Everything posted by TerryNZ

  1. Heritage International University is covered in detail at the EU spam Wiki http://www.spamtrackers.eu/wiki/index.php?...onal_University It is a Diploma Mill scam attributed to Alton Scott aka Alton Scott Poe, thought to be residing in Montreal.
  2. Over the past week I pasted about 4,000. I have an automated page paster, which should gain their attention. Not that they haven't been made painstakingly aware of the problem, and how to remedy it. Other flags for Google are in all of the Site Advisor pages for the redirect sites, http://www.siteadvisor.com/sites/tromoem.com (Illegal software piracy) http://www.siteadvisor.com/sites/discusswoman.com (Fake Canadian Pharmacy) http://www.siteadvisor.com/sites/theoutworlds.com (Herbal Express fraud) etc etc Also, there are the Castlecops SIRT alerts sent to Google http://www.castlecops.com/t217904-SIRT_142...an_Pharmac.html http://www.castlecops.com/t217705-SIRT_140...e_Software.html > BLOGSPOT ACTION REQUIRED > 1. remove all existing violations (see the list of 12,460 sites appended at spamtrackers.eu) > 2. remove the loop-hole that facilitates this crime and then there is the huge list of abused blogspot sites at http://spamtrackers.eu/wiki/index.php?title=Blogspot Why are they allowing these criminals to abuse their service like this? Google has some work to do to repair a tarnished reputation.
  3. I do not know if you can paste in 3000 urls. It may be easier to paste just the one link listing the 3000 urls http://rss.uribl.com/hosters/blogspot_com.html And then, for Yahoo's Geocities http://rss.uribl.com/hosters/geocities_com.html Perhaps Google should do a Google lookup on +blogspot +redirection +abuse
  4. Complainterator is a tool which has proven highly successful in the wholesale removal of tens of thousands of spammed websites. Like Spamcop when used with standard rather than "quick" reporting, it allows the user to select whether or not to forward the generated complaint for the spammed site. The difference is that Complainterator addresses the complaint not to the ISP who owns the IP address on which the spammed site is hosted; instead, it addresses the complaint to the Registrar for the hosting site. Rationale - When a spammed site is illegal, the registrar has accepted a contract to register its name from a criminal. Once a complaint is lodged, the registrar has to decide whether to uphold that contract with the criminal, or whether it is better to terminate the contract and avoid the possibility of legal proceedings for aiding and abetting a crime. Most legitimate registrars make the right decision. Complainterator is also effective in combating countermeasures that criminals have taken against Spamcop. We are seeing the emergence of spammed hosts running on fast-flux botnets of up to 20 host IPs at a time. These host IPs refresh every few minutes to another range of 20 hosts. That's because Spamcop has been so successful in complaining to the ISPs who owned the hosting IP addresses that they had to do something about it. Of course, there is no way that Spamcop can keep up with the fast-flux botnet hosting described here. Because Complainterator goes further up the "food chain" and complains to the registrar, this countermeasure gets foiled. Of course, the bad guys have realized this, too. So they create hundreds of "throw-away" host names, hoping to get ahead of Complainterator, in the same way as they have with Spamcop. So Complainterator examines the name servers that the spammers have created to resolve their hundreds of host names.
Complainterator refers to detailed instructions teaching the registrars how to effectively suspend the spammers' name servers, thus removing hundreds of spammed host sites in one move. Powerful stuff! So, if you are frustrated at the thought of spammers getting the better of your Spamcop reporting, try out Complainterator. It runs on a Windows platform and supports multiple browsers and mailers. Read more about it and download it from http://complainterator.com It is at version 20.1 as at October 27th, 2007. And it is free.
  5. The distribution site for this successful spam site removal tool has come under a DDOS attack by the spamming criminals. This attack coincides with others on Spamhaus.org, uribl.com, surbl.org and spamassassin. Complainterator V14 can still be downloaded from the European spam Wiki and download site http://www.spamtrackers.eu/downloads The EU spam wiki has comprehensive information on the most frequent spammers, and details the fraud inherent in their spammed web sites. http://spamtrackers.eu/wiki Documentation on Complainterator is also in the Wiki.
  6. The reply from HK police is a standard template, one of two. You got the one for a single complaint. Template two is a reply for multiple complaints, and it differs in that it lists the dates the complaints were received, and the total number. Eventually you may receive a follow-up email stating what action was taken, if any.
  7. The problem with SpamCop not being able to resolve many of Alex Polyakov's spammed sites (eg My Canadian Pharmacy) is well known, documented, and accepted by Ironport. To see how and why it happens, check out the EU spam Wikipedia entry for Alex Polyakov at http://www.spamtrackers.eu/wiki/index.php?...od_of_operation The process of hijacking other people's machines is covered at http://www.spamtrackers.eu/wiki/index.php?...e=Hijacked_host Historical note. The Ironport IP block was first discovered during a forensic analysis of one of the machines he hijacked back in May 2006, so the problem has been outstanding for a year now. http://snowcrash.ca/blawg/2006/05/investig...romised_li.html
  8. I missed no valid points. I explained the initial blocklist problem and provided all the evidence that it is prudent to provide. You challenged the evidence. I explained why it was imprudent to proffer more. I do not consider that you are in the "need to know" category, so I provided more detail privately. When I provided that evidence in private, you accused me of using criminal methods to gain it, and therefore refused to accept it. For someone who openly refuses to accept what I offer because it lacks visible proof, I am astounded that you assume that I have used criminal methods to gain evidence, without any proof of your accusation. An apology and full retraction might have gone some way to mitigate your irrational actions. But I am left with no option to dismiss you for what you have shown yourself up to be. "There is none so blind as he who will not see"
  9. The above example demonstrating its veracity for DNSSTUFF.COM should be sufficient to show that if it fits in one case, it probably fits in another. As pointed out earlier, there is nothing to gain by parading the actual evidence in total, other than to satisfy your curiosity. Satisfying your curiosity and parading information that Ironport may have preferred to keep confidential was not necessary. When I did provide further proof in private messages, you told me that you did not want to discuss it, that you seemed to know the real reason (response time exceeded 1/3 of a second, with no proof that that was an issue) and then went on to suggest that I must have come by the information through criminal means, therefore you could not pay any attention to it. I do not take kindly to accusations of criminal activity, especially when the evidence was voluntarily provided by a victim whose system had been compromised. Our team is not in the business of supplying intelligence to the crime syndicates. You might want to see that information. But we are neither concerned about your curiosity nor your credibility, nor your credulousness. Case closed.
  10. That's OK. Your skepticism in the face of overwhelming evidence created some amusement with my team. You could have done some more homework. The techniques used by this prolific spammer are well documented, both at the http://spamtrackers.eu/wiki (Alex Polyakov .. Hijacked Hosts etc) and at http://pharmalert.zoomshare.com which describes the server hijacking operation to its victims. Nobody has to believe everything they read. Proof that Alex Polyakov blocks the IP range for DNSSTUFF.COM http://www.dnsstuff.com/tools/traversal.ch....net&type=A Note the four name servers all appear to time out. Now observe how you can use the same nameservers from your own (unblocked) IP address, and how you can load the spammed fake pharmacy site at http://loparolwet.net - unless you are coming in from an Ironport IP of course. Or FDA, or DEA, or DOJ, or Visa . . .
  11. Three examples of live "Polyakov" sites where SC could not perform the IP address lookup because of the block on the Ironport IP address range in his name server IPTable deny list http://www.spamcop.net/sc?id=z1286194521za...f78bfa48f92e46z http://www.spamcop.net/sc?id=z1287128262zc...3bea2fb391f7e7z http://www.spamcop.net/sc?id=z1287883950z4...328725294a2c66z
  12. I would appreciate feedback on whether the problem is resolved. The latest version has the fix for both Internet Explorer, where it was repeatable, and for Firefox, where it occurred (ie was reported) on about 1 in 50 systems
  13. The fixed version is ready for download from the Tools forum at http://thecarpcstore.com/phpbb2/viewtopic.php?t=702
  14. Thanks for the detailed problem description. I was able to duplicate it, and found exactly the same result as you describe. It opened the Favorites pull-down, and subsequent keystrokes were directed there. I will examine the cause right away.
  15. The perpetrator behind this spam is Robert Soloway, whom you can find in Spamhaus, and the EU Wiki - http://www.spamtrackers.eu/wiki/index.php?...=Robert_Soloway and the Wikipedia at http://en.wikipedia.org/wiki/Robert_Soloway If you have an address that can be found in the "WHOIS" registry, you are likely on his multi-million spamming list.
  16. The proof of the evidence exists, but is not in the public domain. That is often the case prior to arrest and prosecution. You only need ask anyone in Ironport - they can test the loading of MCP sites from their IP range. Even ordinary citizens whom Alex has got pissed with, can verify that despite receiving his spammed invitations, they can not load his sites except via an anonymous proxy. Welcome to the contradictory world of Alex.
  17. Version 11 of Complainterator is now available. Details and download links are at http://thecarpcstore.com/phpbb2/viewforum.php?f=4 and http://www.spamtrackers.eu/wiki/index.php?...=Complainterato Version 11 adds the complaint message to the spamvertized site - and incorporates many user suggestions.
  18. That is precisely what the Alex Polyakov / Yambo gang is doing. They use DNS resolution on hijacked machines, and set up an IP Table that blocks specific ranges of IP addresses from gaining access to the site. To remove your doubt, read the evidence. http://www.spamtrackers.eu/wiki/index.php?...e=Alex_Polyakov and specifically the section http://www.spamtrackers.eu/wiki/index.php?...od_of_operation where Ironport (Spamcop) is mentioned. Stop thinking "ISP" and start thinking "Registrar" - the companies who have accepted a contract with criminals. The above quoted link shows the registrant is "Paul Gregoire", whose details are also entered into evidence, both at Spamhaus, and at the spam Wiki http://www.spamtrackers.eu/wiki/index.php?...e=Paul_Gregoire Instructions for registrars on how to remove his site, and the dnspotato.com name server, are also there: http://www.spamtrackers.eu/wiki/index.php?...egistrar_Advice.
  19. I have noticed that spammed sites are more and more often failing to find the associated IP once the URL has been de-obfuscated. When I do a whois lookup myself on the failed domain name, I have no problem. This happens with all of the "Alex Polyakov" sites like My Canadian Pharmacy, International Legal RX, US Drugs, Viagra+Cialis etc. This is happening because he is running his own name servers, and on those name servers he has installed his IP Tables. IP range entries discovered in the IP Tables that are being blocked include Ironport. (Plus the FBI, FDA, DEA, Visa, DOJ etc to name a few). His boasts that his sites are immune to Spamcop will result in more spamvertizers adopting his method. Spamcop needs to perform the whois lookup through an ever changing range of proxy addresses to subvert this evasion technique. See the evidence at http://www.spamtrackers.eu/wiki/index.php?...e=Alex_Polyakov under the "Method of operation" section.
  20. I accept all TLDs except ccTLDs without question. aero/biz/cat/com/coop/edu/gov/info/int/jobs/mil/mobi/museum/name/net/org/pro/travel/hk I pop up a warning for ccTLDs because there are few spams using them as NS. (Beijing may get tired of requests to remove dns.com.cn otherwise) The exception to the rule is .hk which is rapidly becoming a haven for spammer NS. * * * * V.11 will add a generated complaint message to the spammed URL registrar, to complement the existing complaints to NS registrars. I see that as a necessary fallback, given the 3-4 remaining registrars who totally refuse to cut their ties with organized crime. The removal of the spammed sites, usually under law abiding registrars, will help address this issue. This additional complaint message will accept any TLD. * * * * The advent of V 11 will complete a useful picture. Using Polyakov's operation as an example - With reference to the pyramid at http://www.spamtrackers.eu/wiki/index.php?...od_of_operation Law enforcement tackles layer 1 Complainterator tackles most of layer 2-3, at the registrar level, and an AutoAlerter tackles the hijacks (see http://pharmalert.zoomshare.com) at the IP / ISP level Spamcop tackles layer 4-5 at the IP / ISP level * * * * In an ideal world, all of these spam prevention measures would be embodied under the one composite operation. Imagine it. One spam generates * request to ISP to shut down a compromised machine or open relay at source of spam * request to ISP to remove a spammed website at its IP address * request to registrar to deregister the spammed site domain * request to registrars to null route the spammers' name servers that resolved access to the spammed site * evidence accumulated for law enforcement to be used in the prosecution "I have a dream . . . "
  21. Yes it is working as intended. I also received an imageshack spam today. Complainterator correctly warns that this is not a URL likely to generate a valid message. It urges the user to check the message. It gives two options to get out (Yes and Cancel) and one option to continue (No) If anyone does elect to continue, Complainterator has a pretty hard time dealing with what follows. Just as with Spamcop, there is expected to be a degree of intelligent decision making on the part of the user. And in this case, Complainterator has given a clear hint that sending a complaint asking for the removal of all 8 imageshack name servers is not such a bright idea. But if anyone were to send off such a request to Godaddy, the next stage would be for Godaddy to perform their own reasonability checks.
  22. Thanks. Please quote me a spammed domain name that illustrates the problem.
  23. To give an idea of how effective Complainterator can be - Complaints to Registrar "Ace of Domains" (support[at]moniker.com) to shut down the following name servers would freeze access to this many spammed sites
      ns1.driedoutdns.com, ns2.driedoutdns.com - 176
      ns1.hairyolddns.com, ns2.hairyolddns.com - 223
      ns1.surprisingdns.com, ns2.surprisingdns.com - 532
      ns1.ferygoins.com, ns2.ferygoins.com - 346
      ns1.chambogos.com, ns2.chambogos.com - 247
      TOTAL 1,524 illegal web sites would be removed
      A complaint to Network Solutions to shut out the two nameservers on eggbacondns.com would take down 227 illegal spammed web sites. The world of registrars is quickly being divided into two camps - those who combat crime, and . . . um . . the rest.
  24. This free spam reporting tool is now at version 10. Complainterator V10 includes support for BROWSERS: Internet Explorer / Mozilla / Firefox / SeaMonkey MAILERS: Outlook / Outlook Express / Thunderbird (all others with some manual assistance) It checks the IP address of the spammed site's name servers, and does not generate messages to the registrar if the name server has already been removed. It reports the spammed site's name servers and their current IP addresses. This innovation is better when reporting to Chinese registrars, who prefer to black-hole the IP rather than mess with the DNS name server record. Complainterator takes a different approach from Spamcop - it addresses complaints to the registrars, rather than IP address owners. It complains to the registrars of the site's name servers, not the registrar of the spammed site. Removal of a spammer's name server takes down all spammed sites that depend on that name server. There have been cases where one complaint to a registrar has canceled several hundred spammed sites in one email. Complainterator is therefore a high leverage spam site removal tool.
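
An added example, not part of the original posts and not Complainterator's own code: a sketch of the name-server leverage described in posts 20, 23 and 24, grouping spammed sites by the name-server domain they depend on, skipping name servers that no longer resolve, and flagging ccTLD name servers other than .hk for a manual check. All host names, IP addresses and function names are constructed for illustration; DNS lookups are replaced by an inline table so it runs offline.

```python
from collections import defaultdict

# TLDs that post 20 says are accepted without question (gTLDs plus .hk).
ACCEPTED_TLDS = set(
    "aero biz cat com coop edu gov info int jobs mil mobi museum "
    "name net org pro travel hk".split()
)

# Constructed sample: spammed site -> name servers that resolve it.
SPAMMED = {
    "site1.example": ["ns1.constructed-a.com", "ns2.constructed-a.com"],
    "site2.example": ["ns1.constructed-a.com", "ns2.constructed-a.com"],
    "site3.example": ["ns1.constructed-a.com", "ns1.constructed-b.hk"],
    "site4.example": ["ns1.constructed-c.cn"],
    "site5.example": ["ns1.constructed-d.net"],
}

# Constructed lookup results: name server -> current IP, None if removed.
NS_IPS = {
    "ns1.constructed-a.com": "192.0.2.10",
    "ns2.constructed-a.com": "192.0.2.11",
    "ns1.constructed-b.hk": "198.51.100.5",
    "ns1.constructed-c.cn": "203.0.113.7",
    "ns1.constructed-d.net": None,
}

def ns_parent(ns_host):
    """Domain of a name server (simplification: the last two labels)."""
    return ".".join(ns_host.lower().rstrip(".").split(".")[-2:])

def complaint_targets(spammed, ns_ips):
    """Rank name-server domains by how many spammed sites depend on them."""
    groups = defaultdict(lambda: {"servers": {}, "sites": set()})
    for site, servers in spammed.items():
        for ns in servers:
            ip = ns_ips.get(ns)
            if ip is None:  # already removed: nothing to complain about
                continue
            group = groups[ns_parent(ns)]
            group["servers"][ns] = ip  # report the name server with its IP
            group["sites"].add(site)
    report = [
        {
            "ns_domain": parent,
            "servers": dict(sorted(g["servers"].items())),
            "sites_affected": len(g["sites"]),
            # ccTLDs other than .hk get a warning before any complaint
            "warn_cctld": parent.rsplit(".", 1)[-1] not in ACCEPTED_TLDS,
        }
        for parent, g in groups.items()
    ]
    return sorted(report, key=lambda r: (-r["sites_affected"], r["ns_domain"]))
```

Calling `complaint_targets(SPAMMED, NS_IPS)` returns the name-server domains ordered by the number of dependent sites, which is the order in which a registrar complaint has the most effect.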