AlphaCentauri

Members

  • Content count: 79
  • Community Reputation: 0 Neutral
  • Rank: Member
  • Website URL: http://ksforum.inboxrevenge.com/

  1. Sorry to be late to this discussion! I am a member of an antispam forum whose members get a LOT of these "joe jobs." We try to keep each other informed of them. We don't want to report an innocent site for spam the owner didn't send. It's usually easy to tell the joe jobs, but it helps us to be able to compare notes. The joe jobs are specifically targeted at email addresses most likely to lead to them being blacklisted. So any email address [at]spamcop.net is likely to be flooded with copies of these spams, as are any addresses used for spam reporting. We have been posting notices of some of the joe jobs in this thread: http://ksforum.inboxrevenge.com/viewtopic.php?f=1&t=2818 The thread is meant as a means of informing antispammers, as well as being a link that site owners can use in their own defense when they are victims. There is additional discussion in the registered-member-only forums. (The public thread is closed to comments.) In some cases, the site being "advertised" is conducting illegal activity. Even if the domain isn't reported for spam, the joe job will attract attention to the site and can lead to its being shut down. We're not really interested in being tools in the dirty wars among criminals, nor in defending them when they are suffering because of unwanted attention to their illegal activities. So when we were getting a lot of email about those sorts of sites, we got lax in keeping the thread updated. We'll try to do better about posting the other spam samples, though.
  2. Actually, that thread hasn't been updated in a while. The announcements of the most recent versions will be at http://ksforum.inboxrevenge.com/ . You will need to register to read the "Tools" forum. The current version is 23.01. Updates include things like suppressing emails that ask registrars and hosts to delete their own nameservers (early versions assumed users would be able to spot those themselves) and also include the contact email addresses of more recently abused registrars. In this case, however, singlehop.com is a hosting service, not a registrar, so that isn't where your report would be sent. The reason Complainterator chooses registrars is that spamvertised domains often are kicked off one host and move immediately to another, with no interruption of cash flow, or else they are hosted on hacked servers and already move around on their own. For instance, the sites called "My Canadian Pharmacy," "Canadian Health&Care Mall," and "Canadian Family Pharmacy" (none of which involve any real pharmacists or any real Canadians) move from one IP address to another every few hours, most of which are large hacked Unix servers at places like universities, or in one instance, Microsoft: http://krebsonsecurity.com/2010/10/pill-ga...onsecurity-com/ In that case, most of the hosts will not even recognize that they are hosting these sites, because the trojan has a name similar to a legitimate Unix process and because it only relays files from yet another server -- the one you find when you look up the IP address for the spamvertised domain name will not actually have any of the website files in its directories.
  3. Ah, thanks. So how do you see the accuracy of dul.dnsbl versus the Spamhaus PBL list?
  4. Not a lot of people rely on the SORBS blocklist, because of their reputation for being overaggressive. The blocklist is used as a weapon against ISPs that host spammers, rather than as a useful tool for people who want to filter spam. And SORBS doesn't remove listings unless the user satisfies their criteria, no matter how old the listing. I've seen a dynamic IP address blocklisted when the explanation was a single spam received from that IP address two years earlier. What use is that entry on the blocklist, when the source of the spam is surely no longer logged into that address, has hopefully run an antivirus scan by now, and has no way of knowing the blocklist was ever added to his former IP address? Spamcop's system of auto-aging listings based on the number/duration of abuse incidents makes much more sense.
  5. I also suggest that you check out the InboxRevenge forum. The spectacular demise of Blue Frog made people aware that this is about a lot more than just nuisance emails. Internet crime is big business and spam is only one part of it. We composed an open letter to the US FTC chairman discussing those issues, and they will be equally pertinent to the incoming Cyber Czar: http://ksforum.inboxrevenge.com/viewtopic.php?f=9&t=2574 Just as Spamcop is primarily working on alerting ISPs to compromised machines emailing spam, the members at InboxRevenge concentrate on educating registrars about the criminal nature of the domains advertised in spam. While registrars normally don't like to get involved in policing the content of websites, the fact that a site is engaged in illegal activity makes it almost certain it was registered with fake information. A registrar can suspend sites with fraudulent registrations, and we believe it has a responsibility to do so lest it be seen as an active participant in criminal activity.
  6. I can't help but think some of it is spam filtering services sniping at one another -- they see it as to their advantage that people using other services get more spam. So whichever service filters for Verizon doesn't want Ironport to get spam reports and won't whitelist emails sent to their address. A similar issue came up with phish takedown services being asked to cooperate rather than have the person reporting the phish have to track down the correct place to report phish spoofing each particular brand. Ironically, it was Cyveillance complaining, when they used to benefit from our volunteer reporting efforts submitting spam to spamcop. It's too bad, since they could view it as an opportunity. Rather than refusing to whitelist outgoing mail addressed to other spam reporting services, they could use the fact that someone is reporting them as evidence to include those signatures in their own databases, especially given the fact that they were missed on the way in.
  7. Knujon has been having the same problem and is trying to negotiate with Verizon management. Given the fact that this ought to be a no-brainer, it's not encouraging that this wasn't resolved with a five minute phone call. I mean, Verizon had to let the spam in for their subscribers to have it in the first place.
  8. I notice that some of the worst sources of spam, like the free hosting products from Microsoft and Google, don't accept Spamcop reports. That ticks me off, obviously. It would be one thing if they were doing such a stellar job of removing abusive accounts that the spammers stopped registering new ones. But their response is more than slow enough to allow the spammers to get all the traffic they're likely to get from a spam run. On the other hand, since Spamcop sends one report for each spam report it receives, and since there are likely to be multiple problem user accounts active at any one time, each receiving a barrage of Spamcop reports, I can see the abuse staff might find it too much trouble to sort through to find the unique ones. Assuming Spamcop can get the ISPs that currently refuse Spamcop reports to negotiate at all, what if there were two private reporting addresses for an ISP to receive Spamcop reports, in a three step process:
     1. New reports. When Spamcop receives spam from a source of spam or advertising a URL, they are sent to private address #1.
     2. In progress. After the ISP responds to Spamcop's first reports to acknowledge receipt and say the problem is being addressed, all subsequent Spamcop reports go to private address #2. Any subsequent reports to address #1 are going to be new issues and easy for the ISP to recognize.
     3. Resolved.
        - In the case of a source of spam, this should mean no further spam is being sent from that IP. Spamcop would continue to do as it does now and notify the spam reporter that the ISP has indicated that the spam will cease. Any spam sent after the issue is supposedly resolved goes back to address #1.
        - In the case of a spamvertised URL, the ISP would post a parked page at that URL that is constant for all Spamcop shutdowns. It might have information for the visitors clicking through, telling them about the type of risk they were taking, linking to sites like the Spamwiki with information about scams and how they operate, but it would be a fixed source code. Spamcop checks, finds that precise page at the URL, then stops reporting the spamvertised URL, even if spammers continue to mail for it.
     The main catch would be if/when the domain registrars shut down the whole domain. (That's obviously the ultimate goal to prevent the spammer from just moving his domain and all its traffic to a new ISP.) If the registrars set a domain to clientHold, fine, Spamcop can confirm that. But if they leave a domain alive but assume control over it themselves and post their own parked page (many benefit from pay per click ads on those pages), the ISP doesn't have any say in that. There would need to be an alternate procedure to confirm the URL is no longer hosted by that ISP. That problem wouldn't apply to Google and Microsoft of course.
  9. Just an update here: Since Castlecops.com has been put down, the Complainterator support forums are at http://ksforum.inboxrevenge.com in the "Tools" forum. There is also a thread for successful removals which runs 54 pages long.
  10. There's a wiki being rebuilt at battlespam.info. The "all pages" link is at http://wiki.battlespam.info/index.php/Special:AllPages. The immediate need is for volunteers to reverse-format the html cached copies to wiki formatting and sort through which links need to stay within the new wiki, and which ones really do refer to castlecops. A lot of stuff had been allowed to get out of date during the last year of CC, too, so it's not just a mirrored copy of the wiki.
  11. Well, whatever everyone did, kiosuoyon.cn is now dead. Sometimes the parser fails because the site really has been shut down. The Spamcop parser runs into problems because .cn domains may load very slowly. But the spammers run into problems because of that, too. So it's a good problem to have. The Spamcop parser also has problems with:
      1. Canadian Pharmacy sites -- Their botnet will have 20 different IP numbers for a domain at one time, and Spamcop's parser only will return one. The IP addresses change every 5 minutes (literally) (and the nameservers change about every 24 hours). So by the time your report gets to the domain host, the site is somewhere else. As you can imagine, the Spamcop blocklist has difficulty with the originating IP numbers as well, as there are so many bots involved that each infected computer may only send a few spams, never getting reported often enough to be listed and often only being logged into a dynamic IP at the time anyway. The spammer registers thousands of domains (literally) for the same site. They're being registered in China right now because the Hong Kong registrar HKDNR realized who they were dealing with and deleted the registration for 1250+ different domain names. Now antispammers are working on alerting bizcn.com, Xinnet and Beijing Innovative Linkage Technologies to see if they will crack down on those registrations as well.
      2. MyCanadianPharmacy and similar sites. The malware infection that allows those sites to be hosted inserts a list of IPs that are not allowed to ping them. Ironport (Spamcop) is one of them, so the parser sees the site as "not found." Visa, Mastercard, various law enforcement agencies and some active antispammers also have their IPs on the list.
      There is a lot of information about how these sites work at http://www.spamtrackers.eu/wiki/index.php?title=Main_Page . One of the most effective ways to fight these itinerant spam sites is to remove domain and nameserver registration - they can move their sites as often as they want, but if the registration for the domain and the glue for the nameservers is gone, no one can connect to them. There is an automated tool at http://thecarpcstore.com/phpbb2/viewtopic.php?t=967 to send reports to registrars about spamvertised sites.
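The post above describes the hosting pattern that defeats a single-answer parser: one domain answering with many addresses at once and rotating most of them every few minutes. The following is an added example, not code from the forum or from any tool mentioned in it, showing how a defender can measure that churn from repeated DNS polls instead of trusting one resolved address. The snapshots are constructed sample data (documentation-range and private addresses); a live version would fill them from a resolver's full answer section rather than the first record. Thresholds in `looks_fast_flux` are assumed starting points, not published values.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample data: each snapshot is (poll time, set of A records answered
# for the domain). Polls are five minutes apart, matching the interval in the post.
def make_snapshots(start, interval_min, answer_sets):
    return [(start + timedelta(minutes=i * interval_min), set(ips))
            for i, ips in enumerate(answer_sets)]

T0 = datetime(2010, 1, 1, 12, 0)

# A fast-flux-style domain: five addresses per answer, most replaced every poll,
# spread over many unrelated networks (all addresses here are invented).
FLUX = make_snapshots(T0, 5, [
    ["198.51.100.10", "198.51.100.77", "203.0.113.5", "192.0.2.40", "192.0.2.41"],
    ["198.51.100.10", "203.0.113.99", "192.0.2.9", "198.18.4.4", "198.18.250.1"],
    ["10.20.30.40", "203.0.113.99", "172.16.5.6", "198.18.4.4", "192.0.2.200"],
    ["10.20.30.41", "172.16.9.9", "192.0.2.77", "203.0.113.1", "198.51.100.3"],
])

# A conventionally hosted domain: the same two addresses every time.
STABLE = make_snapshots(T0, 5, [
    ["192.0.2.10", "192.0.2.11"],
    ["192.0.2.10", "192.0.2.11"],
    ["192.0.2.11", "192.0.2.10"],
    ["192.0.2.10", "192.0.2.11"],
])


def analyse(snapshots):
    """Summarise how the answer set for one domain behaves across polls."""
    distinct = set().union(*(ips for _, ips in snapshots))
    # Turnover: fraction of the previous answer set that has vanished by the next poll.
    turnovers = [len(prev - cur) / len(prev)
                 for (_, prev), (_, cur) in zip(snapshots, snapshots[1:])]
    # Distinct /16 prefixes: a single hosting provider usually sits in one or two.
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in distinct}
    return {
        "distinct_ips": len(distinct),
        "avg_answers": sum(len(ips) for _, ips in snapshots) / len(snapshots),
        "avg_turnover": sum(turnovers) / len(turnovers),
        "distinct_16s": len(prefixes),
        "window_minutes": (snapshots[-1][0] - snapshots[0][0]).total_seconds() / 60,
    }


def looks_fast_flux(stats, min_ips=10, min_turnover=0.5, min_prefixes=5):
    """Assumed heuristic: many addresses, most replaced between polls, many networks."""
    return (stats["distinct_ips"] >= min_ips
            and stats["avg_turnover"] >= min_turnover
            and stats["distinct_16s"] >= min_prefixes)


if __name__ == "__main__":
    for name, snaps in (("flux", FLUX), ("stable", STABLE)):
        s = analyse(snaps)
        print(name, s, "fast-flux" if looks_fast_flux(s) else "stable")
```

Because the script keys on turnover between polls rather than on any single answer, a report built from it can cite the whole address set seen over the window, which is what a host or registrar needs when the address in the original parse is already stale by the time the report arrives.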
  12. Unfortunately, it now has nameservers ns0.lestem.com and ns1.lestem.com which are alive and well and just waiting for kemooon.com to find a new hosting service. (And it's still with AIT.)
  13. Some of us have started using a program called Complainterator, written by an anti-spammer well known on the Castlecops website and posted here: http://thecarpcstore.com/phpbb2/viewtopic.php?t=575 It just automates the process of looking up the nameservers for the URL, then writing a very courteous and informative letter about how to shut off the nameserver. Shutting down the nameserver stops spam to multiple spam sites. For instance, if you enter kikaq.hk into the program, it finds out that its nameservers are:
      NS1.AMYLACEOUSWER.COM
      NS1.NOHOEVENTS.COM
      NS2.CHARTEREDBOL.COM
      NS2.UNSELDOMDIG.COM
      These are registered with:
      BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN -- reporting addresses: liwei[at]dns.com.cn, zhaifeng[at]dns.com.cn, huyan[at]dns.com.cn, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn
      MONIKER ONLINE SERVICES, INC. -- reporting address: not preloaded in program; you have to look one up at ICANN and enter it in the program
      BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN -- reporting address: same as above
      DSTR ACQUISITION VII, LLC -- reporting address: support[at]registerapi.com
      Then it composes an email on your mail program to tell them: and writes a separate letter for each nameserver address. If you look up the nameservers on these addresses that Spamcop can't parse, you will see the same names keep coming up: tonsilsbot.com, groupron.com, amylaceouswer.com, belikeyous.com, etc. and the same registrars: Beijing Innovative Linkage Technology (the Chinese government, I think) and Moniker.com (a Florida company which specializes in registrations for people who only want the URL less than 5 days so they can give it up without having to pay, and for people who want anonymous registrations).
      Complaints about nameservers for spamvertised domains do not replace Spamcop reporting, which concentrates on notifying people who can shut down the machines actually sending the spam (especially important now that most spam is sent from malware infected computers owned by innocent home and business users who are not tech savvy enough to realize it until someone files a Spamcop report). And it is only for people who are brave enough to send email from their own addresses and therefore let the registrars know who they are (which they probably can figure out from Spamcop reports too, even though they are munged). Some registrars are better than others at shutting down the nameservers, and since the nameservers I mentioned above are still operating, Moniker and Beijing aren't among the better ones. And someone is cooperating with the spammers, since the address I first used to send reports is getting far less spam than my other addresses, even though they are all spam ads for spamvertised sites on these same servers, i.e., the address in my "from" address in my complaint was removed from the spammer's list. (The email complaint doesn't indicate which address the actual spam was sent to). I expect there may be some type of retaliation if enough people begin to participate to seriously inconvenience the spammers, as there was with the Blue Frog debacle. But I lived through that, so I'll stick my neck out for this.
  14. I have noticed a large number of spams lately, mostly for MyCanadianPharmacy, for which SpamCop cannot find where to send a report for the spamvertised website. A typical parse:
      ...
      Resolving link obfuscation
      http://wununi.umer.hk/?95556205
      Host wununi.umer.hk (checking ip) IP not found ; wununi.umer.hk discarded as fake.
      Tracking link: http://wununi.umer.hk/?95556205
      No recent reports, no history available
      Cannot resolve http://wununi.umer.hk/?95556205
      ...
      They mostly follow the pattern of subdomain.domain.extension/?longnumber If I go to a whois site, I can find information on umer.hk or whatever site it is. I will find there is indeed information on the domain, generally someone's yahoo or hotmail email address, so not very promising as far as finding someone interested in policing the site. There is also information about nameservers, and it will list several, such as:
      NS1.PERCEIVABLENUT.COM
      NS2.TRANSITSTARS.COM
      NS1.OURBOYCOT.COM
      NS2.GRISAILLESAG.COM
      Tracing the whois on those may lead from one nameserver to another, though it usually ends up at moniker.com, a site which advertises itself as providing privacy to domain owners (so spammers can't harvest their whois info to send them spam!). Is it useful to send reports to these registrars which are concealing contact info/abuse addresses? If, as in MyCanadianPharmacy, they are violating U.S. narcotic laws by selling narcotics without prescriptions, and if, as in moniker.com, they are located inside the U.S., is moniker responsible for making sure the sites they are shielding are not carrying on illegal activities?
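Posts 13 and 14 above both make the same observation: the nameserver hostnames behind spamvertised domains keep landing in a handful of parent domains and registrars, and the tool described (Complainterator) writes one letter per nameserver operator. The following is an added example, not the forum's or Complainterator's code, that performs that pivot offline: it reduces each nameserver hostname to its parent domain and ranks the parent domains by how many spamvertised domains they serve. The nameserver names for kikaq.hk and umer.hk are the ones quoted in the posts; the `.invalid` domains are constructed, and the "last two labels" rule is a deliberate simplification (noted in the code) that a production tool would replace with the Public Suffix List.

```python
from collections import defaultdict

# Sample input in the shape a whois or NS lookup would return: spamvertised domain
# -> nameserver hostnames. The first two entries repeat names quoted in the posts;
# the .invalid entries are constructed for the demonstration.
NS_RECORDS = {
    "kikaq.hk": ["NS1.AMYLACEOUSWER.COM", "NS1.NOHOEVENTS.COM",
                 "NS2.CHARTEREDBOL.COM", "NS2.UNSELDOMDIG.COM"],
    "umer.hk": ["NS1.PERCEIVABLENUT.COM", "NS2.TRANSITSTARS.COM",
                "NS1.OURBOYCOT.COM", "NS2.GRISAILLESAG.COM"],
    "example-a.invalid": ["ns2.amylaceouswer.com", "ns1.transitstars.com"],  # constructed
    "example-b.invalid": ["ns1.nohoevents.com", "ns3.amylaceouswer.com"],    # constructed
    "legit-shop.invalid": ["ns1.example.net", "ns2.example.net"],            # constructed
}


def ns_parent_domain(host):
    """Parent domain of a nameserver hostname using the naive 'last two labels' rule.
    Caveat: real code should consult the Public Suffix List, otherwise a name like
    ns1.somehost.co.uk would collapse to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cluster_by_ns_domain(records):
    """Map each nameserver parent domain to the spamvertised domains that use it."""
    clusters = defaultdict(set)
    for domain, nameservers in records.items():
        for ns in nameservers:
            clusters[ns_parent_domain(ns)].add(domain)
    return clusters


def shared_infrastructure(records, min_domains=2):
    """Nameserver parent domains serving at least min_domains spamvertised domains,
    most-shared first; this is the 'same names keep coming up' list from the posts."""
    clusters = cluster_by_ns_domain(records)
    ranked = [(ns, sorted(doms)) for ns, doms in clusters.items()
              if len(doms) >= min_domains]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


def report_targets(records):
    """For each spamvertised domain, the distinct nameserver parent domains a
    separate complaint would be written about (one letter per operator)."""
    return {domain: sorted({ns_parent_domain(ns) for ns in nss})
            for domain, nss in records.items()}


if __name__ == "__main__":
    for ns, domains in shared_infrastructure(NS_RECORDS):
        print(f"{ns}: serves {len(domains)} spamvertised domains -> {', '.join(domains)}")
    for domain, targets in report_targets(NS_RECORDS).items():
        print(f"{domain}: complaints to operators of {', '.join(targets)}")
```

Ranking by shared use is what makes a nameserver complaint worth the risk the poster describes: taking down one heavily reused nameserver domain affects every spamvertised domain in its cluster, whereas a domain whose nameservers appear nowhere else (here, `legit-shop.invalid`) is left out of the shared list entirely.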
  15. I have been getting a ton of spam from MyCanadianPharmacy lately that SpamCop is having trouble dealing with. The URLs in the body each return with a message like the following:
      Resolving link obfuscation
      http://nonsense.someurl.com/12345
      Host nonsense.someurl.com (checking ip) IP not found ; nonsense.someurl.com discarded as fake.
      But if you check out the URL, it does lead to the spamvertised site, so apparently someone on the internet can find what IP number that URL goes to. If you watch it load, all the images are loading from IP 217.170.77.210 on each of the various spamvertised sites. Putting that IP in Spamcop's parser gives the following:
      Parsing input: 217.170.77.210
      host 217.170.77.210 (getting name) no name
      host 217.170.77.210 = db2.sorenssystem.com (old cache)
      host 217.170.77.210 (getting name) no name
      host 217.170.77.210 = db2.sorenssystem.com (old cache)
      Routing details for 217.170.77.210 [refresh/show]
      Cached whois for 217.170.77.210 : admin[at]internet33.com
      Using abuse net on admin[at]internet33.com
      abuse net internet33.com = abuse[at]rtcomm.ru, abuse[at]eltel.net, abuse[at]alfahost.net, postmaster[at]internet33.com, abuse[at]rt.ru
      Using best contacts abuse[at]rtcomm.ru abuse[at]eltel.net abuse[at]alfahost.net postmaster[at]internet33.com abuse[at]rt.ru
      Reports disabled for abuse[at]rtcomm.ru
      Using abuse#rtcomm.ru[at]devnull.spamcop.net for statistical tracking.
      Statistics:
      217.170.77.210 not listed in bl.spamcop.net
      More Information..
      217.170.77.210 not listed in dnsbl.njabl.org
      217.170.77.210 not listed in dnsbl.njabl.org
      217.170.77.210 not listed in cbl.abuseat.org
      217.170.77.210 not listed in dnsbl.sorbs.net
      Reporting addresses:
      abuse[at]eltel.net
      abuse[at]alfahost.net
      postmaster[at]internet33.com
      abuse[at]rt.ru
      Anybody know what's actually going on and how they manage to make the parser believe the URL is fake?
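The post above does two things by hand that a defender can script: it falls back to the address the page's images actually load from when the URL's own hostname will not resolve for the parser, and it runs that address through several DNSBL zones. The following is an added example, not SpamCop's or the forum's code, that reproduces both steps offline. DNSBL lookups really do work by reversing the IPv4 octets and appending the zone name, with a listing answered as an address in 127.0.0.0/8; everything else here is constructed: the HTML snippet, the address 192.0.2.77, and the `FAKE_DNS` table standing in for a resolver (the listing it contains is invented, and nothing is claimed about the address quoted in the post).

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Three of the zones consulted in the SpamCop parse quoted above.
ZONES = ["bl.spamcop.net", "cbl.abuseat.org", "dnsbl.sorbs.net"]


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone name."""
    if ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed stand-in for a DNS resolver: query name -> A record (None = NXDOMAIN).
# The cbl entry is an invented listing; the sorbs entry shows a wildcarded or dead
# zone answering with a public address, which must NOT be read as a listing.
FAKE_DNS = {
    "77.2.0.192.cbl.abuseat.org": "127.0.0.2",
    "77.2.0.192.dnsbl.sorbs.net": "203.0.113.1",
}


def dnsbl_check(ip, zones=ZONES, table=FAKE_DNS):
    """Return {zone: reason code (last octet of the 127/8 answer) or None}."""
    results = {}
    for zone in zones:
        answer = table.get(dnsbl_query_name(ip, zone))
        if answer is not None and ip_address(answer) in ip_network("127.0.0.0/8"):
            results[zone] = int(answer.split(".")[-1])
        else:
            results[zone] = None
    return results


IMG_SRC = re.compile(r"""<img[^>]+src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def image_hosts(html):
    """Hosts the page's images load from; relative URLs have no host and are skipped."""
    hosts = set()
    for src in IMG_SRC.findall(html):
        host = urlsplit(src).hostname
        if host:
            hosts.add(host)
    return hosts


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(html, zones=ZONES, table=FAKE_DNS):
    """Check every image-serving IP literal in the page against the DNSBLs.
    Hostnames (not literals) would first need resolving; they are left out here."""
    return {host: dnsbl_check(host, zones, table)
            for host in sorted(image_hosts(html)) if is_ip_literal(host)}


# Constructed page body: two images from one IP literal plus one relative image.
SAMPLE_HTML = """<html><body>
<img src="http://192.0.2.77/images/logo.gif">
<img src='http://192.0.2.77/images/product.jpg'>
<img src="/local/spacer.gif">
</body></html>"""

if __name__ == "__main__":
    for ip, verdicts in triage(SAMPLE_HTML).items():
        print(ip, verdicts)
```

Two points worth keeping from the code: the 127/8 check is what separates a genuine listing from a zone that has been retired and wildcarded to a public address, and the image-host pivot only yields something checkable when the source is an IP literal, which is exactly the situation the post describes.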