More Playtech spam – what a shock

Viewing 15 posts - 16 through 30 (of 31 total)
  • #721358
    Anonymous
    Inactive
    greek39 wrote:
    For the site http://www.sierrastarcasino.com/ I find the following servers:

    pdns1.ultradns.net:
    204.74.108.1
    pdns2.ultradns.net:
    204.74.109.1
    pdns3.ultradns.org:
    199.7.68.1
    pdns4.ultradns.org:
    199.7.69.1
    pdns5.ultradns.info:
    204.74.114.1
    pdns6.ultradns.co.uk:

    When I cross reference this with my own archives I find:

    PDNS1.ULTRADNS.NET 204.74.108.1
    PDNS3.ULTRADNS.ORG 199.7.68.1
    PDNS2.ULTRADNS.NET 204.74.109.1
    PDNS6.ULTRADNS.CO.UK
    PDNS4.ULTRADNS.ORG 199.7.69.1
    PDNS5.ULTRADNS.INFO 204.74.114.1

    Would anybody agree this linkage provides proof the spam is coming from these servers for the domain mentioned. Because if it is you will not believe who is doing this.

    greek39

    I wouldn’t agree because sierrastarcasino is the ultimate destination of one of the links posted in the email. It is NOT the source of the email itself.

    The sources are:

    Received: from 66-79-17-75.dsl.coastalnow.net (66.79.17.75)
    Received: from [62.212.219.169] ([62.212.219.169])
    Received: from host-81-190-73-39.gdynia.mm.pl (81.190.73.39)

    It should be patently obvious that this is coming from various infected PCs, with the real origin completely masked. Without knowing what trojan is on these PCs, you will never be able to tell what the real source is unless you track the owners of the links such as:

    1stmart.com – the first spammer, apparently unrelated:

    Quote:
    Registrant:
    Global Soft Technologies, Inc.
    265 Klassen Rd.
    Kelowna, BC V1X7P1
    CA

    Registrar: DOTSTER
    Domain Name: 1STMART.COM
    Created on: 28-FEB-99
    Expires on: 28-FEB-07
    Last Updated on: 01-MAR-06

    Administrative, Technical Contact:
    Sadowick, Fred admin@1stchoiceinternational.com
    Global Soft Technologies, Inc.
    265 Klassen Rd.
    Kelowna, BC V1X7P1
    CA
    (250) 491-9386
    (250) 491-5644

    Domain servers in listed order:
    NS1.1STCHOICE-UN.NET
    NS2.1STCHOICE-UN.NET

    and arengor.com, which is where all the links in the following emails point to:

    Quote:
    Registrant Contact

    Name: Lenin Leon
    Address: 482 Pennsylvania Avenue
    Kenova, WV 25530
    US
    Email Address: leninjleon@gmail.com
    Phone Number: (304)438-3839

    Administrative Contact

    Name: Lenin Leon
    Address: 482 Pennsylvania Avenue
    Kenova, WV 25530
    US
    Email Address: leninjleon@gmail.com
    Phone Number: (304)438-3839

    Technical Contact

    Name: Lenin Leon
    Address: 482 Pennsylvania Avenue
    Kenova, WV 25530
    US
    Email Address: leninjleon@gmail.com
    Phone Number: (304)438-3839

    Record Created on…….. 2006-12-22 15:05:17.449
    Expire on……………. 2007-12-22 15:15:01.000

    Domain servers in listed order:

    ns1.aruanresar.com
    ns2.bustersolg.com

    #721362
    Anonymous
    Inactive

    Yes spearmaster, I have that info already. I agree to a certain extent; I am looking for one person/company.

    greek39

    #721363
    Anonymous
    Inactive

    I don’t believe these are coming from zombie machines. But I better take a break for a while.

    #721364
    Anonymous
    Inactive

    Trust me, they’re zombies. I just got one (and I wasn’t paying attention but I’ve been getting quite a few every day as well) from

    Quote:
    Domain Name: colkinhf.com
    Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET

    Registrant Contact

    Name: Mary Childree
    Address: 2934 New Britain Ave
    Cheshire, CT 06410
    US
    Email Address:
    Phone Number: (860)656-6284

    Administrative Contact

    Name: Mary Childree
    Address: 2934 New Britain Ave
    Cheshire, CT 06410
    US
    Email Address:
    Phone Number: (860)656-6284

    Technical Contact

    Name: Mary Childree
    Address: 2934 New Britain Ave
    Cheshire, CT 06410
    US
    Email Address:
    Phone Number: (860)656-6284

    Record Created on…….. 2006-12-29 04:49:18.824
    Expire on……………. 2007-12-29 04:59:02.000

    Domain servers in listed order:

    ns1.mrachnishko.com
    ns2.dencovinsho.com

    The only similarity is the name registrar – and look at the date the domains were created… this one was JUST created a few days before the New Year…

    Best thing to do is pass on the domain names colkinhf.com and arengor.com to Wagershare and ask them to check their logs to see which affiliate is referring them this traffic… and shut his ass down.

    edit – add iklunfex.com – and similar DNS servers as arengor.com.

    Quote:
    Domain Name: iklunfes.com
    Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET

    Registrant Contact

    Name: alejandro bianchi
    Address: p.o.box 12
    bronx, ny 10453
    US
    Email Address:
    Phone Number: (917)804-3922

    Administrative Contact

    Name: alejandro bianchi
    Address: p.o.box 12
    bronx, ny 10453
    US
    Email Address:
    Phone Number: (917)804-3922

    Technical Contact

    Name: alejandro bianchi
    Address: p.o.box 12
    bronx, ny 10453
    US
    Email Address:
    Phone Number: (917)804-3922

    Record Created on…….. 2006-12-22 15:31:04.203
    Expire on……………. 2007-12-22 15:41:00.000

    Domain servers in listed order:

    ns1.aruanresar.com
    ns2.bustersolg.com

    edit 2 –> Ok… I got it… found something I need to check on.

    #721369
    Anonymous
    Inactive

    Well, if they are zombies they are pretty tough to track, but not impossible. I don’t feel it would be worth the time. Instead I will focus on the message ID and see if certain agencies can trap these people. This would put them out of business for good. I need a name and address of the person; this is what I am looking for.

    The domain is the easy part. But it couldn’t hurt contacting the hosts of the domains.

    greek39

    #721372
    Anonymous
    Inactive

    Let me make it easy for you.

    All of the websites with the strange names are on a single server, with the IP 203.87.155.69.

    If you have the ability to “take out” a server, this is your target.

    #721373
    Anonymous
    Inactive

    Thank you spearmaster, these had to be coming from a server of some kind.

    greek39

    #721374
    Anonymous
    Inactive

    The emails are not coming from this server. Zombies are sending the emails.

    The destination – ie the links in the emails – all point to various websites which are hosted on this server.

    #721376
    Anonymous
    Inactive

    From Spamhaus

    Ref: SBL49407

    203.87.155.69/32 is listed on the Spamhaus Block List (SBL)

    02-Jan-2007 05:47 GMT | SR22

    Spam webhosting – nasamih.com

    Spamvertized URL: xhttp://nasamih.com/micro/4

    nasamih.com has address 203.87.155.69

    nasamih.com. 2D IN NS ns1.ferontairc.com.
    nasamih.com. 2D IN NS ns2.merbologa.com.

    ns1.ferontairc.com. 2D IN A 84.41.233.252
    ns2.merbologa.com. 2D IN A 210.76.106.15

    Server IP address is 203.87.155.69

    HTTP/1.1 200 OK
    Connection: close
    Date: Sat, 23 Dec 2006 19:09:54 GMT
    Accept-Ranges: bytes
    ETag: “dfb37-aa-9a583440”
    Server: Apache/2.0.40 (Red Hat Linux)
    Content-Length: 170
    Content-Type: text/html; charset=ISO-8859-1
    Last-Modified: Tue, 19 Dec 2006 10:31:37 GMT

    Visitors are being redirected via JavaScript. The file bs.js looks like this:

    // JavaScript Document
    // Redirect served from the spamvertised site; the URL is defanged with a leading "x" as in the original post
    var defUrl = "xhttp://www.the999casino.com/click.asp?site=4"
    self.location.replace(defUrl)

    Domain: nasamih.com

    Registrant
    John Greene
    John Greene
    xcolopkacan@yahoo.com
    289 Houghton Street
    Worcester, MA 01604 US
    +1.5087985427

    Administrative
    John Greene
    John Greene
    xcolopkacan@yahoo.com
    289 Houghton Street
    Worcester, MA 01604 US
    +1.5087985427

    Billing
    John Greene
    John Greene
    xcolopkacan@yahoo.com
    289 Houghton Street
    Worcester, MA 01604 US
    +1.5087985427

    Technical
    John Greene
    John Greene
    xcolopkacan@yahoo.com
    289 Houghton Street
    Worcester, MA 01604 US
    +1.5087985427

    Record created on December 17, 2006
    Record last updated on December 17, 2006
    Record expires on December 17, 2007

    Domain Name Servers:
    NS1.FERONTAIRC.COM
    NS2.MERBOLOGA.COM

    #721378
    Anonymous
    Inactive

    The key line in what you just posted is this:

    Quote:
    Spam webhosting – nasamih.com

    Spamhaus has listed the IP as a spam destination. It is not the source of the spam.

    Filters in mail programs or on ISPs mail servers don’t block destinations – they only block sources.
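    The distinction spearmaster draws in #721358 and again just above (the Received hops are the infected PCs that sent the mail, the body links are the destination hosted on one server), as an added Python example that is not code from this thread. The message is constructed from the two Received lines quoted in #721358; mx.example.invalid, the timestamps, the links and the A_RECORDS table are samples (192.0.2.10 is a placeholder address), not real lookups.

```python
import re
from email import message_from_string

# Constructed message modelled on the Received lines quoted in the thread;
# the hops, timestamps and links are samples, not a captured spam.
SAMPLE_EMAIL = """\
Received: from 66-79-17-75.dsl.coastalnow.net (66.79.17.75)
\tby mx.example.invalid with SMTP; Tue, 02 Jan 2007 05:40:11 +0000
Received: from [62.212.219.169] ([62.212.219.169])
\tby 66-79-17-75.dsl.coastalnow.net; Tue, 02 Jan 2007 05:39:50 +0000

Click: http://arengor.com/micro/4 or http://nasamih.com/micro/4
Also: xhttp://iklunfes.com/micro/4 and http://www.sierrastarcasino.com/
"""

# Constructed A records standing in for resolver answers (203.87.155.69 is
# the shared hosting address from the thread; 192.0.2.10 is a placeholder).
A_RECORDS = {"arengor.com": "203.87.155.69", "nasamih.com": "203.87.155.69",
             "iklunfes.com": "203.87.155.69",
             "www.sierrastarcasino.com": "192.0.2.10"}

# "from <host> (<ip>)" or "from [<ip>] ([<ip>])", the two forms quoted above
FROM_IP = re.compile(r"^from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")
# http://, https:// and the defanged xhttp:// spelling the thread uses
LINK_HOST = re.compile(r"\bx?https?://([A-Za-z0-9.-]+)", re.I)

def received_chain(raw):
    """Relay IPs, newest hop first; the last one injected the message (an
    infected PC here). Hops below your own MX can be forged: treat as claims."""
    msg = message_from_string(raw)
    return [m.group(1) for m in map(FROM_IP.match, msg.get_all("Received", [])) if m]

def link_hosts(raw):
    """Distinct link hostnames in the body: the spam's destinations."""
    body = message_from_string(raw).get_payload()
    return sorted({h.lower() for h in LINK_HOST.findall(body)})

def cluster_by_address(hosts, a_records):
    """Group destinations by address; one server behind many throwaway domains."""
    clusters = {}
    for h in hosts:
        clusters.setdefault(a_records.get(h, "unresolved"), []).append(h)
    return clusters

def analyse(raw, a_records=A_RECORDS):
    """Where the mail came from (Received) versus where its links send you."""
    chain = received_chain(raw)
    return {"injecting_host": chain[-1] if chain else None, "relays": chain,
            "destinations": cluster_by_address(link_hosts(raw), a_records)}
```

    Run against a real mailbox, the relay list is what a source-based filter can act on; the destination cluster is the part a hosting provider or a blocklist such as the SBL entry above describes.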

    #721381
    Anonymous
    Inactive

    Courtesy of one of my good friends and prominent webmasters… the full list of sites on that IP:

    #721383
    Anonymous
    Inactive

    Getting very close. SORBS implemented a spamtrap as follows:

    Netblock: 203.87.155.0/24 (203.87.155.0-203.87.155.255)
    Record Created: Sun Dec 24 00:28:08 2006 GMT
    Record Updated: Sun Dec 31 18:41:45 2006 GMT
    Additional Information: spamvertised gefraing.com. 5M IN A 203.87.155.69
    Currently active and flagged to be published in DNS

    So it may very well be this person is getting by the trap by changing their message ID. I really want this person’s name and address, so the authorities can bust their door down.

    I ran a check on all domains residing on the server using the Swiss Army knife. I know the answer lies somewhere in the posts already made. Man, is this frustrating!

    The domains you listed are all using the Apache Web Server on Red Hat Linux.

    greek39

    #721384
    Anonymous
    Inactive

    Come on spearmaster, bust out! I can’t afford to lose any more hair! We are darn close; I must be sure who I will be going after.

    BTW: all running wireless broadband

    greek39

    #721418
    Anonymous
    Inactive

    Well frictionNet, I gave it my best shot. Catching this person would require a lot of time and resources. But I believe this to be one person who pushes mainly Microgaming products. On the brighter side, we created a good reference thread.

    I am truly sorry, but I can’t speculate on things when it comes to pipe screwing. Good luck, and try and get your program to bounce the email.

    greek39

    #721420
    Anonymous
    Inactive

    No need for apologies, greek. You’ve clearly put in a lot of time and effort – much of it goes over my head but it sounds good, anyway :)
