
A couple of weeks or so ago I mentioned in passing a new (to me, anyhow) and interesting pseudo-botnet based on Yahoo nameservers and what appeared to be Yahoo Geocities IPs. It's still on the go, e.g. for this money laundering fraudster, aegis-capital.org:

DNS structure for money laundering fraudster aegis-capital.org:


Server Response (Yahoo/Geocities Site Host IPs)

yns2.yahoo.com []

yns1.yahoo.com []

The rotating fraudster's site host IPs are all Geocities? IPs in the range to (inclusive) as shown in the above DNS structure and RDNS to what appear to be Geocities user addresses listed below, (e.g. = p10w14.geo.mud.yahoo.com). Perhaps a Geocities user can confirm that is indeed a standard Geocities user address? (or not). They are referenced by the Yahoo nameservers yns2.yahoo.com [] & yns1.yahoo.com [].

It's much more widespread than that example, though. A Google search on any of the RDNS details for the above IPs shows that this network is used for a whole host of spamming, porn, fraud & 'dummy' domains. Last time I had a peek into this money laundering fraudster's network he had upwards of 100, (mainly fraud), domains registered. It's probably many more now.

It's been difficult in the past to get Yahoo abuse teams to even understand the principle of a 419er's Yahoo response address & it's proving difficult to get them to understand the above. If it doesn't fit into their little boxes they just send out a kneejerk "request for more info" pro-forma response...

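As an added illustration (not part of the original post), the check below summarises the pattern the post describes: repeated lookups of one domain return different addresses from a single hosting range, and each address reverse-resolves to a user-host style name like p10w14.geo.mud.yahoo.com. The IP range, the lookup snapshots and the PTR map are constructed stand-ins (RFC 5737 documentation addresses), since the post's real addresses are elided; on a live system they would be replaced by repeated A and PTR lookups.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the hosting range the post leaves blank; NOT a real Geocities range.
HOSTING_RANGE = ipaddress.ip_network("192.0.2.0/24")
# Shape of the user-host reverse names the post quotes (p10w14.geo.mud.yahoo.com).
PTR_PATTERN = re.compile(r"^p\d+w\d+\.geo\.mud\.yahoo\.com$")

# Successive A-record answer sets for one domain, as if from repeated lookups (constructed).
SNAPSHOTS = [
    ["192.0.2.10", "192.0.2.14"],
    ["192.0.2.14", "192.0.2.22"],
    ["192.0.2.31", "192.0.2.10"],
    ["192.0.2.22", "192.0.2.31"],
]
# Reverse-DNS results standing in for PTR lookups (constructed).
PTR = {
    "192.0.2.10": "p10w14.geo.mud.yahoo.com",
    "192.0.2.14": "p10w22.geo.mud.yahoo.com",
    "192.0.2.22": "p11w3.geo.mud.yahoo.com",
    "192.0.2.31": "p12w9.geo.mud.yahoo.com",
}


def analyse(snapshots, ptr_map, hosting_range, ptr_pattern=PTR_PATTERN):
    """Summarise whether a domain's A records rotate inside one hosting range
    and whether every address reverse-resolves to a user-host style name."""
    seen = Counter(ip for snap in snapshots for ip in snap)
    distinct = sorted(seen, key=ipaddress.ip_address)
    in_range = [ip for ip in distinct if ipaddress.ip_address(ip) in hosting_range]
    user_host = [ip for ip in distinct if ptr_pattern.match(ptr_map.get(ip, ""))]
    # "Rotating" means more distinct addresses were seen than any single answer
    # set contains, i.e. the answer set changes between lookups.
    rotating = len(distinct) > max(len(s) for s in snapshots)
    return {
        "distinct_ips": distinct,
        "rotating": rotating,
        "all_in_range": len(in_range) == len(distinct),
        "all_user_host_ptr": len(user_host) == len(distinct),
    }


def looks_like_rotating_user_host_pool(report):
    """True when all three indicators from the post line up for a domain."""
    return report["rotating"] and report["all_in_range"] and report["all_user_host_ptr"]


if __name__ == "__main__":
    report = analyse(SNAPSHOTS, PTR, HOSTING_RANGE)
    print(report, looks_like_rotating_user_host_pool(report))
```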