(J)ack (O)f (A)ll (T)rades
Mostly Security, Some
Blogging, Misc. Admin,
and Bits of My Life.
Fri, 08 Dec 2006

Outage 08 Dec
Everyone please thank the ass spammer at 205.134.172.137 and 138. He was pounding the site so hard that the admins took the server offline and beat me. (A system load of 68?!)

Analysis pending.

joat: 02:18:29 8 Dec 2006


Tue, 21 Nov 2006

Weird spam 21 Nov
Just noticed the following... (Click to see photo). (89K)

Do you see it? (Hint: look at the body but not the text.)

I've got a growing collection of messages in which someone has gone to the trouble of adding little colored threads. It is not a picture as the text is normal. Though the threads are included as part of a graphic, they are inline. If I resize the window, no scrollbars appear (unless there's too much text).

This is too weird. Anyone have any ideas on what it is?

joat: 11:37:20 21 Nov 2006


Sun, 05 Nov 2006

No more forgers? 05 Nov
I attempted to find a good example of a forged email header, for a short demo that I'm writing, by wading through my quarantine folder. Guess what I've noticed: no one bothers to forge headers anymore. Why bother when you buy zombies for a few pennies per box?

joat: 13:00:00 5 Nov 2006


Wed, 20 Sep 2006

Spam 20 Sep
The recent e360 rumble reminded me that I hadn't visited a few sites in a while. It's always interesting to watch both ends of the ordeal (if you don't mind waiting; these things take time). In any case, here's one on the front end: Spamhaus, and here's one on the back end: the FTC's Commission Actions for 2006 (look for links with the "FTC v. so-and-so" format). (Their archives are here.)

joat: 12:00:00 20 Sep 2006


Fri, 21 Jul 2006

New? 21 Jul
Just found this one in my inbox. Seems that someone has come up with an interesting way to get me to open an attachment. The text of the message reads (my email address has been edited):

From: Automatic Email Delivery Software
To: joat@757.org
Subject: [SPAM] ERROR
Date: Fri, 30 Jun 2006 23:28:24 +0300 (16:28 EDT)

Your message was undeliverable due to the following reason(s):

Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 7 days:
Mail server 117.57.210.242 is not responding.

The following recipients did not receive this message:
<joat@757.org>

Please reply to postmaster@cox.net
if you feel this message to be in error.

Looks normal, right? The "trick" lies in the attachment. It has a "scr" file extension.

This prompted me to look at the header. Sure enough, my ISP received the message from 62.103.212.133. Even though the IP claimed to be cox.net (told the SMTP server "helo cox.net"), a reverse lookup on the IP returns "primalch.static.otenet.gr". A whois lookup confirms this.

So add the following to things not to do: "Don't open attachments from error messages." I'll look at the attachment this weekend.
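The two checks described above (the HELO name a sender announced versus the reverse DNS of the IP it actually connected from, and an executable attachment riding on a "bounce") can be automated. The following is an added example, not code from the original post. The Received header and the attachment name are constructed from the values the post reports; the relay name mx.example.net, the file name message.scr and the last-two-labels heuristic for the registrable domain are assumptions.

```python
import re
from email import policy
from email.message import EmailMessage

# Received: header shape "from <HELO> (<rDNS> [<ip>])"; the rDNS part is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
)

# Extensions Windows executes directly; a genuine bounce never carries these.
RISKY_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs")


def registrable(host: str) -> str:
    """Crude registrable-domain heuristic: last two labels (assumption; a
    public-suffix list would be used in production)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def helo_mismatch(received: str):
    """Compare the HELO name a client announced with the PTR of its IP."""
    m = RECEIVED_RE.search(received)
    if not m:
        return None
    helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
    mismatch = rdns is None or registrable(helo) != registrable(rdns)
    return {"helo": helo, "rdns": rdns, "ip": ip, "mismatch": mismatch}


def risky_attachments(msg: EmailMessage):
    """Names of attachments whose extension makes them directly executable."""
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
    ]


def triage_bounce(msg: EmailMessage) -> dict:
    """Combine both checks into one verdict for a message claiming to be a bounce."""
    helo = helo_mismatch(str(msg.get("Received", "")))
    risky = risky_attachments(msg)
    return {
        "helo": helo,
        "risky_attachments": risky,
        "suspicious": bool(risky) or bool(helo and helo["mismatch"]),
    }


def build_sample_bounce() -> EmailMessage:
    """Constructed message modelled on the post: the HELO name and IP are the
    ones the post reports; mx.example.net and the file name are made up."""
    msg = EmailMessage(policy=policy.default)
    msg["Received"] = (
        "from cox.net (primalch.static.otenet.gr [62.103.212.133]) "
        "by mx.example.net with SMTP; Fri, 30 Jun 2006 16:28:24 -0400"
    )
    msg["From"] = "Automatic Email Delivery Software <postmaster@cox.net>"
    msg["To"] = "joat@757.org"
    msg["Subject"] = "ERROR"
    msg.set_content("Your message was undeliverable due to the following reason(s): ...")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="message.scr")
    return msg


if __name__ == "__main__":
    print(triage_bounce(build_sample_bounce()))
```

The HELO/PTR comparison only flags a mismatch; a legitimate relay can announce a name under a different domain from its PTR, so this is a scoring input rather than a hard reject. The attachment check, by contrast, is a safe hard rule for anything claiming to be a delivery-status notification.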

joat: 12:05:00 21 Jul 2006


Wed, 19 Jul 2006

Spam Injection? 19 Jul
This is the first that I've heard of this technique and I find it especially intriguing/annoying. Intriguing in that it's a new (to me) technique. Annoying in that it's yet another way to get unwanted ads in front of you.

And ABC wonders why people have a tendency to skip commercials when they are able to.

I also worry that this will become yet another vector for infection and exploit. Oh, and shame on you, Vonage, for encouraging the mess by funding it (in part).

joat: 20:30:00 19 Jul 2006


Sat, 17 Jun 2006

Spammers 17 Jun
Okay, this is getting out of hand. I was out of town for a week and was able to sift through the comment queue only once (on Tuesday). Since then the comment spammers have dumped a little over 21,000 spams into the queue. Luckily, I'm not limited to manual delete.

It is a PITA though.

joat: 17:00:00 17 Jun 2006


Wed, 16 Feb 2005

Spammer profile 16 Feb
Here's yet another spammer analysis. This one is incomplete but will hopefully help someone else in their searches.

The following URLs show up in unending attempts to post comment spam to the blog:

  • 888.ronnieazza.com
  • buy-phentermine.ronnieazza.com
  • buy-viagra.future-2000.net
  • buy-xanax.ronnieazza.com
  • carisoprodol.future-2000.net
  • cialis.future-2000.net
  • credit-cards.ronnieazza.com
  • didrex.future-2000.net
  • diet-pills.ronnieazza.com
  • free-poker.future-2000.net
  • generic-viagra.ronnieazza.com
  • loans.future-2000.net
  • online-pharmacy.future-2000.net
  • online-poker.future-2000.net
  • party-poker.ronnieazza.com
  • payday-loan.future-2000.net
  • pay-day-loan.ronnieazza.com
  • payday-loans.ronnieazza.com
  • phentermine.future-2000.net
  • poker-games.future-2000.net
  • poker-online.ronnieazza.com
  • poker.ronnieazza.com
  • private-mortgage.future-2000.net
  • prozac.future-2000.net
  • reductil.ronnieazza.com
  • soma.ronnieazza.com
  • student-loans.ronnieazza.com
  • texas-hold-em.future-2000.net
  • texas-holdem.ronnieazza.com
  • tramadol.ronnieazza.com
  • valium.ronnieazza.com
  • viagra.future-2000.net
  • www.future-2000.net
  • www.ronnieazza.com

All of the above translate to IP address 219.150.118.16.

A WHOIS lookup of 219.150.118.16 results in:

% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      219.150.112.0 - 219.150.255.255
netname:      CHINATELECOM-ha
descr:        CHINANET henan province network
descr:        China Telecom
descr:        No.31,jingrong street
descr:        Beijing 100032
country:      CN
admin-c:      CH93-AP
tech-c:       HZ149-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINATELECOM-ha
changed:      hostmaster@ns.chinanet.cn.net 20030820
status:       ALLOCATED NON-PORTABLE
source:       APNIC

person:       Chinanet Hostmaster
address:      No.31 ,jingrong street,beijing
address:      100032
country:      CN
phone:        +86-10-66027112
fax-no:       +86-10-58501144
e-mail:       hostmaster@ns.chinanet.cn.net
e-mail:       anti-spam@ns.chinanet.cn.net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      hostmaster@ns.chinanet.cn.net 20021016
remarks:      hostmaster is not for spam complaint,please 
send spam complaint to anti-spam@ns.chinanet.cn.net
source:       APNIC

person:       Hongbiao Zhang
nic-hdl:      HZ149-AP
e-mail:       ip@hntele.com
address:      97# Zhongyuan Street, Zhengzhou,Chinese
phone:        +86-371-5310007
fax-no:       +86-371-5310044
country:      CN
changed:      zhb@hntele.com 20030813
mnt-by:       MAINT-CHINATELECOM-HA
source:       APNIC
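The RIR record above is line-oriented "key: value" text, one object per blank-line-separated block, with the occasional wrapped value (the remarks line, whose second half carries no key). The following is an added example, not code from the original post, that parses such output and resolves the admin-c/tech-c handles of the inetnum object to the addresses a complaint should go to, preferring any address the contact's remarks explicitly designate for spam complaints. The sample is the APNIC record quoted above, trimmed; the treatment of a wrapped "http://..." line as a continuation is an assumption made because registrar output on this page wraps URLs that way.

```python
import re
from typing import Dict, List

# Constructed sample: the APNIC record quoted in the post, trimmed, keeping the
# wrapped "remarks:" value whose second line has no key.
SAMPLE_WHOIS = """\
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      219.150.112.0 - 219.150.255.255
netname:      CHINATELECOM-ha
descr:        CHINANET henan province network
country:      CN
admin-c:      CH93-AP
tech-c:       HZ149-AP
source:       APNIC

person:       Chinanet Hostmaster
e-mail:       hostmaster@ns.chinanet.cn.net
e-mail:       anti-spam@ns.chinanet.cn.net
nic-hdl:      CH93-AP
remarks:      hostmaster is not for spam complaint,please
send spam complaint to anti-spam@ns.chinanet.cn.net
source:       APNIC

person:       Hongbiao Zhang
nic-hdl:      HZ149-AP
e-mail:       ip@hntele.com
source:       APNIC
"""

# "key:   value". A wrapped "http://..." continuation line also looks like
# "key:value", so a value beginning with "//" is treated as a continuation.
KEY_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

WhoisObject = Dict[str, List[str]]


def parse_whois(text: str) -> List[WhoisObject]:
    """Split RPSL-style output into blank-line separated objects of key -> values."""
    objects: List[WhoisObject] = []
    current: WhoisObject = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(("%", "#")):
            continue  # server banner / comment lines carry no record data
        m = KEY_RE.match(line)
        if m and not m.group(2).startswith("//"):
            last_key = m.group(1).lower()
            current.setdefault(last_key, []).append(m.group(2).strip())
        elif last_key is not None:
            current[last_key][-1] += " " + line.strip()  # wrapped value
    if current:
        objects.append(current)
    return objects


def abuse_contacts(objects: List[WhoisObject]) -> List[str]:
    """E-mail addresses for the admin-c/tech-c of the first inetnum object.
    If a contact's remarks name an address for spam complaints, that address
    is used instead of the contact's own e-mail values."""
    by_handle = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    net = next((o for o in objects if "inetnum" in o), None)
    if net is None:
        return []
    found: List[str] = []
    for role in ("admin-c", "tech-c"):
        for handle in net.get(role, []):
            contact = by_handle.get(handle)
            if contact is None:
                continue
            designated = EMAIL_RE.findall(" ".join(contact.get("remarks", [])))
            for addr in designated or contact.get("e-mail", []):
                if addr not in found:
                    found.append(addr)
    return found


if __name__ == "__main__":
    print(abuse_contacts(parse_whois(SAMPLE_WHOIS)))
```

Keying every value as a list matters here: the hostmaster object carries two e-mail lines, and collapsing them to one string would silently drop the anti-spam address the remarks point at.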

A WHOIS lookup of future-2000.net results in:

Domain Name: FUTURE-2000.NET

Registrant:
        Jim Fox
        122 W 90 Street
        NYC
        NY
        US
        10024

Administrative Contact:
        Leonel, Morgan (NIC-21487) mail29@support-2000.net
        Morgan Leonel
        Horseshoe Trail
        65
        Tabor
        Alaska,  US
        90471
        Phone: 9454141824

Billing Contact:
        Leonel, Morgan (NIC-21487) mail29@support-2000.net
        Morgan Leonel
        Horseshoe Trail
        65
        Tabor
        Alaska,  US
        90471
        Phone: 9454141824

Technical Contact:
        Leonel, Morgan (NIC-21487) mail29@support-2000.net
        Morgan Leonel
        Horseshoe Trail
        65
        Tabor
        Alaska,  US
        90471
        Phone: 9454141824

Domain servers in listed order:

        NS0.DNS2005.NET
        NS1.DNS2005.NET

        Record created on 2001-12-23 12:42:00.0
        Database last updated on 2005-02-10 12:30:04.967
        Domain Expires on 2007-12-23 12:42:00.0

A WHOIS lookup of ronnieazza.com results in:

   Domain Name: RONNIEAZZA.COM
   Registrar: MONIKER ONLINE SERVICES, INC.
   Whois Server: whois.moniker.com
   Referral URL: http://www.moniker.com/whois.html
   Name Server: NS0.MANAGE-DNS.NET
   Name Server: NS1.MANAGE-DNS.NET
   Status: REGISTRAR-LOCK
   Updated Date: 05-feb-2005
   Creation Date: 24-mar-2002
   Expiration Date: 24-mar-2007


Registrant:
        Susan Lee
        112 W 77 Street
        NYC
        NY
        US
        10020

Administrative Contact:
        Evelin, Porter (NIC-14080) contact56@support-24x7.biz
        Porter Evelin
        Woodmere Ct
        56
        Saint Ansgar
        Kansas,  US
        46318
        Phone: 8183780401

Billing Contact:
        Erika, Alicia (NIC-14090) contact66@support-24x7.biz
        Alicia Erika
        Devon State Rd
        66
        Sanborn
        Montana,  US
        43848
        Phone: 8193680401

Technical Contact:
        Evelin, Porter (NIC-14080) contact56@support-24x7.biz
        Porter Evelin
        Woodmere Ct
        56
        Saint Ansgar
        Kansas,  US
        46318
        Phone: 8183780401

Domain servers in listed order:

        NS0.MANAGE-DNS.NET
        NS1.MANAGE-DNS.NET

        Record created on 2002-03-24 09:04:00.0
        Database last updated on 2005-02-05 01:56:13.25
        Domain Expires on 2007-03-24 09:04:00.0

As both registrants are in the middle of Manhattan Island at addresses that do not correspond to any mailing address known to Google or Yahoo, I'm willing to bet that they're fake. Let's take a look at the mailing addresses for the technical and administrative contacts.

A WHOIS lookup for support-2000.net returns:

domain:         SUPPORT-2000.NET
owner-address:  Chen
owner-address:  282 Shibuya-ku
owner-address:  100-0005
owner-address:  Tokyo
owner-address:  Japan
admin-c:        CY187-GANDI
tech-c:         AR41-GANDI
bill-c:         CY187-GANDI
nserver:        full1.gandi.net 217.70.177.42
nserver:        full2.gandi.net 217.70.179.34
reg_created:    2004-12-08 04:30:26
expires:        2005-12-08 04:30:26
created:        2004-12-08 10:30:27
changed:        2004-12-08 10:30:27

person:         Chen Young
nic-hdl:        CY187-GANDI
address:        282 Shibuya-ku
address:        100-0005
address:        Tokyo
address:        Japan
phone:          +81.332146532
e-mail:         contact@support-2000.net
lastupdated:    2004-12-08 10:34:09

person:         GANDI Auto Register 4.1
nic-hdl:        AR41-GANDI
address:        GANDI
address:        38 rue Notre-Dame de Nazareth
address:        F-75003
address:        Paris
address:        France
phone:          N/A
e-mail:         support@gandi.net

Ah, it's that nice Registrar in France: Gandi. How about the other? A WHOIS lookup for support-24x7.biz returns:

support-24x7.biz = [ 217.70.180.17 ] 
 Domain Name:                                 SUPPORT-24X7.BIZ 
  Domain ID:                                   D7437648-BIZ 
  Sponsoring Registrar:                        GANDI SARL 
  Sponsoring Registrar IANA ID:                81 
  Domain Status:                               ok 
  Registrant ID:                               O-854424-GANDI 
  Registrant Name:                             Ron Miles 
  Registrant Organization:                     Phentermine Deals 
  Registrant Address1:                         P.O.box 710 
  Registrant City:                             St John's  English Harbour 
  Registrant Postal Code:                      2003 
  Registrant Country:                          Antigua and Barbuda 
  Registrant Country Code:                     AG 
  Registrant Phone Number:                     268.4606129 
  Registrant Email:                            
99f8210a45bbd8f39062cf022ba867b7-856213@owner.gandi.net
 
  Administrative Contact ID:                   RM957-GANDI 
  Administrative Contact Name:                 Ron Miles 
  Administrative Contact Organization:         Phentermine Deals 
  Administrative Contact Address1:             P.O.box 713 
  Administrative Contact City:                 St John's  English Harbour 
  Administrative Contact Postal Code:          2003 
  Administrative Contact Country:              Antigua and Barbuda 
  Administrative Contact Country Code:         AG 
  Administrative Contact Phone Number:         268.4606129 
  Administrative Contact Email:                
dea8e5907adc69b07c4df20c207e1894-rm957@contact.gandi.net
 
  Billing Contact ID:                          AR41-GANDI 
  Billing Contact Name:                        CONTACT NOT AUTHORITATIVE see 
http://www.gandi.net/whois 
  Billing Contact Organization:                Gandi SARL 
  Billing Contact Address1:                    38 rue Notre-Dame de Nazareth 
  Billing Contact City:                        Paris 
  Billing Contact Postal Code:                 75003 
  Billing Contact Country:                     France 
  Billing Contact Country Code:                FR 
  Billing Contact Email:                       support@gandi.net
 
  Technical Contact ID:                        AR41-GANDI 
  Technical Contact Name:                      CONTACT NOT AUTHORITATIVE see 
http://www.gandi.net/whois 
  Technical Contact Organization:              Gandi SARL 
  Technical Contact Address1:                  38 rue Notre-Dame de Nazareth 
  Technical Contact City:                      Paris 
  Technical Contact Postal Code:               75003 
  Technical Contact Country:                   France 
  Technical Contact Country Code:              FR 
  Technical Contact Email:                     support@gandi.net
 
  Name Server:                                 FULL1.GANDI.NET 
  Name Server:                                 FULL2.GANDI.NET 
  Created by Registrar:                        GANDI SARL 
  Last Updated by Registrar:                   GANDI SARL 
  Domain Registration Date:                    Tue Jul 27 06: 48: 49 GMT 2004 
  Domain Expiration Date:                      Tue Jul 26 23: 59: 59 GMT 2005 
  Domain Last Updated Date:                    Thu Aug 26 15: 05: 55 GMT 2004 
  >>> Whois database was last updated on: Sat Feb 12 23: 43: 13 GMT 2005 <<< 
  NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE 
  OF THE AVAILABILITY OF A DOMAIN NAME. 

Yep, the nice Registrar again. Let's look at mail servers...

The mail server for future-2000.net is:

Non-authoritative answer:
*** Can't find future-2000.net: No answer

Authoritative answers can be found from:
future-2000.net
        origin = ns0.future-2000.net
        mail addr = hostmaster.future-2000.net
        serial = 200308131
        refresh = 1800
        retry = 900
        expire = 604810
        minimum = 1200

Hmm... Doesn't exist. If we ask ns0.future-2000.net we get:

Server:  ns0.future-2000.net
Address:  219.150.118.16

Authoritative answers can be found from:
(root)  nameserver = F.ROOT-SERVERS.net
(root)  nameserver = G.ROOT-SERVERS.net
(root)  nameserver = H.ROOT-SERVERS.net
(root)  nameserver = I.ROOT-SERVERS.net
(root)  nameserver = J.ROOT-SERVERS.net
(root)  nameserver = K.ROOT-SERVERS.net
(root)  nameserver = L.ROOT-SERVERS.net
(root)  nameserver = M.ROOT-SERVERS.net
(root)  nameserver = A.ROOT-SERVERS.net
(root)  nameserver = B.ROOT-SERVERS.net
(root)  nameserver = C.ROOT-SERVERS.net
(root)  nameserver = D.ROOT-SERVERS.net
(root)  nameserver = E.ROOT-SERVERS.net

So it doesn't exist. An "A" query for future-2000.net (just in case it's an explicit name rather than an MX) yields similar results. Actually, any query to ns0.future-2000.net returns only pointers to the root servers. This might be valuable later in complaining about the domain.

Also, please note that the root servers indicate that the domain is served by ns0.future-2000.net and that it is at 219.150.118.16. This most definitely is valuable when we look at server headers below.

The mail server for support-24x7.biz is:

Server:  full1.gandi.net
Address:  217.70.177.42

support-24x7.biz        preference = 10, mail exchanger = 
			redir-mailav-telehouse1.gandi.net
support-24x7.biz        preference = 10, mail exchanger = 
			redir-mailav-telehouse2.gandi.net
support-24x7.biz        nameserver = full1.gandi.net
support-24x7.biz        nameserver = full2.gandi.net

Let's see if we can grab web server headers:

> wget -S http://www.support-24x7.biz
--19:05:00--  http://www.support-24x7.biz/
           => `index.html.7'
Resolving www.support-24x7.biz... done.
Connecting to www.support-24x7.biz[217.70.180.17]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 302 Found
 2 Date: Sun, 13 Feb 2005 00:05:03 GMT
 3 Server: Apache/1.3.28 (Unix)
 4 Location: http://redir-error.gandi.net
 5 Connection: close
 6 Content-Type: text/html; charset=iso-8859-1
Location: http://redir-error.gandi.net [following]
--19:05:03--  http://redir-error.gandi.net/
           => `index.html.7'
Resolving redir-error.gandi.net... done.
Connecting to redir-error.gandi.net[217.70.178.17]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 200 OK
 2 Date: Sun, 13 Feb 2005 00:05:03 GMT
 3 Server: Apache/1.3.23 (Unix) Debian GNU/Linux
 4 Last-Modified: Thu, 23 Dec 2004 15:30:56 GMT
 5 ETag: "2fe87-275-41cae4b0"
 6 Accept-Ranges: bytes
 7 Content-Length: 629
 8 Connection: close
 9 Content-Type: text/html; charset=iso-8859-1

100%[====================================>] 629          614.26K/s    ETA 00:00

19:05:03 (614.26 KB/s) - `index.html.7' saved [629/629]

This could be the standard redirect that some of the registrars have started doing. (Yeah, even Network Solutions uses this unethical practice.)

> wget -S http://www.future-2000.net
--19:14:15--  http://www.future-2000.net/
           => `index.html.9'
Resolving www.future-2000.net... done.
Connecting to www.future-2000.net[219.150.118.16]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 200 OK
 2 Date: Sun, 13 Feb 2005 13:17:15 GMT
 3 Server: Apache
 4 Accept-Ranges: bytes
 5 X-Powered-By: PHP/4.2.2
 6 Content-Length: 2121
 7 Connection: close
 8 Content-Type: text/html; charset=UTF-8

100%[====================================>] 2,121          4.86K/s    ETA 00:00

19:14:17 (4.86 KB/s) - `index.html.9' saved [2121/2121]

Ah! Not a redirect! Grabbing www.future-2000.net returns a page that looks like:

This former info is currently under investigation - Due to mis-proper use of the hosting account

Service Unavailable!

Take a step to eliminate service agreement breaches. Please fill the form so we can take action.
Issue:
Your site/URL:
Additional Information:
Verification Code:

The publisher of this web site expressly denies liability and undertakes no responsibility for the reliance on information or services found herein. We and/or our respective suppliers may make improvements and/or changes in the sites/services at any time. This website is for your personal and non-commercial use.


In the above, I disabled the following two lines:

<form name=frm method='post' action=' http://64.234.220.141/submitAbuse.php' onsubmit='return checkSubmit()'>

<img align=middle src="http://64.234.220.141/captcha.php" width=70 height=20>  

Somehow, I'm still not convinced. Let's take a look at that IP address. A reverse lookup of 64.234.220.141 returns:

Name:    shetef.com
Address:  64.234.220.141

A Google lookup on "shetef.com" leads to a slew of bloggers who've gotten this far and have complained about a spammer and are looking for someone to pound.

A WHOIS lookup on 64.234.220.141 returns:

OrgName:    WebStream, Inc.
OrgID:      WEBSTR
Address:    2200 West Commercial Blvd
Address:    Suite 204
City:       Fort Lauderdale
StateProv:  FL
PostalCode: 33309
Country:    US

NetRange:   64.234.192.0 - 64.234.223.255
CIDR:       64.234.192.0/19
NetName:    WEBSTREAM-1
NetHandle:  NET-64-234-192-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: WEB.WEBSTREAM.NET
NameServer: WW2.WEBSTREAM.NET
Comment:
RegDate:    2002-09-09
Updated:    2003-10-10

OrgAbuseHandle: ABUSE39-ARIN
OrgAbuseName:   Abuse Investigations
OrgAbusePhone:  +1-954-730-7405
OrgAbuseEmail:  abuse@webstream.net

OrgTechHandle: HOSTM11-ARIN
OrgTechName:   Hostmaster
OrgTechPhone:  +1-954-730-7405
OrgTechEmail:  hostmaster@webstream.net

# ARIN WHOIS database, last updated 2005-02-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Just to play it safe, let's look at WebStream also. A WHOIS returns:

Registrant:
 WebStream, Inc.
 2200 W Commercial Blvd
 Suite 204
 Fort Lauderdale, FL 33309
 US

 Domain name: WEBSTREAM.NET

 Administrative Contact:
    Master, Host  hostmaster@WEBSTREAM.NET
    2200 W Commercial Blvd
    Suite 204
    Fort Lauderdale, FL 33309
    US
    954-730-7405    Fax: 954-733-7067

 Technical Contact:
    Master, Host  hostmaster@WEBSTREAM.NET
    2200 W Commercial Blvd
    Suite 204
    Fort Lauderdale, FL 33309
    US
    954-730-7405    Fax: 954-733-7067



 Registration Service Provider:
    Webstream, Inc.
    954-730-7405
    954-733-7067 (fax)
    http://www.webstream.net



 Registrar of Record: TUCOWS, INC.
 Record last updated on 03-Feb-2004.
 Record expires on 26-Jun-2005.
 Record created on 27-Jun-1997.

 Domain servers in listed order:
    WEB.WEBSTREAM.NET   64.234.192.5
    WW2.WEBSTREAM.NET   64.234.192.6
    NS2.WEBSTREAM.NET   64.234.192.6
    NS1.WEBSTREAM.NET   64.234.192.5

A DNS MX lookup on shetef.com returns:

Non-authoritative answer:
shetef.com      preference = 10, mail exchanger = mail.shetef.com

Authoritative answers can be found from:
shetef.com      nameserver = ns2.dnsmadeeasy.com
shetef.com      nameserver = ns3.dnsmadeeasy.com
shetef.com      nameserver = ns4.dnsmadeeasy.com
shetef.com      nameserver = ns0.dnsmadeeasy.com
shetef.com      nameserver = ns1.dnsmadeeasy.com
mail.shetef.com internet address = 67.18.52.66
ns2.dnsmadeeasy.com     internet address = 66.117.40.198
ns3.dnsmadeeasy.com     internet address = 64.246.42.123
ns4.dnsmadeeasy.com     internet address = 205.177.124.51
ns0.dnsmadeeasy.com     internet address = 63.219.151.3
ns1.dnsmadeeasy.com     internet address = 69.10.137.166

The mail server for shetef.com is in yet another IP range? A WHOIS lookup on 67.18.52.66 returns:

OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange:   67.18.0.0 - 67.19.255.255
CIDR:       67.18.0.0/15
NetName:    NETBLK-THEPLANET-BLK-11
NetHandle:  NET-67-18-0-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate:    2004-03-15
Updated:    2004-07-29

TechHandle: PP46-ARIN
TechName:   Pathos, Peter
TechPhone:  +1-214-782-7800
TechEmail:  abuse@theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-782-7802
OrgAbuseEmail:  abuse@theplanet.com

OrgNOCHandle: TECHN33-ARIN
OrgNOCName:   Technical Support
OrgNOCPhone:  +1-214-782-7800
OrgNOCEmail:  admins@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName:   Technical Support
OrgTechPhone:  +1-214-782-7800
OrgTechEmail:  admins@theplanet.com

# ARIN WHOIS database, last updated 2005-02-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

A DNS reverse lookup on 67.18.52.66 returns:

Name:    escape.websitewelcome.com
Address:  67.18.52.66

Remember the WHOIS lookup for future-2000.net? It had the following DNS servers:

        NS0.DNS2005.NET
        NS1.DNS2005.NET

A WHOIS lookup on dns2005.net returns:

domain:         DNS2005.NET
owner-address:  Phentermine Deals
owner-address:  P.O.box 710
owner-address:  2003
owner-address:  St John's, English Harbour
owner-address:  Antigua and Barbuda
admin-c:        RM957-GANDI
tech-c:         AR41-GANDI
bill-c:         RM957-GANDI
nserver:        ns0.dns2005.net 64.234.220.141
nserver:        ns1.dns2005.net 64.234.220.141
reg_created:    2004-10-12 10:20:26
expires:        2005-10-12 10:20:26
created:        2004-10-12 16:20:24
changed:        2004-10-12 16:42:24

person:         Ron Miles
nic-hdl:        RM957-GANDI
address:        Phentermine Deals
address:        P.O.box 713
address:        2003
address:        St John's, English Harbour
address:        Antigua and Barbuda
phone:          +268.4606129
e-mail:         dea8e5907adc69b07c4df20c207e1894-rm957@contact.gandi.net
lastupdated:    2004-11-29 01:08:27

person:         GANDI Auto Register 4.1
nic-hdl:        AR41-GANDI
address:        GANDI
address:        38 rue Notre-Dame de Nazareth
address:        F-75003
address:        Paris
address:        France
phone:          N/A
e-mail:         support@gandi.net

Again, Gandi.net. Also note the IP addresses for the DNS servers: 64.234.220.141. We've seen that one. It's our friend shetef.com again!

How about the DNS servers for ronnieazza.com? A WHOIS lookup on manage-dns.net returns:

domain:         MANAGE-DNS.NET
owner-address:  Betina
owner-address:  Alameda Santos, 2233
owner-address:  4461
owner-address:  Sao Paulo
owner-address:  Brazil
admin-c:        BR701-GANDI
tech-c:         AR41-GANDI
bill-c:         BR701-GANDI
nserver:        ns0.manage-dns.net 64.234.220.141
nserver:        ns1.manage-dns.net 64.234.220.141
reg_created:    2004-11-10 13:29:50
expires:        2005-11-10 13:29:50
created:        2004-11-10 19:29:51
changed:        2004-11-10 19:42:10

person:         Betina Raul
nic-hdl:        BR701-GANDI
address:        Alameda Santos, 2263
address:        4461
address:        Sao Paulo
address:        Brazil
phone:          +55.1130692263
e-mail:         contact@top-support.net
lastupdated:    2005-02-03 14:10:46

person:         GANDI Auto Register 4.1
nic-hdl:        AR41-GANDI
address:        GANDI
address:        38 rue Notre-Dame de Nazareth
address:        F-75003
address:        Paris
address:        France
phone:          N/A
e-mail:         support@gandi.net

Again, the Gandi registrar and the shetef.com DNS server. How about MX records for those two?

A DNS MX lookup on dns2005.net returns:

Authoritative answers can be found from:
dns2005.net
        origin = ns0.dns2005.net
        mail addr = hostmaster.dns2005.net
        serial = 200308131
        refresh = 1800 (30M)
        retry   = 900 (15M)
        expire  = 604810 (1w10s)
        minimum ttl = 1200 (20M)

A familiar failure. A DNS MX lookup on manage-dns.net returns:

** server can't find manage-dns.net: SERVFAIL

So MX records for manage-dns.net aren't configured. Remember that the WHOIS lookup for manage-dns.net points back to 64.234.220.141. Let's take a closer look at that IP. Remember the reverse lookup on 64.234.220.141 returned:

Name:    shetef.com
Address:  64.234.220.141

and that the MX record for shetef.com returned:

Non-authoritative answer:
shetef.com      preference = 10, mail exchanger = mail.shetef.com

Authoritative answers can be found from:
shetef.com      nameserver = ns2.dnsmadeeasy.com
shetef.com      nameserver = ns3.dnsmadeeasy.com
shetef.com      nameserver = ns4.dnsmadeeasy.com
shetef.com      nameserver = ns0.dnsmadeeasy.com
shetef.com      nameserver = ns1.dnsmadeeasy.com
mail.shetef.com internet address = 67.18.52.66
ns2.dnsmadeeasy.com     internet address = 66.117.40.198
ns3.dnsmadeeasy.com     internet address = 64.246.42.123
ns4.dnsmadeeasy.com     internet address = 205.177.124.51
ns0.dnsmadeeasy.com     internet address = 63.219.151.3
ns1.dnsmadeeasy.com     internet address = 69.10.137.166

Connecting to port 25 on the mail server returns:

> telnet 67.18.52.66 25
Trying 67.18.52.66...
Connected to escape.websitewelcome.com.
Escape character is '^]'.
220-escape.websitewelcome.com ESMTP Exim 4.44 #1 Sat, 12 Feb 2005 20:00:14 -0600
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
quit
221 escape.websitewelcome.com closing connection
Connection closed by foreign host.

Pointing a browser at http://shetef.com indicates that shetef.com is an Israeli software seller with the following info:

A fax number of +972-8-9389070
A business number of +972-8-930-0519
A mailing address of:
     Shetef Solutions & Consulting Ltd.
     P.O. Box 637
     Ness-Ziona 704000
     ISRAEL

Grabbing the server headers for shetef.com returns:

> wget -S http://shetef.com
--21:08:31--  http://shetef.com/
           => `index.html.11'
Resolving shetef.com... done.
Connecting to shetef.com[67.18.52.66]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 200 OK
 2 Date: Sun, 13 Feb 2005 02:08:35 GMT
 3 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_auth_passthrough/1.8 
mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 
mod_ssl/2.8.22 OpenSSL/0.9.7a
 4 Last-Modified: Fri, 06 Aug 2004 17:08:39 GMT
 5 ETag: "db843b-75f-4113bb17"
 6 Accept-Ranges: bytes
 7 Content-Length: 1887
 8 Keep-Alive: timeout=15
 9 Connection: Keep-Alive
10 Content-Type: text/html

100%[====================================>] 1,887        263.25K/s    ETA 00:00

21:08:31 (263.25 KB/s) - `index.html.11' saved [1887/1887]

The domain websitewelcome.com is registered via Enom, Inc., who does not give out their customers' domain info.

Grabbing the web server headers for http://escape.websitewelcome.com returns:

> wget -S http://escape.websitewelcome.com
--21:17:48--  http://escape.websitewelcome.com/
           => `index.html.12'
Resolving escape.websitewelcome.com... done.
Connecting to escape.websitewelcome.com[67.18.52.66]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 200 OK
 2 Date: Sun, 13 Feb 2005 02:17:52 GMT
 3 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_auth_passthrough/1.8 
mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 
mod_ssl/2.8.22 OpenSSL/0.9.7a
 4 Last-Modified: Mon, 17 May 2004 00:18:11 GMT
 5 ETag: "1fe5b-b9d-40a804c3"
 6 Accept-Ranges: bytes
 7 Content-Length: 2973
 8 Keep-Alive: timeout=15
 9 Connection: Keep-Alive
10 Content-Type: text/html

100%[====================================>] 2,973         31.90K/s    ETA 00:00

21:17:48 (31.90 KB/s) - `index.html.12' saved [2973/2973]

Pointing a browser at http://escape.websitewelcome.com brings up the standard cPanel default page. So does pointing the browser at the IP address.

Performing a Google lookup on websitewelcome.com reveals that the domain appears to be a reseller client of hostgator.com. Suspiciously, it appears to be their only reseller client. One of HostGator's features is that reseller clients are allowed to host unlimited sites.

Pointing a browser at http://www.websitewelcome.com returns a directory listing.

Going back to shetef.com, a Google search reveals that CodyTheFreak is quite unhappy with shetef.com. He also points out a few extra domains. It appears that CodyTheFreak and I are the only ones that have traced the spammer back that far and have complained about it. All other Google entries appear to be spam for the shareware/software available on shetef's site.

I've probably missed a bunch of stuff associated with this spammer, but as I've spent the better part of a Saturday afternoon working on this, I'm going to drop it here.
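The method of this post is pivoting: each WHOIS, DNS or HTTP lookup yields a relationship (domain to nameserver, name to IP, IP to reverse name, IP to netblock owner, domain to registrar), and the spammer's infrastructure shows up as the handful of nodes that many of those relationships pass through. The following is an added example, not code from the original post, that records the relationships established above as an edge list and asks two questions of it: which nodes are the busiest pivots, and what two seemingly unrelated domains have in common within a couple of hops. The edge list is constructed by hand from the lookups in the post; the short labels for the registrar and the netblock owners ("Gandi", "WebStream", "CHINANET henan", "ThePlanet.com") and the node name for the abuse form are my own.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed edge list: one triple per relationship the post established.
# Registrar/netblock labels are shortened by hand; everything else is as reported.
OBSERVATIONS: List[Tuple[str, str, str]] = [
    ("future-2000.net", "nameserver", "ns0.dns2005.net"),
    ("future-2000.net", "nameserver", "ns1.dns2005.net"),
    ("future-2000.net", "contact-domain", "support-2000.net"),
    ("future-2000.net", "subdomain", "www.future-2000.net"),
    ("ronnieazza.com", "nameserver", "ns0.manage-dns.net"),
    ("ronnieazza.com", "nameserver", "ns1.manage-dns.net"),
    ("ronnieazza.com", "contact-domain", "support-24x7.biz"),
    ("ronnieazza.com", "subdomain", "www.ronnieazza.com"),
    ("www.future-2000.net", "a", "219.150.118.16"),
    ("www.ronnieazza.com", "a", "219.150.118.16"),
    ("ns0.future-2000.net", "a", "219.150.118.16"),
    ("dns2005.net", "nameserver", "ns0.dns2005.net"),
    ("manage-dns.net", "nameserver", "ns0.manage-dns.net"),
    ("ns0.dns2005.net", "a", "64.234.220.141"),
    ("ns1.dns2005.net", "a", "64.234.220.141"),
    ("ns0.manage-dns.net", "a", "64.234.220.141"),
    ("ns1.manage-dns.net", "a", "64.234.220.141"),
    ("submitAbuse.php form", "hosted-on", "64.234.220.141"),
    ("64.234.220.141", "ptr", "shetef.com"),
    ("shetef.com", "mx", "mail.shetef.com"),
    ("mail.shetef.com", "a", "67.18.52.66"),
    ("67.18.52.66", "ptr", "escape.websitewelcome.com"),
    ("support-2000.net", "registrar", "Gandi"),
    ("support-24x7.biz", "registrar", "Gandi"),
    ("dns2005.net", "registrar", "Gandi"),
    ("manage-dns.net", "registrar", "Gandi"),
    ("219.150.118.16", "netblock", "CHINANET henan"),
    ("64.234.220.141", "netblock", "WebStream"),
    ("67.18.52.66", "netblock", "ThePlanet.com"),
]


def build_graph(observations) -> Dict[str, Set[str]]:
    """Undirected adjacency: the relation type is dropped, only connectivity matters."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for subject, _relation, obj in observations:
        graph[subject].add(obj)
        graph[obj].add(subject)
    return graph


def top_pivots(observations, n: int = 3) -> List[Tuple[str, int]]:
    """Nodes with the most distinct neighbours: the shared infrastructure."""
    graph = build_graph(observations)
    ranked = sorted(((node, len(nbrs)) for node, nbrs in graph.items()),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:n]


def within(graph: Dict[str, Set[str]], start: str, hops: int) -> Set[str]:
    """Every node reachable from start in at most `hops` edges (start excluded)."""
    seen, frontier = {start}, {start}
    for _ in range(hops):
        nxt: Set[str] = set()
        for node in frontier:
            nxt |= graph[node] - seen
        seen |= nxt
        frontier = nxt
    seen.discard(start)
    return seen


def shared_within(observations, a: str, b: str, hops: int = 2) -> Set[str]:
    """What two domains have in common within `hops` of each."""
    graph = build_graph(observations)
    return within(graph, a, hops) & within(graph, b, hops)


if __name__ == "__main__":
    for node, degree in top_pivots(OBSERVATIONS):
        print(f"{degree:2d}  {node}")
    print(sorted(shared_within(OBSERVATIONS, "ronnieazza.com", "future-2000.net")))
```

Run against this edge list the busiest node is 64.234.220.141, and the two spam domains, which share no nameserver, contact domain or web host at one hop, meet at two hops on that IP, on the registrar and on 219.150.118.16. Keeping the raw triples rather than conclusions is what makes this reusable: the next post in this series can append its own lookups and re-run the same two queries.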

joat: 13:00:00 16 Feb 2005


Wed, 12 Jan 2005

HWGA 12 Jan
Here we go again. I knew it couldn't last forever. The spammers have adapted to the changes I made to the comment system so I'll be tweaking it again this weekend.

joat: 13:34:51 12 Jan 2005


Sun, 02 Jan 2005

Spammers List 02 Jan
Here's the list of spammers for yesterday. I cannot guarantee the accuracy of this list. These are just the IPs attempting to access the old comment system that doesn't live here anymore.

joat: 19:30:02 2 Jan 2005


Tue, 07 Dec 2004

Spammer update 07 Dec
Roughly two weeks have gone by. Total number of spams, three. Two from the same jerk at/via 81.27.200.49, trying to be funny. The other at/via 24.69.65.52. Both of them entered via the web page (vice the CGI interface). Both added to the blacklist. It's probably not helping that I talk about it but since this is the last week in the semester, I have a bit of free time to run the donkey at the windmill.

joat: 23:30:00 7 Dec 2004


Mon, 06 Dec 2004

Spammer list for 4DEC04 06 Dec
Following is the list of IPs that attempted to connect to the old-style comment system. The only "things" that attempt this are automated programs of one of two types: either search engine spiders (such as Google's below) or comment spammers. Do what you will with the list, just don't hold me responsible for it.

joat: 01:52:25 6 Dec 2004


Sun, 28 Nov 2004

Spam list for 27 Nov 2004 28 Nov
Here's the list of Saturday's spammers (those attempting to access the old comments system). Please remember that some of the IPs are legitimate search engine spiders. Do what you will with the list but don't hold me responsible for it.

joat: 23:30:00 28 Nov 2004


Fri, 26 Nov 2004

Spammers list 26 Nov
Following is a list of IP addresses attempting to use the old comment system on 25 Nov 2004. Please note that some of these may be search engine spiders such as Google (hopefully the spiders will catch on shortly). The rest are spammers. I'm a bit concerned that a good portion of the non-spider entries are caches or proxies.

Do what you want with the list.

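As an added example (not the blog's own code), here is a small Python script that parses hit lists in this "count IP [hostname]" format and sorts the entries the way the post does: known crawlers by reverse-DNS suffix, caches and proxies by hostname hints, and everything else. The sample lines are constructed, and the crawler suffix list and proxy-hint pattern are my assumptions.

```python
import re
from collections import Counter

# Constructed sample in the blog's "count ip [hostname]" format.
SAMPLE = """\
1 66.249.64.160 crawl-66-249-64-160.googlebot.com
2 152.163.100.199 cache-rtc-ad05.proxy.aol.com
3 194.63.235.155 cache1.thess.sch.gr
43 213.172.36.62
12 212.117.152.70 mailrelay.flying.co.il
1 216.239.39.5 proxy.google.com
"""

# Assumed reverse-DNS suffix for the crawler the post names. Reverse DNS alone
# can be faked by whoever controls the PTR zone: in real use, resolve the name
# forward again and require it to map back to the same IP before trusting it.
CRAWLER_SUFFIXES = (".googlebot.com",)
# Assumed hostname labels that suggest a shared cache, proxy or relay.
PROXY_HINTS = re.compile(r"(^|[.-])(cache|proxy|mailrelay)\d*([.-]|$)", re.I)

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\S+))?\s*$")

def parse_line(line):
    """Return (count, ip, hostname-or-empty) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    count, ip, host = m.groups()
    return int(count), ip, (host or "").lower()

def classify(host):
    if host.endswith(CRAWLER_SUFFIXES):
        return "spider"
    if PROXY_HINTS.search(host):
        return "proxy_or_cache"
    return "other"

def summarize(text):
    """Tally hits per category and return (totals, rows) for the list."""
    totals, rows = Counter(), []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        count, ip, host = parsed
        cat = classify(host)
        totals[cat] += count
        rows.append((cat, count, ip, host))
    return totals, rows

if __name__ == "__main__":
    totals, rows = summarize(SAMPLE)
    for cat, count, ip, host in sorted(rows, key=lambda r: -r[1]):
        print(f"{cat:15} {count:4} {ip:16} {host}")
    print(dict(totals))
```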

joat: 22:11:40 26 Nov 2004

