[Resolved] Those crafty spammers


shmengie

> You mentioned that you browsed this domain and were redirected to another site, but I just don't see how that's been possible, at least over the last several hours.

I'd be lying to you if I said I understood how this works, but digging (and nslookup too) on the FQDN bullwhack.torrence-store.com works even though torrence-store.com doesn't?

That doesn't fit my understanding of DNS resolution. Yet, looky there.

$ dig bullwhack.torrence-store.com

; <<>> DiG 9.1.0 <<>> bullwhack.torrence-store.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17281
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 0

;; QUESTION SECTION:
;bullwhack.torrence-store.com.  IN      A

;; ANSWER SECTION:
bullwhack.torrence-store.com. 5 IN      A       68.58.110.87
bullwhack.torrence-store.com. 5 IN      A       68.254.114.243
bullwhack.torrence-store.com. 5 IN      A       24.94.238.113
bullwhack.torrence-store.com. 5 IN      A       24.194.147.92
bullwhack.torrence-store.com. 5 IN      A       67.190.24.114

;; AUTHORITY SECTION:
torrence-store.com.     7200    IN      NS      ns4.torrence-store.com.
torrence-store.com.     7200    IN      NS      ns5.torrence-store.com.
torrence-store.com.     7200    IN      NS      ns1.torrence-store.com.
torrence-store.com.     7200    IN      NS      ns2.torrence-store.com.
torrence-store.com.     7200    IN      NS      ns3.torrence-store.com.


Ahh - they're spoofing a CNAME record as an A. That's how you got routed to it. I'll file some more stuff at rfc-ignorant.org now. Thanks for clearing that up.

Edit: rofl - looks like they're already off-line again:

$ dig bullwhack.torrence-store.com

; <<>> DiG 9.2.4 <<>> bullwhack.torrence-store.com

;; global options:  printcmd

;; connection timed out; no servers could be reached


I guess they can be resolved most of the time - but whenever you try to look at their status they're gone again (or going). Neat in a perverted sort of way.


01-08-2005 09:22 GMT

DNS Traversal for bullwhack.torrence-store.com.
Generated by www.DNSstuff.com


Getting NS record list at l.root-servers.net... Done!
Looking up at the 13 com. parent servers:

Server	Response	Time
c.gtld-servers.net [192.26.92.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	8ms
a.gtld-servers.net [192.5.6.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	114ms
g.gtld-servers.net [192.42.93.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	114ms
l.gtld-servers.net [192.41.162.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	114ms
f.gtld-servers.net [192.35.51.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	114ms
k.gtld-servers.net [192.52.178.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	114ms
e.gtld-servers.net [192.12.94.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	114ms
h.gtld-servers.net [192.54.112.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	223ms
i.gtld-servers.net [192.43.172.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	223ms
b.gtld-servers.net [192.33.14.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	223ms
d.gtld-servers.net [192.31.80.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	223ms
j.gtld-servers.net [192.48.79.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	223ms
m.gtld-servers.net [192.55.83.30]	ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. 	334ms

Status: Records all match.

Looking up at the 5 torrence-store.com. parent servers:

Server	Response	Time
ns1.torrence-store.com [24.15.148.146]	24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 	107ms
ns3.torrence-store.com [67.173.19.43]	24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 	107ms
ns5.torrence-store.com [69.245.151.168]	24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 	107ms
ns4.torrence-store.com [24.14.251.172]	24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 	325ms
ns2.torrence-store.com [71.8.197.224]	Timeout	 

Status: Records DO NOT all match: Results from ns2.torrence-store.com do not match results from ns4.torrence-store.com.

© Copyright 2000-2005 R. Scott Perry

01-08-2005 09:28 GMT

DNS Traversal for bullwhack.torrence-store.com.
Generated by www.DNSstuff.com


Getting NS record list at a.root-servers.net... Done!
Looking up at the 13 com. parent servers:

Server	Response	Time
... similar to first run

Status: Records all match.

Looking up at the 5 torrence-store.com. parent servers:

Server	Response	Time
ns1.torrence-store.com [24.15.148.146]	24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 	108ms
ns3.torrence-store.com [67.173.19.43]	24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 	108ms
ns2.torrence-store.com [71.8.197.224]	Timeout	 
ns4.torrence-store.com [24.14.251.172]	Timeout	 
ns5.torrence-store.com [69.245.151.168]	Timeout	 

Status: Records DO NOT all match: Results from ns5.torrence-store.com do not match results from ns3.torrence-store.com.


01-08-2005 09:38 GMT
DNS Traversal for bullwhack.torrence-store.com.
Generated by www.DNSstuff.com


Getting NS record list at f.root-servers.net... Done!
Looking up at the 13 com. parent servers:

Server	Response	Time
... similar to first run

Status: Records all match.

Looking up at the 5 torrence-store.com. parent servers:

Server	Response	Time
ns5.torrence-store.com [69.245.151.168]	24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 	110ms
ns3.torrence-store.com [67.173.19.43]	[Error: Socket error 10054 [s=6968 tcp=0]]	217ms
ns1.torrence-store.com [24.15.148.146]	Timeout	 
ns2.torrence-store.com [71.8.197.224]	Timeout	 
ns4.torrence-store.com [24.14.251.172]	Timeout	 

Status: Records DO NOT all match: Results from ns4.torrence-store.com do not match results from ns5.torrence-store.com.


02-08-2005 02:24 GMT

DNS Traversal for bullwhack.torrence-store.com.
Generated by www.DNSstuff.com


Getting NS record list at h.root-servers.net... Done!
Looking up at the 13 com. parent servers:
... similar to first run


Status: Records all match.

Looking up at the 5 torrence-store.com. parent servers:

Server	Response	Time
ns4.torrence-store.com [24.170.168.82]	24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 	108ms
ns1.torrence-store.com [69.139.45.186]	24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 	217ms
ns2.torrence-store.com [24.72.103.253]	24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 	217ms
ns3.torrence-store.com [24.14.199.175]	24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 	217ms
ns5.torrence-store.com [69.139.33.81]	24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 	217ms

Status: Records all match.



They cycle thru new zombies all the time.

I'm guessing all the zombies communicate via an IRC ring. When one drops out (probably frequently, since these hijacked computers are probably slow), a new one is more than willing to take its place. This makes it very difficult to report to ISPs because they are constantly changing. ISPs probably don't log the web traffic, so nonexistent logs make reference difficult.

nslookup on an infected machine also reports the same addresses. Looks like the DNS records are all set to expire as soon as they're issued.

Web browsing the 'domain' directly doesn't tell you which host you connect to, unless you're sniffing packets. Directly referencing IP addresses results in a disconnect/no data.

I wrote this bare-minimum web browser Python script to verify that each and every "server" returned web pages, by addressing each server directly and then issuing a GET for the URL, should you wish to check for your own amusement.

SpamResearch.py

import socket

domain = 'bullwhack.torrence-store.com'
path = '/'  # the spam URL also carried '/farm/?bridgewater=bwligbreak'

# Resolve once and keep every A record the (short-TTL) answer contains.
domain, aliases, addresses = socket.gethostbyname_ex(domain)
# Proper HTTP/1.0 request with a Host header so a name-based server answers;
# the earlier "GET <url>" line had no HTTP version and no Host header.
request = ('GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' % (path, domain)).encode('ascii')

for address in addresses:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)  # a zombie that dropped out must not hang the whole run
    try:
        s.connect((address, 80))
        print('peer:', s.getpeername())
        s.sendall(request)
        result = b''
        while True:
            data = s.recv(8192)
            if not data:
                break
            result += data
        print('Address: %s returned %d bytes' % (address, len(result)))
    except (socket.timeout, OSError) as err:
        print('Address: %s failed: %s' % (address, err))
    finally:
        s.close()
#print('Last result:')
#print(result)

Heh, if it weren't vigilantism (and I might get in trouble with my ISP), I'd write a script that sent an e-mail once a minute to the ISPs stating that such and such computer is serving spamvertized web pages.

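The behaviour described in the post above (a TTL of a few seconds, a handful of residential addresses that change between lookups, and nameservers that sit on those same addresses) is what later came to be called fast-flux hosting. The Python 3 script below is an added example and not code from this thread: it parses dig answer lines like the ones quoted earlier and DNSstuff-style traversal rows like the tables above, then reports the indicators a responder would want: lowest TTL, number of distinct A addresses and /16 prefixes, which nameservers timed out, whether the servers that did answer agree, and whether the nameserver glue addresses overlap the hosts serving the name (the double-flux case, where the zombies are also the authoritative servers). The thresholds (TTL of 300 s or less, at least three addresses in at least three /16s) are assumptions chosen for illustration, the /16 grouping is an offline stand-in for an ASN lookup, and both sample inputs are constructed from the output quoted in the thread. One caveat the traversal tables illustrate: DNSstuff reports "Records DO NOT all match" when a server merely times out, whereas this check treats an unreachable server as unknown rather than as a mismatch.

```python
"""Fast-flux indicators from dig answers and a DNSstuff-style traversal.

Added example; thresholds are assumptions, not values taken from the thread.
"""
import ipaddress
import re

# Constructed sample: the ANSWER SECTION from the dig run quoted in the thread.
SAMPLE_DIG = """
;; ANSWER SECTION:
bullwhack.torrence-store.com. 5 IN      A       68.58.110.87
bullwhack.torrence-store.com. 5 IN      A       68.254.114.243
bullwhack.torrence-store.com. 5 IN      A       24.94.238.113
bullwhack.torrence-store.com. 5 IN      A       24.194.147.92
bullwhack.torrence-store.com. 5 IN      A       67.190.24.114
"""

# Constructed sample: the first traversal table (server<TAB>response<TAB>time).
SAMPLE_TRAVERSAL = "\n".join([
    "Server\tResponse\tTime",
    "ns1.torrence-store.com [24.15.148.146]\t24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224\t107ms",
    "ns3.torrence-store.com [67.173.19.43]\t24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224\t107ms",
    "ns5.torrence-store.com [69.245.151.168]\t24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224\t107ms",
    "ns4.torrence-store.com [24.14.251.172]\t24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224\t325ms",
    "ns2.torrence-store.com [71.8.197.224]\tTimeout\t",
])

ANSWER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$")
SERVER_CELL = re.compile(r"^(\S+)\s+\[([\d.]+)\]$")


def _is_ipv4(token):
    try:
        return isinstance(ipaddress.ip_address(token), ipaddress.IPv4Address)
    except ValueError:
        return False


def parse_dig_answers(text):
    """Return (name, ttl, type, rdata) tuples for resource-record lines; skip ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), int(ttl), rtype, rdata.rstrip(".")))
    return records


def parse_traversal(text):
    """Map each nameserver to (glue IP, set of answer IPs); None when it timed out or errored."""
    servers = {}
    for line in text.splitlines():
        cells = line.split("\t")
        m = SERVER_CELL.match(cells[0].strip()) if len(cells) >= 2 else None
        if not m:
            continue
        name, glue = m.groups()
        answers = {tok for tok in cells[1].split() if _is_ipv4(tok)}
        servers[name] = (glue, answers or None)
    return servers


def assess(records, servers, short_ttl=300, min_addresses=3, min_prefixes=3):
    """Score one name. The three thresholds are illustrative assumptions."""
    a_ips = {rdata for _, _, rtype, rdata in records if rtype == "A"}
    ttls = [ttl for _, ttl, rtype, _ in records if rtype == "A"]
    ttl = min(ttls) if ttls else None
    # /16 grouping approximates "how many networks", an offline stand-in for ASN lookups.
    prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in a_ips}

    responders = {n: s for n, (_, s) in servers.items() if s is not None}
    answer_sets = {frozenset(s) for s in responders.values()}
    seen = set(a_ips).union(*answer_sets)          # every host observed serving the name
    glue = {g for g, _ in servers.values()}         # where the nameservers themselves live

    flux = (ttl is not None and ttl <= short_ttl
            and len(a_ips) >= min_addresses and len(prefixes) >= min_prefixes)
    double = flux and bool(glue & seen)             # NS hosts are also the flux nodes
    return {
        "ttl": ttl,
        "addresses": len(a_ips),
        "prefixes": len(prefixes),
        "unreachable": sorted(n for n in servers if n not in responders),
        "responders_agree": len(answer_sets) <= 1,  # timeouts are unknown, not mismatches
        "ns_on_flux_hosts": bool(glue & seen),
        "verdict": "double-flux" if double else "single-flux" if flux else "no flux indicators",
    }


if __name__ == "__main__":
    result = assess(parse_dig_answers(SAMPLE_DIG), parse_traversal(SAMPLE_TRAVERSAL))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as-is it scores the embedded samples; to check a live name, paste the ANSWER SECTION of your own dig run into `parse_dig_answers` and the per-nameserver rows into `parse_traversal`. Repeating the run a few minutes apart and diffing the address sets is the quickest way to confirm the rotation the thread describes.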

How about every time you get a spam advertising that domain?

It's been done, ad infinitum; spam keeps coming...

I haven't received a spam referencing torrence-store.com so I have not reported it.

Can't get China, Korea, Russia (Asia for that matter) to quit providing web space to spammers. Reporting seems merely an exercise for the tenacious.

The volume of spam I receive has dropped to 1/2 lately. It seems as though I may have been taken off "a" spammer's list by reporting torrence-family.com to everyone I could fathom. Seems unlikely I will receive a spam referencing the family "store."

In order for these domains to get a hook into the DNS system, the spammer probably has to expose themselves in a window of potential identification. Once the domain is running around loose on the web, they can cut the ties and enjoy pure anonymity.

In either event, I think this spammer is a blatant criminal, using an uneducated public to host web pages on their computers.

I'm tempted to take a proactive stance. If I can get a spammer shut down, I'm inclined to do so...

I've reported the web-bots to ISPs. I've tried to tell several ISPs how they could take a proactive stance. They seem to ignore my suggestions as well as the abuse reports.

I reported several web hosting bots to an ISP and the only response I've received was "We don't host web sites on that address so your report is wrong." I promptly replied and believe my reply was promptly ignored.

So if you get a spam that references a website, should you hold your breath until you get another referencing the same site? Q: Would you turn blue in the process? :ph34r:


I've just received a spam that had 3 other sites that were not really advertisements and had nothing to do with the spam. :angry: (I took the liberty of sending targeted reports based on the addresses that SpamCop used to send the initial reports...)

I just thought someone should know

Thanks

Ken

P.S.

Any spam reporting to SiteSpecific.com is being ignored...

-----Original Message-----

From: postmaster[at]sitespecific.net [mailto:postmaster[at]sitespecific.net]

Sent: Tuesday, August 02, 2005 10:41 AM

To: Longcrier, Ken

Subject: Autoreply: Please disregard the spam-Report I just sent through SPAMCOP...

You have sent an email to an unmonitored Site Specific, Inc. email address.

You may contact us using the information provided in the following link.

http://www.sitespecific.com/contact

Thank you,


This doesn't fit the topic of this thread, but here goes...

> I've just received a spam that had 3 other sites that were not really advertisements and had nothing to do with the spam. :angry: (I took the liberty of sending targeted reports based on the addresses that SpamCop used to send the initial reports...)

Spammers do that often... Why??? I dunno.

Some include anchored links around nothing so they're not visible in HTML-rendered text but point to other domains??? (ones they hate?)

Some include domains that don't resolve???

Not sure what to do about the ones that obfuscate the spamvertized site by forcing a direct search-engine match through Google or Yahoo. I usually report to Google and/or Yahoo so they receive notification, as well as the ISP hosting the actual spamvertized site.


> That is a violation of RFC 2821 and you can use that autoresponder as "evidence" to submit that domain for blacklisting at RFC-Ignorant: http://www.rfc-ignorant.org/tools/submit_f...able=postmaster
>
> If you do not want to do that then please post the source of that entire message here and I'll do it on your behalf.

That won't be necessary, Ralf took care of it last week. :)

> Spammers do that often... Why??? I dunno.
>
> Some include anchored links around nothing so they're not visible in HTML-rendered text but point to other domains??? (ones they hate?)

These appear to be a mix of joe-jobs and misdirection.

> Some include domains that don't resolve???

These appear to be domains that have either been terminated in some way or are temporarily unavailable due to circumstances beyond the spammer's control.

> Not sure what to do about the ones that obfuscate the spamvertized site by forcing a direct search-engine match through Google or Yahoo. I usually report to Google and/or Yahoo so they receive notification, as well as the ISP hosting the actual spamvertized site.

I try to do the same.

> That won't be necessary, Ralf took care of it last week.

It looks like they didn't accept Rolf's input (they can be very picky) so I'd still like Ken to post the source of that message so that we can submit them again.

EDIT: I have just submitted them to RFC-I's WHOIS list because the address on their WHOIS record is falsified. However, if we can get the source of that message then I can list them on the Postmaster BL as well.


The submission I was writing about was the postmaster submission for sitespecific.net. I believe you were writing about the postmaster submission for sitespecific.com. In any case, multiple people have been busy - see http://www.rfc-ignorant.org/tools/lookup.p...ific.net&full=1 and http://www.rfc-ignorant.org/tools/lookup.p...ific.com&full=1 for details.


Cool. Should that fail, please be aware that sitespecific.com's hostmaster (probably the same "Nate R. Sullivan") doesn't like reading test messages, but is perfectly willing to send MDNs (mail delivery notifications).


torrence-family.com, torrence-store.com, sitespecific.com and sitespecific.net are all now firmly entrenched in the RFCI blacklists:

http://www.rfc-ignorant.org/tools/lookup.p...ence-family.com

http://www.rfc-ignorant.org/tools/lookup.p...rence-store.com

http://www.rfc-ignorant.org/tools/lookup.p...itespecific.com

http://www.rfc-ignorant.org/tools/lookup.p...itespecific.net

I'll have postmaster and abuse entries done for spamis.info over this coming weekend as well (I'm just waiting on the 5-day queue time for the delivery failures).


OMG, the criminals expand their criminality

Received an eBay spoof. This one resolves to the web-bot.

www.access-authorization.com/ebayauth

Maybe eBay will step up and help fight this plight.

Name: www.access-authorization.com

Addresses: 12.214.117.250, 62.195.145.140, 67.176.137.127, 68.73.144.101

69.252.161.230

peer: ('69.252.161.230', 80)

pcp0012142052pcs.oakrdg01.tn.comcast.net

Address: 69.252.161.230 returned 17397 bytes

peer: ('12.214.117.250', 80)

12-214-117-250.client.mchsi.com

Address: 12.214.117.250 returned 17397 bytes

peer: ('62.195.145.140', 80)

i145140.upc-i.chello.nl

Address: 62.195.145.140 returned 17397 bytes

peer: ('67.176.137.127', 80)

c-67-176-137-127.hsd1.il.comcast.net

Address: 67.176.137.127 returned 17397 bytes

peer: ('68.73.144.101', 80)

adsl-68-73-144-101.dsl.ipltin.ameritech.net

Address: 68.73.144.101 returned 17397 bytes


> OMG, the criminals expand their criminality
>
> Received an eBay spoof. This one resolves to the web-bot.
>
> www.access-authorization.com/ebayauth
>
> Maybe eBay will step up and help fight this plight.

Why is this any different than the spoofs I have gotten re: ebay for over a year now? IIRC, their emails to spoof<at>ebay.com directed me to use their web page to report...never heard anything more.


whois -h whois.crsnic.net access-authorization.com ...

Redirecting to TUCOWS INC.

whois -h whois.opensrs.net access-authorization.com ...

Registrant:

Shut Down for Spamming

Shut Down

Shut Down, Shut Down 00000

US

Domain name: ACCESS-AUTHORIZATION.COM

Administrative Contact:

Shut Down, Shut Down shutdownforspamming[at]aoneloan.com

Shut Down

Shut Down, Shut Down 00000

US

0000000000

Technical Contact:

Shut Down, Shut Down shutdownforspamming[at]aoneloan.com

Shut Down

Shut Down, Shut Down 00000

US

0000000000

Registrar of Record: TUCOWS, INC.

Record last updated on 04-Aug-2005.

Record expires on 02-Jul-2006.

Record created on 02-Jul-2005.

Domain servers in listed order:

Domain status: ACTIVE


> Why is this any different than the spoofs I have gotten re: ebay for over a year now? IIRC, their emails to spoof<at>ebay.com directed me to use their web page to report...never heard anything more.

In the past, spoofs have pointed to a specific IP address, which didn't resolve to a domain name. This one doesn't appear to be a random IP address, because you'll see "a somewhat convincing domain name" in the address bar of your browser.

Because this "website" is hosted on zombied machines, it is not possible for "officials" to identify or track down the criminal responsible.

This is a somewhat unprecedented level of anonymity afforded to these criminals by this virus/trojan/zombie.


> Shut Down, Shut Down 00000
>
> Record last updated on 04-Aug-2005.
>
> Record expires on 02-Jul-2006.
>
> Record created on 02-Jul-2005.

Wow, that was quick. Guessing that e-bay contacted tucows regarding that domain. I didn't.

access-authorization.com 02-Jul-2005

torrence-family.com 11-Jul-2005

torrence-store.com 11-Jul-2005

Looks like this zombie was designed for the e-bay spoof, and the other scams were added as an afterthought.

Shortly (about 2 days) after I wrote tucows about the torrence-family.com it became inactive. That record does not reflect the "spamming" incident.

The two inactive have NS1.NETSOL.COM as their domain server on the whois record.

Currently torrence-store.com is still active and lists the "current" zombies as the domain servers. Since this site is picking on the w3ird0s who like to see ppl and farm animal sex, I haven't been in a hurry to see it shut down.

I'm hoping the FBI is investigating this issue, but I doubt it. :(


  • 2 weeks later...

Two new domains showed up today, hosted on compromised computers:

www.nelema.com

www.teljar.com

pheromones anyone?

Appears that the criminals have switched from Tucows to YESNIC for registrar.

Domain Name: NELEMA.COM

Registrar: YESNIC CO. LTD.

These two were registered 10-Aug-2005

