Google Tsunami Alert

Tsunami Transit Time for Japanese Tsunami of 11/3/11

Japanese Earthquake and Tsunami


Following this morning’s (using GMT) earthquake just off Japan (now set at 8.8 on the Richter Scale, but it keeps rising as more information is analysed), I noticed that the Google search page has a Tsunami warning for all to see.

I thought I’d capture it for posterity.

Enormity

This truly is an enormous event, the TV videos this morning of the wave’s advance making this perfectly clear.  How and when it finishes, we can only watch and wait as one of the great forces of nature plays out before us.

Tsunami Transit Time for Japanese Tsunami of 11/3/11

Fortunately, the Tsunami warning system seems to be doing its job, and hopefully, those countries around the Pacific and the small Pacific Islands within have had enough time to warn folks to get to high ground.  This image shows how much time they’ve got!

 

NOAA Tsunami Warning @ 10:30 GMT

This is the state of play a short time ago and the actual alert, showing wave heights and periods out at sea.  When they hit the coast, things are very, very different.

000

WEPA40 PHEB 111030

TSUPAC

TSUNAMI BULLETIN NUMBER 006

PACIFIC TSUNAMI WARNING CENTER/NOAA/NWS

ISSUED AT 1030Z 11 MAR 2011

THIS BULLETIN APPLIES TO AREAS WITHIN AND BORDERING THE PACIFIC

OCEAN AND ADJACENT SEAS…EXCEPT ALASKA…BRITISH COLUMBIA…

WASHINGTON…OREGON AND CALIFORNIA.

… A WIDESPREAD TSUNAMI WARNING IS IN EFFECT …

A TSUNAMI WARNING IS IN EFFECT FOR

JAPAN / RUSSIA / MARCUS IS. / N. MARIANAS / GUAM / WAKE IS. /

TAIWAN / YAP / PHILIPPINES / MARSHALL IS. / BELAU / MIDWAY IS. /

POHNPEI / CHUUK / KOSRAE / INDONESIA / PAPUA NEW GUINEA /

NAURU / JOHNSTON IS. / SOLOMON IS. / KIRIBATI / HOWLAND-BAKER /

HAWAII / TUVALU / PALMYRA IS. / VANUATU / TOKELAU / JARVIS IS. /

WALLIS-FUTUNA / SAMOA / AMERICAN SAMOA / COOK ISLANDS / NIUE /

FIJI / NEW CALEDONIA / TONGA / MEXICO /

KERMADEC IS / FR. POLYNESIA / PITCAIRN /

GUATEMALA / EL SALVADOR / COSTA RICA / NICARAGUA / ANTARCTICA /

PANAMA / HONDURAS / CHILE / ECUADOR / COLOMBIA / PERU

THIS BULLETIN IS ISSUED AS ADVICE TO GOVERNMENT AGENCIES. ONLY

NATIONAL AND LOCAL GOVERNMENT AGENCIES HAVE THE AUTHORITY TO MAKE

DECISIONS REGARDING THE OFFICIAL STATE OF ALERT IN THEIR AREA AND

ANY ACTIONS TO BE TAKEN IN RESPONSE.

AN EARTHQUAKE HAS OCCURRED WITH THESE PRELIMINARY PARAMETERS

ORIGIN TIME – 0546Z 11 MAR 2011

COORDINATES – 38.3 NORTH 142.4 EAST

DEPTH – 24 KM

LOCATION – NEAR EAST COAST OF HONSHU JAPAN

MAGNITUDE – 8.9

MEASUREMENTS OR REPORTS OF TSUNAMI WAVE ACTIVITY

GAUGE LOCATION LAT LON TIME AMPL PER

DART 21415 50.2N 171.8E 0845Z 0.27M / 0.9FT 52MIN

WAKE US 19.3N 166.6E 0928Z 0.39M / 1.3FT 14MIN

NAHA OKINAWA JP 26.2N 127.7E 0901Z 0.25M / 0.8FT 60MIN

SAIPAN US 15.2N 145.7E 0916Z 0.65M / 2.1FT 30MIN

TOSASHIMIZU SHIKOKU 32.8N 133.0E 0753Z 0.92M / 3.0FT 68MIN

OMAEZAKI HONSHU JP 34.6N 138.2E 0818Z 1.42M / 4.6FT 56MIN

DART 21419 44.5N 155.7E 0716Z 0.40M / 1.3FT 20MIN

DART 21413 30.5N 152.1E 0659Z 0.76M / 2.5FT 32MIN

HANASAKI HOKKAIDO J 43.3N 145.6E 0657Z 2.79M / 9.2FT 76MIN

DART 21401 42.6N 152.6E 0643Z 0.67M / 2.2FT 40MIN

DART 21418 38.7N 148.7E 0619Z 1.08M / 3.5FT 06MIN

LAT – LATITUDE (N-NORTH, S-SOUTH)

LON – LONGITUDE (E-EAST, W-WEST)

TIME – TIME OF THE MEASUREMENT (Z IS UTC IS GREENWICH TIME)

AMPL – TSUNAMI AMPLITUDE MEASURED RELATIVE TO NORMAL SEA LEVEL.

IT IS …NOT… CREST-TO-TROUGH WAVE HEIGHT.

VALUES ARE GIVEN IN BOTH METERS(M) AND FEET(FT).

PER – PERIOD OF TIME IN MINUTES(MIN) FROM ONE WAVE TO THE NEXT.

NOTE – DART MEASUREMENTS ARE FROM THE DEEP OCEAN AND THEY

ARE GENERALLY MUCH SMALLER THAN WOULD BE COASTAL

MEASUREMENTS AT SIMILAR LOCATIONS.

EVALUATION

SEA LEVEL READINGS CONFIRM THAT A TSUNAMI HAS BEEN GENERATED

WHICH COULD CAUSE WIDESPREAD DAMAGE. AUTHORITIES SHOULD TAKE

APPROPRIATE ACTION IN RESPONSE TO THIS THREAT. THIS CENTER WILL

CONTINUE TO MONITOR SEA LEVEL DATA TO DETERMINE THE EXTENT AND

SEVERITY OF THE THREAT.

A TSUNAMI IS A SERIES OF WAVES AND THE FIRST WAVE MAY NOT BE THE

LARGEST. TSUNAMI WAVE HEIGHTS CANNOT BE PREDICTED AND CAN VARY

SIGNIFICANTLY ALONG A COAST DUE TO LOCAL EFFECTS. THE TIME FROM

ONE TSUNAMI WAVE TO THE NEXT CAN BE FIVE MINUTES TO AN HOUR, AND

THE THREAT CAN CONTINUE FOR MANY HOURS AS MULTIPLE WAVES ARRIVE.

FOR ALL AREAS – WHEN NO MAJOR WAVES ARE OBSERVED FOR TWO HOURS

AFTER THE ESTIMATED TIME OF ARRIVAL OR DAMAGING WAVES HAVE NOT

OCCURRED FOR AT LEAST TWO HOURS THEN LOCAL AUTHORITIES CAN ASSUME

THE THREAT IS PASSED. DANGER TO BOATS AND COASTAL STRUCTURES CAN

CONTINUE FOR SEVERAL HOURS DUE TO RAPID CURRENTS. AS LOCAL

CONDITIONS CAN CAUSE A WIDE VARIATION IN TSUNAMI WAVE ACTION THE

ALL CLEAR DETERMINATION MUST BE MADE BY LOCAL AUTHORITIES.

BULLETINS WILL BE ISSUED HOURLY OR SOONER IF CONDITIONS WARRANT.

THE TSUNAMI WARNING WILL REMAIN IN EFFECT UNTIL FURTHER NOTICE.

THE JAPAN METEOROLOGICAL AGENCY MAY ALSO ISSUE TSUNAMI MESSAGES

FOR THIS EVENT TO COUNTRIES IN THE NORTHWEST PACIFIC AND SOUTH

CHINA SEA REGION. IN CASE OF CONFLICTING INFORMATION… THE

MORE CONSERVATIVE INFORMATION SHOULD BE USED FOR SAFETY.

THE WEST COAST/ALASKA TSUNAMI WARNING CENTER WILL ISSUE PRODUCTS

FOR ALASKA…BRITISH COLUMBIA…WASHINGTON…OREGON…CALIFORNIA.

 

Wake Island

I wonder how Wake Island is getting on?  The highest point on the island is only 20 feet and the wave should be there about now….

NOD32 gets abused by time-share touts (or something)

Today I’ve found something new, for me at least!  I’ve prattled on about how good I think NOD32 is as a piece of anti-virus software; low system utilisation, fast, effective, accurate, unobtrusive except when it needs to be…

It also has a pretty good introductory service as well, available here, say, on their UK website.  You get a fully working trial for a month and all the usual updates.   If you ever try it you won’t go back to Norton etc, guaranteed!   You’ll notice that the connection is secure and goes to the eset.co.uk website….?  Well this is where it gets interesting.

Do a search for NOD32 on Google.  You’ll be presented with various genuine ESET & NOD32 websites.  However, sprinkled here and there, and also down the list of “preferred google partner -sponsored links” (a.k.a. sites that have paid for placement) you’ll find a few oddities.  Like so:

  • http://www.gooofull.com/programa/46161

These two terrors have an astounding business model.

They get you to download the (apparently good and virus-free, they claim) install file for NOD32 in several steps using SMS text to pay for each step! (This is the same trial that you can download from ESET for nothing!) They actually state on both sites that it’s just the trial – there is no licence!  So assuming the software works, you’ll need to renew it after a month!

If you want to cancel the nod32-net.info one, then go to the ADR Tower in Panama City, because that’s where they hang out.  gooofull is registered in the UK, but is Spanish.  Speak to Andreas here about it.  Apart from paralleling the activities of UK energy companies who penalise the low paid by forcing them to use cash-stick gas and electric meters, I can’t think of a single reason to justify Andreas’ business.

Both sites do a host of other software, similarly advertised and with the same payment model.  Now, in summary,  compare and contrast the various methods to get NOD32 on-line …….

  • Getting NOD32 for 1 month from NOD32/ESET:  Cost Nothing
  • Getting NOD32 for 1 month from NOD-32/Soletto Group:  Cost ~4 Euro
  • Getting NOD32 for 1 month from Gooofull:  Cost £6

My advice in all this and when getting any software – get it from the people that make it.  I write code.  I know what can be in it.  I certainly wouldn’t get anything except a hat from Panama!

NOD32’s renewal costs are very cheap – less than £12 for a year inc VAT.  The first payment is a bit steep for one computer, £30, but if you have 3 or 4, the cost is less than £15 per computer.

There you are.  That’s my sales pitch and I didn’t get a penny!

Scum Debt Relief Spammers from China via Live Spaces

I decided to have a small investigation on (some!) of today’s spam…  I noticed a lot of similarities in my Mailwasher Pro output:

  • Forged/spoofed “from” address
  • “Debt free” or “get out of debt” or some permutation thereof in the subject field
  • ALL have a non-obfuscated ~spaces.live.com web address as the link
  • 2 line body: e.g.
    • Let us Help you Manage your Debt. Reduce your payments up to 50%!
  • All 1.2kb in size
  • No attachments
  • All to the usual spam harvester address – a catch all I use for sign-ups of ANYTHING on the web
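The traits in the list above can be turned into a simple scoring check. This is an added example, not code from the original post; the size and line-count thresholds and the sample messages are assumptions, and the forged-sender trait is left out because it needs SPF/DKIM results that a raw message alone does not carry.

```python
import re
from email import message_from_string

DEBT_SUBJECT = re.compile(r"\bdebt\b", re.I)  # "debt free", "get out of debt", ...
URL_HOST = re.compile(r"https?://([^/\s\"'<>:]+)", re.I)
MAX_BYTES = 2048     # assumed ceiling; the post reports about 1.2 KB each
MAX_BODY_LINES = 3   # assumed ceiling; the post reports a two-line body

def is_live_spaces(host):
    # Exact host or a true subdomain only, so look-alike names do not match.
    host = host.lower().rstrip(".")
    return host == "spaces.live.com" or host.endswith(".spaces.live.com")

def spam_traits(raw):
    """Evaluate five of the listed traits and return them with a 0-5 score."""
    msg = message_from_string(raw)
    body, attachments = "", 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_type() == "text/plain" and not body:
            body = part.get_payload(decode=True).decode("utf-8", "replace")
    lines = [ln for ln in body.splitlines() if ln.strip()]
    traits = {
        "debt_subject": bool(DEBT_SUBJECT.search(msg.get("Subject", ""))),
        "live_spaces_link": any(is_live_spaces(h) for h in URL_HOST.findall(body)),
        "short_body": 0 < len(lines) <= MAX_BODY_LINES,
        "small_size": len(raw.encode("utf-8")) <= MAX_BYTES,
        "no_attachments": attachments == 0,
    }
    traits["score"] = sum(traits.values())
    return traits

# Constructed sample messages (not real mail).
SPAM = (
    'From: "Debt Advisor" <someone@example.org>\n'
    "To: catchall@example.net\n"
    "Subject: Get out of debt today\n"
    "\n"
    "Let us Help you Manage your Debt. Reduce your payments up to 50%!\n"
    "http://constructed-user.spaces.live.com/\n"
)
HAM = (
    "From: colleague@example.org\n"
    "Subject: Minutes from Tuesday\n"
    "\n"
    "Hi,\nNotes are attached to the wiki page.\nAgenda item 1 was deferred.\n"
    "Item 2 is done.\nSee http://wiki.example.org/minutes for details.\n"
)
LOOKALIKE = SPAM.replace("constructed-user.spaces.live.com",
                         "spaces.live.com.example.org")
```

A score of 4 or 5 matches the batch described here; a lower score needs other evidence before the message is binned.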

These are the four address links:

pdf of microsoft's spaces live user

All the genuine spaces pages look exactly the same.  The pdf is an exact copy of the web page I made using Nitro’s PDF Download add-on for Firefox.

There are two websites buried in here.

  • is the click-to link
  • is where the large central graphic is located

Clicking the follow through link instead of going to actually goes straight to Google.com!!  This must be Microsoft’s doing within the spaces.live environment.  They must be expecting this rubbish…

Going to the domain hosting the picture, actually IS a debt type site called which looks very professional and honest.  Thoughtfully, they’ve provided a “Company Info” page…..

Precision Debt Relief Company Info Page….er, apart from a large pile of advertising waffle, the only “info” is a graphic with a nice glass office block and an address in Dallas, Texas.  This is it here in Dallas:

Doing a WHOIS on the site, like here, or here, we find that the website is registered/owned by a guy called Mark Compton who owns about 108 other domains according to public whois information.  Some proper company info can be found here and traced through – I haven’t the time for my investigation here and it’s not relevant for me.  I’m chasing IP address info, like so.

Doing a whois on SARIAKANDIFUL.COM such as here or here, gives us a place in China for the domain nameserver and the website is hosted in Panama! So that’s the spamming bit…

So all you need to ask yourself is:

Q.  Why does Mark Compton who has several companies and websites,

  1. advertise his services with forged email spam that
  2. links to Microsoft Live Spaces as a hook, and
  3. is nameserved from China and
  4. is hosted in Panama and
  5. has a dedicated server for his websites (IP 67.212.165.51), physical address in Chicago, apparently, and
  6. has websites registered with (cheapo) GoDaddy and
  7. has DNS nameservers (e.g. DNS1.MIDPHASE.COM) which are at http://enom.com and
  8. uses a simple anonymous yahoo email address for business correspondence?

A.  He’s trying to hide something. His name and address are clear but there’s something going on.

Q.  So why borrow money from someone who’s trying to hide his business?

A.  ?

Or am I missing something and have got it all wrong?

He hasn’t harmed me and I don’t have a connection with him?

Er… I do now!   He’s just plonked shite in my in-tray!

Combatting WordPress Trackback Comment Spam

Intro

During my little website(‘)s(‘) jiggle over the last two days, I’ve had to turn off various plugins from my WordPress powered setup. Usually, for spam combat, Simple Trackback Validation or TanTanNoodles Simple Spam Filter in combination with Akismet does the business.

During this process, I got two trackback spams, both on Saturday 24th May night, about 90 minutes apart. They didn’t manage to appear but they did get to send an admin post. They didn’t actually appear in the comments pending either – they just vaporised – which is nice, but I’ve never had that before…

Breakdown of The Spammer

They both came from IP: 195.225.176.177 which is netcathosting.com, a Russian paged outfit. http://netcathosting.com is the supposed source but a WHOIS search reveals that the contact address is at http://netcathost.com, another Russian paged outfit. This gives another contact at easyxhost.com.

Easyxhost points back to netcathosting for ownership when a WHOIS is done. A company called Phantographics pops up a lot. Their contact email is net2cat@go.com. go.com is actually registered to The Walt Disney Company! Charles in this post and Dirk with this one have some interesting info on the dodginess of Phantographics.

All three domains have an address which is IBC Tower Floor 9 on Manuel Espinosa Batista Avenue in Panama. Each domain has a separate PO Box number! (why do they bother?)

PO Box 901-2389, PO Box 901-2484, PO Box 55-2484

The IBC Tower seems to be a mish-mash of legal and not-so-legal concerns. There are shipping and other companies and even the dodgy sounding Bertrand Russell University which provides a picture of the tower, at least!

Both trackbacks were to a single old post about Rome Total War, 132/install-theme-from-rome-total-war/, probably because it had some external links picked up by a feeder or something.

Each trackback comment had a single hyperlink, to the same Google Notebook account but with different links, common in the respect of them being porn links. Accompanying the link, was a small piece of random pseudo-sense wordage to make it look like a genuine trackback, but this doesn’t appear on the account page (see further below)…
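A trackback like these two can be rejected mechanically by comparing the sender's IP with the host it claims to speak for and by checking that the claimed page links back to the post. This is an added example, not the code of any plugin named above; the host names, DNS answers and page bodies are constructed, and only the sender IP and the post path come from this write-up.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag on a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def resolve_host(host):
    """Default resolver: every address the host name currently maps to."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def _norm(url):
    return url.rstrip("/")

def check_trackback(sender_ip, claimed_url, post_url, page_html,
                    resolve=resolve_host):
    """page_html is the body the caller fetched from claimed_url."""
    host = urlsplit(claimed_url).hostname or ""
    parser = _Hrefs()
    parser.feed(page_html)
    result = {
        # A genuine ping normally comes from the server hosting the claimed page.
        "sender_matches_host": sender_ip in resolve(host),
        # A genuine trackback page contains a link to the post it pings.
        "links_back": any(_norm(h) == _norm(post_url) for h in parser.hrefs),
    }
    result["accept"] = all(result.values())
    return result

# Constructed data: hosts, DNS answers and page bodies are placeholders.
POST = "http://myblog.example/132/install-theme-from-rome-total-war/"
FAKE_DNS = {"notebook.example": {"192.0.2.10"},
            "friend-blog.example": {"198.51.100.7"}}

def fake_resolve(host):
    return FAKE_DNS.get(host, set())

SPAM_PAGE = '<p>random words <a href="http://elsewhere.example/x">link</a></p>'
GOOD_PAGE = '<p>Nice write-up: <a href="%s">theme install</a></p>' % POST

if __name__ == "__main__":
    print(check_trackback("195.225.176.177", "http://notebook.example/public/1",
                          POST, SPAM_PAGE, resolve=fake_resolve))
    print(check_trackback("198.51.100.7", "http://friend-blog.example/post/9",
                          POST, GOOD_PAGE, resolve=fake_resolve))
```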

Why am I reporting this here?

Well, it’s the first instance I’ve had of this sort of spam and with links pointing back to Google Notebooks which in turn have a link pointing to a porn site. Also, I decided to trace through the spam source – just for fun!

Trojan Alert!

Link and description for Google Notebooks.

NOD32 Ftrojan

This is what happens if you follow the links from Google Notebooks. You’ll see that my anti-virus NOD32 has detected a trojan in the link. It then terminates it.

NOD32 calls it a variant of HTML/TrojanClicker.Agent.Ftrojan which doesn’t appear in search engines by itself, but the TrojanClicker, Agent and Ftrojan sub-names appear on Sophos and ESET from a couple of years back. Its general operation is to switch off your anti-virus software as a starter…

The porn spammer and trojan launcher is here on Google Notebooks, i.e. user ID #13497754368789561429. The Google Notebook terms and conditions, section 2, can just about accommodate this “person’s” activities – apart from the bad code launcher. This, I think, falls foul of the phrases “purposes that are legal, proper” and “any activity that interferes with or disrupts Google services or servers or networks” – but hey! I doubt they care.

Trojan Source Breakdown

The page that both links go to is on the domain setdevi.net/. Click the link and you’ll get a 403 Forbidden message which is kind of ironic given the nature of the postings and the subject matter of the sub pages.

setdevi.net is at IP address 194.110.161.229. Its registrar is at EST Domains, which looks cheap and nasty and is actually in China. The links actually point to debime.net, which pulls out a blank page. Some CGI script makes the links hop to setdevi.net. Needless to say, debime.net is also hosted at EST Domains.

If you do a whois on the est domains website, all the contact addresses are actually little png files called up from a backend database so that there are no live email links. The contact is listed as Steven Gogey and the email address is stev@angeld.com This is for the sake of completeness in case anyone wants to talk to him (if he exists). There are actually a shed load of clauses after you do a WHOIS search, forbidding the repetition of this information here except if it’s lawful.

They say in the WHOIS t&c, that I’m not supposed to load systems – but it’s okay for them to host systems and activities that do exactly that to other people’s websites and personal computers.

estdomains whois page

The final part of the “terms” is that by submitting a WHOIS query, I accept the terms – but I can only see the terms after I’ve run the query. See the screendump of the whois screen at left.

Even the dumbest lawyer can pull that apart.

I don’t think they’ll call.

Conclusion

What we have is a spammer setting up a trojan which will either set up a pc as a zombie host by shutting down the anti-virus and relaying the trojan on or maybe key logging for passwords, say. The spammer has hidden himself behind a round-robin of contacts based in Panama but with various names in New York, China and elsewhere. He’s probably Russian and, because he feels pretty safe, his real name is probably Vladislav Radchek.

The whole charade is built upon the initial email registration address which is easily obtained from go.com. One from hotmail or yahoo etc could just as easily have been used so it’s no slur on good ol’ Walt and his cartoon characters.

Addendum

Doing a Google search on the IBC tower and its address or Vladislav Radchek pulled out some fellow spam inquisitors. Their results and opinions are broadly in line with mine. Please read them for extra insights into the grubby world of spam. Here are three:

  1. http://jamesfriesen.net/article.php/2007101713400524
  2. http://spamhuntress.com/
  3. http://timbuk3.com/blog/index.php?blog=2&title=test&more=1&c=1&tb=1&pb=1#c1197

Also, I’ve just recently hit on this huge list of bad guys: http://www.malwaredomainlist.com/mdl.php Now that’s gotta be a barrel of laughs.