Date: Tue, 16 Apr 2013 09:11:37 -0400The spam is on a variety of topics, but one thing that makes me cross is seeing spam on this particular topic. Why? Well, this particular illness is linked to many high-paying lawsuits, and as a result advertisers can pay out a surprising amount of cash per click estimated here to be worth over $80 for some individual clicks. But in this case, they will be essentially worthless clicks to the advertiser. And who ends up paying for these worthless clicks? Well, ultimately the costs get extracted from the sufferers of this illness from their settlements.
From: "Mesothelioma"
To: [redacted]
Subject: Learn The Link Between Asbestos and Mesothelioma
5670242064119134040....02158166418942886316dc91aae549f7.02158166418942886316dc91aae549f7.5670242064119134040..02158166418942886316dc91aae549f7.. 33100457.5670242064119134040..02158166418942886316dc91aae549f7.5670242064119134040..
Learn The Link Between Asbestos and Mesothelioma
Rebosiet riwan ducufaf. 02158166418942886316dc91aae549f7 Rire ti 5670242064119134040 sasah 33100457 totetes 33100457 tela. 33100457 Woc 02158166418942886316dc91aae549f7 esic 02158166418942886316dc91aae549f7 sew 02158166418942886316dc91aae549f7 se 02158166418942886316dc91aae549f7 icin 02158166418942886316dc91aae549f7 icat 33100457 worag 33100457 ne 02158166418942886316dc91aae549f7 tedit 33100457 kodu. 02158166418942886316dc91aae549f7 Eca cehag 33100457 kose. 02158166418942886316dc91aae549f7 Adodiner 5670242064119134040 nure 33100457 bebose aleri ira 02158166418942886316dc91aae549f7 malitu noharie ituror [this crap goes on and on to try to get past spam filters]
There are three parties involved in this scam. Working backwards, the ads displayed on the landing page are run by Google, the landing page itself is owned by an outfit called Adilizer.com who claim to be based in Texas. But the spamming itself seems to be the work of one Arif Khan who is the CEO of an Indian company called Mak Media.
Let's look at when clicking on the link on that spam gets us..
hxxp:||rng172.fuldbate.us/2437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rng172.fuldbate.us/98F22437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rk3231.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||obmedia.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||www.myown-big-find-tool.com/
The domains myown-big-find-tool.com, obmedia.com and rk3231.com belong to Adilizer and look like they could be some sort of affiliate link. So, we can perhaps assume that Adilizer are not directly responsible for the spam.
The domain fuldbate.us is owned by Arif Khan, and rng172.fuldbate.us is hosted on 198.84.76.172 which is where this spam originates. These are the pertinent WHOIS details for the domain:
Registrant ID: FF70EC5B09E3DC10
Registrant Name: Arif Khan
Registrant Organization: Gravity Media
Registrant Address1: Bhopal
Registrant Address2: Bhopal
Registrant City: Bhopal
Registrant State/Province: MP
Registrant Postal Code: 462001
Registrant Country: India
Registrant Country Code: IN
Registrant Phone Number: +91.9425677527
Registrant Email: praveen.shukla4015@gmail.com
Registrant Application Purpose: P1
"Gravity Media" may or may not exist, but domain WHOIS details are easy to fake. But if we look at who the IP address is allocated to then we can see a bit more information.
%rwhois V-1.5:003fff:00 rwhois.hostwinds.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:Hostwinds Block-198.84.76.172/32
network:Auth-Area:198.84.76.172/32
network:Network-Name:Mak Media Network
network:IP-Network:198.84.76.172/32
network:IP-Network-Block:198.84.76.172 - 198.84.76.172
network:Customer Organization:Mak Media
network:Customer Address;I:Plot N0 4 , Kerma Tower
network:Customer City;I:BHopal
network:Customer State/Province;I:Madhya Pradesh
network:Customer Postal Code;I:462001
network:Customer Country Code;I:IN
network:Organization;I:Hostwinds LLC
network:Tech-Contact;I:abuse@hostwinds.com
network:Admin-Contact;I:abuse@hostwinds.com
network:Abuse-Contact;I:abuse@hostwinds.com
This reveals the apparently genuine organisation of Mak Media, of which Arif Khan is CEO according to his LinkedIn page. Note that there are several companies of a similar name, but this one seems to be based in Bhopal.
To quote Mr Khan, his background is of:
Intense drive and overachieving mentality with a track record of consistently meeting and exceeding goals. Dedicated work ethic, and intense desire to succeed in achieving an aggressive career and financial growth.In other words, he takes advantage of India's non-existent spam laws and blasts as many mailboxes as he can with crappy affiliate links.
Specialties: Email Marketing, lead generation,database management, email marketing, list management, Email Monetization, Affiliate Marketer!!
But the spam doesn't come from just one domain and IP. Arif Khan uses hundreds of throwaway .us addresses and multiple IPs. These are the ones I have seen in the past week:
fuldbate.us
excrep.us
buidep.us
xlitisew.us
trunalk.us
ryismeth.us
fjouck.us
duptous.us
certious.us
grembing.us
bablump.us
ghtchity.us
fluitice.us
fjoutte.us
cabatki.us
asatuary.us
echead.us
brooto.us
falert.us
eurness.us
djasynt.us
abubcum.us
emenger.us
ograst.us
hapric.us
Each one comes from a different IP address in the 198.84.76.0/24 range suballocated from Hostwinds to Mak Media. But there's something weird, because Hostwinds haven't allocated a 256-address /24 block at all.. they've allocated 256 /32 blocks of a single IP address each. This is presumably a trick to make sure that the whole /24 range doesn't get blacklisted at once.
If you are plagued with this spam and have the capability to do so, block all incoming email from and web traffic to 198.84.76.0/24 and it should effectively block it for now. And reporting any spam to abuse -at- hostwinds.com will probably do no harm.. although I suspect it will do little good.
