Welcome to the Canary Trap

Mortgage and Credit Companies that buy leads from Spammers

These companies are listed here to enable their managers to identify the spammers from whom they are buying leads. The names shown below (e.g. "Richard Head," "Boris Foulenov") provide unique tracing information to help the companies identify these spammers and discontinue doing business with them.

What is a canary trap?

A canary trap is a counterintelligence technique that is used for exposing spies. Suppose you have four people in positions of trust, and you think one is betraying you. You entrust each with secret information, but you give each a unique version of the information. If the information later shows up in the possession of the enemy, you know who to put on trial for treason.

This technique might also be usable for privacy issues. Suppose you give your address to organizations or companies A, B, C, and D, each of which promises not to share the information with junk mailers. Your real address is 123 Pine Road, Anytown PA 17002. But you give Organization A the additional line "Attention Department 1," Organization B the line "Attention Department 2," or something similar for each.

Then if you get junk mail addressed to "Department 2," you know that Organization B has not respected your privacy and has sold your address to junk mailers. You can treat Organization B accordingly (discontinuing purchases from them if they're a business, quitting if they're an organization, and possibly warning everyone you know about their practices).
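The address scheme described above, as an added example that is not part of the original page: it issues one tagged copy of the address per organization and attributes a leaked copy back to its source. It goes beyond the sequential "Department 1, 2" numbering by deriving each code from a keyed hash so a tag cannot be guessed; the class name `CanaryRegistry`, the secret key and the six-character tag format are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample data: the address and organization names follow the
# page's illustration; the secret key and tag format are assumptions.
REAL_ADDRESS = ["123 Pine Road", "Anytown PA 17002"]
SECRET = b"constructed-demo-key-keep-private"
TAG_RE = re.compile(r"attention\s+department\s+([0-9a-f]{6})\b", re.IGNORECASE)


class CanaryRegistry:
    """Issues one uniquely tagged copy of an address per recipient and
    attributes a leaked copy back to the recipient it was given to."""

    def __init__(self, secret, address_lines):
        self._secret = secret
        self._address = list(address_lines)
        self._recipients = []

    def _tag(self, recipient):
        # Keyed hash: stable for a recipient, unguessable without the key.
        mac = hmac.new(self._secret, recipient.lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:6]

    def issue(self, recipient):
        """Return the address variant to hand to this recipient only."""
        if recipient not in self._recipients:
            self._recipients.append(recipient)
        return [f"Attention Department {self._tag(recipient)}"] + self._address

    def trace(self, leaked_text):
        """Return the recipient whose copy appears in leaked_text, or None
        if there is no tag or the tag was never issued."""
        match = TAG_RE.search(leaked_text)
        if match is None:
            return None
        seen = match.group(1).lower()
        for recipient in self._recipients:
            if hmac.compare_digest(seen, self._tag(recipient)):
                return recipient
        return None


def demo():
    registry = CanaryRegistry(SECRET, REAL_ADDRESS)
    orgs = ("Organization A", "Organization B", "Organization C", "Organization D")
    issued = {org: registry.issue(org) for org in orgs}
    # Constructed junk-mail label: Organization B's variant after a mailer
    # upper-cased it and changed the spacing and street abbreviation.
    code = issued["Organization B"][0].split()[-1].upper()
    label = f"OCCUPANT, ATTENTION  DEPARTMENT {code}, 123 PINE RD, ANYTOWN PA 17002"
    untagged = "Occupant, 123 Pine Road, Anytown PA 17002"
    never_issued = "Attention Department 000000, 123 Pine Road"
    return registry.trace(label), registry.trace(untagged), registry.trace(never_issued)


if __name__ == "__main__":
    print(demo())
```

Only the tag is matched, so the attribution survives a mailer reformatting the rest of the address; a copy with no tag, or with a tag that was never issued, is reported as unattributable rather than guessed at.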
 

Thus, any phone call asking for "Dick Head" proves that the mortgage or credit company got this information from outoutforyouandme.com.

10/7/03 I received a call from Credit Counseling Express, asking for "Richard Head," which showed Credit Counseling Express' connection with this spammer. The manager said he would "look into it."

123awayoutofdebt.com, outoutforyouandme.com, and reducebillsandgetoutofdebt.com (see at right) seem to be the same organization. All trace back to Haninternet in Korea, which may have even shut down the first two domains (as of 9/6/03) for Internet abuse.

Awayoutofdebtfast

www.awayoutofdebtfast.com resolves to 61.252.159.20

whois -h magic awayoutofdebtfast.com

awayoutofdebtfast.com is registered with NETWORK SOLUTIONS, INC. - redirecting to whois.networksolutions.com


Registrant:
J Marketing (NXKTORCQYD)
   133 rue gregoire
   petion ville, haiti wi
   HT

   Domain Name:  AWAYOUTOFDEBTFAST.COM

   Administrative Contact:
      J M, J M  ( 35346024P) webgost2000@hotpop.com
      133 rue gregoire
      petion ville, haiti wi
      HT
      0115092572325
   Technical Contact:
      Network Solutions, Inc.  (HOST-ORG) customerservice@networksolutions.com
      21355 Ridgetop Circle
      Dulles, VA 20166
      US
      1-888-642-9675 fax: 123 123 1234

   Record expires on 06-Jul-2004.
   Record created on 06-Jul-2003.
   Database last updated on 12-Sep-2003 23:08:18 EDT.

   Domain servers in listed order:

    NS1.LMIHOSTING.COM           61.252.159.18
   NS2.LMIHOSTING.COM           61.251.19.195


query: 61.252.159.20

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
The IP address is allocated and still held by the following ISP, or
they did not update whois information after assigning to end-user.

Please see the following ISP contacts for relevant information
or network abuse complaints.

[ ISP Organization Information ]
Org Name : HANINTERNET
Service Name : HANINTERNET
Org Address : SK Twintech A 1009, 345-9 Kasan Kumchon

[ ISP IP Admin Contact Information ]
Name : YoungDong Kim
Phone : +82-2-860-8143
Fax : +82-2-852-8535
E-Mail : iservice haninternet.co.kr

[ ISP IP Tech Contact Information ]
Name : Raeeun Yeo
Phone : +82-2-860-8144
Fax : +82-2-852-8535
E-mail : ip haninternet.co.kr





9/2/03 I received a call from Credit Counseling Express, from an individual who represented himself as Patrick McCarthy. He asked for "Michael Hunt," which showed Credit Counseling Express' connection with this spammer. He also defended the practice of spamming, stating that one can just delete unwanted messages, and he asked whether I had better things to do with my time.
9/6/03 I received a call from U.S. Credit Management, also asking for "Michael Hunt." Their person also was very indignant and suggested that I "just hit delete" (or the equivalent). He said he got this information ("Michael Hunt") from a "reputable" source from which he obtained numerous valid leads. I offered to E-mail him evidence that his source is a spammer but he wasn't interested, and he was upset about my "wasting his time." Well, the spammer from which he obtains his leads has wasted plenty of my time.

The following shows just how "reputable" www.reducebillsandgetoutofdebt.com is.

www.reducebillsandgetoutofdebt.com resolves to 61.252.159.20

whois -h magic reducebillsandgetoutofdebt.com

reducebillsandgetoutofdebt.com is registered with NETWORK SOLUTIONS, INC. - redirecting to whois.networksolutions.com

Registrant:
J Marketing (HGVJZYVSHD)
   133 rue gregoire
   petion ville, haiti wi
   HT

   Domain Name: REDUCEBILLSANDGETOUTOFDEBT.COM

   Administrative Contact:
      J M, J M  (35346024P) webgost2000@hotpop.com [not a valid E-mail address]
      133 rue gregoire
      petion ville, haiti wi
      HT
      0115092572325
   Technical Contact:
      Network Solutions, Inc.

http://whois.nic.or.kr/ lookup of the IP address shows that this "reputable firm" has to find Web hosting in Korea, perhaps because U.S. service providers will take it down for Internet abuse. Haninternet, in fact, may have terminated two of this individual's domains (see at left) for Internet abuse. Furthermore, the spamvertized Web page has no telephone contact information or street address. Someone who has to do business anonymously from Korea is obviously a bad actor.
query: 61.252.159.20

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
The IP address is allocated and still held by the following ISP, or
they did not update whois information after assigning to end-user.

Please see the following ISP contacts for relevant information
or network abuse complaints.

[ ISP Organization Information ]
Org Name : HANINTERNET
Service Name : HANINTERNET
Org Address : SK Twintech A 1009, 345-9 Kasan Kumchon


  
I understand from news.admin.net-abuse.email that "Adam Henry" is police shorthand for "Assh**e," as denoted by AH.

www.slashmonthlypayments.com resolves to 61.251.19.197

whois -h whois.networksolutions.com slashmonthlypayments.com

Registrant:
Slash Monthly Payments, Inc. (FVATIWCVKD)
   1200 Boca Raton Blvd.
   Boca Raton, FL 33432
   US

   Domain Name:  SLASHMONTHLYPAYMENTS.COM

   Administrative Contact:
      Admin, Domain  ( 35497563P) xxxadultdirect@hotmail.com
      Slash Monthly Payments, Inc.
      1200 Boca Raton Blvd.
      Boca Raton, FL 33432
      US
      561-368-1242
   Technical Contact:
      Network Solutions, Inc.
http://whois.nic.or.kr/ query: 61.251.19.197

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
The IP address is allocated and still held by the following ISP, or
they did not update whois information after assigning to end-user.

Please see the following ISP contacts for relevant information
or network abuse complaints.

[ ISP Organization Information ]
Org Name : Bittel
Service Name : Bittel
Org Address : 613 LG Palace, 165-8, Donggyodong, Mapogu, Seoul, Korea
Yet another reputable credit counseling service that has to base its Web site offshore- with a really reputable service provider, as shown here:
  abuse@bittel.net
SMTP error from remote mailer after RCPT TO:<abuse@bittel.net>:
host mail.bittel.net [210.97.240.2]: 550 <abuse@bittel.net>... User unknown


Full headers of the spam (showing just how "reputable" this organization is)
From - Sun Sep 07 12:40:03 2003
X-UIDL: 19W0Yo1do3NZFlr0
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Status: U
Return-Path: <marymillerszggmffe@kyros.net>
Received: from mail.kyros.net ([212.97.55.19])
by killdeer (EarthLink SMTP Server) with ESMTP id 19W0Yo1do3NZFlr0
Sun, 7 Sep 2003 07:57:03 -0700 (PDT)
Received: from mail.kyros.net [218.123.56.83] by mail.kyros.net
(SMTPD32-7.07) id A6DB68F00C8; Sun, 07 Sep 2003 16:55:23 +0200
To: <bower>

A telephone call was received from Debt Solutions International on September 28, which said it got leads from "several different sources." The caller was not overly interested in pursuing the issue of obtaining leads from a spammer.

manaboutleads.com resolves to 216.53.142.41

www.manaboutleads.com resolves to 216.53.142.41

Mail for manaboutleads.com is handled by manaboutleads.com (0) 216.53.142.41

whois -h magic manaboutleads.com

manaboutleads.com is registered with GO DADDY SOFTWARE, INC. - redirecting to whois.godaddy.com

Too bad for manaboutleads.com. (They were, in fact, terminated.)

A WARNING TO POTENTIAL SPAMMERS

"Go Daddy Software, Inc. does not tolerate UBE (Unauthorized Bulk Email) and will not allow our servers or services to be used for such purposes."


(Remember Boris Badenov, a joke modification of Boris Godunov, from the Bullwinkle cartoons?) I've also assigned Boris to http://mailbx.net/debt/?bilge, which is registered to the same individual.

(See also the one at left)

debtzap.biz resolves to 216.53.142.41

www.debtzap.biz resolves to 216.53.142.41

Mail for debtzap.biz is handled by debtzap.biz (0) 216.53.142.41

  Search results for: 216.53.142.41  

OrgName: MPInet
OrgID: MPRD
Address: 1101 N. Keller Rd.
Address: Suite B
City: Orlando
StateProv: FL
PostalCode: 32810
Country: US

NetRange: 216.53.128.0 - 216.53.255.255
CIDR: 216.53.128.0/17
NetName: MPRD-MPINET
NetHandle: NET-216-53-128-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.MPINET.COM
NameServer: NS2.MPINET.COM
Comment: For abuse and/or spam complaints, please email
Comment: abuse mpinet.com.
RegDate: 1999-06-10
Updated: 2003-01-06

TechHandle: IAS6-ARIN
TechName: IP Admin Services
TechPhone: +1-407-660-7900
TechEmail: ipadmin mpinet.com

OrgTechHandle: IAS6-ARIN
OrgTechName: IP Admin Services
OrgTechPhone: +1-407-660-7900
OrgTechEmail: ipadmin mpinet.com

I received a call from Ron Dague at Heritage Management on 10/17/03. When I suggested that he stop dealing with spammers, he told me he was not in a decision-making position. When I asked him to put me through to someone who was, he said he wouldn't do that because he didn't think they wanted to deal with the issue.



www.anewwayouforyou.com resolves to 61.252.159.20

whois -h magic anewwayouforyou.com

Registrant:
J Marketing (HLAFVIJQBD)
   133 rue gregoire
   petion ville, haiti wi
   HT

   Domain Name:  ANEWWAYOUFORYOU.COM

   Administrative Contact:
       M., J.  (35346024P) webgost79@yahoo.com
      133 rue gregoire
      petion ville, haiti wi
      HT
      0115092572326

deliversint.com resolves to 218.22.14.106

www.deliversint.com resolves to 218.22.14.106

Yet another reputable offshore company

Administrative Contact: 
zhu hai
zhu hai
2189 maihui road
zhu hai Guangdong 519075
China
tel: 86 0756 2630101 
fax: 86 0756 2630101 
terywangd1@yahoo.com.cn



premieres4.com resolves to 218.22.14.106

www.premieres4.com resolves to 218.22.14.106
(same as deliversint)

10/27/03 I received a call from Steve at Dana Capital asking for Jacques Cass.
I E-mailed a copy of the spam to Dana Capital as proof that this site was indeed advertised by spam.


bettertra.com resolves to 218.22.14.107

www.bettertra.com resolves to 218.22.14.107


inetnum:      218.22.0.0 - 218.23.255.255
netname: CHINANET-AH
descr: CHINANET Anhui province network

person:       Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-66027334
e-mail: hostmaster ns.chinanet.cn.net
e-mail: anti-spam ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster ns.chinanet.cn.net 20021016

Guaranteed Home Mortgage Company (11/4/03), this one went to you.


freeloanquote.net resolves to 202.104.197.58

www.freeloanquote.net resolves to 202.104.197.58

Mail for freeloanquote.net is handled by mail.freeloanquote.net (10) 202.104.197.58

whois -h whois.enom.com freeloanquote.net

Registration Service Provided By: Active-Domain Co.
Contact: admin active-domain.com

Domain name- freeloanquote.net

Name servers- 
    DNS1.NAME-SERVICES.COM
    DNS2.NAME-SERVICES.COM
    DNS3.NAME-SERVICES.COM
    DNS4.NAME-SERVICES.COM
    DNS5.NAME-SERVICES.COM

Created- Jan 09 2003 00:00:00
Expires- Jan 09 2004 00:00:00

Registrant Contact-
   Net Marketing
   Net Marketing   (netmarketing@freeloanquote.net)
   555 555 5555
   FAX- none
   NA
   NA, CA NA
   US


inetnum:      202.104.197.32 - 202.104.197.63
netname: LD-HY-LTD
descr: LUODIN HUYI CO.LTD
country: CN
admin-c: WZW5-AP
tech-c: WZW5-AP
mnt-by: MAINT-CHINANET-GD
changed: ipadm gddc.com.cn 20020114
status: ASSIGNED NON-PORTABLE
source: APNIC
changed: hm-changed apnic.net 20020827
person: WANG ZI WEIZYUA
address: NO.28,INDUSTRY 3 RO.,LUODING
country: CN
phone: +86-766-3839445
fax-no: +86-766-3826777
e-mail: ipuser gddc.com.cn
nic-hdl: WZW5-AP
mnt-by: MAINT-CHINANET-GD
changed: ipadm gddc.com.cn 20020114
source: APNIC

I got THREE calls for "Merde deCambronne." I E-mailed a copy of the spam to the three companies that called me, and I sent the following to them. (Theloanpage.com may well be obtaining these leads in good faith, but will hopefully stop patronizing freeloanquote.net as a result of this.)

Per our discussion, here is the spam E-mail that led to you getting the contact "Merde deCambronne." The ONLY possible source for this name (and my phone number) is freeloanquote.net, which was advertised in the spam. (The lady who called me also mentioned theloanpage.com. See http://samspade.org/t/lookat?a=theloanpage.com, this contact information looks accurate). As you can see, the owner of freeloanquote.net has provided inaccurate contact information in his registration records because he obviously does not want to be contacted about spam (and I have reported him to his registrar for doing this). In addition, his Web domain is based in China because it would obviously be shut down for spamming if it was based in the United States.

I am not sure if you want to continue doing business with someone who provides phony contact information in his registration records and bases his operations in China.


topten-ranking.com resolves to 61.172.244.181

www.topten-ranking.com resolves to 61.172.244.181


Registrant:
Eric M (TOPTEN-RANKING-COM-DOM)
12 Chung Cheng Rd., Hsin Chuang
Taipei Hsien, TW 00002
Taiwan
886-2-8992-1221
yesme2800@yahoo.com.tw

Domain Name: TOPTEN-RANKING.COM

Administrative Contact:
Eric M yesme2800 yahoo.com.tw
12 Chung Cheng Rd., Hsin Chuang
Taipei Hsien, TW 00002
Taiwan
886-2-8992-1221

Technical Contact, Zone Contact:
Eric M yesme2800 yahoo.com.tw
12 Chung Cheng Rd., Hsin Chuang
Taipei Hsien, TW 00002
Taiwan
886-2-8992-1221

inetnum: 61.172.244.0 - 61.172.244.255
netname: GAMANIA-DIGITAL
descr: GAMANIA DIGITAL ENTERTAINMENT CO.,LTD
country: CN





beyounghgh.biz resolves to 218.65.120.163 219.147.174.6 219.147.174.7 218.65.86.24

www.beyounghgh.biz resolves to 218.65.120.163 219.147.174.6 219.147.174.7 218.65.86.24


inetnum:      218.64.0.0 - 218.65.127.255
netname: CHINANET-JX
country: CN
descr: CHINANET jiangxi province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032

e-mail: hostmaster public1.nc.jx.cn
trouble: send spam reports to hostmaster public1.nc.jx.cn
trouble: and abuse reports to hostmaster public1.nc.jx.cn

Debt Solutions International called me on November 12 2003
and asked for Mot deCambronne.

www.gibox.com resolves to 61.252.159.20
whois -h magic gibox.com

gibox.com is registered with COMPUTER SERVICES LANGENBACH
GMBH DBA JOKER.COM - redirecting to whois.joker.com

whois -h whois.joker.com gibox.com

domain:       gibox.com
status:       production
organization: DRUGSTORE INC
owner:        Richard Xue
email:        pharmstop@yahoo.com
title:        President
address:      BB 49 LOT 73
city:         TW
state:        HONG KONG

query: 61.252.159.20

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
The IP address is allocated and still held by the following ISP, or
they did not update whois information after assigning to end-user.

Please see the following ISP contacts for relevant information
or network abuse complaints.

[ ISP Organization Information ]
Org Name : HANINTERNET
Service Name : HANINTERNET
Org Address : SK Twintech A 1009, 345-9 Kasan Kumchon

I received a call on 11/12 asking for Louis Benjamin.
The caller said he got the lead from Foundation Leads
(which I can't find on the Internet, due to the
prevalence of the phrase, "foundation leads.")

Two more calls, also 11/12, asking for Louis Benjamin. (The name of one is not
given because it appears that the company does wish to discontinue relations
with the spammer.)

All callers were made aware of the fact that they obtained this lead from a spammer.

"National Lead Exchange," "Lead Source," and "M Leads"
were named as the source for "Louis Benjamin" by one mortgage company.
National Lead Exchange was informed of this, but "lead source" could not
be found with a Google search.
Another call was received on 11/14/03. The caller was informed of the
lead's source and the fact that the domain is based in Korea.

Home Team Mortgage called for Louis Benjamin on 12/02/03
Home Funds Direct called on 12/03/03 and cited "Debroux" as the source. (They state that they stopped using the source in question.)
Leadership Financial called on 12/13/03 for Louis Benjamin
Southern Star Mortgage called on 12/30/03 for Louis Benjamin
A person called on 5/7/04 and said Oromel Home Mortgage gave them the name "Louis Benjamin."

seventimesthree.com resolves to 64.85.73.31

www.seventimesthree.com resolves to 64.85.73.31

Mail for seventimesthree.com is handled by 127.0.1.50 (0) 127.0.1.50

Search results for: 64.85.73.31

OrgName: Cable & Wireless
OrgID: EXCW
Address: 3300 Regency Pkwy
City: Cary
StateProv: NC
PostalCode: 27511
Country: US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange: 64.85.64.0 - 64.85.127.255
CIDR: 64.85.64.0/18
NetName: SE2-1
NetHandle: NET-64-85-64-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.EXODUS.NET
NameServer: DNS02.EXODUS.NET
NameServer: DNS03.EXODUS.NET
NameServer: DNS04.EXODUS.NET

Two calls indicated E-Leads (Eleadz?) as the source of
this lead (11/13/03)
Dana Funding in New York called on 11/14/03.
A copy of the spam E-mail advertising seventimesthree.com
was sent to them.
America's Mortgage Associates received Merde de Tete from
E-leadz, and requested a copy of the spam E-mail to assist
them in terminating their relationship with the spammer.
BLS Funding (12/5/03) got the name from
Refinance.com or Fastcash.com



(Same owner as gibox.com)


www.dock1.com resolves to 61.252.159.20

whois -h magic dock1.com

dock1.com is registered with COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM - redirecting to whois.joker.com

whois -h whois.joker.com dock1.com

domain:       dock1.com
status:       production
organization: DRUGSTORE INC
owner:        Richard Xue
email:        pharmstop@yahoo.com
title:        President
address:      BB 49 LOT 73
city:         TW
state:        HONG KONG
postal-code:  000000
country:      CN

query: 61.252.159.20

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
The IP address is allocated and still held by the following ISP, or
they did not update whois information after assigning to end-user.

Please see the following ISP contacts for relevant information
or network abuse complaints.

[ ISP Organization Information ]
Org Name : HANINTERNET
Service Name : HANINTERNET
Org Address : SK Twintech A 1009, 345-9 Kasan Kumchon

[ ISP IP Admin Contact Information ]
National Financial Group called on 12/09/03 and cited Impax as the
source of "Hans Dungesser." They provided me with an E-mail address
to which to send the spam that advertises dock1.com.
A representative of Quicken Loans called on 12/11/03 and asked for
Hans Dungesser. He did not seem interested in pursuing the spam issue.

Uncle Romulus' Antispam Home Page


