
[Resolved] spamvertised URL using round-robin DNS and more


Marty

Recommended Posts

Posted

Hi, this is a new one to me...

http://www.spamcop.net/sc?id=z3960927722z2...55eef358046eaaz

hxxp://www.wk0.tabl-online.com is odd...

marty[at]homer-laptop:~$ host www.wk0.tabl-online.com
www.wk0.tabl-online.com has address 98.219.14.60 (c-98-219-14-60.hsd1.ga.comcast.net)
www.wk0.tabl-online.com has address 71.60.91.124 (c-71-60-91-124.hsd1.pa.comcast.net)
www.wk0.tabl-online.com has address 125.99.107.122 (none)
www.wk0.tabl-online.com has address 68.48.86.68 (c-68-48-86-68.hsd1.md.comcast.net)
www.wk0.tabl-online.com has address 24.209.24.242 (cpe-24-209-24-242.cinci.res.rr.com)

Those IP#'s appear to be compromised home addresses.

Then Mr(s) spammie tries to regale us with their technical prowess :o Some of the time those IP#'s serve up a Micro$oft ad for visual studio 2010. But hit 68.48.86.68 VIA the URL ONLY and we end up on his/her male organ enhancement page!

Cor, what a palava!

My question is, who / how many ISPs do I report to?

(The vicar at our local church wants her organ enlarged, perhaps I should send it to her ;))

Posted
> hxxp://www.wk0.tabl-online.com is odd...
The site appears to be hosted on a "fast flux" botnet, swapping its IP addresses around at intervals of 300 seconds (5 min). A "dig a" lookup gives you that info.

> Those IP#'s appear to be compromised home addresses.
That'd be a good guess, they look like pool addresses.

> Then Mr(s) spammie tries to regale us with their technical prowess :o Some of the time those IP#'s serve up a Micro$oft ad for visual studio 2010. But hit 68.48.86.68 VIA the URL ONLY and we end up on his/her male organ enhancement page!
Thanks to "virtual domain" features in web servers, loading a named-host URL won't always give you the same result as loading that host's bare IP address (this is done so that many domains & websites can share a common IP address). The culprit here is using a simple HTTP redirect to move you on to Microsoft (presumably randomly selected) if you are enough of a snoop as to be trying to access his site via bare IP addresses (you can see this with a "curl -i" command).

> My question is, who / how many ISPs do I report to?
Spamcop says the mail came via Hotmail, so you can obviously report to them. As for the web hosting, you could report to the upstreams of all the addresses you see, but there's more than a little futility here because that list of addresses is liable to change every 5 mins and might include hundreds of addresses from scores of providers in dozens of countries.

A simpler line of attack might be to deal with the DNS service -- but DNS for these services is often farked (intentionally or not) and may also be hosted on a botnet.

Yet a third avenue is to go to the domain registrar for tabl-online.com and make a complaint, but unless this registrar is pretty proactive this might not yield a result.

You might find this Wiki page useful: http://forum.spamcop.net/scwik/ReportingSpamWebsites

> (The vicar at our local church wants her organ enlarged, perhaps I should send it to her ;))
Since this is an institutional application, she will probably want to use the "Viagra Professional" that I see these guys advertising.

-- rick
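As an added illustration of the fast-flux check rconner describes above (example code written for this thread, not anything rconner or SpamCop provides), the Python below parses `dig +noall +answer` output and reports the indicators a defender would look at: a short TTL, many distinct addresses spread across many /16 blocks, and churn between successive lookups. The two snapshots are constructed, modelled on the addresses quoted in this thread; the 600-second TTL threshold and the /16 heuristic are assumptions.

```python
import ipaddress

# Constructed sample: two successive `dig +noall +answer <host> A` answers,
# modelled on the addresses reported in this thread (not real captures).
SNAPSHOTS = [
    """www.wk0.tabl-online.com. 300 IN A 98.219.14.60
www.wk0.tabl-online.com. 300 IN A 71.60.91.124
www.wk0.tabl-online.com. 300 IN A 125.99.107.122
www.wk0.tabl-online.com. 300 IN A 68.48.86.68
www.wk0.tabl-online.com. 300 IN A 24.209.24.242""",
    """www.wk0.tabl-online.com. 300 IN A 71.60.91.124
www.wk0.tabl-online.com. 300 IN A 203.0.113.7
www.wk0.tabl-online.com. 300 IN A 198.51.100.44
www.wk0.tabl-online.com. 300 IN A 24.209.24.242
www.wk0.tabl-online.com. 300 IN A 192.0.2.91""",
]


def parse_answer(text):
    """Return (lowest TTL, [IPv4 addresses]) from dig +noall +answer output."""
    ttls, ips = [], []
    for line in text.splitlines():
        parts = line.split()  # dig separates fields with tabs/spaces
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
            ttls.append(int(parts[1]))
            ips.append(ipaddress.ip_address(parts[4]))
    return (min(ttls) if ttls else None), ips


def flux_report(snapshots, ttl_threshold=600, min_prefixes=3):
    """Summarise fast-flux indicators across successive lookups.
    Thresholds are assumptions chosen for this illustration."""
    all_ips, ttls, churn, prev = set(), [], 0, None
    for snap in snapshots:
        ttl, ips = parse_answer(snap)
        if ttl is not None:
            ttls.append(ttl)
        cur = set(ips)
        if prev is not None:
            churn += len(cur - prev)  # addresses absent from the previous answer
        prev, all_ips = cur, all_ips | cur
    # Spread across many /16 blocks suggests unrelated consumer pools, not one hoster.
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    min_ttl = min(ttls) if ttls else None
    return {
        "min_ttl": min_ttl,
        "distinct_ips": len(all_ips),
        "distinct_slash16": len(prefixes),
        "new_ips_between_lookups": churn,
        "likely_fast_flux": (min_ttl is not None and min_ttl <= ttl_threshold
                             and len(prefixes) >= min_prefixes and churn > 0),
    }
```

Repeating the lookup every few minutes (the TTL rconner mentions) and feeding the answers to `flux_report` is what turns a one-off `host` result into the churn evidence worth including in an abuse report.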

Posted

rconner and wazoo,

Yes, very much so, Wazoo. A Huge Thank You to Rick for an excellent and most informative reply.

I believe I've been a reporting member of SpamCop since way before Rick's wiki article was added and must have missed it.

I thoroughly recommend it as a "great read" to members new and old...

http://forum.spamcop.net/scwik/ReportingSpamWebsites

incidentally: they now seem to be using www.aaan.HEALTH-LIFE-CO.com (a=alpha n=numeric)

I'm continuing to report (no, Quixote is not my middle name), but I'm adding a custom note for the probably compromised host's ISP about their customer's IP being included in a round-robin arrangement.

This question/issue is indeed "Resolved"

eta: tidy up and stuff

Posted
> rconner and wazoo,

> This question/issue is indeed "Resolved"

> eta: tidy up and stuff

Using http://web-sniffer.net/ (to stop the possibility of one's computer being compromised), it shows the target spammer's URL (report the botnet also).

Then, looking up the registrar, I get:

Domain name: discountmedstablets.net
Record created on: 2010-04-22
Record expires on: 2011-04-22
Technical Contact:
Alexander Zolotov
Alexander Zolotov
ul. Akademika Anohina d.13 kv.244
Moskva Moskva 119571
Phone: +7.4957284001
Fax: +7.4957284001
zion[at]qx8.ru

When making complaints to the registrar, I recommend a free throwaway email like Gmail.

Use the link SpamCop gives you for evidence

A program called Complainterator makes it easy (register with a Throwaway email)

I find them a bit "spammy" and annoying, but exceptionally effective at taking down spam sites.
