madkingsoup Posted January 28, 2005

Within the past few weeks I have noticed that what appears to be about 90% of the websites referred to in the spam I get is reported to slurp[at]inktomi.com. Has Inktomi gone a bit odd lately or is something funny going on...?
Wazoo Posted January 28, 2005

I'm more suspecting something weird is going on. I'm suspecting you know that "slurp" is the name of one of the Inktomi bots that scour the web building/adding the content for various Search Engines ... how and why that would be found with a spam is strange, even trying to apply spammer logic .. when you then go on to say "about 90% of your spam" .. I'm thinking that something else is going on. A Tracking URL or two of these would help in seeing where this result is coming from.
eaolson Posted January 28, 2005

> I'm more suspecting something weird is going on. I'm suspecting you know that "slurp" is the name of one of the Inktomi bots that scour the web building/adding the content for various Search Engines ... how and why that would be found with a spam is strange, even trying to apply spammer logic ..

I'm not so sure about that, Wazoo. Just a few days ago, I came across a whois entry that directed abuse complaints to slurp[at]inktomi.com. I didn't know that about the Inktomi crawler, but thought it odd at the time it wasn't abuse[at]. Unfortunately, I can't remember what I was looking up, so I can't show you.
Wazoo Posted January 28, 2005

It would be interesting to see what / who would be using that for registration data. I recall that my attempts at contacting them never got a response ... there was a period that their bot was appearing to be on heavy medication, filling up error logs on several sites, appearing to use folder/structure data from somewhere else but trying to search/scan those pages on 'this' web-site .... this went on for three or four days ... Inktomi never responded, but the weird searches stopped ..
madkingsoup (Author) Posted January 28, 2005

It is definitely in the whois data. And I didn't know it was a bot, although I did suspect it wasn't human with a name like that.

Example: http://www.spamcop.net/sc?id=z726099110zfd...a18a22de5db4c1z
Wazoo Posted January 28, 2005

More than a bit odd .... In Inktomi space, yet trace-routes to a Yahoo/Geocities (allegedly) business site that has the root page showing as "under construction" ... but of course, the sub-page mentioned in the spam has content. Working on a notify to a number of folks .. thanks for the Tracking URL ...
eaolson Posted January 29, 2005

> It would be interesting to see what / who would be using that for registration data. I recall that my attempts at contacting them never got a response ... there was a period that their bot was appearing to be on heavy medication, filling up error logs on several sites, appearing to use folder/structure data from somewhere else but trying to search/scan those pages on 'this' web-site .... this went on for three or four days ... Inktomi never responded, but the weird searches stopped ..

Ah, here it is. www.sixpacksex.com (68.142.234.39). Trimmed a bit, here's the whois:

Trying 68.142.234 at ARIN
OrgName: Inktomi Corporation
OrgID: INKT
Address: 4100 East Third Avenue
City: Foster City
StateProv: CA
PostalCode: 94404
Country: US
NetRange: 68.142.192.0 - 68.142.255.255
CIDR: 68.142.192.0/18
NetName: INKTOMI-BLK-4
[...]
AbuseHandle: ZI107-ARIN
AbuseName: Inktomi Corporation
AbusePhone: +1-650-653-2800
AbuseEmail: slurp[at]inktomi.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OrgTechHandle: ZI35-ARIN
OrgTechName: Inktomi Corporation
OrgTechPhone: +1-650-653-2800
OrgTechEmail: l3-ops[at]inktomi.com

Is there some reason to think this abuse address is inappropriate? I notice that an abuse.net lookup of inkomi does NOT return the slurp[at] address.
madkingsoup (Author) Posted January 29, 2005

I'm glad that other people think it's odd. It was starting to set alarms off in my head simply because of the sheer number of sites suddenly reported back to that address.
CompWizardry Posted February 6, 2005

::::ATTENTION::: ::::WARNING:::::
The links in this post are linked to what I consider illegal sites. Do not put any info of any sort that is pertaining to you as an individual (i.e. ebay login info, passwords, credit card numbers, social security numbers.) For this site is NOT in any way affiliated with EBAY. It will look like the real thing 100% but I assure you it is not!!
::::::::::::::::::::

Hey Guys,

I am 18 years old and am A+ Certified and working for my N+ and Security+ and have a computer store called Computer Wizardry. I recently had a client contact me saying that she thinks she gave away her life to someone on ebay. (aka social security number, credit cards, login info .. everything).

Well she sent me the e-mail from supposedly ebay.com industry and it seemed very real. The mailto address was [ eBay [investigation[at]ebay.com] ]. And the logos were all from the right places and when you click on the links it directed to what it looked like the official ebay.com website if you didn't look real close; real fast.

[ http://signin.ebay.com/eBayISAPI.dll?Signln&UserID=dpmracing ]

But when I click on it because I use firefox it notified me that I was going to download a file called ebayISAPI.dll and the address was from [ signin.ebay.com.id-verify.info ]

I checked with ebay.com and they told me id-verify.info is in no way affiliated with them. And that the client has encountered fraud. So right away I had the client put a notice on her and her husband's credit history, changed her ip address because it was logged, ran complete check of spyware and viruses, and she closed her bank accounts and had them opened up new ones. The client shouldn't have any problems. Now it's my job to catch this guy's ass.

::Noticeable Clues::

signin.ebay.com.id-verify.info ----> Leads to what looks like ebay.com signin
>>when you break the address apart
ebay.com.id-verify.info -----> No Page Found
com.id-verify.info -----> No Page Found
id-verify.info -----> Sends me to ebay login screen just like the first did.

So if this was ebay I think they would have just put id-verify.info instead signin.ebay.com.id-verify.info so it is apparent that this site is definitely not legit, and is trying to hide something. (i.e. id-verify.info)

So when you do a whois for id-verify.info this is what I got:

Domain ID:D9293677-LRMS
Domain Name:ID-VERIFY.INFO
Created On:27-Dec-2004 23:42:56 UTC
Expiration Date:27-Dec-2005 23:42:56 UTC
Sponsoring Registrar:R141-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C8329670-LRMS
Registrant Name:Jennifer Thorne
Registrant Organization:Jennifer Thorne
Registrant Street1:3634 Famiglia
Registrant City:Las Vegas
Registrant State/Province:NV
Registrant Postal Code:89141
Registrant Country:US
Registrant Phone:+1.2125182715
Registrant Email:jnnfrthorne[at]yahoo.com
Admin ID:C8329667-LRMS
Admin Name:Jennifer Thorne
Admin Organization:Jennifer Thorne
Admin Street1:3634 Famiglia
Admin City:Las Vegas
Admin State/Province:NV
Admin Postal Code:89141
Admin Country:US
Admin Phone:+1.2125182715
Admin Email:jnnfrthorne[at]yahoo.com
Billing ID:C8329668-LRMS
Billing Name:YahooDomains BillingContact
Billing Organization:Yahoo! Inc
Billing Street1:701 First Ave.
Billing City:Sunnyvale
Billing State/Province:CA
Billing Postal Code:94089
Billing Country:US
Billing Phone:+1.6198813096
Billing Email:domain.billing[at]YAHOO-INC.COM
Tech ID:C8329669-LRMS
Tech Name:YahooDomains TechContact
Tech Organization:Yahoo! Inc
Tech Street1:701 First Ave.
Tech City:Sunnyvale
Tech State/Province:CA
Tech Postal Code:94089
Tech Country:US
Tech Phone:+1.6198813096
Tech Email:domain.tech[at]YAHOO-INC.COM
Name Server:YNS1.YAHOO.COM
Name Server:YNS2.YAHOO.COM

::In other words::

Domain: id-verify.info
Created On: 27-Dec-2004
Expiration Date: 27-Dec-2005
Jennifer Thorne
3634 Famiglia
Las Vegas NV, 89141
Phone:+1.2125182715
Email:jnnfrthorne[at]yahoo.com

-=Billing Info=-
Name:YahooDomains BillingContact
Organization:Yahoo! Inc
Email:domain.billing[at]YAHOO-INC.COM

-=Setup=-
Name Server:YNS1.YAHOO.COM
Name Server:YNS2.YAHOO.COM

---------------------------------------------------

Now excuse me for saying this, "But this guy is good".... okay, so figured out yea it's pretty simple just put in some false information. Anybody can do that, but he picked one that sounds half way legit, with ebay's id verify and created: id-verify.info

Then it looks like he may have taken and made nameservers which are almost identical if you don't look closely and see the "Y"; nameservers to yahoo.com; yns1.yahoo.com and yns2.yahoo.com; NOW maybe this is yahoo, I really have no clue if they put a "y" in front of their nameserver extension or not. But I will look at this in further detail later on.

You might be thinking; "This sounds like a yahoo website. I'm starting to get confused" But it isn't, if it was yahoo.com why would they only register this domain for one year. Which brings me to my next conclusion; He registered the domain on December 27th 2004 -----> He has just recently started doing this

----------------------------------------------------

OKAY, so I bet you read this up to this point, and at least once said WHY THE HELL IS THIS POST IN THIS THREAD!

.:Answer:.

When I ran command prompt and ran [ nslookup id-verify.info ] I found the ip addresses of

68.142.234.77
68.142.234.35
68.142.234.36
68.142.234.37
68.142.234.38
68.142.234.39

And with a simple google search of the isp [68.142.234.x] I found you guys. Then I read that you have been having issues of a total different world, I had to let you know that he is starting up a new scheme. I just got the email from my client this morning at 7:30 and been working on it for 2 hours, and easily found all this information simply by free resources.

------------------------------------------------------

.: More of the simple basics :.

When I ran the ping command [ ping id-verify.info ] I got that his ip address is: 68.142.234.77

Now this ip address is for the website not for the individual computer of the culprit.

Then when I got this website [ http://www.melissadata.com/Lookups/iplocat...7&submit=submit ] I just put in the ip address and found this information:

IP Address: 68.142.234.77
City: Foster City
State: California
Country: US
ISP: Inktomi Corporation

------------------------------------------------------------

So that is as much as I found on this guy, it looks like everyone in this thread wants to see this ass go down. I want to help in any way possible.

**My question what's next? Where do I go to report this? How do I know something is going to be done? **

Personally I want to kick this guy in the balls, for the headache I am having right now. I will be posting a link for all to view and see the email that the guy sent to my client. Let me know if this helped any.

Steve Douglas
stevesmename[at]adelphia.net
Computer Wizardry
CompWizardry.com --> Site is down because admin is an ass and suspended my account without notification. Do not use siterollout.net -- they are the biggest pricks ever.

[HAND] Have A Nice Day.
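Added example, not part of the original thread: the "break the address apart" check from the post above, done on the registrable domain instead of by loading each hostname in a browser. The suffix set, the protected-brand list and the target URL's path are assumptions made for this sketch; a real filter would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this example.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk"}
# Assumption: registrable domains of the brands being protected.
PROTECTED = ("ebay.com", "yahoo.com")


def registrable_domain(host):
    """Return public suffix plus one label, e.g. 'id-verify.info'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def embedded_brand(host):
    """Return the protected domain used as bait in the subdomain labels, or None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return None  # the host really belongs to the brand
    left = "." + host[: len(host) - len(reg)]  # e.g. '.signin.ebay.com.'
    for brand in PROTECTED:
        if "." + brand + "." in left:
            return brand
    return None


def check_link(display_text, href):
    """Compare the host a message shows with the host the link really opens."""
    shown = urlsplit(display_text).hostname
    actual = urlsplit(href).hostname or ""
    return {
        "shown": shown,
        "actual_registrable": registrable_domain(actual) if actual else None,
        "mismatch": bool(shown and actual and
                         registrable_domain(shown) != registrable_domain(actual)),
        "embedded_brand": embedded_brand(actual) if actual else None,
    }


# Hostnames are the ones quoted in the post; query string trimmed, target path constructed.
SHOWN = "http://signin.ebay.com/eBayISAPI.dll"
TARGET = "http://signin.ebay.com.id-verify.info/eBayISAPI.dll"

if __name__ == "__main__":
    print(check_link(SHOWN, TARGET))
```
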
swingspacers Posted February 6, 2005

All you have established is that your phishing web site and the spamvertized web sites discussed above are all hosted at Yahoo/Geocities/Inktomi. Because Yahoo is a big hosting company with many customers (including a number of spammers, apparently), I doubt that it is the same guy.

BTW, the yns name servers are legitimate Yahoo servers. See here: http://smallbusiness.yahoo.com/domains/redelegation.php
CompWizardry Posted February 6, 2005

That makes sense, thank you for the reply. Sorry about that then.
Bumpkin Posted February 7, 2005

A GGS of "slurp[at]inktomi.com" turned up a ton of postings showing this to be the reporting address. I agree that it's not professional, and even questionable. Why would the name of a bot be their abuse address?
asclep Posted March 18, 2005

I am quite new to this, but I receive about 40-50 emails every day. 99% of them point to pornographic websites of which yahoo Inc is the administrator. I cannot think of a way of complaining to Yahoo about this ... all the normal channels I have tried result in a 'Thank you for contacting yahoo but the email did not originate from yahoo' response. Any ideas, anyone?
Jeff G. Posted March 18, 2005

Quote the whois on the domains in your reports' comments or in manual reports.
asclep Posted March 18, 2005

> Quote the whois on the domains in your reports' comments or in manual reports.

Thanks, Jeff, but who to? I cannot find a name at yahoo to contact, and the 'normal' channels of communication are automated. So if I complain, I get a 'this has nothing to do with us' response. Forgive me if I am repeating myself. Just got another 30 spam and all the same... admin by yahoo. I'm getting fed up :-) Anyone else have this problem? I posted here because it started with inktomi as the admin....
Miss Betsy Posted March 19, 2005

I don't know if it would work with yahoo, but with hotmail when I get that kind of answer, I just kept replying and replying (with the same ID #) until finally I got a real person who listened (actually I went through three or four until I found one that understood). Also all manual reports.

Miss Betsy
Jeff G. Posted March 19, 2005

Well, lessee here...

03/18/05 21:06:07 Abuse address lookup for yahoo.com
whois -h whois.abuse.net yahoo.com ...
mail-abuse<at>yahoo-inc.com (for yahoo.com)
postmaster<at>yahoo.com (for yahoo.com)

What I sent looks much like the following:

To: mail-abuse<at>yahoo-inc.com, postmaster<at>yahoo.com
Subject: Commercial Use of jnnfrthorne<at>yahoo.com

Yahoo! Customer Care Representatives at mail-abuse<at>yahoo-inc.com and postmaster<at>yahoo.com, your customer jnnfrthorne<at>yahoo.com registered commercial domain id-verify.info, exploiting that customer's Yahoo! I.D. and Email portions of your Service for commercial purposes in violation of Term 10 of your Yahoo! Terms of Service at http://docs.yahoo.com/info/terms/ . Please enforce that Term.

Also, we called +1.2125182715, which is an Emergency Services Number and is a wrong number for Jennifer Thorne. [However, she does have a listed number at 3634 Famiglia Dr, (702) 270 - 0950. I don't have time to call that number right now, maybe later.]

Thanks and Best Regards,
Jeff

----- Evidence Follows -----

03/18/05 21:16:20 whois id-verify.info
.info is a domain of Information (international dialing code 1)
Searches for .info can be run at http://www.nic.info
whois -h whois.afilias.net id-verify.info ...

NOTICE: Access to .INFO WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Afilias registry database. The data in this record is provided by Afilias Limited for informational purposes only, and Afilias does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator or any ICANN-Accredited Registrar, except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Afilias reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Domain ID:D9293677-LRMS
Domain Name:ID-VERIFY.INFO
Created On:27-Dec-2004 23:42:56 UTC
Expiration Date:27-Dec-2005 23:42:56 UTC
Sponsoring Registrar:R141-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C8329670-LRMS
Registrant Name:Jennifer Thorne
Registrant Organization:Jennifer Thorne
Registrant Street1:3634 Famiglia
Registrant City:Las Vegas
Registrant State/Province:NV
Registrant Postal Code:89141
Registrant Country:US
Registrant Phone:+1.2125182715
Registrant Email:jnnfrthorne<at>yahoo.com
Admin ID:C8329667-LRMS
Admin Name:Jennifer Thorne
Admin Organization:Jennifer Thorne
Admin Street1:3634 Famiglia
Admin City:Las Vegas
Admin State/Province:NV
Admin Postal Code:89141
Admin Country:US
Admin Phone:+1.2125182715
Admin Email:jnnfrthorne<at>yahoo.com
Billing ID:C8329668-LRMS
Billing Name:YahooDomains BillingContact
Billing Organization:Yahoo! Inc
Billing Street1:701 First Ave.
Billing City:Sunnyvale
Billing State/Province:CA
Billing Postal Code:94089
Billing Country:US
Billing Phone:+1.6198813096
Billing Email:domain.billing<at>YAHOO-INC.COM
Tech ID:C8329669-LRMS
Tech Name:YahooDomains TechContact
Tech Organization:Yahoo! Inc
Tech Street1:701 First Ave.
Tech City:Sunnyvale
Tech State/Province:CA
Tech Postal Code:94089
Tech Country:US
Tech Phone:+1.6198813096
Tech Email:domain.tech<at>YAHOO-INC.COM
Name Server:YNS1.YAHOO.COM
Name Server:YNS2.YAHOO.COM
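Added example, not part of the original thread: a small parser for the `Key:Value` registry output quoted in the report above, pulling out the fields worth citing in an abuse report (domain age when the mail was seen, registration term, name servers, contacts). The record excerpt is trimmed from the post; the 90-day "newly registered" threshold and the function names are assumptions.

```python
from datetime import date

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Excerpt of the Afilias record quoted in the post above (fields trimmed).
RECORD = """\
Domain Name:ID-VERIFY.INFO
Created On:27-Dec-2004 23:42:56 UTC
Expiration Date:27-Dec-2005 23:42:56 UTC
Status:ACTIVE
Status:OK
Registrant Email:jnnfrthorne<at>yahoo.com
Billing Organization:Yahoo! Inc
Tech Email:domain.tech<at>YAHOO-INC.COM
Name Server:YNS1.YAHOO.COM
Name Server:YNS2.YAHOO.COM
"""


def parse_whois(text):
    """Parse 'Key:Value' lines; repeated keys (Status, Name Server) become lists."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and value.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec


def whois_date(value):
    """'27-Dec-2004 23:42:56 UTC' -> date(2004, 12, 27), independent of locale."""
    day, mon, year = value.split()[0].split("-")
    return date(int(year), MONTHS[mon], int(day))


def report_summary(text, seen_on, young_days=90):
    """Summarise a record relative to the day the suspicious mail was seen."""
    rec = parse_whois(text)
    created = whois_date(rec["Created On"][0])
    expires = whois_date(rec["Expiration Date"][0])
    age = (seen_on - created).days
    return {
        "domain": rec["Domain Name"][0].lower(),
        "age_days": age,
        "newly_registered": age <= young_days,  # assumed threshold
        "term_days": (expires - created).days,
        "name_servers": [ns.lower() for ns in rec.get("Name Server", [])],
        "contacts": sorted(v.lower() for k, vs in rec.items()
                           if k.endswith("Email") for v in vs),
    }


if __name__ == "__main__":
    # 6 February 2005 is the date of the post that first reported the domain.
    print(report_summary(RECORD, date(2005, 2, 6)))
```
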
asclep Posted March 19, 2005

Wow. Thanks, guys. I'll give it a try. Really appreciate your help.

> Well, lessee here...
Jeff G. Posted March 21, 2005

... and I got a response from Yahoo! Domains <domains-abuse<at>yahoo-inc.com> as follows:

Hello,

Thank you for writing to Yahoo! Domains.

Thank you for reporting possible abuse on Yahoo! Web Hosting. We will investigate the site and take the appropriate action.

Please continue to notify us of any questionable content you find in Yahoo! Web Hosting. The Yahoo! Terms of Service can be viewed at: http://docs.yahoo.com/info/terms/

Thank you again for contacting Yahoo! Customer Care.

Regards,
Yahoo! Customer Care
http://www.yahoo.com/
13417236