The Final Straw
Who are the spammers?
The email itself does not tell us much, but it does bring us to a website host where the money trail begins.
It would be highly unusual for From's and Reply-to's to be genuine. I've even seen spam runs that have used one of my addresses as sender.
The same applies to any 'Remove' addresses or links.
It seems to have originated at PPPa55-ResaleOmaha1-1R7240.dialinx.net [126.96.36.199]. A complaint to that ISP will join a large queue, and eventually the account involved may get suspended. In the meantime the spammer can use the account to spew. The spammer will very likely be untraceable. It's not uncommon for them to use stolen credit card numbers to open accounts.
The spammer only needs the account for a short time.
Email accounts are part of a war of attrition. Abuse departments of large ISP's are so overloaded with complaints than nothing ever gets done in time to have any effect.
For instance - A while back, I became suspicious that Yahoo were responding 'too quickly' to abuse complaints. I sent "have a nice day" to firstname.lastname@example.org, and sure enough, after a while an email came back to say that they had suspended 'the account' having investigated my complaint and other complaints about the same 'account'. They don't do that anymore. Your complaints just go into a huge hole and might get attention sometime.
The Belgian portal site would only be culpable in that it is set up to allow anyone from the outside to relay bulk mail through it. ('only' - duh!)
The website host
The host domain used in the spam was freewebco.net, which is set up to look like a free hosting service but is actually a fairly well-known front for a professional spamming operation. See the 'Their Host' link for information on their front page.
freewebco.net is but one of many domain names that point to the same host.
There will be no help from the host, as the host is part and parcel of the fraud.
However, there will be a money trail left by the host having to pay domain registries for the numerous domain names pointing to the host.
The money trail
The only hope of tracing them is to try follow the money. In this case the money trails lead from:
- The spamvertised web page linked to a payment service at 1shoppingcart.com (MerchantID=20144). That Merchant ID would appear to have been blocked by them, but there would have been a money trail from them to the fraudsters that law enforcement could follow.
- The URL of the spamvertised page was http://www.freewebco.net/viacream/SurvivorFund.html
This means that that the fraud was being run directly by whoever ran the /viacream directory. The normal spamvertised page within that directory also linked to the payment service at 1shoppingcart.com, but in this case the MerchantID was 19376.
- The domain registries used to register the domain names
- Trails from a selection of other spams related to the host