The Final Straw

Updates

October 11th

I noticed from my server log files that people are revisiting this site to check for updates. There's not a lot to add at the moment that would be central to the aim of this site. The scam itself and the web server that hosted it are history. Pressure by concerned technologists, rather than any action by law enforcement, has brought about an effective shutdown of that particular server, although the central organiser and the various spammers are operating elsewhere now.

The machine hosting ns1.freewebhostingcentral.com is now infected with the Nimda virus/worm. I wouldn't advise anybody to explore it. It's basically owned by the universe now, so it could be used for any sort of exploit. Better to leave it alone until its physical owner pulls the plug.

I had kept one last link in the money trail in reserve. That was the fact that the spammer who ran the donation fraud used 1shoppingcart.com (MerchantID=19376) for his normal Viacream operation. (He used merchant ID 20144 at the same service for the donation fraud.)

Apart from that the only possibly interesting thing to add would be a record of my communications with the domain registries involved. Basically, despite being told that some domains that were registered through them were involved in a particularly repulsive fraud, and that the registration details were suspect (most of which would violate their stated Terms Of Service) - they simply were not interested in doing anything. No money in it for them, just potential hassle.

Some of the other spammers who were using the host server can be seen spamming away in other places. A mixture of commercial greed (not talking about the spammers here!) and weak flabby politicians will ensure that there will be no end to the stream of spam and fraud that clogs up our mailboxes.

 


September 26th

The nameservers ns1.freewebhostingcentral.com and ns2.freewebhostingcentral.com appear to be having trouble. They no longer resolve the domain names that they used to serve.

 


September 25th (d)

Details on freewebhostingcentral.com are being assembled at the Spamhaus project's ROKSO (Register Of Known Spam Operations) - http://www.spamhaus.org/rokso/search.lasso?evidencefile=1667


Meanwhile, at their nameservers:
ns1.freewebhostingcentral.com is serving up a copy of the spam site, with spam subdirectories in place
ns2.freewebhostingcentral.com is serving up a site for 21qingdao.com

ns2.freewebhostingcentral.com is at IP 202.110.195.84, which is also what 21qingdao.com resolves to. So I've added a domain page for 21qingdao.com.

The email account of the registered domain owner (fushanhome@public.qd.sd.cn) had been disabled by Postmaster@public.qd.sd.cn


September 25th (c)

Added information on additional domain names that were served by the spammers' own nameserver, ns1.freewebhostingcentral.com (Other Domains page).

 


September 25th (b)

Added links to NANAE abuse Sightings per domain in the Spams page

 


September 25th (a)

China Netcom seems to be blocking packets to the current IPs of the host.

The nameservers are still up and running:
211.167.114.130 ns1.freewebhostingcentral.com Shanghai, China Cable OnLine Network PUDONG1 POP.
202.110.195.84 ns2.freewebhostingcentral.com (China) shandong qingdao furuitai chenxi business company

The spammers will find a new IP for the host and point their nameservers at it. Back in business!
If the nameserver IPs get nuked, then they just find new IPs for those and point their domain registrations at the new servers. And so on and on.

The spams are still rolling in.

 


September 24th

A new domain has been registered and used in a spam run:-
freehostcentral.net

It points to the same current host as do the other domains for the scam-nest.

 


September 24th

A block of IPs controlled by China Netcom and used by the spam nest was blackholed by MAPS following failure of the Chinese to deal with the abuse. A systems administrator threatened to propose all of China Netcom space for blacklisting. In response, China Netcom said that they had dealt with the problem.
So our spammers just moved to a different block of China Netcom space.

Currently:
freewebhostingcentral.com
e-webhostcentral.com
online-ggii1994.com
- are all alive and well at 210.83.165.227

freewebco.net
- route to 210.83.166.112 encounters problems at the second hop within China Netcom Corp

Blacklisting all of China Netcom would be a great idea. They just won't take effective action. We'd have to get the spammers hosting Falun Gong for that to happen.

Blacklisting domains (quickly) would also be a great idea.


 

September 23rd

Restructured the site to make the multiplicity of domain names clearer.
Information on registry complaints and on new domains to follow.

 


September 20th

A new domain name is being referenced in spams: http://www.online-ggii1994.com
This is at (OK, you're way ahead of me) 210.83.165.20, which is the same host as www.e-webhostcentral.com
All the scams found on the other domains exist here too (well, it is the same set of pages and server).

Whois info for online-ggii1994.com:

ggii, 23455 So Main, Alpharetta, GA 30004, US

Administrative, Technical and Billing Contact:
Johnson, Albert ajohnson@youngagain.org
23455 So Main, Alpharetta, GA 30004, US 770-664-7958

Domain servers in listed order:
NS1.FREEWEBHOSTINGCENTRAL.COM 211.167.114.130
NS2.FREEWEBHOSTINGCENTRAL.COM 202.110.195.84

Record last updated on 13-Sep-2001.
Record expires on 22-Apr-2002.
Record Created on 22-Apr-2001.

If the contact details are not bogus, then the contact is up to his ears in fraud and should be visited by local law enforcement.
If the details are bogus, then the domain should be suspended.

The domain is being used in breach of DirectNIC policies. Complaint sent to DirectNIC on September 20th.

The 'ggii' and 'Alpharetta' combination is interesting. Try a Google search on that http://www.google.com/search?hl=en&q=ggii+Alpharetta&btnG=Google+Search and you should get a few pages listing websites that push the Bible-CD and records of mailing lists and message boards in which the same Bible-CD is being spamvertised.

The Bible-CD is one of the scams running on the nest of domains that hosted the WTC Red Cross fraud. It's not entirely clear as yet if the entire collection of scams on the host is being run by a single individual or by a group. But we have the situation of a domain name belonging to one of the hosted scams being pointed at the physical host in China. Looking at the history, we have a series of domain names being released gradually into spam runs. As each domain name comes under pressure of complaints, the new ones take over. This might imply that if the law can pin one of the scams on an individual, then they either have or are very close to the person who ran the Red Cross fraud.
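
The rotation described in these entries (new domain names and new host IPs, but the same two nameservers) can be made concrete. The following is an added example, not part of the original site: it parses the "Domain servers in listed order" block from the whois excerpts quoted on this page and compares an IP blocklist with a pivot on the shared nameservers. The `unrelated.example` record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Whois excerpts in the layout quoted on this page, trimmed to the fields used.
WHOIS = {
    "online-ggii1994.com": """Domain servers in listed order:
NS1.FREEWEBHOSTINGCENTRAL.COM 211.167.114.130
NS2.FREEWEBHOSTINGCENTRAL.COM 202.110.195.84

Record last updated on 13-Sep-2001.""",
    "e-webhostcentral.com": """Domain servers in listed order:
NS1.FREEWEBHOSTINGCENTRAL.COM 211.167.114.130
NS2.FREEWEBHOSTINGCENTRAL.COM 202.110.195.84""",
    # Constructed control record, not from the page.
    "unrelated.example": """Domain servers in listed order:
NS1.EXAMPLE.NET 192.0.2.53""",
}
# Web-host IPs as reported in the September 20th and 24th entries.
BOTH = ("online-ggii1994.com", "e-webhostcentral.com")
HOST_IP = {"2001-09-20": dict.fromkeys(BOTH, "210.83.165.20"),
           "2001-09-24": dict.fromkeys(BOTH, "210.83.165.227")}
NS_LINE = re.compile(r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def nameservers(whois_text):
    """Return (name, ip) pairs listed under 'Domain servers in listed order:'."""
    found, in_block = [], False
    for line in whois_text.splitlines():
        if line.strip().lower().startswith("domain servers in listed order"):
            in_block = True
        elif in_block:
            m = NS_LINE.match(line)
            if not m:
                break  # a blank line or the next field ends the block
            found.append((m.group(1).lower(), m.group(2)))
    return found

def cluster_by_nameserver(records):
    """Group domains by the set of nameserver names they delegate to."""
    clusters = defaultdict(set)
    for domain, text in records.items():
        clusters[frozenset(n for n, _ in nameservers(text))].add(domain)
    return dict(clusters)

def flagged(date, blocked_ips, bad_ns):
    """Domains caught on `date` by an IP blocklist vs. by a nameserver pivot."""
    by_ip = {d for d in WHOIS if HOST_IP[date].get(d) in blocked_ips}
    by_ns = {d for d in WHOIS if bad_ns & {n for n, _ in nameservers(WHOIS[d])}}
    return by_ip, by_ns
```

With the September 20th address blocked, `flagged("2001-09-24", {"210.83.165.20"}, {"ns1.freewebhostingcentral.com"})` returns no IP matches but still returns both scam domains through the nameserver pivot.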


 

September 20th

The search engines begin to pick up pages whose owners were duped by the Red Cross fraud in the emotive atmosphere following the terrorist attacks. With the best intentions, they added links to the (scam) page from their own pages.


 

September 18th

The host-related spams continue. New spams are switching to the e-webhostcentral.com domain.

This is at 210.83.165.20, in the control of China Netcom Corp.

The home page http://www.e-webhostcentral.com is a page that simply displays "This site was disabled!" - a really lame attempt to avoid complaints! Everything beneath it, which would be the pages that are being spamvertised, is still operating.

The subdirectory structure is the same as for freewebhost.net and freewebhostingcentral.com (of course - it's the same operation).
The /viacream directory (which held the fraud in question) is still there, although the /viacream/SurvivorFund.html page is gone.

Whois info for e-webhostcentral.com:

Registrant: Free Web Hosting Central, 800 5th Ave, Seattle, WA 98104, US
Administrative Contact: Voo, Tom tomvoo5000@yahoo.com, 800 5th Ave, Seattle, WA 98104, US, +1.2063299845
Technical Contact: Domain, Direct dnstech@domaindirect.com, 96 Mowat Avenue, Toronto, ON M6K 3M1, CA +1.4165350123
Billing Contact: Voo, Tom tomvoo5000@yahoo.com, 800 5th Ave, Seattle, WA 98104, US, +1.2063299845

Record last updated on 17-Sep-2001. Record expires on 05-Sep-2002. Record Created on 05-Sep-2001.

Domain servers in listed order:
NS1.FREEWEBHOSTINGCENTRAL.COM 211.167.114.130
NS2.FREEWEBHOSTINGCENTRAL.COM 202.110.195.84

The domain registration violates the Tucows (Domain Direct) conditions on use of the domain and on accuracy of registrant details.

Status of freewebco.net

Access (to 210.83.165.22) was being blocked for a while within China Netcom Corp. Currently it is pingable but the web server is not responding on port 80.

Status of freewebhostingcentral.com
Access (to 210.83.163.165) still blocked within China Netcom Corp.

 

 

