Jump to content


  • Posts

  • Joined

  • Last visited

bobbear's Achievements

Advanced Member

Advanced Member (3/6)



  1. More than likely - this is the sort of network I've come across quite a few times: ==============Server===========DNS 'A' Record Response (Site host IPs)==== yns1.yahoo.com [] yns2.yahoo.com [] The network uses a set of 34 Yahoo/Geocities IPs from to to host domains on a fast rotating basis controlled by Yahoo nameservers yns1.yahoo.com [] & yns2.yahoo.com [] When I've looked up the domains hosted on that network, (which seems to use the same sort of software as a zombie botnet controller, only rotating much faster), there seem to be an appreciable number of very dubious domains hosted, including the money laundering fraud ones I got removed.... It seems to be Yahoo's idea of a "Small Business Network", (no questions asked.....).
  2. Agreed.- it has to be a two-pronged attack.
  3. I'm all for blocking all SMTP traffic from compromised machines and only allowing them access to a local page on the ISP's server where all the information and tools are located to allow them to clean their machines up, (possibly!). However it seems to me that it would be more productive to chase after the numerous US servers that are controlling these tens of thousands of zombies and the 'blackhat' providers that knowingly host them. I've just put five weeks of effort into getting a botnet controller hosted by Eonix/Infinitie.net, (ns1.search-pnd.com []), closed down & they are far from being the only company that ignores all abuse reports of this activity. Make knowingly hosting a botnet a federal crime and charge & close the companies down that aid and abet crime in this way. The criminal involved is now back up using another botnet controller, (ns1.lp-vote.com []), hosted by FastServers, Inc. of Chicago. (Why does abuse.net come up with a Powersurge abuse address for them, by the way?- I don't believe it!). These are the people controlling the zombies & should be whacked hard & fast.
  4. Quite right - as if a zombie SMTP engine is going to leave a copy of its spam in the OE Sent Items folder! I suppose the guy's knowledge is pretty good for Yahoo tech, (kingdom of the blind & all that...). It used to be next to impossible to get the Yahoo abuse teams to comprehend how a 419er could use a Yahoo response address without sending his spam via Yahoo webmail, and as for getting criminal fraud domains removed from their botnet lookalike 'Small Business Network'.......
  5. They look kosher - their domain was registered 'way back' in 2004 (AP Secure Technologies Inc), which is usually a good sign & their 'FortiGuard Antispam Solutions' seem to be used by some SP's, notably Zen who are a reputable UK ISP.
  6. There is a Consultation Paper on the Review on Administration of Internet Domain Names in Hong Kong available at http://www.ogcio.gov.hk/eng/pubpress/downl...omainreview.pdf or via the HKDNR website newsreel. Comments are invited on the recommendations before finalising any proposals on changes and arrangements. At present, the responsibility for the administration of all .hk domains rests with HKIRC who acquired the Hong Kong Domain Name Registration Company Limited (HKDNR), a wholly-owned subsidiary of the JUCC, (the previous administrator of .hk domains), for that purpose. The consultation document itself makes fairly interesting reading. In particular the "Guiding Principles", which make no mention whatsoever of any basic 'ethical' considerations concerning domain registration & use such as legality, honesty & integrity or even spamming as one would expect to be enshrined in a defined and applied Acceptable Use Policy which one would have thought would have been an important 'guiding principle'. That isn't much of a surprise to anyone like me who regards the registrar HKDNR as little more than a 'front' company to criminal fraudsters, zombie botnet controllers & spammers by its apparent unwillingness to apply its own registration agreement/AUP to suspend even the most blatant crooks, not to mention the burgeoning number of spammers who are exploiting the apparent 'domain for life' policy of HKDNR, no matter what fraudulent, spamming or abusive purposes the domain is used for.
  7. I'm not sure what is going on with Yahoo - their networks seem to be more and more in a mess and the abuse response is suddenly almost non-existent. I've had domains on that network closed down before, but all of a sudden Yahoo are not responding. Certainly their hosting of that site and numerous others is still live despite what must be numerous reports, (certainly from me & you!). I'm pretty sure what the problem is is that my ISP, (Newnet), has either a DNS server problem or an A record TTL in excess of two days....I've got a query out to them. I don't know what the RFC's have to say on DNS A record TTL's, if anything - my old brain's hurting too much at the moment to start getting that involved. I'll have to look it up when my head stops pounding.. I've scanned around & used many other DNS servers and not found another record, so I'm pretty sure that's it, but it's always nice to get confirmation... Certainly Newnet couldn't get it from the authoritative .org servers as that record disappeared on April 30th. unless of course there's one lurking somewhere which is where the confirmation is always handy... Edit: You'll probably find if you use these DNS servers it will resolve for you too... * Primary DNS server: * Secondary DNS server: Edit2: mmm - I think I see the problem. Using the nslookup shell to query the SOA on the primary DNS server I get: expire = 7084000 (81 days 23 hours 46 mins 40 secs) That seems rather a long expire time. Is that normal does anyone know?? The secondary DNS server appears to have expired....
  8. I've actually managed to get Joker to suspend the fraudsters domain aegis-capital.org, (30th. April), and it is listed as "hold,infringe-3rd-parties" and supposedly out of the zone with nameserver data pulled. TLD5.ULTRADNS.INFO. (an authoritative nameserver for org.) says that there are no A records for aegis-capital.org, and that the hostname aegis-capital.org does not exist. I cannot find any stored caching of it anywhere. So, why is the crook's website still resolving for me on its Yahoo network??? (It's not locally cached). Server Response (Yahoo Site Host IPs) yns2.yahoo.com [] yns1.yahoo.com [] I originally thought that it was just cached somewhere & it would disappear in 24 hours - that was on April 30th. Is it resolving for others? There's got to be a record somewhere I guess, even if it's just my ISP's DNS... Yahoo seem to have reverted to 'clueless' mode & are not responding in a timely manner to abuse reports. The above network appeared to be being used by all sorts of spammers & crooks last time I looked.
  9. I don't know if this adds anything, but it appears to be a 'double zombie botnet': http://www.dnsstuff.com/tools/traversal.ch....com&type=A Looking up at the 4 kosoro.com. parent servers: ---------------Nameserver---------------------------------------------Response--------------- ns3.ajaxmx.com [] ns4.ajaxmx.com [] ns2.ajaxmx.com [] ns.ajaxmx.com [] Timeout The nameserver IPs and the host, (Response) IPs, (the only ones that Spamcop sees & change all the time) all appear to be compromised adsl machines. He's possibly got an Apache webserver on another IP somewhere controlling all of this, (I'm no DNS expert). The nameserver domain ajaxmx.com has almost certainly been registered by the spammer..... As Wazoo says, that snapshot above changes all the time, the only two consistent things are the nameserver domain and the site domain.
  10. A couple of weeks or so ago I mentioned in passing a new, (to me, anyhow), and interesting pseudo-botnet based on Yahoo nameservers and what appeared to be Yahoo Geocities IP's. It's still on the go, e.g. for this money laundering fraudster, aegis-capital.org: DNS structure for money laundering fraudster aegis-capital.org: (http://www.dnsstuff.com/tools/traversal.ch?domain=aegis-capital.org&type=A) Server Response (Yahoo/Geocities Site Host IPs) yns2.yahoo.com [] yns1.yahoo.com [] The rotating fraudsters site host IPs are all Geocities? IPs in the range to (inclusive) as shown in the above DNS structure and RDNS to what appear to be Geocities user addresses listed below, (e.g. = p10w14.geo.mud.yahoo.com). Perhaps a Geocities user can confirm that is indeed a standard Geocities user address? (or not). They are referenced by the Yahoo nameservers yns2.yahoo.com [] & yns1.yahoo.com [] It's much more widespread than that example, though. A Google search on any of the RDNS details for the above IPs shows that this network is used for a whole host of spamming, porn, fraud & 'dummy' domains. Last time I had a peek into this money laundering fraudster's network he had upwards of 100, (mainly fraud), domains registered. It's probably many more now. It's been difficult in the past to get Yahoo abuse teams to even understand the principle of a 419er's Yahoo response address & it's proving difficult to get them to understand the above. If it doesn't fit into their little boxes they just send out a kneejerk "request for more info" pro-forma response...
  11. I've put a false whois data report into CNNIC re ourhosting.cn, so hopefully something will happen... (or not...).
  12. You give up too easily, Wazoo... It is all related to the same criminal, United Cargo Solutions, but not obviously, I admit. Try the DNSstuff data on unicargo.hk in addition to the ucasol.info data link I posted above - same crook, different MO as Columbo might say... I could have started two threads, but I'm acutely aware of the need to save forum space & thus not get shouted at.... The first point is the issue as the title suggests. The second point is more of a (related!), point of interest to botnet aficionados as I said but I'm open to any feedback on it. [Edit] Re the second point: Yahoo have come up trumps and looped the DNS lookup result back to the root servers so it can be ignored. The data appeared to be accurate. Mind, it may well crop up again though, if it hasn't already as it was a novel way to create a 'pseudo-botnet' - using a selection of Geocities IPs as the rotating site hosts. It certainly created a fog factor that has got to baffle some abuse teams.... I'd still appreciate any suggestions on finding the sponsoring registrar for ourhosting.cn
  13. The domain in question is ourhosting.cn Who is the sponsoring registrar? The whois data from a variety of tools returns a series of question marks for the sponsoring registrar (even CNNIC - which incidentally seems to be having whois access problems ATM). This obfuscation may well be intentional as the domain is being used in conjunction with criminal fraud. On another tack, for all botnet afficionados, here is an interesting variation on a theme that I'm getting at the moment from the United Cargo Solutions money laundering criminal: http://www.dnsstuff.com/tools/traversal.ch...info&type=A On the face of it, the crook seems to be using a 'pseudo-botnet' arrangement with a selection of Yahoo! Geocities IPs from to inclusive to host the site on a fast DNS rotation controlled by two Yahoo nameservers, but I'm not 100% convinced that the data is telling the whole truth, so any opinions valued from DNS experts... As per usual it's proving difficult to convince the Yahoo! abuse teams of the apparent situation although every IP in the data is reportable to them...
  14. As an aside.... This is an automated reply that they appear to send out to all domain abuse reports. I've submitted many hundreds of reports to HKDNR relating to .hk out-and-out criminal fraud domains, (these lot for example) and received that bot reply every time, but they have never suspended a single domain to my knowledge. I copy all my reports to Hong Kong police (crimeinformation[at]police.gov.hk) direct now with an allegation that HKDNR are aiding and abetting criminal fraud & requesting an investigation. It doesn't do any good, of course, but I do get an occasional reply from the police to say they are looking into it, and it does make me feel better.. If everybody flooded the HK police with complaints re .hk out and out fraud sites, then perhaps some pressure might be put on HKDNR to be less criminal friendly, (their registration agreement allows them to take action). As it is I seem to see, (if it's not my imagination!), more and more .hk spamming and fraud domains like the one above appearing in my spam every day, not surprising, really as they appear to be bulletproof.
  15. I think the problem is that they have a very small abuse team. I'm sure their intentions are still good, but I think that they do get snowed under from time to time. My abuse report was responded to eventually, but only after a second report, but in the past they have shut sites down much quicker. Perhaps just a blip. I did eventually get this reply: Hello Bob, I am writing to you to confirm the suspension of radiddrp.org. Thank you for your clear and detailed complaint. That has helped speed up the process enormously. If you would like to bring this scam to the knowledge of the general public, why not add it as a "recent spam" at http://spamtrackers.eu/forum... I appreciate your kind words in your blog concerning Gandi's reactivity! Of course it helps when there are informative complaints like yours... Best regards, There's a new forum there which might be of interest.
  • Create New...