shmengie Posted July 24, 2005
http://www.spamcop.net/sc?id=z789394833z4e...492f5c3aaea1d4z
Name: accurate.torrence-family.com
Address: 71.96.15.218, 24.11.214.98, 68.203.184.97, 69.76.69.208, 70.92.245.129
The nslookup on the domain accurate.torrence-family.com frequently changes. I receive about 3 spams a week which reference domains resolving in this fashion. Spamcop identifies only one of the addresses per URL listed. The posted tracking URL had abuse[at]rr.com for one URL in the spam and abuse[at]verison.net for the other URL. My attempts to report these zombies have fallen on deaf ears at ISPs because they don't resolve to webservers in their farms. Since the IP addresses change frequently, they probably think I'm making this shiat up. I've tried to explain the issue, but my voice in this matter seems to be received by the deaf. The only other thing I can think of is to complain to the registrar. I've initiated communication with Tucows but I don't have high expectations. Best they can do is cancel the domain, I suppose. What are the odds of that happening?
Jeff G. Posted July 24, 2005
Have you tried tracking how this hostname resolves over some time, and including all the IP Addresses it resolves to and that host its name services in one Manual Report to all the ISPs for all of those IP Addresses? Its name servers are currently as follows:
ns1.torrence-family.com. 172800 IN A 68.37.212.170
ns2.torrence-family.com. 172800 IN A 71.111.70.192
ns3.torrence-family.com. 172800 IN A 65.43.218.215
ns4.torrence-family.com. 172800 IN A 66.65.46.21
ns5.torrence-family.com. 172800 IN A 24.4.100.137
Wazoo Posted July 24, 2005
http://www.dnsreport.com/tools/dnsreport.c...ence-family.com
Generated by www.DNSreport.com at 21:47:17 GMT on 24 Jul 2005
A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding.
Jeff G. Posted July 24, 2005
The SOA record I got for torrence-family.com when composing my previous Reply in this Topic pointed to the source of this mess as ns.torrence-family.com and the email address of the doer as "webmaster.torrence-family.com." AKA "webmaster[at]torrence-family.com", and had a TTL of 5 seconds. There appear to be five "*.torrence-family.com." A records, which are used for the five different IP Addresses, in addition to the five individual NS Records for torrence-family.com and matching A Records for ns{1-5}.torrence-family.com at the gtld-servers, pointing to those same five IP Addresses. The reporting addresses are as follows:
69.211.16.157 abuse[at]sbcglobal.net
220.198.23.93 postmaster[at]cnuninet.com, abuse[at]chinanet.cn.net, ct-abuse[at]abuse.sprint.net, abuse[at]savvis.net, abuse[at]att.net, and abuse[at]mci.com (anti-spam[at]ns.chinanet.cn.net bounces)
24.158.140.213 abuse[at]charter.net
68.74.120.86 abuse[at]sbcglobal.net
24.91.186.74 abuse[at]comcast.net
Farelf Posted July 25, 2005
Sort of mesmerizing to watch, isn't it?
DNS Report for torrence-family.com
[b]Generated by www.DNSreport.com at 02:51:39 GMT on 25 Jul 2005.[/b]
Your NS records at the parent servers are:
ns1.torrence-family.com. [68.56.134.62] [TTL=172800] [US]
ns2.torrence-family.com. [69.213.253.73] [TTL=172800] [US]
ns3.torrence-family.com. [67.121.176.24] [TTL=172800] [US]
ns4.torrence-family.com. [24.11.214.98] [TTL=172800] [US]
ns5.torrence-family.com. [24.175.127.82] [TTL=172800] [US]
[These were obtained from m.gtld-servers.net]
A timeout occurred getting the NS records from your nameservers!
[b]Generated by www.DNSreport.com at 03:12:31 GMT on 25 Jul 2005.[/b]
Your NS records at the parent servers are:
ns1.torrence-family.com. [68.74.120.86] [TTL=172800] [US]
ns2.torrence-family.com. [24.168.185.6] [TTL=172800] [US]
ns3.torrence-family.com. [69.211.16.157] [TTL=172800] [US]
ns4.torrence-family.com. [71.111.70.192] [TTL=172800] [US]
ns5.torrence-family.com. [24.210.201.4] [TTL=172800] [US]
[These were obtained from m.gtld-servers.net]
[b][i](lifting a few of the comments:)[/i][/b]
OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers.
[b]Generated by www.DNSreport.com at 03:40:07 GMT on 25 Jul 2005.[/b]
Your NS records at the parent servers are:
ns1.torrence-family.com. [68.74.120.86] [TTL=172800] [US]
ns2.torrence-family.com. [69.248.21.171] [TTL=172800] [US]
ns3.torrence-family.com. [71.103.207.158] [TTL=172800] [US]
ns4.torrence-family.com. [24.214.250.56] [TTL=172800] [US]
ns5.torrence-family.com. [67.165.71.72] [TTL=172800] [US]
[These were obtained from m.gtld-servers.net]
WARNING: Your SOA REFRESH interval is : 0 seconds. This seems very low.
WARNING: Your SOA RETRY interval is : 0 seconds. This seems very low.
ERROR: I could not find any mailservers for torrence-family.com.
ERROR: I couldn't find any A records for www.torrence-family.com.
[b]Generated by www.DNSreport.com at 03:29:32 GMT on 25 Jul 2005.[/b]
Your NS records at the parent servers are:
ns1.torrence-family.com. [68.74.120.86] [TTL=172800] [US]
ns2.torrence-family.com. [69.248.21.171] [TTL=172800] [US]
ns3.torrence-family.com. [71.103.207.158] [TTL=172800] [US]
ns4.torrence-family.com. [24.214.250.56] [TTL=172800] [US]
ns5.torrence-family.com. [67.165.71.72] [TTL=172800] [US]
[These were obtained from i.gtld-servers.net]
A timeout occurred getting the NS records from your nameservers!
OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
All the usual suspects, at some time or another as above - Comcast, Road Runner, Ameritech, SWBell, Verizon, Knology. As the OP suggests, appeal to "higher authority" might be in order. The individual server owners would find it difficult to get on top of this. Can that be done? This is a monumental breach of the protocols, surely?
shmengie (Author) Posted July 25, 2005
Crafty spammer. Their zombies are performing nameserver duties and serving up web pages. Using either of the IP addresses for web page and domain lookup produces the same results on all of the robot zombies. I wrote a tiny little Python program and every one of them dishes up the same web page. I had thought they might be doing some kind of redirection, but that's not the case. I did run thru all the pages and placed a bogus order. Minor note: It sez credit card info is being gathered on secure 128-bit encryption. Lies of course. It also stated that my IP address 24.xxx.xxx.xxx was being recorded for security purposes. My IP does not begin with 24.... looked like static text. Most of the links they use end in .php? which is there to further convince ppl it's a real web server I guess. These zombies all collect credit card info from the unsuspecting foo that think this is legit. There must be a method of sending the credit card info back to the culprits. Probably the same way that the zombies know which other zombies are up and running. Very impressive trojans tho. Kudos to the spammer, they've got anonymity out the yin-yang going on here.
Turmoyl Posted July 25, 2005
Good work on bringing this up and doing the research, all. I successfully submitted torrence-family.com to rfc-ignorant.org due to the fact that out of 5 nameservers there isn't a single MX record configured, and the A record (fallback) doesn't even properly provide an IP address:
http://www.rfc-ignorant.org/tools/lookup.p...ence-family.com
For those of you that run your own mail servers: as long as your serving software is modern enough to use RHSBLs (Right-Hand Side Black Lists) I encourage you to take full advantage of rfc-ignorant.org's lists. If you run Sendmail >=8.12 you are welcome to use my config for these lists:
FEATURE(rhsbl,`dsn.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not accept bounces. This violates RFC 821/2505/2821 - see http://www.rfc-ignorant.org/"')dnl
dnl
FEATURE(rhsbl,`postmaster.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not have a working postmaster address. This violates RFC 2821 - see http://www.rfc-ignorant.org/"')dnl
dnl
FEATURE(rhsbl,`abuse.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not have a working abuse address. This violates RFC 2142 - see http://www.rfc-ignorant.org/"')dnl
dnl
FEATURE(rhsbl,`bogusmx.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain is bogus. This violates RFC 1035/3330 - see http://www.rfc-ignorant.org/"')dnl
dnl
FEATURE(rhsbl,`whois.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. TLD does not have a proper WHOIS registry. This violates RFC 1032/3912 - see http://www.rfc-ignorant.org/"')dnl
shmengie (Author) Posted July 27, 2005
I received a spam from Taiwan. I don't know anyone over there, so it's a safe bet it was supposed to be spam. I think this falls under the category of crafty spammer, so I'm re-using this thread. I couldn't help but find this spam interesting. Don't know how many of you enjoy programming, but the codes used for subject/date etc... are somewhat fascinating to me. It looks like the spam template was used, but no spam content replaced the macro fields. The subject looks like the spammer's Bayesian work-around.
Subject: STR_RNDLEN(2-4)}{EXTRA_TIME_4} {WORD}
Date: {DATE}
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: {ALNUM[36-36]}
Content-type: multipart/related; boundary="{_BOUNDARY_RELATED}"

--{_BOUNDARY_RELATED}
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit

{BODYHTML}

--{_BOUNDARY_RELATED}
Content-Type: image/jpg; name="{LC_CHAR[7-7]}.jpg"
Content-Transfer-Encoding: base64
Content-ID: <{_UC_CHAR[20-20]}>

{JPEG:/home/larry/baner.jpg:q80cg8cc5}

--{_BOUNDARY_RELATED}--
.
Turmoyl Posted July 27, 2005
Scripting code like that will only work in Outlook/Outlook Express. That's reason # 1,000,001 to use Thunderbird.
Turmoyl Posted July 28, 2005
Back on topic: It appears that, due to whatever pressures, torrence-family.com has shut down (at least temporarily):
Domain servers in listed order:
NS1.NETSOL.COM 216.168.229.228
So they are down to only a single nameserver, and at a different host. Also:
~$ dig any @216.168.229.228 torrence-family.com

; <<>> DiG 9.2.4 <<>> any @216.168.229.228 torrence-family.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7749
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;torrence-family.com. IN ANY

;; AUTHORITY SECTION:
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
This is a completely empty DNS record. No SOA, no A, no MX, nada. In other words they are 100% offline as I write this.
Jeff G. Posted July 28, 2005
I'm getting the same responses. Thanks for the update!
shmengie (Author) Posted July 28, 2005
Do you think it's possible that TuCows came to the rescue here? I see the whois record for torrence-family.com last Updated Date: 26-jul-2005. That's about the right time for all records to be stale now. I sent a letter to TuCows Saturday. I suspect they have few if any weekend warriors. All day Monday it would have been working its way thru their slew of mail... Tuesday somebody did something. Ratz, now I wish I had reported this to the FBI first. Thought of them last.... I did want the FBI to track 'em down, but I suspect that may have been difficult even w/excessive resources. That's one of the most impressive spammer schemes I've seen.
shmengie (Author) Posted July 28, 2005
double dratz (or not)
udowzy.torrence-family.com is now resolving again :/
Shouldn't be too surprised that it winked out for a while. After all, the actual DNS servers are virus-infected zombies. The main server must have been rebooted because it was running too slow, or maybe the user woke up and anti-virus'd it.
zeus:~$ dig udowzy.torrence-family.com

; <<>> DiG 9.1.0 <<>> udowzy.torrence-family.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45807
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;udowzy.torrence-family.com. IN A

;; ANSWER SECTION:
udowzy.torrence-family.com. 5 IN A 24.178.100.28
udowzy.torrence-family.com. 5 IN A 63.206.119.30
udowzy.torrence-family.com. 5 IN A 69.211.16.157
udowzy.torrence-family.com. 5 IN A 24.12.119.73
udowzy.torrence-family.com. 5 IN A 24.13.123.241

;; AUTHORITY SECTION:
torrence-family.com. 155815 IN NS ns1.netsol.com.

;; Query time: 640 msec
;; SERVER: 192.168.1.112#53(192.168.1.112)
;; WHEN: Thu Jul 28 02:50:11 2005
;; MSG SIZE rcvd: 149
Jeff G. Posted July 28, 2005
I find it difficult to believe that Verisign's ns1.netsol.com is participating in this scheme. It is more likely that the spammer is seeding/poisoning his target domains' public nameservers' caches with its filth just before each spam run.
shmengie (Author) Posted July 28, 2005
These "servers" aren't necessarily sending spam. They host the web page/rogue DNS servers that support this domain. The domain was referenced in a spam; I kept the last three that reference it in my spam box (yet to be deleted). I doubt that they send spam themselves, unless they are infected with additional robot/spamware. Frankly this avenue of spammer proliferation bugs the wooloo (not to be confused w/wazoo) out of me, because it offers another level of anonymity to the spammers. No specific ISP is being used, but a bunch of their clients are being abused. Look at it this way. We can't track spam to a specific spammer whose spam was delivered by an anonymous spambot-infected machine. Now we've got a spammer that's upped the ante and uses a webbot/dnsbot-infected ring of computers to deliver web pages. Although it is possible they could also deliver spam, I suspect they use their other army of infected machines for that doody. They have no fear of ISP repercussion, because they aren't using an ISP service. They're abusing idiots w/computers that don't know their computers are being used this way.
Turmoyl Posted July 28, 2005
I'm not sure exactly what's going on but their DNS record is once again empty:
~$ dig any @NS1.NETSOL.COM udowzy.torrence-family.com

; <<>> DiG 9.2.4 <<>> any @NS1.NETSOL.COM udowzy.torrence-family.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53024
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;udowzy.torrence-family.com. IN ANY

;; AUTHORITY SECTION:
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.

;; Query time: 47 msec
;; SERVER: 216.168.229.228#53(NS1.NETSOL.COM)
;; WHEN: Thu Jul 28 16:34:44 2005
;; MSG SIZE rcvd: 255

~$ dig any @NS1.NETSOL.COM torrence-family.com

; <<>> DiG 9.2.4 <<>> any @NS1.NETSOL.COM torrence-family.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20253
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;torrence-family.com. IN ANY

;; AUTHORITY SECTION:
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.

;; Query time: 47 msec
;; SERVER: 216.168.229.228#53(NS1.NETSOL.COM)
;; WHEN: Thu Jul 28 16:36:47 2005
;; MSG SIZE rcvd: 248
Farelf Posted July 29, 2005
Thanks for the continuing updates guys. Following with interest (and the hope someone comes up with a suggested way of smacking down this latest impudence).
Jeff G. Posted July 29, 2005
1. Report each IP Address mentioned in this Topic (but not yet reported) to the appropriate ISP, requesting that the ISPs help you to track down the real spammer.
2. Query each of those IP Addresses for NS and A Records.
3. Use the results of those queries to update this Topic, as appropriate.
4. Repeat, ad infinitum (an infinite number of times), ad nauseum (until you are nauseous).
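The tracking that Jeff G. suggests earlier in the thread (watch how the hostname resolves over time) and the repeat-query loop in the steps above can be automated. The script below is an added example, not code from the thread or from SpamCop: it takes dig-style answer sections captured at different times and reports the properties that made this domain stand out in the posts above, that is a TTL of 5 seconds, five A records per lookup, addresses spread across many residential networks, and a different address set on each query. The two flux samples are constructed from addresses quoted in the thread (the timestamps are made up), the control sample uses documentation addresses, the thresholds are assumptions chosen for the example rather than any standard, and a distinct /16 prefix is used as a crude stand-in for a distinct ISP, since real ASN lookups would need network access.

```python
"""Heuristic fast-flux check over repeated DNS samples (added example)."""
import ipaddress
import re

# One dig answer-section line: "<name>. <ttl> IN A <ipv4>"
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

# Thresholds are assumptions for this example, not a published standard.
MAX_FLUX_TTL = 300        # seconds; the thread's records carried TTL=5
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3     # distinct /16 prefixes as a crude stand-in for distinct ISPs


def parse_answer(text):
    """Return (min_ttl, set_of_ips) from a dig answer section.

    ';;' comment lines, AUTHORITY/NS lines and blank lines are ignored.
    """
    ttls, ips = [], set()
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            ttls.append(int(m.group(2)))
            ips.add(m.group(3))
    if not ips:
        raise ValueError("no A records found in sample")
    return min(ttls), ips


def analyse(samples):
    """samples: list of (label, dig_answer_text) in time order.

    Returns the accumulated address set, how many addresses each new
    lookup introduced, the network spread, and a fast-flux verdict.
    """
    seen, churn, ttls = set(), [], []
    for _label, text in samples:
        ttl, ips = parse_answer(text)
        ttls.append(ttl)
        churn.append(len(ips - seen))   # addresses never returned before
        seen |= ips
    nets = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in seen}
    metrics = {
        "min_ttl": min(ttls),
        "distinct_ips": len(seen),
        "distinct_nets": len(nets),
        "new_per_sample": churn,
        "ips": sorted(seen, key=ipaddress.ip_address),   # the list to report
    }
    metrics["fast_flux"] = (
        metrics["min_ttl"] <= MAX_FLUX_TTL
        and metrics["distinct_ips"] >= MIN_DISTINCT_IPS
        and metrics["distinct_nets"] >= MIN_DISTINCT_NETS
    )
    return metrics


# Constructed samples: addresses are the ones quoted in the thread, wrapped
# in a dig-style answer section; the labels/timestamps are made up.
FLUX_SAMPLES = [
    ("2005-07-24 lookup", """\
;; ANSWER SECTION:
accurate.torrence-family.com. 5 IN A 71.96.15.218
accurate.torrence-family.com. 5 IN A 24.11.214.98
accurate.torrence-family.com. 5 IN A 68.203.184.97
accurate.torrence-family.com. 5 IN A 69.76.69.208
accurate.torrence-family.com. 5 IN A 70.92.245.129

;; AUTHORITY SECTION:
torrence-family.com. 155815 IN NS ns1.netsol.com.
"""),
    ("2005-07-28 lookup", """\
;; ANSWER SECTION:
udowzy.torrence-family.com. 5 IN A 24.178.100.28
udowzy.torrence-family.com. 5 IN A 63.206.119.30
udowzy.torrence-family.com. 5 IN A 69.211.16.157
udowzy.torrence-family.com. 5 IN A 24.12.119.73
udowzy.torrence-family.com. 5 IN A 24.13.123.241
"""),
]

# Constructed control: a stable host (documentation addresses, long TTL).
STABLE_SAMPLES = [
    ("control", "www.example.net. 3600 IN A 192.0.2.10\nwww.example.net. 3600 IN A 192.0.2.11\n"),
    ("control again", "www.example.net. 3600 IN A 192.0.2.10\nwww.example.net. 3600 IN A 192.0.2.11\n"),
]

if __name__ == "__main__":
    for name, samples in (("torrence-family.com", FLUX_SAMPLES), ("control", STABLE_SAMPLES)):
        m = analyse(name and samples)
        print(name, "fast_flux=%s ttl=%d ips=%d nets=%d new=%s"
              % (m["fast_flux"], m["min_ttl"], m["distinct_ips"], m["distinct_nets"], m["new_per_sample"]))
        for ip in m["ips"]:
            print("  ", ip)
```

In practice the samples would come from a cron job running `dig` every few minutes and the `ips` list is what goes into the per-ISP reports; the churn column shows at a glance whether a new run of lookups has turned up hosts that have not been reported yet.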
shmengie (Author) Posted July 30, 2005
Hate when ppl fix stuff and don't bother to tell you. Reported until I was blue in the fingers on that one. Now I don't know how/why it was resolved, but it appears to be. If it happens again, do I have to go blue in the fingers to achieve resolution? FWIW... I've seen spam that resolved like that one for about 3-5 months passing by my spam reporting eyes. When I started this thread, I figured I'd try to put an end to it and tenaciously reported to everywhere/one I could fathom to get it to stop. Heh, I even blogged it, which made me feel a little better. http://spamnation.blogspot.com/ Wish I would have assigned some blame to ISPs for the state of the spam (in the blog).
Jeff G. Posted July 30, 2005
*.torrence-family.com is still somewhat alive.
68.37.212.170 reports at least the following IP Addresses for them, sorted alphabetically: 24.158.127.243 24.173.238.236 24.34.202.69 24.4.7.96 24.7.125.104 63.200.55.35 67.176.137.127 70.241.30.193 80.98.219.161 82.231.185.57
24.4.100.137 reports at least the following IP Addresses for them, sorted alphabetically: 24.13.123.241 24.14.51.159 24.158.127.243 24.173.238.236 24.3.75.140 24.7.125.104 24.9.114.7 24.94.238.113 63.200.55.35 67.173.19.43 67.176.137.127 68.37.212.170 69.151.154.149 71.8.197.224 82.231.185.57
24.168.185.6 reports at least the following IP Addresses for them, sorted alphabetically: 24.13.123.241 24.14.51.159 24.3.75.140 24.9.114.7 24.94.238.113 67.173.19.43 67.176.137.127 68.37.212.170 69.151.154.149 71.8.197.224
67.165.71.72 reports at least the following IP Addresses for them, sorted alphabetically: 24.13.123.241 24.14.51.159 24.3.75.140 24.9.114.7 24.94.238.113 67.173.19.43 67.176.137.127 68.37.212.170 69.151.154.149 71.8.197.224
24.12.119.73 reports at least the following IP Addresses for them, sorted alphabetically: 24.13.123.241 24.130.44.226 24.15.148.146 24.9.114.7 66.229.220.213 67.182.30.46 68.44.185.91 69.151.154.149 69.211.16.157 70.241.30.193
All combined, that gives us the following reporting addresses for those IP Addresses, each of which is presumed to be either a zombie or directly under the control of the spammer:
24.12.119.73 (ns & a) abuse[at]comcast.net, abuse[at]att.net
24.13.123.241 abuse[at]comcast.net, abuse[at]att.net
24.130.44.226 abuse[at]comcast.net, abuse[at]att.net
24.14.51.159 abuse[at]comcast.net, abuse[at]att.net
24.15.148.146 abuse[at]comcast.net, abuse[at]att.net
24.158.127.243 abuse[at]charter.net, abuse[at]att.net
24.168.185.6 (ns) abuse[at]rr.com
24.173.238.236 abuse[at]rr.com
24.3.75.140 abuse[at]comcast.net, abuse[at]att.net
24.34.202.69 abuse[at]comcast.net, abuse[at]att.net
24.4.100.137 (ns) abuse[at]comcast.net, abuse[at]att.net
24.4.7.96 abuse[at]comcast.net, abuse[at]att.net
24.7.125.104 abuse[at]comcast.net, abuse[at]att.net
24.9.114.7 abuse[at]comcast.net, abuse[at]att.net
24.94.238.113 abuse[at]rr.com
63.200.55.35 abuse[at]pacbell.net
66.229.220.213 abuse[at]comcast.net, abuse[at]att.net
67.165.71.72 (ns) abuse[at]comcast.net, abuse[at]att.net
67.173.19.43 abuse[at]comcast.net, abuse[at]att.net
67.176.137.127 abuse[at]comcast.net, abuse[at]att.net
67.182.30.46 abuse[at]comcast.net, abuse[at]att.net
68.37.212.170 (ns & a) abuse[at]comcast.net, abuse[at]att.net
68.44.185.91 abuse[at]comcast.net, abuse[at]att.net
69.151.154.149 abuse[at]sbcglobal.net
69.211.16.157 abuse[at]sbcglobal.net
70.241.30.193 abuse[at]sbcglobal.net
71.8.197.224 abuse[at]charter.net, abuse[at]att.net
80.98.219.161 abuse[at]upc.hu, abuse[at]chello.hu, postmaster[at]aorta.net, abuse[at]chello.at, abuse[at]chello.se, abuse[at]telekabel.at, postmaster[at]chellonetwork.com, abuse[at]chello.com, abuse[at]cox.net, abuse[at]aol.com
82.231.185.57 abuse[at]proxad.net, abuse[at]sprintlink.net
spaceman Posted July 31, 2005
Is this some new variation, or just a coincidence? From one I got today:
http://bullwhack.torrence-store.com/farm/?...ater=bwligbreak
Turmoyl Posted July 31, 2005
It could be that they are setting up shop on a new domain name but as of this moment their entire DNS setup is hosed. There are no A records and while there are SOA records this time they point to a CNAME that doesn't exist nor goes anywhere because there isn't an A record for it to reference. In other words that URI is not resolvable/routable right now. I've submitted entries to rfc-ignorant.org that reflect the new domain name.
shmengie (Author) Posted July 31, 2005
Looks like the same criminals at work. All web "servers" are running on hijacked DSL/cable computers. The whois records for both torrence-family and torrence-store indicate both domains were registered 11-Jun-2005 and last modified 26-Jun-2005. I don't have the energy at the moment to try and put an end to this one... Maybe tomorrow... Links on that page introduced "movienetworks.com" which is another domain I assume being run by these criminals, since it was registered... you guessed it, 11-Jun-2005. But it's hosted by internap.... ??? ....
shmengie (Author) Posted July 31, 2005
"It could be that they are setting up shop on a new domain name but as of this moment their entire DNS setup is hosed."
Their DNS setup is hosed by design. You can't run an illegitimate operation and avoid being tracked down if you leave a trail pointing to you.
Turmoyl Posted August 1, 2005
What I mean by "hosed" is that they have not been operational at all both at the check I performed when I posted earlier and again right now. Their DNS records have nothing except a spoofed and unusable SOA entry. This means that clicking on any links to torrence-store.com will accomplish nothing but a client-side 404. You mentioned that you browsed this domain and were redirected to another site, but I just don't see how that's been possible, at least over the last several hours.