Tag Archive: NC

Massive Spam Hit for Centurion Wealth Circle Pyramid Scheme

Massive Spam Hit

Willie R

Centurion Wealth Circle Spam Deluge


Over the weekend, I received over 600 spams from someone called Willie R (with a number appended to the name) to my Gmail account, which I now use for my spam-trapping on an old email address that I use for registrations and the like…  See the screenshot of one page above!

Centurion Wealth Circle

On checking out a sample I found that most point back to Centurion Wealth Circle with a small array of other dubious links included.  The spams I got had almost identical formats (except for differing ‘from’ addresses).  The differences were in a couple of links.  These are the two spam  types:

Type 1: Includes Link to AutoXten.com

CWC Spam Type 1


Type 2: Includes Link to TextAdBrokers.com

CWC Spam Type 2


The amazing thing taken straight from http://textadbrokers.com/?premier1 is the spelling mistake for their prime selling point!  Under the headline “What is TextAdBrokers?” we see:

TAB was created as the premier Partner for marketing and distribution For the newly created contextual advertising Platform hitcralwer.com

hitcralwer.com (or HitCrawler.com) has already spawned a long chain on Scam.com that starts with a scam warning, then features server outages, lawyer warnings, lawyer debunkings and various personal threats and revelations about the contributors.  For me, this is all very entertaining stuff, but the key facts for me are that:

  1. I have been heavily spammed, all links tending to the same source and all pointers pointing to the same destination(s).
  2. TAB’s own blurb can’t even spell correctly!

From that, you’ll gather which side of the honesty fence I think this lot come from…!

Willie R Burke kindly leaves his address in one spam type as “41 Merker Dr, Edison, NJ 08837”.  This ties in with the WHOIS of the source.  However, I don’t see why I should have to follow THEIR suggestion to stop the spam coming from them.  After all, I have over 600! The suggestion is not everywhere, but only on some of the pointers.

Five domains are in nearly every spam (from those that I checked in my deluge).

These are:

  1. http://vd.autoxten.com
    • Under their earnings disclaimer, they claim “that AutoXTen is not a get rich quick scheme but is a business” and that “all customers are essentially purchasing advertising”….?
  2. http://www.centurionwealthcircle.com/?register
    • Considering the deluge I just got, their spam policy takes some beating!  e.g. “Unsolicited commercial email (UCE), while regarded as legal in some jurisdictions, is regarded as spam by most Internet service providers (ISPs), and may not be used to promote CWC”.  Larry Harper, take note!  I am not prepared to wade through 600 email headers just to prove that your spam policy works…  You do it.  Start with the source.  YOU!
    • Pyramid Details

      CWC Pyramid Details


      Their business model is based on buying “tokens”, keeping them as a “portfolio” or something for a bit, and then cashing in 50% of the “investment” at some ill-defined “maturity” point.  Although they claim otherwise, this is classic pyramid scheme technology.  They make clear the exponential growth that potentially exists in their own blurb, and ONLY pyramid schemes promise exponential growth.

  3. http://www.makemoneyonline-free.org/
    • Here I find out that I “have been invited to join ClixSense by robbie1201”.  Oh really!  Thanks for nowt robbie.  It’s a site called “ClixSense, advertising that pays” but the domain name remains the same.  On their user agreement, point 10, Spam Policy, they helpfully remind Robbie and Willie R that “Spamming is a federal crime. Any member caught Spamming will not only have their account terminated immediately and lose any past, present and future earnings, but shall also be held liable for spamming as we shall cooperate with any authorities and investigations that may arise from the spamming incident. ClixSense may fine your account up to $5 per spam email reported from you email address.”    I don’t think they were listening!
  4. http://www.homebasedtelesalesjobs.com/

The registrant of  http://infinityleadsystem.com/ is;

5802 Bob Bullock C1 Unit 328C-195
Laredo, TX 78041-8813

However, the server is located in Quebec, Canada!

Why this should be so when so many sites (like mine here) are served from the massive data centres in the US (like Texas, say!) is beyond me.  But I find the Canadian connection strangely comforting.


It stinks.  From the initial deluge to burrowing through the various “systems”; it stinks.  Leave it well alone folks.  Any business of note should NOT  be resorting to Spam for new business.  The scale of this spam deluge emphasises the non-credibility of these charlatans much more than their cheesy website offering ever could.

The fact that most domains were hidden “for privacy” plus the fact that the websites are almost incomprehensible as they struggle to disguise their real motives and modus operandi are just bonuses!


Probable DDOS attack Using SQL Injection on my Websites

Over the last day, my sites have been really slow and twice to my knowledge have tripped out.  I’ve been getting a MySQL error message like so when I try to resolve the problem in phpAdmin:

MySQL: ERROR 1040: Too many connections

I tried hosting chat support (as I’m in a hurry) but the connection kept dropping.  During this process Google came to the fore and pushed me down several avenues of investigation.

This was one result, http://rackerhacker.com/2008/06/24/mysql-error-1040-too-many-connections/ from the web, and another from the horse’s mouth http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html

I then proceeded to check my WordPress plugins but couldn’t because the server wasn’t responding.  When it finally fired back up after quarter of an hour (!), I immediately disabled some OpenID plugins I’ve been playing with on one site and checked my databases were okay.

They were, but during the process I noticed that Wassup was the biggest table – unusually so.  Looking at some of the references in an extended list in the GUI, I noticed that several (random, as far as I could tell), post addresses were extre-e-e-e-e-mely long, terminating in some form of code.  Like so (It’s manually wrapped to fit into my theme);

http://strangelyperfect.tv/68/70s-mixer/?;DECLARE%20@S%20

CHAR(4000);SET%20@S=CAST(0x4445434C4152452040542

437572736F72%20AS%20CHAR(4000));EXEC(@S);  (addendum: clickable link removed as I’m using this plugin now)

If you copy & paste and try the link it won’t work now (read on for later ;-) ) but the correct link here does;


Before my fix, the first link took the user to the correct page and it displayed in the browser address bar with the long link.  My suspicions were now being raised because the page displayed okay.  This must be all the WordPress updating I’ve done.  It was a couple of updates back that the thing had some SQL Injection resistance built in.  It appears to fall over gracefully by ignoring duff requests.

So I chucked the “extra” part of the link into Google like so.   There are over 6k hits.

These posts got me thinking:




and a neat fix that I’ve implemented I found here.

http://www.ravenphpscripts.com/postp122652.html (link removed as they’ve gone a bit funny all of a sudden)

What I’ve done is added the suggested code to my .htaccess file, like so:

# Added, protect from SQL Injection (sourced from) http://www.ravenphpscripts.com/postp122652.html
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.+DECLARE(%20)+@ [NC]
RewriteRule ^.* - [F,L]

This has done the trick.  Anything banging into my site with that in the string, is rejected.  I haven’t implemented a polite screen.  It just gets the standard response from my host as you’d have found with the first of my links above.

It’ll probably need twiddling in future but it’s okay for now.
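
As an added example (not from the original post or the forum it cites), this Python script replays the rule above over access-log lines to show which logged requests carry the DECLARE ... @ signature, whether the .htaccess rule would have rejected them, and what the start of the hex blob decodes to. The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# The page's rule: RewriteCond %{QUERY_STRING} ^.+DECLARE(%20)+@ [NC]
# Apache tests it against the raw, still percent-encoded query string.
HTACCESS_RULE = re.compile(r"^.+DECLARE(%20)+@", re.IGNORECASE)
# The same signature after URL-decoding, so the whitespace encoding does not matter.
DECODED_RULE = re.compile(r"DECLARE\s+@", re.IGNORECASE)
CAST_HEX = re.compile(r"CAST\(0x([0-9A-F]+)", re.IGNORECASE)
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET /68/70s-mixer/ HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2009:10:00:03 +0000] "GET /68/70s-mixer/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452040542 HTTP/1.1" 200 5120
192.0.2.45 - - [01/Jan/2009:10:00:09 +0000] "GET /?s=declare+independence HTTP/1.1" 200 900
"""


def payload_prefix(query):
    """Decode the start of the CAST(0x...) blob so the analyst can read it."""
    m = CAST_HEX.search(query)
    if not m:
        return None
    digits = m.group(1)
    digits = digits[: len(digits) // 2 * 2]  # a truncated log entry may end mid-byte
    return bytes.fromhex(digits).decode("latin-1")


def triage(log_text):
    """Return one finding per logged request that carries the DECLARE ... @ signature."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        path, _, query = target.partition("?")
        if not query or not DECODED_RULE.search(unquote_plus(query)):
            continue
        findings.append({
            "ip": ip,
            "path": path,
            "blocked_by_rule": bool(HTACCESS_RULE.search(query)),
            "payload_starts": payload_prefix(query),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a real access log, the findings list gives the source addresses and targeted posts, which is quicker than reading the Wassup table by eye.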

Another similar link was:


/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434

which should point to:


This was especially troublesome as the post title was long anyway so it looked in the browser address bar that everything was okay!


© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me