rayh Posted March 6, 2011

This is my first post, so I hope I'm in the right area.

I have a personal vendetta against this one spammer. He has been spamming me for many months now at about 30 messages a day, using a personal e-mail address that I believe he got from someone's contact book. He appears to have a fairly sophisticated approach. He owns many domains and is registering new ones regularly. Each e-mail fetches images from one of those domains with individually identifiable links in the e-mails (www.abcdedgf.domain.com). He also uses fake registrant info. Months ago I turned off my preview window after I realized he was using these identifiable links to determine if I opened the e-mail. Prior to this spammer I received almost no spam at that e-mail address, so I didn't worry so much about the preview issue.

I'm trying to hit this guy from many angles. I have lodged complaints with the registrar about the fake names and the spamming, though I don't expect much. I have also complained to some of the businesses he is advertising for, using the affiliate ID. I think this might have more of an effect, since the advertiser probably doesn't want to pay out for click-throughs on poorly targeted spam. And it may have had an effect, because he has now implemented a system where I can no longer capture the affiliate ID.

Now to my point. I have found a way to get a dump from the server with a test.cgi command. I'm curious what can be learned from the dump and if there is information there that would help out my cause. The original domain resolves to 208.70.175.70, but there are references to 68.168.97.168 and 68.168.97.247, so I'm not even sure who is hosting this server. Thanks in advance for any help.
Ray

http://www.xxxxxxxxx.datalemtiaz.com/test.cgi is the URL used and it produced the following dump:

    SCRIPT_NAME = /test.cgi
    SERVER_NAME = www.xxxxxxxxx.datalemtiaz.com
    SERVER_ADMIN = root[at]localhost
    HTTP_ACCEPT_ENCODING = gzip, deflate
    HTTP_CONNECTION = Keep-Alive
    REQUEST_METHOD = GET
    HTTP_ACCEPT = image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    SCRIPT_URI = http://www.xxxxxxxxx.datalemtiaz.com/test.cgi
    SCRIPT_FILENAME = /home/benp.offersonline.org/public_html/test.cgi
    SERVER_SOFTWARE = Apache/2.2.3 (CentOS)
    QUERY_STRING =
    REMOTE_PORT = 3244
    HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)
    SERVER_PORT = 80
    SERVER_SIGNATURE = Apache/2.2.3 (CentOS) Server at www.xxxxxxxxx.datalemtiaz.com Port 80
    HTTP_ACCEPT_LANGUAGE = en-us
    REMOTE_ADDR = 00.00.00.00 (I zeroed out my IP)
    SERVER_PROTOCOL = HTTP/1.1
    PATH = /usr/local/bin:/usr/bin:/bin
    REQUEST_URI = /test.cgi
    GATEWAY_INTERFACE = CGI/1.1
    SCRIPT_URL = /test.cgi
    SERVER_ADDR = 68.168.97.168
    DOCUMENT_ROOT = /home/benp.offersonline.org/public_html
    HTTP_HOST = www.xxxxxxxxx.datalemtiaz.com

    Working Directory is: /home/benp.offersonline.org/public_html
    --------------------------------------------------------------------------------
    Hostname: 68-168-97-247.phx.dedicated.codero.com
    Kernel: Linux
    Version: 2.6.18-164.15.1.el5PAE
    Release: #1 SMP Wed Mar 17 12:14:29 EDT 2010
    Hardware Type: i686
    --------------------------------------------------------------------------------
    Main IP interface: 68.168.98.49
    Hardware ID: 00:26:18:92:C2:A5
    --------------------------------------------------------------------------------
    ALL PERL MODULES FOUND, Successfuly tested and works.
    --------------------------------------------------------------------------------
    DBI -- 1.42
    GD -- 1.19
    GD::Graph -- 1.44
    GD::Text -- 0.86
    HTML::Parser -- 3.60
    HTML::Tagset -- 3.03
    Image::Size -- 2.99
    LWP -- 5.825
    MIME::Base64 -- 2.12
    Net -- ok
    Perl -- 5.8.8
    --------------------------------------------------------------------------------
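What a dump like the one above actually tells you, as an added example that is not part of the original post or of the thread's replies. A CGI environment dump mixes two kinds of fact: server-side variables (SERVER_ADDR, DOCUMENT_ROOT, the hostname and kernel lines the test script appended) that describe the box and can go into an abuse report, and request-derived variables (everything HTTP_*, REMOTE_ADDR, REMOTE_PORT) that describe whoever fetched test.cgi, here the poster's own browser, and say nothing about the spammer. The script below parses the "KEY = value" / "Label: value" shape of the dump, separates the two classes, and pulls out the attribution indicators: the IPs the box answers on (including the one encoded in the rDNS-style hostname), the hosting company's domain derived naively from that hostname, and the account name in DOCUMENT_ROOT, which is a different domain from the one being served and so points at another site on the same hosting account. The sample dump is retyped from the post with the long header values shortened; the provider-domain extraction takes the last two hostname labels, which is an assumption that holds for provider.com-style names and would need a public-suffix list for co.uk-style ones.

```python
import ipaddress
import re

# Constructed sample, retyped from the dump posted in the thread (hosts and IPs as posted,
# long Accept/User-Agent values shortened). Not live output from the server.
SAMPLE_DUMP = """\
SCRIPT_NAME = /test.cgi
SERVER_NAME = www.xxxxxxxxx.datalemtiaz.com
SERVER_ADMIN = root[at]localhost
HTTP_CONNECTION = Keep-Alive
REQUEST_METHOD = GET
SCRIPT_FILENAME = /home/benp.offersonline.org/public_html/test.cgi
SERVER_SOFTWARE = Apache/2.2.3 (CentOS)
QUERY_STRING =
REMOTE_PORT = 3244
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
REMOTE_ADDR = 0.0.0.0
SERVER_ADDR = 68.168.97.168
DOCUMENT_ROOT = /home/benp.offersonline.org/public_html
HTTP_HOST = www.xxxxxxxxx.datalemtiaz.com
--------------------------------------------------------------------------------
Hostname: 68-168-97-247.phx.dedicated.codero.com
Kernel: Linux
Version: 2.6.18-164.15.1.el5PAE
--------------------------------------------------------------------------------
Main IP interface: 68.168.98.49
Hardware ID: 00:26:18:92:C2:A5
"""

# CGI variables that describe the requester, not the server: copies of request headers
# (HTTP_*) plus the connection and request-line fields. Quoting these in an abuse report
# as "the spammer's" data is wrong; they belong to whoever fetched test.cgi.
CLIENT_SIDE_PREFIXES = ("HTTP_",)
CLIENT_SIDE_KEYS = {"REMOTE_ADDR", "REMOTE_PORT", "REQUEST_METHOD", "REQUEST_URI", "QUERY_STRING"}

LINE_RE = re.compile(r"^([A-Za-z_][\w ]*?)\s*[=:]\s*(.*)$")   # KEY = v   or   Label: v
HOST_IP_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")  # 68-168-97-247.phx...
DOCROOT_RE = re.compile(r"^/home/([^/]+)/")                   # cPanel-style /home/<account>/


def parse_dump(text):
    """Turn the dump's 'KEY = value' and 'Label: value' lines into a dict; skip separators."""
    env = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            env[m.group(1).strip()] = m.group(2).strip()
    return env


def is_client_side(key):
    return key.startswith(CLIENT_SIDE_PREFIXES) or key in CLIENT_SIDE_KEYS


def _ipv4_or_none(s):
    try:
        return str(ipaddress.IPv4Address(s))
    except ipaddress.AddressValueError:
        return None


def extract_indicators(env):
    """Server-side facts a report can stand on, with the client-side fields set apart."""
    ips = set()
    for key in ("SERVER_ADDR", "Main IP interface"):
        ip = _ipv4_or_none(env.get(key, ""))
        if ip:
            ips.add(ip)
    hostname = env.get("Hostname", "")
    m = HOST_IP_RE.match(hostname)             # the rDNS name encodes a third address
    if m:
        ip = _ipv4_or_none(".".join(m.groups()))
        if ip:
            ips.add(ip)
    labels = hostname.split(".")
    # Assumption: last two labels are the provider's domain (no public-suffix handling).
    provider = ".".join(labels[-2:]) if len(labels) >= 2 else ""
    m = DOCROOT_RE.match(env.get("DOCUMENT_ROOT", ""))
    return {
        "served_domain": env.get("SERVER_NAME", ""),
        "account_domain": m.group(1) if m else "",   # other domain on the same account
        "server_ips": sorted(ips, key=ipaddress.IPv4Address),
        "hostname": hostname,
        "hosting_provider": provider,
        "server_software": env.get("SERVER_SOFTWARE", ""),
        "kernel_version": env.get("Version", ""),
        "client_supplied": {k: v for k, v in env.items() if is_client_side(k)},
    }


def abuse_report(ind):
    """Plain-text summary: where it is served, who to ask, and what NOT to cite as evidence."""
    lines = [
        f"Site:            {ind['served_domain']}",
        f"Served from:     {', '.join(ind['server_ips'])}",
        f"Host rDNS name:  {ind['hostname']}",
        f"Hosting company: {ind['hosting_provider']} (confirm with whois on each IP above)",
        f"Account name:    {ind['account_domain']} (another domain on the same hosting account)",
        f"Software:        {ind['server_software']}, kernel {ind['kernel_version']}",
        "Requester-side values (describe whoever fetched test.cgi, not the operator):",
    ]
    lines += [f"  {k} = {v}" for k, v in sorted(ind["client_supplied"].items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(extract_indicators(parse_dump(SAMPLE_DUMP))))
```

Run it on a saved copy of the real dump instead of SAMPLE_DUMP and the "Served from" line gives you the addresses to put through ARIN/RIPE whois; the "Hosting company" line is only a hint from the hostname until whois on those addresses confirms it. The 68.168.x addresses and the 208.70.175.70 the domain resolves to can legitimately differ: the name may point at a front end or a different box on the same account, which is why the report lists the server-side IPs rather than the one DNS returns.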
Farelf Posted March 6, 2011

Don't know about interpreting the CGI dump, but there are a number of resources that give you the information you are after:

http://www.robtex.com/dns/datalemtiaz.com.html#records (and other tabs; the "Shared" one indicates 51 domains hosted on 208.70.175.70, not to say they would all be his, that would usually be unlikely)

http://centralops.net/co/DomainDossier.aspx (select domain whois record, network whois record, DNS records and service scan), which seems to indicate this sleazebag is off the air just now (and probably scurrying from one provider to the next as internet vigilantes keep whacking him).

http://whois.arin.net/rest/nets;q=208.70.1...;showARIN=false indicates he is currently hosted by cooplabs.net (OrgAbuseEmail: abuse[at]cooplabs.com), who could be in the process of either taking him in or throwing him out; hard (for me anyway) to tell which.
agsteele Posted March 6, 2011

> Now to my point. I have found a way to get a dump from the server with a test.cgi command. I'm curious what can be learned from the dump and if there is information there that would help out my cause. The original domain resolves to 208.70.175.70 but there are references to 68.168.97.168 and 68.168.97.247 so I'm not even sure who is hosting this server. Thanks in advance for any help.
> Ray
> http://www.xxxxxxxxx.datalemtiaz.com/test.cgi is the URL used and it produced the following dump:

No disrespect Ray, but I don't see anyone trying out your script since we don't know what actions it will actually perform... In fact I'm not clear how you got access to this CGI script on the server in question.

Andrew