Unsubscribe Experiment Part II

In our first Unsubscribe from SPAM Experiment we were unable to stop the SPAM flood of Degree Spam originated by Eclipse Media / Degree Spam from Education Dynamics Spammer.

Let’s continue the unsubscribe experiment by identifying and tracking another spam entity.

This time we have unsubscribed from entities that give their postal addresses as being in Utah.

The first unsubscription was from a spammer who sent us more degree spam; this one is advertising a Medical Transcription degree.

Received: from [74.55.10.100] (helo=mx1.pansound.com)
by -redacted- with smtp (Exim 4.69)
(envelope-from <adkg@pansound.com>)
id  -redacted-
for  -redacted-; Thu, 18 Jun 2009 -redacted-
Received: from mx4.pansound.com ([74.55.10.98])
by mx1.pansound.com (8.13.8/8.13.8) with STMP id vnjgcpre;
for < -redacted->; Thu, 18 Jun 2009  -redacted-
Content-Language: en-us
Message-Id: < -redacted-@mx1.pansound.com>

The spam is the typical affiliate snowshoe spam that looks like this:

Spam from 223 W Bulldog Blvd #551 Provo, UT 84604

The intermediary domain redirected to the nextag.com site with this landing link:

forms.nextag.com/goto.jsp?url=/serv/main/buyer/education.jsp?doSearch=n&tm=y&search=education_text_links_95_h8a5d&S=23471&p=5548&node4

We are going to assume that S=23471 in that link is the affiliate ID.

Another spam mail promoting the same medical transcription degree also redirected to NexTag and had a slightly different affiliate ID, s=23393:

forms.nextag.com/goto.jsp?url=/serv/main/buyer/education.jsp?doSearch=n&tm=y&search=education_text_links_95_h8a57&s=23393&p=5548&node4
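
The two landing links above can be compared mechanically to see which parameters stay fixed across mailings and which vary. This is an added example, not code from the original post; the `http://` scheme is added so the parser sees a host, and treating `S` and `s` as one parameter follows the post's assumption that it is the affiliate ID.

```python
from urllib.parse import urlsplit, parse_qsl

# The two landing links quoted in the post (scheme added so urlsplit sees a host).
LINKS = [
    "http://forms.nextag.com/goto.jsp?url=/serv/main/buyer/education.jsp?doSearch=n&tm=y"
    "&search=education_text_links_95_h8a5d&S=23471&p=5548&node4",
    "http://forms.nextag.com/goto.jsp?url=/serv/main/buyer/education.jsp?doSearch=n&tm=y"
    "&search=education_text_links_95_h8a57&s=23393&p=5548&node4",
]

def landing_params(link):
    """Return (host, params) with parameter names lower-cased.

    The inner url= value is not percent-encoded, so its own query string
    spills into the outer one; both levels are flattened into one dict.
    """
    parts = urlsplit(link)
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # 'url=/serv/...jsp?doSearch=n' -> split the leaked inner parameter off.
        if key == "url" and "?" in value:
            value, inner = value.split("?", 1)
            k, _, v = inner.partition("=")
            params[k.lower()] = v
        params[key.lower()] = value
    return parts.hostname, params

def compare(links):
    """Split parameters into those shared by every link and those that vary."""
    parsed = [landing_params(link)[1] for link in links]
    keys = set().union(*parsed)
    shared = {k: parsed[0][k] for k in keys
              if all(p.get(k) == parsed[0].get(k) for p in parsed)}
    varying = {k: [p.get(k) for p in parsed] for k in keys if k not in shared}
    return shared, varying

if __name__ == "__main__":
    shared, varying = compare(LINKS)
    print("shared :", shared)
    print("varying:", varying)
```

Only `s` and the tail of `search` differ between the two mailings; `p=5548` and the rest of the link are identical.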

The Spam looked like this

Medical Transcription Training SPAM

Unsubscribe Image Link

and this Spam was received as

Received: from [216.1.192.99] (helo=mx27.greatwesterninc.com)
by-redacted- with smtp (Exim 4.69)
(envelope-from <kaylarokmh@greatwesterninc.com>)
id -redacted-
for-redacted- ; Thu, 18 Jun 2009 -redacted-
Received: from mx7.greatwesterninc.com ([216.1.192.79])
by mx27.greatwesterninc.com (8.13.8/8.13.8) with STMP id -redacted- ;
for <-redacted- >; Thu, 18 Jun 2009 -redacted-
From: MedicalTranscriptionist <kaylarokmh@greatwesterninc.com>

Subject: {Definitely Spam?} Train for your medical transcription degree online.

As expected, the domain name greatwesterninc.com lists a Canadian entity in its owner/admin info:

Registration Service Provided By: SANDECS
Contact: +800.2952614

Domain Name: GREATWESTERNINC.COM

Registrant:
N/A
Steve Smith
9 Jenkins Lane
Ajax
Ontario,L1S 3N7
CA
Tel. +011.9056868831

Creation Date: 25-Jun-2008
Expiration Date: 25-Jun-2009

Domain servers in listed order:
ns1.greatwesterninc.com
ns0.greatwesterninc.com

Administrative Contact:
N/A
Steve Smith
9 Jenkins Lane
Ajax
Ontario,L1S 3N7
CA
Tel. +011.9056868831

The IP address 216.1.192.79, from which this spam originated and on which it is hosted, has a typical spam reputation profile at SenderBase.
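
Added example (not part of the original post): the Received lines from both samples above, parsed to group the relay IPs by /24 and to pick out `with` tokens that fall outside a small allow-list. The allow-list and the /24 grouping width are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Received lines copied from the two samples in the post (redactions kept).
SAMPLES = {
    "pansound.com": [
        "from [74.55.10.100] (helo=mx1.pansound.com) by -redacted- with smtp (Exim 4.69)",
        "from mx4.pansound.com ([74.55.10.98]) by mx1.pansound.com "
        "(8.13.8/8.13.8) with STMP id vnjgcpre;",
    ],
    "greatwesterninc.com": [
        "from [216.1.192.99] (helo=mx27.greatwesterninc.com) by-redacted- with smtp (Exim 4.69)",
        "from mx7.greatwesterninc.com ([216.1.192.79]) by mx27.greatwesterninc.com "
        "(8.13.8/8.13.8) with STMP id -redacted- ;",
    ],
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
# Assumption: a short allow-list of protocol keywords is enough for this check.
KNOWN_WITH = {"SMTP", "ESMTP", "ESMTPS", "ESMTPA", "ESMTPSA", "LMTP"}

def parse_received(line):
    """Pull the bracketed relay IP and the 'with <protocol>' token from one hop."""
    ip = IP_RE.search(line)
    proto = WITH_RE.search(line)
    return {
        "ip": ipaddress.ip_address(ip.group(1)) if ip else None,
        "with": proto.group(1) if proto else None,
    }

def profile(samples):
    """Group relay IPs by /24 and record which domains share an unlisted 'with' token."""
    nets = defaultdict(set)
    odd_with = defaultdict(set)
    for domain, lines in samples.items():
        for hop in map(parse_received, lines):
            if hop["ip"]:
                net = ipaddress.ip_network(f"{hop['ip']}/24", strict=False)
                nets[str(net)].add(str(hop["ip"]))
            if hop["with"] and hop["with"].upper() not in KNOWN_WITH:
                odd_with[hop["with"]].add(domain)
    return dict(nets), dict(odd_with)

if __name__ == "__main__":
    print(profile(SAMPLES))
```

Each sample's two hops sit in one /24, and both sender domains carry the same `with STMP` token in the inner hop, which ties the two mailings to one header template.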

So we went to the unsubscribe link given at the domain pansound.com and unsubscribed the email address. (The email address never subscribed or bought anything online; it is a service email address given on one of our websites, so it was obviously harvested by a bot.) Here is the unsubscribe screen and the confirmation of the unsubscribe.

Unsubscribe from Spam Screen

Unsubscribed confirmation screen

Some additional lookups on the identity of the spammer:

The address given by this spammer appears to be a UPS Store drop box, according to a consumer who had a fraudulent credit card charge originating from a drop box at that location used by an entity called loseweightsystems.com, and another unhappy consumer who was ripped off by Vinitti Cash Flow System, which claimed a drop box at that location.

The domain used for the spam landing page and unsubscribe page has fake contact information; for example, the ZIP code given by the “Owner/Admin”, J0T 1T0, is in Quebec, not in Manitoba.

Registration Service Provided By: RIDGECREST CONSULTING
Contact: +1.8014434741

Domain Name: PANSOUND.COM

Registrant:
N/A
Jim Kanner        ()
2155 94A St
Waterville
Manitoba,J0T 1T0
CA
Tel. +1.2508887398

Creation Date: 10-Jun-2009
Expiration Date: 10-Jun-2010

Domain servers in listed order:
ns1.pansound.com
ns0.pansound.com

Administrative Contact:
N/A
Jim Kanner
2155 94A St
Waterville
Manitoba,J0T 1T0
CA
Tel. +1.2508887398

The IP address 74.55.10.98 has a POOR reputation in SenderBase.

 

This address also looks up to Red Mountain Media, which is one of the identities this hard core spammer assumes

http://www.redmtnmedia.com/contact.html

Contact Us (the spammer contact info)

Address: Red Mountain Media, 223 W Bulldog Blvd #551, Provo, UT 84604
Support: support@redmtnmedia.com
Sales: sales@redmtnmedia.com

Will a spammer who hides behind fake identities, thousands of IPs and domains, and UPS drop boxes in shady neighbourhoods honor the unsubscribe request? We shall report the results right here.

====================

UPDATE 6-25-2009

====================

Unsubscribing from the Provo, UT spammer has not worked thus far. Spam continues to arrive at the email address that unsubscribed from this spam; see the latest spam sample here.

====================

UPDATE 7-11-2009

====================

Spam from the “Provo Utah” spammer continues to hammer the email address that never subscribed and was unsubscribed from this hard core spam operation weeks ago. The unsubscribed email address continues to receive education and degree related spam (see sample here), as well as the never-ending barrage of other related spam this Provo, Utah snowshoe spammer hurls at American consumers by the millions.

Thus far, across all of our unsubscribe efforts, 0% of the unsubscribe requests were successful. The email address continues to receive spam, and the amount of spam has increased.



9 Comments »

 
  • admin says:

    One effective way to deal with spammers and with corporations who hire these spammers is to utilize CAN SPAM act.

    Did you know that each spam mail you receive can be worth HUNDREDS of DOLLARS in legal damages due to you?

    That’s why CAN SPAM Act was created. CAN SPAM exists for victims of spam: yes -> you can hire a lawyer and go after the spammer and the corporation who hired the spammer to spam you.

    We suggest that you file your complaint with Federal Trade Commission:
    FTC Deals specifically with the Spammers who do not comply with CAN-SPAM act and you can file your complaint with FTC against the Spammer here. In the FTC complaint form, use option that the complaint is Internet Related and in sub menu choose Other Internet Practices, next screen will give you option to choose SPAM oriented complaint, with options such as Cannot Unsubscribe. etc….

    Read this:

    http://www.baltimoresun.com/business/bal-bz.spam28nov28,0,3180236.story

    A company who can help you in tracking the spammers and eliminate spam:
    http://www.stop-spam.org

    A good resource to learn more:

    http://www.maawg.org/home

    Example of recent Class Action Spam Settlement:

    http://www.infoworld.com/d/security-central/valueclick-pay-29-million-settle-spam-complaint-276

    You and your attorney may find a wealth of legal precedent information on pursuing Spammers here

  • mark lemanski says:

    unsubscribe me from this list……

  • Owen Densmore says:

    I’ve been receiving a new flood of spam with an interesting signature. It has a usual unsubscribe message:
    To not recieve anymore. Please visit this link.
    223 W Bulldog Blvd #551 Provo, UT 84604

    But I was surprised Postini did not mark it as trash. After a bit of research, I found two interesting attributes of all the spam:

    1 – The unsubscribe message above was not text, but was an image. It was also to a different URL each time.

    2 – A somewhat weird header was used, apparently to out-fox spam filters:
    X-Spamshield-Status-Data: Skipped, authenticated user

    .. so to knock it out until Postini gets hip, I just added the latter header to my mail client’s filter, moving it to the spam folder.

    I’d be interested if anyone else receives these.

  • admin says:

    Owen,
    millions of victims receive this unwanted spam just as you describe it

    The 223 W Bulldog Blvd #551 Provo, UT 84604 spammer deploys many tricks in the book to try to evade your spam filters: an image instead of text, different domains, different IP addresses from which the emails originate, lots of garbage text hidden in the email message, the inability for a victim to unsubscribe from their mailings…. those are all telltale signs of a snowshoe spammer.

  • Amy says:

    So how do I make it stop? Spambully was useless. How do I make him go away? Clearly he’s a parasite who deserves to be stomped.

  • Ida M. Jacob says:

    Dear Amy
    I, too, have been scammed by Purelift and would like to know the reaction ( or better still ‘action’) your letter produced.
    Ida M. Jacob

  • Spam Solution says:

    The source of the spam emails is the company in your DNS query above:

    Registration Service Provided By: RIDGECREST CONSULTING

    This company is in the DNS lookup for all the domains being used.

    Their company website with contact information is here:

    http://www.ridgecrestconsult.com

    I recommend filing a complaint directly with them. If they don’t remove you immediately, then file a complaint with the state of Utah, the Utah BBB, and the FTC.

  • Chai says:

    Yes, indeed, stomped! I’m all with Amy. I receive more spam from this guy than regular, wanted email. I spend hours to separate his crap from the email I want. It’s simply unbelievable. How does one stop such a pest?

  • Leslie A says:

    I have opted out, sent cease and desist letters to no avail. I have also filed FTC complaints. Not only that, I go to the service and/or company they are marketing and file a complaint with them and against them with the FTC.
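
Added example, not part of any comment above: a mail-filter check for two traits described in the comments, the `X-Spamshield-Status-Data` header and a link that contains only an image. The sample message is constructed, and its addresses and URLs are placeholders.

```python
import email
from html.parser import HTMLParser

# Constructed sample message; only the header name/value and the
# image-only unsubscribe link follow the description in the comments.
RAW = """\
From: sender@example.invalid
Subject: constructed sample
X-Spamshield-Status-Data: Skipped, authenticated user
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Train online.</p>
<a href="http://example.invalid/u1"><img src="http://example.invalid/u.gif"></a>
</body></html>
"""

class LinkAudit(HTMLParser):
    """Count links whose only content is an image (no visible link text)."""
    def __init__(self):
        super().__init__()
        self.in_a, self.text, self.has_img = False, "", False
        self.image_only_links = 0
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_a, self.text, self.has_img = True, "", False
        elif tag == "img" and self.in_a:
            self.has_img = True
    def handle_data(self, data):
        if self.in_a:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.in_a:
            if self.has_img and not self.text.strip():
                self.image_only_links += 1
            self.in_a = False

def indicators(raw):
    """Return the list of traits found in one raw message."""
    msg = email.message_from_string(raw)
    found = []
    # Per the comment, the header arrives already set; treat it as sender-supplied.
    if "skipped" in msg.get("X-Spamshield-Status-Data", "").lower():
        found.append("sender-supplied scan-status header")
    audit = LinkAudit()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_payload(decode=True).decode("ascii", "replace"))
    if audit.image_only_links:
        found.append("image-only link")
    return found
```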

 
