TerryNZ

Complainterator V5 Announcement

35 posts in this topic

COMPLAINTERATOR V5

For immediate use

Spamcop is incredibly successful and useful for reporting to the source of spam.

Spamcop does a reasonable job of reporting to the owner of the IP of a spamvertized site.

When a spamvertized site is a criminal operation, the likes of Alex Polyakov, Yambo Financials, Leo Kuvayev for example, then there is a better way to shut them down. If you lodge a compliance request to the registrar, requiring them to shut them down, you have more effect.

But it would be a tiresome and inefficient approach to complain to the registrar where the site is defined: one request per site, where there are literally thousands of sites. No, it is more efficient to send requests to the registrars of the domain name servers for those spamvertized sites. Each time a registrar shuts down the name servers, then all of the spamvertized sites are inaccessible. This can result in hundreds of sites being shut down through one small change by the registrar who complies with the request.

What's more, if it is done properly, those sites are not only inaccessible to the Internet, they remain inaccessible to the spammer. Dead and gone forever.

This approach has been used for the past 9 months, with stunning results. The above gangs have been hounded out of most spammer unfriendly registrars all over the world, and herded into a narrow clique of spammer friendly registrars. Their days there are numbered, too.

The driving engine behind this approach is now being released for public use. It runs in a specific operating environment - Windows, Firefox / Mozilla, and any email program. It takes as input the spamvertized domain, such as 44rx.com and determines who are the registrars for its name servers. It then prepares the complaint message(s) and allows you to review it before sending.

Download your copy from http://www.mytempdir.com/index.php?id=1215642, unzip it, read the documentation, and launch it from the Complainterator folder.

Note: This is not a replacement for Spamcop reporting, just another approach that covers some extra ground.

Feedback on Complainterator is in the discussion forum at http://thecarpcstore.com/phpbb2

The driving engine behind this approach is now being released for public use. It runs in a specific operating environment - Windows, Firefox / Mozilla, and any email program. It takes as input the spamvertized domain, such as 44rx.com and determines who are the registrars for its name servers. It then prepares the complaint message(s) and allows you to review it before sending.

Is there a reason that it is specific to firefox/mozilla?

Is there a reason that it is specific to firefox/mozilla?

I would prefer to use genuine Microsoft parts myself

However it is giving me an extra email address (of Registrar) I can include in my SpamCop report (I do not munge reports)

I would prefer to use genuine Microsoft parts myself

However it is giving me an extra email address (of Registrar) I can include in my SpamCop report (I do not munge reports)

V6 is now ready, and can be downloaded from http://thecarpcstore.com/phpbb2/viewtopic.php?p=6272

It has added support for Internet Explorer. It will use Mozilla / Firefox if such a window is open, or Internet Explorer if a browser window is open.

V6 is now ready, and can be downloaded from http://thecarpcstore.com/phpbb2/viewtopic.php?p=6272

It has added support for Internet Explorer. It will use Mozilla / Firefox if such a window is open, or Internet Explorer if a browser window is open.

Thank you. Just tested it a couple times (without sending) using the lodrx.com example you give in the docs and I think I have got the hang of it. I will try it on the next spamvertized site I find. I did find that it did not like to have my new windows open into my home page (never entered the first URL). Setting that back to the default of opening a blank page allowed the scripts to work, however.

Have you spoken to the registrars? Do they not need the spam to prove it was a spamvertized site before closing them down?


Have you spoken to the registrars? Do they not need the spam to prove it was a spamvertized site before closing them down?

Registrars who have shut down nameservers as a result of my requests (without including spam)

Number of name servers, followed by the registrar who acted:

01 EST
07 DSTR
80 Tucows
46 eNom
36 Yesnic
08 CSL
02 Aztus
12 Gandi SAS
17 Beijing Innovative
06 Misk
26 Ace of Domains / Moniker.com
02 Intercosmos
08 XIN Net

251 Domain name servers shut down using this complaint method since August 2006

Spamvertized domains shut down and removed from circulation as a result of my testing this tool number over 4,000.

Primarily I have used this method with illegal web sites, such as fake pharmacy (Leo Kuvayev and Alex Polyakov / Yambo).

Of course, if you want to copy/paste additional evidence at the bottom of the prepared email, please do so. However, it should go at the bottom, because the message is carefully structured to have the most salient information at the top.

Edited by TerryNZ


Complainterator V7 is now available at the same location

http://thecarpcstore.com/phpbb2/viewtopic.php?p=6272

I welcome feedback on user experiences with Internet Explorer.

http://www.spamcop.net/sc?id=z1232121563z9...0c73927be4f633z

Reported (penis) spamvertized URL "http:// aldd.net" which redirects to "http:// herbal-kings.net/"

(spaced links as adult content sites)

The first report for aldd.net went through

The second, for herbal-kings.net, bounced, accusing me of spamming

The following message to <info[at]nrw.net> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 554-'Your email is considered spam (10.50 spam-hits)'

Can these types of reports be considered spam?

I then reported both sites at Joker who are the registrar for both sites

https://joker.com/index.joker?mode=support&...pport_type=spam

There was no copy of spam (headers and or body) in Complainterator email

I did go to

http://www.nrw.net/

site is completely in German? So not able to understand any of it

Edited by petzl

I did go to

http://www.nrw.net/

site is completely in German? So not able to understand any of it

If you want to, Google the URL and accept the "Translate this page" option (translation works with linked pages too). Buttons and such-like remain in German. "IMPRESSUM" is the contacts page. I've heard the IP address showing at the website when you use this service is Google's, not yours - if so, a bit of added security.


http://www.spamcop.net/sc?id=z1232121563z9...0c73927be4f633z

Reported (penis) spamvertized URL "http:// aldd.net" which redirects to "http:// herbal-kings.net/"

(spaced links as adult content sites)

The first report for aldd.net went through

The second, for herbal-kings.net, bounced, accusing me of spamming

The following message to <info[at]nrw.net> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 554-'Your email is considered spam (10.50 spam-hits)'

Can these types of reports be considered spam?

I then reported both sites at Joker who are the registrar for both sites

https://joker.com/index.joker?mode=support&...pport_type=spam

There was no copy of spam (headers and or body) in Complainterator email

I did go to

http://www.nrw.net/

site is completely in German? So not able to understand any of it

See the spam Wiki at http://www.spamtrackers.eu/wiki/index.php?title=Herbal_King

CSL = Joker is a special case. You should have got an error when trying to send, because I put an invalid address in the CC field, asking you to go to the www.joker.com web site. I should not have even put the info[at]nrw.net there. Feel free to edit it out of the complainterator.contacts.txt file.

You need to register with joker, www.joker.com, then come back, Log In, and click

Support/Contact

Because you are logged in you will now see 3 options, the first two being

Report spammers/phishing

Report cases of spamming and phishing, which are related to Joker.com domains.

Support

General support, questions regarding domains, nameserver, billling, URL-forwarding and other issues.

Take the first option.

Report the name server domain in the first field, and paste the Complainterator message into the message area. Don't bother with including the actual spam, the complaint is about a spamvertized domain. If you really want to, append it at the end of the message.

This works successfully, and you get an auto-reply with the ability to add your follow-ups to the ticket via e-mail. They are responsive.

Edited by TerryNZ


You need to register with joker, www.joker.com, then come back, Log In, and click

Support/Contact

Because you are logged in you will now see 3 options, the first two being

Take the first option.

Report the name server domain in the first field, and paste the Complainterator message into the message area. Don't bother with including the actual spam, the complaint is about a spamvertized domain. If you really want to, append it at the end of the message.

This works successfully, and you get an auto-reply with the ability to add your follow-ups to the ticket via e-mail. They are responsive.

I am getting a fair bit of success with your complainterator at getting registrars to take spamvertised domain names down so I will keep using it.

It does not seem to stop the spammer as I see the same site under a new domain name I also go through to linked spamvertized URL as well. I am certain though the spammer does not enjoy me and I'm costing him money, as well as steering even more crime agencies towards these criminals

Thanks for the program, seems to work well with IE7 and Outlook Express. I am getting actual replies as well as auto-acks for follow-ups

Attack is definitely your best defence against spam and spammers B)

Edited by petzl


Version 8 has now been released

* SeaMonkey support

* Detection and warning for country level TLDs

* Better handling of multiple registrars

* Better handling of mixed name servers

* more contacts pre-loaded

http://thecarpcstore.com/phpbb2/viewtopic.php?t=575

Feedback here or in the distribution forum is appreciated

Edited by TerryNZ


This free spam reporting tool is now at version 10

Complainterator V10 includes support for

BROWSERS: Internet Explorer / Mozilla / Firefox / SeaMonkey

MAILERS: Outlook / Outlook Express / Thunderbird (all others with some manual assistance)

It checks the IP address of the spammed site's name servers, and does not generate messages to the registrar if the name server has already been removed.

It reports the spammed site's name servers and their current IP addresses. This innovation is better when reporting to Chinese registrars, who prefer to black-hole the IP rather than mess with the DNS name server record.

Complainterator takes a different approach from Spamcop - it addresses complaints to the registrars, rather than IP address owners. It complains to the registrars of the site's name servers, not the registrar of the spammed site. Removal of a spammer's name server takes down all spammed sites that depend on that name server.

There have been cases where one complaint to a registrar has canceled several hundred spammed sites in one email. Complainterator is therefore a high leverage spam site removal tool.

Edited by TerryNZ


To give an idea of how effective Complainterator can be -

Complaints to Registrar "Ace of Domains" (support[at]moniker.com) to shut down the following name servers would freeze access to this many spammed sites

ns1.driedoutdns.com 176
ns2.driedoutdns.com
ns1.hairyolddns.com 223
ns2.hairyolddns.com
ns1.surprisingdns.com 532
ns2.surprisingdns.com
ns1.ferygoins.com 346
ns2.ferygoins.com
ns1.chambogos.com 247
ns2.chambogos.com

TOTAL 1,524 illegal web sites would be removed

A complaint to Network Solutions to shut out the two nameservers on eggbacondns.com would take down 227 illegal spammed web sites.

The world of registrars is quickly being divided into two camps -

those who combat crime, and . . . um . . the rest.


One problem just noticed... Complainterator does not recognize the .us tld as in: imageshack.us


One problem just noticed... Complainterator does not recognize the .us tld as in: imageshack.us

Thanks. Please quote me a spammed domain name that illustrates the problem.

Thanks. Please quote me a spammed domain name that illustrates the problem.

He did .... the imageshack issue is just the latest spammer abused tool .... surrounding traffic about the problem exists 'all over the net' ....

Just staying 'here' ... examples at http://forum.spamcop.net/forums/index.php?showtopic=8109 .... http://zeta.cesmail.net/pipermail/scspamco...ril/002127.html for a recent spamcop newsgroup thread ....

On the other hand, this isn't really a Domain Registrar or DNS issue (at present)


On the other hand, this isn't really a Domain Registrar or DNS issue (at present)

imageshack.us

Correct. I have been "testing" it with many domains to see where the reports for different domains would go without actually sending them.

After the first dnsstuff lookup is complete, it comes up with an error message:

Name Server = ns9.imageshack.us

Does not represent a valid example, not a .com / .biz / .info / .net etc

Its generated message may not be correct, check it carefully

Skip? or Cancel completely?

Yes No Cancel

and I can continue by selecting No, but with additional prompting (unless that is related to the GoDaddy registrar).


imageshack.us

Correct. I have been "testing" it with many domains to see where the reports for different domains would go without actually sending them.

After the first dnsstuff lookup is complete, it comes up with an error message:

and I can continue by selecting No, but with additional prompting (unless that is related to the GoDaddy registrar).

Yes it is working as intended. I also received an imageshack spam today.

method From keystroke keyboard key press generates

http://img444.imageshack.us/my.php?image=gaux5.jpg

Sipura Skype Wanted WiMAX White

Complainterator correctly warns that this is not a URL likely to generate a valid message. It urges the user to check the message. It gives two options to get out (Yes and Cancel) and one option to continue (No)

If anyone does elect to continue, Complainterator has a pretty hard time dealing with what follows.

Just as with Spamcop, there is expected to be a degree of intelligent decision making on the part of the user. And in this case, Complainterator has given a clear hint that sending a complaint asking for the removal of all 8 imageshack name servers is not such a bright idea.

But if anyone were to send off such a request to Godaddy, the next stage would be for Godaddy to perform their own reasonability checks.


Yes it is working as intended. I also received an imageshack spam today. Complainterator correctly warns that this is not a URL likely to generate a valid message.

Thank you for the explanation. Does it give this warning simply because of the .us tld? That is how I read the warning message.

Does not represent a valid example, not a .com / .biz / .info / .net etc

While .us domains are not very popular right now, they are a "valid" tld.


Thank you for the explanation. Does it give this warning simply because of the .us tld? That is how I read the warning message.

While .us domains are not very popular right now, they are a "valid" tld.

I accept all TLDs except ccTLDs without question.

aero/biz/cat/com/coop/edu/gov/info/int/jobs/mil/mobi/museum/name/net/org/pro/travel/hk

I pop up a warning for ccTLDs because there are few spams using them as NS. (Beijing may get tired of requests to remove dns.com.cn otherwise)

The exception to the rule is .hk which is rapidly becoming a haven for spammer NS.

* * * *

V.11 will add a generated complaint message to the spammed URL registrar, to complement the existing complaints to NS registrars.

I see that as a necessary fallback, given the 3-4 remaining registrars who totally refuse to cut their ties with organized crime. The removal of the spammed sites, usually under law abiding registrars, will help address this issue. This additional complaint message will accept any TLD.

* * * *

The advent of V 11 will complete a useful picture. Using Polyakov's operation as an example -

With reference to the pyramid at http://www.spamtrackers.eu/wiki/index.php?...od_of_operation

Law enforcement tackles layer 1

Complainterator tackles most of layer 2-3, at the registrar level, and an AutoAlerter tackles the hijacks (see http://pharmalert.zoomshare.com) at the IP / ISP level

Spamcop tackles layer 4-5 at the IP / ISP level

* * * *

In an ideal world, all of these spam prevention measures would be embodied under the one composite operation. Imagine it. One spam generates

* request to ISP to shut down a compromised machine or open relay at source of spam

* request to ISP to remove a spammed website at its IP address

* request to registrar to deregister the spammed site domain

* request to registrars to null route the spammers' name servers that resolved access to the spammed site

* evidence accumulated for law enforcement to be used in the prosecution

"I have a dream . . . "

Edited by TerryNZ
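The routing logic described in the V10 announcement and in the TLD post above (group spammed sites by name server, skip name servers that no longer resolve, address one complaint per name-server registrar, warn on TLDs outside the accepted list) can be sketched as follows. This is an added example, not Complainterator's own code: the spammed site names and IP addresses are constructed, the name servers and registrar names are the ones mentioned in this thread, and the lookup tables stand in for live DNS and whois queries.

```python
from collections import defaultdict

# TLDs the thread says are accepted without question; any other TLD on a
# name server only triggers a "check the message" warning.
ACCEPTED_TLDS = set(
    "aero biz cat com coop edu gov info int jobs mil mobi museum "
    "name net org pro travel hk".split()
)

# Constructed sample data (sites and IPs are invented for illustration).
NS_OF_SITE = {
    "pills-one.example": ["ns1.driedoutdns.com", "ns2.driedoutdns.com"],
    "pills-two.example": ["ns1.driedoutdns.com", "ns2.driedoutdns.com"],
    "pills-three.example": ["ns1.eggbacondns.com", "ns2.eggbacondns.com"],
    "image-host.example": ["ns9.imageshack.us"],
}
NS_IP = {  # None means the name server no longer resolves (already removed)
    "ns1.driedoutdns.com": "192.0.2.10",
    "ns2.driedoutdns.com": None,
    "ns1.eggbacondns.com": "198.51.100.5",
    "ns2.eggbacondns.com": "198.51.100.6",
    "ns9.imageshack.us": "203.0.113.9",
}
REGISTRAR_OF = {  # registrar of the name server's own domain
    "driedoutdns.com": "Ace of Domains",
    "eggbacondns.com": "Network Solutions",
    "imageshack.us": "GoDaddy",
}

def ns_domain(ns_host):
    """Registered domain of a name server, taken as its last two labels.
    Simplification: wrong for names such as dns.com.cn."""
    return ".".join(ns_host.lower().rstrip(".").split(".")[-2:])

def plan_complaints(ns_of_site, ns_ip, registrar_of):
    """Return ({registrar: complaint data}, [name servers skipped as removed])."""
    sites_per_ns = defaultdict(set)
    for site, servers in ns_of_site.items():
        for ns in servers:
            sites_per_ns[ns].add(site)

    plan = defaultdict(lambda: {"name_servers": {}, "sites": set(), "warnings": []})
    skipped = []
    for ns in sorted(sites_per_ns):
        ip = ns_ip.get(ns)
        if ip is None:              # nothing left to complain about
            skipped.append(ns)
            continue
        dom = ns_domain(ns)
        entry = plan[registrar_of.get(dom, "UNKNOWN REGISTRAR")]
        entry["name_servers"][ns] = ip      # report the NS with its current IP
        entry["sites"] |= sites_per_ns[ns]  # every site this NS keeps reachable
        tld = dom.rsplit(".", 1)[-1]
        if tld not in ACCEPTED_TLDS:
            entry["warnings"].append(f"{ns}: .{tld} is not on the accepted list")
    return dict(plan), skipped

if __name__ == "__main__":
    plan, skipped = plan_complaints(NS_OF_SITE, NS_IP, REGISTRAR_OF)
    for registrar, entry in plan.items():
        print(registrar, entry["name_servers"], len(entry["sites"]), entry["warnings"])
    print("skipped (already removed):", skipped)
```
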


CORRECTION

TerryNZ:

I just tried v11 on the domain theironoly.net from another thread here and had some strange things happen.

WinXP Professional 2002 SP2 with all patches

IE7 with all patches

Microsoft Outlook 2002 SP3 with all patches

The first lookup and traversal worked OK and generated: theironoly.net.txt

The first DNS lookup worked and generated: fatiloquent.com.txt

The second DNS lookup worked and generated: practicekiss.net.txt

Then the strange stuff started happening... The program opened my favorites on screen, appeared to browse around inside the favorites and ultimately opened what appeared to be a random web page from my favorites. Then came up with the Check It message with the OK and appears to have correctly generated: champakdagon.com.txt. This strangeness repeated and ultimately generated: norchikmik.com.txt as well.

This test was repeated twice to try and determine a pattern. No emails were ever sent by me and the emails after the strange actions were never even generated (though the text appears to have been).

The 4 text messages appear to be correct for this domain. Is it some programming in your application that could have opened the favorites (like the key combination Alt+C were hit) or is there some information in these records that is being interpreted as the Alt+C?

Can you replicate this on another machine? My alternate machine here does not have email configured (kids machine)?


Thanks for the detailed problem description. I was able to duplicate it, and found exactly the same result as you describe. It opened the Favorites pull-down, and subsequent keystrokes were directed there. I will examine the cause right away.

