Feedback: December 2003, Published: January 2004
This month some information from the USA, once again, draws attention to the Your1Host spammers. As it turns out they probably should be called the uMondo spammers (or maybe the Ion Entertainment spammers -- they have many names). The Your1host saga continues because it seems that some registrars are tardy about taking action against known spammers.
This has prompted me to send the following e-mail to bulkregister.com:
Subject: False address for Your1host.net

Sirs,

I would like to draw your attention to a matter which requires urgent action on your behalf. This is in regard to the domain Your1Host.net which is registered by your organisation. The contact information that is given for Your1Host.net is:

10061 Riverside Dr.
Toluca Lake, CA 91602
US
Phone:: 818-506-4388

The information supplied is false and/or misleading. The Toluca Lake Chamber of Commerce lists this address and phone number as belonging to a mail and shipping franchise known as "Mail Boxes Etc."

The organisation Your1Host is a well known "front" for an extensive spam operation. A search for "Your1host+spam" brings up 22 hits in Google, many of which include comprehensive and well-documented samples of spam. These are from reputable organisations all around the world.

Sincerely etc,
In the meantime it seems to be business as usual for the Your1Host spammers, who operate under the names uMondo LLC and Ion Entertainment LLC (and probably many other names).
After receiving the information about uMondo, I checked their web site. The home page had a login screen surrounded by a large amount of graphics. The webhost, like all the others in this stable, was Microsoft-IIS. And, from memory, the home page was similar in appearance to some of the sites which had been associated with Your1host.net. Visitors can sign up with uMondo, which mainly entails giving them your contact information (including e-mail address). They promise to respect your privacy ... <sarcasm> So I guess you don't have anything to worry about there!</sarcasm>
If I could set aside objectivity and make a gratuitous comment, I will add that what I saw of their site had the appearance of a typical spammers' nest.
LLC stands for Limited Liability Company and may be equivalent to our Australian Pty. Ltd.
In The Gospel According to Google, the address 4804 Laurel Canyon #119 is described as a "PMB", which I believe is an American acronym for Private Mail Box, in Valley Village, California. In the USA, such mail facilities seem to operate as private franchises. I don't know how much (or how little) regulation is imposed on these services.
In the past however, it seems that PMB 119 at 4804 Laurel Canyon Blvd has been used by such dubious domains as: PowerfulPorn.com, GoodCleanPorn.com, Fu69ck.com, PornOfficebox.com. No prizes for guessing what those domains might have been selling.
In addition to the domains mentioned in the previous newsletter, the following domains are closely associated with umondo.biz, and are part of this spam gang:
10packs.com Daddys-Little-Girls.com eShy.com GetAWife.net IonEnt.com MondoCable.com MondoDepot.com MondoDrugs.com MondoLibrary.com MondoMagazines.com MondoMeds.com MondoParty.com MondoRegister.com MondoRX.com MondoSavings.com MondoServices.com MondoStore.com MondoTemplates.com MondoVacations.com Ultra-Fast.com
Most of these are set up in a similar manner and, except for 10packs.com, they share the same address (PMB 119, 4804 Laurel Canyon Blvd). There are only 4 variants of contact info, with two names, Zack Thomas and Danny Alexander, as follows:
10packs support@10packs.com Pestalozzi St., 6900 Lugano Lugg, Bridge HR1 GB Phone- 011-44-208-7289011 Danny and Zack Danny Alexander Zack Thomas Zack Thomas 4804 Laurel Canyon #119 Valley Village, California 91405 United States 8183040700 Fax --
The name Danny Alexander is often associated with Ion Entertainment (IonEnt.com), another LLC that shares the PMB in Valley Village. There is a company called Ion Entertainment in California (IonEntertainment.com), but there is no obvious connection between the firms.
The name servers that they prefer are ns1.xodns.com, ns2.xodns.com, ns1.qwdns.com and ns2.qwdns.com. There are other domains associated with the uMondo spammers and when I get the time I will try to list them all. QWDNS.com and XODNS.com, which provide the name servers, seem to have a key role in the scheme of things. Both these domains have funky looking contact information.
The contact information for QWDNS.com is:
support@qwdns.com QW DNS 6633 San Felipe St Houston, TX 77057 US Phone: 818-475-5429
There does not appear to be a yellow pages (or any) listing for a firm called QW DNS. The phone number is not a Texas number. Instead this phone service seems to be located in the San Fernando Valley, which by a not so remarkable coincidence, is where the uMondo PMB (in Valley Village) is also located. This same phone number appears in the contact details for Forwardhosting.net, another member of this spammers' nest (as previously documented). Google queries for a company called QW DNS return no result. In summary, the address appears to be false. Or it may be a convenient drop point. Bulkregister.com have been notified of this fact.
The Registration details for XODNS.com are as follows:
Simon McNelsonn 4000 William Armstrong Drive Newcastle-upon-Tyne, IR NE4 7YA IE
The sponsoring registrar of uMondo LLC is GO DADDY SOFTWARE, INC. GoDaddy.com seem to be a budget US registrar. Whois lists their address in Arizona. I have notified them about their unsavoury client.
The UK connection might mean that this is a multi-national spam hub.
Perhaps other PMB customers who use the mailbox address at Laurel Canyon Blvd might want to express their discontent with sharing facilities with spammers.
Overall, this seems to be a complex, intermeshed group with many parent organisations and child entities (and maybe even some grandchildren?). And I have only scratched the surface. It would seem to be a major gang of spammers. I am not familiar with laws regarding disclosure of correct information for LLCs in California, but in Victoria (Australia), false information on websites and/or false contact and address information on registration details would incur penalties under Company Law.
Furthermore I would expect that many of the activities carried out by uMondo and its progeny are illegal.
Feedback:
Hints for this month:
- How to make a specific colour transparent (in GIMP)
- Where to get Zip/Unzip
- Can't locate Test/More.pm in @INC
- Reading multiple lines with the shell
How to make a specific colour transparent (in GIMP)
Date: Tue, 2 Dec 2003 11:59:33 +1100
From: Gerry Patterson

* Choose the layer selection tool (Layers, Channels & Paths from the Right-Click Menu).
* Right-click the layer and select "add alpha channel".
* Over the image, right-click and select: "Select/select by color".
* Click the colour (over the image) of the selected image.
* Right-click the image and select "Edit/Cut". Select "Cut".

This removes the colour selected from layer (which effectively makes it transparent).
Identity of "MX Your1host.net" spammers
From: Bernie (USA)
Date: Sat, 6 Dec 2003 01:19:17 EST

Hi,

I found and read your "PGTS Journal, July 2003" newsletter (http://www.pgts.com.au/cgi-bin/pgtsj?file=pgtsj0307f). Like you, I have been searching for the identity of what you call the "MX Your1host.net spammers." I have now discovered their real identity. See below, and please do with this information what you wish:

The individual(s) is/are known as uMondo, LLC. The main web site is http://www.umondo.biz.

(The following information can be found by Whois lookup at http://www.checkdomain.com/cgi-bin/checkdomain.pl?domain=umondo.biz):

Registrant: uMondo, LLC
Administrative, Billing, and Technical Contact:
Ryan Fellman (GODA-23312779)
support@umondo.com
uMondo, LLC
4804 Laurel Canyon #119
Vallley Village, California 91607
United States
Phone: +1.8183040700
Name Servers:
NS1.QWDNS.COM
NS2.QWDNS.COM

(NOTE: Ryan Fellman can also be reached at rythaman@sbcglobal.net and 1-818-335-2558.)

Best of luck.

Ed: Thanks for the info, Bernie. This is a right regular tin of worms. And it's hard to know where to begin. This little nest of spammers appear to have been very busy in the past year. The convoluted trail of domains is a tribute to their energy and enterprise. It's a pity to see so much effort devoted to anti-social ends (and most probably using anti-social means). There is a Harris Fellman, who was listed as the owner of Ion Entertainment (one of the many organisations in this spam gang). For more details, see my comments at the start of this document.
Where to get Zip/Unzip
Date: Mon, 22 Dec 2003 03:09:56 +1100
From: Gerry Patterson

This question comes up whenever I want a copy of the Zip/Unzip utility. Where is it? I always make the same mistake of looking at GNU sites and finding lots of copies of gzip. Then after searching with Google, I remember ... Info-Zip. How could I forget these guys?

http://www.info-zip.org/pub/infozip/

Thanks Info-Zip!

Here is the way I install them on a FreeBSD system. Download the latest tars (as of the time of writing, zip23.tar.gz and unzip550.tar.gz) and unpack them in the work area:

    cd zip-2.3
    make clean
    make generic
    make install

(even though there were a few warnings)

For unzip, it was a little different ... Starting once again from the work directory:

    cd unzip-5.50
    cp unix/Makefile .
    make clean
    make freebsd
    make install
Can't locate Test/More.pm in @INC
Date: Mon, 22 Dec 2003 03:37:03 +1100
From: Gerry Patterson

While installing from CPAN the following error came up:

    Can't locate Test/More.pm in @INC

There was a long list of what is included in @INC. For some reason, some CPAN downloads fail with this message (most times they just prepend the necessary package to the list and get on with it). The package that is required is: Test::More

So just install Test::More and then retry the command.
Reading multiple lines with the shell
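Date: Tue, 23 Dec 2003 01:58:25 +1100
From: Gerry Patterson

A trick which is very handy in shell scripts for fetching multiple lines from a file or command (rather than stdin) is as follows:

    #!/bin/bash
    # OUTPFILE and TMPDIR are assumed to be set earlier in the script.
    # -r keeps backslashes literal; "_" takes the rest of the line,
    # so x holds only the first word.
    while read -r x _ ; do
        # Quote the expansions so the name is not split or glob-expanded.
        if [ -f "$x" ] ; then
            cat -- "$x" >> "$OUTPFILE"
        fi
    done < "${TMPDIR}/filelist"

This code reads a line from a file (${TMPDIR}/filelist). If the first word is a legitimate regular file, then the contents of the file are appended to $OUTPFILE.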
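
The same read loop as a reusable function, added here as an example and not part of the original newsletter; concat_listed, demo and every file name in it are constructed. It goes beyond the hint by treating the whole line (not only the first word) as the file name, so names containing spaces, glob characters or a leading dash are handled, as is a final line with no newline.

```shell
#!/bin/sh
# Added example: append every regular file named in a list to one output file.
# concat_listed, demo and all file names below are constructed for illustration.

# Usage: concat_listed LISTFILE OUTFILE
# Prints how many files were appended; returns 1 if LISTFILE is unreadable.
concat_listed() {
    list=$1 out=$2 count=0
    [ -r "$list" ] || return 1
    # IFS= keeps leading/trailing blanks; -r keeps backslashes literal.
    # The "|| [ -n ... ]" part still handles a last line with no newline.
    while IFS= read -r name || [ -n "$name" ]; do
        [ -n "$name" ] || continue      # skip empty lines
        # Quoting prevents word splitting and glob expansion of the name.
        if [ -f "$name" ]; then
            # "--" stops a name such as "-n" being read as a cat option.
            cat -- "$name" >> "$out" && count=$((count + 1))
        fi
    done < "$list"
    # Redirecting (not piping) into the loop keeps it in this shell,
    # so the value of count set inside the loop is still visible here.
    echo "$count"
}

# Constructed demo in a scratch directory; runs in a subshell so the
# caller's working directory and variables are untouched.
demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    printf 'A\n' > plain.txt
    printf 'B\n' > 'two words.txt'
    printf 'C\n' > 'star*.txt'
    printf 'D\n' > ./-n
    # Four real names, one missing file, one directory; no final newline.
    printf '%s\n' plain.txt 'two words.txt' 'star*.txt' missing.txt . > filelist
    printf '%s' '-n' >> filelist
    n=$(concat_listed filelist out.txt)
    echo "$n $(tr -d '\n' < out.txt)"
    cd / && rm -rf "$dir"
)

demo    # prints: 4 ABCD
```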
Time to sell Microsoft?
From: Matthew Gurney
Date: Tue, 30 Dec 2003 06:43:57 +1100 (EST)

Just read your article regarding the similarity of MS now and IBM in 80s/90s. Makes a lot of sense. I am actually a fan of MS, I have a bit of their stock. I think I will sell it and move to something else, but with the current trend towards Linux, which I know will succeed, which will bring greater acceptance of Open Source in general, eg mySQL (Noticed you were DBA's), looks like long term, software monopolies are going to be hard to come by. Hmm, perhaps SAP or PeopleSoft??

Ed: Matthew connected via a dial-in line from British Telecom. He is not the only one considering ditching Microsoft. As this is written, the Israel government announced their intention to install open source software on future desktop platforms.