
My "Canadian" Pharmacy


Paranoid2000


http://www.dnsreport.com/tools/dnsreport.c...opeckstable.com

At the time of this posting;

[ERROR: I was unable to get an answer from the parent servers [e.gtld-servers.net], when I tried to find the NS records for copeckstable.com.]

I would suggest that "you" running the same query in a few minutes would come up with different results, probably including lots of red and yellow warnings and failures .... ignoring that it might actually have been whacked/abandoned already ...

ping, traceroute, 'personal' browser action does not translate to SpamCop.net's DNS look-up functions ....

Edit: As a matter of fact, after posting the above, I hit the link provided and did get a different response;

A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding.

As stated, in a few minutes more, there just might be some zombied computer configured to provide DNS for this Domain ... for a few minutes more .. then the process repeats in general spammer methodology ....


  • 1 month later...

For specialized and detailed information on spamvertised websites, I strongly suggest the SpamWiki at http://www.spamtrackers.eu/wiki .

That site is created and maintained by sector professionals, and has exhaustive information on many spams and scams, notably on My Canadian Pharmacy.

There are also links to forums that deal with spamvertised websites.

This Spamcop forum is intended for Spamcop peer-to-peer support, while the above site is specialized in the spam themselves, so it is a more appropriate place for discussion and information (which also means you will find information there as well).


  • 3 weeks later...

Hi all,

Is this the same as the spam I get for http://sujji.hk ?

I must be getting 50 of these every day. They used to go by lostned or sloik.hk , or somesuch but this week it has been sujji.hk.

I am just wondering why after I report one of these on Spamcop that it won't recognize the URL? "No history" or something.

I also report to Knujon and they never show up on their reports either.

I'd be happy if I could get rid of these....

Any comments or advice much appreciated. (Keep it simple though :blink: )

Thanks.

Moderator Edit: Removed the entire previous post that was quoted in full in this post, yet nothing seemed to be associated with that previous post .. ignoring that if there was a 'direct link' it would have had something to do with the other sites/forums identified .. but the question asked (here) doesn't seem to be dealing with data on those other sites ...????


Is this the same as the spam I get for http://sujji.hk ?

I must be getting 50 of these every day. They used to go by lostned or sloik.hk , or somesuch but this week it has been sujji.hk.

I am just wondering why after I report one of these on Spamcop that it won't recognize the URL? "No history" or something.

Tracking URL?


I am just wondering why after I report one of these on Spamcop that it won't recognize the URL? "No history" or something.

SpamCop is a "BOT" it allocates time to get a reply from URL's it looks up. This is often not enough as the URL is often on a hacked computer

(If SpamCop doubles the time to retrieve an IP it slows down for everyone else)

You then have to find the IP yourself. For this you need to "traceroute" or WhoIs to get the IP.

SpamCop will then tell you the reporting address/es if you put that IP in the "Report spam" box

The Ip for

http://sujji.hk/ is

218.21.90.7

ct-abuse[at]abuse.sprint.net postmaster[at]gx163.net hostmaster[at]gx163.net anti-spam[at]ns.chinanet.cn.net

You can get a free program (Windows users) to report to registrars to take down the host servers

http://thecarpcstore.com/phpbb2/viewtopic.php?p=6272

Version 10 out now


Apropos sujji.hk ...

These guys have been flooding me for the past 48 hrs or so. The domain registrant data (from HKDNR) looks pretty bogus, and HKDNR doesn't even have well-formed whois output. I reported to HKDNR on the basis of incomplete registrant info (not expecting much from it, though).

-- rick


Here is one I got this today (Monday 19, March). This week the sujji(dot)hk has been replaced with unaik(dot)hk.

"With Viagra and Cialis pills from Canada Pharmacy store! There is no need to pay more just buy erectile dysfunction medications online at lowest prices on the web.

http://unaik.hk

No one will know that you are using medications. Completely CONIDENTIAL and SECURE purchase. "

I thought that "Canadian Pharmacy" was the original topic.

Thanks

Moderator Edit: Once again, removed the "quoted with its entirety" previous post ... there was no connection between the quoted post and 'this' post. (other than it included my previous Moderator Edit: note about this very same issue (which was also included in the quote just deleted here))


Here is one I got this today (Monday 19, March). This week the sujji(dot)hk has been replaced with unaik(dot)hk.

"With Viagra and Cialis pills from Canada Pharmacy store! There is no need to pay more just buy erectile dysfunction medications online at lowest prices on the web.

http://unaik.hk

I thought that "Canadian Pharmacy" was the original topic.

Having to ask the question, based on the lack of Tracking URLs and actual questions .... are you simply hyping this spamvertised URL?


Received via PM;

Hi,

Sorry for being a dufus and quoting everything. Do I just hit reply instead?.

The Forum FAQ and the How to use .... SpamCop Forum both have entries on the various Reply and Quote buttons.

Anyway, when I ran it I got....(I figured that sending you this by a PM would be better.)

Not really .. as noted, a delay in any response is noted. Even reading PM traffic is only done after catching up with Forum traffic, and even that has its place in the time available, mood, etc.

********************************************

Tracking message source: 83.135.133.196:

Routing details for 83.135.133.196

[refresh/show] Cached whois for 83.135.133.196 : abuse[at]versatel.de

Using abuse net on abuse[at]versatel.de

abuse net versatel.de = abuse[at]versatel.de, postmaster[at]versatel.de

Using best contacts abuse[at]versatel.de postmaster[at]versatel.de

Yum, this spam is fresh!

Message is 2 hours old

83.135.133.196 not listed in dnsbl.njabl.org

83.135.133.196 not listed in dnsbl.njabl.org

83.135.133.196 listed in cbl.abuseat.org ( 127.0.0.2 )

83.135.133.196 is an open proxy

83.135.133.196 not listed in accredit.habeas.com

83.135.133.196 not listed in plus.bondedsender.org

83.135.133.196 not listed in iadb.isipp.com

Finding links in message body

no links found

Please make sure this email IS spam:

From: "Reinstating O. Equalling" <sybbar[at]greeklanguage.net> (*****spam***** Re:)

Sorok. Ia Namestnik Haaskana. Kakogo Zla Gilsveri pozvolil emu ehat s nami? Otra

batyval by svoi dolgi Pered nim v drugoe vremia. Ustav vertet golovoj, chtoby de

View full message

Report spam to:

Re: 83.135.133.196 (Administrator of network where email originates)

To: postmaster[at]versatel.de (Notes)

To: abuse[at]versatel.de (Notes)

Additional notes (optional - max 2000 characters):

*************************************************

Then I filled in the boxes with my complaint and sent the reports.

I am not trying to hype the sites, just adding my 2 cents worth. I just want it stopped as much as rconner and the many others who receive this kind of unsolicited email do.

So from the above SC report, the link is not being found even when I, ahem, add it in (like when it says "Visit us here!", I click "view source" in Outlook and find it in the code).

I'm not sure I grok part of what was said here, the suggestion being a modification to the spam to be reported which is against the Reporting Rules. Once again, the Tracking URL would be the preferred vehicle for pointing to data to be discussed.

I was wondering if SpamCop would only process it if it were from US or EU websites? These uaikki(dot)hk, or whatever, are from Hong Kong and might not be regulated to the same extent as sites here. Or is there a site where Hong Kong spam can be forwarded to? Just wondering, that's all.

Many thanks for your time and assistance. I shall look forward to hearing from you.

Not sure what is actually trying to be said or hinted at in this set of remarks. The parser has no aptitude for favoring locales; data is gleaned, look-ups are attempted (the majority are off-site), and results (of the successful look-ups) are then posted on the parsing results screen for your review.

In this case, you cite rconner's efforts, and along with that, I'll point to rconner's last post in reply to yours, and note that he points to lousy WHOIS data, which would then translate to a look-up probably not finding a valid reporting address (for starters)

03/20/07 12:17:09 Slow traceroute sujji.hk

Trace sujji.hk (218.21.90.7) ...

192.205.32.234 RTT: 63ms TTL: 48 (att-gw.sjc.chinatelecomusa.com fraudulent rDNS)

202.97.51.169 RTT: 219ms TTL: 48 (No rDNS)

202.97.33.157 RTT: 224ms TTL: 48 (No rDNS)

202.97.40.230 RTT: 231ms TTL: 48 (No rDNS)

202.97.21.234 RTT: 239ms TTL: 48 (No rDNS)

222.217.177.142 RTT: 233ms TTL: 48 (No rDNS)

* * * failed

218.21.90.7 RTT: 240ms TTL: 49 (sujji.hk ok)

03/20/07 12:18:42 dns sujji.hk

Canonical name: sujji.hk

Addresses:

218.21.90.7

alleged web-site also providing its own DNS .... not a normal situation

whois -h whois.apnic.net 218.21.90.7 ...

% [whois.apnic.net node-1]

% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 218.21.64.0 - 218.21.127.255

netname: CHINANET-GX

descr: CHINANET Guangxi province network

descr: China Telecom

descr: A12,Xin-Jie-Kou-Wai Street

descr: Beijing 100088

country: CN

admin-c: CH93-AP

tech-c: CR766-AP

mnt-by: MAINT-CHINANET

mnt-lower: MAINT-CHINANET-GX

changed: hostmaster[at]ns.chinanet.cn.net 20010731

status: ALLOCATED NON-PORTABLE

source: APNIC

role: CHINANET GUANGXI

address: No.35,Minzhu Road,Nanning 530015

country: CN

phone: +86-771-2815987

fax-no: +86-771-2839278

e-mail: hostmaster[at]gx163.net

trouble: send spam reports to hostmaster[at]gx163.net

trouble: send abuse reports to hostmaster[at]gx163.net

trouble: times in GMT+8

admin-c: CR76-AP

tech-c: BD37-AP

nic-hdl: CR766-AP

remarks: http://www.gx.cninfo.net

notify: hostmaster[at]gx163.net

mnt-by: MAINT-CHINANET-GX

changed: hostmaster[at]gx163.net 20021024

source: APNIC

person: Chinanet Hostmaster

nic-hdl: CH93-AP

e-mail: anti-spam[at]ns.chinanet.cn.net

address: No.31 ,jingrong street,beijing

address: 100032

phone: +86-10-58501724

fax-no: +86-10-58501724

country: CN

changed: lqing[at]chinatelecom.com.cn 20051212

mnt-by: MAINT-CHINANET

source: APNIC

163.net already famous for spam spew sourcing .. so the odds on sending yet another complaint there doing anything different are pretty slim.

03/20/07 12:22:20 Browsing http://sujji.hk/

Fetching http://sujji.hk/ ...

GET / HTTP/1.1

Host: sujji.hk

Connection: close

pulls up nothing more than this ..... could make an assumption that if there is still anything there, it's hiding behind some scripting to check for 'gullible users' using insecure browsers ...????
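The whois record above is where the reporting addresses for 218.21.90.7 actually come from: a parser has to split the RPSL-style output into objects and pull the contacts out of the "trouble:" and "e-mail:" attributes. The following is an added example, not SpamCop's code or anything from this thread; it runs offline on a constructed, trimmed copy of that record (the forum's "[at]" obfuscation is kept in the sample and normalised by the code). The attribute-priority order and the abuse/spam keyword filter are this example's own choices.

```python
"""Extract abuse/spam reporting contacts from APNIC-style (RPSL) whois text.

Added example; the sample record below is a trimmed, constructed copy of the
CHINANET-GX record quoted in the thread, with the forum's [at] obfuscation.
"""
import re
from typing import Dict, List

SAMPLE_WHOIS = """\
% [whois.apnic.net node-1]
inetnum:      218.21.64.0 - 218.21.127.255
netname:      CHINANET-GX
descr:        CHINANET Guangxi province network
country:      CN
admin-c:      CH93-AP
tech-c:       CR766-AP
mnt-by:       MAINT-CHINANET
source:       APNIC

role:         CHINANET GUANGXI
e-mail:       hostmaster[at]gx163.net
trouble:      send spam reports to hostmaster[at]gx163.net
trouble:      send abuse reports to hostmaster[at]gx163.net
trouble:      times in GMT+8
nic-hdl:      CR766-AP
source:       APNIC

person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam[at]ns.chinanet.cn.net
source:       APNIC
"""

# Accepts both a real '@' and the forum's '[at]' obfuscation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+(?:@|\[at\])[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_whois_objects(text: str) -> List[Dict[str, List[str]]]:
    """Split whois output into blank-line-separated objects.

    Each object maps attribute name -> list of values, so repeated
    attributes such as 'trouble:' or 'descr:' are all kept. Comment lines
    starting with '%' are ignored.
    """
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def abuse_contacts(text: str) -> List[str]:
    """Return de-duplicated reporting addresses in order of preference.

    Explicit 'trouble:' lines that mention abuse or spam come first, then
    'abuse-mailbox:', then plain 'e-mail:' attributes, object by object.
    """
    found: List[str] = []
    for obj in parse_whois_objects(text):
        for key in ("trouble", "abuse-mailbox", "e-mail"):
            for value in obj.get(key, []):
                # 'trouble:' also carries notes like time zones; keep only
                # the lines that actually say where abuse/spam reports go.
                if key == "trouble" and not re.search(r"\b(abuse|spam)\b", value, re.I):
                    continue
                for addr in EMAIL_RE.findall(value):
                    addr = addr.replace("[at]", "@").lower()
                    if addr not in found:
                        found.append(addr)
    return found


if __name__ == "__main__":
    for contact in abuse_contacts(SAMPLE_WHOIS):
        print(contact)
```

Run against the sample it yields hostmaster@gx163.net first (named in the "trouble:" lines) and anti-spam@ns.chinanet.cn.net second, which is the same set the thread's earlier post lists for this IP apart from the upstream Sprint contact, which comes from a different record.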


Apropos sujji.hk ...

These guys have been flooding me for the past 48 hrs or so. The domain registrant data (from HKDNR) looks pretty bogus, and HKDNR doesn't even have well-formed whois output. I reported to HKDNR on the basis of incomplete registrant info (not expecting much from it, though).

I received a personal reply from HKDNR, asking whether it would be OK for them to forward my report to the HK police and HKCERT. I told them to feel free (so long as they didn't send it to anyone else). Of course, since these crooks do not use HK resources for mail or web hosting, I don't know what the HK Police could be expected to do about the matter. I told HKDNR (again) to suspend the domain, but they haven't yet and I won't hold my breath until they do.

The crooks seem to have backed off using the sujji.hk domain, they have now moved on to at least two others (but still pointing to the same IP address).

The CHINANET-GX net block is where I consistently find these guys' website. I've copied this outfit on dozens of reports, they appear to be unresponsive (pardon me while I collect myself from the terrible shock of this realization).

-- rick


I received a personal reply from HKDNR, asking whether it would be OK for them to forward my report to the HK police and HKCERT. I told them to feel free (so long as they didn't send it to anyone else). Of course, since these crooks do not use HK resources for mail or web hosting, I don't know what the HK Police could be expected to do about the matter. I told HKDNR (again) to suspend the domain, but they haven't yet and I won't hold my breath until they do.<snip>

As an aside.... :) This is an automated reply that they appear to send out to all domain abuse reports. I've submitted many hundreds of reports to HKDNR relating to .hk out-and-out criminal fraud domains, (these lot for example) and received that bot reply every time, but they have never suspended a single domain to my knowledge. I copy all my reports to Hong Kong police (crimeinformation[at]police.gov.hk) direct now with an allegation that HKDNR are aiding and abetting criminal fraud & requesting an investigation. It doesn't do any good, of course, but I do get an occasional reply from the police to say they are looking into it, and it does make me feel better. If everybody flooded the HK police with complaints re .hk out-and-out fraud sites, then perhaps some pressure might be put on HKDNR to be less criminal friendly, (their registration agreement allows them to take action). As it is I seem to see, (if it's not my imagination!), more and more .hk spamming and fraud domains like the one above appearing in my spam every day, not surprising, really, as they appear to be bulletproof.

The crooks seem to have backed off using the sujji.hk domain, they have now moved on to at least two others (but still pointing to the same IP address).

The CHINANET-GX net block is where I consistently find these guys' website. I've copied this outfit on dozens of reports, they appear to be unresponsive (pardon me while I collect myself from the terrible shock of this realization).

The law is a nascent, not yet developed, justice system when dealing with spammers, so expect Police action to be slow. A big key to the law targeting a suspect is when the website is not taken down: they have identified the suspect but need to complete proof.


  • 1 month later...

The problem with SpamCop not being able to resolve many of Alex Polyakov's spammed sites (eg My Canadian Pharmacy) is well known, documented, and accepted by Ironport.

To see how and why it happens, check out the EU spam Wikipedia entry for Alex Polyakov at

http://www.spamtrackers.eu/wiki/index.php?...od_of_operation

The process of hijacking other people's machines is covered at

http://www.spamtrackers.eu/wiki/index.php?...e=Hijacked_host

Historical note.

The Ironport IP block was first discovered during a forensic analysis of one of the machines he hijacked back in May 2006, so the problem has been outstanding for a year now.

http://snowcrash.ca/blawg/2006/05/investig...romised_li.html


  • 2 years later...

This topic brings up a good question. Would it be possible for me to, say, on my parents computer, use SpamCop's DNS server? Since spammers like blocking spamcop's DNS so much, it would, in the end, stop these spammer sites from loading on my parents computer :)

If so, how would I go about doing this? Or, does it not "work" this way?

Now, if only they would "block" OpenDNS servers (208.67.222.222, 208.67.220.220 if any of you miscreants are reading!).


<snip>

Would it be possible for me to, say, on my parents computer, use SpamCop's DNS server?

<snip>

...My guess is that SpamCop would not permit this but you could ask: deputies[at]admin.spamcop.net.

Would it be possible for me to, say, on my parents computer, use SpamCop's DNS server? Since spammers like blocking spamcop's DNS so much, it would, in the end, stop these spammer sites from loading on my parents computer :)

If so, how would I go about doing this? Or, does it not "work" this way?

Things don't work the way you are trying to describe. I believe you are confusing some terms and definitions. Dictionary, Glossary contents here has been making its way to the Wiki over the years. At issue are things like DNS, IPA, and IP-Block.

Somewhat simply, a DNS (Domain Name Server) is something your computer would use to do a look-up to find the location of a particular URL/URI. So in general, the only reason 'your computer' would want/need to look up the spammers' sites would be because you clicked on the links, thus asking your computer to do that work. The actual browser 'call' to ask for and download/transfer the data to display the web-page would be coming from "your" computer (specifically, from the IP Address your computer has been assigned from your ISP/Host,) which would have nothing to do with the DNS server you had requested data from.

It should also bear repeating, SpamCop's Parsing & Reporting systems' DNS look-ups only spend a few milli-seconds waiting for a reply, whereas your browser is willing to wait 2, 5, 10 minutes to not interfere with the user experience. Not the same process at all.

On the other hand, OpenDNS does have a function of handling 'bad' data. There are numerous third-party filtering tools out there, not all of them as senseless as simply filling up the local Hosts file until it's so bloated that nothing really runs anymore as far as Internet traffic.
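The distinction drawn above, a reporting parser that gives a nameserver only a short budget versus a browser that will wait far longer, is the reason a spamvertised name can show "no history" in SpamCop yet still load in a browser. The following is an added example, not SpamCop's or any project's code: it resolves a name under an explicit wall-clock budget and classifies the outcome. The budgets are this example's own illustrative values, not SpamCop's actual timeouts, and the only lookups exercised offline are an IP literal (which the resolver returns without a query) and a name under the reserved .invalid TLD.

```python
"""Resolve a hostname under a hard time budget, the way an automated parser
must, and classify names that only answer for a patient client.

Added example. gethostbyname() has no timeout of its own, so the lookup runs
in a daemon thread and the caller simply stops waiting when the budget is spent.
"""
import socket
import threading
from typing import Dict, Optional

# Illustrative budgets (assumed; not SpamCop's real values).
PARSER_BUDGET_S = 0.05    # an automated parser cannot afford to wait long
BROWSER_BUDGET_S = 30.0   # a browser will happily wait this long or longer


def bounded_lookup(hostname: str, budget_s: float) -> Optional[str]:
    """Return the first IPv4 address for hostname, or None.

    None means either the name does not resolve (NXDOMAIN, SERVFAIL, no
    resolver configured) or the resolver did not answer within budget_s.
    """
    outcome: Dict[str, str] = {}

    def resolve() -> None:
        try:
            outcome["ip"] = socket.gethostbyname(hostname)
        except OSError as exc:
            outcome["error"] = str(exc)

    worker = threading.Thread(target=resolve, daemon=True)
    worker.start()
    worker.join(budget_s)
    if worker.is_alive():
        # Budget exhausted: a slow or unreachable nameserver looks exactly
        # like "no answer" to a parser that cannot wait any longer.
        return None
    return outcome.get("ip")


def classify(hostname: str,
             parser_budget_s: float = PARSER_BUDGET_S,
             browser_budget_s: float = BROWSER_BUDGET_S) -> str:
    """'resolves' if the name answers within the parser's budget, 'slow' if it
    only answers within the browser's budget, else 'unresolvable'."""
    if bounded_lookup(hostname, parser_budget_s) is not None:
        return "resolves"
    if bounded_lookup(hostname, browser_budget_s) is not None:
        return "slow"
    return "unresolvable"


if __name__ == "__main__":
    # Constructed inputs: an IP literal needs no query; .invalid never resolves.
    for name in ("127.0.0.1", "no-such-host.invalid"):
        print(f"{name}: {classify(name)}")
```

A name that comes back as "slow" is the case rconner describes later in the thread: the nameserver is reachable but so sluggish (for instance, hidden behind proxies) that a parser with a fixed budget treats it as unanswered while a browser eventually gets through.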


This topic brings up a good question. Would it be possible for me to, say, on my parents computer, use SpamCop's DNS server?
Great lateral thinking! Use a nameserver that spammers deliberately try to duck! Another form of spam filtering, I suppose.

The post you mentioned was a couple years old, so I don't know whether the condition described (attributed to a specific crew of spammers) still obtains. Also, as has been pointed out, sometimes the spammy DNS only seems to refuse service to SpamCop, when what is really happening is that the spammy DNS is just very slow (makes sense, because a lot of these guys hide their auth nameservers behind botnet proxies, not the most efficient networking technique).

If you do ask the admins about this, please post the results if you don't mind. I'd be interested to hear about them.

-- rick
