Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Publicly available spam tool


A colleague alerted me to a spamming tool available on the web at the following web URL:

http://verify-email. org

It's a page that lets someone enter an email address, and it reports whether or not that address is live.  In essence, this is the non-techy spammer's way of checking whether a mail server accepts an address in the SMTP RCPT TO command.  If it comes back positive, the email address is live; if it comes back negative, the address is not, and the spammer can therefore remove it from their list.

How do I know it's a spam tool?  Well, besides thinking of almost no legitimate uses for this web tool, the WHOIS information is suspicious.  The registrant lives in Moldova but has a phone number registered to a North American address.  Even if he screwed up and meant Maryland, the area code resolves to no actual area code in the United States.

The site was created in July, so it's fairly new.  This in itself is not the clincher but combined with everything else, I think we can rest assured that a spammer set up this page in order for himself (and possibly other spammers, I can't imagine why) to verify his spamming lists.
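Seen from the receiving mail server, a RCPT TO validity check looks like a session that names a recipient and then quits without ever sending DATA. The following is an added example, not code from the original post, that flags clients doing this repeatedly; the log format, the function name `find_rcpt_probers` and the threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in a made-up "client-ip event [address reply-code]" format;
# it is not the log format of any real mail server.
SAMPLE_LOG = """\
203.0.113.7 CONNECT
203.0.113.7 RCPT alice@example.com 250
203.0.113.7 QUIT
203.0.113.7 CONNECT
203.0.113.7 RCPT bob@example.com 550
203.0.113.7 QUIT
203.0.113.7 CONNECT
203.0.113.7 RCPT carol@example.com 250
203.0.113.7 QUIT
198.51.100.4 CONNECT
198.51.100.4 RCPT alice@example.com 250
198.51.100.4 DATA
198.51.100.4 QUIT
198.51.100.4 CONNECT
198.51.100.4 RCPT alcie@example.com 550
198.51.100.4 QUIT
"""


def find_rcpt_probers(log_text, min_probes=3):
    """Map client IP -> number of sessions that asked RCPT TO but never sent DATA."""
    sessions = {}               # ip -> [rcpt_count, sent_data] for the open session
    probes = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, event = fields[0], fields[1]
        if event == "CONNECT":
            sessions[ip] = [0, False]
        elif ip not in sessions:
            continue            # event without a CONNECT we saw; ignore it
        elif event == "RCPT":
            sessions[ip][0] += 1
        elif event == "DATA":
            sessions[ip][1] = True
        elif event == "QUIT":
            rcpt_count, sent_data = sessions.pop(ip)
            if rcpt_count and not sent_data:
                probes[ip] += 1     # recipient check with no message: a probe
    # A single aborted session is normal (typo, rejected recipient); repeated ones are not.
    return {ip: n for ip, n in probes.items() if n >= min_probes}


if __name__ == "__main__":
    print(find_rcpt_probers(SAMPLE_LOG))
```

The sketch assumes one open session per client IP at a time and only counts sessions that end with QUIT, so dropped connections would need their own event in a real log.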


  • Or umm...to collect email addresses. If so you've just linked from a high pagerank site providing the site a ton of traffic! I'd bet that any live mail address entered ends up on a spam list.

  • > and if it comes back negative, the email address is
    > not and therefore the spammer can remove it off
    > their list.

    Huh?  Why would a spammer _ever_ bother removing an old dead e-mail address from their list?  It's not as though the spammer had to pay for bounces.

    In the late 1990's I happened to glance at the SMTP log of a machine that I had used in the early 1990's, and noticed a bunch of spams addressed to an address that I had had in the early 1990's.  Obviously the bounces went to forged "from" addresses, helping irritate any of those victims whose addresses were still live.

    However, this spam tool could still be useful in searching for new e-mail addresses to add to a list.  I wonder if the occasional spates of received 0-length e-mails with partial headers had come from that tool.

    > phone number registered to a North American address

    [...]

    > resolves to no actual area code in the United States

    Umm, last I recall, there used to be some North American addresses whose area codes weren't in the United States...

  • Anyway, he didn't mean Maryland.  Three parts of his address consistently say Moldova.  Also Moldova's country code is 373, so it looks like maybe his registration might be intended to be accurate.  The only necessary correction is to format the telephone number without the +1.  One possibility might be +373.2.77.1726

    Registrant Name:Alexandr Zaharov
    Registrant Organization:Alexandr Zaharov
    Registrant Street1:Chisinau 60 MD Box 2274
    Registrant City:Chisinau
    Registrant State/Province:NA
    Registrant Postal Code:MD2060
    Registrant Country:MD
    Registrant Phone:+1.3732771726

    But, although the domain name's owner is in Moldova, the site is in the US.

    OrgName:    ThePlanet.com Internet Services, Inc.
    OrgID:      TPCM
    Address:    1333 North Stemmons Freeway
    Address:    Suite 110
    City:       Dallas
    StateProv:  TX
    PostalCode: 75207
    Country:    US

  • > Huh?  Why would a spammer _ever_ bother removing an
    > old dead e-mail address from their list?  It's not
    > as though the spammer had to pay for bounces.

    Sending mail to live addresses makes sense for the spammer.

    1. You have to send out fewer mails.  Fewer mails means less chance of detection.

    2. You can append multiple good lists together; they can command a higher premium in the underground economy.

  • >> Even if he screwed up and meant Maryland, the area
    >> code resolves to no actual area code in the United
    >> States.

    > Umm, last I recall, there used to be some North
    > American addresses whose area codes weren't in the
    > United States...

    What I meant was that the +1 international area code is for Canada/US, and I omitted Canada as a possibility of where the spammer was located, since we all know Canadians are too polite to spam.

  • Since there's been no more news, today I took the risk of looking at the site itself.  Just by looking at the site itself there isn't any way to prove whether it's honest or not, but I didn't see any obvious problem with it.  Furthermore they conduct sales through a partner located in the US.  The US has its share of operations like "Russian Business Network", or maybe more than its share, but still this one doesn't look obviously suspicious.

    I tried two experiments with e-mail addresses which I think probably don't exist.  In one case, a very famous multinational spam operator (a big famous spam provider in both Japan and the US) confirmed that the queried address doesn't exist.  In the other case, a big famous ordinary company, which I have not observed any problems with, confirmed that the queried address exists!  I'm guessing that the latter company probably gives a positive answer to everything in order to avoid assisting spammers.

  • The same day Terry and I discussed this site, I created a new email address specifically to test it.

    Since then, I've received 11 spams at that address in three days, all through zombies, and all from some nice folks who want to help me sell my timeshare or give me a payday advance.

    As if we needed any further evidence, he's also selling the PHP script that runs it for only $24.95. The Buy Now link takes you to a buy page at plimus.com, and informs you that for support issues regarding Email Verification PHP Script, you should write to contacts@email-unlimited.com (AKA Live Software, author of various bulk emailing products).

    One of the touted features of their software is "Send 30000 emails weekly and never be convicted of spamming."

    Any further questions? <g>

  • > Since then, I've received 11 spams at that address
    > in three days

    By itself that doesn't mean much.

    When I created a Yahoo US e-mail account, but had not used it yet, it started off with two spams in its inbox.  Therefore I never even started using it for its intended purpose as a regularly used e-mail account, though now I occasionally use it for some other purpose.

    Your other paragraphs are pretty informative though.
