Final Straw

The Spam

Who are the spammers?

Their Host

Their Domains

Host-related spams

Why am I doing this?

What can YOU do?


The Final Straw


October 11th

I noticed from my server log files that people are revisiting this site to check for updates. There's not a lot to add at the moment that would be central to the aim of this site. The scam itself and the web server that hosted it are history. Pressure by concerned technologists, rather than any action by law enforcement, has brought about an effective shutdown of that particular server, although the central organiser and the various spammers are operating elsewhere now.

The machine hosting is now infected with the Nimda virus/worm. I wouldn't advise anybody to explore it. It's basically owned by the universe now, so it could be used for any sort of exploit. Better to leave it alone until its physical owner pulls the plug.

I had kept one last link in the moneytrail in reserve. That was the fact the spammer who ran the donation fraud used (MerchantID=19376) for his normal Viacream operation. (He used merchant ID 20144 at the same service for the donation fraud.)

Apart from that the only possibly interesting thing to add would be a record of my communications with the domain registries involved. Basically, despite being told that some domains that were registered through them were involved in a particularly repulsive fraud, and that the registration details were suspect (most of which would violate their stated Terms Of Service) - they simply were not interested in doing anything. No money in it for them, just potential hassle.

Some of the other spammers who were using the host server can be seen spamming away in other places. A mixture of commercial greed (not talking about the spammers here!) and weak flabby politicians will ensure that there will be no end to the stream of spam and fraud that clogs up our mailboxes.


September 26th

The nameservers and appear to be having trouble. They no longer resolve the domain names that they used to serve.


September 25th (d)

Details on being assembled at the Spamhaus project's ROKSO (Register Of Known Spam Operations) -

Meanwhile, at their nameservers : is serving up a copy of the spam site, with spam subdirectories in place is serving up a site for is at IP , which is also what resolves to. So I've added a domain page for

The email account of the registered domain owner ( had been disabled by

September 25th (c)

Added information on additional domain names that were served by the spammers' own nameserver - Other Domains page


September 25th (b)

Added links to NANAE abuse Sightings per domain in the Spams page


September 25th (a)

China Netcom seems to be blocking packets to the current IPs of the host.

The nameservers are still up and running: Shanghai, China Cable OnLine Network PUDONG1 POP. (China) shandong qingdao furuitai chenxi business company

The spammers will find a new IP for the host and point their nameservers at it. Back in business!
If the nameserver IPs get nuked, then they just find new IPs for those and point their domain registrations at the new servers. - And so on and on.

The spams are still rolling in.


September 24th

A new domain has been registered and used in a spam run:-

It points to the same current host as do the other domains for the scam-nest.


September 24th

A block of IPs controlled by China Netcom and used by the spam nest was blackholed by MAPS following failure of the Chinese to deal with the abuse. A systems administrator threatened to propose all of China Netcom space for blacklisting. In response, China Netcom said that they had dealt with the problem.
So our spammers just moved to a different block of China Netcom space.

- are all alive and well at
- route to encounters problems at the second hop within China Netcom Corp

Blacklisting all of China Netcom would be a great idea. They just won't take effective action. We'd have to get the spammers hosting Falun Gong for that to happen.

Blacklisting domains (quickly) would also be a great idea.


September 23rd

Restructured the site to make the multiplicity of domain names clearer.
Information on registry complaints and on new domains to follow.


September 20th

A new domain name is being referenced in spams :-
This is at (OK, you're way ahead of me) , which is the same host as
All the scams as for the other domains exist (well, it is the same set of pages and server).

Whois info for,

ggii, 23455 So Main, Alpharetta, GA 30004, US

Administrative, Technical and Billing Contact:
Johnson, Albert
23455 So Main, Alpharetta, GA 30004, US 770-664-7958

Domain servers in listed order:

Record last updated on 13-Sep-2001.
Record expires on 22-Apr-2002.
Record Created on 22-Apr-2001.

If the contact details are not bogus, then the contact is up to his ears in fraud and should be visited by local law enforcement.
If the details are bogus, then the domain should be suspended.

The domain is being used in breach of DirectNIC policies. Complaint sent to DirectNIC on September 20th.

The 'ggii' and 'Alpharetta' combination is interesting. Try a Google search on that and you should get a few pages listing websites that push the Bible-CD and records of mailing lists and message boards in which the same Bible-CD is being spamvertised.

The Bible-CD is one of the scams running on the nest of domains that hosted the WTC Red Cross fraud. It's not entirely clear as yet if the entire collection of scams on the host is being run by a single individual or by a group. But we have the situation of a domain name belonging to one of the hosted scams being pointed at the physical host in China. Looking at the history, we have a series of domain names being released gradually into spam runs. As each domain name comes under pressure of complaints, the new ones take over. This might imply that if the law can pin one of the scams on an individual, then they either have or are very close to the person who ran the Red Cross fraud.
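
An added example, not part of the original site: the rotation described above, where new domains and re-pointed nameservers keep leading back to the same host, can be tracked by linking domains through any IP or nameserver they were ever seen on. The observations are constructed and use reserved documentation names and addresses; the function names are hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed observations (date, domain, A-record IP, nameserver); all names
# and addresses are reserved documentation values, not data from this page.
OBSERVATIONS = [
    (date(2001, 9, 14), "scam-one.example",   "192.0.2.10",   "ns1.nest.example"),
    (date(2001, 9, 18), "scam-two.example",   "192.0.2.10",   "ns1.nest.example"),
    (date(2001, 9, 20), "scam-three.example", "192.0.2.10",   "ns2.nest.example"),
    (date(2001, 9, 24), "scam-one.example",   "198.51.100.7", "ns1.nest.example"),
    (date(2001, 9, 24), "scam-four.example",  "198.51.100.7", "ns3.other.example"),
    (date(2001, 9, 24), "unrelated.example",  "203.0.113.5",  "ns.isp.example"),
]

def cluster_domains(observations):
    """Group domains that ever shared a host IP or a nameserver (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for _, domain, ip, ns in observations:
        # Link the domain to both pieces of infrastructure it was seen on.
        for infra in (("ip", ip), ("ns", ns)):
            parent[find(("dom", domain))] = find(infra)

    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "dom":
            groups[find(node)].add(node[1])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

def rotation_timeline(observations, cluster):
    """First-seen date of each domain in a cluster, oldest first."""
    first = {}
    for day, domain, _, _ in sorted(observations):
        if domain in cluster:
            first.setdefault(domain, day)
    return sorted(first.items(), key=lambda kv: kv[1])
```

A domain that moves to a new IP block stays in its cluster because the earlier observation is kept, so a blocklist built from the cluster survives the kind of move described in the September 24th entry.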


September 20th

The search engines begin to pick up pages whose owners were duped by the Red Cross fraud in the emotive atmosphere following the terrorist attacks. With the best intentions, they added links to the (scam) page from their own pages.


September 18th

The host-related spams continue. New spams are switching to the domain.

This is at , in the control of China Netcom Corp.

The home page is a page that simply displays "This site was disabled!" - a really lame attempt to avoid complaints! Everything beneath it, which would be the pages that are being spamvertised, is still operating.

The subdirectory structure is the same as for and (of course - it's the same operation)
The /viacream directory (which held the fraud in question) is still there, although the /viacream/SurvivorFund.html page is gone.

Whois info for,

Registrant: Free Web Hosting Central, 800 5th Ave, Seattle, WA 98104, US
Administrative Contact: Voo, Tom, 800 5th Ave, Seattle, WA 98104, US, +1.2063299845
Technical Contact: Domain, Direct, 96 Mowat Avenue, Toronto, ON M6K 3M1, CA +1.4165350123
Billing Contact: Voo, Tom, 800 5th Ave, Seattle, WA 98104, US, +1.2063299845

Record last updated on 17-Sep-2001. Record expires on 05-Sep-2002. Record Created on 05-Sep-2001.

Domain servers in listed order:

The domain registration violates the Tucows (Domain Direct) conditions on use of the domain and on accuracy of registrant details.

Status of

Access (to was being blocked for a while within China Netcom Corp. Currently it is pingable but the web server is not responding on port 80

Status of
Access ( to still blocked within China Netcom Corp


