Posts belonging to Category Computing



TenTenTwelveCorp

This entry will remain as a reference for those affected by TenTenTwelveCorp’s fraudulent emails.

If you have received spam email appearing to be from users at aubreyturner.com or aubreyturner.org please be aware that the sender information in these emails has been forged.  I cannot remove you from the email list, since I had nothing to do with sending the spam.  The spammer simply chose my domains to include in his fraudulent emails.  For an explanation of what is happening, see below for links to two articles on the topic.

If you are receiving bounces from TenTenTwelveCorp’s fraudulent emails, welcome to the club!  It seems we’ve both been Joe Jobbed by this bastard.

For more information, please read the following posts and the comments:
F****n’ Spammers
More F-‘in spammers

More F-‘in spammers

It seems like a lot of people have either been spammed by “tententwelvecorp” or have been on the receiving end of a Joe Job from their spams.  The onslaught continues apace, but I’ve learned quite a bit from the comments on my earlier post.  People have been finding my site when running searches for info on this stock scammer.

There is also some new information to put out here.  Specifically, in his latest emails he’s expanded his stock picks to include Labwire (LBWR) and Southwestern Medical INC (SWNM), and in a few he’s including a phone number for people to opt-out (since his domains seem to have been suspended).  The number given is (310)598-7434.  Searching Google and doing some reverse searches didn’t turn up anything of interest (or anything linked to “Johnson Eddisson”, should he actually exist).

I’ve also gotten a few emails via the contact form from people who are wondering what’s going on.  This is most especially true for people who don’t know much about computers or email.  I’m including my answer to the latest one here in the hope that people who search for information on this spammer will find it.  I’ve tried to make it readable for the lay person, but as always, it’s difficult to talk about computers, the Internet, and email without using some amount of jargon.

The original message:

I did a search on tententwe… and noticed that you made reference to them.  I keep getting emails (addressed to me) from people who I don’t know and it said to contact info-att-tententwelvecorp.com if I wanted them to stop.  I changed the -att- to @ and tried to send the email but it didn’t work.  I don’t know a lot about the internet.  Since it sounds like your situation might be similar, I was wondering if you could explain any of it to me?  Thank you.

My response:

What is happening here is that a spammer is using a network of infected PCs to send spam to various people.  These networks of infected PCs are often called “botnets” (from the term “robot network”).  When the PC is infected (which can occur through a virus, a worm, or a trojan) it becomes a node in the botnet and takes commands from a central controller.  In this case, the spammer is using the network of PCs to send out spam.  They do this because sending spam from a legitimate internet-connected server is a quick way to have it shut down (since this act violates the Terms of Service of almost all legitimate hosting services).  These PCs are usually connected to the internet via Cable Modem or DSL and offer a quick and anonymous method to blast out thousands of emails in a short period of time.

The other part of the problem is that the protocols used on the Internet for exchanging email don’t have any security built into them.  They were developed in an era of mutual trust when the Internet was much smaller (and only universities, the military, and very few corporations were connected).  Because the protocols are so lax, it is a simple matter for the spammer to compose a message that appears to be from someone else.  In fact, I did the same thing with the contact form that you filled out to send me your original message.  When it arrives in my Inbox it appears to be from you, even though my web server actually sent it (this is actually considered a legitimate use of the protocol, though).

Since no one likes spam, putting your real email address in the “From:” of a mass mailing is a quick way to render that email address useless.  In fact, many email providers/ISPs will cancel an account if it can be proved that the person who owns the email address actually sent the spam from it.  So, the crafty spammer will either put a bogus email in the “From:” and “Reply To:” fields, or he will put someone else’s email address in there (this is known as a “Joe Job” in that it can be a form of attack against the person whose email address was used by the spammer).

This particular spammer is just making up email addresses as he goes by picking a person’s name and then associating a made-up email address with a VALID domain (the part after the “@” sign).  An example (that I just pulled out of my Trash folder): “Rosamund Hutchins” <hfl-at-aubreyturner.org>.  There is no user named “hfl” at aubreyturner.org, and I don’t know a person named “Rosamund Hutchins.”  But anyone receiving this email will possibly think it’s from her and that it came from my domain, when in fact it came from an infected PC in Switzerland (84-72-176-238.dclient.hispeed.ch to be exact).
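To show how a forged “From:” like the one above can be spotted from the message’s own headers, here is an added Python example (not the author’s code): it compares the From: domain against the host where the message first entered the mail system (the bottom-most Received: header) using an assumed trust list of hosts allowed to send for aubreyturner.org. The sample headers are constructed around the forged address and the Swiss host quoted above; the IPs and relay names other than that host are documentation values.

```python
import email
import re
from email.utils import parseaddr

# Hosts that legitimately originate mail claiming each domain (assumed policy;
# the post only says the author's own web server sends contact-form mail).
TRUSTED_SENDERS = {
    "aubreyturner.org": {"www.aubreyturner.org", "mail.aubreyturner.org"},
    "aubreyturner.com": {"www.aubreyturner.com", "mail.aubreyturner.com"},
}

# Constructed sample modelled on the forged message quoted above: the From:
# domain is the author's, but the earliest Received: hop is the Swiss cable modem.
FORGED_SPAM = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.com with ESMTP id ABC123
\tfor <victim@example.com>; Tue, 18 Oct 2005 14:43:36 -0500
Received: from [84.72.176.238] (84-72-176-238.dclient.hispeed.ch [84.72.176.238])
\tby mx.example.net with SMTP id XYZ789; Tue, 18 Oct 2005 14:43:01 -0500
From: "Rosamund Hutchins" <hfl@aubreyturner.org>
To: victim@example.com
Subject: LBWR and SWNM set to move

(stock tout text)
"""

# Constructed sample of a legitimate notice sent by the author's own server.
SERVER_NOTICE = """\
Received: from www.aubreyturner.org (www.aubreyturner.org [203.0.113.5])
\tby mail.aubreyturner.org with ESMTP id DEF456; Tue, 18 Oct 2005 15:00:00 -0500
From: "Contact Form" <webmaster@aubreyturner.org>
To: aubrey@aubreyturner.org
Subject: New contact form message

(message text)
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)


def originating_hop(msg):
    """Hostname of the earliest (bottom-most) Received: hop, i.e. where the
    message entered the mail system. Prefers the receiving MTA's reverse-DNS
    name in parentheses over the HELO name, which the client chooses freely."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = RECEIVED_FROM.match(" ".join(hops[-1].split()))
    if not m:
        return None
    helo, paren = m.group(1), m.group(2) or ""
    name = paren.split()[0] if paren else helo
    return name.strip("[]").lower()


def entry_host(raw):
    """Convenience wrapper: originating hop of a raw RFC 822 message string."""
    return originating_hop(email.message_from_string(raw))


def from_domain(msg):
    """Domain part of the From: address ('' if absent or malformed)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def classify(raw):
    """'forged-suspect' when the From: domain has a policy and the entry hop is
    neither a trusted host nor inside that domain; 'consistent' when it is;
    'no-policy' / 'no-received' when the check cannot be made."""
    msg = email.message_from_string(raw)
    domain, hop = from_domain(msg), originating_hop(msg)
    trusted = TRUSTED_SENDERS.get(domain)
    if trusted is None:
        return "no-policy"
    if hop is None:
        return "no-received"
    if hop in trusted or hop.endswith("." + domain):
        return "consistent"
    return "forged-suspect"


if __name__ == "__main__":
    for label, raw in (("forged spam", FORGED_SPAM), ("server notice", SERVER_NOTICE)):
        print(f"{label}: {classify(raw)} (entry hop: {entry_host(raw)})")
```

This is a local heuristic that only knows what the receiving server itself wrote into the Received: chain; it says nothing about the hops a spammer may have forged below that.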

However, since I’ve configured a “catch all” address for the domain (i.e. any email that isn’t addressed to a particular user goes to this address), then I receive a message for every single spam email that did not make it to the destination (a “return to sender” or “bounce” email).  So my interest in finding and eradicating the owner of tententwelvecorp is because I own “aubreyturner.com” and “aubreyturner.org”, both of which have been used for the “From:” address in this spammer’s email blasts.  So far I’ve received well over 200 bounce messages.  It’s not clear at this point whether I (and the others who have been on the receiving end of these bounces) was selected because I ticked this guy off at some point in the past or whether he just randomly picked some domains.

Recent legislation in the U.S., called the “CAN-SPAM” act, requires that every commercial email have a valid “From:” address and include information on how to opt-out of the mailings.  None of this spammer’s messages conform to these requirements, so if he is in the United States, he could be liable for a civil judgement of up to $11,000 per violation.  Additionally, by pumping these stocks, he could also be in violation of various S.E.C. (Securities and Exchange Commission) rules (which could be a criminal matter).  So it’s no surprise that “info@tententwelvecorp.com” didn’t work.  His domain has probably been suspended because of the spam he’s been sending.  Further, it appears that his domain’s contact information is bogus, so it’s nearly impossible to contact him.

In his latest round of emails, he is now including a phone number, but I haven’t had time to investigate it.  My suspicion is that the number is either bogus or it belongs to someone he doesn’t like (who will get irate phone calls from people who got the emails).

So, to sum up this long-winded reply: “spammers suck.”

Since I wrote that reply, I’ve learned (from a commenter in the original post) that the phone number actually has a message requesting you to leave your email address to have it removed.  I’m not sure I’d trust it, though.  An asshole who would use other peoples’ domains for his bounces would just as likely take the opt-out list and use it as a list of “confirmed, hot” leads…

Update:  I see from the latest bounce that he has yet another domain, senginernd.com, which redirects to a Lycos-France member page, appearing to belong to a member called “removalsystem2”.  That site contains his “disclaimer.”  I found this bit interesting:

In compliance with the Securities act of 1933, Section 17(b), the publisher of this newsletter discloses they received payment from an unaffiliated third party for the circulation of this report in the amount of $200,000. Be aware of an inherent conflict of interest resulting from such compensation due to the fact that this is a paid advertisement and is not without bias. As we have received compensation in the form of free trading securities, we may directly benefit from any increase in the price of these securities.

So it would appear that this is a “pump and dump” sort of thing, where he is trying to inflate the price and then dump his shares.  I suppose by his disclosure he thinks he’s covering his butt legally.  Perhaps he is, as I’m not a lawyer.  But it’s pretty slimy.  Also notice that his verbiage implies that this is a “newsletter” and that there are “subscribers” (a term he used earlier in the disclaimer).

Here’s the WhoIs for senginernd.com:


Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/

Domain name: SENGINERND.COM

Registrant Contact:
  MTG-Experts
  Carl Bach (applewave@gmail.com)
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Administrative Contact:
  MTG-Experts
  Carl Bach (applewave@gmail.com)
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Technical Contact:
  MTG-Experts
  Carl Bach (applewave@gmail.com)
  +1.6025413374
  Fax: +1.5555555555
  Pol Comtois Str.
  Los Angeles, CA 60981
  US

Status: Locked

Name Servers:
  dns1.name-services.com
  dns2.name-services.com
  dns3.name-services.com
  dns4.name-services.com
  dns5.name-services.com
 
Creation date: 18 Oct 2005 14:43:36
Expiration date: 18 Oct 2006 14:43:36

I wonder if there’s really a “Carl Bach”?  It sounds fake.

F****n’ Spammers

I’m not dead.  Or at least my body continues to move about under its own power.  Allergy season just zaps the hell out of me.  And the pounding headache didn’t help.  But today seems a little better in that at least the headache is gone.

Anyhow, it seems that some “sidewindin bushwackin, hornswaglin, cracker croaker” has used one of my domains for the return address on their POS spam emailing.

So far I’ve only gotten 12 bounces, but it’s really annoying, and it’s a form of theft.  They’re stealing my resources to abdicate their own responsibility for spewing crap about some stupid penny stock.

If any of you should come across “Budget Waste Inc” or “tententwelvecorp.info”, drop a bomb on them for me.

Update:  More on this topic here.

Bring Back The Stocks

While a bit of humiliation sounds like a good idea, you have to wonder if anything short of the stocks would do any good with the bastards who install adware (or if you really want to get their attention, the pillory).

WASHINGTON—Companies could find themselves put up for public humiliation by the U.S. Federal Trade Commission if they continue to advertise through insidious ad-serving software.

Such a move might help in the battle against adware, FTC Commissioner Jon Leibowitz said Thursday at an event here hosted by the Anti-Spyware Coalition. Adware is software that displays pop-up ads on PCs, often after Internet searches.

“I think that could have a beneficial effect,” Leibowitz said in an interview. “In this context, maybe shaming a company on how they are spending money might inure to the benefit of consumer’s privacy.”

Of course, some companies wouldn’t like this idea, because it holds them accountable for the actions of their agents (the most common excuse from companies that are using adware is that “they didn’t know”).  This would be a good incentive for companies to make sure their agents are playing by the rules.

Wild Hair Programming

There’s something about travel that makes me procrastinate unpacking when I return.  So after getting in from Amarillo yesterday afternoon, I walked the dog (who was a bundle of energy after being pent up in the back seat of the Avalanche for 6 hours), stopped for dinner at Sonic, and then settled in at the computer to check up on my neglected email.  Someone sent me an email asking if I was going to be continuing the gun show listings in 2006.  I had been intending to do so, but kept putting it off.

I started checking websites and adding listings, but the way it’s set up it’s kind of a PITA to add new listings.  The form has 10 items to fill in for each show.  I started fiddling with the setup and changed some of the entry fields to drop-down lists that were prepopulated with the promoters names, URLs, and phone numbers.  This was better, but still not great, since the entries weren’t linked in any way (i.e. it was up to me to make sure I didn’t pick one promoter’s phone number and another’s URL for the same entry). 

The idea of linking the information together reminded me of a new feature I’d read about in Expression Engine 1.4:  Related Entries.  This allows you to link an individual field in one weblog entry to an entry in another weblog.  Now a weblog in EE isn’t necessarily what we think of as a weblog.  It doesn’t have to be a “diary” sort of thing.  It’s really just a container for a set of records.  EE provides a standard set of fields and you can also define your own. 

I upgraded to EE 1.4 and started by creating a new “weblog” for gunshow promoters, which contained the promoter’s name, URL, and phone number.  I changed the “promoter” field in the gunshow weblog to point to the promoter weblog and modified the gunshow weblog templates to get their information from the related entry.  Now instead of filling in three entry fields, I can select one entry from a drop-down on the EE publishing form.

The issue of gunshow locations was a bit more messy than the promoter’s basic information.  In many cases a promoter has their own webpage for a given location, so I try to link to that (e.g. Bob Norman and High Caliber both use Will Rogers, and each has a separate URL, based on which promoter is running the given show).  I created another weblog for the locations and created entries for each valid combination of venue+promoter.

Finally, I changed the ending date for each show to take advantage of the new date type fields provided by EE 1.4, which allowed me to remove the custom PHP code I had been using to display the date.

All the above was accomplished in about three hours.  I didn’t set out to upgrade the EE installation and redo everything.  I just sort of got sucked in.  But at least it was a pleasant diversion to having to unpack.

So far I have to say that I’ve been fairly pleased with each new release of Expression Engine.  Each time I upgrade I find that I end up removing bits of the custom code that I had originally added to do something that EE’s creators hadn’t planned.  And the upgrades have been fairly painless in that all it takes is uploading the new files and running an upgrade script.  The only breakages I’ve had were in places where my custom code conflicted with the new EE feature that replaced it.

137.59 - A Thievery Number

I received a rather alarming email from my hosting provider today, informing me that I was using an excessive amount of CPU, to the tune of 137.59 CPU minutes today.  Further, my account was now to be subject to resource monitoring (starting tonight).  The email was to inform me that I needed to start watching the resource monitor logs to find the source of the excessive usage.

Well, it didn’t take me long to find the likely source, even though I hadn’t yet been able to see the resource logs.  A quick look at the Apache access.log shows that the bastard spammers are hitting my server about 30,000 times per day trying to insert their crap into my referral logs.  The referral attack is the most common one that is launched against EE weblogs, since comment and trackback spam is much more difficult with EE.  Because of this problem I’d turned off referrers about two months ago and I’d made the old referrer template inaccessible to anyone who was not a logged in member. 

I thought (mistakenly) that by making the referral information inaccessible the asshat spammers would lose the incentive to spam my referrer scripts and would eventually give up.  Instead, it appears that they stepped up their attempts to the point of verging on a DDoS attack.

So today I took more drastic action.  I used the .htaccess feature of EE’s Blacklist module to block these bastards before they can even hit EE, which should cut down dramatically on the number of PHP sessions and database connections.  Since about 2:00pm today 10,609 spam referral attempts have already been blocked.
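An added example (not EE’s Blacklist module or any code from this post) of the triage behind that kind of .htaccess block: it counts referrer hits per host over constructed Apache combined-format log lines and renders mod_rewrite rules that answer matching referrers with a 403 before any PHP session or database connection is opened. The hit threshold and the list of the site’s own hosts are assumptions; the IPs and referrer domains in the sample log are documentation values.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed access.log lines in Apache combined format, modelled on the
# referrer-spam traffic described above (hosts and IPs are documentation values).
ACCESS_LOG = """\
192.0.2.44 - - [18/Oct/2005:14:03:11 -0600] "GET /index.php/weblog/ HTTP/1.1" 200 5123 "http://pills.example.net/buy" "Mozilla/4.0"
192.0.2.44 - - [18/Oct/2005:14:03:12 -0600] "GET /index.php/weblog/ HTTP/1.1" 200 5123 "http://pills.example.net/cheap" "Mozilla/4.0"
198.51.100.7 - - [18/Oct/2005:14:03:15 -0600] "GET /index.php/weblog/guns/ HTTP/1.1" 200 7040 "http://www.aubreyturner.com/index.php/weblog/" "Mozilla/5.0"
203.0.113.9 - - [18/Oct/2005:14:03:20 -0600] "GET /index.php/weblog/ HTTP/1.0" 200 5123 "http://casino.example.org/" "Mozilla/4.0"
203.0.113.9 - - [18/Oct/2005:14:03:21 -0600] "GET /index.php/weblog/ HTTP/1.0" 200 5123 "http://casino.example.org/" "Mozilla/4.0"
192.0.2.45 - - [18/Oct/2005:14:03:30 -0600] "GET /index.php/weblog/ HTTP/1.1" 200 5123 "http://pills.example.net/" "Mozilla/4.0"
198.51.100.8 - - [18/Oct/2005:14:04:02 -0600] "GET /images/dog.jpg HTTP/1.1" 200 31200 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Oct/2005:14:04:10 -0600] "GET /index.php/weblog/ HTTP/1.0" 200 5123 "http://casino.example.org/" "Mozilla/4.0"
192.0.2.46 - - [18/Oct/2005:14:04:15 -0600] "GET /index.php/weblog/ HTTP/1.1" 200 5123 "http://pills.example.net/" "Mozilla/4.0"
"""

# The site's own hostnames, whose referrers are normal internal navigation (assumed).
OWN_HOSTS = {"aubreyturner.com", "www.aubreyturner.com", "aubreyturner.org", "www.aubreyturner.org"}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def referrer_counts(log_text):
    """Count hits per referring host, skipping direct visits and own domains."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("referer") == "-":
            continue
        host = (urlsplit(m.group("referer")).hostname or "").lower()
        if host and host not in OWN_HOSTS:
            counts[host] += 1
    return counts


def spam_referrers(log_text, threshold):
    """Hosts with at least `threshold` referrer hits: a constructed heuristic,
    since no legitimate site sends the same referrer thousands of times a day."""
    return {h: n for h, n in referrer_counts(log_text).items() if n >= threshold}


def htaccess_rules(hosts):
    """Render mod_rewrite rules that return 403 for those referrers, so the
    request dies in Apache before EE's PHP code is ever reached."""
    hosts = sorted(hosts)
    if not hosts:
        return ""
    lines = ["RewriteEngine On"]
    for i, host in enumerate(hosts):
        flags = "[NC,OR]" if i < len(hosts) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{HTTP_REFERER}} {re.escape(host)} {flags}")
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(htaccess_rules(spam_referrers(ACCESS_LOG, threshold=3)))
```

On a real log the threshold should be set from a day's counts, and the generated rules reviewed before they go into .htaccess, since a popular legitimate referrer would be blocked just the same.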

While I was at it I also disabled hotlinking of all images on this domain from outside domains.  Analysis of my logs shows that there were a lot of young thug-wannabes who were linking to my gun pictures from their horribly formatted online profiles.  Some examples:
Bustmygunphilly (definitely not safe for work)
cameronknight
Bobby04
airlydzie

It’s kind of funny to see their attempts to hotlink my gun pictures replaced with this:
(image: Don’t steal my dog’s treats)

Unhealthy Obsession

I’ve heard of people being addicted to video games before, but this guy may be the first to show that what might sound like a fairly harmless addiction can be deadly.

A South Korean man who played computer games for 50 hours almost non-stop died of heart failure minutes after finishing his mammoth session in an Internet cafe, authorities said on Tuesday.

The 28-year-old man, identified only by his family name Lee, had been playing online battle simulation games at the cybercafe in the southeastern city of Taegu, police said.

Or perhaps he just had a bad ticker…

Engage Shields!

A common problem faced by both Google and bloggers is that sometimes a post will unexpectedly become the number one link for a common search term, leading a gaggle of unsuspecting web users to the bloggers site.

It is certainly possible for a website to determine that a user landed there via a search engine, since the referrer URL contains the search terms and the URL of the search engine.  In fact, there is already a plugin for Expression Engine that examines the referrer field to highlight search terms in the text of the page.  It occurred to me that this could potentially be modified to redirect the user to an intermediate page for certain posts.  This page would warn the user that they had landed on a private weblog and give them the option of returning to Google or going on to the actual article.

The behavior of the plugin could be controlled through the addition of a new flag to the set of fields stored for each weblog entry.  If someone really wanted to do it nicely, a second field could be added that contained custom text to be displayed on the intermediate page for that specific post. 
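As an added sketch of the shield logic described above (not code from any Expression Engine plugin): the referrer is parsed for a search query, and a per-entry flag plus optional notice text, standing in for the two new weblog fields proposed here, decide whether the visitor is sent to the intermediate page. The search-engine table and the entry records are constructed sample data.

```python
from urllib.parse import parse_qs, urlsplit

# Search engines whose referrer URL carries the query, keyed by a host
# fragment and the query parameter name (constructed table).
SEARCH_ENGINES = {"google.": "q", "search.yahoo.com": "p", "search.msn.com": "q"}

# Per-entry flag and optional interstitial text, standing in for the two new
# weblog fields proposed above (constructed sample records).
ENTRIES = {
    "weblog/my_private_rant": {
        "shielded": True,
        "notice": "You have landed on a personal weblog, not a reference site.",
    },
    "weblog/gun_show_listings": {"shielded": False, "notice": ""},
}


def search_terms(referrer):
    """Return the search query carried by a search-engine referrer, or None
    when the referrer is empty, not a search engine, or has no query."""
    if not referrer:
        return None
    parts = urlsplit(referrer)
    host = (parts.hostname or "").lower()
    for fragment, param in SEARCH_ENGINES.items():
        if fragment in host:
            values = parse_qs(parts.query).get(param)
            return values[0] if values else None
    return None


def shield_decision(entry_path, referrer):
    """Decide what to do with a request for `entry_path` arriving from `referrer`.
    Returns ('interstitial', details) for a shielded entry reached via a search,
    otherwise ('serve', None) so the article is shown directly."""
    entry = ENTRIES.get(entry_path)
    terms = search_terms(referrer)
    if entry and entry["shielded"] and terms is not None:
        return "interstitial", {"terms": terms, "notice": entry["notice"], "back": referrer}
    return "serve", None
```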

I think of it as sort of like shields for your weblog.

If I don’t discover that someone has already done so, I may code up something like this when I get the time (which may be some time next winter the way things are going right now).

You Must Be Proactive

I saw an interesting post on Jay Allen’s comment spam weblog yesterday concerning what happens if you don’t take an active role in monitoring your weblog for spam.  It turns out that leaving spam on your site attracts more spam.  I hadn’t really given it much thought before, since I tend to be very quick to remove spam.  To me it’s a lot like online graffiti or vandalism.  I consider it a defacement to my site.

Anyhow, on further reflection, it makes sense.  The purpose of comment and trackback spam is to get the Googlebot to find it and index the links, thereby driving up the referrer count for the spamvertised site.  If you leave the crap in your weblog long enough for it to get indexed by Google, it shows the spammer that they were successful and they’ll come back to your site to leave more spam. 

An informal experiment run by one blogger showed that two spams left in one of her articles attracted 365 new spams within 24 hours.

Since I’ve been unable to reach Bitter by email, I’m despamming The Bitch Girls myself.  I’m doing it in batches, and so far I’ve removed 575 trackback spams.  I don’t know how many more there are to do, but it’s a time-consuming process, since the blacklist code rebuilds each entry as it goes.  After years of using MT, I have come to loathe rebuilds (in fact, rebuilds are the main reason I moved to EE).

Still, in the end it will be worth it to make the site less attractive to spammers, which should hopefully cut down the resources (CPU and bandwidth) being wasted by these scumsuckers.

Update: It looks like every trackback since 1/26/2005 was spam, for a total of 1030 bad trackbacks that I deleted.  There was also one comment in the last 500 that I removed (some sort of credit card spam).

Boobie Prize

Over the weekend I decided to clean out the guest room closet.  It was the place where I dumped a bunch of stuff that I wasn’t sure what to do with when I moved.  It was a case of out-of-sight, out-of-mind.  It’s also where I keep all my suitcases and extra gun cases as well as the vacuum cleaner.  So every time I wanted to get to some of those items I was confronted with the pile-o-crap in there.

One of the things I kept in there was a stack of old computers and cases.  There were two whole computers, one empty case, and one partial computer (an old K6-2 450 missing a hard drive).  I pulled all of these out and it made quite a difference in the amount of usable space.  Since I didn’t really have a use for them, and they were pretty old, I decided to pull out any useful parts and ditch what was left.

I’m not sure what I’m going to do with these parts, but here’s the haul:

  • Three PCI video cards (two TGUI9660’s and one unknown 3Dfx card)
  • Two modems (one ISA)
  • Three LNE100TX 10/100 Ethernet cards (PCI)
  • A SoundBlaster 32PNP (ISA)
  • Three hard drives (2.5 GB, 4.0 GB, and 1.6GB)
  • Two ATX 2.0 300 watt power supplies (Antec and PC Power & Cooling)
  • Three CD-ROM drives (24X to 48X)
  • An ASUS P5A with a K6-2 450 and 128MB of RAM
  • One full tower Inwin case (sans power supply)

Most of it isn’t very useful, but I just couldn’t bring myself to throw it out.  The hard drives I kept because I didn’t want any of the data to get out and I didn’t feel like messing with them to wipe the drives.  I suppose I could throw these parts together and make a system that could be used for web browsing and email (and probably put Linux on it, since it seems to work better with underpowered hardware than Windows, not to mention it’s a lot cheaper).  But I don’t have a need for such a system.

Anyhow, I put the two old computers and one empty case out on the street at 6:15am.  By 7:45am when I went out again both of the semi-whole computers were gone and the side of the empty case was off.  Obviously whoever took the other two decided that a completely bare case wasn’t worth messing with.

The two old computers were a Cyrix 133 (P5 equivalent) and a Pentium MMX 200, circa 1996.  So I suspect the person who took them won’t be getting quite the prize he or she expected.  Not to mention that I stripped them such that only the power supply, motherboard, processor, and memory were left.