Saturday, March 15, 2003

Tales from the Spam Crypt

I'm getting reports that one-on-onechat may have a second (or third?) web address (granted, this report is 3 months out of data, but I've been busy, really!).

------------------------------------------------------------
Date: Thu, 26 Dec 2002 19:40:18 -0800 (PST)
From: "jimmy"
Subject: More Questions on fake personals site

Mighty Hand, check this out if you will...

I responded to a personals ad on yahoo, figured she was too good to be true, but "what the heck" I said, "why not", I can block the profile if it's a faker. Five days later I get an email back that seems pretty normal untill the end when she says she uses a site she calls www.safedates.net as a way of getting to talk to people safely. I think, hmmmmm, so I keep reading only to find that she's not had much luck with the personals, she's been accused of being a porn site, but since I seem real to just give her a call via this site. So I go to it only to find it looks very suspicious (no other info besides a pretty picture and some basic stats). They also accept all major credit cards at 3.95/min. I looked for more info on it and not much comes up. Then I see it is part of "one-on-onechat" so I searched that and found you. Just thought you may like to know that it looks like they have a new name. Too bad, she seemed good on paper;)

------------------------------------------------------------
Demon Internet DIG Tool
previous posting about DNS querying

Well, trying to use DIG on safedates.net results in zero records being returned. Apparently, mediaserve.net has their DNS server configured so that it won't return zone information to the 'general public'. This is rather suspicious, and seems to be a "what are you trying to hide" flag in my book. In fact, their website is non-existent as all I got back were the opening and closing HTML tag. So I went with plan B, which was to tracert www.safedates.net (which resolves to 66.240.177.79). Interesting what that final IP address identified as, ne? BTW, www.safedates.net is "temporarily offline" now.

Well, actually, just because two web domains resolve to the same IP address doesn't actually make them twins. You see, web servers are able to handle multiple domains hosted on a single server by looking at the URL request and returning the files for the proper domain.

------------------------------------------------------------
17 101 ms 101 ms 101 ms border1.ge3-1-bbnet1.ext1a.lax.pnap.net [216.52.255.31]
18 102 ms 104 ms 101 ms broadspire-2.border1.ext1a.lax.pnap.net [63.251.209.66]
19 110 ms 103 ms 104 ms xxxcoeds.com [66.240.177.79]

------------------------------------------------------------
Doing the same with www.one-on-onechats.com leads to similar results, but a slightly different IP address. So, while the web sites aren't identical, it's possible that they're both hosted at the same server farm. Even more interesting is that www.one-on-onechat.com is also "temporarily offline" (identical message as the safedates.net site, redirects to http://66.240.179.34/).

------------------------------------------------------------
17 101 ms 102 ms 101 ms border1.ge4-1-bbnet2.ext1a.lax.pnap.net [216.52.255.95]
18 102 ms 102 ms 101 ms broadspire-2.border1.ext1a.lax.pnap.net [63.251.209.66]
19 104 ms 102 ms 103 ms one-on-onechat.com [66.240.177.145]

Labels: Spam

posted by Wuphon's at 11:40 AM