Last updated on November 20th, 2015
I decided to have a small investigation on (some!) of today’s spam… I noticed a lot of similarities in my Mailwasher Pro output:
- Forged/spoofed “from” address
- “Debt free” or “get out of debt” or some permutation thereof in the subject field
- ALL have a non-obfuscated ~spaces.live.com web address as the link
- 2 line body: e.g.
- Let us Help you Manage your Debt. Reduce your payments up to 50%!
- All 1.2kb in size
- No attachments
- All to the usual spam harvester address – a catch all I use for sign-ups of ANYTHING on the web
These are the four address links:
There are two websites buried in here.
- is the click-to link
- is where the large central graphic is located
Clicking the follow through link instead of going to actually goes straight to Google.com!! This must be Microsoft’s doing within the spaces.live environment. They must be expecting this rubbish…
Going to the domain hosting the picture, actually IS a debt type site called which looks very professional and honest. Thoughtfully, they’ve provided a “Company Info” page…..
….er, apart from a large pile of advertising waffle, the only “info” is a graphic with a nice glass office block and an address in Dallas, Texas. This is it here in Dallas:
View Larger Map
Doing a WHOIS on the site, or here, we find that the website is registered/owned by a guy called Mark Compton who owns about 108 other domains according to public whois information. Some proper company info can be found here and traced through – I haven’t the time for my investigation here and it’s not relevant for me. I’m chasing IP address info, like so.,
So all you need to ask yourself is:
Q. Why does Mark Compton who has several companies and websites,
- advertise his services with forged email spam that
- links to Microsoft Live Spaces as a hook, and
- is nameserved from China and
- is hosted in Panama and
- has a dedicated server for his websites (IP 18.104.22.168), physical address in Chicago, apparently, and
- has websites registered with (cheapo) GoDaddy and
- has DNS nameservers (e.g. DNS1.MIDPHASE.COM) which are at http://enom.com and
- uses a simple anonymous yahoo email address for business correspondence?
A. He’s trying to hide something. His name and address are clear but there’s something going on.
Q. So why borrow money from someone who’s trying to hide his business?
Or am I missing something and have got it all wrong?
He hasn’t harmed me and I don’t have a connection with him?
Er… I do now! He’s just plonked shite in my in-tray!