The Final Straw

The spammer's front

The host home page(s)

At the time of the terrorist attacks the host home page (regardless of the domain used to access it) looked like this:

	Hire us to build/maintain your site and we will give you FREE hosting forever! Find out why over 1,000 businesses have decided to host with us.
		WE build you a custom 10 page site for only $199(1 form included) We maintain and make changes to your site for only $19/month. 50 MB space and unlimited bandwidth for your first 12 months. Your own domain name only $10 per year or a FREE virtual name. Add other freatures to your sites like streaming media and auctions. 5 POP3 accounts are included with every site (get 10 $5/month) For more info and to get started today, send for MORE INFO to: New Customers Support for existing customers: Support Send your comments to the President of Free Web Host Central Report abuse The "FREE Web Host Central" website is being redesigned and will be back up soon. If you need to make payment then send to billing and request the payment link. We currently accept Visa, MC, and PayPal Our new site will feature free content and tools for your websites! We will be poviding content for you to incorporate into your sites so that you may have your own "portal". This content will consist of news, stock quotes, horoscopes, games, and many more powerful tools that will keep your customers comming back for more!

The new "Free Web Hosting Central" website will feature several free resource departments which will aid in promoting your online business. We want your input to make our services more valuable for your business. Suggestions

The links on the page were to various techie.com email addresses. Techie.com is a free-email service owned by mail.com. Before the time of the WTC attacks, those email addresses has already been suspended as being linked to spamming by the people who run the techie.com mail server.
I suspect that those addresses were bogus from the start anyway. If they were important for the operation of 'the business', they wouldn't have used a free-email service. They would know that adresses would be nuked very soon after the spam runs for the site began. They even had the cheek to list an abuse contact. There's a story behind that one (it used to be abuse@techie.com), but that's not particularly relevant here.

The apparent 'Free Hosting' business is just a front for a specialist spamming operation. The front allows the spammers a measure of plausible deniability if the heat built up too much on one of the sub-spams. If pressed by some entity that they would have to respond to (like an ISP or a registry), they could claim that they had been taken advantage of by a client.

They have recently added a layer of plausibility by amending the contact email addresses to their own domain. They have now hidden the fact that for many weeks, the contact addresses were bogus.

Plausible deniability?

Given :

the history presented here
the multiplicity of domain names with different declared (forged) registrants
the fact that the 'viacream' spammer directory was left on the server even after things got hot and the Red Cross fraud page was deleted from that directory
the fact that their stated business model is one of them offering free hosting in return for payments for building and maintenance of the pages

- their involvement in premeditated, systematic fraud is not particularly deniable.

Obfuscation

At various stages, they attempted to divert attention by petending that the host had been taken down by an ISP. For example on September 18th , http://www.e-webhostcentral.com showed a page that simply displayed "This site was disabled!" - a really lame attempt to avoid complaints by convincing the unwary that action has been taken! Everything beneath it, which would be the pages that are being spamvertised, was still operating.

Unfortunately, as will be seen from my exchanges with DirectNIC, this sort of lame trick can work if the the brief of the person looking at it is to drop the matter as soon as excuse to do so can be found.