BBB Spam FAIL / domain.com

Here's a normal looking BBB spam, which typically would lead to malware:

From:     Milford Finn risk@bbb.org
Date:     5 March 2012 10:42
Subject:     BBB have recieved a customer complaint about your company.


Business Owner/Manager,
One of your business customers has filed a complaint with The Better Business Bureau concerning the negative experience he had with your company. The consumer complaint is attached below. Please submit your response to this matter as within 21 days. The most efficient way to provide your response is by using the Online Complaint system. Please follow the following link to access the above-mentioned customer complaint and submit your response to it:
BBB complaint center

Use the following data to login:

Case ID: #2478119
Password: 65950

The Better Business Bureau  acts in the role of a a neutral third party, and helps you resolve your customer disputes fast and efficiently. We develop and support online Reliability reports on American companies, open to the Public and used by millions of business customers. A satisfactory customer report can have a pronounced positive impact on your business.

We hope for your immediate attention to this matter.

Sincerely,
Kenyon Frye
Dispute Counselor 

Except the idiot spammers have forgotten to include the domain name and have left if at what is presumably the default of domain.com:

Unfortunately, next time the spammers will probably get it right.. in the meantime, here are some example subjects being used in this attack:

• Better Business Bureau needs your urgent attention. 
• Better Business Bureau customer complaint. 
• BBB have recieved a customer complaint about your company. 
• Your company is accused of illegal financial transactions.

Malformed "nacha5_sbj}" spam leads to malware

Some stupid spammer has screwed up their campaign:

Date:      Fri, 9 Feb 2012 20:07:15 +0430
From:      payment@nacha.org
Subject:      nacha5_sbj}
Attachments:     nacha.jpg

The following information concerns the ACH transfer that was originally effectuated by you or any other person on 02-02-2012.

Transaction ID:
    89024101013314
Transaction status:    declined
Supplementary information:    Please read the detailed report

Faithfully,
Violette Coirs.

2012 NACHA - The Electronic Payments Association

This is a system generated email. Please do not respond.

The malicious payload is synergyledlighting.net/main.php?page=4e4959105994cf84  hosted on 131.94.130.132 (Florida International University, US) and 173.236.78.113 (Singlehop, US). That same domain was found in this spam, although one of the IPs has changed since then.

The Florida International University IP address gives a clue as to what is going on here - these servers are most likely hacked rather than rented. This also explains why some IPs have seemingly legitimate sites on them. Still, blocking access to these IPs is the safest thing to do.

"Acid Free Coffee" spam.. again.

Another spam run promoting "acid free coffee", but this time the spammers are trying a trick to avoid detection.

From:      "Acid Free Coffee" [ppingu84@yahoo.com]
Subject:      Acid Free Coffee

I just discovered this amazing coffee. Its incredibly smooth and rich like nothing I have ever tasted before. Google Acid Free Coffee or click here http://tinyurl.com/6otas83 to search it. This is really worth your time.

The link really does go to Google, specifically https://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acid+free+coffee .. and who is the first result for acid free coffee? It's Tylers Coffees who have been seen before in this spam run.

Tylers Coffees deny having anything to do with it.. or at least someone claiming to be Tylers Coffees denied it in the comments to the previous post: "we are sorry about all this. We have our IT looking in to it. IT WAS NOT SENT BY US. Thank you for your support please email us for a free bag of coffee we again a very sorry for the incovinces"

This time the spam came from 173.192.141.86, an IP address belonging to Softlayer Technologies in the US, but suballocated to an Indian outfit called ucvhost.com.


According to Tylers Coffees Facebook page, other people are seeing exactly the same thing:

My personal opinion is that "acid free coffee" sounds like some sort of beverage made from snake oil, but if people want to buy it then that is fair enough.. however, if Tylers Coffees really are promoting a brand through spam then is both unethical and illegal.

"INTUIT INC" malicious spam and {int_link} fail

A new version of a familiar spam that is meant to have a malicious payload:

Date:      Thu, 25 Jan 2012 20:43:03 +0100
From:      "INTUIT INC." [onlinebanking@ealerts.bankofamerica.com]
Subject:      Your tax information needs verification.

Dear Sir/Madam,

In our continuing effort to assure that exact information is being kept up on our systems, as well as to provide you better quality of service; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is indicated on your account is different from the information on file with the IRS.

In order to check and update your account, please enter the secure section.

Yours sincerely,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

OK, the sharp eyed amongst you will have noticd that "INTUIT" and "bankofamerica.com" are two different entities. What you can't see is that the moron spammer has sent out all the links pointing to just http://{int_link}/ rather than remembering to include the spam URL. No doubt the next version of this will have a malicious payload, so take care.

Tylers Coffees (tylerscoffees.com) tastes of spam

Here's an annoying spam I have been getting lately:

From:      "Coffee News" [news.coffee@yahoo.com]
Subject:      Check out this coffee

       
Acid Free Coffee
A little cup of java can mean a big problem for stomachs. Acid levels in coffee, as well as impurities and resins, may wreak havoc on the digestive tract. Our customers with sensitive stomachs are relieved to learn that they can still continue enjoying a great cup of coffee whenever they want.

Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
    for $5
      
Where it Comes From


The Finest hand-picked Arabica beans are shipped from South America to our roasting factory in Arizona.We use Swiss Water Based Process to decaffeinate our Arabica coffee beans
Read more
How We Make It
       
We use a “Z-Roasting” process that optimizes the time the coffee beans are cooked; the result is high levels of caffeine and free of acid. Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
Read more
Regular vs. Decaf
       
Regular: Rockets you forward with level of caffeine that exceeds most other coffee brands.

Decaf: Same great taste as the regular coffee minus the rocket energy, so that you can finally take that sleep you deserve.

Either way - you will LOVE IT !!

Read more

If you want us to take you off our mailing list, please click on the link below
Not interested anymore? Unsubscribe here.

I've seen this several times, to begin with they were trying to use tinyurl.com to mask their URL, but they're pretty good at terminating spammers.

Subsequent runs use the domain justcoffee-noacid.com in the emails. Although the domain has anonymous WHOIS details, it's notable that the spammer is using Piradius Net, a black hat web host from Malaysia as a host. We've seen these guys before.

justcoffee-noacid.com has a miminal amount of content, and depending on which link you click through, you either get redirected to tylerscoffees.com or you get a spammy page tempting you to click through.

In all cases the spam comes through 118.123.6.123  in China.

tylerscoffees.com is a website belonging to Tylers Coffee, a firm in Arizona.

The domain is registered to:

      ornsteins, ian  ian@innovativeformulations.com
      1810 s 6th ave
      tucson, Arizona 85713
      United States
      (520) 628-1553      Fax -- (520) 628-1580

The company seems to be legitimate (although personally I have doubts about their claims over "acidic coffee"), but it looks like someone has decided to try some web site promotion without fully checking what was being done. Spamming out from China via a black hat host in Malaysia is one very easy way to damage your brand..

Spam: "Federal Tax payment canceled / Rejected Federal Tax payment " and twistloft.com

There's nothing particularly new with this IRS spam, but because spammers are stupid, all the examples that I have seen today have an invalid link and cannot be clicked through.

Here is a sample:

Date:      Mon, 5 Dec 2011 11:29:03 +0100
From:      Bernadine_Woody@irs.gov
Subject:      Federal Tax payment canceled

Your Tax payment (ID: 6318017800684), recently from your bank account was rejected by the your financial institution.

Canceled Tax transfer
Tax Transaction ID:     6318017800684
Reason for rejection     See details in the report below
FederalTax Transaction Report     tax_report_6318017800684.pdf (Adobe Acrobat Reader Document)

How does IRS e-file work?
A. You or your tax professional, prepare your tax return. In many cases, the tax professional is also the Electronic Return Originator (ERO) who is authorized to file your return electronically to the IRS. Ask your tax professional to file your return through IRS e-file.
You sign your electronic tax return by either using a Self-Select PIN for e-file for a completely paperless return, or by signing Form 8453, U.S. Individual Income Tax Transmittal for an IRS e-file Return.See " If the return is electronic, how do I sign it?" for more information.
After you sign the return using a Self-Select PIN or Form 8453,the ERO transmits the return to the IRS or to a third-party transmitter who then forwards the entire electronic record to the IRS for processing. Once received at the IRS, the return is automatically checked by computers for errors and missing information. If it cannot be processed, it is sent back to the originating transmitter (usually the ERO) to clarify any necessary information. After correction, the transmitter retransmits the return to the IRS. Within 48 hours of electronically sending your return to IRS, the IRS sends an acknowledgment to the transmitter stating the return is accepted for processing. This is your proof of filing and assurance that the IRS has your return information. The Authorized IRS e-file Provider then sends Form 8453 to the IRS.
If due a refund, you can expect to receive it in approximately three weeks from the acknowledgment date - even faster with Direct Deposit (half the time as when filed on paper). If you owe tax, see "What if I owe Money?" for payment options available this year.


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

After debugging the invalid URL and going through a couple of hacked legitimate sites, we find the malicious payload on twistloft.com/main.php?page=111d937ec38dd17e (The Wepawet report is here, do not visit this site unless you know what you are doing), hosted on 65.254.63.228. Blocking access that IP and domain name might be prudent.

Spammers are stupid

What's wrong with this spam?

Date:      Thu, 1 Dec 2011 17:55:30 +0900
From:      "LinkedIn" [linkedin@em.linkedin.com]
To:      Victim
Subject:      So now you're on LinkedIn: What's next?

The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
Rejected transfer
Transaction ID:     730771521612
Reason of rejection     See details in the report below
Transaction Report     report_730771521612.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

Yup.. the headers are for a LinkedIn themed spam, the body is a NACHA themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.

The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 92.55.144.82 in Romania (I would recommend blocking the whole 92.55.144.0/24 block at least, or even 92.55.144.0/21 if you want to be on the safe side). The payload looks like a typical exploit kit.

Some work-at-home scams to avoid

Only a real idiot would send spam to a spamcop.net address. Here is a real idiot:

From: Rock Cruit Management 3dhgubesch@hochrather.at
Reply-To: 3dhgubesch@hochrather.at
date    21 November 2011 18:03
subject    Rock Zone Management: Your Job Application is Pending
   
Give the time of day [redacted]


Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application,
but can not do so until you complete our internal application.

The pay range for available positions range from $35.77 per hour to $57.62 per hour.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://widg.me/VocOw

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire application process.

--------------------------------------------------------------------------------

Best Regards,

Rock Cruit Management

In this case, the email originated from 200.74.5.198 in Chile. A second sample was from 31.175.175.182 in Poland.

Clicking through the "widg.me" shortcut leads to a site called rockcruitmanagement.com which looks like a recruitment site at first glance, but in fact is just an entry doorway to a very dubious work-at-home scheme. The domain is WhoisGuard protected, but there are several other crappy sites also hosted on 216.38.13.210 of a similar theme.

A tip - if you get a spam email like this, forward it to the web hosts at abuse -at- gigenet.com and perhaps this will be shut down.

All the sites try to hide their identity, but we can trace them back through their Google Analytics ID of UA-1504952 and AdSense ID of pub-286423930919881 to websitedesignbrisbane.org ("Jetstream Web Design + SEO") in Brisbane, Australia. I haven't been able to trace who is behind this company, and in fact it seems doubtful that there is a company at all.. but still, this seems to be the origin of the spam. The registration details for that domain are:

Registrant ID:6050DF1BFA437FB2
Registrant Name:Jetstream Online
Registrant Organization:Jetstream
Registrant Street1:4/11 Emperor st
Registrant Street2:
Registrant Street3:
Registrant City:Annerley
Registrant State/Province:QL
Registrant Postal Code:4103
Registrant Country:AU
Registrant Phone:+61.431714098
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:jetstream2@gmail.com

All the following domains are connected, most are work-at-home or survey sites that are deceptive in their pitch. I would recommend avoiding them.

123tickets.info
1insuranceauto.info
1insurancelife.info
2airticket.info
2airtickets.info
2freejb.info
2freesw.info
2insuranceauto.info
2insurancelife.info
3insuranceauto.info
3insurancelife.info
4insuranceauto.info
4insurancelife.info
5insuranceauto.info
5insurancelife.info
6insuranceauto.info
7insuranceauto.info
adultversionyoutube.com
air340.info
air747.info
aircomp747.info
airdelta.info
airfly380.info
airfly747.info
auctionsbrisbane.com
bagsflyfree.info
bagsflysw.info
bornmarketer.com
buyyourhouse.com.au
claimair380.info
claimair747.info
claimairticket.info
claimfly.info
claimfly747.info
claimjetticket.info
claimprize.org
claimprizenow.com
claimprizenow.com
claimtickets.info
comp747.info
dailyhotlocal.com
dealcomparisons.com
delta747.info
deltafly.info
deltawin.info
facescams.com
fastwebs.com.au
fly380.info
flybagsfree.info
flyfreenow.info
flyfreesw.info
flyjet747.info
flysw.info
flyswtoday.info
flyticket747.info
flytickets747.info
godsofrain.com
gojb.info
gojblue.info
gojetblue.info
healthcrooks.com
homesaleconnect.com
ifly380.info
ifly747.info
ilovesw.info
ispycpv.com
ispyhq.com
ispyppv.com
jb747.info
jettickets.info
locallunchbreak.com
mydoorhandles.com
myebizprofits.com
myusgrant.com
news8daily.info
news9daily.info
newsdailyreport.com
newsdailyreport.info
officialdeals.info
officialpromos.info
officialrooibostea.com
outsourcing.cm
perfectposturenow.com
rockcrownmanagement.com
rockcruitmanagement.com
rockcruitmanagement.com
rockdimemanagement.com
rockfacemanagement.com
rockfishmanagement.com
rockgrademanagement.com
rockgradereview.com
rockgrandmanagement.com
rockgroupmanagement.com
rockheartmanagement.com
rockhopemanagement.com
rockhousemanagement.com
rockkingmanagement.com
rockmountmanagement.com
rockmountreview.com
rockroundmanagement.com
rockshiftmanagement.com
rockshoremanagement.com
rocksmithmanagement.com
rocktapmanagement.com
rocktowermanagement.com
rockviewmanagement.com
rockworthmanagement.com
rockzonemanagement.com
shippingcontaineraustralia.com
subwayrocks.info
swfly.info
swflyfree.info
swflyfree.info
swisgreat.info
swrocks.info
termitecontrolbrisbane.com
ticket747.info
tickets365.info
tickets380.info
tickets747.info
top3workfromhome.com
torrent4cash.com
tpass.info
tripsreservation.info
turbopottytraining.info
turbotoilettraining.com
utube-com.com
utubevideoclip.net
utube-videos.org
utubevideosite.com
utubezz.com
vacationinus.info
websitedesignbrisbane.org
windelta.info
winflyfree.info
winflytickets.info
winswfree.info
winticketsnow.info
wu-longforlife.com
zbuyerhomes.com

The Register blunders, hands itself into the ICO

Oops.

From: The Register marketing@theregister.co.uk
Date: 24 October 2011 18:28
Subject: Apologies from The Register
       
Hello,

This morning the name and email address you used to register for The
Register was mistakenly sent to 3,521 individuals, also readers of
The Register.

We've contacted them asking them to delete the email and respect your
privacy.

We are of course terribly sorry for this error and have reported
ourselves to the ICO. Our initial statement is here:

http://www.theregister.co.uk/2011/10/24/email_blunder/

You are free to edit or delete your account details here:

http://account.theregister.co.uk/register/

If you have any questions or would just like to rant at us please
send emails to mailto:data@theregister.co.uk


Best Regards
The Register

There's a couple of interesting things here - one is that The Register did the decent thing and reported the breach, it will be interesting to see the ICO's reaction when they ignore more serious breaches all the time. The second one is that the email address I used to err register is unique to The Register. Will I start getting spam as a result of it being sent out to 3521 people, or would it require more.

Anyway, Kudos to The Register for coming clean. You can read more about it here.

talkhard.com spam from scam.com

Here's an oddity:

From: funforumcommuity@yahoo.com funforumcommuity@yahoo.com
Date: 7 October 2011 11:02
Subject: [RE] New message board you will like

Hey I figured you would like this new forum I found. There's no ads, its uncensored, and they are doing a hundred dollar contest this month. Check it out.

http://www.talkhard.com

The mail originates from 208.86.2.42 which is mail.scam.com. The mail headers read:

Received: from unknown (HELO srv349.rackco.com) (208.86.2.42)
  by ********** with SMTP; 7 Oct 2011 15:26:45 -0000
Received: from apache by srv349.rackco.com with local (Exim 4.69)
    (envelope-from )
    id 1RC7Gd-0001vk-RA
    for **********; Fri, 07 Oct 2011 06:02:59 -0400
To: **********
Subject: [RE] New message board you will like
From: "funforumcommuity@yahoo.com"
Message-ID: <201110071059.42eccb836871@scam.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Sender: Apache
Date: Fri, 07 Oct 2011 06:02:59 -0400

Not very classy, scam.com!

Phishtank FAIL: paypal.de

paypal.de is pretty obviously a legitimate PayPal domain, registered to eBay and hosted on 66.211.168.83 in eBay's address space. However, Phishtank thinks that it is a phish.. well, OK, false positives happen.. but the problem here is that it has been manually verified as a phish which really does show a weakness in the Phishtank verification system. It's not the first time it has happened.

So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.

Sky survey boll*cks

I'm feeling quite sweary this week, so here's a stupid email from a market research company who are pretending not to be doing it for Sky (I know it's for Sky because it uses an email address only used to sign up to Sky). It's b*llocks basically.

From: Tpoll Broadband Survey helpdesk@tpoll.net
Date: 22 July 2011 16:19
Subject: A survey about your broadband provider

Dear Mr Dynamoo

A well-known broadband provider has commissioned us here at Tpoll, an independent market research agency, to talk to people about their opinions and experiences with their TV and broadband providers.

The broadband provider in question is very keen to properly understand their customers’ needs, how well the products and services they offer are meeting their needs, and how they compare to other providers. They have asked Tpoll to investigate and we have invited you to take part in an online survey to share your thoughts and opinions.

This survey is organised and run under the rules of the Market Research Society. All responses will be strictly confidential and results will only be looked at on an aggregated level so please be as honest as you can with your answers.

Your answers will be very much appreciated and will be extremely valuable in shaping the products and services the provider offers.

Please click on the link below to start the survey - it should take 10 to 15 minutes to complete.

Click here to begin

Many Thanks,

Elizabeth Green



Tpoll Market Intelligence

So.. you want me to spend 15 minutes doing market research for Sky - a company that I don't use for broadband - just to help them shape their business? I did very much enjoy telling them that I don't have a TV or broadband access. Maybe this will screw up their survey.

Is this spam? It's hard to tell. I have a pre-existing relationship with Sky, but I'm pretty sure I didn't opt-in for this. It would be much more honest if Sky just admitted that they were behind it. Although perhaps their relationship with Rupert Murdoch's empire might be driving them to keep it quiet..

Etisalat - f*ck you very much

If you've never heard of Etisalat then you are probably lucky. Etisalat is the monopoly telecoms provider in the UAE, and like all monopoly providers it is basically crap.

Why am I bothered? Well, after receiving this same spam 4386 times with no sign of a let-up, then I thought it might be nice if Etisalat educated their customer. Unfortunately, Etisalat's abuse mailbox doesn't work, presumably because it is packed full of complaints and nobody from Etisalat can manage to shift their fat sweaty arses enough to look at it.

Now, not getting a response to abuse complaints is pretty typical and not really worth commenting on. However, I was eventually able to get a response from customer support. And it looked promising!

Thank you for contacting Etisalat Customer Care Center.

Further to your email, please accept our sincere apologies for any inconvenience happened. We had escalated the issue to the concerned department and will update you soon after we receive a reply. Kindly bear with us for the delay. reference number 388135

Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.

Great.. I thought. Better late than never. So I waited.. and the next reply was basically a "fuck you" from Etisalat:

Thank you for contacting Etisalat Customer Care Center.
Kindly enable sufficient anti spam settings or add filters in your email to overcome the situation.
Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.

Wait.. what? The solution to Etisalat allowing customers to spam is.. basically to block email from Etisalat? So basically it is just too much effort for Etisalat to actually do anything. Maybe the airconditioning is broken in the Etisalat support offices and their arses are just too fat and sweaty today..

Anyway, 86.96.226.150 is the culprit to block but if you follow Etisala's own recommendations then block email coming in from 86.96.226.0 - 86.96.239.255 (86.96.224.0/20) just to be on the safe side.

And Etisalat, in the words of the FCC Song, f*ck you very much.

Sapphire Town Real Estate (sapphiretown.com) suck

I don't normally post twice on one spammer, but the idiots at Sapphire Town Real Estate seem to have hit new levels of stupidity with this spam that they have now sent 283 times, apparently about 1% into a dictionary attack (so I can expect to see it 28,000 more times!)

If they are this stupid when it comes to doing business then I would advise giving them a wide berth.

Update: now 4386 times and counting!

Sapphire Town Real Estate "Labour Camps" spam. Just add slaves.

This spam for labour camps was so important to the sender that they sent it 300 times (and counting). Just add slaves, I guess. And in jolly Comic Sans too! Originating IP is 86.96.226.150 in the UAE, all attempts at contacting their abuse department bounce. Classy.

From: Sapphire Town Real Estate stre@emirates.net.ae
Reply-To: info@sapphiretown.com
To: Redacted
Date: 4 July 2011 19:12
Subject: Labour Camps

Dear Valued Customer,

We offer a wide variety of labour camps for rent in ALMUHAISNAH 2^nd (Sonapour), AL QUOZ, JEBEL ALI and DIP with your exact requirements and reasonable price.

Labour Camp in Al Quoz Total Rooms               = 295 Supervisors Rooms     = 5 Kitchen                      = 7 Dining                        =7 Toilet                        =117 Showers                    =117 Parking for 14 buses and 25 cars Price                 = AED 1,250 All Inclusive	Labour camp in Al Muhaisnah 2nd Total Rooms      = 140 Kitchen              = 3 Dining                = 3 Showers            = 60 Toilets               = 60 Price                 = AED 1,200 All Inclusive
Labour Camp for Rent in DIP phase 1 Total Room          = 70 Kitchen & Dining =2 Toilet & Showers = 50 Price                 = AED 1,600 All Inclusive	Labour Camp for Rent in Jebel Ali Ind.3 Total Rooms             = 200 Kitchen & Dining      = 4 Toilets & Showers    = 160 TV, First Aid, Gym & Service Room Price                 = AED 1,400 All Inclusive

• Labour Camps & Warehouses for Sale.
• Residential Building For sale in Bur Dubai.

If you have any questions or concerns, please email us directly stre@eim.ae Or call 050-3479984///04-2576603
This E-mail has been sent to you as a person interested in the information enclosed. If you have received this e-mail in error please notify the originator of the Email If you want your Email to be removed PLEASE reply to info@sapphiretown.com to ''Remove from list''. We sincerely apologize for the possible inconvenience. 

Wanna buy an aircraft carrier?

Because we British have decided that we don't need to have aircraft carriers, because we're not bombing anywhere in particular at the moment.. apart from Libya.. and maybe a few other countries that we noticed along the way, then we've put the ex-flagship Ark Royal up on an auction site.

What cracks me up is the "Add to Wishlist" and "Add to Cart" buttons on the bottom.

Before you get over excited, these pocket aircraft carriers are mostly suitable for helicopters or V/STOL jets which aren't included in the price.

"Debt Advice UK" Sussex

You know when you are dealing with a dodgy outfit when they robo-call your mobile from a supressed number with a recorded message that starts "Please do not hangup" and then blabbers on about debt management, inviting you to press "2" to talk to an adviser.

The dodginess continued when the "adviser" at the other end could not confirm the name of the company he worked for (he claimed not to know!) except for a name of "Debt Advice UK" and didn't give any address other than "Sussex". There is no company in the UK of this name, and since I'm TPS registered then they should not even have been calling.

The hidden phone number, blatant disregard of TPS and refusal to give a company name or address definitely has all the hallmarks of something highly unethical.

If anyone has details of these scumbags, please feel free to add a comment!

It's 30 for a reason, part 2

This guy claims that he was doing 20mph before he demolished about 15 metres of fencing, two gateposts and one gate before hitting my house.. backwards. I am largely disinclined to believe him.

I don't know what you have to do to pass a driving test in Lithuania where this guy hails from. I suspect driving backwards into a house isn't part of the test though.

But.. this isn't the first time that this has happened either. Three years ago we were lucky not to be picking body parts out of the garden after this accident.

And the speed limit? 30 miles per hour. It's 30 for a reason..

Massive yourfreeworld.com / downlinegoldmine.com spam run

Sometimes it is difficult to tell if a spam run is a Joe Job, or if the spammer is really a moron.

Over the past few hours, a massive spam run has been caught by several spamtraps and has also been spammed out heaving to spamcop.net email addresses:

From: Rohit Seth - YourFreeWorld <seth@yourfreeworld.com>
Date: 8 November 2010 07:39
Subject: Amazing New MLM Scripts, Mass Mailers, Downline Builders
   
- Hide quoted text -
Check out our amazing range of money making matrix scripts, bulk emailers, safelists, banner ad scripts and downline builders.

Check out our latest additions too by bookmarking our site and checking it often.

Our ingenious affiliate program integrates your ClickBank ID into your affiliate link. So when someone comes to our page and conducts a search for any ClickBank product, YOU can make up to 75% commissions with very little effort!

"Imagine earning commissions hand over fist 24 hours a day, 7 days a week, 365 days of the year -- even while you're sleeping! This is truly a no-effort style affiliate program that maximises multiple income streams."

http://www.yourfreeworld.com

or make monster cash for the holidays by becoming a reseller of our fantastic scripts, it's that simple!

http://www.downlinegoldmine.com

If you are ready to start to MAKE MONEY online, Downlinegoldmine.com is the place to do it! We will give you the keys to build your Downline, to create your own Downline Program and to learn winning techniques so that you can sit back and let the earnings begin!

From the desk of Rohit Seth
Delhi
India

WHOS details are consistent with the message:
  Registrant :
    Name: Rohit kumar Seth
    Organization: Dr. M.Seth & Co.
    Address: S-5,Naveen Shahdara
    City: Delhi
    State: DE
    Postal Code: 110032
    Country: IN
    Phone: +91.0112232
    Fax:
    Email: rolovedeep@yahoo.com


The originating IP is 64.244.62.22 [Point North Networks / XO Communications, US] pointing to two spamvertised sites, downlinegoldmine.com on 72.29.67.174 and yourfreeworld.com on 66.7.201.119  [both at Hostime, Orlando].

Almost all MLMs are some sort of scam, and these are two sites promoting MLMs. But these sites also promote "safe email sendlists", but clearly sending hundreds of spam emails to spamtraps is clearly a poor definition of "safelist".. it's almost as if this activity is deliberately designed to generate spam complaints..

..and here's the thing. There's no evidence linking 64.244.62.22 to the alleged sender, and sending massive amounts of the same email to SpamCop.net addresses is either a massively stupid move, or it could be a deliberate attack on these sites by an unknown party.

In my opinion, both yourfreeworld.com and downlinegoldmine.com look like crappy sites that are worth avoiding. 

MySuperShares.com spam

In my view, all MLM schemes are almost always scams.. and MySuperShares.com seems to be just another MLM scheme, this time selling "ads" that only seem to display on the MySuperShares.com site. But the real carrot is the promise of downlines if you sign someone else up.. in other words, a thin product offering with a concentration on signing up other members rather than selling a real product.

The scheme itself is based in Australia, and I am no expert in Australian law. So, let's assume that this type of MLM scheme is legal in Australia for now.

Still, this particular email seemed unusually brazen..

From: MySuperShares.com <webmaster@mysupershares.com>
Reply-To: webmaster@mysupershares.com
Date: 28 October 2010 13:30
Subject: MySuperShares.com Confirmation Email
   
Dear 4612_210 4080_759,

Thank you for creating your account with MySuperShares.com.

To activate your account, please click the link below:

http://www.mysupershares.com/confirm.php?username=0000_000&id=00000

Once you have completed this step, you will be able to
login to your account.

Kind regards

Eva Browne-Paterson & Jullieanne Matheson
MySuperShares.com

The originating IP is 174.122.14.226, MySuperShares.com is hosted on 174.122.14.227 (i.e. the next IP address), so it indicates that the mail is genuinely from MySuperShares.com. Let's look at the WHOIS details for that domain:


Registrant:
   EvieB.com
   1 Keswick Island Drive
   Keswick Island, Queensland 4740
   Australia

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: MYSUPERSHARES.COM
      Created on: 13-Oct-10
      Expires on: 13-Oct-11
      Last Updated on: 13-Oct-10

   Administrative Contact:
      Browne-Paterson, Eva  evieb@evieb.com
      EvieB.com
      1 Keswick Island Drive
      Keswick Island, Queensland 4740
      Australia
      411569782      Fax -- 749658019

   Technical Contact:
      Browne-Paterson, Eva  evieb@evieb.com
      EvieB.com
      1 Keswick Island Drive
      Keswick Island, Queensland 4740
      Australia
      411569782      Fax -- 749658019

   Domain servers in listed order:
      NS1.MYFREESAFELIST.COM
      NS2.MYFREESAFELIST.COM


It's unusual for fraudsters to include their real contact details in the WHOIS, in fact everything checks out as being legitimate, it you check out the MLM business model.

There are a few possibilities:

1. The people running the site are really stupid and think that this is a good way to get signups (rather than getting your site nuked)
2. Someone is using MySuperShare.com's own system to perform a Joe Job with deliberately false signups.
3. Someone thinks that they can make money by gaming MySuperShare.com's system with fake signups.

My best bet is that it is the #2 or #3 option, because I really don't think that the site operators are so stupid as to try spamming like this. Does that mean that it is a legitimate programme? Well, put it this way.. do you really think that it is feasible to make money by selling nothing of value?

Update:it does appear that someone is targetting these MLM "get rich quick" sites as another site called Rev2Share.com has also been hit.