201.135.35
109.201.135.47
109.201.135.108
109.201.148.11
109.201.148.24

All of these IPs are in the same 109.201.128.0/19 block allocated to:

organisation:   ORG-NE3-RIPE
org-name:       NForce Entertainment B.V.
org-type:       LIR
address:        NFOrce Entertainment BV
address:        Postbus 1142
address:        4700BC
address:        Roosendaal
address:        NETHERLANDS
phone:          +31206919299
fax-no:         +31206919409
abuse-mailbox:  abuse@nforce.com
admin-c:        PT3315-RIPE
admin-c:        JH24522-RIPE
admin-c:        NFAR
tech-c:         NFTR
mnt-ref:        MNT-NFORCE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-NFORCE
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        NFAB
source:         RIPE # Filtered


You might want to block the /24s or even the whole /19 belonging to these people. Up to you.

UPDATE:  a second wave of spam has started from 77.93.204.105 in the Czech Republic:

organisation:   ORG-EA808-RIPE
org-name:       Exmasters.com
org-type:       OTHER
address:        Exmasters.com
address:        Milos Kalerta
address:        Fricova 1102,26301 Dobris,Czech Republic
phone:          +420 603 114414
abuse-mailbox:  abuse@exmasters.com
mnt-ref:        MASTER-MNT
mnt-ref:        MASTER-MNT
mnt-by:         MASTER-MNT
admin-c:        EC6938-RIPE
tech-c:         EC6938-RIPE
abuse-c:        EC6938-RIPE
source:         RIPE # Filtered


The spamvertised sites themselves are parked on 98.124.199.1 and  98.124.198.1 (eNom). There are several hundred thousand sites parked on these servers, blocking those IPs might have unexpected consequences.

The spam emails generated do not identify the true sender, and given that the email list they are using was originally generated from a forced UNSUBSCRIBE link then I would bet that trying to unsubscribe will just lead to more spam.

Here are some examples:

From:     Background_Archives [records.archive@readcriminalsearch.us]
Date:     5 August 2014 14:22
Subject:     Hi, Your background check is available online. Notice: 1718629

Date:  05-August-2014
-----------------------------
Notice No. 1718629
-----------------------------
Attention:  [redacted]

Past criminal records are now online because of new privacy laws.

Find out if your records are available online:
http://find.readcriminalsearch.us


0pt-off this request_ http://halt.readcriminalsearch.us
Av. Conselheiro Aguiar, 312 _ Pina
Recife _ PE
51011--031, Brazil
PO box: _0913


==================================================

From:     Best-AutoPrice [car.liquidation.event@pluscarsearch.us]
Date:     5 August 2014 14:12
Subject:     Hey, Summer Price Reduction on All New Vehicles. Notice: 5370643


Local Auto Notice:  5370643
*****************************************

US Car and Truck Dealer are Liquidating Auto Inventories

Shopping for a new or used car?

Now is the time to take advantage of Summer Discounted Automotive Prices:

Go Here To View what's in-stock near you: http://limited.pluscarsearch.us


Modify_your notification_preferences: http://end.pluscarsearch.us
PO Box No. 6498
PELAYO_ 80
-28004--MADRID_MADRID

==================================================

From:     Go_Triple_Score.22692335 [score.report.476@bumpcredit.us]
Date:     5 August 2014 14:04
Subject:     Re: Has Your Score Recently Changed? Update: 24174301

RE: Your TransUnion Score may have recently changed.
----------------------------------------------------.
Date:  August 2014 Score Update
----------------------------------------------------.
Update # 24174301
----------------------------------------------------.

Dear [redacted],

The reason that we are reaching out to you today is to make you aware that your score may have been changed based on a number of recent transactions.


Go here now to find out how your score was affected by these updates: http://trynow.bumpcredit.us

Your Score Generation Time: 47 Seconds

Regards,
Marcie D.
2014 Score Defender

Cancel_this email_notification: http://stop.bumpcredit.us
Suite 4753-24B  Moorefield Rd  Johnsonville _Wellington 6037 New Zealand

==================================================

From:     HARP_Qualify.24513021 [Andrea.Casey@expectlowmortgage.us]
Date:     5 August 2014 14:51
Subject:     Fwd: HARP Program: Lower Rates May Be Available Rpt: 14579829


[redacted],

Are your home payments weighing you down?

This may be your last-chance to Re-mortgage. Lock in a low -rate today before rates rise.

Find out how you may be Eligible to lower your monthly-payment. No -registration or -login necessary.


Get competitive rates quotes from Top Lenders and Save --
http://joinnow.expectlowmortgage.us


Andrea Casey
Harp Eligibility Team

Report: 14579829

Control your_advertising status_here --- http://end.expectlowmortgage.us
or mail to:
Suite 4753-24B Moorefield Rd_Johnsonville Wellington_6037 New Zealand

==================================================

From:     enrollment_period.7469835 [future.enrollment.451@citizensmedicare.us]
Date:     5 August 2014 14:42
Subject:     Hey, Medicare Enrollment Begins Soon. Notice #17904389

Notice:  Medicare Open Enrollment Starts Soon
**********************************************************

Medicare Recipient:  [redacted]

Open Enrollment for 2015 Medicare Programs begins October 15, 2014 to December 7, 2014.

You can only change your Medicare or Prescription Drug plan during this Annual Election Period.  .

Find the best, most affordable Medicare plan.

**Aetna, Humana, BlueCross, AARP and more**


Don't Miss Your Chance to Change Plans.  Find the Best Plan & Save up to 40% Online: http://reservenow.citizensmedicare.us

Notice: 17904389


Opt-off this request: http://leave.citizensmedicare.us
Dundrum Town Centre,Dundrum
Dublin 16, Ireland
PO Box, No. 309

==================================================


From:     ASOTV-MrLid.11390255 [organized.mr.lid@closedfoodstorage.us]
Date:     5 August 2014 15:06
Subject:     Hey, The only food storage container of its kind ID: 16462768


==================================================
From:     Best-AutoPrice [car.liquidation.event@car-truck-searches01.us]
Date:     5 August 2014 15:42
Subject:     Hey, Summer Price Reduction on All New Vehicles. Notice: 21892282

Local Auto Notice:  21892282
*****************************************

US Car and Truck Dealer are Liquidating Auto Inventories

Shopping for a new or used car?

Now is the time to take advantage of Summer Discounted Automotive Prices:

Go Here To View what's in-stock near you: http://start.car-truck-searches01.us

Modify_your notification_preferences: http://stop.car-truck-searches01.us
PO Box No. 6498
PELAYO_ 80
-28004--MADRID_MADRID
When you follow the clickthroughs you can see the the victim is being bounced around what in my opinion look like several very low quality ad networks.

http://find.readcriminalsearch.us/
http://navytrkn.com/?a=125&c=9034&s1=nf805
http://genetix420.com/?a=125&c=9034&s1=nf805&ckmguid=7aba1f24-2e05-4757-a6cf-f288466d0695
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389

http://limited.pluscarsearch.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=nf805
http://www.auto-price-finder.com/welcome?id=544&subid=273567460&affid=331259&depid=
http://pixel.autoaffiliatenetwork.com/d/?id=544&dest=apf&landing=nonbrand&rh=www.auto-price-finder.com&c1=
http://www.auto-price-finder.com/new/car?dest=apf&landing=nonbrand&amp=&c1=&rh=www.auto-price-finder.com&id=544&li=3&alt_exp=new&alt_ab=&rd=1
http://www.auto-price-finder.com/new/car_non_branded?c1=&land=y

http://trynow.bumpcredit.us/
http://network.adsmarket.com/click/jmZsmWOdqZmKaWmZYMp6w4iQap1koX-Vi2KYmmKhg5qJkHKcYKR7w49icZVinA?dp=nf805

http://joinnow.expectlowmortgage.us/
http://silvertrkn.com/?a=125&c=7570&s1=nf805
http://genetix420.com/?a=125&c=7570&s1=nf805&ckmguid=c7633716-4790-4104-ac97-5360ffa8f1c1
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389

http://reservenow.citizensmedicare.us/
http://affiliate.adgtracker.com/rd/r.php?sid=7748&pub=331259&c1=nf805
http://www.medicare-providers.net/plans/index.php?Referrer=FM&Subreferrer=331259&Subid=273569127&utm_source=flex&utm_medium=email&utm_content=medicare&utm_campaign=24560

http://requestnow.closedfoodstorage.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6396&pub=331259&c1=nf805
http://comperz.com/click.ashx?CID=243834&AFID=156909&SID=273569713&AffiliateReferenceID=331259
http://www.vacationrome.net?subid=243834

http://start.car-truck-searches01.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=exm80
http://www.auto-price-finder.com/welcome?id=544&subid=273575551&affid=331259&depid=
http://pixel.autoaffiliatenetwork.com/d/?id=544&dest=apf&landing=nonbrand&rh=www.auto-price-finder.com&c1=
http://www.auto-price-finder.com/new/car?dest=apf&landing=nonbrand&amp=&c1=&rh=www.auto-price-finder.com&id=544&li=3&alt_exp=new&alt_ab=&rd=1
http://www.auto-price-finder.com/new/car_non_branded?c1=&land=y

I'm not accusing the affiliate networks involved of soliciting sales through spam, but these are a lit of all the domains in use in case you want to do something with them:

affiliate.adgtracker.com
affiliate.gwmtracker.com
comperz.com
find.readcriminalsearch.us
genetix420.com
joinnow.expectlowmortgage.us
limited.pluscarsearch.us
navytrkn.com
network.adsmarket.com
pixel.autoaffiliatenetwork.com
requestnow.closedfoodstorage.us
reservenow.citizensmedicare.us
silvertrkn.com
start.car-truck-searches01.us
trynow.bumpcredit.us
valuedealshopper.com
www.auto-price-finder.com
www.enzjptkr.com
www.medicare-providers.net
www.vacationrome.net


3 comments:

Bob Cohen said...

How do I blacklist the entire block?

I tried:

206.190.137.* REJECT
109.201.148.* REJECT
77.93.204.* REJECT

Conrad Longmore said...

@Bob: well, they've moved on to:
217.23.14.153
217.23.14.13

..they have a LOT of resources but seem to be burning them quite quickly.

Bob Cohen said...

So how do I block these douche bags?