ROKSO Home  |  ROKSO FAQs & Policies  |  About Spamhaus  |  FAQs
ROKSO
The Register of Known Spam Operations
Pavka / Artofit

Evidence Menu:

Pavka / Artofit Index


Country: Russian Federation
State:
A Russian gang who have been spamming for years. Started with porn, now into many types of spam, always via hijacked PCs. Part of a large criminal group involving ROKSO spammers Leo Kuvayev & Alex Blood. Also see "Yambo Financials" ROKSO.


Pavka / Artofit SBL Listings History
Current SBL Listings
Archived SBL Listings

whitebill.com


Newsgroups: news.admin.net-abuse.email
Subject: Re: Where is irdvd.siamsuki.com ? Foonet!
Date: Fri, 20 Jun 2003 10:44:52 -0400
Message-ID: <MPG.195ce7ca9bfa01e4989981@news.cloud9.net>
References: <3ef24ce0$1_2@nntp2.nac.net> <20030620075002.02197.00000804@mb-m12.aol.com>

In article <20030620075002.02197.00000804@mb-m12.aol.com>,
frederi108@aol.com says...
> > >[frame src="https://secure.whitebill.com/cgi-bin/join.cgi
> > ?sub_id=AS912672067658589449&site_id=SI372007427759487213"]

So in the spirit of "follow the money", WTF is whitebill? The have a
website. Sort of. One page that says they're a billing service, using a
golfball as a logo (?). Created 5/19/03, with no google hits except this
thread. No other customers? And a shaky looking registration... a city in
Iowa named "Iowa", with a New York City phone number? The zip 50010
matches for Ames, Iowa (Iowa State University). The contact email info is
self-referential since bluecharge.com has the same info (and no google or
web hits). Anyone else ever heard of either of them?

Checking server [whois.crsnic.net]
Checking server [whois.opensrs.net]
Results:
Registrant:
Credit Courier, LLC
2501 North Loop Drive
Building 1
Suite 615
Iowa, IA 50010
US

Domain name: WHITEBILL.COM

Administrative Contact:
Department, Domain domains@bluecharge.com
2501 North Loop Drive
Building 1
Suite 615
Iowa, IA 50010
US
212-937-2176
Technical Contact:
Department, Domain domains@bluecharge.com
2501 North Loop Drive
Building 1
Suite 615
Iowa, IA 50010
US
212-937-2176


Registrar of Record: TUCOWS, INC.
Record last updated on 19-May-2003.
Record expires on 31-May-2004.
Record Created on 31-May-2002.

Domain servers in listed order:
NS2.ZONEEDIT.COM 64.247.9.98
NS3.ZONEEDIT.COM 209.61.140.1

bluecharge.com has the same reg info, except for the nameservers:

Domain servers in listed order:
NS1.EVERYDNS.NET 209.75.39.141
NS2.EVERYDNS.NET 216.218.240.206

Iowa state records at <http://www.sos.state.ia.us/corp/corp_search.asp> has a listing for Credit Courier, however:

CREDIT COURIER, LLC
Corp No. 269286
Chapter CODE 490A DOMESTIC LIMITED LIABILITY COMPANY

State of Inc. IA
Filing Date Aug 29, 2002
Effective Date Aug 29, 2002
Expiration Date PERPETUAL
Type Legal
Status Active
Modified No
CREDIT COURIER, LLC
Registered Agent or Reserving Party
Full Name ANDRIY IGNATOV
Address ISU RESEARCH PK
City, ST, Zip AMES, IA, 500108283
Home Office
Full Name
Address ISU RESEARCH PK
City, ST, Zip AMES, IA, 500108283

Interestingly, though in Iowa, the TOS from their https server "customer" page says, in part: " The TOS and the relationship between you and
WhiteBILL shall be governed by the laws of the State of California
without regard to its conflict of law provisions. You and WhiteBILL agree
to submit to the personal and exclusive jurisdiction of the courts
located within the county of Santa Clara, California." Why is that? And
the TOS itself makes no mention of spam, UCE, porn, or much of anything,
other than saying that they won't be held responsible for whatever you
do. Perhaps that's standard for internet credit services - I haven't
looked at others.

And, who's Andriy? A Ukranian MBA candidate, graduating with a masters in
accounting in the fall of 2002, according to Google's web search.

What about the netblock he lives in? Uh oh. "Creative Internet
Techniques" AKA FOONET

secure.whitebill.com resolves to 65.116.89.252
mail.whitebill.com (0) 65.116.89.253
www.whitebill.com resolves to 65.116.89.254

CREATIVE INTERNET TECHNIQUES QWST-65-116-88 (NET-65-116-88-0-1)
65.116.88.0 - 65.116.95.255

OrgName: CREATIVE INTERNET TECHNIQUES
OrgID: CRTV
Address: 3982 POWELL ROAD
Address: SUITE 225
City: POWELL
StateProv: OH
PostalCode: 43065
Country: US

NetRange: 65.116.88.0 - 65.116.95.255
CIDR: 65.116.88.0/21
NetName: QWST-65-116-88
NetHandle: NET-65-116-88-0-1
Parent: NET-65-112-0-0-1
NetType: Reallocated
Comment:
RegDate: 2002-03-12
Updated: 2002-03-12

TechHandle: CA544-ARIN
TechName: Admin, CIT
TechPhone: +1-740-881-0323
TechEmail: ip-admin@foonet.net

OrgTechHandle: CA544-ARIN
OrgTechName: Admin, CIT
OrgTechPhone: +1-740-881-0323
OrgTechEmail: ip-admin@foonet.net

____________________________________________


Newsgroups: news.admin.net-abuse.email
Subject: Re: Where is irdvd.siamsuki.com ? Foonet!
Date: 20 Jun 2003 10:19:58 -0700
Message-ID: <e2a2dbed.0306200919.2bc1069e@posting.google.com>
References: <3ef24ce0$1_2@nntp2.nac.net> <20030620075002.02197.00000804@mb-m12.aol.com> <MPG.195ce7ca9bfa01e4989981@news.cloud9.net>

Neil <neil@m-nospam-logics.com> wrote in message news:<MPG.195ce7ca9bfa01e4989981@news.cloud9.net>...
> In article <20030620075002.02197.00000804@mb-m12.aol.com>,
> frederi108@aol.com says...
> >
> > >[frame src="https://secure.whitebill.com/cgi-bin/join.cgi
> > > ?sub_id=AS912672067658589449&site_id=SI372007427759487213"]
>
> So in the spirit of "follow the money", WTF is whitebill?

Thanks. FWIW, the soskam.net/porevo.net/terra.es kiddy porn spammer
is also a front for (excuse me, "customer of") whitebill:

Fetching http://www.soskam.net/youngfuck/join.html ...
GET /youngfuck/join.html HTTP/1.1

Host: www.soskam.net

Connection: close

User-Agent: Sam Spade 1.14



HTTP/1.1 200 OK

Date: Fri, 20 Jun 2003 17:11:50 GMT

Server: Apache/1.3.27 (Unix) rus/PL30.17

Content-Length: 784

Last-Modified: Wed, 18 Jun 2003 18:59:18 GMT

ETag: "62480-310-3ef0b686-koi8-r"

Connection: close

Content-Type: text/html; charset=koi8-r

Vary: accept-charset, user-agent



<html>
<head>

<SCRIPT>
<!--
var lang = navigator.systemLanguage;
if (lang == "rus") top.location =
"http://www.terra.es/personal9/pelandi23/index.html";
//-->
</SCRIPT>

<title>!!! VERY HOT FUCKING !!!</title>

</head>
<body background="bg.jpg" bgcolor="00006f" text="#ffffff" link="white"
vlink="white" alink="white">
<!--img src="http://www.porevo.net/cgi-bin/top.cgi?youngfuck" height=1
width=1><br-->

<center>

<font color="red" size=+3><b>!!! VERY HOT FUCKING !!!</b></font>



<br><br><br><br>

<table>
<tr><td>

<a href="https://secure.whitebill.com/cgi-bin/join.cgi?site_id=SI423897319625500833"><font
color="white" size="+3">Get access here</font></b></a><br><br>

</td></tr>
</table>
<br><br><br>


<br><br><br><br>



<br><br><br><br><br><br><br><br><br>

</body>

-Darren



Related URLs

Original NANAE thread


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK3177/

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy