In Pursuit Of A Spammer
Kyle writes "Over at DSL Reports, we are currently pursuing a spammer from the West Palm Beach, Florida area. This wouldn't normally be news, but we think Slashdot readers may be interested in just how successful we have been. What's more interesting is that the spammer appears to be posting in the thread."
Someone sent a couple of spam messages to a forum. Apparently they picked the wrong forum because now the whole rat-pack is trying to track down the sender.
Using Google, who-is databases, other directories, some luck and some pluck they have unearthed all details of that guy (Name, address, phone number, company he works for, color of his underwear and so on).
Being a rather slow day on Slashdot, it makes it as one of the stories of the day.
Summary:
Dslreports maintains an anti-spam forum, which discusses spam-fighting techniques. A recently registered user, AntiSpamCard, posts to the forum advertising its spam-fighting product, AntiSpamCard. This violates the rules of the forum, so another user, AmeritechTech, looks up the domain registration information (registration service: RegistryFly.com). It is full of false information (mostly na, na, na filled in everywhere). AntiSpamCard claims that false info is RegistryFly's fault. Further investigation leads AmeritechTech to believe AntiSpamCard are, in fact, spammers. The evidence:
- Privacy statement on antispamcard.com states that they have an opt-out policy on receiving info
- Domain listed as unwelcome here and here
From these sites, AmeritechTech discovers that antispamcard.com and putamericatowork.com are both owned by Brad Heckman in Palm Beach, FL. IP address for antispamcard.com seems to be within a block assigned to Crescive, Inc. (not to be confused with some car company), which is also mentioned on antispamcard.com. The host for this block of IPs is traci.net. Traci.net has a strict anti-spam policy. Name servers also appear to be owned by Brad, and hosted by traci.net. Registration of the domain names of the name servers also has na, na, na filled into most fields. Putamericatowork.com turns out to be hosted by aitcom.net, which has a very strict anti-spam policy. AmeritechTech also claims Brad owns spaminsurance.com, but I'm not sure why. IP in the same block (which it is) and identical layouts (can't check, antispamcard.com /.'ed), I think.
After various emails to the various hosting companies, antispamcard.com and spaminsurance.com magically have valid registration information. AmeritechTech also gets an email from Brad from igpbrad@hotmail.com (remember that email) saying the registration info is updated. Antispamcard.com registered to Brad, spaminsurance.com registered to Chad Deckard. Same guy? Associates? Who knows, but there seems to be a link (in later posts, this is contested by "mystery poster" Ry2k, but the link seems pretty strong). Hunting around for Chad Deckard stuff turns up claims on this board that he's associated with a scam to sell Kazaa "Gold", which is really just Kazaa Lite, but with a 9.95 price tag, plus it harvests your email. The site's still up, but I couldn't repeat the behaviour claimed by the message poster (posted back on Sept. 11, 2002) that takes you to infogeneratorpro.com, which seems to be the site registered to Chad. Also conspicuous is that Chad's name shows up on putamericatowork.com, a site owned by Brad (link). Also VERY conspicuous is that Brad emailed from igpbrad@hotmail.com, i.e. InfoGeneratorPro? Maybe a coincidence...
Some more looking uncovers other domains in Chad's name: infogenerator.com, usub.net, and finder-network.com. This is along with spaminsurance.com and infogeneratorpro.com. About this time Ry2k shows up to claim that Kazaa Gold was just a client of Chad's, and when Chad found out what they were doing, the account was eliminated. Ry2k claims to be a former employee of Chad's, and warns the forum of tarnishing the good name of legitimate businesses in their pursuit of spammers. I go to bullet mode, as it's getting late, and I'm tired:
- Reverse look-ups on contact info for antispamcard.com produce a fax number registered to infogenerator.com.
- Domain name servers (safeidentity.net) for antispamcard.com have contact info updated to Crescive, Inc.
- Someone points out that RegisarFly.com may be shady, something about "using CNAME for their MX records". Maybe someone can fill me in...
- Google Groups turns up complaints about spam from
"Now gluttony and exploitation serves eight!" - TV's Frank