Finding spammers

I know it is not easy to identify spammers. But they do leave some traces: when you register a domain, you must use a valid e-mail address. Unfortunately it is not difficult to register a domain using a name like “John Doe”, and an e-mail address does not necessarily reveal the identity of the person.

I’m not an expert in spam, but I have been following this ongoing diet spam campaign, because it involves hijacked accounts and hacked websites. One domain name turned out to be interesting: trygarciniacambogia.org – it is registered to one “Josh Green” using the email address joshgreen4@live.com. The same “Josh” has registered several other related domains such as com-june.us, com-11.us and com-may.us.

These domains share the same A-record: 173.255.197.247 – meaning the websites are hosted on that IP address. The hosting company in question is Linode. Linode offers VPS hosting only, so this IP address is probably dedicated to one customer. Disclaimer: Linode is not related to diet spam; it just happens to be one hosting company used by the spammers.

Why is “Josh” more interesting than “Edward Johnson”, a person who has also registered many diet spam domains? Because I have not seen any spam links pointing directly to trygarciniacambogia.org. It is certainly related: the link trygarciniacambogia.org/garcinia.php redirects to a site that you don’t want to visit. The domain’s A-record is also different: 198.58.104.37 – another Linode IP address.

I checked other domains hosted on this IP address:

  • referer.be
  • msbnc.com.referer.be
  • com.referer.be

A Belgian domain name, “referer.be”, next to a diet spam domain – this looks interesting! So who has registered this domain? Dns.be gives the following response:

[screenshot: referer-be-whois]

kylef1337(at)gmail(.)com – doesn’t sound like “Josh” or “Edward”. Search engines do not give any results about this Leet Kyle. A Facebook search with the e-mail address returns one match: “Kyle Ferguson”. No picture, no nothing – apparently an elusive person.

One Pinterest account seems to match: http://pinterest.com/kylef1337/wedding-photography/ – these “photographs” are clearly spam:

[screenshot: kylef-pinterest]

The oldest pin, “awesome ice cream”, was posted 26 weeks ago. That makes it the oldest diet spam entry I have seen.

I could not find any other suitable online profiles for Leet Kyle.

What does referer.be tell us? It is a redirect service using the format referer.be/blank/google.com – that would perform a simple redirect to Google. There are other similar services like anonym.to.

But this service has some hidden features. For example, referer.be/2/ redirects to garciniacambogiaselect.com. referer.be/3/ seems to be broken: it stops at hcatracker.com – a site owned by HitCPA, “an Highly Exclusive Network”. This points to one possible business model: pay-per-click advertising.
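As an added example (not code from the original post), a small redirect-chain tracer of the kind one would use to inspect a service like referer.be without loading the final page: it records each hop from Location headers only, stops on a hop limit, a loop or a hop with no Location, and is demonstrated against a constructed offline stand-in for the behaviour described above. The hostnames in the stand-in are taken from this post; the paths and status codes are assumed.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """Live fetcher: return (status, Location) for one hop without following it."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx lands here because of _NoRedirect
        return e.code, e.headers.get("Location")


def follow_chain(url, fetch=http_fetch, max_hops=10):
    """Return (list of URLs visited, why the trace stopped: terminal/loop/hop-limit)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if location is None or not 300 <= status < 400:
            return chain, "terminal"          # real content, error page, or broken hop
        url = urljoin(url, location)          # Location may be relative
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "hop-limit"


# Constructed offline stand-in for the redirector's observed behaviour (not captured traffic).
FAKE_HOPS = {
    "http://referer.be/blank/google.com": "http://google.com/",
    "http://referer.be/2/": "http://garciniacambogiaselect.com/",
    "http://referer.be/3/": "http://hcatracker.com/track",
    "http://loop.example/a": "/b",
    "http://loop.example/b": "/a",
}


def fake_fetch(url):
    """Constructed fetcher standing in for http_fetch in the offline demo."""
    if url in FAKE_HOPS:
        return 302, FAKE_HOPS[url]
    if url.startswith("http://hcatracker.com/"):
        return 500, None                      # assumed: the /3/ chain dies here with no Location
    return 200, None


if __name__ == "__main__":
    for start in ("http://referer.be/2/", "http://referer.be/3/", "http://loop.example/a"):
        print(start, "->", *follow_chain(start, fake_fetch))
```

Swap `fake_fetch` for the default `http_fetch` to trace a live URL; nothing beyond the redirect headers is ever rendered.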

It seems diet spammers are also into “make money online / from home” kinds of schemes. Referer.be/2/ leads to a non-diet-related spam site:

[screenshot: wealthk-it-spam]

Conclusions: “Leet Kyle” is possibly one person involved in this spam campaign. Yet another “Jane” or “John Doe”. On the other hand, he could be a victim whose Linode account has been hacked. In any case, referer.be’s behaviour is very suspicious, so I would steer clear of this site.
