Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.

2006-07-05

Job Scam: Trigon Partners Inc (trigonpartners.com)

I note in passing that there is a new name being used in an ongoing string of employment scams, seemingly run by the same person or people. We've had such previous identities as "Adams Green", "Global Austrian Syndicate", and "Swiss Invest"; now we have "Trigon Partners Inc" with domain name "trigonpartners.com" (registered on 30-Jun-2006 for one year). The spam contained text as an image, and linked to http://trigonpartners.com/vacancies_form.html. I've attached a screenshot of that site as it appeared when I browsed it a short while ago.

As usual, the website is hosted on (or behind) a botnet. The nameservers for the domain are currently 72.9.103.51 and 154.37.3.12, of which only the former responded to my queries. I actually did two queries for "A" records at "trigonpartners.com" with slightly different results. The second result was as follows.

; <<>> DiG 9.3.1 <<>> A trigonpartners.com @72.9.103.51
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24045
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;trigonpartners.com.            IN      A

;; ANSWER SECTION:
trigonpartners.com.     1800    IN      A       68.116.254.150
trigonpartners.com.     1800    IN      A       74.135.163.127
trigonpartners.com.     1800    IN      A       172.204.41.101
trigonpartners.com.     1800    IN      A       24.99.224.131
trigonpartners.com.     1800    IN      A       66.41.110.65

;; AUTHORITY SECTION:
trigonpartners.com.     1800    IN      NS      ns1.winter-day.com.
trigonpartners.com.     1800    IN      NS      ns2.winter-day.com.

;; ADDITIONAL SECTION:
ns1.winter-day.com.     1800    IN      A       72.9.103.51
ns2.winter-day.com.     1800    IN      A       154.37.3.12

;; Query time: 412 msec
;; SERVER: 72.9.103.51#53(72.9.103.51)
;; WHEN: Wed Jul  5 15:48:16 2006
;; MSG SIZE  rcvd: 195

The first query response was different in that it included 81.184.137.110 instead of 74.135.163.127. This is fairly typical for a botnet: the "time to live" values are set at 1800 seconds (30 minutes) so that the records can be adjusted rapidly, compensating for computers in the botnet being turned off and on unpredictably.
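The comparison described above can be automated. The following is an added example, not part of the original post: it parses the ANSWER section of two dig responses and reports the churn, the TTL and the network spread. The function names, the /16 grouping and the thresholds are illustrative assumptions, and the first response is reconstructed from the description above.

```python
import ipaddress

# Second response: ANSWER section copied from the dig output above.
SECOND = """\
;; ANSWER SECTION:
trigonpartners.com.     1800    IN      A       68.116.254.150
trigonpartners.com.     1800    IN      A       74.135.163.127
trigonpartners.com.     1800    IN      A       172.204.41.101
trigonpartners.com.     1800    IN      A       24.99.224.131
trigonpartners.com.     1800    IN      A       66.41.110.65

;; AUTHORITY SECTION:
trigonpartners.com.     1800    IN      NS      ns1.winter-day.com.
"""
# First response, reconstructed from the text (one address differed); the
# record order and the TTL of the differing record are assumptions.
FIRST = SECOND.replace("74.135.163.127", "81.184.137.110")

def parse_a_records(dig_text, name):
    """Return {ip: ttl} for the A records of `name` in dig's ANSWER section."""
    records, in_answer = {}, False
    for line in dig_text.splitlines():
        line = line.strip()
        if line.startswith(";;"):  # section header or statistics line
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        f = line.split()
        if in_answer and len(f) == 5 and f[0].rstrip(".") == name and f[3] == "A":
            records[str(ipaddress.ip_address(f[4]))] = int(f[1])
    return records

def flux_report(first, second, max_ttl=1800, min_networks=3):
    """Compare two responses; the thresholds are illustrative, not a standard."""
    ips = set(first) | set(second)
    nets = {ipaddress.ip_network(ip + "/16", strict=False) for ip in ips}
    report = {
        "added": sorted(set(second) - set(first)),
        "dropped": sorted(set(first) - set(second)),
        "short_ttl": max(list(first.values()) + list(second.values())) <= max_ttl,
        "distinct_16s": len(nets),
    }
    churn = bool(report["added"] or report["dropped"])
    report["suspicious"] = report["short_ttl"] and churn and len(nets) >= min_networks
    return report

if __name__ == "__main__":
    name = "trigonpartners.com"
    print(flux_report(parse_a_records(FIRST, name), parse_a_records(SECOND, name)))
```

Short TTLs and changing record sets also occur with legitimate load balancing and CDNs, so the flag only marks a domain for closer review.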

I'm not going to bother mapping those addresses back to ISPs on this occasion. I just wanted to mention the new name, to give everyone a "heads up". If you want to see the spam image-text as received, it's archived over at Suckers Wanted.
