shmengie

[Resolved] Those crafty spammers

http://www.spamcop.net/sc?id=z789394833z4e...492f5c3aaea1d4z

Name: accurate.torrence-family.com

Address: 71.96.15.218, 24.11.214.98, 68.203.184.97, 69.76.69.208, 70.92.245.129

The nslookup on the domain accurate.torrence-family.com frequently changes.

I receive about 3 spams a week which reference domains resolving in this fashion.

SpamCop identifies only one of the addresses per URL listed. The posted tracking URL had abuse[at]rr.com for one URL in the spam and abuse[at]verizon.net for the other URL.

My attempts to report these zombies have fallen on deaf ears at ISPs because they don't resolve to web servers in their farms. Since the IP addresses change frequently, they probably think I'm making this shiat up.

I've tried to explain the issue, but my voice in this matter seems to be received by the deaf.

The only other thing I can think of is to complain to the registrar. I've initiated communication with Tucows, but I don't have high expectations. The best they can do is cancel the domain, I suppose. What are the odds of that happening?


Have you tried tracking how this hostname resolves over some time, and including all the IP Addresses it resolves to and those that host its name service in one Manual Report to all the ISPs for all of those IP Addresses? Its name servers are currently as follows:

ns1.torrence-family.com. 172800 IN      A    68.37.212.170

ns2.torrence-family.com. 172800 IN      A    71.111.70.192

ns3.torrence-family.com. 172800 IN      A    65.43.218.215

ns4.torrence-family.com. 172800 IN      A    66.65.46.21

ns5.torrence-family.com. 172800 IN      A    24.4.100.137


The SOA record I got for torrence-family.com when composing my previous Reply in this Topic pointed to the source of this mess as ns.torrence-family.com and the email address of the doer as "webmaster.torrence-family.com." AKA "webmaster[at]torrence-family.com", and had a TTL of 5 seconds. There appear to be five "*.torrence-family.com." A records, which are used for the five different IP Addresses, in addition to the five individual NS Records for torrence-family.com and matching A Records for ns{1-5}.torrence-family.com at the gtld-servers, pointing to those same five IP Addresses. The reporting addresses are as follows:

69.211.16.157 abuse[at]sbcglobal.net

220.198.23.93 postmaster[at]cnuninet.com, abuse[at]chinanet.cn.net, ct-abuse[at]abuse.sprint.net, abuse[at]savvis.net, abuse[at]att.net, and abuse[at]mci.com (anti-spam[at]ns.chinanet.cn.net bounces)

24.158.140.213 abuse[at]charter.net

68.74.120.86 abuse[at]sbcglobal.net

24.91.186.74 abuse[at]comcast.net


Sort of mesmerizing to watch, isn't it?


DNS Report for torrence-family.com

Generated by www.DNSreport.com at 02:51:39 GMT on 25 Jul 2005.
Your NS records at the parent servers are:

ns1.torrence-family.com. [68.56.134.62] [TTL=172800] [US]
ns2.torrence-family.com. [69.213.253.73] [TTL=172800] [US]
ns3.torrence-family.com. [67.121.176.24] [TTL=172800] [US]
ns4.torrence-family.com. [24.11.214.98] [TTL=172800] [US]
ns5.torrence-family.com. [24.175.127.82] [TTL=172800] [US]

[These were obtained from m.gtld-servers.net]

A timeout occurred getting the NS records from your nameservers!


Generated by www.DNSreport.com at 03:12:31 GMT on 25 Jul 2005.

Your NS records at the parent servers are:

ns1.torrence-family.com. [68.74.120.86] [TTL=172800] [US]
ns2.torrence-family.com. [24.168.185.6] [TTL=172800] [US]
ns3.torrence-family.com. [69.211.16.157] [TTL=172800] [US]
ns4.torrence-family.com. [71.111.70.192] [TTL=172800] [US]
ns5.torrence-family.com. [24.210.201.4] [TTL=172800] [US]

[These were obtained from m.gtld-servers.net]

(lifting a few of the comments:)

OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.

ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers.

Generated by www.DNSreport.com at 03:40:07 GMT on 25 Jul 2005.

Your NS records at the parent servers are:

ns1.torrence-family.com. [68.74.120.86] [TTL=172800] [US]
ns2.torrence-family.com. [69.248.21.171] [TTL=172800] [US]
ns3.torrence-family.com. [71.103.207.158] [TTL=172800] [US]
ns4.torrence-family.com. [24.214.250.56] [TTL=172800] [US]
ns5.torrence-family.com. [67.165.71.72] [TTL=172800] [US]

[These were obtained from m.gtld-servers.net]
WARNING: Your SOA REFRESH interval is : 0 seconds. This seems very low.
WARNING: Your SOA RETRY interval is : 0 seconds. This seems very low.
ERROR: I could not find any mailservers for torrence-family.com.
ERROR: I couldn't find any A records for www.torrence-family.com.

Generated by www.DNSreport.com at 03:29:32 GMT on 25 Jul 2005.

Your NS records at the parent servers are:

ns1.torrence-family.com. [68.74.120.86] [TTL=172800] [US]
ns2.torrence-family.com. [69.248.21.171] [TTL=172800] [US]
ns3.torrence-family.com. [71.103.207.158] [TTL=172800] [US]
ns4.torrence-family.com. [24.214.250.56] [TTL=172800] [US]
ns5.torrence-family.com. [67.165.71.72] [TTL=172800] [US]

[These were obtained from i.gtld-servers.net]

A timeout occurred getting the NS records from your nameservers!

OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.


All the usual suspects, at some time or another as above - Comcast, Road Runner, Ameritech, SWBell, Verizon, Knology

As the OP suggests, appeal to "higher authority" might be in order. The individual server owners would find it difficult to get on top of this. Can that be done? This is a monumental breach of the protocols, surely?

Edited by Farelf


Crafty spammer. Their zombies are performing nameserver duties and serving up web pages.

Using any of the IP addresses for web page and domain lookup produces the same results on all of the robot zombies.

I wrote a tiny little Python program, and every one of them dishes up the same web page. I had thought they might be doing some kind of redirection, but that's not the case.

I did run thru all the pages and placed a bogus order. Minor note: It sez credit card info is being gathered on secure 128-bit encryption. Lies, of course. It also stated that my IP address 24.xxx.xxx.xxx was being recorded for security purposes. My IP does not begin with 24.... looked like static text. Most of the links they use end in .php?, which is there to further convince ppl it's a real web server, I guess.

These zombies all collect credit card info from the unsuspecting fools who think this is legit. There must be a method of sending the credit card info back to the culprits. Probably the same way that the zombies know which other zombies are up and running.

Very impressive trojans tho. Kudos to the spammer, they've got anonymity out the yin-yang going on here.


Good work on bringing this up and doing the research, all. I successfully submitted torrence-family.com to rfc-ignorant.org due to the fact that out of 5 nameservers there isn't a single MX record configured, and the A record (fallback) doesn't even properly provide an IP address: http://www.rfc-ignorant.org/tools/lookup.p...ence-family.com

For those of you that run your own mail servers: as long as your serving software is modern enough to use RHSBLs (Right-Hand Side Black Lists) I encourage you to take full advantage of rfc-ignorant.org's lists.

If you run Sendmail >=8.12 you are welcome to use my config for these lists:

FEATURE(rhsbl,`dsn.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not accept bounces. This violates RFC 821/2505/2821 - see http://www.rfc-ignorant.org/"')dnl
dnl
FEATURE(rhsbl,`postmaster.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not have a working postmaster address.  This violates RFC 2821 - see http://www.rfc-ignorant.org/"')dnl
dnl
FEATURE(rhsbl,`abuse.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not have a working abuse address.  This violates RFC 2142 - see http://www.rfc-ignorant.org/"')dnl
dnl
FEATURE(rhsbl,`bogusmx.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain is bogus.  This violates RFC 1035/3330 - see http://www.rfc-ignorant.org/"')dnl
dnl
FEATURE(rhsbl,`whois.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. TLD does not have a proper WHOIS registry. This violates RFC 1032/3912 - see http://www.rfc-ignorant.org/"')dnl

Edited by Turmoyl


I received a spam from Taiwan. I don't know anyone over there, so it's a safe bet it was supposed to be spam. I think this falls under the category of crafty spammer, so I'm re-using this thread.

I couldn't help but find this spam interesting. Don't know how many of you enjoy programming, but the codes used for subject/date etc. are somewhat fascinating to me. It looks like the spam template was used, but no spam content replaced the macro fields.

The subject looks like the spammer's Bayesian work-around.

Subject: STR_RNDLEN(2-4)}{EXTRA_TIME_4} {WORD}
Date: {DATE}
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: {ALNUM[36-36]}
Content-type: multipart/related;
        boundary="{_BOUNDARY_RELATED}"

--{_BOUNDARY_RELATED}
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit

{BODYHTML}

--{_BOUNDARY_RELATED}
Content-Type: image/jpg;
        name="{LC_CHAR[7-7]}.jpg"
Content-Transfer-Encoding: base64
Content-ID: <{_UC_CHAR[20-20]}>

{JPEG:/home/larry/baner.jpg:q80cg8cc5}

--{_BOUNDARY_RELATED}--


Scripting code like that will only work in Outlook/Outlook Express. That's reason # 1,000,001 to use Thunderbird.


Back on topic:

It appears that, due to whatever pressures, torrence-family.com has shut down (at least temporarily):

Domain servers in listed order:
    NS1.NETSOL.COM   216.168.229.228

So they are down to only a single nameserver, and at a different host. Also:

~$ dig any @216.168.229.228 torrence-family.com

; <<>> DiG 9.2.4 <<>> any @216.168.229.228 torrence-family.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7749
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;torrence-family.com.           IN      ANY

;; AUTHORITY SECTION:
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.

This is a completely empty DNS record. No SOA, no A, no MX, nada. In other words they are 100% offline as I write this.

Edited by Turmoyl


I'm getting the same responses. Thanks for the update!


Do you think it's possible that TuCows came to the rescue here?

I see the whois record for torrence-family.com last Updated Date: 26-jul-2005

That's about the right time for all records to be stale now. I sent a letter to TuCows Saturday. I suspect they have few if any weekend workers. All day Monday it would have been working its way thru their slew of mail... Tuesday somebody did something.

Ratz, now I wish I had reported this to the FBI first. Thought of them last....

I did want the FBI to track 'em down, but I suspect that may have been difficult even w/excessive resources. That's one of the most impressive spammer schemes I've seen.

Edited by shmengie


double dratz (or not)

udowzy.torrence-family.com is now resolving again :/

Shouldn't be too surprised that it winked out for a while. After all, the actual DNS servers are virus-infected zombies. The main server must have been rebooted because it was running too slow, or maybe the user woke up and anti-virus'd it.

zeus:~$ dig udowzy.torrence-family.com

; <<>> DiG 9.1.0 <<>> udowzy.torrence-family.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45807
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;udowzy.torrence-family.com.    IN      A

;; ANSWER SECTION:
udowzy.torrence-family.com. 5   IN      A       24.178.100.28
udowzy.torrence-family.com. 5   IN      A       63.206.119.30
udowzy.torrence-family.com. 5   IN      A       69.211.16.157
udowzy.torrence-family.com. 5   IN      A       24.12.119.73
udowzy.torrence-family.com. 5   IN      A       24.13.123.241

;; AUTHORITY SECTION:
torrence-family.com.    155815  IN      NS      ns1.netsol.com.

;; Query time: 640 msec
;; SERVER: 192.168.1.112#53(192.168.1.112)
;; WHEN: Thu Jul 28 02:50:11 2005
;; MSG SIZE  rcvd: 149

Edited by shmengie


I find it difficult to believe that Verisign's ns1.netsol.com is participating in this scheme. It is more likely that the spammer is seeding/poisoning his target domains' public nameservers' caches with its filth just before each spam run.


These "servers" aren't necessarily sending spam. They host the web page/rogue DNS servers that support this domain. The domain was referenced in a spam; I kept the last three that reference it in my spam box (yet to be deleted).

I doubt that they send spam themselves, unless they are infected with additional robot/spamware.

Frankly, this avenue of spammer proliferation bugs the wooloo (not to be confused w/wazoo) out of me, because it offers another level of anonymity to the spammers. No specific ISP is being used, but a bunch of their clients are being abused.

Look at it this way. We can't track spam to a specific spammer whose spam was delivered by an anonymous spambot-infected machine.

Now we've got a spammer that's upped the ante and uses a webbot/dnsbot-infected ring of computers to deliver web pages. Although it is possible they could also deliver spam, I suspect they use their other army of infected machines for that doody.

They have no fear of ISP repercussions, because they aren't using an ISP service. They're abusing idiots w/computers that don't know their computers are being used this way.

Edited by shmengie


I'm not sure exactly what's going on, but their DNS record is once again empty:

~$ dig any @NS1.NETSOL.COM udowzy.torrence-family.com

; <<>> DiG 9.2.4 <<>> any @NS1.NETSOL.COM udowzy.torrence-family.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53024
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;udowzy.torrence-family.com.    IN      ANY

;; AUTHORITY SECTION:
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.

;; Query time: 47 msec
;; SERVER: 216.168.229.228#53(NS1.NETSOL.COM)
;; WHEN: Thu Jul 28 16:34:44 2005
;; MSG SIZE  rcvd: 255

~$ dig any @NS1.NETSOL.COM torrence-family.com

; <<>> DiG 9.2.4 <<>> any @NS1.NETSOL.COM torrence-family.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20253
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;torrence-family.com.           IN      ANY

;; AUTHORITY SECTION:
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.

;; Query time: 47 msec
;; SERVER: 216.168.229.228#53(NS1.NETSOL.COM)
;; WHEN: Thu Jul 28 16:36:47 2005
;; MSG SIZE  rcvd: 248

Edited by Turmoyl


Thanks for the continuing updates guys. Following with interest (and the hope someone comes up with a suggested way of smacking down this latest impudence).


1. Report each IP Address mentioned in this Topic (but not yet reported) to the appropriate ISP, requesting that the ISPs help you to track down the real spammer.

2. Query each of those IP Addresses for NS and A Records.

3. Use the results of those queries to update this Topic, as appropriate.

4. Repeat, ad infinitum (an infinite number of times), ad nauseam (until you are nauseous).

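The tracking Jeff G. suggests above (repeat the lookups over time, record every address, then report) can be automated. The following Python is an added example, not code from this thread or from any of its posters: it parses the A RRset out of dig output and scores a series of lookups for the pattern described in this thread (a TTL of a few seconds, a fresh address set on every lookup, addresses spread over many consumer networks). The address sets are the ones quoted in the thread; the thresholds, the churn metric and the first-octet network count are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# One A record as printed in dig's ANSWER SECTION: name, TTL, class, type, address.
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)

@dataclass(frozen=True)
class Snapshot:
    when: str       # label for when the lookup was made
    ttl: int        # smallest TTL in the A RRset, in seconds
    ips: frozenset  # addresses returned for the name

def parse_dig(text: str, when: str) -> Snapshot:
    """Build a Snapshot from the ANSWER SECTION of `dig <name>` output."""
    parts = text.split(";; ANSWER SECTION:", 1)
    rows = A_RECORD.findall(parts[1].split(";;", 1)[0]) if len(parts) == 2 else []
    if not rows:
        raise ValueError("no A records in ANSWER SECTION")  # e.g. the empty-zone posts above
    return Snapshot(when, min(int(ttl) for _, ttl, _ in rows),
                    frozenset(ip for _, _, ip in rows))

def churn(a: Snapshot, b: Snapshot) -> float:
    """Share of the combined address set that changed between two lookups."""
    union = a.ips | b.ips
    return 1.0 - len(a.ips & b.ips) / len(union) if union else 0.0

def flux_indicators(snaps, max_ttl=60, min_ips=8, min_churn=0.5):
    """Return (suspicious, evidence) for a chronological series of lookups.

    The thresholds are illustrative defaults, not values from the thread."""
    ips = frozenset().union(*(s.ips for s in snaps))
    # The first octet is a coarse stand-in for "how many different networks";
    # a production check would map each address to its ASN or abuse contact.
    networks = {ip.split(".")[0] for ip in ips}
    churns = [churn(x, y) for x, y in zip(snaps, snaps[1:])]
    evidence = {
        "min_ttl": min(s.ttl for s in snaps),
        "distinct_ips": len(ips),
        "distinct_networks": len(networks),
        "mean_churn": round(sum(churns) / len(churns), 2) if churns else 0.0,
    }
    suspicious = (evidence["min_ttl"] <= max_ttl
                  and evidence["distinct_ips"] >= min_ips
                  and evidence["mean_churn"] >= min_churn)
    return suspicious, evidence

# The dig output shmengie posted in this thread, trimmed to the sections used.
DIG_OUTPUT = """\
;; ANSWER SECTION:
udowzy.torrence-family.com. 5   IN      A       24.178.100.28
udowzy.torrence-family.com. 5   IN      A       63.206.119.30
udowzy.torrence-family.com. 5   IN      A       69.211.16.157
udowzy.torrence-family.com. 5   IN      A       24.12.119.73
udowzy.torrence-family.com. 5   IN      A       24.13.123.241

;; AUTHORITY SECTION:
torrence-family.com.    155815  IN      NS      ns1.netsol.com.
"""

# The two earlier address sets quoted in the thread. Their TTL was not shown,
# so the 5-second TTL seen in the dig output is assumed for them (constructed).
OBSERVATIONS = [
    Snapshot("shmengie's nslookup", 5, frozenset(
        {"71.96.15.218", "24.11.214.98", "68.203.184.97", "69.76.69.208", "70.92.245.129"})),
    Snapshot("Jeff G.'s lookup", 5, frozenset(
        {"69.211.16.157", "220.198.23.93", "24.158.140.213", "68.74.120.86", "24.91.186.74"})),
    parse_dig(DIG_OUTPUT, "dig, Jul 28 02:50"),
]

if __name__ == "__main__":
    flagged, why = flux_indicators(OBSERVATIONS)
    print("fast-flux suspected:", flagged, why)
```

A single lookup never trips the check, since churn needs at least two observations; that is the point of the "repeat, ad infinitum" step.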

Hate when ppl fix stuff and don't bother to tell you.

Reported until I was blue in the fingers on that one.

Now I don't know how/why it was resolved, but it appears to be. If it happens again, do I have to go blue in the fingers to achieve resolution?

FWIW... I've seen spam that resolved like that one for about 3-5 months passing by my spam reporting eyes. When I started this thread, I figured I'd try to put an end to it and tenaciously reported to everywhere/one I could fathom to get it to stop.

Heh, I even blogged it, which made me feel a little better.

http://spamnation.blogspot.com/

Wish I would have assigned some blame to ISPs for the state of the spam (in the blog).

Edited by shmengie


*.torrence-family.com is still somewhat alive.

68.37.212.170 reports at least the following IP Addresses for them, sorted alphabetically:


24.4.100.137 reports at least the following IP Addresses for them, sorted alphabetically:


24.168.185.6 reports at least the following IP Addresses for them, sorted alphabetically:


67.165.71.72 reports at least the following IP Addresses for them, sorted alphabetically:


24.12.119.73 reports at least the following IP Addresses for them, sorted alphabetically:


All combined, that gives us the following reporting addresses for those IP Addresses, each of which is presumed to be either a zombie or directly under the control of the spammer:

24.12.119.73 (ns & a) abuse[at]comcast.net, abuse[at]att.net

24.13.123.241 abuse[at]comcast.net, abuse[at]att.net

24.130.44.226 abuse[at]comcast.net, abuse[at]att.net

24.14.51.159 abuse[at]comcast.net, abuse[at]att.net

24.15.148.146 abuse[at]comcast.net, abuse[at]att.net

24.158.127.243 abuse[at]charter.net, abuse[at]att.net

24.168.185.6 (ns) abuse[at]rr.com

24.173.238.236 abuse[at]rr.com

24.3.75.140 abuse[at]comcast.net, abuse[at]att.net

24.34.202.69 abuse[at]comcast.net, abuse[at]att.net

24.4.100.137 (ns) abuse[at]comcast.net, abuse[at]att.net

24.4.7.96 abuse[at]comcast.net, abuse[at]att.net

24.7.125.104 abuse[at]comcast.net, abuse[at]att.net

24.9.114.7 abuse[at]comcast.net, abuse[at]att.net

24.94.238.113 abuse[at]rr.com

63.200.55.35 abuse[at]pacbell.net

66.229.220.213 abuse[at]comcast.net, abuse[at]att.net

67.165.71.72 (ns) abuse[at]comcast.net, abuse[at]att.net

67.173.19.43 abuse[at]comcast.net, abuse[at]att.net

67.176.137.127 abuse[at]comcast.net, abuse[at]att.net

67.182.30.46 abuse[at]comcast.net, abuse[at]att.net

68.37.212.170 (ns & a) abuse[at]comcast.net, abuse[at]att.net

68.44.185.91 abuse[at]comcast.net, abuse[at]att.net

69.151.154.149 abuse[at]sbcglobal.net

69.211.16.157 abuse[at]sbcglobal.net

70.241.30.193 abuse[at]sbcglobal.net

71.8.197.224 abuse[at]charter.net, abuse[at]att.net

80.98.219.161 abuse[at]upc.hu, abuse[at]chello.hu, postmaster[at]aorta.net, abuse[at]chello.at, abuse[at]chello.se, abuse[at]telekabel.at, postmaster[at]chellonetwork.com, abuse[at]chello.com, abuse[at]cox.net, abuse[at]aol.com

82.231.185.57 abuse[at]proxad.net, abuse[at]sprintlink.net

Edited by Jeff G.


It could be that they are setting up shop on a new domain name but as of this moment their entire DNS setup is hosed. There are no A records and while there are SOA records this time they point to a CNAME that doesn't exist nor goes anywhere because there isn't an A record for it to reference.

In other words that URI is not resolvable/routable right now.

I've submitted entries to rfc-ignorant.org that reflect the new domain name.

Edited by Turmoyl


Looks like the same criminals at work.

All web "servers" are running on hijacked DSL/cable computers.

The whois records for both torrence-family and torrence-store indicate both domains were registered 11-Jun-2005 and last modified 26-Jun-2005.

I don't have the energy at the moment to try and put an end to this one... Maybe tomorrow...

Links on that page introduced "movienetworks.com", which is another domain I assume is being run by these criminals, since it was registered... you guessed it, 11-Jun-2005.

But it's hosted by internap.... ??? ....

Edited by shmengie

It could be that they are setting up shop on a new domain name but as of this moment their entire DNS setup is hosed.

Their DNS setup is hosed by design. You can't run an illegitimate operation and avoid being tracked down if you leave a trail pointing to you.


What I mean by "hosed" is that they have not been operational at all both at the check I performed when I posted earlier and again right now. Their DNS records have nothing except a spoofed and unusable SOA entry. This means that clicking on any links to torrence-store.com will accomplish nothing but a client-side 404.

You mentioned that you browsed this domain and were redirected to another site, but I just don't see how that's been possible, at least over the last several hours.
