dra007

Need Help


Can anyone help me find the upstream ISP for 82.76.216.52? This IP has sent me viruses daily for the last 3 months. My request for assistance to their abuse desk was answered immediately with another virus (below). I already reported them to ORDB; nothing seems to stop them.

This is a confirmation from ORDB.org

You have submitted the following hosts for checking by the ORDB.org system.

Will test:  82.76.216.52. Your comment: the abuse desk of this IP answers to my queries with more viruses

Thank you for using ORDB.org

Return-Path: <bbb[at]zzz.org>

Received: from mb1i1.ns.pitt.edu (mb1i1.ns.pitt.edu [136.142.185.161])

          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)

          ID <OAA20883[at]imap.srv.cis.pitt.edu> for < B) [at]imap.pitt.edu>;

          Sat, 3 Jul 2004 14:25:50 -0400 (EDT)

From: bbb[at]zzz.org

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)

id <01LC10INXWLC00KHPB[at]mb1i1.ns.pitt.edu> for B) [at]imap.pitt.edu; Sat,

3 Jul 2004 14:25:50 EDT

Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462)

with ESMTP id <01LC10IJM8HS00GPJX[at]mb1i1.ns.pitt.edu> for  B) [at]imap.pitt.edu;

Sat, 03 Jul 2004 14:25:49 -0400 (EDT)

Date: Sat, 03 Jul 2004 21:25:41 +0300

Subject: Re: Your text

To:  B) [at]imap.pitt.edu

Message-id: <01LC10IKZZWY00GPJX[at]mb1i1.ns.pitt.edu>

MIME-version: 1.0

Content-type: multipart/mixed; boundary="Boundary_(ID_qy6J5bQ4jvEuseQOsK4HSQ)"

X-Priority: 3

X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_qy6J5bQ4jvEuseQOsK4HSQ)

Content-type: text/plain; charset="Windows-1252"

Content-transfer-encoding: 7bit

Here is the file.

--Boundary_(ID_qy6J5bQ4jvEuseQOsK4HSQ)

Content-type: text/plain; name=replaced.txt

Content-disposition: attachment

Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically

removed by the University's electronic mail systems because such attachments

may contain computer viruses, worms, or other potentially malicious software

code.  If you were expecting to receive a message from this sender including

an attached executable file (.exe), batch file (.bat), or others, and you

know the identity of the sender, you should contact the sender to make other

arrangements to receive the file.

Please contact the Technology Help Desk at 412 624-HELP [4357] for additional

information or assistance.  Further information on message attachment removal

is available online at http://technology.pitt.edu/security/index.html.  Thank

you.

--Boundary_(ID_qy6J5bQ4jvEuseQOsK4HSQ)--


I found some interesting additional information about the ISP serving the above IP:

An accompanying mail was sent to the following addresses which

are thought to be responsible for domain(s), IP blocks, ASN, or

nameservers associated with the origin point:

    iq[at]rdsnet.ro

Message abstract:

  Message ID: <b08401c454f8$2bffa65d$9c7ad457[at]umfxipb>

  Originating IP address:

      80.96.34.178 ()

  ASN: 8708

  ASN Description: Romania Data Systems S.A.

  CIDR: 80.96.32.0/19

  The following (if any) queryable spam-related information is

  associated with the originating IP and/or domain:

 

IP 80.96.34.178 () is known to SpamHaus as a source or relay of

spam.

See: http://www.spamhaus.org/

   

Classification(s):

  - Illegal 3rd party exploits, including proxies, worms and trojans.

For more information on this host, see:

    http://www.spamhaus.org/query/bl?ip=80.96.34.178

Please address these issues.

  - Composite Blocklist: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=80.96.34.178

  - DSBL Proxy:        http://dsbl.org/listing?ip=80.96.34.178

  Additional resources of possible interest:

    http://www.senderbase.org/?searchBy=ipaddr...ng=80.96.34.178

    http://openrbl.org/lookup?i=80.96.34.178

    http://groups.google.com/groups?scoring=d&...8+group:*abuse*


An update to my attempt to contact the offending site: a direct response in which I am advised to contact their lawyer! The audacity of this spam gang is beyond belief. Can anyone help me find the upstream ISP of this idiot?


http://bgp.potaroo.net/cgi-bin/as-report?as=AS8708

Report for AS8708

Name - RDSNET Romania Data Systems S.A.

AS Adjacency Report

In the context of this report "Upstream" indicates that there is an adjacent AS that lies between the BGP table collection point (in this case at AS4637) and the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description of relative topology, and should not be confused with provider / customer / peer inter-AS relationships.

48 AS8708 RDSNET Romania Data Systems S.A.

Adjacency: 61 Upstream: 2 Downstream: 59

Upstream Adjacent AS list

AS3356 LEVEL3 Level 3 Communications

AS3549 GBLX Global Crossing Ltd.

07/04/04 00:57:20 Slow traceroute 82.76.216.52

Trace 82.76.216.52 ...

67.17.65.58 RTT: 132ms TTL:176 (so2-0-0-2488M.ar2.FRA3.gblx.net ok)

67.17.159.102 RTT: 133ms TTL:176 (Romania-Data-Systems.so-1-3-2.ar2.FRA3.gblx.net ok)

193.231.252.233 RTT: 161ms TTL:176 (buh1-gsr1-p6-0.rdsnet.ro bogus rDNS: host not found [authoritative])

193.231.252.75 RTT: 167ms TTL:176 (buch1-qos.rdslink.ro bogus rDNS: host not found [authoritative])

193.231.252.73 RTT: 163ms TTL:176 (buh1-cr1-vlan4.rdsnet.ro bogus rDNS: host not found [authoritative])

82.76.241.5 RTT: 162ms TTL:176 (No rDNS)

82.76.216.52 RTT: 182ms TTL:110 (No rDNS)


Interesting Wazoo, thank you...am I to understand that

Upstream Adjacent AS list

    AS3356    LEVEL3 Level 3 Communications

    AS3549    GBLX Global Crossing Ltd.

Those two above are upstream ISPs as well? I get spam from both daily (and they obviously don't act on it) ...I just need to find the ISP upstream of RDSNET Romania Data Systems S.A.

...ask why the abuse desk of Data System is so abusive...and whether anyone can take some action to stop the trojan flow from the downstream ISP. I got a dozen Netsky attachments from them today alone and this has been going on for some time..

Also note that they have no reverse DNS...however ORDB could not get past their firewall...

Edited by dra007


As stated in the "definition" .. the next level up reads as;

11 AS4637 REACH Reach Network Border AS

Adjacency: 250 Upstream: 0 Downstream: 250

Then we drop down to what you asked for;

48 AS8708 RDSNET Romania Data Systems S.A.

Adjacency: 61 Upstream: 2 Downstream: 59

Upstream Adjacent AS list

AS3356 LEVEL3 Level 3 Communications

AS3549 GBLX Global Crossing Ltd.

So let's say that Reach owns the optic fiber inter-continental network, Level3 and Glbx buy their bandwidth from them and sell it to others .... I offered a traceroute from my end and at that time the connection path went through Glbx, then to RDS ... so, with those data points, the upstream of the connection I showed is Glbx ....

OrgAbuseHandle: GBLXA-ARIN

OrgAbuseName: GBLX-Abuse

OrgAbusePhone: +1-800-404-7714

OrgAbuseEmail: abuse[at]gblx.net

OrgNOCHandle: GBLXN-ARIN

OrgNOCName: GBLX-NOC

OrgNOCPhone: +1-800-404-7714

OrgNOCEmail: gc-noc[at]gblx.net

and just to flesh out the data bits;

6 AS3549 GBLX Global Crossing Ltd.

Adjacency: 496 Upstream: 8 Downstream: 488

Upstream Adjacent AS list

AS1221 ASN-TELSTRA Telstra Pty Ltd

AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd

AS1239 SPRN Sprint

AS4637 REACH Reach Network Border AS

AS5693 INTELE-13 InteleNet Communications, Inc.

AS27354 LAYER LayerOne Holdings, Inc.

AS10026 ANC Asia Netcom Corporation

AS701 UU UUNET Technologies, Inc.


Thank you Wazoo, I appreciate your help. I am getting a picture of the Data System being a cover for spam and abuse. My knowledge is limited at this point, but it also seems that they may exploit upstream servers to send spam. I will see if my query to their help/abuse desk will remain silent. All I was able to get from them in the past were automated replies.

PS. Interestingly, just after typing the first paragraph I got an e-mail from tim[at]rdsnet.ro

arguing around the following link (IP in question) that my complaints should not go to him. In the same vein he shows a lot of bravado, saying he is not afraid of American laws and is not planning to come to the US. He ends up blaming US spammers for my grief. I do not follow that logic. I don't know what to make of this.

--------------------

edited July 6,

tim[at]rdsnet.ro, whose real name is Bogdan Surdu (tr. the deaf), has been sighted as an originator of the VIAGRA spams that we all hate so much! This particular spam looks awfully familiar!

Edited by dra007

they may exploit upstream servers to send spam

not really much exploitation. At this level, spam is probably just a very small percentage of all traffic routed, so the cost of actually doing something to filter/block it out is probably seen as more expensive than just continuing to pay the bandwidth bill.

that my complains should not go to him

Technically, this is correct. That address is listed as being one who "handled some data changes" ... actual tech points of contact, issues and complaints would go to the only contact address offered, possibly the owner (?) at iq <at> rdsnet.ro ... but, as you'll notice in the RIPE listing, hostmaster <at> rnc.ro shows up all over the place ... going to www.rnc.ro shows the blurb;

RNC is a national project co-ordinated and established by Department of Research, Ministry of Education and Research targeted on the objectives related to research and development activity.

Also the line; WHOIS.ROTLD.RO - the new WHOIS server for .ro domains ..... from there, http://www.rnc.ro/new/finra.shtml lists and defines what is supposed to be in the registration fields, leading one to search out the admin-c and tech-c addresses, as these are the folks that should have some control (?) over what happens on their network.


I find it interesting that some of these domains, supposedly funded by western grants (at least in part), are also listed in ROKSO:

Since November, 2003, a spam gang has been operating out of Romania. They

routinely host some of the worst ROKSO spammers in what has come to be known

as "clustering," where a group of spammers will flock from place-to-place as

a cluster. Spammers include Alan Ralsky, LMIHosting, Oromar Mollica,

Evidence-Eliminator, Webfinity (Python), Tim Goyetche, Damon DeCrescenzo,

and others.

Their MO is to get a new SWIP, usually a /23, but sometimes a /24 or /22,

get a new ASN, and get an established Romanian network to announce them (and

to colocate their servers). As soon as they are "up," the spammers pile on,

just as in their previous incarnation. This is evidently done by paying

hosts to turn a blind eye, as the spam complaints roll in immediately for

spamvertised websites and bulletproof DNS, but the hosting continues

indefinitely, or takes small detours as they play hide-and-seek games with

the routing.

There have been (as of this writing) 83 SBL listings directly related to

this gang. Some of the more notable listings include these:

/snip

81.180.202.0/23 rdsnet.ro

SBL16436 Linux Security Systems - Telecom SRL

/snip

195.225.144.0/22 rdsnet.ro

SBL16274 SC System Area SRL (systemarea.ro) / LSS-HOLDING

193.27.196.0/23 rdsnet.ro

SBL16273 SC System Area SRL (systemarea.ro)

/snip

141.85.14.0/23 rdsnet.ro

SBL15988 ABOUT-ARTS.COM

193.25.188.0/23 rdsnet.ro

SBL15606 HORADONET

/snip

193.27.84.0/23 rdsnet.ro

SBL14522 SC DELTA ELECTRIC IMPEX SRL [AS31088]

193.27.72.0/23 rdsnet.ro

SBL14260 ElDorado Networks (AS31039)

193.19.114.0/23 rdsnet.ro

SBL14124 Virtual NET (AS31007)

81.180.87.0/24 rdsnet.ro

SBL14123 SC SOROCAM SRL (AS31007)

80.97.54.0/24 rdsnet.ro

SBL12726 SC MW Trade Groupage SRL (AS29203)

81.180.103.0/24 rdsnet.ro

SBL12725 SC MW Trade Groupage SRL (AS29203)

/snip

81.180.85.0/24 rnc.ro

SBL10758 Webfinity/Dynamic Pipe

18n-ready.com; www.hackedpasses.net; www.stop-payingforporn.com

Strangely enough, the person I exchanged e-mails with also signs as Tim (one of the spammers: <tim[at]extreme.ro> Sent: Sunday, July 04, 2004 5:59 AM)

...coincidence perhaps...He claims his IP was spoofed in the offending e-mails...

Edited by dra007


Update.

I got two mixed replies from RNC. Basically they claim they do not have any authority in the issue, but if the request comes from the responsible ISP they may do something. Seems at this stage everybody is passing the hot potato.

I got a few more viruses since yesterday, they seem to be stuck on Netsky:

UNIVERSITY OF PITTSBURGH's virus protection service has detected a potential

email virus. This suspicious message has been quarantined in

your UNIVERSITY OF PITTSBURGH Message Center:

    From: cameliamaier[at]k.ro

    Subject: Re: Extended Mail

    Virus: W32/Netsky.p[at]MM!zip

You can read the message without infecting your computer.

Click on the link to access your UNIVERSITY OF PITTSBURGH Message Center:

It comes from an IP that answered my abuse requests claiming innocence..

and this one below I got this morning from the IP in the above thread, which also claims innocence:

Return-Path: <someone[at]somewhere.com>

Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])

          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)

          ID <WAA14181[at]imap.srv.cis.pitt.edu> for < :rolleyes: [at]imap.pitt.edu>;

          Sun, 4 Jul 2004 22:55:40 -0400 (EDT)

From: someone[at]somewhere.com

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)

id <01LC2WM47Q2O004WY0[at]mb2i1.ns.pitt.edu> for  :rolleyes: [at]imap.pitt.edu; Sun,

4 Jul 2004 22:55:40 EDT

Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462)

with ESMTP id <01LC2WLZCKDQ0051E3[at]mb2i1.ns.pitt.edu> for  :rolleyes: [at]imap.pitt.edu;

Sun, 04 Jul 2004 22:55:36 -0400 (EDT)

Date: Mon, 05 Jul 2004 05:55:27 +0300

Subject: Re: Hello

To:  :rolleyes: [at]imap.pitt.edu

Message-id: <01LC2WLZOT5C0051E3[at]mb2i1.ns.pitt.edu>

MIME-version: 1.0

Content-type: multipart/mixed; boundary="Boundary_(ID_TKXF8EPXTFhmNaX8BzvmKw)"

X-Priority: 3

X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_TKXF8EPXTFhmNaX8BzvmKw)

Content-type: text/plain; charset="Windows-1252"

Content-transfer-encoding: 7bit

Please read the attached file.

--Boundary_(ID_TKXF8EPXTFhmNaX8BzvmKw)

Content-type: text/plain; name=replaced.txt

Content-disposition: attachment

Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically

removed by the University's electronic mail systems because such attachments

may contain computer viruses, worms, or other potentially malicious software

code.  If you were expecting to receive a message from this sender including

an attached executable file (.exe), batch file (.bat), or others, and you

know the identity of the sender, you should contact the sender to make other

arrangements to receive the file.

Please contact the Technology Help Desk at 412 624-HELP [4357] for additional

information or assistance.  Further information on message attachment removal

is available online at http://technology.pitt.edu/security/index.html.  Thank

you.

--Boundary_(ID_TKXF8EPXTFhmNaX8BzvmKw)--

PS. I filed a complaint with the agency that deals with fraud (https://www.efrauda.ro/admin/default.htm). Hope that will have some results.

Edited by dra007


That Romania Data Systems has a pretty inflated name for an abusive ISP. I got a bounce and another virus from them after sending reports to various agencies:

__________________

(edited July 6)

There is a lot of data here on spamspew funneled out of

Romania Data Systems. I am sure spam like that was received by most people here. You will note they have a connection with both Korean and Brazilian web-advertised sites.

___________________

Hi. This is the qmail-send program at rdsnet.ro.

I'm afraid I wasn't able to deliver your message to the following addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

<abuse[at]rdsnet.ro>:

Return-Path: <staff[at]list.cashculture.com>

Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])

          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)

          ID <MAA06517[at]imap.srv.cis.pitt.edu> for < ;) [at]imap.pitt.edu>;

          Mon, 5 Jul 2004 12:03:52 -0400 (EDT)

From: staff[at]list.cashculture.com

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)

id <01LC3O5BJSB4004PTZ[at]mb2i1.ns.pitt.edu> for  ;) [at]imap.pitt.edu; Mon,

5 Jul 2004 12:03:51 EDT

Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462)

with ESMTP id <01LC3O555FB8004XVM[at]mb2i1.ns.pitt.edu> for  ;) [at]imap.pitt.edu;

Mon, 05 Jul 2004 12:03:50 -0400 (EDT)

Date: Mon, 05 Jul 2004 19:03:35 +0300

Subject: Re: Excel file

To:  ;) [at]imap.pitt.edu

Message-id: <01LC3O55DTMW004XVM[at]mb2i1.ns.pitt.edu>

MIME-version: 1.0

Content-type: multipart/mixed; boundary="Boundary_(ID_E3Wf3DBDMQ1FjPiRiVzowQ)"

X-Priority: 3

X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_E3Wf3DBDMQ1FjPiRiVzowQ)

Content-type: text/plain; charset="Windows-1252"

Content-transfer-encoding: 7bit

Please have a look at the attached file.

--Boundary_(ID_E3Wf3DBDMQ1FjPiRiVzowQ)

Content-type: text/plain; name=replaced.txt

Content-disposition: attachment

Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically

removed by the University's electronic mail systems because such attachments

may contain computer viruses, worms, or other potentially malicious software

code.  If you were expecting to receive a message from this sender including

an attached executable file (.exe), batch file (.bat), or others, and you

know the identity of the sender, you should contact the sender to make other

arrangements to receive the file.

Please contact the Technology Help Desk at 412 624-HELP [4357] for additional

information or assistance.  Further information on message attachment removal

is available online at http://technology.pitt.edu/security/index.html.  Thank

you.

--Boundary_(ID_E3Wf3DBDMQ1FjPiRiVzowQ)--

Edited by dra007


Well done dra007 - I shall harbour no more suspicions that you might be just a little paranoid, those damned Transylvanians really have tracked you down to Pennsylvania. Seriously though, I for one will be interested in how this all turns out. This is the first actual (as opposed to mythical) case of its type I know of.


Thank you Farelf. For all I know I might be related to Vlad the Impaler aka Dracula myself, so they might get a dose of their own medicine. And I am not talking Viagra. By the way, Dracula was a real medieval king (1400's), named so because he belonged to a Crusader's Order of the Dragon (dracul = the devil or dragon in Romanian). I filed complaints with everyone including their Ministry of Informatics/Computer Networking and the FTC on this side of the ocean.

Edited by dra007


I still don't understand how dra007 knows that the abuse desk is sending hir viruses. The viruses come from the same IP address but that does not mean that the abuse desk is sending them to hir on purpose - or anyone, for that matter, viruses generally are randomly generated and the owner of the machine does not know they are being sent.

However, if s/he creates enough stir, perhaps someone else will see that there really is a problem with both spammers and viruses on this network. The squeaky wheel gets the grease and not everyone has time to track down addresses to complain to.

Miss Betsy


Well, the update is that I got another attack, this time from the site dealing with their Research and Development. My suspicions were only confirmed: they are all corrupt and in cahoots with each other. In fact the rnc (http://www.rnc.ro/new/finra.shtml) site has been listed in ROKSO before:

81.180.85.0/24 rnc.ro

SBL10758 Webfinity/Dynamic Pipe

18n-ready.com; www.hackedpasses.net; www.stop-payingforporn.com

Here is their footprint:

Received: from source ([217.156.87.150]) by exprod7mx53.postini.com ([12.158.38.251]) with SMTP;

Tue, 06 Jul 2004 01:00:49 EDT

From: lohn[at]k.ro

To: :ph34r: [at]pitt.edu

Subject: Re: document_all

Date: Tue, 6 Jul 2004 08:04:34 +0300

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0016----=_NextPart_000_0016"

X-Priority: 3

X-MSMail-Priority: Normal

X-pstnvirus: W32/Netsky.p[at]MM

boundary="

--------------------------------------------------------------------------------

Date: Tue, 6 Jul 2004 08:04:34 +0300

From: lohn[at]k.ro

To:  :ph34r: [at]pitt.edu

Subject: Re: document_all

Please read the attached file!

Attachments:

application/octet-stream

Received: from source ([217.156.87.150]) by exprod7mx5.postini.com ([12.158.38.251]) with SMTP;

Tue, 06 Jul 2004 00:00:14 CDT

From: grv[at]aol.com

To: :ph34r: [at]pitt.edu

Subject: Mail Delivery (failure :ph34r: [at]pitt.edu)

Date: Tue, 6 Jul 2004 08:03:57 +0300

MIME-Version: 1.0

Content-Type: multipart/related;

type="multipart/alternative";

boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"

X-Priority: 3

X-MSMail-Priority: Normal

X-pstnvirus: Exploit-MIME.gen.c

boundary="

--------------------------------------------------------------------------------

Date: Tue, 6 Jul 2004 08:03:57 +0300

From: grv[at]aol.com

To: :ph34r: [at]pitt.edu

Subject: Mail Delivery (failure :ph34r: [at]pitt.edu)

Content-Type: application/octet-stream

Content-Transfer-Encoding: base64

VmlydXMgdmFyaWFudCBkZXRlY3RlZCBhbmQgZGVsZXRlZC4=

__________________________________________

Tracking details

Display data:

"whois 217.156.87.150[at]whois.ripe.net" (Getting contact from whois.ripe.net)

Backup contact notify = hostmaster[at]rnc.ro

pn2940-ripe = nicol[at]tts.ro

whois.ripe.net 217.156.87.150 = nicol[at]tts.ro

whois: 217.156.87.0 - 217.156.87.255 = nicol[at]tts.ro

Routing details for 217.156.87.150

Using last resort contacts nicol[at]tts.ro

I have exchanged e-mails with nicol[at]tts.ro already. Again claims innocence. Seems rule number one applies here again!! Funny they have the audacity to spoof aol in their header.

Edited by dra007


Ms Betsy, I would like to believe that there are an incredibly large number of coincidences. However, I get the viruses as soon as I complain to their abuse desk. For the most part my inquiries to them have remained unanswered or answered with more abuse. If anything, they are guilty of being unresponsive to what seems to be a problem (read my ROKSO quote). And they cannot claim a language barrier, I wrote to them in their mother tongue.

This is not something that started yesterday, it has been going on for several months. I keep a meticulous record of its history. One day it may come in handy in court.

Edited by dra007


As coincidences go, I got another virus soon after posting here:

Reports routes for 82.76.216.52:

routeid:11160204 82.76.0.0 - 82.79.255.255 to:

nadriang[at]rdsnet.ro

Administrator found from whois records

routeid:11160203 82.76.0.0 - 82.79.255.255 to:

tim[at]extreme.ro

Administrator found from whois records

routeid:11160202 82.76.0.0 - 82.79.255.255 to:

dragosv[at]rdsnet.ro

Administrator found from whois records

routeid:11160201 82.76.0.0 - 82.79.255.255 to:

andii[at]rdsnet.ro

Administrator found from whois records

Same IP that advised me to contact their lawyer:

Return-Path: <toadervictor[at]yahoo.com>

Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])

          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)

          ID <MAA24984[at]imap.srv.cis.pitt.edu> for < :) [at]imap.pitt.edu>;

          Tue, 6 Jul 2004 12:00:14 -0400 (EDT)

From: toadervictor[at]yahoo.com

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)

id <01LC52B5LTQ80050XL[at]mb2i1.ns.pitt.edu> for  :) [at]imap.pitt.edu; Tue,

6 Jul 2004 12:00:13 EDT

Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462)

with ESMTP id <01LC52B1MPJU00595N[at]mb2i1.ns.pitt.edu> for  :) [at]imap.pitt.edu;

Tue, 06 Jul 2004 12:00:08 -0400 (EDT)

Date: Tue, 06 Jul 2004 18:59:58 +0300

Subject: Re: Your bill

To:  :) [at]imap.pitt.edu

Message-id: <01LC52B1UDIK00595N[at]mb2i1.ns.pitt.edu>

MIME-version: 1.0

Content-type: multipart/mixed; boundary="Boundary_(ID_pDMysrn1SaWu4gtghqCOdQ)"

X-Priority: 3

X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_pDMysrn1SaWu4gtghqCOdQ)

Content-type: text/plain; charset="Windows-1252"

Content-transfer-encoding: 7bit

Please read the attached file.

--Boundary_(ID_pDMysrn1SaWu4gtghqCOdQ)

Content-type: text/plain; name=replaced.txt

Content-disposition: attachment

Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically

removed by the University's electronic mail systems because such attachments

may contain computer viruses, worms, or other potentially malicious software

code.  If you were expecting to receive a message from this sender including

an attached executable file (.exe), batch file (.bat), or others, and you

know the identity of the sender, you should contact the sender to make other

arrangements to receive the file.

Please contact the Technology Help Desk at 412 624-HELP [4357] for additional

information or assistance.  Further information on message attachment removal

is available online at http://technology.pitt.edu/security/index.html.  Thank

you.

--Boundary_(ID_pDMysrn1SaWu4gtghqCOdQ)--

My bill they say. I guess they see this as a payback time.

Edited by dra007


I don't doubt that they have been unresponsive or that viruses are coming from that IP address. It does seem like a high number of coincidences. A few spammers do take the time to respond to individual spam complaints, I believe.

And I certainly hope that your complaints are taken seriously since being unresponsive to viruses cannot be seen in any other light than irresponsible.

BTW, how do you know that they are mostly Netsky? I don't see anything in the IT Dept's message that identifies the attachment. Or have you been comparing them with the known subjects of Netsky?

Miss Betsy


Ms Betsy,

See my previous posts in this thread, I can check the attachments at my help desk, they are either Netsky or MIME exploits. Thank God they are holding them. Unfortunately some do get through occasionally and are detected by my antispam software. They went as far as spoofing trusted NIH addresses to get past the virus filter on my server:

UNIVERSITY OF PITTSBURGH's virus protection service has detected a potential

email virus. This suspicious message has been quarantined in

your UNIVERSITY OF PITTSBURGH Message Center:

    From: cameliamaier[at]k.ro

    Subject: Re: Extended Mail

    Virus: W32/Netsky.p[at]MM!zip

You can read the message without infecting your computer.

Click on the link to access your UNIVERSITY OF PITTSBURGH Message Center:

Those servers are notorious for sending trojans as listed in ROKSO/Spamhaus, and they are widely known as a spam gang...

Edited by dra007


Well folks, my suspicion that the above abusive IP is a source of spam has just been confirmed:

-------- Original Message -------- Subject:  [spamCop (80.96.34.178) id:1053453133]Overage $3579

Date:  3 Jun 2004 10:14:56 -0000

From:  1053453133[at]reports.spamcop.net

To:  iq[at]rdsnet.ro

[ SpamCop V1.324  ]

This message is brief for your comfort.  Please use links below for details.

Email from 80.96.34.178 / 3 Jun 2004 10:14:56 -0000

80.96.34.178 is an open proxy, more information:

http://www.spamcop.net/mky-proxies.html

http://www.spamcop.net/w3m?i=z1053453133zd...78631406335057z

[ Offending message ]

Return-Path:

Delivered-To: x

Received: (qmail 5750 invoked from network); 3 Jun 2004 10:14:56 -0000

Received: from unknown (192.168.1.101)

  by blade6.cesmail.net with QMQP; 3 Jun 2004 10:14:56 -0000

Received: from unknown (HELO 8) (80.96.34.178)

  by mailgate.cesmail.net with SMTP; 3 Jun 2004 10:14:56 -0000

Received: from [241.183.250.64] by 80.96.34.178 with HTTP;

Thu, 03 Jun 2004 17:09:47 +0600

From: "Records--zP1f"

To: x

Subject: Overage $3579

Mime-Version: 1.0

X-Mailer: agriculture caucus january

Date: Thu, 03 Jun 2004 16:04:47 +0500

Reply-To: "Records--zP1f"

Content-Type: multipart/alternative;

boundary="111243660610114145"

Message-Id:

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6

X-spam-Level: **

X-spam-Status: hits=2.5 tests=FORGED_YAHOO_RCVD,FROM_ENDS_IN_NUMS,

HTML_MESSAGE,J_CHICKENPOX_24,J_CHICKENPOX_34 version=2.63

X-SpamCop-Checked: 192.168.1.101 80.96.34.178

X-SpamCop-Disposition: Blocked bl.spamcop.net

--111243660610114145

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 8bit

neanderthal christianson loft parachute fierce maurice cyclotomic alumna changeable moraine

seek smith injury pardon camellia igloo diversion datsun spin

spector bella bricklay surveillant

hay doctoral rancho ecole prudent wiretapper

dang carney horseplay hump biracial bobbin

perimeter penates yvette betray cinematic

--111243660610114145

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 8bit

Hello again,

I sent you an email a few days ago.

Because we have great  news for you !

A bigger house with bigger savings are now yours for the taking at.. L ow er ..rat.es !

You can  easily be approved for a $200,000 loa n for only $550/month !

We represent major ban ks and le nders that will gladly accept,

and approve your mo rt.gage qualifications !

And that  means a  new ..m ort.gage at L.ow.er r..ates

that will save you alot of money each and every month !

Bad c.r.e.d.i.t  IS NOT a problem.

1 minute is all it takes to enter your information for a... m or t gage that truly benefits YOU.

This service is -F r e e- and without any obligations

This way for a  really great opportunity !

Thank you for your time,

Best Regards,

Harry Tracy

613456893973864322

pontiff obfuscatory meadowland flagging surrogate buddhist old wingmen daylight crook chisel

--111243660610114145--

Apparently these spammers are playing games with their own upstream server and refuse to answer to its queries as well. I hope I will shut down these idiots.

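The Received: chains quoted in this thread (the pitt.edu messages in the first post and the SpamCop report just above) show the two things worth checking mechanically: the peer 82.76.216.52 announced itself as imap.pitt.edu, a host of the receiving site, and the open proxy at 80.96.34.178 stamped a prior hop from reserved 241.x space. The following is an added example, not code from the thread, pitt.edu or SpamCop; the header samples are constructed from the quoted ones (recipient mailbox replaced by x), and 136.142.0.0/16 as the receiving site's prefix is an assumption drawn from the 136.142.185.161 relay.

```python
"""Walk a message's Received: chain to the first hop outside the receiver's own
network, then sanity-check what that hop claimed about itself.
Added example; header samples constructed from the thread, logic is not theirs."""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Optional

# Constructed from the first message in the thread. The peer 82.76.216.52
# announced itself (HELO) as imap.pitt.edu, a host of the receiving site.
PITT_MSG = """\
Return-Path: <bbb@zzz.org>
Received: from mb1i1.ns.pitt.edu (mb1i1.ns.pitt.edu [136.142.185.161])
          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
          ID <OAA20883@imap.srv.cis.pitt.edu> for <x@imap.pitt.edu>;
          Sat, 3 Jul 2004 14:25:50 -0400 (EDT)
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)
 id <01LC10INXWLC00KHPB@mb1i1.ns.pitt.edu> for x@imap.pitt.edu; Sat,
 3 Jul 2004 14:25:50 EDT
Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462)
 with ESMTP id <01LC10IJM8HS00GPJX@mb1i1.ns.pitt.edu> for x@imap.pitt.edu;
 Sat, 03 Jul 2004 14:25:49 -0400 (EDT)
Subject: Re: Your text
"""

# Constructed from the SpamCop report in the thread: the open proxy at
# 80.96.34.178 relayed the mail and stamped a prior hop from reserved space.
SPAMCOP_MSG = """\
Received: (qmail 5750 invoked from network); 3 Jun 2004 10:14:56 -0000
Received: from unknown (192.168.1.101)
  by blade6.cesmail.net with QMQP; 3 Jun 2004 10:14:56 -0000
Received: from unknown (HELO 8) (80.96.34.178)
  by mailgate.cesmail.net with SMTP; 3 Jun 2004 10:14:56 -0000
Received: from [241.183.250.64] by 80.96.34.178 with HTTP;
  Thu, 03 Jun 2004 17:09:47 +0600
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"^from\s+(\S+)\s*(.*?)\s*\bby\s+(\S+)", re.IGNORECASE)


@dataclass
class Hop:
    helo: str                            # name the sending side announced
    ip: Optional[ipaddress.IPv4Address]  # peer address the receiver logged
    by: str                              # host that wrote this Received: line


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received: value; None when it has no 'from X ... by Y' shape."""
    text = " ".join(value.split())       # unfold continuation lines
    m = FROM_BY.match(text)
    if not m:
        return None                      # e.g. qmail's '(qmail N invoked from network)'
    helo, middle, by = m.groups()
    ipm = IPV4.search(helo + " " + middle)
    return Hop(helo, ipaddress.ip_address(ipm.group(1)) if ipm else None, by)


def is_internal(ip: ipaddress.IPv4Address, nets) -> bool:
    """RFC 1918 space and the receiver's own prefixes count as trusted relays."""
    return ip.is_private or any(ip in net for net in nets)


def trace_origin(raw: str, trusted_cidrs=(), local_domain=""):
    """Return (origin_hop, findings). Received: lines are most-recent-first, so
    the origin is the first hop whose peer lies outside the trusted networks;
    every line below it was written by untrusted parties and is only a claim."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hops = [h for h in map(parse_received,
                           message_from_string(raw).get_all("Received", [])) if h]
    findings = []
    for i, hop in enumerate(hops):
        if hop.ip is None or is_internal(hop.ip, nets):
            continue                     # local daemon or trusted relay
        if local_domain and (hop.helo == local_domain
                             or hop.helo.endswith("." + local_domain)):
            findings.append(f"forged HELO: {hop.ip} announced itself as {hop.helo}")
        for below in hops[i + 1:]:       # claims stamped by the origin or earlier
            if below.ip is not None and (below.ip.is_reserved or below.ip.is_loopback
                                         or below.ip.is_multicast):
                findings.append(f"bogus hop below origin: {below.ip} is not routable")
        return hop, findings
    return None, findings


if __name__ == "__main__":
    # 136.142.0.0/16 as the receiving site's prefix is an assumption, not a thread fact.
    for label, raw, nets, dom in (("pitt", PITT_MSG, ["136.142.0.0/16"], "pitt.edu"),
                                  ("spamcop", SPAMCOP_MSG, [], "")):
        origin, findings = trace_origin(raw, nets, dom)
        print(f"{label}: origin {origin.ip} (HELO {origin.helo}) handed to {origin.by}")
        for f in findings:
            print("  -", f)
```

The origin hop is the address to look up in whois and the routing table; the HELO name and anything stamped below that line are the sender's own claims and carry no evidential weight.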

You are confusing me again. I thought you said that you had an extensive history of spam from this IP address. Or was it, the history of the manual reports you sent to them about a virus and the subsequent virus immediately sent?

When you send the abuse desk manual reports about a virus, do you include the headers and a portion of the body - enough to identify the virus, but not the attachment?

Did you send such a message to the one who said they were innocent and ask hir to explain why that did not come from that network?

Miss Betsy


The history with respect to virus and spam attacks is so well documented that I was successful in closing them down. Whew, what a relief.

Thanks again everyone for the help and encouragement. The good news is that one less spammer is now crawling the internet. For a while anyways, I am sure they are resourceful enough to re-incarnate again.

Incidentally, my spam has trickled down to nil since I started this fight.

Edited by dra007


If they do start up again, I've found that having a FriedSpam.net party with 10 of your friends for a couple weeks usually knocks a clue into the spammer's thick skull.

Hitting their website about 100,000 times a day per FriedSpam participant tends to do that. What I've found to be extremely effective is to contact the spammers and TELL them that you'll be hitting their sites, and tell them to never send spam to your domain again.

I've only gotten 3 spams so far this week. Of those three, one was from a newbie spammer, and two were from USA Lenders Network (ironically, they give their address as being in Canada), whose sites I've been working on / mauling for a while now.


Thank you Sir,

There are plenty of good hits in my thread alone. You are most welcome to start a party with them, I will join in, even bring a case of good wine if necessary. Let me know, I'll be there.


Well folks, if the spam spew continues from any of the above sites I have the word of an administrator that they will close down a whole range of problematic and unresponsive IPs. Hope that will help many of you, not just myself!

