Anonymous
11-08-2007, 11:48 PM
Ok,
go to the teaparty.org page and click "view source"
find where it says
<form method="post" action="http://www.aweber.com/scripts/addlead.pl">
See the root domain of that?
www.aweber.com
check out that site...
right on the front page
"Learn About the Most Reliable, Easiest,
Cost Effective Tool to Capture Visitor Sign Ups,
Send Unlimited Follow Ups and Newsletters
Increasing Your Profits."
Now, it is possible he is just using this to track a mailing list, but there are many more, far simpler ways to do this...it's very improbable. Can I get another opinion on this?
Here (http://upload2.net/page/download/dpNRPF19ZqZAWe9/teapartyorg.txt.html)is a copy of the source just incase.
Update - Proof .Net and .Org are the same
From the TeaParty.Net source
<frameset border=0 rows="100%,*" noresize>
<frame marginwidth=0 marginheight=0 frameborder=0 framespacing=0 name="TOPFRAME" src="http://www.teaparty07.org"
noresize>
</frameset>
The Missing Proof
Okay, if this is phishing he should have other sites out there, and he is likely to use the same tracking service.
do you see:
<input type="hidden" name="meta_web_form_id" value="1374910195">
This looks like his tracking number. We need to find this in other known phishing sites. I'm looking for a way to search within HTML.
Action
Notice that alot of his Content are just hot-linked from other sites.
background="http://www.ronpaulnation.com/toys/rpn800x600.jpg"
src="http://www.studentsoftheworld.info/sites/country/img/13343_boston-tea-party-762868.jpg"
src="http://www.amoeba.com/dynamic-images/blog/image.jpg"
src="http://www.myoops.org/twocw/mit/NR/rdonlyres/History/21H-104JFall-2004/EAE5387B-6D4C-470C-BB54-3BD866DE5CD0/0/chp_bostontparty.jpg" src="http://www.defenseindustrydaily.com/images/MISC_Boston_Tea_Party_lg.jpg"
background="http://www.htflag.com/media/watermark1.jpg"
src="http://www.blingyblob.com/countdown/BlingyCountdown18.swf"
http://www.ronpaulpresident2008.com/images/bumper_stickers_cagepress/ron_paul_400px.jpg
Without explicit permission hot-linking is infact illegal. If this is proven we need to contact these people and have them move or take down or block these images.
Suspects
Now i'm not saying any of these people are guity, but they do have some early connection to it.
sassyami (http://digg.com/users/sassyami) - Submitted site to DIGG
Rad Joe (http://www.ronpaulforums.com/showthread.php?t=33020&highlight=teaparty07.org&page=2) - Possibly the first submission to this site. I have roughly tracked him down.
Notes
-the whois information is Protected by Protected Domain Services at 125 Rampart Way, Denver, Colorado. I'm looking for more information
-When was this site first created? If we can find a post around the same time, thats a likely suspect.
go to the teaparty.org page and click "view source"
find where it says
<form method="post" action="http://www.aweber.com/scripts/addlead.pl">
See the root domain of that?
www.aweber.com
check out that site...
right on the front page
"Learn About the Most Reliable, Easiest,
Cost Effective Tool to Capture Visitor Sign Ups,
Send Unlimited Follow Ups and Newsletters
Increasing Your Profits."
Now, it is possible he is just using this to track a mailing list, but there are many more, far simpler ways to do this...it's very improbable. Can I get another opinion on this?
Here (http://upload2.net/page/download/dpNRPF19ZqZAWe9/teapartyorg.txt.html)is a copy of the source just incase.
Update - Proof .Net and .Org are the same
From the TeaParty.Net source
<frameset border=0 rows="100%,*" noresize>
<frame marginwidth=0 marginheight=0 frameborder=0 framespacing=0 name="TOPFRAME" src="http://www.teaparty07.org"
noresize>
</frameset>
The Missing Proof
Okay, if this is phishing he should have other sites out there, and he is likely to use the same tracking service.
do you see:
<input type="hidden" name="meta_web_form_id" value="1374910195">
This looks like his tracking number. We need to find this in other known phishing sites. I'm looking for a way to search within HTML.
Action
Notice that alot of his Content are just hot-linked from other sites.
background="http://www.ronpaulnation.com/toys/rpn800x600.jpg"
src="http://www.studentsoftheworld.info/sites/country/img/13343_boston-tea-party-762868.jpg"
src="http://www.amoeba.com/dynamic-images/blog/image.jpg"
src="http://www.myoops.org/twocw/mit/NR/rdonlyres/History/21H-104JFall-2004/EAE5387B-6D4C-470C-BB54-3BD866DE5CD0/0/chp_bostontparty.jpg" src="http://www.defenseindustrydaily.com/images/MISC_Boston_Tea_Party_lg.jpg"
background="http://www.htflag.com/media/watermark1.jpg"
src="http://www.blingyblob.com/countdown/BlingyCountdown18.swf"
http://www.ronpaulpresident2008.com/images/bumper_stickers_cagepress/ron_paul_400px.jpg
Without explicit permission hot-linking is infact illegal. If this is proven we need to contact these people and have them move or take down or block these images.
Suspects
Now i'm not saying any of these people are guity, but they do have some early connection to it.
sassyami (http://digg.com/users/sassyami) - Submitted site to DIGG
Rad Joe (http://www.ronpaulforums.com/showthread.php?t=33020&highlight=teaparty07.org&page=2) - Possibly the first submission to this site. I have roughly tracked him down.
Notes
-the whois information is Protected by Protected Domain Services at 125 Rampart Way, Denver, Colorado. I'm looking for more information
-When was this site first created? If we can find a post around the same time, thats a likely suspect.