Showing results for tags 'zombie hacked bogon spam'.
Hello: I don't know lots about networks, and here is my problem: Since February I am receiving tons of spam. The messages have a link like:

    http://zzzzz.standida.com/c.php?aid=xxx&lid=yyyy

where x, y, z are message-specific numbers (zzzzz seems to identify the target email). The link redirects to another link like

    http://xtremehealthfit.com/jajbua71u/WWWW/?e=mail[at]something.com&s=XXXXXX

And finally, it takes you to an offending site (porn, scam, dating....). Spammers are using lots of different domains, but they all point to an IP in AS36263. The most used IP is 67.159.200.132. But other addresses are used, and it seems hackers control several entire subnetworks in this AS, since all IPs are in netblocks assigned to "Forona":

  • Subnet 98.142.176.0/20 (98.142.176.0 - 98.142.191.254): Proxy route for FORONA by MZIMA
  • Subnet 173.195.96.0/20 (173.195.96.0 - 173.195.111.254): Forona Technologies
  • Subnet 64.234.112.0/20 (64.234.112.0 - 64.234.127.254): Proxy route for forona technologies by mzima
  • Subnet 216.10.64.0/20 (216.10.64.0 - 216.10.79.254): Forona Technologies
  • Subnet 67.159.192.0/20 (67.159.192.0 - 67.159.207.254): Forona technologies

[Full info here: http://ipinfo.io/AS36263]

Now, if you check routing tables for this AS you will find something like:

    show ip bgp 67.159.200.132
    3277 39710 9002 3356 3361 36263
    286 3356 3361 36263
    7018 2828 3361 36263

Which means that all routes have to pass through AS3361 before reaching the "backbone".

Now, if you make a trace you will find that the last hops look like this (info from http://ipduh.com/ip/traceroute/):

    4.53.145.146  4.53.145.146  AS3356 (Level3 com)
    [*] [*] [*]
    [*] [*] [*]
    unused-216-168-56-242.forest.net.  216.168.56.242  AS11739
    67.159.200.132  67.159.200.132  AS36263

I expected to find AS3361 between AS3356 and AS36263, but I found AS11739 (registered to Digital Forest, dfcolo.com), which according to ipinfo.io does not have IP addresses.

However, AS3361 does have IP addresses, and AS3361 is registered to Spectrum Networks / Digital Fortress (dfcolo.com, which also is listed in AS36263). So we have here a zombie network, used for SPAMMING. And it looks exactly like the case of "McColo" (sounds like DFColo!!), which involved grave cybercrime (see https://en.wikipedia.org/wiki/Brian_Krebs ).

As I stated, I am not a network expert. I would like to ask for your help in ending this possible cybercrime. I sent information to ICANN / ARIN but it seems I was ignored. Maybe I could contact Brian Krebs, but I would like to have other options. Do you think it would work contacting level3.com? Thanks.
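The comparison the poster made by hand (which upstream AS every BGP path to the prefix passes through, versus which AS appears just before the origin in a traceroute) can be scripted. The example below is added here and is not code from the post or from SpamCop; the AS paths and hop-to-AS mappings are constructed from the values quoted above, and the functions are general enough to run over any `show ip bgp` path listing and any traceroute annotated with ASNs.

```python
# Constructed sample data: the AS paths from `show ip bgp 67.159.200.132` and the
# traceroute hops quoted in the post. The origin AS is the last ASN on each path.
BGP_PATHS_TEXT = """
3277 39710 9002 3356 3361 36263
286 3356 3361 36263
7018 2828 3361 36263
"""
# (ip, asn) per hop; (None, None) marks a hop that did not answer ([*]).
TRACEROUTE_HOPS = [("4.53.145.146", 3356)] + [(None, None)] * 6 + [
    ("216.168.56.242", 11739), ("67.159.200.132", 36263)]


def parse_as_paths(text):
    """One AS path per non-blank line, as a list of ints."""
    return [[int(f) for f in line.split()] for line in text.splitlines() if line.strip()]


def origin_as(paths):
    """The origin is the last ASN of every path; refuse inconsistent input."""
    origins = {p[-1] for p in paths}
    if len(origins) != 1:
        raise ValueError(f"paths announce different origins: {sorted(origins)}")
    return origins.pop()


def mandatory_transits(paths):
    """ASNs present on every path, origin excluded. A single member means every
    known route funnels through one upstream (the post's claim about AS3361)."""
    common = set(paths[0]).intersection(*map(set, paths[1:]))
    common.discard(origin_as(paths))
    return common


def traceroute_as_sequence(hops):
    """ASNs crossed by answering hops, in order, consecutive repeats collapsed."""
    seq = []
    for _ip, asn in hops:
        if asn is not None and (not seq or seq[-1] != asn):
            seq.append(asn)
    return seq


def upstream_check(paths, hops):
    """Compare the BGP-mandatory upstreams with the AS seen just before the origin
    in the traceroute. Returns (expected_upstreams, observed_asn, consistent)."""
    expected = mandatory_transits(paths)
    seq = traceroute_as_sequence(hops)
    origin = origin_as(paths)
    observed = None
    if origin in seq and seq.index(origin) > 0:
        observed = seq[seq.index(origin) - 1]
    return expected, observed, observed in expected
```

On the post's data this reports that BGP makes every path transit AS3361 while the traceroute shows AS11739 before the origin. Note that traceroute maps each hop's interface address to an AS, which does not always match the control-plane AS path, so a mismatch is a lead to verify with the registries and upstream abuse desks rather than proof on its own.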