shmengie

Everything posted by shmengie

  1. shmengie

    [Resolved] Those crafty spammers

    Wow, that was quick. Guessing that e-bay contacted Tucows regarding that domain. I didn't.

    access-authorization.com 02-Jul-2005
    torrence-family.com 11-Jul-2005
    torrence-store.com 11-Jul-2005

    Looks like this zombie was designed for the e-bay spoof, and the other scams were added as an afterthought. Shortly (about 2 days) after I wrote Tucows about torrence-family.com it became inactive. That record does not reflect the "spamming" incident. The two inactive ones have NS1.NETSOL.COM as their domain server on the whois record. Currently torrence-store.com is still active and lists the "current" zombies as the domain servers. Since this site is picking on the w3ird0s who like to see ppl and farm animal sex, I haven't been in a hurry to see it shut down. I'm hoping the FBI is investigating this issue, but I doubt it.
  2. shmengie

    [Resolved] Those crafty spammers

    In the past, spoofs have pointed to a specific IP address, which didn't resolve to a domain name. This one doesn't appear to be a random IP address, because you'll see "a somewhat convincing domain name" in the address bar of your browser. Because this "website" is hosted on zombied machines, it is not possible for "officials" to identify or track down the criminal responsible. This is a somewhat unprecedented level of anonymity afforded to these criminals by this virus/trojan/zombie.
  3. shmengie

    [Resolved] Those crafty spammers

    OMG, the criminals expand their criminality. Received an e-bay spoof. This one resolves to the web-bot. www.access-authorization.com/ebayauth Maybe e-bay will step up and help fight this plight.

    Name: www.access-authorization.com
    Addresses: 12.214.117.250, 62.195.145.140, 67.176.137.127, 68.73.144.101, 69.252.161.230

    peer: ('69.252.161.230', 80) pcp0012142052pcs.oakrdg01.tn.comcast.net
    Address: 69.252.161.230 returned 17397 bytes
    peer: ('12.214.117.250', 80) 12-214-117-250.client.mchsi.com
    Address: 12.214.117.250 returned 17397 bytes
    peer: ('62.195.145.140', 80) i145140.upc-i.chello.nl
    Address: 62.195.145.140 returned 17397 bytes
    peer: ('67.176.137.127', 80) c-67-176-137-127.hsd1.il.comcast.net
    Address: 67.176.137.127 returned 17397 bytes
    peer: ('68.73.144.101', 80) adsl-68-73-144-101.dsl.ipltin.ameritech.net
    Address: 68.73.144.101 returned 17397 bytes
  4. shmengie

    Need help with my new laptop

    I almost hate new computers because they come with so much "cheezy wares". My first guess is it's checking for updates or something of that nature, or quite possibly your laptop mfg. is outsourcing updates/alerts w/Yahoo, or possibly a multimedia application trying to grab ads and/or other content. Though Zone Alarm should inform you which program is trying to get to the outside world. Often when I work with a new computer I spend 95% of the first two hours uninstalling all the cheezy wares. Because there are hardware-specific wares typically bundled with laptops, it's difficult to start out with a delete *everything* and re-install; though this is potentially quicker than the uninstall route, it's less advantageous in the long run because it takes time to locate all the "hardware specific" stuff. I recommend running through Add/Remove Programs and removing all of what you're not going to use and most of what you probably will not use. The stuff you don't know what it is can be a little bit of a gamble. If it's something you actually do need, it shouldn't be very difficult to get back on, but it's better to remove the rubbish when you first get started, IMO. Worst case scenario, you can start completely over from scratch with the rescue disk supplied. Personally, I wish they'd let you install the rubbish after you turn it on, but that's not the current trend with most OEM computers.
  5. shmengie

    [Resolved] Those crafty spammers

    This doesn't fit the topic of this thread, but here goes... Spammers do that often... Why??? I dunno. Some include anchored links around nothing so they're not visible in HTML-rendered text but point to other domains??? (ones they hate?) Some include domains that don't resolve??? Not sure what to do about the ones that obfuscate the spamvertized site by forcing a direct search engine match through Google or Yahoo. I usually report to Google and/or Yahoo so they receive notification, as well as the ISP hosting the actual spamvertized site.
  6. shmengie

    [Resolved] Those crafty spammers

    It's been done, ad infinitum, spam keeps coming... I haven't received a spam referencing torrence-store.com so I have not reported it. Can't get China, Korea, Russia (Asia for that matter) to quit providing web-space to spammers. Reporting seems merely an exercise for the tenacious. The volume of spam I receive has dropped to 1/2 lately. It seems as though I may have been taken off "a" spammer's list by reporting the torrence-family.com to everyone I could fathom. Seems unlikely I will receive a spam referencing the family "store." In order for these domains to get a hook into the DNS system, the spammer probably has to expose themselves in a window of potential identification. Once the domain is running around loose on the web, they can cut the ties and enjoy pure anonymity. In either event, I think this spammer is a blatant criminal, using the uneducated public to host web pages on their computers. I'm tempted to take a proactive stance. If I can get a spammer shut down, I'm inclined to do so... I've reported the web-bots to ISPs. I've tried to tell several ISPs how they could take a proactive stance. They seem to ignore my suggestions as well as the abuse reports. I reported several web hosting bots to an ISP and the only response I've received was "We don't host web sites on that address so your report is wrong." I promptly replied and believe my reply was promptly ignored. So if you get a spam that references a website, should you hold your breath until you get another referencing the same site? Q: Would you turn blue in the process?
  7. shmengie

    [Resolved] Those crafty spammers

    They cycle through new zombies all the time. I'm guessing all the zombies communicate via an IRC ring. When one drops out (probably frequently, since these hijacked computers are probably slow), a new one is more than willing to take its place. This makes it very difficult to report to ISPs because they are constantly changing. ISPs probably don't log the web traffic, so nonexistent logs make reference difficult. nslookup against an infected machine also reports the same addresses. Looks like the DNS records are all set to expire as soon as they're issued. Web browsing the 'domain' directly doesn't tell you which host you connect to, unless you're sniffing packets. Directly referencing IP addresses results in a disconnect/no data. I wrote this bare minimum web browser Python script to verify each and every "server" returned web pages, by addressing the server directly then issuing a GET url command, should you wish to check for your own amusement.

    SpamResearch.py

        # Bare-minimum "web browser": resolve the spamvertized name, then connect
        # to each address it returns and fetch the page from that host directly.
        # (Ported to Python 3; the original used Python 2 print statements.)
        import socket

        domain = 'bullwhack.torrence-store.com'
        # The original had the path '/farm/?bridgewater=bwligbreak' commented out
        # of the URL, so only the root is fetched here.
        path = '/'

        hostname, aliases, addresses = socket.gethostbyname_ex(domain)
        # A complete HTTP/1.0 request with a Host header. The original sent a bare
        # "GET http://host/" line, which only tolerant servers accept.
        request = ('GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' % (path, domain)).encode('ascii')

        for address in addresses:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(10)  # zombies drop out all the time; don't hang on a dead one
            try:
                s.connect((address, 80))
                print('peer:', s.getpeername())
                s.sendall(request)
                result = b''
                while True:
                    data = s.recv(8192)
                    if not data:
                        break
                    result += data
            except OSError as exc:  # socket.timeout is an OSError subclass
                print('Address: %s failed: %s' % (address, exc))
                continue
            finally:
                s.close()
            print('Address: %s returned %d bytes' % (address, len(result)))
            # print(result.decode('latin-1'))

    Heh, if it wasn't vigilantism (and I might get in trouble w/my ISP), I'd write a script that sent an e-mail once a minute to the ISPs stating that such and such computer is serving spamvertized web pages.
  8. shmengie

    [Resolved] Those crafty spammers

    I'd be lying to you if I said I understood how this works, but digging (and nslookup too) on the FQDN bullwhack.torrence-store.com works even though torrence-store.com doesn't??????? That doesn't fit my understanding of DNS resolution. Yet, looky there.

    $ dig bullwhack.torrence-store.com

    ; <<>> DiG 9.1.0 <<>> bullwhack.torrence-store.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17281
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;bullwhack.torrence-store.com. IN A

    ;; ANSWER SECTION:
    bullwhack.torrence-store.com. 5 IN A 68.58.110.87
    bullwhack.torrence-store.com. 5 IN A 68.254.114.243
    bullwhack.torrence-store.com. 5 IN A 24.94.238.113
    bullwhack.torrence-store.com. 5 IN A 24.194.147.92
    bullwhack.torrence-store.com. 5 IN A 67.190.24.114

    ;; AUTHORITY SECTION:
    torrence-store.com. 7200 IN NS ns4.torrence-store.com.
    torrence-store.com. 7200 IN NS ns5.torrence-store.com.
    torrence-store.com. 7200 IN NS ns1.torrence-store.com.
    torrence-store.com. 7200 IN NS ns2.torrence-store.com.
    torrence-store.com. 7200 IN NS ns3.torrence-store.com.
  9. shmengie

    [Resolved] Those crafty spammers

    Their DNS setup is hosed by design. You can't run an illegitimate operation and avoid being tracked down if you leave a trail pointing to you.
  10. shmengie

    [Resolved] Those crafty spammers

    Looks like the same criminals at work. All web "servers" are running on hijacked DSL/cable computers. The whois records for both torrence-family and torrence-store indicate both domains were registered 11-Jun-2005 and last modified 26-Jun-2005. I don't have the energy at the moment to try and put an end to this one... Maybe tomorrow... Links on that page introduced "movienetworks.com" which is another domain I assume being run by these criminals, since it was registered... you guessed it, 11-Jun-2005. But it's hosted by Internap.... ??? ....
  11. shmengie

    [Resolved] Those crafty spammers

    Hate when ppl fix stuff and don't bother to tell you. Reported until I was blue in the fingers on that one. Now I don't know how/why it was resolved, but it appears to be. If it happens again, do I have to go blue in the fingers to achieve resolution? FWIW... I've seen spam that resolved like that one for about 3-5 months passing by my spam reporting eyes. When I started this thread, I figured I'd try to put an end to it and tenaciously reported to everywhere/everyone I could fathom to get it to stop. Heh, I even blogged it, which made me feel a little better. http://spamnation.blogspot.com/ Wish I would have assigned some blame to ISPs for the state of the spam (in the blog).
  12. shmengie

    [Resolved] Those crafty spammers

    These "servers" aren't necessarily sending spam. They host the web page/rogue DNS servers that support this domain. The domain was referenced in a spam; I kept the last three that reference it in my spam box (yet to be deleted). I doubt that they send spam themselves, unless they are infected with additional robot/spamware. Frankly this avenue of spammer proliferation bugs the wooloo (not to be confused w/wazoo) out of me, because it offers another level of anonymity to the spammers. No specific ISP is being used, but a bunch of their clients are being abused. Look at it this way. We can't track spam to a specific spammer whose spam was delivered by an anonymous spambot-infected machine. Now we've got a spammer that's upped the ante and uses a webbot/dnsbot-infected ring of computers to deliver web pages. Although it is possible they could also deliver spam, I suspect they use their other army of infected machines for that doody. They have no fear of ISP repercussion, because they aren't using an ISP service. They're abusing idiots w/computers that don't know their computers are being used this way.
  13. shmengie

    [Resolved] Those crafty spammers

    Double dratz (or not): udowzy.torrence-family.com is now resolving again :/ Shouldn't be too surprised that it winked out for a while. After all, the actual DNS servers are virus-infected zombies. The main server must have been rebooted because it was running too slow, or maybe the user woke up and anti-virus'd it.

    zeus:~$ dig udowzy.torrence-family.com

    ; <<>> DiG 9.1.0 <<>> udowzy.torrence-family.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45807
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;udowzy.torrence-family.com. IN A

    ;; ANSWER SECTION:
    udowzy.torrence-family.com. 5 IN A 24.178.100.28
    udowzy.torrence-family.com. 5 IN A 63.206.119.30
    udowzy.torrence-family.com. 5 IN A 69.211.16.157
    udowzy.torrence-family.com. 5 IN A 24.12.119.73
    udowzy.torrence-family.com. 5 IN A 24.13.123.241

    ;; AUTHORITY SECTION:
    torrence-family.com. 155815 IN NS ns1.netsol.com.

    ;; Query time: 640 msec
    ;; SERVER: 192.168.1.112#53(192.168.1.112)
    ;; WHEN: Thu Jul 28 02:50:11 2005
    ;; MSG SIZE rcvd: 149
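    Editor's added example (not part of shmengie's posts or the forum): the two dig listings above (posts 8 and 13) show the signature that spam researchers later called "fast flux": a handful of A records with a 5-second TTL, scattered across residential /16s, rotating as zombies come and go. The Python below parses dig output of that shape and scores it; the thresholds (TTL at most 300 s, at least five hosts, hosts spread over at least half as many /16s) and the second snapshot "taken a minute later" are assumptions, retyped from or modelled on the post's own output rather than taken from any live lookup.

```python
import re
import ipaddress

# Constructed sample: the ANSWER/AUTHORITY sections from the dig output quoted
# in the post above (udowzy.torrence-family.com), retyped as a string.
DIG_SNAPSHOT_1 = """\
;; ANSWER SECTION:
udowzy.torrence-family.com. 5 IN A 24.178.100.28
udowzy.torrence-family.com. 5 IN A 63.206.119.30
udowzy.torrence-family.com. 5 IN A 69.211.16.157
udowzy.torrence-family.com. 5 IN A 24.12.119.73
udowzy.torrence-family.com. 5 IN A 24.13.123.241

;; AUTHORITY SECTION:
torrence-family.com. 155815 IN NS ns1.netsol.com.
"""

# Constructed second snapshot, as if taken a minute later, with three of the
# five hosts swapped for TEST-NET addresses. Hypothetical; not from the page.
DIG_SNAPSHOT_2 = """\
;; ANSWER SECTION:
udowzy.torrence-family.com. 5 IN A 24.178.100.28
udowzy.torrence-family.com. 5 IN A 24.13.123.241
udowzy.torrence-family.com. 5 IN A 198.51.100.7
udowzy.torrence-family.com. 5 IN A 203.0.113.42
udowzy.torrence-family.com. 5 IN A 198.51.100.99
"""

# Constructed control: one long-lived A record on a TEST-NET address.
DIG_CONTROL = """\
;; ANSWER SECTION:
www.example.com. 3600 IN A 192.0.2.1
"""

A_RECORD = re.compile(
    r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$')


def parse_a_records(dig_text):
    """Return [(owner, ttl, ip_string)] for every A record in dig's output."""
    records = []
    for line in dig_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            ipaddress.IPv4Address(m.group('ip'))  # raises on a malformed address
            records.append((m.group('name'), int(m.group('ttl')), m.group('ip')))
    return records


def fast_flux_indicators(records, max_ttl=300, min_hosts=5):
    """Score one snapshot: tiny TTLs, many hosts, and hosts spread across
    many /16s together are the fast-flux signature. Thresholds are assumptions."""
    ips = {ip for _, _, ip in records}
    ttls = [ttl for _, ttl, _ in records]
    slash16s = {'.'.join(ip.split('.')[:2]) for ip in ips}
    low_ttl = bool(ttls) and min(ttls) <= max_ttl
    many_hosts = len(ips) >= min_hosts
    spread = len(slash16s) >= max(2, len(ips) // 2)
    return {
        'min_ttl': min(ttls) if ttls else None,
        'hosts': len(ips),
        'networks': len(slash16s),
        'low_ttl': low_ttl,
        'many_hosts': many_hosts,
        'spread': spread,
        'fast_flux': low_ttl and many_hosts and spread,
    }


def churn(old_records, new_records):
    """Compare two snapshots of the same name: how much of the A set rotated.
    A CDN rotates too, but not 60% of its pool every TTL."""
    old = {ip for _, _, ip in old_records}
    new = {ip for _, _, ip in new_records}
    return {
        'added': sorted(new - old),
        'dropped': sorted(old - new),
        'fraction_new': len(new - old) / len(new) if new else 0.0,
    }


if __name__ == '__main__':
    snap1 = parse_a_records(DIG_SNAPSHOT_1)
    print(fast_flux_indicators(snap1))
    print(churn(snap1, parse_a_records(DIG_SNAPSHOT_2)))
    print(fast_flux_indicators(parse_a_records(DIG_CONTROL)))
```

    Run it against `dig` output captured a few times a minute apart and the churn figure is what tells a zombie ring apart from a legitimate round-robin: the page's listings have the low TTL and the residential spread, and the post itself observes the hosts rotating.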
  14. shmengie

    [Resolved] Those crafty spammers

    Do you think it's possible that Tucows came to the rescue here? I see the whois record for torrence-family.com last Updated Date: 26-jul-2005. That's about the right time for all records to be stale now. I sent a letter to Tucows Saturday. I suspect they have few if any weekend warriors. All day Monday it would have been working its way through their slew of mail... Tuesday somebody did something. Ratz, now I wish I had reported this to the FBI first. Thought of them last.... I did want the FBI to track 'em down, but I suspect that may have been difficult even w/excessive resources. That's one of the most impressive spammer schemes I've seen.
  15. shmengie

    [Resolved] Those crafty spammers

    I received a spam from Taiwan. I don't know anyone over there, so it's a safe bet it was supposed to be spam. I think this falls under the category of crafty spammer, so I'm re-using this thread. I couldn't help but find this spam interesting. Don't know how many of you enjoy programming, but the codes used for subject/date etc... are somewhat fascinating to me. It looks like the spam template was used, but no spam content replaced the macro fields. The subject looks like the spammer's Bayesian work-around.

    Subject: STR_RNDLEN(2-4)}{EXTRA_TIME_4} {WORD}
    Date: {DATE}
    MIME-Version: 1.0
    X-Mailer: Microsoft Office Outlook, Build 11.0.5510
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    Thread-Index: {ALNUM[36-36]}
    Content-type: multipart/related; boundary="{_BOUNDARY_RELATED}"

    --{_BOUNDARY_RELATED}
    Content-Type: text/html; charset="Windows-1251"
    Content-Transfer-Encoding: 7bit

    {BODYHTML}
    --{_BOUNDARY_RELATED}
    Content-Type: image/jpg; name="{LC_CHAR[7-7]}.jpg"
    Content-Transfer-Encoding: base64
    Content-ID: <{_UC_CHAR[20-20]}>

    {JPEG:/home/larry/baner.jpg:q80cg8cc5}
    --{_BOUNDARY_RELATED}--
    .
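    Editor's added example (not part of shmengie's post): a misfired template like the one above is an easy thing to detect at the mail gateway, because no real mailer ever emits "{DATE}" in a Date: header. The Python below splits a raw message at the first blank line, finds mailer-macro tokens of the forms `{NAME}`, `{_NAME}`, `{NAME[m-n]}` and `{NAME:arg:arg}` seen in the post, plus the orphaned `STR_RNDLEN(2-4)}` whose opening brace was lost, and flags the message when any macro survives in the headers or several distinct ones survive in the body. The sample message is the post's template retyped; the control message, the macro grammar and the body threshold of three are assumptions.

```python
import re

# Constructed sample: the unexpanded spam template quoted in the post above,
# retyped as a raw message (headers, blank line, body).
SAMPLE_MESSAGE = """\
Subject: STR_RNDLEN(2-4)}{EXTRA_TIME_4} {WORD}
Date: {DATE}
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: {ALNUM[36-36]}
Content-type: multipart/related; boundary="{_BOUNDARY_RELATED}"

--{_BOUNDARY_RELATED}
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit

{BODYHTML}
--{_BOUNDARY_RELATED}
Content-Type: image/jpg; name="{LC_CHAR[7-7]}.jpg"
Content-Transfer-Encoding: base64
Content-ID: <{_UC_CHAR[20-20]}>

{JPEG:/home/larry/baner.jpg:q80cg8cc5}
--{_BOUNDARY_RELATED}--
"""

# Constructed control: an ordinary message whose body happens to contain one
# brace token. A single token in a body must not trip the check.
CONTROL_MESSAGE = """\
Subject: build notes
Date: Thu, 28 Jul 2005 02:50:11 -0500

The config loader still chokes on {TODO} markers in templates.json.
"""

# Mailer-template macros: {NAME}, {_NAME}, {NAME[m-n]}, {NAME:arg:arg}.
MACRO = re.compile(r'\{(_?[A-Z][A-Z0-9_]*)(?:\[\d+-\d+\])?(?::[^}\n]*)?\}')
# A macro whose opening brace was lost, e.g. "STR_RNDLEN(2-4)}" in the subject.
ORPHAN = re.compile(r'\b[A-Z][A-Z0-9_]*\([^)\n]*\)\}')


def split_message(raw):
    """Split a raw RFC 822 message into (headers, body) at the first blank line."""
    head, sep, body = raw.partition('\n\n')
    return head, (body if sep else '')


def find_macros(text):
    """Return macro names found in text, in order of appearance, without the
    leading underscore some generators use for internal variables."""
    return [m.group(1).lstrip('_') for m in MACRO.finditer(text)]


def classify(raw, body_threshold=3):
    """Flag a message whose template macros were never expanded.

    Any macro in the headers is decisive. In the body, require several
    distinct macros so a stray "{TODO}" in a normal mail is not flagged.
    The threshold value is an assumption."""
    headers, body = split_message(raw)
    header_macros = find_macros(headers)
    body_macros = find_macros(body)
    orphans = ORPHAN.findall(headers) + ORPHAN.findall(body)
    suspicious = (bool(header_macros) or bool(orphans)
                  or len(set(body_macros)) >= body_threshold)
    return {
        'header_macros': header_macros,
        'body_macros': body_macros,
        'orphans': orphans,
        'names': sorted(set(header_macros) | set(body_macros)),
        'verdict': 'unexpanded-template' if suspicious else 'clean',
    }


if __name__ == '__main__':
    for name, msg in (('sample', SAMPLE_MESSAGE), ('control', CONTROL_MESSAGE)):
        print(name, classify(msg))
```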
  16. shmengie

    Russia’s Biggest Spammer Brutally Murdered

    ppl die, it's a fact of life. If karma had anything to do with it, all spammers would be dead already. Being that this particular incident could have happened to a nicer guy, I'm glad it didn't... But then when it happens to nicer guys, you typically don't hear about it.
  17. shmengie

    [Resolved] Those crafty spammers

    Crafty spammer. Their zombies are performing nameserver duties and serving up web pages. Using either of the IP addresses for web page and domain lookup produces the same results on all of the robot zombies. I wrote a tiny little Python program and every one of them dishes up the same web page. I had thought they might be doing some kind of redirection, but that's not the case. I did run through all the pages and placed a bogus order. Minor note: It sez credit card info is being gathered on secure 128-bit encryption. Lies of course. It also stated that my IP address 24.xxx.xxx.xxx was being recorded for security purposes. My IP does not begin with 24.... looked like static text. Most of the links they use end in .php?, which is there to further convince ppl it's a real web server, I guess. These zombies all collect credit card info from the unsuspecting foo that think this is legit. There must be a method of sending the credit card info back to the culprits. Probably the same way that the zombies know which other zombies are up and running. Very impressive trojans tho. Kudos to the spammer, they've got anonymity out the yin-yang going on here.
  18. shmengie

    Bad Idea

    I know it's a bad omen, but I've enjoyed the lowest-spam day this year with a record low of 18 spams received for Wednesday June 20, which is about half my daily average for the past 3 months. Perhaps I should kneel down and pray for a continued lull.
  19. shmengie

    Bad Idea

    Yeah, I knew it wouldn't last, but a day w/only 18 was a nice treat from the typical barrage of spew. Thursday the 21st was average, w/35 spams received. Guess... I didn't pray loud enough. As best I can gather, there is no use in trying to identify a pattern to spam; it's just there in heaps or it's just there.... hopefully only a trickle. Nonetheless, I still look for patterns. The past three weeks Wednesday has been the lowest-spammed day of the week for me. But it was only a month ago Wednesdays were the worst day of the week. Based on the past two weeks however Thursday has been the overwhelming spam day. But this particular Thursday was average.
  20. shmengie

    Block and whitelist our domain

    I'm at a loss here, how does quick reporting increase this probability? Guess #1: some submissions to SpamCop aren't spam? and the cancel sending button is the salvation mechanism. Guess #2: SpamCop parses e-mail identifying your ISP as the sender of spam due to forwarding mechanisms in place.
  21. shmengie

    Block and whitelist our domain

    Use the Block Lists. This will greatly reduce the spam received (and bandwidth consumed) and have no effect on legit e-mail. I do not own a server w/which to implement the Block Lists, but have stood over others' shoulders while they do. In order to implement them read the FAQs http://www.spamcop.net/fom-serve/cache/290.html http://spamhaus.org -- Quick reporting may also be a SpamCop option you may want to explore. I wrote a program to report spam, much like what SpamCop does. I also want to report to SpamCop, so their filters would be aware of my spam sources. Quick reporting is an ideal solution for my needs. -Joe
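    Editor's added example (not shmengie's code, nor SpamCop's or Spamhaus's): what "using the Block Lists" looks like inside a mail server. A DNSBL is queried by reversing the client's IPv4 octets, appending the zone (bl.spamcop.net and zen.spamhaus.org are the zones behind the two links above) and doing an A lookup; an answer in 127.0.0.0/8 means listed, NXDOMAIN means clean. The Python below builds the query, refuses to leak RFC 1918 and loopback addresses to a third party, discards answers outside 127.0.0.0/8 (a lapsed or wildcarded zone would otherwise list the whole Internet), and turns the hits into an SMTP-time decision. The Spamhaus return-code meanings are as published by Spamhaus and should be checked against their current documentation; the reject/accept policy and the offline listings table (TEST-NET addresses) are assumptions.

```python
import ipaddress
import socket

# DNSBL zones behind the two links in the post (SpamCop and Spamhaus ZEN).
ZONES = ('bl.spamcop.net', 'zen.spamhaus.org')

# Spamhaus ZEN return codes as published by Spamhaus (assumption: verify
# against the operator's current documentation before relying on them).
# SpamCop answers 127.0.0.2 for any listing.
ZEN_MEANING = {
    '127.0.0.2': 'SBL: verified spam source',
    '127.0.0.3': 'SBL CSS: snowshoe / low-reputation sender',
    '127.0.0.4': 'XBL: exploited or infected host (127.0.0.4-7)',
    '127.0.0.10': 'PBL: end-user space that should not send mail directly',
    '127.0.0.11': 'PBL: ISP-maintained end-user space',
}
LOOPBACK = ipaddress.IPv4Network('127.0.0.0/8')
# Never sent to a DNSBL: the answer is meaningless and the query leaks
# internal numbering to a third party.
NEVER_QUERY = [ipaddress.IPv4Network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16')]


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone:
    192.0.2.10 in bl.spamcop.net -> '10.2.0.192.bl.spamcop.net'."""
    addr = ipaddress.IPv4Address(ip)
    return '.'.join(reversed(str(addr).split('.'))) + '.' + zone


def system_resolve(name):
    """Real A lookup via the OS resolver; raises socket.gaierror on NXDOMAIN."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def check(ip, zones=ZONES, resolve=system_resolve):
    """Return {zone: [codes]} for every zone that lists ip."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in NEVER_QUERY):
        return {}
    hits = {}
    for zone in zones:
        try:
            answers = resolve(dnsbl_name(str(addr), zone))
        except socket.gaierror:
            continue  # NXDOMAIN: not listed in this zone
        # Only 127.0.0.0/8 answers carry meaning; anything else is a
        # wildcarded, parked or hijacked zone and must be ignored.
        codes = [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]
        if codes:
            hits[zone] = sorted(codes, key=ipaddress.IPv4Address)
    return hits


def decision(hits):
    """Assumed SMTP-time policy: reject on any SpamCop listing or a Spamhaus
    SBL/XBL code; a PBL-only listing is rejected unless the client
    authenticates (the usual treatment of dynamic-pool senders)."""
    if 'bl.spamcop.net' in hits:
        return 'reject'
    zen = hits.get('zen.spamhaus.org', [])
    for code in zen:
        last = int(code.split('.')[-1])
        if last in (2, 3) or 4 <= last <= 7:
            return 'reject'
    return 'reject-unless-authenticated' if zen else 'accept'


def fake_resolver(listings):
    """Offline stand-in for system_resolve backed by a constructed table."""
    def resolve(name):
        if name in listings:
            return listings[name]
        raise socket.gaierror(-2, 'Name or service not known')
    return resolve


# Constructed listings on TEST-NET addresses; not real DNSBL data.
SAMPLE_LISTINGS = {
    '10.2.0.192.bl.spamcop.net': ['127.0.0.2'],
    '10.2.0.192.zen.spamhaus.org': ['127.0.0.10', '127.0.0.4'],
    '20.2.0.192.zen.spamhaus.org': ['127.0.0.11'],
    '30.2.0.192.bl.spamcop.net': ['203.0.113.5'],  # wildcarded-zone answer
}

if __name__ == '__main__':
    offline = fake_resolver(SAMPLE_LISTINGS)
    for client in ('192.0.2.10', '192.0.2.20', '192.0.2.30', '192.168.1.112'):
        hits = check(client, resolve=offline)
        print(client, hits, decision(hits))
```

    Pass `resolve=system_resolve` (the default) to run real lookups; most DNSBLs, SpamCop and Spamhaus included, list 127.0.0.2 as a self-test entry, so `system_resolve(dnsbl_name('127.0.0.2', zone))` is the usual way to confirm a zone is reachable before trusting its NXDOMAINs.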
  22. shmengie

    Question for knowledgeable members

    I have an associate degree in "data processing." Since that degree focused primarily on COBOL programming back in the late 80's, I'd guess no chance of learning the intricacies of the Internet there. However, I was a lab tech in my college, which afforded me extra computer time and tinkering around with Unix. The Internet's childhood was spent mostly on Unix. The three-letter word www caused an Internet explosion, but there's still a lot that can be learned about the Internet from Unix or its modern-day clone: Linux. I can't imagine what learning computer stuff is like these days, there's so much to take in. Being a computer enthusiast since about 1980, I've had the opportunity to slowly soak in all that I have. I recommend getting started with Linux ASAP... Also, learn to type w/out looking at the keyboard!
  23. shmengie

    Getting removed from unsolicited E-mails

    I was receiving an average of about 40 spams a day. I was so tired of it, I thought I'd try using all of the unsubscribe links... for about a day I unsubscribed. Two months later I was receiving an average of about 80 spams a day. Unfortunately, I can only guess this is the consequence of the effort.
  24. shmengie

    who would spam a sneakemail?

    <pilot lite on> It wouldn't make sense to me. But then, neither does "everdialman"'s posting. Somehow the address got nabbed by a spammer. By the sounds of it, Jank1887 was very careful not to use that address for anything other than electronic billing. I can't begin to fathom who is culpable for this issue. However, I'm sure I had nothing to do with it <pilot lite off>
  25. shmengie

    Microsoft's fan club

    Today, I woke to a slight increase in spam. But this one about Microsoft is a little relief from the typical Cialis/teen sex/(final notice) mortgage flavored spam. Microsoft has really peeved the spammer, cuz he's crying Microsoft spams and Microsoft products should be boycotted. LOL, I've only received spam from Microsoft when I asked for it... And when I said no more, that's what I got, no more. Spammers live in the alternate reality where what they do is to be blamed on others and no means log(yes). The sad part is that some ppl will agree with the spammer and continue to buy spammed products.