In early May, our honeypots started picking up a lot of health insurance spam.

The visible From: field always contained a known health insurer. Typically, Blue Cross, Fortis, Humana, Pacificare or United Health.

The Subject: line rotated:

  • $38 Health Coverage;
  • Affordable health insurance;
  • Consumers scramble to get health insurance;
  • Health coverage as low as 38 per month;
  • Health ins as low as thrity-eight dollars per month;
  • Major companies respond to Cover the Uninsured week;
  • States push for reduced Health costs;
  • Top insurance carriers at the best prices, or;
  • why hea1thinsurance is so expensive.

The message body copy rotated as well. A representative pitch:
Hi, yourname@honeypot, look what I found!!!

My best friend just got hea1thinsurance for only 43 a month in Florida. He just turned 30.

He went to this website and got 5 quotes from big companies like Blue Cross, Humana, Pacificare and a few others I’ve never heard of.

If you need hea1thinsurance, this has fast and is easy on the wallet : http://www.thespammer’sinsurancesalessite

I live in Chicago and got insured for only 38 a month!

The opt-out address embedded in each pitch was consistently:
Correos 32s02g Cl ‘G’ Manzana H Lt-19
Urbanizacion Lucyana Carabayllo, Lima06

One of at least seven domains was mentioned in each pitch: atlasweave.com, barelymaple.com, dailyaverage.com, ferrystand.com, fourbeit.com, jyump.com or preslate.com. In turn, all of these domains use domain name servers at either unitedhostingservices.com, netcomnet.com, flixnet.net or integernet.com.

When we used our WHOIS Lookup by Domain tool, we found the contact information listed for barelymaple.com, ferrystand.com, fourbeit.com, jyump.com, preslate.com, unitedhostingservices.com, netcomnet.com, flixnet.net and integernet.com was

Contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457

That’s all anybody gets when they run a whois query, if a spammer subscribes to Tucows Whois Privacy Service [pdf]. When you call the listed phone number, a recording tells you that inbound calls are not accepted, then directs you to the contactprivacy.com website.

The spammer neglected to use Tucows Whois Privacy Service for atlasweave.com and dailyaverage.com. Here’s what we got:

Registrant, Administrative and Technical Contacts:
United Hosting Services SA
MZ H Lote 19 Enace
Carabayllo, Lima LIMA06
PE
+011.5114617309

Registration Service Provider:
UQHost, hostmaster@uqhost.com
303-496-0265
http://uqhost.com

A visit to United Hosting Services’ website revealed an anonymous page with an opt-out link to globaloptout.com, which is, like uqhost.com and unitedhostingservices.com, protected by Tucows Whois Privacy Service. Uqhost.com has an unlisted number answered by a “we’ll get back to you” recording and no website, but netcomnet.com and integernet.com and most of the sites we’ve discussed display an opt-out page titled PrivacySure, while flixnet.net is a page under construction with an opt-out link to privacysure.com, where you see (again) an opt-out page titled PrivacySure. Like its brethern, privacysure.com is protected by Tucows Whois Privacy Service.

In case you’re wondering, Tucows reserves the right to desert a sinking ship by piously ripping away a perpetrator’s cover “to avoid financial loss or legal liability or if Tucows believes that the Registrant is using the Whois Privacy Service to conceal its involvement with illegal, illicit, objectionable or harmful activities or to transmit SPAM, viruses, worms or other harmful computer programs.”

Surprised? Don’t be.

Most all the registrars do it… not that they should.