shmengie

Posts posted by shmengie


  1. OMG, the criminals expand their criminality

    Received an e-bay spoof. This one resolves to the web-bot.

    www.access-authorization.com/ebayauth

    Maybe e-bay will step up and help fight this plight.

    Name: www.access-authorization.com

    Addresses: 12.214.117.250, 62.195.145.140, 67.176.137.127, 68.73.144.101, 69.252.161.230

    peer: ('69.252.161.230', 80)

    pcp0012142052pcs.oakrdg01.tn.comcast.net

    Address: 69.252.161.230 returned 17397 bytes

    peer: ('12.214.117.250', 80)

    12-214-117-250.client.mchsi.com

    Address: 12.214.117.250 returned 17397 bytes

    peer: ('62.195.145.140', 80)

    i145140.upc-i.chello.nl

    Address: 62.195.145.140 returned 17397 bytes

    peer: ('67.176.137.127', 80)

    c-67-176-137-127.hsd1.il.comcast.net

    Address: 67.176.137.127 returned 17397 bytes

    peer: ('68.73.144.101', 80)

    adsl-68-73-144-101.dsl.ipltin.ameritech.net

    Address: 68.73.144.101 returned 17397 bytes


  2. I almost hate new computers because they come with so much "cheezy wares".

    My first guess is it's checking for updates or something of that nature or quite possibly your laptop mfg. is outsourcing updates/alerts w/yahoo or possibly a Multimedia application trying to grab ads and/or other content.

    Though zone alarm should inform you which program is trying to get to the outside world.

    Often when I work with a new computer I spend 95% of the first two hours uninstalling all the cheezy wares. Because there are hardware-specific wares typically bundled with laptops, it's difficult to start out with a delete-*everything*-and-reinstall. Though this is potentially quicker than the uninstall route, it's less advantageous in the long run because it takes time to locate all the "hardware specific" stuff.

    I recommend running thru add/remove programs and removing all of which you're not going to use and most of which you probably will not use. The stuff you don't know what it is can be a little bit of a gamble. If it's something you actually do need, it shouldn't be very difficult to get back on, but it's better to remove the rubbish when you first get started, IMO. Worst case scenario, you can start completely over from scratch with the rescue disk supplied.

    Personally, I wish they'd let you install the rubbish after you turn it on, but that's not the current trend with most OEM computers.


  3. This doesn't fit the topic of this thread, but here goes...

    I've just received a spam that had 3 other sites that were not really advertisements and had nothing to do with the spam. :angry: (I took the liberty of sending targeted based on the addresses that SpamCop used to send the initial reports...)
    Spammers do that often... Why??? I dunno.

    Some include anchored links around nothing so they're not visible in HTML rendered text but point to other domains??? (ones they hate?)

    Some include domains that don't resolve???

    Not sure what to do about the ones that obfuscate the spamvertized site by forcing a direct search engine match thru google or yahoo. I usually report to google and/or yahoo so they receive notification, as well as the ISP hosting the actual spamvertized site.


  4. How about every time you get a spam advertising that domain?

    It's been done, ad infinitum, spam keeps coming...

    I haven't received a spam referencing torrence-store.com so I have not reported it.

    Can't get China, Korea, Russia (ASIA for that matter) to quit providing web-space to spammers. Reporting seems merely an exercise for the tenacious.

    The volume of spam I receive has dropped to 1/2 lately. It seems as though I may have been taken off "a" spammer's list by reporting the torrence-family.com to everyone I could fathom. Seems unlikely I will receive a spam referencing the family "store."

    In order for these domains to get a hook into the DNS system, the spammer probably has to expose themselves in a window of potential identification. Once the domain is running around loose on the web, they can cut the ties and enjoy pure anonymity.

    In either event, I think this spammer is a blatant criminal, using the uneducated public to host web pages on their computers.

    I'm tempted to take a proactive stance. If I can get a spammer shutdown, I'm inclined to do so...

    I've reported the web-bots to ISPs. I've tried to tell several ISPs how they could take a proactive stance. They seem to ignore my suggestions as well as the abuse reports.

    I reported several web hosting bots to ISPs and the only response I've received was "We don't host web sites on that address so your report is wrong." I promptly replied and believe my reply was promptly ignored.

    So if you get a spam that references a website, should you hold your breath until you get another referencing the same site? Q: Would you turn blue in the process? :ph34r:


  5. They cycle thru new zombies all the time.

    I'm guessing all the zombies communicate via an IRC ring. When one drops out (probably frequently since these hijacked computers are probably slow), a new one is more than willing to take its place. This makes it very difficult to report to ISPs because they are constantly changing. ISPs probably don't log the web traffic, so nonexistent logs make reference difficult.

    nslookup on an infected machine also reports the same addresses. Looks like the DNS records are all set to expire as soon as they're issued.

    Web browsing the 'domain' directly doesn't tell you which host you connect to, unless you're sniffing packets. Directly referencing IP addresses results in a disconnect/no data.

    I wrote this bare minimum web browser Python script to verify that each and every "server" returned web pages, by addressing each server directly and then issuing a GET for the URL, should you wish to check for your own amusement.

    SpamResearch.py

    import socket

    # Resolve the hostname, then fetch the same URL from every A record by
    # connecting to each address directly, so round-robin DNS cannot hide
    # which host actually served the page.
    domain = 'bullwhack.torrence-store.com'
    url = 'http://bullwhack.torrence-store.com'  # /farm/?bridgewater=bwligbreak
    _, aliases, addresses = socket.gethostbyname_ex(domain)
    # A minimal HTTP/1.0 request; the Host header lets a virtual-hosting
    # server pick the right site even though we connect by IP address.
    request = ('GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n'
               % (url, domain)).encode('ascii')
    for address in addresses:
        s = socket.create_connection((address, 80), timeout=10)
        print('peer:', s.getpeername())
        s.sendall(request)
        result = b''
        while True:
            data = s.recv(8192)
            if not data:
                break
            result += data
        s.close()
        print('Address: %s returned %d bytes' % (address, len(result)))
    #print('Last result\n:')
    #print(result)
    

    Heh, if it wasn't vigilantism (and I might get in trouble w/my isp), I'd write a script that sent an e-mail once a minute to the ISPs stating that such and such computer is serving spamvertized webpages.


  6. You mentioned that you browsed this domain and were redirected to another site, but I just don't see how that's been possible, at least over the last several hours.


    I'd be lying to you if I said I understood how this works, but digging (and nslookup too) on the fqdn bullwhack.torrence-store.com works even tho torrence-store.com doesn't ???????

    That doesn't fit my understanding of DNS resolution. Yet, looky there.

    $ dig bullwhack.torrence-store.com
    
    ; <<>> DiG 9.1.0 <<>> bullwhack.torrence-store.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17281
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;bullwhack.torrence-store.com.  IN      A
    
    ;; ANSWER SECTION:
    bullwhack.torrence-store.com. 5 IN      A       68.58.110.87
    bullwhack.torrence-store.com. 5 IN      A       68.254.114.243
    bullwhack.torrence-store.com. 5 IN      A       24.94.238.113
    bullwhack.torrence-store.com. 5 IN      A       24.194.147.92
    bullwhack.torrence-store.com. 5 IN      A       67.190.24.114
    
    ;; AUTHORITY SECTION:
    torrence-store.com.     7200    IN      NS      ns4.torrence-store.com.
    torrence-store.com.     7200    IN      NS      ns5.torrence-store.com.
    torrence-store.com.     7200    IN      NS      ns1.torrence-store.com.
    torrence-store.com.     7200    IN      NS      ns2.torrence-store.com.
    torrence-store.com.     7200    IN      NS      ns3.torrence-store.com.
    
    


  7. Looks like the same criminals at work.

    All web <quote>servers<quote> are running on hijacked dsl/cable computers.

    The whois record for both torrence-family and torrence-store indicate both domains were registered 11-Jun-2005 and last modified 26-Jun-2005.

    I don't have the energy at the moment to try and put an end to this one... Maybe tomorrow...

    Links on that page introduced "movienetworks.com" which is another domain I assume being run by these criminals, since it was registered... you guessed it, 11-Jun-2005.

    But it's hosted by internap.... ??? ....


  8. Hate when ppl fix stuff and don't bother to tell you.

    Reported until I was blue in the fingers on that one.

    Now I don't know how/why it was resolved, but it appears to be. If it happens again, do I have to go blue in the fingers to achieve resolution?

    FWIW... I've seen spam that resolved like that one for about 3-5 months passing by my spam reporting eyes. When I started this thread, I figured I'd try to put an end to it and tenaciously reported to everywhere/one I could fathom to get it to stop.

    Heh, I even blogged it, which made me feel a little better.

    http://spamnation.blogspot.com/

    Wish I would have assigned some blame to ISP's for the state of the spam (in the blog).


  9. These <quote> servers <quote> aren't necessarily sending spam. They host the web page/rogue dns servers that support this domain. The domain was referenced in a spam, I kept the last three that reference it in my spam box <yet to be deleted>.

    I doubt that they send spam, themselves, unless they are infected with additional robot/spamware.

    Frankly this avenue of spammer proliferation bugs the wooloo (not to be confused w/wazoo) out of me, because it offers another level of anonymity to the spammers. No specific isp is being used, but a bunch of their clients are being abused.

    Look at it this way. We can't track spam to a specific spammer whose spam was delivered by an anonymous spambot infected machine.

    Now we've got a spammer that's upped the ante and uses a webbot/dnsbot infected ring of computers to deliver web pages. Although it is possible they could also deliver spam, I suspect they use their other army of infected machines for that doody.

    They have no fear of isp repercussion, because they aren't using an isp service. They're abusing idiots w/computers that don't know their computers are being used this way.


  10. double dratz (or not)

    udowzy.torrence-family.com is now resolving again :/

    Shouldn't be too surprised that it winked out for a while. After all, the actual dns servers are virus infected zombies. The main server must have been rebooted because it was running too slow, or maybe the user woke up and anti-virus'd it.

    zeus:~$ dig udowzy.torrence-family.com
    
    ; <<>> DiG 9.1.0 <<>> udowzy.torrence-family.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45807
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;udowzy.torrence-family.com.    IN      A
    
    ;; ANSWER SECTION:
    udowzy.torrence-family.com. 5   IN      A       24.178.100.28
    udowzy.torrence-family.com. 5   IN      A       63.206.119.30
    udowzy.torrence-family.com. 5   IN      A       69.211.16.157
    udowzy.torrence-family.com. 5   IN      A       24.12.119.73
    udowzy.torrence-family.com. 5   IN      A       24.13.123.241
    
    ;; AUTHORITY SECTION:
    torrence-family.com.    155815  IN      NS      ns1.netsol.com.
    
    ;; Query time: 640 msec
    ;; SERVER: 192.168.1.112#53(192.168.1.112)
    ;; WHEN: Thu Jul 28 02:50:11 2005
    ;; MSG SIZE  rcvd: 149
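
Both dig transcripts in this thread show the same shape: five A records for one name with a 5-second TTL, and in the torrence-store case the authoritative name servers sit inside the very zone they serve. The Python 3 script below is an added example (not code from the original posts) that parses the record lines out of dig output and flags those fast-flux traits; the sample text is copied from the two transcripts, and the thresholds (five addresses, TTL of 30 seconds or less) are assumed defaults, not values from the posts.

```python
import re
from dataclasses import dataclass

# Constructed samples: the ANSWER/AUTHORITY sections quoted in the two dig
# transcripts in this thread (values copied from the posts, comments omitted).
DIG_STORE = """\
;; ANSWER SECTION:
bullwhack.torrence-store.com. 5 IN      A       68.58.110.87
bullwhack.torrence-store.com. 5 IN      A       68.254.114.243
bullwhack.torrence-store.com. 5 IN      A       24.94.238.113
bullwhack.torrence-store.com. 5 IN      A       24.194.147.92
bullwhack.torrence-store.com. 5 IN      A       67.190.24.114

;; AUTHORITY SECTION:
torrence-store.com.     7200    IN      NS      ns4.torrence-store.com.
torrence-store.com.     7200    IN      NS      ns1.torrence-store.com.
"""

DIG_FAMILY = """\
udowzy.torrence-family.com. 5   IN      A       24.178.100.28
udowzy.torrence-family.com. 5   IN      A       63.206.119.30
udowzy.torrence-family.com. 5   IN      A       69.211.16.157
udowzy.torrence-family.com. 5   IN      A       24.12.119.73
udowzy.torrence-family.com. 5   IN      A       24.13.123.241
torrence-family.com.    155815  IN      NS      ns1.netsol.com.
"""

# name  ttl  IN  type  value  (dig's default record layout)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    value: str


def parse_dig(text):
    """Extract resource records from dig output; ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records.append(RR(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def fast_flux_indicators(records, min_addresses=5, max_ttl=30):
    """Flag the traits the posts describe: many A records, a TTL of seconds so
    the zombie set can rotate, and name servers inside the zone they serve.
    min_addresses and max_ttl are assumed thresholds, not values from the posts."""
    a = [r for r in records if r.rtype == "A"]
    ns = [r for r in records if r.rtype == "NS"]
    zone = ns[0].name if ns else ""
    return {
        "a_record_count": len(a),
        "many_addresses": len(a) >= min_addresses,
        "very_low_ttl": bool(a) and max(r.ttl for r in a) <= max_ttl,
        "ns_inside_zone": bool(ns) and all(r.value.endswith("." + zone) for r in ns),
        "distinct_first_octets": len({r.value.split(".")[0] for r in a}),
    }
```

Running `fast_flux_indicators(parse_dig(DIG_STORE))` flags all three traits, while the torrence-family transcript trips the address-count and TTL checks but not the in-zone name server check, since its NS record points at ns1.netsol.com.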
    


  11. Do you think it's possible that TuCows came to the rescue here?

    I see the whois record for torrence-family.com last Updated Date: 26-jul-2005

    That's about the right time for all records to be stale now. I sent a letter to TuCows Saturday. I suspect they have few if any weekend warriors. All day Monday it would have been working its way thru their slew of mail... Tuesday somebody did something.

    Ratz, now I wish I had reported this to the FBI first. Thought of them last.... :ph34r:

    I did want the FBI to track 'em down, but I suspect that may have been difficult even w/excessive resources. That's one of the most impressive spammer schemes I've seen.


  12. I received a spam from Taiwan. I don't know anyone over there, so it's a safe bet it was supposed to be spam. I think this falls under the category of crafty spammer, so I'm re-using this thread.

    I couldn't help but find this spam interesting. Don't know how many of you enjoy programming, but the codes used for subject/date etc... are somewhat fascinating to me. It looks like the spam template was used, but no spam content replaced the macro fields.

    The subject looks like the spammer's Bayesian work-around.

    Subject: STR_RNDLEN(2-4)}{EXTRA_TIME_4} {WORD}
    Date: {DATE}
    MIME-Version: 1.0
    X-Mailer: Microsoft Office Outlook, Build 11.0.5510
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    Thread-Index: {ALNUM[36-36]}
    Content-type: multipart/related;
            boundary="{_BOUNDARY_RELATED}"
    
    --{_BOUNDARY_RELATED}
    Content-Type: text/html;
            charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    
    {BODYHTML}
    
    --{_BOUNDARY_RELATED}
    Content-Type: image/jpg;
            name="{LC_CHAR[7-7]}.jpg"
    Content-Transfer-Encoding: base64
    Content-ID: <{_UC_CHAR[20-20]}>
    
    {JPEG:/home/larry/baner.jpg:q80cg8cc5}
    
    --{_BOUNDARY_RELATED}--
    
    
    
    .
    
    


  13. Crafty spammer. Their zombies are performing nameserver duties and serving up web pages.

    Using either of the IP addresses for webpage and domain lookup produces the same results on all of the robot zombies.

    I wrote a tiny little python program and every one of them dish up the same webpage. I had thought they might be doing some kind of redirection, but that's not the case.

    I did run thru all the pages and placed a bogus order. Minor note: It sez credit card info is being gathered on secure 128-bit encryption. Lies of course. It also stated that my ip address 24.xxx.xxx.xxx was being recorded for security purposes. My ip does not begin with 24.... looked like static text. Most of the links they use end in .php? which is there to further convince ppl it's a real web server I guess.

    These zombies all collect credit card info from the unsuspecting foo that think this is legit. There must be a method of sending the credit card info back to the culprits. Probably the same way that the zombies know which other zombies are up and running.

    Very impressive trojans tho. Kudos to the spammer, they've got anonymity out the yin-yang going on here.


  14. http://www.spamcop.net/sc?id=z789394833z4e...492f5c3aaea1d4z

    Name: accurate.torrence-family.com

    Address: 71.96.15.218, 24.11.214.98, 68.203.184.97, 69.76.69.208, 70.92.245.129

    The nslookup on the domain accurate.torrence-family.com frequently changes.

    I receive about 3 spams a week which reference domains resolving in this fashion.

    Spamcop identifies only one of the addresses per url listed. The posted tracking url had abuse@rr.com for one url in the spam and abuse@verison.net for the other url.

    My attempts to report these zombies have fallen on deaf ears at ISPs because they don't resolve to webservers in their farms. Since the IP addresses change frequently, they probably think I'm making this shiat up.

    I've tried to explain the issue, but my voice in this matter seems to be received by the deaf.

    The only other thing I can think of is to complain to the registrar. I've initiated communication with Tucows but I don't have high expectations. Best they can do is cancel the domain, I suppose. What's the odds of that happening?


  15. Yeah, I knew it wouldn't last, but a day w/only 18 was a nice treat from the typical barrage of spew.

    Thursday the 21st was average, w/35 spams received. Guess... I didn't pray loud enough.

    As best I can gather, there is no use in trying to identify a pattern to spam, it's just there in heaps or it's just there.... hopefully only a trickle.

    Nonetheless, I still look for patterns. The past three weeks Wednesday has been the lowest spammed day of the week for me. But it was only a month ago Wednesdays were the worst day of the week.

    Based on the past two weeks however Thursday has been the overwhelming spam day. But this particular Thursday was average.


  16. :D I know it's a bad omen, but I've enjoyed the least spam day this year with a record low of 18 spams received for Wednesday June 20, which is about half my daily average for the past 3 months.

    Perhaps I should kneel down and pray for a continued lull.


  17. ...But not for everyone -- for many of us, it greatly increases the probability of reporting our own ISP or e-mail provider.


    I'm at a loss here, how does quick reporting increase this probability?

    Guess #1: some submissions to spamcop aren't spam? and the cancel sending button is the salvation mechanism

    Guess #2: spamcop parses e-mail identifying your isp as the sender of spam due to forwarding mechanisms in place


  18. Use the Block Lists. This will greatly reduce the spam received (and bandwidth consumed) and have no effect on legit e-mail.

    I do not own a server w/which to implement the Block Lists, but have stood over others' shoulders while they do.

    In order to implement them read the FAQs

    http://www.spamcop.net/fom-serve/cache/290.html

    http://spamhaus.org

    --

    Quick reporting may also be a spamcop option you may want to explore. I wrote a program to report spam, much like what spam cop does. I also want to report to spamcop, so their filters would be aware of my spam sources. Quick reporting is an ideal solution for my needs.

    -Joe


  19. I have an associate degree in "data processing." Since that degree focused primarily on COBOL programming back in the late 80's I'd guess no chance of learning the intricacies of the internet there. However, I was a lab-tech in my college, which afforded me extra computer time and tinkering around with Unix.

    The Internet's childhood was spent mostly on Unix. The three letter word www caused an Internet explosion, but there's still a lot that can be learned about the internet from Unix or its modern-day clone: Linux.

    I can't imagine what learning computer stuffs is like these days, there's soo much to take in. Being a computer enthusiast since about 1980, I've had the opportunity to slowly soak in all that I have.

    I recommend getting started with Linux ASAP... Also, learn to type w/out looking at the keyboard!


  20. I was receiving an average of about 40 spams a day. I was soo tired of it, I thought I'd try using all of the unsubscribe links... for about a day I unsubscribed. Two months later I was receiving an average of about 80 spams a day.

    Unfortunately, I can only guess this is the consequence of the effort. :blink:


  21. <pilot lite on>

    It wouldn't make sense to me.

    But then, neither does "everdialman"s posting.

    Somehow the address got nabbed by a spammer.

    By the sounds of it, Jank1887 was very careful not to use that address for anything other than electronic billing.

    I can't begin to fathom who is culpable for this issue.

    However, I'm sure I had nothing to do with it :o

    <pilot lite off>


  22. Today, I woke to a slight increase in spam. But this one about Microsoft is a little relief from the typical Cialis/teen sex/(final notice) mortgage flavored spam.

    Microsoft has really peeved the spammer, cuz he's crying Microsoft spams and Microsoft products should be boycotted.

    LOL, I've only received spam from microsoft, when I asked for it... And when I said no more, that's what I got, no more. Spammers live in the alternate reality where what they do is to be blamed on others and no means log(yes)

    The sad part is that some ppl will agree with the spammer and continue to buy spammed products :(


  23. I'm fairly un-informed about AOL policies, however, an associate of mine has informed me that AOL is a PITA.

    If your IP or ISP's SMTP server sends too many e-mails to AOL, you or your ISP must register w/them somehow to get on their white list, otherwise emails to them bounce.
