bobbear Posted January 21, 2007
This money laundering fraudster (norden.hk) appears to be running a zombie botnet herded by an Apache webserver running on the nameserver IP 72.29.99.77 (ns1.bg-arati.com [72.29.99.77]). The IP 72.29.99.77 is owned by Colo4Dallas & is part of a block reassigned to one Patrick Moore (no, not the Sky at Night Patrick Moore for UK readers, but then I suspect that it's an alias....). Colo4Dallas are totally unresponsive to innumerable abuse reports sent to all addresses including the CEO & VP. So, what's the word on Colo4Dallas? Are they a blackhat organisation? Anyone any info? Norden United are one of my most prolific crooked spammers, but the IP 72.29.99.77 doesn't appear to be listed anywhere, but then the Spamcop parser doesn't see the nameserver IP, just the source IP which is just one of umpteen ever changing zombies, so it's not a lot of use in getting the controlling IP listed. The registrar for norden.hk is HKDNR who is also totally unresponsive to abuse reports & is in the blackhat frame along with Joker etc.
turetzsr Posted January 22, 2007
...Google is your friend! http://groups.google.com/groups?lnk=hpsg&q=Colo4Dallas
bobbear Posted January 22, 2007
Thanks for that Steve - tried a web search but didn't try the groups. Lots of chaff that's hard work to make much sense of, but two things appear to be certain, firstly that colo4dallas crops up an awful lot, but the main thing is that they do not respond to abuse reports. Despite Paul VanMeter's claim that they "do not support spammers", they appear to support both spammers & fraudsters in my, admittedly limited, experience in trying to get them to take action.
bobbear Posted January 23, 2007
Finally managed to make contact with Jeremy Pope of colo4dallas. It seems the problem was a not unusual one - spam filtering on the abuse address along with no NDRs being sent. I'm happy to report back that now we have made contact they report that they have given the offending IP address owner 2 hours notice to remove the service prior to null routing it.
[Edit] Jeremy was as good as his word and turned it round very fast. Mind, the crook wasted no time in switching his apache botnet herder over to a layeredtech IP address (72.36.159.12). Here we go again..... At least they don't appear to have a spamfilter on their abuse reporting address....
turetzsr Posted January 23, 2007
...Thanks for the good news, bobbear! ...Based on your latest note, I shall mark this forum thread as "resolved."