All from the same place?

[madkingsoup]

Within the past few weeks I have noticed that what appears to be about 90% of the websites referred to in the spam I get is reported to slurp[at]inktomi.com.

Has Inktomi gone a bit odd lately or is something funny going on...?

[Wazoo]

I'm more suspecting something weird is going on. I'm suspecting you know that "slurp" is the name of one of the Inktomi bots that scour the web building/adding the contect for various Search Engines ... how and why that would be found with a spam is strange, even trying to apply spammer logic .. when you then go on to say "about 90% of youe spam" .. I'm thinking that something else is going on. A Tracking URL or two of these would help in seeing where this result is coming from.

[eaolson]

I'm more suspecting something weird is going on.  I'm suspecting you know that "slurp" is the name of one of the Inktomi bots that scour the web building/adding the contect for various Search Engines ...  how and why that would be found with a spam is strange, even trying to apply spammer logic ..

23721[/snapback]

I'm not so sure about that, Wazoo. Just a few days ago, I came across a whois entry that directed abuse complaints to slurp[at]inktomi.com. I didn't know that about the Inktomi crawler, but thought it odd at the time it wasn't abuse[at] Unfortunately, I can't remember what I was looking up, so I can't show you.

[Wazoo]

It would be interesting to see what / who would be using that for registration data. I recall that my attempts at contacting them never got a response ... there was a period that there bot was appearing to be on heavy medication, filling up error logs on several sites, appearing to use folder/structure data from somewhere else but trying to search/scan those pages on 'this' web-site .... this went on for three or four days ... Inktomi never responded, but the weird searches stopped ..

[madkingsoup]

It is definitely in the whois data. And I didn't know it was a bot, although I did suspect it wasn't human with a name like that.

Example:

http://www.spamcop.net/sc?id=z726099110zfd...a18a22de5db4c1z

[Wazoo]

More than a bit odd .... In Inktomi space, yet trace-routes to a Yahoo/Geocities (allegedly) business site that has the root page showing as "under construction" ... but of course, the sub-page mentioned in the spam has content. Working on a notify to a number of folks .. thanks for the Tracking URL ...

[eaolson]

It would be interesting to see what / who would be using that for registration data.  I recall that my attempts at contacting them never got a response ... there was a period that there bot was appearing to be on heavy medication, filling up error logs on several sites, appearing to use folder/structure data from somewhere else but trying to search/scan those pages on 'this' web-site .... this went on for three or four days ... Inktomi never responded, but the weird searches stopped ..

23724[/snapback]

Ah, here is is. www.sixpacksex.com (68.142.234.39). Trimmed a bit, here's the whois:

Trying 68.142.234 at ARIN

OrgName:    Inktomi Corporation 
OrgID:      INKT
Address:    4100 East Third Avenue
City:       Foster City
StateProv:  CA
PostalCode: 94404
Country:    US

NetRange:   68.142.192.0 - 68.142.255.255 
CIDR:       68.142.192.0/18 
NetName:    INKTOMI-BLK-4
[...]
AbuseHandle: ZI107-ARIN
AbuseName:   Inktomi Corporation 
AbusePhone:  +1-650-653-2800
AbuseEmail:  slurp[at]inktomi.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

OrgTechHandle: ZI35-ARIN
OrgTechName:   Inktomi Corporation 
OrgTechPhone:  +1-650-653-2800
OrgTechEmail:  l3-ops[at]inktomi.com

Is there some reason to think this abuse address is inappropriate? I notice that an abuse.net lookup of inkomi does NOT return the slurp[at] address.

[madkingsoup]

I'm glad that other people think it's odd. It was starting to set alarms off my in my head simply because of the sheer number of sites suddenly reported back to that address.

[CompWizardry]

::::ATTENTION:::

::::WARNING:::::

The links in this post are linked to what I consider illegal sites. Do not put any info of any sort that is pertaining to you as an individual (i.e. ebay login info, passwords, credit card numbers, social security numbers.) For this site is NOT in anyway affiliated with EBAY. It will look like the real thing 100% but I assure you it is not!!

::::::::::::::::::::

Hey Guys,

I am 18 years old and am A+ Certified and working for my N+ and Security+ and have a computer store called Computer Wizardry.

I recently had a client contact me saying that she think she gave away her life to someone on ebay. (aka social security number, credit cards, login info .. everything).

Well she sent me the e-mail from supposedly ebay.com industry and it seemed very real. The mailto address was [ eBay [investigation[at]ebay.com] ]. And the logos were all from the right places and when you click on the links it directed to what it looked like the official ebay.com website if you didn't look real close; real fast.

[ http://signin.ebay.com/eBayISAPI.dll?Signln&UserID=dpmracing ]

But when I click on it because I use firefox it notified my that I was going to download a file called ebayISAPI.dll and the address was from

[ signin.ebay.com.id-verify.info ]

I checked with ebay.com and they told me id-verify.info is in no way affiliated with them. And that the client has encountered fraud.

So rigt away I had the client put a notice on her and her husbands credit history, changed her ip address because it was logged, ran complete check of spyware and viruses, and she closed her bank accounts and had them opened up new ones. The client shouldn't have any problems.

Now it's my job to catch this guy's ass.

::Noticeable Clues::

signin.ebay.com.id-verify.info

----> Leads to what looks like ebay.com signin

>>when you break the address apart

ebay.com.id-verify.info

-----> No Page Found

com.id-verify.info

-----> No Page Found

id-verify.info

-----> Sends me to ebay login screen just like the first did. So if this was ebay I think they would of just put id-verify.info instead signin.ebay.com.id-verify.info so it is apparent that this site is deffinitly not legit, and is trying to hide something. (i.e. id-verify.info)

So when you do a whois for id-verify.info this is what I got:

Domain ID:D9293677-LRMS

Domain Name:ID-VERIFY.INFO

Created On:27-Dec-2004 23:42:56 UTC

Expiration Date:27-Dec-2005 23:42:56 UTC

Sponsoring Registrar:R141-LRMS

Status:ACTIVE

Status:OK

Registrant ID:C8329670-LRMS

Registrant Name:Jennifer Thorne

Registrant Organization:Jennifer Thorne

Registrant Street1:3634 Famiglia

Registrant City:Las Vegas

Registrant State/Province:NV

Registrant Postal Code:89141

Registrant Country:US

Registrant Phone:+1.2125182715

Registrant Email:jnnfrthorne[at]yahoo.com

Admin ID:C8329667-LRMS

Admin Name:Jennifer Thorne

Admin Organization:Jennifer Thorne

Admin Street1:3634 Famiglia

Admin City:Las Vegas

Admin State/Province:NV

Admin Postal Code:89141

Admin Country:US

Admin Phone:+1.2125182715

Admin Email:jnnfrthorne[at]yahoo.com

Billing ID:C8329668-LRMS

Billing Name:YahooDomains BillingContact

Billing Organization:Yahoo! Inc

Billing Street1:701 First Ave.

Billing City:Sunnyvale

Billing State/Province:CA

Billing Postal Code:94089

Billing Country:US

Billing Phone:+1.6198813096

Billing Email:domain.billing[at]YAHOO-INC.COM

Tech ID:C8329669-LRMS

Tech Name:YahooDomains TechContact

Tech Organization:Yahoo! Inc

Tech Street1:701 First Ave.

Tech City:Sunnyvale

Tech State/Province:CA

Tech Postal Code:94089

Tech Country:US

Tech Phone:+1.6198813096

Tech Email:domain.tech[at]YAHOO-INC.COM

Name Server:YNS1.YAHOO.COM

Name Server:YNS2.YAHOO.COM

::In otherwords::

Domain: id-verify.info

Created On: 27-Dec-2004

Expiration Date: 27-Dec-2005

Jennifer Thorne

3634 Famiglia

Las Vegas NV, 89141

Phone:+1.2125182715

Email:jnnfrthorne[at]yahoo.com

-=Billing Info=-

Name:YahooDomains BillingContact

Organization:Yahoo! Inc

Email:domain.billing[at]YAHOO-INC.COM

-=Setup=-

Name Server:YNS1.YAHOO.COM

Name Server:YNS2.YAHOO.COM

---------------------------------------------------

Now excuse me for saying this, "But this guy is good".... okay, so figured out yea it's pretty simple just put in some false information. Anybody can do that, but he picked one that sounds half way legit, with ebay's id verify and created:

id-verify.info

Then it looks like he may of took and made nameservers which are almost identical if you dont look closely and see the "Y"; nameservers to yahoo.com; yns1.yahoo.com and yns2.yahoo.com; NOW maybe this is yahoo, I really have no clue if they put a "y" in front of their nameserver extnsion or not. But I will look at this in further detail later on.

You might be thinking; "This sounds like a yahoo website. I'm starting to get confused" But it isn't, if it was yahoo.com why would they only register this domain for one year. Which brings me to my next conclusion;

He registered the domain on December 27th 2004

-----> He has just recently started doing this

----------------------------------------------------

OKAY, so I bet you read this up to this point, and at least once said WHY THE HELL IS THIS POST IN THIS THREAD!

.:Answer:.

When I ran command prompt and ran [ nslookup id-verify.info ] I found the ip addresses of

68.142.234.77

68.142.234.35

68.142.234.36

68.142.234.37

68.142.234.38

68.142.234.39

And with a simple google search of the isp [68.142.234.x] I found you guys.

Then I read that you have been having issuses of a total different world, I had to let you know that he is starting up a new scheme.

I just got the email from my client this morning at 7:30 and been working on it for 2 hours, and easily found all this information simply by free resources.

------------------------------------------------------

.: More of the simple basics :.

When I ran the ping command [ ping id-verify.info ]

I got that his ip address is: 68.142.234.77

Now this ip address is for the website not for the indvidual computer of the culprit.

Then When I got this webste

[ http://www.melissadata.com/Lookups/iplocat...7&submit=submit ]

I just put in the ip address and found this information:

IP Address: 68.142.234.77

City: Foster City

State: California

Courty: US

ISP: Inktomi Corporation

------------------------------------------------------------

So that is as much as I found on this guy, It looks like everyone in this thred wants to see this ass go down. I want to help in anyway possible.

**My question whats next? Where do I go to report this? How do I know something is going to be done? **

Personally I want to kick this guy in the balls, for the headache I am having right now. I will be posting a link for all to view and see the email that the guy sent to my client.

Let me know if this helped any.

Steve Douglas

stevesmename[at]adelphia.net

Computer Wizardry

CompWizardry.com --> Site is down because admin is an ass and suspended my acount without notification. Do not use siterollout.net -- they are the biggest pricks ever.

[HAND] Have A Nice Day.

[swingspacers]

All you have established is that your phishing web site and the spamvertized web sites discussed above are all hosted at Yahoo/Geocities/Inktomi. Because Yahoo is a big hosting company with many customers (including a number of spammers, apparently), I doubt that it is the same guy.

BTW, the yns name servers are legitimate Yahoo servers. See here:

http://smallbusiness.yahoo.com/domains/redelegation.php

[CompWizardry]

that makes sense, thank you for the reply.

sorry about that then.

[Bumpkin]

A GGS of "slurp[at]inktomi.com" turned up a ton of postings showing this to be the reporting address. I agree that it's not professional, and even questionable.

Why would the name of a bot be their abuse address?

[asclep]

I am quite new to this, but I receive about 40-50 emails every day. 99% of them point to pornographic websites of which yahoo Inc is the administrator. I cannot think of way of complaining to Yahoo about this ... all the normal channels i have tried result in a 'Thank you for contacting yahoo but the email did not originate from yahoo' response. Any ideas, anyone?

[Jeff G.]

Quote the whois on the domains in your reports' comments or in manual reports.

[asclep]

Quote the whois on the domains in your reports' comments or in manual reports.

25707[/snapback]

]

Thanks, Jeff, but who to? I cannot find a name at yahoo to contact, and the 'normal' channels of communiction are automated. So if i complain, i get a 'this has nothing to do with us' response'. Forgive me if i am repeating myself. Just got another 30 spam and all the same... admin by yahoo. I'm getting fed up :-) Anyone else have this problem? I posted here because it started with inktomi as the admin....

[Miss Betsy]

I don't know if it would work with yahoo, but with hotmail when I get that kind of answer, I just kept replying and replying (with the same ID #) until finally I got a real person who listened (actually I went through three or four until I found one that understood). Also all manual reports.

Miss Betsy

[Jeff G.]

Well, lessee here...

03/18/05 21:06:07 Abuse address lookup for yahoo.com

whois -h whois.abuse.net yahoo.com ...

mail-abuse<at>yahoo-inc.com (for yahoo.com)

postmaster<at>yahoo.com (for yahoo.com)

What I sent looks much like the following:

To: mail-abuse<at>yahoo-inc.com, postmaster<at>yahoo.com

Subject: Commercial Use of jnnfrthorne<at>yahoo.com

Yahoo! Customer Care Representatives at mail-abuse<at>yahoo-inc.com and postmaster<at>yahoo.com, your customer jnnfrthorne<at>yahoo.com registered commercial domain id-verify.info, exploiting that customer's Yahoo! I.D. and Email portions of your Service for commercial purposes in violation of Term 10 of your Yahoo! Terms of Service at http://docs.yahoo.com/info/terms/ .  Please enforce that Term.

Also, we called +1.2125182715, which is an Emergency Services Number and is a wrong number for Jennifer Thorne.  [However, she does have a listed number at 3634 Famiglia Dr, (702) 270 - 0950.  I don't have time to call that number right now, maybe later.]

Thanks and Best Regards,

Jeff

----- Evidence Follows -----

03/18/05 21:16:20 whois id-verify.info

.info is a domain of Information

(international dialing code 1)

Searches for .info can be run at http://www.nic.info

whois -h whois.afilias.net id-verify.info ...

NOTICE: Access to .INFO WHOIS information is provided to assist persons in

determining the contents of a domain name registration record in the Afilias

registry database. The data in this record is provided by Afilias Limited

for informational purposes only, and Afilias does not guarantee its

accuracy.  This service is intended only for query-based access.  You agree

that you will use this data only for lawful purposes and that, under no

circumstances will you use this data to: (a) allow, enable, or otherwise

support the transmission by e-mail, telephone, or facsimile of mass

unsolicited, commercial advertising or solicitations to entities other than

the data recipient's own existing customers; or ( enable high volume,

automated, electronic processes that send queries or data to the systems of

Registry Operator or any ICANN-Accredited Registrar, except as reasonably

necessary to register domain names or modify existing registrations.  All

rights reserved. Afilias reserves the right to modify these terms at any

time. By submitting this query, you agree to abide by this policy.

Domain ID:D9293677-LRMS

Domain Name:ID-VERIFY.INFO

Created On:27-Dec-2004 23:42:56 UTC

Expiration Date:27-Dec-2005 23:42:56 UTC

Sponsoring Registrar:R141-LRMS

Status:ACTIVE

Status:OK

Registrant ID:C8329670-LRMS

Registrant Name:Jennifer Thorne

Registrant Organization:Jennifer Thorne

Registrant Street1:3634 Famiglia

Registrant City:Las Vegas

Registrant State/Province:NV

Registrant Postal Code:89141

Registrant Country:US

Registrant Phone:+1.2125182715

Registrant Email:jnnfrthorne<at>yahoo.com

Admin ID:C8329667-LRMS

Admin Name:Jennifer Thorne

Admin Organization:Jennifer Thorne

Admin Street1:3634 Famiglia

Admin City:Las Vegas

Admin State/Province:NV

Admin Postal Code:89141

Admin Country:US

Admin Phone:+1.2125182715

Admin Email:jnnfrthorne<at>yahoo.com

Billing ID:C8329668-LRMS

Billing Name:YahooDomains BillingContact

Billing Organization:Yahoo! Inc

Billing Street1:701 First Ave.

Billing City:Sunnyvale

Billing State/Province:CA

Billing Postal Code:94089

Billing Country:US

Billing Phone:+1.6198813096

Billing Email:domain.billing<at>YAHOO-INC.COM

Tech ID:C8329669-LRMS

Tech Name:YahooDomains TechContact

Tech Organization:Yahoo! Inc

Tech Street1:701 First Ave.

Tech City:Sunnyvale

Tech State/Province:CA

Tech Postal Code:94089

Tech Country:US

Tech Phone:+1.6198813096

Tech Email:domain.tech<at>YAHOO-INC.COM

Name Server:YNS1.YAHOO.COM

Name Server:YNS2.YAHOO.COM

[asclep]

Wow. Thanks, guys. I'll give it a try. Really appreciate your help.

Well, lessee here...

25766[/snapback]

[Jeff G.]

... and I got a response from Yahoo! Domains <domains-abuse<at>yahoo-inc.com> as follows:

Hello,

Thank you for writing to Yahoo! Domains.

Thank you for reporting possible abuse on Yahoo! Web Hosting.  We will

investigate the site and take the appropriate action. 

Please continue to notify us of any questionable content you find in

Yahoo! Web Hosting.  The Yahoo! Terms of Service can be viewed at:

http://docs.yahoo.com/info/terms/

Thank you again for contacting Yahoo! Customer Care.

Regards,

Yahoo! Customer Care

http://www.yahoo.com/

13417236