shmengie Posted August 1, 2005 (Author)

[quote]You mentioned that you browsed this domain and were redirected to another site, but I just don't see how that's been possible, at least over the last several hours.[/quote]

I'd be lying to you if I said I understood how this works, but digging (and nslookup too) on the fqdn bullwhack.torrence-store.com works even tho torrence-store.com doesn't ??????? That doesn't fit my understanding of DNS resolution. Yet, looky there.

$ dig bullwhack.torrence-store.com

; <<>> DiG 9.1.0 <<>> bullwhack.torrence-store.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17281
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 0

;; QUESTION SECTION:
;bullwhack.torrence-store.com. IN A

;; ANSWER SECTION:
bullwhack.torrence-store.com. 5 IN A 68.58.110.87
bullwhack.torrence-store.com. 5 IN A 68.254.114.243
bullwhack.torrence-store.com. 5 IN A 24.94.238.113
bullwhack.torrence-store.com. 5 IN A 24.194.147.92
bullwhack.torrence-store.com. 5 IN A 67.190.24.114

;; AUTHORITY SECTION:
torrence-store.com. 7200 IN NS ns4.torrence-store.com.
torrence-store.com. 7200 IN NS ns5.torrence-store.com.
torrence-store.com. 7200 IN NS ns1.torrence-store.com.
torrence-store.com. 7200 IN NS ns2.torrence-store.com.
torrence-store.com. 7200 IN NS ns3.torrence-store.com.
Turmoyl Posted August 1, 2005

Ahh - they're spoofing a CNAME record as an A. That's how you got routed to it. I'll file some more stuff at rfc-ignorant.org now. Thanks for clearing that up.

Edit: rofl - looks like they're already off-line again:

$ dig bullwhack.torrence-store.com

; <<>> DiG 9.2.4 <<>> bullwhack.torrence-store.com
;; global options: printcmd
;; connection timed out; no servers could be reached
Farelf Posted August 2, 2005

I guess they can be resolved most of the time - but whenever you try to look at their status they're gone again (or going). Neat in a perverted sort of way.

[b][i]01-08-2005 09:22 GMT[/i][/b]
DNS Traversal for bullwhack.torrence-store.com. Generated by www.DNSstuff.com
Getting NS record list at l.root-servers.net... Done!
Looking up at the 13 com. parent servers:
Server | Response | Time
c.gtld-servers.net [192.26.92.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 8ms
a.gtld-servers.net [192.5.6.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 114ms
g.gtld-servers.net [192.42.93.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 114ms
l.gtld-servers.net [192.41.162.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 114ms
f.gtld-servers.net [192.35.51.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 114ms
k.gtld-servers.net [192.52.178.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 114ms
e.gtld-servers.net [192.12.94.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 114ms
h.gtld-servers.net [192.54.112.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 223ms
i.gtld-servers.net [192.43.172.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 223ms
b.gtld-servers.net [192.33.14.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 223ms
d.gtld-servers.net [192.31.80.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 223ms
j.gtld-servers.net [192.48.79.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 223ms
m.gtld-servers.net [192.55.83.30] | ns1.torrence-store.com. ns2.torrence-store.com. ns3.torrence-store.com. ns4.torrence-store.com. ns5.torrence-store.com. | 334ms
Status: Records all match.
Looking up at the 5 torrence-store.com. parent servers:
Server | Response | Time
ns1.torrence-store.com [24.15.148.146] | 24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 | 107ms
ns3.torrence-store.com [67.173.19.43] | 24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 | 107ms
ns5.torrence-store.com [69.245.151.168] | 24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 | 107ms
ns4.torrence-store.com [24.14.251.172] | 24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 | 325ms
ns2.torrence-store.com [71.8.197.224] | Timeout
Status: Records DO NOT all match: Results from ns2.torrence-store.com do not match results from ns4.torrence-store.com.
© Copyright 2000-2005 R. Scott Perry

[b][i]01-08-2005 09:28 GMT[/i][/b]
DNS Traversal for bullwhack.torrence-store.com. Generated by www.DNSstuff.com
Getting NS record list at a.root-servers.net... Done!
Looking up at the 13 com. parent servers:
Server | Response | Time
[b][i]... similar to first run[/i][/b]
Status: Records all match.
Looking up at the 5 torrence-store.com. parent servers:
Server | Response | Time
ns1.torrence-store.com [24.15.148.146] | 24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 | 108ms
ns3.torrence-store.com [67.173.19.43] | 24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 | 108ms
ns2.torrence-store.com [71.8.197.224] | Timeout
ns4.torrence-store.com [24.14.251.172] | Timeout
ns5.torrence-store.com [69.245.151.168] | Timeout
Status: Records DO NOT all match: Results from ns5.torrence-store.com do not match results from ns3.torrence-store.com.

[b][i]01-08-2005 09:38 GMT[/i][/b]
DNS Traversal for bullwhack.torrence-store.com. Generated by www.DNSstuff.com
Getting NS record list at f.root-servers.net... Done!
Looking up at the 13 com. parent servers:
Server | Response | Time
[b][i]... similar to first run[/i][/b]
Status: Records all match.
Looking up at the 5 torrence-store.com. parent servers:
Server | Response | Time
ns5.torrence-store.com [69.245.151.168] | 24.14.251.172 24.15.148.146 67.173.19.43 69.245.151.168 71.8.197.224 | 110ms
ns3.torrence-store.com [67.173.19.43] | [Error: Socket error 10054 [s=6968 tcp=0]] | 217ms
ns1.torrence-store.com [24.15.148.146] | Timeout
ns2.torrence-store.com [71.8.197.224] | Timeout
ns4.torrence-store.com [24.14.251.172] | Timeout
Status: Records DO NOT all match: Results from ns4.torrence-store.com do not match results from ns5.torrence-store.com.

[b][i]02-08-2005 02:24 GMT[/i][/b]
DNS Traversal for bullwhack.torrence-store.com. Generated by www.DNSstuff.com
Getting NS record list at h.root-servers.net... Done!
Looking up at the 13 com. parent servers:
[b][i]... similar to first run[/i][/b]
Status: Records all match.
Looking up at the 5 torrence-store.com. parent servers:
Server | Response | Time
ns4.torrence-store.com [24.170.168.82] | 24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 | 108ms
ns1.torrence-store.com [69.139.45.186] | 24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 | 217ms
ns2.torrence-store.com [24.72.103.253] | 24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 | 217ms
ns3.torrence-store.com [24.14.199.175] | 24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 | 217ms
ns5.torrence-store.com [69.139.33.81] | 24.14.199.175 24.170.168.82 24.72.103.253 69.139.33.81 69.139.45.186 | 217ms
Status: Records all match.
shmengie Posted August 2, 2005 (Author)

They cycle thru new zombies all the time. I'm guessing all the zombies communicate via an IRC ring. When one drops out (probably frequently since these hijacked computers are probably slow), a new one is more than willing to take its place. This makes it very difficult to report to ISPs because they are constantly changing. ISPs probably don't log the web traffic, so nonexistent logs make reference difficult.

nslookup @ infected machine also reports the same addresses. Looks like DNS records are all set to expire as soon as they're issued.

Web browsing the 'domain' directly doesn't tell you which host you connect to, unless you're sniffing packets. Directly referencing IP addresses results in a disconnect/no data.

I wrote this bare minimum web browser python script to verify each and every "server" returned web pages, by addressing server directly then issuing a get url command, should you wish to check for your own amusement.

SpamResearch.py

import socket

domain = 'bullwhack.torrence-store.com'
url = 'http://bullwhack.torrence-store.com'  # /farm/?bridgewater=bwligbreak

# Resolve every A record the name currently returns: (canonical name, aliases, list of IPs)
domain, alias, addresses = socket.gethostbyname_ex(domain)
command = 'GET'

for address in addresses:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(30)  # don't hang forever on a zombie that has dropped out
    s.connect((address, 80))
    print('peer:', s.getpeername())
    # Minimal HTTP/0.9-style request; sockets need bytes in Python 3
    s.sendall((command + ' ' + url + '\n').encode())
    result = b''
    while True:
        data = s.recv(8196)
        if not data:
            break
        result = result + data
    s.close()
    print('Address: %s returned %d bytes' % (address, len(result)))
    #print('Last result\n:')
    #print(result)

Heh, if it wasn't vigilantism (and I might get in trouble w/my isp), I'd write a script that sent an e-mail once a minute to the ISPs stating that such and such computer is serving spamvertized webpages.
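The resolution pattern shmengie describes above (A records with a TTL of a few seconds, answers spread across consumer broadband addresses, and name-server addresses that change between lookups) is exactly what a resolver-log or DNS-monitoring check can flag. The script below is an added example written for this edit, not code posted in the thread: it parses the dig output quoted earlier in the thread, scores the fast-flux indicators, and measures how much the NS address set changed between two of the DNSstuff traversals. The 300-second TTL threshold, the minimum of three addresses, and the use of distinct /16 prefixes as a stand-in for "different networks" are assumptions of this example, not values from the thread.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample input: the answer/authority sections of the dig output
# quoted earlier in this thread, embedded here so the script runs offline.
DIG_OUTPUT = """\
;; ANSWER SECTION:
bullwhack.torrence-store.com. 5 IN A 68.58.110.87
bullwhack.torrence-store.com. 5 IN A 68.254.114.243
bullwhack.torrence-store.com. 5 IN A 24.94.238.113
bullwhack.torrence-store.com. 5 IN A 24.194.147.92
bullwhack.torrence-store.com. 5 IN A 67.190.24.114

;; AUTHORITY SECTION:
torrence-store.com. 7200 IN NS ns4.torrence-store.com.
torrence-store.com. 7200 IN NS ns5.torrence-store.com.
torrence-store.com. 7200 IN NS ns1.torrence-store.com.
torrence-store.com. 7200 IN NS ns2.torrence-store.com.
torrence-store.com. 7200 IN NS ns3.torrence-store.com.
"""

# Name-server addresses from two of the DNSstuff traversals quoted in this
# thread (01-08-2005 09:22 GMT and 02-08-2005 02:24 GMT).
NS_SNAPSHOT_1 = {"24.14.251.172", "24.15.148.146", "67.173.19.43",
                 "69.245.151.168", "71.8.197.224"}
NS_SNAPSHOT_2 = {"24.14.199.175", "24.170.168.82", "24.72.103.253",
                 "69.139.33.81", "69.139.45.186"}

RR = namedtuple("RR", "name ttl rtype rdata")
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")


def parse_dig(text):
    """Return the resource records in dig output, skipping ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RR_LINE.match(line)
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append(RR(name, int(ttl), rtype, rdata))
    return records


def flux_indicators(records, ttl_threshold=300, min_addresses=3):
    """Score the A records for the fast-flux pattern described in the thread:
    a near-zero TTL plus several addresses scattered across unrelated networks
    (approximated here by distinct /16 prefixes). The thresholds are assumptions
    chosen for this example."""
    a_records = [r for r in records if r.rtype == "A"]
    addresses = {r.rdata for r in a_records}
    prefixes = {str(ipaddress.ip_network(addr + "/16", strict=False)) for addr in addresses}
    min_ttl = min((r.ttl for r in a_records), default=None)
    reasons = []
    if min_ttl is not None and min_ttl < ttl_threshold:
        reasons.append("A-record TTL %d s is below %d s" % (min_ttl, ttl_threshold))
    if len(addresses) >= min_addresses and len(prefixes) == len(addresses):
        reasons.append("%d addresses in %d different /16 networks" % (len(addresses), len(prefixes)))
    return {
        "addresses": sorted(addresses),
        "min_ttl": min_ttl,
        "distinct_prefixes": len(prefixes),
        "suspicious": len(reasons) == 2,  # both indicators must fire
        "reasons": reasons,
    }


def ns_churn(earlier, later):
    """Fraction of name-server addresses that disappeared between two lookups;
    1.0 means the whole NS set was replaced (the 'cycling zombies' effect)."""
    if not earlier:
        return 0.0
    return len(earlier - later) / len(earlier)


if __name__ == "__main__":
    report = flux_indicators(parse_dig(DIG_OUTPUT))
    for reason in report["reasons"]:
        print("-", reason)
    print("suspicious:", report["suspicious"])
    print("NS churn between snapshots: %.0f%%" % (100 * ns_churn(NS_SNAPSHOT_1, NS_SNAPSHOT_2)))
```

Run against the thread's own data the script reports a 5-second TTL, five addresses in five different /16 networks, and 100% turnover of the name-server addresses between the two traversals, which is the signal to hold the domain for investigation rather than trust any single lookup. In a real deployment the same two functions would be fed from passive DNS or resolver logs rather than a pasted dig transcript.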
Jeff G. Posted August 2, 2005

How about every time you get a spam advertising that domain?
Jank1887 Posted August 2, 2005

[quote]How about every time you get a spam advertising that domain?[/quote]

Hey, that sounds strangely like a manual report. Why didn't anyone think of that before <g>
shmengie Posted August 2, 2005 (Author)

[quote]How about every time you get a spam advertising that domain?[/quote]

It's been done, ad infinitum, spam keeps coming... I haven't received a spam referencing torrence-store.com so I have not reported it. Can't get China, Korea, Russia (ASIA for that matter) to quit providing web-space to spammers. Reporting seems merely an exercise for the tenacious.

The volume of spam I receive has dropped to 1/2 lately. It seems as though I may have been taken off "a" spammer's list by reporting the torrence-family.com to everyone I could fathom. Seems unlikely I will receive a spam referencing the family "store."

In order for these domains to get a hook into the DNS system, the spammer probably has to expose themselves in a window of potential identification. Once the domain is running around loose on the web, they can cut the ties and enjoy pure anonymity. In either event, I think this spammer is a blatant criminal, using the uneducated public to host web pages on their computers.

I'm tempted to take a proactive stance. If I can get a spammer shutdown, I'm inclined to do so... I've reported the web-bots to ISPs. I've tried to tell several ISPs how they could take a proactive stance. They seem to ignore my suggestions as well as the abuse reports. I reported several web hosting bots to an ISP and the only response I've received was "We don't host web sites on that address so your report is wrong." I promptly replied and believe my reply was promptly ignored.

So if you get a spam that references a website, should you hold your breath until you get another referencing the same site? Q: Would you turn blue in the process?
KenLongcrier Posted August 2, 2005

I've just received a spam that had 3 other sites that were not really advertisements and had nothing to do with the spam. :angry: (I took the liberty of sending targeted based on the addresses that SpamCop used to send the initial reports...)

I just thought someone should know

Thanks
Ken

P.S. Any spam reporting to SiteSpecific.com is being ignored...

-----Original Message-----
From: postmaster@sitespecific.net [mailto:postmaster@sitespecific.net]
Sent: Tuesday, August 02, 2005 10:41 AM
To: Longcrier, Ken
Subject: Autoreply: Please disregard the spam-Report I just sent through SPAMCOP...

You have sent an email to an unmonitored Site Specific, Inc. email address. You may contact us using the information provided in the following link.
http://www.sitespecific.com/contact

Thank you,
Turmoyl Posted August 2, 2005

Ken,

That is a violation of RFC 2821 and you can use that autoresponder as "evidence" to submit that domain for blacklisting at RFC-Ignorant: http://www.rfc-ignorant.org/tools/submit_f...able=postmaster

If you do not want to do that then please post the source of that entire message here and I'll do it on your behalf.
shmengie Posted August 2, 2005 (Author)

This doesn't fit the topic of this thread, but here goes...

[quote]I've just received a spam that had 3 other sites that were not really advertisements and had nothing to do with the spam. :angry: (I took the liberty of sending targeted based on the addresses that SpamCop used to send the initial reports...)[/quote]

Spammers do that often... Why??? I dunno. Some include anchored links around nothing so they're not visible in HTML rendered text but point to other domains??? (ones they hate?) Some include domains that don't resolve??? Not sure what to do about the ones that obfuscate the spamvertized site by forcing a direct searchengine match thru google or yahoo. I usually report to google and/or yahoo so they receive notification, as well as the ISP hosting the actual spamvertized site.
Jeff G. Posted August 2, 2005

[quote]That is a violation of RFC 2821 and you can use that autoresponder as "evidence" to submit that domain for blacklisting at RFC-Ignorant: http://www.rfc-ignorant.org/tools/submit_f...able=postmaster

If you do not want to do that then please post the source of that entire message here and I'll do it on your behalf.[/quote]

That won't be necessary, Ralf took care of it last week.
Jeff G. Posted August 2, 2005

[quote]Spammers do that often... Why??? I dunno. Some include anchored links around nothing so they're not visible in HTML rendered text but point to other domains??? (ones they hate?)[/quote]

These appear to be a mix of joe-jobs and misdirection.

[quote]Some include domains that don't resolve???[/quote]

These appear to be domains that have either been terminated in some way or are temporarily unavailable due to circumstances beyond the spammer's control.

[quote]Not sure what to do about the ones that obfuscate the spamvertized site by forcing a direct searchengine match thru google or yahoo. I usually report to google and/or yahoo so they receive notification, as well as the ISP hosting the actual spamvertized site.[/quote]

I try to do the same.
Turmoyl Posted August 2, 2005

[quote]That won't be necessary, Ralf took care of it last week.[/quote]

It looks like they didn't accept Rolf's input (they can be very picky) so I'd still like Ken to post the source of that message so that we can submit them again.

EDIT: I have just submitted them to RFC-I's WHOIS list because the address on their WHOIS record is falsified. However, if we can get the source of that message then I can list them on the Postmaster BL as well.
Jeff G. Posted August 3, 2005

The submission I was writing about was the postmaster submission for sitespecific.net. I believe you were writing about the postmaster submission for sitespecific.com. In any case, multiple people have been busy - see http://www.rfc-ignorant.org/tools/lookup.p...ific.net&full=1 and http://www.rfc-ignorant.org/tools/lookup.p...ific.com&full=1 for details.
Turmoyl Posted August 3, 2005

I'm glad to see we're not alone in this. The pending WHOIS for sitespecific.com is mine.
Jeff G. Posted August 3, 2005

Cool. Should that fail, please be aware that sitespecific.com's hostmaster (probably the same "Nate R. Sullivan") doesn't like reading test messages, but is perfectly willing to send MDNs (mail delivery notifications).
Turmoyl Posted August 3, 2005

torrence-family.com, torrence-store.com, sitespecific.com and sitespecific.net are all now firmly entrenched in the RFCI blacklists:

http://www.rfc-ignorant.org/tools/lookup.p...ence-family.com
http://www.rfc-ignorant.org/tools/lookup.p...rence-store.com
http://www.rfc-ignorant.org/tools/lookup.p...itespecific.com
http://www.rfc-ignorant.org/tools/lookup.p...itespecific.net

I'll have postmaster and abuse entries done for spamis.info over this coming weekend as well (I'm just waiting on the 5-day queue time for the delivery failures).
shmengie Posted August 4, 2005 (Author)

OMG, the criminals expand their criminality

Received an e-bay spoof. This one resolves to the web-bot. www.access-authorization.com/ebayauth

Maybe e-bay will step up and help fight this plight.

Name: www.access-authorization.com
Addresses: 12.214.117.250, 62.195.145.140, 67.176.137.127, 68.73.144.101, 69.252.161.230

peer: ('69.252.161.230', 80) pcp0012142052pcs.oakrdg01.tn.comcast.net
Address: 69.252.161.230 returned 17397 bytes
peer: ('12.214.117.250', 80) 12-214-117-250.client.mchsi.com
Address: 12.214.117.250 returned 17397 bytes
peer: ('62.195.145.140', 80) i145140.upc-i.chello.nl
Address: 62.195.145.140 returned 17397 bytes
peer: ('67.176.137.127', 80) c-67-176-137-127.hsd1.il.comcast.net
Address: 67.176.137.127 returned 17397 bytes
peer: ('68.73.144.101', 80) adsl-68-73-144-101.dsl.ipltin.ameritech.net
Address: 68.73.144.101 returned 17397 bytes
Jeff G. Posted August 4, 2005

Bad Thpammerth!
StevenUnderwood Posted August 4, 2005

[quote]OMG, the criminals expand their criminality

Received an e-bay spoof. This one resolves to the web-bot. www.access-authorization.com/ebayauth

Maybe e-bay will step up and help fight this plight.[/quote]

Why is this any different than the spoofs I have gotten re: ebay for over a year now? IIRC, their emails to spoof@ebay.com directed me to use their web page to report...never heard anything more.
Wazoo Posted August 4, 2005

whois -h whois.crsnic.net access-authorization.com ...
Redirecting to TUCOWS INC.

whois -h whois.opensrs.net access-authorization.com ...
Registrant:
Shut Down for Spamming
Shut Down
Shut Down, Shut Down 00000
US

Domain name: ACCESS-AUTHORIZATION.COM

Administrative Contact:
Shut Down, Shut Down shutdownforspamming@aoneloan.com
Shut Down
Shut Down, Shut Down 00000
US
0000000000

Technical Contact:
Shut Down, Shut Down shutdownforspamming@aoneloan.com
Shut Down
Shut Down, Shut Down 00000
US
0000000000

Registrar of Record: TUCOWS, INC.
Record last updated on 04-Aug-2005.
Record expires on 02-Jul-2006.
Record created on 02-Jul-2005.

Domain servers in listed order:

Domain status: ACTIVE
shmengie Posted August 4, 2005 (Author)

[quote]Why is this any different than the spoofs I have gotten re: ebay for over a year now? IIRC, their emails to spoof@ebay.com directed me to use their web page to report...never heard anything more.[/quote]

In the past, spoofs have pointed to a specific IP address, which didn't resolve to a domain name. This one doesn't appear to be a random ip address, because you'll see the "a somewhat convincing domain name" in the address bar of your browser.

Because this "website" is hosted on zombied machines, it is not possible for "officials" to identify or track down the criminal responsible. This is a somewhat unprecedented level of anonymity afforded to these criminals by this virus/trojan/zombie.
shmengie Posted August 4, 2005 (Author)

[quote]Shut Down, Shut Down 00000
Record last updated on 04-Aug-2005.
Record expires on 02-Jul-2006.
Record created on 02-Jul-2005.[/quote]

Wow, that was quick. Guessing that e-bay contacted tucows regarding that domain. I didn't.

access-authorization.com 02-Jul-2005
torrence-family.com 11-Jul-2005
torrence-store.com 11-Jul-2005

Looks like this zombie was designed for the e-bay spoof, and the other scams were added as an afterthought. Shortly (about 2 days) after I wrote tucows about the torrence-family.com it became inactive. That record does not reflect the "spamming" incident. The two inactive have NS1.NETSOL.COM as their domain server on the whois record. Currently torrence-store.com is still active and lists the "current" zombies as the domain servers.

Since this site is picking on the w3ird0s who like to see ppl and farm animal sex, I haven't been in a hurry to see it shutdown. I'm hoping the FBI is investigating this issue, but I doubt it.
shmengie Posted August 12, 2005 (Author)

Two new domains showed up today, hosted on compromised computers:

www.nelema.com
www.teljar.com

pheromones anyone?

Appears that the criminals have switched from Tucows to YESNIC for registrar.

Domain Name: NELEMA.COM
Registrar: YESNIC CO. LTD.

These two were registered 10-Aug-2005
Jeff G. Posted August 12, 2005

Email to dmanager@yesnic.com works when its mailbox isn't full, which is the case at present.