Scammer details | |
---|---|
Name: | Gerhan J Maree |
Telephones: | 021-919-0550 021-919-0804 |
Cellphone: | 082 777 0550 |
Email addresses: | [email protected] [email protected] |
This loser has been spamming South Africa via email, trying to peddle their slimming product called EverSlim. I happened to get a copy through being subscribed via a LUG:
```
From [email protected] Sun Aug 21 03:01:17 2005
Return-Path: <[email protected]>
Received: from murder ([unix socket])
	by xxxx.xxxxxxx.co.za (Cyrus v2.2.12-Gentoo) with LMTPA;
	Sun, 21 Aug 2005 03:01:43 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
	by xxxx.xxxxxxx.co.za (Postfix) with ESMTP id C3D6ECEC57
	for <[email protected]>; Sun, 21 Aug 2005 03:01:43 +0200 (SAST)
Received: from xxxx.xxxxxxx.co.za ([127.0.0.1])
	by localhost (xxxx.xxxxxxx.co.za [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 26797-04 for <[email protected]>;
	Sun, 21 Aug 2005 03:01:40 +0200 (SAST)
Received: from mail2.sun.ac.za (mail2.sun.ac.za [146.232.64.14])
	by xxxx.xxxxxxx.co.za (Postfix) with ESMTP id 011F0CA911
	for <[email protected]>; Sun, 21 Aug 2005 03:01:35 +0200 (SAST)
Received: from sulug.sun.ac.za ([146.232.66.22])
	by mail2.sun.ac.za with esmtp (Exim 4.34)
	id 1E6eDD-0002kB-Fx; Sun, 21 Aug 2005 03:01:23 +0200
Received: from sulug.sun.ac.za (localhost.localdomain [127.0.0.1])
	by sulug.sun.ac.za (Postfix) with ESMTP id BC9AB7AFCF;
	Sun, 21 Aug 2005 03:01:22 +0200 (SAST)
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from mail2.sun.ac.za (mail2bb.sun.ac.za [146.232.128.59])
	by sulug.sun.ac.za (Postfix) with ESMTP id 212297AFD1
	for <[email protected]>; Sun, 21 Aug 2005 03:01:17 +0200 (SAST)
Received: from c5-26-1.ctn.dial-up.net ([196.26.133.26] helo=sun.com)
	by mail2.sun.ac.za with smtp (Exim 4.34)
	id 1E6eD4-0002i5-KD
	for [email protected]; Sun, 21 Aug 2005 03:01:16 +0200
From: Health Coach <[email protected]>
To: sulug <[email protected]>
X-Priority: 3
X-MSMail-Priority: Normal
mime-version: 1.0
content-type: multipart/mixed; boundary="qzsoft_directmail_seperator"
Message-ID: <[email protected]>
Date: Sun, 21 Aug 2005 03:01:17 +0200 (SAST)
Subject: [Sulug] Slimming and Dieting is a Billion Dollar Industry
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Stellenbosch University Linux Users Group Mail List <[email protected]>
List-Id: Stellenbosch University Linux Users Group Mail List <sulug.sulug.sun.ac.za>
List-Unsubscribe: <http://sulug.sun.ac.za/mailman/listinfo/sulug>,
	<mailto:[email protected]?subject=unsubscribe>
List-Archive: <http://www.sulug.sun.ac.za/pipermail/sulug>
List-Post: <mailto:[email protected]>
List-Help: <mailto:[email protected]?subject=help>
List-Subscribe: <http://sulug.sun.ac.za/mailman/listinfo/sulug>,
	<mailto:[email protected]?subject=subscribe>
Sender: [email protected]
Errors-To: [email protected]
X-Virus-Scanned: amavisd-new at xxxxxxx.co.za
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

--qzsoft_directmail_seperator
Content-Type: text/plain; charset="DEFAULT"
Content-Transfer-Encoding: base64

WW91IGtub3cgaG93IG1hbnkgZGlldHMgeW91IGhhdmUgdHJpZWQgdGhhdCBmYWlsZWQuCgpZb3Ug
a25vdyBob3cgbXVjaCBtb25leSB5b3UgaGF2ZSB3YXN0ZWQgb24gaG9wZWxlc3Mgc2xpbW1pbmcg
c3ByZWVzLgoKRGlldHMgYXJlIGhhcm1mdWwgYW5kIGluc3VmZmljaWVudCwgYW5kIGRpZXQgdmVu
ZG9ycyBnZW5lcmFsbHkgcmlwIG9mZiB0aGUgY29uc3VtZXJzLiAKCk1vc3QgZGlldHMgZG9uJ3Qg
d29yaywgdGhleSBhcmUgZGVzaWduZWQgdG8gc2VsbCBjb25zdW1hYmxlcyAtIGluIHRoZSBmb3Jt
IG9mIHNsaW1taW5nIHBpbGxzIGFuZCBtZWFsIHJlcGxhY2VtZW50cy4gCgpUaGUgbG9uZ2VyIHlv
dSBiZWxpZXZlIGluIHRoZWlyIHBvdGVudGlhbCByZXN1bHRzLCB0aGUgbG9uZ2VyIHlvdSB3aWxs
IHVzZSB0aGVtLgoKSSBIQVZFIFRIRSBTSU1QTEUgU09MVVRJT04gVE8gQU4gRUNPTk9NSUMgSEVB
TFRIIFBMQU4gVEhBVCBXSUxMIFNPTFZFIFlPVVIgT1ZFUldFSUdIVCBQUk9CTEVNIFBFUk1BTkVO
VExZLgoKCklmIHlvdSB3YW50IG1vcmUgaW5mb3JtYXRpb24sIHBsZWFzZSBjbGljayBoZXJlLCBh
bmQgc3VibWl0IHRoZSBtYWlsOiAKbWFpbHRvOnNsaW1taW5nQGFuYW56aS5jby56YT9zdWJqZWN0
PVNsaW1taW5nCgoKCgoKCgoKClRPIFVOU1VCU0NSSUJFIFBMRUFTRSBDTElDSyBIRVJFIAptYWls
dG86c2xpbW1pbmdAYW5hbnppLmNvLnphP3N1YmplY3Q9UExFQVNFIFVOU1VCU0NSSUJFISEK
--qzsoft_directmail_seperator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Sulug mailing list
[email protected]
http://sulug.sun.ac.za/mailman/listinfo/sulug

--qzsoft_directmail_seperator--
```
The message is nicely base64-encoded, meaning that many spam filters won't catch it. In its gory detail, it states:
```
You know how many diets you have tried that failed.

You know how much money you have wasted on hopeless slimming sprees.

Diets are harmful and insufficient, and diet vendors generally rip off the consumers.

Most diets don't work, they are designed to sell consumables - in the form of slimming pills and meal replacements.

The longer you believe in their potential results, the longer you will use them.

I HAVE THE SIMPLE SOLUTION TO AN ECONOMIC HEALTH PLAN THAT WILL SOLVE YOUR OVERWEIGHT PROBLEM PERMANENTLY.

If you want more information, please click here, and submit the mail:
mailto:[email protected]?subject=Slimming

TO UNSUBSCRIBE PLEASE CLICK HERE
mailto:[email protected]?subject=PLEASE UNSUBSCRIBE!!
```
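Why the base64 wrapping defeats a filter that only looks at the raw message, and what a filter has to do instead, shown as an added example (not code from the original post). It decodes each text part before matching and copes with the invalid `charset="DEFAULT"` label seen in the message above; the sample body, the `example.invalid` addresses and the pattern are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample: same MIME layout as the message above (multipart/mixed,
# base64 text/plain part, bogus charset="DEFAULT"), with a made-up body.
BODY = "I HAVE THE SIMPLE SOLUTION TO YOUR OVERWEIGHT PROBLEM.\nReply for slimming info.\n"
SAMPLE = (
    b"From: Health Coach <sender@example.invalid>\r\n"
    b"Subject: Slimming and Dieting is a Billion Dollar Industry\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="qzsoft_directmail_seperator"\r\n'
    b"\r\n"
    b"--qzsoft_directmail_seperator\r\n"
    b'Content-Type: text/plain; charset="DEFAULT"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(BODY.encode("ascii")).replace(b"\n", b"\r\n")
    + b"--qzsoft_directmail_seperator--\r\n"
)

PATTERN = re.compile(r"overweight problem|slimming info", re.I)  # hypothetical rule

def decoded_text_parts(raw: bytes) -> list[str]:
    """Return every text/* part with its transfer encoding undone."""
    msg = message_from_bytes(raw, policy=default)
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        charset = part.get_content_charset() or "us-ascii"
        try:
            out.append(data.decode(charset, errors="replace"))
        except LookupError:  # unknown label such as "DEFAULT": fall back, don't skip
            out.append(data.decode("latin-1"))
    return out

def naive_hit(raw: bytes) -> bool:
    # What a filter sees when it matches on the undecoded body.
    _, _, body = raw.partition(b"\r\n\r\n")
    return bool(PATTERN.search(body.decode("latin-1")))

def decoded_hit(raw: bytes) -> bool:
    return any(PATTERN.search(text) for text in decoded_text_parts(raw))
```
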
They seem to be using a “bulk email marketing tool” called DirectMail from QZSoft, a dodgy Chinese software house. Sending a message to the supplied address immediately produces the following reply (they seem to be using Ananzi Mail's auto-reply feature):
```
Return-Path: <[email protected]>
From: "Graham Tomlinson" <[email protected]>
Date: Wed, 24 Aug 2005 11:44:37 +0200
Message-ID: <[email protected]>
X-Autogenerated: Reply
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
To: "xxxxxxxxxxxx" <[email protected]>
Subject: Re: Slimming
In-Reply-To: <[email protected]>

Please visit http://everslim.net for your Permanent Slimming Solution, and Make a Fortune while you are at it.
```

So now we at least have a lead to follow, which happily gives us a contact:
```
$ jwhois everslim.net
[Querying whois.internic.net]
[Redirected to whois.tmagnic.net]
[Querying whois.tmagnic.net]
[whois.tmagnic.net]
Whois Server Version 2.0 at whois.tmagnic.net

Database contains ONLY .COM, .NET , .TV , .WS domains and registrars.

Owner Contact:
    The Manager The Manager
    Universal Trust
    P O Box 5000
    Tygervalley
    Cape Town, Za, 7536, South Africa

RACE Name: everslim.net
Punycode Name: everslim.net
Unicode Name: everslim.net
Status: REGISTRAR-LOCK

Admin Contact
    Gerhan Maree (GM619-ABC)
    Universal Trust
    [email protected]
    P. O. Box 4350
    Tygervalley
    Tygervalley, Za, 7536, South Africa
    phone: +27 219190550

Technical Contact, Zone Contact
    Domain Administrator (DA1-ABC)
    Hetzner Pty Ltd
    [email protected]
    P.O. Box 3450
    Durbanville, South Africa, 7551, South Africa
    phone: +27 21 970 2000
    fax: +27 21 970 2001

Record last updated on: 2005-02-02 13:09:09
Record expires on: 2006-02-02 07:09:08

Domain servers in listed order:
    ns1a.your-server.co.za
    nsa.second-ns.co.za
```
Another Hetzner spamsite. They really seem to be quite spammer-friendly these days.... Digging deeper, we discover that Gerhan Maree has been dabbling in the property market as well; from the two listings they have there, he seems to be the contact for them.
```
$ jwhois propicor.com
[Querying whois.internic.net]
[Redirected to whois.tmagnic.net]
[Querying whois.tmagnic.net]
[whois.tmagnic.net]
Whois Server Version 2.0 at whois.tmagnic.net

Database contains ONLY .COM, .NET , .TV , .WS domains and registrars.

Owner Contact:
    Universal Trust
    P.O. Box 4350
    Tygervalley, South Africa, 7536, South Africa

RACE Name: propicor.com
Punycode Name: propicor.com
Unicode Name: propicor.com
Status: REGISTRAR-LOCK

Admin Contact
    The Manager (TM896-ABC)
    Universal Trust
    [email protected]
    P.O. Box 4350
    Tygervalley, Za, 7536, South Africa
    phone: +27 21 919 0804
    fax: +27 21 919 0804

Technical Contact, Zone Contact
    Domain Administrator (DA1-ABC)
    Hetzner Pty Ltd
    [email protected]
    P.O. Box 3450
    Durbanville, South Africa, 7551, South Africa
    phone: +27 21 970 2000
    fax: +27 21 970 2001

Record last updated on: 2005-03-23 10:27:08
Record expires on: 2005-09-08 07:03:14

Domain servers in listed order:
    ns1a.your-server.co.za
    nsa.second-ns.co.za
```
Everything seems to be pointing back at unibro.co.za:
```
$ jwhois unibro.co.za
The CO.ZA simple whois server

Your query has generated the following reply:-

Search on unibro (.co.za)
Match: One
Domain: unibro.co.za

Accounting info....
Date      |Type| Cost  |Invoices are E-Mail to....|Paid Date |ICnt| TrkNo |Billing Info
2001-03-13| N  | 200.00|[email protected]          |2001-05-29| 3  | 147259|Hetzner Africa
2001-06-02| U  |   0.00|[email protected]          |2001-06-02| 0  |      0|Hetzner Africa
2002-04-02| R  |  50.00|[email protected]          |2002-05-02| 1  | 211589|Hetzner Africa
2003-04-02| R  |  50.00|[email protected]          |2003-04-25| 1  | 276325|Hetzner Africa
2003-05-01| U  |   0.00|[email protected]          |2003-05-01| 0  |      0|Hetzner Africa
2004-04-01| R  |  50.00|[email protected]          |2004-04-30| 1  | 349377|Hetzner Africa
2005-03-23| U  |   0.00|[email protected]          |2005-03-23| 0  |      0|Hetzner Africa
2005-04-01| R  |  50.00|[email protected]          |2005-04-29| 1  | 437910|Hetzner Africa

Flashing RED indicates that payment has not been received - please
confirm with the UniForum SA accounting department,
[1][email protected], should this not be according to your records.
You have been sent 0 invoices/statements.

(Info:- Historical info exists - the oldest or 'original' is last)
... unibro <-- The info shown below
[2]unibro.1
[3]unibro.2
[4]unibro.3

0a. lastupdate : 2005-03-23 14:46:38+02
0b. emailsource : [email protected]
0c. emailposted : Tue, 22 Mar 2005 14:32:30 +0200
0d. emailsubject : Domain Registration Update: unibro.co.za
0g. historycount : 4
0h. invoiceno : 0
0i. contracttype : NEW
0j. rcsversion : $Revision: 1.107 $ $Date: 2005/02/01 11:51:24 $
1a. domain : unibro.co.za
1b. action : U
2a. registrant : Universal Trust
2b. registrantpostaladdress: PO Box 4350, Tygervalley, 7536
2c. registrantstreetaddress: PO Box 4350, Tygervalley, 7536
2d. amount : 0.00
2e. paymenttype : I
2f. billingaccount : Hetzner Africa
2g. billingemail : [email protected]
2i. invoiceaddress : P.O. Box 3450, Durbanville, 7551
2j. registrantphone : +27 21 9190804
2k. registrantfax : +27 21 9190804
2l. registrantemail : [email protected]
2n. vat : 4630185538
3a. operationaldate : 2005/03/23 14:46:38
3b. cname :
3c. cnamesub1 :
3d. cnamesub2 :
4a. admin : Administrator, Domain
4b. admintitle : The Manager
4c. admincompany : Universal Trust
4d. adminpostaladdr : PO Box 4350, Tygervalley, 7536
4e. adminphone : +27 21 9190804
4f. adminfax : +27 21 9190804
4g. adminemail : [email protected]
4h. adminnic :
5a. tec : Administrator, Domain
5b. tectitle : Domain Administrator
5c. teccompany : Hetzner Africa
5d. tecpostaladdr : P.O. Box 3450, Durbanville, 7551
5e. tecphone : +27 21 970 2000
5f. tecfax : +27 21 970 2001
5g. tecemail : [email protected]
5h. tecnic :
6a. primnsfqdn : ns1a.your-server.co.za
6b. primnsip : 196.7.147.235
6e. secns1fqdn : nsa.second-ns.co.za
6f. secns1ip : 196.7.150.34
6i. secns2fqdn :
6j. secns2ip :
6m. secns3fqdn :
6n. secns3ip :
6q. secns4fqdn :
6r. secns4ip :
8a. netblock1start :
8b. netblock1end :
8c. netblock2start :
8d. netblock2end :
8e. netblock3start :
8f. netblock3end :
9a. description1 :
9b. description2 :
9c. description3 :
9d. description4 :
9e. description5 :
9f. description6 :

References

1. mailto:[email protected]
2. http://whois.co.za/cgi-bin/Whatelse.sh?File=unibro.1
3. http://whois.co.za/cgi-bin/Whatelse.sh?File=unibro.2
4. http://whois.co.za/cgi-bin/Whatelse.sh?File=unibro.3
```

Maybe more helpful would be the original co.za domain registration info for unibro.co.za.
Finally, one wonders whether this is the same Gerhan Maree from Bethal who matriculated in 1976? This would mean our scammer is probably having a mid-life crisis at the moment.