Mail Wiper and their "Marketing" techniques
This is a report of my research and personal experience with the software developing and marketing company known as Mail Wiper, Inc and its CEO, Rob Martinson.
MailWiper, Inc. is registered as a domestic profit company in the state of Georgia http://www.state.ga.us/cgi-bin/pub/corp/corpsearch?corpid=0232894 which includes public record contact information.
MailWiper is also the owner of an email spamming website known as Eskrawl.com. This site will show up as a "page not found" site but may still be active in email spamming, as noted at http://www.whitis.com/mailwiper.htm and documented in the public records at http://www.state.ga.us/cgi-bin/pub/corp/corpsearch?corpid=0114479
Also, the information provided in this public record lawsuit http://www.arbforum.com/domains/decisions/118398.htm leads me to believe this is one and the same Rob Martinson, CEO of MailWiper, Inc., although I cannot say for sure, as there may be more than one Rob Martinson located in Atlanta, GA engaged in the practice of spamming... but what are the chances of that?
SpyWiper may be trying to change the name of their product to SpyDeleter. See http://tired-of-spam.home.comcast.net/spydeleter.html for more information.
On Saturday, November 22, 2003 my computer was infiltrated with what I believe to be a spyware designed to advertise for Mail Wiper, Inc. My default homepage in IE, which had been previously set on the CNN website, was hijacked and changed to a page with the address of http://default-homepage-network.com/index2.html. When this page loaded, it prompted two pop-ups to appear on the screen and also caused the CD ROM drive door to open. The first pop-up stated "WARNING! If your CD rom drive opens, you desperately need to rid your system of spyware pop-ups immediately. Spyware programmers can control your computer hardware if you fail to protect your computer right at this moment! Download Spy Wiper now!" The second pop-up stated "If your notepad launched and is displaying this message, then spyware programmers can control applications on your computer and it is urgent that you download Spy Wiper immediately. Do not allow spyware programs to damage your insecure computer." (See examples below). An attempt to close the warning pop-ups triggered pornographic pop-ups to appear. When all the pop-up windows were finally closed, a webpage displaying advertising for Spy Wiper in image format was left, bearing the name and address of Mail Wiper, Inc., 8725 Roswell Rd., #104, Atlanta, GA 30350 at the bottom and no opt-out link.
An attempt to reset my IE browser default homepage back to CNN worked......temporarily. The Spy Wiper advertisement page reinstated itself throughout the day, causing me to have to repeatedly reset the default home page. I contacted Mail Wiper, Inc. from their website requesting instructions on how to remove the problem. I was forced at that time to contact them through their sales department link because this company does not allow email contact from the website unless the person has an invoice number (required field). I explained this in my letter and assumed my request would be forwarded to the appropriate department. Instead I received a response from the Sales Department containing instructions on "how to reset my default home page in the browser". This was not my request, nor was it the answer to my problem. Aside from already knowing how to reset a default homepage in a browser for 10 years now, I had at that time had plenty of practice since the Spy Wiper advertisement had reinstated itself repeatedly throughout the day.
Following is the response I received to my request for instructions on how to remove the SpyWiper advertisement:
Received: from mail.mailwiper.com ([64.94.3.244]) by sccrmxc12.(sccrmxc12) with SMTP Mon, 24 Nov 2003 04:27:47 +0000
X-Originating-IP: [64.94.3.244]
Received: (qmail 10465 invoked by uid 0); 24 Nov 2003 04:24:47 -0000
Received: from unknown (HELO localhost.localdomain) (64.25.0.241) by mail.mailwiper.com with SMTP; 24 Nov 2003 04:24:47 -0000
Subject: Your inquiry
From: Spy Wiper Sales
To: (not disclosed so that this email address will not be harvested by spammers)
Content-Type: text/plain
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.4
Date: Sun, 23 Nov 2003 23:27:47 -0500
Content-Transfer-Encoding: 7bit

This email has been sent to you so we can help you. There are homepage fixing instructions below:
IMPORTANT NOTICE:
If this is a complaint regarding Internet advertising, please note that Spy Wiper does not own the Website that you visited and who is responsible for changing your homepage. If our advertisement had never been placed on that advertising network, you would still be seeing popup ads.
HOMEPAGE FIXING INSTRUCTIONS:
Please check your Browser homepage to see if it has been changed. To check it in Microsoft Internet Explorer please click on "Tools" then "Internet Options".
Then change it back to what you want it to be.
Then do not hit enter but be sure you click on "Apply" and then "Ok" at the bottom of the screen after changing it, or it will not change for you.
Please reboot your PC once you are finished.
Thank you
Spy Wiper Sales Department
The IMPORTANT NOTICE paragraph denied all responsibility, claiming that I "visited" the website which hijacked my browser, which is untrue. Mail Wiper made a quick denial on the grounds that as long as they don't own a website, they are not responsible for what their hired advertising does.
Over the next couple of days in my attempts to locate and remove the source of the hijack, I began to notice something strange. The browser stayed set and operated correctly until I opened a chat program called Paltalk. When I opened the Paltalk program, Paltalk operated as usual but the next time the IE browser was opened, it defaulted back to the Spy Wiper advertisement page. At first I thought this must have been my imagination so I tested it several times and without fail, it was the opening of Paltalk that triggered the browser hijack to activate. Paltalk is a program I have been using for 3 years without any problems so I did not see this program as being the fault of what was currently happening, moreover, they seemed to be the portal and trigger for what was happening.
This left me with only two possible explanations. A) Somehow an affiliate or hired advertising company of Mail Wiper, Inc. had discovered a way to channel code through the Paltalk program or, B) that Paltalk itself had allowed their program to be used for this sort of advertising technique for monetary reasons. I tend to believe the former, not the latter, since Paltalk has two forms of usage, paid or unpaid subscriptions. Unpaid subscriptions are subject to pop-up and banner advertising while paid subscriptions are not. I am a paid member and do not receive pop-ups or banners on the program. The other reason is because I have this program installed on two separate computers with the same account name, yet this had only happened on one machine.
At this point I had discovered more information through searches about the company, Mail Wiper, Inc., including Rob Martinson's email address (rob@mailwiper.com) so I issued a response to the email I received from his Sales Department directly to Mr. Martinson and again requested instructions on how to remove the source of the hijack, adding the additional information I had discovered about Paltalk. I am still waiting for a response back from him.
My search on this company also turned up a wealth of information concerning their business practices and people who have listed them as spammers and placed them on boycott lists. The most informative site I have located on them is at http://www.whitis.com/mailwiper.htm . Apparently, Mail Wiper, Inc. supports the marketing technique of spamming people, then offering a solution to get rid of the spam. This technique has probably been around awhile....create a problem or be a part of the problem, then sell the solution. In the case of Mail Wiper, Inc., they hire other spamming companies to create a problem and offer the solution so they can later deny responsibility by saying they don't own that site and it wasn't them who spammed or hijacked you. True, they're only the ones who paid someone else to do it.
Also, I was able to locate other internet users who had experienced the same Spy Wiper browser hijacking that I did at http://www.tommytrojan.blogspot.com/2003_11_23_tommytrojan_archive.html#106969957540138115
http://computing.net/security/wwwboard/forum/7859.html
http://www.netrn.net/spywareblog/ (This is an EXCELLENT site for up-to-date info on all spyware, hijackers, trojans, etc.)
http://www.dslreports.com/forum/remark,8636984~root=security,1~mode=flat
http://forums.zonelabs.com/zonelabs/board/message?board.id=CommonPrograms&message.id=1821
http://khyron_4.tripod.com/PEvans/coercion.html
Sites that have black listed them as spammers are:
http://www.theddz.com/thelist.htm
http://www.geocities.com/spamresources/prospam.htm
http://www.amhosting.com/spam.txt
Washington correspondent for CNET News, Declan McCullagh, also mentions them as known spammers in his articles http://www.zdnet.com/2100-1107_2-1010062.html
These are only a few of the postings I found concerning Mail Wiper and Spy Wiper. There are numerous posts in forums complaining about their email spamming and browser hijacking.
Mail Wiper, Inc's CEO, Rob Martinson granted a radio interview several months ago in KLAY 1180 AM radio station's WebTalkGuys show.
During this interview, Mr. Martinson states "This whole business came about because we have a goal. We didn't want children and grown-ups seeing awful pornography e-mails." "I was hearing in the industry that children were getting hit with pornography and that even though they didn't want it in their email, then they would go delete them and they would pop up on their screens and they would go straight into the websites and I just felt that, that was very evil and it was time for someone to bring that to an end and there's just some horrible, awful pornography spams that are running around the internet so I've dedicated my life to getting rid of it."
Although his "goal and life's dedication" sounds very admirable, it must be limited to email spam only, because he doesn't seem concerned about hiring advertising companies that hijack your browser to promote his company, backed with pornographic pop-ups.
Perhaps it would be appropriate to mention here that I am a 50 year old woman who has never visited a pornographic website and who has never had a pornographic pop-up appear on my computer screen until the closure of Spy Wiper's advertising pop-ups triggering them to appear. Yet in Mail Wiper's email response, they brush aside my complaint about the pornographic pop-ups their pop-ups triggered with "If our advertisement had never been placed on that advertising network, you would still be seeing pop-ups." Again, they skirt around the fact that pop-ups received from visiting certain websites are not comparable to pop-ups received during a browser hijack, nor do they seem concerned with the nature of the pop-ups.
Mr. Martinson also discusses people's reaction to his email marketing during this interview with the phrase "when people receive an email from us sent out from an opt-in list...." What he fails to mention is that his hired advertising companies hijack browsers without the user's consent and certainly not by opt-in choice. Unlike an email that can be deleted, the SpyWiper hijack resides on the user's computer until technical support is enlisted to remove it.
Two days after the initial infection of my computer, on November 24, 2003, something new developed. At this point I had been leaving Paltalk offline to avoid a browser hijack. I used the browser twice without problems, going only to ZDNet and CNN (the default page). Upon opening the browser for the third time, it was hijacked again and defaulted to http://default-homepage-network.com/index6.htm. Notice the different extension, index6 instead of index2. The advertisement was different, no pop-up windows appeared, and the CD rom drive door stayed shut, but it still demanded that I purchase Spy Wiper, was still in image format, and provided no opt-out link. (See example)
Several variations of file searches proved fruitless for some reason, the files refused to show in the list. Then I ran a file find search using the keyword of the extension *.lnk (for link). I found two files on the computer, one in My Documents, the other in Windows Recent. Both were named spywiper.htm. Upon viewing the properties of these files, I noticed that although they were both named spywiper.htm, the MS DOS names were different. The MS DOS names were SPYWIP~4.lnk. I deleted both files and it seemed to take care of the problem. Also, both files bore the creation dates of November 23, 2003, which may explain why they didn't come up in previous searches on the 22nd during the initial attack.
I still suspected a now-dormant hijack initiator was residing on my computer so I acquired a security scanner program to run tests on the system. This program located a suspicious URL Search Hook and rated it harmful. Implementing URL Search Hooks is one of many methods used in browser hijacking. This file is now removed and, unfortunately, I didn't think to view it first so I can't testify to its creation and installation on my system. Therefore, I can't associate it directly or say for certain that it was the culprit of my hijack, but I strongly suspect that it was.
To date, I have still not heard back from Mr. Martinson. So far, my IE browser has operated normally.
If you have been hijacked by SpyWiper, please download CWShredder at http://www.spywareinfo.com/~merijn/files/cwshredder.zip and run it. If you still experience problems after that, download HijackThis from http://www.spywarewarrior.com/files/hijackthis.zip and post the log file at http://spywarewarrior.com for assistance in removing it.
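An added example, not part of the original report or of HijackThis itself: a small Python triage script for a saved HijackThis log that flags the two things described above, a browser page set to the hijack domain and any URL Search Hook other than Internet Explorer's built-in one. It assumes the tool's usual `R0`/`R1` and `R3 - URLSearchHook:` line layout; the sample log lines, the all-zero CLSID and the DLL path are constructed placeholders.

```python
import re

# Hijack domain reported on this page; extend the set as needed.
SUSPECT_DOMAINS = {"default-homepage-network.com"}
# CLSID of Internet Explorer's built-in URL search hook (the expected entry).
DEFAULT_SEARCH_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

# R0/R1 lines: "R0 - <registry key>,<value name> = <data>"
REG_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# R3 lines: "R3 - URLSearchHook: <name> - {CLSID} - <file>"
HOOK_LINE = re.compile(
    r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: - (?P<file>.*))?$"
)
HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)

def host_of(url):
    """Return the lower-cased host part of a URL, or '' if none is found."""
    m = HOST.match(url.strip())
    return m.group(1).lower() if m else ""

def is_suspect_host(host):
    """Match the listed domain itself or any subdomain, not look-alikes."""
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def review_log(text):
    """Return (kind, item, detail) tuples for entries worth a closer look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_LINE.match(line)
        if m and is_suspect_host(host_of(m.group("data"))):
            findings.append(("homepage", m.group("value").strip(), m.group("data").strip()))
            continue
        m = HOOK_LINE.match(line)
        if m and m.group("clsid").upper() != DEFAULT_SEARCH_HOOK:
            findings.append(("search_hook", m.group("clsid").upper(), (m.group("file") or "").strip()))
    return findings

# Constructed sample lines (not a real log); the all-zero CLSID and the DLL
# path are placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/index2.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\example_hook.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

A flagged search hook is only a lead: the DLL path in the finding is the file to inspect (creation date, publisher) before removing it.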
SPYWIPER MAKES AN INTERESTING CHANGE: After the installation of Sygate Firewall on my computer, I decided to actually plug in the original default home page used to market SpyWiper (http://default-homepage-network.com/index2.html) that hijacked my browser the first time around. The firewall worked well in stopping the hardware CD rom hijacking and blocking anything harmful but I noticed that the SpyWiper page that loaded no longer has MailWiper, Inc.'s contact info at the bottom (see screen shot above where it used to be displayed). MailWiper must be hoping no one makes the connection to them now.
UPDATE: I received a report from someone that they were hijacked by SpyWiper using http://default-homepage-network.com/spypop4.html, which caused their CD rom drive door to open.
UPDATE: As of December 26th, MailWiper, Inc has changed their whois registration information to:
Registrant:
Mailwiper Inc.
PO Box 500517
Atlanta, Ga 31150
US
Registrar: DOTSTER
Domain Name: MAILWIPER.COM
Created on: 09-MAY-02
Expires on: 09-MAY-04
Last Updated on: 26-DEC-03
Administrative, Technical Contact:
Master, Host postmaster@mailwiper.com
Mailwiper Inc.
PO Box 500517
Atlanta, Ga 31150
US
111-111-1111 (my instincts tell me this is fake) (NOTE: After filing complaints to InterNic, this has been changed back to their fax number of 770-518-1519)
Domain servers in listed order:
UDNS1.ULTRADNS.NET
UDNS2.ULTRADNS.NET
Seems either they don't want their street address of 8725 Roswell Rd., #104 showing anymore or have moved, and want no phone contact.
MailWiper, Inc. also owns the domains mailwiper.net and mailwiper.org, which contained the same false registry information.
UPDATE: I just received an email from someone who was hijacked by SpyWiper who has informed me that the hijack deliberately disabled her content advisor, which she had intentionally set up to protect her 11 year old child from seeing anything adverse while online. Rob Martinson claimed in his radio interview that his mission in life was to protect children from seeing porn, yet he markets his products through marketing companies that flood the user with pornographic popups and disable child-security functions on the user's computer.
UPDATE: The notorious history of Rob Martinson, CEO of MailWiper, Inc., and the man behind the SpyWiper and SpyDeleter browser hijackings: http://atlanta.creativeloafing.com/2004-08-12/cover.html A long, but very informative article which contains Rob's history, his prison terms for drug possession, his spamming days, previous and pending lawsuits against him, and his mug shot. A must read!
IMPORTANT UPDATE: Great news!! It seems all our hard work has paid off! The FTC has brought a case against Seismic Entertainment. Hopefully this will be the downfall of these notorious companies and an example to those currently practicing unethical internet marketing. Read the case here: http://yro.slashdot.org/comments.pl?sid=124892&threshold=3&commentsort=0&tid=123&mode=nested&cid=10471703
News articles and public opinion can be found here:
http://netrn.net/spywareblog/index.php
http://story.news.yahoo.com/news?tmpl=story2&u=/nm/tech_spyware_dc
http://www.theunionleader.com/articles_showfast.html?article=45220
http://www.sacbee.com/24hour/technology/story/1719298p-9530248c.html
http://news.com.com/FTC+takes+aim+at+alleged+spyware+distributor/2100-7350_3-5403438.html?tag=cd.top
http://www.seacoastonline.com/news/10_8special2.htm
http://www.thewmurchannel.com/news/3794373/detail.html
PDF versions of the case can be found here: http://www.cdt.org/privacy/spyware/spywiper/
For all those who have been victimized by these companies, this is the day we've been waiting for. Let's keep our fingers crossed that justice will be done.
This website will be updated regularly with any new developments. Anyone wishing to contact me for inquiries or to relate their experiences with Mail Wiper, Inc. or any other hijacking may do so at nomorespyware@yahoo.com.