Who are the WinPopUP Culprits?
Extort - To obtain from another by coercion.
It is ironic that 90% of the messenger spam I see is promoting
products to block messenger spam. They'll keep broadcasting
their message until I purchase their products? Sounds like
extortion to me! This business plan of theirs is even more
surprising considering that it is easy and free to disable
the Microsoft service which allows such messages to be received
in the first place. (Click here
to test your computer for vulnerability to Windows PopUP spam
and information on how to rectify that vulnerability.)
Aside from noting the huge proportion of pop-ups that promote
tools to prevent pop-ups, my investigation yielded interesting
information about the offending companies and their products.
What I initially thought was ten to twenty different companies/products
really appears to be three or four companies using a wide
variety of names (i.e., messagestop.net, messengerbegone.com,
destroyads.com, directadstopper.com, messengerdestroyer.com,
endads.com, defeatmessenger.com, messagebasher.com, broadcastblocker.com,
messengerstopper.com) to advertise just three or four unique
products. Many of these products seem to correlate back to
P.O. boxes in San Diego, California, so I suspect the true
number of companies may even be smaller.
The Investigation
Starting at about 2pm Eastern today I fired up my packet
analyzer so I could capture specific details of exactly what
kinds of Messenger spam my computer (using Comcast Cable modem)
is receiving. After 90 minutes I had received three Messenger
Spams. Further analysis revealed that all three of the IP
addresses that I caught sending me spam have been detected
by hundreds of myNetWatchman Agents.
PopUp Spam One
The first popup I received was promoting a Messenger-spam
blocking application and directed me to www.DirectAdStopper.com.
Using the packet analyzer I was able to determine that the
message was actually sent from an IP address of 202.131.221.61
— a system in Guangzhou, China. After surfing to the
above web site I was offered "Messenger Killer"
for the low, low price of $24.95.
The website mentioned above, hosted at IP 204.174.223.15,
is owned by NetNation Internet Inc., a web hosting company
in Vancouver. Clicking the 'Buy Now' link directed me to a
payment processing site, www.onlineamericanpaymentprocessing.com/order_killmessenger.pl,
whose IP address (64.177.254.3) is owned by Alabanza, Inc.
Details of this incident, as reported by myNetWatchman Agents,
can be seen here.
PopUp Spam Two
A short while later I received a second popup, this time
directing me to the site www.messengerdestroyer.com. The message
came from 204.15.192.64 (also in China). This site is hosted
at the exact same IP as DirectAdStopper.com (204.174.223.15).
In this case I was offered a product called "Messenger
Blocker" for $29.95 — but a web-coupon offered
a few screens later saves me $5.00, making this as good a
deal as Messenger Killer! Clicking the 'Buy Now' link forwarded
me to the same payment site as above.
Details of this incident, as reported by myNetWatchman Agents,
can be seen here.
PopUp Spam Three
A few minutes passed before I got a third popup, this one
from 210.5.22.10 (China yet again), directing me to www.endads.com.
This domain is hosted at 216.17.101.160, owned by a web hosting
company in San Diego called Phatservers.net. The 'Buy Now' link
directed me to 64.94.118.66, an address hosted by the large
ISP Internap.
Details of this incident, as reported by myNetWatchman Agents,
can be seen here.
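The grouping argument made above (many advertised names, few operators) can be reproduced mechanically. The following is an added example, not part of the original investigation: it links sites that share a hosting IP or a payment host, using only the three observations recorded on this page. Treating shared infrastructure as a sign of common operation is a heuristic assumption, since unrelated sites can share a hosting IP, and the function name is hypothetical.

```python
from collections import defaultdict

# Observations transcribed from the three incidents described on this page:
# (advertised site, web-hosting IP, payment host reached via 'Buy Now').
OBSERVATIONS = [
    ("directadstopper.com", "204.174.223.15", "64.177.254.3"),
    ("messengerdestroyer.com", "204.174.223.15", "64.177.254.3"),
    ("endads.com", "216.17.101.160", "64.94.118.66"),
]


def cluster_by_shared_infrastructure(observations):
    """Group sites that share a hosting IP or a payment host (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Nodes are typed so a hosting IP and a payment IP are never confused.
    for site, host_ip, pay_ip in observations:
        union(("site", site), ("host", host_ip))
        union(("site", site), ("pay", pay_ip))

    groups = defaultdict(set)
    for site, _, _ in observations:
        groups[find(("site", site))].add(site)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    for n, sites in enumerate(cluster_by_shared_infrastructure(OBSERVATIONS), 1):
        print(f"operator cluster {n}: {', '.join(sites)}")
```

Links are transitive, so a site that shares only a payment host with one member of a cluster and only a hosting IP with another still lands in that cluster.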