Let’s continue the unsubscribe experiment by identifying and tracking another spam entity.

This time we have unsubscribed from entities who localize their addresses in Utah.

First Unsubscription was from a Spammer who sent us more degree spam: this one is advertising Medical Transcriptions Degree

Received: from [74.55.10.100] (helo=mx1.pansound.com)
by -redacted- with smtp (Exim 4.69)
(envelope-from <adkg@pansound.com>)
id  -redacted-
for  -redacted-; Thu, 18 Jun 2009 -redacted-
Received: from mx4.pansound.com ([74.55.10.98])
by mx1.pansound.com (8.13.8/8.13.8) with STMP id vnjgcpre;
for < -redacted->; Thu, 18 Jun 2009  -redacted-
Content-Language: en-us
Message-Id: < -redacted-@mx1.pansound.com>

The spam is the typical affiliate showshoe spam that looks like this

Spam from 223 W Bulldog Blvd #551 Provo, UT 84604

The intermediary domain redirected to the textag.com site with this landing link

forms.nextag.com/goto.jsp?url=/serv/main/buyer/education.jsp?doSearch=n&tm=y&search=education_text_links_95_h8a5d&S=23471&p=5548&node4

We are going to assume that S=23471 in that link is the affiliate ID

Another spam mail promoting the same Medical transcription degree

also redirected to NexTag and had a little different affiliate ID s=23393

forms.nextag.com/goto.jsp?url=/serv/main/buyer/education.jsp?doSearch=n&tm=y&search=education_text_links_95_h8a57&s=23393&p=5548&node4

The Spam looked like this

Medical Transcription Training SPAM

Unsubcscribe Image Link

and this Spam was received as

Received: from [216.1.192.99] (helo=mx27.greatwesterninc.com)
by-redacted- with smtp (Exim 4.69)
(envelope-from <kaylarokmh@greatwesterninc.com>)
id -redacted-
for-redacted- ; Thu, 18 Jun 2009 -redacted-
Received: from mx7.greatwesterninc.com ([216.1.192.79])
by mx27.greatwesterninc.com (8.13.8/8.13.8) with STMP id -redacted- ;
for <-redacted- >; Thu, 18 Jun 2009 -redacted-
From: MedicalTranscriptionist <kaylarokmh@greatwesterninc.com>

Subject: {Definitely Spam?} Train for your medical transcription degree online.

As expected the domain name  greatwesterninc.com has Canadian entiry owner admin info

Registration Service Provided By: SANDECS
Contact: +800.2952614

Domain Name: GREATWESTERNINC.COM

Registrant:
N/A
Steve Smith
9 Jenkins Lane
Ajax
Ontario,L1S 3N7
CA
Tel. +011.9056868831

Creation Date: 25-Jun-2008
Expiration Date: 25-Jun-2009

Domain servers in listed order:
ns1.greatwesterninc.com
ns0.greatwesterninc.com

Administrative Contact:
N/A
Steve Smith
9 Jenkins Lane
Ajax
Ontario,L1S 3N7
CA
Tel. +011.9056868831

and the IP address this SPAM originated and host on 216.1.192.79 has a typical SPAM Reputation profile at SenderBase.

So we went to the unsubscribe link given at the domain pansound.com and unsubscribed the email address (the email address never subscribed or bought anything on line, it is a service email address given on one of our websites so it was obviously harvested by a bot) Here is the unsubscribe screen and the confirmation of the unsubscribe.

Unsubscribe from Spam Screen

Unsubscribed confirmation screen

Some additional lookups on the identity of the spammer:

The address given by this spammer appears to be UPS Store drop box according to a consumer who had a fraudulent credit card charge originating from a drop box by entity called loseweightsystems.com at that location and another unhappy consumer who was ripped off by Vinitti Cash Flow System claiming drop box that location.

The domain used for the spam landing page and unsubscribe page has fake contact information, for example the ZIP code given by the “Owner/Admin” J0T 1T0 is in Quebec, not in Manitoba.

Registration Service Provided By: RIDGECREST CONSULTING
Contact: +1.8014434741

Domain Name: PANSOUND.COM

Registrant:
N/A
Jim Kanner        ()
2155 94A St
Waterville
Manitoba,J0T 1T0
CA
Tel. +1.2508887398

Creation Date: 10-Jun-2009
Expiration Date: 10-Jun-2010

Domain servers in listed order:
ns1.pansound.com
ns0.pansound.com

Administrative Contact:
N/A
Jim Kanner
2155 94A St
Waterville
Manitoba,J0T 1T0
CA
Tel. +1.2508887398

The IP address 74.55.10.98 has a POOR repulation in Senderbase.

 

This address also looks up to Red Mountain Media, which is one of the identities this hard core spammer assumes

http://www.redmtnmedia.com/contact.html

Contact Us (the spammer contact info)

Address: Red Mountain Media, 223 W Bulldog Blvd #551, Provo, UT 84604
Support: support@redmtnmedia.com
Sales: sales@redmtnmedia.com

Will a spammer who hides under fake identities, thousands of IP’s and domains, UPS drop boxes in shady neighbourhoods honor the unsubscribe request?  We shall report the results right here.

====================

UPDATE 6-25-2009

====================

Unsubscribing from Provo, UT Spammer has not worked thus far.   Spam continues to arrive to the email address that unsubscribed from this Spam,  see the lastest spam sample here.

====================

UPDATE 7-11-2009

====================

Spam from “Provo Utah” Spammer continues to hammer the email address that never subscribed and was unsubscribed from this hard core spam operation weeks ago. The unsubscribed email address continues to receive education – degree related spam – see sample here, as well as the never ending barage of other related spam this Provo, Utah Snowshoe spammer hurls at American consumers by millions.

Thus far, based on all of our unsubscribe efforts, 0% of unsubscribe was successful.  The email address continues to receive spam and the amount of spam has increased.