Lonelyhearts scammers are in top gear


rconner

Posted

I'm getting an awful lot (and I do mean awful) of messages like this one (tracking link) asking for mail back to the following domains:

  • HonorMinistries.info
  • HonorHoles.info
  • OldGloryShirts.info

Very large volume for me (about 10-20 per day over the last couple of days, although Google suggests that they've been at it for a while).

These fine fellows set up their own domains with their own MX hosts which are presumably used to receive mail from the suckers. Right now, all three MX hosts are listed at the same IP in China.

SpamCop catches a lot of them, but many slip through, so I set a filter in SC Webmail to trash any mails that have these domains in the body.

The domains seem to have phony registrant data (try to hold down your shock at this), so I reported them to eNom. I'm not expecting any sort of immediate response, but will check back in a few days.

-- rick

Posted

Can't get to my usual tools (half the US seems to be off air from here) but are you seeing the .com.au bit? Have to be/supposed to be a registered business to use .com.au - suggest complaint to ACMA as well. Supposedly have to be resident to do that but worth rattling their cage IMO.

H:\>nslookup
...
> HonorHoles.info
...
Non-authoritative answer:
Name: HonorHoles.info.com.au
Addresses: 212.100.254.39, 212.100.254.40, 69.20.9.187, 69.20.9.188

Posted

Can't get to my usual tools (half the US seems to be off air from here) but are you seeing the .com.au bit?

I do not get the .com.au in my lookup, also I just get one IP which is not on the list above. Puzzling; I can't get any whois data at all for HonorHoles.info.com.au. Does Oz have a national-level whois service for this sort of thing?

-- rick

Posted
I do not get the .com.au in my lookup, also I just get one IP which is not on the list above. Puzzling; I can't get any whois data at all for HonorHoles.info.com.au. Does Oz have a national-level whois service for this sort of thing?
See http://www.robtex.com/dns/info.com.au.html which includes honorholes.info.com.au in "hostnames sharing ip with a-records". No - there's no national whois that I know of though someone surely monitors registrations (no bureaucratic niche goes unfilled in these parts).

Further oddity, getting a "regular" result using nslookup from another location (same ISP):

C:\Documents and Settings\Steve>nslookup
...
> honorholes.info
...
Non-authoritative answer:
Name: honorholes.info
Address: 218.23.28.98

>

If it weren't for the robtex result above I would be wondering about that earlier data.

Posted

Hmm ... still getting the ...info.com.au detail with nslookup from the other location. I guess

  • this is not just a transitory connectivity issue
  • when nslookup says "Non-authoritative answer" it means it
  • it tries really, really hard for a result
  • since domain info.com.au isn't sending you spam it's all a red herring but...
  • either the unlikely name "honorholes" has some strange attraction or the honorholes.info domain has a backup standing by

OldGloryShirts.info similarly returns an OldGloryShirts.info.com.au result presently; HonorMinistries.info returns NXD.

BUT

HonorHoles.info.

OldGloryShirts.info.

HonorMinistries.info.

all return "regular" results - it's just the thing about operating within a VPN or whatever (nslookup requires a trailing "." to work properly in this environment, dunno why offhand). Steven Underwood highlighted that some time ago, I seem to now recall. I had forgotten.

Posted
(...) it's just the thing about operating within a VPN or whatever (nslookup requires a trailing "." to work properly in this environment, dunno why offhand). Steven Underwood highlighted that some time ago, I seem to now recall. I had forgotten.

Only thing I can offer is that to be very strict, host names require a dot at the very end (e.g., "HonorHoles.info."), where the final dot stands for what I think is called the "null domain" (i.e., the master set that consists of all possible TLDs and their children).

Just got four more from these guys right in a row, their MX is still at the same address for me (218.23.28.98 in Anhui Telecom block).

-- rick
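The trailing-dot point above, as an added example that is not code from the thread: a small model of how a stub resolver walks its search list, with constructed DNS data built from the answers quoted earlier (one A record for honorholes.info, and a wildcard under info.com.au). Which order the bare name and the suffixed names are tried in depends on the resolver (glibc tries a dotted name first; the nslookup in the thread evidently tried the suffix), so that is a flag; in both cases a trailing dot makes the name absolute and the search list is never consulted.

```python
# Added example (not code from the thread): a model of stub-resolver
# search-list handling, showing why "HonorHoles.info" can come back as
# HonorHoles.info.com.au on a host with "com.au" in its DNS search list,
# while the absolute form "HonorHoles.info." cannot. The DNS data below
# is constructed from the answers quoted in the thread, not fetched.

def candidate_names(name, search_list, suffix_first=False):
    """Return the fully qualified names a resolver tries for `name`, in order.

    A trailing dot makes the name absolute: it is queried as written and
    the search list is ignored. Otherwise each search suffix is appended
    in turn; whether the bare name goes before or after the suffixed
    names depends on the resolver, hence the flag.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix.strip('.')}." for suffix in search_list]
    bare = [f"{name}."]
    return suffixed + bare if suffix_first else bare + suffixed

# Constructed zone data: honorholes.info has one A record, and every name
# under info.com.au answers (a wildcard), as the thread's lookups showed.
ABSOLUTE = {"honorholes.info.": ["218.23.28.98"]}
WILDCARD_ZONES = {
    "info.com.au.": ["212.100.254.39", "212.100.254.40",
                     "69.20.9.187", "69.20.9.188"],
}

def fake_lookup(fqdn):
    """Stand-in for a DNS query against the constructed data above."""
    key = fqdn.lower()
    if key in ABSOLUTE:
        return ABSOLUTE[key]
    for zone, addrs in WILDCARD_ZONES.items():
        if key.endswith("." + zone):
            return addrs
    return None

def resolve(name, search_list, suffix_first=False):
    """Return (name that answered, addresses) for the first candidate that resolves."""
    for cand in candidate_names(name, search_list, suffix_first):
        addrs = fake_lookup(cand)
        if addrs:
            return cand, addrs
    return None, []

if __name__ == "__main__":
    for q in ("HonorHoles.info", "HonorHoles.info."):
        print(q, "->", resolve(q, ["com.au"], suffix_first=True))
```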

SpamCop catches a lot of them, but many slip through, so I set a filter in SC Webmail to trash any mails that have these domains in the body.
For everyone's future reference, this did not do what I thought it would. Apparently any mail that passes through SpamCop filters gets forwarded directly to me at my secret drop, without passing through the SC webmail filters. I don't use webmail very often, preferring to POP from my secret drop instead.

My ISP (Verizon) has some user defined filtering, but it cannot be used to examine message bodies, so no luck there. Best I could do was to have Apple Mail put the messages into a separate folder if they contain the offending domains. At least this way I can keep an eye on how many I get (that SpamCop doesn't catch).

Normally, SpamCop is all over botnet mail like ugly on an ape (sorry, apes). Seems like a surprising number of these don't get caught. Maybe they're just picking me out for special abuse, so they are not part of a general attack.

-- rick
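The "separate folder if the body contains these domains" rule Rick describes, as an added example that is not code from the thread or from SpamCop: it transfer-decodes every text part before looking for the three reply-to domains, since a base64 or HTML body can hide the string from a plain "body contains" webmail rule. The sample message is constructed here (the From address and body text are made up), not a real spam.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Added example (not code from the thread): flag a message if any text part
# or the From/Reply-To header names one of the reply-to domains the scam
# asks for. Parts are transfer-decoded first, so a base64 or HTML body does
# not slip past the way a plain "body contains" webmail rule can let it.
SCAM_DOMAINS = {"honorministries.info", "honorholes.info", "oldgloryshirts.info"}
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def domains_in_message(raw: bytes) -> set:
    """Return every domain-looking token in From/Reply-To and all text parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    texts = []
    for hdr in ("From", "Reply-To"):
        texts.extend(str(v) for v in msg.get_all(hdr, []))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())  # decodes CTE and charset
    return {d.lower().strip(".") for t in texts for d in DOMAIN_RE.findall(t)}

def is_lonelyhearts(raw: bytes) -> bool:
    """True when the message mentions any of the scam's reply-to domains."""
    return bool(domains_in_message(raw) & SCAM_DOMAINS)

def build_sample(body: str) -> bytes:
    """Constructed test message (not a real spam) with a base64-encoded body."""
    m = EmailMessage()
    m["From"] = "Anna <anna@example.net>"  # made-up sender
    m["Subject"] = "hello from Anna"
    m.set_content(body, cte="base64")
    return m.as_bytes()

if __name__ == "__main__":
    spam = build_sample("I am lonely, write me at anna@HonorHoles.info please")
    print(is_lonelyhearts(spam))
    print(is_lonelyhearts(build_sample("Minutes from Tuesday attached.")))
```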

Posted
I do not get the .com.au in my lookup, also I just get one IP which is not on the list above. Puzzling; I can't get any whois data at all for HonorHoles.info.com.au. Does Oz have a national-level whois service for this sort of thing?

whois HonorHoles.info.com.au
.au is a domain of Australia
(international dialing code 61)
Searches for .au can be run at http://www.aunic.net/cgi-bin/whois.aunic

whois -h whois.aunic.net info.com.au ...
Domain Name: info.com.au
Last Modified: 18-Oct-2004 13:31:59 UTC
Registrar ID: Melbourne IT
Registrar Name: Melbourne IT
Status: ok
Registrant: INFODOTCOM PTY LTD
Registrant ID: OTHER 094 860 698
Eligibility Type: Other
Registrant ROID: C2114836-AR
Registrant Contact Name: Roy Mackenzie
Registrant Email: Visit whois.ausregistry.com.au for Web based WhoIs
Tech ID: 681407799
Tech Name: Roy Mackenzie
Tech Email: Visit whois.ausregistry.com.au for Web based WhoIs
Name Server: ns0.info.com
Name Server: ns6.info.com

dns HonorHoles.info.com.au
Canonical name: HonorHoles.info.com.au
Addresses:
212.100.254.39
212.100.254.40
69.20.9.187
69.20.9.188

Dig HonorHoles.info.com.au[at]208.67.220.220 ...
Non-authoritative answer
Recursive queries supported by this server
Query for HonorHoles.info.com.au type=255 class=1
HonorHoles.info.com.au A (Address) 69.20.9.187
HonorHoles.info.com.au A (Address) 69.20.9.188
HonorHoles.info.com.au A (Address) 212.100.254.39
HonorHoles.info.com.au A (Address) 212.100.254.40

Browsing http://HonorHoles.info.com.au/
Fetching http://HonorHoles.info.com.au/ ...
GET / HTTP/1.1
Host: HonorHoles.info.com.au
Connection: close
Socket Error

ns1.dnsreal.com reports the following MX records:
Preference  Host Name               IP Address
5           mail1.honorholes.info   218.23.28.98
No MX records found for HonorHoles.info.com.au

dig HonorHoles.info [at] 208.67.220.220

Dig HonorHoles.info[at]ns1.dnsreal.com (218.23.28.98) ...
Authoritative Answer
Recursive queries supported by this server
Query for HonorHoles.info type=255 class=1
HonorHoles.info SOA (Zone of Authority)
Primary NS: HonorHoles.info
Responsible person: postmaster[at]HonorHoles.info
serial:2006092200
refresh:10800s (3 hours)
retry:3600s (60 minutes)
expire:604800s (7 days)
minimum-ttl:38400s (100 hours)
HonorHoles.info NS (Nameserver) ns1.dnsmanage.info
HonorHoles.info NS (Nameserver) ns2.dnsmanage.biz
HonorHoles.info NS (Nameserver) ns2.dnsmanage.info
HonorHoles.info NS (Nameserver) ns1.dnsmanage.biz
HonorHoles.info MX (Mail Exchanger) Priority: 5 mail1.HonorHoles.info
HonorHoles.info A (Address) 218.23.28.98
ns1.dnsmanage.biz A (Address) 218.23.28.98
ns1.dnsmanage.info A (Address) 218.23.28.98
ns2.dnsmanage.biz A (Address) 218.23.28.98
ns2.dnsmanage.info A (Address) 218.23.28.98
mail1.HonorHoles.info A (Address) 218.23.28.98

Dig HonorHoles.info[at]ns2.dnsreal.com (218.23.28.98) ...
Authoritative Answer
Recursive queries supported by this server
Query for HonorHoles.info type=255 class=1
HonorHoles.info SOA (Zone of Authority)
Primary NS: HonorHoles.info
Responsible person: postmaster[at]HonorHoles.info
serial:2006092200
refresh:10800s (3 hours)
retry:3600s (60 minutes)
expire:604800s (7 days)
minimum-ttl:38400s (100 hours)
HonorHoles.info NS (Nameserver) ns1.dnsmanage.biz
HonorHoles.info NS (Nameserver) ns1.dnsmanage.info
HonorHoles.info NS (Nameserver) ns2.dnsmanage.biz
HonorHoles.info NS (Nameserver) ns2.dnsmanage.info
HonorHoles.info MX (Mail Exchanger) Priority: 5 mail1.HonorHoles.info
HonorHoles.info A (Address) 218.23.28.98
ns1.dnsmanage.biz A (Address) 218.23.28.98
ns1.dnsmanage.info A (Address) 218.23.28.98
ns2.dnsmanage.biz A (Address) 218.23.28.98
ns2.dnsmanage.info A (Address) 218.23.28.98
mail1.HonorHoles.info A (Address) 218.23.28.98

Dig HonorHoles.info[at]208.67.220.220 ...
Non-authoritative answer
Recursive queries supported by this server
Query for HonorHoles.info type=255 class=1
HonorHoles.info NS (Nameserver) ns2.dnsreal.com
HonorHoles.info NS (Nameserver) ns1.dnsreal.com

Posted
...Does Oz have a national-level whois service for this sort of thing?
Just to answer the query when previously I couldn't - I see http://whois.ausregistry.com.au/whois/whois_local.jsp?

Thanks for the other responses Rick, I see the same A=MX=218.23.28.98 with fake domain registration (ain't no Applestone Road *anywhere* in AZ according to some - good thing too, peaches have stones, apples have seeds f'Pete's sake, makes as much sense as "dogcalf" or "kangarookitten" :D). Whatever - others in the stable being Simoldglory.info, GloryLandUsa.info, Engineride.info and ShineBal.info

...Searches for .au can be run at http://www.aunic.net/cgi-bin/whois.aunic...
Thanks for that, and all the detail.
Posted
(...) peaches have stones, apples have seeds f'Pete's sake, makes as much sense as "dogcalf" or "kangarookitten" :D).
You'd be impressed at the goofy names that real estate developers hereabouts can come up with in order to impart a sort of country-squire feel to a string of McMansions (not that I assume that these guys are living in even a McMansion). I wouldn't dismiss this street name out of hand, in other words.

However, I noted that the zip code is in a small town in the far west of Arizona (Tempe is in the SE corner of the state), and I also failed to find the street name anywhere in the zip. Also, the telephone was assigned to a Texas telco, two states to the east; it did not appear to be a cell or VoIP number, so it seems bogus to me.

Just to be clear, did you see any spam asking for replies to the .com.au domains, or were they just odd byproducts of the search? Looks like the lookup you got was somehow confusing the .info TLD for the info.com.au domain.

BTW, the Clarus the Dogcow (Wikipedia link) was a small icon used in very old versions of Mac OS for various purposes (such as helping the user set the right page orientation for printing). There is no record, however, of any offspring from Clarus.

-- rick

Posted
...However, I noted that the zip code is in a small town in the far west of Arizona (Tempe is in the SE corner of the state), and I also failed to find the street name anywhere in the zip. Also, the telephone was assigned to a Texas telco, two states to the east; it did not appear to be a cell or VoIP number, so it seems bogus to me. ...
As phony as a three-dollar bill is the general consensus around the internet.
...Just to be clear, did you see any spam asking for replies to the .com.au domains, or were they just odd byproducts of the search? Looks like the lookup you got was somehow confusing the .info TLD for the info.com.au domain. ...
Purely from/artifact of the nslookup Rick. nslookup is clearly an overachiever in some circumstances.
...BTW, the Clarus the Dogcow (Wikipedia link) was a small icon used in very old versions of Mac OS for various purposes (such as helping the user set the right page orientation for printing). There is no record, however, of any offspring from Clarus.
Now you're scaring me - recalling Clarabelle the cow was a Disney character, Goofy (and the Beagle Boys) are dogs, visions of unholy hybridisation[1] come to mind. Never mind Clarus's offspring, who were her parents? :blink:

[1] hmm, looks like the word "misconsegregation"[2] got thrown out of the dictionary, trust me, it used to exist - sheesh you're getting old when you outlast words - whole languages even, also battleships, major automobile manufacturers, breweries, specific skyscrapers and the days when "computers" used to be people.

[2] (on edit) Ah, probably because it was a mis-spelling of miscegenation. Doesn't really apply to species mixing (that's the "unholy" bit) but on the other hand, if they talk and wear clothes ...

On the plus side, I feel much younger now.

Posted
...Ah, probably because it was a mis-spelling of miscegenation. ...
Apropos of which I note the following sage advice - http://www.dearauntnettie.com/archives/archives-0006.htm

6-26-2000

Dear Aunt Nettie:

I have a PC and my fiancée has a Mac. Is there any hope for this relationship?

-- Miscegenated in Mobile

Dear Miscegenated,

Oh, you starry-eyed young people! Always thinking you can overcome society's laws and traditions.

I've seen so many youngsters start down this primrose path, only to come to ruin when they realize the full extent of the differences between them. It's worse in your kind of situation, when the man has the PC and the woman the Mac.

How are you going to explain to her what crashes are, or lockups, freezes and blue screens? Can a sweet young thing ever comprehend the PC male's need for updates, upgrades and patches and fixes? Will she realize her error when she finds out that you consider it perfectly normal to restart half a dozen times a day? Will she understand when you topple over with zero free system resources? Will she be scandalized the first time she sees you using the obscene three-fingered gesture to invoke CTRL-ALT-DEL? And what about the physical differences? What will she think of the second button on your mouse-- or the wheel, for heaven's sake!

But the greatest tragedy of all is if there are children. Unable to find peace at home, many of these poor tykes are driven into the streets, where they become easy marks for dealers in Linux, BeOS or other immoral systems and creeds.

Remember what the Good Book says: "Someday the lion will lie down with the lamb in peace, but until then, haul ass, lambchop."

Posted

Apropos of which I note the following sage advice - http://www.dearauntnettie.com/archives/archives-0006.htm

First off, "miscongregation" should be a word if it is not, as should "misconjugation" (as in a botched conjugal visit).

Second, the Aunt Nettie is an oldie but a goodie. I can recall reading a piece at about that time that made the claim that MS-DOS (pre-Windows) people were like protestants and Mac people like Catholics:

  • The PC people were communicating directly with the computer via command lines, and pretty much had the freedom to shape their own destinies, down to "del c:*.*" They could program in BASIC if they liked, or might even be able to snag a DeSmet C compiler. Their "sanctuaries" were as austere as Quaker meeting houses, consisting only of lines of green ASCII text and basic line art.
  • The Mac people received all their wisdom from others (i.e., Cupertino) and were not in direct control (lacking so much as a console window). They had to commune with the OS through an intermediary (the "Finder") which provided ornate windows and even icons (which, back then, were strictly from church). They were not allowed to "program" their computers with anything more dangerous than the horribly hobbled Macintosh Pascal, unless they paid big bucks and signed the secret oaths to get into the MPW developers' program.

Nowadays, it seems as though this comparison may have flipped, or at least evened out...today, Windows does not encourage the congregants to muck about with the stuff behind the curtain, while Apple now has reversed their 1984 stance by giving away a complete set of development tools with every Mac OS purchase, and providing an Xterm-style console window along with full-up BSD and multiple command shells.

BTW, just to return to topic a bit, I've been free of Lonelyhearts spam for about 36 hours now, although the three domains still appear to be intact and working. The same crew may have moved on to pharm, however, to judge by the fact that they use the same botched headers.

-- rick
