Is there any point to reporting Chinese web hosts?

I do not believe that the abuse desk sends spam or viruses (unless they are infected themselves).

They have been infected for over 4-5 months now. I just got another virus after reporting them to another open relay site. The ISP belongs to Shanghai Medical School.

This is a confirmation request from ORDB.org

You have submitted the following hosts for checking by the ORDB.org system.

Will test:     202.120.139.35. Your comment: this sender is sending viruses in response to abuse requests

However we need your confirmation in order to proceed with the test.

Simply hit the reply-button in your mail-client, and the automated system

at ORDB.org will start the test during its next run

Please ensure that you do not change the subject of this mail

when replying (except for prefixing it by "Re: ", which is ok)

Or you can follow this link:

http://ORDB.org/confirmation/?0.1743044875069870.7906044715

Thank you for using ORDB.org

I have found the actual name of the abuse desk administrator and sent him a personal e-mail. Will see how this turns out.

Edited by dra007

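
The ORDB confirmation above says the listed host will be "tested", without saying what the test is. The probe below is an added example, not ORDB's code and not part of the original thread: it performs the standard open-relay check (claim a sender outside the target's domains, ask it to accept a recipient also outside its domains, and treat a 250 to RCPT TO as proof of relaying), then backs out with RSET/QUIT so nothing is actually queued. The probe addresses, the HELO name and the scripted `FakeMta` that stands in for the target are all assumptions made for the example so that it runs offline.

```python
"""SMTP open-relay probe (added example; the addresses and FakeMta are assumptions)."""
from __future__ import annotations

from typing import Callable

# One SMTP command line in, (reply code, reply text) out.
Command = Callable[[str], tuple[int, str]]

# Assumed probe addresses: neither domain is hosted by the target MTA.
PROBE_SENDER = "relay-probe@example.org"
PROBE_RCPT = "relay-probe@example.net"


def probe_open_relay(cmd: Command, helo: str = "probe.example.org") -> dict:
    """Run the relay dialogue and return a verdict plus the full transcript.

    A correctly configured MTA refuses RCPT TO for a domain it does not host
    (5xx, typically 550 "Relaying denied"); an open relay answers 250.
    """
    transcript: list[tuple[str, int, str]] = []

    def step(line: str) -> int:
        code, text = cmd(line)
        transcript.append((line, code, text))
        return code

    open_relay = False
    reason = "HELO refused"
    if step(f"HELO {helo}") == 250:
        reason = "MAIL FROM refused"
        if step(f"MAIL FROM:<{PROBE_SENDER}>") == 250:
            code = step(f"RCPT TO:<{PROBE_RCPT}>")
            open_relay = code == 250
            reason = ("accepted RCPT TO for a domain it does not host"
                      if open_relay else f"RCPT TO refused with {code}")
    # Never send DATA: back out so nothing is delivered even on an open relay.
    step("RSET")
    step("QUIT")
    return {"open_relay": open_relay, "reason": reason, "transcript": transcript}


class FakeMta:
    """Scripted responder standing in for the target MTA (constructed for the example).

    `local_domains` is what it accepts mail for; `relay_for_anyone=True` models
    the misconfiguration an open-relay tester is looking for.
    """

    def __init__(self, local_domains: list[str], relay_for_anyone: bool = False) -> None:
        self.local = {d.lower() for d in local_domains}
        self.relay_for_anyone = relay_for_anyone
        self.sender: str | None = None

    def command(self, line: str) -> tuple[int, str]:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return 250, "fake.mta Hello"
        if verb == "RSET":
            self.sender = None
            return 250, "OK"
        if verb == "QUIT":
            return 221, "Bye"
        # MAIL FROM:<addr> / RCPT TO:<addr>: pull the address out of the brackets.
        addr = arg.split("<", 1)[-1].rstrip(">")
        domain = addr.rpartition("@")[2].lower()
        if verb == "MAIL":
            self.sender = addr
            return 250, "OK"
        if verb == "RCPT":
            if self.sender is None:
                return 503, "need MAIL first"
            if domain in self.local or self.relay_for_anyone:
                return 250, "OK"
            return 550, "Relaying denied"
        return 500, "command not recognized"


if __name__ == "__main__":
    for label, mta in (("closed", FakeMta(["med.example"])),
                       ("open", FakeMta(["med.example"], relay_for_anyone=True))):
        result = probe_open_relay(mta.command)
        print(f"{label}: open_relay={result['open_relay']} ({result['reason']})")
        for line, code, text in result["transcript"]:
            print(f"  C: {line}\n  S: {code} {text}")
```

Against a live host the same function can be driven by `smtplib`: after `s = smtplib.SMTP(host, 25)` has consumed the greeting, call `probe_open_relay(lambda line: s.docmd(line))` (`docmd` returns the reply code and text, the text as bytes). Only probe hosts you are authorized to test; that is why ORDB required the confirmation reply before running its own check.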
I just got another virus after reporting them to another open relay site.

It is likely just coincidence if you report an IP to a third party and then receive another virus from them. Most likely, you would have received that virus even if you did nothing with the previous one.


A coincidence doesn't repeat dozens of times consistently. This happens every single time. I have been getting viruses from this abuse desk every day for the last 4-5 months.

This is the last e-mail I sent him:

abuse[at]net.edu.cn <abuse[at]net.edu.cn>

person:    Lu Zhang

address:      280 South Chongqing Road

address:      Shanghai 200025, China

phone:        21-328-6590ext.457

fax-no:    21-320-2916

nic-hdl:      LZ5-CN

notify:    address-allocation-staff#cernic.net

mnt-by:    MAINT-NULL

changed:      szhu#cernic.net 19951117

source:    APNIC

Dear Lu,

What kind of medical school are you representing when you keep sending viruses and worms on a daily basis? Is your server infected or are you so brainless that you think I won't be able to find out your location. If you don't stop, you will end up on every single block and abuse list out there. Your users will be prevented from sending e-mail outside China.

Thank you

have been getting viruses from this abuse desk every day for the last 4-5 months.

Abuse desks and IP addresses are not synonymous. An abuse desk has an email address that uses the same IP address as its users. They also have a computer on which they write the email. The worm has to be on the computer that generates the email, so it would have to be on the computer that the abuse desk uses. You cannot tell whether the abuse desk computer is infected or whether it is another user. That's why you send the abuse desk a report: they can.

There are often arguments about whether the abuse desk personnel can read English which is why I suggested finding an interpreter. It is much more likely that the IT department of an educational institution may not know technical English.

If one hopes to convince a clueless abuse desk of its errors, it would be much better to demonstrate how they can verify what you say. Did you also send the headers of the infected email, pointing out how you know it came from their IP address? I would not expect much from an email that does not give some detail about what the problem is and how you expect them to solve it, but only tells them that they are idiots.

Miss Betsy


Of course I sent them the headers, and parsed/analysed headers as well... to no avail. The only reply was another virus/worm.

PS. This is a medical school in a major Chinese city (opened to western business), I doubt they would have trouble finding translators.

Edited by dra007

A coincidence doesn't repeat dozens of times consistently. This happens every single time. I have been getting viruses from this abuse desk every day for the last 4-5 months.

My point is...stop reporting them and you are likely to keep getting these virus messages as well. There is no likely link between the two functions, especially if you are reporting to a third party like you stated, not the IP address directly.


Where do you suggest I ought to report? I report to the abuse desk responsible for that IP.


I am going on this quote from your post:

I just got another virus after reporting them to another open relay site.

In that line, it looks like you are reporting them to something like ORDB and got a virus from them, and are linking the two.

My suggestion is to stop reporting them altogether if you think they are targeting you because of your reports. I don't think the two are related, but it is not happening to me.


I know this is not a SpamCop-related issue, but I need all the help I can get to find the appropriate help to deal with these people. My own help desk does defang most of their viruses, but it is annoying regardless. In an earlier post I also said:

What is puzzling is that their abuse desk replies to complaints with more viruses and snotty comments.

That is why I started doing some searches on this server; it has been sending me viruses daily for the last 4-5 months. In fact the spam attack started only after I received viruses and other attempts to defraud me. I was rarely getting spam e-mail before that.

Edited by dra007

That is why I started doing some searches on this server; it has been sending me viruses daily for the last 4-5 months. In fact the spam attack started only after I received viruses and other attempts to defraud me. I was rarely getting spam e-mail before that.

Someone with your address on their machine being infected was probably the start of your problems. All it takes is one virus message sent to the wrong person and your name can be added to one of the million-address CDs. The fact that this address is another educational facility means you may actually know the person infected.

However, I have a couple of people at work who started receiving virus attacks and spam after their addresses were posted in a paper they wrote for an industry journal. The virus apparently can search through either MS Word or PDF formatted documents in the cache on an infected machine or someone added every address in the paper to their address book in the order they were posted. Some of the spam they received had all of the addresses shown in the order they were in the paper.


I have had my e-mail in publications for at least 10-15 years as a first/corresponding author, since it became customary to have it instead of or with regular mail, but anything is possible. I have a suspicion this whole thing started as a malicious attack on a newsgroup frequented by geeks and hackers. I just received 2 more virus attack attempts a few minutes ago:

Return-Path: <cao_liqun[at]sina.com>

Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])

          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)

          ID <XAA19847[at]imap.srv.cis.pitt.edu> for < B)          

Sun, 13 Jun 2004 23:47:55 -0400 (EDT)

From: cao_liqun[at]sina.com

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)

id <01LB9MBM5040002GZO[at]mb2i1.ns.pitt.edu> for  B) ; Sun,

13 Jun 2004 23:47:54 EDT

Received: from  B)  ([202.120.139.35])

by pitt.edu (PMDF V5.2-32 #41462)

with ESMTP id <01LB9MBGRBLM0027UO[at]mb2i1.ns.pitt.edu> for  B) ;

Sun, 13 Jun 2004 23:47:52 -0400 (EDT)

Date: Mon, 14 Jun 2004 11:48:03 +0800

Subject: Mail Delivery (failure a B) )

To: B)

Message-id: <01LB9MBHIQNW0027UO[at]mb2i1.ns.pitt.edu>

MIME-version: 1.0

Content-type: multipart/related;

boundary="Boundary_(ID_NKk3Z0lqsywAuKgyrHP/VA)"; type="multipart/alternative"

X-Priority: 3

X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_NKk3Z0lqsywAuKgyrHP/VA)

Content-type: multipart/alternative;

boundary="Boundary_(ID_6GrPMAgKoqe7GPMJj2AFNg)"

--Boundary_(ID_6GrPMAgKoqe7GPMJj2AFNg)

Content-type: text/plain; charset="iso-8859-1"

Content-transfer-encoding: quoted-printable

--Boundary_(ID_6GrPMAgKoqe7GPMJj2AFNg)

Edited by dra007

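
The headers above are what an abuse report should be built on, and the thread's advice ("pointing out how you know this came from their IP address") comes down to one rule: walk the Received lines from the top, trust only the ones stamped by your own mail servers, and take the connecting IP from the lowest trusted line. Return-Path and From (here sina.com) are asserted by the sender and prove nothing. The code below is an added example, not from the original post and not SpamCop's parser. Its sample header block is constructed to mirror the chain above, with the obfuscated recipient replaced by the placeholder victim@pitt.edu and a second, forged bottom Received line added to show where the walk stops; the trusted-suffix list is an assumption.

```python
"""Walk Received headers to find the originating IP (added example; sample is constructed)."""
from __future__ import annotations

import re
from email import message_from_string

# Constructed sample modelled on the posted bounce; the recipient is a placeholder.
SAMPLE = """\
Return-Path: <cao_liqun@sina.com>
Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])
          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
          id <XAA19847@imap.srv.cis.pitt.edu> for <victim@pitt.edu>;
          Sun, 13 Jun 2004 23:47:55 -0400 (EDT)
From: cao_liqun@sina.com
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)
          id <01LB9MBM5040002GZO@mb2i1.ns.pitt.edu> for <victim@pitt.edu>; Sun,
          13 Jun 2004 23:47:54 EDT
Received: from [202.120.139.35] ([202.120.139.35])
          by pitt.edu (PMDF V5.2-32 #41462)
          with ESMTP id <01LB9MBGRBLM0027UO@mb2i1.ns.pitt.edu> for <victim@pitt.edu>;
          Sun, 13 Jun 2004 23:47:52 -0400 (EDT)
Date: Mon, 14 Jun 2004 11:48:03 +0800
Subject: Mail Delivery (failure victim@pitt.edu)
To: victim@pitt.edu
Message-id: <01LB9MBHIQNW0027UO@mb2i1.ns.pitt.edu>
"""

# Same message with a forged Received line appended underneath, as a sender
# could add before handing the message to the border MTA (constructed).
FORGED = SAMPLE + """\
Received: from mx.example.gov (mx.example.gov [192.0.2.10])
          by 202.120.139.35 with SMTP id fake; Mon, 14 Jun 2004 11:48:00 +0800
"""

FROM_BY = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.IGNORECASE)
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_trusted(host: str, trusted_suffixes: tuple[str, ...]) -> bool:
    """True if `host` is one of our MTAs (exact match or subdomain of a suffix)."""
    host = host.lower().strip("[]")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def trace_origin(raw_headers: str, trusted_suffixes: tuple[str, ...]) -> dict:
    """Return the origin IP we can vouch for, plus how many hops were (un)trusted.

    Received lines are read top-down (newest first). Each line was written by
    the host after "by"; as long as that host is ours, the "from" clause names
    the machine that handed us the message. The first line stamped by a
    foreign host ends the trusted region; everything below may be forged.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for header in msg.get_all("Received") or []:
        line = " ".join(header.split())            # unfold continuation lines
        m = FROM_BY.match(line)
        by_host = m.group(2) if m else None
        ips = IP_IN_BRACKETS.findall(m.group(1)) if m else []
        hops.append({"by": by_host, "ips": ips, "raw": line})

    origin = None
    trusted = 0
    for hop in hops:
        if hop["by"] is None or not is_trusted(hop["by"], trusted_suffixes):
            break
        trusted += 1
        if hop["ips"]:
            origin = hop["ips"][0]                 # lowest trusted hop with an IP wins
    return {
        "origin_ip": origin,
        "trusted_hops": trusted,
        "untrusted_hops": len(hops) - trusted,
        "return_path": msg.get("Return-Path"),
        "from": msg.get("From"),
    }


if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE), ("with forged hop", FORGED)):
        r = trace_origin(sample, ("pitt.edu",))
        print(f"{label}: origin={r['origin_ip']} trusted={r['trusted_hops']} "
              f"untrusted={r['untrusted_hops']} return-path={r['return_path']}")
```

For the posted chain this yields 202.120.139.35 as the only IP the receiving site can vouch for, whatever the From line claims; with the forged line appended, the walk stops at the foreign "by" host and the answer does not change. That IP, with the matching Received line and the timestamp, is the evidence to put in front of an abuse desk.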

I don't have time to go back and forth to be sure, but at first glance that looks like a mail delivery failure notice of the lart dra007 said was just sent to "Lin"

Miss Betsy


I agree... if you parse the headers, it came from the same IP that just sent me a virus before this e-mail, and this had a suspicious attachment as well. It was removed by my ISP before reaching my inbox.


Often mail delivery emails attach the email you sent. Probably the attachment to this email was your email to him.

It sounds to me as though every time you send a report to the abuse desk, it either bounces or they send you an autoreport back that includes your email. Your IT department is removing all attachments from undeliverable email and non-whitelisted addresses - benign or suspicious.

The reason that I keep suggesting that you use an interpreter is because they don't seem to know what to do with your reports. If they get an email, in Chinese, that explains that viruses are coming from this address with the supporting data plus that they have an open relay again with supporting data, then perhaps they would investigate.

Also, if your IT department allows these emails to be delivered to you, then they may have that IP address whitelisted because a colleague is corresponding with someone at that school. He may be able to contact his colleague and get him to talk to the IT department.

It is in everyone's interests to secure the open relay at this school and to clean the infected machine. If someone can contact them in their language, perhaps, they will have an explanation for what you are experiencing.

They may have blocked you because the reports you are sending don't make sense to them, either technically or because they can't translate them.

Miss Betsy


I had various one-liner replies from them; not all attachments were removed by my ISP, and some were definitely quarantined as Netsky or other types of viruses by Norton. I don't think that is an indication of a language problem. They tried everything, even spoofing NIH addresses in the From: line hoping it was whitelisted. Those virus attachments were not removed and were indeed viruses and worms. If they had an infected machine, you would think they would fix that in a 5-month span. Their replies usually follow massive spam reports or e-mails to their abuse desk.

I had various one-liner replies from them; not all attachments were removed by my ISP, and some were definitely quarantined as Netsky or other types of viruses by Norton.

How do you know that the viruses came from the abuse desk and not from the infected computer at that IP address?

If I don't understand exactly what you are describing (and English is my native language), I think that there is a good chance that someone trying to translate your emails would be completely confused as to what you are trying to tell them. In addition, if they are not as technically fluent as they should be, they would not be able to make an educated guess. Since they haven't closed the open relay, they either don't understand the problem or they are funding a new classroom from a spammer's contribution.

I am unsure of the viruses that are definitely connected to spammer activity so I wouldn't want to make a sweeping statement, but in my experience, there is no correlation between virus activity and spammer activity (except for 419 scam emails which seem to follow virus activity on occasion).

Miss Betsy

<snip>

My main point is that spammers in China, without doubt, are driven by money provided by the West. All big brand names know how to market their products, and I am sure that a product like Viagra would not have gotten so "imprinted" if it were not for the overwhelming "spam campaign" on the Net, which the sponsor "must have bought". If you look at typical spam content from China, the spam only contains "European/U.S.A." products. That is, 99.99% of spammers are selling Western products. Chinese do not understand English, so the spam is not aimed at Asians, and they are not making the products! You ask yourself about the source of spam

There are 1.300.000 Chinese, and they spam in their own language, which remarkably, I have not yet received a single spam in Chinese (the only spam I get is on the mobile). Worth thinking of.

<snip>

...You may not have received any spam in Chinese but I certainly have! And, since I don't read Chinese, it's an even worse abuse of the internet than if it were in English!


I receive spam in Korean every day and don't read or speak that language, except "kim-chi" of course... When I report them, the From address always has a SpamCop domain; guess the parser cannot translate Korean either...
