petzl

IP of Spamvertised Websites


217.171.66.173 is from SpamCop (refreshed cache). Reporting addresses: mostow[at]sl.ru alexdu[at]sl.ru

SamSpade: http://www.zodrx.com = [ 82.146.53.153 ] abuse[at]ispserver.com (SpamCop: No valid email addresses found, sorry!)

TRACERT trace: http://www.zodrx.com (66.148.87.103) abuse[at]hopone.net (from Australia)

So if I want to report, which is the most accurate, and why are they all different?

Edited by petzl


217.171.66.173 is from SpamCop (refreshed cache). Reporting addresses: mostow[at]sl.ru alexdu[at]sl.ru

SamSpade: http://www.zodrx.com = [ 82.146.53.153 ] abuse[at]ispserver.com (SpamCop: No valid email addresses found, sorry!)

TRACERT trace: http://www.zodrx.com (66.148.87.103) abuse[at]hopone.net (from Australia)

So if I want to report, which is the most accurate, and why are they all different?

They are all accurate because they are likely all running on corrupted end user machines. In the last hour I have had both the hopone.net and the sl.ru show up as results in spamcop.

DNS traversal just now: Looking up at the 2 zodrx.com. parent servers:

Server Response Time

ns0.kerunhandgunfandesikuntun.com [218.79.93.167] 217.171.66.173 594ms

ns0.adesuikintandefunhandesun.com [218.79.93.167] Timeout

Looks like another revolving setup. A few seconds later: Looking up at the 2 zodrx.com. parent servers:

Server Response Time

ns0.adesuikintandefunhandesun.com [218.79.93.167] 87.118.102.23 548ms

ns0.kerunhandgunfandesikuntun.com [218.79.93.167] 87.118.102.23 562ms

Then: Looking up at the 2 zodrx.com. parent servers:

Server Response Time

ns0.adesuikintandefunhandesun.com [218.79.93.167] 82.146.53.153 534ms

ns0.kerunhandgunfandesikuntun.com [218.79.93.167] 82.146.53.153 565ms

They are all accurate because they are likely all running on corrupted end user machines. In the last hour I have had both the hopone.net and the sl.ru show up as results in spamcop.

Thanks Steven, reported all three; none seem to be working now:

http://82.146.53.153

http://217.171.66.173

http://66.148.87.103

They are dead; the spammer has shifted the website to http://62.149.0.62. Not sure if I have been whitelisted but will look for spam to turf it out of here also.

Thanks Steven, reported all three; none seem to be working now:

http://82.146.53.153

http://217.171.66.173

http://66.148.87.103

They are dead; the spammer has shifted the website to http://62.149.0.62. Not sure if I have been whitelisted but will look for spam to turf it out of here also.

I've often found that trying to access a named website using a bare IP address may not always work if the web server on that host has virtual domain service set up. This seems to be the case with many spam websites (which often "double up" to sell different products using different domain names all pointing to the same IP). You may be sent to some kind of default website (maybe the infamous Apache page), or else get some kind of HTTP error, if you don't supply a host name URL for the server to glom onto.

On the other hand, if you can show that you get no response at all to an HTTP query on these (i.e., timeout as opposed to a reply or an error message), you can conclude that the web service is in fact dead at the host.

-- rick

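Rick's point about name-based virtual hosting can be checked directly rather than guessed at: request the page from the bare IP once with no site name and once with the spamvertised site's name in the HTTP Host header (which is what a virtual host keys on), and treat only a refused or timed-out connection as evidence that the web service is dead at that host. The following Python script is an added example, not code from this thread or from SpamCop; the local demo server, the name spamvertised.example and the port numbers are constructed for the demonstration.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

NO_RESPONSE, ERROR, REPLY = "no_response", "error", "reply"


def probe_vhost(ip, hostname, port=80, timeout=5.0):
    """GET / from the bare IP twice: once as a plain bare-IP request and once
    with the spamvertised site's name in the Host header. Returns both status
    codes and one outcome:
      no_response - refused or timed out both times: the web service is dead there
      error       - the server answered, but with an HTTP error even for the named host
      reply       - the server served the named host (2xx/3xx), so the site is alive
    """
    statuses = {}
    for label, headers in (("bare_ip", {}), ("with_host", {"Host": hostname})):
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers=headers)
            statuses[label] = conn.getresponse().status
        except (OSError, http.client.HTTPException):
            # OSError covers ConnectionRefusedError and socket.timeout
            statuses[label] = None
        finally:
            conn.close()
    if statuses["bare_ip"] is None and statuses["with_host"] is None:
        outcome = NO_RESPONSE
    elif statuses["with_host"] is not None and statuses["with_host"] < 400:
        outcome = REPLY
    else:
        outcome = ERROR
    return {"ip": ip, "hostname": hostname, "outcome": outcome, **statuses}


class _VhostHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a name-based virtual host: only the expected
    Host header gets the site; anything else falls through to a 404 default."""
    expected_host = "spamvertised.example"  # constructed name, not a real site

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0]
        matched = host == self.expected_host
        body = b"spam site\n" if matched else b"default site\n"
        self.send_response(200 if matched else 404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Serve the constructed virtual host on a random loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _VhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port():
    """A loopback port nobody listens on, standing in for a dead web service."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_demo_server()
    print(probe_vhost("127.0.0.1", _VhostHandler.expected_host, port=port))
    server.shutdown()
    server.server_close()
    print(probe_vhost("127.0.0.1", _VhostHandler.expected_host, port=free_port()))
```

Against the demo server the bare-IP request gets the 404 default page while the request carrying the Host header gets the site, which is exactly the behaviour that makes a bare-IP browser check misleading; against the unused port both attempts are refused and the outcome is no_response.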
I've often found that trying to access a named website using a bare IP address may not always work if the web server on that host has virtual domain service set up. This seems to be the case with many spam websites (which often "double up" to sell different products using different domain names all pointing to the same IP). You may be sent to some kind of default website (maybe the infamous Apache page), or else get some kind of HTTP error, if you don't supply a host name URL for the server to glom onto.

On the other hand, if you can show that you get no response at all to an HTTP query on these (i.e., timeout as opposed to a reply or an error message), you can conclude that the web service is in fact dead at the host.

Thanks. When I have a lazy day I just go through spamvertised URLs and report them. I often get a URL run from two different IPs; this is the first I have had with three / now four? I like the terminology "corrupted end user machines" (no idea what it means); I use it in reports. I don't reckon the IT persons know what it means either, and panic :o

I always check whether the IP address is responding via tracert and check http://samspade.org for a very good "whois" (mainly/mostly)

Thanks. When I have a lazy day I just go through spamvertised URLs and report them. I often get a URL run from two different IPs; this is the first I have had with three / now four? I like the terminology "corrupted end user machines" (no idea what it means); I use it in reports. I don't reckon the IT persons know what it means either, and panic :o

I always check whether the IP address is responding via tracert and check http://samspade.org for a very good "whois" (mainly/mostly)

This may be (or may have been) a "botnet hosted website." They are very popular with the dating-service spammers, and some of the drug spammers have used them as well. I got really annoyed a few months back and started tracking these things down in earnest, running DNS on them every few minutes for a week or so at a time.

It seems that some of these botnets can be as large as 1,000 or more IP hosts, which all take turns being in the DNS lookup for a few minutes at a time. Some of these even get to be the authoritative nameservers now and then. There can be as many as 5 or 6 widely different addresses returned for such hosts when you resolve the host name.

Since these hosts are generally home user machines (as you might tell from whois on the addresses), they are probably almost all Windows machines. Yet, the HTTP header info sometimes reports that the webserver is of a type that only runs on *nix machines. From this, I have concluded that the spammers are installing "reverse proxy web servers" on the infected hosts; these relay visitors' requests back to a central website God-knows-where that contains the actual spam pitch. You can't (unfortunately) see where this other site is, all you see is what the reverse proxy host tells you.

Very often, the "stable" or "real" authoritative name servers (and there's always one or two of these) are hosted on Russian IP space, not terribly surprising to me.

The more I learn about this stuff, the more discouraged I get, but the more resolved I become to keep plugging away with my reports.

-- rick

Very often, the "stable" or "real" authoritative name servers (and there's always one or two of these) are hosted on Russian IP space, not terribly surprising to me.

The more I learn about this stuff, the more discouraged I get, but the more resolved I become to keep plugging away with my reports.

I seem to have a high success rate at getting them shut down? Maybe coincidence?

My biggest gripe is ISPs and registrars that have no valid abuse address; this slows down reporting, but I hang in there, even resorting to the ISP's shareholders.

IMO I'm very good at spotting bad economic news and sending complaints to company CEOs if I have to

I've often found that trying to access a named website using a bare IP address may not always work if the web server on that host has virtual domain service set up. This seems to be the case with many spam websites (which often "double up" to sell different products using different domain names all pointing to the same IP). You may be sent to some kind of default website (maybe the infamous Apache page), or else get some kind of HTTP error, if you don't supply a host name URL for the server to glom onto.

Most of this also tracks back to the low, low, low rates based on the use of this 'virtual' type of hosting. Hosting a couple of hundred of low-traffic sites on a single server is a definite profit center for the host .... anyone actually trying to run/present a 'real' business on that environment soon learns the folly of those low, low rates when the business/site gets 'popular' ..... spammer doesn't care as there isn't that much traffic involved for the short time the site exists.


I seem to have a high success rate at getting them shut down? Maybe coincidence?

I've also had quite a good success rate at going after the botnet controllers/nameservers, but there has been one notable exception who simply refused to take any action no matter what evidence was presented. Other abuse teams have needed some convincing of the situation, but have eventually agreed to take action & null-route the controller IP. It can sometimes be hard work in my experience, but it shouldn't be.

As I see it, the problem with some abuse teams is that on the spam front they are simply geared up to look at the host IP of the spamvertized site & if that's not one of their IPs, (as it isn't as it's just one of the controlled zombies), then you've got some convincing to do as they understandably have extremely limited time & resources & botnet controllers are simply not in their script.

The botnet is a relatively recent, (but rapidly growing), menace & most abuse teams don't seem to be at all familiar with it, (& it also isn't in their AUP's as such), so trying to convince teams that they should take action on this sort of 'spamming by proxy' can be a little uphill. Hopefully, as abuse teams become more familiar with this method of hosting & distributing spam it will become easier to get them shut down.

It raises an interesting point - should the use of a botnet be regarded as a criminal act in itself? It does involve hacking into third party machines without permission. It's certainly not an argument that cut any ice with my one notable exception....

IMO the running of a botnet should be reason enough to null route an IP, but then you have to have a reasonable standard of proof, so what can you provide?

1) You can provide spam source code that contains the HTML href link to the spamvertized site.

2) You can demonstrate with the DNS traversal data for that site that the nameserver involved (usually an Apache webserver), links to the spamvertized site.*

3) You can also demonstrate with the same data that the nameserver involved references one or more, (often 5 IPs for some reason), that constantly rotate every five minutes or so.*

4) You can demonstrate that those IPs often RDNS to ADSL pool IPs.

5) You can show that the nameserver domain was generally only registered in the last month or so as is also generally the case with the spamvertized site domain.

Should that be enough data in itself? All of the above data & more on the fraudulent nature of the spamvertized site itself, (norden.hk), was supplied to my one notable failure, (layeredtech.com), but they simply said it was insufficient evidence & refused to take action and their botnet controller (ns1.bg-arati.com [72.36.159.12]) is still active today. This was the final reply from Layeredtech:

"We require more information than a simple DNS lookup as proof of abuse and can not take action until a copy of the spam or other data being transferred is provided and can be linked back to the host in question. We are more than happy to assist in taking abusive hosts offline once the correct data has been provided. We can not take hosts offline without documented proof as it will hold us liable and can lead to taking a client's legitimate site or service offline."

Needless to say, multiple copies of unmunged spam source code & all the above data were supplied.

What further proof other than the above is possible in the botnet scenario? How do you convince the determinedly blackhat SP?

*e.g: http://www.dnsstuff.com/tools/traversal.ch...n.hk&type=A

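The checks in items 2 to 5 above (and rick's earlier description of addresses that take turns in the lookup) can be scripted so that the report carries numbers instead of impressions: resolve the domain repeatedly, keep every answer, and look for a pool of addresses much larger than any single answer, short TTLs, reverse names that look like access pools, and a young registration date. The Python below is an added example, not bobbear's, dnsstuff's or SpamCop's code. It parses the dash-padded "Domain Type Class TTL Answer" table format in which dnsstuff lookups are pasted later in this thread; the three snapshots, the addresses (documentation ranges), the reverse names and the registration date are all constructed, not observed data.

```python
import re
from datetime import date

# Reverse names typical of consumer access pools (DSL, cable, dial-up, dynamic).
ACCESS_POOL_RDNS = re.compile(r"(adsl|dsl|cable|dial|dyn|pool|ppp|dhcp)", re.IGNORECASE)


def parse_lookup_table(text):
    """Parse a 'Domain Type Class TTL Answer' table whose columns are padded
    with runs of dashes (as dnsstuff output is pasted in this thread) or spaces."""
    rows = []
    for line in text.splitlines():
        parts = [p for p in re.split(r"-{2,}|\s+", line.strip()) if p]
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # header, blank or non-record line
        domain, rtype, rclass, ttl, answer = parts
        rows.append({"domain": domain, "type": rtype.upper(), "class": rclass,
                     "ttl": int(ttl), "answer": answer})
    return rows


def assess_fast_flux(snapshots, rdns, registered_on, today,
                     max_ttl=3600, max_age_days=30):
    """snapshots: list of (seconds_since_start, rows) in time order.
    rdns: {ip: reverse name} as gathered by PTR lookups (constructed here).
    Returns the distinct pool, per-snapshot churn and the flags a report can cite."""
    per_snapshot, pool, nameservers, min_ttl = [], set(), set(), None
    for _, rows in snapshots:
        ips = {r["answer"] for r in rows if r["type"] == "A"}
        per_snapshot.append(ips)
        pool |= ips
        nameservers |= {r["answer"] for r in rows if r["type"] == "NS"}
        for r in rows:
            if r["type"] == "A":
                min_ttl = r["ttl"] if min_ttl is None else min(min_ttl, r["ttl"])
    # churn: share of each answer set that was not in the previous answer set
    churn = [len(cur - prev) / len(cur)
             for prev, cur in zip(per_snapshot, per_snapshot[1:]) if cur]
    pool_ips = [ip for ip in pool if ACCESS_POOL_RDNS.search(rdns.get(ip, ""))]
    largest_answer = max((len(s) for s in per_snapshot), default=0)
    flags = {
        "rotating_addresses": len(pool) > largest_answer,     # item 3
        "short_ttl": min_ttl is not None and min_ttl <= max_ttl,
        "access_pool_rdns": bool(pool) and len(pool_ips) * 2 >= len(pool),  # item 4
        "young_domain": (today - registered_on).days <= max_age_days,     # item 5
    }
    return {"distinct_ips": sorted(pool), "nameservers": sorted(nameservers),
            "min_ttl": min_ttl, "mean_churn": sum(churn) / len(churn) if churn else 0.0,
            "access_pool_ips": sorted(pool_ips), "flags": flags,
            "score": sum(flags.values())}


# ---- constructed sample data (documentation address ranges, not real hosts) ----
SAMPLE_TABLE = """\
Domain---------Type---Class---TTL-------Answer
spamvertised.example--A--------IN------1800---192.0.2.10
spamvertised.example--A--------IN------1800---192.0.2.11
spamvertised.example--A--------IN------1800---192.0.2.12
spamvertised.example--A--------IN------1800---192.0.2.13
spamvertised.example--A--------IN------1800---192.0.2.14
spamvertised.example--NS------IN------1800---ns1.controller.example
spamvertised.example--NS------IN------1800---ns2.controller.example
"""


def table_text(domain, ips, ns_hosts, ttl):
    """Build a table in the same dash-padded format for a later snapshot."""
    lines = ["Domain---Type---Class---TTL---Answer"]
    lines += [f"{domain}--A--IN--{ttl}--{ip}" for ip in ips]
    lines += [f"{domain}--NS--IN--{ttl}--{ns}" for ns in ns_hosts]
    return "\n".join(lines)


def demo_report():
    """Three lookups five minutes apart, each answer drifting by a few addresses."""
    ns = ["ns1.controller.example", "ns2.controller.example"]
    later1 = [f"192.0.2.{n}" for n in (12, 13, 14, 15, 16)]
    later2 = [f"192.0.2.{n}" for n in (15, 16, 17, 18, 19)]
    snapshots = [
        (0, parse_lookup_table(SAMPLE_TABLE)),
        (300, parse_lookup_table(table_text("spamvertised.example", later1, ns, 1800))),
        (600, parse_lookup_table(table_text("spamvertised.example", later2, ns, 1800))),
    ]
    # constructed PTR results: eight of the ten addresses look like DSL pool hosts
    rdns = {f"192.0.2.{n}": f"dslb-192-0-2-{n}.pools.access.example" for n in range(10, 18)}
    return assess_fast_flux(snapshots, rdns,
                            registered_on=date(2007, 1, 20), today=date(2007, 2, 5))


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Over the constructed snapshots the five-address answers drift into a pool of ten distinct addresses (mean churn 0.5 between lookups), the TTL is 1800 seconds, eight of the ten reverse-resolve to pool-style names and the domain is 16 days old, so all four flags raise. In real use the snapshots come from repeated lookups over an hour or more and the rdns map from PTR queries; the flags are what goes into the abuse report alongside the raw tables.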
It raises an interesting point - should the use of a botnet be regarded as a criminal act in itself? It does involve hacking into third party machines without permission. It's certainly not an argument that cut any ice with my one notable exception....

What further proof other than the above is possible in the botnet scenario? How do you convince the determinedly blackhat SP?

*e.g: http://www.dnsstuff.com/tools/traversal.ch...n.hk&type=A

I have to wonder if a company that responds like this is actually involved in trying to take court action against spammers? If they are not they could be charged with "complacency" in a criminal act (aiding and abetting).

A few years back spammers were never being charged; now they are, and getting convictions on a more regular basis. I think it is time ISPs were looked at as being "aiders and abetters" of spammers. The simple act of a port 25 block would stop a major percentage of spam.

I also wonder why so many registrants of spamvertised URLs are hard to contact? There needs to be a standard abuse address for registrants for abuse reports. Then SpamCop could easily be made to send a report to them as well.

I do a tracert to get an IP address of a website as well as (when working?) use http://samspade.org, which also gives an IP as well as (or often) the registrar of a spamvertised URL. I contend that when a spamvertised site of an adult content site is recorded/reported, that site automatically needs closing for 72 hours (if not permanently), as that spam is also sent to minors worldwide.


As well as spam from the Norden United (norden.hk) money launderer I'm now also being spammed by their sister crooks, Impex Consult who've also moved a botnet onto layeredtech's territory - looks like the word's out the Layeredtech are criminal friendly. Let's try another abuse report to abuse[at]layeredtech.com. (You can tell by now I'm getting more than a little ticked off with this lot - I tend to start off all sweetness & light, but being called a spammer for sending them abuse reports for the spam I was getting as a result of their inaction rather ticked me off...):

_______________________________________________________________

As well as sheltering the criminal fraudster Norden United (norden.hk), you now also have the associated criminal spammer "Impex Consult" (consult-im.biz), abusing your network by using a botnet controller on another of your IPs 72.36.132.21 (ns1.transfer-bk.com [72.36.132.21]). Looks like the word has got round the criminal community that you happily host their botnets. For what it's worth, here is the evidence, (spam & full DNS data), that you say I never supply:

Full source code of the received spam is supplied below showing the spamvertized site to be <http://consult-im.biz> This links directly to the botnet controller ns1.transfer-bk.com [72.36.132.21] according to the following authoritative lookup data:

DNS Lookup: consult-im.biz A record

Domain---------Type---Class---TTL-------Answer
consult-im.biz--A--------IN------1800---24.107.111.55
consult-im.biz--A--------IN------1800---70.52.58.37
consult-im.biz--A--------IN------1800---70.74.14.128
consult-im.biz--A--------IN------1800---85.108.164.183
consult-im.biz--A--------IN------1800---86.71.18.230
consult-im.biz--NS------IN------1800---ns1.transfer-bk.com
consult-im.biz--NS------IN------1800---ns2.transfer-bk.com

Full DNS traversal data for domain consult-im.biz:
(http://www.dnsstuff.com/tools/traversal.ch?domain=consult-im.biz&type=A)

-----------------------Server-------------------Response
ns1.transfer-bk.com [72.36.132.21] 24.107.111.55 70.52.58.37 70.74.14.128 85.108.164.183 86.71.18.230 3ms

Tracert consult-im.biz : 70.52.58.37 AS577 BACOM [Reached Destination] bas3-montreal31-1177827877.dsl.bell.ca.

The criminal spammer's network consists of an apache webserver as zombie botnet controller on your IP ns1.transfer-bk.com [72.36.132.21] controlling 5 constantly rotating infected end user machine zombie IPs (RDNS confirms). The above tracert proves that the domain consult-im.biz is hosted on one of the above zombies.

The above evidence conclusively proves that the spamvertized domain consult-im.biz is hosted on a rotating zombie botnet controlled by a bogus nameserver ns1.transfer-bk.com located on your IP address 72.36.132.21 There is also indisputable public domain evidence of the fraudulent nature & spamming activity of the so-called company "Impex Consult".

I would ask you to null route the above IP (ns1.transfer-bk.com [72.36.132.21]), but I don't hold out much hope as you are happy to shelter an identical botnet controller (ns1.bg-arati.com [72.36.159.12]) on another IP for the sister money launderer Norden United aka norden.hk.

spam source code follows:

________________________________________

Return-Path: <onwftqque[at]mail.com>
Received: from mwinf3308.me.freeserve.com (mwinf3308.me.freeserve.com)
    by mwinb3406 (SMTP Server) with LMTP; Sun, 04 Feb 2007 18:41:01 +0100
X-Sieve: Server Sieve 2.2
Envelope-to: me[at]freeserve.co.uk
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf3308.me.freeserve.com (SMTP Server) with ESMTP id A700C1C000B5
    for <me[at]freeserve.co.uk>; Sun, 4 Feb 2007 18:41:01 +0100 (CET)
Received: from cc500436-a.mp1.dr.home.nl (cc500436-a.mp1.dr.home.nl [217.120.9.200])
    by mwinf3308.me.freeserve.com (SMTP Server) with SMTP id 00AA91C00089
    for <me[at]freeserve.co.uk>; Sun, 4 Feb 2007 18:41:00 +0100 (CET)
X-ME-UUID: 20070204174101322.00AA91C00089[at]mwinf3308.me.freeserve.com
Received: from ipowerdns.com (unknown [12.128.65.154])
    by colo-cation.com with SMTP id IHZI8OD5XC
    for <me[at]freeserve.co.uk>; Sun, 04 Feb 2007 17:40:59 -0000
Received: from purinmail.com (HELO purinmail.com.apc.com [40.117.216.153])
    by tandastudios.com with SMTP id 4SEQUNY9JQ
    for <me[at]freeserve.co.uk>; Sun, 04 Feb 2007 11:36:59 -0600
From: "Impex Consult" <onwftqque[at]mail.com>
To: "Bob" <me[at]freeserve.co.uk>
Subject: Prestigious job/vacancy!
X-Authentication-Warning: S74-conscionable85.PK50dkbl.connextra.com
    (malnutrition.buydomains.com [136.136.13.209]): zl8dis set sender to
    kgyjokkpzpw[at]malaysia.net using -m
X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="5ZF48RQGUTE9ZRH746GDFA4"
Message-Id: <20070204174100.00AA91C00089[at]mwinf3308.me.freeserve.com>
Date: Sun, 4 Feb 2007 18:41:00 +0100 (CET)
X-me-spamlevel: med
X-me-spamrating: 99.806928
X-Antivirus: AVG for E-mail 7.5.441 [268.17.24/668]

--5ZF48RQGUTE9ZRH746GDFA4
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.2800.1522" name=GENERATOR></HEAD>
<BODY bgcolor="#FFFFF7" text="#240C35">
<a hREF=http://consult-im.biz>
<img src="cid:NUXWQH1VDV" border=0></a>
</p><p><font color="#FFFFFD">"We have to talk,»she said. carbonate cycle 12:00 PM</font></p><p><font color="#FFFFF3">It was not grief, this feeling, although she was nearly overwhelmed with grief - this was a strange, thundery feeling that she couldn't ever remember having before. He imagined her fiddling with the shoulder-bag. "No need for thanks. His thighs, crotch, even his penis, were all still mottled with fading bruises. Oh, I am in so much trouble here, he thought. When she took her lips away this time he did not let her breath out but pushed it and whooped in a gigantic breath of his own. But that last name brought its own association, a painful and unhappy one under these circumstances: a memory of Cyndi Lauper hiccuping her way cheerfully through "Girls Just Want to Have Fun»that was so clear it was almost auditory: Oh daddy dear, you're still number one / But girls, they wanna have fuh-un / Oh when the workin day is done / Girls just wanna have fun. behave</font></p>
</BODY>
</HTML>

--5ZF48RQGUTE9ZRH746GDFA4
Content-Type: image/gif; name="astm.gif"
Content-Transfer-Encoding: base64
Content-ID: <NUXWQH1VDV> <decoded>

Impex Consult Financial consulting Group was established early in 1994. The group's offices are Iocated in over 20 countries of the world. The Group comprises a consultancy, a legal, an auditing and an appraising companies. AII the companies controlled by the Impex Consult holding pursue one ultimate goal - that of improving efficiency of the client's business.

Impex Consult is one of the oldest companies on the market with invaluable experience of working with investments. WE are proud of the trust our clients and partners have put in us. The core of our success is our specialist team. We are constantly developing and always keen to bring more determined and ambitious professionals into our team. At this stage we offer you to start your career in our team as a Transactions Specialist.

The duties would involve prompt processing of incoming cash funds and their transfer to accounts indicated by our managers. With efficient time management your whole day's work should take 3 to 5 hours.

What we expect from a candidate

* Higher (tertiary) education
* Age upward of 20
* Experience of handling money remittances (appreciated)
* Knowledge of principle electronic payment instrument
* Confident computer skills

What we offer

* Speedy career progress
* High earnings plus performance result bonus

follow this link to take a visit to our web site: <http://consult-im.biz>

[Moderator edit - link broken in earlier instance of spamvertized site.]

Edited by Farelf

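Layeredtech's reply asked for "a copy of the spam ... linked back to the host in question". The two pieces of that linkage a reporter pulls out of the raw source are the handoff IP from the Received chain (trusting only the lines written by your own mail servers, since everything below them was written by the sender and can be forged, like the ipowerdns.com and purinmail.com lines in the spam above) and the spamvertised URL from the HTML body, including an unquoted, mixed-case hREF= of the kind the sample uses. The following Python script is an added example, not the thread's or SpamCop's code; the message SAMPLE_SPAM and all of its hosts, addresses and domains are constructed for the demonstration.

```python
import email
import re
from email import policy

# Constructed sample: two Received lines written by our own MX (mx1.mymail.example),
# then a Received line the sender forged underneath them.
SAMPLE_SPAM = """\
Return-Path: <nobody@sender.example>
Received: from internal-relay.example (localhost [127.0.0.1])
    by mx1.mymail.example (SMTP Server) with ESMTP id A1B2C3
    for <me@mymail.example>; Sun, 4 Feb 2007 18:41:01 +0100 (CET)
Received: from cable-pool-7.access.example (cable-pool-7.access.example [203.0.113.77])
    by mx1.mymail.example (SMTP Server) with SMTP id D4E5F6
    for <me@mymail.example>; Sun, 4 Feb 2007 18:41:00 +0100 (CET)
Received: from lookslegit.example (unknown [198.51.100.9])
    by not-our-server.example with SMTP id G7H8I9
    for <me@mymail.example>; Sun, 04 Feb 2007 17:40:59 -0000
From: "Sample Sender" <nobody@sender.example>
To: "Bob" <me@mymail.example>
Subject: Prestigious job/vacancy!
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY1"

--BOUNDARY1
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<HTML><BODY bgcolor="#FFFFF7">
<a hREF=http://spamvertised.example><img src="cid:IMG1" border=0></a>
<p><font color="#FFFFFD">filler text to defeat word filters</font></p>
<a href="http://mirror.example/x">alt</a>
follow this link to take a visit to our web site: <http://spamvertised.example/apply>
</BODY></HTML>

--BOUNDARY1--
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)   # tolerates hREF= unquoted
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)            # bare <http://...> links


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.compat32)


def received_hops(msg):
    """Received lines top to bottom: from-name, bracketed IP (if any), by-host."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IPV4_RE.search(m.group("comment") or "")
        hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by").rstrip(";,")})
    return hops


def _internal(ip):
    """Loopback and RFC 1918 space: internal relays, not the handoff we want."""
    return ip.startswith(("127.", "10.", "192.168.")) or bool(
        re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip))


def handoff_ip(msg, trusted_domain):
    """IP that handed the message to the lowest Received line written by one of
    our own servers. Lines below that were written by the sender and are ignored
    (a forged line that names our own server would still need a mailhost check)."""
    candidate = None
    for hop in received_hops(msg):
        if hop["by"] == trusted_domain or hop["by"].endswith("." + trusted_domain):
            if hop["ip"] and not _internal(hop["ip"]):
                candidate = hop["ip"]  # lower trusted lines are closer to the source
        else:
            break  # first line not written by us: everything below is untrusted
    return candidate


def spamvertised_urls(msg):
    """Every http(s) URL in the text parts, from href attributes or bare links."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "us-ascii", "replace")
        urls.update(HREF_RE.findall(body))
        urls.update(URL_RE.findall(body))
    return sorted(u for u in urls if u.lower().startswith("http"))


if __name__ == "__main__":
    msg = parse_message(SAMPLE_SPAM)
    for hop in received_hops(msg):
        print(hop)
    print("handoff:", handoff_ip(msg, "mymail.example"))
    print("spamvertised:", spamvertised_urls(msg))
```

For the constructed message the handoff address is the cable-pool host that talked to mx1.mymail.example; the forged line beneath it (by not-our-server.example) is never consulted, and all three URLs come out regardless of quoting or attribute case. The forged line is the reason the Received chain alone does not identify the spamvertised host: the body's URL plus the DNS data does that, which is what the abuse report above combines.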

Just to add, can't give you much more than moral support from here bobbear - quite difficult to resolve the NS & the website at the moment -

Tracing route to yourhosts.co.uk [72.36.132.21] over a maximum of 30 hops:

<snip>(100 ms)
5 72 ms 73 ms 73 ms 202.139.19.37
6 219 ms 220 ms 229 ms 203.208.148.17
7 219 ms 219 ms 220 ms ber1-ge-4-14.losangeles.savvis.net [208.172.44.137]
8 219 ms 219 ms 219 ms dcr2-ge-3-0-0.losangeles.savvis.net [204.70.193.49]
9 220 ms 251 ms 220 ms dcr1-as0-0.losangeles.savvis.net [204.70.192.117]
10 251 ms 253 ms 258 ms dcr2-so-3-3-0.dallas.savvis.net [204.70.192.246]
11 253 ms 253 ms 252 ms bhr1-pos-1-0.fortworthda1.savvis.net [208.172.129.230]
12 253 ms 253 ms 253 ms 216.39.64.19
13 * 253 ms * 216.39.69.134
14 253 ms * 252 ms yourhosts.co.uk [72.36.132.18]
15 253 ms 252 ms 253 ms yourhosts.co.uk [72.36.132.21]

Trace complete.

(tracert consult-im.biz times out at about hop 22) [added, ah, a better result]

Tracing route to consult-im.biz [88.68.27.167] over a maximum of 30 hops:

<snip> (107 ms)
5 73 ms 73 ms 73 ms 202.139.19.33
6 235 ms 234 ms 234 ms 203.208.148.105
7 232 ms 231 ms 233 ms so4-1-0-622m.ar2.pao2.gblx.net [208.50.13.165]
8 397 ms 397 ms 397 ms so6-0-0-2488m.ar1.fra2.gblx.net [67.17.74.150]
9 396 ms 396 ms 397 ms arcor-agco.so-2-0-0.ar2.fra2.gblx.net [67.17.134.114]
10 400 ms 399 ms 399 ms ffm-145-254-16-73.arcor-ip.net [145.254.16.73]
11 391 ms 390 ms 390 ms 145.254.1.30
12 * 993 ms 1281 ms dslb-088-068-027-167.pools.arcor-ip.net [88.68.27.167]

Trace complete.

Anyway, not practicable from here.

...I have to wonder if a company that responds like this is actually involved in trying to take court action against spammers? If they are not they could be charged with "complacency" in a criminal act (aiding and abetting)...
'Twere best if they were charged with complicity. :) That would *really* test their complacency!

It raises an interesting point - should the use of a botnet be regarded as a criminal act in itself? It does involve hacking into third party machines without permission. It's certainly not an argument that cut any ice with my one notable exception....

I'm no lawyer, but in the U.S. we have 18 USC 1030, which prohibits "unauthorized use" of "a protected computer." The definition of "protected computer" isn't terribly clear in the code, but it is possible that it does not include people's home computers (i.e., may refer to servers, or maybe just to certain classes of server).

Unlike a lot of cyber-crime and cyber-fraud, however, we can trace botnet influence to specific geographic locations (i.e., the home of the user whose computer has been infected). Seems like a good prosecutor might be able to hang some sort of case on this, particularly when thousands of individual computers are involved.

-- rick

I'm no lawyer, but in the U.S. we have 18 USC 1030, which prohibits "unauthorized use" of "a protected computer." The definition of "protected computer" isn't terribly clear in the code, but it is possible that it does not include people's home computers (i.e., may refer to servers, or maybe just to certain classes of server)....
Nor am I a lawyer, but for the convenience of fellow laymen - The definition FWIW is

... (e)(2) the term “protected computer” means a computer—

('A') exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

('B') which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; ...

... with the perusal of superior and subordinate definitions left as an exercise for the masochistic (my reference Cornell Law School LLI US Code Collection). However it seems prosecution need not rely entirely on §1030. Of course State laws may also be applicable, as may other Federal codes. Some relatively recent case law is presented under Phillips Nizer Internet Library (for instance Computer Fraud and Abuse Act) which appears to reveal some unfortunate avenues of evasion (for example, 'independent contractors' are not agents under the control of the principal). But, IMO, petzl's surmise is correct, that any defense relying on 'arms length' distancing from illicit activity is undermined by guilty knowledge (or the reasonable expectation of such knowledge in civil cases which use the test of 'the balance of probability' rather than that of 'proof beyond reasonable doubt'). And so it goes ... frankly, I still advocate short and sharpened stakes.


I am grateful for the highly valued legal advice from my right honorable colleagues. I am also in favour of raising the short & sharpened stakes....

It seems that this is an area in law that hasn't yet been explored, but I suspect that a successful challenge would probably only come from a company or individual that has suffered material or financial loss as a result of implied negligence on behalf of the network operator. I would be happy to supply written evidence of notification of network abuse to the network operator, (in this case layeredtech.com), to the attorneys of anyone who has suffered such loss or legal action as a result of any involvement with Norden United &/or Impex Consult.

The sort of defence layeredtech.com have deployed is the sort of defence that is used all the time by the various registrars who also turn a blind eye to spamming & criminal activity by refusing to suspend the obvious criminal domains involved.

No reply as yet from the layeredtech abuse team apart from the usual auto acknowledgement. In view of our previous correspondence I would not be 100% surprised if they simply ignored me, but I live in hope as the botnet is a particularly iniquitous way of propagating spam & I think needs challenging manually as it just isn't seen by the SC parser.


Update: It's nearly 48 hours since I submitted the above abuse report to Layeredtech and received an auto acknowledgement from their abuse team. As I suspected they are simply ignoring me and have taken no action against the reported criminal fraudster/spammer consult-im.biz nor the other domain, (norden.hk), that I have reported many times.

The message is loud and clear - the zombie botnet with its associated spammers and criminal fraudsters is safe with Layeredtech who by their inaction appear to be thoroughly blackhat.

If such an apparently unethical company can operate unhindered in the heart of the US, how can China, Korea etc be criticised for their levels of 'bullet-proof' services?

used 600-700 compromised PCs to send about nine billion spam messages promoting penis pills, pornographic websites and other assorted tat. X's 14-month junk mail campaign reportedly earned him an estimated € 40,000 before he was collared in November 2005

Lucky he wasn't in the US... his fines would have been 1000x that, based on the 'per email' fine that many states like to impose and the Fed has no problem agreeing with.

... Layeredtech ... such an apparently unethical company ...
Aye and there's the rub. To the greater public they *appear* to be totally ethical. They employ specialists to keep their networks clean, they writhe in sympathetic agony for a world burdened with less perfect ISPs than they and they rant their righteous indignation at the iniquity of such carbuncles on the societal corpus (pestilence to contrast their own purity) as would profit from the world of spam. And they name Names for us to revile and none of those names is theirs so trust them we must.

What the greater public know of them is what they tell the public - as in Should ISPs Be Profiting From Knowingly Hosting spam Gangs?. Do I have it wrong bobbear, or would you be seeing "misdirection" and more in that pronouncement? What I see is a huge impediment to any future defence based on their denial of their guilty knowledge. The run-around they give you is the "plausible deniability" tactic which seldom is (plausible) - and when they presume to adopt a position of such moral and technical superiority then any unsupported or apparently ignorant denial is shown to be actual and pure effrontery .


Just a small alternative view/action .... My complaint about a scripted attack against this very server from three IP addresses 'owned' by Layered Technologies was met with an auto-ack ... followed up in less than an hour with a copy of an e-mail sent to their client, promising disconnection in 12 hours if the actions didn't stop. I can say that within three hours, the specific abuse did in fact stop.

Not defending anyone, simply tossing out one of my recent experiences with the same folks being complained about ...????


Just a small alternative view/action .... My complaint about a scripted attack against this very server from three IP addresses 'owned' by Layered Technologies was met with an auto-ack ... followed up in less than an hour with a copy of an e-mail sent to their client, promising disconnection in 12 hours if the actions didn't stop. I can say that within three hours, the specific abuse did in fact stop.

Not defending anyone, simply tossing out one of my recent experiences with the same folks being complained about ...????

That's fair enough - no problem with that - it's down to the sort of problem, I think. I'm sure that the problem with the total refusal of Layeredtech to take any action on the utterly clear evidence of botnet abuse I posted above was down to the abuse team simply not understanding the problem (in particular one LT NOC abuse team manager whose name I won't mention....). I honestly could not understand how an abuse team could be so dumb as not to understand the DNS data as I presented it, so I was perfectly happy to consider them blackhat. I think some retraining is necessary....

The problem was that I don't think it fitted into one of their 'boxes', i.e. the spamvertised site was not on one of their IPs and they seemed incapable of thinking 'outside the box' to be able to see the botnet that they were hosting, and so wouldn't entertain the abuse report.

However, the problem was passed to the LT-Savvis NOC abuse team earlier today and thankfully they did understand the problem and have issued a cease order on one of the new generation of aliases of these money laundering fraudsters FIC Financial inc. using several domains, but the one LT-Savvis have taken action on is finintconsult.hk/mu-home.com. Their other domains fic.hk & finintcon.hk have been moved to another nameserver host now (ns1.too-top.com [66.7.192.244]) and the IP owner (HostDime.com) have not yet responded to the two abuse reports (no auto-ack) I sent earlier today. Let's hope it is not such an uphill struggle with them. It could be just a spam filter on the abuse address problem again & no NDR, I suppose (come back NDRs....), but it is depressing when it is such an uphill struggle to get these pretty obvious criminal fraudsters & their botnets shut down.

[Edit] I never did get a reply from Layeredtech regarding my original botnet abuse reports relating to norden.hk & consult-im.biz apart from the initial refusal to take any action, but the IPs quietly died in the last day or so, so I suspect the penny finally dropped, possibly when they didn't get paid or they discovered that the accounts were paid with stolen credit card details....

Edited by bobbear

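The point bobbear is making above (the spamvertised web host and the nameserver host are separate pieces of infrastructure, and each IP owner gets its own abuse report) is the kind of thing that is easy to get wrong when answers rotate every few minutes. The following is an added example, not code from the thread or from any of the providers named in it: it takes a series of DNS observations for a domain, decides whether the A records rotate fast-flux style, and maps every IP involved, the nameservers' own IPs included, to the network owner who should receive the report. The domain names, IPs, and the allocation table are all constructed; the table is a hypothetical stand-in for an RDAP/WHOIS lookup.

```python
"""Added example (not from the forum thread): attribute a spamvertised
domain's web and nameserver IPs to their network owners for abuse reporting,
and flag rotating (fast-flux style) A records.

All data below is constructed for illustration. ALLOCATIONS is a
hypothetical stand-in for what you would get from RDAP/WHOIS."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical allocation table: CIDR -> abuse contact (constructed).
ALLOCATIONS = {
    "203.0.113.0/24": "abuse@hosting-a.example",
    "198.51.100.0/24": "abuse@hosting-b.example",
    "192.0.2.0/24": "abuse@isp-c.example",
}

# Constructed observations over 15 minutes: (seconds, rrtype, name, value, ttl).
# The web A record changes on every query; the NS record and its glue do not.
OBSERVATIONS = [
    (0,   "A",  "shop.example", "198.51.100.17", 300),
    (0,   "NS", "shop.example", "ns1.flux.example", 86400),
    (0,   "A",  "ns1.flux.example", "203.0.113.9", 86400),
    (300, "A",  "shop.example", "192.0.2.44", 300),
    (600, "A",  "shop.example", "198.51.100.92", 300),
    (900, "A",  "shop.example", "192.0.2.101", 300),
]


def owner_of(ip):
    """Longest-prefix match of ip against the allocation table."""
    addr = ip_address(ip)
    best = None
    for cidr, contact in ALLOCATIONS.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, contact)
    return best[1] if best else "unknown"


def analyse(observations, domain, flux_threshold=3):
    """Return the rotation verdict and a per-contact list of what to report."""
    a_records = [o for o in observations if o[1] == "A" and o[2] == domain]
    distinct = {o[3] for o in a_records}
    min_ttl = min(o[4] for o in a_records)
    # Rotation heuristic: several distinct answers with a short TTL.
    rotating = len(distinct) >= flux_threshold and min_ttl <= 300

    # The nameservers are a separate report target: find their glue/A IPs.
    ns_names = {o[3] for o in observations if o[1] == "NS" and o[2] == domain}
    ns_ips = {o[3] for o in observations if o[1] == "A" and o[2] in ns_names}

    reports = defaultdict(set)
    for ip in distinct:
        reports[owner_of(ip)].add(("web", ip))
    for ip in ns_ips:
        reports[owner_of(ip)].add(("nameserver", ip))
    return {
        "rotating": rotating,
        "distinct_a": len(distinct),
        "nameserver_ips": sorted(ns_ips),
        "reports": {contact: sorted(items) for contact, items in reports.items()},
    }


if __name__ == "__main__":
    result = analyse(OBSERVATIONS, "shop.example")
    print("rotating:", result["rotating"], "distinct A records:", result["distinct_a"])
    for contact, items in result["reports"].items():
        print(contact)
        for role, ip in items:
            print(f"  {role}: {ip}")
```

With the constructed data the web host rotates across two networks while the nameserver sits on a third, so three separate reports go out; the nameserver owner gets one even though no spamvertised page is on its space, which is exactly the report an abuse desk that only thinks in terms of "is the website on our IP?" will reject.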

The money laundering fraudster domains fic.hk and finintcon.hk are still active on their zombie botnets on layeredtech.com nameserver IP ns1.hot-bc.com [72.36.142.38], and replies from the layeredtech abuse team to my further detailed evidential reports now leave me personally in no doubt whatsoever that they are a blackhat organisation. The fraudsters are still spamming me at the rate of up to ten a day and they are undoubtedly still sucking the gullible into their fraud, but I've given up wasting my time reporting them to layeredtech - there's nothing more I can do. The registrar HKDNR also totally ignores abuse reports concerning the above two domains. It's a depressing state of affairs that two such unscrupulous organisations can continue to ply their trade.


Today's action .... while researching something else entirely, noted that the hacking attempts are still flowing freely from at least one range of IP addresses tied back to Layered Tech folks .. granted that the previous complaint did result in the stopping of that specific hack attack, what I see now is coming from all over that space .. so the assumption would have to be that the hacker has gotten a little bit smarter ..????

At any rate, iptables have been updated here to reject traffic from 72.232.0.0/16 and 72.233.0.0/17 ....

User impact should be minimal, as the only Registered users from that IP Block have been idiots that actually tried spamming here, hence already Banned ....


I have to wonder if a company that responds like this is actually involved in trying to take court action against spammers? If they are not, they could be charged with "complacency" in a criminal act (aiding and abetting).

A few years back spammers were never being charged; now they are, and getting convictions, and on a more regular basis. I think it is time ISPs were being looked at as "aiders and abettors" of spammers. ...

I was wondering if the same can be applied to those who hire the spammers to do their advertising, either directly or indirectly. I've been following an Israeli spammer that seems to be botnet-based (statistics show that 270 messages I got from them over more than a year came from 268 different IP addresses in 40 different countries + 26 US states, and different networks within each country). The reason I follow this particular spammer is that they are very successful in marketing their product to what people call "legitimate businesses", and that the service they sell is the use of people's computers without the owner's knowledge. I was trying (still am) to get positive evidence that the different IP addresses actually represent infected machines, and so I include with every SpamCop report on this particular spammer a request to the ISP to check and confirm if it is actually an infected PC used without the owner's permission. I had only one ISP respond. It was a local ISP in Oklahoma that sent a reply to my SpamCop report saying he believed that this was an infected PC, that the IP address got complaints about other spam, and had open ports sending out binary traffic.

I can confirm that I have other reports from this system, including what appears to be German stock pump spam.

It will take a few days. There's no way for sure to verify outside of asking the customer. However, we've not had any issues with this customer sending spam in the past. They are also located in a small rural town in Oklahoma. I will try and get the customer to report to me which viruses and trojans are removed by A/V supposing they don't reformat.

I guess I'm saying that the spam is sent without their permission. I'm just not completely sure how to prove it.

I'm not sure if the customer will get me the proper virus/trojan information, but I can attest to them being infected. They were caught scanning 137 and 445. They also had 2 open ports which were handing out binary code, most likely the payload of the virus.

5468/tcp open unknown
50507/tcp open unknown

This machine is definitely compromised, we just don't know by what.

Now the particular spam sent from the said machine advertised government loans being offered by an Israeli government agency that has already sent spam using the services of this spammer in the past. So the story here is that an Israeli government agency has spent Israeli taxpayer money to hire a criminal to provide them a service by using a hijacked private machine in Oklahoma and its network resources (probably thousands of hijacked machines, but we know for sure only one of them was hijacked).

I went with this info (list of IP addresses, copy of the above quoted correspondence and some more email) to the Israeli police computer crime unit, and they said they were interested, that they would investigate, that they would very much like to stop the spammers but there's very little they can do with what I brought them and with the way the law limits them (and of course they are severely understaffed and have to deal with lots of other things, fraud, child porn etc.). I also filed a complaint with the State Comptroller about the use of taxpayer's money to hire criminals.

Anyway, what I see is "legitimate" businesses such as several academic colleges (real ones, not the "get whatever degree you like" type), an investment house offering to handle your portfolio if it's worth $100000 or more (would you let a botnet spammer do that for you? Apparently people do, because they hired the spammer several times) and many more businesses selling "legitimate" products. So I think there should be some way to take those that hire these services to criminal court. Several times I saw complaints about companies that advertise through this spammer, and the replies were usually of the sort "we don't directly work with them, we use a marketing agency that hired them" and "we made sure to ask that there would be a removal link". If they would have to pay a price because they purchased stolen goods (or stolen services), they would check more carefully what they are getting before they give their money to the criminal!

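The one ISP reply in the post above shows what actually lets an abuse desk say "this machine is definitely compromised" without touching the customer's PC: the host was caught sweeping ports 137 and 445 across other hosts, behaviour that an infected end-user machine exhibits and a normal one does not. Here is an added example of that detection, not code from the thread or from the ISP in question: it parses constructed firewall log lines (the format is made up; adapt the regex to your firewall's), counts how many distinct destinations each source has hit on 137/445, and flags sources above a threshold. One of the two constructed sources is a sweeper and the other is an ordinary client that happens to open a single SMB connection.

```python
"""Added example (not from the forum thread): flag hosts that are sweeping
ports 137/445 across many destinations, the behaviour the Oklahoma ISP
used to conclude their customer's PC was compromised.

Log format and log lines are constructed for illustration."""
import re
from collections import defaultdict

# NetBIOS name service and SMB; a sweep of these is the classic worm signature.
SCAN_PORTS = {137, 445}

# Constructed log format: "<epoch> SRC=<ip> DST=<ip> PROTO=<TCP|UDP> DPT=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dpt>\d+)$"
)

# Constructed sample: 192.0.2.10 sweeps 445/tcp and 137/udp across a /24;
# 192.0.2.20 is a normal client with one SMB connection and some web traffic.
SAMPLE_LOG = [
    f"{1000 + i} SRC=192.0.2.10 DST=198.51.100.{i} PROTO=TCP DPT=445"
    for i in range(1, 31)
]
SAMPLE_LOG += [
    f"{2000 + i} SRC=192.0.2.10 DST=198.51.100.{i} PROTO=UDP DPT=137"
    for i in range(1, 11)
]
SAMPLE_LOG += [
    "3001 SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP DPT=443",
    "3002 SRC=192.0.2.20 DST=203.0.113.6 PROTO=TCP DPT=445",
    "3003 SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP DPT=80",
    "this line is not in the expected format and is skipped",
]


def parse(lines):
    """Yield (src, dst, dport) for every line that matches the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_scanners(lines, min_targets=20):
    """Map each source that hit >= min_targets distinct hosts on 137/445
    to the number of distinct targets. Distinct targets, not packets, so
    a host retrying one file server does not trip the threshold."""
    targets = defaultdict(set)
    for src, dst, dpt in parse(lines):
        if dpt in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: swept {count} hosts on 137/445 - likely compromised")
```

The threshold is deliberately on distinct destinations rather than packet counts, because a legitimate client talking to one file server generates plenty of 445 traffic to a single host; a worm talks to many hosts once each. That distinction is what makes the ISP's statement defensible to a customer who insists their machine is fine.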