Posts posted by get-even

  1. No, that line was not put there by Postini.  That is what I figured.


    The spam was sent from a machine at IP, part of the CNC Group-Henan province network. It forges headers to look like it came through gmail forwarding mail from a go.com account (go.com is owned by Disney and has a bad history of being abused by spammers). The Received-SPF is just another forged header - go.com does not use SPF. Most likely the domain her0es.net (the spamvertised domain) is operated by Leo Kuvayev (currently #2 at Spamhaus); it uses a set of registration records he has used on dozens of other domains. It is mortgage spam, so if he is following pattern, there exists a nearly identical domain named her0es.com, which was likely registered within seconds of this one, but not yet used.

  2. WilTel's contracts aren't pink - they're bright red. WilTel/WGC is a provider of last resort; Note they are also the current bandwidth provider for Brian Kramer/Expedite and AS33012 (look up the Spamhaus records about Expedite being dropped by MCI, Broadwing, Singtel, Mzima, Anet, TimeWarner, Sprint and a few more all in the past two months). WCG gladly took them on - and I do remember when twenty+ years ago WilTel were the good guys. Notice even companies with sullied reputations don't want to handle Expedite (who also lost almost all their IP space, because it was hijacked illegally and revoked by ARIN); Most of what is left is actually another Peters/JTel fake ISP with a fraudulent Jamaican front company, disconnected telephone lines, invalid email and suspended domains for all the contacts - It is amazing that *even* WCG will carry that kind of traffic.

  3. Anyway, the message is here:


    The parser says:

    Finding links in message body

    no links found


    Latest multitrade group spams all use this method to avoid SpamCop. BTW, the registration contacts' telephone number is disconnected, and the domain of the contacts' email address is falsely registered also (non-existent Washington state address - listed voice number is a fax machine in Delaware state).

  4. Over the past week or so I've noticed a significant increase in the number of spam items trapped by flat rate mail account which, when submitted for reporting, return a "No body provided, check format of submission" error.  By significant I mean that previously I'd get one or two per month now I get five or six such errors per day.




    I have also received a large number of these - It seems to be a busted worm. I tracked quite a few to a student's machine at Princeton, reported it to them, and received a very nice "thank you, we have removed the machine from our network" back. Definitely looks like someone is testing a virus, but either it is misconfigured or purposely sending empty spams.

  5. I have just received a spam e-mail that made me suspicious. It had identifying info in the body (it showed a reply to a message from my e-mail even though I (obviously) never e-mailed this guy). I stripped this info from the body before parsing and to my surprise the spamvertized site www.hycod.com parses to a hotmail account as the site administrator. Obviously this set alarm bells ringing and I unchecked those boxes when reporting the spam.

    How has this happened, and why is spamcop parsing to hotmail - surely no legitimate site administrator would use a hotmail account?  :(  :(


    Hotmail is far from perfect, but they have an excellent "zero-tolerance" policy. Write a polite short (ten or fifteen line) message and add a copy of the *unmunged* spam and a copy of the 'whois' data for the domain "hycod.com" to abuse[at]hotmail.com. If the message doesn't bounce and you do get the standard "auto-reply", his account will likely be canceled within two days. Once the account is canceled, go to wdprs.internic.net and file a complaint saying that the email contacts are invalid - depending on the registrar, the domain (but probably not the site, which likely uses many domains) will be gone in a couple of weeks.

    Quick check, the registrar is Namebay Sam, so the domain will last a while, but the domain is also part of the taiwantelcom.com/taiwanmedialtd.com group, which despite its name operates mainly from Amsterdam - their domains are blacklisted right and left, and already the contacts' domain TAIWANTELCOM.COM and the name servers' domain, DNST.NET, are on "hold" status - the first stage of being deleted. On just this basis, you can already file a complaint at wdprs, and hycod.com should be on "HOLD" itself within three days; Note: this gang creates about 10 new domains a week (I know of at least 6 that were shut down last week). This is a large professional operation - expect more spam from different domains now that you are on their list.

  6. Name:  gjmatvienkoxdfg.com


    Notice that this domain shares the same name servers as the domains used by the Vancouver/Texas "porn" pair who control the domains:









    among others. This might be an "affiliate" operation since all of those seem to redirect to either or both of Squirt.tv and goodporno.net.

    The domain you listed, gjmatvienkoxdfg.com and the ones in my list all share the same name servers; Each uses the four name servers NS1.ANWOO.COM, NS1.BOMOFO.COM, NS1.EPOBOY.COM, and NS1.MYNAMESERVER.CA.

    In your case, the registrant uses a different address in Virginia, not in either Vancouver or Texas as all previously tied domains have. Also, your "one pixel" trick, while well known, is quite different than all the others, which are straightforward "porn" spams. Still, the relationship is there!

  7. They also run a free E-mail service. If spammers use that service, and OFIR is as reluctant to deal with their spamming customers as they are to exercise responsible list management, they surely will end up on a blocklist sooner or later I guess. But the main reason will probably be their spamming customers and not because of themselves spamming Danes who at some point voluntarily gave them their E-mail address.


    Actually they are run by a small newspaper and spam for their advertisers. Primarily for not honoring remove requests *and* needing a password for removal, they will be blacklisted quite quickly. Also they have many domains trackable to them, several have false registration data - another blacklistable offence. Also, they seem to be spamming themselves (other reports can be found in search engines), not "free-email customers" (mis-)using their system. Notice, they generally do not forge headers, but anything sent to the U.S. would appear to not be CAN-SPAM compliant (No subject header noting an advertisement, no remove instructions in the email). You can get spam from them, if you want, by signing up, then canceling - the deluge comes quickly! This is already sufficient evidence for a few lists. If it continues after a day or two - what they say it should take - I'll start reporting to SpamCop also. BTW, you also start getting mail from other domains which they control, you just have to dig to determine their ownership. Also, the email is such egregious spam, I'll have to open filters to let it by, since blocking has already occurred (i.e. my servers already refuse the mail based on blacklists they are already on *and* on content alone).

  8. I noticed today a HUGE drop in spam volume. I wonder why....


    Seems like Ralsky shut almost all his domains off today - It looks like he was doing the DNS and possibly the mailing for the people being sued; Maybe he'll finally get proven guilty (he always seems to get off on previous attempts to prosecute or sue him). Also, for anyone who wants to check, the info posted in this thread before has been changed as of yesterday and/or today.

  9. Go to blackholes.us, DL the zone files for the various countries and add them to your firewall.  That will stop about half the intrusions.

    One intrusion is nothing.  Continuous banging gets a firewall block.  Trying to get an ISP to trace down anything less than $10,000 in damages is a friggin waste of time in the USA; anywhere else you get laughed at.  Any serious attack comes through at least three levels of trojanned machines and is almost impossible to track without Federal and/or Multinational cooperation, with a lot of network equipment that you and I could not afford.

    Securing your machine and keeping it secure is the way to go.  Since it's a Windows box, it should be behind a firewall, not on the Internet directly.  No Windows machine should be directly on the net.  Only then will you be a good netizen.  Even after that, you should still follow strict security practices.  Windows' nasty habit of treating data as executable is pervasive and allows a lot of viruses to be successful.


    A good ISP will act quickly; for one of my pipes, I had a DoS last night - within 8 minutes the ISP and AboveNet had blocked the source and the pipe was back up (it was my primary routing path and the only one I publish SPF records for, so it was a pain in the neck despite being near 3AM local time).

  10. Nice!  Thanks

    The sites are still up!  You would think GoDaddy would revoke the false registration.


    ICANN policy, check their web page: the registrant gets *at least* 15 days to fix the registration (unless somebody goes to the trouble of proving fraud and/or that immediate harm is occurring). Besides, they've already changed the data once, the addresses and telephone numbers are valid, and the email accounts listed for the contacts do work. So basically, unless Pfizer or the FBI wants to file a complaint, they get 15 days! Personally, I don't have any of the typical data I use to get domains delisted (i.e. invalid data - provably so, with fraudulent headers on copies of email), otherwise I'd be tempted to complain myself. (I did get the name servers blacklisted in a variety of places though - for them I could "prove" fraudulent data!)

  11. MS and Pfizer are going after CanadianPharmacy (www.cndpharmacy.com) and

    E-Pharmacy Direct (www.myepharmacydirect.com) according to this item at

    The Register:






    No, but notice that the registration of the DNS servers' contact email is at the now infamous 126.com (after the posting here, it seems that 126.com is also used by "customers" too).

    jwhois myepharmacydirect.com
    [Querying whois.internic.net]
    [Redirected to whois.godaddy.com]
    [Querying whois.godaddy.com]

    Domains by Proxy, Inc.
    Registered through: GoDaddy.com

    Domain servers in listed order:

    For complete domain details go to:

    [Querying whois.internic.net]
    [Redirected to whois.paycenter.com.cn]
    [Querying whois.paycenter.com.cn]

    The Data in Paycenter's WHOIS database is provided by Paycenter

    Domain Name:nnnsss.com

    zheng zhou
    74 # zhong he road

    Administrative Contact:
    zheng zhou
    zheng zhou
    74 # zhong he road
    zheng zhou Henan 450005
    tel: 86 371 8349581
    fax: 86 371 8349581

    Technical Contact:
    zheng zhou
    zheng zhou
    74 # zhong he road
    zheng zhou Henan 450005
    tel: 86 371 8349581
    fax: 86 371 8349581

    Billing Contact:
    zheng zhou
    zheng zhou
    74 # zhong he road
    zheng zhou Henan 450005
    tel: 86 371 8349581
    fax: 86 371 8349581

    Registration Date: 2005-01-06
    Update Date: 2005-01-06
    Expiration Date: 2006-01-06
    Primary DNS: ns0.nameserverrt.com
    Secondary DNS: ns1.namserverst.com

    So while we might not know who they are, we know who they are in business with!

    % jwhois NNNSSS.COM - fails, whois.directi.com has just gone offline to the world!

  12. That IP originates from China, I doubt reporting it would do anything.  You should be grateful you have only received 1 intrusion, our servers receive thousands a day.  Much of this is nothing and yes some are serious.  What kind of scan was it?


    You have received much good advice; But if you want to go further, I can tell you what I used to do (I stopped this a little over 7 years ago when attacks became too common). The first scan or attack got you in a database, the second got me to break into your machine - If a MS box, autoexec.bat was changed, if a *nix box then /etc/motd was changed to state "Your machine is probably infected with a virus, please check it and repair", the third attempt led to renaming crucial files on the machine so that it wouldn't boot and a file was left either at the top of the C: drive or in / for *nix machines with the name "Please-Cleanup" and a single line stating "This machine is being used for attacks against other internet users", The fourth offense led to disk erasure. I'm sure that this is now quite illegal (at least in the U.S.) and I certainly see thousands of port scans a day, and a few hundred real `attacks for my network (a few hundred IPs)'.

    I'm not recommending this, but if you wanted to, you could (fairly easily) find the needed exploits to perform these actions; Just be aware that in the most common case, the immediate attacker is an otherwise innocent party whose machine is `owned' by a real hacker (oddly, a common technique once a machine is `owned' is for the hacker to secure the box so that someone else doesn't `steal' it from him).

    Also, the IP you gave is currently not up and is likely a DUL anyway (you have to catch them during the scan to be effective in many cases).

    BTW, for loafman, I do have the extensive equipment and necessary privileges to *really* backtrace the several levels typically, but I've found the `real' attacker's box (nowadays) is usually a relatively secure BSD or SELinux machine and the effort involved is not worth it. Besides, now, what I used to do commonly is clearly a prosecutable offense.

  13. It seems that the "No recent reports" is unreliable - I reported that site yesterday (and they are already blacklisted a few other places now).  Also, wildcard DNS:

    I hate to reply to my own post, but I just reported another spam from the same site. Again, "No recent reports". Note the wildcard DNS on the domain in the previous post and that there is only one 'A' record if you follow the trail from the CNAME.

    % dig www.phillysayswhat.biz any [at]

    ; <<>> DiG 9.3.0 <<>> www.phillysayswhat.biz any [at]
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63865
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

    ;www.phillysayswhat.biz. IN ANY

    www.phillysayswhat.biz. 30 IN A

    phillysayswhat.biz. 3600 IN NS ns1.realdnssystem.com.
    phillysayswhat.biz. 3600 IN NS ns3.autonameservers.com.
    phillysayswhat.biz. 3600 IN NS ns4.bighostsolutions.com.
    phillysayswhat.biz. 3600 IN NS ns7.bighostsolutions.com.

    ns4.bighostsolutions.com. 3600 IN A
    ns7.bighostsolutions.com. 3600 IN A

    ;; Query time: 504 msec
    ;; SERVER:
    ;; WHEN: Tue Feb 8 18:18:21 2005
    ;; MSG SIZE rcvd: 210

    Also, as I mentioned before, at least nearly a dozen other (also reported) domains refer to the same IP (it does move around, see that the TTL is only one hour for the name servers and just 30 seconds for the actual site).

  14. I've just noticed today a long (several hours) delay in the messages being accepted by spamcop and the delay in reporting.  I use quick reporting for 99% of my spam, however, so do not use that method very often.

    The stats page is showing about a 10 minute pause in reporting today about 3PM EST.  There have been some intermittant problems the last week being worked on (mentioned in other threads here).  Perhaps some problems are still being worked on or the backup is being processed.  Sorry, nothing definite.




    I'm still waiting for the confirmation messages to appear from the spam I submitted (according to the logs on my outgoing MTA - there is an internal relay step before the mail goes out) 5 hours and 55 minutes ago; This is the longest delay I have seen yet. Is something down? (I can provide times and MSGIDs to any staff member or administrator who wishes to try to track down the trouble.) And, of course, there have been even a few more reports since with no confirmation either.

  15. Got the following error:

    Tracking link: http:// what.phillysayswhat. biz/ 736460/ chws/fullpage.php

    No recent reports, no history available

    got sigalarm, taking too long to process, aborted.

    Perhaps you can wait a few minutes and reload?

    Any suggestions?


    It seems that the "No recent reports" is unreliable - I reported that site yesterday (and they are already blacklisted a few other places now). Also, wildcard DNS:

    % dig '*.phillysayswhat.biz' any

    ; <<>> DiG 9.3.0 <<>> *.phillysayswhat.biz any
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62958
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

    ;*.phillysayswhat.biz. IN ANY

    *.phillysayswhat.biz. 3577 IN CNAME www.phillysayswhat.biz.

    phillysayswhat.biz. 3577 IN NS ns7.bighostsolutions.com.
    phillysayswhat.biz. 3577 IN NS ns1.realdnssystem.com.
    phillysayswhat.biz. 3577 IN NS ns3.autonameservers.com.
    phillysayswhat.biz. 3577 IN NS ns4.bighostsolutions.com.

    ns3.autonameservers.com. 41026 IN A
    ns4.bighostsolutions.com. 35877 IN A

    ;; Query time: 3 msec
    ;; SERVER:
    ;; WHEN: Mon Feb 7 14:12:58 2005
    ;; MSG SIZE rcvd: 210

    At least it is a spammer with a sense of humor - he also has been using the domain "bagelsandcreamcheese.biz" -- BTW, the actual operator is either or both of "Clever Link Trading Limited" and "Fantasy Content" of 14150 NE 20th St. Suite #99 Bellevue WA. 98007. He also has a few dozen other domains (which I know of) that reference the same site. He tries to be legal (at least the porn part) - His "18 U.S.C. section 2257" filing copy is readable at (google cached copy, not the original) the URL:

    (Note: the site it was cached from "parkleah.biz" is down.)
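Posts 13 and 15 above follow the wildcard-to-CNAME-to-A trail by hand. The Python below is an added example (not code from the forum or from SpamCop) that parses dig-style answer lines, walks that trail for an arbitrary hostname, and flags the 30-second site TTL; the sample records are constructed from the answers quoted above, with RFC 5737 placeholder addresses because the real IPs are not on the page.

```python
"""Walk the wildcard -> CNAME -> A trail in dig output and flag fast-moving records."""
import re
from collections import defaultdict

# Constructed sample modelled on the dig answers quoted in the posts above.
# The IPs are documentation-range placeholders, not the spammer's real addresses.
SAMPLE_DIG = """\
*.phillysayswhat.biz.     3577  IN  CNAME  www.phillysayswhat.biz.
www.phillysayswhat.biz.   30    IN  A      192.0.2.10
phillysayswhat.biz.       3600  IN  NS     ns1.realdnssystem.com.
phillysayswhat.biz.       3600  IN  NS     ns4.bighostsolutions.com.
ns4.bighostsolutions.com. 3600  IN  A      198.51.100.4
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_dig(text):
    """Return {(owner, rtype): [(ttl, rdata), ...]} from dig-style answer lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:  # ';;' comments, the question section and blank lines are skipped
            continue
        owner, ttl, rtype, rdata = m.groups()
        records[(owner.lower(), rtype)].append((int(ttl), rdata.lower()))
    return records


def has_rr(records, name):
    return (name, "CNAME") in records or (name, "A") in records


def wildcard_match(records, name):
    """Return the '*.parent.' owner that covers `name`, or None."""
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wc = "*." + ".".join(labels[i:])
        if has_rr(records, wc):
            return wc
    return None


def follow(records, name, max_hops=8):
    """Follow CNAMEs (honouring wildcards) down to the A records; return the hops."""
    name = name.lower().rstrip(".") + "."
    hops, seen = [], set()
    while len(hops) < max_hops and name not in seen:
        seen.add(name)
        owner = name if has_rr(records, name) else wildcard_match(records, name)
        if owner is None:
            break
        if (owner, "CNAME") in records:
            ttl, target = records[(owner, "CNAME")][0]
            hops.append((owner, "CNAME", ttl, target))
            name = target
            continue
        for ttl, addr in records[(owner, "A")]:
            hops.append((owner, "A", ttl, addr))
        break
    return hops


def assess(records, name, short_ttl=300):
    """Summarise the trail: final IPs, whether a wildcard was used, short-TTL owners."""
    hops = follow(records, name)
    return {
        "final_ips": sorted({h[3] for h in hops if h[1] == "A"}),
        "via_wildcard": any(h[0].startswith("*.") for h in hops),
        "short_ttl_records": [h[0] for h in hops if h[2] < short_ttl],
        "hops": hops,
    }
```

Run `assess(parse_dig(SAMPLE_DIG), "what.phillysayswhat.biz")` to see the wildcard hop, the single A record and the 30-second TTL that lets the site move between reports.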

  16. Unfortunately "mushuporkman" has been around for a long time, a real "pro" - he uses thousands of domains - All of his DNS servers are blacklisted though, so SpamAssassin should catch most of his mail (I report his `new' domains often to various forums, but none of his junk has actually made it through my mail filters for months). Again, against this guy, your best defense is SpamAssassin running the URI tests (If you have a SpamCop account enable it there - otherwise either try to get your ISP to use it - it is quite a resource hog though - or install it on your own machine - I know it *can* be done on MS boxes but I've never tried). That won't "report" him, but at least you won't get it anymore, or at least it'll be marked as "spam".

  17. idirect.com wrote (Feb 6 2005, 09:46 AM): Just received the following and will likely be told by SpamCop that it is over 2 days old, when it is NOT and in fact the sender deliberately is using a stale date. I get a number of these. Is there any solution to this problem?





    The hotmail account listed in the 'whois' data for the domain is invalid. File a report with wdprs.internic.net and with the registrar (i.e. itsyourdomain.com for this one). BTW, I've gotten literally dozens of domains by the same registrant blacklisted over the past two weeks. Getting the domain revoked is extra work I haven't (yet) bothered with (he used lots of registrars and the relatively `new' spam DNS servers {first,second,third}.cuzdns.com).
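The stale Date: header that idirect.com describes in post 17 can be detected locally before a report is submitted. This Python is an added example (not SpamCop's code) that compares the Date: header against the timestamp in the topmost Received: header, the one written by your own MX and therefore the only hop you can trust; the message is a constructed sample with example.* hosts and RFC 5737 addresses.

```python
"""Flag messages whose Date: header is far older than their real arrival time."""
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: Date: is backdated to 2 Feb while the Received: trail
# (newest first) shows the message actually arrived on 6 Feb 2005.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.7])
\tby mail.example.org with ESMTP id ABC123;
\tSun, 6 Feb 2005 09:40:12 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.net with SMTP; Sun, 6 Feb 2005 09:39:58 -0500
Date: Wed, 2 Feb 2005 03:11:00 +0000
From: offer@example.invalid
To: victim@example.org
Subject: constructed sample

body
"""

# SpamCop's own cut-off as stated in the post: reports older than two days are refused.
MAX_AGE = timedelta(days=2)


def received_times(msg):
    """Timestamps of each Received: header, newest first (the part after the last ';')."""
    times = []
    for hdr in msg.get_all("Received", []):
        stamp = hdr.rsplit(";", 1)[-1].strip()
        try:
            times.append(parsedate_to_datetime(stamp))
        except (TypeError, ValueError):
            continue  # malformed or missing timestamp: ignore that hop
    return times


def date_skew(raw):
    """Return (skew, stale): skew = arrival at our MX minus Date:, stale if > MAX_AGE.

    Only the topmost Received: header is used, because every header below it was
    written by someone else's machine and may be forged just like Date: itself.
    """
    msg = message_from_string(raw)
    date_hdr = msg.get("Date")
    received = received_times(msg)
    if not date_hdr or not received:
        return None, False
    try:
        sent = parsedate_to_datetime(date_hdr)
    except (TypeError, ValueError):
        return None, False
    skew = received[0] - sent
    return skew, skew > MAX_AGE
```

A message with a positive skew well over two days is one where the reporter should rely on the MX timestamp, not the Date: header, when judging whether it is still reportable.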

  18. Has anyone noticed that YesNic's whois server has been down all day, so the DNS servers' domain doesn't resolve properly (i.e. platalcia456.com)? Also, the domain WAREHOUSEMED5.NET, while still functional (damn planetdomain), has already been suspended for abuse.

    % nslookup -type=any platalcia456.com

    ** server can't find platalcia456.com: NXDOMAIN

    % jwhois warehousemed5.net
    [Querying whois.internic.net]
    [Redirected to whois.planetdomain.com]
    [Querying whois.planetdomain.com]

    The data contained in the database of Primus Telecommunications Pty Ltd
    (PlanetDomain/PrimusDomain) is made available to assist persons in
    obtaining information pertaining to the domain name registration
    record. No guarantee of accuracy is offered or given. By submitting a
    search request you agree to use the data for lawful purposes, and also
    agree NOT to
    1) use the data to allow, enable, or otherwise support any marketing
    activities, regardless of the medium used. Such media includes but is
    not limited to e-mail, telephone, facsimile, postal mail, SMS, and
    wireless alerts.
    2) sell or redistribute the data except insofar as it has been
    incorporated by yourself into a value-added product or service that does
    not permit the extraction of a substantial portion of the bulk data from
    the value-added product or service for use by other parties.
    Primus Telecommunications Pty Ltd (PlanetDomain/PrimusDomain) reserves
    the right to forbid access to any party who abuses the terms and
    conditions herein or who is deemed to have queried the database
    excessively, and to change these terms and conditions at any time.

    Domain Name: WAREHOUSEMED5.NET
    Reseller..............: #1 Cheap Domains
    Created on............: 29 Jan 2005 00:00:00 EST
    Expires on............: 28 Jan 2006 00:00:00 EST
    Record last updated on: 29 Jan 2005 00:00:00 EST
    Status................: ACTIVE
    Owner, Administrative Contact, Technical Contact, Billing Contact:
    W.W.W marketing INc.
    Carolas Espinosa (ID00160914)
    1273 hudson st.
    ny, ny 10011
    United States
    Phone: +1.2128653566
    Email: account_frozen_spammer[at]planetdomain.com
    Domain servers in listed order:

    nslookup -type=any warehousemed5.net

    Non-authoritative answer:
    warehousemed5.net nameserver = ns1.platalcia456.com.
    warehousemed5.net nameserver = ns2.platalcia456.com.
    Authoritative answers can be found from:
    warehousemed5.net nameserver = ns2.platalcia456.com.
    warehousemed5.net nameserver = ns1.platalcia456.com.

    % nslookup -type=any warehousemed5.net ns1.platalcia456.com.
    nslookup: couldn't get address for 'ns1.platalcia456.com.': not found

    % nslookup -type=any warehousemed5.net ns2.platalcia456.com.
    nslookup: couldn't get address for 'ns2.platalcia456.com.': not found

  19. In just the past few days, I've noticed that the time between my MTA "auto-reporting" a spam and the time I receive the message to confirm it climb from a few minutes, or even ten minutes, up to several hours. Today several came in hours after being sent (sent as attachments using the recommended "DeathToSpamDeathToSpamDeathToSpam" perl script format). This morning, one took three hours and another seven hours to appear. Is there currently a problem or overload? Note: they do all eventually seem to appear (except just one yesterday); I'm just used to checking about 10 minutes after I know the cron job will have submitted them - hence my "average" reporting time says 1 hour and is probably less.

  20. Still a bit sleazy .. there doesn't
     seem to be any above-board place to go look at it, no web-site for instance.  I
     suppose it's interesting that these folks have apparently teamed up and all, but .....
    on the other hand ... whoah!
    whois -h whois.godaddy.com gorbs.com ...   Coram, New York 11727
       United States
       Registered through: Act Now Domains
       Domain Name: GORBS.COM
          Created on: 28-Feb-02
          Expires on: 28-Feb-05
          Last Updated on: 30-Dec-02
       Administrative Contact:
          Smith, Ronnie  countart[at]optonline.net
          Gorbs Corp.
          1015 Old Town Rd.
          Coram, New York 11727
          United States
          631-988-2604      Fax -- 
    12/17/04 18:04:40 Browsing http://gorbs.com/
       Gorbs Corp.
       1015 Old Town Rd.
    [cut - I don't know of them]
    Neither having much direct connection to a BL ... but that optonline.net is 'interesting'


    optonline.net is a spammer. To amuse yourself look at spamhaus.net - registered to rackspace.com, another spammer. These people are just trying to catch simple mistakes and take advantage of them.

  21. Yeah. Figured as much. I sent hinet a LART asking them to close ALL websites from this spammer. Doubt it'll do much good, but who knows.


    You will probably have better luck with TUCOWS, especially if you include the spam and evidence of the false whois data. Also, file a complaint at wdprs.internic.net - It will get to TUCOWS and reinforce the chances that they take action, and the "new" wdprs auto-response invites you to file a complaint against the registrar if no action is taken -- Just remember, in the absence of fraud, they get 15 days to "fix" things; But forged headers *do* count as fraud.