More strangeness

An apparently fake user registered on my blog this morning:

New user registration on your site Mark Turner dot Net:

Username: BethOverton

E-mail: beth.overton@jazzmusicianspace.com

This could very well be related to the infographic mystery as jazzmusicianspace.com uses the same nameservers as paralegal.net:

dig paralegal.net

; <<>> DiG 9.7.1-P2 <<>> paralegal.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;paralegal.net. IN A

;; ANSWER SECTION:
paralegal.net. 14400 IN A 69.56.165.182

;; AUTHORITY SECTION:
paralegal.net. 49189 IN NS sns236.websitewelcome.com.
paralegal.net. 49189 IN NS sns235.websitewelcome.com.

;; ADDITIONAL SECTION:
sns236.websitewelcome.com. 14400 IN A 67.18.12.210
sns235.websitewelcome.com. 14400 IN A 67.18.3.45

JazzMusicianSpace.com’s whois record points to a search-engine optimization company in Atlanta called Response Mine:

Registrant:
Response Mine Interactive, LLC.
3390 Peachtree Road NE
Suite 800
atlanta, GA 30326
United States

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: JAZZMUSICIANSPACE.COM
Created on: 19-Jan-12
Expires on: 19-Jan-13
Last Updated on: 24-Jan-12

Administrative Contact:
Robbins, K. domainrenewal@responsemine.com
Response Mine Interactive, LLC.
3390 Peachtree Road NE
Suite 800
atlanta, GA 30326
United States
+1.4042330370 Fax — +1.4042330302

Technical Contact:
Robbins, K. domainrenewal@responsemine.com
Response Mine Interactive, LLC.
3390 Peachtree Road NE
Suite 800
atlanta, GA 30326
United States
+1.4042330370 Fax — +1.4042330302

Domain servers in listed order:
SNS293.WEBSITEWELCOME.COM
SNS294.WEBSITEWELCOME.COM

Note that the jazzmusicianspace.com site has only been registered with Response Mine for less than two months.

Oh, and the user registered on my site from the IP address 208.76.53.164:

7 64.213.78.149 (64.213.78.149) 25.826 ms TeG1-4.ar4.DCA3.gblx.net (208.49.195.129) 26.273 ms 26.319 ms
8 ellada-projects-bv.ethernet3-7.ar4.mia1.gblx.net (64.209.106.66) 48.627 ms 47.243 ms 47.431 ms
9 208.76.53.164 (208.76.53.164) 49.527 ms 47.544 ms 46.661 ms

This IP address appears to be part of a web anonymizer proxy called “Hide My Ass!”:

Posted 22 January 2012 – 12:37 PM
@talbashan

1- Enable L2TP
2- Server address 208.76.53.164
3- Username YOUR_HMA_USERNAME
4- Password YOUR_PPTP_PASSWORD (NOT HMA PASSWORD)

This is how L2TP is configured on a DD-WRT router: http://www.flickr.co…in/photostream/

I don’t know much about your Vigor router, sorry, I hope I am not misleading you.

Just let me know how it goes.

Good luck!

P.S.

It’s worth reading this thread:

http://forums.whirlp…archive/1540863

Interestingly, the IP shows up in another Google search result, this one associated with yet another education website (now apparently defunct) called useducationresource.com.

amysherlock112@yahoo.com|64.145.82.152|http …
www.clickingmarket.com/SteveFunk/tpoint120_20111220041239.txt
Dec 19, 2011 – … 00:00:00|Shavon Banks| adammurrayss@yahoo.com|208.76.53.164|http://useducationresource.com/usfr/index.php|2011-12-19 …

ClickingMarket.Com is registered to the same privacy-protecting registrar (Moniker) that onlinecriminaljusticedegree.com uses. Coincidence?

Update: On Monday, I got a similar fake user. This domain is a GoDaddy one but has the same websitewelcome.com nameservers:

New user registration on your site Mark Turner dot Net:

Username: RachelFranklin

E-mail: rachel@affordablechristmaslights.org

Name Server:SNS293.WEBSITEWELCOME.COM
Name Server:SNS294.WEBSITEWELCOME.COM

“Rachel” tried to register from two different IP addresses, 173.208.197.126 and 66.85.134.110 (from two hours prior). I assume this is the Hide My Ass! anonymizer in action again.
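
An added example (not part of the original post): a Python script that repeats the nameserver comparison made above, using only the dig and whois lines quoted in the post. It separates a match on the exact nameserver pair from a match on the hosting provider's zone alone; the function names and the two-label provider rule are assumptions of the example.

```python
import re
from collections import defaultdict

RECORDS = {  # nameserver lines copied from the dig and whois output quoted in the post
    "paralegal.net": "paralegal.net. 49189 IN NS sns236.websitewelcome.com.\n"
                     "paralegal.net. 49189 IN NS sns235.websitewelcome.com.\n",
    "jazzmusicianspace.com": "Domain servers in listed order:\n"
                             "SNS293.WEBSITEWELCOME.COM\nSNS294.WEBSITEWELCOME.COM\n",
    "affordablechristmaslights.org": "Name Server:SNS293.WEBSITEWELCOME.COM\n"
                                     "Name Server:SNS294.WEBSITEWELCOME.COM\n",
}

DIG_NS = re.compile(r"\sIN\s+NS\s+(\S+)", re.I)        # dig resource-record line
WHOIS_NS = re.compile(r"^Name Server:\s*(\S+)", re.I)  # whois key/value line
BARE_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+\.?$", re.I)

def extract_nameservers(text):
    """Return the nameserver hostnames found in dig or whois text, normalized."""
    found, in_list = set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        match = DIG_NS.search(line) or WHOIS_NS.search(line)
        if match:
            found.add(match.group(1).rstrip(".").lower())
        elif in_list and BARE_HOST.match(line):
            found.add(line.rstrip(".").lower())   # whois list form: bare hostname
        else:
            # The whois list header opens a list; any other line closes it.
            in_list = line.lower().startswith("domain servers in listed order")
    return frozenset(found)

def provider(ns_host):
    """Parent zone of a nameserver (assumption: naive last-two-labels rule, no PSL)."""
    return ".".join(ns_host.split(".")[-2:])

def cluster(records):
    """Group domains by exact NS set (stronger link) and by NS provider (weaker)."""
    exact, by_provider = defaultdict(set), defaultdict(set)
    for domain, text in records.items():
        ns_set = extract_nameservers(text)
        exact[ns_set].add(domain)
        for prov in {provider(host) for host in ns_set}:
            by_provider[prov].add(domain)
    return dict(exact), dict(by_provider)

if __name__ == "__main__":
    for label, groups in zip(("exact NS set", "NS provider"), cluster(RECORDS)):
        for key, domains in groups.items():
            print(label, sorted(key) if isinstance(key, frozenset) else key, "->", sorted(domains))
```

On the quoted records, the two registration e-mail domains share the exact sns293/sns294 pair, while paralegal.net sits on sns235/sns236 under the same websitewelcome.com zone.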