Everything posted by get-even

  1. Could we have an "Enable emoticons?" choice for PMs like the one for forum topics. It is not possible to write a PM using a list delineated by "a), , c), etc." because "" (or "") is recognized as an emoticon.
  2. get-even

    Received_SPF: record within spam

    The spam was sent from a machine at IP, part of the CNC Group-Henan province network. It forges headers to look like it came through gmail forwarding mail from a go.com account (go.com is owned by Disney and has a bad history of being abused by spammers). The Received_SPF is just another forged header - go.com does not use SPF. Most likely the domain her0es.net (the spamvertised domain) is operated by Leo Kuvayev (currently #2 at Spamhaus) - it uses a set of registration records he has used on dozens of other domains. It is mortgage spam, so if he is following pattern, there exists a nearly identical domain named her0es.com, which was likely registered within seconds of this one, but not yet used.
  3. get-even

    Wiltel & "Pink" Contracts?

    WilTel's contracts aren't pink - they're bright red. Wiltel/WGC is a provider of last resort; Note they are also the current bandwidth provider for Brian Kramer/Expedite and AS33012 (look up the Spamhaus records about Expedite being dropped by MCI, Broadwing, Singtel, Mzima, Anet, TimeWarner, Sprint and a few more all in the past two months). WCG gladly took them on - and I do remember when twenty+ years ago WilTel were the good guys. Notice even companies with sullied reputations don't want to handle Expedite (who also lost almost all their IP space, because it was hijacked illegally and revoked by ARIN); Most of what is left is actually another Peters/JTel fake ISP with a fraudulent Jamaican front company, disconnected telephone lines, invalid email and suspended domains for all the contacts - It is amazing that *even* WCG will carry that kind of traffic.
  4. Latest multitrade group spams all use this method to avoid SpamCop. BTW. The registration contacts' telephone number is disconnected, and the domain of the contacts' email address is falsely registered also (non-existent Washington state address - listed voice number is a fax machine in Delaware state).
  5. get-even

    No body provided error

    I have also received a large number of these - It seems to be a busted worm. I tracked quite a few to a student's machine at Princeton, reported it to them, and received a very nice "thank you, we have removed the machine from our network" back. Definitely looks like someone is testing a virus, but either it is misconfigured or purposely sending empty spams.
  6. This morning, while the forums work just fine, www.spamcop.net is *almost* unreachable. It pings, and once (of a dozen attempts) I got a partial page, but all other attempts to confirm spam result in the errors "Gateway Timeout The proxy server did not receive a timely response from the upstream server." and a direct telnet gives (after about two minutes, the "connect" is immediate):

      % telnet www.spamcop.net 80
      Trying
      Connected to a369.g.akamai.net.
      Escape character is '^]'.
      HTTP/1.0 408 Request Time-out
      Server: AkamaiGHost
      Mime-Version: 1.0
      Date: Sun, 26 Dec 2004 13:39:08 GMT
      Content-Type: text/html
      Content-Length: 163
      Expires: Sun, 26 Dec 2004 13:39:08 GMT

      <HTML><HEAD>
      <TITLE>Request Timeout</TITLE>
      </HEAD><BODY>
      <H1>Request Timeout</H1>
      The server timed out while waiting for the browser's request.<P>
      </BODY></HTML>
      Connection closed by foreign host.
  7. get-even

    SpamCop parses site to hotmail?

    Hotmail is far from perfect, but they have an excellent "zero-tolerance" policy. Write a polite short (ten or fifteen line) message and add a copy of the *unmunged* spam and a copy of the 'whois' data for the domain "hycod.com" to abuse[at]hotmail.com. If the message doesn't bounce and you do get the standard "auto-reply", his account will likely be canceled within two days. Once the account is canceled, go to wdprs.internic.net and file a complaint saying that the email contacts are invalid - depending on the registrar, the domain (but probably not the site, which likely uses many domains) will be gone in a couple of weeks. Quick check, the registrar is Namebay Sam, so the domain will last a while, but the domain is also part of the taiwantelcom.com/taiwanmedialtd.com group, which despite its name operates mainly from Amsterdam - their domains are blacklisted right and left, and already the contacts' domain TAIWANTELCOM.COM and the name servers' domain, DNST.NET, are on "hold" status - the first stage of already being deleted. On just this basis, you can already file a complaint at wdprs, and hycod.com should be on "HOLD" itself within three days; Note: this gang creates about 10 new domains a week (I know of at least 6 that were shut down last week). This is a large professional operation - expect more spam from different domains now that you are on their list.
  8. get-even

    Strange spam

    Notice that this domain shares the same name servers as the domains used by the Vancouver/Texas "porn" pair who control the domains: hansenmansion.info kazuyukitaki.com johnmasonmen.info cheruskialot.net heidelberga.com scottiq.info sadgencrenaz.net aretedf.com among others. This might be an "affiliate" operation since all of those seem to redirect to either or both of Squirt.tv and goodporno.net. The domain you listed, gjmatvienkoxdfg.com, and the ones in my list all share the same name servers; Each uses the four name servers NS1.ANWOO.COM, NS1.BOMOFO.COM, NS1.EPOBOY.COM, and NS1.MYNAMESERVER.CA. In your case, the registrant uses a different address in Virginia, not in either Vancouver or Texas as all previously tied domains have. Also, your "one pixel" trick, while well known, is quite different from all the others, which are straightforward "porn" spams. Still, the relationship is there!
  9. Actually they are run by a small newspaper and spam for their advertisers. Primarily for not honoring remove requests *and* needing a password for removal, they will be blacklisted quite quickly. Also they have many domains trackable to them, several have false registration data - another blacklistable offence. Also, they seem to be spamming themselves (other reports can be found in search engines), not "free-email customers" (mis-)using their system. Notice, they generally do not forge headers, but anything sent to the U.S. would appear to not be CAN-spam compliant (No subject header noting an advertisement, no remove instructions in the email). You can get spam from them, if you want, by signing up, then canceling - the deluge comes quickly! This is already sufficient evidence for a few lists. If it continues after a day or two - what they say it should take - I'll start reporting to SpamCop also. BTW, you also start getting mail from other domains which they control, you just have to dig to determine their ownership. Also, the email is such egregious spam, I'll have to open filters to let it by, blocking which has already occurred (i.e. my servers already refuse the mail based on blacklists they are already on *and* on content alone).
  10. They are not "too small" to be blacklisted; The process has begun (they operate a /24 netblock). You should see results within a week (some already).
  11. get-even

    New Lawsuits, anyone know who these guys are?

    Seems like Ralsky shut almost all his domains off today - It looks like he was doing the DNS and possibly the mailing for the people being sued; Maybe he'll finally get proven guilty (he always seems to get off on previous attempts to prosecute or sue him). Also, for anyone who wants to check, the info posted in this thread before has been changed as of yesterday and/or today.
  12. get-even

    Portscan Intrusion

    A good ISP will act quickly, for one of my pipes, I had a DOS last night - within 8 minutes the ISP and AboveNet had blocked the source and the pipe was back up (it was my primary routing path and the only one I publish SPF records for, so it was a pain in the neck despite being near 3AM local time).
  13. get-even

    New Lawsuits, anyone know who these guys are?

    ICANN policy, check their web page, the registrant gets *at least* 15 days to fix the registration (unless somebody goes to the trouble of proving fraud and/or immediate harm is occurring). Besides, they've already changed the data once, the addresses and telephone numbers are valid, and the email accounts listed for the contacts do work. So basically, unless Pfizer or the FBI wants to file a complaint, they get 15 days! Personally, I don't have any of the typical data I use to get domains delisted (i.e. invalid data - provably so, with fraudulent headers on copies of email), otherwise I'd be tempted to complain myself. (I did get the name servers blacklisted in a variety of places though - for them I could "prove" fraudulent data!)
  14. get-even

    New Lawsuits, anyone know who these guys are?

    No, but notice that the registration of the DNS servers' contact email is at the now infamous 126.com (after the posting here, it seems that 126.com is also used by "customers" too).

      jwhois myepharmacydirect.com
      [Querying whois.internic.net]
      [Redirected to whois.godaddy.com]
      [Querying whois.godaddy.com]
      [whois.godaddy.com]
      ...
      Registrant:
      Domains by Proxy, Inc.
      Registered through: GoDaddy.com
      Domain Name: MYEPHARMACYDIRECT.COM
      Domain servers in listed order:
      NS0.NNNSSS.COM
      NS1.NNNSSSS.COM
      For complete domain details go to: http://whois.godaddy.com

      [Querying whois.internic.net]
      [Redirected to whois.paycenter.com.cn]
      [Querying whois.paycenter.com.cn]
      [whois.paycenter.com.cn]
      The Data in Paycenter's WHOIS database is provided by Paycenter ...
      Domain Name:nnnsss.com
      Registrant:
      zheng zhou
      74 # zhong he road
      450005
      Administrative Contact:
      zheng zhou zheng zhou
      74 # zhong he road
      zheng zhou Henan 450005
      China
      tel: 86 371 8349581
      fax: 86 371 8349581
      zhenservicemed[at]126.com
      Technical Contact:
      zheng zhou zheng zhou
      74 # zhong he road
      zheng zhou Henan 450005
      China
      tel: 86 371 8349581
      fax: 86 371 8349581
      zhenservicemed[at]126.com
      Billing Contact:
      zheng zhou zheng zhou
      74 # zhong he road
      zheng zhou Henan 450005
      China
      tel: 86 371 8349581
      fax: 86 371 8349581
      zhenservicemed[at]126.com
      Registration Date: 2005-01-06
      Update Date: 2005-01-06
      Expiration Date: 2006-01-06
      Primary DNS: ns0.nameserverrt.com
      Secondary DNS: ns1.namserverst.com

    So while we might not know who they are, we know who they are in business with! % jwhois NNNSSS.COM - fails, whois.directi.com has just gone offline to the world!
  15. get-even

    Portscan Intrusion

    You have received much good advice; But if you want to go further, I can tell you what I used to do (I stopped this a little over 7 years ago when attacks became too common). The first scan or attack got you in a database, the second got me to break into your machine - If a MS box, autoexec.bat was changed, if a *nix box then /etc/motd was changed to state "Your machine is probably infected with a virus, please check it and repair", the third attempt led to renaming crucial files on the machine so that it wouldn't boot and a file was left either at the top of the C: drive or in / for *nix machines with the name "Please-Cleanup" and a single line stating "This machine is being used for attacks against other internet users", The fourth offense led to disk erasure. I'm sure that this is now quite illegal (at least in the U.S.) and I certainly see thousands of port scans a day, and a few hundred real `attacks for my network (a few hundred IPs)'. I'm not recommending this, but if you wanted to, you could (fairly easily) find the needed exploits to perform these actions; Just be aware that in the most common case, the immediate attacker is an otherwise innocent party whose machine is `owned' by a real hacker (oddly a common technique once a machine is `owned' is for the hacker to secure the box so that someone else doesn't `steal' it from him). Also, the IP you gave is currently not up and is likely a DUL anyway (you have to catch them during the scan to be effective in many cases). BTW. for loafman, I do have the extensive equipment and necessary privileges to *really* backtrace the several levels typically, but I've found the `real' attacker's box (nowadays) is usually a relatively secure BSD or SELinux machine and the effort involved is not worth it. Besides, now, what I used to do commonly is clearly a prosecutable offense.
  16. I hate to reply to my own post, but I just reported another spam from the same site. Again, "No recent reports". Note the wildcard DNS on the domain in the previous post and that there is only one 'A' record if you follow the trail from the CNAME.

      % dig www.phillysayswhat.biz any [at]

      ; <<>> DiG 9.3.0 <<>> www.phillysayswhat.biz any [at]
      ;; global options:  printcmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63865
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

      ;; QUESTION SECTION:
      ;www.phillysayswhat.biz.        IN      ANY

      ;; ANSWER SECTION:
      www.phillysayswhat.biz. 30      IN      A

      ;; AUTHORITY SECTION:
      phillysayswhat.biz.     3600    IN      NS      ns1.realdnssystem.com.
      phillysayswhat.biz.     3600    IN      NS      ns3.autonameservers.com.
      phillysayswhat.biz.     3600    IN      NS      ns4.bighostsolutions.com.
      phillysayswhat.biz.     3600    IN      NS      ns7.bighostsolutions.com.

      ;; ADDITIONAL SECTION:
      ns4.bighostsolutions.com. 3600  IN      A
      ns7.bighostsolutions.com. 3600  IN      A

      ;; Query time: 504 msec
      ;; SERVER:
      ;; WHEN: Tue Feb  8 18:18:21 2005
      ;; MSG SIZE  rcvd: 210

    Also, as I mentioned before, at least nearly a dozen other (also reported) domains refer to the same IP (it does move around, see that the TTL is only one hour for the name servers and just 30 seconds for the actual site).
  17. get-even

    Receiving and sending reports-delayed?

    I'm still waiting for the confirmation messages to appear from the spam I submitted (according to the logs on my outgoing MTA - there is an internal relay step before the mail goes out) 5 hours and 55 minutes ago; This is the longest delay I have seen yet. Is something down (I can provide times and MSGIDs to any staff member or administrator who wishes to try to track down the trouble). And, of course, there have been even a few more reports since with no confirmation either.
  18. Over a dozen attempts to report - one "almost" made it, but when I clicked on the button, I got an "upstream server response timeout" message. Tracking URL: http://www.spamcop.net/sc?id=z729692304zf4...688e7839fcec89z Other spams both before and after have processed as expected.
  19. It seems that the "No recent reports" is unreliable - I reported that site yesterday (and they are already blacklisted a few other places now). Also, wildcard DNS:

      % dig '*.phillysayswhat.biz' any

      ; <<>> DiG 9.3.0 <<>> *.phillysayswhat.biz any
      ;; global options:  printcmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62958
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

      ;; QUESTION SECTION:
      ;*.phillysayswhat.biz.          IN      ANY

      ;; ANSWER SECTION:
      *.phillysayswhat.biz.   3577    IN      CNAME   www.phillysayswhat.biz.

      ;; AUTHORITY SECTION:
      phillysayswhat.biz.     3577    IN      NS      ns7.bighostsolutions.com.
      phillysayswhat.biz.     3577    IN      NS      ns1.realdnssystem.com.
      phillysayswhat.biz.     3577    IN      NS      ns3.autonameservers.com.
      phillysayswhat.biz.     3577    IN      NS      ns4.bighostsolutions.com.

      ;; ADDITIONAL SECTION:
      ns3.autonameservers.com. 41026  IN      A
      ns4.bighostsolutions.com. 35877 IN      A

      ;; Query time: 3 msec
      ;; SERVER:
      ;; WHEN: Mon Feb  7 14:12:58 2005
      ;; MSG SIZE  rcvd: 210

    At least it is a spammer with a sense of humor - he also has been using the domain "bagelsandcreamcheese.biz" -- BTW. The actual operator is either or both of "Clever Link Trading Limited" and "Fantasy Content" of 14150 NE 20th St. Suite #99 Bellevue WA. 98007. He also has a few dozen other domains (which I know of) that reference the same site. He tries to be legal (at least the porn part) - His "18 U.S.C. section 2257" filing copy is readable at (google cached copy, not the original) the URL: (Note: the site it was cached from "parkleah.biz" is down.)
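As an added example (not the poster's code), a small Python parser for dig output like that quoted in posts 16 and 19 above; it flags the two traits those posts point at, the wildcard CNAME and the very short TTL on the site's A record. The sample output is constructed to mirror the quoted records, with RFC 5737 placeholder IPs because the quoted output has its addresses stripped.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the dig output quoted in the posts above.
# IP addresses are documentation placeholders (the quoted output has them stripped).
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;*.phillysayswhat.biz.        IN  ANY

;; ANSWER SECTION:
*.phillysayswhat.biz.   3577  IN  CNAME  www.phillysayswhat.biz.
www.phillysayswhat.biz. 30    IN  A      192.0.2.10

;; AUTHORITY SECTION:
phillysayswhat.biz.     3600  IN  NS  ns1.realdnssystem.com.
phillysayswhat.biz.     3600  IN  NS  ns3.autonameservers.com.

;; ADDITIONAL SECTION:
ns3.autonameservers.com. 41026 IN  A   192.0.2.53

;; Query time: 3 msec
"""

# One resource record line: owner name, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


@dataclass
class RR:
    section: str  # ANSWER, AUTHORITY or ADDITIONAL
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig(text):
    """Extract resource records from the ANSWER, AUTHORITY and ADDITIONAL sections."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            # Section headers look like ";; ANSWER SECTION:"; other ";;" lines reset.
            m = re.match(r";; (\w+) SECTION:", line)
            section = m.group(1) if m else None
            continue
        if section in (None, "QUESTION") or not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append(RR(section, m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def assess(records, short_ttl=300):
    """Flag a wildcard CNAME and any ANSWER-section A record whose TTL is below short_ttl."""
    findings = []
    for rr in records:
        if rr.name.startswith("*.") and rr.rtype == "CNAME":
            findings.append(f"wildcard {rr.name} -> {rr.rdata}")
        if rr.section == "ANSWER" and rr.rtype == "A" and rr.ttl < short_ttl:
            findings.append(f"short TTL {rr.ttl}s on {rr.name} ({rr.rdata})")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_dig(SAMPLE_DIG_OUTPUT)):
        print(finding)
```

The same two functions work on the text of a live `dig ... any` query; the 300-second threshold is an assumption chosen to catch the 30-second TTL the posts describe while ignoring the hour-long TTL on the name servers.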
  20. get-even

    error: couldn't parse head

    Unfortunately "mushuporkman" has been around for a long time, a real "pro" - he uses thousands of domains - All of his DNS servers are blacklisted though, so SpamAssassin should catch most of his mail (I report his `new' domains often to various forums, but none of his junk has actually made it through my mail filters for months). Again, against this guy, your best defense is SpamAssassin running the URI tests (If you have a SpamCop account enable it there - otherwise either try to get your ISP to use it - it is quite a resource hog though - or install it on your own machine - I know it *can* be done on MS boxes but I've never tried). That won't "report" him, but at least you won't get it anymore, or at least it'll be marked as "spam".
  21. get-even

    False sending date messages

    The hotmail account listed in the 'whois' data from the domain is invalid. File a report with wdprs.internic.net and with the registrar (i.e. itsyourdomain.com for this one). BTW. I've gotten blacklisted literally dozens of domains by the same registrant over the past two weeks. Getting the domain revoked is extra work I haven't (yet) bothered with (he used lots of registrars and the relatively `new' spam DNS servers {first,second,third}.cuzdns.com).
  22. get-even

    Where did this report go?

    Has anyone noticed that YesNic's whois server has been down all day, so the DNS servers' domain doesn't resolve properly (i.e. platalcia456.com). Also, the domain WAREHOUSEMED5.NET, while still functional (damn planetdomain), has already been suspended for abuse.

      % nslookup -type=any platalcia456.com
      Server:
      Address:

      ** server can't find platalcia456.com: NXDOMAIN

      % jwhois warehousemed5.net
      [Querying whois.internic.net]
      [Redirected to whois.planetdomain.com]
      [Querying whois.planetdomain.com]
      [whois.planetdomain.com]
      The data contained in the database of Primus Telecommunications Pty Ltd (PlanetDomain/PrimusDomain) is made available to assist persons in obtaining information pertaining to the domain name registration record. No guarantee of accuracy is offered or given. By submitting a search request you agree to use the data for lawful purposes, and also agree NOT to 1) use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media includes but is not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts. 2) sell or redistribute the data except insofar as it has been incorporated by yourself into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties. Primus Telecommunications Pty Ltd (PlanetDomain/PrimusDomain) reserves the right to forbid access to any party who abuses the terms and conditions herein or who is deemed to have queried the database excessively, and to change these terms and conditions at any time.

      Domain Name: WAREHOUSEMED5.NET
      Reseller..............: #1 Cheap Domains
      Created on............: 29 Jan 2005 00:00:00 EST
      Expires on............: 28 Jan 2006 00:00:00 EST
      Record last updated on: 29 Jan 2005 00:00:00 EST
      Status................: ACTIVE

      Owner, Administrative Contact, Technical Contact, Billing Contact:
      W.W.W marketing INc.
      Carolas Espinosa (ID00160914)
      1273 hudson st.
      ny, ny 10011
      United States
      Phone: +1.2128653566
      Email: account_frozen_spammer[at]planetdomain.com

      Domain servers in listed order:
      NS1.PLATALCIA456.COM
      NS2.PLATALCIA456.COM

      nslookup -type=any warehousemed5.net
      Server:
      Address:

      Non-authoritative answer:
      warehousemed5.net nameserver = ns1.platalcia456.com.
      warehousemed5.net nameserver = ns2.platalcia456.com.

      Authoritative answers can be found from:
      warehousemed5.net nameserver = ns2.platalcia456.com.
      warehousemed5.net nameserver = ns1.platalcia456.com.

      % nslookup -type=any warehousemed5.net ns1.platalcia456.com.
      nslookup: couldn't get address for 'ns1.platalcia456.com.': not found

      % nslookup -type=any warehousemed5.net ns2.platalcia456.com.
      nslookup: couldn't get address for 'ns2.platalcia456.com.': not found
  23. In just the past few days, I've noticed that the time between my MTA "auto-reporting" a spam and the time I receive the message to confirm it climbed from a few minutes or even ten minutes, up to several hours. Today several came in hours after being sent (sent as attachments using the recommended "DeathToSpamDeathToSpamDeathToSpam" perl script format). This morning, one took three hours and another seven hours to appear. Is there currently a problem or overload? Note: they do all eventually seem to appear (except just one yesterday); I'm just used to checking about 10 minutes after I know the cron job will have submitted them - hence my "average" reporting time says 1 hour and is probably less.
  24. get-even

    Long delays before confirmation message

    My few days was probably misleading - it started for me late yesterday morning, local time (would have been night for GMT).
  25. get-even

    What does 'denied by Gorbs' mean?

    optonline.net is a spammer. To amuse yourself look at spamhaus.net - registered to rackspace.com, another spammer. These people are just trying to catch simple mistakes and take advantage of them.