Marty Posted April 29, 2010

Hi, this is a new one to me...

http://www.spamcop.net/sc?id=z3960927722z2...55eef358046eaaz

hxxp://www.wk0.tabl-online.com is odd...

marty[at]homer-laptop:~$ host www.wk0.tabl-online.com
www.wk0.tabl-online.com has address 98.219.14.60 (c-98-219-14-60.hsd1.ga.comcast.net)
www.wk0.tabl-online.com has address 71.60.91.124 (c-71-60-91-124.hsd1.pa.comcast.net)
www.wk0.tabl-online.com has address 125.99.107.122 (none)
www.wk0.tabl-online.com has address 68.48.86.68 (c-68-48-86-68.hsd1.md.comcast.net)
www.wk0.tabl-online.com has address 24.209.24.242 (cpe-24-209-24-242.cinci.res.rr.com)

Those IP#'s appear to be compromised home addresses.

Then Mr(s) spammie tries to regale us with their technical prowess. Some of the time those IP#'s serve up a Micro$oft ad for Visual Studio 2010. But hit 68.48.86.68 VIA the URL ONLY and we end up on his/her male organ enhancement page! Cor, what a palava!

My question is, who / how many ISPs do I report to?

(The vicar at our local church wants her organ enlarged, perhaps I should send it to her.)
rconner Posted April 29, 2010

> hxxp://www.wk0.tabl-online.com is odd...

The site appears to be hosted on a "fast flux" botnet, swapping its IP addresses around at intervals of 300 seconds (5 min). A "dig a" lookup gives you that info.

> Those IP#'s appear to be compromised home addresses.

That'd be a good guess, they look like pool addresses.

> Then Mr(s) spammie tries to regale us with their technical prowess. Some of the time those IP#'s serve up a Micro$oft ad for Visual Studio 2010. But hit 68.48.86.68 VIA the URL ONLY and we end up on his/her male organ enhancement page!

Thanks to "virtual domain" features in web servers, loading a named-host URL won't always give you the same result as loading that host's bare IP address (this is done so that many domains & websites can share a common IP address). The culprit here is using a simple HTTP redirect to move you on to Microsoft (presumably randomly selected) if you are enough of a snoop as to be trying to access his site via bare IP addresses (you can see this with a "curl -i" command).

> My question is, who / how many ISPs do I report to?

Spamcop says the mail came via Hotmail, so you can obviously report to them. As for the web hosting, you could report to the upstreams of all the addresses you see, but there's more than a little futility here because that list of addresses is liable to change every 5 mins and might include hundreds of addresses from scores of providers in dozens of countries. A simpler line of attack might be to deal with the DNS service -- but DNS for these services is often farked (intentionally or not) and may also be hosted on a botnet. Yet a third avenue is to go to the domain registrar for tabl-online.com and make a complaint, but unless this registrar is pretty proactive this might not yield a result.

You might find this Wiki page useful: http://forum.spamcop.net/scwik/ReportingSpamWebsites

> (The vicar at our local church wants her organ enlarged, perhaps I should send it to her.)

Since this is an institutional application, she will probably want to use the "Viagra Professional" that I see these guys advertising.

-- rick
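The fast-flux traits rconner points at (a 300-second TTL, a rotating pool of residential addresses spread across many providers) can be recognised from nothing more than repeated lookups. The script below is an added example, not code from the thread or from SpamCop: it parses the A records of a dig answer section, keeps a series of snapshots, and scores them for the traits a defender would look for. All addresses, TTLs and the dig output are constructed from RFC 5737 documentation ranges so that it runs offline; the /16 grouping is an assumed stand-in for the ASN lookup you would use in practice.

```python
"""Fast-flux heuristic over repeated DNS answers for one hostname.

Added example, not from the forum thread. It assumes you have collected
periodic `dig A <name>` answers; the snapshots below are constructed
inline (RFC 5737 documentation ranges) so the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable

# Matches one A record in a dig ANSWER SECTION, e.g.
# "www.example.com.   300   IN   A   192.0.2.10"
_DIG_A = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


@dataclass(frozen=True)
class Snapshot:
    """One answer for the hostname: when it was seen, the TTL, and the A records."""
    seen_at: int                 # seconds since the first lookup
    ttl: int                     # TTL returned with the records, in seconds
    addresses: tuple[str, ...]


def parse_dig_answer(text: str, seen_at: int) -> Snapshot:
    """Turn the A records of a dig answer section into a Snapshot."""
    records = _DIG_A.findall(text)
    if not records:
        raise ValueError("no A records found in dig output")
    ttl = min(int(t) for _, t, _ in records)
    return Snapshot(seen_at, ttl, tuple(sorted(addr for _, _, addr in records)))


def prefix_16(addr: str) -> str:
    """Collapse an IPv4 address to its /16: a crude 'different network' proxy
    (assumption for this example) when no ASN data is at hand."""
    return str(ip_network(f"{addr}/16", strict=False))


def assess(snapshots: Iterable[Snapshot], low_ttl: int = 300,
           min_addresses: int = 5, min_networks: int = 3) -> dict:
    """Score a sequence of answers for fast-flux traits: short TTL, a large and
    network-diverse address pool, and answers that keep changing."""
    snaps = sorted(snapshots, key=lambda s: s.seen_at)
    pool = {a for s in snaps for a in s.addresses}
    networks = {prefix_16(a) for a in pool}
    max_ttl = max(s.ttl for s in snaps)
    changes = sum(1 for prev, cur in zip(snaps, snaps[1:])
                  if set(prev.addresses) != set(cur.addresses))
    indicators = {
        "low_ttl": max_ttl <= low_ttl,
        "large_pool": len(pool) >= min_addresses,
        "many_networks": len(networks) >= min_networks,
        "answer_churn": changes >= max(1, len(snaps) // 2),
    }
    return {
        "unique_addresses": len(pool),
        "unique_networks": len(networks),
        "max_ttl": max_ttl,
        "answer_changes": changes,
        "indicators": indicators,
        # Three of four traits together is the flag; one alone is common for CDNs.
        "likely_fast_flux": sum(indicators.values()) >= 3,
    }


# Constructed observations: four lookups five minutes apart of a host whose
# answer rotates through a pool spread across three documentation ranges.
FLUX_SNAPSHOTS = [
    Snapshot(0,   300, ("192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.11", "198.51.100.21")),
    Snapshot(300, 300, ("203.0.113.31", "192.0.2.12", "198.51.100.22", "203.0.113.30", "192.0.2.10")),
    Snapshot(600, 300, ("198.51.100.23", "203.0.113.32", "192.0.2.13", "198.51.100.20", "203.0.113.31")),
    Snapshot(900, 300, ("192.0.2.14", "203.0.113.33", "198.51.100.24", "192.0.2.12", "203.0.113.32")),
]

# Constructed control: an ordinary host with a long TTL and a stable answer.
STABLE_SNAPSHOTS = [
    Snapshot(t, 3600, ("192.0.2.50", "192.0.2.51")) for t in (0, 300, 600, 900)
]

# Constructed dig answer section in the standard dig output format.
DIG_TEXT = """;; ANSWER SECTION:
www.example.com.\t300\tIN\tA\t192.0.2.10
www.example.com.\t300\tIN\tA\t198.51.100.20
www.example.com.\t300\tIN\tA\t203.0.113.30
"""

if __name__ == "__main__":
    print("flux  :", assess(FLUX_SNAPSHOTS))
    print("stable:", assess(STABLE_SNAPSHOTS))
    print("parsed:", parse_dig_answer(DIG_TEXT, 0))
```

To use it on a live case you would run `dig A <name>` every few minutes, feed each answer section to `parse_dig_answer` with the elapsed time, and pass the list to `assess`. A content-delivery network also answers with short TTLs and many addresses, which is why the flag needs three of the four traits rather than one; the "many_networks" check is what separates a CDN's own address blocks from a pool of unrelated residential lines, and swapping the /16 proxy for a real ASN lookup makes that separation much sharper.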
Wazoo Posted April 29, 2010

Wow!! Great question, outstanding answer!! Many thanks to both parties!!
Marty (Author) Posted May 1, 2010

rconner and wazoo,

Yes very much so Wazoo. A Huge Thank You to Rick for an excellent and most informative reply. I believe I've been a reporting member of SpamCop since way before Rick's wiki article was added and must have missed it. I thoroughly recommend it as a "great read" to members new and old...

http://forum.spamcop.net/scwik/ReportingSpamWebsites

Incidentally: they now seem to be using www.aaan.HEALTH-LIFE-CO.com (a=alpha n=numeric).

I'm continuing to report (no, Quixote is not my middle name), but I'm adding a custom note for the probably compromised hosts' ISP about their customer's IP being included in a round-robin arrangement.

This question/issue is indeed "Resolved".

eta: tidy up and stuff
petzl Posted May 2, 2010

> rconner and wazoo,
> This question/issue is indeed "Resolved"
> eta: tidy up and stuff

Using http://web-sniffer.net/ (to stop the possibility of one's computer being compromised) shows the target spammer's URL (report the botnet also).

Then looking up the registrar I get:

Domain name: discountmedstablets.net
Record created on: 2010-04-22
Record expires on: 2011-04-22
Technical Contact:
Alexander Zolotov
Alexander Zolotov
ul. Akademika Anohina d.13 kv.244
Moskva Moskva 119571
Phone: +7.4957284001
Fax: +7.4957284001
zion[at]qx8.ru

Making complaints to the registrar, I recommend a free throwaway email like Gmail. Use the link SpamCop gives you for evidence.

A program called Complainterator makes it easy (register with a throwaway email). I find them a bit "spammy" annoying but exceptionally effective in taking down spam sites.