Yahoo...grrrr


bobbear

Posted

A couple of weeks or so ago I mentioned in passing a new (to me, anyhow) and interesting pseudo-botnet based on Yahoo nameservers and what appeared to be Yahoo Geocities IPs. It's still on the go, e.g. for this money laundering fraudster, aegis-capital.org:

DNS structure for money laundering fraudster aegis-capital.org:

(http://www.dnsstuff.com/tools/traversal.ch?domain=aegis-capital.org&type=A)

Server Response (Yahoo/Geocities Site Host IPs)

yns2.yahoo.com [216.109.116.20] 68.142.212.117 68.142.212.137 68.142.212.138 68.142.212.139 68.142.212.140 68.142.212.141

yns1.yahoo.com [66.218.71.205] 68.142.212.117 68.142.212.118 68.142.212.119 68.142.212.139 68.142.212.140 68.142.212.141

The rotating fraudster's site host IPs are all Geocities? IPs in the range 68.142.212.117 to 68.142.212.141 (inclusive), as shown in the above DNS structure, and RDNS to what appear to be Geocities user addresses (e.g. 68.142.212.130 = p10w14.geo.mud.yahoo.com). Perhaps a Geocities user can confirm that is indeed a standard Geocities user address? (or not). They are referenced by the Yahoo nameservers yns2.yahoo.com [216.109.116.20] & yns1.yahoo.com [66.218.71.205].

It's much more widespread than that example, though. A Google search on any of the RDNS details for the above IPs shows that this network is used for a whole host of spamming, porn, fraud & 'dummy' domains. Last time I had a peek into this money laundering fraudster's network he had upwards of 100, (mainly fraud), domains registered. It's probably many more now.

It's been difficult in the past to get Yahoo abuse teams to even understand the principle of a 419er's Yahoo response address & it's proving difficult to get them to understand the above. If it doesn't fit into their little boxes they just send out a kneejerk "request for more info" pro-forma response...
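A defender's triage helper for the pattern bobbear describes above (A records rotating across a pool of addresses whose PTRs follow a templated shared-hosting name), added here as an example and not code from the original post or from Yahoo. The nameserver answers are the figures quoted in the post; every PTR name except 68.142.212.130 is a hypothetical stand-in with the same shape, since the post lists only that one.

```python
"""Summarise a domain's A-record pool the way the post's traversal does.
Constructed data: nothing here performs live DNS lookups."""
import ipaddress
import re

# A records per authoritative nameserver, as quoted for aegis-capital.org.
NS_ANSWERS = {
    "yns2.yahoo.com": ["68.142.212.117", "68.142.212.137", "68.142.212.138",
                       "68.142.212.139", "68.142.212.140", "68.142.212.141"],
    "yns1.yahoo.com": ["68.142.212.117", "68.142.212.118", "68.142.212.119",
                       "68.142.212.139", "68.142.212.140", "68.142.212.141"],
}
# Reverse (PTR) names. Only 68.142.212.130 is quoted in the post; the rest are
# hypothetical names following the same pNNwNN.geo.mud.yahoo.com shape.
PTR = {
    "68.142.212.117": "p3w11.geo.mud.yahoo.com",
    "68.142.212.118": "p3w12.geo.mud.yahoo.com",
    "68.142.212.119": "p3w13.geo.mud.yahoo.com",
    "68.142.212.130": "p10w14.geo.mud.yahoo.com",
    "68.142.212.137": "p8w21.geo.mud.yahoo.com",
    "68.142.212.138": "p8w22.geo.mud.yahoo.com",
    "68.142.212.139": "p8w23.geo.mud.yahoo.com",
    "68.142.212.140": "p8w24.geo.mud.yahoo.com",
    "68.142.212.141": "p8w25.geo.mud.yahoo.com",
}
SHARED_HOST_PTR = re.compile(r"^p\d+w\d+\.geo\.mud\.yahoo\.com$")

def covering_network(ips):
    """Smallest CIDR block containing every address of a sorted pool."""
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while ips[-1] not in net:
        net = net.supernet()
    return net

def summarize_pool(ns_answers, ptr):
    """Union the A records from all nameservers and describe the hosting pool."""
    ips = sorted({ipaddress.ip_address(a) for rrs in ns_answers.values() for a in rrs})
    names = [ptr.get(str(ip)) for ip in ips]
    matching = sum(1 for n in names if n and SHARED_HOST_PTR.match(n))
    net = covering_network(ips)
    return {
        "pool_size": len(ips),
        "low": str(ips[0]), "high": str(ips[-1]),
        "covering_cidr": str(net),
        "ptr_match_ratio": matching / len(ips),
        # Several hosts in one small block, all with templated PTRs: a shared
        # hosting pool, so a report naming a single IP will miss the site.
        "looks_like_shared_pool": len(ips) >= 3 and net.prefixlen >= 24
                                  and matching == len(ips),
    }

if __name__ == "__main__":
    for key, value in summarize_pool(NS_ANSWERS, PTR).items():
        print(f"{key}: {value}")
```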
