dra007 Posted July 3, 2004

Can anyone help me find the upstream ISP for 82.76.216.52? This IP has sent me viruses daily for the last 3 months. The request for assistance to their abuse desk was answered immediately with another virus (below). I already reported them to ORDB; nothing seems to stop them.

This is a confirmation from ORDB.org
You have submitted the following hosts for checking by the ORDB.org system.
Will test: 82.76.216.52.
Your comment: the abuse desk of this IP answers to my queries with more viruses
Thank you for using ORDB.org

Return-Path: <bbb[at]zzz.org>
Received: from mb1i1.ns.pitt.edu (mb1i1.ns.pitt.edu [136.142.185.161]) by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4) ID <OAA20883[at]imap.srv.cis.pitt.edu> for < [at]imap.pitt.edu>; Sat, 3 Jul 2004 14:25:50 -0400 (EDT)
From: bbb[at]zzz.org
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01LC10INXWLC00KHPB[at]mb1i1.ns.pitt.edu> for [at]imap.pitt.edu; Sat, 3 Jul 2004 14:25:50 EDT
Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01LC10IJM8HS00GPJX[at]mb1i1.ns.pitt.edu> for [at]imap.pitt.edu; Sat, 03 Jul 2004 14:25:49 -0400 (EDT)
Date: Sat, 03 Jul 2004 21:25:41 +0300
Subject: Re: Your text
To: [at]imap.pitt.edu
Message-id: <01LC10IKZZWY00GPJX[at]mb1i1.ns.pitt.edu>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_qy6J5bQ4jvEuseQOsK4HSQ)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_qy6J5bQ4jvEuseQOsK4HSQ)
Content-type: text/plain; charset="Windows-1252"
Content-transfer-encoding: 7bit

Here is the file.

--Boundary_(ID_qy6J5bQ4jvEuseQOsK4HSQ)
Content-type: text/plain; name=replaced.txt
Content-disposition: attachment
Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically removed by the University's electronic mail systems because such attachments may contain computer viruses, worms, or other potentially malicious software code. If you were expecting to receive a message from this sender including an attached executable file (.exe), batch file (.bat), or others, and you know the identity of the sender, you should contact the sender to make other arrangements to receive the file. Please contact the Technology Help Desk at 412 624-HELP [4357] for additional information or assistance. Further information on message attachment removal is available online at http://technology.pitt.edu/security/index.html. Thank you.

--Boundary_(ID_qy6J5bQ4jvEuseQOsK4HSQ)--
dra007 Posted July 3, 2004

I found some interesting additional information about the ISP serving the above IP:

An accompanying mail was sent to the following addresses which are thought to be responsible for domain(s), IP blocks, ASN, or nameservers associated with the origin point:
iq[at]rdsnet.ro

Message abstract:
Message ID: <b08401c454f8$2bffa65d$9c7ad457[at]umfxipb>
Originating IP address: 80.96.34.178 ()
ASN: 8708
ASN Description: Romania Data Systems S.A.
CIDR: 80.96.32.0/19

The following (if any) queryable spam-related information is associated with the originating IP and/or domain:
IP 80.96.34.178 () is known to SpamHaus as a source or relay of spam. See: http://www.spamhaus.org/
Classification(s):
- Illegal 3rd party exploits, including proxies, worms and trojans.
For more information on this host, see: http://www.spamhaus.org/query/bl?ip=80.96.34.178
Please address these issues.
- Composite Blocklist: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=80.96.34.178
- DSBL Proxy: http://dsbl.org/listing?ip=80.96.34.178

Additional resources of possible interest:
http://www.senderbase.org/?searchBy=ipaddr...ng=80.96.34.178
http://openrbl.org/lookup?i=80.96.34.178
http://groups.google.com/groups?scoring=d&...8+group:*abuse*
dra007 Posted July 4, 2004

An update to my attempt to contact the offending site: a direct response in which I am advised to contact their lawyer! The audacity of this spam gang is beyond belief. Can anyone help me find the upstream ISP of this idiot?
Wazoo Posted July 4, 2004

http://bgp.potaroo.net/cgi-bin/as-report?as=AS8708

Report for AS8708
Name - RDSNET Romania Data Systems S.A.

AS Adjacency Report
In the context of this report "Upstream" indicates that there is an adjacent AS that lies between the BGP table collection point (in this case at AS4637) and the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description of relative topology, and should not be confused with provider / customer / peer inter-AS relationships.

48 AS8708 RDSNET Romania Data Systems S.A.
Adjacency: 61 Upstream: 2 Downstream: 59
Upstream Adjacent AS list
AS3356 LEVEL3 Level 3 Communications
AS3549 GBLX Global Crossing Ltd.

07/04/04 00:57:20 Slow traceroute 82.76.216.52
Trace 82.76.216.52 ...
67.17.65.58 RTT: 132ms TTL:176 (so2-0-0-2488M.ar2.FRA3.gblx.net ok)
67.17.159.102 RTT: 133ms TTL:176 (Romania-Data-Systems.so-1-3-2.ar2.FRA3.gblx.net ok)
193.231.252.233 RTT: 161ms TTL:176 (buh1-gsr1-p6-0.rdsnet.ro bogus rDNS: host not found [authoritative])
193.231.252.75 RTT: 167ms TTL:176 (buch1-qos.rdslink.ro bogus rDNS: host not found [authoritative])
193.231.252.73 RTT: 163ms TTL:176 (buh1-cr1-vlan4.rdsnet.ro bogus rDNS: host not found [authoritative])
82.76.241.5 RTT: 162ms TTL:176 (No rDNS)
82.76.216.52 RTT: 182ms TTL:110 (No rDNS)
dra007 Posted July 4, 2004

Interesting, Wazoo, thank you... am I to understand that

Upstream Adjacent AS list
AS3356 LEVEL3 Level 3 Communications
AS3549 GBLX Global Crossing Ltd.

those two above are upstream ISPs as well? I get spam from both daily (and they obviously don't act on it)... I just need to find the ISP upstream of RDSNET Romania Data Systems S.A. ... ask why the abuse desk of Data System is so abusive... and whether anyone can take some action to stop the trojan flow from the downstream ISP. I got a dozen Netsky attachments from them today alone and this has been going on for some time.. Also note that they have no reverse DNS... however ORDB could not get past their firewall...
Wazoo Posted July 4, 2004

As stated in the "definition" .. the next level up reads as;

11 AS4637 REACH Reach Network Border AS
Adjacency: 250 Upstream: 0 Downstream: 250

Then we drop down to what you asked for;

48 AS8708 RDSNET Romania Data Systems S.A.
Adjacency: 61 Upstream: 2 Downstream: 59
Upstream Adjacent AS list
AS3356 LEVEL3 Level 3 Communications
AS3549 GBLX Global Crossing Ltd.

So let's say that Reach owns the optic fiber inter-continental network, Level3 and Glbx buy their bandwidth from them, sell it to others .... I offered a traceroute from my end and at that time, the connection path went through Glbx, then to RDS ... so, with those data points, the upstream of the connection I showed is Glbx ....

OrgAbuseHandle: GBLXA-ARIN
OrgAbuseName: GBLX-Abuse
OrgAbusePhone: +1-800-404-7714
OrgAbuseEmail: abuse[at]gblx.net
OrgNOCHandle: GBLXN-ARIN
OrgNOCName: GBLX-NOC
OrgNOCPhone: +1-800-404-7714
OrgNOCEmail: gc-noc[at]gblx.net

and just to flush out the data bits;

6 AS3549 GBLX Global Crossing Ltd.
Adjacency: 496 Upstream: 8 Downstream: 488
Upstream Adjacent AS list
AS1221 ASN-TELSTRA Telstra Pty Ltd
AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
AS1239 SPRN Sprint
AS4637 REACH Reach Network Border AS
AS5693 INTELE-13 InteleNet Communications, Inc.
AS27354 LAYER LayerOne Holdings, Inc.
AS10026 ANC Asia Netcom Corporation
AS701 UU UUNET Technologies, Inc.
dra007 Posted July 4, 2004

Thank you Wazoo, I appreciate your help. I am getting a picture of the Data System being a cover for spam and abuse. My knowledge is limited at this point, but it also seems that they may exploit upstream servers to send spam. I will see if my query to their help/abuse desk will remain silent. All I was able to get from them in the past were automated replies.

PS. Interestingly, just after typing the first paragraph I got an e-mail from tim[at]rdsnet.ro arguing around the following link (IP in question) that my complaints should not go to him. In the same vein he shows a lot of bravado, saying he is not afraid of American laws and is not planning to come to the US. He ends up blaming US spammers for my grief. I do not follow that logic. I don't know what to make of this.

--------------------
edited July 6: tim[at]rdsnet.ro, whose real name is Bogdan Surdu (tr. the deaf), has been sighted as an originator of the VIAGRA spams that we all hate so much! This particular spam looks awfully familiar!
Wazoo Posted July 4, 2004

"they may exploit upstream servers to send spam"

Not really much exploitation. At this level, spam is probably just a very small percentage of all traffic routed, so the cost of actually doing something to filter/block it out is probably seen as more expensive than just continuing to pay the bandwidth bill.

"that my complaints should not go to him"

Technically, this is correct. That address is listed as being one who "handled some data changes" ... actual tech points of contact, issues and complaints would go to the only contact address offered, possibly the owner (?) at iq <at> rdsnet.ro ... but, as you'll notice in the RIPE listing, hostmaster <at> rnc.ro shows up all over the place ... going to www.rnc.ro shows the blurb;

RNC is a national project co-ordinated and established by Department of Research, Ministry of Education and Research targeted on the objectives related to research and development activity.

Also the line;

WHOIS.ROTLD.RO - the new WHOIS server for .ro domains

..... from there, http://www.rnc.ro/new/finra.shtml lists and defines what is supposed to be in the registration fields, leading one to search out the admin-c and tech-c addresses, as these are the folks that should have some control (?) over what happens on their network.
dra007 Posted July 4, 2004

I find it interesting that some of these domains, supposedly funded by western grants (at least in part), are also listed in ROKSO:

Since November, 2003, a spam gang has been operating out of Romania. They routinely host some of the worst ROKSO spammers in what has come to be known as "clustering," where a group of spammers will flock from place-to-place as a cluster. Spammers include Alan Ralsky, LMIHosting, Oromar Mollica, Evidence-Eliminator, Webfinity (Python), Tim Goyetche, Damon DeCrescenzo, and others. Their MO is to get a new SWIP, usually a /23, but sometimes a /24 or /22, get a new ASN, and get an established Romanian network to announce them (and to colocate their servers). As soon as they are "up," the spammers pile on, just as in their previous incarnation. This is evidently done by paying hosts to turn a blind eye, as the spam complaints roll in immediately for spamvertised websites and bulletproof DNS, but the hosting continues indefinitely, or takes small detours as they play hide-and-seek games with the routing. There have been (as of this writing) 83 SBL listings directly related to this gang.

Some of the more notable listings include these:
/snip
81.180.202.0/23 rdsnet.ro SBL16436 Linux Security Systems - Telecom SRL
/snip
195.225.144.0/22 rdsnet.ro SBL16274 SC System Area SRL (systemarea.ro) / LSS-HOLDING
193.27.196.0/23 rdsnet.ro SBL16273 SC System Area SRL (systemarea.ro)
/snip
141.85.14.0/23 rdsnet.ro SBL15988 ABOUT-ARTS.COM
193.25.188.0/23 rdsnet.ro SBL15606 HORADONET
/snip
193.27.84.0/23 rdsnet.ro SBL14522 SC DELTA ELECTRIC IMPEX SRL [AS31088]
193.27.72.0/23 rdsnet.ro SBL14260 ElDorado Networks (AS31039)
193.19.114.0/23 rdsnet.ro SBL14124 Virtual NET (AS31007)
81.180.87.0/24 rdsnet.ro SBL14123 SC SOROCAM SRL (AS31007)
80.97.54.0/24 rdsnet.ro SBL12726 SC MW Trade Groupage SRL (AS29203)
81.180.103.0/24 rdsnet.ro SBL12725 SC MW Trade Groupage SRL (AS29203)
/snip
81.180.85.0/24 rnc.ro SBL10758 Webfinity/Dynamic Pipe 18n-ready.com; www.hackedpasses.net; www.stop-payingforporn.com

Strangely enough, the person with whom I exchanged e-mails also signs as Tim (one of the spammers: <tim[at]extreme.ro> Sent: Sunday, July 04, 2004 5:59 AM) ... coincidence perhaps ... He claims his IP was spoofed in the offending e-mails...
dra007 Posted July 5, 2004

Update. I got two mixed replies from RNC. Basically they claim they do not have any authority in the issue, but if the request comes from the responsible ISP they may do something. Seems at this stage everybody is passing the hot potato. I got a few more viruses since yesterday; they seem to be stuck on Netsky:

UNIVERSITY OF PITTSBURGH's virus protection service has detected a potential email virus. This suspicious message has been quarantined in your UNIVERSITY OF PITTSBURGH Message Center:
From: cameliamaier[at]k.ro
Subject: Re: Extended Mail
Virus: W32/Netsky.p[at]MM!zip
You can read the message without infecting your computer. Click on the link to access your UNIVERSITY OF PITTSBURGH Message Center:

It comes from an IP that answered to my abuse requests claiming innocence.. and this one below, I got this morning from the IP in the above thread which also claims innocence:

Return-Path: <someone[at]somewhere.com>
Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162]) by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4) ID <WAA14181[at]imap.srv.cis.pitt.edu> for < [at]imap.pitt.edu>; Sun, 4 Jul 2004 22:55:40 -0400 (EDT)
From: someone[at]somewhere.com
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01LC2WM47Q2O004WY0[at]mb2i1.ns.pitt.edu> for [at]imap.pitt.edu; Sun, 4 Jul 2004 22:55:40 EDT
Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01LC2WLZCKDQ0051E3[at]mb2i1.ns.pitt.edu> for [at]imap.pitt.edu; Sun, 04 Jul 2004 22:55:36 -0400 (EDT)
Date: Mon, 05 Jul 2004 05:55:27 +0300
Subject: Re: Hello
To: [at]imap.pitt.edu
Message-id: <01LC2WLZOT5C0051E3[at]mb2i1.ns.pitt.edu>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_TKXF8EPXTFhmNaX8BzvmKw)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_TKXF8EPXTFhmNaX8BzvmKw)
Content-type: text/plain; charset="Windows-1252"
Content-transfer-encoding: 7bit

Please read the attached file.

--Boundary_(ID_TKXF8EPXTFhmNaX8BzvmKw)
Content-type: text/plain; name=replaced.txt
Content-disposition: attachment
Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically removed by the University's electronic mail systems because such attachments may contain computer viruses, worms, or other potentially malicious software code. If you were expecting to receive a message from this sender including an attached executable file (.exe), batch file (.bat), or others, and you know the identity of the sender, you should contact the sender to make other arrangements to receive the file. Please contact the Technology Help Desk at 412 624-HELP [4357] for additional information or assistance. Further information on message attachment removal is available online at http://technology.pitt.edu/security/index.html. Thank you.

--Boundary_(ID_TKXF8EPXTFhmNaX8BzvmKw)--

PS. I filed a complaint with the agency that deals with fraud (https://www.efrauda.ro/admin/default.htm). Hope that will have some results.
dra007 Posted July 5, 2004

That Romania Data Systems has a pretty inflated name for an abusive ISP. I got a bounce and another virus from them after sending reports to various agencies:

__________________
(edited July 6) There is a lot of data here on spamspew funneled out of Romania Data Systems. I am sure spam like that was received by most people here. You will note they have a connection with both Korean and Brazilian web-advertised sites.
___________________

Hi. This is the qmail-send program at rdsnet.ro.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<abuse[at]rdsnet.ro>:

Return-Path: <staff[at]list.cashculture.com>
Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162]) by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4) ID <MAA06517[at]imap.srv.cis.pitt.edu> for < [at]imap.pitt.edu>; Mon, 5 Jul 2004 12:03:52 -0400 (EDT)
From: staff[at]list.cashculture.com
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01LC3O5BJSB4004PTZ[at]mb2i1.ns.pitt.edu> for [at]imap.pitt.edu; Mon, 5 Jul 2004 12:03:51 EDT
Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01LC3O555FB8004XVM[at]mb2i1.ns.pitt.edu> for [at]imap.pitt.edu; Mon, 05 Jul 2004 12:03:50 -0400 (EDT)
Date: Mon, 05 Jul 2004 19:03:35 +0300
Subject: Re: Excel file
To: [at]imap.pitt.edu
Message-id: <01LC3O55DTMW004XVM[at]mb2i1.ns.pitt.edu>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_E3Wf3DBDMQ1FjPiRiVzowQ)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_E3Wf3DBDMQ1FjPiRiVzowQ)
Content-type: text/plain; charset="Windows-1252"
Content-transfer-encoding: 7bit

Please have a look at the attached file.

--Boundary_(ID_E3Wf3DBDMQ1FjPiRiVzowQ)
Content-type: text/plain; name=replaced.txt
Content-disposition: attachment
Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically removed by the University's electronic mail systems because such attachments may contain computer viruses, worms, or other potentially malicious software code. If you were expecting to receive a message from this sender including an attached executable file (.exe), batch file (.bat), or others, and you know the identity of the sender, you should contact the sender to make other arrangements to receive the file. Please contact the Technology Help Desk at 412 624-HELP [4357] for additional information or assistance. Further information on message attachment removal is available online at http://technology.pitt.edu/security/index.html. Thank you.

--Boundary_(ID_E3Wf3DBDMQ1FjPiRiVzowQ)--
Farelf Posted July 6, 2004

Well done dra007 - I shall harbour no more suspicions that you might be just a little paranoid, those damned Transylvanians really have tracked you down to Pennsylvania. Seriously though, I for one will be interested in how this all turns out. This is the first actual (as opposed to mythical) case of its type I know of.
dra007 Posted July 6, 2004

Thank you Farelf. For all I know I might be related to Vlad the Impaler aka Dracula myself, so they might get a dose of their own medicine. And I am not talking Viagra. By the way, Dracula was a real medieval king (1400's) named so because he belonged to a Crusader's Order of the Dragon (dracul = the devil or dragon in Romanian). I filed complaints with everyone including their Ministry of Informatics/Computer Networking and the FTC on this side of the ocean.
Miss Betsy Posted July 6, 2004

I still don't understand how dra007 knows that the abuse desk is sending hir viruses. The viruses come from the same IP address but that does not mean that the abuse desk is sending them to hir on purpose - or anyone, for that matter; viruses generally are randomly generated and the owner of the machine does not know they are being sent. However, if s/he creates enough stir, perhaps someone else will see that there really is a problem with both spammers and viruses on this network. The squeaky wheel gets the grease and not everyone has time to track down addresses to complain to.

Miss Betsy
dra007 Posted July 6, 2004

Well, the update is that I got another attack, this time from the site dealing with their Research and Development. My suspicions were only confirmed; they are all corrupted and in cahoots with each other. In fact the rnc (http://www.rnc.ro/new/finra.shtml) site has been listed in ROKSO before:

81.180.85.0/24 rnc.ro SBL10758 Webfinity/Dynamic Pipe 18n-ready.com; www.hackedpasses.net; www.stop-payingforporn.com

Here is their footprint:

Received: from source ([217.156.87.150]) by exprod7mx53.postini.com ([12.158.38.251]) with SMTP; Tue, 06 Jul 2004 01:00:49 EDT
From: lohn[at]k.ro
To: [at]pitt.edu
Subject: Re: document_all
Date: Tue, 6 Jul 2004 08:04:34 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
X-pstnvirus: W32/Netsky.p[at]MM
boundary="
--------------------------------------------------------------------------------
Date: Tue, 6 Jul 2004 08:04:34 +0300
From: lohn[at]k.ro
To: [at]pitt.edu
Subject: Re: document_all

Please read the attached file!

Attachments: application/octet-stream

Received: from source ([217.156.87.150]) by exprod7mx5.postini.com ([12.158.38.251]) with SMTP; Tue, 06 Jul 2004 00:00:14 CDT
From: grv[at]aol.com
To: [at]pitt.edu
Subject: Mail Delivery (failure [at]pitt.edu)
Date: Tue, 6 Jul 2004 08:03:57 +0300
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
X-pstnvirus: Exploit-MIME.gen.c
boundary="
--------------------------------------------------------------------------------
Date: Tue, 6 Jul 2004 08:03:57 +0300
From: grv[at]aol.com
To: [at]pitt.edu
Subject: Mail Delivery (failure [at]pitt.edu)
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
VmlydXMgdmFyaWFudCBkZXRlY3RlZCBhbmQgZGVsZXRlZC4=
__________________________________________

Tracking details
Display data:
"whois 217.156.87.150[at]whois.ripe.net" (Getting contact from whois.ripe.net)
Backup contact notify = hostmaster[at]rnc.ro
pn2940-ripe = nicol[at]tts.ro
whois.ripe.net 217.156.87.150 = nicol[at]tts.ro
whois: 217.156.87.0 - 217.156.87.255 = nicol[at]tts.ro
Routing details for 217.156.87.150
Using last resort contacts nicol[at]tts.ro

I have exchanged e-mails with nicol[at]tts.ro already. Again claims innocence. Seems rule number one applies here again!! Funny they have the audacity to spoof aol in their header.
dra007 Posted July 6, 2004

Ms Betsy, I would like to believe that there are an incredibly large number of coincidences. However, I get the viruses as soon as I complain to their abuse desk. For the most part my inquiries to them have remained unanswered or answered with more abuse. If anything, they are guilty of being unresponsive to what seems to be a problem (read my ROKSO quote). And they cannot claim a language barrier; I wrote to them in their mother tongue. This is not something that started yesterday; it has been going on for several months. I keep a meticulous record of its history. One day it may come in handy in court.
dra007 Posted July 6, 2004

As coincidences go, I got another virus soon after posting here:

Reports routes for 82.76.216.52:
routeid:11160204 82.76.0.0 - 82.79.255.255 to: nadriang[at]rdsnet.ro Administrator found from whois records
routeid:11160203 82.76.0.0 - 82.79.255.255 to: tim[at]extreme.ro Administrator found from whois records
routeid:11160202 82.76.0.0 - 82.79.255.255 to: dragosv[at]rdsnet.ro Administrator found from whois records
routeid:11160201 82.76.0.0 - 82.79.255.255 to: andii[at]rdsnet.ro Administrator found from whois records

Same IP that advised me to contact their lawyer:

Return-Path: <toadervictor[at]yahoo.com>
Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162]) by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4) ID <MAA24984[at]imap.srv.cis.pitt.edu> for < [at]imap.pitt.edu>; Tue, 6 Jul 2004 12:00:14 -0400 (EDT)
From: toadervictor[at]yahoo.com
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01LC52B5LTQ80050XL[at]mb2i1.ns.pitt.edu> for [at]imap.pitt.edu; Tue, 6 Jul 2004 12:00:13 EDT
Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01LC52B1MPJU00595N[at]mb2i1.ns.pitt.edu> for [at]imap.pitt.edu; Tue, 06 Jul 2004 12:00:08 -0400 (EDT)
Date: Tue, 06 Jul 2004 18:59:58 +0300
Subject: Re: Your bill
To: [at]imap.pitt.edu
Message-id: <01LC52B1UDIK00595N[at]mb2i1.ns.pitt.edu>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_pDMysrn1SaWu4gtghqCOdQ)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_pDMysrn1SaWu4gtghqCOdQ)
Content-type: text/plain; charset="Windows-1252"
Content-transfer-encoding: 7bit

Please read the attached file.

--Boundary_(ID_pDMysrn1SaWu4gtghqCOdQ)
Content-type: text/plain; name=replaced.txt
Content-disposition: attachment
Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically removed by the University's electronic mail systems because such attachments may contain computer viruses, worms, or other potentially malicious software code. If you were expecting to receive a message from this sender including an attached executable file (.exe), batch file (.bat), or others, and you know the identity of the sender, you should contact the sender to make other arrangements to receive the file. Please contact the Technology Help Desk at 412 624-HELP [4357] for additional information or assistance. Further information on message attachment removal is available online at http://technology.pitt.edu/security/index.html. Thank you.

--Boundary_(ID_pDMysrn1SaWu4gtghqCOdQ)--

My bill, they say. I guess they see this as payback time.
Miss Betsy Posted July 6, 2004

I don't doubt that they have been unresponsive or that viruses are coming from that IP address. It does seem like a high number of coincidences. A few spammers do take the time to respond to individual spam complaints, I believe. And I certainly hope that your complaints are taken seriously since being unresponsive to viruses cannot be seen in any other light than irresponsible.

BTW, how do you know that they are mostly Netsky? I don't see anything in the IT Dept's message that identifies the attachment. Or have you been comparing them with the known subjects of Netsky?

Miss Betsy
dra007 Posted July 6, 2004

Ms Betsy, see my previous posts in this thread. I can check the attachments at my help desk; they are either Netsky or MIME exploits. Thank god they are holding them. Unfortunately some do get through occasionally and are detected by my antispam software. They went as far as spoofing trusted NIH addresses to get past the virus filter on my server:

UNIVERSITY OF PITTSBURGH's virus protection service has detected a potential email virus. This suspicious message has been quarantined in your UNIVERSITY OF PITTSBURGH Message Center:
From: cameliamaier[at]k.ro
Subject: Re: Extended Mail
Virus: W32/Netsky.p[at]MM!zip
You can read the message without infecting your computer. Click on the link to access your UNIVERSITY OF PITTSBURGH Message Center:

Those servers are notorious for sending trojans as listed in ROKSO/Spamhaus, and they are widely known as a spam gang...
dra007 Posted July 7, 2004

Well folks, my suspicion that the above abusive IP is a source of spam has just been confirmed:

-------- Original Message --------
Subject: [spamCop (80.96.34.178) id:1053453133]Overage $3579
Date: 3 Jun 2004 10:14:56 -0000
From: 1053453133[at]reports.spamcop.net
To: iq[at]rdsnet.ro

[ SpamCop V1.324 ]
This message is brief for your comfort. Please use links below for details.
Email from 80.96.34.178 / 3 Jun 2004 10:14:56 -0000
80.96.34.178 is an open proxy, more information: http://www.spamcop.net/mky-proxies.html
http://www.spamcop.net/w3m?i=z1053453133zd...78631406335057z

[ Offending message ]
Return-Path:
Delivered-To: x
Received: (qmail 5750 invoked from network); 3 Jun 2004 10:14:56 -0000
Received: from unknown (192.168.1.101) by blade6.cesmail.net with QMQP; 3 Jun 2004 10:14:56 -0000
Received: from unknown (HELO 8) (80.96.34.178) by mailgate.cesmail.net with SMTP; 3 Jun 2004 10:14:56 -0000
Received: from [241.183.250.64] by 80.96.34.178 with HTTP; Thu, 03 Jun 2004 17:09:47 +0600
From: "Records--zP1f"
To: x
Subject: Overage $3579
Mime-Version: 1.0
X-Mailer: agriculture caucus january
Date: Thu, 03 Jun 2004 16:04:47 +0500
Reply-To: "Records--zP1f"
Content-Type: multipart/alternative; boundary="111243660610114145"
Message-Id:
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6
X-spam-Level: **
X-spam-Status: hits=2.5 tests=FORGED_YAHOO_RCVD,FROM_ENDS_IN_NUMS, HTML_MESSAGE,J_CHICKENPOX_24,J_CHICKENPOX_34 version=2.63
X-SpamCop-Checked: 192.168.1.101 80.96.34.178
X-SpamCop-Disposition: Blocked bl.spamcop.net

--111243660610114145
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

neanderthal christianson loft parachute fierce maurice cyclotomic alumna changeable moraine seek smith injury pardon camellia igloo diversion datsun spin spector bella bricklay surveillant hay doctoral rancho ecole prudent wiretapper dang carney horseplay hump biracial bobbin perimeter penates yvette betray cinematic

--111243660610114145
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

Hello again, I sent you an email a few days ago. Because we have great news for you ! A bigger house with bigger savings are now yours for the taking at.. L ow er ..rat.es ! You can easily be approved for a $200,000 loa n for only $550/month ! We represent major ban ks and le nders that will gladly accept, and approve your mo rt.gage qualifications ! And that means a new ..m ort.gage at L.ow.er r..ates that will save you alot of money each and every month ! Bad c.r.e.d.i.t IS NOT a problem. 1 minute is all it takes to enter your information for a... m or t gage that truly benefits YOU. This service is -F r e e- and without any obligations This way for a really great opportunity ! Thank you for your time, Best Regards, Harry Tracy 613456893973864322 pontiff obfuscatory meadowland flagging surrogate buddhist old wingmen daylight crook chisel

--111243660610114145--

Apparently these spammers are playing games with their own upstream server and refuse to answer its queries as well. I hope I will shut down these idiots.
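An added example (not from the thread, and not SpamCop's code) that applies the rule the first post's headers and the SpamCop report above both rest on when a network claims its address was spoofed: walk the Received chain from the top, skip hops inside the recipient's own infrastructure, and take the first outside address as the origin; anything stamped below that hop was written by the sender or the abused proxy and proves nothing. It runs over the two header chains quoted in this thread; the 136.142.0.0/16 range and the pitt.edu HELO suffix are assumed here to be the recipient's trusted infrastructure.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples, transcribed from the header chains quoted in this thread
# (the forum's "[at]" obfuscation is kept; the parser never looks at addresses).
# Received lines are in message order: the topmost was stamped last, by the
# final receiving server, and is the only one the recipient can fully trust.
PITT_HEADERS = """\
Received: from mb1i1.ns.pitt.edu (mb1i1.ns.pitt.edu [136.142.185.161]) by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4) ID <OAA20883[at]imap.srv.cis.pitt.edu> for < [at]imap.pitt.edu>; Sat, 3 Jul 2004 14:25:50 -0400 (EDT)
From: bbb[at]zzz.org
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01LC10INXWLC00KHPB[at]mb1i1.ns.pitt.edu> for [at]imap.pitt.edu; Sat, 3 Jul 2004 14:25:50 EDT
Received: from imap.pitt.edu ([82.76.216.52]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01LC10IJM8HS00GPJX[at]mb1i1.ns.pitt.edu> for [at]imap.pitt.edu; Sat, 03 Jul 2004 14:25:49 -0400 (EDT)
Subject: Re: Your text
"""

SPAMCOP_HEADERS = """\
Received: (qmail 5750 invoked from network); 3 Jun 2004 10:14:56 -0000
Received: from unknown (192.168.1.101) by blade6.cesmail.net with QMQP; 3 Jun 2004 10:14:56 -0000
Received: from unknown (HELO 8) (80.96.34.178) by mailgate.cesmail.net with SMTP; 3 Jun 2004 10:14:56 -0000
Received: from [241.183.250.64] by 80.96.34.178 with HTTP; Thu, 03 Jun 2004 17:09:47 +0600
Subject: Overage $3579
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.IGNORECASE | re.DOTALL)


def parse_received(value: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (helo_name, connecting_ip, receiving_host) for one Received value.

    Hops without a 'from ... by ...' clause (qmail's local injection line,
    PMDF's CONVERSION-DAEMON handoff) yield (None, None, None): nothing
    connected over the network, so there is no address to attribute.
    """
    m = FROM_BY_RE.match(value.strip())
    if not m:
        return None, None, None
    helo, extra, by_host = m.group(1), m.group(2), m.group(3)
    # The address the receiving MTA actually saw is the first dotted quad in
    # the 'from' clause: '[82.76.216.52]', '(192.168.1.101)' or '(HELO 8) (80.96.34.178)'.
    ips = IPV4_RE.findall(helo + extra)
    return helo, (ips[0] if ips else None), by_host


def is_trusted(ip: str, trusted_nets: List[ipaddress.IPv4Network]) -> bool:
    """A hop is trusted if it sits in our own ranges or on a private/internal address."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or any(addr in net for net in trusted_nets)


def claims_trusted_name(helo: str, suffixes: Tuple[str, ...]) -> bool:
    """True when the HELO name is, or is a subdomain of, one of our own domains."""
    h = helo.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def find_origin(raw_headers: str, trusted_nets=(), trusted_suffixes=()) -> Dict[str, object]:
    """Walk Received headers top-down; the first hop outside our trust boundary is the origin.

    trusted_nets: CIDR strings for the recipient's own mail infrastructure.
    trusted_suffixes: domains a legitimate internal hop may announce in HELO.
    Every Received line below the origin was written by the sender (or by a
    proxy it abused) and is reported as an untrusted tail, never as the origin.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    suffixes = tuple(s.lower() for s in trusted_suffixes)
    hops = [parse_received(line[len("Received:"):])
            for line in raw_headers.splitlines()
            if line.lower().startswith("received:")]
    result: Dict[str, object] = {"origin_ip": None, "helo": None, "received_by": None,
                                 "helo_forged": False, "untrusted_tail": []}
    for idx, (helo, ip, by_host) in enumerate(hops):
        if ip is None or is_trusted(ip, nets):
            continue  # local handoff, or still inside our own infrastructure
        result.update(origin_ip=ip, helo=helo, received_by=by_host)
        # An outside address announcing one of our own host names is a forged HELO,
        # which is exactly what 'from imap.pitt.edu ([82.76.216.52])' shows.
        result["helo_forged"] = claims_trusted_name(helo, suffixes)
        result["untrusted_tail"] = [h[1] for h in hops[idx + 1:] if h[1] is not None]
        break
    return result


if __name__ == "__main__":
    print(find_origin(PITT_HEADERS, ["136.142.0.0/16"], ["pitt.edu"]))
    print(find_origin(SPAMCOP_HEADERS))
```

In the SpamCop chain the hop beneath the open proxy ("from [241.183.250.64] by 80.96.34.178 with HTTP") lands in the untrusted tail, which is why the report names 80.96.34.178 and not the address that line claims.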
Miss Betsy Posted July 7, 2004

You are confusing me again. I thought you said that you had an extensive history of spam from this IP address. Or was it the history of the manual reports you sent to them about a virus and the subsequent virus immediately sent? When you send the abuse desk manual reports about a virus, do you include the headers and a portion of the body - enough to identify the virus, but not the attachment? Did you send such a message to the one who said they were innocent and ask hir to explain why that did not come from that network?

Miss Betsy
dra007 Posted July 7, 2004

The history with respect to virus and spam attacks is so well documented, I was successful in closing them down. Whew, what a relief. Thanks again everyone for the help and encouragement. The good news is that one less spammer is now crawling the internet. For a while anyway; I am sure they are resourceful enough to reincarnate again. Incidentally, my spam has trickled down to nil since I started this fight.
HillsCap Posted July 7, 2004

If they do start up again, I've found that having a FriedSpam.net party with 10 of your friends for a couple weeks usually knocks a clue into the spammer's thick skull. Hitting their website about 100,000 times a day per FriedSpam participant tends to do that. What I've found to be extremely effective is to contact the spammers and TELL them that you'll be hitting their sites, and tell them to never send spam to your domain again. I've only gotten 3 spams so far this week. Of those three, one was from a newbie spammer, and two were from USA Lenders Network (ironically, they give their address as being in Canada), whose sites I've been working on / mauling for a while now.
dra007 Posted July 7, 2004

Thank you Sir, there are plenty of good hits in my thread alone. You are most welcome to start a party with them; I will join in, even bring a case of good wine if necessary. Let me know, I'll be there.
dra007 Posted July 9, 2004

Well folks, if the spam spew continues from any of the above sites I have the word of an administrator that they will close down a whole range of problematic and unresponsive IPs. Hope that will help many of you, not just myself!