

shmengie
Content Count: 97
Posts posted by shmengie
Who is this, are they DOA?
I'm getting spam websites in this neighborhood of addresses, and it's really irking me because I can't complain.
I even tried calling the 801 # and it's a fast busy signal... arageaefja;lkje
OrgName: Silicon Compiler Systems
OrgID: SCS-1
Address: 7090 South Union Park Avenue
Address: Suite 200
City: Midvale
StateProv: UT
PostalCode: 84047
Country: US
NetRange: 134.86.0.0 - 134.86.255.255
CIDR: 134.86.0.0/16
NetName: SCS
NetHandle: NET-134-86-0-0-1
Parent: NET-134-0-0-0-0
NetType: Direct Assignment
Comment:
RegDate: 1989-04-19
Updated: 1991-01-03
TechHandle: KM131-ARIN
TechName: Miller, Kevin
TechPhone: +1-801-320-8032
TechEmail: kmiller[at]mhz.com
-
-
Ahh, that explains it.
I saw the yahoo, and wondered if SC dug up the same reporting to: addy... When none were dug up, I posted here.
Thanks for the info.
Since all the links resolve to the same IP, would it not be prudent to report anyway?
-
According to whois for that IP, yes it is.
After a closer inspection of the whois record, I noticed that it was modified by a yahoo.co.uk account, so I figured it may be legit.
changed: [bzzt][at]yahoo.co.uk 20050218
-
http://www.spamcop.net/sc?id=z737565409zce...be3f63a1f55320z
None of these URLs were diagnosed by SC
Thunderbird, however displayed many clickables.
http://briny.tehexpertz.com/a/209120/minuteman
http://posit.beatrxbillz.com/a/209120/waters
http://embroidery.beatrxbillz.com/a/209120/grosvenor
http://funeral.beatrxbillz.com/a/209120/alcove
http://shipbuilding.beatrxbillz.com/a/209120/aggravate
http://transmogrify.beatrxbillz.com/a/209120/commiserate
http://droplet.beatrxbillz.com/a/209120/ar
http://polloi.beatrxbillz.com/a/209120/trw
http://dreary.beatrxbillz.com/a/209120/aeneid
http://kalmuk.beatrxbillz.com/a/209120/note
They all resolve to
Address: 210.245.235.152
Abuse contact for 210.245.235.152: anson28[at]hotmail.com
The [at]hotmail.com abuse contact caught me off guard.
Huge spam text removed as it exists within the Tracking URL provided above.
-
I hope you perceived my intention of humor in the previous post.
That quote quote Url quote quote did come in a spam. I don't understand why the spammer did that. Guess most ppl wouldn't even have seen it. I only saw it cuz I looked at the source. It wasn't visible in the Thunderbird rendered e-mail.
I only posted it here cuz you caught me being a goof at the beginning of this thread.
Now that I realize I'm not worthy of posting in this forum, I'll stop
-
Here's a reply I received from Easynet UK, after I queried about my reporting style.
This may shed some light on why reporting is good.
On Sat, Feb 26, 2005 at 05:46:18PM -0500, Joe Brown wrote:
>> Hi,
>>
>> I'm glad you appreciate my reporting. I hope that my reports are not
>> too excessive and that you find them adequately informative.
Hi Joe
Your report was excellent, and contained the information needed in
order for us to take effective action. A worrying trend is that many
Unsolicited Bulk Email recipients appear to no longer report spam
received; this greatly cuts down our and other providers' ability to
identify and deal with abuse related to our networks.
Please keep reporting spam, it really is appreciated.
Kind regards
Anthony Edwards
--
Easynet UK Abuse Team - Easynet Ltd
-
Well, here's one that SC didn't find!
<br>Web Site: www vinobleinc com<br>
<br>
Although, I don't see this URL being worthy of a feature request... I hunted it down by hand.
I figure if I keep posting on this thread, I'll seem totally insane or a genius
-
DOH! My bad...
Thought I looked and it didn't.
-
I noticed the tag in http://www.spamcop.net/sc?id=z736926310zfa...c3cac24cf72067z
<a href="http://%61%6c%6c%73%6f%66%74%73%2e%6e%65%74" target="_blank">
Does not seem to be recognized by SC as a URL
Name: allsofts.net
Address: 195.47.196.142
Thunderbird displayed the URL properly rendered, yet my reporting software didn't identify it until I added some more code... Took me a while to decrypt it.
Maybe you will appreciate this Python code which is capable of locating and decoding these references.
import re

# clip holds the raw message source being scanned; HReferences collects every URL found so far
clip = '<a href="http://%61%6c%6c%73%6f%66%74%73%2e%6e%65%74" target="_blank">'
HReferences = []

# Match http: URLs whose host is written entirely as %XX escapes, skipping img src= attributes
# (plain, quoted, or quoted-printable src=3d"...") and anchors that contain nothing but the URL
http2 = re.compile(r'''(?<!src\=)(?<!src\=['"])(?<!src\=3d['"])(?P<url>http\:[/]*(?:%[0-9a-f]{2})+)(?!'></a>)(?!"></a>)(?!></a>)''', re.IGNORECASE)
http2refs = http2.findall(clip)

# Replace each %XX escape with the character it encodes
percents = re.compile(r'(%[0-9a-f]{2})')
for i in range(len(http2refs)):
    for digi in percents.findall(http2refs[i]):
        http2refs[i] = http2refs[i].replace(digi, chr(int(digi[1:], 16)))
HReferences += http2refs
# HReferences now holds 'http://allsofts.net'
-
I've never been a paid member of spamcop, so I don't know what kinds of reports you receive in that event.
I have, however, been sending reports out my door to ISPs daily (averaging 50 per day). I receive about 1-3 replies a week, that don't seem to be automated, regarding my reports.
I rather enjoyed this one:
Bonjour,
Nous contactons actuellement notre client afin qu il
resolve au plus vite le probleme.
Merci de nous avoir signale le probleme.
Cordialement,
-------------
Hello,
We're contacting our customer to resolve the problem on his
network.
Thank you for reporting to us this problem.
Regards,
-------------------------------------------------------------------------
Type of Abuse: spam Mail,IP=62.23.87.78, 26 Feb 2005 02:38:45 +0400
Offenders IP: 62.23.87.78
Date of Offence: Sat, 26 Feb 2005 02:38:45 +0400
Anti-virus software may help prevent this type of abuse.
Here are a few free anti-virus solutions you may want to
inform your customers:
AVG 7.0 Free edition (for home users):
http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5
Microsoft's "Spy-ware" tool:
http://www.microsoft.com/athome/security/s...re/default.mspx
ClamWin free anti-virus software for everyone:
Offending E-mail:
>From - Thu Feb 24 13:45:10 2005
....
-
I received this email (around 2005-02-01 (Feb. 1st)) and reported 217.148.2.204 to message[at]shlink.ch
After reporting the spam, I've received viruses in the mail from 217.148.7.200
To date 17 emails containing a virus.
That seems a little too coincidental to me.
Reporting to message[at]shlink.ch seems to be a waste of time. How else might I follow up on this?
From - Mon Jan 31 23:46:23 2005
Return-Path: <jzxjnmutuebfkw[at]webmail.co.yu>
Received: from CPQ15484134982 (range20-204.shlink.ch [217.148.2.204])
by zeus.[protected] (8.11.2/8.11.2) with SMTP id j114dt411044
for <joe[at][protected]>; Mon, 31 Jan 2005 23:39:55 -0500
Received: from inverse.rockbridge.net ([65.118.241.21])
by alden.passagen.se (Sun Java System Messaging Server 6.1 HotFix 0.02 (built Aug 27 2004)) with ESMTP id <0B9H00JI640LN75[at]alden.passagen.se> for
joe[at][protected] (ORCPT joe[at][protected]); Mon, 31 Jan 2005 22:32:52 -0600 (IST)
Received: from payday
(bayonne.rockbridge.net ([202.108.86.72])
by inverse.rockbridge.net (MOS 3.5.5-GR) with ESMTP id DET50635 (AUTH evasive) ; Tue, 01 Feb 2005 03:30:52 -0100 (IST)
Date: Mon, 31 Jan 2005 21:37:52 -0700
From: "Rudolph Gill" <jzxjnmutuebfkw[at]webmail.co.yu>
To: <joe[at][protected]>
Subject: Accumu|ate at these |evels with breakOut |OOming
Message-ID: <677234736229.AHW81955[at]childhood.passagen.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7Bit
X-UIDL: Vi<"!)N,!!bnP!!cc_"!
Penny Stock Flyer's |ast choice on Jan 21 was VTYC at .06 with an
immediate target of .22, it hit .27 in 4 days.
Next Immediate Penny Stock Flyer:
American IDC Corp. OTC: ACNI
Price: .04 - Near 52-week Low, Load-up Ear|y
Projected to Trip|e in 7 Days
....
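The post above reports the IP named in the topmost Received: header (217.148.2.204) rather than any address further down the chain. The following is an added example, not the poster's own reporting script, that shows why: it unfolds the quoted headers, walks the Received: chain top-down, and takes the connecting IP from the first hop written by the recipient's own MTA. The sample header block is constructed from the headers quoted in the post (the poster's [protected] redactions are left in place), and the trusted MTA name zeus.[protected] is an assumption drawn from that same block.

```python
import re

# Constructed sample: the header block quoted in the post above, with the
# poster's own redactions ([protected]) left as they appear there.
SAMPLE_HEADERS = """\
Return-Path: <jzxjnmutuebfkw[at]webmail.co.yu>
Received: from CPQ15484134982 (range20-204.shlink.ch [217.148.2.204])
 by zeus.[protected] (8.11.2/8.11.2) with SMTP id j114dt411044
 for <joe[at][protected]>; Mon, 31 Jan 2005 23:39:55 -0500
Received: from inverse.rockbridge.net ([65.118.241.21])
 by alden.passagen.se (Sun Java System Messaging Server 6.1 HotFix 0.02 (built Aug 27 2004)) with ESMTP id <0B9H00JI640LN75[at]alden.passagen.se> for
 joe[at][protected] (ORCPT joe[at][protected]); Mon, 31 Jan 2005 22:32:52 -0600 (IST)
Received: from payday
 (bayonne.rockbridge.net ([202.108.86.72])
 by inverse.rockbridge.net (MOS 3.5.5-GR) with ESMTP id DET50635 (AUTH evasive) ; Tue, 01 Feb 2005 03:30:52 -0100 (IST)
Date: Mon, 31 Jan 2005 21:37:52 -0700
From: "Rudolph Gill" <jzxjnmutuebfkw[at]webmail.co.yu>
Subject: Accumu|ate at these |evels with breakOut |OOming
"""

# Bracketed IPv4 literal, as MTAs write the peer address in a Received: header
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# The "by <host>" clause names the MTA that wrote the header
BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_chain(raw):
    """Return [(connecting_ip, receiving_host), ...] for each Received: header, top first.

    Top first means newest first: the topmost header was added last, by the MTA
    closest to the recipient."""
    chain = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        ip = IPV4.search(line)
        by = BY.search(line)
        chain.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return chain


def injecting_ip(raw, trusted_mta):
    """The address worth reporting: the peer recorded by the first Received: header
    that our own MTA wrote. Every Received: header below that one arrived inside the
    message and was supplied by the sender, so it can say anything and is never
    used as the reporting target."""
    for ip, by in received_chain(raw):
        if by == trusted_mta:
            return ip
    return None


if __name__ == "__main__":
    for hop, (ip, by) in enumerate(received_chain(SAMPLE_HEADERS), 1):
        print(f"hop {hop}: {ip} -> {by}")
    print("report:", injecting_ip(SAMPLE_HEADERS, "zeus.[protected]"))
```

Only the first hop is evidence; the rockbridge.net and passagen.se hops in the sample are exactly the kind of detail a sender can fabricate to send complaints to the wrong ISP.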
-
...use an insecure browser. Be very scared.
I think IE is insecure... I even tried uninstalling it. Add/remove programs/Windows components, IE used to be listed there for uninstallation.
After uninstalling it, it is still on my computer, because I can still get Windows Update which requires it, but I think it did remove the icon from the desktop, and shuffled a few other files around. Kinda wish I would have taken a full inventory, b4 and after. I was reluctant to uninstall IE, but it seems my reluctance was for naught.
Me thinks Microsoft also believes in the spammer rulez.
Ran windows update (haven't for a while) There's a cumulative patch for IE which isn't installed on my computer, go figure.
-
There are a couple of inherent problems with whitelists...
* Everyone must sign up to join them.
None can communicate until all parties of a communication channel are subscribed.
* They're not bullet proof.
What happens when someone makes the effort to disrupt the service? 1000 spammers who acquire 1000 valid accounts can lodge a lot of complaints.
What about a conspiracy? If someone doesn't like what someone else does... Who gets blocked, who doesn't?
* Administration and adjudication would be a nightmare.
Someone has to decide which reports are valid or not. Otherwise ppl will be unjustly removed.
If it was as simple as we wish, it would have been done.
In an ideal world, no problem, it could work. But then, in an ideal world, would it be needed in the first place?
-
Luv ur signature petzl
I'm a little curious if you are familiar with the sourceforge project Clam or specifically clamwin:
http://sourceforge.net/projects/clamwin/
I'm currently checking out AVG tho.
So far, AVG is performing nicely, it found the 10 viri I had stored for later inspection. (It's only 3 different versions of the same strain.) It's curious, after I reported a spam to a specific site in China, I've been receiving viri from a neighboring ip addy.
I wonder what that's all about...
-
-
I've recently gotten into the habit of forwarding stock picks to enforcement[at]sec.gov
Any spam that mentions Microsoft products gets forwarded to piracy[at]microsoft.com
I've hunted for a Pfizer contact, but have been unable to locate an address to forward Viagra related messages.
-
Unless you are a top-notch computer security researcher, I recommend that you do not intentionally infect your computer with a virus. If you do not know precisely what you are doing, you can easily do more harm than good.
I wouldn't infect my working computers... That would be more trouble than it's worth. But I may have access to a couple of old 98 machines that have nothing better to do :/ (I'm not top notch, but know enough)
Thanks for the replies and the heads up on isc.scans.org
I need to break from this line of thinking... I'm not getting paid to do this work, I need to concentrate on work that will get me paid.
I'm not the only one aware of the web bugs... My main reason for posting. It was bugging me, that I didn't turn up any info searching the web, but I wasn't using the proper keywords... I got a little over excited too when I realized what the silly e-mails are potentially good for.
It seems like ISPs should actively scan their network traffic and contact infected clients. If they would do that, 90% of the spam could be halted.
-
You understand the point of the web bug correctly, although it may not necessarily be virus/trojan related. It generates an entry in the logs of the web server that is hosting that picture. It's not called a weblog, though. A weblog (or blog for short) is an Internet-based diary.
I can't conceive of any reason to send out nonsense spams that have the web bug, other than to identify targets for the virus/trojans.
I've been collecting the viri sent to me, but have yet to take the time to see what their purpose in life is. Although I suspect their primary reason for being is to proxy spam, I have yet to verify this suspicion.
With that in mind, has anyone actively sought the virus and recorded where it reports to?
My interest is identifying the originating IP.
If I had the time, I'd also like to learn how to identify computers with the spam proxy agents, and figure out how to have them send reports on themselves to their ISPs. <- that would be awesome.
-
swingspacers
I don't think you understand the point I'm driving at.
The point I was trying to get across is this: I don't have a problem with that spam... But guessing at its purpose, I finally realized why it exists (it's been bugging me for a while)...
I think it's a feeler spam, searching for e-mail clients that are susceptible to trojan/viri spam proxy agents. The image content is irrelevant... The fact that the img src=http://gjmatvienkoxdfg.com/bdfadbb619845f8e312afd7d7/inexplicable.jpg generates a weblog that probably identifies my address to the spammer.
Now the spammer suspects that I'm fool enough to use an email client that fetches images off the web, which is possibly susceptible to infection.
I don't know, off the top of my head, if the weblog also includes the web client that retrieved the picture, but probably does. In that event, they've got all the information they need to know who to send the virus/trojan to.
I think it would be prudent to use this information against the responsible party and prosecute to the full extent of every law possible. I'm inclined to dig up an old outlook client and forward that e-mail to myself, then wait and see what viri comes my way.... with a good packet sniffer, I could determine when it calls home to say it's ready to proxy spam. Then sniff out the source of spam and forward to the proper officials.
After a brief googling on this topic, to no avail, I brought it here for discussion.
re: tracking
For a sophisticated spammer, it's very easy to track successful spam... all they need to do is include a unique identifier in an url, and when that url is hit, a quick database lookup for the weblog, shows which e-mail (addressee) is the duck.
If a spammer (which I seriously doubt) cares about who reported spam, they can do the same thing inside or outside of a web URL, embed a unique identifier anywhere in the spam, and they would achieve the same result. I suspect spammers are too busy finding their next ISP, rather than worry about me reporting their spam.
re: spamcop
I grew tired of using spamcop to report spam. It takes too long to process the bulk of mail I receive. 50~ a day. Instead I wrote a little script to facilitate my reporting process. Now days I always send spam reports to the ISP of the originating spam and where possible report websites referenced in the spam.
A spammer is now directly sending viri my way, but I can live with that.
-
I mentioned to my roommate a week or so ago, that that spam he received contained a link to an image. I guessed it was some sort of counter. Since neither of our e-mailers display links to offsite images, I thought little of it at the time.
Today, I received yet another nonsense spam, and tracked down the link.
<IMG
src=3d"http://gjmatvienkoxdfg=2ecom/bdfadbb619845f8e312afd7d7/inexplicabl=
e=2ejpg" border=3d0>
which decodes to:
http://gjmatvienkoxdfg.com/bdfadbb619845f8...nexplicable.jpg
Name: gjmatvienkoxdfg.com
Address: 61.128.196.155
[informations about 61.128.196.155 ]
IP range : 61.128.128.0 - 61.128.255.255
Infos : CHINANET Chongqing Province Network
Infos : Data Communication Division
Infos : China Telecom
Country : China (CN)
Abuse E-mail : abuse[at]cta.cq.cn
Source : APNIC
After careful thought, I realized this link isn't to count me, because my e-mailer won't display the image. But I bet anything that whoever is identified by the /bdfadbb619845f8e312afd7d7/ section of that link whose emailer does display or tries to display that image, will receive the malware/spam proxy software that can infect their computer.
I believe chinanet is a spammers safe-haven, so this makes a lot of sense to me.
What I haven't figured out: how do I combat this issue?
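Two posts in this thread show URLs that SpamCop's parser missed because the message source hides them: the allsofts.net anchor whose hostname is written entirely as %XX escapes, and the IMG tag above whose src is split by quoted-printable soft line breaks and =XX escapes. The following is an added example, not the poster's reporting script, that undoes both encodings, pulls the URLs out of href/src attributes, and flags the long hex path segment that marks the image as a per-recipient web bug. The two sample fragments are constructed from the quotes in this thread; the 16-hex-digit threshold for a tracking token is an assumption chosen here, not anything the thread states.

```python
import quopri
import re
from urllib.parse import unquote, urlsplit

# Constructed samples, modelled on the two fragments quoted in this thread.
PERCENT_ENCODED_ANCHOR = '<a href="http://%61%6c%6c%73%6f%66%74%73%2e%6e%65%74" target="_blank">'
QP_ENCODED_IMG = ('<IMG\n'
                  'src=3d"http://gjmatvienkoxdfg=2ecom/bdfadbb619845f8e312afd7d7/inexplicabl=\n'
                  'e=2ejpg" border=3d0>')

# URL inside an href= or src= attribute, quoted or bare, once the transfer encoding is undone
URL_IN_ATTR = re.compile(r'''(?:href|src)\s*=\s*["']?\s*(https?://[^\s"'>]+)''', re.IGNORECASE)
# Assumed heuristic: a path segment of 16+ hex digits is treated as a per-recipient token
HEX_TOKEN = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def decode_qp_if_needed(fragment):
    """Undo quoted-printable transfer encoding: =XX escapes and =<newline> soft breaks.

    Text that is not QP-encoded passes through unchanged, because the decoder only
    rewrites '=' followed by two hex digits or a line break."""
    return quopri.decodestring(fragment.encode("ascii", "replace")).decode("utf-8", "replace")


def extract_urls(html_fragment):
    """Return the URLs in href/src attributes with QP and %XX host obfuscation removed."""
    text = decode_qp_if_needed(html_fragment)
    urls = []
    for raw in URL_IN_ATTR.findall(text):
        parts = urlsplit(raw)
        # A hostname never legitimately contains %XX escapes; decoding them exposes
        # the real name so it can be resolved and reported.
        host = unquote(parts.netloc).lower()
        urls.append(parts._replace(netloc=host).geturl())
    return urls


def tracking_tokens(url):
    """Path segments that look like per-recipient identifiers.

    A spammer who puts a unique token in the image URL can match the web server
    log entry for the fetch back to the mailbox it was sent to."""
    return [seg for seg in urlsplit(url).path.split("/") if HEX_TOKEN.match(seg)]


def analyse(html_fragment):
    """Decode, extract and classify every URL in a fragment of message source."""
    report = []
    for url in extract_urls(html_fragment):
        report.append({
            "url": url,
            "host": urlsplit(url).hostname,
            "tracking_tokens": tracking_tokens(url),
        })
    return report


if __name__ == "__main__":
    for fragment in (PERCENT_ENCODED_ANCHOR, QP_ENCODED_IMG):
        for entry in analyse(fragment):
            flag = "web bug" if entry["tracking_tokens"] else "plain link"
            print(f"{flag}: {entry['url']} (host {entry['host']})")
```

Run against the whole message body rather than a single tag, the same three functions recover every remote reference a client might fetch; the hostnames they return are what gets looked up and reported to the hosting network's abuse contact.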
foobar
in SpamCop Lounge
Posted
Thanks for the info guys.
Merlyn led me to the path of understanding.
The NetRange: 134.86.0.0 - 134.86.255.255 appears to be hijacked by a group of known spammers. According to traceroute, they're operating in Brazil, which appears to be the latest safe-harbor for spammers.
Silicon Compiler Systems must have owned this net range once in the past, and it hasn't been dished out to another organization, which appears to be how it got hijacked, and why I was asking about 'em.
We definitely need to get Brazil on board with the rest of the world...