The spam’s return address was “Naughty or Nice Singles” [naughty@naughty]. (Interesting, I’ve got my server set to accept invalid return addresses. Note to self – fix that!). The received line was musti14.local (unknown [220.127.116.11]). That IP currently doesn’t resolve to anything. Let’s see which domain names are related to this spam.
The body of the message loaded images from http://images.intermarkmedia.com and from http://unsub.copeac.com/. They host their own DNS so the trail ends there.
The links within the body were tagged with affiliate and other tracking codes. The links went to synthebyte.com. Visiting synthebyte.com leads to rocketprofit.com. Looking at whois records for those two domains leads to supernamehosts.com, clearflow.com, hotrocketinc.com. An email contact in whois leads to traffixinc.com. DNS then leads to infinames.com, which refers to infiknowledge.com. Rocketprofit.com leads to hotrocketinc.com, which leads to five name servers at name-services.com, the name servers for the eNom registrar.
Intermarkmedia.com and Copeac.com have the same address in Woodbury, NY.
Rocketprofit.com whois is in Hicksville, NY; although their web site refers to the same address in Pearl River NY as Clearflow.com, Supernamehosts.com, and Synthebyte.com.
Traffixinc.com, Infiknowledge.com and Infinames.com are at the same address in New Brunswick, Canada.
Hotrocketinc.com is in Mineola, NY.
Whois records for these domains, as of August 8, 2007:
A complaint has been submitted to the Federal Trade Commission.