A Light Analysis of Referral Spammers

So; more tales from the “Account Terminated” swamp. I’m looking through my referrer spam from the last 24 hours and I decide to do a little whois checking.

Update: A regularly updated text file containing the 10 most recent domains to hit my servers is available here: http://boakes.org/referral-spam-domains

A few things I noticed:

Owner Jane Phill lives at “61 Street, Tel Aviv, Israel, IL, 49992″ according to the reachcasino.com information but at “61 Street, NYC NY, US, 10024″ according to the goapplyonline.com information. It’s a pretty safe bet that this is therefore a false address.
Owner Thomas Reece lives at “249 W 89 Street, NYC, NY, US, 10024″ according to the crepesuzette.com listing; a nicely similar address to Jane Phill’s false NYC address (and now also Randy Bill’s).
online-deals-4u.info has a different owner, but look (!) the admin contact is (as in the other cases) a “contact##@support-24×7.biz” entry – AND the IP address resolves to the same machine.
The admin contact for every one of these domains is an email address at “team-support-24×7.net” which is owned by a “Monika Stanes” (MS2183-GANDI) the team-support-24×7.net domain is administrered by gandi.net.
Cheat-Elite.com has a different owner, but just happens to resolve to the same address as Jane Phill’s domains – and hey look, it’s administered by good old team-support-24×7.net.
Try actually visiting the administrators web site… www.support-24×7.biz, team-support-24×7.net, support-4u.net, top-support.net – spot the common thread? Yep – it’s gandi.net. the one exception here is “marketing-support.info which currently has no DNS entry, so a quick whois lookup on them and (ahem) bingo it’s spammers registrar of choice gandi.net, again.
The server IP address for freakycheats.com (Thomas Reece) is the same as for most of Jane Phill’s domains, so as of 2005-02-02 we can see a definite link between these false identities.
As of St Patrick’s Day 2005 our old friend Jane Phill has turned up again, and now she’s working for “Marketing Ltd” and has registered 15 new poker-related domains.

About the Servers

It’ s possible to find out a little more about the servers which are being redirected to (rather than just the whois information on the domain name)…

219.150.118.16	The most prevalent IP address which is associated with several “domain owners” is assigned by CHINATELECOM-ha.
216.171.143.122	This one appears to be US based.
161.58.59.8	This one’s a Verio Customer.
64.234.220.141	And this little piggy is hosted by WebStream in the USA.

The table of ne’er-do-well’s and their domains.

Website	Owner	Admin Contact	IP resolves to…	Date of check
1st-advantage-credit-repair.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
123-home-improvement-equity-loans.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
acceptcreditcardsrealtime.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
all-calmortgage.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
alumnicards.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
credit-cards-credit-cards-credit-cards.net	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-21
creditsharpie.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
exclaim4creditcardprocessingmerchantaccount.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
fast-cash-quick-money-easy-loan.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-21
goapplyonline.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
hasslerenterprises.net	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
home-equity-loans-mortgage-refinancing.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
internet-merchant-account-pro.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
lowest-interest-rate-credit-cards-online.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
lowinterestratecreditcards.net	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
mortgagemarketinginc.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	216.171.143.122	2005-01-20
mortgagequestaz.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
ps2cool.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-21
reachcasino.com	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
repaircreditonline.net	Jane Phill	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	219.150.118.16	2005-01-20
tecrep-inc.net	Jane Phill	Madisyn, Trevin (NIC-15252) contact4@support-24×7.biz	219.150.118.16	2005-01-25
chat-nett.com	Phill Davis	Madisyn, Trevin (NIC-15252) contact4@support-24×7.biz	219.150.118.16	2005-02-04
terashells.com	David Lee	Daisy, Meghan (NIC-14050) contact26@support-24×7.biz	219.150.118.16	2005-02-04
911easymoney.com	Thomas Reece	Brycen, London (NIC-17655) contact70@team-support-24×7.net	161.58.59.8	2005-01-20
condodream.com	Thomas Reece	Reece, Thomas (NIC-21871) contact100@team-support-24×7.net	64.234.220.141	2005-01-20
crepesuzette.com	Thomas Reece	Reece, Thomas (NIC-21871) contact100@team-support-24×7.net	161.58.59.8	2005-01-20
flafeber.com	Thomas Reece	Reece, Thomas (NIC-21871) contact100@team-support-24×7.net	64.234.220.141	2005-01-20
freakycheats.com	Thomas Reece	Reece, Thomas (NIC-21871) contact100@team-support-24×7.net	219.150.118.16	2005-02-02
mediavisor.com	Reece, Thomas	Reece, Thomas (NIC-21871) contact100@team-support-24×7.net	64.234.220.141	2005-01-20
royalmailhotel.com	Thomas Reece	Sandra, Drake (NIC-13522) contact76@support-24×7.biz	64.234.220.141	2005-01-20
spoodles.com	Thomas Reece	Reece, Thomas (NIC-21871) contact100@team-support-24×7.net	64.234.220.141	2005-01-20
sportsparent.com	Thomas Reece	Reece, Thomas (NIC-21871) contact100@team-support-24×7.net	161.58.59.8	2005-01-20
stmaryonline.org	Reece, Thomas	Reece, Thomas (moniker21871) contact100@team-support-24×7.net	64.234.220.141	2005-01-20
cheat-elite.com	Susan Hanes	Gloria, Elisabeth (NIC-17237) contact77@team-support-24×7.net	219.150.118.16	2005-01-20
online-deals-4u.info	Angie Ashanti	Angie Ashanti (C6716231-LRMS) contact11@support-24×7.biz	219.150.118.16	2005-01-20
rulo.biz	Philip Ivan	Philip Ivan (MONIKER15251) contact3@support-24×7.biz	219.150.118.16	2005-01-22
best-buy-site-4u.info	Rogelio Victor	Rogelio Victor (C6717792-LRMS) contact95@support-24×7.biz	219.150.118.16	2005-01-24
psxtreme.com	Randy Bill	Dalia, Rylee (NIC-15667) contact1@marketing-support.info	219.150.118.16	2005-02-02
yelucie.com	Robert	Graham, Harry (NIC-18451) contact62@support-4u.net	219.150.118.16	2005-02-06
crescentarian.net	Dan	Titus, Taryn (NIC-20220) contact49@top-support.net	219.150.118.16	2005-02-06
6q.org	Ernest Darius	Ernest Darius (moniker16004) contact66@marketing-support.info	219.150.118.16	2005-02-10
smsportali.net	Lee	Michaela, Adan (NIC-15253) contact5@support-24×7.biz	219.150.118.16	2005-02-10
future-2000.net	Jim Fox	Leonel, Morgan (NIC-21487) mail29@support-2000.net	219.150.118.16	2005-02-12
ronnieazza.com	Susan Lee	Evelin, Porter (NIC-14080) contact56@support-24×7.biz	219.150.118.16	2005-02-12
highprofitclub.com	Kareem Adrienne	Adrienne, Kareem (NIC-10459) karadr56@tech-corner.us	67.184.17.116	2005-03-06
doobu.com	Jaylene Nicolette	Nicolette, Jaylene (NIC-13114) contact11@support-24×7.biz	67.184.17.116	2005-03-06
poker-tables-best-deals.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
texas-holdem-poker-now.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
poker-online-anytime.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
pacific-poker-top-place.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
how-to-play-poker-quick.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
poker-hands-secrets.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
poker-games-top-ranked.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	09.59.165.114	2005-03-17
world-series-of-poker-1996.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
poker-rules-easy-4u.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
wsop-allabout.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
free-poker-great-value.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
free-texas-hold-em-best-deals.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
party-poker-leading-site.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
samiuls.com	Mark Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
world-poker-tour-1998.com	Marketing Ltd	Phill, Jane (NIC-8754) contact61@support-4u.net	209.59.165.114	2005-03-17
vpshs.com	Phill	Phill, Jane (NIC-8754) contact61@support-4u.net	219.150.118.16	2005-03-18
ca-america.com	Jane Ltd	Dario, Ashlee (NIC-16233) contact43@marketing-support.info	67.184.17.116	2005-03-19
vrajitor.com	James	Katy, Kyra (NIC-18205) contact5@support-4u.net	219.150.118.16	2005-03-21
ro7kalbe.com	Bill Ltd	Jaylon, Juan (NIC-16724) contact53@marketing-support.info	219.150.118.16	2005-03-21
bnetsol.com	Bob Ltd	Lilliana, Meredith (NIC-13722) contact78@support-24×7.biz		2005-03-21
registrarprice.com	Sam	Sarina, Emma (NIC-14805) contact84@support-24×7.biz		2005-03-21
buy-2005.com	Margo	Emilee, Lindsey (NIC-15936) contact81@marketing-support.info		2005-03-22
buy-2005-top.com	Bill owe	Jacob, Jarvis (NIC-17691) contact3@team-support-24×7.net		2005-03-24

9 Comments

Ann Elisabeth says:

23/01/2005 at 21:08

I believe I tracked down the spammer’s real identity. On my blog, today.

Appreciate the table with whois info. I’ve found that info tends to change after a while for some domains.

Reply
Paulo Querido says:

12/02/2005 at 01:53

I clean up my blog platform everyday. I have thousands of spam-comments and trackbacks. I did the same you did: some whois-work.
Laws just don’t work, I’d like to fight back spammers. I have some ideas, like trying some near-DoS on their websites.
Any clues about this and other ways of fighting them back?

Reply
Rich says:

18/03/2005 at 11:53

There are several possibilities, but mounting a DoS attack is not the solution.
- Itâ€™s ethically and morally wrong.
- Itâ€™s a waste of bandwith.
Iâ€™m keeping this log so that there is a record, somewhere, that can help provide a trail which will show the history and association of these spam messages when we do eventually get them into a court. If, on that day, the law is ineffective, then the law must be changed. I cannot, and will not condone vigilante justice.

Reply
Spamhuntress says:

18/03/2005 at 22:12

Well, I guess you should lobby for better spam laws in Bulgaria, because that’s where they are…

Meanwhile, I’m doing my best to make their tactics more expensive. Having a bit of luck, I hope, but still not enough. Getting them banned in Google, for starters. Educating bloggers and anyone else I can get hold of.

Asking admins to tell their friends to check their servers to make sure they’re not open proxies.

That sort of thing. Apart from getting Google to play ball, it’s still an uphill battle. It’s a numbers game. The more noise we make, the more the issue will be thought of as important.

Reply
Jon says:

11/04/2005 at 23:13

Any angle on the single related entity – Gandi.net ? Seeing that they manage to throw a spammer in jail the other day (I hope some of his fellow inmated have/had email addresses) – I wonder how long it’ll be before this sort of spamming is deemed worth a stint in the slammer.

Any judges with wordpress blogs =) ?

Reply
Jarad says:

27/05/2005 at 15:42

seems Jane Phill has a few more I didn’t see in the list…

razordude.net, juris-net.com, http://www.teriandersonandassoc.com and i’m sure a million others…

Reply
Chris says:

09/06/2005 at 19:03

You can add: play-e-poker.com, shivapage.com, e-poker-777.com,
sheratonnorthcharleston.com, texas-hold-em-world.com, e-online-poker-777.com, lisaandjamie.com, bentrecords.net, warrenzanes.com, pileband.com.

2 interestings thing is the pattern of traffic; They seem to run a spam campaign for either 1 or 2 site mixed, generally for 24 hours. More interesting though was that at least on our server (Sun1 Enterprise server) the log entries show a 200 success but – bytes transmitted every single time, which for this server means that the remote disconnected pretty early in the session. Has anyone else noticed this type of activity? If consistent with other servers, it should be fairly easy to use that type of activity to generate dynamic block lists for a router, firewall or webserver.

Reply
rich boakes says:

10/06/2005 at 09:26

Indeed – I’ve also seen some of these. Anyone interested in knowing what the latest spam domain I’m seeing are should refer to this automatically (regularly) generated text file which lists the latest referral spam domains: http://boakes.org/referral-spam-domains

Reply