Future Investor Clubs of America Kids and Teens Programs
olliver
Expert Developer
Posted: Mon May 04, 2009 3:30 am    Post subject: Future Investor Clubs of America Kids and Teens Programs

My spamtrap has been receiving its share of "mail blasts" that seemed to be intended for US citizens, though the trap should appear as non-US even to the densest trailer-trash-spammer.

Quote:
Delivered-To: <spamtrap>
Received: by 10.229.95.194 with SMTP id e2cs197146qcn;
Mon, 4 May 2009 66:66:66 -0700 (PDT)
Received: by 10.103.213.10 with SMTP id p10mr3286391muq.49.6666666666666;
Mon, 04 May 2009 66:66:66 -0700 (PDT)
Return-Path: <brendabmmilesko@excite.com>
Received: from excite.com ([213.254.143.61])
by mx.google.com with SMTP id j9si15278228mue.51.2009.05.04.66.66.66;
Mon, 04 May 2009 66:66:66 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning brendabmmilesko@excite.com does not designate 213.254.143.61 as permitted sender) client-ip=213.254.143.61;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning brendabmmilesko@excite.com does not designate 213.254.143.61 as permitted sender) smtp.mail=brendabmmilesko@excite.com
Received: from [73.142.109.203] by mail.gimmicc.net with NNFMP; Mon, 04 May 2009 66:66:66 +0400
Received: from smtp.doneohx.com ([Mon, 04 May 2009 66:66:66 +0400])
by mail.gimmicc.net with LOCAL; Mon, 04 May 2009 66:66:66 +0400
Received: from mailout.endmonthnow.com ([98.43.60.168]) by smtp18.yenddx.com with NNFMP; Mon, 04 May 2009 66:66:66 +0400
Received: from smtp18.yenddx.com [163.66.93.45] by public.micromail.com.au with LOCAL; Mon, 04 May 2009 66:66:66 +0400
Message-ID: <xxxxxxxx@excite.com>
Date: Mon, 04 May 2009 66:66:66 +0400
Reply-To: "William Thornsmidth" <brendabmmilesko@excite.com>
From: "William Thornsmidth" <brendabmmilesko@excite.com>
User-Agent: AOL 8.0 for Windows US sub 230
MIME-Version: 1.0
To: <spamtrap>,
<victim 1>,
<victim 2>,
<victim 3>
Subject: Future Investor Clubs of America Kids and Teens Programs.
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html>

<head>

</head>

<body>
<font color="#FFFFFF">[snipped tagging]</font><br>
<font face="Microsoft Sans Serif">
</font>
<font face="Arial, Helvetica, sans-serif">
<div>
<br>
The Future Investor Clubs of America (FICA)&nbsp;founded in January 1997,
is a <br>
<span style="cursor: pointer; -moz-background-clip: -moz-initial;
-moz-background-origin: -moz-initial; -moz-background-inline-policy:
-moz-initial; background:" class="yshortcuts" id="lw_1240013491_0">
financial intelligence training</span> network designed to introduce
students
ages 8-19 <br>
to the world of business and finance at an early age in a fun and
exciting
way.
</div>
<div>
Since 1997 thousands of students have benefited from our training
programs and
</div>
<div>
events! FICA is dedicated to &quot;Training Tomorrow's Investors
Today&quot; �. <br>
<br>
Our education and training system consist of many exciting and
informative
programs and events
</div>
<div>
such as: <br>
<br>
&nbsp;</div>
<div>
Future Investor Clubs of America Members Online Network!<br>
Future Investor Clubs <span class="yshortcuts" id="lw_1240013491_1">
Introductory Training!<br>
Wall Street</span>
<span style="cursor: pointer; border-bottom: 1px dashed rgb(0, 102, 204)"
class="yshortcuts" id="lw_1240013491_2">
Summer Camps</span>!<br>
Young Investor Clubs!<br>
Young Analyst Clubs!<br>
Young Executives Clubs!<br>
Financial Whiz Kids/Teens Challenge &amp; Competitions!<br>
Whiz Kids/Teens Online e-Learning Network!<br>
<span class="yshortcuts" id="lw_1240013491_3">Financial Literacy
News</span>
Online!<br>
International Training and Tours!</div>
<div>
<br>
To learn more Click visit:
<a rel="nofollow" target="_blank" href="http://www.ficaworld.com/"
style="text-decoration: none">
<span class="yshortcuts" id="lw_1240013491_4">www.ficaworld.com</span></a
><br>
&nbsp;<br>
The Future Investor Clubs of America (FICA) would like to invite you and
or
<br>
students ages 8-19 to become a member today. <br>
<br>
&nbsp;</div>
<div>
As a FICA Member you will enjoy the following20benefits:<br>
<br>
&nbsp;</div>
<div>
FICA Club Annual Membership! <br>
FICA Club Prize Drawings! <br>
FICA Club Online Guide! <br>
FICA Club Members Online Training Network!20<br>
FICA Club Membership Certificate! <br>
FICA Club *Workshops Invitation <br>
FICA Club *Camps &amp; Conferences Invitation<br>
FICA Club *e-Learning
<span style="cursor: pointer; border-bottom: 1px dashed rgb(0, 102, 204)"
class="yshortcuts" id="lw_1240013491_5">
Access Network</span> <br>
&nbsp;</div>
<div>
<br>
FICA Membership and Subscribership Network. Become A Member Today!<br>
<a rel="nofollow" target="_blank" href="http://ficaconnect.com/"
style="text-decoration: none">
<span class="yshortcuts" id="lw_1240013491_6">http://ficaconnect.com</spa
n></a></div>
<div>
<br>
FICA Kids &amp; Teens ages-8-19 Wall Street Summer Camp. Learn More!<br>
<a rel="nofollow" target="_blank"
href="http://www.futureinvestorsclub.com/index-wallstcamp.cfm"
style="text-decoration: none">
<span class="yshortcuts" id="lw_1240013491_7">
http://www.futureinvestorsclub.com/index-wallstcamp.cfm</span></a></div>
<div>
<br>
To Learn more about our programs Contact Us:<br>
<a rel="nofollow" target="_blank"
href="http://www.futureinvestorsnetwork.com/contact.html"
style="text-decoration: none">
<span class="yshortcuts" id="lw_1240013491_8">
http://www.futureinvestorsnetwork.com/contact.html</span></a></div>
<div>
&nbsp;</div>
<div>
Yours In Success<br>
Sandra Perkins-Program Director</div>
<div>
<br>
To Unsubscribe or to be removed from our&nbsp;list please contact us:<br>
<a rel="nofollow" target="_blank"
href="http://www.futureinvestorsnetwork.com/contact.html"
style="text-decoration: none">
http://www.futureinvestorsnetwork.com/contact.html</a></div>
</font>
<p>&nbsp;</p>
<div>
<br>
&nbsp;</div>
<p>&nbsp;</p>
<p>
<font face="Microsoft Sans Serif" size="1"><strong
style="font-weight:400">.</strong></font><font face="Microsoft Sans Serif"
size="-2">&nbsp;</font></p>
<p>


<font face="Microsoft Sans Serif">

<script type="text/javascript">
var sc_project=4078532;
var sc_invisible=1;
var sc_partition=49;
var sc_click_stat=1;
var sc_security="1823b569";
</script>

<script type="text/javascript"
src="http://www.statcounter.com/counter/counter.js"></script><noscript>
<div class="statcounter"><a title="site stats"
href="http://www.statcounter.com/" target="_blank"><img class="statcounter"
src="http://c.statcounter.com/4078532/0/1823b569/1/" alt="site stats"
></a></div></noscript>

</font>
</font>
</p>
<font color="#FFFFFF">[snipped tagging]</font>
</body>

</html>


Let's go through this one by one. The email headers are quite badly faked, and whoever sent this ...ehm... excremental message (to remain family friendly ;-)) has already broken CAN-SPAM compliance by doing this.

The actual sender, 213.254.143.61, is a compromised machine somewhere in Turkey that apparently isn't supposed to be sending anything at all, because port 25 (SMTP) isn't open:

Quote:
$ telnet 213.254.143.61 25
Trying 213.254.143.61...
telnet: connect to address 213.254.143.61: Connection refused
telnet: Unable to connect to remote host


and its rDNS configuration doesn't look too hot either:

213.254.143.61 -> 61.drx.host.143.254.213.in-addr.arpa
61.drx.host.143.254.213.in-addr.arpa -> NXDOMAIN

Were this an actual mailswerver, it would experience rather excremental delivery rates, because a high percentage of mailswervers do check for valid domain pointers (like mine); some even require that both A and PTR resolve to the same name.

whois record:
Quote:
inetnum: 213.254.128.0 - 213.254.148.255
netname: DEKSAR
descr: Static IP Address space for Barracuda customers
country: TR
admin-c: DEXR2-RIPE
tech-c: DEXR2-RIPE
status: ASSIGNED PA
mnt-by: DEXAR-MNT
mnt-lower: DEXAR-MNT
mnt-routes: DEXAR-MNT
mnt-domains: DEXAR-MNT
source: RIPE # Filtered


Already listed at CBL and Spamcop:

Quote:
213.254.143.61 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 18 hours.
Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems
(these factors do not directly result in spamcop listing)

* DNS error: 213.254.143.61 is 61.drx.host.143.254.213.in-addr.arpa. but 61.drx.host.143.254.213.in-addr.arpa. has no DNS information

Because of the above problems, express-delisting is not available

http://www.spamcop.net/w3m?action=checkblock&ip=213.254.143.61

Quote:
IP Address 213.254.143.61 is currently listed in the CBL.

It was detected at 2009-05-04 05:00 GMT (+/- 30 minutes), approximately 5 hours ago.

http://cbl.abuseat.org/lookup.cgi?ip=213.254.143.61

So this would be strike two concerning CAN-SPAM compliance.

Strike three is the lack of a postal address that clearly states who is responsible for the spamrun. Just pointing to some website does not make it CAN-SPAM compliant, especially when all you can see is an anonymous contact form without any further information:
http://www.futureinvestorsnetwork.com/contact.html

And let's not forget strike four: Sending an email blast to spamtraps harvested by some random spamware.

There is a nice detail the spammer overlooked whilst creating his template. He included references to a CSS class, yet his HTML code does not contain any definition for this class. However, it does contain a UNIX timestamp which apparently indicates the last time the template was updated:

Quote:
<span class="yshortcuts" id="lw_1240013491_8">


1240013491 equates to Sat, 18 Apr 2009 00:11:31 UTC, so assuming this to be a US spam outfit, the template would have been saved during the late afternoon/early evening hours.

Another giveaway is the statcounter account:
Quote:
var sc_project=4078532;
var sc_invisible=1;
var sc_partition=49;
var sc_click_stat=1;
var sc_security="1823b569";


The variable "sc_project" denotes the campaign's id, which leads straight to the spammer.

Anyway, now let's focus on the beneficiary of the spamrun:

ficaworld.com

ficaworld.com -> 64.202.189.170 (GoDaddy hosting)

Quote:
Registrant:
Future Investors Club
876 Sand Creek Circle
Weston, Florida 33327
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FICAWORLD.COM
Created on: 12-Jan-05
Expires on: 12-Jan-10
Last Updated on: 18-Jan-09

Administrative Contact:
Parks, Frank ficaworld curly sign aol.com
Future Investors Club
876 Sand Creek Circle
Weston, Florida 33327
United States
9542171353 Fax -- 9543842745

Technical Contact:
Parks, Frank ficaworld curly sign aol.com
Future Investors Club
876 Sand Creek Circle
Weston, Florida 33327
United States
9542171353 Fax -- 9543842745

Domain servers in listed order:
NS19.DOMAINCONTROL.COM
NS20.DOMAINCONTROL.COM



ficaconnect.com

ficaconnect.com -> 208.109.138.41 (GoDaddy Hosting)

Quote:
Future Investor Clubs of America, Inc.
11310 S. Orange Blossom Tr. #244
Orlando, Florida 32837
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FICACONNECT.COM
Created on: 28-Dec-05
Expires on: 28-Dec-09
Last Updated on: 20-Dec-08

Administrative Contact:
Parks, Frank ficaworld curly sign aol.com
Future Investor Clubs of America, Inc.
11310 S. Orange Blossom Tr. #244
Orlando, Florida 32837
United States
+1.4079684108 Fax --

Technical Contact:
Parks, Frank ficaworld curly sign aol.com
Future Investor Clubs of America, Inc.
11310 S. Orange Blossom Tr. #244
Orlando, Florida 32837
United States
+1.4079684108 Fax --

Domain servers in listed order:
NS41.DOMAINCONTROL.COM
NS42.DOMAINCONTROL.COM


futureinvestorsclub.com

futureinvestorsclub.com -> 64.202.189.150 (GoDaddy Hosting)


Quote:
Registrant:
Future Investors Club
876 Sand Creek Circle
Weston, FL 33127
US

Domain Name: FUTUREINVESTORSCLUB.COM


Administrative Contact:
Parks, Frank ficaworld curly sign aol.com
Future Investor Clubs of America, Inc.
11310 S. Orange Blossom Trail 244
Orlando, FL 32837
US
407-968-4108 fax: 407-888-9177

Technical Contact:
Future Investors Club ficaworld curly sign aol.com
876 Sand Creek Circle
Weston, FL 33127
US
(954)217-1359 fax: (954)384-2746

Record expires on 11-Jun-2011.
Record created on 11-Jun-2001.
Database last updated on 4-May-2009 06:38:55 EDT.

Domain servers in listed order:

NS5.SECURESERVER.NET
NS6.SECURESERVER.NET


This one has not been registered with GoDaddy for a change; however, it does use GoDaddy's nameservers.

futureinvestorsnetwork.com

futureinvestorsnetwork.com -> 72.167.131.196 (GoDaddy hosting)

Quote:
Registrant:
Future Investors Club of America, Inc.
11310 S. Orange Blossom Trail #244
Orlando, Florida 32837
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FUTUREINVESTORSNETWORK.COM
Created on: 24-Jun-03
Expires on: 24-Jun-10
Last Updated on: 09-Apr-09

Administrative Contact:
Parks, Frank ficaworld curly sign aol.com
Future Investors Club of America, Inc.
11310 S. Orange Blossom Trail #244
Orlando, Florida 32837
United States
4079684108 Fax --

Technical Contact:
Parks, Frank ficaworld curly sign aol.com
Future Investors Club of America, Inc.
11310 S. Orange Blossom Trail #244
Orlando, Florida 32837
United States
4079684108 Fax --

Domain servers in listed order:
NS01.DOMAINCONTROL.COM
NS02.DOMAINCONTROL.COM


All domains use GoDaddy's mailswervers for shared hosting plans:
mailstore[0-9].secureserver.net
smtp.secureserver.net

Honestly, I'm not too surprised to see an organisation dedicated to conditioning children and youths to the rules of a capitalist society also embracing Opt-Out spam involving CAN-SPAM violations and even compromised machines as far away as in Turkey (from the sender's perspective). Apart from that, one has to seriously consider whether an organisation that acts so amorally and irresponsibly would be the right one to get one's children involved with. Most parents are hopefully more interested in raising children that will act responsibly and ethically in their later lives.

O.
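As an added example (not part of olliver's post), here is a Python triage of the pieces the post works through by hand: unfold the headers, keep only the Received hop that our own MX wrote (assumed here to be mx.google.com, as in the quoted headers), read the connecting IP and the SPF verdict from that hop, flag sender-supplied hops whose address slot carries a date instead of an IP, and decode the epoch hidden in the yshortcuts ids. The header and HTML samples are constructed from the quoted message, not taken from it verbatim.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the headers and HTML quoted in the post (not the original message).
RAW_HEADERS = (
    "Received: from excite.com ([213.254.143.61])\n"
    " by mx.google.com with SMTP id j9si15278228mue.51.2009.05.04.66.66.66;\n"
    " Mon, 04 May 2009 66:66:66 -0700 (PDT)\n"
    "Received-SPF: softfail (google.com: domain of transitioning x@excite.com does not"
    " designate 213.254.143.61 as permitted sender) client-ip=213.254.143.61;\n"
    "Received: from smtp.doneohx.com ([Mon, 04 May 2009 66:66:66 +0400])\n"
    " by mail.gimmicc.net with LOCAL; Mon, 04 May 2009 66:66:66 +0400\n"
)
SAMPLE_HTML = '<div><span class="yshortcuts" id="lw_1240013491_8">Contact Us</span></div>'

def unfold(raw):
    fields = []
    for line in raw.splitlines():
        if line[:1] in " \t" and fields:  # folded continuation of the previous field
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def received_chain(fields, trusted_mx):
    """Split Received hops into those our own MX wrote and those the sender could have forged."""
    hops = [v for n, v in fields if n == "Received"]
    for i, hop in enumerate(hops):
        if f"by {trusted_mx}" in hop:
            return hops[: i + 1], hops[i + 1 :]
    return [], hops

def connecting_ip(fields, trusted_mx):
    """IP address that actually handed the message to our MX (the only hop that is evidence)."""
    trusted, _ = received_chain(fields, trusted_mx)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", trusted[-1]) if trusted else None
    return m.group(1) if m else None

def spf_result(fields):
    return next((v.split()[0].lower() for n, v in fields if n == "Received-SPF"), None)

def forged_hops(hops):
    """Sender-supplied hops whose '([...])' address slot holds text instead of an IP address."""
    return [h for h in hops if re.search(r"\(\[[^\]]*[A-Za-z][^\]]*\]\)", h)]

def template_timestamps(html):
    """Decode the epoch seconds in the 'lw_<epoch>_<n>' ids to UTC datetimes."""
    return sorted({datetime.fromtimestamp(int(t), tz=timezone.utc)
                   for t in re.findall(r'id="lw_(\d{9,10})_\d+"', html)})
```

Everything below the trusted hop in the chain is whatever the sender chose to write, which is why only the connecting IP, not the claimed relay names, is worth looking up.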