Who is Gemma Brown, who is collecting spam and chain letters for a research project? What's the connection between "research-project.org" and "who-remembers-me.com"?
Here is a chain letter that was forwarded to me recently, minus hundreds of email addresses to which this had already been forwarded:
From: Gemma Brown
Variations of this email have been circulating since early 2004, using different email accounts at the same domain (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, etc.).
Here is an almost identical email sent almost a year later:
X-Apparently-To: SPAMRECIPIENT via 220.127.116.11; Tue, 12 Sep 2006 16:14:41 -0700
X-YahooFilteredBulk: 18.104.22.168
X-Originating-IP: [22.214.171.124]
Authentication-Results: mta190.mail.mud.yahoo.com from=research-project.org; domainkeys=neutral (no sig)
Received: from 126.96.36.199 (HELO mail.research-project.org) (188.8.131.52) by mta190.mail.mud.yahoo.com with SMTP; Tue, 12 Sep 2006 16:14:41 -0700
Received: (qmail 7172 invoked by uid 0); 12 Sep 2006 23:23:02 -0000
Date: 12 Sep 2006 23:23:02 -0000
To: SPAMRECIPIENT
Subject: This is a reply to the mail you sent me.
Content-type: text/html
From: Gemma Brown <firstname.lastname@example.org>
Reply-To: <email@example.com>
Content-Length: 1019
So who is behind research-project.org? The website itself does not provide any help, because it only contains the message:
This site is currently under construction.
Here are the registration details of the domain:
Domain ID: D106284645-LROR
Domain Name: RESEARCH-PROJECT.ORG
Created On: 10-May-2005 08:25:49 UTC
Last Updated On: 24-Sep-2005 04:16:29 UTC
Expiration Date: 10-May-2007 08:25:49 UTC
Sponsoring Registrar: eNom, Inc. (R39-LROR)
Status: OK
Registrant ID: 5AF7592DC33529F7
Registrant Name: Research Project
Registrant Organization: Research Project
Registrant Street1: Office 255
Registrant Street2: 111 Piccadilly
Registrant Street3:
Registrant City: Manchester
Registrant State/Province: England
Registrant Postal Code: M1 2HX
Registrant Country: GB
Registrant Phone: +44.7899848114
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: firstname.lastname@example.org
Admin ID: CBBBDABDC3627FA2
Admin Name: Gail Jones
Admin Organization: ukfast.net Ltd
Admin Street1: The Mezzanine, Abbey House
Admin Street2: 32 Booth St
Admin Street3:
Admin City: Manchester
Admin State/Province:
Admin Postal Code: M2 4AB
Admin Country: GB
Admin Phone: +1.441619095160
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: email@example.com
Tech ID: CBBBDABDC3627FA2
Tech Name: Gail Jones
Tech Organization: ukfast.net Ltd
Tech Street1: The Mezzanine, Abbey House
Tech Street2: 32 Booth St
Tech Street3:
Tech City: Manchester
Tech State/Province:
Tech Postal Code: M2 4AB
Tech Country: GB
Tech Phone: +1.441619095160
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: firstname.lastname@example.org
Name Server: NS0.UKFAST.NET
Name Server: NS1.UKFAST.NET
The Royal Mail postcode finder has a dozen entries listed for "111 Piccadilly", but all but one are listed as being in a building called "Rodwell Tower" with a postcode of M1 2HY. The only other one is a firm called "Mail Boxes etc", which coincidentally has the postcode M1 2HX. In other words, "Office 255" is likely to be "Post Office Box 255" at "Mail Boxes etc".
According to this thread the domain was registered using an email address from the domain "who-remembers-me.com", a site about which there are numerous spam complaints. This is not the current contact address. Maybe the owner did not want to show any connection to that domain and changed it later?
Here are some mail headers from a "Gemma Brown" spam email sent to a mailing list:
Received: from unknown (HELO mail.research-project.org) (184.108.40.206) by mta6.grp.scd.yahoo.com with SMTP; 16 Jun 2005 09:50:23 -0000
Received: (qmail 19605 invoked by uid 0); 16 Jun 2005 09:53:05 -0000
Date: 16 Jun 2005 09:53:05 -0000
Message-ID: <20050616095305.19604.qmail@...>
To: emailaddress
Content-type: text/html
X-Originating-IP: 220.127.116.11
From: Gemma Brown <email@example.com>
Reply-To: <gemma20@@research-project.org>
Subject: This is a reply to the mail you sent me. (Ref. U3KM0FX90D3)
The IP address matches the company that hosts the website. They can be contacted via firstname.lastname@example.org:
inetnum:      18.104.22.168 - 22.214.171.124
netname:      UKFAST
descr:        See UKFAST-MNT for contact details
country:      GB
admin-c:      NL202-RIPE
tech-c:       NL202-RIPE
status:       ASSIGNED PA
mnt-by:       UKFAST-MNT
mnt-lower:    UKFAST-MNT
mnt-routes:   UKFAST-MNT
remarks:      Abuse reports should be sent to email@example.com
source:       RIPE # Filtered

person:       Neil Lathwood
address:      Abbey House
address:      32 Booth Street
address:      Manchester
address:      M2 4AB
phone:        +44 845 458 4545
fax-no:       +44 870 458 4545
e-mail:       firstname.lastname@example.org
nic-hdl:      NL202-RIPE
source:       RIPE # Filtered
Here is a "who-remembers-me" spam that we received:
From: "Customer Services" <email@example.com>
Received: from mail.wrmweb-1.co.uk (wrmweb-1.co.uk [126.96.36.199]) by fence.pobox.com (Postfix) with SMTP id 87AF91E549 for <firstname.lastname@example.org>; Thu, 24 Nov 2005 23:08:47 -0500 (EST)
Received: (qmail 22957 invoked by uid 0); 25 Nov 2005 04:20:02 -0000
Date: 25 Nov 2005 04:20:02 -0000
Message-ID: <email@example.com>
To: firstname.lastname@example.org
Subject: Your friend has entered you into our tell a friend link. (5YJYKX80KYO)
From: Customer Services <email@example.com>
Reply-To: <firstname.lastname@example.org>
Both the research-project.org and the who-remembers-me.com spam use an 11-character alphanumeric reference number in the subject line. And as you can see from the message headers, the sending IP addresses are very close:
Traffic on who-remembers-me.com was very moderate until about three months after research-project.org started gathering email addresses, then it started picking up. I don't know how much of that traffic is related to "your friend wants to recommend this site" kind of spam, or whether these are really friends' recommendations or have been fabricated using addresses obtained elsewhere. While I don't have any clear-cut proof that research-project.org is gathering addresses to drive business to who-remembers-me.com, I do have some suspicion...
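The two tells used above (an 11-character reference token in the Subject and neighbouring sending IPs) can be checked mechanically over a mailbox. The following is an added example, not code from the original page; the sample headers are constructed to mirror the two spams quoted above, with documentation-range IPs (192.0.2.x) and placeholder addresses standing in for the real ones.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed samples modelled on the two spams quoted above (not the real headers).
SAMPLE_A = """Received: from 192.0.2.10 (HELO mail.research-project.org) (192.0.2.10)
  by mx.example.net with SMTP; Tue, 12 Sep 2006 16:14:41 -0700
Received: (qmail 7172 invoked by uid 0); 12 Sep 2006 23:23:02 -0000
From: Gemma Brown <gemma@research-project.org>
Subject: This is a reply to the mail you sent me. (Ref. U3KM0FX90D3)

body
"""
SAMPLE_B = """Received: from mail.wrmweb-1.co.uk (wrmweb-1.co.uk [192.0.2.20])
  by mx.example.net (Postfix) with SMTP id 87AF91E549; Thu, 24 Nov 2005 23:08:47 -0500
Received: (qmail 22957 invoked by uid 0); 25 Nov 2005 04:20:02 -0000
From: Customer Services <services@who-remembers-me.com>
Subject: Your friend has entered you into our tell a friend link. (5YJYKX80KYO)

body
"""

# Bracketed 11-char upper-case alphanumeric token, with or without a "Ref." prefix.
REF_RE = re.compile(r"\(\s*(?:Ref\.\s*)?([A-Z0-9]{11})\s*\)")
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def subject_reference(raw):
    """Return the 11-char reference token from the Subject, or None."""
    m = REF_RE.search(message_from_string(raw).get("Subject", ""))
    return m.group(1) if m else None

def sending_ip(raw):
    """Return the relay IP from the outermost Received header naming one.
    Each hop prepends its own Received line, so the first one is our MX's and
    records the host that connected to it."""
    for received in message_from_string(raw).get_all("Received", []):
        m = IP_RE.search(received)
        if m:
            return ip_address(m.group(1))
    return None

def same_network(raw_a, raw_b, prefix=24):
    """True when both mails were injected from the same /prefix block."""
    a, b = sending_ip(raw_a), sending_ip(raw_b)
    return a is not None and b is not None and \
        ip_network(f"{a}/{prefix}", strict=False) == ip_network(f"{b}/{prefix}", strict=False)
```

Run over a real mailbox, a pair of messages that both carry a reference token and share a /24 is a candidate for the same sending operation; a shared token format alone is weak evidence, so treat the two checks together.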
Domain registration for "who-remembers-me.com":
Domain Name: WHO-REMEMBERS-ME.COM
Registrar: TOTALREGISTRATIONS
Whois Server: whois.totalregistrations.com
Referral URL: http://www.totalregistrations.com
Name Server: NS1.WHO-REMEMBERS-ME.COM
Name Server: NS2.WHO-REMEMBERS-ME.COM
Status: ACTIVE
Updated Date: 01-may-2005
Creation Date: 22-may-2003
Expiration Date: 22-may-2006

>>> Last update of whois database: Fri, 25 Nov 2005 02:25:39 EST <<<

The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.

Registrant:
  Julien Robert Billington
  Kylemore Road, P O Box 50718
  London
  London NW6 2PT
  UK

Domain Name: who-remembers-me.com

Administrative Contact:
  Domains Team (DT00047-TR)
  Donhost Limited
  1 Heather Court
  Doncaster
  South Yorkshire DN2 5YL
  GB
  phone: +44(0)8707414151
  fax:
  email@example.com

Technical Contact:
  Domains Team (DT00047-TR)
  Donhost Limited
  1 Heather Court
  Doncaster
  South Yorkshire DN2 5YL
  GB
  phone: +44(0)8707414151
  fax:
  firstname.lastname@example.org

Record updated on 03-May-2005
Record expires on 22-May-2006
Record created on 22-May-2003

Domain servers in listed order:
  ns1.who-remembers-me.com 188.8.131.52
  ns2.who-remembers-me.com 184.108.40.206
Domain registration for "wrmweb-1.co.uk":
Domain Name: wrmweb-1.co.uk

Registrant: who-remembers-me.com

Registrant's Address:
  30 Keyoemore Road
  London
  NW6 2PT
  GB

Registrant's Agent: ukfast.net Ltd [Tag = UKFAST]

Relevant Dates:
  Registered on: 11-Apr-2005
  Renewal Date: 11-Apr-2007

Registration Status: Registered until renewal date.

Name servers listed in order:
  ns0.ukfast.net 220.127.116.11
  ns1.ukfast.net 18.104.22.168

WHOIS database last updated at 09:50:01 25-Nov-2005