bobbear Posted October 5, 2006

norwaygroupconsulting.cn DEAD (4 days)
consultinggroupnorway.cn DEAD (5 days)
It took 5 days. I entered a trouble ticket for each at www.joker.com and provided evidence. I sent a follow-up quoting the original ticket numbers.

Well done. The only trouble is, Terry, that both those domains, (& also the other 10 I reported & listed earlier in the thread), have all sequentially gone on 'Invalid Address', which I assume means false whois data, which means that they have been through the ICANN 15 day procedure, something which Joker have always said they stick to. Mind, everyone who reports them to Joker undoubtedly helps to focus their priorities and you certainly do make a superbly convincing & excellently researched case, which means your reports are more likely to be listened to. I don't wish to take any credit away from you - if everybody reported these crooks in the way you do I'm sure the rogue registrars would be 'encouraged' to clean up their acts. Mind, even 4 or 5 days is a totally unacceptable response from a registrar with such unassailable evidential reports as yours of criminal fraud.

I suspect we are getting close to a new incarnation for these crooks.... I wonder what it will be next? Swedish consulting Co? Finnish consulting Co? Finninvest Co etc etc? I expect they will hold a brainstorming session on the new name..... All answers on a £5 note.....

Well, I wasn't far off there - in my first batch of spam today is this one: http://israeliservicesbrokerage.cn/index.php?sect_id=6 Same criminals, same MO and guess who the registrar is? Joker.com of course..... :angry: I thought they might stick with Europe, but they've gone with the Middle East this time. This is a fresh incarnation, Terry (with me, anyhow, and I seem to be their favourite mug) & would be a better indicator of Joker's response time.

If you feel like having a go at this one please feel free - I'm sure your reports are better than mine. It would be nice to really attack this one. As usual I shall also submit my usual reports to Joker, but the more, (& better!), the merrier! They are also using a new nameserver, (gwjirr.com), & guess who that is also registered with.... I assume from that that they have given up on teams-cs.com so I guess that is history - I'll give you that one, Terry - Enom always resisted that one for me....

[Edit] Right - that's reports submitted via email & webform to Joker & also to the nameserver hosts. Not to my usual evidential standard as I am due to cook an old lady's lunch 25 miles away & tempus fugit... Assuming I was the first to report the two domains involved, (& that may well not be the case), I wouldn't expect action from Joker for a couple of weeks, so any other reports to speed things up would be a great help... With any decent registrar it would be suspended & out of the zone in 24 hours, i.e. tomorrow - some hopes....
Farelf Posted October 5, 2006

Well done Terry. On a slightly different tack, it strikes me shmengie would be interested in the topic (but hasn't been around since it started). Note some of the work reported in the topic http://forum.spamcop.net/forums/index.php?...ost&p=34509 - even a bit of Python script to help verify botnets (not that there's much else, just a year later) - http://forum.spamcop.net/forums/index.php?...ost&p=34810.
TerryNZ (Author) Posted October 5, 2006

Today my computer went down and into the repair shop for a quote. My backup computer is not working on DSL. Furthermore, I don't usually spend time taking out one site. I am currently trying to get >2,500 sites taken down in one effort, and >1,000 in another, and that has priority over this new consulting scam. I have only so much time, so I have to spend it where there is maximum leverage.
bobbear Posted October 5, 2006

Right - that's reports submitted via email & webform to Joker & also to the nameserver hosts. Not to my usual evidential standard as I am due to cook an old lady's lunch 25 miles away & tempus fugit... Assuming I was the first to report the two domains involved, (& that may well not be the case), I wouldn't expect action from Joker for a couple of weeks, so any other reports to speed things up would be a great help... With any decent registrar it would be suspended & out of the zone in 24 hours, i.e. tomorrow - some hopes....

Response from Joker so far - Nil.

Response within 30 minutes from nameserver hosts:
"Hi Bob, Thanks for bringing this to our attention. The customers server has now been blocked. Regards Nick Ryce Network Administrator Real Time Management LLP".

Thank you Nick. It just shows what could be achieved if all links in the chain were to pull in the same direction. The site is unresolvable as I write this, but not for long, I fear - two more domains registered by Israeli Brokerage Services Ltd, (israeliservicesbrokerageltd.cn & israeliltdbrokerageservices.cn), & no doubt somewhat more bombproof nameserver host(s) are being set up.....

Anyway, I have no wish to bore everyone to death, so I think that's the end of this topic for me! Good hunting Terry and all....
TerryNZ (Author) Posted October 5, 2006

No action on my part, but
http://www.dnsstuff.com/tools/traversal.ch?domain=israeliservicesbrokerage.cn&type=A
http://www.dnsstuff.com/tools/traversal.ch?domain=israeliltdbrokerageservices.cn&type=A
ns1.gwjirr.com [195.170.173.8] Timeout
ns2.gwjirr.com [66.78.51.10] Timeout
Both sites are currently down. You don't know your own power sometimes. :-)
TerryNZ (Author) Posted October 5, 2006

Subsequent to 3 emails to a registrar requesting removal of a chain of nameservers, the following 1,980 web sites are not responding today.

<snip for brevity>

These sites accounted for huge amounts of spam for the following:
Exquisite Replica
Hoodia Life
HGH Life

The sites were the handiwork of the most wanted spammer on the Rokso Top 10 - Alex Polyakov.
bobbear Posted October 6, 2006

No action on my part, but
http://www.dnsstuff.com/tools/traversal.ch?domain=israeliservicesbrokerage.cn&type=A
http://www.dnsstuff.com/tools/traversal.ch?domain=israeliltdbrokerageservices.cn&type=A
ns1.gwjirr.com [195.170.173.8] Timeout
ns2.gwjirr.com [66.78.51.10] Timeout
Both sites are currently down. You don't know your own power sometimes. :-)

Well done on the multiple nameserver front.... V. satisfying when it all comes off, especially on that sort of scale!...

ns1.gwjirr.com [195.170.173.8] Timeout = Real Time Management (Nick Ryce - v. helpful - actioned my report in less than 30 mins...)
ns2.gwjirr.com [66.78.51.10] Timeout = bogus

Still no action from Joker on either gwjirr.com or israeliservicesbrokerage.cn etc although they received exactly the same evidential report, (showing DNS traversal/botnet setup & other evidential data), as did the nameserver hosts, Real Time Management, (I copy reports to all concerned). Joker MAY have initiated the 15 day ICANN procedure on my report as part of it alleged false whois data, but i) they never respond to tell you, and ii) that sort of response time is simply not satisfactory anyway. I find the site/nameserver hosts are usually more responsive than some registrars, but the spammers are usually back up on another host only too quickly....... I'm surprised that israeliservicesbrokerage.cn is not back up again already - they usually pop up on another host in 24 hours or less, but all harassment is better than none at all...

I only mention israeliservicesbrokerage.cn as a typical example - I tend to go after all obvious criminal fraud spams, (money laundering, phishing, 419 etc), that I receive & leave the pills/porn/watches/stocks etc sites to others with better eyes & more time..... Keep up the good work!
TerryNZ (Author) Posted October 6, 2006

Well done on the multiple nameserver front.... V. satisfying when it all comes off, especially on that sort of scale!...

Thanks, I must admit to feeling somewhat vindicated in my suggestions that SpamCop adopt the nameserver - registrar reporting strategy. It's great when it works on such a scale. I have a spreadsheet containing 2,010 site names that were all working last week, spamming HGH Life, Exquisite Replicas, Hoodia Life. I can't test them all, but random sampling of 20 sites shows them all down.

Joker MAY have initiated the 15 day ICANN procedure on my report as part of it alleged false whois data, but i) they never respond to tell you, and ii) that sort of response time is simply not satisfactory anyway.

Yes, I know from this side of the fence how frustrating it is to get no feedback. But in the past I have spent time on the other side of the fence. Working for two of the world's largest Internet companies, I have had some experience with large scale helpdesk operations, and have had to make decisions in this very area. There are two very good reasons for the "no response" approach to high volume complaints.

1. Opening a dialog adds an order of magnitude to an already massive workload. Better to fix the problem and spend your time fixing the next one than performing feedback. A robotic acknowledgement response saying "we have taken your request and we are handling it" is the best tactic, and uses your resources to maximum efficiency.

2. Legal reasons related to liability. I will not explain any further.
Farelf Posted October 7, 2006

Thanks, I must admit to feeling somewhat vindicated in my suggestions that SpamCop adopt the nameserver - registrar reporting strategy. It's great when it works on such a scale.

...Indeed, my jaw bone is possibly permanently welded to the carpet. Magnificent work.
TerryNZ (Author) Posted October 9, 2006

The Registrar / Nameserver compliance request method

I received a spam with subject VbAGRA. The URL redirected to royaledward.info - yet another attempted reincarnation of Pharma Shop. I thought it might be a good idea to show how to go about shutting down the operation. Up front is the request. Then the definitive evidence.

REQUEST
-------
This is a compliance request to remove access to the illegal Pharma Shop site.
ACTION: eNom Inc: to lock out and remove access to royaledward.info
ACTION: Intercosmos: to lock out and set to 0.0.0.0 the Address records in zone file ahamew.info

EVIDENCE
--------
Pharma Shop
http://royaledward.info

Nameserver and Address discovery
http://www.dnsstuff.com/tools/traversal.ch...info&type=A < ../tools/traversal.ch?domain=royaledward.info&type=A >
ns1.ahamew.info [201.150.75.155] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [64.252.215.93] Timeout
ns4.ahamew.info [200.159.197.142] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153
ns5.ahamew.info [81.32.119.26] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153

Five minutes later
ns1.ahamew.info [201.150.75.155] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [64.252.215.93] Timeout
ns4.ahamew.info [200.159.197.142] 200.30.252.182 200.60.216.160 217.162.110.20 24.67.108.19 84.26.154.21
ns5.ahamew.info [81.32.119.26] 200.30.252.182 200.60.216.160 217.162.110.20 24.67.108.19 84.26.154.21

Five minutes later
ns1.ahamew.info [62.46.105.117] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [84.26.154.21] 159.134.163.143 200.159.210.151 200.30.252.182 200.60.216.160 76.208.249.153
ns4.ahamew.info [200.159.197.142] 159.134.163.143 200.159.210.151 200.30.252.182 200.60.216.160 76.208.249.153
ns5.ahamew.info [76.208.249.153] [Error: Port Unreachable]

Interpretation
--------------
A webserver botnet of illegally compromised machines running a proxy webserver. Addresses on a round-robin are updated every 5 minutes to escape security alerts sent to the owners of the compromised machines. Nameservers (located in Spain, Brazil, Mexico, Chile, CT USA, Austria, Netherlands etc) are also illegally compromised machines running a trojan proxy nameserver program.

Nameserver registrar discovery
------------------------------
http://www.dnsstuff.com/tools/whois.ch?ip=ahamew.info
Sponsoring Registrar:Intercosmos Media Group, Inc.

Website registrar discovery
---------------------------
http://www.dnsstuff.com/tools/whois.ch?ip=royaledward.info
Sponsoring Registrar:eNom, Inc.

See the McAfee Site Advisor page available to all browsers with the Site Advisor plug-in
http://www.siteadvisor.com/sites/royaledward.info

Please act promptly to terminate your sponsorship for this criminal activity.
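As an added example (not code from this thread or from dnsstuff), the following Python parses the three traversal snapshots quoted in the post above and quantifies what the Interpretation section describes: how much of the A-record round-robin is replaced between snapshots, which nameservers change their own address, and which nameserver IPs also serve the web content. The snapshot text is transcribed from the post; the 0.5 churn threshold is an assumption.

```python
import re

# Three dnsstuff-style traversal snapshots for royaledward.info, transcribed from
# the post above (taken about five minutes apart). Each line reads:
#   <nameserver> [<nameserver IP>] <A records ...> | Timeout | [Error: ...]
SNAPSHOTS = [
    """ns1.ahamew.info [201.150.75.155] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [64.252.215.93] Timeout
ns4.ahamew.info [200.159.197.142] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153
ns5.ahamew.info [81.32.119.26] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153""",
    """ns1.ahamew.info [201.150.75.155] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [64.252.215.93] Timeout
ns4.ahamew.info [200.159.197.142] 200.30.252.182 200.60.216.160 217.162.110.20 24.67.108.19 84.26.154.21
ns5.ahamew.info [81.32.119.26] 200.30.252.182 200.60.216.160 217.162.110.20 24.67.108.19 84.26.154.21""",
    """ns1.ahamew.info [62.46.105.117] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [84.26.154.21] 159.134.163.143 200.159.210.151 200.30.252.182 200.60.216.160 76.208.249.153
ns4.ahamew.info [200.159.197.142] 159.134.163.143 200.159.210.151 200.30.252.182 200.60.216.160 76.208.249.153
ns5.ahamew.info [76.208.249.153] [Error: Port Unreachable]""",
]

LINE_RE = re.compile(r"^(\S+)\s+\[([\d.]+)\]\s*(.*)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CHURN_THRESHOLD = 0.5  # assumed: half the A records replaced per interval counts as flux

def parse_snapshot(text):
    """Map nameserver -> (its IP, frozenset of A records); timeouts/errors give an empty set."""
    result = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ns, ns_ip, rest = m.groups()
            result[ns] = (ns_ip, frozenset(t for t in rest.split() if IP_RE.match(t)))
    return result

def churn(prev, cur):
    """Share of A records replaced between two answer sets (1 - Jaccard similarity)."""
    if not prev and not cur:
        return 0.0
    return 1.0 - len(prev & cur) / len(prev | cur)

def analyse(snapshots):
    """Summarise how the A records and the nameserver addresses move across snapshots."""
    parsed = [parse_snapshot(s) for s in snapshots]
    per_snapshot = [set().union(*(ans for _, ans in p.values())) for p in parsed]
    all_a = set().union(*per_snapshot)
    ns_ips = {}
    for p in parsed:
        for ns, (ip, _) in p.items():
            ns_ips.setdefault(ns, set()).add(ip)
    churns = [churn(a, b) for a, b in zip(per_snapshot, per_snapshot[1:])]
    # Nameservers whose own address moved, and nameserver IPs that also serve the content
    moving_ns = sorted(ns for ns, ips in ns_ips.items() if len(ips) > 1)
    ns_in_a = sorted({ip for ips in ns_ips.values() for ip in ips} & all_a)
    return {
        "distinct_a": len(all_a),
        "churn": churns,
        "moving_ns": moving_ns,
        "ns_in_a": ns_in_a,
        "fast_flux": bool(churns) and all(c >= CHURN_THRESHOLD for c in churns),
    }
```

On the quoted snapshots, three quarters of the round-robin is replaced at each five-minute interval, three of the five nameservers move address, and four nameserver IPs also appear as web server addresses, which is the single pool of hosts playing every role that the post describes.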
Farelf Posted October 10, 2006

Thanks Terry, a useful template (even I understand it).

The Registrar / Nameserver compliance request method

I received a spam with subject VbAGRA. The URL redirected to royaledward.info - yet another attempted reincarnation of Pharma Shop. I thought it might be a good idea to show how to go about shutting down the operation. Up front is the request. Then the definitive evidence.

(Link to subject post added)
showker Posted October 10, 2006

Let's not forget that any recent efforts to go after web advertising more aggressively (i.e. Blue Frog like) have met with severe retaliation from spammers, who were successful in shutting them down. All the more reason to deploy an "FFB" than one single entity. No matter how good the criminals are, they couldn't go after hundreds of thousands of individual users for retaliation -- even if they could find out who they are. :-) See: http://www.paulgraham.com/ffb.html
Jank1887 Posted October 12, 2006

OK, let's recap: SC still does its job, providing an automated mechanism for assisting people in notifying ISPs about spamming activity, and maintaining the SCBL. We've seen some evidence here and a pretty straightforward process (template) for communicating spamvertised site abuse to responsible parties, with success ranging from marginal to exceptional. Now, what? TerryNZ has hinted at direct past contact with some of the Powers that Be here with SC, and they've indicated a lack of resources to take this same approach in an automated fashion with the SC submissions. (more later)

My thoughts:

1) Start a new thread in the New Feature Request board. Link to this discussion (possibly to individual posts since this is getting long) showing the 'template' and results. Recommend SC find a way to implement some form of this template. TerryNZ mentioned that it doesn't make sense to send a million of these to the registrars. So, maybe limit based on reported volume (1 report per day for each... ?domain? ?server? per #Threshold# reports). I.e., something with similar methods but "reasonable" resources.

2) Based on the statement above, would it make sense to implement similar limiting to the standard SC ISP reports? (one per IP per unique spam per... ?day? ?listing renewal? ?#threshold number of reports#) Maybe another New Feature Request. Those with better knowledge of the current reporting mechanism could shoot this down. End goal: ease up SC mailserver resources. (Rather than send the ISP a link to individual reports, send them a link to a single page listing the reports for that IP, which gets updated as they come in.)

3) I just started playing around with the PhishTank. For those who aren't aware, it's a "new wacky cool Web 2.0" open (free) phishing site database which is user driven. (Submit a site with spam background, users vote it up or down onto a confirmed list, list available for free to those who could use it, with an open API.) Currently I think it just feeds OpenDNS, but it's something. Anyway, the point is, would something like this approach be useful for facilitating item #1 above? Some user supported, system facilitated mechanism to notify the appropriate bodies in a controlled fashion. Just a thought.
Wazoo Posted October 12, 2006

1) Start a new thread in the New Feature Request board.

An ignored suggestion way back in Linear Post #15 ...
TerryNZ (Author) Posted October 12, 2006

The Registrar / Nameserver compliance request method

REQUEST
-------
This is a compliance request to remove access to the illegal Pharma Shop site.
ACTION: eNom Inc: to lock out and remove access to royaledward.info
ACTION: Intercosmos: to lock out and set to 0.0.0.0 the Address records in zone file ahamew.info

EVIDENCE
--------
Pharma Shop
http://royaledward.info
Link now results in "Server not found" DEAD

Nameserver and Address discovery
http://www.dnsstuff.com/tools/traversal.ch...info&type=A < ../tools/traversal.ch?domain=royaledward.info&type=A >
ns1.ahamew.info [201.150.75.155] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [64.252.215.93] Timeout
ns4.ahamew.info [200.159.197.142] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153
ns5.ahamew.info [81.32.119.26] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153
Link now results in [Reports no A record (NXDOMAIN)]

Nameserver registrar discovery
------------------------------
http://www.dnsstuff.com/tools/whois.ch?ip=ahamew.info
Sponsoring Registrar:Intercosmos Media Group, Inc.
He can't take it anywhere else
Status:TRANSFER PROHIBITED

Website registrar discovery
---------------------------
http://www.dnsstuff.com/tools/whois.ch?ip=royaledward.info
Sponsoring Registrar:eNom, Inc.
He can't transfer it from eNom either
Status:TRANSFER PROHIBITED

Removal complete in 48 hours
dnk Posted January 3, 2007

Brilliant! The best and most instructive read I have had in ages. I have been subjected to hundreds of automatic non-delivery notices for a couple of days now, and your article, along with others in this forum, has cheered me up 100% and forced me to contribute. - Though as I am at the start of an exponential learning curve all I can offer is a big thank you! I hope that this is not too frivolous as a first post.
Wazoo Posted January 3, 2007

I hope that this is not too frivolous as a first post.

That you made it here, took the time to read it all, offer up thanks to those that took the time to post it all .... hardly frivolous .... a big Thank You! is offered. Your efforts and actions are much appreciated.
dallase Posted January 6, 2007

They exist: http://rss.uribl.com/nic/

http://rss.uribl.com/nic/ has been updated from 3 days to the last 5 days of available data, sorted by most abused/abusive registrar.
Telarin Posted March 1, 2007

Dredging up an old post... TerryNZ: Have you had any luck with nameservers handled by Beijing Innovative? I have been reporting the same replica site to these guys for weeks, always the same nameservers ns0.lestem.com and ns1.lestem.com, and they just won't die. I'm wondering if either Beijing Innovative is black hat, or just empty hat.
dra007 Posted March 2, 2007

Empty skull more likely!