Lately I've been seeing some unusual spams. The subject lines refer to investment - 'offer for investors', 'want to invest?', and so on - and their bodies consist of just two lines, a single line of text promising the usual vast riches, followed by the URL of a website (a different site in each case). The sites indicated are about 'high-yield investing', a term that I hadn't seen before, but which sounds spammy as hell.
There are two curious things about the spams. The first is that in some cases the URL isn't the URL of any existing site: rather, it is the URL of a site belonging to a registrar or a hosting service, with a domain name tacked on the end. The second is that there doesn't seem to be any connection between the sites mentioned - no similarities in site design, in their WHOIS entries, or even in their hosting services. If they are all run by the same spammer, he's gone to unusual lengths to make them seem different. The only common link is the topic - 'high-yield investment'.
I currently receive a steady trickle of similar spams. All of them relate to 'high-yield' investment, and most of the sites referenced are either investment services (some fairly dubious-looking) or forums, although one was someone's blog. The blog has an entry in which the owner of the site protests that he isn't sending the spam. Some of the other sites carry similar denials or claims that they are being subjected to denial-of-service attacks.
Lately, the spams have started to include additional lines giving an address and some phone numbers. The address seems to be the same in each case, and appears to be that of a building managed by Star Office Space, which rents office space to a number of companies. The telephone number given has a 630 area code, which corresponds to the location of the building mentioned. Spammers have a fondness for leased office space - bulkmailer bandwidthnoc uses 'virtual offices' rented from another office space company in all its domain registrations - but it's unclear to me whether this address is the real 'payload' of the spam, or whether it's just another third party that the sender has decided to drag into the mess.
The curiously-broken URLs might be explained by spammer stupidity. It could just be a programming or templating error in their custom ratware. But the point of the exercise remains mysterious. Did they lose all their money in a failed 'high-yield' investment and decide to joe-job the entire industry by way of retaliation? Are the sites that they're really spamming for hidden somewhere in among the others? Is it an attempt to get anti-spammers to waste time reporting these sites? Or is the 'payload' really something else, such as the address and phone numbers that have just started appearing in their spams?
I'm still puzzled by this one, but here's a list of domains that have appeared in recent spams, plus their IP addresses. If there's a pattern here, I can't tell what it is.