Michael Lindsay

A reconstruction of an old posting from almost 15 years ago:

Back in those days, the link was hxxp://www.spam-court.com/?q=node/39. We think a total reconstruction of the site would be a technological suffering too big for us.

Here we go:

Posted November 26th, 2006 by DucksInTwoRows

As usual the best background info is at spamhaus:
www.spamhaus.org/rokso/spammer/SPM818/imedia-networks Spamhaus info on Lindsay

When digging around a bit (reasons are spam for drugs and the usual free ipods and whatever free stuff) we found a lot of domains hosted in Lindsay's space:

iMedia Networks Inc. IMEDIA (NET-65-182-128-0-1)
                                  65.182.128.0 - 65.182.143.255
Siliconcompilersystemsinc.com SILICON-06 (NET-65-182-128-0-2)
                                  65.182.128.0 - 65.182.131.255

This fits very well with this one: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL40389 That listing mentions subscriberbase, which we also found when following the spam for all the "free" stuff. Silicon compilersystems is a company that no longer exists. It was bought some time ago by another company and appears to have disappeared as a result of the process. So why does Lindsay own the netblock?

What we also found was that most, if not all, of the spam originated from various spaces related to transpath.net. One of the questions that naturally has to be asked is: Who is controlling transpath.net? Lindsay? Subscriberbase? Someone else? Several spammers? We do not have an answer to that. But some of the netblocks seem to have belonged to now defunct companies, which fits the pattern regarding Lindsay/Silicon compilersystems.

whois -h whois.arin.net 'TRANSPATH'
TransPath (TRANS-180)
TransPath TRANSPATH (NET-64-239-224-0-1) 64.239.224.0 - 64.239.239.255
TransPath TRANSPATH (NET-64-239-224-0-1) 64.239.224.0 - 64.239.239.255
whois -h whois.arin.net 'TRANS-180'

OrgName:    TransPath
OrgID:      TRANS-180
Address:    1950 Stemmons Freeway
Address:    Suite 1039
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US
Comment:
RegDate:    2005-08-24
Updated:    2006-02-09

AbuseHandle: NETWO965-ARIN
AbuseName:   Network Operations
AbusePhone:  +1-214-841-8900
AbuseEmail:  noc@transpath.net

AdminHandle: NETWO965-ARIN
AdminName:   Network Operations
AdminPhone:  +1-214-841-8900
AdminEmail:  noc@transpath.net

TechHandle: NETWO965-ARIN
TechName:   Network Operations
TechPhone:  +1-214-841-8900
TechEmail:  noc@transpath.net

Last time we checked, 214-841-8900 was a payphone located outside McDonald's at 5403 Ross Avenue in Dallas, Texas.

The drug spam

The drug spam is a different story. The domains are/were hosted in Lindsay's space. The spam, however, comes from what seem to be open proxies/hijacked comps or whatever. With faked headers of course.

Now let's go back in time.
Back in 2005 Lindsay himself posted this to the specialham forum, title "RX Backend For Rent":

We have developed a robust UNIX-based backend for the Pharmacy industry which we are now making available to those needing a good, fast and secure back-end system. The cost for system is 4-5% of monthly gross sales, depending on volume. Features of system include:
[for the rest, visit this link to spamhaus]

Back in 2004, someone using the nick "mail solution" posted the following on specialham, title "BP hosting FAST 100% uptime":

For more information and immediate service please contact Shawn, Email: shawn@fonestream.com
Bullet Proof Hosting - providing you 100% uptime. Move your web site to Fonestream where you will not be shut down due to pressure from anti-spam organizations. We have been successfully hosting ecommerce websites for over 5 years. Let us help you make more money with fewer problems. Please review our Bullet Proof pricing plans below:
We allocate a "bandwidth pipe" at the switch level at any of the following rates:
0.5 megabit = $950 mo
1 megabit = $1400 mo
1.5 megabit = $1,850 mo
2 megabit = $2,300 mo
2.5 megabit = $2,750 mo
3 megabits = $3,200 mo
4 megabits = $3,600 mo
5 megabits = $4,000 mo
7 megabits = $4,800 mo
10 megabits = $6,000 mo
Other services available
IP priced as needed
DNS priced as needed
Domain Registration priced as needed
For more information and immediate service please contact Shawn, Email: shawn@fonestream.com
Date 6/10/2004 4:18:17 PM

fonestream is Lindsay. Living in the Silicon space.
Note the price: 0.5 megabit = $950 mo

Now back to 2005 again (and again nicked from spamhaus):

mlindsay0912
I'm still new here...
Posts: 3
Joined: 9/20/2005
Date 9/21/2005 11:13:41 AM
RE: Want BP / Anon Domains ?
We have BP Anon domains for $50 each. Immediate availability. Paypal is OK.
michael@trixmail.com 

Note the domain used: trixmail.com. And head over to spamhaus again.
The whois info has changed since; trixmail.com now appears to be registered to a Saundra Kinnaird. Well, still related to Lindsay:
www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4590

Now we jump forward to 2006. In September 2006 someone using the nick "Mailstream" posted the following on bulkerforum.biz, title "Bullet Proof Hosting":

Hosting that loads faster. Technical service that you can count on.
Bullet Proof Hosting based in CA USA: We allocate a "bandwidth pipe" at the switch level at any of the following rates: 
Compliant sites:
0.5 megabit = $950 mo, (much more bandwidth available as needed) 
Non-compliant: off shore servers = $1,500 standard - $3,500 very Fast 
Please contact:
steve@trixmail.com 

"0.5 megabit = $950 mo", you noticed the price from another posting earlier?
Also note the "Non-compliant" part of it, we will come back to that one later (hopefully).
And the same guy also posted the following, title: "Direct Send Mail Servers":

Direct Send Mail Servers
(Based in CA USA)
Direct Send Email Servers $1,000 and up. no set up fee
Reply Email Servers $400 and up. +100.00 setup fee
DNS Servers $300 and up. +100 setup fee 
Our Mail servers are configured as:
1.8-2.4 P4 CPU or whatever you need
1 GIG PC2700RAM
CD ROM
Bandwidth 4meg., 30 IP's allocated per server, we can talk about more if needed. 
Please contact:
steve@trixmail.com 

Again someone uses trixmail.com for mail, which apparently is related to Lindsay. This is somewhat confirmed by other sources: someone is using email addresses like "andy@trixmail.com" and "andy@fonestream.com". Now you may say that there are a lot of Andys out there. We are pretty confident it is the same guy. You have the clues, confirm it for yourself. There is something at trango5.com too, which makes us wonder a bit about this one:

network:Class-Name:network
network:ID:NET-XO-NET-435bcf00
network:Auth-Area:67.88.0.0/13
network:Network-Name:XO-NET-435bcf00
network:Organization;I:NETWORK OUTSOURCING, INC. (246684-1)
network:IP-Network:67.91.207.0/24
network:Admin-Contact;I:XCIA-ARIN
network:Tech-Contact;I:XCIA-ARIN
network:Created:20060705
network:Updated:20060719
network:Updated-By:ipadmin@eng.xo.com

Someone is offering spammers both mailservers and hosting. The silicon hosting space is obviously a part of that solution, both for the so-called can-spam compliant guys and the illegal guys. And for the mailing part, spam has been seen coming from transpath, promoting sites in silicon space. Mostly subscriberbase.

When it gets too hot (for various reasons), the illegal drug sites seem to move to China. Wonder if Lindsay controls something over there too? But he is living dangerously, new drug sites are moving in on nearby IPs. A list of some domains that earlier were hosted at 65.182.129.11, a quick look at some of those indicates they have now moved to 218.104.136.236, China.

And just for the record:

inetnum:      218.104.136.128 - 218.104.136.255
netname:      xiamen-nanguomen-corp
country:      cn
descr:        xiamen city
admin-c:      TC254-AP
tech-c:       TC254-AP
status:       ASSIGNED NON-PORTABLE
changed:      daihy@china-netcom.com 20020920
mnt-by:       MAINT-CN-ZM28
source:       APNIC

route:        218.104.128.0/20
descr:        CNCGroup CHINA169 FuJian province network
country:      CN
origin:       AS4837
mnt-by:       MAINT-CNCGROUP-RR
changed:      abuse@cnc-noc.net 20060803
source:       APNIC

person:       TECH GROUP CNC
address:      9/F, Building A, Corporate Square, No. 35 Financial Street,
address:      Xicheng District, Beijing 100032, P.R.China
country:      CN
phone:        +86-10-88093588
fax-no:       +86-10-88091442
e-mail:       tech-group@china-netcom.com
nic-hdl:      TC254-AP
mnt-by:       MAINT-CN-ZM28
changed:      zhaomq@china-netcom.com 20010917
source:       APNIC

So, is this Lindsay's "non-compliant: off shore servers"? Well, it is a fact that they have moved from his silicon space to China, and using proxies/botnets for mailing is for sure not compliant. Yes, we go for that idea; 218.104.136.128 - 218.104.136.255 is most likely Lindsay's space in China for "non-compliant" mailers.
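
The netblock containment this post relies on (65.182.129.11 inside the Silicon sub-allocation of the iMedia block, 218.104.136.236 inside the xiamen-nanguomen-corp range) can be checked mechanically. The following is an added example, not part of the original posting; it parses the range lines quoted above, and the function names parse_blocks and covering are our own.

```python
import ipaddress
import re

# Range lines copied from the whois output quoted in the post.
WHOIS_TEXT = """\
iMedia Networks Inc. IMEDIA (NET-65-182-128-0-1)
                                  65.182.128.0 - 65.182.143.255
Siliconcompilersystemsinc.com SILICON-06 (NET-65-182-128-0-2)
                                  65.182.128.0 - 65.182.131.255
TransPath TRANSPATH (NET-64-239-224-0-1) 64.239.224.0 - 64.239.239.255
inetnum:      218.104.136.128 - 218.104.136.255
netname:      xiamen-nanguomen-corp
"""

RANGE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)")
HANDLE = re.compile(r"\((NET-[\d-]+)\)")          # ARIN network handle
NETNAME = re.compile(r"^netname:\s*(\S+)", re.M)  # APNIC/RPSL netname


def parse_blocks(text):
    """Return [(label, [ip_network, ...])] for each 'first - last' range."""
    lines = text.splitlines()
    blocks = []
    for i, line in enumerate(lines):
        m = RANGE.search(line)
        if not m:
            continue
        if line.startswith("inetnum:"):
            # RPSL object: the name follows on a later 'netname:' line.
            label = NETNAME.search("\n".join(lines[i:]))
        else:
            # ARIN summary: handle is on this line or the one above it.
            label = HANDLE.search(line) or HANDLE.search(lines[i - 1] if i else "")
        first, last = map(ipaddress.ip_address, m.groups())
        # A range need not be CIDR-aligned, so it may expand to several nets.
        nets = list(ipaddress.summarize_address_range(first, last))
        blocks.append((label.group(1) if label else m.group(0), nets))
    return blocks


def covering(ip, blocks):
    """Allocations containing ip as (label, cidr), most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, label, str(net))
            for label, nets in blocks for net in nets if addr in net]
    return [(label, cidr) for _, label, cidr in sorted(hits, reverse=True)]


if __name__ == "__main__":
    blocks = parse_blocks(WHOIS_TEXT)
    for ip in ("65.182.129.11", "218.104.136.236"):
        print(ip, covering(ip, blocks))
```

The most specific match is listed first, so a nested reassignment such as the Silicon block shows up ahead of its parent allocation.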