mrmaxx

mounthard.com


For some reason, I can't resolve the IP here at home and neither can SpamCop. However, Traceroute.org from a Russian server does trace it to 85.120.94.61. Unfortunately, it appears that the spammer owns the entire net block from what I can find on the web. The upstream appears to be tinet.net. Recommend we forward this crap automatically (even if SpamCop can't resolve it) to abuse[at]tinet.net.

Not sure how the spammer plans on getting US customers if we can't resolve their IP address, but it seems to be working from outside the USA. <_<

I neglected to get the report URL, however, here's another domain name, growshuge.com, that is owned by the same spammer: http://mailsc.spamcop.net/mcgi?action=gett...rtid=5781147644

Edited by mrmaxx


Robtex.com currently resolves it mrmaxx (ignoring the cover page "No Results") and hitting the "Go directly to information page" link, confirming the IP address you found. It is yet another domain in the yandex.ru empire with nameservers ns1.greenxx.ru and ns2.greenxx.ru which are slightly lame at the moment. According to just-ping.com it resolves throughout most of the US (and most of the rest of the world). I'm thinking there might just have been a "momentary glitch" and that, in time, it will be back to full service (we can hardly wait :P - sorry).

The website is not coming up at all according to watchmouse.com but the literal (http:// 85.120.94.61/) looks like it presently works as a "side door" to the secure (https) viagrow.net webserver. Tempting to think it is all a bit of unintentional bungling on the network side and they'll get it right soon enough. The IP-address is shared with *.viagrow.ru, *.wowmonster.ru, blowboner.com, blowhuge.com, growsboner.com, mountnow.com, viagrow.ru, and www.wowmonster.ru and maybe others. I think I'm picking up some sort of trend or tendency here, maybe it is even worse than General Jack D. Ripper thought :D

Can only conclude you are absolutely right - it should be reported and probably not direct to the Romanian hosting network (S.C. Arnet Connection S.R.L.) which is maybe complicit on the balance of probability - haven't checked Spamhaus though. I don't think SC indulges such contortions though (a consideration of catch-as-catch-can record maintenance), but would be delighted to learn otherwise. This is maybe more the territory of The Complainterator?


[snip]

Can only conclude you are absolutely right - it should be reported and probably not direct to the Romanian hosting network (S.C. Arnet Connection S.R.L.) which is maybe complicit on the balance of probability - haven't checked Spamhaus though. I don't think SC indulges such contortions though (a consideration of catch-as-catch-can record maintenance), but would be delighted to learn otherwise. This is maybe more the territory of The Complainterator?

Yeah. That's why I suggested the upstream, tinet.net. :D According to a quick/dirty Google Search it appears that the hoster *may* be the spammer and they just bought themselves a /24 so they'd have some room to jump servers around if one IP gets blocked. I sent a manual complaint to tinet.net since they refuse user-copied submissions.

Here's your answer: http://www.spamhaus.org/sbl/query/SBL118978:

Ref: SBL118978

85.120.94.0/23 is listed on the Spamhaus Block List (SBL)

85.120.94.0/23 is listed on the Don't Route or Peer List (DROP)

2012-03-28 14:07:05 GMT | SR15 | tinet.net

dedicated cybercriminal spammer block

The *entire* /23 is listed...so why can't we just have SC report that entire /23 block up to the peer, Tinet.net?

Edited by mrmaxx


Fixed!

Thanks!

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

SC is still not resolving this so it can be reported. Is there anything we can do about that?


SC is still not resolving this so it can be reported. Is there anything we can do about that?

Pings are still a bit ratty but the website is now responding (from Perth and most other places) though with responses often in the hundreds of milliseconds range.

Initiating server query ...

Looking up IP address for domain: mounthard.com

The IP address for the domain is: 85.120.94.61

Connecting to the server on standard HTTP port: 80

[Connected] Requesting the server's default page.

The server returned the following response headers:

HTTP/1.1 200 OK

Date: Sun, 03 Jun 2012 20:20:34 GMT

Server: Apache/2.2.14 (Ubuntu)

X-Powered-By: PHP/5.3.2-1ubuntu4.5

Landing: http:// www.growsvery.com

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 9126

Connection: close

Content-Type: text/html

Query complete.

"growsvery.com"! another side entry!

I think the DNS record is healing itself/propagating and SC should start picking it up. Unless they somehow block SC lookups. I'm not even sure if they could do that with an entire /23?
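As an added example (not from the thread, SpamCop or Spamhaus), this Python sketch ties together the two observations above: the non-standard "Landing" response header that exposes the spammer's next side-door domain, and the fact that a single SBL/DROP-listed /23 covers every address they have to move between. The netblock table and the sample response text are constructed from values quoted in the thread; the abuse contact is the upstream named there.

```python
import ipaddress

# Constructed lookup table from the thread's quoted listing (SBL118978: 85.120.94.0/23,
# upstream tinet.net). A real tool would pull the current DROP list from Spamhaus.
LISTED_BLOCKS = {ipaddress.ip_network("85.120.94.0/23"): "abuse@tinet.net"}

# Constructed sample: the response head pasted in the thread (link break removed).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Sun, 03 Jun 2012 20:20:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Landing: http://www.growsvery.com
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9126
Connection: close
Content-Type: text/html
"""

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # a blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def landing_host(raw: str):
    """Return the hostname advertised by the non-standard 'Landing' header, or None."""
    value = parse_headers(raw).get("landing")
    if not value:
        return None
    host = value.split("://", 1)[-1].split("/", 1)[0].strip().lower()
    return host or None

def listed_contact(ip: str):
    """Return the abuse contact for the listed block containing ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in LISTED_BLOCKS.items() if addr in net), None)

def triage(observations: list) -> dict:
    """Group (domain, ip) observations by IP so one report can cover all the side doors."""
    by_ip = {}
    for domain, ip in observations:
        entry = by_ip.setdefault(ip, {"domains": [], "contact": listed_contact(ip)})
        entry["domains"].append(domain)
    return by_ip
```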


Pings are still a bit ratty but the website is now responding (from Perth and most other places) though with responses often in the hundreds of milliseconds range.

"growsvery.com"! another side entry!

I think the DNS record is healing itself/propagating and SC should start picking it up. Unless they somehow block SC lookups. I'm not even sure if they could do that with an entire /23?

Well, I got another one that I suspect belongs to this spammer...hurrywow.com, which is not resolving. :( Manual report sent to abuse[at]tinet.net

Got another one that's not resolving: hurrysized.com -- also 85.120.94.61


Querying those on port 80 resolves for me at the moment. I get "Landing: http://www.hurrygrew.com" from hurrysized.com. Just endless, isn't it? Just as it looks like getting to normal DNS resolution promulgated and cached they throw in another domain name. And that's just using one IP address. Only 509 to go before they have to retrace their steps.

http://www.intodns.com/ does a DNS health check from cached records for any of these. It ain't pretty. I suppose the upside is the realisation that they're not turning themselves inside out just for fun - the pressure from the anti-spamming community (now including you) is presumably what makes these contortions necessary.


Querying those on port 80 resolves for me at the moment. I get "Landing: http://www.hurrygrew.com" from hurrysized.com. Just endless, isn't it? Just as it looks like getting to normal DNS resolution promulgated and cached they throw in another domain name. And that's just using one IP address. Only 509 to go before they have to retrace their steps.

http://www.intodns.com/ does a DNS health check from cached records for any of these. It ain't pretty. I suppose the upside is the realisation that they're not turning themselves inside out just for fun - the pressure from the anti-spamming community (now including you) is presumably what makes these contortions necessary.

Well, I'm getting another that I have to go outside to resolve. Currently my trick is to go to some central or eastern-European site on traceroute.org to get it to resolve, then come back here. Doesn't help because tinet won't accept user-copied reports, but oh, well...

Anyway, another one is lastsized.com


Well, I'm getting another that I have to go outside to resolve.

My hotmail account is being bombed by yahoo on a child porn site hosted by ovh.net (which appears rogue).

Went outside of SpamCop as messages are ignored by both Yahoo and OVH. Had the child porn spammer kicked out of Germany and the Netherlands, but he has found OVH.net in France, who do nothing. Months ago I reported the site to a pedophile reporting site in France and had this reply today (site is still up).

Hello,

Thank you for your report.

As this pornographic page is hosted in France and does not comply with French legislation, it was reported to the French police.

Best regards,

L'équipe Point de contact.net - Assistance contre les contenus illégaux

http://www.pointdecontact.net


http://www.pointdecontact.net seems like a good contact for serious criminality cases with French associations, petzl - we shall see. OVH.net seem to have gone totally rogue as you suggest, they had a lousy reputation before, even without adding (suspected) kiddy porn.

http://www.webhostingtalk.com/showthread.php?t=868688

http://www.spamhaus.org/sbl/listings/ovh.net

No immediate result you say, but I wouldn't be giving up on it too soon in any event - it would typically take time before the police might act, compounded by a different legal system in France with evidence requirements probably even more rigorous than in the "adversarial" system with which most of us are more familiar.

mrmaxx's Russian/Ukrainian/Romanian friends seem to be into porn as well (Robtex warns - or promises :blink: - that a high proportion of the sites hosted under the AS number involved are porn or "sensitive"). But porn per se may not be illegal most places.


http://www.pointdecontact.net seems like a good contact for serious criminality cases with French associations, petzl - we shall see. OVH.net seem to have gone totally rogue as you suggest, they had a lousy reputation before, even without adding (suspected) kiddy porn.

It is child porn

(in Australia this is defined by anyone under 18 or looking under 18; Germany seems to have under 18 then under 14? OVH.net France has both types. Trouble is for me in Australia just checking a child porn site is an offense, no excuses AFAIK; the sites do not indicate illegal content, just "teen"). I had in this case the German Police and the Dutch police shut those sites down but the spammer has found a friend in ovh.net? France has taken longer; I do think as you suggest the French Police are more thorough as when police make a charge you have to prove innocence of guilt (not innocent until proven guilty).

Beauty about SpamCop is all spam and reports are held by SpamCop for a time (90 days?) and available to anyone for the asking. The spammer keeps sending and I don't give up.

Edited by petzl


New domain name which is not resolving: flushpenis.com. I was able to traceroute it back to 188.132.163.213, which should be reported to abuse[at]dedicatedturk.com
