
Mystery of the Infographics

Who is Peter Kim?


I’m really not sure what’s going on here but it’s gotta be something. And hold on to your hats, I’m going to be doing some serious geeking out with this post. You have been warned. 🙂

Out of the blue a few weeks ago I got an email from a complete stranger who had this to say:

From: Peter Kim hello.pkim@gmail.com
To: “Mark” blah blah blah at gmail.com
Subject: Re:SOPA and PIPA
Date: Tue, 28 Feb 2012 03:16:40 -0800

Hi Mark,

I was wondering if this is the correct contact in regards to the content on the http://markturner.net. I came across the site while searching for resources around PIPA and SOPA. I just created a graphic on the topic and was wondering if you’d be interested in taking a look, I’d love to get your thoughts.

Thanks in advance for your time.

Peter

Well, I don’t normally have Copious Free Time to be dicking around with critiquing infographics. But what the heck, I decided to humor the guy and answer:

Hi Peter,

Yes, I’d be happy to take a look at your graphic. Thanks for writing!

Regards,
Mark

Three days go by until I get this response:

Subject: Re: SOPA and PIPA
From: Peter Kim hello.pkim@gmail.com
To: Mark Turner blah blah blah at mark turner dot net

Hi Mark,

The info-graphic I was talking about lives here:
http://www.paralegal.net/hypocrisy-in-hollywood/

I think viewers of your site would enjoy the graphic. So if you decide to share it, please let me know. Would love your thoughts as well!

Thanks,

Peter

Three more days go by and I haven’t responded to Peter, though I’ve looked at the infographic. Peter sends me this email:

Date: Wed, 7 Mar 2012 02:16:20 +0800
Subject: Re: SOPA and PIPA
From: Peter Kim hello.pkim@gmail.com
To: Mark Turner blah de blah blah blah at this domain dot net

Hi Mark,

Hope things are going well. Just wanted to follow up and see if you had a chance to look at that info-graphic. Again, would love your thoughts.

Thank you!

Peter

Persistent bastard, this Peter. I decide I’m not going to respond and go about my merry business. Then tonight what do I find in my inbox but this:

Date:Wed, 14 Mar 2012 15:32:42 -0700
From:Tony Shin itstonyshin@gmail.com
To:blah blah blah at gmail.com
Subject:Quick Note

Hi Mark,

I came across your site while searching for blogs and posts talking about the TSA and wanted to reach out to see if you think your readership would be interested in taking a look at an infographic my team and I built which focuses on how faulty the TSA has become and a waste of government spending.

If you’re interested, I’d love to connect. Thanks!


Tony Shin
@ohtinytony
Facebook.com/tony.shin40

What. The. Fuck. Where on my resume does it say I’m a professional infographic proofreader? It doesn’t. And no, Tony, I don’t believe you just “happened” to come across my blog.

I did a little Google sleuthing and turned up Tony’s TSA infographic. It is styled very similarly to Peter’s infographic on SOPA/PIPA. Not only that, Tony’s infographic can be found at a website called www.onlinecriminaljusticedegree.com, while Peter’s is hosted at www.paralegal.net. I’ll get into more of the domain stuff in a minute.

I decided to compare the headers of Peter’s and Tony’s messages. Right away I noticed something odd: both of the initial messages from Peter and Tony were ostensibly sent from Gmail but on closer inspection did not go through Gmail’s servers at all. Instead they were sent through bulk SMTP mail services, SMTP.COM and PANDASENT.COM:

Peter’s:

Delivered-To: blah blah blah at gmail.com
Received: by 10.229.6.65 with SMTP id 1csp102561qcy;
Tue, 28 Feb 2012 03:16:42 -0800 (PST)
Received: by 10.68.201.201 with SMTP id kc9mr3873926pbc.17.1330427802230;
Tue, 28 Feb 2012 03:16:42 -0800 (PST)
Return-Path: hello.pkim@gmail.com
Received: from node-sl2054.smtp.com (node-sl2054.smtp.com. [50.23.177.86])
by mx.google.com
with ESMTP id f3si21161565pbp.217.2012.02.28.03.16.41;
Tue, 28 Feb 2012 03:16:42 -0800 (PST)

Tony’s:

Delivered-To: blah blah blah at gmail.com
Received: by 10.229.107.34 with SMTP id z34csp30123qco;
Wed, 14 Mar 2012 15:32:47 -0700 (PDT)
Received: by 10.68.223.97 with SMTP id qt1mr782644pbc.6.1331764364764;
Wed, 14 Mar 2012 15:32:44 -0700 (PDT)
Return-Path: itstonyshin@gmail.com
Received: from node-sl2055.smtp.com (node-sl2055.smtp.com. [50.23.177.87])
by mx.google.com
with ESMTP id g9si441821pbd.221.2012.03.14.15.32.44;
Wed, 14 Mar 2012 15:32:44 -0700 (PDT)

Interestingly, both of Peter’s two subsequent messages came through Google proper:

Return-Path: hello.pkim@gmail.com
X-Original-To: blah blah blah at markturner daht net
Delivered-To: blah blah blah at markturner daht net
X-Received-SPF: pass (maestro: domain of gmail.com designates 209.85.215.43 as permitted sender) client-ip=209.85.215.43; envelope-from=hello.pkim@gmail.com; helo=mail-lpp01m010-f43.google.com;
Received: from mail-lpp01m010-f43.google.com (mail-lpp01m010-f43.google.com [209.85.215.43])
by maestro.markturner.net (Postfix) with ESMTPS id B4C1613FB7
for blah blah blah at markturner daht net; Tue, 6 Mar 2012 13:16:20 -0500 (EST)
Received: by lagr15 with SMTP id r15so7693973lag.30
for blah blah blah at markturner daht net; Tue, 06 Mar 2012 10:16:20 -0800 (PST)
Received-SPF: pass (google.com: domain of hello.pkim@gmail.com designates 10.152.132.130 as permitted sender) client-ip=10.152.132.130;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of hello.pkim@gmail.com designates 10.152.132.130 as permitted sender) smtp.mail=hello.pkim@gmail.com; dkim=pass header.i=hello.pkim@gmail.com
Received: from mr.google.com ([10.152.132.130])
by 10.152.132.130 with SMTP id ou2mr23430901lab.44.1331057780389 (num_hops = 1);
Tue, 06 Mar 2012 10:16:20 -0800 (PST)

Why would the first message come through a bulk SMTP service and the others through Google? One reason might be this person was taking a “shotgun” approach, contacting several website owners at a time, something that Google would surely flag as spam.
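The header comparison above can be scripted. This is an added example, not code from the original post: it takes the topmost Received header that names an outside host and checks whether that host belongs to the mail provider the From: address claims. The EXPECTED_RELAYS mapping and the function names are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: relay domains expected for a sender domain.
EXPECTED_RELAYS = {"gmail.com": ("google.com",)}
# "from HELO (rdns [ip])": the rDNS name and IP are written by the receiver.
HOP = re.compile(r"from\s+\S+\s+\((\S+?)\.?\s+\[([0-9A-Fa-f.:]+)\]\)")

# Constructed samples: abridged from the headers quoted above, folded lines
# re-indented, From: taken from the e-mails as displayed.
BULK = """\
Received: by 10.229.6.65 with SMTP id 1csp102561qcy;
 Tue, 28 Feb 2012 03:16:42 -0800 (PST)
Return-Path: hello.pkim@gmail.com
Received: from node-sl2054.smtp.com (node-sl2054.smtp.com. [50.23.177.86])
 by mx.google.com with ESMTP id f3si21161565pbp.217.2012.02.28.03.16.41;
 Tue, 28 Feb 2012 03:16:42 -0800 (PST)
From: Peter Kim <hello.pkim@gmail.com>

"""
DIRECT = """\
Return-Path: hello.pkim@gmail.com
Received: from mail-lpp01m010-f43.google.com (mail-lpp01m010-f43.google.com [209.85.215.43])
 by maestro.markturner.net (Postfix) with ESMTPS id B4C1613FB7;
 Tue, 6 Mar 2012 13:16:20 -0500 (EST)
From: Peter Kim <hello.pkim@gmail.com>

"""

def first_external_hop(msg):
    """Topmost Received header naming an outside host, as (rdns, ip)."""
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))
        if m:
            return m.group(1).lower(), m.group(2)
    return None, None

def check_relay(raw, expected=EXPECTED_RELAYS):
    """Return (sender_domain, relay_rdns, relay_is_expected)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns, _ip = first_external_hop(msg)
    allowed = expected.get(domain, (domain,))
    ok = rdns is not None and any(rdns == d or rdns.endswith("." + d) for d in allowed)
    return domain, rdns, ok

print(check_relay(BULK), check_relay(DIRECT))
```

Only the Received line written by the recipient's own mail server is trustworthy; anything below it was supplied by the sending side and can be forged.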

I decided to take a closer look at the domains that hosted the content. Peter’s domain name was registered with Dotster (and hidden with a privacy front company):

Domain Name: PARALEGAL.NET
Registrar: DOTSTER, INC.
Whois Server: whois.dotster.com
Referral URL: http://www.dotster.com
Name Server: NS1.PARALEGAL.NET
Name Server: NS2.PARALEGAL.NET
Status: ok
Updated Date: 21-jul-2011
Creation Date: 01-sep-1997
Expiration Date: 31-aug-2012

Registrant:
c/o PARALEGAL.NET
P.O. Box 821650
Vancouver, WA 98682
US

Registrar: DOTSTER
Domain Name: PARALEGAL.NET
Created on: 01-SEP-97
Expires on: 31-AUG-12
Last Updated on: 30-JAN-12

Administrative Contact:
VNbOre@PRIVACYPOST.COM
c/o PARALEGAL.NET
P.O. Box 821650
Vancouver, WA 98682
US
+1.360-449-5933

Technical Contact:
DqSjvY@PRIVACYPOST.COM
c/o PARALEGAL.NET
P.O. Box 821650
Vancouver, WA 98682
US
+1.360-449-5933

Domain servers in listed order:
NS1.PARALEGAL.NET
NS2.PARALEGAL.NET

Tony’s domain is registered with a privacy front company, too:

Domain Name: ONLINECRIMINALJUSTICEDEGREE.COM
Registrar: MONIKER

Registrant [3540877]:
Moniker Privacy Services ONLINECRIMINALJUSTICEDEGREE.COM@monikerprivacy.net
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

Billing Contact [3540877]:
Moniker Privacy Services ONLINECRIMINALJUSTICEDEGREE.COM@monikerprivacy.net
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Phone: +1.9549848445
Fax: +1.9549699155

Technical Contact [3540877]:
Moniker Privacy Services ONLINECRIMINALJUSTICEDEGREE.COM@monikerprivacy.net
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Phone: +1.9549848445
Fax: +1.9549699155

Domain servers in listed order:

NS2343.HOSTGATOR.COM
NS2344.HOSTGATOR.COM

Record created on: 2004-09-23 11:53:15.98
Database last updated on: 2011-06-21 20:31:34.86
Domain Expires on: 2014-09-23 11:53:15.98

It seems on the surface that not a lot can be learned from this information. Still, a few tricks reveal some interesting details. For instance, both of these websites are hosted with the same hosting provider:

nslookup www.paralegal.net
Server: 192.168.3.252
Address: 192.168.3.252#53

Non-authoritative answer:
www.paralegal.net canonical name = paralegal.net.
Name: paralegal.net
Address: 69.56.165.182

whois 69.56.165.182:

NetRange: 69.56.128.0 - 69.56.255.255
CIDR: 69.56.128.0/17
OriginAS: AS36420, AS30315, AS13749, AS21844
NetName: NETBLK-THEPLANET-BLK-7
[snip]

…and Tony’s:

nslookup www.onlinecriminaljusticedegree.com
Server: 192.168.3.252
Address: 192.168.3.252#53

Non-authoritative answer:
www.onlinecriminaljusticedegree.com canonical name = onlinecriminaljusticedegree.com.
Name: onlinecriminaljusticedegree.com
Address: 174.121.11.9

whois 174.121.11.9

NetRange: 174.120.0.0 - 174.123.255.255
CIDR: 174.120.0.0/14
OriginAS: AS36420, AS30315, AS13749, AS21844
NetName: NETBLK-THEPLANET-BLK-16

So if two infographic requests weren’t coincidental enough, both of these sites seem to be hosted by the same provider. Indeed, they are in the same datacenter:

9 ae13.bbr02.eq01.dal03.networklayer.com (173.192.18.134) 57.084 ms 55.253 ms 55.696 ms
10 po32.dsr02.dllstx3.networklayer.com (173.192.18.231) 57.471 ms po32.dsr01.dllstx3.networklayer.com (173.192.18.229) 57.131 ms po32.dsr02.dllstx3.networklayer.com (173.192.18.231) 57.147 ms
11 * * te2-4.dsr02.dllstx2.networklayer.com (70.87.255.126) 71.054 ms
12 * te5-1.car12.dllstx6.networklayer.com (70.87.254.226) 52.947 ms *

… and …

9 ae13.bbr02.eq01.dal03.networklayer.com (173.192.18.134) 54.392 ms * *
10 po32.dsr01.dllstx3.networklayer.com (173.192.18.229) 50.816 ms 51.236 ms po32.dsr02.dllstx3.networklayer.com (173.192.18.231) 50.410 ms
11 te3-2.dsr02.dllstx2.networklayer.com (70.87.253.134) 56.934 ms te4-4.dsr02.dllstx2.networklayer.com (70.87.255.134) 56.397 ms te3-1.dsr02.dllstx2.networklayer.com (70.87.255.130) 55.691 ms
12 te1-2.car09.dllstx2.networklayer.com (70.87.254.94) 57.272 ms 57.695 ms te1-1.car09.dllstx2.networklayer.com (70.87.254.90) 57.377 ms
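The two traceroute excerpts can be compared hop by hop instead of by eye. This is an added example, not code from the original post; it assumes the first DNS label of each router name is the interface (ae13, po32, te2-4) and drops it so the comparison is made per router. The function names are assumptions of the example.

```python
import re

# Hop lines copied from the two traceroute excerpts above.
TRACE_A = """\
9 ae13.bbr02.eq01.dal03.networklayer.com (173.192.18.134) 57.084 ms 55.253 ms 55.696 ms
10 po32.dsr02.dllstx3.networklayer.com (173.192.18.231) 57.471 ms po32.dsr01.dllstx3.networklayer.com (173.192.18.229) 57.131 ms po32.dsr02.dllstx3.networklayer.com (173.192.18.231) 57.147 ms
11 * * te2-4.dsr02.dllstx2.networklayer.com (70.87.255.126) 71.054 ms
12 * te5-1.car12.dllstx6.networklayer.com (70.87.254.226) 52.947 ms *
"""
TRACE_B = """\
9 ae13.bbr02.eq01.dal03.networklayer.com (173.192.18.134) 54.392 ms * *
10 po32.dsr01.dllstx3.networklayer.com (173.192.18.229) 50.816 ms 51.236 ms po32.dsr02.dllstx3.networklayer.com (173.192.18.231) 50.410 ms
11 te3-2.dsr02.dllstx2.networklayer.com (70.87.253.134) 56.934 ms te4-4.dsr02.dllstx2.networklayer.com (70.87.255.134) 56.397 ms te3-1.dsr02.dllstx2.networklayer.com (70.87.255.130) 55.691 ms
12 te1-2.car09.dllstx2.networklayer.com (70.87.254.94) 57.272 ms 57.695 ms te1-1.car09.dllstx2.networklayer.com (70.87.254.90) 57.377 ms
"""

ROUTER = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_trace(text):
    """Map hop number -> set of router names answering at that hop.
    Assumption: the first DNS label is the interface, so it is dropped."""
    hops = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        # Unresolved hops print the IP twice; keep those as-is.
        hops[int(fields[0])] = {
            (h if h == ip else h.partition(".")[2] or h).lower()
            for h, ip in ROUTER.findall(fields[1])
        }  # empty set when every probe timed out
    return hops

def compare_traces(a, b):
    """Return (hops sharing a router, first hop where both answer but differ)."""
    ha, hb = parse_trace(a), parse_trace(b)
    shared, diverge = [], None
    for n in sorted(set(ha) & set(hb)):
        if ha[n] & hb[n]:
            shared.append(n)
        elif ha[n] and hb[n] and diverge is None:
            diverge = n
    return shared, diverge

print(compare_traces(TRACE_A, TRACE_B))
```

On these excerpts, hops 9 through 11 pass through the same routers and the paths separate only at hop 12, where the first trace ends on car12.dllstx6 and the second on car09.dllstx2.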

So what’s going on here? Is it some sort of sophisticated astroturf campaign? Some kind of search-engine optimization stunt? What’s the purpose? Plenty of other bloggers have posted the infographic, why ask to post it on my site?

And who are Peter Kim and Tony Shin? Tony’s Twitter account is full of posts, but are they Tony’s own or of a bot that copies and pastes others’ Tweets to appear human?

What’s up with these two similar websites, paralegal.net and onlinecriminaljusticedegree.com? Both use similar icons (i.e. dull ones) and both seem to be using a particular SEO plug-in, judging by a look at the HTML source:

<!-- All in One SEO Pack 1.6.13.1 by Michael Torbert of Semper Fi Web Design[303,372] -->
<link rel="canonical" href="http://www.onlinecriminaljusticedegree.com/crime-scene-investigator/" />

<!-- /all in one seo pack -->

Anyone else on the Internet get emails from these gentlemen and have anything to add?

Update 10:49 PM: On his (supposed) Google Plus page, Tony Shin posted a link to another infographic website called educationnews.org. This site’s apparently hosted in Los Angeles. Same SEO plug-in as the other sites, though!

<!-- All in One SEO Pack 1.6.13.4 by Michael Torbert of Semper Fi Web Design[435,457] -->

Also, one of Tony Shin’s Google Plus friends is named Peter Kim.

Also, looks like onlineschools.org is also one of their sites, as is the accompanying Twitter account.