Search Engine Optimization & Web Hosting Solution

TOKYO (MacHouse) - A cyber scum organization has sent out at least 2 spam messages in the past 62 hours or so. One is titled ‘Fight for your self-perfection!’ (See Screenshot 01.) Another message is titled ‘Face your new mate without fear.’ (See Screenshot 02.)

Screenshot 01 - Source: MacHouse

Screenshot 02 - Source: MacHouse

If you read the beginning of each message, you may get some idea about what these spam messages are all about. They are sent to advertise a male organ enhancement produce called VPXL. Four domains are hosted at the same IP location and host identical web content. Both messages imply that Microsoft Corporation and its Windows Live are involved. But chances are that it is a Chinese crime organization behind the spam messages. These four websites are obviously installed to scam Internet users.

Screenshot 03 - Source: MacHouse

Screenshot 04 - Source: MacHouse

Screenshot 03 shows the source code of the first spam message. The spam message shown in Screenshot 01 implies that sender’s e-mail address is cyril@rojaha.com. Accordingly, Screenshot 03 shows its mail server as mail.rojaha.com. The website with this domain (Screenshot 05 is a screenshot of its index page.) is hosted in the Netherlands. The name of the web hosting company is ADEPTEO. (See Screenshot 06.) And the IP location is 77.240.0.57. It looks like the header highlighted in purple shown in Screenshot 03 is manipulated. If it came from mail.rojaha.com, the time difference would be shown as +1, not +4. Rather, the message is likely to originate from vlz.ru. The IP location is 83.239.161.121. (Screenshot 07 shows a screenshot of the website at www. biz.ru.) This IP address is traced to Volgograd, Russia. And the time difference is +4.

Screenshot 05 - Source: www.rojaha.com

Screenshot 06 - Source: www.adepteo.net

Screenshot 07 - Source: www.biz.ru

As for the second spam message, its source code indicates that the header is also manipulated. Screenshot 02 indicates that sender’s address might be Georgia@ashidome.com. However, it’s likely that the origin of the spammer goes with the IP address of 85.97.198.35 (See Screenshot 04.), which can be traced to Turkey.

So why do we say that the Chinese are involved with these spam messages? Actually, we have no evidence to present for the moment that the Chinese are involved in sending the spam messages. However, the way that the four male organ enhancement websites are installed all point to the involvement of a Chinese crime organization. So we naturally imply that the same Chinese crime organization is sending the spam messages.

Screenshot 08 - Source: Completeshois.com

Screenshot 09 - Source: Completeshois.com

The domains of the male organ enhancement websites are

pliayen.com: IP location - 218.61.19.49 (China)

hanevel.com: IP location - 218.61.19.49 (China)

pnealte.com: IP location - 218.61.19.49 (China)

dimanez.com: IP location - 218.61.19.49 (China)

Screenshot 08-11 show their domain registrations.

Screenshot 10 - Source: Completeshois.com

Screenshot 11 - Source: Completeshois.com

As you see these domain registrations, the domains of pliayen.com, hanevel.com, pnealte.com and dimanez.com are all registered through notorious Chinese domain registrar called Xin Net Technology Corporation. Xin Net Technology Corporation is believed to work with Chinese crime organizations and help them register spam domains and deceive Internet users.

Screenshot 12 - Source: dimanez.com

Screenshot 13 - Source: dimanez.com

Screenshot 14 - Source: dimanez.com

Finally, let’s take a look at one of the websites advertised on the spam messages. Screenshot 12 shows the index page of the website hosted at dimanez.com. It appears that there is one product called ‘VPXL’ that they claim are selling. You can find its order page at http://dimanez.com/order.php. (See Screenshot 13.) See Screenshot 14 shows its checkout page. It’s a fake online store because

the page handling credit card information has no security layer

The GeoTrust and Hacker Safe labels contain no hyperlinks to the websites of the issuers.

********** ********** ********** ********** ********** ********** ********** **********

MacHouse is not funded by tax payers' money. We have limited resources. We also need time to sleep and eat just as others. So we will not act as the International police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?