shmengie

Members
  • Content Count: 97
Everything posted by shmengie

  1. I can't locate a registrar for this domain. It's a virus/trojan hosted domain, so you need to prefix the domain with anything. nslookup spammer.vronaholiday.com locates the usual 4-5 virus-infected machines. I cannot locate the registrar, so I cannot combat this bastage. ![at]#$%[at]#!
  2. shmengie

    PriceWatch

    FWIW: I use http://www.pricewatch.com, which usually finds excellent prices.

    Moderator edit: this post was originally a reply to a different thread. A link to the original thread can be found in Jeff G.'s post below.
  3. shmengie

    Pinned FAQ pointers

    It's not necessarily a better idea, but makes sense to me: Instead of having forum.spamcop.net point directly to this bulletin board, have a two choice/path link to either enter the board or view FAQs laid out in FAQ fashion. There are many boards. And I personally don't feel comfortable with FAQs posted on bulletin board systems. I suspect that is why there are a few complaints. This sounds like a lot of web work to me, so I wouldn't necessarily recommend it, unless you've got time coming out of the wazoo for such implementation. I wouldn't expect you to have so much ambition, unless you're being paid to maintain this information. Then I would expect it. All things considered, I think it is all well and good. Don't take the complaints too personally, people whine. It's a part of our nature.
  4. shmengie

    vronaholiday.com, what the F....

    A new domain popped up on the spam-dar today. ineedu2nite<dot>com Same spiel... botnet enabled. The domains I've reported to enom, valneedbreaks, vronaholiday, qazwinner are still operational, AFAICT, so I reported enom to ICANN. I figure it is not worthwhile expecting any action.
  5. shmengie

    Now I've done it

    My Junk mail reception has increased threefold the past two days. The volume of typical spam seems average. There's a slew of what I can only consider to be spam, but its origin appears to be from semi-legitimate sources. I must have really aggravated a spammer. In turn, they have some sort of web crawler running around the web signing me up to be spammed by domains who accept e-mail addresses on their webpages. I feel a little guilty reporting all this rubbish as spam, but I didn't subscribe for this crud. Today, I've received 50 spams and it's not even Noon yet. For the past 30 days I've been enjoying a relatively low volume of spam, with a maximum of 34 spams in one day and as few as 9 on several days. Oy! Am I the only victim? Are there any others being harassed in this fashion? -Joe
  6. shmengie

    vronaholiday.com, what the F....

    I found this spam a little interesting. http://www.spamcop.net/sc?id=z822460225za1...98736812e39ac2z The domain afunfakes<dot>com does not appear to be hosted by the botnet, but the spam bears a striking resemblance to the recent deluge of botnet referenced spams. Random(ized) machine name is the first clue. Second clue is the fact that it's advertising a live smut cam. The whois info appears slightly different, though bogus, nonetheless.
  7. shmengie

    vronaholiday.com, what the F....

    In case you, Redstone or orion might find it useful, here's the python script I use to verify this botnet. It also contains a list of other domains used by this botnet, many of which have been closed by their registrars. I've only recently reported adultactioncam/cash to their registrars, but they aren't hosted in this fashion, so I have no idea what may come of that. Tucows is pretty good about shutting down spammed domains. Yesnic closed one set of domains, but the most recent ones seem to be left unattended by them. It's funny, dates4funz.com registered at directi.com was reported. They effectively told me to write the spammers and complain because they were only registrars. I told 'em I didn't think it would be in my best interest to do that. Then they said there was no "A" record... Duh... The spammers seemed to have dropped that domain in favor of vrona and vallneed.... so I guess it doesn't matter. I'm hoping google will step up to the plate and help with this foobaz. I wrote them today, because ns1 & ns2.google.com were referenced in one of the whois infos for the rogue domains. I doubt it, but nobody else (namely the FBI or one of the big ISPs whose customers are infected) will step up to the plate and tackle this issue.

    """
    SpamResearch.py minimal web surfer helps verify virus infected computers are hosting rogue domain web-sites.
    It runs nslookup on the domain of a url, web queries each ip listed, reports ip, reverse DNS lookup and size of web result for each address.
    """
    # Python 2 syntax, as posted
    import socket, sys

    # earlier targets, kept commented out for reference
    #url = 'http://bogus.torrence-family.com/drugs'
    #url = 'http://www.access-authorization.com/ebayauth/'
    #url = 'http://bullwhack.torrence-store.com/farm/?bridgewater=bwligbreak'
    #url = 'http://www.nelema.com/ph/'
    #url = 'http://www.teljar.com/u.php'
    #url = 'http://www.pexetr.com/pt/'
    #url = 'http://mnm.datesulook4.com/extra/angelsweet3/getmeoff.php'
    #url = 'http://ucvihi.datesulook4.com/extra/angelsweet3/getmeoff.php'
    #url = 'http://oimt.datesulook4.com/extra/angelsweet3/getmeoff.php'
    #url = 'http://qgqsb.datecravings.com/extra/angelsweet3'
    # each assignment overrides the previous one; the last line is the active default
    url = 'http://ns.cucumberdns.net'
    url = 'http://ubseiz.flower-bed.biz'
    url = 'http://ns1.cucumberdns.com'
    url = 'http://asdf.vronaholiday.com'
    url = 'http://www.DATES4FUNZ.COM'
    url = 'http://ns1.postik.net'
    url = 'http://ns1.vronaholiday.com'
    url = 'http://nbzrw.vronaholiday.net/extra/brokenlove3/'
    url = 'http://bpx.vallneedbreaks.com/ja1'
    url = 'http://ns1.vewwopy.com'
    url = 'http://ns1.toperyip.com/ja1'

    if len(sys.argv) >= 2:      # use 1st parameter if one passed,
        url = sys.argv[1]       # instead of hard coded url

    # pull the host name out of the url (between '//' and the next '/')
    dstart = url.find('//') + 2
    dend = url.find('/', dstart)
    if dend == -1:
        dend = len(url)
    domain = url[dstart:dend]
    print url

    # resolve the name to every A record it currently has
    domain, alias, addresses = socket.gethostbyname_ex(domain)
    print domain, alias

    command = 'GET'
    result = ''
    for address in addresses:
        print "%-16s" % address,
        try:
            # fetch the page from this particular address on port 80
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(15)    # added: don't hang forever on a dead host
            s.connect((address, 80))
            s.send(command + ' ' + url + '\n')
            result = ''
            while True:
                data = s.recv(8196)
                if not data:
                    break
                result = result + data
            s.close()
            # reverse DNS of the address, then the size of what it served
            print '%-45s' % socket.gethostbyaddr(address)[0],
            print 'returned %d bytes' % len(result)
        except Exception:
            print 'Failed'
    print 'Last result\n:'
    print result

    Moderator edit: change {code} to {codebox} to save screen space
  8. shmengie

    vronaholiday.com, what the F....

    It's interesting, valneedbreaks was spammed to me too, today. October 24, 2005, Monday 12:00pm -500 Breaking news!

    url = 'http://ns1.toperyip.com/ja1'
    url = 'http://ns1.vewwopy.com'

    http://ns1.toperyip.com/ja1
    ns1.toperyip.com []
    68.63.20.36      pcp01567266pcs.hlcrs201.al.comcast.net        returned 201 bytes

    These two new domains both resolve to the same ip address and were referenced in the whois info for vallneedbreaks. I'm betting this ip address is being used to establish the dns hosts for this virus. The two tucows domains are listed as dns servers for vallneedbreaks.com, but are not yet being used AFAICT. But there is a lot of guessing in that statement.
  9. shmengie

    vronaholiday.com, what the F....

    This is that virus hosted gig. There are about 20 to a million computers infected with this virus/trojan. It must use some kind of irc ring to keep track of which computers are infected. There's no way to shut this thing down, other than report the domain names used to the registrars, because it's not actually hosted by any given isp. If you nslookup the domain, you'll get 5 ip addresses. These addresses change frequently. They've switched from past behaviour somewhat. They used to use the same domain name for their name servers. Now they have 3 domains that are listed as the DNS server domains. All of which are also hosted on virus/trojaned computers. If you look up the DNS servers, you get about 20. Every computer listed is dsl/cable, so I assume it is safe to assume this is a virus/trojan at work. I've reported all the domains I could identify to their registrars. Unfortunately, yesnic.com and the other, enom, appear to be very slow to respond. Porn, ebay phishing and a few other scams have been hosted in this fashion, by these criminals. Notify the FBI, maybe they'll listen, if enough people complain. They seemed to have ignored my reports. I've run to everyone I can think of in regard to this issue. Nobody seems to understand or, worse, they simply don't care.

    http://nbzrw.vronaholiday.net/extra/brokenlove3/
    nbzrw.vronaholiday.net []
    68.61.247.99     pcp01188935pcs.strl401.mi.comcast.net         returned 42825 bytes
    68.63.20.36      pcp01567266pcs.hlcrs201.al.comcast.net        returned 42825 bytes
    12.217.64.216    12-217-64-216.client.mchsi.com                returned 42825 bytes
    24.10.176.110    c-24-10-176-110.hsd1.ut.comcast.net           returned 42825 bytes
    24.92.42.34      cpe-24-92-42-34.nycap.res.rr.com              returned 42825 bytes

    The one time I followed links on one of their scams, it said it was collecting bank account information via secure https, though it didn't. The bank info was returned to the virus infected machines. Anyone stupid enough to give real bank account information will undoubtedly suffer consequences.
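The hosting pattern described in this post and in the SpamResearch.py output in the earlier post (one name answered by several residential-looking addresses on different networks, all serving a reply of the same size, with the address set changing between lookups) can be checked mechanically. The following is an added example, not the poster's script: it parses report lines in the format that script prints and applies the post's own heuristics; the residential hostname hint list, the grouping by first two octets and the churn threshold are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample input: the report lines quoted in the post above for
# nbzrw.vronaholiday.net (address, reverse DNS name, size of the HTTP reply).
SAMPLE_OUTPUT = """\
68.61.247.99     pcp01188935pcs.strl401.mi.comcast.net   returned 42825 bytes
68.63.20.36      pcp01567266pcs.hlcrs201.al.comcast.net  returned 42825 bytes
12.217.64.216    12-217-64-216.client.mchsi.com          returned 42825 bytes
24.10.176.110    c-24-10-176-110.hsd1.ut.comcast.net     returned 42825 bytes
24.92.42.34      cpe-24-92-42-34.nycap.res.rr.com        returned 42825 bytes
"""

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+returned (\d+) bytes")

# Substrings common in reverse DNS names of consumer DSL/cable lines.
# Assumed heuristic list for this example, not an authoritative one.
RESIDENTIAL_HINTS = ("pcs.", "hsd", "cpe-", "res.rr.com", ".client.",
                     "dsl", "cable", "dyn", "pool", "dhcp")

def parse_output(text):
    """Turn the script's report lines into (ip, rdns, reply_size) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3))))
    return rows

def looks_residential(rdns):
    """True if the reverse DNS name looks like an end-user broadband line."""
    return any(hint in rdns.lower() for hint in RESIDENTIAL_HINTS)

def triage(rows, min_hosts=4):
    """Flag a name whose A records sit on several consumer networks yet all
    return a reply of the same size: the pattern the post describes."""
    ips = sorted({ip for ip, _, _ in rows})
    residential = sum(1 for _, rdns, _ in rows if looks_residential(rdns))
    # first two octets as a cheap stand-in for "different ISP allocations"
    networks = {".".join(ip.split(".")[:2]) for ip in ips}
    sizes = Counter(size for _, _, size in rows)
    identical = len(sizes) == 1 and len(rows) > 1
    suspicious = (len(ips) >= min_hosts and residential >= 0.8 * len(rows)
                  and len(networks) >= 3 and identical)
    return {"hosts": len(ips), "residential": residential,
            "networks": len(networks), "identical_reply": identical,
            "suspicious": suspicious}

def churn(previous, current):
    """Fraction of the current address set not seen in the previous lookup;
    the post notes the addresses change often, so high churn is a second
    indicator on top of triage()."""
    previous, current = set(previous), set(current)
    return len(current - previous) / len(current) if current else 0.0

if __name__ == "__main__":
    rows = parse_output(SAMPLE_OUTPUT)
    print(triage(rows))
    # a later lookup of the same name, constructed with one overlapping address
    later = ["68.63.20.36", "71.96.15.218", "24.11.214.98", "68.203.184.97"]
    print(churn([ip for ip, _, _ in rows], later))
```

Feeding the script's output for a name into `parse_output` and `triage`, and two successive lookups into `churn`, gives a repeatable basis for a registrar or abuse report instead of a hand-read listing.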
  10. shmengie

    vronaholiday.com, what the F....

    Thanks Wazoo, Guess it just took a while for that information to be published. I moaned at enom in regard to this fact. -Joe
  11. shmengie

    vronaholiday.com, what the F....

    Well, you can report all the infected machines until you turn blue... ISPs have a hard enough time resolving spamming client issues. Clients hosting DNS/Webservice trojans/viri seem to go unattended. I'm tempted to write a report bot, but fear the consequences of such an endeavor. I guess it will require contacting the admin of the root servers, and getting this thing delisted. Argh, I don't feel like taking on that much work. -- Oh, FWIW, traceroute is unimportant. You're tracing the route to only one of the infected hosts, which is likely a DSL/cable subscriber. The DNS servers are all virus/trojan servers too. I've reported the domains that they live by (ns1.cucumberdns.net, ns2.postik.net, ns2.cucumberdns.com) to yesnic.com But yesnic.com is slow to respond. Well, they don't bother responding to me. They did eventually take down the last set of domains I reported though. (listen2me.net and alwaysfirst1.net) were the first set of DNS servers I discovered propping up the virus/trojan hosted web servers. Seems these criminals have changed from one set of infected hosts providing both DNS and Web services, to now using one set for DNS and another set for Web services, or they just use different domain names for the differing services. You probably can still query the web servers for DNS info. I doubt the trojan cares which domain it responds from/to.
  12. shmengie

    I'm a spammer . . . NOT!

    I can't speak for wazoo, but I know it's hard to deal with the same questions repeated often. I used to work with a girl in a bank office building. She would ask the same question 4 - 5 times before the next week would roll in and a new question received the same treatment. Though you haven't asked the same here, yourself, it bears similarity. In the end, it is 100% probable a virus is the conduit by which you have been inducted into the realm of increased spam. Unfortunately, that says very little for you personally, other than you're another victim. The virus does not need to exist on your equipment for it to have this effect. Someone who has you in their address book or has received mail with your address in it, is likely compromised. It's important to be aware of the state of your own equipment, but there is little you can do to protect your e-mail sent from falling into the abyss. It sux. 'Nuff said. Hate spammers, because they love it.
  13. shmengie

    I'm a spammer . . . NOT!

    You know.... McAfee is good. But it ain't perfect. None of the virus scanners are. Norton may be the worst, but for some reason I placed a false trust in it. A friend of mine had caught a virus, or actually very many. Norton was kept up to date, so I had assumed it was something else that stopped his machine from booting. He reported no unusual circumstance, he shut down as usual and next boot it simply refused. The registry was corrupted, and the best guess I could fathom was that it was not being closed properly. I took his word that he was doing everything proper, and resolved the registry issue, which was no easy chore. All was well for a few months and the same thing happened again. Again, virus updates in place, no unusual circumstance, etc. etc... The registry again was corrupted. Turns out several viruses were infecting this machine. Yet Norton said it was clean. clamwin.com's free antivirus found the most abuses of this machine. Microsoft's beta spyware found a couple. And AVG's personal free virus detection found one or two that clamwin ignored. I can't stand either Norton or McAfee, they are very intrusive, but they are more complete solutions than clamwin. AVG seems quite good, but nearly as annoying as Norton and McAfee. I hardly ever remember to run a virus scanner on my machine, but *I know* I keep it clean. I never, ever click on attachments whose purpose I don't know exactly. I don't allow rogue browser add-ins to ever be installed. (ok, I caved and let flash on board, but I hate it, so I uninstall it every so often too. I've got a peppy machine, but flash simply eats too much memory). I've been a computer geek for 20 and some odd number of years. I can get away with this act of stupidity. I would never recommend it to another. The moral: unless you know your machine is clean, it's possible it is not. Right now, there are spambots, several domains and name servers hosted on virus infected machines. It's disgusting! I can't put an end to it, which is very frustrating.
  14. shmengie

    Now I've done it

    Muahahahahahahahaha!!! Brainstorm! Thunderbird files spams nicely into a folder for me. I've been cutting and pasting spams into my reporting machine. But!!! I've been doing it the hard way! I can read the Thunderbird Junk file and completely automate spam reporting. Although it's a relatively simple task to cut/paste, it is time consuming. Complete automation requires better filtering though, I've used the cut/paste method to avoid reporting mis-files. Hmmm... I'll get this figured out and spend less time reporting yet!
  15. shmengie

    Now I've done it

    I may be grasping at straws here. Starting to believe that someone I know has recently contracted a new infection or strain of trojan and this e-mail has consequently ended up on a new (to me) spammer's list. There is also a possibility that one ISP has changed their filtering practices.... hmmm. Although these spams seem to be more legit than my past experiences, validity has not been researched to verify one way or another. Saw a few addresses today originating from, and containing links that resolve to, the same domain. Time must be allocated to research who what where when. This seems to be an atypical spammer tactic. The to/from addresses used are old, names changed since, etc... So I'm still guessing at what's going on. Ratz man! I don't want to be in the 100-150 spams a day league. It's got me thinking about ways to re-write my reporting machine to further expedite the reporting process.
  16. shmengie

    onguardonline.gov

    The government and some partners put this one together. Probably nothing new for most of you. I think it's a good thing. The next time you encounter a newb who needs to know potential online issues, you can point them here http://onguardonline.gov
  17. shmengie

    No disrespect

    I bet the plaintiff was overweight and they were pronouncing it keyMOO slobby. LOL Sorry, I go now.
  18. shmengie

    Is it really doing any good?

    I've gotten into the habit of sending reports directly to ISPs myself. I don't munge. I may have had an increase in spam because of this, but that's a *grey* area, because there is no way to actually correlate spam volume to real world activities, other than guesstimation. It didn't seem like the volume of spam increased because of self reporting. It did seem like the volume of spam substantially increased when I tried unsubscribing from spammers via their links. I was getting so much, I figured it couldn't get worse. I was wrong. All of my ISPs are using blocking lists, so the volume of spam I receive has returned to about the level of 3-4 years ago. :-/ On the bright side, reporting spam directly, I get a few spits of good news. These guys impressed me, but they may be over eager to shut down spammers. Nonetheless, one report and bing-bang-boom, resolved. Though this address did resolve to 2 other ISPs as well as this one (I think). It's somewhat unusual for a spammer to host one domain on multiple ISPs.
  19. shmengie

    [Resolved] Those crafty spammers

    Received a response from yesnic.com Monday. The new site was down, but then Tuesday I received a new spammed url whose domain is also registered with Yesnic... http://www.pexetr.com/pt/ Wish someone would handle this zombie infestation.
  20. http://www.spamcop.net/sc?id=z789394833z4e...492f5c3aaea1d4z

    Name: accurate.torrence-family.com
    Address: 71.96.15.218, 24.11.214.98, 68.203.184.97, 69.76.69.208, 70.92.245.129

    The nslookup on the domain accurate.torrence-family.com frequently changes. I receive about 3 spams a week which reference domains resolving in this fashion. Spamcop identifies only one of the addresses per url listed. The posted tracking url had abuse[at]rr.com for one url in the spam and abuse[at]verison.net for the other url. My attempts to report these zombies have fallen on deaf ears at ISPs because they don't resolve to webservers in their farms. Since the ip addresses change frequently, they probably think I'm making this shiat up. I've tried to explain the issue, but my voice in this matter seems to be received by the deaf. The only other thing I can think of is to complain to the registrar. I've initiated communication with Tucows but I don't have high expectations. Best they can do is cancel the domain, I suppose. What are the odds of that happening?
  21. shmengie

    Is Yahoo losing it?

    What the ?????? I stumbled upon shopping.yahoo.com while analyzing prices for http://snapgear.store.yahoo.com/ (which btw, are some pretty awesome little VPN/firewall devices). Anyhow, if you use Firefox, like me, the site looks totally broken. I almost wrote cyberguard to tell them, but checked it out with IE and everything looked okay. I thought that was totally unacceptable. So I wrote yahoo, guessing [at] addresses I came up with marketing[at]yahoo.com and that has been bouncing back to the wrong mail server every 10 minutes, since. They don't even bother to include a 550 error. I thought yahoo was an Internet based company? Don't they know the rules???? WT? I guess that explains why I never bothered with yahoo much in the past. And certainly explains why I won't bother in the future.
  22. shmengie

    Is Yahoo losing it?

    Hi Andrew, ![at]#$^[at]!#$ never occurred to me to check Firefox settings. This reasonably sensible setting in Firefox does break the Yeahoo store:

    Tools/Options/Web Features
    [x] Load images
    [x] for the originating web site only

    Unchecking "for the originating web site only" fixes the issue I encountered. It's been so long since I checked that, I don't remember doing it, and now feel cattywampus for having unchecked it. -- However, I'm still receiving bounces for my incorrectly addressed marketing[at]yahoo.com complaint. Guess I've gotta kick my mailserver and tell it to quit trying to send, because it's not receiving the blow-back. -- I've formed the opinion Yeahoo is much smarter than I, because they have the art of misdirection employed well beyond my short term imagination.
  23. shmengie

    Is it really doing any good?

    There are alternatives to e-mail. Some better than others, but none are globally acceptable as a replacement. What I'm referring to is instant messaging. These applications are quite popular, not as wrought with spam as e-mail, and achieve the same basic functionality, and then some... However, Paranoid in his/her not so paranoid dissertation explained the state of affairs quite well, IMO.
  24. shmengie

    [Resolved] Those crafty spammers

    I had already sent an e-mail to abuse[at]yesnic.com After perusing their website, that's the only abuse address I could ascertain. Since it was probably late Friday GMT when I sent the e-mail, I don't expect to see the domain go down until sometime next week, if they file my report under spam. :-/ If that doesn't happen, I'll follow Jeff's (err.. aahh... did someone say, apostrophe?) advice
  25. shmengie

    [Resolved] Those crafty spammers

    Two new domains showed up today, hosted on compromised computers: www.nelema.com www.teljar.com pheromones anyone? Appears that the criminals have switched from Tucows to YESNIC for registrar.

    Domain Name: NELEMA.COM
    Registrar: YESNIC CO. LTD.

    These two were registered 10-Aug-2005