Here’s the spam from WSACorp, as it appears in the inbox.

Don’t worry, I’ve disabled the links.

Note that a visit to the Kansas Secretary of State’s website confirms that address, but more on that later.

From: AHanson@WSACorp.com                                                Sent: Tue 6/3/2003 12:49 PM
To: [REDACTED]
Cc:
Subject: Your Resume Submittal?

Dear Job Seeker,

I saw your resume online and felt that my firm, WSACorp, might be able to help you. I know how difficult this market can be for a professional at your level. Recently, WSACorp helped place a couple of people whose results I thought might be of interest to you.

Dennis was a general manager, downsized from his company during consolidation. He wanted to stay in Colorado or Utah, but preferred not to be in Denver or Salt Lake City. He selected WSACorp to write his resume and produce a targeted mailing to 3,000 companies. Within 2 weeks, he accepted a position at a 40% increase with a company in Logan, Utah. You can see his resume by visiting WSACorp.com.

Jayne was a consultant with a sales and marketing background earning $175K. WSACorp mailed 3,800 letters. She had 20+ calls and accepted a $300K package offer from a major US corporation. You can see her resume by visiting WSACorp.com.

These are only 2 examples of our recent success, but you can see many more by visiting our Website at www.wsacorp.com.

If you wish to accelerate your job search, perhaps you should take advantage of WSACorp's offer to provide you a NO OBLIGATION resume critique and market evaluation. We have been writing resumes since 1976, and we are in-tune with the current market conditions. Don't delay. This time of year generally provides a bubble of hiring that you do not want to miss. To quote Dennis, "I wish I had started doing this 20 years ago."

Give me a call or send me an email, and I will be happy to set a time to have you visit with one of our Senior Advisors for your free resume critique.

Sincerely,
Anna Hanson, Scheduling Coordinator
WSA Corporation
11933 Johnson Drive, Shawnee, KS 66216
Toll Free Phone: 1-800-972-2677 (913-631-3800)
Toll Free Fax: 1-877-972-3294 (913-631-9898)
www.wsacorp.com
 

Here’s the spam as it appears in the inbox.

Don’t worry, I’ve disabled the links.

Note the long text at the bottom beginning with “You are receiving…”.  If this were a legitimate email, that text would have been sent AS text.  What spammers are doing now is sending the text as a graphical image.  That way, a text-based filter that would have automatically trashed any email with text like “you have opted-in to receive” won’t work.

From: randyu10d@email.com.cn                                     Sent: Fri 5/2/2003 6:21 PM
To: Undisclosed.Recipients@oracle.icm.co.kr
Cc:
Subject: print cartridges, 8o% off today.    e

Next, I look at the email headers.  Sometimes they’re revealing.  But here, as you can see, it’s from a nonsense email address that doesn’t immediately tell you who the sender or the beneficiary of the spam actually are.

“.cn” means China, incidentally.  You could create a filter in Outlook that automatically trashes any email with a .cn in it and you’d be pretty safe.

X-Apparently-To: [REDACTED] via 66.218.79.74; 04 May 2003 09:27:32 -0700 (PDT)
X-YahooFilteredBulk: 61.82.164.54
Return-Path: <randyu10d@email.com.cn>
Received: from 61.82.164.54  (EHLO oracle.icm.co.kr) (61.82.164.54)
  by mta121.mail.scd.yahoo.com with SMTP; 04 May 2003 09:27:31 -0700 (PDT)
Received: from www.email.com.cn ([61.82.164.173])
          by oracle.icm.co.kr (8.11.6/8.11.6) with ESMTP id h4327W402643;
          Sat, 3 May 2003 11:07:37 +0900
Message-ID: <0000111b31c8$000048a2$000041a2@www.email.com.cn>
To: <Undisclosed.Recipients@oracle.icm.co.kr>
From: randyu10d@email.com.cn
Subject: print cartridges, 8o% off today.    e
Date: Fri, 02 May 2003 18:21:15 01700
MIME-Version: 1.0
Content-Type: text/html;
          charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: AOL 5.0 for Windows sub 138
Sensitivity: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 
 

Next, look at the html source code.  There has to be a link in here… look for whatever follows “<A HREF=”.  That indicates where the link points… i.e., the spammer’s website.  Note that you’ll sometimes see “<IMG SRC=”.  That indicates the server for the images (see next example), which may or may not be the same… particularly in the case of affiliate programs.

Anyway, in this simple case, Ignore everything after the .com… the destination website is www.34bolohouse.com.

But alleged spammers are doing tricky things these days to disguise the website identification… see “Spammer Tricks” towards the end of this page.

<HTML>
<div align="center">
  <TABLE WIDTH=450 BORDER=0 CELLPADDING=0 CELLSPACING=0><!-- u vmiwca zeavss dfwxy-->
    <TR>
    <TD> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/1.gif" WIDTH=290 HEIGHT=50 BORDER=0></A><!-- v gymqq ouftj zcu--></TD>
    <TD ROWSPAN=4> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/2.gif" WIDTH=118 HEIGHT=183 BORDER=0></A><!-- k zojjdsad mtdonwep ptboo--></TD>
    <TD ROWSPAN=4> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/3.gif" WIDTH=42 HEIGHT=183 BORDER=0></A><!-- l spwgbx vrb--></TD>
    </TR>
    <TR>
    <TD> <A HREF="http://www.34bolohouse.com/r17.html"><!-- x evtfqaql bxifgs--> <IMG SRC="http://www.34bolohouse.com/images/4.gif" WIDTH=290 HEIGHT=51 BORDER=0></A></TD>
    </TR>
    <TR><!-- g wjtvl gekjm wwun-->
    <TD> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/5.gif" WIDTH=290 HEIGHT=51 BORDER=0></A></TD><!-- y imauafemi pwhiwyqk-->
    </TR>
    <TR>
    <TD> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/6.gif" WIDTH=290 HEIGHT=31 BORDER=0><!-- o kzzdjo--></A></TD>
    </TR>
    <TR>
    <TD COLSPAN=3><!-- c sazmkct xzahiph zot--> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/7.gif" WIDTH=450 HEIGHT=68 BORDER=0></A></TD>
    </TR><!-- l eqitkhz jlxehhs j-->
    <TR>
    <TD COLSPAN=3> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/8.gif" WIDTH=450 HEIGHT=51 BORDER=0></A><!-- t oaxyux sooxwf ajoqab a--></TD>
    </TR>
    <TR>
    <TD COLSPAN=3> <A HREF="http://www.34bolohouse.com/r17.html"><!-- k csjlm--> <IMG SRC="http://www.34bolohouse.com/images/9.gif" WIDTH=450 HEIGHT=49 BORDER=0></A></TD>
    </TR>
    <TR><!-- d msvzel xvrd-->
    <TD COLSPAN=3> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/10.gif" WIDTH=450 HEIGHT=48 BORDER=0></A></TD><!-- s zjkziig yadusar gwz-->
    </TR>
    <TR>
    <TD COLSPAN=3> <A HREF="http://www.34bolohouse.com/r17.html"> <IMG SRC="http://www.34bolohouse.com/images/11.gif" WIDTH=450 HEIGHT=101 BORDER=0><!-- z vvqje sounc aaidw --></A></TD>
    </TR>
  </TABLE>
  <br>
</div>
<div align="center">
  <table width="117" border="0" cellpadding="0" cellspacing="0">
    <tr>
      <td width="117" height="20" valign="top">
        <div align="center"><a href="http://www.34bolohouse.com/s17.html"><img src="http://www.34bolohouse.com/s40.gif" width="409" height="170" border="0"></a></div>
      </td>
    </tr>
  </table>
</div>
</BODY>
</HTML>
 

Now it’s time for a WhoIs lookup.  I usually start with Whois.com, since they can often grab registration information from other registrars’ databases.  See sample to the right:

If Whois.com doesn’t have the information or if it doesn’t accept the code entry – which often happens – then try Internic.  That site won’t have the registration data but it will tell you who the registar is – spammers often use bulkregister, dotster, enom, godaddy, and tucows.  Then go that that website and do a WhoIs lookup.

The WhoIs lookup will tell you the domain name you just searched on (34bolohouse.com), who the registar is (10-Domains.com); and phone number/address/email.  Often the address is fake and/or a PO Box at The UPS Store (formerly Mailboxes Etc.).  You can check that at http://go.mappoint.net/ups/PrxInput.aspx

You should forward a copy of the spam to abuse@[registar.com] and tell them that the domain holder is a spammer and the domain name should be cancelled.  I’ve done this successfully a couple times.

Incidentally, get used to seeing Florida in WhoIs lookups… I think about 2/3 of my domestic spam is from Florida.  As an aside, one great way to stop the spam problem would be to cut all Internet connections to the Sunshine State.  Too bad we probably can’t do that. 
 

http://www.networksolutions.com/en_US/whois/index.jhtml






Domain Name: 34BOLOHOUSE.COM
Registered by: $10-Domains
Domain Registration as low as 6.75
Visit: www.10-Domains.com
Cheap domain registration and Hosting

The Data in Parava Networks' WHOIS database is provided by Parava Networks for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Parava Networks does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to Parava Networks (or its systems). Parava Networks reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Registrant:
Greg Numark
2198 Princeton St.
Sarasota FL 34231
US

EvoClix
gregn@evoclix.com
+1.9419545922
Domain Name Created On: 2002-11-05 11:01:00.0
Domain Name Expires On: 2003-11-04 23:00:00.0

Name Servers:
Name Server 1: ns1.theinkspot4u.com
Name Server 2: ns2.theinkspot4u.com
 

Finally, go to the Secretary of State website for whatever state you’ve determined the spammer is located in and search on the business name.

If you can’t find a business name on the WhoIs lookup, sometimes you can go to the website and click links like “Contact,” “About Us,” or even “Privacy” or “Legal” – and sometimes you’ll see a company name that you can find with the Secretary of State.

Click here for my list of Secretary of State websites.

Often the Secretary of State website has good (i.e., not UPS Store) addresses for the business.  More importantly, they have addresses for Registered Agents.  When suing an alleged spammer (or any corporate entity for that matter), you can have papers served on the Registered Agent instead of the alleged spammer. 

http://ccfcorp.dos.state.fl.us/corpweb/inquiry/cormenu.html

Florida Profit


EVO CLIX, INC.


PRINCIPAL ADDRESS
2198 PRINCETON STREET
SARASOTA FL 34237


MAILING ADDRESS
2198 PRINCETON STREET
SARASOTA FL 34237
 

Registered Agent

Officer/Director Detail

Here’s the spam, as it appeared in my inbox.

Don’t worry, I’ve disabled the links.
 

From: Football Madness [em@emailselections.com]                   Sent: Tue 7/29/2003 7:20 PM
To: [REDACTED]
Cc:
Subject: Free 4-Room DIRECTV System Installed

You must use promo code LABCD to receive this special promotion!

If you do not wish to receive special presents from our affiliates in the future, you may delete your email from our list by clicking here
 

Here’s the message header, referencing emailselections.com.   

X-Apparently-To: [REDACTED] via 66.218.79.81; 29 Jul 2003 18:20:20 -0700 (PDT)
X-YahooFilteredBulk: 64.253.207.32
Return-Path: <4-729031-yahoo.com?[REDACTED]@stderr.emailselections.com>
Received: from 64.253.207.32  (HELO select2.emailselections.com) (64.253.207.32)
  by mta127.mail.sc5.yahoo.com with SMTP; 29 Jul 2003 18:20:16 -0700 (PDT)
From: Football Madness <em@emailselections.com>
Subject: Free 4-Room DIRECTV System Installed
To: [REDACTED]
X-Mailer: 3.1.76-XP/NG [Jun 30 2003, 07:15:19]
MIME-Version: 1.0
Content-Type: multipart/alternative;
           boundary="------------105951693432265";
           class-id=4:19L6KLYhLuJ0Lcrr4Zru:729031
Date: Tue, 29 Jul 2003 21:20:12 EST
Message-ID: <244$6vfz8fFbfhNJfL00P70h@select2.emailselections.com>
 

Here’s the WhoIs lookup, showing that emailselections.com is registered to Ultimate Corner in St. Louis, MO.

http://www.networksolutions.com/en_US/whois/index.jhtml





emailselections.com

Domain Name.......... emailselections.com
Creation Date........ 2003-07-16
Registration Date.... 2003-07-16
Expiry Date.......... 2004-07-16
Organisation Name.... UltimateCorner
Organisation Address. P.O. Box 28336
Organisation Address.
Organisation Address. St. Louis
Organisation Address. 63146
Organisation Address. MO
Organisation Address. UNITED STATES

Name Server.......... DNS1.CYBERXHOST.NET
Name Server.......... NAME2.CYBERXHOST.NET


The previous information has been obtained either directly from the
registrant or a registrar of the domain name other than Network Solutions.
Network Solutions, therefore, does not guarantee its accuracy or completeness. 
 

Look up Ultimate Corner with the MO Secretary of State and you find full legal information.

Incidentally, Ultimate Corner has admitted to violating California's 2003 anti-spam law by not starting subject line with “ADV:”, 2) continuing to send spam even after I notified them to stop, and 3) increasing the rate of spamming after I unsubscribed via weblink and their own systems confirmed I would be removed from their database.

https://www.sos.mo.gov/BusinessEntity/soskb/csearch.asp



 

Here’s the HTML source code for the email.  Note that emailselections.com appears here too… and the numbers & codes that follow the domain name – which I redacted here – are what the alleged spammer uses to track YOU specifically.

The alleged spammer is routing the click through the emailselections.com website to put an affiliate tracking code on your click… in other words, when you click the link it redirects you though emailselections.com, adds an affiliate ID, and then sends you to the principal’s website.  So you might not know who the principal beneficiary is…

Except…

Also in the code is the URL for the principal – expertsatellite.com.  The “img src=” just before it means that the email is grabbing the image from the expertsatellite.com servers, instead of the spammer hosting the images himself. 

The point is, you now know who’s benefiting from the spam… the “principal.”

<html>
<body BGCOLOR="#FFFFFF">
<table WIDTH="323" BORDER="0" CELLPADDING="0" CELLSPACING="0" ALIGN="CENTER"><tr></tr><tr>
<td><img src="http://www.expertsatellite.com/email/nfl_stripes_email.gif" width="450" height="486" border="0" usemap="#Map"></td>
</tr><tr><td><div ALIGN="CENTER"><font FACE="Verdana, Arial, Helvetica, sans-serif" SIZE="1"><b>You must use</b></font><font SIZE="1" FACE="Verdana, Arial, Helvetica, sans-serif"><b> promo code <font COLOR="#3333FF"><u>LABCD</u></font> to receive this special promotion!</b> </font></div></td></tr></table><br>

<map name="Map">

<area shape="rect" coords="305,143,372,152" href="http://emailselections.com:8080/track?m=[REDACTED]&l=0&.e=[REDACTED]" target="_blank">
<area shape="rect" coords="7,156,448,480" href="http://emailselections.com:8080/track?m=[REDACTED]&l=0&.e=[REDACTED]" target="_blank">
<area shape="rect" coords="3,371,5,375" href="http://emailselections.com:8080/track?m=[REDACTED]&l=0&.e=[REDACTED]">
<area shape="rect" coords="5,4,445,138" href="http://emailselections.com:8080/track?m=[REDACTED]&l=0&.e=[REDACTED]" target="_blank">
</map>
</body>
</html><P><FONT size=2><FONT face=Verdana>If you do not wish to receive special presents from our affiliates in the future, you may delete your email from our list by <a href="http://emailselections.com/unsub.php?e=[REDACTED]&m=[REDACTED]">clicking here</a> <FONT color=#000000><P/>
<br>
<br><font color='#ffffff' face='arial,helvetica' size='-5' style='font-size: 1px;'>TM: <4;2x51q5JU5jRr5eYY8TYj;729031></font>
emg src="http://emailselections.com:8080/clickopen?msgid=[REDACTED]&email=[REDACTED]" width="1" height="1" alt="">

 
So now, a WhoIs lookup on expertsatellite.com shows:

http://www.networksolutions.com/en_US/whois/index.jhtml





expertsatellite.com


Organization:
      Jaserp Satellite, Inc.
      Expert Satellite
      1060 Millbury St
      Worcester, MA 01607
      US
      Phone: 508-752-7230
      Fax..: 508-752-9964
      Email: webmaster@expertsatellite.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: EXPERTSATELLITE.COM

     Created on..............: Tue, Apr 03, 2001
     Expires on..............: Sat, Apr 03, 2004
     Record last updated on..: Wed, Apr 09, 2003

Domain servers in listed order:
   NS5.ZONEEDIT.COM                                  not needed       
   NS7.ZONEEDIT.COM                                  216.111.123.5    
   NS14.ZONEEDIT.COM                                 209.126.159.80   
 

Look up “Expert Satellite” on the Massachusetts Secretary of State website and you’ll see:

http://www.sec.state.ma.us/cor/coridx.htm

Here’s the spam, as it appeared in my inbox.

Don’t worry, I’ve disabled the links. 

From: Steaks of St. Louis [em@emailselections.com]                          Sent: Tue 8/19/2003 8:14 PM
To: [REDACTED]
Cc:
Subject: Get a free Cookbook and Andria's Steak
 

Here’s the HTML source code.

I already traced emailselections.com to Ultimate Corner of St. Louis, MO (in example 3).

Let’s focus on steaksofstlouis.com, the beneficiary.

 
<html>
<body bgcolor="#ffffff">
<table width="500" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#ffffff">
<tr>
<td><a href="http://www.steaksofstlouis.com/?promo_id=11846" target="_blank">
<img src="http://www.emailselections.com/Steaks/email_030716_r1_c1.jpg" width="279" height="400" border="0">
<img src="http://www.emailselections.com/Steaks/email_030716_r1_c2.gif" width="221" height="400" border="0"></a></td>
</tr>
</table>
</body>
</html><P><FONT size=2><FONT face=Verdana>If you do not wish to receive special presents from our affiliates in the future, you may delete your email from our list by <a href="http://emailselections.com/unsub.php?e=[REDACTED]&m=[REDACTED]">clicking here</a> <FONT color=#000000><P/>
<br>
<br><font color='#ffffff' face='arial,helvetica' size='-5' style='font-size: 1px;'>TM: <4;9s25u2eK2MYD29bb7.bM;1246031></font>
<img src="http://emailselections.com:8080/clickopen?msgid=[REDACTED]&email=[REDACTED]" width="1" height="1" alt="">
 

Here’s the WhoIs lookup.  The registrant is Crown Foods, which can be traced through the Missouri Secretary of State website, coming right up.

But look at the bottom: the domain servers are “epointmarketing.com.”  What that means is, Crown Foods may own the domain name “steaksofstlouis.com” but you wouldn’t necessarily expect a food company to be very tech-savvy.  It looks like Crown Foods allows the www.steaksofstlouis.com website to be hosted by epointmarketing.  Let’s go find ‘em.

http://www.networksolutions.com/en_US/whois/index.jhtml






steaksofstlouis.com


Registrant:
Crown Foods, Inc. (STEAKSOFSTLOUIS-DOM)
5243 Manchester
St Louis, MO 63110
US

Domain Name: STEAKSOFSTLOUIS.COM

Administrative Contact, Technical Contact:
Lotz, Karla (KLB311) lotzk@CROWNFOODS.COM
Crownfoods
5432 Manchester Ave
St.Louis, MO 63100
US
(314) 645-5300 fax: 999 999 9999

Record expires on 15-Mar-2004.
Record created on 11-Sep-2002.
Database last updated on 20-Aug-2003 11:20:43 EDT.

Domain servers in listed order:

NS.EPOINTMARKETING.COM 64.119.192.25
NS2.EPOINTMARKETING.COM 64.119.192.26
 

Here’s the legal information on Crown Foods, which is actually a previous name… current name is M.C.S. Investments, Inc..

Now, on to epointmarketing… 

 
https://www.sos.mo.gov/BusinessEntity/soskb/csearch.asp



 

A WhoIs lookup on the Tucows domain registrar website – opensrs.org – for epointmarketing.com shows the following.

Guess what, the address 8170 South Eastern Ave in Las Vegas is a UPS Store.  A pretty clear indicator that ePoint Marketing is NOT a legitimate business.

But, on the assumption that the company really is incorporated in Nevada, let’s go to the Nevada Secretary of State website and find them.

http://opensrs.org/cgi-bin/whois.cgi
 

OpenSRS Whois Lookup Utility

Whois info for, EPOINTMARKETING.COM:


Registrant:
 ePoint Marketing, Inc.
 8170 South Eastern Ave
 Suite 4-506
 Las Vegas, NV 89123
 US

Domain name: EPOINTMARKETING.COM


Administrative Contact:
    Webmaster, Webmaster  webmaster@epointmarketing.com
    8170 South Eastern Ave
    Suite 4-506
    Las Vegas, NV 89123
    US
    702-407-0062
Technical Contact:
    Webmaster, Webmaster  webmaster@epointmarketing.com
    8170 South Eastern Ave
    Suite 4-506
    Las Vegas, NV 89123
    US
    702-518-3972    Fax: 702-518-3950


Registration Service Provider:
    This company may be contacted for domain login/passwords,
    DNS/Nameserver changes, and general domain support questions.


 Registrar of Record: TUCOWS, INC.
 Record last updated on 28-Mar-2003.
 Record expires on 08-Dec-2004.
 Record Created on 08-Dec-2001.

Domain servers in listed order:
    NS.EPOINTMARKETING.COM   64.119.192.25
    NS2.EPOINTMARKETING.COM   64.119.192.26

And here’s the full legal information.

http://sos.state.nv.us/corpsrch.asp