shmengie

Members
  • Content Count

    97
  • Joined

  • Last visited

Community Reputation

0 Neutral

About shmengie

  • Rank
    Member
  1. shmengie

    Pinned FAQ pointers

    It's not necessarily a better idea, but makes sense to me: Instead of having forum.spamcop.net point directly to this bulletin board, have a two choice/path links to either enter the board or view FAQs laid out in FAQ fashion. There are many boards. And I personally don't feel comfortable with FAQs posted on bulletin board systems. I suspect that is why there are a few complaints. This sounds like a lot of web work to me, so I wouldn't necessarily recommend it, unless you've got time coming out of the wazoo for such implementation. I wouldn't expect you to have so much ambition, unless you're being paid to maintain this information. Then I would expect it. All things considered, I think it is all well and good. Don't take the complaints too personally, ppl whine. It's a part of our nature.
  2. shmengie

    vronaholiday.com, what the F....

    A new domain popped up on the spam-dar today: ineedu2nite<dot>com. Same spiel... botnet enabled. The domains I've reported to enom (valneedbreaks, vronaholiday, qazwinner) are still operational, AFAICT, so I reported enom to ICANN. I figure it is not worthwhile expecting any action.
  3. shmengie

    vronaholiday.com, what the F....

    I found this spam a little interesting. http://www.spamcop.net/sc?id=z822460225za1...98736812e39ac2z The domain afunfakes<dot>com does not appear to be hosted by the botnet, but the spam bears a striking resemblance to the recent deluge of botnet referenced spams. Random(ized) machine name is the first clue. Second clue is the fact that it's advertising a live smut cam. The whois info appears slightly different, tho bogus, nonetheless.
  4. shmengie

    vronaholiday.com, what the F....

    In case you, Redstone or orion might find it useful, here's the python script I use to verify this botnet. It also contains a list of other domains used by this botnet, many of which have been closed by their registrars. I've only recently reported adultactioncam/cash to their registrars, but they aren't hosted in this fashion, so I have no idea what may come of that. Tucows is pretty good about shutting down spammed domains. Yesnic closed one set of domains, but the most recent ones seem to be left unattended by them. It's funny: dates4funz.com, registered at directi.com, was reported. They effectively told me to write the spammers and complain because they were only registrars. I told 'em I didn't think it would be in my best interest to do that. Then they said there was no "A" record... Duh... The spammers seemed to have dropped that domain in favor of vrona and vallneed.... so I guess it doesn't matter. I'm hoping google will step up to the plate and help with this foobaz. I wrote them today, because ns1 & ns2.google.com were referenced in one of the whois infos for the rogue domains. I doubt it, but nobody else (namely the FBI or one of the big ISPs whose customers are infected) will step up to the plate and tackle this issue.

    """
    SpamResearch.py  minimal web surfer (Python 3)
    helps verify virus infected computers are hosting rogue domain web-sites.
    It runs nslookup on the domain of an url, web queries each ip listed,
    reports ip, reverse DNS lookup and size of web result for each address.
    """
    import socket
    import sys

    # earlier targets, kept for reference
    #url = 'http://bogus.torrence-family.com/drugs'
    #url = 'http://www.access-authorization.com/ebayauth/'
    #url = 'http://bullwhack.torrence-store.com/farm/?bridgewater=bwligbreak'
    #url = 'http://www.nelema.com/ph/'
    #url = 'http://www.teljar.com/u.php'
    #url = 'http://www.pexetr.com/pt/'
    #url = 'http://mnm.datesulook4.com/extra/angelsweet3/getmeoff.php'
    #url = 'http://ucvihi.datesulook4.com/extra/angelsweet3/getmeoff.php'
    #url = 'http://oimt.datesulook4.com/extra/angelsweet3/getmeoff.php'
    #url = 'http://qgqsb.datecravings.com/extra/angelsweet3'

    # each assignment overrides the previous one; the last one is used
    url = 'http://ns.cucumberdns.net'
    url = 'http://ubseiz.flower-bed.biz'
    url = 'http://ns1.cucumberdns.com'
    url = 'http://asdf.vronaholiday.com'
    url = 'http://www.DATES4FUNZ.COM'
    url = 'http://ns1.postik.net'
    url = 'http://ns1.vronaholiday.com'
    url = 'http://nbzrw.vronaholiday.net/extra/brokenlove3/'
    url = 'http://bpx.vallneedbreaks.com/ja1'
    url = 'http://ns1.vewwopy.com'
    url = 'http://ns1.toperyip.com/ja1'

    if len(sys.argv) >= 2:      # use 1st parameter if one passed,
        url = sys.argv[1]       # instead of hard coded url

    # host name is the text between '//' and the next '/' (or end of string)
    dstart = url.find('//') + 2
    dend = url.find('/', dstart)
    if dend == -1:
        dend = len(url)
    domain = url[dstart:dend]

    print(url)
    # forward lookup: canonical name, aliases and every A record
    domain, alias, addresses = socket.gethostbyname_ex(domain)
    print(domain, alias)

    command = 'GET'
    result = b''
    for address in addresses:
        print("%-16s" % address, end=' ')
        result = b''            # reset so a failed host does not show the previous reply
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(10)    # don't hang on a host that accepts but never answers
            s.connect((address, 80))
            # bare 'GET <url>' request, one line, as in the original
            s.send((command + ' ' + url + '\n').encode())
            while True:
                data = s.recv(8196)
                if not data:
                    break
                result = result + data
            s.close()
            # reverse DNS of the host that answered, then the size of the reply
            print('%-45s' % socket.gethostbyaddr(address)[0], end=' ')
            print('returned %d bytes' % len(result))
        except OSError:
            print('Failed')

    print('Last result:\n')
    print(result.decode('latin-1', 'replace'))

    Moderator edit: change {code} to {codebox} to save screen space
  5. shmengie

    vronaholiday.com, what the F....

    It's interesting, valneedbreaks was spammed to me too, today. October 24, 2005, Monday 12:00pm -500

    Breaking news!

    url = 'http://ns1.toperyip.com/ja1'
    url = 'http://ns1.vewwopy.com'

    http://ns1.toperyip.com/ja1
    ns1.toperyip.com []
    68.63.20.36      pcp01567266pcs.hlcrs201.al.comcast.net        returned 201 bytes

    These two new domains both resolve to the same ip address and were referenced in the whois info for vallneedbreaks. I'm betting this ip address is being used to establish the dns hosts for this virus. The two tucows domains are listed as dns servers for vallneedbreaks.com, but are not yet being used AFAICT. But there is a lot of guessing in that statement.
  6. shmengie

    vronaholiday.com, what the F....

    This is that virus hosted gig. There are about 20 to a million computers infected with this virus/trojan. It must use some kind of irc ring to keep track of which computers are infected. There's no way to shut this thing down, other than report the domain names used to the registrars, because it's not actually hosted by any given isp.

    If you nslookup the domain, you'll get 5 ip addresses. These addresses change frequently. They've switched from past behaviour somewhat. They used to use the same domain name for their name servers. Now they have 3 domains that are listed as the DNS server domains. All of which are also hosted on virus/trojaned computers. If you look up the DNS servers, you get about 20. Every computer listed is dsl/cable, so I assume it is safe to assume this is a virus/trojan at work.

    I've reported all the domains I could identify to their registrars. Unfortunately, yesnic.com and the other, enom, appear to be very slow to respond. Porn, ebay phishing and a few other scams have been hosted in this fashion, by these criminals. Notify the FBI, maybe they'll listen, if enough people complain. They seemed to have ignored my reports. I've run to everyone I can think of in regard to this issue. Nobody seems to understand or worse, they simply don't care.

    http://nbzrw.vronaholiday.net/extra/brokenlove3/
    nbzrw.vronaholiday.net []
    68.61.247.99     pcp01188935pcs.strl401.mi.comcast.net         returned 42825 bytes
    68.63.20.36      pcp01567266pcs.hlcrs201.al.comcast.net        returned 42825 bytes
    12.217.64.216    12-217-64-216.client.mchsi.com                returned 42825 bytes
    24.10.176.110    c-24-10-176-110.hsd1.ut.comcast.net           returned 42825 bytes
    24.92.42.34      cpe-24-92-42-34.nycap.res.rr.com              returned 42825 bytes

    The one time I followed links on one of their scams, it said it was collecting bank account information via secure https, though it didn't. The bank info was returned to the virus infected machines.
    Anyone stupid enough to give real bank account information will undoubtedly suffer consequences.
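The post above lists the signals that mark a domain as hosted on infected consumer machines: several A records per lookup, addresses that rotate between lookups, reverse names that look like cable/DSL customer lines, and name servers that show the same pattern. The script below is an added example, not code from the original post, that turns those signals into a scoring check a reporter could run over lookup results. It works on constructed snapshots embedded in the file rather than live DNS; the reverse names of the five comcast/rr/mchsi hosts are taken from the post's own output, the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses and their reverse names are made up, and the residential-name patterns and thresholds are assumptions of this example.

```python
"""Score a domain's DNS footprint for 'hosted on infected residential
machines' (fast-flux style) using the indicators described in the post.
All sample data is constructed; nothing here touches the network."""
import re
from collections import Counter

# Markers typical of reverse names assigned to consumer cable/DSL lines.
# Heuristic regex, an assumption of this example.
RESIDENTIAL_RE = re.compile(
    r"dsl|cable|cpe|dyn|pool|dhcp|ppp"                   # access-technology words
    r"|\bhsd\d|\bres\b|\bclient\b|\bpcp\d+pcs\b"         # ISP naming seen in the post's output
    r"|\b\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}\b",    # customer IP baked into the name
    re.IGNORECASE)


def looks_residential(ptr):
    """True if a reverse-DNS name carries markers of a consumer access line."""
    return bool(ptr) and RESIDENTIAL_RE.search(ptr) is not None


def address_churn(snapshots):
    """Fraction of addresses that appear in only one snapshot.
    0.0 = the same set every time, 1.0 = a completely different set each lookup."""
    if len(snapshots) < 2:
        return 0.0
    counts = Counter(ip for snap in snapshots for ip in set(snap))
    return sum(1 for c in counts.values() if c == 1) / len(counts)


def assess(domain, a_snapshots, ptr_by_ip, ns_ptrs, min_records=4):
    """Combine the four indicators into a score; 3 or more flags the domain."""
    latest = set(a_snapshots[-1])
    residential = [ip for ip in latest if looks_residential(ptr_by_ip.get(ip, ""))]
    ns_residential = [p for p in ns_ptrs if looks_residential(p)]
    indicators = {
        "many_a_records": len(latest) >= min_records,
        "mostly_residential": bool(latest) and len(residential) / len(latest) >= 0.6,
        "rotating_addresses": address_churn(a_snapshots) >= 0.5,
        "ns_on_residential": bool(ns_ptrs) and len(ns_residential) / len(ns_ptrs) >= 0.6,
    }
    score = sum(indicators.values())
    return {"domain": domain, "indicators": indicators, "score": score,
            "verdict": "likely botnet-hosted" if score >= 3 else "not flagged"}


# Constructed sample data: two successive lookups of the domain from the post,
# plus a control domain with ordinary hosting.
SAMPLES = {
    "nbzrw.vronaholiday.net": {
        "a_snapshots": [
            ["68.61.247.99", "68.63.20.36", "12.217.64.216", "24.10.176.110", "24.92.42.34"],
            ["68.63.20.36", "24.10.176.110", "203.0.113.7", "198.51.100.44", "192.0.2.9"],
        ],
        "ptr_by_ip": {
            "68.61.247.99": "pcp01188935pcs.strl401.mi.comcast.net",
            "68.63.20.36": "pcp01567266pcs.hlcrs201.al.comcast.net",
            "12.217.64.216": "12-217-64-216.client.mchsi.com",
            "24.10.176.110": "c-24-10-176-110.hsd1.ut.comcast.net",
            "24.92.42.34": "cpe-24-92-42-34.nycap.res.rr.com",
            "203.0.113.7": "cpe-203-0-113-7.dsl.example.net",          # constructed
            "198.51.100.44": "198-51-100-44.dynamic.example.net",      # constructed
            "192.0.2.9": "pool-192-0-2-9.cable.example.net",           # constructed
        },
        # reverse names of the domain's listed name servers (one from the post, one constructed)
        "ns_ptrs": ["pcp01567266pcs.hlcrs201.al.comcast.net", "cpe-203-0-113-8.dsl.example.net"],
    },
    "www.example.org": {
        "a_snapshots": [["198.51.100.10"], ["198.51.100.10"]],
        "ptr_by_ip": {"198.51.100.10": "web1.hosting.example.net"},
        "ns_ptrs": ["ns1.hosting.example.net", "ns2.hosting.example.net"],
    },
}


def assess_samples():
    """Run the check over every constructed sample; returns {domain: result}."""
    return {name: assess(name, **data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in assess_samples().items():
        flags = ", ".join(k for k, v in result["indicators"].items() if v) or "none"
        print("%-28s score %d  %-22s [%s]" % (name, result["score"], result["verdict"], flags))
```

Each indicator is deliberately weak on its own (a CDN also returns many A records; a small business can legitimately run DNS from a DSL line), which is why the verdict needs three of the four to agree. Feeding the function real lookups means collecting two or more resolutions of the A and NS records some minutes apart and a PTR lookup for each address.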
  7. shmengie

    vronaholiday.com, what the F....

    Thanks Wazoo, Guess it just took a while for that information to be published. I moaned at enom in regard to this fact. -Joe
  8. shmengie

    vronaholiday.com, what the F....

    Well, you can report all the infected machines until you turn blue... ISPs have a hard enough time resolving spamming client issues. Clients hosting DNS/Webservice trojans/viruses seem to go un-attended. I'm tempted to write a report bot, but fear the consequences of such an endeavor. I guess it will require contacting the admin of the root servers, and get this thing delisted. Argh, I don't feel like taking on that much work. -- Oh, FWIW, traceroute is unimportant. You're tracing the route to only one of the infected hosts, which is likely a DSL/cable subscriber. The DNS servers are all virus/trojan servers too. I've reported the domains that they live by (ns1.cucumberdns.net, ns2.postik.net, ns2.cucumberdns.com) to yesnic.com. But yesnic.com is slow to respond. Well, they don't bother responding to me. They did eventually take down the last set of domains I reported tho. (listen2me.net and alwaysfirst1.net) were the first set of DNS servers I discovered propping up the virus/trojan hosted web servers. Seems these criminals have changed from one set of infected hosts providing both DNS and Web services, to now using one set for DNS and another set for Web services, or they just use different domain names for the differing services. You probably can still query the web servers for DNS info. I doubt the trojan cares which domain it responds from/to.
  9. I can't locate a registrar for this domain. It's a virus/trojan hosted domain, so you need to prefix the domain with anything.. nslookup spammer.vronaholiday.com locates the usual 4-5 virus infected machines. I cannot locate the registrar, so I cannot combat this bastage. ![at]#$%[at]#!
  10. shmengie

    I'm a spammer . . . NOT!

    I can't speak for wazoo, but I know it's hard to deal with the same questions repeated often. I used to work with a girl in a bank office building. She would ask the same question 4 - 5 times before the next week would roll in and a new question received the same treatment. Though you haven't asked the same here, yourself, it bears similarity. In the end, it is 100% probable a virus is the conduit through which you have been inducted into the realm of increased spam. Unfortunately, that says very little for you personally, other than you're another victim. The virus does not need to exist on your equipment for it to have this effect. Someone who has you in their address book or has received mail with your address in it is likely compromised. It's important to be aware of the state of your own equipment, but there is little you can do to protect your e-mail sent from falling into the abyss. It sux. nuff said. Hate spammers, because they love it.
  11. shmengie

    I'm a spammer . . . NOT!

    You know.... McAfee is good. But it ain't perfect. None of the virus scanners are. Norton may be the worst, but for some reason I placed a false trust in it. A friend of mine had caught a virus, or actually very many. Norton was kept up to date, so I had assumed it was something else that stopped his machine from booting. He reported no unusual circumstance, he shut down as usual and next boot it simply refused. The registry was corrupted, and the best guess I could fathom was that it was not being closed properly. I took his word that he was doing everything proper, and resolved the registry issue, which was no easy chore. All was well for a few months and the same thing happened again. Again, virus updates in place, no unusual circumstance, etc. etc... The registry again was corrupted. Turns out several viruses were infecting this machine. Yet Norton said it was clean. clamwin.com's free antivirus found the most abuses of this machine. Microsoft's beta spyware found a couple. And AVG's personal free virus detection found one or two that clamwin ignored. I can't stand either Norton or McAfee, they are very intrusive, but they are more complete solutions than clamwin. AVG seems quite good, but nearly as annoying as Norton and McAfee. I hardly ever remember to run a virus scanner on my machine, but *I know* I keep it clean. I never-ever click on attachments I don't know exactly what their purpose is. I don't allow rogue browser add-ins to ever be installed. (ok, I caved and let flash on board, but I hate it, so I uninstall it every so often too. I've got a peppy machine, but flash simply eats too much memory). I've been a computer geek for 20 and some odd number of years. I can get away with this act of stupidity. I would never recommend it to another. The moral: unless you know your machine is clean, it's possible it is not. Right now, there are spambots, several domains and name servers hosted on virus infected machines. It's disgusting!
    I can't put an end to it, which is very frustrating.
  12. shmengie

    Now I've done it

    Muahahahahahahahaha!!! Brainstorm! Thunderbird files spams nicely into a folder for me. I've been cutting and pasting spams into my reporting machine. But!!! I've been doing it the hard way! I can read the Thunderbird Junk file and completely automate spam reporting. Although it's a relatively simple task to cut/paste, it is time consuming. Complete automation requires better filtering tho; I've used the cut/paste method to avoid reporting mis-files. Hmmm... I'll get this figured out and spend less time reporting yet!
  13. shmengie

    Now I've done it

    I may be grasping at straws here. Starting to believe that someone I know has recently contracted a new infection or strain of trojan and this e-mail has consequently ended up on a new (to me) spammer's list. There is also a possibility that one ISP has changed their filtering practices.... hmmm. Although these spams seem to be more legit than my past experiences, validity has not been researched to verify one way or another. Saw a few addresses today originate from and contain links that resolve to the same domain. Time must be allocated to research who what where when. This seems to be an atypical spammer tactic. The to/from addresses used are old, names changed since, etc... So I'm still guessing at what's going on. Ratz man! I don't want to be in the 100-150 spams a day league. It's got me thinking about ways to re-write my reporting machine to further expedite the reporting process.
  14. shmengie

    Now I've done it

    My Junk mail reception has increased 3 fold the past two days. The volume of typical spam seems average. There's a slew of what I can only consider to be spam, but its origin appears to be from semi-legitimate sources. I must have really aggravated a spammer. In turn, they have some sort of web crawler running around the web signing me up to be spammed by domains who accept e-mail addresses on their webpages. I feel a little guilty reporting all this rubbish as spam, but I didn't subscribe for this crud. Today, I've received 50 spams and it's not even Noon yet. For the past 30 days I've been enjoying a relatively low volume of spam, with a maximum of 34 spams in one day and as few as 9 on several days. Oy! Am I the only victim? Are there any others being harassed in this fashion? -Joe
  15. shmengie

    onguardonline.gov

    The government and some partners put this one together. Probably nothing new for most of you. I think it's a good thing. The next time you encounter a newb who needs to know potential online issues, you can point them here http://onguardonline.gov