TerryNZ Posted February 14, 2007

COMPLAINTERATOR V5
For immediate use

Spamcop is incredibly successful and useful for reporting to the source of spam. Spamcop does a reasonable job of reporting to the owner of the IP of a spamvertized site.

When a spamvertized site is a criminal operation, the likes of Alex Polyakov, Yambo Financials, Leo Kuvayev for example, then there is a better way to shut them down. If you lodge a compliance request to the registrar, requiring them to shut them down, you have more effect.

But it would be a tiresome and inefficient approach to complain to the registrar where the site is defined: one request per site, where there are literally thousands of sites. No, it is more efficient to send requests to the registrars of the domain name servers for those spamvertized sites. Each time a registrar shuts down the name servers, then all of the spamvertized sites are inaccessible. This can result in hundreds of sites being shut down through one small change by the registrar who complies with the request. What's more, if it is done properly, those sites are not only inaccessible to the Internet, they remain inaccessible to the spammer. Dead and gone forever.

This approach has been used for the past 9 months, with stunning results. The above gangs have been hounded out of most spammer unfriendly registrars all over the world, and herded into a narrow clique of spammer friendly registrars. Their days there are numbered, too.

The driving engine behind this approach is now being released for public use. It runs in a specific operating environment - Windows, Firefox / Mozilla, and any email program. It takes as input the spamvertized domain, such as 44rx.com and determines who are the registrars for its name servers. It then prepares the complaint message(s) and allows you to review it before sending.

Download your copy from http://www.mytempdir.com/index.php?id=1215642 unzip it, read the documentation, and launch it from the Complainterator folder.

Note: This is not a replacement for Spamcop reporting, just another approach that covers some extra ground.

Feedback on Complainterator is in the discussion forum at http://thecarpcstore.com/phpbb2

StevenUnderwood Posted February 14, 2007

> The driving engine behind this approach is now being released for public use. It runs in a specific operating environment - Windows, Firefox / Mozilla, and any email program. It takes as input the spamvertized domain, such as 44rx.com and determines who are the registrars for its name servers. It then prepares the complaint message(s) and allows you to review it before sending.

Is there a reason that it is specific to firefox/mozilla?

petzl Posted February 14, 2007

> Is there a reason that it is specific to firefox/mozilla?

I would prefer to use genuine Microsoft parts myself.
However it is giving me an extra email address (of Registrar) I can include in my SpamCop report (I do not munge reports)

TerryNZ (Author) Posted February 14, 2007

> I would prefer to use genuine Microsoft parts myself.
> However it is giving me an extra email address (of Registrar) I can include in my SpamCop report (I do not munge reports)

V6 is now ready, and can be downloaded from http://thecarpcstore.com/phpbb2/viewtopic.php?p=6272

It has added support for Internet Explorer. It will use Mozilla / Firefox if such a window is open, or Internet Explorer if a browser window is open.

StevenUnderwood Posted February 15, 2007

> V6 is now ready, and can be downloaded from http://thecarpcstore.com/phpbb2/viewtopic.php?p=6272
> It has added support for Internet Explorer. It will use Mozilla / Firefox if such a window is open, or Internet Explorer if a browser window is open.

Thank you. Just tested it a couple times (without sending) using the lodrx.com example you give in the docs and I think I have got the hang of it. I will try it on the next spamvertized site I find.

I did find that it did not like to have my new windows open into my home page (never entered the first URL). Setting that back to the default of opening a blank page allowed the scripts to work, however.

Have you spoken to the registrars? Do they not need the spam to prove it was a spamvertized site before closing them down?

TerryNZ (Author) Posted February 15, 2007

> Have you spoken to the registrars? Do they not need the spam to prove it was a spamvertized site before closing them down?

Registrars who have shut down nameservers as a result of my requests (without including spam)

Number of name servers   Registrar who acted
01    EST
07    DSTR
80    Tucows
46    eNom
36    Yesnic
08    CSL
02    Aztus
12    Gandi SAS
17    Beijing Innovative
06    Misk
26    Ace of Domains / Moniker.com
02    Intercosmos
08    XIN Net
251   Domain name servers shut down using this complaint method since August 2006

Spamvertized domains shut down and removed from circulation as a result of my testing this tool number over 4,000.

Primarily I have used this method with illegal web sites, such as fake pharmacy (Leo Kuvayev and Alex Polyakov / Yambo).

Of course, if you want to copy/paste additional evidence at the bottom of the prepared email, please do so. However, it should go at the bottom, because the message is carefully structured to have the most salient information at the top.

TerryNZ (Author) Posted February 21, 2007

Complainterator V7 is now available at the same location http://thecarpcstore.com/phpbb2/viewtopic.php?p=6272

I welcome feedback on user experiences with Internet Explorer.

petzl Posted February 22, 2007

> Complainterator V7 is now available at the same location http://thecarpcstore.com/phpbb2/viewtopic.php?p=6272
> I welcome feedback on user experiences with Internet Explorer.

http://www.spamcop.net/sc?id=z1232121563z9...0c73927be4f633z

Reported (penis) spamvertized URL "http:// aldd.net" which redirects to "http:// herbal-kings.net/" (spaced links as adult content sites)

The first report for aldd.net went through.
The second herbal-kings.net bounced, accused me of spamming:

The following message to <info[at]nrw.net> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 554-'Your email is considered spam (10.50 spam-hits)'

Can these type of reports be considered spam?

I then reported both sites at Joker who are the registrar for both sites
https://joker.com/index.joker?mode=support&...pport_type=spam

There was no copy of spam (headers and or body) in Complainterator email.

I did go to http://www.nrw.net/ site is completely in German? So not able to understand any of it

Farelf Posted February 22, 2007

> I did go to http://www.nrw.net/ site is completely in German? So not able to understand any of it

If you want to, Google the URL and accept the "Translate this page" option (translation works with linked pages too). Buttons and such-like remain in German. "IMPRESSUM" is the contacts page. I've heard the IP address showing at the website when you use this service is Google's, not yours - if so, a bit of added security.

TerryNZ (Author) Posted February 23, 2007

> http://www.spamcop.net/sc?id=z1232121563z9...0c73927be4f633z
> Reported (penis) spamvertized URL "http:// aldd.net" which redirects to "http:// herbal-kings.net/" (spaced links as adult content sites)
> The first report for aldd.net went through.
> The second herbal-kings.net bounced, accused me of spamming:
> The following message to <info[at]nrw.net> was undeliverable.
> The reason for the problem:
> 5.1.0 - Unknown address error 554-'Your email is considered spam (10.50 spam-hits)'
> Can these type of reports be considered spam?
> I then reported both sites at Joker who are the registrar for both sites
> https://joker.com/index.joker?mode=support&...pport_type=spam
> There was no copy of spam (headers and or body) in Complainterator email.
> I did go to http://www.nrw.net/ site is completely in German? So not able to understand any of it

See the spam Wiki at http://www.spamtrackers.eu/wiki/index.php?title=Herbal_King

CSL = Joker is a special case. You should have got an error when trying to send, because I put an invalid address in the CC field, asking you to go to the www.joker.com web site. I should not have even put the info[at]nrw.net there. Feel free to edit it out of the complainterator.contacts.txt file.

You need to register with joker, www.joker.com, then come back, Log In, and click Support/Contact

Because you are logged in you will now see 3 options, the first two being

Report spammers/phishing
Report cases of spamming and phishing, which are related to Joker.com domains.

Support
General support, questions regarding domains, nameserver, billing, URL-forwarding and other issues.

Take the first option. Report the name server domain in the first field, and paste the Complainterator message into the message area. Don't bother with including the actual spam, the complaint is about a spamvertized domain. If you really want to, append it at the end of the message.

This works successfully, and you get an auto-reply with the ability to add your follow-ups to the ticket via e-mail. They are responsive.

petzl Posted February 25, 2007

> You need to register with joker, www.joker.com, then come back, Log In, and click Support/Contact
> Because you are logged in you will now see 3 options, the first two being
> Take the first option. Report the name server domain in the first field, and paste the Complainterator message into the message area. Don't bother with including the actual spam, the complaint is about a spamvertized domain. If you really want to, append it at the end of the message.
> This works successfully, and you get an auto-reply with the ability to add your follow-ups to the ticket via e-mail. They are responsive.

I am getting a fair bit of success with your complainterator at getting registrars to take spamvertised domain names down so I will keep using it.

It does not seem to stop the spammer as I see the same site under a new domain name. I also go through to linked spamvertized URL as well.

I am certain though the spammer does not enjoy me and I'm costing him money, as well as steering even more crime agencies towards these criminals.

Thanks for the program, seems to work well with IE7 and Outlook Express. I am getting actual replies as well as auto-acks for follow-ups.

Attack is definitely your best defence against spam and spammers

TerryNZ (Author) Posted March 1, 2007

Version 8 has now been released

* SeaMonkey support
* Detection and warning for country level TLDs
* Better handling of multiple registrars
* Better handling of mixed name servers
* more contacts pre-loaded

http://thecarpcstore.com/phpbb2/viewtopic.php?t=575

Feedback here or in the distribution forum is appreciated

TerryNZ (Author) Posted March 17, 2007

This free spam reporting tool is now at version 10

Complainterator V10 includes support for
BROWSERS: Internet Explorer / Mozilla / Firefox / SeaMonkey
MAILERS: Outlook / Outlook Express / Thunderbird (all others with some manual assistance)

It checks the IP address of the spammed site's name servers, and does not generate messages to the registrar if the name server has already been removed.

It reports the spammed site's name servers and their current IP addresses. This innovation is better when reporting to Chinese registrars, who prefer to black-hole the IP rather than mess with the DNS name server record.

Complainterator takes a different approach from Spamcop - it addresses complaints to the registrars, rather than IP address owners. It complains to the registrars of the site's name servers, not the registrar of the spammed site. Removal of a spammer's name server takes down all spammed sites that depend on that name server.

There have been cases where one complaint to a registrar has canceled several hundred spammed sites in one email. Complainterator is therefore a high leverage spam site removal tool.

TerryNZ (Author) Posted March 24, 2007

To give an idea of how effective Complainterator can be -

Complaints to Registrar "Ace of Domains" (support[at]moniker.com) to shut down the following name servers would freeze access to this many spammed sites

ns1.driedoutdns.com / ns2.driedoutdns.com      176
ns1.hairyolddns.com / ns2.hairyolddns.com      223
ns1.surprisingdns.com / ns2.surprisingdns.com  532
ns1.ferygoins.com / ns2.ferygoins.com          346
ns1.chambogos.com / ns2.chambogos.com          247
TOTAL 1,524 illegal web sites would be removed

A complaint to Network Solutions to shut out the two nameservers on eggbacondns.com would take down 227 illegal spammed web sites.

The world of registrars is quickly being divided into two camps - those who combat crime, and . . . um . . the rest.

StevenUnderwood Posted April 3, 2007

One problem just noticed... Complainterator does not recognize the .us tld as in: imageshack.us

TerryNZ (Author) Posted April 4, 2007

> One problem just noticed... Complainterator does not recognize the .us tld as in: imageshack.us

Thanks. Please quote me a spammed domain name that illustrates the problem.

Wazoo Posted April 4, 2007

> Thanks. Please quote me a spammed domain name that illustrates the problem.

He did .... the imageshack issue is just the latest spammer abused tool .... surrounding traffic about the problem exists 'all over the net' ....

Just staying 'here' ... examples at http://forum.spamcop.net/forums/index.php?showtopic=8109 .... http://zeta.cesmail.net/pipermail/scspamco...ril/002127.html for a recent spamcop newsgroup thread ....

On the other hand, this isn't really a Domain Registrar or DNS issue (at present)

StevenUnderwood Posted April 5, 2007

> On the other hand, this isn't really a Domain Registrar or DNS issue (at present)

imageshack.us

Correct. I have been "testing" it with many domains to see where the reports for different domains would go without actually sending them. After the first dnsstuff lookup is complete, it comes up with an error message:

Name Server = ns9.imageshack.us
Does not represent a valid example, not a .com / .biz / .info / .net etc
Its generated message may not be correct, check it carefully
Skip? or Cancel completely?
Yes No Cancel

and I can continue by selecting No, but with additional prompting (unless that is related to the GoDaddy registrar).

TerryNZ (Author) Posted April 5, 2007

> imageshack.us
> Correct. I have been "testing" it with many domains to see where the reports for different domains would go without actually sending them. After the first dnsstuff lookup is complete, it comes up with an error message:
> and I can continue by selecting No, but with additional prompting (unless that is related to the GoDaddy registrar).

Yes it is working as intended. I also received an imageshack spam today.

method From keystroke keyboard key press generates
http://img444.imageshack.us/my.php?image=gaux5.jpg
Sipura Skype Wanted WiMAX White

Complainterator correctly warns that this is not a URL likely to generate a valid message. It urges the user to check the message. It gives two options to get out (Yes and Cancel) and one option to continue (No).

If anyone does elect to continue, Complainterator has a pretty hard time dealing with what follows.

Just as with Spamcop, there is expected to be a degree of intelligent decision making on the part of the user. And in this case, Complainterator has given a clear hint that sending a complaint asking for the removal of all 8 imageshack name servers is not such a bright idea.

But if anyone were to send off such a request to Godaddy, the next stage would be for Godaddy to perform their own reasonability checks.

StevenUnderwood Posted April 5, 2007

> Yes it is working as intended. I also received an imageshack spam today.
> Complainterator correctly warns that this is not a URL likely to generate a valid message.

Thank you for the explanation. Does it give this warning simply because of the .us tld? That is how I read the warning message.

> Does not represent a valid example, not a .com / .biz / .info / .net etc

While .us domains are not very popular right now, they are a "valid" tld.

TerryNZ (Author) Posted April 5, 2007

> Thank you for the explanation. Does it give this warning simply because of the .us tld? That is how I read the warning message.
> While .us domains are not very popular right now, they are a "valid" tld.

I accept all TLDs except ccTLDs without question.
aero/biz/cat/com/coop/edu/gov/info/int/jobs/mil/mobi/museum/name/net/org/pro/travel/hk

I pop up a warning for ccTLDs because there are few spams using them as NS. (Beijing may get tired of requests to remove dns.com.cn otherwise)

The exception to the rule is .hk which is rapidly becoming a haven for spammer NS.

* * * *

V.11 will add a generated complaint message to the spammed URL registrar, to complement the existing complaints to NS registrars. I see that as a necessary fallback, given the 3-4 remaining registrars who totally refuse to cut their ties with organized crime. The removal of the spammed sites, usually under law abiding registrars, will help address this issue.

This additional complaint message will accept any TLD.

* * * *

The advent of V 11 will complete a useful picture. Using Polyakov's operation as an example - With reference to the pyramid at http://www.spamtrackers.eu/wiki/index.php?...od_of_operation

Law enforcement tackles layer 1
Complainterator tackles most of layer 2-3, at the registrar level, and an AutoAlerter tackles the hijacks (see http://pharmalert.zoomshare.com) at the IP / ISP level
Spamcop tackles layer 4-5 at the IP / ISP level

* * * *

In an ideal world, all of these spam prevention measures would be embodied under the one composite operation. Imagine it.

One spam generates

* request to ISP to shut down a compromised machine or open relay at source of spam
* request to ISP to remove a spammed website at its IP address
* request to registrar to deregister the spammed site domain
* request to registrars to null route the spammers' name servers that resolved access to the spammed site
* evidence accumulated for law enforcement to be used in the prosecution

"I have a dream . . . "
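
Added example (not part of any post in this thread, and not Complainterator's own code): a sketch of the triage the posts above describe, namely skipping name servers that no longer resolve (V10), holding ccTLD name servers other than .hk for manual review (the 5 April TLD list), and grouping the rest by the registrar of the name server domain. The function names, registrar names, message wording and lookup data are constructed for illustration; real input would come from DNS and WHOIS lookups.

```python
from collections import defaultdict

# TLDs the 5 April post lists as accepted without a warning (gTLDs plus .hk).
ACCEPTED_TLDS = set(
    "aero biz cat com coop edu gov info int jobs mil mobi museum name "
    "net org pro travel hk".split()
)

def tld_of(host):
    return host.rstrip(".").lower().rsplit(".", 1)[-1]

def ns_domain(host):
    # Simplification: registrable domain = last two labels. Names under
    # multi-label suffixes (e.g. com.hk) need a Public Suffix List lookup.
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def plan_complaints(ns_records, registrar_of):
    """ns_records: {ns_host: current IP, or None if it no longer resolves}.
    registrar_of: {name-server domain: registrar}, e.g. taken from WHOIS.
    Returns (complaints by registrar, hosts needing review, hosts skipped)."""
    complaints, review, skipped = defaultdict(list), [], []
    for host, ip in sorted(ns_records.items()):
        if ip is None:
            skipped.append(host)   # already removed: no message generated
        elif tld_of(host) not in ACCEPTED_TLDS:
            review.append(host)    # ccTLD: warn and leave the decision to the user
        else:
            registrar = registrar_of.get(ns_domain(host), "UNKNOWN REGISTRAR")
            complaints[registrar].append((host, ip))
    return dict(complaints), review, skipped

def render(registrar, spam_domain, servers):
    # Name servers and current IPs go first; extra evidence is appended last.
    lines = [f"To: abuse contact of {registrar}",
             f"Name servers resolving spamvertized domain {spam_domain}:"]
    lines += [f"  {host}  {ip}" for host, ip in servers]
    lines.append("(additional evidence, if any, goes below this line)")
    return "\n".join(lines)

# Constructed sample data; the IPs are from documentation ranges.
SAMPLE_NS = {
    "ns1.example.com": "192.0.2.10",
    "ns2.example.com": "192.0.2.11",
    "ns1.example.net": None,              # no longer resolves
    "ns1.example.org": "198.51.100.7",
    "ns9.imageshack.us": "203.0.113.9",   # host named in the thread's warning dialog
}
SAMPLE_REGISTRARS = {"example.com": "Registrar A", "example.org": "Registrar B"}

if __name__ == "__main__":
    plan, review, skipped = plan_complaints(SAMPLE_NS, SAMPLE_REGISTRARS)
    for registrar, servers in plan.items():
        print(render(registrar, "spamvertized.example", servers), end="\n\n")
    print("review manually:", review)
    print("skipped (already removed):", skipped)
```

One message per registrar covers every name server that registrar controls, which is where the leverage described in the thread comes from.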

TerryNZ (Author) Posted April 13, 2007

Version 11 of Complainterator is now available. Details and download links are at http://thecarpcstore.com/phpbb2/viewforum.php?f=4 and http://www.spamtrackers.eu/wiki/index.php?...=Complainterato

Version 11 adds the complaint message to the spamvertized site - and incorporates many user suggestions.

TerryNZ (Author) Posted April 17, 2007

CORRECTION

Version 11 of Complainterator is now available. Details and download links are at http://thecarpcstore.com/phpbb2/viewforum.php?f=4 and Link to Complainterator - corrected

Version 11 adds the complaint message to the spamvertized site - and incorporates many user suggestions.

StevenUnderwood Posted April 17, 2007

> CORRECTION

TerryNZ: I just tried v11 on the domain theironoly.net from another thread here and had some strange things happen.

WinXP Professional 2002 SP2 with all patches
IE7 with all patches
Microsoft Outlook 2002 SP3 with all patches

The first lookup and traversal worked OK and generated: theironoly.net.txt
The first DNS lookup worked and generated: fatiloquent.com.txt
The second DNS lookup worked and generated: practicekiss.net.txt

Then the strange stuff started happening... The program opened my favorites on screen, appeared to browse around inside the favorites and ultimately opened what appeared to be a random web page from my favorites. Then came up with the Check It message with the OK and appears to have correctly generated: champakdagon.com.txt. This strangeness repeated and ultimately generated: norchikmik.com.txt as well.

This test was repeated twice to try and determine a pattern. No emails were ever sent by me and the emails after the strange actions were never even generated (though the text appears to have been). The 4 text messages appear to be correct for this domain.

Is it some programming in your application that could have opened the favorites (like the key combination Alt+C were hit) or is there some information in these records that is being interpreted as the Alt+C?

Can you replicate this on another machine? My alternate machine here does not have email configured (kids machine)?

TerryNZ (Author) Posted April 17, 2007

Thanks for the detailed problem description. I was able to duplicate it, and found exactly the same result as you describe. It opened the Favorites pull-down, and subsequent keystrokes were directed there.

I will examine the cause right away.

This topic is now archived and is closed to further replies.