OOPS -- Doug's pr0n spam part TWO:

OK, I made a mistake in my analysis. The website is set up to be able to tell I'm using Sam Spade's browser, and if so to feed the Apache install pages. If you click on that link on an unsecured machine with IE, you get REDIRECTED to the real porn page, which is still up. Crap.
It redirects to http://%77%77w.%6e%65%74m%61i%6cs%2e%63%6f%6d/%6De%6D%62%65r%73%2F%77e%62c%61%6Dz/%6F%75%72%63am.%68t%6D%6C, another Unicoded web site that decodes to 66.46.145.35, which is www.netmails.com. Of course, it's actually a user page there, namely http://www.netmails.com/members/webcamz/ourcam.html. That's the page being spammed.

You need to LART their ISP. The abuse address for netmails.com is [EMAIL PROTECTED], oddly enough. I hope you get action with them. The problem is, they may be in cahoots with the bozos running the porn site. You have plenty of ammunition to get the site pulled -- (1) spam; (2) deliberately misleading subject; (3) forged headers; (4) relay rape; (5) Korean redirect, probably hacked (the Korean doesn't know); (6) encoded URLs; -- this violates every TOS agreement in the world. If they won't yank it, they are spammers themselves. Maybe they will, though. If not, you need to go upstream. Netmails.com's upstream is attcanada.ca, which is bad news, because they LOVE their spammers and refuse to do anything about them.

You know, Spamcop will do all that work for you. I fed your spam in, and they recommend LARTing [EMAIL PROTECTED], which is Korea -- but they are blind to complaints, so forget it, and straight to [EMAIL PROTECTED] Be careful, though; Spamcop also picked up YOUR upstream, based on [EMAIL PROTECTED] being in the message, as well as spamcon.org (at [EMAIL PROTECTED])! LARTing those folks would be dumb, since they're not the spammer. Spammers are getting better and better about tricking Spamcop into LARTing the user too. Watch those checkboxes.

They also picked up [EMAIL PROTECTED], for the sender's address [EMAIL PROTECTED] Normally I don't bother with these, since there's no freakin' way to prove that they had anything to do with it. There's no reason why they'd FAKE a "sexparty.com" address, but nobody's going to kill them on this evidence, unfortunately. But feel free to LART away.
What probably happened is a ring of interlocking throwaways. He's got his porn up on the netmails.com site, but if that gets pulled he just opens up another free website on one of the other 999,999,999 free hosting places; he's got his redirect up on the hacked Korean site (where some grade school administrator is starting to wonder why his network is so slow), which he can also replace in a moment -- that's how these shits operate. Unfortunately the actual webcam site is hidden -- when you click on it, you run a program, which is a little scary. For some strange reason, I'm a little reluctant to download a program called "sorority.exe". It could be a virus masquerading as porn. Could be a modem dialer set to call a $100/minute 900 number. Could be anything. This is how the world ends, not with a bang but with a webclick.... I really like the html on the porn site that has the "people currently viewing" the webcam as a random number + 150. These people would lie about the time of day, I swear it.
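
Added example (not part of the original post): a small Python triage helper that decodes a percent-encoded URL like the redirect target quoted above for analyst display, and flags the signs of deliberate obfuscation. The function names, flag labels and threshold are assumptions made for this illustration; the benign control URL is constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 3986 "unreserved" characters: a legitimate URL never needs to escape these.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def needless_escapes(text):
    """Return the escapes in `text` that encode an unreserved character."""
    return [m.group(0) for m in ESCAPE.finditer(text)
            if chr(int(m.group(1), 16)) in UNRESERVED]


def analyze_url(url, threshold=3):
    """Decode a percent-obfuscated URL for display and list why it looks suspicious."""
    url = re.sub(r"\s+", "", url)          # archived mail often wraps long URLs
    parts = urlsplit(url)
    host, path = parts.netloc, parts.path
    flags = []
    if ESCAPE.search(host):
        flags.append("encoded-host")        # hostnames are not escaped in normal use
    if len(needless_escapes(host + path)) >= threshold:
        flags.append("needless-escapes")    # plain letters hidden behind %XX
    if re.search(r"%2[Ff]", path):
        flags.append("encoded-slash")       # path separator hidden inside a segment
    return {
        "host": unquote(host).lower(),
        "path": unquote(path),              # for the analyst's eyes, not for fetching
        "needless": len(needless_escapes(host + path)),
        "flags": flags,
    }


# The redirect target quoted in the post, including the line-wrap space.
SPAM_URL = ("http://%77%77w.%6e%65%74m%61i%6cs%2e%63%6f%6d/"
            "%6De%6D%62%65r%73%2F%77e%62c%61% 6Dz/%6F%75%72%63am.%68t%6D%6C")
# Constructed benign control: %20 is a real, necessary escape.
CLEAN_URL = "http://example.com/docs/a%20b.html"

if __name__ == "__main__":
    for u in (SPAM_URL, CLEAN_URL):
        print(analyze_url(u))
```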
