Scammer details | |
---|---|
Name: | Cemon & Shawn Lewis |
Telephone: | 021-979-0301 |
Cellphone: | 073-209-3942 |
Facsimile: | 086-671-5926 |
Email addresses: | [email protected] |
Address: | 34 Symphony Villas Schubert ave, Durbanville, Cape Town, 7550 |
This intrepid duo of spammers first got my attention early in 2005. And when I say early, it was literally a 4-in-the-morning-early. They make use of fax broadcasting to peddle their wares. When asked about this, the reply was simply "because your number is in the phone book". Now, since I know how to use Google, and since their contact details are freely available on the internet, I invite you to contact them and express your dissatisfaction, should you receive any of their spams.
So, this first fax wasn't, in fact, about weight loss. It was a "get rich quick" scam. I kid you not. Now, I kept the fax, but it has since gotten lost in the mounds of paperwork on my desktop. So you'll have to take my word for it, sorry.
Now, today (at midday, this time) I received a new one, which looked very similar. I've scanned it in for your perusal: Drink Tea And Lose Weight!. Incredible, don't you think? Now, I've been drinking tea since I was very small, and I doubt it has done anything for my weight situation. I wonder what miraculous remedy they have... Also notice that the second testimonial on the fax is from Cemon herself! I wonder what she's been doing with all that "tons of energy" she's got now.....
So the investigation begins... Firstly, who owns FatandFedup.com? Let's see what whois says:
```
$ jwhois fatandfedup.com
[Querying whois.internic.net]
[Redirected to whois.enom.com]
[Querying whois.enom.com]
[whois.enom.com]

Registration Service Provided By: eNom, Inc.
Contact: [email protected]
Visit:

Domain name: fatandfedup.com

Administrative Contact:
   -
   Shawn Lewis ([email protected])
   +27.27825632802
   Fax:
   Po Box 2565
   Durbanville, 7551
   ZA

Billing Contact:
   -
   Shawn Lewis ([email protected])
   +27.27825632802
   Fax:
   Po Box 2565
   Durbanville, 7551
   ZA

Technical Contact:
   -
   Shawn Lewis ([email protected])
   +27.27825632802
   Fax:
   Po Box 2565
   Durbanville, 7551
   ZA

Registrant Contact:
   -
   Shawn Lewis ([email protected])
   +27.27825632802
   Fax:
   Po Box 2565
   Durbanville, 7551
   ZA

Status: Locked

Name Servers:
   dns1.name-services.com
   dns2.name-services.com
   dns3.name-services.com
   dns4.name-services.com
   dns5.name-services.com

Creation date: 15 May 2002 18:54:55
Expiration date: 15 May 2006 18:54:55

$ host www.fatandfedup.com
www.fatandfedup.com has address 63.251.83.56
www.fatandfedup.com mail is handled by 20 eforward4.name-services.com.
www.fatandfedup.com mail is handled by 20 eforward3.name-services.com.
www.fatandfedup.com mail is handled by 20 eforward4.name-services.com.
www.fatandfedup.com mail is handled by 20 eforward3.name-services.com.
www.fatandfedup.com mail is handled by 10 eforward2.name-services.com.
www.fatandfedup.com mail is handled by 10 eforward2.name-services.com.

$ jwhois 63.251.83.56
[Querying whois.arin.net]
[whois.arin.net]
Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
                                  63.251.0.0 - 63.251.255.255
eNom PNAP-WDC-ENOM-RM-01 (NET-63-251-83-32-1)
                                  63.251.83.32 - 63.251.83.63

$ telnet www.fatandfedup.com 80
Trying 63.251.83.56...
Connected to www.fatandfedup.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.fatandfedup.com

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Thu, 12 May 2005 15:18:40 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: private
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Via: 1.1 ctb-cache1 (NetCache NetApp/5.5R6D36), 1.1 ctb-cache2 (NetCache NetApp/5.5R6D27)

268
<html><head>
<title></title></head>
<!-- Redirection Services Redirector2A-DAL H1 -->
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://newdietco.com/indira" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="/?a8734haka8dr781346=true" NAME=a33 frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
<noframes>
<h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br>
<center>Click <a href="http://newdietco.com/indira">here</a> to enter the site.</center>
</noframes></html>
Connection closed by foreign host.
```
Now, obviously I want to do the Right Thing™, so I try and call him up using his given telephone number. The cellphone, 082-563-2802, belongs to a lady claiming to have no knowledge of any Shawn Lewis.
So, dead-end there. However, our spammer is using enom.com's forwarding service, to redirect people to newdietco.com/indira. Let's see what this delivers:
```
$ jwhois newdietco.com
[Querying whois.internic.net]
[Redirected to whois.directnic.com]
[Querying whois.directnic.com]
[whois.directnic.com]
Registration and WHOIS Service Provided By: directNIC.com

Intercosmos Media Group, Inc. provides the data in the directNIC.com
Registrar WHOIS database for informational purposes only. The information
may only be used to assist in obtaining information about a domain name's
registration record. directNIC makes this information available "as is,"
and does not guarantee its accuracy.

Registrant:
 richlife
 p.o. box 1206
 hartbeespoort 0216
 brits, nw 0216
 ZA
 27 12 2530253
 Fax:27 12 2530721

Domain Name: NEWDIETCO.COM

Administrative Contact:
 warner, howard [email protected]
 p.o. box 1206
 hartbeespoort 0216
 brits, nw 0216
 ZA
 27 12 2530253
 Fax:27 12 2530721

Technical Contact:
 warner, howard [email protected]
 p.o. box 1206
 hartbeespoort 0216
 brits, nw 0216
 ZA
 27 12 2530253
 Fax:27 12 2530721

Record last updated 11-11-2003 03:33:03 AM
Record expires on 02-17-2006
Record created on 02-17-2002

Domain servers in listed order:
 NS0.DIRECTNIC.COM 204.251.10.100
 NS1.DIRECTNIC.COM 206.251.177.2

$ host www.newdietco.com
www.newdietco.com has address 206.251.184.101
www.newdietco.com mail is handled by 10 iris2.directnic.com.
www.newdietco.com mail is handled by 10 iris1.directnic.com.

$ jwhois 206.251.184.101
[Querying whois.arin.net]
[whois.arin.net]
I-55 INTERNET SERVICES I55-BLK-2 (NET-206-251-160-0-1)
                                  206.251.160.0 - 206.251.191.255
Zipa, LLC I55-ZIPA-8 (NET-206-251-184-0-1)
                                  206.251.184.0 - 206.251.184.255

# ARIN WHOIS database, last updated 2005-05-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

$ GET -e www.newdietco.com/indira
Connection: close
Date: Thu, 12 May 2005 15:41:07 GMT
Via: 1.1 ctb-cache1 (NetCache NetApp/5.5R6D36), 1.1 ctb-cache2 (NetCache NetApp/5.5R6D27)
Server: tigershark/3.0.118 (dn10.directnic.com)
Content-Length: 349
Content-Type: text/html
Content-Type: text/html; charset=ISO-8859-1
Client-Date: Thu, 12 May 2005 15:55:44 GMT
Client-Peer: 206.251.184.101:80
Client-Response-Num: 1
Title: newdietco.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<TITLE>newdietco.com</TITLE>
</HEAD>
<FRAMESET rows="100%,*" border=0 frameborder=0 framespacing=0>
<FRAME name=top src="http://www.richlife.co.za/newdietco/indira" noresize>
</FRAMESET>
</HTML>

$ GET -e http://www.richlife.co.za/newdietco/indira
Cache-Control: private
Date: Thu, 12 May 2005 15:54:04 GMT
Server: Microsoft-IIS/6.0
Content-Length: 711
Content-Type: text/html
Client-Date: Thu, 12 May 2005 15:58:29 GMT
Client-Peer: 196.31.215.134:80
Client-Response-Num: 1
Set-Cookie: ASPSESSIONIDQQSBTBQQ=CAPLJGFBCMBNJPEAFIKBIEFP; path=/
Title: Loose that fat FOREVER!!
X-Meta-Description: The only 100% natural & proven way to lose weight and keep it off forever!! It's not a diet, but a weight management plan making use of meal replacement.
X-Meta-Keywords: lose, weight, nutrition, health, kilogram, pounds, fat, weightloss, diet, life, good, healthy, herbalife, supplement, meal replacement, habbits, 100%, natural, management, gain, maintain, good, herbs, herbal, protien drink mix, shake, shape, fiber,
X-Powered-By: ASP.NET

<head>
<meta name="Keywords" content="lose, weight, nutrition, health, kilogram, pounds, fat, weightloss, diet, life, good, healthy, herbalife, supplement, meal replacement, habbits, 100%, natural, management, gain, maintain, good, herbs, herbal, protien drink mix, shake, shape, fiber,">
<meta name="Description" content="The only 100% natural & proven way to lose weight and keep it off forever!! It's not a diet, but a weight management plan making use of meal replacement.">
<title>Loose that fat FOREVER!!</title>
</head>
<Body onLoad="MyForm.submit();">
<Form Action="../retail.asp" Method="Post" Name="MyForm">
<Input type = "Hidden" Value="newdietco\indira" Name="Username">
</Form>
</Body>
```
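None of the three hops followed by hand above is an HTTP 3xx redirect: two are full-page framesets and the last is a form submitted from `onLoad`, so a tool that only follows `Location` headers stops at the first page. The sketch below is an added example, not part of the original post; the `HopFinder`, `next_hop` and `trace` names and the same-host frame heuristic are assumptions, and the page bodies are abbreviated from the responses shown above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class HopFinder(HTMLParser):
    """Collects the ways a page can forward a browser without an HTTP 3xx."""
    def __init__(self):
        super().__init__()
        self.frames, self.hidden = [], {}
        self.autosubmit, self.action, self.method = False, None, "GET"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "frame" and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "body" and "submit(" in (a.get("onload") or ""):
            self.autosubmit = True
        elif tag == "form" and self.action is None and a.get("action"):
            self.action, self.method = a["action"], (a.get("method") or "GET").upper()
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name")] = a.get("value")

def next_hop(url, body):
    """Return (kind, absolute_url, hidden_fields) or None if nothing forwards."""
    p = HopFinder()
    p.feed(body)
    for src in p.frames:
        target = urljoin(url, src)
        # Heuristic (assumption): a frame back to the same host is the
        # forwarder's own helper frame, not the destination.
        if urlsplit(target).netloc != urlsplit(url).netloc:
            return ("frame", target, {})
    if p.autosubmit and p.action:
        return ("auto-" + p.method, urljoin(url, p.action), p.hidden)
    return None

def trace(start, pages, limit=10):
    """Follow hops through `pages` (url -> body) until a page forwards nowhere."""
    chain, url = [], start
    while url in pages and len(chain) < limit:  # limit also stops loops
        hop = next_hop(url, pages[url])
        if hop is None:
            break
        chain.append(hop)
        url = hop[1]
    return chain

# Constructed sample: bodies abbreviated from the three responses captured above.
PAGES = {
    "http://www.fatandfedup.com/": r"""<frameset rows='100%, *' frameborder=no>
<frame src="http://newdietco.com/indira" name=mainwindow></frame>
<frame src="/?a8734haka8dr781346=true" NAME=a33></frame></frameset>""",
    "http://newdietco.com/indira": r"""<FRAMESET rows="100%,*" border=0>
<FRAME name=top src="http://www.richlife.co.za/newdietco/indira" noresize>
</FRAMESET>""",
    "http://www.richlife.co.za/newdietco/indira": r"""<Body onLoad="MyForm.submit();">
<Form Action="../retail.asp" Method="Post" Name="MyForm">
<Input type="Hidden" Value="newdietco\indira" Name="Username"></Form></Body>""",
}

if __name__ == "__main__":
    for kind, url, fields in trace("http://www.fatandfedup.com/", PAGES):
        print(kind, url, fields)
```

The hidden `Username` value carried by the final POST is what ties the landing page to one reseller account, which is why it is returned alongside the URL.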
Paydirt! We've found the spammer's hideout, but it seems to be a reseller-type setup. So I'm assuming the operators of richlife.co.za are legit, and indira is the name of a reseller of theirs. Let's find out more...
```
$ jwhois richlife.co.za
The CO.ZA simple whois server
Your query has generated the following reply:-

Search on richlife (.co.za)
Match: One

Domain: richlife.co.za

Accounting info....
Date |Type| Cost |Invoices are E-Mail to....|Paid Date |ICnt| TrkNo |Billing Info
1998-04-06| N | 200.00|[email protected] |1998-09-16| 3 | 15698|WNA
2000-05-12| R | 50.00|[email protected] |2000-07-06| 1 | 94726|WNA
2001-05-03| R | 50.00|[email protected] |2001-06-14| 2 | 155762|WNA
2001-12-11| U | 0.00|[email protected] |2001-12-11| 0 | 0|IDWS
2002-05-03| R | 50.00|[email protected] |2002-06-07| 2 | 216323|IDWS
2003-05-02| R | 50.00|[email protected] |2003-07-08| 3 | 281000|IDWS
2004-05-03| R | 50.00|[email protected] |2004-05-18| 1 | 354785|IDWS
2004-07-06| U | 0.00|[email protected] |2004-07-06| 0 | 0|Web Online
2004-10-28| U | 0.00|[email protected] |2004-10-28| 0 | 0|Web Online
2005-05-03| R | 50.00|[email protected] | NOT PAID | 1 | 444915|Web Online

Flashing RED indicates that payment has not been received - please
confirm with the UniForum SA accounting department,
[1][email protected], should this not be according to your records.
You have been sent 1 invoices/statements.

(Info:- Historical info exists - the oldest or 'original' is last)
... richlife <-- The info shown below
[2]richlife.1
[3]richlife.2
[4]richlife.3

0a. lastupdate : 2004-10-28 12:33:11+02
0b. emailsource : [email protected]
0c. emailposted : Wed, 27 Oct 2004 12:23:26 +0200
0d. emailsubject : UPDATE: richlife.co.za - 2004-10-27
0g. historycount : 4
0h. invoiceno : 0
0i. contracttype : NEW
0j. rcsversion : $Revision: 1.105 $ $Date: 2004/07/08 13:12:58 $
1a. domain : richlife.co.za
1b. action : U
2a. registrant : Jacobus du Preez
2b. registrantpostaladdress: PO Box 452, Hartbeespoort, Hartbeespoort, North-West,
2c. registrantstreetaddress: Belmonte 51,Maiana Street, Brummeria, Pretoria,
2d. amount : 0.00
2e. paymenttype : I
2f. billingaccount : Web Online
2g. billingemail : [email protected]
2i. invoiceaddress : P.O. Box 1264, Wingate Park, 0153
2j. registrantphone : 0128040029
2k. registrantfax : 0123760079
2l. registrantemail : [email protected]
2n. vat :
3a. operationaldate : 2004/10/28 12:33:11
3b. cname :
3c. cnamesub1 :
3d. cnamesub2 :
4a. admin : Web Online, Accounts
4b. admintitle : Accounts Department
4c. admincompany : Web Online
4d. adminpostaladdr : P.O. Box 1264, Wingate Park, 0153
4e. adminphone : +27.0861666555
4f. adminfax : +27.0866801585
4g. adminemail : [email protected]
4h. adminnic :
5a. tec : Web Online, Support
5b. tectitle : Support Department
5c. teccompany : Web Online
5d. tecpostaladdr : P.O. Box 1264, Wingate Park, 0153
5e. tecphone : +27.0861666555
5f. tecfax : +27.0866801585
5g. tecemail : [email protected]
5h. tecnic :
6a. primnsfqdn : dns9.webonline.biz
6b. primnsip : 196.30.15.153
6e. secns1fqdn : dns2.webonline.biz
6f. secns1ip : 216.127.84.49
6i. secns2fqdn :
6j. secns2ip :
6m. secns3fqdn :
6n. secns3ip :
6q. secns4fqdn :
6r. secns4ip :
8a. netblock1start :
8b. netblock1end :
8c. netblock2start :
8d. netblock2end :
8e. netblock3start :
8f. netblock3end :
9a. description1 : WebOnline is a South Africa based
9b. description2 : Hosting Provider, specializing in
9c. description3 : website hosting at affordable prices.
9d. description4 : www.webonline.biz
9e. description5 :
9f. description6 :

References
1. mailto:[email protected]
2. http://whois.co.za/cgi-bin/Whatelse.sh?File=richlife.1
3. http://whois.co.za/cgi-bin/Whatelse.sh?File=richlife.2
4. http://whois.co.za/cgi-bin/Whatelse.sh?File=richlife.3
```
So, I phone up poor old Jacobus du Preez mentioned above. This actually works(!), and according to him, he's just the technical guy for richlife. I get given Howard Warner's (also mentioned in newdietco.com's whois) cell number, which also actually works! I'm feeling better already! I get to speak to Howard, who promises action after I send him the details via email. This was the afternoon of 12 May 2005. Still, I haven't heard anything from him, so I'm starting to think that this operation will harbour spammers amid complaints.
Now, you may ask how this links back to Shawn Lewis & co... Fair enough, I'll elucidate: When I received the first fax, it spamvertised dumpyourboss.co.za, using a similar tactic of fax broadcasting, crappy graphics design and premium-rated telephone numbers (by the way, the 086- and 088- range isn't "Telkom Rates", but it is misleading advertising!). Also, what stood out was the re-use of the little 'hand-written' note in an obvious script font at the top: "I thought this may intrest(sic) you!" — this was used in both faxes. Finally, notice that the contact details for fatandfedup.com use dumpyourboss.co.za too! Let's see what further investigation delivers:
```
$ jwhois dumpyourboss.co.za
The CO.ZA simple whois server
Your query has generated the following reply:-

Search on dumpyourboss (.co.za)
Match: One

Domain: dumpyourboss.co.za

Accounting info....
Date |Type| Cost |Invoices are E-Mail to....|Paid Date |ICnt| TrkNo |Billing Info
2004-03-27| N | 150.00|[email protected] |2004-05-31| 3 | 346733|Hetzner Africa
2005-04-01| R | 50.00|[email protected] |2005-04-29| 1 | 437925|Hetzner Africa

Flashing RED indicates that payment has not been received - please
confirm with the UniForum SA accounting department,
[1][email protected], should this not be according to your records.
You have been sent 0 invoices/statements.

0a. lastupdate : 2004-03-27 09:53:04+02
0b. emailsource : [email protected]
0c. emailposted : 27 Mar 2004 07:53:01 -0000
0d. emailsubject : Domain Registration New:dumpyourboss.co.za
0g. historycount : 1
0h. invoiceno : 346733
0i. contracttype : NEW
0j. rcsversion : $Revision: 1.103 $ $Date: 2004/03/26 07:30:52 $
1a. domain : dumpyourboss.co.za
1b. action : N
2a. registrant : Shine the way 151 cc
2b. registrantpostaladdress: 34 Symphony Villas Schubert ave, Durbanville 7550, South Africa
2c. registrantstreetaddress: 34 Symphony Villas Schubert ave, Durbanville 7550, South Africa
2d. amount : 150.00
2e. paymenttype : I
2f. billingaccount : Hetzner Africa
2g. billingemail : [email protected]
2i. invoiceaddress : P.O. Box 3450, Durbanville, 7551
2j. registrantphone : +27219750606
2k. registrantfax : None
2l. registrantemail : [email protected]
2n. vat :
3a. operationaldate : 2004/03/27 09:53:04
3b. cname :
3c. cnamesub1 :
3d. cnamesub2 :
4a. admin : lewis, Shawn
4b. admintitle : Manager
4c. admincompany : Shine the way 151 cc
4d. adminpostaladdr : 34 Symphony Villas Schubert ave, Durbanville 7550, South Africa
4e. adminphone : +27219750606
4f. adminfax : None
4g. adminemail : [email protected]
4h. adminnic :
5a. tec : Administrator, Domain
5b. tectitle : Domain Administrator
5c. teccompany : Hetzner Africa
5d. tecpostaladdr : P.O. Box 3450, Durbanville, 7551
5e. tecphone : +27 21 975 7930
5f. tecfax : +27 21 975 7931
5g. tecemail : [email protected]
5h. tecnic :
6a. primnsfqdn : ns20a.your-server.co.za
6b. primnsip : 196.7.147.20
6e. secns1fqdn : nsa.second-ns.co.za
6f. secns1ip : 196.7.150.34
6i. secns2fqdn :
6j. secns2ip :
6m. secns3fqdn :
6n. secns3ip :
6q. secns4fqdn :
6r. secns4ip :
8a. netblock1start :
8b. netblock1end :
8c. netblock2start :
8d. netblock2end :
8e. netblock3start :
8f. netblock3end :
9a. description1 : Commercial
9b. description2 :
9c. description3 :
9d. description4 :
9e. description5 :
9f. description6 :

References
1. mailto:[email protected]
```
A-ha! So now we have another number in Durbanville: 021-975-0606. However, this one just gives an 'invalid number' tone, so another dead-end. Shawn is really hard to get hold of!
Emailing Hetzner about the problem is rather fruitless, in terms of getting the account stopped, but we do get some more information on the elusive Shawn:
```
From: "Maryanne Smith - Hetzner Africa" <[email protected]>
Sent: Thursday, January 13, 2005 3:36 PM
Subject: Re: FAX SPAM: "Get Stinking Rich"

Dear xxxxxxxxxxx

Thank you for contacting Hetzner Africa.

We sympathise with your complaint, however, the message you refer to was
not submitted via electronic mail, but via a faxline. Our Acceptable Use
Policy does not cover this means of unsolicited advertising and an
unsolicited fax message would not fall within our jurisdiction. It would
be most swiftly dealt with by contacting the sender directly.

I have contacted my client who owns 'dumpyourboss.co.za' and he has
mentioned that his modus operandi is to contact the recipient via
telephone and then to submit the fax if requested. Further to this,
after reviewing the fax message it was noted that the phase "I thought
this may interest you!" would not be included in his fax message.

My client would be willing to assist you, possibly via fax number
comparison. Herewith his contact details:

Shawn Lewis
Cell: 0732093942

Should you require further assistance in this matter please do not
hesitate to contact me.

Kind regards,

Maryanne Smith
Help Desk Manager
Hetzner Africa
Tel: +27 21 970 2000
Fax: +27 21 970 2001
E-mail: [email protected]
http://www.hetzner.co.za/index.php?id=245
[ * Awarded Top 50 ICT Companies status in SA - 2003/4]
[ * Awarded Top 300 National Companies status - 2004/5/6]
```
As an aside, I did think a bit higher of Hetzner before this; supporting and protecting spam operations like this isn't good business practice... This complaint was sent in January, and I see the operation is still running strongly. Luckily, I had the foresight to ask for more information about his offering then, in an attempt to get his contact details. From one of his solicitations then:
```
Date: 3 Feb 2005 09:17:02 -0000
Subject: Real Life Solutions
From: [email protected]

This email message is in response to your request for more information.
If you no longer wish to receive emails from us, please click on the
link at the end of the email and we will remove your email immediately.

[..snip commercial for brevity...]

We look forward to working with you and to helping you become
financially secure in your own successful home-based business.

Yours sincerely,

Shawn Lewis
[email protected]
0219790301
0866715926
34 Symphony Villas Schubert ave, Durbanville, Cape Town, ZA, 7550
```
I'm guessing it would be rather hard to run a business if your customers are fed the wrong contact details. Right, so now we have (hopefully) enough info to get ahold of dear Shawn. Unfortunately, when I tried the cellphone supplied by Hetzner, it was busy or something, and I just forgot about it until today. So, after being re-motivated, I finally call and get hold of Shawn on his Durbanville landline! The conversation went something like this:
Me: Is this Shawn Lewis?
Shawn Lewis: Yes?
Me: Do you operate fatandfedup.com?
SL: Yes?
Me: I'd like to know why I'm receiving junk faxes advertising this site.
SL: That would be because your number is in the phonebook.
Me: I'm sorry, that answer simply isn't good enough.
...slight pause...
Me: Do you know that there are privacy laws that regulate these things?
SL: (Immediate change of tone) What's your number?
Me: It's xxx-xxxx.
SL: Very well, I'll let Telkom know. Bye
Me: Err, OK.
I must say, I was a bit flabbergasted at the end; was he going to ask Telkom to remove my fax number from their telephone books?! All-in-all, not really a satisfying response, since he made no explicit offer to remove me from his lists.
Now, the big question is: will these scumbags abide by the rules? Only time will tell, I guess...