New Russian Spam Gang (aka Leo Kuvayev and Vladislav Khokholkov) spamming technique...
04-28-05 07:48 AM
It seems the Russian Spam Gang has become either more crafty or more
timid... a friend kept getting spammed several times per day with this,
so asked me to take a look at them.
The RSG now sends spam with no links in the body, containing only
gibberish text. They attach an HTML file which contains the actual
advertisement with the link to their spamvertised site. I think this is
kind of self-defeating... most people know by now not to open
attachments from people they don't know, and the real newbies don't even
know *how* to open the attachments (and even if they do, they know
enough not to visit any sites advertised in spam), and the people who
will report them know to look for this... their return rate on this type
of spam has got to be dismally low.
They are munging the URL in a new way, too. Here's an example:
http://zgfebmufbj.org&olbuspv3e...urdahjcikj.com/
This, of course, leads to:
http://www.purdahjcikj.com/ES001/ (Fake viagra) (ErectionShop)
As we all know, they use specific URL appendages for each of their 21
sub-websites on each spamvertised domain. These spamvertised domains
correspond to specific vendors selling their wares via spam:
==========
/AN038/index2.php (Prescription drugs) (MedChoiceLabs AKA
DirectPrescriptions, Inc. AKA Direct RX)
/BA012/ (Teen Porn) (Beauty Angel)
/EB013/ (Porn) (Eternal Beauty)
/ES001/ (Fake viagra) (ErectionShop)
/MB006/ (Online Casino) (Mad Bonus Casino)
/MC021/ (Penile enlargement) (MedChoiceLabs)
/MS020/ (Mortgage quotes) (MortgageShop)
/NG005/ (Online Casino) (Net-Gaming Casino)
/OD043/ (Pirated software) (OEMcd)
/OE017/ (Pirated software) (OEMcd)
/OE031/ (Pirated software) (OEMcd)
/OE032/ (Pirated software) (OEMcd)
/OE033/ (Pirated software) (OEMcd)
/OE039/ (Pirated Software) (OEMcd)
/OT016/ (Teen Porn) (Outspoken Teen Porn)
/PB019/ (Prescription drugs) (Pharmoze)
/PH009/ (Prescription drugs) (Pharmoze)
/PH035/ (Cialis, Tadalafil) (Pharmoze)
/PH036/ (Cialis, Tadalafil) (Pharmoze)
/RB037/ (Counterfeit watches) (Replica Bazaar)
/RX040/ (Prescription Drugs) (RX Pharmacy)
==========
dns www.purdahjcikj.com
Canonical name: www.purdahjcikj.com
Addresses:
218.104.167.77
200.149.11.62
200.149.11.61
222.51.98.172
==========
whois -h whois.completewhois.com www.purdahjcikj.com ...
[DOMAIN whois information for WWW.PURDAHJCIKJ.COM ]
Domain Name: PURDAHJCIKJ.COM
Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org
TLD Info: See IANA Whois - http://www.iana.org/root-whois/com.htm
Registry: VeriSign, Inc. - http://www.verisign-grs.com
Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM -
http://www.directnic.com
Whois Server: whois.directnic.com
Name Server[from whois+dns, dns ip]: DOG.CCPATONCEJK.BIZ
200.149.11.62
Name Server[from whois+dns, dns ip]: TSURT.CCPATONCEJK.BIZ
218.104.167.78
Status: ACTIVE
Updated Date: 26-apr-2005
Creation Date: 26-apr-2005
Expiration Date: 26-apr-2006
[whois.directnic.com]
Registrant:
NA
Borovskoe shosse 25, 2
Moscow, MSK 119633
RU
79268710023
Domain Name: PURDAHJCIKJ.COM
Administrative Contact:
Mahmutov, Ibragim ibragimmahmutov@mail.ru
Borovskoe shosse 25, 2
Moscow, MSK 119633
RU
79268710023
Technical Contact:
Mahmutov, Ibragim ibragimmahmutov@mail.ru
Borovskoe shosse 25, 2
Moscow, MSK 119633
RU
79268710023
Record expires on 04-26-2006
Record created on 04-26-2005
Domain servers in listed order:
DOG.CCPATONCEJK.BIZ 202.99.172.145
TSURT.CCPATONCEJK.BIZ 200.149.11.62
==========
Could this be Ruslan Ibragimov of SEND-SAFE.COM, a PIS of Leo Kuvayev?
SuN Tsu (AKA Damien 'Damo the Lame-O'), giving instructions on morphing:
http://groups-beta.google.com/group...8a612b6799dc064
"...model morphs on characters that you are familiar with,
RL/Tele/cart00n, mimicking the vocabulary and sentence construction of
the character used as the model."
Kooks morph, it's a fact of life... and mentally diseased, criminally
minded stalking kooks morph a lot...
--
When will the stalker kook 'SuN Tsu' / 'BananaNanae' / 'Joe' / 'Joe
Banana' / 'JB' / 'AOL Spam Trap' / 'LobbyFerret1' / 'Damien65 [at]
aol.com' / 'ATIU 33' / 'Banana Rama' / 'Sightings' / 'nanasreport [at]
aol.com' / 'Kook Management Capital Hills' apologize for his false
accusations and spam-friendly behavior?
http://groups-beta.google.com/group...62b7339da47e17a
http://groups-beta.google.com/group...c555f81
http://groups-beta.google.com/group...ed38ae8
http://groups-beta.google.com/group...00ee0fe
NANAE newbies: For your own protection you should kill-file Sun Tsu.
(You'll have to kill-file him four times, he's posting with four email
accounts).
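A defender-side check for the two tricks described in this post (a decoy domain placed ahead of the real host in the link, and the /XX###/ sub-site code that identifies the vendor), added here as an example and not code from the thread. It assumes the elided part of the munged URL contains the "@" that makes the leading domain RFC 3986 userinfo rather than the host; the sample attachment body and the function names are constructed.

```python
import re
from urllib.parse import urlsplit

# Sub-site codes -> (product, vendor), a subset of the 21 listed in the post.
RSG_SUBSITES = {
    "ES001": ("Fake viagra", "ErectionShop"),
    "MB006": ("Online Casino", "Mad Bonus Casino"),
    "OE017": ("Pirated software", "OEMcd"),
    "PH009": ("Prescription drugs", "Pharmoze"),
    "RB037": ("Counterfeit watches", "Replica Bazaar"),
}

HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
DOTTED_NAME = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
SUBSITE_CODE = re.compile(r"^/([A-Z]{2}\d{3})/")


def analyse_url(url):
    """Return (effective_host, decoy_userinfo, subsite_code, vendor) for one link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # RFC 3986: anything before '@' in the authority is userinfo, not the host,
    # so a domain-looking string there is a decoy the reader sees first.
    decoy = None
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        if DOTTED_NAME.search(userinfo):
            decoy = userinfo
    m = SUBSITE_CODE.match(parts.path)
    code = m.group(1) if m else None
    return host, decoy, code, RSG_SUBSITES.get(code)


def scan_attachment(html):
    """Pull every href out of an HTML attachment body and analyse each link."""
    return [analyse_url(u) for u in HREF.findall(html)]


# Constructed sample attachment (hypothetical); the '@' is assumed to sit in
# the part of the munged URL that the post elides with "...".
SAMPLE_ATTACHMENT = """<html><body>
<p>Click <a href="http://zgfebmufbj.org&olbuspv3e@www.purdahjcikj.com/ES001/">here</a></p>
<a href='http://www.example.com/about/'>unrelated link</a>
</body></html>"""

if __name__ == "__main__":
    for host, decoy, code, vendor in scan_attachment(SAMPLE_ATTACHMENT):
        print(host, decoy, code, vendor)
```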
Re: New Russian Spam Gang (aka Leo Kuvayev and Vladislav Khokholkov) spamming techniqu
05-01-05 11:15 PM
In article <jx%be.2282$zu.1620@newssvr13.news.prodigy.com>, "Spam
Reporting" <FROM:@hillscapital.com> says...
> It seems the Russian Spam Gang has become either more crafty or more
> timid... a friend kept getting spammed several times per day with this,
> so asked me to take a look at them.
>
> The RSG now sends spam with no links in the body, containing only
> gibberish text. They attach an HTML file which contains the actual
> advertisement with the link to their spamvertised site. I think this is
> kind of self-defeating... most people know by now not to open
> attachments from people they don't know, and the real newbies don't even
> know *how* to open the attachments (and even if they do, they know
> enough not to visit any sites advertised in spam), and the people who
> will report them know to look for this... their return rate on this type
> of spam has got to be dismally low.
html spam is pretty common; Outlook displays .html attachments by
default. html spam looks much better than text spam and obfuscation and
java tricks are much easier when using html spam. I have seen spam that
had text that told the user to replace their mail client because it
displayed the text instead of the html.
Some more info on the RSG
05-18-05 12:05 PM
I'm an Informatics student from Belgium, and I'm working for 3 months (it's my last week!!) in a hospital in Bruges where I'm working on a paper about spam.
We get a lot of spam here in the hospital and lots of them (especially Viagra and software spam) look the same. When I tried to track down the websites they are advertising for, I came to the same conclusions that 1/3 of our spam is registered with the same names that are all linked to each other.
Alexandr Zhamelgo
Constance Edwards
James Harris
LZ DNS Hosting
Anatoliy Perenskiy
They all use Domain Name Servers listed on the names of Zhamelgo and Edwards (naexsectem.com / mdhelenagn.com / dfnwlnweb.biz / ddagraniale.com / aicstrungcb.biz / fnrgewr.com / ccpatoncejk.biz / ibyunmn.com / confinfodll.com / zaramotu.com)
I found also 3 other 'sub domains':
/EB046/ e-book on dogtraining
/OE041/ pirated software...
/RX044/ pharmacy...
I also looked on http://www.webhosting.info for possible other domains hosted on the same IP. Most of them weren't listed, but there was one IP that returned 86 domains (some doubles) and almost all of them were prepared with the same 20 websites. For more info search for the IPs: 202.99.172.145 and 218.7.112.241 (located in China)
But their business is even more than only selling viagra and typical spam stuff. They are also into Phishing! I have a mail here that's faking Southtrust Bank! Domain: confinfo.dll, registered on the name of Constance Edwards. A quick Google search tells us that this isn't the only scam the RSG is responsible for, they also faked Charter One Bank.
I can only find one link between everything I found out and Leo Kuvayev (that was on Spamhaus' Rosko List). He seems to have registered once with whois@multitrade-corp.com as email address. And multitrade-corp.com is registered by Constance Edwards...
But there still is some hope, Leo seems to have some legal problems:
"The action came after Massachusetts Attorney General Tom Reilly, relying partly on information provided by Microsoft, filed a lawsuit against Leo Kuvayev and six other individuals with Massachusetts ties accused of running an elaborate spam operation in violation of state and federal consumer protection laws." (12/05/05 - http://www.consumeraffairs....a_spammers.html)
Most of what I found out, I did yesterday. But when I came to work today I couldn't visit any of their websites! Could this be the cause of legal actions, or did they just block my IP?
Anyway, everyone can send me info on this RSG or other spam info or tips to rautje@pi.be (my spam address, will probably be closed by the end of June), because some more info for my paper for school would be very nice! I also have info on the domains, or more info on those people if anyone is interested.
grtz Nick
PS. Don't mind my English, but I'm really trying...
Re: Some more info on the RSG
05-19-05 10:29 PM
quote: Originally posted by Nick Rau
....snip
I came to the same conclusions that 1/3 of our spam is registered with the
same names that are all linked to each other.
Alexandr Zhamelgo
Constance Edwards
James Harris
LZ DNS Hosting
Anatoliy Perenskiy
....snip...
grtz Nick
PS. Don't mind my English, but I'm really trying...
Nobody minds your English - purrrrfect ;-)
Since the start of Leo's woes, the spam from him has drastically increased in volume! Anybody notice it?
My own info I gathered on this.
---------------------------------------------------------------
Some info you may wish to use? Extract from search on domains used by Leo Kuvayev re a complaint on bad whois to Yesnic, but may help other parties. Also http://www.spamhaus.org/rok...okso_id=ROK5137
I am currently looking at the link between him and :
Zhamelgo, Alexandr aazhago@yahoo.com
Profsoyuznaya 25-1, 31
Moscow, MSK 117418
RU
+7.0956995731
Fax:+61.294750668
Appears to be one and same, or extremely closely associated.
Also Linked:
Mahmutov, Ibragim ibragimmahmutovv@yahoo.com
Borovskoe shosse 25, 2
Moscow, MSK 119633
RU
79268710023
Unfortunately this spammer has opened a new Yahoo account: ibragimemail@yahoo.com (after I put Yahoo! wise ;-)
Administrative Contact:
Mahmutov, Ibragim ibragimemail@yahoo.com
Borovskoe shosse 25, 2
Moscow, MSK 119633
RU
79268710023
Domain Name: WAGOGOIFMFA.COM
This user habitually and fraudulently supplies details of existing companies
that do not belong to him in his whois details, as is shown below complete
with real address owners following: (It would appear all records have fax =
+1.302-338-7956 ???)
Domains at Yesnic:
egold-access.com - 27 Nottingham Road,UK +1.718-213-4074, +1.302-338-7956
intmedcorp.com - P.O. Box 351019 NY,USA +1.718-213-4074, +1.302-338-7956
bestoemz.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
filesetup.com (On hold) - 27 Nottingham Road,UK +1.718-213-4074, +1.302-338-7956
dllconf.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
sixteehbng.com - 27 Nottingham Road,UK +1.718-213-4074, +1.302-338-7956
sheenier.net - P.O. Box 351019 NY,USA +1.718-213-4074, +1.302-338-7956
multitrade-corp.com (On Hold) - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
aeroseddicc.com - 27 Nottingham Road,UK +1.718-213-4074, +1.302-338-7956
fdrindck.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
frapped.net - P.O. Box 351019 NY,USA +1.718-213-4074, +1.302-338-7956
aimarcoal.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
jjrelatumjl.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
coderlbgfc.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
lettmdeli.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
kaquipperlk.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
ibyunmn.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
maydaypay.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
skytech-inc.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
wamu2u.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
custconf.com - P.O. Box 351019 NY,USA +1.718-213-4074, +1.302-338-7956
spx2k.net - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
us2k.net - P.O. Box 351019 NY,USA +1.718-213-4074, +1.302-338-7956
MDHELENAGN.COM (ON HOLD) - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
bhphoebeie.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
bmnewingdk.com - 1094 SE St Patricks Court WA USA, +1.302-338-7956, +1.302-338-7956
PAISHNKMD.COM - 27 Nottingham Road,UK +1.718-213-4074, +1.302-338-7956
+1.718-213-4074 is a New York USA number
+1.302-338-7956 is a Delaware USA number
Mail addresses used
edwards@mail333.com,
c.edwards@safe-mail.net,
leimomi01@tom.com
Real address owners of Leo's whois details:
27 Nottingham Road is that of a real UK bank, NatWest. Their tel nr is +44 (0) 116 255 3041 : http://www.multimap.com/clients/bro...=457&reclimit=1
1094 SE St Patricks Court is a real address of a Land & Marine Products/Mason & Associates, real tel nr is +1 360-895-4001 : http://www.jasonscradle.com/ , http://www.seattleboatshow....ow=26/index.cfm etc
P.O. Box 351019 NY,USA is that of a real company as well, a souvenir shop Kalinka Gift, tel +1-718-368-4128: http://www.kalinkagift.com/howto.aspx
Note that these domain usages range from spam to more serious offences such as fraud/phishing sites:
http://www.antiphishing.org/phishin...on.html (phishing site)
http://www.joewein.de/sw/fraud-intmedcorp.htm
http://leaf.dragonflybsd.org/mailar...2/msg00334.html (another phishing site)
http://www.antionline.com/history/t...p/267406-1.html (phishing site)
This party is in reality Leo Kuvayev, an American Russian, living in Newton Boston and his gang: See http://www.spamhaus.org/rokso/evide...okso_id=ROK5137
He is currently in trouble in the USA for these activities. Leo has been charged: "..with advertisements for illegal and dangerous products, such as counterfeit prescription drugs and pirated software, as well as advertisements for pornography."
http://seattlepi.nwsource.com/local...Lawsuit
Cheers
E
__________________
If I had a dime for every spam I received, I would be rich.
If I had a dime for every spam site shut, I would still be rich.
So, theoretically, I am rich without spamming...