Discussion:
goohle.us "Lover Spy" spammer: no longer showing his billing processor
Spamless
2003-09-26 23:19:51 UTC
The goohle.us "Lover Spy" spammer

Spam posted in NANAS: Subject:
Read your LOVER's EMAILS with new SPY Software. k sgn8h6241xp781

He used to send one to his credit card or online check payment services.

He lost his Credit Card service and last night his page indicated:

"We are unable to take credit cards at this time."

Then he lost his online Check service and today his site indicates:

"We currently are unable to take e-Checks."

However, apparently he has obtained credit card service from a provider
which allows him to harvest the credit card data and submit it himself (his
site used to send one to "https://" encrypted sites run by the payment
services to handle your data securely).

Now, the credit card data is submitted to
http://www.lover-spy.com/process_cc.php

(the spamvertized URL, http://www.goohle.us?afil=1025 and www.lover-spy.com
are both at IP address 195.85.231.180 on nik.ru)

NOTE: You may not be able to reach the spamvertized URL
"http://www.goohle.us?afil=1025". At the moment the root servers for
the *.us domain ([a-c].gtld.biz) do not have a nameserver listed for
goohle.us. On the other hand, the registrar, enom.com, does have
nameservers listed for the domain which work and authoritatively and
non-recursively resolve www.goohle.us as an alias for the Canonical
NAME goohle.us at IP address 195.85.231.180. It is up. It is just
unreachable except to those who really try to find it.
Frank Nospam
2003-09-30 14:39:03 UTC
Post by Spamless
The goohle.us "Lover Spy" spammer
Also owns gootle.us and probably other misspellings of google.

The listed address is in Australia, and the hosting is in Russia.
This clearly violates the official policy of the .us registry.
Is NeuStar willing to revoke fraudulent domains, and if so who
should we contact?

-F.
Henrietta K Thomas
2003-09-30 17:24:00 UTC
Post by Frank Nospam
Post by Spamless
The goohle.us "Lover Spy" spammer
Also owns gootle.us and probably other misspellings
of google.
The listed address is in Australia, and the hosting is in Russia.
This clearly violates the official policy of the .us registry.
Is NeuStar willing to revoke fraudulent domains, and if so who
should we contact?
goofle.us appears to be correctly registered at
www.whois.us. Owner listed as Broadcast Advertiser,
Inc., P.O. Box 322, Haines City, 33845-0322, United States.
(I have no idea where Haines City is).
Post by Frank Nospam
All domain names are subject to certain additional
domain name registration rules. For details, please
visit our site at www.whois.us.
Suggest you go there and find out how to lodge
a complaint if you think there is fraud involved.

Hope this helps,

Henrietta K. Thomas
us.* hierarchy coordinator
***@earthlink.net
www.usenetnews.us
Frank Nospam
2003-09-30 18:39:31 UTC
Post by Henrietta K Thomas
Post by Frank Nospam
Also owns gootle.us and probably other misspellings
The listed address is in Australia, and the hosting is in Russia.
goofle.us appears to be correctly registered at
P.O. Box 322, Haines City, 33845-0322, United States.
(I have no idea where Haines City is).
Answer: it's in America's spam capital, of course. Florida!

Hmm... working through the alphabet should only take a couple minutes:
http://www.whois.us/whois.cgi?TLD=us&WHOIS_QUERY=goozle.us

Jeff Romelus, Romelus Hosting, 250 George St, Sydney AU:
gooble, goohle, gootle, gooyle

Mike Basil, Broadcast Advertiser Inc, PO Box 322, Haines City FL:
goofle

Google Inc, 2400 Bayshore, Mountain View CA:
google

John Taylor, OurHGHOrders, 321 SW 654th St, Miami FL:
goovle

To quote Sesame Street: one of these things is not like the others.

-F.
redc1c4
2003-09-30 22:15:42 UTC
Post by Henrietta K Thomas
Post by Frank Nospam
Post by Spamless
The goohle.us "Lover Spy" spammer
Also owns gootle.us and probably other misspellings
of google.
The listed address is in Australia, and the hosting is in Russia.
This clearly violates the official policy of the .us registry.
Is NeuStar willing to revoke fraudulent domains, and if so who
should we contact?
goofle.us appears to be correctly registered at
www.whois.us. Owner listed as Broadcast Advertiser,
Inc., P.O. Box 322, Haines City, 33845-0322, United States.
(I have no idea where Haines City is).
Post by Frank Nospam
All domain names are subject to certain additional
domain name registration rules. For details, please
visit our site at www.whois.us.
Suggest you go there and find out how to lodge
a complaint if you think there is fraud involved.
Hope this helps,
Henrietta K. Thomas
us.* hierarchy coordinator
www.usenetnews.us
i thought us.config was an inappropriate place to discuss spam.....

redc1c4,
or is that just another rule that only applies to the hoi polloi?
--
A Troop - 1st Squadron
404th Lemming Armored Cavalry

"Velox et Capillatus!"
Spamless
2003-10-01 01:45:28 UTC
Post by Henrietta K Thomas
Post by Frank Nospam
Post by Spamless
The goohle.us "Lover Spy" spammer
Also owns gootle.us and probably other misspellings
of google.
The listed address is in Australia, and the hosting is in Russia.
This clearly violates the official policy of the .us registry.
Is NeuStar willing to revoke fraudulent domains, and if so who
should we contact?
goofle.us appears to be correctly registered at
www.whois.us. Owner listed as Broadcast Advertiser,
Inc., P.O. Box 322, Haines City, 33845-0322, United States.
(I have no idea where Haines City is).
An interesting observation.

The order form has a value:

[input name="ra" type="hidden" id="ra2"
value="http://67.121.215.89/paid_swreg_LOVERSPY.asp"]

In the first spam run I got, where he had a credit card
and check processor to which he sent one for payment, the credit
card processor *did* redirect to that for the final response.

The URL: http://67.121.215.89/paid_swreg_LOVERSPY.asp
(without sending data) is still up and returns:

Error in Transaction.


OrgName: Pac Bell Internet Services
CIDR: 67.112.0.0/12
CustName: Enrique Perez
NetRange: 67.121.215.88 - 67.121.215.95
Address: 268 Bush St
City: San Francisco
StateProv: CA
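
An added example, not part of any post in this thread: a check for the two order-form traits described above, card data posted to a plain http:// URL and a hidden field carrying a callback URL on a bare IP address. The form markup is constructed; only the two URLs come from the posts, and the field names other than `ra` are assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Heuristic for payment-card inputs; these field-name patterns are assumptions.
CARD_FIELD = re.compile(r"card|cvv|expir", re.I)

class FormAudit(HTMLParser):
    """Collect each form's action, card-like inputs and hidden values."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "card": [], "hidden": []})
        elif tag == "input" and self.forms:
            name = a.get("name") or ""
            if (a.get("type") or "").lower() == "hidden":
                self.forms[-1]["hidden"].append((name, a.get("value") or ""))
            elif CARD_FIELD.search(name):
                self.forms[-1]["card"].append(name)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(html, page_url):
    # Returns a list of findings for the forms served at page_url.
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        if form["card"] and urlparse(target).scheme != "https":
            findings.append(("cleartext-card-post", target))
        for name, value in form["hidden"]:
            u = urlparse(value)
            if u.scheme in ("http", "https") and is_ip_literal(u.hostname or ""):
                findings.append(("hidden-ip-callback", name, value))
    return findings

# Constructed markup; only the two http:// URLs are taken from the posts.
SAMPLE = ('<form action="http://www.lover-spy.com/process_cc.php" method="post">'
          '<input name="card_number"><input name="expiry">'
          '<input name="ra" type="hidden" id="ra2" '
          'value="http://67.121.215.89/paid_swreg_LOVERSPY.asp"></form>')
```

Calling `audit(SAMPLE, "http://www.lover-spy.com/")` reports both traits; a form whose action resolves to an https:// URL and has no IP-literal hidden values yields no findings.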
w***@ccwf.cc.utexas.edu
2003-10-01 02:30:28 UTC
quoting Henrietta
Post by Spamless
The goohle.us "Lover Spy" spammer
also owns GOOTLE.US (and probably other misspellings of "GOOGLE")
Broadcast Advertiser,Inc., P.O. Box 322, Haines City, 33845-0322, US
(I have no idea where Haines City is).
<drum roll>.... *FLORIDA* !

(<chuckle> that was FUN! :)
--
/"\ ASCII... ._. || Stop Verisign DNS Abuse Petition
\ / on Usenet /v\ || www.whois.sc/verisign-dns
X ANYTHING ELSE /( )\ || "Don't Mess With Penguins!!"
/ \ IS BLOAT !! ^^ ^^ || OPT-OUT is *E*V*I*L*
shiksaa
2003-10-01 03:05:49 UTC
Post by w***@ccwf.cc.utexas.edu
quoting Henrietta
Post by Spamless
The goohle.us "Lover Spy" spammer
also owns GOOTLE.US (and probably other misspellings of "GOOGLE")
Broadcast Advertiser,Inc., P.O. Box 322, Haines City, 33845-0322, US
(I have no idea where Haines City is).
<drum roll>.... *FLORIDA* !
(<chuckle> that was FUN! :)
<http://216.239.57.104/search?q=cache:S18EseGtCFQJ:member.atlantic.net/~rgb/bulletproofmailing-com.html+%22Box+322%22%2Bhaines&hl=en&ie=UTF-8>
Post by w***@ccwf.cc.utexas.edu
20,000 fresh emails for only $20.00
or 30 days Subscription $450
FOR AMOUNTS EXCEEDING PAYINGFAST'S LIMITS - - YOU MAY SEND OTHER MONEY ORDERS or MULTIPLE
BARBARA WILSON, P.O. BOX 322, HAINES CITY, FL 33845-0322 USA
1,000 FRESH EMAIL ADDRESSES--JUST $1!
(50,000,000 available--just order multiples)
EMAILED to you PROMPTLY!
Barbara A. Wilson
P.O. Box 322
Haines City, FL 33845-0322
USA
However, lots of hits for Mike Basil using the same PO Box:

<http://groups.google.com/groups?q=broadcastadvertiser.com&hl=en&lr=&ie=UTF-8&sa=G&scoring=d>

<http://groups.google.com/groups?q=+%22mike+basil%22+group:*abuse*&hl=en&lr=&ie=UTF-8&sa=G&scoring=d>

And Vernon has it tagged to: Peter Zielczynski Broadcast Advertiser
Inc
--
Susan (Shiksaa) would be the person to talk to.
I swear, she's so good at ferreting out spammers,
she really ought to work for the CIA or Interpol or
something. -Steve Sobol in email 9.9.03
Henrietta K Thomas
2003-10-01 04:45:08 UTC
Post by w***@ccwf.cc.utexas.edu
quoting Henrietta
Post by Spamless
The goohle.us "Lover Spy" spammer
also owns GOOTLE.US (and probably other misspellings of "GOOGLE")
Broadcast Advertiser,Inc., P.O. Box 322, Haines City, 33845-0322, US
(I have no idea where Haines City is).
<drum roll>.... *FLORIDA* !
(<chuckle> that was FUN! :)
Nice to see you again, Werner. Do you have any
idea why this thread was crossposted to us.config?
w***@ccwf.cc.utexas.edu
2003-10-01 06:58:25 UTC
The GOOHLE.US "Lover Spy" spammer also owns GOOTLE.US (and others)
GOOFLE.US appears to be correctly registered at www.whois.us
...irrelevance snipped...
Nice to see you again, Werner. Do you have any idea why this thread was
crossposted to us.config?
hi Henrietta. it wasn't explained, but the fellow who posted the
first follow-up in the thread apparently thought that the fact that
a domain in the *.US "hemisphere" got mentioned was reason enough
for cross-posting. Everyone else just posted follow-ups.

Was there reason to think that wrong? I (and everyone else, I guess)
felt like, okey, maybe someone there cares...
--
/"\ ASCII... ._. || Stop Verisign DNS Abuse Petition
\ / on Usenet /v\ || www.whois.sc/verisign-dns
X ANYTHING ELSE /( )\ || "Don't Mess With Penguins!!"
/ \ IS BLOAT !! ^^ ^^ || OPT-OUT is *E*V*I*L*
edward ohare
2003-10-01 10:04:58 UTC
Post by w***@ccwf.cc.utexas.edu
The GOOHLE.US "Lover Spy" spammer also owns GOOTLE.US (and others)
GOOFLE.US appears to be correctly registered at www.whois.us
Nice to see you again, Werner. Do you have any idea why this thread was
crossposted to us.config?
hi Henrietta. it wasn't explained, but the fellow who posted the
first follow-up in the thread apparently thought that the fact that
a domain in the *.US "hemisphere" got mentioned was reason enough
for cross-posting. Everyone else just posted follow-ups.
Was there reason to think that wrong? I (and everyone else, I guess)
felt like, okey, maybe someone there cares...
Yes, but not for the reasons you might presume. Just as this thread
appeared, HT proclaimed discussion of spam off topic for us.config.
But she appears to have enjoyed participating in this thread.

Probably a nice diversion from having to ignore questions about why
she thinks moderating a group over the wishes of the groupers is a
good idea.
w***@ccwf.cc.utexas.edu
2003-10-01 15:16:25 UTC
edward ohare responded to me in this thread...
Post by edward ohare
The GOOHLE.US "Lover Spy" spammer also owns GOOTLE.US (and others)
GOOFLE.US appears to be correctly registered at www.whois.us
Nice to see you again, Werner. Do you have any idea why this thread was
crossposted to us.config?
hi Henrietta. It wasn't explained, but the fellow who posted the first
follow-up in the thread apparently thought that mentioning a domain in
*.US was good (enough) reason to cross-post. Everyone else just followed
Was there reason to think that wrong? I (and everyone else, I guess)
felt like, okey, maybe someone there cares...
Yes, but not for the reasons you might presume. Just as this thread
appeared, HT proclaimed discussion of spam off topic for us.config.
But she appears to have enjoyed participating in this thread.
oh... <chuckle>... you guys giving Henrietta a hard time again?!?

I vaguely remember this to be "an old bone" and I really want to
have no part of it -- other than remarking that being a moderator
one occasionally gets sniped at like that by people who are not
happy with being able to voice their opinions lots of other places,
but who think they *must* say it *here* -- and that's just why
there is a moderator, to tell you *no, not HERE*...

people who have problems with that have TMTOTH...
Post by edward ohare
Probably a nice diversion from having to ignore questions about why she
thinks moderating a group over the wishes of the groupers is a good idea.
why should she want/care to? once a froup is moderated --unless it
was started with a charter that allows dethroning-- the moderator
*owns* it, is rather free to interpret the charter (if there is one)
any old way s/he wants to (in what to approve and how much of it)

I let my announce group die when it was just getting gazillions
of spam, no posts that fit within (my) charter framework...
(I hadn't volunteered to be a journalist, producing content,
just a moderator, an editor in other words)...
...and while I managed to think of it as a spam honey-pot for the
longest time (to quickly react and report, trying to stop spammers
cold -- except, of course, that's not how ISPs work, *they* don't
*react* until days later, most of them, if at all) sloshing through
the onslaught of spam simply got old and pointless...
..understand how that works, what I mean? The job *is* to say *NO*
or *let me help you improve what you are trying to communicate so
it fits*...

my froup? CSMA = comp.sys.mac.announce (you can find a little info
about it still at <http://ccwf.cc.utexas.edu/~werner/explain> )

now give Henrietta a bit of a break, think "thanks" every once in
a while, for trying to keep a froup free of chit-chat (like this :)
--
/"\ ASCII... ._. || Stop Verisign DNS Abuse Petition
\ / on Usenet /v\ || www.whois.sc/verisign-dns
X ANYTHING ELSE /( )\ || "Don't Mess With Penguins!!"
/ \ IS BLOAT !! ^^ ^^ || OPT-OUT is *E*V*I*L*
edward ohare
2003-10-01 15:51:37 UTC
Post by w***@ccwf.cc.utexas.edu
edward ohare responded to me in this thread...
Post by edward ohare
Yes, but not for the reasons you might presume. Just as this thread
appeared, HT proclaimed discussion of spam off topic for us.config.
But she appears to have enjoyed participating in this thread.
oh... <chuckle>... you guys giving Henrietta a hard time again?!?
Yes. But not for sport.