In early May, our honeypots started picking up a lot of health insurance spam.
The visible From: field always contained a known health insurer. Typically, Blue Cross, Fortis, Humana, Pacificare or United Health.
The Subject: line rotated:
- $38 Health Coverage;
- Affordable health insurance;
- Consumers scramble to get health insurance;
- Health coverage as low as 38 per month;
- Health ins as low as thrity-eight dollars per month;
- Major companies respond to Cover the Uninsured week;
- States push for reduced Health costs;
- Top insurance carriers at the best prices, or;
- why hea1thinsurance is so expensive.
Hi, yourname@honeypot, look what I found!!!My best friend just got hea1thinsurance for only 43 a month in Florida. He just turned 30.
He went to this website and got 5 quotes from big companies like Blue Cross, Humana, Pacificare and a few others I’ve never heard of.
If you need hea1thinsurance, this has fast and is easy on the wallet : http://www.thespammer’sinsurancesalessite
I live in Chicago and got insured for only 38 a month!
The opt-out address embedded in each pitch was consistently:
Correos 32s02g Cl ‘G’ Manzana H Lt-19
Urbanizacion Lucyana Carabayllo, Lima06
One of at least seven domains was mentioned in each pitch: atlasweave.com, barelymaple.com, dailyaverage.com, ferrystand.com, fourbeit.com, jyump.com or preslate.com. In turn, all of these domains use domain name servers at either unitedhostingservices.com, netcomnet.com, flixnet.net or integernet.com.
When we used our WHOIS Lookup by Domain tool, we found the contact information listed for barelymaple.com, ferrystand.com, fourbeit.com, jyump.com, preslate.com, unitedhostingservices.com, netcomnet.com, flixnet.net and integernet.com was
Contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
That’s all anybody gets when they run a whois query, if a spammer subscribes to Tucows Whois Privacy Service [pdf]. When you call the listed phone number, a recording tells you that inbound calls are not accepted, then directs you to the contactprivacy.com website.
The spammer neglected to use Tucows Whois Privacy Service for atlasweave.com and dailyaverage.com. Here’s what we got:
Registrant, Administrative and Technical Contacts:
United Hosting Services SA
MZ H Lote 19 Enace
Carabayllo, Lima LIMA06
PE
+011.5114617309Registration Service Provider:
UQHost, hostmaster@uqhost.com
303-496-0265
http://uqhost.com
A visit to United Hosting Services’ website revealed an anonymous page with an opt-out link to globaloptout.com, which is, like uqhost.com and unitedhostingservices.com, protected by Tucows Whois Privacy Service. Uqhost.com has an unlisted number answered by a “we’ll get back to you” recording and no website, but netcomnet.com and integernet.com and most of the sites we’ve discussed display an opt-out page titled PrivacySure, while flixnet.net is a page under construction with an opt-out link to privacysure.com, where you see (again) an opt-out page titled PrivacySure. Like its brethern, privacysure.com is protected by Tucows Whois Privacy Service.
In case you’re wondering, Tucows reserves the right to desert a sinking ship by piously ripping away a perpetrator’s cover “to avoid financial loss or legal liability or if Tucows believes that the Registrant is using the Whois Privacy Service to conceal its involvement with illegal, illicit, objectionable or harmful activities or to transmit SPAM, viruses, worms or other harmful computer programs.”
Surprised? Don’t be.
Most all the registrars do it… not that they should.
5 comments
Comments feed for this article
June 7th, 2006 at 7:42 am
thewebguy
why pick on tucows for something that nearly every registrar offers? private domain registration is an effort to STOP spam, so that no one can browse through whois records and mine email addresses.
if you have ever registered a domain without using some sort of spam protection, try it and see what kind of spam you start getting.
June 7th, 2006 at 9:47 am
BJ Gillette
@thewebguy.
Why pick on Tucows? Factual illustration. Note the last sentence in our article: “Most all the registrars do it.”
In my spammer tracking experience, virtually every professional spam operation hides behind the privacy shields rented out by registrars.
Businesses who own domains ought to be reachable. Nobody needs registrars to help them hide.
Those who eschew public interaction can set their spam filters appropriately.
June 7th, 2006 at 4:44 pm
cando
After that the registrars learn like making the monies from the squatters of Domain Name, they chase the commerce. This protection of privacy is a similar sense to make the monies from the spammers.
June 12th, 2006 at 12:12 pm
Serena Giddens
Tucows does more than that to aid Spammers. It’s an ICANN-mandated regulation (and part of every registrar’s own TOS) that you must provide valid contact information for the WHOIS databases Internet-wide (or utilize a proxy registration service). But I can tell you first-hand that I have contacted Tucows numerous times related to a domain registration registered through them because that registered domain’s contact information is completely false. (I had need to contact the domain owner due to copyright infringements they were directly commiting against SERENA’s WORLD. Tucows patently refused to even acknowledge those communications from me whatsoever, let alone take the appropriate action against the domain registration’s owner for violating their TOS and ICANN’s for false contact information. Reason? I believe it’s because the violator’s domain is through a reseller of theirs that has thousands and thousands of domains through them and also hosts the violating domain - and they don’t wish to “rock the boat”.
Bottom line is: A domain registration through Tucows can easily have completely false information and Tucows cares not. Naturally this open up a huge can of worms for the illegally and/or immorally bent snakes in the grass.
June 15th, 2006 at 9:03 am
BJ Gillette
Hi Serena.
Unfortunately, this type of behaviour is not limited to Tucows.
I’m baffled that ICANN would go along with the theory that legitimate businesses operating in the public sphere (ie, Web) need to have their identities protected.