Who is Gemma Brown who is collecting spam and chain letters for a research project?

What's the connection between "research-project.org" and "who-remembers-me.com"?

Here is a chain letter that was forwarded to me recently, minus hundreds of email addresses to which this had already been forwarded:

From: Gemma Brown
Date: 10/16/05 21:51:46
To: emailaddress
Subject: Your e-mail address. (Ref. ATEMIF81PPZ)

Hi - emailaddress

Please be assured that you will not receive this e-mail again, it is a one off mailing!

Recently I received a chain letter (A piece of mail that was forwarded to me) that contained your e-mail along with several other peoples.

I thought that as your e-mail address was contained in one of these chain letters (forwards) you might have others that you would be willing to send to me. I know that this might sound a bit bizarre but I can assure you that this is a serious request. I am involved in a research project that is based over the next year, we are analysing Internet mail and trying to come up with some fairly accurate results as far as trends and patterns are concerned, we also need some accurate data regarding the type of mail that circulates around the internet, we know that 69% of all mail is Spam but what we don’t know is what % of that Spam accounts for chain mail (forwards of any type, something that has been forwarded to you, a piece of mail that has formed part of a chain).

I would be very grateful if you would be kind enough to forward absolutely anything and everything that remotely resembles chain mail, forwards of any type (even the rude ones). This project is based over the next year and I need at least 500,000 forwards for this project to be a success, so please keep them coming the more the better and don’t worry I have some pretty huge mail boxes to cope with this.

I would be most grateful if you would be kind enough to forward this e-mail to all your friends & family as I need as many as I can get my hands on for the project to be successful
Please send all chain mail (forwards) to the following address. gemma25@research-project.org

Everyone that helps will receive a copy of our results and findings in January of next year so please help if you can.

Thanks

Gemma

Reference No - (ATEMIF81PPZ)

You will only receive this mail the once, it will not be sent to you again and your e-mail address will not be passed on, however to conform to the law we must give you the opportunity to have your e-mail removed from our list. Please reply with the word delete to have your address removed.

Variations of this email have been circulating since early 2004, using different email accounts at the same domain (gemma3@research-project.org, gemma4@research-project.org, gemma15@research-project.org, gemma17@research-project.org, etc.).

Here is an almost identical email sent almost a year later:

From gemma38@research-project.org (September 2006)

Hi wendalls0312

Sent from Gemma Brown.

I recently received a chain letter (A piece of mail that had been forwarded to me) that had your e-mail address in it along with several other peoples.

I thought that as your mail address was on one of these chain letters (forwards) you may have others that you would be willing to send to me. I know that this might sound like a daft request but I can assure you that this is a serious request. I am involved in a university project that is based over a year and we are analysing Internet mail, we are trying to ascertain trends and patterns to come up with some fairly accurate statistics regarding the type of mail that circulates around the internet, we know that 70% of all mail is spam but what we don’t know is what percentage of that spam accounts for chain mail (forwards of any type, something that has been forwarded to you, a piece of mail that has formed part of a chain).

Please send absolutely anything and everything that remotely resembles chain mail, forwards of any type (even the rude ones). My project is based over a year and I need one million forwards for this project to be a success, so please keep them coming and don’t worry I have some pretty huge mail boxes.

I would be grateful if you would be kind enough to forward this piece of mail to all your friends as I need as much help as I can get.

Please send all chain mail (forwards) to the following address. gemma38@research-project.org

Everyone that helps will receive a copy of our results and findings in January of next year so please help if you can.

Thanks

Gemma

You will only receive this mail the once, it will not be sent to you again and your e-mail address will not be passed on, however to conform to the law we must give you the opportunity to have your e-mail removed from our list. Please reply with the word delete to have your address removed.

Message headers:

X-Apparently-To: SPAMRECIPIENT via 68.142.207.115;
 Tue, 12 Sep 2006 16:14:41 -0700
X-YahooFilteredBulk: 81.201.138.87
X-Originating-IP: [81.201.138.87]
Authentication-Results: mta190.mail.mud.yahoo.com
  from=research-project.org; domainkeys=neutral (no sig)
Received: from 81.201.138.87  (HELO mail.research-project.org) (81.201.138.87)
  by mta190.mail.mud.yahoo.com with SMTP; Tue, 12 Sep 2006 16:14:41 -0700
Received: (qmail 7172 invoked by uid 0); 12 Sep 2006 23:23:02 -0000
Date: 12 Sep 2006 23:23:02 -0000
To: SPAMRECIPIENT
Subject: This is a reply to the mail you sent me.
Content-type: text/html
From: Gemma Brown <gemma38@research-project.org>
Reply-To: <gemma38@research-project.org>
Content-Length: 1019

So who is behind research-project.org? The website itself does not provide any help, because it only contains the message:

This site is currently under construction.
Please call again.

Here are the registration details of the domain:

Domain ID:D106284645-LROR
Domain Name:RESEARCH-PROJECT.ORG
Created On:10-May-2005 08:25:49 UTC
Last Updated On:24-Sep-2005 04:16:29 UTC
Expiration Date:10-May-2007 08:25:49 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:5AF7592DC33529F7
Registrant Name:Research Project
Registrant Organization:Research Project
Registrant Street1:Office 255
Registrant Street2:111 Piccadilly
Registrant Street3:
Registrant City:Manchester
Registrant State/Province:England
Registrant Postal Code:M1 2HX
Registrant Country:GB
Registrant Phone:+44.7899848114
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:elizabeth@research-project.org
Admin ID:CBBBDABDC3627FA2
Admin Name:Gail Jones
Admin Organization:ukfast.net Ltd
Admin Street1:The Mezzanine, Abbey House
Admin Street2:32 Booth St
Admin Street3:
Admin City:Manchester
Admin State/Province:
Admin Postal Code:M2 4AB
Admin Country:GB
Admin Phone:+1.441619095160
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:us-auth@ukfast.net
Tech ID:CBBBDABDC3627FA2
Tech Name:Gail Jones
Tech Organization:ukfast.net Ltd
Tech Street1:The Mezzanine, Abbey House
Tech Street2:32 Booth St
Tech Street3:
Tech City:Manchester
Tech State/Province:
Tech Postal Code:M2 4AB
Tech Country:GB
Tech Phone:+1.441619095160
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:us-auth@ukfast.net
Name Server:NS0.UKFAST.NET
Name Server:NS1.UKFAST.NET

The Royal Mail postcode finder has a dozen entries listed for "111 Piccadilly", but all but one are listed as in a building called "Rodwell Tower" with a postcode of M1 2HY. The only other one is a firm called "Mail Boxes etc", which coincidentally has a postcode of M1 2HX. In other words, "Office 255" is likely to be "Post Office Box 255" at "Mail Boxes etc".

According to this thread the domain was registered using an email address from the domain "who-remembers-me.com", a site about which there are numerous spam complaints. This is not the current contact address. Maybe the owner did not want to show any connection to that domain and changed it later?

Here are some mail headers from a "Gemma Brown" spam email sent to a mailing list:

Received: from unknown (HELO mail.research-project.org) (81.201.138.87)
 by mta6.grp.scd.yahoo.com with SMTP; 16 Jun 2005 09:50:23 -0000
Received: (qmail 19605 invoked by uid 0); 16 Jun 2005 09:53:05 -0000
Date: 16 Jun 2005 09:53:05 -0000
Message-ID: <20050616095305.19604.qmail@...>
To: emailaddress
Content-type: text/html
X-Originating-IP: 81.201.138.87
From: Gemma Brown <gemma20@research-project.org>
Reply-To: <gemma20@@research-project.org>
Subject: This is a reply to the mail you sent me. (Ref. U3KM0FX90D3)

The IP address matches the company that hosts the website. They can be contacted via abuse@ukfast.net:

inetnum:        81.201.138.0 - 81.201.138.255
netname:        UKFAST
descr:          See UKFAST-MNT for contact details
country:        GB
admin-c:        NL202-RIPE
tech-c:         NL202-RIPE
status:         ASSIGNED PA
mnt-by:         UKFAST-MNT
mnt-lower:      UKFAST-MNT
mnt-routes:     UKFAST-MNT
remarks:        Abuse reports should be sent to abuse@ukfast.net
source:         RIPE # Filtered

person:       Neil Lathwood
address:      Abbey House
address:      32 Booth Street
address:      Manchester
address:      M2 4AB
phone:        +44 845 458 4545
fax-no:       +44 870 458 4545
e-mail:       neil.lathwood@ukfast.net
nic-hdl:      NL202-RIPE
source:       RIPE # Filtered

Here is a "who-remembers-me" spam that we received:

who-remembers-me.com

From: "Customer Services" <info@wrmweb-1.co.uk>
To: <joewein@pobox.com>
Sent: Friday, 25 November, 2005 13:20
Subject: Your friend has entered you into our tell a friend link. (5YJYKX80KYO)

Hello joewein

Friend Ref – (5YJYKX80KYO)

Please do not reply to this e-mail, as it will not get answered, if you have any questions or need any help please use the support link on our home page (http://www.who-remembers-me.com/p_support.html).

Your e-mail address has been entered into the www.Who-Remembers-Me.com “Tell a friend” link by one of your friends in order for us to send you a short note recommending this web-site as they feel it maybe of interest to you.

Who-Remembers-Me.com is a very simple and easy to use web-site that is designed to enable everyone to find old friends from the past or present, right from your very childhood to the present day world-wide, from old school, college and university friends to past work mates and old neighbours (or neighbors – let’s not forget our friends in North America!) that used to live in the same street, estate or neighbourhood as you. Maybe you were a member of a local sports team or club and would like to look-up old team mates, what ever you have done and wherever you have been you can now find all them old friends and acquaintances.

Find old friends and acquaintances now with Who-Remembers-Me.com, read their profile see what they have been doing and what they are doing now, get in touch or just indulge in a little nostalgia and remember. Click the following link or copy and past it into your web browser to go directly to our site. (http://www.Who-Remembers-Me.com)

Recommend this site now to all your friends by clicking on the following “tell a friend” link!

http://www.who-remembers-me.com/?page=tellfriend


Who-Remembers-Me.com
P O Box 50718
London
England
NW6 2PT

We take Internet security very seriously and have provided a link below in order for you to remove your e-mail address from our database. We never buy or sell e-mail addresses, the e-mail addresses that are obtained through our tell a friend link are strictly used for that purpose and that purpose only and are never divulged to anyone else.

http://www.who-remembers-me.com/remove.php



Message headers:

Received: from mail.wrmweb-1.co.uk (wrmweb-1.co.uk [81.201.138.79])
 by fence.pobox.com (Postfix) with SMTP id 87AF91E549
 for <joewein@pobox.com>; Thu, 24 Nov 2005 23:08:47 -0500 (EST)
Received: (qmail 22957 invoked by uid 0); 25 Nov 2005 04:20:02 -0000
Date: 25 Nov 2005 04:20:02 -0000
Message-ID: <20051125042002.22955.qmail@mail.wrmweb-1.co.uk>
To: joewein@pobox.com
Subject: Your friend has entered you into our tell a friend link. (5YJYKX80KYO)
From: Customer Services <info@wrmweb-1.co.uk>
Reply-To: <info@wrmweb-1.co.uk>

Both the research-project.org and the who-remembers-me.com spam use an 11-character alphanumeric reference number in the subject line. And, as you can see from the message headers, the sending IP addresses are very close:

  • research-project.org - 81.201.138.87
  • who-remembers-me.com - 81.201.138.79
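
The comparison above, carried out in code as an added example (not the author's or jwSpamSpy's code): it parses the header excerpts from this page, takes the relay address from the top-most Received line and the reference token from the Subject, and lists the traits the two messages share. The function names, the regular expressions and the third trait (both messages were handed to the relay by a local qmail process, as the headers above show) are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string

# Header excerpts copied from the two samples on this page.
RESEARCH_PROJECT = """\
Received: from unknown (HELO mail.research-project.org) (81.201.138.87)
 by mta6.grp.scd.yahoo.com with SMTP; 16 Jun 2005 09:50:23 -0000
Received: (qmail 19605 invoked by uid 0); 16 Jun 2005 09:53:05 -0000
Subject: This is a reply to the mail you sent me. (Ref. U3KM0FX90D3)
"""
WHO_REMEMBERS_ME = """\
Received: from mail.wrmweb-1.co.uk (wrmweb-1.co.uk [81.201.138.79])
 by fence.pobox.com (Postfix) with SMTP id 87AF91E549
 for <joewein@pobox.com>; Thu, 24 Nov 2005 23:08:47 -0500 (EST)
Received: (qmail 22957 invoked by uid 0); 25 Nov 2005 04:20:02 -0000
Subject: Your friend has entered you into our tell a friend link. (5YJYKX80KYO)
"""

IPV4 = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
REF = re.compile(r"\((?:Ref\. )?([A-Z0-9]{11})\)")

def fingerprint(raw_headers):
    """Return (relay_ip, reference, injected_by_qmail) for one message."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received", [])
    # Only the top-most Received line is written by the recipient's own MTA.
    m = IPV4.search(received[0]) if received else None
    ip = ipaddress.ip_address(m.group(1)) if m else None
    ref = REF.search(msg.get("Subject", ""))
    qmail = any(r.lstrip().startswith("(qmail ") for r in received[1:])
    return ip, ref.group(1) if ref else None, qmail

def shared_signals(a, b, prefix=24):
    """List the traits two messages have in common."""
    (ip_a, ref_a, q_a), (ip_b, ref_b, q_b) = fingerprint(a), fingerprint(b)
    signals = []
    if ip_a and ip_b:
        net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
        if ip_b in net:
            signals.append(f"same /{prefix}: {net}")
    if ref_a and ref_b:
        signals.append("11-character reference in Subject")
    if q_a and q_b:
        signals.append("qmail local injection")
    return signals

if __name__ == "__main__":
    print(shared_signals(RESEARCH_PROJECT, WHO_REMEMBERS_ME))
```

A shared /24 at a hosting company is a weak signal on its own; here it coincides with the RIPE allocation 81.201.138.0 - 81.201.138.255 shown earlier, which is the hosting provider's range rather than a single customer's.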

Traffic on who-remembers-me.com was very moderate until about three months after research-project.org started gathering email addresses, then it started picking up. I don't know how much of that traffic is related to "your friend wants to recommend this site" kind of spam and if these are really friends' recommendations or have been fabricated using addresses obtained elsewhere. While I don't have any clear-cut proof that research-project.org is gathering addresses to drive business to who-remembers-me.com, I do have some suspicion...

Domain registration for "who-remembers-me.com":

   Domain Name: WHO-REMEMBERS-ME.COM
   Registrar: TOTALREGISTRATIONS
   Whois Server: whois.totalregistrations.com
   Referral URL: http://www.totalregistrations.com
   Name Server: NS1.WHO-REMEMBERS-ME.COM
   Name Server: NS2.WHO-REMEMBERS-ME.COM
   Status: ACTIVE
   Updated Date: 01-may-2005
   Creation Date: 22-may-2003
   Expiration Date: 22-may-2006


>>> Last update of whois database: Fri, 25 Nov 2005 02:25:39 EST <<<

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Registrant:
   Julien Robert
   Billington
   Kylemore Road, P O Box 50718
   London
   London
   NW6 2PT
   UK   

   Domain Name: who-remembers-me.com

   Administrative Contact:
      Domains Team (DT00047-TR)
      Donhost Limited
      1 Heather Court
      Doncaster
      South Yorkshire
      DN2 5YL
      GB
      phone: +44(0)8707414151
      fax: 
      domains@donhost.co.uk
      
   Technical Contact:
      Domains Team (DT00047-TR)
      Donhost Limited
      1 Heather Court
      Doncaster
      South Yorkshire
      DN2 5YL
      GB
      phone: +44(0)8707414151
      fax: 
      domains@donhost.co.uk
      
   Record updated on 03-May-2005
   Record expires on 22-May-2006
   Record created on 22-May-2003

   Domain servers in listed order:
      ns1.who-remembers-me.com        81.21.69.241 
      ns2.who-remembers-me.com        81.21.69.242 

Domain registration for "wrmweb-1.co.uk":

    Domain Name:
        wrmweb-1.co.uk

    Registrant:
        who-remembers-me.com

    Registrant's Address:
        30 Keyoemore Road
        London
        NW6 2PT
        GB

    Registrant's Agent:
        ukfast.net Ltd [Tag = UKFAST]

    Relevant Dates:
        Registered on:  11-Apr-2005
        Renewal Date:   11-Apr-2007

    Registration Status:
        Registered until renewal date.

    Name servers listed in order:
        ns0.ukfast.net                    81.201.128.133
        ns1.ukfast.net                    81.201.143.133

    WHOIS database last updated at 09:50:01 25-Nov-2005
