Waller Truck Co. Fraud

A stolen identity from the real Waller Truck Co is just the latest in a long line of criminal fraud aliases from the same money laundering mule/phishing criminals, who are also using a website stolen from the genuine American Waller Truck Company. Basically all the criminal has done is take the stolen Waller Truck Company site, alter some text, (e.g. the location), and insert a money mule fraud job.
The genuine Waller Truck Company have nothing whatsoever to do with this fraud. Their genuine website is here and the criminal's bogus website is currently here. The genuine Waller Truck Company have posted a warning of this criminal's activities on their contact details page.

The bogus Waller Truck Co. website is generally zombie botnet hosted and the spam is zombie botnet distributed. Some of the criminal's current domain registrations are provided by the internet domain registrar Nic.ac of Christchurch, Dorset, UK who has failed to respond to a single abuse report concerning these criminals even though their activities are clearly precluded in the Nic.ac 'Domain Rules'. This registrar also registered fraud domains for the Cronos Investment fraudster and the Draper Investment fraudster before them and also ignored abuse reports relating to those criminals. They are fully aware of this criminality but, as they put it, "do not get involved".

Current Zombie Botnet Host(s)

 
The ethical majority of service providers, (all credit to them), act within 1-24 hours of being informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately a few that do not, for one reason or another.

Waller Truck Co : Evidence of Criminal Fraud

i) The Waller Truck Co. criminal fraudsters have stolen the website of the genuine Waller Truck Company as detailed above - this fraud is exactly the same as his original Harvey Investment, Draper Investment, Cronos Investment frauds etc with a new company as the victim.

ii) The genuine Waller Truck Company have posted a warning of this criminal's activities on their contact details page.

iii) The bogus Waller Truck Co. website is zombie botnet hosted as demonstrated by the DNS data below.

iv) The genuine Waller Truck Co. location is in Excelsior Springs, MO, USA. The criminals have a bogus address in Canberra Australia on their stolen website. This address does not appear in a Google search.

v) The criminal's site is spamvertising the following 'Regional Sales Manager' money mule job under the Company - Job Opportunities menu tab which does not appear on the genuine site:

1. Regional Sales Manager

Status: Part-time
Job description:

  • Work as a member of a group, helping to enlarge a base of customers in countries all over the world and liaise with head office on a daily basis;
  • Deliver high standards of customer service ensuring high delivery speed and quality of orders;
  • Manage a part of a sales cycle – ensure fast remittance of payments through your bank account and then - through world wide Western Union system and calculate fees at each step;
  • Create and maintain positive relationships with existing clients that result in new customers, lead to and maximise opportunities for expansions and renewals to enhance revenue stream.
    Employees should be able to perform:
  • Excellent spoken English & communication skills (oral and written).
  • Professional approach on the phone conversations
  • PC literate: Microsoft Outlook and Word as a minimum
  • Proven ability to communicate effectively at all levels in a relaxed confident manner.
  • Extroverted and outgoing, with a positive outlook.
  • Significant attention to detail.
  • Excellent organisational skills.
  • Customer focused.
  • Focused on own personal goals, integrating the achievement of company objectives.
  • Ability to work unsupervised No previous sale or accounting experience is necessary, though it will be valued.
    Your Personal situation must allow you to travel around your place 1-2 hours a day on company assignments( that would be particularly trips to the bank and Western Union branches)


vi) If you click on "Apply for this position" on the above page you eventually get to an application form page which has a fake .gif Verisign certificate ('Verify' doesn't work - it just takes you to the Verisign non-SSL info page). The application form requests all your bank details.

vii) The Waller Truck Co. criminal uses lots of recently registered domains, with newly registered ones appearing all the time as the spamvertized ones are suspended by responsible registrars.

viii) All domains have totally different bogus whois data although they are used for the same fraud website.

ix) The Waller Truck Co. spam contains forged header information and the usual Bayesian filter avoidance code that irrefutably link it to the Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and all this criminal's many other aliases along with the 'rockphish' phishing criminals.

x) The criminal's prolific spam is zombie botnet distributed as is easily demonstrated by the source IPs.

xi) The criminal's spams are all signed by different random names - they appear to have an infinite number of fake 'employees'.


    The above evidence clearly demonstrates beyond any doubt that this stolen Waller Truck Co. website has been set up by money laundering and phishing criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job and is undoubtedly just a stolen copy of the genuine Waller Truck Co. site and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and the rest of the money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

    Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering them and aiding and abetting their criminal 'phishing' fraud activities.

    Waller Truck Co. Fraudsters - current hosting details.

    Current Main Domains, Hosts and Registrars

    Domain: watrco.ac
    Registrar: Nic.ac
    Host IP Network / Botnet Nameserver Host:
    Host IP / Botnet Nameserver IP:


    See table below for the full list of known active & suspended main domains used by this criminal.
    Current Zombie Botnet Nameserver Domains and Registrars

    regtoo.com - REGISTER.COM, INC.
    iprintworld.com - IA Registry/Spiritdomains

    List of all known domains used



    Please notify me of any errors or domains not listed here.

    Notes for Registrars

    i) The  Waller Truck Co. criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. Current criminal's botnet nameservers - ns1.regtoo.com and ns1.iprintworld.com

    ii) All of the criminal's domains have different false whois registration data.

    iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is preferred, please.

    The Spam Headers

    Return-Path: <ndvlwgdq@norika-fujiwara.com>
    Received: from mwinf3106.me.freeserve.com (mwinf3106.me.freeserve.com)
        by mwinb3406 (SMTP Server) with LMTP; Tue, 27 Nov 2007 11:56:35 +0100
    X-Sieve: Server Sieve 2.2
    Envelope-to: xxxxxxx@xxxxxxxxx
    Received: from me-wanadoo.net (localhost [127.0.0.1])
        by mwinf3106.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxxx
        for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 11:56:35 +0100 (CET)
    Received: from e181068023.adsl.alicedsl.de (e181068023.adsl.alicedsl.de [85.181.68.23])
        by mwinf3106.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxxx
        for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 11:56:34 +0100 (CET)
    X-ME-UUID: xxxxxxxxx@xxxxxxxxxxxxxxx
    Received: from buydomains.com (EHLO pimpedhost.com.danga.com [108.45.115.102])
            by logansvideos.com with SMTP id 9OICZN9FWY
            for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 02:56:42 -0800
    Received: from purinmail.com [12.165.104.127]
            by d21c.com with SMTP id A9W5DELW09
            for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 13:47:42 +0300
    From: "Waller Truck Co" <ndvlwgdq@norika-fujiwara.com>
    To: "Bob" <xxxxxxx@xxxxxxxxx>
    X-MSMail-Priority: 3 (Normal)
    Subject: vacant position in the waller Truck Co.
    User-Agent: MIME-tools 5.503 (Entity 5.501)
    X-Mailer: MIME-tools 5.503 (Entity 5.501)
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
        boundary="--8JDQ.BSQ_AJ8WZ"
    Message-Id: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
    Date: Tue, 27 Nov 2007 11:56:34 +0100 (CET)

    Recipient & message id munged.

    The first thing to notice is the spam source IP. Reading from the bottom upwards (following the routing, as is the norm when parsing headers), the first two of the Received lines (those naming purinmail.com and buydomains.com) can be rejected as unsafe, almost certainly forged. The actual trusted source IP that cannot be forged is the one received by the recipient's email provider (Freeserve) and that is in this line:

    Received: from e181068023.adsl.alicedsl.de (e181068023.adsl.alicedsl.de [85.181.68.23])

    In this Received line the source IP address is 85.181.68.23, the reverse DNS (RDNS) for which correctly indicates e181068023.adsl.alicedsl.de, which confirms that the source address is genuine.

    In the above RDNS sender identity note the letters adsl. These stand for Asymmetric Digital Subscriber Line and tell you for sure that the spam has come from an end user's computer on an ADSL network in Germany, (from the whois data for the IP address). "Well", you say, "there's your criminal". Unfortunately not - he or she may be guilty of criminal stupidity by not having a firewall or clicking on the latest nude pictures of Britney Spears, but unfortunately probably not criminal fraud - he/she is just one of tens of thousands of 'zombies' - computers that have been infected with a zombie virus or worm. What it does tell you for certain is that the Waller Truck Co. spammer uses a zombie botnet to distribute his spam in exactly the same way as Sydney Car Centre, Harvey Invest, Draper Invest, Cronos Invest, Adamant Global and all the rest of these criminals.

    Lastly, ndvlwgdq@norika-fujiwara.com is not "Waller Truck Co." & the spam has not come from that address - this is just another forged email address. Incidentally, never 'bounce' spam back to the 'sender' as it only bounces back to a forged address which, if real, will only belong to an innocent third party who will understandably be a little peeved with you and if you do it a lot you could get your ISP's SMTP IP range blacklisted and they will be even more upset with you & could justifiably close your account.
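
The header walk described above, as an added example that is not part of the original page: it parses the sample's Received lines, finds the hop where the recipient's own provider accepted the message from outside, and treats everything below that hop as unverified. `TRUSTED_HOSTS` (taken from the `by` fields of the sample) and the `RESIDENTIAL` label list are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string

# Received chain copied from the sample headers above (already munged there).
RAW_HEADERS = """\
Return-Path: <ndvlwgdq@norika-fujiwara.com>
Received: from mwinf3106.me.freeserve.com (mwinf3106.me.freeserve.com)
    by mwinb3406 (SMTP Server) with LMTP; Tue, 27 Nov 2007 11:56:35 +0100
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf3106.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxxx
    for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 11:56:35 +0100 (CET)
Received: from e181068023.adsl.alicedsl.de (e181068023.adsl.alicedsl.de [85.181.68.23])
    by mwinf3106.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxxx
    for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 11:56:34 +0100 (CET)
Received: from buydomains.com (EHLO pimpedhost.com.danga.com [108.45.115.102])
    by logansvideos.com with SMTP id 9OICZN9FWY
    for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 02:56:42 -0800
Received: from purinmail.com [12.165.104.127]
    by d21c.com with SMTP id A9W5DELW09
    for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 13:47:42 +0300
From: "Waller Truck Co" <ndvlwgdq@norika-fujiwara.com>
Subject: vacant position in the waller Truck Co.

"""

# Assumption: hosts operated by the recipient's provider, read off the "by" fields.
TRUSTED_HOSTS = {"mwinb3406", "mwinf3106.me.freeserve.com"}
# Assumption: rDNS labels that usually indicate a consumer access line.
RESIDENTIAL = re.compile(r"(?:^|[.-])(?:adsl|xdsl|dsl|ppp|dialup|pool|dyn)(?=[.\-\d]|$)")


def received_hops(raw):
    """Return the Received headers, newest first, as dicts of helo/by/ip/rdns."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())              # unfold continuation lines
        parts = text.split(" by ", 1)
        peer = parts[0]                             # what the receiver says about the sender
        helo = re.match(r"from\s+(\S+)", peer)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", peer)
        rdns = re.search(r"\(([^\s()\[\]]+)\s+\[", peer)
        hops.append({
            "helo": helo.group(1).lower() if helo else "",
            "by": parts[1].split()[0].lower() if len(parts) == 2 else "",
            "ip": ip.group(1) if ip else None,
            "rdns": rdns.group(1).lower() if rdns else None,
        })
    return hops


def is_internal(hop, trusted):
    """True for hand-offs between the provider's own machines (no external peer)."""
    if hop["ip"] is None:
        return hop["helo"] in trusted
    try:
        addr = ipaddress.ip_address(hop["ip"])
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private


def trusted_source(hops, trusted=TRUSTED_HOSTS):
    """Walk down from the newest hop; stop at the first external peer a trusted host logged."""
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            return None                             # line was not written by a server we trust
        if is_internal(hop, trusted):
            continue
        rdns = hop["rdns"]
        return {
            "ip": hop["ip"],
            "rdns": rdns,
            "helo_matches_rdns": rdns is not None and rdns == hop["helo"],
            "residential": bool(rdns and RESIDENTIAL.search(rdns)),
            # Everything below the boundary was supplied by the sender and may be forged.
            "unverified_ips": [h["ip"] for h in hops[i + 1:]],
        }
    return None


if __name__ == "__main__":
    print(trusted_source(received_hops(RAW_HEADERS)))
```
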


    The Spam Content

    The Waller Truck Co. spam headers contain many different forged/bogus 'From' & 'Return-Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding it on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.

    This is the content of an actual Waller Truck Co. scam spam:

    Since its establishment in 1959, Waller Truck Co., Inc. has centered its family-owned trucking business on : QUALITY, FAIRNESS, HONESTY and UNCOMPROMISING CUSTOMER SERVICE.

    Waller Truck Co. is the largest provider of outsourced workplaces for individuals all over the world. The company provides more than 100,000 clients with flexible and cost-effective range of goods and services using help of regional associates at prestigious locations in business hubs and capital cities around the globe.

    The only way that we can ensure our customers receive the highest standard of quality and service is to hire individuals who share our vision, dedication and entrepreneurial spirit. Due to our rapid expansion, we are seeking Regional Sales Managers in the UK.
    If you love hard work but hate routine, if you are adventurous but responsible, if you have great communications skills, are interested in international sales and like a challenge, this job is for you.

    Vacancy offered is a part-time or second employment. You'll be supposed to work from home, but at the same time Your Personal situation must allow you to travel around your place 1-2 hours a day on company assignments (that would be particularly trips to the bank and Western Union branches).
    While implementing Company's assignments You shall be working as a member of a group, helping to enlarge a base of our customers in countries all over the world and liaise with head office on a daily basis. You'll be responsible for delivering high standards of customer service ensuring high delivery speed and quality of orders. That would particularly be done through managing a part of a sales cycle - ensuring fast remittance of payments through your bank account and then - through world wide Western Union system and calculating fees at each step.
    To sum up - Your mission in the company would be to create and maintain positive relationships with existing clients that result in new customers, lead to and maximize opportunities for expansions and renewals to enhance revenue stream.

    To become a Regional Sales Manager You should be able to perform: excellent spoken English & communication skills, significant attention to detail, excellent organizational skills and ability to work unsupervised. You shall be extroverted and outgoing, with a positive outlook, customer focused and focused on own personal goals, integrating the achievement of company objectives.
    Having joined in our team, You'll enjoy a wide range of benefits we can offer! For example, a base salary with generous commissions (10% out of each payment you've dealt with) and expenses, as well as flexible timetable, that will allow you to chose the most suitable time to deal with company assignments.
    If You are interested in a position offered and for the rewards you want, when you want them visit our website to apply.

    We are waiting you hearing from you asap.
    Any questions are welcome.
    Yours sincerely, Susanne Park

    0x4360, 0x09, 0x99170691, 0x77747211, 0x830, 0x93, 0x2565 08L3 V3K end: 0x40, 0x194, 0x81694240, 0x49554301, 0x10, 0x809, 0x563, 0x12, 0x1245, 0x0616, 0x568, 0x86, 0x083, 0x4446 0x4162, 0x1, 0x3, 0x27951472, 0x0, 0x6929, 0x8952, 0x0, 0x6242 cvs: 0x78, 0x3, 0x08788330, 0x4, 0x4573, 0x78, 0x4, 0x7532, 0x5869, 0x18, 0x38, 0x3926, 0x38 1JD: 0x5, 0x26264233, 0x3927, 0x326, 0x657, 0x53 define: 0x19, 0x4, 0x3, 0x6389, 0x82, 0x8821, 0x05, 0x211, 0x4063, 0x9, 0x50, 0x19247006 0x04 define: 0x7, 0x89403738, 0x3, 0x3594

    7UEL: 0x41, 0x173 include: 0x634, 0x4257, 0x608, 0x1, 0x41, 0x043, 0x36040292, 0x9108, 0x4, 0x9859, 0x4556, 0x649 close: 0x7, 0x661, 0x836, 0x02896758, 0x7540, 0x8806, 0x80, 0x05951947, 0x3, 0x9, 0x5827, 0x53926262, 0x219, 0x22, 0x933 include Y2G. engine: 0x029, 0x43, 0x7, 0x54483207, 0x2, 0x9955, 0x57, 0x965, 0x83, 0x8, 0x0, 0x48562979, 0x7186, 0x18 0x6, 0x668, 0x01577066, 0x02559513, 0x25, 0x90, 0x37336060, 0x159, 0x11, 0x98091727, 0x834, 0x6516, 0x42626111, 0x7, 0x24860948 interface end 6ID include 0x405, 0x798, 0x4, 0x0315, 0x15, 0x12144716, 0x219 0x3, 0x886, 0x93, 0x5603, 0x77, 0x10, 0x1, 0x670 stack: 0x82, 0x27888534, 0x328, 0x0, 0x73599437, 0x2747, 0x3, 0x24, 0x70, 0x08303767, 0x842, 0x4545, 0x4, 0x57

    stack: 0x9 0x11, 0x799, 0x96, 0x0, 0x4111, 0x3723, 0x3929, 0x1, 0x30031920, 0x4 0x30512981, 0x9978, 0x2, 0x2, 0x1876, 0x87, 0x9, 0x930, 0x22, 0x06657916, 0x16, 0x9477, 0x92, 0x1, 0x76736360 exe: 0x1, 0x6214, 0x3511, 0x6, 0x850, 0x88, 0x3, 0x1 IOY, 2DZW, GG31, engine, SVMG, ZF6U, UCPQ, VLG source: 0x09, 0x9, 0x82080843, 0x5710, 0x628, 0x420, 0x21, 0x1618, 0x5 0x92, 0x5, 0x31872249, 0x513, 0x23736325, 0x070, 0x32254334 Z830: 0x39, 0x1330, 0x84, 0x204, 0x88, 0x12776713, 0x5, 0x41065236, 0x7, 0x75610534, 0x1786, 0x4690, 0x13682074 0PT7, source, hex, interface, api, QVYQ, LOF, media N0Z: 0x41, 0x7233, 0x40219514, 0x3, 0x81, 0x09433954

    Note the usual Bayesian filter avoidance 'code', commonly used by these criminals and the 'rockphish' scammers alike.


    The Zombie Botnet

    How I am searching:

    Searching for wtrc.cc A record at h.root-servers.net [128.63.2.53]: Got referral to c3.nstld.com. (zone: cc.)
    Searching for wtrc.cc A record at c3.nstld.com. [192.26.92.32]: Got referral to NS2.BOX-PR.COM. (zone: wtrc.cc.)
    Searching for wtrc.cc A record at NS2.BOX-PR.COM. [24.55.193.11]: Timed out. Trying again.
    Searching for wtrc.cc A record at NS1.BOX-PR.COM. [72.36.142.251]: Reports wtrc.cc. Response:
    Domain Type Class TTL Answer
    wtrc.cc. A IN 1800 87.248.80.48
    wtrc.cc. A IN 1800 89.76.132.4
    wtrc.cc. A IN 1800 83.21.218.125
    wtrc.cc. A IN 1800 86.199.158.26
    wtrc.cc. A IN 1800 87.6.38.46
    wtrc.cc. NS IN 1800 ns1.box-pr.com.
    wtrc.cc. NS IN 1800 ns2.box-pr.com.
    ns1.box-pr.com. A IN 1800 72.36.142.251
    ns2.box-pr.com. A IN 1800 24.55.193.11

    Looking up at the 2 wtrc.cc. parent servers:

    Server Response Time
    ns1.box-pr.com [72.36.142.251]  83.21.218.125 86.199.158.26 87.248.80.48 87.6.38.46 89.76.132.4 15ms
    ns2.box-pr.com [24.55.193.11] Timeout  

    The data shows a standard zombie botnet where the nameserver ns1.box-pr.com hosted by Layered Technologies, Inc., on IP 72.36.142.251 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

    These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable. I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving an abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.

    Blocking The spam

    I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

    Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however & that can be used to detect them.

    Use the rule "Where the message body contains specific words" and use "Waller Truck Co." as the search item then choose 'delete' (or whatever action you prefer) as the action then that will definitely detect every single one of these spams.

    Fraud Blog

    Initial entry 27th. November 2007
    Domains wtrc.cc and watrc.cc received in spams.
    Later -
    Domains wtrc.cc and watrc.cc & box-pr.com all parked by Register.com so unless the criminal has other domains that I'm not aware of, he is off-line. Please let me know if you know of any resolving domains for this criminal. Unfortunately the quick suspension of the Register.com domains prevented Layeredtech seeing the zombie botnet, but they'll be back....

    28th. November 2007
    ...and so they are - three new domains received in spam this morning - both on the Layeredtech hosted zombie botnet using a new nameserver domain (newlookgame.com - IA Registry/Spiritdomains):

    walltco.ac
    walltr.ac
    walltrco.ac

    DNS Data:

    Looking up at the 2 walltr.ac, walltco.ac parent servers:

    Zombie Botnet Server 'A' Response (Zombie Site Host IPs)
    ns1.newlookgame.com [72.36.142.251] 203.109.99.2 24.131.207.248 80.41.157.216 89.139.122.94 98.195.139.5
    ns2.newlookgame.com [67.74.11.71] Timeout

    The data shows a standard zombie botnet where the nameserver ns1.newlookgame.com hosted by Layered Technologies, Inc., on IP 72.36.142.251 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

    The latest domains are registered with the registrar Nic.ac which has a history of registering domains for the Draper Investment fraudster, the Cronos Investment fraudster criminals and ignoring every single abuse report.

    Later - Layeredtech have disconnected the criminal's nameserver ns1.newlookgame.com [72.36.142.251] and the criminal has now set up a new botnet hosted by a UK company called No Wires Ltd of Nether Poppleton, YORK on IP 193.33.179.162:

    DNS Data:

    Looking up at the 2 walltr.ac, walltrco.ac, wallc.ac, walltco.ac parent servers:

    Zombie Botnet Server 'A' Response (Zombie Site Host IPs)
    ns1.newlookgame.com [193.33.179.162] 78.52.86.17 79.179.165.137 83.5.10.48 84.114.167.165 92.80.44.201
    ns2.newlookgame.com [67.74.11.71] Timeout

    The data shows a standard zombie botnet where the nameserver ns1.newlookgame.com hosted by No Wires Ltd of Nether Poppleton, YORK, UK, on IP 193.33.179.162 is acting as a zombie botnet controller 'herding' the rotating zombies, (as evidenced by RDNS data), in the 'A' records list which are hosting the fraud site (as evidenced by TRACERT data), using the listed domains.

    29th. November 2007
    New domain reported by site contact - wallc.ac once again on the No Wires Ltd zombie botnet.

    Later - new domain reported (trwa.ac) on new network:

    Looking up at the 2 trwa.ac. parent servers:

    Server Response
    ns1.nsters.com [200.72.139.67] 81.1.255.134
    ns3.nsters.com [202.74.32.13] Timeout

    The host on this one is :

    netname:        ZSTTK-NET
    descr:          JSC "Zap-Sib TransTeleCom"


    Once again this site thief, criminal fraudster and spammer is registering his criminal domains with the Registrar Nic.ac (aka nic.io, nic.sh, nic.tm, UWhois.com, the Internet Computer Bureau and 'InOne', a 'one-stop' networking business). Unfortunately this company has failed to respond to any abuse reports submitted.

    30th. November 2007
    Another new domain received in this morning's spam - watrco.ac once again registered with the criminal registrar Nic.ac on another 'new' network:
    Looking up at the 2 trwa.ac. parent servers:

    Server Response
    ns1.nsters.com [200.72.139.67] 81.10.22.174
    ns3.nsters.com [202.74.32.13] Timeout

    The host on this one is :

    IP: 81.10.22.174
    netname: TEData-ADSL-Pool
    descr: TE Data ADSL Pool
    RDNS: host-81.10.22.174.tedata.net


    Which is quite interesting - that data (ADSL) tells me that the crook is now using individual zombied machines (81.10.22.174) as his site host and the real villain in the piece is the zombie controller ns1.nsters.com [200.72.139.67] which by definition is using a criminal registered nameserver domain, (nsters.com - Todaynic), hosted by:

    IP: 200.72.139.67

    owner: ENTEL CHILE S.A.
    ownerid: CL-ECSA-LACNIC


    That individual zombie machine in the table above will probably change at a preset interval - I haven't noticed what the interval is, yet.

    Abuse teams please note.

    The criminal appears to have moved his multiple IP botnet to:

    DNS Data:

    Looking up at the 2 walltr.ac, walltrco.ac, walltco.ac, wallt.ac, wallco.cc, & wallc.ac parent servers:

    Zombie Botnet Server 'A' Response (Zombie Site Host IPs)
    ns1.newlookgame.com [83.142.48.60] 217.150.135.96 80.145.103.3 85.250.32.14 86.107.254.131 87.11.105.56
    ns2.newlookgame.com [67.74.11.71] Timeout

    The data shows a standard zombie botnet where the nameserver ns1.newlookgame.com hosted by INTERNETONDEMAND-LTD, on IP 83.142.48.60 is acting as a zombie botnet controller 'herding' the rotating zombies, (as evidenced by RDNS data), in the 'A' records list which are hosting the fraud site (as evidenced by TRACERT data), using the listed domains.

    Later - New domains received in spam - watrco.ac & waecom.ac, trwa.ac and new domain wlertr.ac notified to me by site contact.
    Looking up at the 2 watrco.ac. parent servers:

    Server Response
    ns1.nsters.com [200.72.139.67]  81.3.139.250
    ns3.nsters.com [202.74.32.13] Timeout

    The host on this one (IP: 81.3.139.250) is :

    org:          ORG-ZP1-RIPE 81.3.139.250
    netname:      RU-PETERSTAR-20020419
    descr:        ZAO PeterStar

    Later - new domain notified by site contact - wallt.ac on the INTERNETONDEMAND-LTD zombie botnet.
    Later - New domain noticed in the wild - wallco.cc on the INTERNETONDEMAND-LTD zombie botnet.

    1st. December 2007
    Another month and the registrar Nic.ac is still making money from spammers and criminal fraudsters - new .ac domain received in spam this morning - waecom.ac on the ZAO PeterStar network above.
    The criminal has ten known active domains at the moment, nine of them registered with nic.ac - he simply doesn't need another registrar when he's found one that appears to be quite happy to aid and abet his criminal activities by ignoring all abuse reports.

    4th. December 2007
    The criminal has a new nameserver domain, but the same host in INTERNETONDEMAND-LTD

    Looking up at the 2 walltr.ac, walltrco.ac, walltco.ac, wallt.ac, & wallc.ac parent servers:

    Zombie Botnet Server 'A' Response (Zombie Site Host IPs)
    ns1.vip73.com [83.142.48.60] 82.32.251.252 89.132.228.167 89.132.89.169 89.136.176.120 89.25.160.101
    ns2.vip73.com [20.77.85.10] Timeout

    The data shows a standard zombie botnet where the nameserver ns1.vip73.com hosted by INTERNETONDEMAND-LTD of Unit 18 Liversedge West Yorkshire, on IP 83.142.48.60 is acting as a zombie botnet controller 'herding' the rotating zombies, (as evidenced by RDNS data), in the 'A' records list which are hosting the fraud site (as evidenced by TRACERT data), using the listed domains.
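
The lookups recorded in "The Zombie Botnet" section and in the blog entries up to this point, turned into a check, as an added example that is not part of the original page: it measures how widely each A-record set is spread, how much it changes between lookups, and which nameserver domains are tied together by a shared nameserver IP. The thresholds, the /16 grouping and the two-label `registrable()` shortcut are assumptions of this example.

```python
from collections import defaultdict
from ipaddress import ip_network

# (label, domain, nameserver host, nameserver IP, A records) as logged on this page.
OBSERVATIONS = [
    ("zombie botnet section", "wtrc.cc", "ns1.box-pr.com", "72.36.142.251",
     ["87.248.80.48", "89.76.132.4", "83.21.218.125", "86.199.158.26", "87.6.38.46"]),
    ("28 Nov", "walltr.ac", "ns1.newlookgame.com", "72.36.142.251",
     ["203.109.99.2", "24.131.207.248", "80.41.157.216", "89.139.122.94", "98.195.139.5"]),
    ("28 Nov, later", "walltr.ac", "ns1.newlookgame.com", "193.33.179.162",
     ["78.52.86.17", "79.179.165.137", "83.5.10.48", "84.114.167.165", "92.80.44.201"]),
    ("30 Nov", "walltr.ac", "ns1.newlookgame.com", "83.142.48.60",
     ["217.150.135.96", "80.145.103.3", "85.250.32.14", "86.107.254.131", "87.11.105.56"]),
    ("4 Dec", "walltr.ac", "ns1.vip73.com", "83.142.48.60",
     ["82.32.251.252", "89.132.228.167", "89.132.89.169", "89.136.176.120", "89.25.160.101"]),
]


def networks16(ips):
    """Distinct /16 networks in an A-record set (a rough stand-in for 'different ISPs')."""
    return {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}


def jaccard(a, b):
    """Share of addresses two lookups have in common (0.0 means a completely new set)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


def flux_indicators(observations, min_a=3, min_nets=3, max_overlap=0.2):
    """Per domain: are the A sets wide and scattered, and do they churn between lookups?"""
    by_domain = defaultdict(list)
    for _, domain, _, _, a_records in observations:
        by_domain[domain].append(a_records)
    report = {}
    for domain, sets in by_domain.items():
        overlaps = [jaccard(x, y) for x, y in zip(sets, sets[1:])]
        report[domain] = {
            "lookups": len(sets),
            "dispersed": all(len(s) >= min_a and len(networks16(s)) >= min_nets for s in sets),
            "overlaps": overlaps,
            # A single lookup cannot show rotation, so it is never reported as rotating.
            "rotating": bool(overlaps) and max(overlaps) <= max_overlap,
        }
    return report


def registrable(host):
    # Assumption: two-label registrable domains, true for the .com nameservers logged here.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def controller_clusters(observations):
    """Union-find over nameserver domains and nameserver IPs that were seen together."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    served = defaultdict(set)
    for _, domain, ns_host, ns_ip, _ in observations:
        ns_node = ("ns", registrable(ns_host))
        parent[find(ns_node)] = find(("ip", ns_ip))
        served[ns_node].add(domain)

    clusters = defaultdict(lambda: {"ns_domains": set(), "ns_ips": set(), "domains": set()})
    for node in list(parent):
        cluster = clusters[find(node)]
        if node[0] == "ns":
            cluster["ns_domains"].add(node[1])
            cluster["domains"] |= served[node]
        else:
            cluster["ns_ips"].add(node[1])
    return list(clusters.values())


if __name__ == "__main__":
    print(flux_indicators(OBSERVATIONS))
    print(controller_clusters(OBSERVATIONS))
```

On this data every pair of consecutive walltr.ac lookups shares no address at all, and the three nameserver domains collapse into one cluster because box-pr.com and newlookgame.com shared 72.36.142.251 while newlookgame.com and vip73.com shared 83.142.48.60.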

    6th. December 2007
    Another .ac domain received in spam - wtrco.ac. I'm not going to waste my time reporting it - the owner of Nic.ac, Paul M Kane, is apparently happy to continue to make money out of criminal fraudsters and spammers with seemingly no regard for the victims of this criminal fraudster.

    DNS Details:
    Looking up at the 2 wtrco.ac, watrco.ac, waecom.ac, trwa.ac & wlertr.ac parent servers:

    Server Response
    ns1.nsters.com [200.72.139.67]  81.16.94.132
    ns3.nsters.com [202.74.32.13] Timeout

    The IP 81.16.94.132 belongs to Novgorod ADSL Network so it looks like another single zombie as it has an RDNS of xdsl-94-ppp132.tts.nov.ru. It's being controlled by the controller ns1.nsters.com on 200.72.139.67 which is an ENTEL CHILE S.A. IP who ignore abuse reports so it's a complete waste of time reporting to them. The same seems to be true for INTERNETONDEMAND-LTD of Unit 18 Liversedge West Yorkshire who have also ignored all abuse reports so far. The criminal has chosen his suppliers wisely, especially with the UK registrar Nic.ac who has a full house of the criminal's active domains, (the first time I've known that happen - a shameful record, I think).

    I am ashamed to say that it is both a UK registrar and a UK ISP that are the main sponsors of these criminals at the moment and I apologise to their victims.

    8th. December 2007
    The zombie botnet host IP 83.142.48.60 appears to be dead this morning, so perhaps someone finally got through to INTERNETONDEMAND-LTD.
    Needless to say, all of the criminal's .ac domain registrations are still active.

    9th. December 2007
    It looks as though INTERNETONDEMAND-LTD are still hosting this criminal fraudster - it's just the nameserver domain vip73.com that has been parked by Register.com. Thanks guys for being one of the few ethical bright spots in the current list of this criminal's suppliers. The criminal's zombie botnet is now back up using the newly registered nameserver domain imaxq.com (Spiritdomains - 03-dec-2007).

    Network DNS Data:


    Looking up at the 2 walltr.ac, walltrco.ac, walltco.ac, wallt.ac & wallc.ac parent servers:

    Zombie Botnet Nameserver        Botnet Nameserver 'A' Records (Zombie Site Host IPs)
    ns1.imaxq.com [83.142.48.60]    78.55.196.69 82.57.33.194 84.236.122.83 86.101.18.154 87.0.37.129
    ns2.imaxq.com [20.31.85.15]     Timeout

    The data shows a standard zombie botnet where the nameserver ns1.imaxq.com hosted by INTERNETONDEMAND-LTD of Unit 18 Liversedge West Yorkshire, on IP 83.142.48.60 is acting as a zombie botnet controller 'herding' the rotating zombies, (as evidenced by IP RDNS data), in the 'A' records list which are hosting the fraud site (as evidenced by domain TRACERT data), using the listed domains.

    The domains wtrco.ac, watrco.ac, waecom.ac, trwa.ac & wlertr.ac are all timing out at the moment, which is a little odd as the ENTEL CHILE S.A./Novgorod ADSL network appears to be intact from the DNS info.

    Spam received using domain walltrco.ac - he's got plenty of choice from his .ac domains...

    11th. December 2007
    The criminal's .ac domains are all still resolving despite numerous notifications of the abuse to Nic.ac. It has been determined by a challenge-response method that Nic.ac undoubtedly do receive the communications addressed to them so there is no doubt that they are fully aware of these criminals and their activity but continue to provide them with .ac domains as they previously did for the Cronos Investment and Draper Investment money laundering & phishing criminals before them and continue to ignore all requests for suspension. It should be borne in mind that the evidence from the zombie botnet distributed spam suggests that these criminals are also the 'rockphish' phishing criminals.

    The zombie botnet controller ns1.imaxq.com [83.142.48.60] is still operating courtesy of INTERNETONDEMAND-LTD and no response has been received from the company, but hopefully there should be some response soon as some very welcome help has been kindly offered from the side of UK law enforcement to resolve this issue.

    Confirmation of Nic.ac's position on abuse has been received from them by a friend. To sum up, they have no enforced Acceptable Use Policy or Abuse Policy of their own - to use their own words: "we do not get involved at all". Their abuse policy is administered solely by WIPO, and appears to be limited to intellectual property issues only, and in any event a complaint to WIPO under the procedure regarding a .ac domain has to be accompanied by a $500 initial fee, which is obviously effectively going to prohibit the normal reporting of fraud, spam etc. domains.


    12th. December 2007

    The INTERNETONDEMAND-LTD IP has now been shut down and the criminal has moved his botnet to 66.79.171.146

    DNS Data (walltr.ac, walltrco.ac, walltco.ac & wallc.ac):

    How I am searching:

    Searching for walltr.ac A record at m.root-servers.net [202.12.27.33]: Got referral to NS3.ICB.CO.UK. (zone: ac.)
    Searching for walltr.ac A record at NS3.ICB.CO.UK. [217.199.188.61]: Got referral to NS1.IMAXQ.COM. (zone: walltr.ac.)
    Searching for walltr.ac A record at NS1.IMAXQ.COM. [66.79.171.146]: Reports walltr.ac. Response:
    Domain Type Class TTL Answer
    walltr.ac. A IN 1800 89.34.222.4
    walltr.ac. A IN 1800 89.136.176.120
    walltr.ac. A IN 1800 75.181.12.180
    walltr.ac. A IN 1800 86.105.153.174
    walltr.ac. A IN 1800 86.107.101.225
    walltr.ac. NS IN 1800 ns2.imaxq.com.
    walltr.ac. NS IN 1800 ns1.imaxq.com.
    ns1.imaxq.com. A IN 1800 66.79.171.146
    ns2.imaxq.com. A IN 1800 20.31.85.15

    Looking up at the 2 walltr.ac. parent servers:

    Zombie Botnet Nameserver         Botnet Nameserver 'A' Records (Zombie Site Host IPs)
    ns1.imaxq.com [66.79.171.146]    75.181.12.180 86.105.153.174 86.107.101.225 89.136.176.120 89.34.222.4
    ns2.imaxq.com [20.31.85.15]      Timeout - dummy nameserver (never resolves).

    The IP belongs to Managed Solutions Group, Inc. of Fremont CA

    The data shows a standard zombie botnet where the nameserver ns1.imaxq.com hosted by Managed Solutions Group, Inc. of Fremont CA on IP 66.79.171.146 is acting as a zombie botnet controller 'herding' the rotating zombies, (as evidenced by IP RDNS data), in the 'A' records list which are hosting the fraud site (as evidenced by domain TRACERT data), using the listed domains. The nameserver domain imaxq.com has been registered by the criminals with SPIRITDOMAINS/IAREGISTRY.

    13th. December 2007
    The above Managed Solutions Group, Inc. zombie botnet is still functional, hosting domains walltr.ac, walltrco.ac, walltco.ac & wallc.ac
    For some reason he's split off domain wallt.ac on to its own network, although it's showing a Nownet login/parking page at the moment:

    Looking up at the 2 wallt.ac parent servers:

    Server Response
    ns7.01isp.com [218.16.121.3]  61.238.149.50
    ns8.01isp.net [203.169.164.16]  61.238.149.50

    The IP 61.238.149.50 belongs to City Telecom (H.K.) Ltd.

    The five domains wtrco.ac, waecom.ac, trwa.ac & wlertr.ac are now on a new network as follows:

    Looking up at the 2 wlertr.ac. parent servers:

    Server Response
    ns1.yesnsok.com [200.72.139.67]  202.103.49.198
    ns5.yesnsok.com [0.0.0.0] Timeout

    The IP  202.103.49.198 belongs to The Dongpu Information Technology Company, in ShiYan city Hubei Province. The nameserver IP 200.72.139.67 is the usual ENTEL CHILE S.A. IP - they have not responded to abuse reports.

    15th. December 2007
    New domains reported to me by site contact: waco.nu and waltr.nu. Looks like the criminal is branching out to Niue domains. For these two domains he's using his old Cronos botnet, albeit on a new IP:

    DNS Data for waco.nu and waltr.nu and walc.nu and wal.la

    How I am searching:

    Searching for waco.nu A record at c.root-servers.net [192.33.4.12]: Got referral to NS0.TELIA.NIC.nu. (zone: nu.)
    Searching for waco.nu A record at NS0.TELIA.NIC.nu. [212.181.91.4]: Got referral to ns1.thelastwall.com. (zone: waco.nu.)
    Searching for waco.nu A record at ns1.thelastwall.com. [65.38.67.41]: Reports waco.nu. Response:
    Domain Type Class TTL Answer
    waco.nu. A IN 1800 78.88.96.150
    waco.nu. A IN 1800 78.96.20.179
    waco.nu. A IN 1800 79.176.233.30
    waco.nu. A IN 1800 85.204.210.35
    waco.nu. A IN 1800 89.137.159.82
    waco.nu. NS IN 1800 ns2.thelastwall.com.
    waco.nu. NS IN 1800 ns1.thelastwall.com.
    ns1.thelastwall.com. A IN 1800 65.38.67.41
    ns2.thelastwall.com. A IN 1800 67.82.17.59

    Looking up at the 2 waco.nu. parent servers:

    Zombie Botnet Nameserver             Botnet Nameserver 'A' Records (Zombie Site Host IPs)
    ns1.thelastwall.com [65.38.67.41]    78.88.96.150 78.96.20.179 79.176.233.30 85.204.210.35 89.137.159.82
    ns2.thelastwall.com [67.82.17.59]    Timeout

    The data shows a standard zombie botnet where the nameserver ns1.thelastwall.com hosted by Globale Internet InfoAccess of Mont-Royal, Canada, on IP 65.38.67.41 is acting as a zombie botnet controller 'herding' the rotating zombies, (as evidenced by IP RDNS data), in the 'A' records list which are hosting the fraud site (as evidenced by domain TRACERT data), using the listed domains.
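    The rotation this log keeps describing can be measured from its own lookups. The Python below is an added example, not part of the original report: it parses the 12th December answer for walltr.ac, profiles the 'A' record set, and compares it with the sets recorded on the 4th and 9th December. The function names and the thresholds are assumptions chosen for illustration.

```python
import ipaddress

# 'A' records served for walltr.ac on earlier dates, copied from this log.
SNAPSHOTS = {
    "2007-12-04": "82.32.251.252 89.132.228.167 89.132.89.169 89.136.176.120 89.25.160.101",
    "2007-12-09": "78.55.196.69 82.57.33.194 84.236.122.83 86.101.18.154 87.0.37.129",
}
# Answer from ns1.imaxq.com as recorded in the 12th December entry.
ANSWER_12_DEC = """\
walltr.ac. A IN 1800 89.34.222.4
walltr.ac. A IN 1800 89.136.176.120
walltr.ac. A IN 1800 75.181.12.180
walltr.ac. A IN 1800 86.105.153.174
walltr.ac. A IN 1800 86.107.101.225
walltr.ac. NS IN 1800 ns2.imaxq.com.
walltr.ac. NS IN 1800 ns1.imaxq.com.
ns1.imaxq.com. A IN 1800 66.79.171.146
ns2.imaxq.com. A IN 1800 20.31.85.15
"""

def parse_answer(text):
    """Parse 'Domain Type Class TTL Answer' rows into (name, rtype, ttl, value)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN":
            rows.append((parts[0].lower(), parts[1], int(parts[3]), parts[4]))
    return rows

def flux_profile(rows, domain, max_ttl=1800, min_nets=3):
    """Summarise a domain's A-record set; the thresholds are illustrative assumptions."""
    a = [(ttl, ip) for name, rtype, ttl, ip in rows if name == domain and rtype == "A"]
    if not a:
        return None
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for _, ip in a}
    ttl = max(t for t, _ in a)
    return {"a_records": len(a), "distinct_16s": len(nets), "ttl": ttl,
            "suspect": len(nets) >= min_nets and ttl <= max_ttl}

def overlap(old_ips, new_ips):
    """Jaccard similarity of two A-record sets; near 0 means the hosts rotated."""
    old, new = set(old_ips), set(new_ips)
    return len(old & new) / len(old | new)

def rotation_report():
    """Overlap of each earlier snapshot with the 12th December A-record set."""
    rows = parse_answer(ANSWER_12_DEC)
    latest = [ip for name, rtype, _, ip in rows if name == "walltr.ac." and rtype == "A"]
    return {day: round(overlap(ips.split(), latest), 2) for day, ips in SNAPSHOTS.items()}
```

    Short TTLs and several 'A' records also occur on legitimate load-balanced sites; what marks this set out is the spread across unrelated networks and the near-zero overlap from one day to the next.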

    The five domains wtrco.ac, watrco.ac, waecom.ac, trwa.ac & wlertr.ac are now on a new network as follows:

    Looking up at the 2 wlertr.ac. parent servers:

    Server Response
    ns1.yesnsok.com [200.72.139.67] 81.16.94.132
    ns5.yesnsok.com [85.11.183.83] [Reports no A record (NXDOMAIN)]

    The IP 81.16.94.132 belongs to The Novgorod ADSL Network. The nameserver IP 200.72.139.67 is the usual ENTEL CHILE S.A. IP - they have not responded to abuse reports.

    16th. December 2007
    Two new domains notified to me by a site contact - walc.nu and wal.la, (both on the Globale Internet InfoAccess zombie botnet), so the criminal is branching out to .la domains. At $200 a punt, he's not ordering these for the beauty of the city... Still, when you're using stolen funds to buy them, the cost doesn't matter, I guess...

    17th. December 2007
    New .la domain notified to me by site contact - wtr.la
    Globale Internet InfoAccess must have taken action as there is a new botnet host - (74.62.155.11). Network details:

    DNS Data for wal.ph, wa.kg, wal.kg, wtrc.la, walc.la

    How I am searching:

    Searching for wa.kg A record at l.root-servers.net [199.7.83.42]: Got referral to ns.kg. (zone: kg.)
    Searching for wa.kg A record at ns.kg. [195.38.160.36]: Got referral to NS2.THELASTWALL.COM. (zone: wa.kg.)
    Searching for wa.kg A record at NS2.THELASTWALL.COM. [67.82.17.59]: Timed out. Trying again.
    Searching for wa.kg A record at NS1.THELASTWALL.COM. [74.62.155.11]: Reports wa.kg. Response:
    Domain Type Class TTL Answer
    wa.kg. A IN 1800 77.81.74.80
    wa.kg. A IN 1800 80.98.118.108
    wa.kg. A IN 1800 80.98.250.13
    wa.kg. A IN 1800 82.30.9.238
    wa.kg. A IN 1800 82.36.215.196
    wa.kg. A IN 1800 85.66.49.199
    wa.kg. A IN 1800 85.66.183.180
    wa.kg. NS IN 1800 ns2.thelastwall.com.
    wa.kg. NS IN 1800 ns1.thelastwall.com.
    ns1.thelastwall.com. A IN 1800 74.62.155.11
    ns2.thelastwall.com. A IN 1800 67.82.17.59

    Looking up at the 2 wa.kg. parent servers:

    Zombie Botnet Nameserver              Botnet Nameserver 'A' Records (Zombie Site Host IPs)
    ns1.thelastwall.com [74.62.155.11]    77.81.74.80 80.98.118.108 80.98.250.13 82.30.9.238 82.36.215.196 85.66.183.180 85.66.49.199
    ns2.thelastwall.com [67.82.17.59]     Timeout

    The data shows a standard zombie botnet where the nameserver ns1.thelastwall.com hosted by