Everything posted by ssybesma

  1. WOW!!! Quick SUCCESS on squashing one of the three domains. Never realized it was so easy. This is totally FUN!!!

     I am awaiting word on the initial spamvertised domain WorkFor375.com, as well as the end domain where the business is actually done (TrustedSurveys.com). The middle domain that the first one redirects to (TrustedSSurveys.com) is the one I just now got shut down. (Like I said earlier, I should have reported the end domain first. Oh, well.)

     What I did on this, was go around the WhoisGuard'ed domain names and go to ARIN to find out who had the IP addresses and was able to find out who hosted the sites that way. Works REALLY great!

     At the end, I sent a gloating email to the email address mentioned on the end website that actually does the spamvertised business. I couldn't help myself. Why not?

     Steve

     ====================

     Hello,

     Thank you for notifying us. I have suspended the website trustedssurveys.com.

     Sincerely,
     Ted Smith
     Security Specialist
     Endurance International Group

     -----Original Message-----
     From: Shimon Bakshi
     Sent: Tue 08-May-12 14:40
     To: cogentabuse
     Subject: FW: spammer using IP address registered to you

     From: Steve [mailto:steve[at]vwebr.net]
     Sent: Tuesday, May 08, 2012 10:43 AM
     To: #CustomerRelations
     Subject: spammer using IP address registered to you

     Hello,

     Please forward this to your abuse dept or the dept that handles webhosting or IP services.

     The following is information regarding someone who is spamming a work-at-home scam using the domain workfor375.com, which redirects to trustedssurveys.com

     The domain trustedssurveys.com (note there is a doubled 's') has been obfuscated because the person is using Namecheap.com's Whoisguard service.

     HOWEVER, the IP address that trustedssurveys.com points to is 65.254.250.110. According to ARIN, that IP address is in your CIDR block.

     Can you please look into de-allocating/de-registering that IP address?

     I will forward the spam to you with all headers right after this email, but the domain name referred to is clearly in the spam and it redirects to the domain having the IP address in your CIDR block.

     Thank you,
     Steve Sybesma
     Lafayette, CO
     720-934-2484

     [Querying whois.arin.net]
     [whois.arin.net]
     #
     # Query terms are ambiguous. The query is assumed to be:
     # "n 65.254.250.110"
     #
     # Use "?" to get help.
     #
     #
     # The following results may also be obtained via:
     # http://whois.arin.net/rest/nets;q=65.254.2...amp;ext=netref2
     #
     NetRange: 65.254.224.0 - 65.254.255.255
     CIDR: 65.254.224.0/19
     OriginAS:
     NetName: BIZLAND-FC03
     NetHandle: NET-65-254-224-0-1
     Parent: NET-65-0-0-0-0
     NetType: Direct Allocation
     RegDate: 2004-01-06
     Updated: 2012-03-02
     Ref: http://whois.arin.net/rest/net/NET-65-254-224-0-1

     OrgName: The Endurance International Group, Inc.
     OrgId: EIG-12
     Address: 70 Blanchard Road
     City: Burlington
     StateProv: MA
     PostalCode: 01803
     Country: US
     RegDate: 2005-02-07
     Updated: 2011-09-24
     Ref: http://whois.arin.net/rest/org/EIG-12

     OrgTechHandle: BBR189-ARIN
     OrgTechName: Brock, Brian
     OrgTechPhone: +1-781-852-3254
     OrgTechEmail: bnbrock[at]maileig.com
     OrgTechRef: http://whois.arin.net/rest/poc/BBR189-ARIN

     OrgAbuseHandle: BBR189-ARIN
     OrgAbuseName: Brock, Brian
     OrgAbusePhone: +1-781-852-3254
     OrgAbuseEmail: bnbrock[at]maileig.com
     OrgAbuseRef: http://whois.arin.net/rest/poc/BBR189-ARIN

     OrgNOCHandle: ENO74-ARIN
     OrgNOCName: EIG Network Operations
     OrgNOCPhone: +1-339-234-9762
     OrgNOCEmail: netmon[at]maileig.com
     OrgNOCRef: http://whois.arin.net/rest/poc/ENO74-ARIN

     #
     # ARIN WHOIS data and services are subject to the Terms of Use
     # available at: https://www.arin.net/whois_tou.html
     #
  2. OK, very good. I'll abide by the rules. I registered with knujon.com, am trying to register with complainterator.com (although their site seems to be timing out when I attempt) and I sent an email to see about having the latter two domains added to Bill Stearn's blacklist. WorkFor375.com I noticed is already on the WS list, but that doesn't stop the problem like squashing the domains will. Think I hit all the bases possible.
  3. Very EXCELLENT reply Steve (my name is Steve as well). How would I go about 'dummying' the submission to add the spamvertised website? I will check out the tools you mentioned, so that may take out the necessity of doing it that way and make my question moot. The other thing I was thinking about, is that there is probably a better strategy of reporting spamvertised websites in the case of a redirected domain and a link to a domain. I should probably go after the domain at the end of the line and work my way up, because if the domains farther out get reported last, they may not see the connection to the domain that I had to get to before that one if it was shut down already. I didn't think about that initially and reported workfor375.com first (yesterday), then the redirected domain trustedssurveys.com right afterward, and then the link from the redirected domain (trustedsurveys.com) was reported today. Shoulda did it the other way. Oops!
  4. The reporting tool is missing the spamvertised website mentioned in the headers and the body of the spam below (my email and others obfuscated for privacy reasons). The name of the domain is workfor375.com.

     I had to do the legwork myself and reported that domain, the domain it redirects to (trustedssurveys.com) and the domain that webpage contains a link to (trustedsurveys.com) as well as all three IP addresses to their respective hosting/allocating companies.

     When I used spamcop on the spam below, all it reported to was Yahoo.

     ============================================================

     Return-path: <thezeroplan128[at]yahoo.com>
     Envelope-to: <OBFUSCATED FOR PRIVACY REASONS>
     Delivery-date: Sun, 06 May 2012 03:34:52 -0500
     Received: from nm16-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.131])
         by server509.webhostingpad.com with smtp (Exim 4.69)
         (envelope-from <thezeroplan128[at]yahoo.com>)
         id 1SQwvY-0047HO-EC
         for <OBFUSCATED FOR PRIVACY REASONS>; Sun, 06 May 2012 03:34:52 -0500
     Received: from [98.139.212.151] by nm16.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
     Received: from [98.139.212.240] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
     Received: from [127.0.0.1] by omp1049.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
     X-Yahoo-Newman-Property: ymail-5
     X-Yahoo-Newman-Id: 248258.25919.bm[at]omp1049.mail.bf1.yahoo.com
     Received: (qmail 95838 invoked by uid 60001); 6 May 2012 08:34:47 -0000
     DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1336293287;
         bh=iLdWCppUyJWwtTtwpaXIbQtCd9bWuEy8P1VLHBZrY58=;
         h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type;
         b=pOe5jE9noygec3LcP2Sjhym3zN39aNMDzO3lttjyLv4ZXtBfhSuAEXTLCSYnAGyeF1rOEPwYPpX/zgufkDjB9I1OX/TmpB7QA9ABKWwbAeC6uT6VgkzBlBY8CAdyhPwc2zxLGSErr9xUIu90fQDJZ0uMpQe9NnWnu+EbxLUYgXQ=
     DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
         h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type;
         b=TQtMk7TgXQUstyeoWuy4IpDHpe+J0e5rmgOjP2I/N6nxZwzXquRJTisZbxZmaTYM4d+ilUxpuaavJRvK7IUQLbz2M//u0U2W1uiGGGDX0pvZrnuKM8jX6ih4wwIvhRTCpA0SSpX0QJX5tCW1F7L7IJjnGwADG7SaBQR/2J6nKDk=;
     X-YMail-OSG: hkaRdlgVM1nA_VtrXS9FUDyXbNIPiQWwpyk9_qhcYl91fZx
         VT1v0yTlsHH.VWiJ52buboOrlac6qHn6Fe27BqOODJn4zVHpUgTRl3gnCuzq
         laRah9rIxXvfaymszNJgt1VbR28ikBURSt1vU10qnvMjS1.8omc7ubB6V0_a
         3U5dFqmypzclf0XLA_ViVk7NNvgM.uExTBVVX2nsppmaZQMo8veRRGuYjAWi
         OhdDO8HXOMtn4jEXDOu9p6VG1iCJ1Cddz9_71lJZuNCpgQ7ApubIRmb3yptO
         6fXZaQbNGRlbIEe_OCTmGmfgfsoPj8o3sHe.r_Dit4ngxjegnh6_lyfIz85c
         L40gRPiZj1FWPpROvutCUgPZeieeR5y1IyAtpZNuOXatv4pGxAy5PZuX3.uw
         PkURDkjX3wq8hhUSdPO5dUA36jBdNYRQIzHYv8nhp6KfoEEuU.ymszV7vetj
         htwBD4eh07UKioGBvrbiJ465XCcGfIFGjfOE.YD8xCnZKiaKSxX.fhlBM3_B
         NqFcztSaPfspD4EafY4IO4v_mnMp9x9IJ6ALhyFn0JORf2HRyZjYBtdnMVXW
         pWWpJ0cQ2ykCeVbe0_40MQUhpKRku3YU-
     Received: from [178.88.10.39] by web161802.mail.bf1.yahoo.com via HTTP; Sun, 06 May 2012 01:34:47 PDT
     X-Mailer: YahooMailWebService/0.8.117.340979
     Message-ID: <1336293287.86220.YahooMailRC[at]web161802.mail.bf1.yahoo.com>
     Date: Sun, 6 May 2012 01:34:47 -0700 (PDT)
     From: Jake Bufton <thezeroplan128[at]yahoo.com>
     Reply-To: Jake Bufton <thezeroplan128[at]yahoo.com>
     Subject: hey, i have a question about your ad
     To: mikaisme at hotmail dot com [NOTE: probably a test address or a mailing list address]
     Cc: <OBFUSCATED FOR PRIVACY REASONS>
     MIME-Version: 1.0
     Content-Type: text/plain; charset=us-ascii
     X-spam-Status: No, score=1.7
     X-spam-Score: 17
     X-spam-Bar: +
     X-Ham-Report: spam detection software, running on the system "server509.webhostingpad.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

         Content preview: Hey, I like working with people that post ads online, since I already know that you basically know your way around a computer. I need a few people here in town for some part-time help with some online work that I have. The work is very easy, but it's too much for me to by myself, so I thought that I'd email a few people and see if you'd be interested. [...]

         Content analysis details: (1.7 points, 4.0 required)

          pts rule name                   description
         ---- --------------------------  --------------------------------------------------
         -0.0 RCVD_IN_DNSWL_NONE          RBL: Sender listed at http://www.dnswl.org/, no trust [98.139.213.131 listed in list.dnswl.org]
          1.6 URIBL_WS_SURBL              Contains an URL listed in the WS SURBL blocklist [uRIs: workfor375.com]
          0.0 FREEMAIL_FROM               Sender email is commonly abused enduser mail provider (thezeroplan128[at]yahoo.com)
          0.2 FREEMAIL_REPLYTO_END_DIGIT  Reply-To freemail username ends in digit (jake bufton <thezeroplan128[at]yahoo.com> )
         -0.0 T_RP_MATCHES_RCVD           Envelope sender domain matches handover relay domain
          0.2 FREEMAIL_ENVFROM_END_DIGIT  Envelope-from freemail username ends in digit (thezeroplan128[at]yahoo.com)
         -1.9 BAYES_00                    BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
          1.5 URIBL_RHS_DOB               Contains an URI of a new domain (Day Old Bread) [uRIs: workfor375.com]
     X-spam-Flag: NO

     Hey,

     I like working with people that post ads online, since I already know that you basically know your way around a computer. I need a few people here in town for some part-time help with some online work that I have. The work is very easy, but it's too much for me to by myself, so I thought that I'd email a few people and see if you'd be interested.

     Just go to my website for more information and to apply if you're interested:

     WorkFor375.com

     Just copy and paste the above link into your web browser.

     ****************************************
     If you don't want to receive any more email from us, just go to WorkFor375.com/remove
     ****************************************
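
Added example, not part of the forum posts: the first post describes going around a privacy-protected domain registration by looking up the hosting IP at ARIN. The sketch below parses an ARIN-style WHOIS response, confirms the IP really falls inside the listed CIDR block, and returns the abuse contact to report to. The sample text is constructed; its IP, NetRange, CIDR and OrgName come from the post, the abuse contact is a placeholder, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: abridged ARIN WHOIS text modelled on the output quoted in
# the first post. The abuse contact below is a placeholder, not a real mailbox.
SAMPLE_WHOIS = """\
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 65.254.250.110"
#
NetRange:       65.254.224.0 - 65.254.255.255
CIDR:           65.254.224.0/19
NetName:        BIZLAND-FC03
NetType:        Direct Allocation
OrgName:        The Endurance International Group, Inc.
OrgAbuseName:   Abuse Desk (placeholder)
OrgAbuseEmail:  abuse@hosting-provider.example
"""

def parse_whois(text):
    """Return {field: [values]} for 'Key: value' lines, skipping '#' comments."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def abuse_contact_for(ip, whois_text):
    """Confirm ip lies inside the record's CIDR, then return who to report to."""
    fields = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    # ARIN may list several comma-separated CIDRs on one line.
    cidrs = [c for v in fields.get("CIDR", []) for c in re.split(r"[,\s]+", v) if c]
    match = next((c for c in cidrs if addr in ipaddress.ip_network(c)), None)
    if match is None:
        raise ValueError(f"{ip} is not inside any CIDR in this WHOIS record")
    # Prefer the dedicated abuse contact; fall back to the tech contact.
    emails = fields.get("OrgAbuseEmail") or fields.get("OrgTechEmail") or []
    return {"ip": ip, "cidr": match, "org": fields.get("OrgName", ["?"])[0],
            "abuse_email": emails[0] if emails else None}

if __name__ == "__main__":
    print(abuse_contact_for("65.254.250.110", SAMPLE_WHOIS))
```

The containment check guards against sending a report to the wrong network when a WHOIS lookup returns a record for a neighbouring or parent allocation.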