
oldskoolflash

Members
  • Posts: 48
  • Joined
  • Last visited

Everything posted by oldskoolflash

  1. Many thanks guys. Sorry for being a bit slow, but presumably SolarWinds Network Management is the upstream ISP? And what is an AS number? Also, is traceroute a DOS command? Many thanks.
  2. A few times I have parsed spam emails and hit a "whois" brick wall. The reporting address clearly belongs to the spammer and there seems to be no way of finding the host's host. Is this a very difficult process to do? For example this morning I have received spam referencing the sites: http://delicateperformance.org/ AND http://www.cheerfultune.org (Google redirectors removed). Both resolve to: 200.79.160.7 = [ npm.vpnmexico.net ]. Reporting address carlos.vargas[at]VPNMEXICO.NET hmmmmm I don't think so! Also vpnmexico.net does not have a website (pretty suspicious for a host I'd say).

     inetnum:      200.79.160/20
     status:       reallocated
     owner:        Infraestructura de Telecomunicaciones Inalambrica
     ownerid:      MX-ITIN-LACNIC
     responsible:  Carlos Andres Vargas Salas
     address:      Paseo de la Reforma 2608 21 PISO
     address:      11950 - Mexico - DF
     country:      MX
     phone:        52 55 52164200 [4300]
     owner-c:      CAV
     tech-c:       CAV
     created:      20021209
     changed:      20021209
     inetnum-up:   200.79/16

     nic-hdl:      CAV
     person:       Carlos Andres Vargas
     e-mail:       carlos.vargas[at]VPNMEXICO.NET
     address:      Paseo de la Reforma 2608 21 PISO
     address:      11950 - Mexico - DF
     country:      MX
     phone:        52 55 52164200 [4300]
     created:      20021209
     changed:      20041207
  3. Surely they care if their website gets shut down? You would think it's not worth the hassle; I mean, as if anyone from the SpamCop forum is going to buy some fake viagra, "enhancement" pills and a dodgy mortgage...
  4. I know spammers are stupid, but surely harvesting a database of email addresses that regularly report spam has got to be the single most stupid thing I have heard all year. Does anyone think this hack has anything to do with spammers wanting to listwash all SpamCop emails to stop them being reported?
  5. If the offending website is kassir.ru it seems that my address was lifted too. I got 30 spams in one day, all linking to this site; see my previous post here.
  6. Hi, Iaan, sorry to hear about your misfortune. You need to think very hard about ALL the possible times you have used the same information (credit cards, online banking, store accounts, internet shopping sites). Work through them all, contact them and change all your personal information. This happened to me a few years ago, before anyone really knew about identity fraud: I left my mobile phone in an airport scanner. I got a call from "Vodafone" asking me to confirm my details. As the phone was missing I thought it was genuine; the guy asked for my username and my DOB, which I gave him, but when he asked for my password I became suspicious and asked for his name and telephone number (which were fictitious). I immediately phoned Vodafone to change my password etc. About an hour later I had a heart attack as I realised (as many people do) I had stored my password in my phone as a fake phone number; the problem was this was also the log-in to my internet banking. I then tried to log in to my bank and discovered I couldn't. When I called them, it turned out that my log-in information had been changed and a new debit card requested! At this point I contacted the airport police, as I am certain someone at the airport had something to do with it; eventually a man in the lost property department was arrested as part of an on-going investigation. BTW, before I get people posting messages about how stupid it is to have the same password for several accounts: this was a few years ago, long before there was so much awareness about this kind of thing. I have definitely changed my ways these days!
  7. You are receiving the same spam as me, always claimagent[at].......... I haven't noticed a referenced website before though, but it doesn't surprise me at all that no action has been taken. It is amazing, isn't it: if this was any other large corporate business and a member of the public approached them to inform them that one of their own was committing fraud, there would be immediate action taken, but because this is an ISP, they do nothing. I'm sorry, but in the UK they are required by law to do something about it. If it can be proved that they are willingly allowing their systems to be used to facilitate criminal fraud, then they are an accessory to fraud and can be held accountable. The fact is, nobody pursues these cases - after all, who wants to take on Yahoo? If there was enough media interest in this there would be uproar that large organisations are participating in this kind of criminal activity.
  8. Thanks, I've got quite a few examples of this; I'll forward them, but it seems the parser is just using the contact info provided for that IP address. I do think that the parser should be a bit smarter and discard these addresses as fake. BTW I have posted an example in this thread.
  9. I know the parser is using the info provided for that IP; my point was, why does the parser not filter out donaldduck[at]hotmail.com and discard it as fake? Whenever I question the reliability of the parser at locating referenced websites, people are very quick to pipe up that this is not what the parser is for, and all the efforts are put into detecting the source of the spam. My point is that quite often it does not do that very efficiently. Who wants to send spammers confirmation that their email address is live and actively reports spam? Yet the parser allows this with surprising ease. I know you can untick specific addresses, but surely anything [at]gmail.com or [at]hotmail.com or [at]geocities.com that isn't abuse[at] or postmaster[at] is fake; the parser should be smart enough to discard anything that is obviously fake.
  10. I think the parser often gets the source wrong! Often it gives the spammer's email address as a reporting address - how and why does the parser give the address royir143[at]hotmail.com as a valid spam reporting email address (see below)?!!! Surely it must be possible to have a system where anything other than abuse[at]hotmail.com is discarded as fake. I really think the spammers are one step ahead here and are actively building a database of users who report spam. They can then use this for a variety of uses, like refining spam to evade the parser, using reporters of spam to maliciously report legitimate websites, or, more worryingly, setting up DDoS attacks and virus campaigns...

     Tracking message source: 124.106.177.207:
     Routing details for 124.106.177.207 [refresh/show]
     Cached whois for 124.106.177.207 : rrdelavega[at]pldt.com.ph nctabernilla[at]pldt.com.ph ssmiguel[at]pldt.com.ph riresurreccion[at]pldt.com.ph jcgonzales[at]pldt.com.ph vrortiz[at]pldt.com.ph royir143[at]hotmail.com
     Using last resort contacts rrdelavega[at]pldt.com.ph nctabernilla[at]pldt.com.ph ssmiguel[at]pldt.com.ph riresurreccion[at]pldt.com.ph jcgonzales[at]pldt.com.ph vrortiz[at]pldt.com.ph royir143[at]hotmail.com
     Message is 4 hours old
     124.106.177.207 not listed in dnsbl.njabl.org
     124.106.177.207 not listed in dnsbl.njabl.org
     124.106.177.207 not listed in cbl.abuseat.org
     124.106.177.207 not listed in dnsbl.sorbs.net
     124.106.177.207 not listed in relays.ordb.org.
     124.106.177.207 not listed in accredit.habeas.com
     124.106.177.207 not listed in plus.bondedsender.org
     124.106.177.207 not listed in iadb.isipp.com
     Finding links in message body
     Parsing text part
     no links found
     Please make sure this email IS spam:
     From: "Phyllis Honeycutt" <tkynqmck[at]ainsight.com> (FWD: Big news shows promise)
     Did not par ticularly enjoy your previous tra ding day? Don't focus on that. Mov e on to your most successful one with the tips I listed below!
     You'll come out o
     Report spam to:
     Re: 124.106.177.207 (Administrator of network where email originates)
     To: royir143[at]hotmail.com (Notes)
     To: vrortiz[at]pldt.com.ph (Notes)
     To: jcgonzales[at]pldt.com.ph (Notes)
     To: riresurreccion[at]pldt.com.ph (Notes)
     To: ssmiguel[at]pldt.com.ph (Notes)
     To: nctabernilla[at]pldt.com.ph (Notes)
     To: rrdelavega[at]pldt.com.ph (Notes)
     Re: 124.106.177.207 (Third party interested in email source)
     To: Cyveillance spam collection (Notes)
  11. A bit of an update - I think this may be a campaign against a legitimate website (see below) - I have had spammers do this before with the (genuine) Dutch lottery website. They deliberately send malicious spam to addresses they know report spam. They are basically getting us to work for them.... I really hate these b*******

     Tracking link: http://kassir.ru/ [report history]
     ISP does not wish to receive report regarding http://kassir.ru/
     Resolves to 217.73.200.248
     Routing details for 217.73.200.248 [refresh/show]
     Cached whois for 217.73.200.248 : postmaster[at]stack.net abuse[at]stack.net
     Using abuse net on postmaster[at]stack.net
     abuse net stack.net = postmaster[at]stack.net, abuse[at]stack.net
     Using best contacts postmaster[at]stack.net abuse[at]stack.net
     ISP does not wish to receive reports regarding http://kassir.ru/ - no date available
     http://kassir.ru/ has been appealed previously.
  12. I am getting so disillusioned by reporting spam. It seems that SpamCop is slipping further and further behind the spammers in this battle. I keep getting GIF spam with no referenced websites and sources that change so quickly it is obvious the spammer doesn't care if they get reported and added to a blacklist. Also I am finding SpamCop less and less reliable at correctly tracing the source, and it is often giving hotmail reporting addresses (obviously owned by the spammer). Also I am finding SpamCop is failing to parse headers properly (even after multiple refreshes) and correctly give reporting addresses for referenced websites. And today, a new low: 35 spam emails overnight, all from different sources, all referencing the same website http://kassir.ru - SpamCop failed to find a reporting address for any of them! I hit a brick wall when trying to find a host for this website (probably for the same reason SpamCop is failing to find a reporting address). Sorry to vent, but I have to ask: is it really worth the effort......?
  13. Thanks for that Stephen, you'd think Yahoo would mention that rather than constantly repeating that the user has not breached their TOS! Another possibility is that my constant nagging for a week has persuaded them to disable that email address, unless by "domain invalid" you mean the whole of yahoo.hk - is that not yahoo hong kong though?
  14. How do I verify the account? Do you mean send an email and see if it bounces? I would be very surprised if the email wasn't active, as it was the only means of contact in the original spam. Thanks for that link farelf, I'll definitely get in touch.
  15. I have recently been receiving lottery spam, you know the kind that encourages you to contact them because you have won a "prize"; they then con you out of large sums of money. Because there is no spamvertised website referenced, they include a contact email address (in this case a Yahoo email address). I sent a copy of the spam to Yahoo with a note stating that, although the spam did not originate from a Yahoo user or server, the spammer was using a referenced Yahoo email address in an attempt to obtain money by deception. I also encouraged them to disable the email account promptly so that anyone duped by the scam would not be defrauded. Two days later I get the standard canned reply from Yahoo saying "We understand your frustration in receiving unsolicited email. While we investigate all reported violations against the Yahoo! Terms of Service (TOS), unfortunately in this particular case the message you received was not sent through the Yahoo! Mail system." Now this really annoys me, because it is clear that they have not bothered to read my email; if they had, they would realise that I was not reporting spam, but criminal activity by one of their users. I said this in my reply to them and got the identical canned reply back. Finally I blow my top at them and get a reply saying that the user has not broken any of their TOS! By this time over a week had passed, meaning the spammer has almost certainly already defrauded several victims, and all this time Yahoo has been protecting them. When will ISPs realise they have a duty to ensure that they, and their members, act within the law? How can fraud and obtaining money by deception not be a breach of their TOS? Stuff their TOS, it is against the law! :angry: :angry: :angry:

     Here is my last reply to them:

     I am frankly staggered by your response, and clear incompetence in dealing with this matter. I shall therefore be writing to your Chief Executive, Terry Semel, with full details of this case.

     With reference to the Yahoo Terms of Service, I feel obliged to inform you that the world is not based on the "Law of Yahoo". It may be news to you, but we live in a society in which individuals and businesses must respect local and international legislation. When a member of the public takes the time to report a serious crime, committed by one of your members, they have every right to expect quick and decisive action against the offender. In this case, Yahoo has done neither. By failing to acknowledge that abuse has taken place Yahoo are effectively protecting the criminals involved and allowing them to facilitate fraud. Seeing as Yahoo are unaware there is a world outside their TOS I would like to draw your attention to the following breaches. I have highlighted them for your convenience as you seem to be having trouble reading. Finally, I have also referred this matter to the Camelot legal team who are responsible for overseeing the UK National Lottery; you may be interested to note that their email address is not claimagent_info01[at]yahoo.hk as suggested in the offending email reported to you.

     Yahoo Terms of Service, Section 6: You agree to not use the Service to:

     upload, post, email or otherwise transmit any Content that is unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libellous, invasive of another's privacy, hateful, or racially, ethnically or otherwise objectionable;
     "Unlawful". Is fraud not a crime in Yahooland?

     c. impersonate any person or entity, including, but not limited to, a Yahoo! official, forum leader, guide or host, or falsely state or otherwise misrepresent your affiliation with a person or entity;
     "Impersonate any person or entity". Last time I checked the UK National Lottery was an "entity". Your customer is clearly impersonating them and using a Yahoo email account to conduct their "business".

     d. forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Service;
     Headers were forged and identifiers manipulated, as identified in the original report.

     e. upload, post, email or otherwise transmit any Content that you do not have a right to transmit under any law
     Hmm, there it is again, that damn law thing; wouldn't life be much simpler if we all just followed the Yahoo Terms of Service….?

     f. upload, post, email or otherwise transmit any Content that infringes any patent, trademark, trade secret, copyright or other proprietary rights ("Rights") of any party;
     The UK National Lottery is a trademark and it is protected by UK legislation.

     g. upload, post, email or otherwise transmit any unsolicited or unauthorised advertising, promotional materials, "junk mail," "spam,"
     Have you heard of the expression "if it looks like a duck, and sounds like a duck"?

     k. intentionally or unintentionally violate any applicable law or regulation including, but not limited to, regulations promulgated by any securities exchange;
     Law law law law law…….yawn
  16. Apologies Wazoo - I am, of course, grateful for your help and prompt reply. I was actually being a bit dim; once I decoded the website SpamCop parsed it no problem and gave me the reporting address. Not sure why I was getting the error from samspade....? Andrew - I take your point about the websites, they usually do respawn pretty quickly and because of the massive amount of spam received by most people it's just not an option to take this kind of action. In my case, because it is only a few e-mails a week, I make the effort. I do feel, however, that the real criminals here are the ISPs that blindly profit from this kind of illegal industry. I know this has been discussed at length before, but it is they who annoy me more than the spammers. How many millions of reports are ignored every day by ISPs wanting to make an extra buck? If more people hassled them maybe, just maybe, it would have some effect..... Sorry - way off topic here.....
  17. In my case I couldn't disagree more. I think you hit the nail on the head by saying why would they bother to disguise the URL in the first place? I have been proactive with ALL the spam that arrives in my in-box. As a result I now get 8-12 e-mails a week, compared to 50-100 previously. Most of these are for software, sex or pharmaceuticals. I am particularly concerned with the pharmaceuticals, as many of these drugs are illegal, dangerous copies; I therefore will do everything in my power to get them shut down. If I report a site to an ISP and they take no action, I then send all my correspondence to a contact I have at Pfizer Global Security. The sites are usually down within a week....
  18. Need a bit of help with this one. I have recently received a lot of spam to my Gmail with an HTML attachment containing coded links to the offending site (see below). By doing this SpamCop does not find the link when parsing. I have been manually reporting these sites but this one has been giving me some trouble.

     http://www.google.com/url?q=%68%74%74%70%3...%61%6ec%2Ec%6fm

     Decodes to http://vfmy.arenanc.com

     When I do a whois on the link, I get the following ERROR: IP Range Reserved by IANA.org

     Any ideas?

     DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
     <html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
     <font color="72FC83" size="1">pride bad allow find why? nothing corner did not mentioned use. being arms beautiful fire?</font>
     <center><table border="3" cellspacing="0" cellpadding="5" width="570">
     <tr><td bgcolor="004080" align="center">
     <font size="2" face="tahoma" color="DADADA">
     <font size="6" color="FFFF00"><b>Bigger Your Small-Size Peniis</b><br><font color="B0FA50" size="4">The Only Safe & Natural Way To Bigger ur Size the<br><font color="FFB3D9">Become Thicker & up to 3-inch longer after 1-2 months</font></font></font>
     <center><br>
     <a href="http://www.google.com/url?q=%68%74%74%70%3A%2F%2Fvfmy%2ear%65n%61%6ec%2Ec%6fm" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font size="4" color="ffffff"><u>back <b>Dont Wait, Bigger Today & Fcuk Tomorrow</b></u></font></a><br>
     <a href="http://vvgj.acrossleast.comb4/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">No More</a><br><br></center></font></td></tr></table>
     <font color="72FC83" size="1">studied side we similar, fire purpose fire. side respect he. the young already somewhere reading. explain disappoint end wanted, you out human evening mentioned steps.</font>
     </center></body></html>
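The redirector link quoted in the post above can be unwrapped offline, without visiting it, by pulling the href values out of the attachment and percent-decoding the q= parameter. The following is an added example written for this page, not code from the post or from SpamCop; it uses only the Python standard library, and its sample input is a constructed fragment containing the two anchors quoted in the attachment with the filler text left out.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the two anchors quoted from the attachment in the post
# above, with the padding text omitted.
SAMPLE_HTML = """<html><body>
<a href="http://www.google.com/url?q=%68%74%74%70%3A%2F%2Fvfmy%2ear%65n%61%6ec%2Ec%6fm"
   target="_blank">back</a><br>
<a href="http://vvgj.acrossleast.comb4/" target="_blank">No More</a>
</body></html>"""

# Hosts whose /url?q=... endpoint only forwards to the real destination.
REDIRECTOR_HOSTS = {"www.google.com", "google.com"}


class HrefCollector(HTMLParser):
    """Collect every href attribute on <a> tags, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html):
    collector = HrefCollector()
    collector.feed(html)
    collector.close()
    return collector.hrefs


def decode_redirector(url, max_depth=5):
    """Peel redirector wrappers and percent-encoding off a link.

    Stops after max_depth layers so a self-referencing redirector cannot
    make this loop forever.
    """
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        if parts.hostname not in REDIRECTOR_HOSTS or parts.path != "/url":
            break
        # parse_qs percent-decodes values, so %68%74%74%70... becomes http...
        params = parse_qs(parts.query)
        target = (params.get("q") or params.get("url") or [None])[0]
        if not target:
            break
        current = target
    # A final unquote pass catches double-encoded targets (%2568 -> %68 -> h).
    return unquote(current)


def spamvertised_hosts(html):
    """Hostnames a reporter would actually need to look up, deduplicated."""
    hosts = set()
    for href in extract_hrefs(html):
        host = urlsplit(decode_redirector(href)).hostname
        if host and host not in REDIRECTOR_HOSTS:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for href in extract_hrefs(SAMPLE_HTML):
        print(href, "->", decode_redirector(href))
    print(spamvertised_hosts(SAMPLE_HTML))
```

Running the block prints the decoded target http://vfmy.arenanc.com for the first anchor and the unwrapped second host, which are the names to feed into whois. The depth limit matters because a redirector can point at another redirector; without it a crafted link could keep the decoder spinning.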
  19. I have reported to shinbiro, but I'm not holding out for them to take any action. I think Merlyn's suggestion about going after the registrar is good. Basically you've gotta go with whoever is prepared to take action; if DirectI have the impetus at the moment then you have to use that to your advantage.
  20. OK, I got http://belfry.thebestpills4u.com shut down by tracing it to DirectI and filing a report. Having some problems with this one... SpamCop cannot resolve http://hoarseness.livegun.info. The furthest I can get is shown below - is there a reliable way to trace the upstream server so I don't have to keep posting here? I use samspade.org - sometimes it yields results, other times I just hit a brick wall. As soon as I can get a host, I can send to my friend at Pfizer and get them shut down quicker than you can say viagra.

     X-Gmail-Received: d9b9a7300a2c8b93e6331067b2d3733c48fbf280
     Delivered-To: x
     Received: by 10.36.141.7 with SMTP id o7cs18489nzd; Tue, 11 Oct 2005 06:34:08 -0700 (PDT)
     Received: by 10.54.125.1 with SMTP id x1mr3557375wrc; Tue, 11 Oct 2005 06:34:08 -0700 (PDT)
     Return-Path: <bredpitcoachman[at]africamail.com>
     Received: from bouffont (i220-108-232-194.s02.a024.ap.plala.or.jp [220.108.232.194]) by mx.gmail.com with SMTP id 33si538563wra.2005.10.11.06.33.55; Tue, 11 Oct 2005 06:34:08 -0700 (PDT)
     Received-SPF: neutral (gmail.com: 220.108.232.194 is neither permitted nor denied by domain of bredpitcoachman[at]africamail.com)
     Message-ID: <hqghumeayl.6189279543lfdxfircvs[at]Brax.usenetxggbwkf.com>
     From: "Brax.usenet" <bredpitcoachman[at]africamail.com>
     Date: Tue, 11 Oct 2005 22:39:34 +0900
     To: x
     Subject: hi
     MIME-Version: 1.0
     Content-Transfer-Encoding: 8bit
     Content-Type: text/html; charset=iso-8859-1

     <html>
     <font color= "#FFFBFC">Urania residences Munsey megabyte Palmyra</font><br>
     <font color= "#FFFBFC">strait dismissed balls interframe films</font><br>
     <font color= "#FFFBFC">lulled clarify vacuuming reproduced bedrock</font><br>
     <a hreflegionhref=http://flannels.com href= "http://hoarseness.livegun.info"><font size="6"><b>buuy gener1c v11agr[at]! 0nly I.80</a>
     <font color= "#FFFBFC">inflatable bounds affidavit tribal deliverers</font><br>
     <font color= "#FFFBFC">herding relaxing Drummond sneered mosaic</font><br>
     <font color= "#FFFBFC">radiology Mendelizes bathrobe chink routings</font><br>
     </html>

     Tracking info: http://livegun.info = [ 202.30.198.201 ]

     Access to INFO WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Afilias registry database. The data in this record is provided by Afilias Limited for informational purposes only and Afilias does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that under no circumstances will you use this data to: (a) allow, enable or otherwise support the transmission by e-mail, telephone or facsimile of mass unsolicited commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume automated electronic processes that send queries or data to the systems of Registry Operator, a Registrar or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Afilias reserves the right to modify these terms at any time. By submitting this query you agree to abide by this policy.

     Domain ID: D10941464-LRMS
     Domain Name: LIVEGUN.INFO
     Created On: 03-Oct-2005 09:01:21 UTC
     Expiration Date: 03-Oct-2006 09:01:21 UTC
     Sponsoring Registrar: Direct Information Pvt. Ltd. (R159-LRMS)
     Status: TRANSFER PROHIBITED
     Registrant ID: DI_1921988
     Registrant Name: Susan Maingay
     Registrant Organization: N/A
     Registrant Street1: Al. Jerozolimskie 59
     Registrant City: Warsaw
     Registrant State/Province: Warazawa
     Registrant Postal Code: 00697
     Registrant Country: PL
     Registrant Phone: 48.226955900
     Registrant Email: susamaing[at]yahoo.com
     Admin ID: DI_1921988
     Admin Name: Susan Maingay
     Admin Organization: N/A
     Admin Street1: Al. Jerozolimskie 59
     Admin City: Warsaw
     Admin State/Province: Warazawa
     Admin Postal Code: 00697
     Admin Country: PL
     Admin Phone: 48.226955900
     Admin Email: susamaing[at]yahoo.com
     Billing ID: DI_1921988
     Billing Name: Susan Maingay
     Billing Organization: N/A
     Billing Street1: Al. Jerozolimskie 59
     Billing City: Warsaw
     Billing State/Province: Warazawa
     Billing Postal Code: 00697
     Billing Country: PL
     Billing Phone: 48.226955900
     Billing Email: susamaing[at]yahoo.com
     Tech ID: DI_1921988
     Tech Name: Susan Maingay
     Tech Organization: N/A
     Tech Street1: Al. Jerozolimskie 59
     Tech City: Warsaw
     Tech State/Province: Warazawa
     Tech Postal Code: 00697
     Tech Country: PL
     Tech Phone: 48.226955900
     Tech Email: susamaing[at]yahoo.com
     Name Server: NS1.GREATPHARMACY.INFO
     Name Server: NS2.GREATPHARMACY.INFO
     Name Server: NS2.PIILS24.INFO
     Name Server: NS1.PIILS24.INFO
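The Received: chain quoted in the post above is what a parser walks to find the source IP that a report should go to: the newest hop written by a trusted receiving MX (mx.gmail.com here) that names a globally routable peer address. Hops below that point were written by the sender and may be forged, so the walk stops at the first trusted handoff. The following is an added example, not code from the post or from SpamCop; it uses only the Python standard library, and its sample input is a constructed re-folding of that post's headers, one per line, keeping the [at] obfuscation exactly as quoted. It also flags the HELO/reverse-DNS mismatch (the bare HELO name bouffont against a plala.or.jp broadband name), which is the kind of signal that marks a sender-controlled end-user host rather than a real relay.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample: the headers quoted in the post above, re-folded one per
# line, with the [at] obfuscation kept exactly as the post shows it.
SAMPLE_HEADERS = """\
X-Gmail-Received: d9b9a7300a2c8b93e6331067b2d3733c48fbf280
Delivered-To: x
Received: by 10.36.141.7 with SMTP id o7cs18489nzd; Tue, 11 Oct 2005 06:34:08 -0700 (PDT)
Received: by 10.54.125.1 with SMTP id x1mr3557375wrc; Tue, 11 Oct 2005 06:34:08 -0700 (PDT)
Return-Path: <bredpitcoachman[at]africamail.com>
Received: from bouffont (i220-108-232-194.s02.a024.ap.plala.or.jp [220.108.232.194]) by mx.gmail.com with SMTP id 33si538563wra.2005.10.11.06.33.55; Tue, 11 Oct 2005 06:34:08 -0700 (PDT)
Received-SPF: neutral (gmail.com: 220.108.232.194 is neither permitted nor denied by domain of bredpitcoachman[at]africamail.com)
From: "Brax.usenet" <bredpitcoachman[at]africamail.com>
Subject: hi
"""

# Matches "from <helo> (<rdns> [<ip>]) by <host>" as Gmail's MX wrote it.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(headers_text):
    """Return the Received hops that record an external 'from', newest first.

    Hops of the form 'Received: by 10.x.x.x ...' are internal relays with no
    peer address and are skipped.
    """
    msg = HeaderParser().parsestr(headers_text)
    hops = []
    for raw in msg.get_all("Received", []):
        unfolded = " ".join(str(raw).split())  # collapse folded continuation lines
        match = RECEIVED_FROM.search(unfolded)
        if match:
            hops.append(match.groupdict())
    return hops


def originating_ip(headers_text, trusted_suffixes=("gmail.com",)):
    """Find the handoff hop: the newest Received line written by one of our
    own MXes (matched by host-name suffix) that names a globally routable peer.

    Everything below that hop was written by the sender and may be forged, so
    the walk returns at the first trusted match instead of going deeper.
    """
    for hop in parse_received(headers_text):
        peer = ipaddress.ip_address(hop["ip"])
        if not peer.is_global:
            continue  # 10/8, 192.168/16 and friends are our own internal relays
        if hop["by"].lower().endswith(trusted_suffixes):
            return hop
    return None


def helo_mismatch(hop):
    """True when the HELO name is not the reverse-DNS name of the peer.

    A bare word like 'bouffont' against a broadband rDNS name is typical of a
    compromised end-user host rather than a real mail relay.
    """
    helo = hop["helo"].lower().strip("[]")
    return helo != hop["rdns"].lower()


if __name__ == "__main__":
    hop = originating_ip(SAMPLE_HEADERS)
    print("source:", hop["ip"], "rdns:", hop["rdns"], "helo:", hop["helo"])
    print("helo/rdns mismatch:", helo_mismatch(hop))
```

The regex is deliberately narrow: it only accepts the "from name (rdns [ip]) by host" shape, so a Received line a spammer inserted in some other format simply does not match and never becomes the source. Change the trusted suffix to your own mail domain; it is the "by" host, not the "from" host, that decides whether a hop can be believed.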
  21. An update..... Decided to report to DirectI as I didn't like the look of web-namez.com at all. I got the following e-mail from them. At least it seems like a "human" reply, and they responded extremely quickly....

     We have received your complaint for spam from thebestpills4u.com. We are extremely strict and proactive with regards to our terms of usage. Pursuant to our terms of service we have sent WARNING emails to the customer, all the contacts and any associated reseller about this domain. Failing to comply with our terms by the Customer will result in immediate termination of the domain name. Thank you for contacting our abuse department.

     Regards,
     DirectI Abuse Team
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Board Line (USA): +1 (415) 240 4171/2
     Board Line (India): +91 (22) 5679 7500
     FAX (USA): +1 (320) 210 5146
     FAX (India): +91 (22) 5679 7508
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  22. Thanks guys - to tell you the truth, I didn't even bother with web-namez.com - their page would not display without cookies enabled. The organisation doesn't sound legit: "namez"????! I'll look into them in more detail tomorrow and if they look ok I'll LART them and, like Merlyn suggests, cc it to DirectI. Failing that, I have a friend who works for Pfizer; I may forward the details to them, they are usually pretty efficient in closing down this kind of site! Thanks again.
  23. I have successfully shut down 3 websites in a row for this idiot who keeps spamming me. Now it seems he is getting smarter. SpamCop was never able to resolve the website link of the previous spamvertized websites, but a little legwork yielded the required info. This one I am having a little trouble with: http://belfry.thebestpills4u.com/

     It resolves to:
     Registration Service Provided By: WEB-NAMEZ.COM
     Domain servers in listed order:
     ns1.drrecommends.info
     ns2.yourgoldenhealth.info
     ns2.drrecommends.info
     ns1.yourgoldenhealth.info

     "web-namez" hmmmmmm. That resolves to:
     Domain servers in listed order:
     24572.mercury.orderbox-dns.com
     24572.venus.orderbox-dns.com
     24572.earth.orderbox-dns.com
     24572.mars.orderbox-dns.com

     And the above resolves to:
     mercury.orderbox-dns.com = [ 66.135.40.144 ]
     Registration Service Provided By: DIRECTI
     Contact: 91.2256797500
     Website: http://www.directi.com
     Domain Name: ORDERBOX-DNS.COM

     Leaving me with a reporting address of abuse[at]directi.com. Is that right, could someone confirm? Ta.