
Korean spammers: kornet and hanaro


leelikwe


I have been receiving about 10 spam mails daily, which I usually forward to spamcop. For many months, I have noticed that a large number of the reports are being sent to

abuse[at]kornet.net

abuse[at]hanaro.com

So I did a search on google and discovered that they originate from Korea.

http://www.greens.org/etc/krmail.shtml

My question is: if the ISP refuses to take action, is there a point in diligently reporting spam to the two abuse email addresses? I even suspect the messages are routed to /dev/null or something.

I did a search and discovered that there is a Korean spam Response Center. They have a web form to report spam

http://minwon.spamcop.or.kr:5010/eng/m_3_3.jsp

which allows you to attach a file. I was wondering if it is possible for spamcop to report the spam there. I couldn't find an email address for reporting spam there. I thought it might be more useful than reporting to the ISP.

Thanks

likwee

Link to comment
Share on other sites

I've no knowledge of the referenced URL, but it smells really bad ....

(I note that Marjolien has this "office" listed on her BanSpam page of links (see the FAQ) but she also didn't appear comfortable with putting up any of the links (the majority of Google returns all seem to show a .jsp web page for any contact, she didn't allow JavaScript to run on her systems, so probably the same thoughts, unverifiable. I seem to recall sending a note upstream about a Korean SpamCop thing a few years back, not sure if this is the same thing or not.) But in any case, the "real" SpamCop parsing & reporting tool is not geared up to try to attempt web-form submittals of complaints.

The use of a non-standard port for connecting, then the URL firing up a bit of script ...

IPv4 Address : 211.252.150.0-211.252.150.255

Network Name : PUBNET-PUBNET2001008949

Connect ISP Name : PUBNET

E-Mail : abuse[at]pubnet.ne.kr

attempting a "normal" connection doesn't fly ....

07/01/05 13:04:22 Browsing http://minwon.spamcop.or.kr/

Fetching http://minwon.spamcop.or.kr/ ...

GET / HTTP/1.1

Host: minwon.spamcop.or.kr

Connection: close

User-Agent: Sam Spade 1.14

Socket Error

Trace minwon.spamcop.or.kr (211.252.150.21) ...

211.216.216.97 RTT: 241ms TTL: 16 (apnc10 bogus rDNS: host not found [authoritative])

211.216.216.12 RTT: 221ms TTL: 16 (glgate201-g2-0.kornet.net bogus rDNS: host not found [authoritative])

203.234.255.86 RTT: 210ms TTL: 16 (No rDNS)

202.30.94.7 RTT: 211ms TTL: 16 (No rDNS)

210.204.254.253 RTT: 210ms TTL: 16 (No rDNS)

210.104.3.74 RTT: 212ms TTL: 16 (No rDNS)

211.253.254.82 RTT: 214ms TTL: 16 (No rDNS)

210.204.252.41 RTT: 213ms TTL: 16 (No rDNS)

* * * failed

* * * failed

* * * failed

* * * failed

* * * failed

* * * failed

Link to comment
Share on other sites

I've no knowledge of the referenced URL, but it smells really bad ....

Hmm..I am not sure why it smells bad....but the url for the Korean spam Response Center

http://www.spamcop.or.kr/eng/index.jsp

Somewhere along http://www.spamcop.or.kr/eng/m_1.html, it says

Korea spam Response Center was established within the KISA (Korea Information Security Agency),

which is an affiliated agency of the Ministry of Information and Communication, on January 24, 2003,

to receive and handle civil appeals relating spam issues and to carry out anti-spam activities.

And I ran the following command, if that's helpful

I don't know why the *** in traceroute :P

$host minwon.spamcop.or.kr

minwon.spamcop.or.kr has address 211.252.150.21

$traceroute to minwon.spamcop.or.kr (211.252.150.21), 30 hops max, 38 byte packets

1 comm-d1-g-v130 (128.114.130.252) 0.719 ms 0.690 ms 0.678 ms

2 isp-d1-g-G0-1 (128.114.101.33) 0.484 ms 0.406 ms 0.390 ms

3 hpr-g-GE2-1 (128.114.0.46) 0.562 ms 0.426 ms 0.414 ms

4 hpr-oak-hpr--ucsc-egm.cenic.net (137.164.27.153) 3.590 ms 3.541 ms 3.538 ms

5 sac-hpr--oak-hpr-10ge.cenic.net (137.164.25.17) 5.713 ms 5.206 ms 5.211 ms

6 lax-hpr--sac-hpr-10ge.cenic.net (137.164.25.10) 12.287 ms 12.988 ms 12.382 ms

7 transpac-local.lsanca.pacificwave.net (207.231.240.136) 12.280 ms 12.265 ms 12.252 ms

8 tokyo-losa-oc192.transpac2.net (192.203.116.146) 125.651 ms 125.612 ms 125.613 ms

9 tpr4-10gi0-1-0.jp.apan.net (203.181.248.109) 174.677 ms 145.036 ms 149.547 ms

10 apii-juniper-ge1-0-0-1036.jp.apan.net (203.181.248.226) 143.109 ms 143.185 ms 143.167 ms

11 203.181.249.161 (203.181.249.161) 147.127 ms 147.130 ms 147.172 ms

12 * * *

13 * * *

14 * * *

15 * * *

16 203.255.249.237 (203.255.249.237) 155.301 ms 155.132 ms 155.360 ms

17 202.30.94.7 (202.30.94.7) 150.236 ms 150.571 ms 150.632 ms

18 210.204.254.253 (210.204.254.253) 151.125 ms 150.771 ms 152.612 ms

19 210.104.3.106 (210.104.3.106) 175.929 ms 175.730 ms 175.956 ms

20 211.253.254.70 (211.253.254.70) 151.221 ms 151.038 ms 151.035 ms

21 210.204.252.57 (210.204.252.57) 151.399 ms 150.953 ms 151.846 ms

22 * * *

23 * * *

24 * * *

25 * * *

26 * * *

27 * * *

28 * * *

29 * * *

30 * * *

Link to comment
Share on other sites

I've no knowledge of the referenced URL, but it smells really bad ....

(I note that Marjolien has this "office" listed on her BanSpam page of links (see the FAQ) but she also didn't appear comfortable with putting up any of the links (the majority of Google returns all seem to show a .jsp web page for any contact, she didn't allow JavaScript to run on her systems, so probably the same thoughts, unverifiable. I seem to recall sending a note upstream about a Korean SpamCop thing a few years back, not sure if this is the same thing or not.) But in any case, the "real" SpamCop parsing & reporting tool is not geared up to try to attempt web-form submittals of complaints.

Looking at http://banspam.javawoman.com/report3.html

the link is there even though it says online reporting only.

Ok...after browsing further

http://www.spamcop.or.kr/eng/m_3_3.html

It says:

--------------------------------------

Reporting Korean spam

Currently, KSRC receives foreigners' reports via e-mail.

If you want to report any received spam originating from Korea, contact us at

spamcop[at]kisa.or.kr

* Please attach the original copy of the received Korean spam

or its header information for identifying the Spammer,

and provide the recipient's precise e-mail address for notifying the Spammer of the recipient's refusal.

------------------------------------------

If ISP doesn't care, maybe reporting spam to that email would be more useful.

Link to comment
Share on other sites

and provide the recipient's precise e-mail address for notifying the Spammer of the recipient's refusal.


would have to be a 'refuses munged reports' option. sounds like a formal attempt to listwash to me.

Link to comment
Share on other sites

I agree that the whole thing just doesn't feel right. No rDNS, requiring the spam target's email address and attempts to claim responsibility for other ISP's abuse issues. Combine that with the BanSpam hit and I wouldn't touch it with a long pole.

There's another side to this as well. If you send general network abuse reports (hack attempts, viral activity, etc.) to either abuse[at]hanaro.com or abuse[at]kornet.net you'll get an identical canned response after a few hours that they don't deal with abuse issues (I find this astounding... after all, the abuse was generated inside their own network) and that any abuse reports should be sent to abuse[at]kisa.or.kr. Despite this claim both of their NIC records still reflect abuse addresses at their own TLD rather than at KISA.

At least a dozen times per domain I responded to the canned response in both English and Korean (gotta love Babelfish) that if they wanted abuse reports to go to a different host then they need to change their NIC records to reflect a different POC and that since they are the abuse handle on the current NIC it is their responsibility to deal with abuse reports and/or their responsibility to forward it to the host they want it to go to. Despite my efforts I never heard another thing back on any of my reports. I even went so far as to call them in the hopes of locating an English speaker at either facility but I had no luck after 3 attempts.

In short, the whole setup of hanaro.com and kornet.net does not feel right nor operate according to the simplest recognized standards so I don't trust them at all nor any organization (such as KISA) that they claim affiliation with.

Link to comment
Share on other sites

I'd like to echo the sentiments of the OT -- I also have been receiving an inordinate amount of crap from hanaro and kornet. They are clearly a great example of a slimy spamhaus.

Have a look at Hanaro's "Anti-spam policy" at

http://www.hanaro.com/eng/other/spam.asp

They may officially look down on warez and porn spam, but basically a huge percentage of garbage sent from them looks OK to them.

Then there are a few pages online that are easily found thru Google by just combining

one of the culprits with the word spam --

http://web.greens.org/etc/krmail.shtml

http://steeev.f2o.org/mt/2004/07/bloody_sp...ertccorkr_.html

And news at

http://www.spamfo.co.uk/component/option,c...d,219/Itemid,2/

Supposedly Hanaro canned 130 cell phone spammers....at any rate, it mentioned an official at Korea's Ministry of Information and Communication (MIC)

Maybe fire off a complaint against Hanaro and Kornet to them....for what good it'll do.....

Link to comment
Share on other sites

Guess nothing is going to be done then and I am doomed to get the spam....:angry:

and think I will give up reporting to spamcop since it doesn't seem to help a bit.

I am using myrealbox.com which although some website says it filters spam, I am sure it doesn't. :(

Link to comment
Share on other sites

I am using myrealbox.com which although some website says it filters spam, I am sure it doesn't. :(

I have the following in an archived email from them:
From: "MyRealBox Team" <myrealboxteam<at>myrealbox.com>

To: <MyRealBox Users>

Subject: MyRealBox Update

Date: Fri, 29 Mar 2002 18:01:30 -0700

...

5) AntiSpam tips:

    MyRealBox has some great anti-spam technology.  We have taken steps

    to prevent our users from receiving spam; however, these steps do

    not prevent all spam.  Here are some of the anti-spam measures we have

    taken:

    a) By default you are not listed in the MyRealBox system wide address

    book.

    b) We have implemented multiple DNS Block lists (DNSBL) that block

    known spammers and spam friendly networks.

    c) We do not release any user's information.

    These steps will prevent the majority of spam that you might otherwise

    receive

...

AntiVirus

  Last October we added an AntiVirus agent to MyRealBox.  We now scan all

  email attachments for viruses.  However, we do not guarantee our Virus

  scanner will catch all email viruses. Our virus scanner should be used

  in conjunction with an Anti-Virus package installed on your workstation,

  not as a substitute.

I can post the full email if there is interest.
Link to comment
Share on other sites

I have the following in an archived email from them: I can post the full email if there is interest.

If that's the case, how can you explain that I keep getting more than 10 spams a day?

Also, the email you quote is from 3 years ago. I believe I had much less spam then than now.

I wonder how updated their block list is.

Link to comment
Share on other sites

Good luck asking them. :)


Here's my mail to them :) . If I get a reply, I will post.

-----------------------------

Hi,

I have been receiving an inordinate amount of spam (more than 10 per day) in myrealbox.com account. I wonder if myrealbox does any spam filtering since I believed the case.

Someone at spamcop quoted an email from myrealbox saying:

"We have implemented multiple DNS Block lists (DNSBL) that block known spammers and spam friendly networks."

Is the list updated? Is there an email address where I can forward my spam mails so that you can find ways to block them?

Thanks,

-----------------------------

Link to comment
Share on other sites

Guess nothing is going to be done then and I am doomed to get the spam....

Not necessarily...

Over the last 24 hours I received roughly 20 spams from Korea and China. I decided I've had enough, and since I run my own personal mail and DNS servers I figured I could make my own dnsbl for those 2 countries (I know there is at least one hosted set out there but the response time is so slow it hurts).

So, I visited this site: http://www.okean.com/thegoods.html

and made myself an all-Korean and all-Chinese blacklist.

It's been up and running for about 3 hours now and it's already killed 4 Korean and 2 Chinese connection attempts with 0 of either getting through.

This solution may not be possible for you but it sure does work nicely. :)

Link to comment
Share on other sites
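An added example, not part of the post above or any poster's own setup: how a private country DNSBL like the one described answers a mail server at connect time. The zone name kr.dnsbl.example and the list format are assumptions; the first sample range is the whois block quoted earlier in the thread and the rest is constructed. Listing whole ranges rejects every sender in them, so this only suits a mailbox that expects no mail from those networks.

```python
import ipaddress

# Hypothetical zone name for a privately hosted country DNSBL.
ZONE = "kr.dnsbl.example"

# Constructed sample list, one "CIDR  note" entry per line (assumed format).
SAMPLE_LIST = """\
# cidr              note
211.252.150.0/24    PUBNET block from the whois output quoted in this thread
203.0.113.0/24      constructed documentation range
not-a-cidr          malformed entry, skipped by the parser
"""

def load_networks(text):
    """Parse one CIDR per line, ignoring comments, blanks and bad entries."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
        except ValueError:
            continue  # a bad line must not take the whole list down
    return nets

def dnsbl_qname(ip, zone=ZONE):
    """Name the mail server looks up: reversed octets plus the zone (RFC 5782)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(ip, nets):
    """Answer the list gives: 127.0.0.2 if listed, None (NXDOMAIN) if not."""
    addr = ipaddress.ip_address(ip)
    return "127.0.0.2" if any(addr in n for n in nets) else None

def smtp_decision(ip, nets):
    """What the receiving mail server does with the connecting address."""
    if lookup(ip, nets):
        return "554 rejected: %s listed in %s" % (ip, ZONE)
    return "220 accept"

if __name__ == "__main__":
    nets = load_networks(SAMPLE_LIST)
    for ip in ("211.252.150.21", "128.114.130.252"):
        print(dnsbl_qname(ip), "->", smtp_decision(ip, nets))
```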

"...made myself an all-Korean and all-Chinese blacklist."

I do something similar for my personal email account, but I blackhole ALL messages from IP addresses registered in APNIC, LACNIC, and RIPE. Since I receive no legitimate communications from persons anywhere but the U.S., it cuts my spam volume by three-fourths and I get no false positives on legitimate email.

Link to comment
Share on other sites

  • 2 weeks later...

FYI - I received the following email from Hanaro in response to one of my Spamcop reports. Comments, opinions anyone?? (I've also received replies from Cablecom, Biglobe, Neuf Telecom, MCI, NTT Communications, and Time Warner Telecom, for all the good they do. ;) )

---------------------------------------------------------------------------------------------

From: abuse[at]hanaro.com

To: ****[at]reports.spamcop.net

Subject: RE][spamCop (219.249.214.249) id:****]Reply: regula Extra

time pills delivered fast

Mime-Version: 1.0

Content-Type: text/plain; charset=euc-kr

Content-Transfer-Encoding: 8bit

X-TERRACE-SPAMMARK: NO (SR:8.06)

(by Terrace)

Date: Thu, 14 Jul 2005 17:19:52 -0700 (PDT)

The spam mail that you reported us was received and processed.

Hanaro Telecom, Inc. warned those who transmitted spam mail contrary to the Article 50 of "Act on Protection of Information and Promotion of Information Communication Network" not to send spam mails any more.

If a spammer doesn't stop sending spam mail, Hanaro Telecom, Inc. will report spam mail transmitter to the related authorities.

In addition to looking into legal actions to compensate for the mental and physical damage.

[Related Provisions of Laws and Regulations]

- Article 50 of the Act on Protection of Information and Promotion of Information and Communication Network

(Restriction on Transmission of Advertisement Information) -

① Anyone cannot transmit the profit-based advertisement information contrary to the expressed opinion of a recipient not to receive such mails.

② Those who want to transmit the profit-based advertisement information by e-mail under the regulation of the Article, they should indicate in such e-mails information on as in each of the following subparagraphs as specified by the enforcement regulation of the "Information and Communication Act".

1. Purpose of transmission and main contents

2. Name and contact information of transmitter(or sender), etc.

3. Matters related to the opinion of denying further reception

※ for more information, please refer to the Antispam Policy of Hanaro Telecom, Inc on website (http://www.hanaro.com)

※ We can’t manage the reports for a spam Mail sent to a wrong mail account.

So you should report to abuse[at]hanaro.com

Link to comment
Share on other sites

Comments, opinions anyone??

It's very weak, IMHO. It's a form letter they send every once in a while. Note that they don't actually say or promise to disconnect anyone, just to report the spammer to the authorities and Hanaro's lawyers. :(
Link to comment
Share on other sites

It's very weak, IMHO. It's a form letter they send every once in a while. Note that they don't actually say or promise to disconnect anyone, just to report the spammer to the authorities and Hanaro's lawyers. :(

...Agreed. What I would think we anti-spammers would like to see is something along the lines of: "The spam you reported is a violation of our terms of service. In addition to reporting this to the appropriate government authorities, we are terminating the account from which the spam was sent for violating those terms of service. We appreciate your report and apologize for any difficulty you experienced from our lack of proactive action against this spam. We pledge to improve our efforts in this regard."

:) <g>

Link to comment
Share on other sites

  • 5 months later...

Archived

This topic is now archived and is closed to further replies.
