get-even's Achievements
  1. The spam was sent from a machine at IP, part of the CNC Group-Henan province network. It forges headers to look like it came through gmail forwarding mail from a go.com account (go.com is owned by Disney and has a bad history of being abused by spammers). The Received-SPF is just another forged header - go.com does not use SPF. Most likely the domain her0es.net (the spamvertised domain) is operated by Leo Kuvayev (currently #2 at Spamhaus) - it uses a set of registration records he has used on dozens of other domains. It is mortgage spam, so if he is following his pattern, there exists a nearly identical domain named her0es.com, which was likely registered within seconds of this one, but not yet used.
  2. WilTel's contracts aren't pink - they're bright red. WilTel/WCG is a provider of last resort; note they are also the current bandwidth provider for Brian Kramer/Expedite and AS33012 (look up the Spamhaus records about Expedite being dropped by MCI, Broadwing, Singtel, Mzima, Anet, TimeWarner, Sprint and a few more, all in the past two months). WCG gladly took them on - and I do remember when, twenty+ years ago, WilTel were the good guys. Notice even companies with sullied reputations don't want to handle Expedite (who also lost almost all their IP space, because it was hijacked illegally and revoked by ARIN); most of what is left is actually another Peters/JTel fake ISP with a fraudulent Jamaican front company, disconnected telephone lines, invalid email and suspended domains for all the contacts - it is amazing that *even* WCG will carry that kind of traffic.
  3. Latest multitrade group spams all use this method to avoid SpamCop. BTW, the registration contacts' telephone number is disconnected, and the domain of the contacts' email address is falsely registered also (non-existent Washington state address - listed voice number is a fax machine in Delaware state).
  4. I have also received a large number of these - it seems to be a busted worm. I tracked quite a few to a student's machine at Princeton, reported it to them, and received a very nice "thank you, we have removed the machine from our network" back. Definitely looks like someone is testing a virus, but either it is misconfigured or purposely sending empty spams.
  5. Hotmail is far from perfect, but they have an excellent "zero-tolerance" policy. Write a polite short (ten or fifteen line) message and add a copy of the *unmunged* spam and a copy of the 'whois' data for the domain "hycod.com" to abuse[at]hotmail.com. If the message doesn't bounce and you do get the standard "auto-reply", his account will likely be canceled within two days. Once the account is canceled, go to wdprs.internic.net and file a complaint saying that the email contacts are invalid - depending on the registrar, the domain (but probably not the site, which likely uses many domains) will be gone in a couple of weeks. Quick check: the registrar is Namebay Sam, so the domain will last a while, but the domain is also part of the taiwantelcom.com/taiwanmedialtd.com group, which despite its name operates mainly from Amsterdam - their domains are blacklisted right and left, and already the contacts' domain TAIWANTELCOM.COM and the name servers' domain, DNST.NET, are on "hold" status - the first stage of already being deleted. On just this basis, you can already file a complaint at wdprs, and hycod.com should be on "HOLD" itself within three days. Note: this gang creates about 10 new domains a week (I know of at least 6 that were shut down last week). This is a large professional operation - expect more spam from different domains now that you are on their list.
  6. Notice that this domain shares the same name servers as the domains used by the Vancouver/Texas "porn" pair who control the domains hansenmansion.info, kazuyukitaki.com, johnmasonmen.info, cheruskialot.net, heidelberga.com, scottiq.info, sadgencrenaz.net, aretedf.com, among others. This might be an "affiliate" operation since all of those seem to redirect to either or both of Squirt.tv and goodporno.net. The domain you listed, gjmatvienkoxdfg.com, and the ones in my list all share the same name servers; each uses the four name servers NS1.ANWOO.COM, NS1.BOMOFO.COM, NS1.EPOBOY.COM, and NS1.MYNAMESERVER.CA. In your case, the registrant uses a different address in Virginia, not in either Vancouver or Texas as all previously tied domains have. Also, your "one pixel" trick, while well known, is quite different from all the others, which are straightforward "porn" spams. Still, the relationship is there!
  7. Actually they are run by a small newspaper and spam for their advertisers. Primarily for not honoring remove requests *and* needing a password for removal, they will be blacklisted quite quickly. Also they have many domains trackable to them, several have false registration data - another blacklistable offence. Also, they seem to be spamming themselves (other reports can be found in search engines), not "free-email customers" (mis-)using their system. Notice, they generally do not forge headers, but anything sent to the U.S. would appear to not be CAN-SPAM compliant (no subject header noting an advertisement, no remove instructions in the email). You can get spam from them, if you want, by signing up, then canceling - the deluge comes quickly! This is already sufficient evidence for a few lists. If it continues after a day or two - what they say it should take - I'll start reporting to SpamCop also. BTW, you also start getting mail from other domains which they control, you just have to dig to determine their ownership. Also, the email is such egregious spam, I'll have to open filters to let it by; blocking has already occurred (i.e. my servers already refuse the mail based on blacklists they are already on *and* on content alone).
  8. They are not "too small" to be blacklisted; the process has begun (they operate a /24 netblock). You should see results within a week (some already).
  9. Seems like Ralsky shut almost all his domains off today - it looks like he was doing the DNS and possibly the mailing for the people being sued; maybe he'll finally get proven guilty (he always seems to get off on previous attempts to prosecute or sue him). Also, for anyone who wants to check, the info posted in this thread before has been changed as of yesterday and/or today.
  10. A good ISP will act quickly; for one of my pipes, I had a DoS last night - within 8 minutes the ISP and AboveNet had blocked the source and the pipe was back up (it was my primary routing path and the only one I publish SPF records for, so it was a pain in the neck despite being near 3AM local time).
  11. ICANN policy, check their web page: the registrant gets *at least* 15 days to fix the registration (unless somebody goes to the trouble of proving fraud and/or immediate harm is occurring). Besides, they've already changed the data once, the addresses and telephone numbers are valid, and the email accounts listed for the contacts do work. So basically, unless Pfizer or the FBI wants to file a complaint, they get 15 days! Personally, I don't have any of the typical data I use to get domains delisted (i.e. invalid data - provably so, with fraudulent headers on copies of email), otherwise I'd be tempted to complain myself. (I did get the name servers blacklisted in a variety of places though - for them I could "prove" fraudulent data!)
  12. No, but notice that the registration of the DNS servers' contact email is at the now infamous 126.com (after the posting here, it seems that 126.com is also used by "customers" too).

      jwhois myepharmacydirect.com
      [Querying whois.internic.net]
      [Redirected to whois.godaddy.com]
      [Querying whois.godaddy.com]
      [whois.godaddy.com]
      ...
      Registrant:
      Domains by Proxy, Inc.
      Registered through: GoDaddy.com
      Domain Name: MYEPHARMACYDIRECT.COM
      Domain servers in listed order:
      NS0.NNNSSS.COM
      NS1.NNNSSSS.COM
      For complete domain details go to: http://whois.godaddy.com
      [Querying whois.internic.net]
      [Redirected to whois.paycenter.com.cn]
      [Querying whois.paycenter.com.cn]
      [whois.paycenter.com.cn]
      The Data in Paycenter's WHOIS database is provided by Paycenter ...
      Domain Name:nnnsss.com
      Registrant:
      zheng zhou
      74 # zhong he road
      450005
      Administrative Contact:
      zheng zhou zheng zhou
      74 # zhong he road
      zheng zhou Henan 450005
      China
      tel: 86 371 8349581
      fax: 86 371 8349581
      zhenservicemed[at]126.com
      Technical Contact:
      zheng zhou zheng zhou
      74 # zhong he road
      zheng zhou Henan 450005
      China
      tel: 86 371 8349581
      fax: 86 371 8349581
      zhenservicemed[at]126.com
      Billing Contact:
      zheng zhou zheng zhou
      74 # zhong he road
      zheng zhou Henan 450005
      China
      tel: 86 371 8349581
      fax: 86 371 8349581
      zhenservicemed[at]126.com
      Registration Date: 2005-01-06
      Update Date: 2005-01-06
      Expiration Date: 2006-01-06
      Primary DNS: ns0.nameserverrt.com
      Secondary DNS: ns1.namserverst.com

      So while we might not know who they are, we know who they are in business with!

      % jwhois NNNSSS.COM - fails, whois.directi.com has just gone offline to the world!
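A way to automate the correlation done by hand in posts 6 and 12, as an added example that is not the poster's code: it parses whois-style text and groups domains that share a name server or a contact address. The records below are constructed in the layout of the jwhois output above; the domains and the contact address are placeholders.

```python
import re
from collections import defaultdict

# Constructed whois-style excerpts in the layout of the jwhois output quoted above;
# the domains and the contact address are placeholders, not real registrations.
WHOIS_TEXT = """
Domain Name: EXAMPLE-ONE.COM
NS1.ANWOO.COM
NS1.BOMOFO.COM
Domain Name: EXAMPLE-TWO.NET
NS1.BOMOFO.COM
NS1.MYNAMESERVER.CA
Domain Name: EXAMPLE-THREE.COM
Administrative Contact: contact-placeholder@126.com
Primary DNS: ns0.nameserverrt.com
Domain Name: EXAMPLE-FOUR.COM
Technical Contact: contact-placeholder@126.com
Primary DNS: ns9.unrelated.example
"""
# A name server line is either bare (NS1.X.COM) or prefixed "Primary/Secondary DNS:".
NS_RE = re.compile(r"^(?:(?:Primary|Secondary) DNS:)?\s*(ns\d*\.[\w.-]+)\s*$", re.I | re.M)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def parse_records(text):
    """Map each domain to the set of name servers and contact addresses in its record."""
    records = {}
    for block in re.split(r"^Domain Name:", text, flags=re.M)[1:]:
        domain = block.strip().splitlines()[0].strip().lower()
        records[domain] = {h.lower() for h in NS_RE.findall(block) + EMAIL_RE.findall(block)}
    return records

def cluster_by_shared_infrastructure(records):
    """Union-find: domains sharing any name server or contact land in one cluster."""
    parent = {d: d for d in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]      # path halving
            d = parent[d]
        return d
    holders = defaultdict(list)                # indicator -> domains carrying it
    for domain, indicators in records.items():
        for key in indicators:
            holders[key].append(domain)
    for domains in holders.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())
```

Two domains end up together only when they carry the identical indicator; a shared free-mail provider such as 126.com is not by itself a link, the exact address is.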
  13. You have received much good advice; but if you want to go further, I can tell you what I used to do (I stopped this a little over 7 years ago when attacks became too common). The first scan or attack got you in a database, the second got me to break into your machine - if a MS box, autoexec.bat was changed, if a *nix box then /etc/motd was changed to state "Your machine is probably infected with a virus, please check it and repair", the third attempt led to renaming crucial files on the machine so that it wouldn't boot and a file was left either at the top of the C: drive or in / for *nix machines with the name "Please-Cleanup" and a single line stating "This machine is being used for attacks against other internet users". The fourth offense led to disk erasure. I'm sure that this is now quite illegal (at least in the U.S.) and I certainly see thousands of port scans a day, and a few hundred real `attacks' for my network (a few hundred IPs). I'm not recommending this, but if you wanted to, you could (fairly easily) find the needed exploits to perform these actions; just be aware that in the most common case, the immediate attacker is an otherwise innocent party whose machine is `owned' by a real hacker (oddly, a common technique once a machine is `owned' is for the hacker to secure the box so that someone else doesn't `steal' it from him). Also, the IP you gave is currently not up and is likely a DUL anyway (you have to catch them during the scan to be effective in many cases). BTW, for loafman, I do have the extensive equipment and necessary privileges to *really* backtrace the several levels typically, but I've found the `real' attacker's box (nowadays) is usually a relatively secure BSD or SELinux machine and the effort involved is not worth it. Besides, now, what I used to do commonly is clearly a prosecutable offense.
  14. I hate to reply to my own post, but I just reported another spam from the same site. Again, "No recent reports". Note the wildcard DNS on the domain in the previous post and that there is only one 'A' record if you follow the trail from the CNAME.

      % dig www.phillysayswhat.biz any [at]
      ; <<>> DiG 9.3.0 <<>> www.phillysayswhat.biz any [at]
      ;; global options: printcmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63865
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2
      ;; QUESTION SECTION:
      ;www.phillysayswhat.biz. IN ANY
      ;; ANSWER SECTION:
      www.phillysayswhat.biz. 30 IN A
      ;; AUTHORITY SECTION:
      phillysayswhat.biz. 3600 IN NS ns1.realdnssystem.com.
      phillysayswhat.biz. 3600 IN NS ns3.autonameservers.com.
      phillysayswhat.biz. 3600 IN NS ns4.bighostsolutions.com.
      phillysayswhat.biz. 3600 IN NS ns7.bighostsolutions.com.
      ;; ADDITIONAL SECTION:
      ns4.bighostsolutions.com. 3600 IN A
      ns7.bighostsolutions.com. 3600 IN A
      ;; Query time: 504 msec
      ;; SERVER:
      ;; WHEN: Tue Feb 8 18:18:21 2005
      ;; MSG SIZE rcvd: 210

      Also, as I mentioned before, at least nearly a dozen other (also reported) domains refer to the same IP (it does move around; see that the TTL is only one hour for the name servers and just 30 seconds for the actual site).
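A small parser for dig output of the kind quoted above, as an added example that is not the poster's code: it follows a CNAME chain to the terminal A record and flags hosts whose TTL is short enough for the site to move between two queries. The dig text is constructed, with documentation-range addresses (the post's own addresses were stripped) and an invented CNAME hop to show the trail the post describes.

```python
import re

# Constructed dig output in the layout quoted above. The addresses are from the
# 192.0.2.0/24 documentation range and the CNAME hop is invented to show the trail
# the poster follows by hand; none of this is captured data.
DIG_OUTPUT = """\
;; ANSWER SECTION:
www.phillysayswhat.biz. 30 IN CNAME host.phillysayswhat.biz.
host.phillysayswhat.biz. 30 IN A 192.0.2.10

;; AUTHORITY SECTION:
phillysayswhat.biz. 3600 IN NS ns1.realdnssystem.com.
phillysayswhat.biz. 3600 IN NS ns4.bighostsolutions.com.

;; ADDITIONAL SECTION:
ns4.bighostsolutions.com. 3600 IN A 192.0.2.53
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_dig(text):
    """Return (section, owner, ttl, rtype, rdata) tuples from dig's sectioned output."""
    section, rrs = None, []
    for line in text.splitlines():
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        rr = RR_RE.match(line)
        if rr and section:                 # ';'-prefixed comment lines never match
            owner, ttl, rtype, rdata = rr.groups()
            rrs.append((section, owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return rrs

def resolve_chain(rrs, name, max_hops=8):
    """Follow CNAMEs from name to its terminal A records, bounded against CNAME loops."""
    name = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        targets = [r[4] for r in rrs if r[1] == name and r[3] == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return [(r[1], r[2], r[4]) for r in rrs if r[1] == name and r[3] == "A"]

def short_ttl_hosts(rrs, threshold=300):
    """A records whose TTL is under threshold: the host can change IP within minutes."""
    return [(r[1], r[2], r[4]) for r in rrs if r[3] == "A" and r[2] < threshold]
```

Run over the constructed output, the 30-second site record is flagged while the 3600-second name-server glue is not, which is the contrast the post points out.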
  15. I'm still waiting for the confirmation messages to appear from the spam I submitted (according to the logs on my outgoing MTA - there is an internal relay step before the mail goes out) 5 hours and 55 minutes ago; this is the longest delay I have seen yet. Is something down? (I can provide times and MSGIDs to any staff member or administrator who wishes to try to track down the trouble.) And of course, there have been even a few more reports since with no confirmation either.