Geek Posted September 13, 2007

Hi,

I've compiled a list of Russian "ISPs" that seem, if spam is reported to them, to "autobotically" cause a flood of retaliation within a few minutes to an hour:

[at]tmb.ru
[at]mtu.ru
[at]rt.ru
[at]vt.ru
[at]komet.ru
[at]spbnit.ru
[at]dtd.ptn.ru
[at]ptn.ru
[at]telegraph.spb.ru
[at]migtel.ru
[at]permlink.ru
[at]atelperm.ru

New ones pop up daily. I have found that if I uncheck the boxes to them and only report to the host of the spamvertized site, no retaliation happens. Maybe SpamCop can #devnull reports to these guys?

Cheers!
Farelf Posted September 13, 2007

> I've compiled a list of Russian "ISPs" that seem, if spam is reported to them, to "autobotically" cause a flood of retaliation within a few minutes to an hour: ... I have found that if I uncheck the boxes to them and only report to the host of the spamvertized site, no retaliation happens.

This is unusual/interesting at several levels. You are reporting them 'unmunged' via SpamCop? And seeing rapid response from where - their domains or various/apparent botnet? You stop reporting and the deluge stops - can you link that to the specific domains, and if so, how? (Except of course if the 'retaliatory' spam is coming from the domains in question, in which case the answer is evident.)

> Maybe SpamCop can #devnull reports to these guys?

Maybe; the Deputies will be better placed than any of us users to detect any patterns, but the information sought may help them. I have checked the home pages of the domain addresses listed with LinkScanner and SiteAdvisor; none have an evident/known exploit, and most of them have an "OK" from SiteAdvisor. I've looked at most of them in the SenderBase stats and can see no unusual activity. None of which means much, except to eliminate some lines of approach.
Geek (Author) Posted September 13, 2007

Hello,

> This is unusual/interesting at several levels. You are reporting them 'unmunged' via SpamCop? And seeing rapid response from where - their domains or various/apparent botnet? You stop reporting and the deluge stops - can you link that to the specific domains, and if so, how? (Except of course if the 'retaliatory' spam is coming from the domains in question, in which case the answer is evident.)

Yes, that is what happens. I parse the spam, it comes from one of the above. I send the report and anywhere from a few minutes to an hour later, I'll get one to five more from the same source. Here are three more that do the same:

[at]surnet.ru
[at]online.kz
[at]rosprint.net

I have also noticed a "loop" pattern, in that the spam reported can also come from one of the above, then "travel down" a list and repeat (like stuff from vt.ru is reported, next one comes from rt.ru, third from mtu.ru, then the cycle repeats). I have run this experiment/test for about 5 days and it is extremely repeatable.

> I have checked the home pages of the domain addresses listed with LinkScanner and SiteAdvisor; none have an evident/known exploit, and most of them have an "OK" from SiteAdvisor. I've looked at most of them in the SenderBase stats and can see no unusual activity. None of which means much, except to eliminate some lines of approach.

They just showed up here. Maybe new? They don't seem to be running out of domains :-\

Cheers!
Geek (Author) Posted September 13, 2007

I've been poking around WHOIS, and perhaps the ISPs are legit and there's one heckuva Russian botnet-trojan that's been recently unleashed?
Farelf Posted September 13, 2007

> I've been poking around WHOIS, and perhaps the ISPs are legit and there's one heckuva Russian botnet-trojan that's been recently unleashed?

Yes, I think they're legitimate and the behavior is not typical botnet (why would a botnet retaliate at all, and why use the same address blocks from which to do it?). The unknowing hosts of zombied machines are hardly likely to attack the person who alerts them to the problem. You haven't confirmed whether you are munging your reports (ie, if your address is "X" in the reports you send). If not, you might try switching your user preference to this option and see what happens. In any event, please post a Tracking URL for a case which resulted in retaliation (you can go back in your reporting history up to 90 days) and preferably one of the resulting/matching spams received in 'payback'.
C2H5OH Posted September 13, 2007

> Yes, I think they're legitimate and the behavior is not typical botnet (why would a botnet retaliate at all, and why use the same address blocks from which to do it?). The unknowing hosts of zombied machines are hardly likely to attack the person who alerts them to the problem. You haven't confirmed whether you are munging your reports (ie, if your address is "X" in the reports you send). If not, you might try switching your user preference to this option and see what happens. In any event, please post a Tracking URL for a case which resulted in retaliation (you can go back in your reporting history up to 90 days) and preferably one of the resulting/matching spams received in 'payback'.

This is a very intriguing thread. I too have suffered floods of Russian "undeliverable bounce" spam - from those same domains amongst others. My SpamCop reports are always sent munged (xxxx as domain), but that doesn't prevent sender address harvesting from the encrypted email body, of course. What had changed for me was that I'd started sending reports via Coldrain too. I thought that their "unsubscribe me" option might have been what triggered the responses. I've since turned that option off in Coldrain's control panel. For the past week I have also set my ISP's email server to drop all DSN emails (to stop the flood to my inbox). I'll try re-enabling them to see whether the flood has now abated. (Except my ISP's email service is down - again - at the moment.)
Farelf Posted September 13, 2007

> This is a very intriguing thread. I too have suffered floods of Russian "undeliverable bounce" spam - from those same domains amongst others. ...

Thanks C2H5OH - certainly seems a bit out of the ordinary, and supporting observations are most welcome.
Geek (Author) Posted September 13, 2007

Ok, I'm having problems replying... posts end up out of order, then disappear. Here's the gist of what it was.

Today's batch of "origins":

[at]telros.net
[at]ru.net
[at]ptc.spbu.ru
[at]iwan.ru
[at]mtu-intel.ru
[at]post.mos.ru
[at]mos.ru
[at]tel.ru
[at]ncc.primorye.ru
[at]prim.dsv.ru
[at]su29.ru
[at]iasnet.ru
[at]ccl.ru

Normally I get 5-10 spams/day. Since these Russians showed up, I've been getting 40+, growing at about 5 per day. Still a far cry from the 4,000/wk I used to get before I started reporting... I'm keeping track of case numbers now, as suggested. Are there THAT many providers in Russia?
Wazoo Posted September 13, 2007

> Ok, I'm having problems replying... posts end up out of order, then disappear.

If you are talking about this Forum, I need a better explanation. No one has (yet) moved this Topic or any posts. If you do not provide a Tracking URL (or a few of them) sometime soon, this will be moved to the Lounge.

> Here's the gist of what it was. Today's batch of "origins": [at]telros.net [at]ru.net [at]ptc.spbu.ru <snip>

I am actually still a bit lost on your story. "Origin" of spam is normally the IP Address of the server involved, but you seem to be listing partial e-mail addresses. Looking at some of the data from your initial posts, Domains were seen that (allegedly) dated back to 1997 (one that I recall looking up). A couple that I looked up had no 'abuse' address, and the identified addresses left me wondering a bit .. my preference would have been to do a CC: to an upstream in a manual report. What no one here yet knows is just what addresses you are seeing (and unselecting, you say) for whatever spam you're submitting for parsing. Again, waiting for some Tracking URLs to provide some actual data to talk about.

> Normally I get 5-10 spams/day. Since these Russians showed up, I've been getting 40+, growing at about 5 per day. Still a far cry from the 4,000/wk I used to get before I started reporting...

Not sure what that's actually supposed to mean, as referenced against your Topic-starting post. The newsgroup archive/list is being 'attacked' by crap that is written in "charset=ISO-2022-JP" .. using alleged .jp e-mail addresses, but the actual source IP Addresses are from all around the world. One Yahoo account sees a lot of .pl garbage. On and on .... I'm still looking for something beyond the accusations made thus far, noting that several questions asked thus far haven't been answered either.
Farelf Posted September 14, 2007

> Ok, I'm having problems replying... posts end up out of order, then disappear.

I had something like that once (or twice) - turned out to be my firewall objecting to something in the topic/thread. Solution was to allow an exception for the forum server (or turn that blocking firewall function off temporarily). Don't see anything "here" that would trigger such action, but there will be a cause (even 'operator error', which is almost undiagnosable from this side). Stay with it, because there's not enough to figure out what's happening on either front yet - ref:

> If you are talking about this Forum, I need a better explanation. No one has (yet) moved this Topic or any posts. If you do not provide a Tracking URL (or a few of them) sometime soon, this will be moved to the Lounge.

Which will be fair indication we see nothing that we think could be laid before the Deputies yet in terms of your original posting, if in fact there is something requiring their action, which is what you were requesting. We're just trying to help with that.
Geek (Author) Posted September 14, 2007

> I had something like that once (or twice) - turned out to be my firewall objecting to something in the topic/thread.

Yes, I discovered it was on my end. I restarted my browser and all was OK.

> Stay with it, because there's not enough to figure out what's happening on either front yet - ref: [...] Which will be fair indication we see nothing that we think could be laid before the Deputies yet in terms of your original posting, if in fact there is something requiring their action, which is what you were requesting. We're just trying to help with that.

OK, I'm logging the report IDs sent and keeping track of any other patterns that seem to appear, like reporting then getting more spam. I'm not even sure yet of what's happening; just thought I'd throw it all out into the open to see if anyone else may have found something similar (which there seems to be one person). I should have put (?) after the post topic. I admit I've phrased things horribly.

Hi Wazoo,

> I am actually still a bit lost on your story. "Origin" of spam is normally the IP Address of the server involved, but you seem to be listing partial e-mail addresses.

These are the domains to where the reports would be sent.

> I'm still looking for something beyond the accusations made thus far, noting that several questions asked thus far haven't been answered either.

Sorry about that; as I explained to Farelf above, I've worded things badly. Will do better.

> The newsgroup archive/list is being 'attacked' by crap that is written in "charset=ISO-2022-JP" .. using alleged .jp e-mail addresses, but the actual source IP Addresses are from all around the world. One Yahoo account sees a lot of .pl garbage. On and on ....

There's tons of those on the alt.binaries groups right now. Using the killfile is useless since the "originator" always seems random >.<

Cheers guys!
Geek (Author) Posted September 16, 2007

Just to update... They've been fairly quiet other than a couple of repeat offenders the last couple of days, and it looks like the Trustees are on the job, as some have been tossed into /dev/null. This is good, since the file I was using with all my notes got corrupted. If no one has objections, maybe this can be tagged "Resolved"?

Cheers!
axxx007 Posted September 16, 2007

I have received a lot of spam in the last few months from these Russian ISPs to my hotmail account. A lot of this spam has been spam where the spammer has inserted my email address in the headers to make it appear that I have sent spam out to myself. There is a thread in the lounge on this a few pages back that covers this problem a bit, titled "My email address in senders properties" .... maybe that will give you some information as well. Most of the spam I am getting going through these Russian ISPs now is pharmacy spam.
C2H5OH Posted September 17, 2007

> [SNIP] For the past week I have also set my ISP's email server to drop all DSN emails (to stop the flood to my inbox). I'll try re-enabling them to see whether the flood has now abated. (Except my ISP's email service is down - again - at the moment.)

Re-enabled DSNs midday Saturday. Just one or two undeliverable notifications on Sunday, then overnight Sunday-Monday received 198 misdirected bounces, most from Russia or its satellites. I am still opted out of the unsubscribe option with Coldrain. For comparison/interest, here are the 105 unique source domains from those 198 bounces...

54.ru
aaanet.ru
adamant.net
agava.com
agava.net
alkar.net
astel.net
atnet.ru
avtlg.ru
bashnet.ru
caravan.ru
chereda.net
ci.ukrpack.net
colocall.net
comstar.net.ua
comtat.ru
corbina.net
ctcs.ru
dinet.ru
donbass.net
elcom.ru
elpskov.ru
eltel.net
farlep.net
fmcg.ru
freenet.com.ua
globus-telecom.com
harvestr.ru
hc.ru
inc.ru
incoma.ru
infobox.ru
infos.ru
infosport.ru
irlink.ru
irs.ru
itn.ru
kgts.ru
kharkiv.net
kis.ru
kraslan.ru
ktk.ru
lep.lg.ua
liga.net
lsv.kiev.ua
lyceum.usu.ru
makdak.ru
manpower.ru
mark-itt.net
masterhost.ru
mastertel.ru
metrocom.ru
mfist.usi.ru
miee.ru
msu.ru
mtu.ru
nbi.com.ua
netup.ru
nornik.ru
parkline.ru
pbank.dp.ua
pcn.net.ua
peterstar.net
playfon.ru
ptt.spb.ru
radio-msu.net
ras.ru
rbc.ru
redcom.net
rgs.ru
rls.ru
rosnet.ru
rosprint.net
rtcomm.ru
run.net
rusonyx.ru
s42.dcn-asu.ru
samara.net
samtelecom.ru
scat-7.ru
sci.lebedev.ru
snc.ru
solaris.ru
sovam.com
sovintel.ru
spb.edu
ssft.net
stacktelecom.ru
sunet.ru
svwh.net
techno.spb.ru
televic-cs.ru
tsinet.ru
tula.net
uar.net
ukr-com.net
unets.ru
unibel.by
united.net.ua
utk.ru
vado.ru
volia.net
vtt.net
westcall.netadmnsk.ru
wsnet.ru

If only they were all REAL providers and had read: http://members.spamcop.net/fom-serve/cache/329.html

sigh..
Farelf Posted September 17, 2007

> I have received a lot of spam in the last few months from these Russian ISPs to my hotmail account. A lot of this spam has been spam where the spammer has inserted my email address in the headers to make it appear that I have sent spam out to myself. ...

Yes, well that's a bit of a catch-22 if you want to send munged reports - "From:" addresses don't get munged (last I knew), even if it is your address. That certainly would be a "neat" way to tag reports if these people were playing those games.

> Re-enabled DSNs midday Saturday. Just one or two undeliverable notifications on Sunday, then overnight Sunday-Monday received 198 misdirected bounces, most from Russia or its satellites. I am still opted out of the unsubscribe option with Coldrain. ... If only they were all REAL providers and had read: [edit - switched from members to www for those not logged in] http://www.spamcop.net/fom-serve/cache/329.html ...

I checked a few of those 105 at random. They may be clueless, but they look real enough to me. I'm inclining now to view it all as chronic cluelessness, in fact - it seems to explain all that has been said in this topic to date. Maybe that FAQ should get translated into Russian - in the meantime, misdirected bounces are reportable, and the more that are reported, the more likely the offending ISPs are to 'get a clue'.
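The two posts above describe the same piece of work from the receiving end: C2H5OH tallied the source domains of 198 bounces, and Farelf notes that the misdirected ones (bounces for mail you never sent, i.e. backscatter from servers that accept a forged sender and bounce afterwards) are what is worth reporting. The script below is an added example, not code from this thread or from SpamCop, showing how to do that triage automatically: parse each DSN (RFC 3464 multipart/report), read the Reporting-MTA field and the quoted original's Message-ID, keep bounces whose Message-ID appears in your own outbound log, and count the rest per provider domain. All DSNs here are constructed samples, SENT_MESSAGE_IDS is a hand-written stand-in for an MTA's sent log, and provider_domain() is a deliberately rough heuristic (a public-suffix list would be the proper tool).

```python
"""Triage DSN ("bounce") messages: keep bounces of mail we actually sent, and
tally the providers whose servers emit misdirected bounces (backscatter).

Added example; not code from the forum thread or from SpamCop. Every message
below is a constructed sample, and SENT_MESSAGE_IDS stands in for an outbound
mail log that a real deployment would read from the MTA."""
import email
from collections import Counter
from email import policy


def make_dsn(reporting_host, original_msgid, recipient):
    """Build a minimal RFC 3464 multipart/report DSN (constructed test data)."""
    return (
        "Return-Path: <>\n"
        f"From: MAILER-DAEMON@{reporting_host}\n"
        "To: alice@example.com\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="BND"\n'
        "\n--BND\nContent-Type: text/plain\n\n"
        "Your message could not be delivered.\n"
        "\n--BND\nContent-Type: message/delivery-status\n\n"
        f"Reporting-MTA: dns; {reporting_host}\n\n"
        f"Final-Recipient: rfc822; {recipient}\nAction: failed\nStatus: 5.1.1\n"
        "\n--BND\nContent-Type: text/rfc822-headers\n\n"
        f"Message-ID: {original_msgid}\nFrom: alice@example.com\nTo: {recipient}\n"
        "Subject: headers of the message the DSN claims to bounce\n"
        "\n--BND--\n"
    )


def reporting_mta(msg):
    """Host that generated the DSN, taken from the Reporting-MTA field."""
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # The parser splits this part into header blocks; the first is per-message.
            first_block = part.get_payload()[0]
            value = str(first_block.get("Reporting-MTA", ""))
            if ";" in value:                          # "dns; host.example"
                return value.split(";", 1)[1].strip().lower()
    return None


def original_message_id(msg):
    """Message-ID of the message the DSN claims to be returning, if quoted."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            mid = part.get_payload()[0].get("Message-ID")
        elif ctype == "text/rfc822-headers":
            quoted = email.message_from_string(part.get_content(), policy=policy.default)
            mid = quoted.get("Message-ID")
        else:
            continue
        return str(mid).strip() if mid else None
    return None


def parse_bounce(raw):
    """Parse one raw DSN; return (reporting host, quoted original Message-ID)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return reporting_mta(msg), original_message_id(msg)


def provider_domain(host):
    """Rough stand-in for the provider's domain: drop the first label of a
    hostname with three or more labels (mx.ptt.spb.ru -> ptt.spb.ru).
    Heuristic only; a public-suffix list would do this properly."""
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host


def triage(raw_bounces, sent_message_ids):
    """Return (Counter of provider domains emitting backscatter,
    list of Message-IDs whose bounces refer to mail we really sent)."""
    backscatter = Counter()
    genuine = []
    for raw in raw_bounces:
        host, mid = parse_bounce(raw)
        if mid is not None and mid in sent_message_ids:
            genuine.append(mid)
        else:
            # Nothing we sent matches: a forged sender address was bounced to us.
            backscatter[provider_domain(host or "unknown")] += 1
    return backscatter, genuine


SENT_MESSAGE_IDS = {"<20070915.1234@example.com>"}   # constructed outbound log

SAMPLE_BOUNCES = [                                   # constructed DSNs
    make_dsn("mx.ptt.spb.ru", "<spam-0001@forged.invalid>", "nobody@ptt.spb.ru"),
    make_dsn("relay.aaanet.ru", "<spam-0002@forged.invalid>", "old@aaanet.ru"),
    make_dsn("mx2.ptt.spb.ru", "<spam-0003@forged.invalid>", "gone@ptt.spb.ru"),
    make_dsn("mail.example.org", "<20070915.1234@example.com>", "bob@example.org"),
]

if __name__ == "__main__":
    counts, real = triage(SAMPLE_BOUNCES, SENT_MESSAGE_IDS)
    for domain, n in counts.most_common():
        print(f"{n:3d} misdirected bounce(s) from {domain}")   # candidates to report
    print("genuine bounces:", real)
```

The Message-ID check is the part that matters: a bounce whose quoted original you never sent is backscatter by definition, regardless of where it came from, so the tally of Reporting-MTA domains becomes a list of servers to report rather than a list of senders to fear. The quoted headers are the only part of a DSN the bouncing server did not write itself, which is why a spammer's forged From: line ends up there.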
Merlyn Posted September 17, 2007

If you have your own server, block the following IPs: http://www.blackholes.us/zones/country/russia.txt
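For anyone who does run their own server, the post above amounts to "load a country zone file into the firewall". The script below is an added example (not from the thread and not from blackholes.us) of how to do that robustly: parse the list, skip comments and malformed lines instead of aborting, collapse overlapping prefixes so the rule set stays small, test an address against it, and render the DROP rules. The zone file's line format (one CIDR per line, '#' comments) is an assumption, ZONE_FILE_TEXT is a constructed sample rather than the real Russia zone, and the rules target only inbound SMTP, since a country-wide block applied to all traffic also drops legitimate mail and web visitors.

```python
"""Turn a country zone file of CIDR blocks into a lookup and into firewall rules.

Added example, not code from the thread or from blackholes.us. The file format
(one CIDR per line, '#' comments) is an assumption; ZONE_FILE_TEXT is a
constructed sample, not the real Russia zone."""
import ipaddress

ZONE_FILE_TEXT = """\
# constructed sample zone (not the real list); one CIDR per line
194.85.0.0/16
195.161.0.0/16
81.176.0.0/13
81.176.0.0/16      # already inside 81.176.0.0/13, should collapse away
not-an-address     # malformed line, should be skipped
"""


def load_zone(text):
    """Parse the zone text into a sorted, de-duplicated list of networks.
    Malformed lines are skipped rather than aborting the whole load."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    # collapse_addresses() needs a single address family per call
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(ip, nets):
    """True if the address falls inside any network of the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)       # mismatched families are never 'in'


def iptables_rules(nets, port=25):
    """Render one DROP rule per network for inbound SMTP only (assumed iptables syntax)."""
    return [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j DROP" for net in nets]


if __name__ == "__main__":
    zone = load_zone(ZONE_FILE_TEXT)
    print(f"{len(zone)} networks after collapsing")
    for rule in iptables_rules(zone):
        print(rule)
    for probe in ("194.85.1.2", "8.8.8.8"):
        print(probe, "blocked" if is_blocked(probe, zone) else "allowed")
```

Collapsing matters for more than tidiness: the real per-country lists run to thousands of prefixes, and a firewall chain of that length is evaluated for every packet, so an ipset or the MTA's own access map is usually the better place for such a list in production.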
Geek (Author) Posted September 18, 2007

> If you have your own server, block the following IPs: http://www.blackholes.us/zones/country/russia.txt

Thanks! I don't run my own server, but I do know someone who does and is being overrun. Hopefully he'll find the link useful.
Geek (Author) Posted September 18, 2007

CRIPES!!!! I spoke too soon. I sent spam report 2506194430 to "iva[at]mgsn-invest.ru" (now if that isn't a fishy address, I don't know what is) and I got a day's allotment of spam in about 20 minutes. Is it possible the gibberish at the bottom contains a code representing my addy (like some Chinese spam URL strings do)? Because how on earth did the "retaliation" happen?
Wazoo Posted September 18, 2007

> I sent spam report 2506194430 to "iva[at]mgsn-invest.ru" (now if that isn't a fishy address, I don't know what is) and I got a day's allotment of spam in about 20 minutes.

SpamCop FAQ "here" links at the very top of the page. Jump/scroll down to the section:

Parsing Problems / Issues
  How Do I Show Full / Technical Details in a Parse?
  "Header incomplete, aborting." and "No source IP address found, cannot proceed."
  Causes of "Would send" and "If reported today, reports would be sent to:" messages
  SpamCop said "No reports filed." What does it mean?
  Steps taken by the parser, general overview
  The Link Analysis Process
  SpamCop reporting of spamvertized sites - some philosophy
  Getting a Tracking URL from a Report ID
  ^^^^^^^^^^^^^^^^^^^^^^^^^^ Follow this link ....
Pinebear Posted November 7, 2007

I'm going to add to this discussion. For the past several months, I have been receiving tons of spam in Cyrillic. I use Mailwasher and have been reporting those not already on the SpamCop RBL to both SpamCop and Knujon. The daily quantity seemed to be ever rising. I then came across this thread a couple of weeks ago and decided to stop reporting the SPAMs in Cyrillic to SpamCop. Almost immediately, the volume dramatically decreased. In fact, around the middle of last week I was ready to report my experience as part of this thread. But then, about two days ago, I was again bombed with dozens of SPAMs in Cyrillic. I now suspect that some of the ones that are in English are also being reported to the various *.ru contacts, mainly mtu/spbnit/ptn.ru, which has resulted in this ongoing plethora of spam, with virtually 100% having something to do with penile enhancement. No real proof, just my observation of what I am seeing.