
Reporting a zombie to deaf ISP


Elvira


Since April 2006, off and on, my domain name has been targeted by a botnet in France, using a fictitious name[at]my domain as a reply-to address. At one point I was receiving hundreds of thousands (yes, really) of false bounces from clueless ISPs. The most clueless one of all is Wanadoo/Orange.fr, ironic because all the originating IPs of the original spam resolved to Wanadoo machines. I tried to report this and got no reply (or an auto-reply which just told me how to look at headers). After a lull over Christmas, another machine has started up. Its IP number is [193.251.27.217], and it routes to various other Wanadoo/Orange servers. How can I report this machine to Spamcop or anyone else who might take notice? I have tried reporting to abuse[at]wanadoo and abuse[at]orange.fr but get either no reply at all, or the auto-reply that just goes round in circles. I've tried using the Spamcop report form, but cannot put it in a form that does not generate errors. Help!



You can use SpamCop to report the actual email you get (likely the misdirected bounce). It is against SpamCop's rules to report the message that caused the bounce because "it is not your spam to report".

That being said, you can simply enter the IP address into the spamcop report form and get the addresses spamcop will use for reporting and try a manual report to there. In this case:

Reporting addresses: abuse[at]wanadoo.fr (I know, but you likely get the same response that SpamCop does. As long as you submitted with headers, know that you have done what you can.)

In the last 24 hours there have been 2 reports made against that address and a bunch in the last week. It is not listed on SpamCop currently, but is listed at: 193.251.27.217 listed in dnsbl.sorbs.net ( 127.0.0.10 )

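One way to pull the reportable pieces out of a misdirected bounce, as an added example (this is not SpamCop's parser and not code from this thread). The DSN below is constructed; every hostname, IP and address in it is an assumption. The point it illustrates is the rule in the reply above: the message you hold is the bounce, so the host to report is the MTA that accepted the spam and then bounced it (the topmost Received header of the bounce, confirmed by Reporting-MTA), while the forged Reply-To and the zombie IP inside the attached original are context only, not yours to report.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample DSN (every host, IP and address here is made up).
# Structure: multipart/report with a human-readable part, a
# message/delivery-status part and the original message attached.
SAMPLE_DSN = """\
Return-Path: <>
Received: from mta-out.example-isp.test (mta-out.example-isp.test [198.51.100.7])
\tby mx.mydomain.test (Postfix) with ESMTP id ABC123
\tfor <fictitious.name@mydomain.test>; Mon, 08 Jan 2007 10:15:02 +0000
From: Mail Delivery System <MAILER-DAEMON@example-isp.test>
To: fictitious.name@mydomain.test
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mta-out.example-isp.test.
The user you tried to reach does not exist.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mta-out.example-isp.test

Final-Recipient: rfc822; nobody@example-isp.test
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mta-out.example-isp.test with SMTP id XYZ789;
\tMon, 08 Jan 2007 10:14:59 +0000
From: Fictitious Name <fictitious.name@mydomain.test>
Reply-To: fictitious.name@mydomain.test
To: nobody@example-isp.test
Subject: cheap meds

buy now

--B1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_received_ip(msg):
    """IP from the topmost Received header, i.e. the host that handed this
    message to the MX that added the header.  None if no bracketed IP."""
    for hdr in msg.get_all("Received") or []:
        m = IP_IN_BRACKETS.search(str(hdr))
        if m:
            return m.group(1)
    return None


def parse_backscatter(raw):
    """Return what a bounce tells us, keeping the two messages apart:
    the DSN itself (ours to report) and the attached original (not ours)."""
    msg = message_from_string(raw, policy=policy.default)
    info = {
        # null envelope sender plus multipart/report is the signature of a DSN
        "is_dsn": str(msg.get("Return-Path", "")).strip() == "<>"
        and msg.get_content_type() == "multipart/report",
        "bouncing_mta_ip": first_received_ip(msg),
        "reporting_mta": None,
        "forged_reply_to": None,
        "original_source_ip": None,
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # a per-message header block, then one block per recipient
            for block in part.get_payload():
                mta = block.get("Reporting-MTA")
                if mta:
                    info["reporting_mta"] = str(mta).split(";", 1)[-1].strip()
        elif ctype == "message/rfc822":
            original = part.get_payload()[0]
            info["forged_reply_to"] = parseaddr(str(original.get("Reply-To", "")))[1] or None
            info["original_source_ip"] = first_received_ip(original)
    return info


def report_target(info):
    """The IP SpamCop would parse as the source of *this* mail: the MTA
    that accepted the spam and then bounced it, not the zombie inside."""
    return info["bouncing_mta_ip"] if info["is_dsn"] else None


if __name__ == "__main__":
    found = parse_backscatter(SAMPLE_DSN)
    for key, value in found.items():
        print(f"{key:20} {value}")
    print("report:", report_target(found))
```

Feed it the raw bounce with full headers; if `is_dsn` comes back false the message was not a bounce at all and the usual parse applies.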

There is a very long topic about wanadoo's cluelessness and lack of response (not about misdirected bounces, but other areas).

If you report the misdirected bounces via spamcop, you will be educating all those clueless ISPs (except wanadoo apparently) that still accept email and then email a non-delivery message.

If you want to educate wanadoo, IMHO, it will have to be via some other medium - letters to editors, to stockholders, etc.

Better yet, get your ISP to block them. If enough ISPs blocked them, they might get the message. The problem is that ISPs won't block mail servers because they get too many complaints that aunt susie's email is blocked. Comcast is just as bad as wanadoo, but lots of people who would be appalled that 'their' ISP is allowing porn to be sent still use Comcast because it is cheap and available.

Miss Betsy


Since April 2006, off and on, my domain name has been targeted by a botnet in France, using a fictitious name[at]my domain as a reply-to address. At one point I was receiving hundreds of thousands (yes, really) of false bounces from clueless ISP's.

Perhaps you have already fixed this problem, but I have been similarly targeted and suffered from thousands of "false bounce" messages, until I found out that my ISP allows me to specify that only emails addressed to a certain few of my e-addresses at my domains are allowed to reach my inbox.

In other words:

Mail sent to info[at]mydomain.com and myname[at]mydomain.com is sent to my Inbox.

Mail sent to anythingelse[at]mydomain.com is automatically redirected to the equivalent of junk[at]myisp.com and trashed by my ISP.

This simple and very effective action has stopped all this type of extraneous email from cluttering up my inbox. For you and any other people suffering similarly; perhaps your ISPs offer the same filtering service.

Cheers

Nev


Perhaps you have already fixed this problem, but I have been similarly targeted and suffered from thousands of "false bounce" messages, until I found out that my ISP allows me to specify that only emails addressed to a certain few of my e-addresses at my domains are allowed to reach my inbox.

In other words:

Mail sent to info[at]mydomain.com and myname[at]mydomain.com is sent to my Inbox.

Mail sent to anythingelse[at]mydomain.com is automatically redirected to the equivalent of junk[at]myisp.com and trashed by my ISP.

Terminology usually seen around here for this is "turn off the catch-all account" .. meaning that yes, only certain e-mail addresses are valid, and those to non-valid addresses should be rejected at the time of the attempted delivery.

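The difference between "accept it and trash it" and "reject it at the time of the attempted delivery", as an added example that is not from the thread or from any real MTA. It is a toy model of two SMTP receivers: the ISP the botnet targets (which either rejects unknown users at RCPT TO or accepts and bounces later) and the victim's own MX (catch-all on, or unknown addresses rejected). Domains, mailboxes and the message count are assumptions. It also shows why a rejected bounce goes nowhere: a DSN carries a null envelope sender, and an MTA must never bounce a bounce.

```python
from dataclasses import dataclass, field

# What a receiving MTA does with mail for a local part it does not know.
REJECT = "reject"                          # 550 at RCPT TO; sender's MTA keeps the problem
CATCH_ALL = "catch_all"                    # accept and file everything in one mailbox
ACCEPT_THEN_BOUNCE = "accept_then_bounce"  # accept, notice later, send a DSN to MAIL FROM


@dataclass
class Mta:
    domain: str
    mailboxes: frozenset
    unknown_policy: str
    inbox: list = field(default_factory=list)
    dsn_queue: list = field(default_factory=list)  # (mail_from, rcpt, body) bounces we owe

    def rcpt_to(self, rcpt):
        """Reply code for 'RCPT TO:<rcpt>'.  A 550 here costs nothing and
        sends nothing to the (possibly forged) envelope sender."""
        _, _, dom = rcpt.rpartition("@")
        if dom != self.domain:
            return 554  # not our domain: relay denied
        if rcpt in self.mailboxes or self.unknown_policy != REJECT:
            return 250
        return 550

    def transaction(self, mail_from, rcpt, body):
        """One SMTP transaction.  Returns the code the sender saw."""
        code = self.rcpt_to(rcpt)
        if code != 250:
            return code
        if rcpt in self.mailboxes or self.unknown_policy == CATCH_ALL:
            self.inbox.append((mail_from, rcpt, body))
        elif mail_from:
            # Accepted, undeliverable, and the sender looked real: the only
            # option left is a DSN to MAIL FROM, which for spam is the forged
            # address.  This is where backscatter comes from.
            self.dsn_queue.append(("", mail_from, "Undelivered: " + body))
        # mail_from == "" means this was itself a DSN; RFC 5321 says never
        # bounce a null-sender message, so it is dropped silently.
        return code


def simulate(isp_policy, victim_policy, n=200):
    """The botnet sends n spams to unknown users at the ISP, forging senders
    at the victim's domain; the ISP then tries to deliver whatever DSNs it
    queued to the victim's MX.  Returns counts of what happened where."""
    isp = Mta("example-isp.test", frozenset({"alice@example-isp.test"}), isp_policy)
    victim = Mta("mydomain.test",
                 frozenset({"info@mydomain.test", "myname@mydomain.test"}),
                 victim_policy)
    spam_rejected = sum(
        isp.transaction(f"user{i}@mydomain.test", f"nobody{i}@example-isp.test", f"spam {i}") != 250
        for i in range(n))
    dsn_rejected = sum(
        victim.transaction(mail_from, rcpt, body) != 250
        for mail_from, rcpt, body in isp.dsn_queue)
    return {
        "spam_rejected_at_isp": spam_rejected,
        "backscatter_generated": len(isp.dsn_queue),
        "backscatter_in_victim_inbox": len(victim.inbox),
        "backscatter_rejected_at_victim": dsn_rejected,
        "victim_bounced_a_bounce": len(victim.dsn_queue),
    }


if __name__ == "__main__":
    for isp_policy, victim_policy in [(ACCEPT_THEN_BOUNCE, CATCH_ALL),
                                      (ACCEPT_THEN_BOUNCE, REJECT),
                                      (REJECT, CATCH_ALL)]:
        print(f"ISP={isp_policy:18} victim={victim_policy:10}",
              simulate(isp_policy, victim_policy))
```

Turning off the victim's catch-all keeps the bounces out of the inbox; it is the ISP rejecting at RCPT TO that stops them being generated at all, which is why reporting the bouncing ISP is still worth doing.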

Terminology usually seen around here for this is "turn off the catch-all account" .. meaning that yes, only certain e-mail addresses are valid, and those to non-valid addresses should be rejected at the time of the attempted delivery.

Gracious felicitations for the illuminating terminological elucidation Wazoo ..

The trouble is that with using "correct terminology" all the time .. those readers who are not computer geeks, or natural English speakers, can get quite confused at times.

Surely there is a need to reach and help those people such as myself, who are reasonably computer literate, but struggle to understand some of the terminology used on this forum and would prefer "plain English speak" on occasions.

I fail to understand why you feel the need to criticise and repeat the information. You use the correct terminology because you understand fully all the nuances associated with it .. that is why you are eligible to be one of the Admin crew. I would suggest that information understandable by the majority is preferable to "tech-speak", only understandable by those who probably don't need much help.

The benefit of using SpamCop is that it is easy to use by even the most amateur computer newbie … of which there must be many amongst the SpamCop forum readers. IMHO .. general help and answers given to questions should be given in an understandable manner, considering all who will be reading them.

The more people that use SpamCop and its Forums .. and are not put off of posting or asking simple questions for fear of being corrected for their terminology, just for the sake of it .. the better for us / the worse for the Spammers !

You "turn off the catch-all account" and I ( with the help of my ISP ) will only allow those e-addresses that I wish to be sent to my Inbox. In my very occasional posts, I will continue to use plain English for the benefit of those not so computer-savvy ( er …. technically linguistically fortunate ) as yourself. I wonder who helps who the most ?

Cheers :)

Nev

This forum is composed of people who have used spamcop and those who are LEARNING about anti-spam efforts.


Gracious felicitations for the illuminating terminological elucidation Wazoo ..

The trouble is that with using "correct terminology" all the time .. those readers who are not computer geeks, or natural English speakers, can get quite confused at times.

Surely there is a need to reach and help those people such as myself, who are reasonably computer literate, but struggle to understand some of the terminology used on this forum and would prefer "plain English speak" on occasions.

Thus begat the Dictionary, Glossary, Wiki, FAQs, ad infinitum ....

I fail to understand why you feel the need to criticise and repeat the information. You use the correct terminology because you understand fully all the nuances associated with it .. that is why you are eligible to be one of the Admin crew. I would suggest that information understandable by the majority is preferable to “tech-speak”, only understandable by those who probably don’t need much help.

Geeze ... took a lot of time off recently .. got involved this morning due to a number of PMs and e-mails received about issues in this Forum .. came back, caught up, dropped that line or two, and get jumped on again ...... thanks for firing up the attitude issue again ... here I sit with over 20 windows opened up, looking at configuration files on this server, configuration files on another of JT's servers, I actually just re-booted 'this' server, have answered over a dozen PM's, 50 e-mails, and that's within the last hour. I've got four other people's computers fired up around me in various stages of repair, re-build, clean-up. Personal issues include a Mother in the hospital about 50 miles away, yet another back surgery that has now been postponed due to an issue with her heart noted while she was waiting in the pre-operation prep room ... over a foot of snow outside and it's still coming down .. on and on ... yet, you want to take me to task for pointing out the words that could be used in a 'search' here to find all the other/previous mentioning of this scenario, look it up in the other data-holding sources, etc., etc., etc. .....

The words that come to my mind are not allowed to be used in here.

The benefit of using SpamCop is that it is easy to use by even the most amateur computer newbie … of which there must be many amongst the SpamCop forum readers. IMHO .. general help and answers given to questions should be given in an understandable manner, considering all who will be reading them.

The more people that use SpamCop and its Forums .. and are not put off of posting or asking simple questions for fear of being corrected for their terminology, just for the sake of it .. the better for us / the worse for the Spammers !

And this just after going round and round with a person that "downloaded" a bunch of stuff on his computer, to include a new version of Windows. Excuse me, but the (techy) word "download" to me has me thinking that this computer is full of hot, crap software .. which had me also thinking that he was going to be told to hit the road, as I don't deal with hot software. As it turns out, he was actually "installing" software from the original CD's ... there was no "downloading" going on at all .....


The benefit of using SpamCop is that it is easy to use by even the most amateur computer newbie … of which there must be many amongst the SpamCop forum readers. IMHO .. general help and answers given to questions should be given in an understandable manner, considering all who will be reading them.

I find this line very funny. We RARELY get posts stating that spamcop is easy to use, especially trying to get people to submit the entire headers of a message.


Thus begat the Dictionary, Glossary, Wiki, FAQs, ad infinitum ....

you want to take me to task for pointing out the words that could be used in a 'search' here to find all the other/previous mentioning of this scenario, look it up in the other data-holding sources, etc., etc., etc. .....

Aaah, and there was me thinking you were just trying to be clever .. my apologies :blush:

Although, by explaining yourself fully .. now we all understand that you were trying to be helpful.

Seems you have enough personal issues to last a lifetime .. so I won't annoy you further.

Good luck to your Mother.

Cheers :)

Nev


It is refreshing to see that someone recognizes that Wazoo does try to be helpful.

On the subject of 'catch-all' addresses - when someone isn't helped by saying 'turn off the catch-all' (which in at least one web site I know of is identified by that name in preferences with a toggle switch), then if they don't think to look it up in the glossary, they can ask. Wazoo would tell them to look it up, but others may explain it again.

If one is going to work with technical items, then one should know what the correct term is. One can probably change a tire with something that lifts the car up and a tool that fits the big roundy like things that hold the tire on, but it helps if you are asking advice on how to do it if you are told the proper names and then use them when you are asking questions. I once knew someone who called all yellow flowers, daffodils. That got me confused for a while until she explained.

Miss Betsy


...By the way, note that what Nev described ("redirected to the equivalent of junk[at]myisp.com and trashed by [the] ISP") is not the preferred method to deal with the problem, IIUC. What most of us here would suggest be done is what Wazoo described thusly: "e-mail ... to non-valid addresses should be rejected at the time of the attempted delivery." See Snowbat's reply in thread "Misdirected Bounces".



I also see TONS of stuff from Orange, including orange.co.uk, and they have been deaf to my requests as well


keyweb.de is another that doesn't want SC reports, yet still has an infected computer on its network:

Parsing input: PHARM77.COM
Host pharm77.com (checking ip) = 87.118.102.23
host 87.118.102.23 = ns.km20935-02.keymachine.de (cached)
Host pharm77.com (checking ip) = 87.118.102.23
host 87.118.102.23 = ns.km20935-02.keymachine.de (cached)
ISP does not wish to receive report regarding http://PHARM77.COM/
ISP does not wish to receive reports regarding http://PHARM77.COM/ - no date available
Routing details for 87.118.102.23
Cached whois for 87.118.102.23 : keyweb[at]keyweb.de abuse[at]keyweb.de
Using abuse net on abuse[at]keyweb.de
No abuse net record for keyweb.de
Using best contacts abuse[at]keyweb.de

Reporting addresses:
abuse[at]keyweb.de 

Quite frankly, I don't care if they don't want the reports.. I send it to them as a 'user notification'. They need to do something about the infected/exploited computer.


keyweb.de is another that doesn't want SC reports, yet still has an infected computer on its network:

<snip>

ISP does not wish to receive report regarding http://PHARM77.COM/

<snip>

Quite frankly, I don't care if they don't want the reports.. I send it to them as a 'user notification'. They need to do something about the infected/exploited computer.

...My take would be that they do not want reports from SpamCop. I don't see anything wrong with your sending a manual report, though (one that you construct and send, not one constructed and sent by SpamCop).

The problem is, AIUI, is that these admins are deaf to everyone, spamcop or manual reports. If you are serious about getting them to do something, then you have to find, and use, other ways to contact people who might actually do something. Stockholders, upstreams for instance or phone calls and snail mail letters.

You may be lucky and find someone who will do something, but since both wanadoo and comcast, two notorious networks that do not stop infected computers, still do nothing despite thousands of reports (maybe even hundreds of thousands), the only solution may be to block or filter. I am sure that I read somewhere that one server admin didn't care that his computer that housed his spam filter also was used by all the zombies on his network to send spam, since it never sent email, it didn't matter to him if it were on every blocklist there is.

Miss Betsy


The problem is, AIUI, is that these admins are deaf to everyone, spamcop or manual reports. If you are serious about getting them to do something, then you have to find, and use, other ways to contact people who might actually do something. Stockholders, upstreams for instance or phone calls and snail mail letters.

You may be lucky and find someone who will do something, but since both wanadoo and comcast, two notorious networks that do not stop infected computers, still do nothing despite thousands of reports (maybe even hundreds of thousands), the only solution may be to block or filter. I am sure that I read somewhere that one server admin didn't care that his computer that housed his spam filter also was used by all the zombies on his network to send spam, since it never sent email, it didn't matter to him if it were on every blocklist there is.

All comments above are true - over the course of the last few weeks of trying to be more "proactive" than usual, I've contacted most of the "big guys" in both ISP and registrar groups, and none seem to care. They all pay lip service to it, but it seems "cheaper" for them to ignore it, even when bashed with complaints. I've started blocking the REALLY major offenders, like Road Runner here and virgilio.it from over there, but I don't want to overload my gateways with too many filter lines, so I use a defense in depth approach. I catch the big offenders at the gate and drop them, then the banned topic/content type stuff in SA, the pump and dump crap in ImageInfo, and the virus packages in SMSSMTP. Still irritates the hell out of me that I can't get so-called responsible businesses to even take an infected machine off long enough to get it cleaned up :(


<snip>so-called responsible businesses to even take an infected machine off long enough to get it cleaned up :(

Then if they are not responsible, they are irresponsible. I only wish that some charismatic character would come along and take the time to let ordinary people know how 'irresponsible' some of the 'big guys' are.

Miss Betsy


...I only wish that some charismatic character would come along and take the time to let ordinary people know how 'irresponsible' some of the 'big guys' are.
Amen to that - but that education would have to include just how much the delinquency of those 'big guys' is actually costing them (elucidation of the fact that ordinary people are the ultimate cash cows of the internet who end up paying for the spammers' bandwidth theft). Until then, with their own and their IP's inward filters it's all effectively invisible to them.

[rant]And the 'big guys' would have to sack their bean counters and thumb their noses at their stockholders because, until then it's all relative. Remember when Comcast used to head the hall of shame listings? They no longer do and consequently the general public and their 'ethical stakeholders' no doubt reckon CC's doing a heck of a good job. CC still stinks to high heaven of course and that's not just the collective malfunction of their waterless dunnies back in corporate HQ (we all used to have waterless dunnies once and I can't say the 'retrospections' bring back anything in the way of fond memories - but I digress). On the other hand "we" are seen as the inconveniencing zealots. They're not for justice thereabouts. They are for profit.[/rant]


Freeserve/Wanadoo/Orange are well known for their cluelessness and lack of response to any problems on their network, but I find that it's a much wider problem in that many network abuse teams are also completely clueless when it comes to the zombie botnet. I currently have a problem with layeredtech who are hosting an Apache botnet herder on ns1.bg-arati.com [72.36.159.12] which runs a botnet for the well known criminal fraudster Norden United (norden.hk - HKDNR seem to be blackhat too, but that's another story as they say).

See DNS traversal

I don't think they understand the above data, & they won't accept that running a zombie botnet is evidence of criminal or spamming activity per se and refuse to take any action, therefore apparently recognising it as an acceptable process. Despite source code evidence of prolific spamming being provided by numerous abuse reports, they simply refuse to take action.

What can you do when you are constantly faced with such intransigence & stupidity by the supposed experts?


I've come across some really dumb abuse teams in my time, but the Layeredtech ones really take the biscuit! They are undoubtedly the most clueless I've come across for a long while:

DNS traversal for norden.hk:

ns1.bg-arati.com [72.36.159.12] 172.201.48.199 62.43.146.9 69.159.69.196 82.103.76.86 82.227.128.20

They're still running the above botnet herder on 72.36.159.12 and just refuse to see it, no matter what evidence I supply - I have to give up as they are now accusing me of spamming them by having the sheer effrontery to send them spam abuse reports relating to the above.

I'm no expert, but surely you'd think the above data would be enough in itself to anyone who knows an IP from a split pea? Perhaps my expectations are too high. It looks like norden.hk has found a safe haven, whether it's blackhat or just crass stupidity I don't know, but I honestly find it hard to imagine an abuse team being that dumb.

I just don't think there's enough awareness of the zombie botnet & I think it's a real problem that spamcop only sees one spam source zombie & not the fat controller. It's got to be of limited use reporting a single zombie when they are just 'throwaway' addresses with thousands ready to take their place. The controller is the IP address to report, but could it be done? I don't really know much about the parser or its capabilities. I imagine it's quite difficult if not impossible but I'd be interested in any thoughts on how to more effectively attack the botnet herders as they seem to be a growing problem.


I just don't think there's enough awareness of the zombie botnet & I think it's a real problem that spamcop only sees one spam source zombie & not the fat controller. It's got to be of limited use reporting a single zombie when they are just 'throwaway' addresses with thousands ready to take their place. The controller is the IP address to report, but could it be done? I don't really know much about the parser or its capabilities. I imagine it's quite difficult if not impossible but I'd be interested in any thoughts on how to more effectively attack the botnet herders as they seem to be a growing problem.

How could you program that search for the controller? Can you show the steps you use to track them down? Perhaps you could create a program/system to do it and ask spamcop to pass off the information to your program for further processing?

I doubt it will be implemented on spamcops servers just for the fact that these ns servers are usually set slow enough to time out before spamcop gives up on them anyway. Just keep remembering how many reports per second are being prepared and how increasing that timeout would affect all the parsing.


How could you program that search for the controller? Can you show the steps you use to track them down? Perhaps you could create a program/system to do it and ask spamcop to pass off the information to your program for further processing?

Unfortunately I don't have the expertise to program the search for the controller or create a program/system to do it. I wish I could, but my brain's too old, unfortunately.

The site hosting, (and possibly the spam sourcing), is done by the zombies and that is what SC sees as the reporting address(es) from the spam source code and reports re those addresses have limited effect as we've seen - the controllers aren't seen unless they are reported manually and dumb abuse teams like layeredtech just haven't a clue about botnets - they just do a tracert on the site, see one particular zombie and say "nothing to do with us, mate - stop spamming us" even though the controller is on one of their IPs.

As for the manual steps to track them down, that is very simple - all that is needed is the main site domain. The controller of the zombies can be seen by doing a DNS traversal lookup on the domain which shows the nameserver, its IP address and the zombies it is referencing.

For example I have just received a spam from a 'new crook on the block' western-solutions.eu who is now spamming me with the usual money laundering offer same as other well known crooks such as norden united, impex consult & swiss invest etc, the MO is pretty much the same.

All that is necessary is to input the domain, (in this case western-solutions.eu into the http://www.dnsstuff.com/ 'DNS Lookup' box, (A record), and it will return a list of the site host IPs and the nameservers. To see the full traversal, including the all important nameserver IP lookup all that is necessary is to click on the 'Click Here' button on that page and the information displayed tells the story as in this example:

http://www.dnsstuff.com/tools/traversal.ch...s.eu&type=A

The lower table is the important one here - this shows the nameserver domain, (registered by the criminals), its IP address and the zombie IPs it's referencing, presumably with the application running on the apache webserver. The multiple host IPs are indicative of a botnet, (they can be checked over time and will generally be found to rotate and rdns will usually show dsl pool addresses).

I have no idea if a recognise & lookup could be automated. If it could be then the nameserver address would be a far more useful address to send abuse reports to. One problem would be is that a zombie botnet has nameservers registered and run by the criminals, (usually using apache webservers on third party IPs), but a genuine site or a non-botnet arrangement would probably have genuine third party nameservers which obviously must not be picked up. It would be difficult.

I doubt it will be implemented on spamcops servers just for the fact that these ns servers are usually set slow enough to time out before spamcop gives up on them anyway. Just keep remembering how many reports per second are being prepared and how increasing that timeout would affect all the parsing.

Good point, although the lookup for the nameserver IP is all that is necessary in the case of a botnet nameserver & that should be fast enough - I accept that the difficulty is recognising a botnet in a sensible time frame.

Even if it can't be automated, anything that raises the awareness of the need to report the botnet nameserver/herder IPs should be useful and perhaps even some of the dumber abuse teams may get to recognise the problem, which is undoubtedly on the increase:

http://go.theregister.com/news/http://www..../botnet_threat/

I'm not teaching anyone to suck eggs here, I'm sure a lot of people more clever than me are more than familiar with all this, but this is for those who are not so familiar with the botnet, how to recognise it & how to report it in hopefully fairly simple terms.

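The manual traversal described in the post above, automated, as an added example; it is not code from the thread, from dnsstuff.com or from SpamCop. It walks domain to nameserver names, nameserver names to their addresses, then the domain's A records and the rDNS of every address seen, and compares two lookups taken a little apart to catch rotation. To run offline it reads a constructed zone table: every domain, hostname and IP in it is made up (documentation and reserved ranges), and the "botnet" decision is my heuristic, not an established rule. `lookup` is the stand-in for a resolver; swap it for real queries to try it against a live domain. A normal site on its provider's nameservers is included as a control, which is the hard part the poster mentions: not picking up genuine third-party nameservers.

```python
import ipaddress

# Tokens that, by this example's assumption, mark residential/dynamic rDNS.
DYNAMIC_MARKERS = ("dsl", "dyn", "pool", "ppp", "cable", "dhcp")


def ptr_name(ip):
    """'192.0.2.12' -> '12.2.0.192.in-addr.arpa'"""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed zone data (assumptions only).  western-solutions.test: five A
# records in unrelated residential-looking ranges, both nameservers on one
# hosting box.  shop.example.test: an ordinary site, as a control.
ZONE_T0 = {
    ("western-solutions.test", "NS"): ["ns1.bg-arati.test", "ns2.bg-arati.test"],
    ("ns1.bg-arati.test", "A"): ["192.0.2.12"],
    ("ns2.bg-arati.test", "A"): ["192.0.2.12"],
    ("western-solutions.test", "A"): ["198.51.100.199", "203.0.113.9", "100.64.5.196",
                                       "100.64.200.86", "198.51.100.20"],
    (ptr_name("192.0.2.12"), "PTR"): ["srv12.hosting.test"],
    (ptr_name("198.51.100.199"), "PTR"): ["dsl-198-51-100-199.isp-a.test"],
    (ptr_name("203.0.113.9"), "PTR"): ["203-0-113-9.dyn.isp-b.test"],
    (ptr_name("100.64.5.196"), "PTR"): ["pool-100-64-5-196.isp-c.test"],
    (ptr_name("100.64.200.86"), "PTR"): ["cable-86.isp-d.test"],
    (ptr_name("198.51.100.20"), "PTR"): ["ppp20.isp-a.test"],
    ("shop.example.test", "NS"): ["ns1.bighost.test", "ns2.bighost.test"],
    ("ns1.bighost.test", "A"): ["192.0.2.53"],
    ("ns2.bighost.test", "A"): ["192.0.2.54"],
    ("shop.example.test", "A"): ["192.0.2.80"],
    (ptr_name("192.0.2.53"), "PTR"): ["ns1.bighost.test"],
    (ptr_name("192.0.2.54"), "PTR"): ["ns2.bighost.test"],
    (ptr_name("192.0.2.80"), "PTR"): ["web7.bighost.test"],
}
# The same zone a little later: the spam site's A records have rotated.
ZONE_T1 = dict(ZONE_T0)
ZONE_T1[("western-solutions.test", "A")] = ["198.51.100.199", "203.0.113.77",
                                            "100.64.5.196", "100.64.9.3"]


def make_lookup(zone):
    """Offline stand-in for a resolver: lookup(name, rtype) -> list of rdata."""
    return lambda name, rtype: list(zone.get((name.lower(), rtype), []))


def traverse(domain, lookup):
    """The manual traversal: NS names, their addresses, the domain's A
    records, and rDNS for every address seen."""
    ns_names = lookup(domain, "NS")
    ns_ips = sorted({ip for ns in ns_names for ip in lookup(ns, "A")})
    a_ips = sorted(set(lookup(domain, "A")))
    rdns = {ip: (lookup(ptr_name(ip), "PTR") or [None])[0] for ip in ns_ips + a_ips}
    return {"domain": domain, "ns_names": ns_names, "ns_ips": ns_ips,
            "a_ips": a_ips, "rdns": rdns}


def looks_dynamic(name):
    return bool(name) and any(tok in name.lower() for tok in DYNAMIC_MARKERS)


def classify(view, later_view=None):
    """Heuristic (an assumption, not SpamCop's logic): a zombie-hosted site
    has several A records scattered over unrelated networks with residential
    rDNS that rotate between lookups, while its nameservers collapse onto
    one or two static hosts outside that pool.  Those static hosts are the
    controller, and the address worth reporting."""
    a_ips = view["a_ips"]
    residential = [ip for ip in a_ips if looks_dynamic(view["rdns"].get(ip))]
    networks = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in a_ips}
    rotated = set(a_ips) ^ set(later_view["a_ips"]) if later_view is not None else set()
    static_ns = [ip for ip in view["ns_ips"]
                 if ip not in a_ips and not looks_dynamic(view["rdns"].get(ip))]
    signals = {
        "several_a_records": len(a_ips) >= 3,
        "spread_over_networks": len(networks) >= 3,
        "mostly_residential_rdns": len(residential) * 2 > len(a_ips),
        "rotates_between_lookups": bool(rotated),
        "few_static_nameservers": 1 <= len(static_ns) <= 2,
    }
    botnet = sum(signals.values()) >= 4
    return {"signals": signals, "botnet": botnet,
            "report_these": static_ns if botnet else [],
            "zombies": a_ips if botnet else [],
            "rotated": sorted(rotated)}


if __name__ == "__main__":
    now, later = make_lookup(ZONE_T0), make_lookup(ZONE_T1)
    for domain in ("western-solutions.test", "shop.example.test"):
        verdict = classify(traverse(domain, now), traverse(domain, later))
        print(domain, verdict)
```

The second lookup matters: a single snapshot of a large legitimate site can also show many A records across networks, but its addresses are stable and its rDNS points at hosting, not at DSL pools; the rotation plus residential rDNS is what separates a zombie pool from a content delivery network in this heuristic.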

This topic is now archived and is closed to further replies.
