get-even
Posts posted by get-even
-
WilTel's contracts aren't pink - they're bright red. WilTel/WCG is a provider of last resort; note they are also the current bandwidth provider for Brian Kramer/Expedite and AS33012 (look up the Spamhaus records about Expedite being dropped by MCI, Broadwing, Singtel, Mzima, Anet, TimeWarner, Sprint and a few more, all in the past two months). WCG gladly took them on - and I do remember when, twenty+ years ago, WilTel were the good guys. Notice even companies with sullied reputations don't want to handle Expedite (who also lost almost all their IP space, because it was hijacked illegally and revoked by ARIN); most of what is left is actually another Peters/JTel fake ISP with a fraudulent Jamaican front company, disconnected telephone lines, invalid email and suspended domains for all the contacts - it is amazing that *even* WCG will carry that kind of traffic.
-
Anyway, the message is here: http://www.spamcop.net/sc?id=z759706311ze9...1e478f889201a0z
The parser says:
Finding links in message body
no links found
Latest multitrade group spams all use this method to avoid SpamCop. BTW, the registration contacts' telephone number is disconnected, and the domain of the contacts' email address is falsely registered also (non-existent Washington state address - listed voice number is a fax machine in Delaware state).
-
Over the past week or so I've noticed a significant increase in the number of spam items trapped by flat rate mail account which, when submitted for reporting, return a "No body provided, check format of submission" error. By significant I mean that previously I'd get one or two per month now I get five or six such errors per day....
Andrew
I have also received a large number of these - it seems to be a busted worm. I tracked quite a few to a student's machine at Princeton, reported it to them, and received a very nice "thank you, we have removed the machine from our network" back. Definitely looks like someone is testing a virus, but either it is misconfigured or purposely sending empty spams.
-
I have just received a spam e-mail that made me suspicious. It had identifying info in the body (it showed a reply to a message from my e-mail even though I (obviously) never e-mailed this guy). I stripped this info from the body before parsing and to my surprise the spamvertized site www.hycod.com parses to a hotmail account as the site administrator. Obviously this set alarm bells ringing and I unchecked those boxes when reporting the spam. How has this happened, and why is spamcop parsing to hotmail - surely no legitimate site administrator would use a hotmail account?
Hotmail is far from perfect, but they have an excellent "zero-tolerance" policy. Write a polite short (ten or fifteen line) message and add a copy of the *unmunged* spam and a copy of the 'whois' data for the domain "hycod.com" to abuse[at]hotmail.com. If the message doesn't bounce and you do get the standard "auto-reply", his account will likely be canceled within two days. Once the account is canceled, go to wdprs.internic.net and file a complaint saying that the email contacts are invalid - depending on the registrar, the domain (but probably not the site, which likely uses many domains) will be gone in a couple of weeks.
Quick check, the registrar is Namebay Sam, so the domain will last a while, but the domain is also part of the taiwantelcom.com/taiwanmedialtd.com group, which despite its name operates mainly from Amsterdam - their domains are blacklisted right and left, and already the contacts' domain TAIWANTELCOM.COM and the name servers' domain, DNST.NET, are on "hold" status - the first stage of being deleted. On just this basis, you can already file a complaint at wdprs, and hycod.com should be on "HOLD" itself within three days. Note: this gang creates about 10 new domains a week (I know of at least 6 that were shut down last week). This is a large professional operation - expect more spam from different domains now that you are on their list.
-
Notice that this domain shares the same name servers as the domains used by the Vancouver/Texas "porn" pair who control the domains:
hansenmansion.info
kazuyukitaki.com
johnmasonmen.info
cheruskialot.net
heidelberga.com
scottiq.info
sadgencrenaz.net
aretedf.com
among others. This might be an "affiliate" operation since all of those seem to redirect to either or both of Squirt.tv and goodporno.net.
The domain you listed, gjmatvienkoxdfg.com and the ones in my list all share the same name servers; Each uses the four name servers NS1.ANWOO.COM, NS1.BOMOFO.COM, NS1.EPOBOY.COM, and NS1.MYNAMESERVER.CA.
In your case, the registrant uses a different address in Virginia, not in either Vancouver or Texas as all previously tied domains have. Also, your "one pixel" trick, while well known, is quite different from all the others, which are straightforward "porn" spams. Still, the relationship is there!
-
They also run a free E-mail service. If spammers use that service, and OFIR is as reluctant to deal with their spamming customers as they are to exercise responsible list management, they surely will end up on a blocklist sooner or later I guess. But the main reason will probably be their spamming customers and not because of themselves spamming Danes who at some point voluntarily gave them their E-mail address.
Actually they are run by a small newspaper and spam for their advertisers. Primarily for not honoring remove requests *and* needing a password for removal, they will be blacklisted quite quickly. Also they have many domains trackable to them, several have false registration data - another blacklistable offence. Also, they seem to be spamming themselves (other reports can be found in search engines), not "free-email customers" (mis-)using their system. Notice, they generally do not forge headers, but anything sent to the U.S. would appear to not be CAN-SPAM compliant (no subject header noting an advertisement, no remove instructions in the email). You can get spam from them, if you want, by signing up, then canceling - the deluge comes quickly! This is already sufficient evidence for a few lists. If it continues after a day or two (what they say it should take), I'll start reporting to SpamCop also. BTW, you also start getting mail from other domains which they control, you just have to dig to determine their ownership. Also, the email is such egregious spam, I'll have to open filters to let it by the blocking which has already occurred (i.e. my servers already refuse the mail based on blacklists they are already on *and* on content alone).
-
Seems like Ralsky shut almost all his domains off today - it looks like he was doing the DNS and possibly the mailing for the people being sued; maybe he'll finally get proven guilty (he always seems to get off on previous attempts to prosecute or sue him). Also, for anyone who wants to check, the info posted in this thread before has been changed as of yesterday and/or today.
-
Go to blackholes.us, DL the zone files for the various countries and add them to your firewall. That will stop about half the intrusions. One intrusion is nothing. Continuous banging gets a firewall block. Trying to get an ISP to trace down anything less than $10,000 in damages is a friggin waste of time in the USA; anywhere else you get laughed at. Any serious attack comes through at least three levels of trojanned machines and is almost impossible to track without Federal and/or multinational cooperation, with a lot of network equipment that you and I could not afford.
Securing your machine and keeping it secure is the way to go. Since it's a Windows box, it should be behind a firewall, not on the Internet directly. No Windows machine should be directly on the net. Only then will you be a good netizen. Even after that, you should still follow strict security practices. Windows' nasty habit of treating data as executable is pervasive and allows a lot of viruses to be successful.
A good ISP will act quickly; for one of my pipes, I had a DOS last night - within 8 minutes the ISP and AboveNet had blocked the source and the pipe was back up (it was my primary routing path and the only one I publish SPF records for, so it was a pain in the neck despite being near 3AM local time).
-
ICANN policy, check their web page: the registrant gets *at least* 15 days to fix the registration (unless somebody goes to the trouble of proving fraud and/or that immediate harm is occurring). Besides, they've already changed the data once, the addresses and telephone numbers are valid, and the email accounts listed for the contacts do work. So basically, unless Pfizer or the FBI wants to file a complaint, they get 15 days! Personally, I don't have any of the typical data I use to get domains delisted (i.e. invalid data - provably so, with fraudulent headers on copies of email), otherwise I'd be tempted to complain myself. (I did get the name servers blacklisted in a variety of places though - for them I could "prove" fraudulent data!)
-
MS and Pfizer are going after CanadianPharmacy (www.cndpharmacy.com) and E-Pharmacy Direct (www.myepharmacydirect.com) according to this item at
The Register:
http://www.theregister.co.uk/2005/02/10/spam_lawsuit/
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL21829
and
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL20492
No, but notice that the registration of the DNS servers' contact email is at the now infamous 126.com (after the posting here, it seems that 126.com is also used by "customers" too).
jwhois myepharmacydirect.com
[Querying whois.internic.net]
[Redirected to whois.godaddy.com]
[Querying whois.godaddy.com]
[whois.godaddy.com]
...
Registrant:
Domains by Proxy, Inc.
Registered through: GoDaddy.com
Domain Name: MYEPHARMACYDIRECT.COM
Domain servers in listed order:
NS0.NNNSSS.COM
NS1.NNNSSSS.COM
For complete domain details go to:
[Querying whois.internic.net]
[Redirected to whois.paycenter.com.cn]
[Querying whois.paycenter.com.cn]
[whois.paycenter.com.cn]
The Data in Paycenter's WHOIS database is provided by Paycenter
...
Domain Name:nnnsss.com
Registrant:
zheng zhou
74 # zhong he road
450005
Administrative Contact:
zheng zhou
zheng zhou
74 # zhong he road
zheng zhou Henan 450005
China
tel: 86 371 8349581
fax: 86 371 8349581
zhenservicemed[at]126.com
Technical Contact:
zheng zhou
zheng zhou
74 # zhong he road
zheng zhou Henan 450005
China
tel: 86 371 8349581
fax: 86 371 8349581
zhenservicemed[at]126.com
Billing Contact:
zheng zhou
zheng zhou
74 # zhong he road
zheng zhou Henan 450005
China
tel: 86 371 8349581
fax: 86 371 8349581
zhenservicemed[at]126.com
Registration Date: 2005-01-06
Update Date: 2005-01-06
Expiration Date: 2006-01-06
Primary DNS: ns0.nameserverrt.com 210.77.145.123
Secondary DNS: ns1.namserverst.com
So while we might not know who they are, we know who they are in business with!
% jwhois NNNSSS.COM - fails, whois.directi.com has just gone offline to the world!
-
You have received much good advice; but if you want to go further, I can tell you what I used to do (I stopped this a little over 7 years ago when attacks became too common). The first scan or attack got you in a database, the second got me to break into your machine - if a MS box, autoexec.bat was changed, if a *nix box then /etc/motd was changed to state "Your machine is probably infected with a virus, please check it and repair"; the third attempt led to renaming crucial files on the machine so that it wouldn't boot, and a file was left either at the top of the C: drive or in / for *nix machines with the name "Please-Cleanup" and a single line stating "This machine is being used for attacks against other internet users". The fourth offense led to disk erasure. I'm sure that this is now quite illegal (at least in the U.S.) and I certainly see thousands of port scans a day, and a few hundred real `attacks' for my network (a few hundred IPs).
I'm not recommending this, but if you wanted to, you could (fairly easily) find the needed exploits to perform these actions; just be aware that in the most common case, the immediate attacker is an otherwise innocent party whose machine is `owned' by a real hacker (oddly, a common technique once a machine is `owned' is for the hacker to secure the box so that someone else doesn't `steal' it from him).
Also, the IP you gave is currently not up and is likely a DUL anyway (you have to catch them during the scan to be effective in many cases).
BTW, for loafman, I do have the extensive equipment and necessary privileges to *really* backtrace the several levels typically, but I've found the `real' attacker's box (nowadays) is usually a relatively secure BSD or SELinux machine and the effort involved is not worth it. Besides, now, what I used to do commonly is clearly a prosecutable offense.
-
It seems that the "No recent reports" is unreliable - I reported that site yesterday (and they are already blacklisted a few other places now). Also, wildcard DNS:
I hate to reply to my own post, but I just reported another spam from the same site. Again, "No recent reports". Note the wildcard DNS on the domain in the previous post, and that there is only one 'A' record if you follow the trail from the CNAME.
% dig www.phillysayswhat.biz any [at]218.7.120.118
; <<>> DiG 9.3.0 <<>> www.phillysayswhat.biz any [at]218.7.120.118
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63865
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2
;; QUESTION SECTION:
;www.phillysayswhat.biz. IN ANY
;; ANSWER SECTION:
www.phillysayswhat.biz. 30 IN A 211.144.164.204
;; AUTHORITY SECTION:
phillysayswhat.biz. 3600 IN NS ns1.realdnssystem.com.
phillysayswhat.biz. 3600 IN NS ns3.autonameservers.com.
phillysayswhat.biz. 3600 IN NS ns4.bighostsolutions.com.
phillysayswhat.biz. 3600 IN NS ns7.bighostsolutions.com.
;; ADDITIONAL SECTION:
ns4.bighostsolutions.com. 3600 IN A 218.7.120.118
ns7.bighostsolutions.com. 3600 IN A 222.223.134.244
;; Query time: 504 msec
;; SERVER: 218.7.120.118#53(218.7.120.118)
;; WHEN: Tue Feb 8 18:18:21 2005
;; MSG SIZE rcvd: 210
Also, as I mentioned before, at least nearly a dozen other (also reported) domains refer to the same IP (it does move around, see that the TTL is only one hour for the name servers and just 30 seconds for the actual site).
-
I've just noticed today a long (several hours) delay in the messages being accepted by spamcop and the delay in reporting. I use quick reporting for 99% of my spam, however, so do not use that method very often.
The stats page is showing about a 10 minute pause in reporting today about 3PM EST. There have been some intermittent problems the last week being worked on (mentioned in other threads here). Perhaps some problems are still being worked on or the backup is being processed. Sorry, nothing definite.
http://www.spamcop.net/spamgraph.shtml?spamstats
http://www.spamcop.net/spamgraph.shtml?spamweek
I'm still waiting for the confirmation messages to appear from the spam I submitted (according to the logs on my outgoing MTA - there is an internal relay step before the mail goes out) 5 hours and 55 minutes ago; this is the longest delay I have seen yet. Is something down? (I can provide times and MSGIDs to any staff member or administrator who wishes to try to track down the trouble.) And, of course, there have been even a few more reports since with no confirmation either.
-
It seems that the "No recent reports" is unreliable - I reported that site yesterday (and they are already blacklisted a few other places now). Also, wildcard DNS:
% dig '*.phillysayswhat.biz' any
; <<>> DiG 9.3.0 <<>> *.phillysayswhat.biz any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62958
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2
;; QUESTION SECTION:
;*.phillysayswhat.biz. IN ANY
;; ANSWER SECTION:
*.phillysayswhat.biz. 3577 IN CNAME www.phillysayswhat.biz.
;; AUTHORITY SECTION:
phillysayswhat.biz. 3577 IN NS ns7.bighostsolutions.com.
phillysayswhat.biz. 3577 IN NS ns1.realdnssystem.com.
phillysayswhat.biz. 3577 IN NS ns3.autonameservers.com.
phillysayswhat.biz. 3577 IN NS ns4.bighostsolutions.com.
;; ADDITIONAL SECTION:
ns3.autonameservers.com. 41026 IN A 61.240.131.209
ns4.bighostsolutions.com. 35877 IN A 218.7.120.118
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 7 14:12:58 2005
;; MSG SIZE rcvd: 210
At least it is a spammer with a sense of humor - he also has been using the domain "bagelsandcreamcheese.biz" -- BTW, the actual operator is either or both of "Clever Link Trading Limited" and "Fantasy Content" of 14150 NE 20th St. Suite #99 Bellevue WA. 98007. He also has a few dozen other domains (which I know of) that reference the same site. He tries to be legal (at least the porn part) - his "18 U.S.C. section 2257" filing copy is readable at (google cached copy, not the original) the URL:
http://216.239.57.104/search?q=cache:b6cCg...Cyprus%22&hl=en
(Note: the site it was cached from "parkleah.biz" is down.)
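The two dig outputs above show the pattern worth flagging automatically: a wildcard CNAME that funnels every hostname to one www record with a 30-second A TTL, behind NS records with hour-long TTLs. The following is an added example, not code from the thread or from SpamCop; it parses dig-style record lines (copied from the answers above, with the other nameservers' A records omitted) and reports those indicators. The 300-second "short TTL" threshold is an assumption.

```python
"""Flag the wildcard / short-TTL hosting pattern seen in the dig output above.

Added example, not code from the thread. The record lines are copied from
the two dig answers quoted above; the 300-second threshold is an assumption.
"""
import re

# Constructed sample: the answer/authority/additional lines from the two
# dig queries above, merged into one list of resource records.
DIG_OUTPUT = """\
*.phillysayswhat.biz. 3577 IN CNAME www.phillysayswhat.biz.
www.phillysayswhat.biz. 30 IN A 211.144.164.204
phillysayswhat.biz. 3600 IN NS ns1.realdnssystem.com.
phillysayswhat.biz. 3600 IN NS ns3.autonameservers.com.
phillysayswhat.biz. 3600 IN NS ns4.bighostsolutions.com.
phillysayswhat.biz. 3600 IN NS ns7.bighostsolutions.com.
ns4.bighostsolutions.com. 3600 IN A 218.7.120.118
ns7.bighostsolutions.com. 3600 IN A 222.223.134.244
"""

# owner  ttl  IN  type  rdata  (the layout dig prints in its answer sections)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_rrs(text):
    """Return (owner, ttl, type, rdata) tuples; ';' comment lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrs.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return rrs


def resolve_chain(rrs, name, max_hops=8):
    """Follow CNAMEs from `name` to its A records.

    Returns (sorted A rdata, smallest TTL on the path, list of CNAME hops).
    An empty address list means the chain dead-ends or loops.
    """
    min_ttl, hops, current = None, [], name.lower()
    for _ in range(max_hops):
        a_recs = [r for r in rrs if r[0] == current and r[2] == "A"]
        if a_recs:
            ttl = min(r[1] for r in a_recs)
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
            return sorted(r[3] for r in a_recs), min_ttl, hops
        cnames = [r for r in rrs if r[0] == current and r[2] == "CNAME"]
        if not cnames:
            break
        _owner, ttl, _rtype, target = cnames[0]
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        hops.append(target)
        current = target
    return [], min_ttl, hops


def assess_zone(rrs, zone, short_ttl=300):
    """Summarise wildcard, CNAME-chain and TTL indicators for one zone."""
    zone = zone.lower().rstrip(".") + "."
    ns_ttls = [r[1] for r in rrs if r[0] == zone and r[2] == "NS"]
    report = {"wildcard": False, "site_ips": [], "site_ttl": None,
              "cname_hops": [], "ns_ttl": min(ns_ttls) if ns_ttls else None,
              "short_site_ttl": False}
    if any(r[0] == "*." + zone for r in rrs):
        ips, ttl, hops = resolve_chain(rrs, "*." + zone)
        report.update(wildcard=True, site_ips=ips, site_ttl=ttl, cname_hops=hops,
                      short_site_ttl=ttl is not None and ttl <= short_ttl)
    return report
```

Feed it the output of `dig <name> any` for a reported domain and its wildcard; a wildcard, a single A target and a site TTL far below the NS TTL are the combination the posts above describe.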
-
Could we have an "Enable emoticons?" choice for PMs like the one for forum topics? It is not possible to write a PM using a list delineated by "a), b), c), etc." because "b)" (or "B)") is recognized as an emoticon.
-
Over a dozen attempts to report - one "almost" made it, but when I clicked on the button, I got a "upstream server response timeout" message. Tracking URL:
http://www.spamcop.net/sc?id=z729692304zf4...688e7839fcec89z
Other spams both before and after have processed as expected.
-
Unfortunately "mushuporkman" has been around for a long time, a real "pro" - he uses thousands of domains. All of his DNS servers are blacklisted though, so SpamAssassin should catch most of his mail (I report his `new' domains often to various forums, but none of his junk has actually made it through my mail filters for months). Again, against this guy, your best defense is SpamAssassin running the URI tests (if you have a SpamCop account enable it there - otherwise either try to get your ISP to use it - it is quite a resource hog though - or install it on your own machine - I know it *can* be done on MS boxes but I've never tried). That won't "report" him, but at least you won't get it anymore, or at least it'll be marked as "spam".
-
[quote: idirect.com, Feb 6 2005, 09:46 AM] Just received the following and will likely be told by SpamCop that it is over 2 days old, when it is NOT and in fact the sender deliberately is using a stale date. I get a number of these. Is there any solution to this problem?
--------------------------------------------------------------
...
http://srlmfzjp.ichbhhebfi.com/?M2OiilhmWRnofMM2g6A
The hotmail account listed in the 'whois' data for the domain is invalid. File a report with wdprs.internic.net and with the registrar (i.e. itsyourdomain.com for this one). BTW, I've gotten literally dozens of domains by the same registrant blacklisted over the past two weeks. Getting the domain revoked is extra work I haven't (yet) bothered with (he uses lots of registrars and the relatively `new' spam DNS servers {first,second,third}.cuzdns.com).
-
Has anyone noticed that YesNic's whois server has been down all day, so the DNS servers' domain doesn't resolve properly (i.e. platalcia456.com)? Also, the domain WAREHOUSEMED5.NET, while still functional (damn planetdomain), has already been suspended for abuse.
% nslookup -type=any platalcia456.com
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find platalcia456.com: NXDOMAIN
% jwhois warehousemed5.net
[Querying whois.internic.net]
[Redirected to whois.planetdomain.com]
[Querying whois.planetdomain.com]
[whois.planetdomain.com]
...
Domain Name: WAREHOUSEMED5.NET
Reseller..............: #1 Cheap Domains
Created on............: 29 Jan 2005 00:00:00 EST
Expires on............: 28 Jan 2006 00:00:00 EST
Record last updated on: 29 Jan 2005 00:00:00 EST
Status................: ACTIVE
Owner, Administrative Contact, Technical Contact, Billing Contact:
W.W.W marketing INc.
Carolas Espinosa (ID00160914)
1273 hudson st.
ny, ny 10011
United States
Phone: +1.2128653566
Email: account_frozen_spammer[at]planetdomain.com
Domain servers in listed order:
NS1.PLATALCIA456.COM
NS2.PLATALCIA456.COM
nslookup -type=any warehousemed5.net
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
warehousemed5.net nameserver = ns1.platalcia456.com.
warehousemed5.net nameserver = ns2.platalcia456.com.
Authoritative answers can be found from:
warehousemed5.net nameserver = ns2.platalcia456.com.
warehousemed5.net nameserver = ns1.platalcia456.com.
% nslookup -type=any warehousemed5.net ns1.platalcia456.com.
nslookup: couldn't get address for 'ns1.platalcia456.com.': not found
% nslookup -type=any warehousemed5.net ns2.platalcia456.com.
nslookup: couldn't get address for 'ns2.platalcia456.com.': not found
-
I just posted a remark over in http://forum.spamcop.net/forums/index.php?showtopic=3558 .. but noting that this doesn't cover a "few days" time-frame. But I can also state that the other complaints / notifies / queries about this only started last night also ..????
My few days was probably misleading - it started for me late yesterday morning, local time (would have been night for GMT).
-
In just the past few days, I've noticed that the time between my MTA "auto-reporting" a spam and the time I receive the message to confirm it climb from a few minutes or even ten minutes, up to several hours. Today several came in hours after being sent (sent as attachments using the recommended "DeathToSpamDeathToSpamDeathToSpam" perl script format). This morning, one took three hours and another seven hours to appear. Is there currently a problem or overload? Note: they do all eventually seem to appear (except just one yesterday); I'm just used to checking about 10 minutes after I know the cron job will have submitted them - hence my "average" reporting time says 1 hour and is probably less.
-
Still a bit sleazy .. there doesn't seem to be any above-board place to go look at it, no web-site for instance. I suppose it's interesting that these folks have apparently teamed up and all, but ..... on the other hand ... whoah!
whois -h whois.godaddy.com gorbs.com
...
Coram, New York 11727 United States
Registered through: Act Now Domains
Domain Name: GORBS.COM
Created on: 28-Feb-02
Expires on: 28-Feb-05
Last Updated on: 30-Dec-02
Administrative Contact:
Smith, Ronnie countart[at]optonline.net
Gorbs Corp.
1015 Old Town Rd.
Coram, New York 11727 United States
631-988-2604 Fax --
12/17/04 18:04:40 Browsing http://gorbs.com/
Registrant:
Gorbs Corp.
1015 Old Town Rd.
[cut - I don't know of them]
Neither having much direct connection to a BL ... but that optonline.net is 'interesting'
optonline.net is a spammer. To amuse yourself look at spamhaus.net - registered to rackspace.com, another spammer. These people are just trying to catch simple mistakes and take advantage of them.
-
You will probably have better luck with TUCOWS, especially if you include the spam and evidence of the false whois data. Also, file a complaint at wdprs.internic.net - it will get to TUCOWS and reinforce the chances that they take action (and the "new" wdprs auto-response invites you to file a complaint against the registrar if no action is taken) -- Just remember, in the absence of fraud, they get 15 days to "fix" things; but forged headers *do* count as fraud.
Received_SPF: record within spam (in SpamCop Lounge)
The spam was sent from a machine at IP 222.136.135.217, part of the CNC Group-Henan province network. It forges headers to look like it came through gmail forwarding mail from a go.com account (go.com is owned by Disney and has a bad history of being abused by spammers). The Received_SPF is just another forged header - go.com does not use SPF. Most likely the domain her0es.net (the spamvertised domain) is operated by Leo Kuvayev (currently #2 at Spamhaus) - it uses a set of registration records he has used on dozens of other domains. It is mortgage spam, so if he is following pattern, there exists a nearly identical domain named her0es.com, which was likely registered within seconds of this one, but not yet used.
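The point of the post above is that a Received-SPF header carried inside the message is just text the sender typed; only the connecting IP that your own MTA recorded, checked against the SPF record the sender domain actually publishes, means anything. The following added example (not from the thread, not SpamCop code) walks through that: it ignores the forged header, takes the IP from the Received line written by the local MTA, and evaluates a minimal SPF record (ip4 and all mechanisms only). The message, the hostnames, the IPs and the stub DNS table are all constructed; the table deliberately publishes no record for go.com, matching the post.

```python
"""Why a Received-SPF header inside the message proves nothing.

Added example, not from the thread. The message, the IP addresses and the
stub DNS table are constructed; only the forgery pattern follows the post.
"""
import ipaddress
import re

# Constructed: headers carrying a forged "Received-SPF: pass". The topmost
# Received line is the one our own MTA wrote (trusted); the rest, including
# the Received-SPF line, were supplied by the sender and may say anything.
RAW_MESSAGE = """\
Received: from mail-relay.example.invalid ([203.0.113.45])
\tby mx.example.invalid with ESMTP id ABC123; Tue, 8 Feb 2005 18:18:21 -0500
Received: from gmail.com (gmail.com [192.0.2.10])
\tby mail-relay.example.invalid; Tue, 8 Feb 2005 18:18:00 -0500
Received-SPF: pass (gmail.com: domain of user@go.com designates 192.0.2.10 as permitted sender)
From: user@go.com
Subject: mortgage rates

body
"""

# Constructed stub for SPF TXT lookups; None means the domain publishes none.
STUB_SPF = {
    "go.com": None,
    "example.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
}


def parse_headers(raw):
    """Return ordered (name, value) pairs, joining folded continuation lines."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def connecting_ip(headers, our_host):
    """IP from the first Received header written by our_host; others are ignored."""
    for name, value in headers:
        if name == "received" and ("by " + our_host) in value:
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
            if m:
                return m.group(1)
    return None


def check_spf(record, ip):
    """Minimal SPF evaluation: ip4 mechanisms and the 'all' qualifier only."""
    if record is None:
        return "none"          # domain publishes no SPF: nothing to pass
    addr = ipaddress.ip_address(ip)
    quals = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        q, mech = (term[0], term[1:]) if term[0] in quals else ("+", term)
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return quals[q]
        if mech == "all":
            return quals[q]
    return "neutral"


def evaluate(raw, our_host, spf_table):
    """Compare what the message claims with what our own check yields."""
    headers = parse_headers(raw)
    claimed = next((v.split()[0] for n, v in headers if n == "received-spf"), None)
    sender = next((v for n, v in headers if n == "from"), "")
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    ip = connecting_ip(headers, our_host)
    actual = check_spf(spf_table.get(domain), ip) if ip else "temperror"
    return {"claimed": claimed, "connecting_ip": ip, "domain": domain, "actual": actual}
```

In a real MTA the stub table is a TXT lookup and the full mechanism set (a, mx, include, redirect) applies, but the ordering rule is the same: compute SPF from the connecting IP, never from a header the sender could have written.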