The Final Straw
I noticed from my server log files that people are revisiting this site to check for updates. There's not a lot to add at the moment that would be central to the aim of this site. The scam itself and the web server that hosted it are history. Pressure by concerned technologists, rather than any action by law enforcement, has brought about an effective shutdown of that particular server, although the central organiser and the various spammers are operating elsewhere now.
The machine hosting ns1.freewebhostingcentral.com is now infected with the Nimda virus/worm. I wouldn't advise anybody to explore it. It's basically owned by the universe now, so it could be used for any sort of exploit. Better to leave it alone until its physical owner pulls the plug.
I had kept one last link in the money trail in reserve. That was the fact that the spammer who ran the donation fraud used 1shoppingcart.com (MerchantID=19376) for his normal Viacream operation. (He used merchant ID 20144 at the same service for the donation fraud.)
Apart from that the only possibly interesting thing to add would be a record of my communications with the domain registries involved. Basically, despite being told that some domains that were registered through them were involved in a particularly repulsive fraud, and that the registration details were suspect (most of which would violate their stated Terms Of Service) - they simply were not interested in doing anything. No money in it for them, just potential hassle.
Some of the other spammers who were using the host server can be seen spamming away in other places. A mixture of commercial greed (not talking about the spammers here!) and weak flabby politicians will ensure that there will be no end to the stream of spam and fraud that clogs up our mailboxes.
The nameservers ns1.freewebhostingcentral.com and ns2.freewebhostingcentral.com appear to be having trouble. They no longer resolve the domain names that they used to serve.
September 25th (d)
Details on freewebhostingcentral.com being assembled at the Spamhaus project's ROKSO (Register Of Known Spam Operations) - http://www.spamhaus.org/rokso/search.lasso?evidencefile=1667
Meanwhile, at their nameservers:
The email account of the registered domain owner (email@example.com) had been disabled by Postmaster@public.qd.sd.cn
September 25th (c)
Added information on additional domain names that were served by the spammers' own nameserver, ns1.freewebhostingcentral.com (Other Domains page)
September 25th (b)
Added links to NANAE abuse Sightings per domain in the Spams page
September 25th (a)
China Netcom seems to be blocking packets to the current IPs of the host.
The nameservers are still up and running:
The spammers will find a new IP for the host and point their nameservers at it. Back in business!
The spams are still rolling in.
A new domain has been registered and used in a spam run:-
It points to the same current host as do the other domains for the scam-nest.
A block of IPs controlled by China Netcom and used by the spam nest was blackholed by MAPS following failure of the Chinese to deal with the abuse. A systems administrator threatened to propose all of China Netcom space for blacklisting. In response, China Netcom said that they had dealt with the problem.
Blacklisting all of China Netcom would be a great idea. They just won't take effective action. We'd have to get the spammers hosting Falun Gong for that to happen.
Blacklisting domains (quickly) would also be a great idea.
Restructured the site to make the multiplicity of domain names clearer.
A new domain name is being referenced in spams :- http://www.online-ggii1994.com
Whois info for online-ggii1994.com:
ggii, 23455 So Main, Alpharetta, GA 30004, US
Administrative, Technical and Billing Contact:
Domain servers in listed order:
Record last updated on 13-Sep-2001.
If the contact details are not bogus, then the contact is up to his ears in fraud and should be visited by local law enforcement.
The domain is being used in breach of DirectNIC policies. Complaint sent to DirectNIC on September 20th.
The 'ggii' and 'Alpharetta' combination is interesting. Try a Google search on that http://www.google.com/search?hl=en&q=ggii+Alpharetta&btnG=Google+Search and you should get a few pages listing websites that push the Bible-CD and records of mailing lists and message boards in which the same Bible-CD is being spamvertised.
The Bible-CD is one of the scams running on the nest of domains that hosted the WTC Red Cross fraud. It's not entirely clear as yet if the entire collection of scams on the host is being run by a single individual or by a group. But we have the situation of a domain name belonging to one of the hosted scams being pointed at the physical host in China. Looking at the history, we have a series of domain names being released gradually into spam runs. As each domain name comes under pressure of complaints, the new ones take over. This might imply that if the law can pin one of the scams on an individual, then they either have or are very close to the person who ran the Red Cross fraud.
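The reasoning above (several spamvertised names resolving to one host, released one after another) can be checked mechanically once sightings are recorded. The following is an added example, not part of the original investigation: the domains, IPs, nameservers and dates are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed sightings: (date seen in spam, domain, resolved host IP, nameserver).
# .example names and documentation-range IPs only; none come from the page.
SIGHTINGS = [
    (date(2001, 9, 5), "hostnest-one.example", "192.0.2.10", "ns1.hostnest-one.example"),
    (date(2001, 9, 12), "hostnest-two.example", "192.0.2.10", "ns1.hostnest-one.example"),
    (date(2001, 9, 14), "cd-offer.example", "192.0.2.10", "ns1.hostnest-one.example"),
    # Host IP changes after a block, but the nameserver still ties it to the nest.
    (date(2001, 9, 18), "hostnest-two.example", "192.0.2.77", "ns1.hostnest-one.example"),
    (date(2001, 9, 15), "unrelated-shop.example", "198.51.100.4", "ns.other.example"),
]

def cluster_by_infrastructure(sightings):
    """Group domains that share a host IP or a nameserver (union-find)."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        parent[find(a)] = find(b)

    for _, domain, ip, ns in sightings:
        union(("domain", domain), ("ip", ip))
        union(("domain", domain), ("ns", ns))

    clusters = defaultdict(set)
    for _, domain, _, _ in sightings:
        clusters[find(("domain", domain))].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)

def rotation_timeline(sightings, cluster):
    """First sighting of each domain in a cluster, oldest first."""
    first_seen = {}
    for day, domain, _, _ in sightings:
        if domain in cluster and (domain not in first_seen or day < first_seen[domain]):
            first_seen[domain] = day
    return sorted(first_seen.items(), key=lambda item: item[1])

if __name__ == "__main__":
    nest = cluster_by_infrastructure(SIGHTINGS)[0]
    for domain, day in rotation_timeline(SIGHTINGS, nest):
        print(day.isoformat(), domain)
```

Linking on the nameserver as well as the host IP keeps the cluster intact when the operator moves the web server to a new address.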
The search engines begin to pick up pages whose owners were duped by the Red Cross fraud in the emotive atmosphere following the terrorist attacks. With the best intentions, they added links to the (scam) page from their own pages.
The host-related spams continue. New spams are switching to the e-webhostcentral.com domain. This is at 188.8.131.52, in the control of China Netcom Corp.
The home page http://www.e-webhostcentral.com is a page that simply displays "This site was disabled!" - a really lame attempt to avoid complaints! Everything beneath it, which would be the pages that are being spamvertised, is still operating.
The subdirectory structure is the same as for freewebhost.net and freewebhostingcentral.com (of course - it's the same operation)
Whois info for e-webhostcentral.com:
Registrant: Free Web Hosting Central, 800 5th Ave, Seattle, WA 98104, US
Record last updated on 17-Sep-2001. Record expires on 05-Sep-2002. Record Created on 05-Sep-2001.
Domain servers in listed order:
The domain registration violates the Tucows (Domain Direct) conditions on use of the domain and on accuracy of registrant details.
Status of freewebco.net
Access (to 184.108.40.206) was being blocked for a while within China Netcom Corp. Currently it is pingable, but the web server is not responding on port 80.
Status of freewebhostingcentral.com