How to take down geocities spammers


thewird

Ok, I get 400 mails/day to my yahoo account and have reported every single one to spamcop for the last 2 weeks. I've noticed at least 100 of those are spams for h ttp://cre eknatural.c om/ which use a different geocities redirect. Examples of this...

h ttp://ww w.geoc ities.com/nbpw gd19urd/

h ttp://ww w.geoci ties.com/rfffsdima13.

Obviously, these are sent through unsecure computers/servers so stopping the source of the e-mail is almost unimportant but I report it anyway.

So what I want to know is if there's a way to contact ht tp://cre eknatural .com/'s hosting provider and tell them what's happening to get the site taken down.

Also, maybe spamcop could check geocities for redirects as a new feature and send a spam report to the site if a redirect exists.

thewird

Moderator Edit: Useless data deleted. URLs broken.

Edited by Wazoo

No "problem" with the Parsing & Reporting system noted in this post.

The Subject Line indicates an entirely different query in mind, as does the content.

No Tracking URL provided to see the 'linking' of the data offered up in the query.

Mis-use of terminology, based on data supplied. There is a definition of a 're-direct' .. especially when sites like GeoCities, Yahoo, etc. are involved. The URLs provided as samples are not those kinds of re-directs. Those specific web-pages exist exactly where they are listed.

That both contain some nasty java scri_pt is another matter entirely.

With that, this post moves the wrongly placed Topic to the Lounge.


Could you elaborate more on how these sites exist on geocities and what type of java scri_pt?

What's to elaborate on? Only going to offer the first example, as both are the same ....

04/07/07 02:51:03 Browsing h ttp://ww w.geocit ies.com/nb pwgd19urd/

Fetching h ttp://ww w.geoci ties.com/nbp wgd19urd/ ...

GET /nbp wgd19urd/ HTTP/1.1

Host: www.geocities.com

Connection: close

HTTP/1.1 200 OK

Date: Sat, 07 Apr 2007 07:51:04 GMT

X-Host: w86.geo.scd.yahoo.com

X-INKT-URI: ht tp://us.geocit ies.com/nbp wgd19u rd/index.html

X-INKT-SITE: ht tp://us.geo cities.com/n bpwgd19u rd

Last-Modified: Tue, 03 Apr 2007 03:17:48 GMT

Content-Length: 1959

Connection: close

Content-Type: text/html

<html><scri_pt LANGUAGE="java scri_pt"><!--

e v a l (unescape("%66%75%6 <munged> 9%7D"));//--></scri_pt>

<head>

<title>HerbalKing - NO.1 For Penis Enlargement</title>

<scri_pt LANGUAGE="java scri_pt"><!--

e_e("s0%2E%3A%2B%250 <even more munging applied>

As I stated, this crap exists exactly where the URL in the spam says it's located.

Now if you want to follow those links with an insecure browser, well .. sorry, but that's your issue to deal with.

The SpamCop.net parser does not decode java scri_pt .. this is documented in the FAQ ....


You asked for a tracking URL and here it is...

http://www.spamcop.net/sc?id=z1272368587zb...d4aa172d95ce92z

Thanks ... but as conjectured in the above, there is nothing 'in the spam' that can be considered a 're-direct' .... sent as MIME type plain-text, direct URL used ....

So I guess it's up to yahoo to increase security on their sh**...

Not sure 'security' is the word needed in this case .. just another set of 'free' web-pages that apparently have not been reported / handled thus far.

I use firefox btw

and that's supposed to mean what by itself? Somehow ignoring that version numbers keep creeping up, a lot of them due to the closing of exploits ... that the configuration can be changed by the user to "make things work better" .... that belief that something non-Microsoft solves everything?

Kind of right up there with "I have an anti-virus tool installed" ... but not qualified by "it came with the computer that I bought 3 years ago" ....


Ok, how about this. I have never got a virus in 6 years. I update my Firefox the day releases come out and I use AVG (paid version, non-cracked) that auto-updates and scans every night. I think that is a safe setup. Also, common computer sense applies to a lot of this, which many people don't have.

thewird


Also, maybe spamcop could check geocities for redirects as a new feature and send a spam report to the site if a redirect exists.

There are lots of ways for a spammer to redirect from Geocities, it would be a pretty complex and high-maintenance task to write code to detect them all. And, as is frequently pointed out here, SpamCop's priority is to deal with the SMTP (mail) side of spamming, rather than the website side. Still, couldn't hurt to ask for the feature (in the New Feature Request forum, mayhap).

So what I want to know is if there's a way to contact ht tp://cre eknatural .com/'s hosting provider and tell them what's happening to get the site taken down.

Yes, there are several ways, but they require you to do some amount of work outside of SpamCop. I will tell you how I usually handle these:

When I get these kinds of messages, and have time to report them in detail, I usually fetch the Geocities URL using the curl command-line utility which you could think of as a "safe" web browser that doesn't take cookies or execute scripts.

Since I know a bit about how to read HTML & Java scri_pt, I can usually figure out pretty readily from the curl output to where the redirect points. Then, I simply use a DNS lookup (host or nslookup commands) (to get the address of the redirected-to site), and IP-whois (to get the contact info for the IP address). You can also do both of these kinds of lookups from a good online network toolset like DNSStuff.

With this info, I then usually "piggyback" a report to this provider as a "user notification" to the main SpamCop report (I'm a paid SpamCop subscriber, don't know whether this feature is available to free users). I always include a note to identify the redirection and explain how it was done.

The report you posted in the tracking link may be a bit stale (the Geocities link is now 403), but for the record:

alu-g4pb:~ rconner$ host creeknatural.com
creeknatural.com has address 121.156.65.126

... giving the address 121.156.65.126 for the site, and ...

alu-g4pb:~ rconner$ whois 121.156.65.126

(( snipping ARIN & APNIC info ))

inetnum:      121.128.0.0 - 121.191.255.255
netname:      KORNET
descr:        Korea Telecom
descr:        Network Management Center
country:      KR
admin-c:      IM76-AP
tech-c:       IM76-AP
descr:        ************************************************
descr:        Allocated to KRNIC Member.
descr:        If you would like to find assignment
descr:        information in detail please refer to
descr:        the KRNIC Whois Database at:
descr:        "http://whois.nic.or.kr/english/index.html"
descr:        ************************************************
status:       Allocated Portable
mnt-by:       MNT-KRNIC-AP
mnt-lower:    MNT-KRNIC-AP
changed:      hm-changed[at]apnic.net 20060407
changed:      hm-changed[at]apnic.net 20061101
source:       APNIC

person:       IP Manager
nic-hdl:      IM76-AP
e-mail:       ip[at]krnic.kornet.net
e-mail:       abuse[at]kornet.net
address:      Seoul
address:      206, Jungja-Dong, Bundang-Gu, Sungnam, Gyunggi-Do
address:      463-711
phone:        +82-2-3674-5708
fax-no:       +82-2-747-8701
country:      KR
changed:      hostmaster[at]nic.or.kr 20061009
mnt-by:       MNT-KRNIC-AP
source:       APNIC

... giving abuse[at]kornet.net as your abuse contact (good luck with them, they probably get hundreds or thousands of spam-hosting complaints every day).

-- rick
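The two manual steps rick describes above (reading the fetched page to find where it sends the browser, then reading the whois record to find an abuse contact) can be scripted. The following is an added example, not rick's own code or anything from SpamCop: it works entirely offline on a constructed sample page (the hostnames spam-landing.example and tracker.example are placeholders, not sites from the thread) and on a sample whois record modelled on the KORNET output quoted above with the forum's "[at]" munging undone. It peels unescape("...") wrappers like the one in the GeoCities page, matches the common redirect mechanisms (meta refresh, JavaScript location assignments, frames), and ranks the mailboxes found in RPSL-style whois output so that an abuse@ address comes first.

```python
import re
from urllib.parse import unquote, urlsplit

# ---- constructed sample page, in the style of the GeoCities page quoted in the thread ----
# The script body is built here so the percent-encoding is exact; a real page would
# carry the encoded string literally.  All hostnames are placeholders.
ENCODED = "".join("%%%02X" % b for b in b'window.location="http://spam-landing.example/";')
SAMPLE_HTML = (
    '<html><script LANGUAGE="javascript"><!--\n'
    'eval(unescape("' + ENCODED + '"));//--></script>\n'
    '<head><title>constructed sample</title>\n'
    '<meta http-equiv="refresh" content="5;url=http://spam-landing.example/index.html">\n'
    '</head><body>\n'
    '<iframe src="http://tracker.example/pixel.html" width="1" height="1"></iframe>\n'
    '</body></html>\n'
)

# ---- step 1: find where the page sends the browser ----
UNESCAPE_RE = re.compile(r'unescape\(\s*(["\'])(?P<body>[^"\']*)\1\s*\)', re.I)

PATTERNS = [
    ("meta-refresh", re.compile(
        r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*(?P<url>[^"\'>\s]+)', re.I)),
    ("js-location", re.compile(
        r'(?:window\.|self\.|top\.|document\.)?location(?:\.href)?\s*=\s*(["\'])(?P<url>[^"\']*)\1', re.I)),
    ("js-replace", re.compile(r'location\.replace\(\s*(["\'])(?P<url>[^"\']*)\1', re.I)),
    ("frame", re.compile(r'<i?frame[^>]*\ssrc\s*=\s*["\']?(?P<url>[^"\'>\s]+)', re.I)),
]

def js_unescape(s):
    """Decode a JavaScript unescape() argument: %uXXXX code units, then %XX bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)

def decode_obfuscation_layers(text, max_layers=5):
    """Append each decoded unescape("...") layer to the text so the redirect
    patterns can be matched against it; nested layers are peeled in later passes."""
    for _ in range(max_layers):
        added = False
        for m in UNESCAPE_RE.finditer(text):
            decoded = js_unescape(m.group("body"))
            if decoded and decoded not in text:
                text += "\n" + decoded
                added = True
        if not added:
            break
    return text

def find_redirect_targets(html):
    """Return (mechanism, url) pairs for every redirect found, duplicates removed."""
    text = decode_obfuscation_layers(html)
    hits = []
    for mechanism, pattern in PATTERNS:
        for m in pattern.finditer(text):
            hit = (mechanism, m.group("url").strip())
            if hit not in hits:
                hits.append(hit)
    return hits

def target_hosts(html):
    """Hostnames to look up next (DNS, then whois), in order of discovery."""
    hosts = []
    for _, url in find_redirect_targets(html):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

# ---- step 2: pick an abuse contact out of the whois record ----
SAMPLE_WHOIS = """\
% constructed header comment, as whois servers often prefix their replies

inetnum:      121.128.0.0 - 121.191.255.255
netname:      KORNET
descr:        Korea Telecom
country:      KR
admin-c:      IM76-AP
tech-c:       IM76-AP
status:       Allocated Portable
mnt-by:       MNT-KRNIC-AP
source:       APNIC

person:       IP Manager
nic-hdl:      IM76-AP
e-mail:       ip@krnic.kornet.net
e-mail:       abuse@kornet.net
address:      Seoul
country:      KR
source:       APNIC
"""

def parse_whois_objects(text):
    """Split RPSL-style output (APNIC, RIPE, KRNIC) into blank-line-separated
    objects; each object is a dict of lower-cased key -> list of values."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")) or ":" not in line:
            continue  # server comments and continuation noise
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def abuse_contacts(text):
    """abuse-mailbox fields and abuse@ addresses first, other e-mail fields after."""
    preferred, fallback = [], []
    for obj in parse_whois_objects(text):
        preferred.extend(obj.get("abuse-mailbox", []))
        for addr in obj.get("e-mail", []):
            (preferred if addr.lower().startswith("abuse@") else fallback).append(addr)
    ordered = []
    for addr in preferred + fallback:
        if addr not in ordered:
            ordered.append(addr)
    return ordered

if __name__ == "__main__":
    print("redirects:", find_redirect_targets(SAMPLE_HTML))
    print("hosts to look up:", target_hosts(SAMPLE_HTML))
    print("abuse contacts:", abuse_contacts(SAMPLE_WHOIS))
```

Feed it the output of curl (or of an online page fetcher) and of whois; the regexes only cover the plain mechanisms, so a page that builds its target string through a custom decoder like the e_e() call quoted earlier still has to be read by hand, which is exactly the "domain knowledge" part of rick's procedure.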


There is still that Forum section titled How to use .... Instructions, Tutorials > Research Tools that awaits things like this ...

However, that *NIX is involved (but not explained / defined) is going to lead to a lot of frustration for those folks that only know Windows .....


There is still that Forum section titled How to use .... Instructions, Tutorials > Research Tools that awaits things like this ...

However, that *NIX is involved (but not explained / defined) is going to lead to a lot of frustration for those folks that only know Windows .....

He asked, I told him what I do. Peer-to-peer support, right? I also said to go to DNSStuff (et. al.) to do whois and DNS lookups, this should not be too frustrating, should it?

-- rick


this should not be too frustrating, should it?

That's actually a pretty funny question .... coming in after a particularly rowdy bit of traffic over in the spamcop newsgroup .... one tangent gone down with the recent pay/subscribe/whatever concept there and the removal of some tools from the 'free' side of the house ... another tangent gone down by the redesign of those same web-pages to include a bit of java scri_pt that 'blocked' another user's access .....

Anyway, just pointing out that some assumptions just can't be made ... folks that have no idea how to get down to a command-line prompt level to begin with, being advised to type in things that don't have any corresponding executables, ad infinitum ....


Anyway, just pointing out that some assumptions just can't be made ... folks that have no idea how to get down to a command-line prompt level to begin with, being advised to type in things that don't have any corresponding executables, ad infinitum ....

So, we're not allowed to post anything here if it is possible that novice Windows users can't use it or won't understand it? Is that the policy? Too bad the spammers don't follow this rule, otherwise they'd be far easier to stop.

Honestly, Wazoo, this is the second time (at least) that you've given this kind of response to one of my posts, "telegraphing" to readers that they needn't bother to read it since they probably won't understand it (and that the author was rude not to "explain / define" his operating system).

Why can't we just let the readers decide for themselves whether a particular post makes sense or contains useful information? Let 'em post back, report me, or kill file me if they don't like the information I provide. I'm willing to live by such a judgement. I'm not particularly happy about having good solid technical information summarily publicly disparaged by a moderator before most people even get to read it.

-- rick

So, we're not allowed to post anything here if it is possible that novice Windows users can't use it or won't understand it? Is that the policy?

<snip>

Hi, rick,

...You seem to have misread what Wazoo wrote (emphasis added by me):

<snip>

However, that *NIX is involved (but not explained / defined) is going to lead to a lot of frustration for those folks that only know Windows .....

In other words, Wazoo was just asking that if you are making an assumption (unix) that is material, please consider making it explicit. That will help others reading your (otherwise very helpful -- thank you!) posts.

Hi, rick,

...You seem to have misread what Wazoo wrote (emphasis added by me):

In other words, Wazoo was just asking that if you are making an assumption (unix) that is material, please consider making it explicit. That will help others reading your (otherwise very helpful -- thank you!) posts.

Sorry if I came off as a bit prickly. Let me try to explain once again, slowly:

I made no assumptions about operating systems...the technique I described for spotting redirected websites does not require any OS-specific capabilities. Neither whois nor nslookup/host are operating-system dependent. The whois service is actually defined by IETF (in RFC 3912), while host/nslookup are part of the standard set of tools that should be provided with any IP stack on any operating system. Both utilities are pretty much open source (from before the meaning of this term was understood), and have been ported to many different OS platforms in many different incarnations (from command-line tools to parts of multipurpose GUI network tool suites).

Curl is an open source application available for many operating systems (including Windows DOS). It is free to download, install, and use.

As I was at pains to explain in the original post, both nslookup and whois can also be used online at DNSStuff or similar sites, if for some reason they are not available on a particular user's operating system. DNSStuff (et al.) will also fetch web pages for inspection a la curl. Indeed, using web-based tools was the only recourse I had back when I was running MacOS9 (which was notoriously short of network tools). I should think that this would answer the "I-don't-have-this-on-my-system" problem.

In order to spot redirections from a portal website, you must (as I indicated) know a bit about HTML, HTTP, and other topics like java scri_pt or URI encoding. I'm sorry that such knowledge is required, but this is what spammers do.

So, my technique boils down to (1) using OS-independent basic IP network tools, and (2) applying some domain knowledge as to how web browsers can be redirected from one site to another. I just don't see how I can make things any plainer than that.

I'm sorry that I can't collapse this procedure down to a simple one-click query that can be run by everyone on any computer (maybe that's a project for later), but as we know spammers like to hide, and it often takes a lot of picking and shoveling to find them. We might as well see that everyone is issued the necessary picks and shovels, and is trained in their use.

BTW, some folks post here about particular tools to do this and other spam-related tasks, but these tools are truly OS-specific (for Intel/Windows) and I cannot run them at all, even if I wanted to. Nor do they appear to be available as source code should I want to try to port them to my own computer. Yet, these folks have not (so far as I know) been asked to make their assumptions explicit in the use of these tools. Nor would I want to put that burden onto them, lest it discourage them from posting. If I have a burning question about these, I'll ask.

-- rick
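Rick's point that whois is an OS-independent protocol (RFC 3912) is easy to see in code: the whole exchange is one TCP connection to port 43, the query terminated by CRLF, and a reply that ends when the server closes the connection. The block below is an added example, not rick's code or a SpamCop tool; it runs a throwaway server on 127.0.0.1 that answers from a constructed record (so nothing leaves the machine), and the same whois_query() function works against a real registry server once pointed at it. The record content is modelled on the KORNET entry quoted earlier in the thread.

```python
import socket
import threading

# Constructed stand-in for a registry database: query string -> RPSL-style reply.
FAKE_WHOIS_DB = {
    "121.156.65.126": (
        "inetnum:      121.128.0.0 - 121.191.255.255\r\n"
        "netname:      KORNET\r\n"
        "e-mail:       abuse@kornet.net\r\n"
        "source:       APNIC\r\n"
    ),
}

def serve_one_query(listener):
    """Server side of RFC 3912: read one CRLF-terminated query, write the
    matching record, then close the connection to mark the end of the reply."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        query = buf.decode("ascii", "replace").strip()
        reply = FAKE_WHOIS_DB.get(query, "% No entries found for " + query + "\r\n")
        conn.sendall(reply.encode("ascii"))

def whois_query(server, query, port=43, timeout=10):
    """Client side of RFC 3912: send the query plus CRLF and read until EOF.
    Point this at a real registry server (port 43) to do a live lookup."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:  # server closed the connection: reply complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def demo_local_exchange(query="121.156.65.126"):
    """Run the exchange against the local stand-in server and return the reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one_query, args=(listener,), daemon=True)
    worker.start()
    try:
        return whois_query("127.0.0.1", query, port=port)
    finally:
        worker.join(5)
        listener.close()

if __name__ == "__main__":
    print(demo_local_exchange())
```

Because the protocol carries no authentication and no framing beyond "close means done", a lookup that silently returns nothing is a closed connection, not a negative answer; a client that wants to distinguish the two should check for the registry's own "no entries" marker in the text, as the stand-in server above emits.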


So what I want to know is if there's a way to contact ht tp://cre eknatural .com/'s hosting provider and tell them what's happening to get the site taken down.

Hi

Spamcop's priority is to stop spam emails. If you want to help in closing down the spammy websites, please report your spam to knujon. They are doing a pretty good job of shutting down the spammy websites (including geocities redirects). More details can be found at www.knujon.com , http://www.knujon.com/news.html .

BTW, I am just a user of knujon and do not work for them.

hth

raju


So what I want to know is if there's a way to contact ht tp://cre eknatural .com/'s hosting provider and tell them what's happening to get the site taken down.

And as may have been mentioned above, though I could not quickly locate it, you can enter the URL into a blank spamcop parser and get the reporting address. You can then make a manual report or, if you are a paid spamcop reporter, add a report to that site.

In this case the abuse address would be: abuse[at]kornet.net

I usually include in that specific report something like: http://<redirector>/ redirects to ht tp://cre eknatural .com/ hosted by your service.
